1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* 3 * AMD Secure Encrypted Virtualization (SEV) driver interface 4 * 5 * Copyright (C) 2016-2017 Advanced Micro Devices, Inc. 6 * 7 * Author: Brijesh Singh <brijesh.singh@amd.com> 8 * 9 * SEV API spec is available at https://developer.amd.com/sev 10 */ 11 12 #ifndef __PSP_SEV_H__ 13 #define __PSP_SEV_H__ 14 15 #include <uapi/linux/psp-sev.h> 16 17 #define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ 18 19 /** 20 * SEV platform state 21 */ 22 enum sev_state { 23 SEV_STATE_UNINIT = 0x0, 24 SEV_STATE_INIT = 0x1, 25 SEV_STATE_WORKING = 0x2, 26 27 SEV_STATE_MAX 28 }; 29 30 /** 31 * SEV platform and guest management commands 32 */ 33 enum sev_cmd { 34 /* platform commands */ 35 SEV_CMD_INIT = 0x001, 36 SEV_CMD_SHUTDOWN = 0x002, 37 SEV_CMD_FACTORY_RESET = 0x003, 38 SEV_CMD_PLATFORM_STATUS = 0x004, 39 SEV_CMD_PEK_GEN = 0x005, 40 SEV_CMD_PEK_CSR = 0x006, 41 SEV_CMD_PEK_CERT_IMPORT = 0x007, 42 SEV_CMD_PDH_CERT_EXPORT = 0x008, 43 SEV_CMD_PDH_GEN = 0x009, 44 SEV_CMD_DF_FLUSH = 0x00A, 45 SEV_CMD_DOWNLOAD_FIRMWARE = 0x00B, 46 SEV_CMD_GET_ID = 0x00C, 47 SEV_CMD_INIT_EX = 0x00D, 48 49 /* Guest commands */ 50 SEV_CMD_DECOMMISSION = 0x020, 51 SEV_CMD_ACTIVATE = 0x021, 52 SEV_CMD_DEACTIVATE = 0x022, 53 SEV_CMD_GUEST_STATUS = 0x023, 54 55 /* Guest launch commands */ 56 SEV_CMD_LAUNCH_START = 0x030, 57 SEV_CMD_LAUNCH_UPDATE_DATA = 0x031, 58 SEV_CMD_LAUNCH_UPDATE_VMSA = 0x032, 59 SEV_CMD_LAUNCH_MEASURE = 0x033, 60 SEV_CMD_LAUNCH_UPDATE_SECRET = 0x034, 61 SEV_CMD_LAUNCH_FINISH = 0x035, 62 SEV_CMD_ATTESTATION_REPORT = 0x036, 63 64 /* Guest migration commands (outgoing) */ 65 SEV_CMD_SEND_START = 0x040, 66 SEV_CMD_SEND_UPDATE_DATA = 0x041, 67 SEV_CMD_SEND_UPDATE_VMSA = 0x042, 68 SEV_CMD_SEND_FINISH = 0x043, 69 SEV_CMD_SEND_CANCEL = 0x044, 70 71 /* Guest migration commands (incoming) */ 72 SEV_CMD_RECEIVE_START = 0x050, 73 SEV_CMD_RECEIVE_UPDATE_DATA = 0x051, 74 SEV_CMD_RECEIVE_UPDATE_VMSA = 0x052, 75 SEV_CMD_RECEIVE_FINISH = 0x053, 76 77 /* Guest debug commands */ 78 SEV_CMD_DBG_DECRYPT = 0x060, 79 SEV_CMD_DBG_ENCRYPT = 0x061, 80 81 /* SNP specific commands */ 82 SEV_CMD_SNP_INIT = 0x081, 83 SEV_CMD_SNP_SHUTDOWN = 0x082, 84 SEV_CMD_SNP_PLATFORM_STATUS = 0x083, 85 SEV_CMD_SNP_DF_FLUSH = 0x084, 86 SEV_CMD_SNP_INIT_EX = 0x085, 87 SEV_CMD_SNP_SHUTDOWN_EX = 0x086, 88 SEV_CMD_SNP_DECOMMISSION = 0x090, 89 SEV_CMD_SNP_ACTIVATE = 0x091, 90 SEV_CMD_SNP_GUEST_STATUS = 0x092, 91 SEV_CMD_SNP_GCTX_CREATE = 0x093, 92 SEV_CMD_SNP_GUEST_REQUEST = 0x094, 93 SEV_CMD_SNP_ACTIVATE_EX = 0x095, 94 SEV_CMD_SNP_LAUNCH_START = 0x0A0, 95 SEV_CMD_SNP_LAUNCH_UPDATE = 0x0A1, 96 SEV_CMD_SNP_LAUNCH_FINISH = 0x0A2, 97 SEV_CMD_SNP_DBG_DECRYPT = 0x0B0, 98 SEV_CMD_SNP_DBG_ENCRYPT = 0x0B1, 99 SEV_CMD_SNP_PAGE_SWAP_OUT = 0x0C0, 100 SEV_CMD_SNP_PAGE_SWAP_IN = 0x0C1, 101 SEV_CMD_SNP_PAGE_MOVE = 0x0C2, 102 SEV_CMD_SNP_PAGE_MD_INIT = 0x0C3, 103 SEV_CMD_SNP_PAGE_SET_STATE = 0x0C6, 104 SEV_CMD_SNP_PAGE_RECLAIM = 0x0C7, 105 SEV_CMD_SNP_PAGE_UNSMASH = 0x0C8, 106 SEV_CMD_SNP_CONFIG = 0x0C9, 107 SEV_CMD_SNP_DOWNLOAD_FIRMWARE_EX = 0x0CA, 108 SEV_CMD_SNP_COMMIT = 0x0CB, 109 SEV_CMD_SNP_VLEK_LOAD = 0x0CD, 110 111 SEV_CMD_MAX, 112 }; 113 114 /** 115 * struct sev_data_init - INIT command parameters 116 * 117 * @flags: processing flags 118 * @tmr_address: system physical address used for SEV-ES 119 * @tmr_len: len of tmr_address 120 */ 121 struct sev_data_init { 122 u32 flags; /* In */ 123 u32 reserved; /* In */ 124 u64 tmr_address; /* In */ 125 u32 tmr_len; /* In */ 126 } __packed; 127 128 /** 129 * struct sev_data_init_ex - INIT_EX command parameters 130 * 131 * @length: len of the command buffer read by the PSP 132 * @flags: processing flags 133 * @tmr_address: system physical address used for SEV-ES 134 * @tmr_len: len of tmr_address 135 * @nv_address: system physical address used for PSP NV storage 136 * @nv_len: len of nv_address 137 */ 138 struct sev_data_init_ex { 139 u32 length; /* In */ 140 u32 flags; /* In */ 141 u64 tmr_address; /* In */ 142 u32 tmr_len; /* In */ 143 u32 reserved; /* In */ 144 u64 nv_address; /* In/Out */ 145 u32 nv_len; /* In */ 146 } __packed; 147 148 #define SEV_INIT_FLAGS_SEV_ES 0x01 149 150 /** 151 * struct sev_data_pek_csr - PEK_CSR command parameters 152 * 153 * @address: PEK certificate chain 154 * @len: len of certificate 155 */ 156 struct sev_data_pek_csr { 157 u64 address; /* In */ 158 u32 len; /* In/Out */ 159 } __packed; 160 161 /** 162 * struct sev_data_cert_import - PEK_CERT_IMPORT command parameters 163 * 164 * @pek_address: PEK certificate chain 165 * @pek_len: len of PEK certificate 166 * @oca_address: OCA certificate chain 167 * @oca_len: len of OCA certificate 168 */ 169 struct sev_data_pek_cert_import { 170 u64 pek_cert_address; /* In */ 171 u32 pek_cert_len; /* In */ 172 u32 reserved; /* In */ 173 u64 oca_cert_address; /* In */ 174 u32 oca_cert_len; /* In */ 175 } __packed; 176 177 /** 178 * struct sev_data_download_firmware - DOWNLOAD_FIRMWARE command parameters 179 * 180 * @address: physical address of firmware image 181 * @len: len of the firmware image 182 */ 183 struct sev_data_download_firmware { 184 u64 address; /* In */ 185 u32 len; /* In */ 186 } __packed; 187 188 /** 189 * struct sev_data_get_id - GET_ID command parameters 190 * 191 * @address: physical address of region to place unique CPU ID(s) 192 * @len: len of the region 193 */ 194 struct sev_data_get_id { 195 u64 address; /* In */ 196 u32 len; /* In/Out */ 197 } __packed; 198 /** 199 * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters 200 * 201 * @pdh_address: PDH certificate address 202 * @pdh_len: len of PDH certificate 203 * @cert_chain_address: PDH certificate chain 204 * @cert_chain_len: len of PDH certificate chain 205 */ 206 struct sev_data_pdh_cert_export { 207 u64 pdh_cert_address; /* In */ 208 u32 pdh_cert_len; /* In/Out */ 209 u32 reserved; /* In */ 210 u64 cert_chain_address; /* In */ 211 u32 cert_chain_len; /* In/Out */ 212 } __packed; 213 214 /** 215 * struct sev_data_decommission - DECOMMISSION command parameters 216 * 217 * @handle: handle of the VM to decommission 218 */ 219 struct sev_data_decommission { 220 u32 handle; /* In */ 221 } __packed; 222 223 /** 224 * struct sev_data_activate - ACTIVATE command parameters 225 * 226 * @handle: handle of the VM to activate 227 * @asid: asid assigned to the VM 228 */ 229 struct sev_data_activate { 230 u32 handle; /* In */ 231 u32 asid; /* In */ 232 } __packed; 233 234 /** 235 * struct sev_data_deactivate - DEACTIVATE command parameters 236 * 237 * @handle: handle of the VM to deactivate 238 */ 239 struct sev_data_deactivate { 240 u32 handle; /* In */ 241 } __packed; 242 243 /** 244 * struct sev_data_guest_status - SEV GUEST_STATUS command parameters 245 * 246 * @handle: handle of the VM to retrieve status 247 * @policy: policy information for the VM 248 * @asid: current ASID of the VM 249 * @state: current state of the VM 250 */ 251 struct sev_data_guest_status { 252 u32 handle; /* In */ 253 u32 policy; /* Out */ 254 u32 asid; /* Out */ 255 u8 state; /* Out */ 256 } __packed; 257 258 /** 259 * struct sev_data_launch_start - LAUNCH_START command parameters 260 * 261 * @handle: handle assigned to the VM 262 * @policy: guest launch policy 263 * @dh_cert_address: physical address of DH certificate blob 264 * @dh_cert_len: len of DH certificate blob 265 * @session_address: physical address of session parameters 266 * @session_len: len of session parameters 267 */ 268 struct sev_data_launch_start { 269 u32 handle; /* In/Out */ 