1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * TDX guest user interface driver
4 *
5 * Copyright (C) 2022 Intel Corporation
6 */
7
8 #include <linux/kernel.h>
9 #include <linux/miscdevice.h>
10 #include <linux/mm.h>
11 #include <linux/module.h>
12 #include <linux/mod_devicetable.h>
13 #include <linux/string.h>
14 #include <linux/uaccess.h>
15 #include <linux/set_memory.h>
16 #include <linux/io.h>
17 #include <linux/delay.h>
18 #include <linux/tsm.h>
19 #include <linux/sizes.h>
20
21 #include <uapi/linux/tdx-guest.h>
22
23 #include <asm/cpu_device_id.h>
24 #include <asm/tdx.h>
25
26 /*
27 * Intel's SGX QE implementation generally uses Quote size less
28 * than 8K (2K Quote data + ~5K of certificate blob).
29 */
30 #define GET_QUOTE_BUF_SIZE SZ_8K
31
32 #define GET_QUOTE_CMD_VER 1
33
34 /* TDX GetQuote status codes */
35 #define GET_QUOTE_SUCCESS 0
36 #define GET_QUOTE_IN_FLIGHT 0xffffffffffffffff
37
38 /* struct tdx_quote_buf: Format of Quote request buffer.
39 * @version: Quote format version, filled by TD.
40 * @status: Status code of Quote request, filled by VMM.
41 * @in_len: Length of TDREPORT, filled by TD.
42 * @out_len: Length of Quote data, filled by VMM.
43 * @data: Quote data on output or TDREPORT on input.
44 *
45 * More details of Quote request buffer can be found in TDX
46 * Guest-Host Communication Interface (GHCI) for Intel TDX 1.0,
47 * section titled "TDG.VP.VMCALL<GetQuote>"
48 */
49 struct tdx_quote_buf {
50 u64 version;
51 u64 status;
52 u32 in_len;
53 u32 out_len;
54 u8 data[];
55 };
56
57 /* Quote data buffer */
58 static void *quote_data;
59
60 /* Lock to streamline quote requests */
61 static DEFINE_MUTEX(quote_lock);
62
63 /*
64 * GetQuote request timeout in seconds. Expect that 30 seconds
65 * is enough time for QE to respond to any Quote requests.
66 */
67 static u32 getquote_timeout = 30;
68
tdx_get_report0(struct tdx_report_req __user * req)69 static long tdx_get_report0(struct tdx_report_req __user *req)
70 {
71 u8 *reportdata, *tdreport;
72 long ret;
73
74 reportdata = kmalloc(TDX_REPORTDATA_LEN, GFP_KERNEL);
75 if (!reportdata)
76 return -ENOMEM;
77
78 tdreport = kzalloc(TDX_REPORT_LEN, GFP_KERNEL);
79 if (!tdreport) {
80 ret = -ENOMEM;
81 goto out;
82 }
83
84 if (copy_from_user(reportdata, req->reportdata, TDX_REPORTDATA_LEN)) {
85 ret = -EFAULT;
86 goto out;
87 }
88
89 /* Generate TDREPORT0 using "TDG.MR.REPORT" TDCALL */
90 ret = tdx_mcall_get_report0(reportdata, tdreport);
91 if (ret)
92 goto out;
93
94 if (copy_to_user(req->tdreport, tdreport, TDX_REPORT_LEN))
95 ret = -EFAULT;
96
97 out:
98 kfree(reportdata);
99 kfree(tdreport);
100
101 return ret;
102 }
103
free_quote_buf(void * buf)104 static void free_quote_buf(void *buf)
105 {
106 size_t len = PAGE_ALIGN(GET_QUOTE_BUF_SIZE);
107 unsigned int count = len >> PAGE_SHIFT;
108
109 if (set_memory_encrypted((unsigned long)buf, count)) {
110 pr_err("Failed to restore encryption mask for Quote buffer, leak it\n");
111 return;
112 }
113
114 free_pages_exact(buf, len);
115 }
116
alloc_quote_buf(void)117 static void *alloc_quote_buf(void)
118 {
119 size_t len = PAGE_ALIGN(GET_QUOTE_BUF_SIZE);
120 unsigned int count = len >> PAGE_SHIFT;
121 void *addr;
122
123 addr = alloc_pages_exact(len, GFP_KERNEL | __GFP_ZERO);
124 if (!addr)
125 return NULL;
126
127 if (set_memory_decrypted((unsigned long)addr, count))
128 return NULL;
129
130 return addr;
131 }
132
133 /*
134 * wait_for_quote_completion() - Wait for Quote request completion
135 * @quote_buf: Address of Quote buffer.
