1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3 * AMD Secure Encrypted Virtualization (SEV) driver interface
4 *
5 * Copyright (C) 2016-2017 Advanced Micro Devices, Inc.
6 *
7 * Author: Brijesh Singh <brijesh.singh@amd.com>
8 *
9 * SEV API spec is available at https://developer.amd.com/sev
10 */
11
12 #ifndef __PSP_SEV_H__
13 #define __PSP_SEV_H__
14
15 #include <uapi/linux/psp-sev.h>
16
17 /* As defined by SEV API, under "Guest Policy". */
18 #define SEV_POLICY_MASK_NODBG BIT(0)
19 #define SEV_POLICY_MASK_NOKS BIT(1)
20 #define SEV_POLICY_MASK_ES BIT(2)
21 #define SEV_POLICY_MASK_NOSEND BIT(3)
22 #define SEV_POLICY_MASK_DOMAIN BIT(4)
23 #define SEV_POLICY_MASK_SEV BIT(5)
24 #define SEV_POLICY_MASK_API_MAJOR GENMASK(23, 16)
25 #define SEV_POLICY_MASK_API_MINOR GENMASK(31, 24)
26
27 /* As defined by SEV-SNP Firmware ABI, under "Guest Policy". */
28 #define SNP_POLICY_MASK_API_MINOR GENMASK_ULL(7, 0)
29 #define SNP_POLICY_MASK_API_MAJOR GENMASK_ULL(15, 8)
30 #define SNP_POLICY_MASK_SMT BIT_ULL(16)
31 #define SNP_POLICY_MASK_RSVD_MBO BIT_ULL(17)
32 #define SNP_POLICY_MASK_MIGRATE_MA BIT_ULL(18)
33 #define SNP_POLICY_MASK_DEBUG BIT_ULL(19)
34 #define SNP_POLICY_MASK_SINGLE_SOCKET BIT_ULL(20)
35 #define SNP_POLICY_MASK_CXL_ALLOW BIT_ULL(21)
36 #define SNP_POLICY_MASK_MEM_AES_256_XTS BIT_ULL(22)
37 #define SNP_POLICY_MASK_RAPL_DIS BIT_ULL(23)
38 #define SNP_POLICY_MASK_CIPHERTEXT_HIDING_DRAM BIT_ULL(24)
39 #define SNP_POLICY_MASK_PAGE_SWAP_DISABLE BIT_ULL(25)
40
/*
 * Base SEV-SNP policy bitmask for minimum supported SEV firmware version.
 *
 * The mask covers policy bits 0-20 only. The higher policy bits defined in
 * this header (CXL_ALLOW, MEM_AES_256_XTS, RAPL_DIS, CIPHERTEXT_HIDING_DRAM
 * and PAGE_SWAP_DISABLE, bits 21-25) are not part of it.
 * NOTE(review): presumably those bits are accepted only when the firmware
 * advertises them (cf. the SNP_*_SUPPORTED feature bits and
 * sev_get_snp_policy_bits() in this header) - confirm in the driver.
 */
#define SNP_POLICY_MASK_BASE	(SNP_POLICY_MASK_API_MINOR		| \
				 SNP_POLICY_MASK_API_MAJOR		| \
				 SNP_POLICY_MASK_SMT			| \
				 SNP_POLICY_MASK_RSVD_MBO		| \
				 SNP_POLICY_MASK_MIGRATE_MA		| \
				 SNP_POLICY_MASK_DEBUG			| \
				 SNP_POLICY_MASK_SINGLE_SOCKET)
49
50 #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */
51
52 /**
53 * SEV platform state
54 */
55 enum sev_state {
56 SEV_STATE_UNINIT = 0x0,
57 SEV_STATE_INIT = 0x1,
58 SEV_STATE_WORKING = 0x2,
59
60 SEV_STATE_MAX
61 };
62
63 /**
64 * SEV platform and guest management commands
65 */
66 enum sev_cmd {
67 /* platform commands */
68 SEV_CMD_INIT = 0x001,
69 SEV_CMD_SHUTDOWN = 0x002,
70 SEV_CMD_FACTORY_RESET = 0x003,
71 SEV_CMD_PLATFORM_STATUS = 0x004,
72 SEV_CMD_PEK_GEN = 0x005,
73 SEV_CMD_PEK_CSR = 0x006,
74 SEV_CMD_PEK_CERT_IMPORT = 0x007,
75 SEV_CMD_PDH_CERT_EXPORT = 0x008,
76 SEV_CMD_PDH_GEN = 0x009,
77 SEV_CMD_DF_FLUSH = 0x00A,
78 SEV_CMD_DOWNLOAD_FIRMWARE = 0x00B,
79 SEV_CMD_GET_ID = 0x00C,
80 SEV_CMD_INIT_EX = 0x00D,
81
82 /* Guest commands */
83 SEV_CMD_DECOMMISSION = 0x020,
84 SEV_CMD_ACTIVATE = 0x021,
85 SEV_CMD_DEACTIVATE = 0x022,
86 SEV_CMD_GUEST_STATUS = 0x023,
87
88 /* Guest launch commands */
89 SEV_CMD_LAUNCH_START = 0x030,
90 SEV_CMD_LAUNCH_UPDATE_DATA = 0x031,
91 SEV_CMD_LAUNCH_UPDATE_VMSA = 0x032,
92 SEV_CMD_LAUNCH_MEASURE = 0x033,
93 SEV_CMD_LAUNCH_UPDATE_SECRET = 0x034,
94 SEV_CMD_LAUNCH_FINISH = 0x035,
95 SEV_CMD_ATTESTATION_REPORT = 0x036,
96
97 /* Guest migration commands (outgoing) */
98 SEV_CMD_SEND_START = 0x040,
99 SEV_CMD_SEND_UPDATE_DATA = 0x041,
100 SEV_CMD_SEND_UPDATE_VMSA = 0x042,
101 SEV_CMD_SEND_FINISH = 0x043,
102 SEV_CMD_SEND_CANCEL = 0x044,
103
104 /* Guest migration commands (incoming) */
105 SEV_CMD_RECEIVE_START = 0x050,
106 SEV_CMD_RECEIVE_UPDATE_DATA = 0x051,
107 SEV_CMD_RECEIVE_UPDATE_VMSA = 0x052,
108 SEV_CMD_RECEIVE_FINISH = 0x053,
109
110 /* Guest debug commands */
111 SEV_CMD_DBG_DECRYPT = 0x060,
112 SEV_CMD_DBG_ENCRYPT = 0x061,
113
114 /* SNP specific commands */
115 SEV_CMD_SNP_INIT = 0x081,
116 SEV_CMD_SNP_SHUTDOWN = 0x082,
117 SEV_CMD_SNP_PLATFORM_STATUS = 0x083,
118 SEV_CMD_SNP_DF_FLUSH = 0x084,
119 SEV_CMD_SNP_INIT_EX = 0x085,
120 SEV_CMD_SNP_SHUTDOWN_EX = 0x086,
121 SEV_CMD_SNP_DECOMMISSION = 0x090,
122 SEV_CMD_SNP_ACTIVATE = 0x091,
123 SEV_CMD_SNP_GUEST_STATUS = 0x092,
124 SEV_CMD_SNP_GCTX_CREATE = 0x093,
125 SEV_CMD_SNP_GUEST_REQUEST = 0x094,
126 SEV_CMD_SNP_ACTIVATE_EX = 0x095,
127 SEV_CMD_SNP_LAUNCH_START = 0x0A0,
128 SEV_CMD_SNP_LAUNCH_UPDATE = 0x0A1,
129 SEV_CMD_SNP_LAUNCH_FINISH = 0x0A2,
130 SEV_CMD_SNP_DBG_DECRYPT = 0x0B0,
131 SEV_CMD_SNP_DBG_ENCRYPT = 0x0B1,
132 SEV_CMD_SNP_PAGE_SWAP_OUT = 0x0C0,
133 SEV_CMD_SNP_PAGE_SWAP_IN = 0x0C1,
134 SEV_CMD_SNP_PAGE_MOVE = 0x0C2,
135 SEV_CMD_SNP_PAGE_MD_INIT = 0x0C3,
136 SEV_CMD_SNP_PAGE_SET_STATE = 0x0C6,
137 SEV_CMD_SNP_PAGE_RECLAIM = 0x0C7,
138 SEV_CMD_SNP_PAGE_UNSMASH = 0x0C8,
139 SEV_CMD_SNP_CONFIG = 0x0C9,
140 SEV_CMD_SNP_DOWNLOAD_FIRMWARE_EX = 0x0CA,
141 SEV_CMD_SNP_COMMIT = 0x0CB,
142 SEV_CMD_SNP_VLEK_LOAD = 0x0CD,
143 SEV_CMD_SNP_FEATURE_INFO = 0x0CE,
144
145 SEV_CMD_MAX,
146 };
147
148 /**
149 * struct sev_data_init - INIT command parameters
150 *
151 * @flags: processing flags
152 * @tmr_address: system physical address used for SEV-ES
153 * @tmr_len: len of tmr_address
154 */
155 struct sev_data_init {
156 u32 flags; /* In */
157 u32 reserved; /* In */
158 u64 tmr_address; /* In */
159 u32 tmr_len; /* In */
160 } __packed;
161
162 /**
163 * struct sev_data_init_ex - INIT_EX command parameters
164 *
165 * @length: len of the command buffer read by the PSP
166 * @flags: processing flags
167 * @tmr_address: system physical address used for SEV-ES
168 * @tmr_len: len of tmr_address
169 * @nv_address: system physical address used for PSP NV storage
170 * @nv_len: len of nv_address
171 */
172 struct sev_data_init_ex {
173 u32 length; /* In */
174 u32 flags; /* In */
175 u64 tmr_address; /* In */
176 u32 tmr_len; /* In */
177 u32 reserved; /* In */
178 u64 nv_address; /* In/Out */
179 u32 nv_len; /* In */
180 } __packed;
181
182 #define SEV_INIT_FLAGS_SEV_ES 0x01
183
184 /**
185 * struct sev_data_pek_csr - PEK_CSR command parameters
186 *
187 * @address: PEK certificate chain
188 * @len: len of certificate
189 */
190 struct sev_data_pek_csr {
191 u64 address; /* In */
192 u32 len; /* In/Out */
193 } __packed;
194
/**
 * struct sev_data_pek_cert_import - PEK_CERT_IMPORT command parameters
 *
 * @pek_cert_address: PEK certificate chain
 * @pek_cert_len: len of PEK certificate
 * @reserved: reserved
 * @oca_cert_address: OCA certificate chain
 * @oca_cert_len: len of OCA certificate
 */
struct sev_data_pek_cert_import {
	u64 pek_cert_address;			/* In */
	u32 pek_cert_len;			/* In */
	u32 reserved;				/* In */
	u64 oca_cert_address;			/* In */
	u32 oca_cert_len;			/* In */
} __packed;
210
211 /**
212 * struct sev_data_download_firmware - DOWNLOAD_FIRMWARE command parameters
213 *
214 * @address: physical address of firmware image
215 * @len: len of the firmware image
216 */
217 struct sev_data_download_firmware {
218 u64 address; /* In */
219 u32 len; /* In */
220 } __packed;
221
222 /**
223 * struct sev_data_get_id - GET_ID command parameters
224 *
225 * @address: physical address of region to place unique CPU ID(s)
226 * @len: len of the region
227 */
228 struct sev_data_get_id {
229 u64 address; /* In */
230 u32 len; /* In/Out */
231 } __packed;
/**
 * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters
 *
 * @pdh_cert_address: PDH certificate address
 * @pdh_cert_len: len of PDH certificate
 * @reserved: reserved
 * @cert_chain_address: PDH certificate chain
 * @cert_chain_len: len of PDH certificate chain
 *
 * Both length fields are marked In/Out below. Presumably the firmware writes
 * the required or produced length back, so a caller should re-check the value
 * against its own buffer size before using it as a copy length - TODO confirm
 * against the SEV API spec.
 */
struct sev_data_pdh_cert_export {
	u64 pdh_cert_address;			/* In */
	u32 pdh_cert_len;			/* In/Out */
	u32 reserved;				/* In */
	u64 cert_chain_address;			/* In */
	u32 cert_chain_len;			/* In/Out */
} __packed;
247
248 /**
249 * struct sev_data_decommission - DECOMMISSION command parameters
250 *
251 * @handle: handle of the VM to decommission
252 */
253 struct sev_data_decommission {
254 u32 handle; /* In */
255 } __packed;
256
257 /**
258 * struct sev_data_activate - ACTIVATE command parameters
259 *
260 * @handle: handle of the VM to activate
261 * @asid: asid assigned to the VM
262 */
263 struct sev_data_activate {
264 u32 handle; /* In */
265 u32 asid; /* In */
266 } __packed;
267
268 /**
269 * struct sev_data_deactivate - DEACTIVATE command parameters
270 *
271 * @handle: handle of the VM to deactivate
272 */
273 struct sev_data_deactivate {
274 u32 handle; /* In */
275 } __packed;
276
277 /**
278 * struct sev_data_guest_status - SEV GUEST_STATUS command parameters
279 *
280 * @handle: handle of the VM to retrieve status
281 * @policy: policy information for the VM
282 * @asid: current ASID of the VM
283 * @state: current state of the VM
284 */
285 struct sev_data_guest_status {
286 u32 handle; /* In */
287 u32 policy; /* Out */
288 u32 asid; /* Out */
289 u8 state; /* Out */
290 } __packed;
291
292 /**
293 * struct sev_data_launch_start - LAUNCH_START command parameters
294 *
295 * @handle: handle assigned to the VM
296 * @policy: guest launch policy
297 * @dh_cert_address: physical address of DH certificate blob
298 * @dh_cert_len: len of DH certificate blob
299 * @session_address: physical address of session parameters
300 * @session_len: len of session parameters
301 */
302 struct sev_data_launch_start {
303 u32 handle; /* In/Out */
304 u32 policy; /* In */
305 u64 dh_cert_address; /* In */
306 u32 dh_cert_len; /* In */
307 u32 reserved; /* In */
308 u64 session_address; /* In */
309 u32 session_len; /* In */
310 } __packed;
311
312 /**
313 * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameter
314 *
315 * @handle: handle of the VM to update
316 * @len: len of memory to be encrypted
317 * @address: physical address of memory region to encrypt
318 */
319 struct sev_data_launch_update_data {
320 u32 handle; /* In */
321 u32 reserved;
322 u64 address; /* In */
323 u32 len; /* In */
324 } __packed;
325
326 /**
327 * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command
328 *
329 * @handle: handle of the VM
330 * @address: physical address of memory region to encrypt
331 * @len: len of memory region to encrypt
332 */
333 struct sev_data_launch_update_vmsa {
334 u32 handle; /* In */
335 u32 reserved;
336 u64 address; /* In */
337 u32 len; /* In */
338 } __packed;
339
340 /**
341 * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters
342 *
343 * @handle: handle of the VM to process
344 * @address: physical address containing the measurement blob
345 * @len: len of measurement blob
346 */
347 struct sev_data_launch_measure {
348 u32 handle; /* In */
349 u32 reserved;
350 u64 address; /* In */
351 u32 len; /* In/Out */
352 } __packed;
353
/**
 * struct sev_data_launch_secret - LAUNCH_UPDATE_SECRET command parameters
 *
 * Used with SEV_CMD_LAUNCH_UPDATE_SECRET; enum sev_cmd in this header has no
 * plain "LAUNCH_SECRET" entry.
 *
 * @handle: handle of the VM to process
 * @reserved1: reserved
 * @hdr_address: physical address containing the packet header
 * @hdr_len: len of packet header
 * @reserved2: reserved
 * @guest_address: system physical address of guest memory region
 * @guest_len: len of the guest memory region at @guest_address
 * @reserved3: reserved
 * @trans_address: physical address of transport memory buffer
 * @trans_len: len of transport memory buffer
 */
struct sev_data_launch_secret {
	u32 handle;				/* In */
	u32 reserved1;
	u64 hdr_address;			/* In */
	u32 hdr_len;				/* In */
	u32 reserved2;
	u64 guest_address;			/* In */
	u32 guest_len;				/* In */
	u32 reserved3;
	u64 trans_address;			/* In */
	u32 trans_len;				/* In */
} __packed;
377
378 /**
379 * struct sev_data_launch_finish - LAUNCH_FINISH command parameters
380 *
381 * @handle: handle of the VM to process
382 */
383 struct sev_data_launch_finish {
384 u32 handle; /* In */
385 } __packed;
386
387 /**
388 * struct sev_data_send_start - SEND_START command parameters
389 *
390 * @handle: handle of the VM to process
391 * @policy: policy information for the VM
392 * @pdh_cert_address: physical address containing PDH certificate
393 * @pdh_cert_len: len of PDH certificate
394 * @plat_certs_address: physical address containing platform certificate
395 * @plat_certs_len: len of platform certificate
396 * @amd_certs_address: physical address containing AMD certificate
397 * @amd_certs_len: len of AMD certificate
398 * @session_address: physical address containing Session data
399 * @session_len: len of session data
400 */
401 struct sev_data_send_start {
402 u32 handle; /* In */
403 u32 policy; /* Out */
404 u64 pdh_cert_address; /* In */
405 u32 pdh_cert_len; /* In */
406 u32 reserved1;
407 u64 plat_certs_address; /* In */
408 u32 plat_certs_len; /* In */
409 u32 reserved2;
410 u64 amd_certs_address; /* In */
411 u32 amd_certs_len; /* In */
412 u32 reserved3;
413 u64 session_address; /* In */
414 u32 session_len; /* In/Out */
415 } __packed;
416
/**
 * struct sev_data_send_update_data - SEND_UPDATE_DATA command
 *
 * @handle: handle of the VM to process
 * @reserved1: reserved
 * @hdr_address: physical address containing packet header
 * @hdr_len: len of packet header
 * @reserved2: reserved
 * @guest_address: physical address of guest memory region to send
 * @guest_len: len of guest memory region to send
 * @reserved3: reserved
 * @trans_address: physical address of host memory region
 * @trans_len: len of host memory region
 */
struct sev_data_send_update_data {
	u32 handle;				/* In */
	u32 reserved1;
	u64 hdr_address;			/* In */
	u32 hdr_len;				/* In/Out */
	u32 reserved2;
	u64 guest_address;			/* In */
	u32 guest_len;				/* In */
	u32 reserved3;
	u64 trans_address;			/* In */
	u32 trans_len;				/* In */
} __packed;
440
/**
 * struct sev_data_send_update_vmsa - SEND_UPDATE_VMSA command
 *
 * @handle: handle of the VM to process
 * @hdr_address: physical address containing packet header
 * @hdr_len: len of packet header
 * @reserved2: reserved
 * @guest_address: physical address of guest memory region to send
 * @guest_len: len of guest memory region to send
 * @reserved3: reserved
 * @trans_address: physical address of host memory region
 * @trans_len: len of host memory region
 *
 * NOTE(review): unlike struct sev_data_send_update_data, no reserved1 word
 * follows @handle here, so with __packed @hdr_address sits at byte offset 4
 * instead of 8 and every later field is shifted by four bytes. If the
 * firmware expects the same layout as SEND_UPDATE_DATA it would read the
 * addresses and lengths from the wrong offsets. Confirm against the SEV API
 * spec before issuing SEV_CMD_SEND_UPDATE_VMSA with this structure.
 */
struct sev_data_send_update_vmsa {
	u32 handle;				/* In */
	u64 hdr_address;			/* In */
	u32 hdr_len;				/* In/Out */
	u32 reserved2;
	u64 guest_address;			/* In */
	u32 guest_len;				/* In */
	u32 reserved3;
	u64 trans_address;			/* In */
	u32 trans_len;				/* In */
} __packed;
463
464 /**
465 * struct sev_data_send_finish - SEND_FINISH command parameters
466 *
467 * @handle: handle of the VM to process
468 */
469 struct sev_data_send_finish {
470 u32 handle; /* In */
471 } __packed;
472
473 /**
474 * struct sev_data_send_cancel - SEND_CANCEL command parameters
475 *
476 * @handle: handle of the VM to process
477 */
478 struct sev_data_send_cancel {
479 u32 handle; /* In */
480 } __packed;
481
/**
 * struct sev_data_receive_start - RECEIVE_START command parameters
 *
 * @handle: handle of the VM to perform receive operation
 * @policy: guest policy supplied with the command (marked In below)
 * @pdh_cert_address: system physical address containing PDH certificate blob
 * @pdh_cert_len: len of PDH certificate blob
 * @reserved1: reserved
 * @session_address: system physical address containing session blob
 * @session_len: len of session blob
 */
struct sev_data_receive_start {
	u32 handle;				/* In/Out */
	u32 policy;				/* In */
	u64 pdh_cert_address;			/* In */
	u32 pdh_cert_len;			/* In */
	u32 reserved1;
	u64 session_address;			/* In */
	u32 session_len;			/* In */
} __packed;
500
501 /**
502 * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters
503 *
504 * @handle: handle of the VM to update
505 * @hdr_address: physical address containing packet header blob
506 * @hdr_len: len of packet header
507 * @guest_address: system physical address of guest memory region
508 * @guest_len: len of guest memory region
509 * @trans_address: system physical address of transport buffer
510 * @trans_len: len of transport buffer
511 */
512 struct sev_data_receive_update_data {
513 u32 handle; /* In */
514 u32 reserved1;
515 u64 hdr_address; /* In */
516 u32 hdr_len; /* In */
517 u32 reserved2;
518 u64 guest_address; /* In */
519 u32 guest_len; /* In */
520 u32 reserved3;
521 u64 trans_address; /* In */
522 u32 trans_len; /* In */
523 } __packed;
524
525 /**
526 * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters
527 *
528 * @handle: handle of the VM to update
529 * @hdr_address: physical address containing packet header blob
530 * @hdr_len: len of packet header
531 * @guest_address: system physical address of guest memory region
532 * @guest_len: len of guest memory region
533 * @trans_address: system physical address of transport buffer
534 * @trans_len: len of transport buffer
535 */
536 struct sev_data_receive_update_vmsa {
537 u32 handle; /* In */
538 u32 reserved1;
539 u64 hdr_address; /* In */
540 u32 hdr_len; /* In */
541 u32 reserved2;
542 u64 guest_address; /* In */
543 u32 guest_len; /* In */
544 u32 reserved3;
545 u64 trans_address; /* In */
546 u32 trans_len; /* In */
547 } __packed;
548
549 /**
550 * struct sev_data_receive_finish - RECEIVE_FINISH command parameters
551 *
552 * @handle: handle of the VM to finish
553 */
554 struct sev_data_receive_finish {
555 u32 handle; /* In */
556 } __packed;
557
558 /**
559 * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters
560 *
561 * @handle: handle of the VM to perform debug operation
562 * @src_addr: source address of data to operate on
563 * @dst_addr: destination address of data to operate on
564 * @len: len of data to operate on
565 */
566 struct sev_data_dbg {
567 u32 handle; /* In */
568 u32 reserved;
569 u64 src_addr; /* In */
570 u64 dst_addr; /* In */
571 u32 len; /* In */
572 } __packed;
573
574 /**
575 * struct sev_data_attestation_report - SEV_ATTESTATION_REPORT command parameters
576 *
577 * @handle: handle of the VM
578 * @mnonce: a random nonce that will be included in the report.
579 * @address: physical address where the report will be copied.
580 * @len: length of the physical buffer.
581 */
582 struct sev_data_attestation_report {
583 u32 handle; /* In */
584 u32 reserved;
585 u64 address; /* In */
586 u8 mnonce[16]; /* In */
587 u32 len; /* In/Out */
588 } __packed;
589
590 /**
591 * struct sev_data_snp_download_firmware - SNP_DOWNLOAD_FIRMWARE command params
592 *
593 * @address: physical address of firmware image
594 * @len: length of the firmware image
595 */
596 struct sev_data_snp_download_firmware {
597 u64 address; /* In */
598 u32 len; /* In */
599 } __packed;
600
601 /**
602 * struct sev_data_snp_activate - SNP_ACTIVATE command params
603 *
604 * @gctx_paddr: system physical address guest context page
605 * @asid: ASID to bind to the guest
606 */
607 struct sev_data_snp_activate {
608 u64 gctx_paddr; /* In */
609 u32 asid; /* In */
610 } __packed;
611
612 /**
613 * struct sev_data_snp_addr - generic SNP command params
614 *
615 * @address: physical address of generic data param
616 */
617 struct sev_data_snp_addr {
618 u64 address; /* In/Out */
619 } __packed;
620
621 /**
622 * struct sev_data_snp_launch_start - SNP_LAUNCH_START command params
623 *
624 * @gctx_paddr: system physical address of guest context page
625 * @policy: guest policy
626 * @ma_gctx_paddr: system physical address of migration agent
627 * @ma_en: the guest is associated with a migration agent
628 * @imi_en: launch flow is launching an IMI (Incoming Migration Image) for the
629 * purpose of guest-assisted migration.
630 * @rsvd: reserved
631 * @desired_tsc_khz: hypervisor desired mean TSC freq in kHz of the guest
632 * @gosvw: guest OS-visible workarounds, as defined by hypervisor
633 */
634 struct sev_data_snp_launch_start {
635 u64 gctx_paddr; /* In */
636 u64 policy; /* In */
637 u64 ma_gctx_paddr; /* In */
638 u32 ma_en:1; /* In */
639 u32 imi_en:1; /* In */
640 u32 rsvd:30;
641 u32 desired_tsc_khz; /* In */
642 u8 gosvw[16]; /* In */
643 } __packed;
644
645 /* SNP support page type */
646 enum {
647 SNP_PAGE_TYPE_NORMAL = 0x1,
648 SNP_PAGE_TYPE_VMSA = 0x2,
649 SNP_PAGE_TYPE_ZERO = 0x3,
650 SNP_PAGE_TYPE_UNMEASURED = 0x4,
651 SNP_PAGE_TYPE_SECRET = 0x5,
652 SNP_PAGE_TYPE_CPUID = 0x6,
653
654 SNP_PAGE_TYPE_MAX
655 };
656
657 /**
658 * struct sev_data_snp_launch_update - SNP_LAUNCH_UPDATE command params
659 *
660 * @gctx_paddr: system physical address of guest context page
661 * @page_size: page size 0 indicates 4K and 1 indicates 2MB page
662 * @page_type: encoded page type
663 * @imi_page: indicates that this page is part of the IMI (Incoming Migration
664 * Image) of the guest
665 * @rsvd: reserved
666 * @rsvd2: reserved
667 * @address: system physical address of destination page to encrypt
668 * @rsvd3: reserved
669 * @vmpl1_perms: VMPL permission mask for VMPL1
670 * @vmpl2_perms: VMPL permission mask for VMPL2
671 * @vmpl3_perms: VMPL permission mask for VMPL3
672 * @rsvd4: reserved
673 */
674 struct sev_data_snp_launch_update {
675 u64 gctx_paddr; /* In */
676 u32 page_size:1; /* In */
677 u32 page_type:3; /* In */
678 u32 imi_page:1; /* In */
679 u32 rsvd:27;
680 u32 rsvd2;
681 u64 address; /* In */
682 u32 rsvd3:8;
683 u32 vmpl1_perms:8; /* In */
684 u32 vmpl2_perms:8; /* In */
685 u32 vmpl3_perms:8; /* In */
686 u32 rsvd4;
687 } __packed;
688
/**
 * struct sev_data_snp_launch_finish - SNP_LAUNCH_FINISH command params
 *
 * @gctx_paddr: system physical address of guest context page
 * @id_block_paddr: system physical address of ID block
 * @id_auth_paddr: system physical address of ID block authentication structure
 * @id_block_en: indicates whether ID block is present
 * @auth_key_en: indicates whether author key is present in authentication structure
 * @vcek_disabled: indicates whether use of VCEK is allowed for attestation reports.
 *	NOTE(review): the field name suggests that setting the bit disables
 *	VCEK use; confirm the polarity against the SEV-SNP firmware ABI.
 * @rsvd: reserved
 * @host_data: host-supplied data for guest, not interpreted by firmware
 */
struct sev_data_snp_launch_finish {
	u64 gctx_paddr;
	u64 id_block_paddr;
	u64 id_auth_paddr;
	u8 id_block_en:1;
	u8 auth_key_en:1;
	u8 vcek_disabled:1;
	/*
	 * u8 and u64 bit-fields are mixed: 3 + 61 bits are presumably meant to
	 * share one 64-bit word, but bit-field allocation is compiler-defined
	 * - TODO confirm the resulting layout (e.g. with pahole).
	 */
	u64 rsvd:61;
	u8 host_data[32];
} __packed;
711
712 /**
713 * struct sev_data_snp_guest_status - SNP_GUEST_STATUS command params
714 *
715 * @gctx_paddr: system physical address of guest context page
716 * @address: system physical address of guest status page
717 */
718 struct sev_data_snp_guest_status {
719 u64 gctx_paddr;
720 u64 address;
721 } __packed;
722
/**
 * struct sev_data_snp_page_reclaim - SNP_PAGE_RECLAIM command params
 *
 * @paddr: system physical address of page to be reclaimed. The 0th bit in the
 *	address indicates the page size. 0h indicates 4KB and 1h indicates
 *	2MB page.
 */
struct sev_data_snp_page_reclaim {
	u64 paddr;
} __packed;
733
734 /**
735 * struct sev_data_snp_page_unsmash - SNP_PAGE_UNSMASH command params
736 *
737 * @paddr: system physical address of page to be unsmashed. The 0th bit in the
738 * address indicates the page size. 0h indicates 4 KB and 1h indicates
739 * 2 MB page.
740 */
741 struct sev_data_snp_page_unsmash {
742 u64 paddr;
743 } __packed;
744
745 /**
746 * struct sev_data_snp_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters
747 *
748 * @gctx_paddr: system physical address of guest context page
749 * @src_addr: source address of data to operate on
750 * @dst_addr: destination address of data to operate on
751 */
752 struct sev_data_snp_dbg {
753 u64 gctx_paddr; /* In */
754 u64 src_addr; /* In */
755 u64 dst_addr; /* In */
756 } __packed;
757
758 /**
759 * struct sev_data_snp_guest_request - SNP_GUEST_REQUEST command params
760 *
761 * @gctx_paddr: system physical address of guest context page
762 * @req_paddr: system physical address of request page
763 * @res_paddr: system physical address of response page
764 */
765 struct sev_data_snp_guest_request {
766 u64 gctx_paddr; /* In */
767 u64 req_paddr; /* In */
768 u64 res_paddr; /* In */
769 } __packed;
770
/**
 * struct sev_data_snp_init_ex - SNP_INIT_EX structure
 *
 * @init_rmp: indicate that the RMP should be initialized.
 * @list_paddr_en: indicate that list_paddr is valid
 * @rapl_dis: presumably requests that RAPL be disabled (cf.
 *	SNP_POLICY_MASK_RAPL_DIS and SNP_RAPL_DISABLE_SUPPORTED in this
 *	header) - TODO confirm
 * @ciphertext_hiding_en: presumably enables ciphertext hiding (cf.
 *	SNP_CIPHER_TEXT_HIDING_SUPPORTED in this header) - TODO confirm
 * @rsvd: reserved
 * @rsvd1: reserved
 * @list_paddr: system physical address of range list
 * @max_snp_asid: maximum ASID usable for SEV-SNP guests; struct
 *	sev_platform_init_args documents a non-zero value as enabling
 *	ciphertext hiding
 * @rsvd2: reserved
 */
struct sev_data_snp_init_ex {
	u32 init_rmp:1;
	u32 list_paddr_en:1;
	u32 rapl_dis:1;
	u32 ciphertext_hiding_en:1;
	u32 rsvd:28;
	u32 rsvd1;
	u64 list_paddr;
	u16 max_snp_asid;
	u8 rsvd2[46];
} __packed;
792
793 /**
794 * struct sev_data_range - RANGE structure
795 *
796 * @base: system physical address of first byte of range
797 * @page_count: number of 4KB pages in this range
798 * @rsvd: reserved
799 */
800 struct sev_data_range {
801 u64 base;
802 u32 page_count;
803 u32 rsvd;
804 } __packed;
805
806 /**
807 * struct sev_data_range_list - RANGE_LIST structure
808 *
809 * @num_elements: number of elements in RANGE_ARRAY
810 * @rsvd: reserved
811 * @ranges: array of num_elements of type RANGE
812 */
813 struct sev_data_range_list {
814 u32 num_elements;
815 u32 rsvd;
816 struct sev_data_range ranges[];
817 } __packed;
818
819 /**
820 * struct sev_data_snp_shutdown_ex - SNP_SHUTDOWN_EX structure
821 *
822 * @len: length of the command buffer read by the PSP
823 * @iommu_snp_shutdown: Disable enforcement of SNP in the IOMMU
824 * @rsvd1: reserved
825 */
826 struct sev_data_snp_shutdown_ex {
827 u32 len;
828 u32 iommu_snp_shutdown:1;
829 u32 rsvd1:31;
830 } __packed;
831
832 /**
833 * struct sev_platform_init_args
834 *
835 * @error: SEV firmware error code
836 * @probe: True if this is being called as part of CCP module probe, which
837 * will defer SEV_INIT/SEV_INIT_EX firmware initialization until needed
838 * unless psp_init_on_probe module param is set
839 * @max_snp_asid: When non-zero, enable ciphertext hiding and specify the
840 * maximum ASID that can be used for an SEV-SNP guest.
841 */
842 struct sev_platform_init_args {
843 int error;
844 bool probe;
845 unsigned int max_snp_asid;
846 };
847
848 /**
849 * struct sev_data_snp_commit - SNP_COMMIT structure
850 *
851 * @len: length of the command buffer read by the PSP
852 */
853 struct sev_data_snp_commit {
854 u32 len;
855 } __packed;
856
/**
 * struct sev_data_snp_feature_info - SEV_SNP_FEATURE_INFO structure
 *
 * @length: len of the command buffer read by the PSP
 * @ecx_in: subfunction index
 * @feature_info_paddr: System Physical Address of the FEATURE_INFO structure
 */
struct sev_data_snp_feature_info {
	u32 length;
	u32 ecx_in;
	u64 feature_info_paddr;
} __packed;
869
/**
 * struct snp_feature_info - FEATURE_INFO structure
 *
 * @eax: output of SNP_FEATURE_INFO command
 * @ebx: output of SNP_FEATURE_INFO command
 * @ecx: output of SNP_FEATURE_INFO command
 * @edx: output of SNP_FEATURE_INFO command
 */
struct snp_feature_info {
	u32 eax;
	u32 ebx;
	u32 ecx;
	u32 edx;
} __packed;
884
885 #define SNP_RAPL_DISABLE_SUPPORTED BIT(2)
886 #define SNP_CIPHER_TEXT_HIDING_SUPPORTED BIT(3)
887 #define SNP_AES_256_XTS_POLICY_SUPPORTED BIT(4)
888 #define SNP_CXL_ALLOW_POLICY_SUPPORTED BIT(5)
889
890 #ifdef CONFIG_CRYPTO_DEV_SP_PSP
891
892 /**
893 * sev_module_init - perform PSP SEV module initialization
894 *
895 * Returns:
896 * 0 if the PSP module is successfully initialized
897 * negative value if the PSP module initialization fails
898 */
899 int sev_module_init(void);
900
901 /**
902 * sev_platform_init - perform SEV INIT command
903 *
904 * @args: struct sev_platform_init_args to pass in arguments
905 *
906 * Returns:
907 * 0 if the SEV successfully processed the command
908 * -%ENODEV if the SEV device is not available
909 * -%ENOTSUPP if the SEV does not support SEV
910 * -%ETIMEDOUT if the SEV command timed out
911 * -%EIO if the SEV returned a non-zero return code
912 */
913 int sev_platform_init(struct sev_platform_init_args *args);
914
915 /**
916 * sev_platform_status - perform SEV PLATFORM_STATUS command
917 *
918 * @status: sev_user_data_status structure to be processed
919 * @error: SEV command return code
920 *
921 * Returns:
922 * 0 if the SEV successfully processed the command
923 * -%ENODEV if the SEV device is not available
924 * -%ENOTSUPP if the SEV does not support SEV
925 * -%ETIMEDOUT if the SEV command timed out
926 * -%EIO if the SEV returned a non-zero return code
927 */
928 int sev_platform_status(struct sev_user_data_status *status, int *error);
929
/**
 * sev_issue_cmd_external_user - issue SEV command by other driver with a file
 * handle.
 *
 * This function can be used by other drivers to issue a SEV command on
 * behalf of userspace. The caller must pass a valid SEV file descriptor
 * so that we know that it has access to SEV device.
 *
 * @filep: SEV device file pointer
 * @id: command to issue
 * @data: command buffer
 * @error: SEV command return code
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV    if the SEV device is not available
 * -%ENOTSUPP  if the SEV does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO       if the SEV returned a non-zero return code
 * -%EINVAL    if the SEV file descriptor is not valid
 */
int sev_issue_cmd_external_user(struct file *filep, unsigned int id,
				void *data, int *error);
953
/**
 * sev_guest_deactivate - perform SEV DEACTIVATE command
 *
 * @data: sev_data_deactivate structure to be processed
 * @error: sev command return code
 *
 * Returns:
 * 0 if the sev successfully processed the command
 * -%ENODEV    if the sev device is not available
 * -%ENOTSUPP  if the sev does not support SEV
 * -%ETIMEDOUT if the sev command timed out
 * -%EIO       if the sev returned a non-zero return code
 */
int sev_guest_deactivate(struct sev_data_deactivate *data, int *error);
968
/**
 * sev_guest_activate - perform SEV ACTIVATE command
 *
 * @data: sev_data_activate structure to be processed
 * @error: sev command return code
 *
 * Returns:
 * 0 if the sev successfully processed the command
 * -%ENODEV    if the sev device is not available
 * -%ENOTSUPP  if the sev does not support SEV
 * -%ETIMEDOUT if the sev command timed out
 * -%EIO       if the sev returned a non-zero return code
 */
int sev_guest_activate(struct sev_data_activate *data, int *error);
983
/**
 * sev_guest_df_flush - perform SEV DF_FLUSH command
 *
 * @error: sev command return code
 *
 * Returns:
 * 0 if the sev successfully processed the command
 * -%ENODEV    if the sev device is not available
 * -%ENOTSUPP  if the sev does not support SEV
 * -%ETIMEDOUT if the sev command timed out
 * -%EIO       if the sev returned a non-zero return code
 */
int sev_guest_df_flush(int *error);
997
/**
 * sev_guest_decommission - perform SEV DECOMMISSION command
 *
 * @data: sev_data_decommission structure to be processed
 * @error: sev command return code
 *
 * Returns:
 * 0 if the sev successfully processed the command
 * -%ENODEV    if the sev device is not available
 * -%ENOTSUPP  if the sev does not support SEV
 * -%ETIMEDOUT if the sev command timed out
 * -%EIO       if the sev returned a non-zero return code
 */
int sev_guest_decommission(struct sev_data_decommission *data, int *error);
1012
1013 /**
1014 * sev_do_cmd - issue an SEV or an SEV-SNP command
1015 *
1016 * @cmd: SEV or SEV-SNP firmware command to issue
1017 * @data: arguments for firmware command
1018 * @psp_ret: SEV command return code
1019 *
1020 * Returns:
1021 * 0 if the SEV device successfully processed the command
1022 * -%ENODEV if the PSP device is not available
1023 * -%ENOTSUPP if PSP device does not support SEV
1024 * -%ETIMEDOUT if the SEV command timed out
1025 * -%EIO if PSP device returned a non-zero return code
1026 */
1027 int sev_do_cmd(int cmd, void *data, int *psp_ret);
1028
/*
 * The helpers below carry no kernel-doc in this header; the notes are limited
 * to what the header itself shows.
 *
 * NOTE(review): the !CONFIG_CRYPTO_DEV_SP_PSP branch of this header has no
 * stub for sev_get_snp_policy_bits() or sev_module_init(); confirm that every
 * caller is only built when the PSP driver is enabled.
 */

/*
 * The stub variant reports failure as an ERR_PTR() value, so test the result
 * with IS_ERR() rather than against NULL.
 */
void *psp_copy_user_blob(u64 uaddr, u32 len);
/* The stub variant returns NULL; check the result before use. */
void *snp_alloc_firmware_page(gfp_t mask);
void snp_free_firmware_page(void *addr);
void sev_platform_shutdown(void);
/* The stub variant returns false. */
bool sev_is_snp_ciphertext_hiding_supported(void);
/*
 * presumably a mask of SNP_POLICY_MASK_* bits; u64 matches the width of
 * sev_data_snp_launch_start.policy - TODO confirm
 */
u64 sev_get_snp_policy_bits(void);
1035
1036 #else /* !CONFIG_CRYPTO_DEV_SP_PSP */
1037
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: there is no SEV
 * device to query, so fail with -ENODEV. Neither @status nor @error is
 * written, so callers must not read them after this failure.
 */
static inline int sev_platform_status(struct sev_user_data_status *status,
				      int *error)
{
	return -ENODEV;
}
1040
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: there is no SEV
 * device to initialise, so fail with -ENODEV. @args is not touched, so
 * args->error keeps whatever the caller stored there.
 */
static inline int sev_platform_init(struct sev_platform_init_args *args)
{
	return -ENODEV;
}
1042
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: no DEACTIVATE
 * command can be issued, so fail with -ENODEV. @error is left unwritten.
 */
static inline int sev_guest_deactivate(struct sev_data_deactivate *data,
				       int *error)
{
	return -ENODEV;
}
1045
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: no DECOMMISSION
 * command can be issued, so fail with -ENODEV. @error is left unwritten.
 */
static inline int sev_guest_decommission(struct sev_data_decommission *data,
					 int *error)
{
	return -ENODEV;
}
1048
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: no firmware
 * command can be issued, so fail with -ENODEV. @data and @psp_ret are left
 * unwritten.
 */
static inline int sev_do_cmd(int cmd, void *data, int *psp_ret)
{
	return -ENODEV;
}
1051
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: no ACTIVATE
 * command can be issued, so fail with -ENODEV. @error is left unwritten.
 */
static inline int sev_guest_activate(struct sev_data_activate *data,
				     int *error)
{
	return -ENODEV;
}
1054
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: no DF_FLUSH
 * command can be issued, so fail with -ENODEV. @error is left unwritten.
 */
static inline int sev_guest_df_flush(int *error)
{
	return -ENODEV;
}
1056
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: no command can be
 * issued on behalf of userspace, so fail with -ENODEV. @filep is not
 * inspected and @error is left unwritten.
 */
static inline int sev_issue_cmd_external_user(struct file *filep,
					      unsigned int id, void *data,
					      int *error)
{
	return -ENODEV;
}
1059
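/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: nothing can be
 * copied, so return ERR_PTR(-EINVAL). The result is an error pointer, not
 * NULL, so callers have to test it with IS_ERR().
 *
 * @uaddr is a plain u64, matching the prototype in the
 * CONFIG_CRYPTO_DEV_SP_PSP branch of this header; the __user address-space
 * annotation is meant for pointer types and was dropped from this integer
 * parameter.
 */
static inline void *psp_copy_user_blob(u64 uaddr, u32 len)
{
	return ERR_PTR(-EINVAL);
}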
1061
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: no firmware page
 * can be allocated, so always return NULL. @mask is ignored.
 */
static inline void *snp_alloc_firmware_page(gfp_t mask) { return NULL; }
1066
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: the matching
 * allocator stub never hands out a page, so there is nothing to free.
 */
static inline void snp_free_firmware_page(void *addr)
{
}
1068
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: no platform was
 * initialised, so shutdown is a no-op.
 */
static inline void sev_platform_shutdown(void)
{
}
1070
/*
 * Stub for kernels built without CONFIG_CRYPTO_DEV_SP_PSP: without the PSP
 * driver ciphertext hiding is reported as unsupported.
 */
static inline bool sev_is_snp_ciphertext_hiding_supported(void)
{
	return false;
}
1072
1073 #endif /* CONFIG_CRYPTO_DEV_SP_PSP */
1074
1075 #endif /* __PSP_SEV_H__ */
1076