270 u32 policy; /* In */ 271 u64 dh_cert_address; /* In */ 272 u32 dh_cert_len; /* In */ 273 u32 reserved; /* In */ 274 u64 session_address; /* In */ 275 u32 session_len; /* In */ 276 } __packed; 277 278 /** 279 * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameter 280 * 281 * @handle: handle of the VM to update 282 * @len: len of memory to be encrypted 283 * @address: physical address of memory region to encrypt 284 */ 285 struct sev_data_launch_update_data { 286 u32 handle; /* In */ 287 u32 reserved; 288 u64 address; /* In */ 289 u32 len; /* In */ 290 } __packed; 291 292 /** 293 * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command 294 * 295 * @handle: handle of the VM 296 * @address: physical address of memory region to encrypt 297 * @len: len of memory region to encrypt 298 */ 299 struct sev_data_launch_update_vmsa { 300 u32 handle; /* In */ 301 u32 reserved; 302 u64 address; /* In */ 303 u32 len; /* In */ 304 } __packed; 305 306 /** 307 * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters 308 * 309 * @handle: handle of the VM to process 310 * @address: physical address containing the measurement blob 311 * @len: len of measurement blob 312 */ 313 struct sev_data_launch_measure { 314 u32 handle; /* In */ 315 u32 reserved; 316 u64 address; /* In */ 317 u32 len; /* In/Out */ 318 } __packed; 319 320 /** 321 * struct sev_data_launch_secret - LAUNCH_SECRET command parameters 322 * 323 * @handle: handle of the VM to process 324 * @hdr_address: physical address containing the packet header 325 * @hdr_len: len of packet header 326 * @guest_address: system physical address of guest memory region 327 * @guest_len: len of guest_paddr 328 * @trans_address: physical address of transport memory buffer 329 * @trans_len: len of transport memory buffer 330 */ 331 struct sev_data_launch_secret { 332 u32 handle; /* In */ 333 u32 reserved1; 334 u64 hdr_address; /* In */ 335 u32 hdr_len; /* In */ 336 u32 reserved2; 337 u64 guest_address; /* In */ 338 u32 guest_len; /* In */ 339 u32 reserved3; 340 u64 trans_address; /* In */ 341 u32 trans_len; /* In */ 342 } __packed; 343 344 /** 345 * struct sev_data_launch_finish - LAUNCH_FINISH command parameters 346 * 347 * @handle: handle of the VM to process 348 */ 349 struct sev_data_launch_finish { 350 u32 handle; /* In */ 351 } __packed; 352 353 /** 354 * struct sev_data_send_start - SEND_START command parameters 355 * 356 * @handle: handle of the VM to process 357 * @policy: policy information for the VM 358 * @pdh_cert_address: physical address containing PDH certificate 359 * @pdh_cert_len: len of PDH certificate 360 * @plat_certs_address: physical address containing platform certificate 361 * @plat_certs_len: len of platform certificate 362 * @amd_certs_address: physical address containing AMD certificate 363 * @amd_certs_len: len of AMD certificate 364 * @session_address: physical address containing Session data 365 * @session_len: len of session data 366 */ 367 struct sev_data_send_start { 368 u32 handle; /* In */ 369 u32 policy; /* Out */ 370 u64 pdh_cert_address; /* In */ 371 u32 pdh_cert_len; /* In */ 372 u32 reserved1; 373 u64 plat_certs_address; /* In */ 374 u32 plat_certs_len; /* In */ 375 u32 reserved2; 376 u64 amd_certs_address; /* In */ 377 u32 amd_certs_len; /* In */ 378 u32 reserved3; 379 u64 session_address; /* In */ 380 u32 session_len; /* In/Out */ 381 } __packed; 382 383 /** 384 * struct sev_data_send_update - SEND_UPDATE_DATA command 385 * 386 * @handle: handle of the VM to process 387 * @hdr_address: physical address containing packet header 388 * @hdr_len: len of packet header 389 * @guest_address: physical address of guest memory region to send 390 * @guest_len: len of guest memory region to send 391 * @trans_address: physical