136 * @timeout: Timeout in seconds to wait for the Quote generation.
137 *
138 * As per TDX GHCI v1.0 specification, sec titled "TDG.VP.VMCALL<GetQuote>",
139 * the status field in the Quote buffer will be set to GET_QUOTE_IN_FLIGHT
140 * while VMM processes the GetQuote request, and will change it to success
141 * or error code after processing is complete. So wait till the status
142 * changes from GET_QUOTE_IN_FLIGHT or the request being timed out.
143 */
wait_for_quote_completion(struct tdx_quote_buf * quote_buf,u32 timeout)144 static int wait_for_quote_completion(struct tdx_quote_buf *quote_buf, u32 timeout)
145 {
146 int i = 0;
147
148 /*
149 * Quote requests usually take a few seconds to complete, so waking up
150 * once per second to recheck the status is fine for this use case.
151 */
152 while (quote_buf->status == GET_QUOTE_IN_FLIGHT && i++ < timeout) {
153 if (msleep_interruptible(MSEC_PER_SEC))
154 return -EINTR;
155 }
156
157 return (i == timeout) ? -ETIMEDOUT : 0;
158 }
159
tdx_report_new(struct tsm_report * report,void * data)160 static int tdx_report_new(struct tsm_report *report, void *data)
161 {
162 u8 *buf, *reportdata = NULL, *tdreport = NULL;
163 struct tdx_quote_buf *quote_buf = quote_data;
164 struct tsm_desc *desc = &report->desc;
165 int ret;
166 u64 err;
167
168 /* TODO: switch to guard(mutex_intr) */
169 if (mutex_lock_interruptible("e_lock))
170 return -EINTR;
171
172 /*
173 * If the previous request is timedout or interrupted, and the
174 * Quote buf status is still in GET_QUOTE_IN_FLIGHT (owned by
175 * VMM), don't permit any new request.
176 */
177 if (quote_buf->status == GET_QUOTE_IN_FLIGHT) {
178 ret = -EBUSY;
179 goto done;
180 }
181
182 if (desc->inblob_len != TDX_REPORTDATA_LEN) {
183 ret = -EINVAL;
184 goto done;
185 }
186
187 reportdata = kmalloc(TDX_REPORTDATA_LEN, GFP_KERNEL);
188 if (!reportdata) {
189 ret = -ENOMEM;
190 goto done;
191 }
192
193 tdreport = kzalloc(TDX_REPORT_LEN, GFP_KERNEL);
194 if (!tdreport) {
195 ret = -ENOMEM;
196 goto done;
197 }
198
199 memcpy(reportdata, desc->inblob, desc->inblob_len);
200
201 /* Generate TDREPORT0 using "TDG.MR.REPORT" TDCALL */
202 ret = tdx_mcall_get_report0(reportdata, tdreport);
203 if (ret) {
204 pr_err("GetReport call failed\n");
205 goto done;
206 }
207
208 memset(quote_data, 0, GET_QUOTE_BUF_SIZE);
209
210 /* Update Quote buffer header */
211 quote_buf->version = GET_QUOTE_CMD_VER;
212 quote_buf->in_len = TDX_REPORT_LEN;
213
214 memcpy(quote_buf->data, tdreport, TDX_REPORT_LEN);
215
216 err = tdx_hcall_get_quote(quote_data, GET_QUOTE_BUF_SIZE);
217 if (err) {
218 pr_err("GetQuote hypercall failed, status:%llx\n", err);
219 ret = -EIO;
220 goto done;
221 }
222
223 ret = wait_for_quote_completion(quote_buf, getquote_timeout);
224 if (ret) {
225 pr_err("GetQuote request timedout\n");
226 goto done;
227 }
228