address of host memory region 392 * @trans_len: len of host memory region 393 */ 394 struct sev_data_send_update_data { 395 u32 handle; /* In */ 396 u32 reserved1; 397 u64 hdr_address; /* In */ 398 u32 hdr_len; /* In/Out */ 399 u32 reserved2; 400 u64 guest_address; /* In */ 401 u32 guest_len; /* In */ 402 u32 reserved3; 403 u64 trans_address; /* In */ 404 u32 trans_len; /* In */ 405 } __packed; 406 407 /** 408 * struct sev_data_send_update - SEND_UPDATE_VMSA command 409 * 410 * @handle: handle of the VM to process 411 * @hdr_address: physical address containing packet header 412 * @hdr_len: len of packet header 413 * @guest_address: physical address of guest memory region to send 414 * @guest_len: len of guest memory region to send 415 * @trans_address: physical address of host memory region 416 * @trans_len: len of host memory region 417 */ 418 struct sev_data_send_update_vmsa { 419 u32 handle; /* In */ 420 u64 hdr_address; /* In */ 421 u32 hdr_len; /* In/Out */ 422 u32 reserved2; 423 u64 guest_address; /* In */ 424 u32 guest_len; /* In */ 425 u32 reserved3; 426 u64 trans_address; /* In */ 427 u32 trans_len; /* In */ 428 } __packed; 429 430 /** 431 * struct sev_data_send_finish - SEND_FINISH command parameters 432 * 433 * @handle: handle of the VM to process 434 */ 435 struct sev_data_send_finish { 436 u32 handle; /* In */ 437 } __packed; 438 439 /** 440 * struct sev_data_send_cancel - SEND_CANCEL command parameters 441 * 442 * @handle: handle of the VM to process 443 */ 444 struct sev_data_send_cancel { 445 u32 handle; /* In */ 446 } __packed; 447 448 /** 449 * struct sev_data_receive_start - RECEIVE_START command parameters 450 * 451 * @handle: handle of the VM to perform receive operation 452 * @pdh_cert_address: system physical address containing PDH certificate blob 453 * @pdh_cert_len: len of PDH certificate blob 454 * @session_address: system physical address containing session blob 455 * @session_len: len of session blob 456 */ 457 struct sev_data_receive_start { 458 u32 handle; /* In/Out */ 459 u32 policy; /* In */ 460 u64 pdh_cert_address; /* In */ 461 u32 pdh_cert_len; /* In */ 462 u32 reserved1; 463 u64 session_address; /* In */ 464 u32 session_len; /* In */ 465 } __packed; 466 467 /** 468 * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters 469 * 470 * @handle: handle of the VM to update 471 * @hdr_address: physical address containing packet header blob 472 * @hdr_len: len of packet header 473 * @guest_address: system physical address of guest memory region 474 * @guest_len: len of guest memory region 475 * @trans_address: system physical address of transport buffer 476 * @trans_len: len of transport buffer 477 */ 478 struct sev_data_receive_update_data { 479 u32 handle; /* In */ 480 u32 reserved1; 481 u64 hdr_address; /* In */ 482 u32 hdr_len; /* In */ 483 u32 reserved2; 484 u64 guest_address; /* In */ 485 u32 guest_len; /* In */ 486 u32 reserved3; 487 u64 trans_address; /* In */ 488 u32 trans_len; /* In */ 489 } __packed; 490 491 /** 492 * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters 493 * 494 * @handle: handle of the VM to update 495 * @hdr_address: physical address containing packet header blob 496 * @hdr_len: len of packet header 497 * @guest_address: system physical address of guest memory region 498 * @guest_len: len of guest memory region 499 * @trans_address: system physical address of transport buffer 500 * @trans_len: len of transport buffer 501 */ 502 struct sev_data_receive_update_vmsa { 503 u32 handle; /* In */ 504 u32 reserved1; 505 u64 hdr_address; /* In */ 506 u32 hdr_len; /* In */ 507 u32 reserved2; 508 u64 guest_address; /* In */ 509 u32 guest_len; /* In */ 510 u32 reserved3; 511 u64 trans_address; /* In */ 512 u32 trans_len; /* In */ 513 } __packed; 514 515 /** 516 * struct sev_data_receive_finish - RECEIVE_FINISH command parameters 517 * 518 * @handle: handle of the VM to finish 519 */ 520 struct sev_data_receive_finish { 521 u32 handle; /* In */ 522 } __packed; 523 524 /** 525 * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters 526 * 527 * @handle: handle of the VM to perform debug operation 528 * @src_addr: source address of data to operate on 529 * @dst_addr: destination address of data to operate on 530 * @len: len of data to operate on 531 */ 532 struct sev_data_dbg { 533 u32 handle; /* In */ 534 u32 reserved; 535 u64 src_addr; /* In */ 536 u64 dst_addr; /* In */ 537 u32 len; /* In */ 538 } __packed; 539 540 /** 541 * struct sev_data_attestation_report - SEV_ATTESTATION_REPORT command parameters 542 * 543 * @handle: handle of the VM 544 * @mnonce: a random nonce that will be included in the report. 545 * @address: physical address where the report will be copied. 546 * @len: length of the physical buffer. 547 */ 548 struct sev_data_attestation_report { 549 u32 handle; /* In */ 550 u32 reserved; 551 u64 address; /* In */ 552 u8 mnonce[16]; /* In */ 553 u32 len; /* In/Out */ 554 } __packed; 555 556 /** 557 * struct sev_data_snp_download_firmware - SNP_DOWNLOAD_FIRMWARE command params 558 * 559 * @address: physical address of firmware image 560 * @len: length of the firmware image 561 */ 562 struct sev_data_snp_download_firmware { 563 u64 address; /* In */ 564 u32 len; /* In */ 565 } __packed; 566 567 /** 568 * struct sev_data_snp_activate - SNP_ACTIVATE command params 569 * 570 * @gctx_paddr: system physical address guest context page 571 * @asid: ASID to bind to the guest 572 */ 573 struct sev_data_snp_activate { 574 u64 gctx_paddr; /* In */ 575 u32 asid; /* In */ 576 } __packed; 577 578 /** 579 * struct sev_data_snp_addr - generic SNP command params 580 * 581 * @address: physical address of generic data param 582 */ 583 struct sev_data_snp_addr { 584 u64 address; /* In/Out */ 585 } __packed; 586 587 /** 588 * struct sev_data_snp_launch_start - SNP_LAUNCH_START command params 589 * 590 * @gctx_paddr: system physical address of guest context page 591 * @policy: guest policy 592 * @ma_gctx_paddr: system physical address of migration agent 593 * @ma_en: the guest is associated with a migration agent 594 * @imi_en: launch flow is launching an IMI (Incoming Migration Image) for the 595 * purpose of guest-assisted migration. 596 * @rsvd: reserved 597 * @gosvw: guest OS-visible workarounds, as defined by hypervisor 598 */ 599 struct sev_data_snp_launch_start { 600 u64 gctx_paddr; /* In */ 601 u64 policy; /* In */ 602 u64 ma_gctx_paddr; /* In */ 603 u32 ma_en:1; /* In */ 604 u32 imi_en:1; /* In */ 605 u32 rsvd:30; 606 u8 gosvw[16]; /* In */ 607 } __packed; 608 609 /* SNP support page type */ 610 enum { 611 SNP_PAGE_TYPE_NORMAL = 0x1, 612 SNP_PAGE_TYPE_VMSA = 0x2, 613 SNP_PAGE_TYPE_ZERO = 0x3, 614 SNP_PAGE_TYPE_UNMEASURED = 0x4, 615 SNP_PAGE_TYPE_SECRET = 0x5, 616 SNP_PAGE_TYPE_CPUID = 0x6, 617 618 SNP_PAGE_TYPE_MAX 619 }; 620 621 /** 622 * struct sev_data_snp_launch_update - SNP_LAUNCH_UPDATE command params 623 * 624 * @gctx_paddr: system physical address of guest context page 625 * @page_size: page size 0 indicates 4K and 1 indicates 2MB page 626 * @page_type: encoded page type 627 * @imi_page: indicates that this page is part of the IMI (Incoming Migration 628 * Image) of the guest 629 * @rsvd: reserved 630 * @rsvd2: reserved 631 * @address: system physical address of destination page to encrypt 632 * @rsvd3: reserved 633 * @vmpl1_perms: VMPL permission mask for VMPL1 634 * @vmpl2_perms: VMPL permission mask for VMPL2 635 * @vmpl3_perms: VMPL permission mask for VMPL3 636 * @rsvd4: reserved 637 */ 638 struct sev_data_snp_launch_update { 639 u64 gctx_paddr; /* In */ 640 u32 page_size:1; /* In */ 641 u32 page_type:3; /* In */ 642 u32 imi_page:1; /* In */ 643 u32 rsvd:27; 644 u32 rsvd2; 645 u64 address; /* In */ 646 u32 rsvd3:8; 647 u32 vmpl1_perms:8; /* In */ 648 u32 vmpl2_perms:8; /* In */ 649 u32 vmpl3_perms:8; /* In */ 650 u32 rsvd4; 651 } __packed; 652 653 /** 654 * struct sev_data_snp_launch_finish - SNP_LAUNCH_FINISH command params 655 * 656 * @gctx_paddr: system physical address of guest context page 657 * @id_block_paddr: system physical address of ID block 658 * @id_auth_paddr: system physical address of ID block authentication structure 659 * @id_block_en: indicates whether ID block is present 660 * @auth_key_en: indicates whether author key is present in authentication structure 661 * @vcek_disabled: indicates whether use of VCEK is allowed for attestation reports 662 * @rsvd: reserved 663 * @host_data: host-supplied data for guest, not interpreted by firmware 664 */ 665 struct sev_data_snp_launch_finish { 666 u64 gctx_paddr; 667 u64 id_block_paddr; 668 u64 id_auth_paddr; 669 u8 id_block_en:1; 670 u8 auth_key_en:1; 671 u8 vcek_disabled:1; 672 u64 rsvd:61; 673 u8 host_data[32]; 674 } __packed; 675 676 /** 677 * struct sev_data_snp_guest_status - SNP_GUEST_STATUS command params 678 * 679 * @gctx_paddr: system physical address of guest context page 680 * @address: system physical address of guest status page 681 */ 682 struct sev_data_snp_guest_status { 683 u64 gctx_paddr; 684 u64 address; 685 } __packed; 686 687 /** 688 * struct sev_data_snp_page_reclaim - SNP_PAGE_RECLAIM command params 689 * 690 * @paddr: system physical address of page to be claimed. The 0th bit in the 691 * address indicates the page size. 0h indicates 4KB and 1h indicates 692 * 2MB page. 693 */ 694 struct sev_data_snp_page_reclaim { 695 u64 paddr; 696 } __packed; 697 698 /** 699 * struct sev_data_snp_page_unsmash - SNP_PAGE_UNSMASH command params 700 * 701 * @paddr: system physical address of page to be unsmashed. The 0th bit in the 702 * address indicates the page size. 0h indicates 4 KB and 1h indicates 703 * 2 MB page. 704 */ 705 struct sev_data_snp_page_unsmash { 706 u64 paddr; 707 } __packed; 708 709 /** 710 * struct sev_data_snp_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters 711 * 712 * @gctx_paddr: system physical address of guest context page 713 * @src_addr: source address of data to operate on 714 * @dst_addr: destination address of data to operate on 715 */ 716 struct sev_data_snp_dbg { 717 u64 gctx_paddr; /* In */ 718 u64 src_addr; /* In */ 719 u64 dst_addr; /* In */ 720 } __packed; 721 722 /** 723 * struct sev_data_snp_guest_request - SNP_GUEST_REQUEST command params 724 * 725 * @gctx_paddr: system physical address of guest context page 726 * @req_paddr: system physical address of request page 727 * @res_paddr: system physical address of response page 728 */ 729 struct sev_data_snp_guest_request { 730 u64 gctx_paddr; /* In */ 731 u64 req_paddr; /* In */ 732 u64 res_paddr; /* In */ 733 } __packed; 734 735 /** 736 * struct sev_data_snp_init_ex - SNP_INIT_EX structure 737 * 738 * @init_rmp: indicate that the RMP should be initialized. 739 * @list_paddr_en: indicate that list_paddr is valid 740 * @rsvd: reserved 741 * @rsvd1: reserved 742 * @list_paddr: system physical address of range list 743 * @rsvd2: reserved 744 */ 745 struct sev_data_snp_init_ex { 746 u32 init_rmp:1; 747 u32 list_paddr_en:1; 748 u32 rsvd:30; 749 u32 rsvd1; 750 u64 list_paddr; 751 u8 rsvd2[48]; 752 } __packed; 753 754 /** 755 * struct sev_data_range - RANGE structure 756 * 757 * @base: system physical address of first byte of range 758 * @page_count: number of 4KB pages in this range 759 * @rsvd: reserved 760 */ 761 struct sev_data_range { 762 