229 buf = kvmemdup(quote_buf->data, quote_buf->out_len, GFP_KERNEL);
230 if (!buf) {
231 ret = -ENOMEM;
232 goto done;
233 }
234
235 report->outblob = buf;
236 report->outblob_len = quote_buf->out_len;
237
238 /*
239 * TODO: parse the PEM-formatted cert chain out of the quote buffer when
240 * provided
241 */
242 done:
243 mutex_unlock("e_lock);
244 kfree(reportdata);
245 kfree(tdreport);
246
247 return ret;
248 }
249
tdx_report_attr_visible(int n)250 static bool tdx_report_attr_visible(int n)
251 {
252 switch (n) {
253 case TSM_REPORT_GENERATION:
254 case TSM_REPORT_PROVIDER:
255 return true;
256 }
257
258 return false;
259 }
260
tdx_report_bin_attr_visible(int n)261 static bool tdx_report_bin_attr_visible(int n)
262 {
263 switch (n) {
264 case TSM_REPORT_INBLOB:
265 case TSM_REPORT_OUTBLOB:
266 return true;
267 }
268
269 return false;
270 }
271
tdx_guest_ioctl(struct file * file,unsigned int cmd,unsigned long arg)272 static long tdx_guest_ioctl(struct file *file, unsigned int cmd,
273 unsigned long arg)
274 {
275 switch (cmd) {
276 case TDX_CMD_GET_REPORT0:
277 return tdx_get_report0((struct tdx_report_req __user *)arg);
278 default:
279 return -ENOTTY;
280 }
281 }
282
283 static const struct file_operations tdx_guest_fops = {
284 .owner = THIS_MODULE,
285 .unlocked_ioctl = tdx_guest_ioctl,
286 };
287
288 static struct miscdevice tdx_misc_dev = {
289 .name = KBUILD_MODNAME,
290 .minor = MISC_DYNAMIC_MINOR,
291 .fops = &tdx_guest_fops,
292 };
293
294 static const struct x86_cpu_id tdx_guest_ids[] = {
295 X86_MATCH_FEATURE(X86_FEATURE_TDX_GUEST, NULL),
296 {}
297 };
298 MODULE_DEVICE_TABLE(x86cpu, tdx_guest_ids);
299
300 static const struct tsm_ops tdx_tsm_ops = {
301 .name = KBUILD_MODNAME,
302 .report_new = tdx_report_new,
303 .report_attr_visible = tdx_report_attr_visible,
304 .report_bin_attr_visible = tdx_report_bin_attr_visible,
305 };
306
tdx_guest_init(void)307 static int __init tdx_guest_init(void)
308 {
309 int ret;
310
311 if (!x86_match_cpu(tdx_guest_ids))
312 return -ENODEV;
313
314 ret = misc_register(&tdx_misc_dev);
315 if (ret)
316 return ret;
317
318 quote_data = alloc_quote_buf();
319 if (!quote_data) {
320 pr_err("Failed to allocate Quote buffer\n");
321 ret = -ENOMEM;
322 goto free_misc;
323 }
324
325 ret = tsm_register(&tdx_tsm_ops, NULL);
326 if (ret)
327 goto free_quote;
328
329 return 0;
330
331 free_quote:
332 free_quote_buf(quote_data);
333 free_misc:
334 misc_deregister(&tdx_misc_dev);
335
336 return ret;
337 }
338 module_init(tdx_guest_init);
339
tdx_guest_exit(void)340 static void __exit tdx_guest_exit(void)
341 {
342 tsm_unregister(&tdx_tsm_ops);
343 free_quote_buf(quote_data);
344 misc_deregister(&tdx_misc_dev);
345 }
346 module_exit(tdx_guest_exit);
347
348 MODULE_AUTHOR("Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>");
349 MODULE_DESCRIPTION("TDX Guest Driver");
350 MODULE_LICENSE("GPL");
351