u64 base; 763 u32 page_count; 764 u32 rsvd; 765 } __packed; 766 767 /** 768 * struct sev_data_range_list - RANGE_LIST structure 769 * 770 * @num_elements: number of elements in RANGE_ARRAY 771 * @rsvd: reserved 772 * @ranges: array of num_elements of type RANGE 773 */ 774 struct sev_data_range_list { 775 u32 num_elements; 776 u32 rsvd; 777 struct sev_data_range ranges[]; 778 } __packed; 779 780 /** 781 * struct sev_data_snp_shutdown_ex - SNP_SHUTDOWN_EX structure 782 * 783 * @len: length of the command buffer read by the PSP 784 * @iommu_snp_shutdown: Disable enforcement of SNP in the IOMMU 785 * @rsvd1: reserved 786 */ 787 struct sev_data_snp_shutdown_ex { 788 u32 len; 789 u32 iommu_snp_shutdown:1; 790 u32 rsvd1:31; 791 } __packed; 792 793 /** 794 * struct sev_platform_init_args 795 * 796 * @error: SEV firmware error code 797 * @probe: True if this is being called as part of CCP module probe, which 798 * will defer SEV_INIT/SEV_INIT_EX firmware initialization until needed 799 * unless psp_init_on_probe module param is set 800 */ 801 struct sev_platform_init_args { 802 int error; 803 bool probe; 804 }; 805 806 /** 807 * struct sev_data_snp_commit - SNP_COMMIT structure 808 * 809 * @len: length of the command buffer read by the PSP 810 */ 811 struct sev_data_snp_commit { 812 u32 len; 813 } __packed; 814 815 #ifdef CONFIG_CRYPTO_DEV_SP_PSP 816 817 /** 818 * sev_module_init - perform PSP SEV module initialization 819 * 820 * Returns: 821 * 0 if the PSP module is successfully initialized 822 * negative value if the PSP module initialization fails 823 */ 824 int sev_module_init(void); 825 826 /** 827 * sev_platform_init - perform SEV INIT command 828 * 829 * @args: struct sev_platform_init_args to pass in arguments 830 * 831 * Returns: 832 * 0 if the SEV successfully processed the command 833 * -%ENODEV if the SEV device is not available 834 * -%ENOTSUPP if the SEV does not support SEV 835 * -%ETIMEDOUT if the SEV command timed out 836 * -%EIO if the SEV returned a non-zero return code 837 */ 838 int sev_platform_init(struct sev_platform_init_args *args); 839 840 /** 841 * sev_platform_status - perform SEV PLATFORM_STATUS command 842 * 843 * @status: sev_user_data_status structure to be processed 844 * @error: SEV command return code 845 * 846 * Returns: 847 * 0 if the SEV successfully processed the command 848 * -%ENODEV if the SEV device is not available 849 * -%ENOTSUPP if the SEV does not support SEV 850 * -%ETIMEDOUT if the SEV command timed out 851 * -%EIO if the SEV returned a non-zero return code 852 */ 853 int sev_platform_status(struct sev_user_data_status *status, int *error); 854 855 /** 856 * sev_issue_cmd_external_user - issue SEV command by other driver with a file 857 * handle. 858 * 859 * This function can be used by other drivers to issue a SEV command on 860 * behalf of userspace. The caller must pass a valid SEV file descriptor 861 * so that we know that it has access to SEV device. 862 * 863 * @filep - SEV device file pointer 864 * @cmd - command to issue 865 * @data - command buffer 866 * @error: SEV command return code 867 * 868 * Returns: 869 * 0 if the SEV successfully processed the command 870 * -%ENODEV if the SEV device is not available 871 * -%ENOTSUPP if the SEV does not support SEV 872 * -%ETIMEDOUT if the SEV command timed out 873 * -%EIO if the SEV returned a non-zero return code 874 * -%EINVAL if the SEV file descriptor is not valid 875 */ 876 int sev_issue_cmd_external_user(struct file *filep, unsigned int id, 877 void *data, int *error); 878 879 /** 880 * sev_guest_deactivate - perform SEV DEACTIVATE command 881 * 882 * @deactivate: sev_data_deactivate structure to be processed 883 * @sev_ret: sev command return code 884 * 885 * Returns: 886 * 0 if the sev successfully processed the command 887 * -%ENODEV if the sev device is not available 888 * -%ENOTSUPP if the sev does not support SEV 889 * -%ETIMEDOUT if the sev command timed out 890 * -%EIO if the sev returned a non-zero return code 891 */ 892 int sev_guest_deactivate(struct sev_data_deactivate *data, int *error); 893 894 /** 895 * sev_guest_activate - perform SEV ACTIVATE command 896 * 897 * @activate: sev_data_activate structure to be processed 898 * @sev_ret: sev command return code 899 * 900 * Returns: 901 * 0 if the sev successfully processed the command 902 * -%ENODEV if the sev device is not available 903 * -%ENOTSUPP if the sev does not support SEV 904 * -%ETIMEDOUT if the sev command timed out 905 * -%EIO if the sev returned a non-zero return code 906 */ 907 int sev_guest_activate(struct sev_data_activate *data, int *error); 908 909 /** 910 * sev_guest_df_flush - perform SEV DF_FLUSH command 911 * 912 * @sev_ret: sev command return code 913 * 914 * Returns: 915 * 0 if the sev successfully processed the command 916 * -%ENODEV if the sev device is not available 917 * -%ENOTSUPP if the sev does not support SEV 918 * -%ETIMEDOUT if the sev command timed out 919 * -%EIO if the sev returned a non-zero return code 920 */ 921 int sev_guest_df_flush(int *error); 922 923 /** 924 * sev_guest_decommission - perform SEV DECOMMISSION command 925 * 926 * @decommission: sev_data_decommission structure to be processed 927 * @sev_ret: sev command return code 928 * 929 * Returns: 930 * 0 if the sev successfully processed the command 931 * -%ENODEV if the sev device is not available 932 * -%ENOTSUPP if the sev does not support SEV 933 * -%ETIMEDOUT if the sev command timed out 934 * -%EIO if the sev returned a non-zero return code 935 */ 936 int sev_guest_decommission(struct sev_data_decommission *data, int *error); 937 938 /** 939 * sev_do_cmd - issue an SEV or an SEV-SNP command 940 * 941 * @cmd: SEV or SEV-SNP firmware command to issue 942 * @data: arguments for firmware command 943 * @psp_ret: SEV command return code 944 * 945 * Returns: 946 * 0 if the SEV device successfully processed the command 947 * -%ENODEV if the PSP device is not available 948 * -%ENOTSUPP if PSP device does not support SEV 949 * -%ETIMEDOUT if the SEV command timed out 950 * -%EIO if PSP device returned a non-zero return code 951 */ 952 int sev_do_cmd(int cmd, void *data, int *psp_ret); 953 954 void *psp_copy_user_blob(u64 uaddr, u32 len); 955 void *snp_alloc_firmware_page(gfp_t mask); 956 void snp_free_firmware_page(void *addr); 957 958 #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ 959 960 static inline int 961 sev_platform_status(struct sev_user_data_status *status, int *error) { return -ENODEV; } 962 963 static inline int sev_platform_init(struct sev_platform_init_args *args) { return -ENODEV; } 964 965 static inline int 966 sev_guest_deactivate(struct sev_data_deactivate *data, int *error) { return -ENODEV; } 967 968 static inline int 969 sev_guest_decommission(struct sev_data_decommission *data, int *error) { return -ENODEV; } 970 971 static inline int 972 sev_do_cmd(int cmd, void *data, int *psp_ret) { return -ENODEV; } 973 974 static inline int 975 sev_guest_activate(struct sev_data_activate *data, int *error) { return -ENODEV; } 976 977 static inline int sev_guest_df_flush(int *error) { return -ENODEV; } 978 979 static inline int 980 sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; } 981 982 static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); } 983 984 static inline void *snp_alloc_firmware_page(gfp_t mask) 985 { 986 return NULL; 987 } 988 989 static inline void snp_free_firmware_page(void *addr) { } 990 991 #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ 992 993 #endif /* __PSP_SEV_H__ */ 994