1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright IBM Corp. 2022, 2024
4 * Author(s): Steffen Eiden <seiden@linux.ibm.com>
5 *
6 * This file provides a Linux misc device to give userspace access to some
7 * Ultravisor (UV) functions. The device only accepts IOCTLs and will only
8 * be present if the Ultravisor facility (158) is present.
9 *
10 * When userspace sends a valid IOCTL uvdevice will copy the input data to
11 * kernel space, do some basic validity checks to avoid kernel/system
12 * corruption. Any other check that the Ultravisor does will not be done by
13 * the uvdevice to keep changes minimal when adding new functionalities
14 * to existing UV-calls.
15 * After the checks uvdevice builds a corresponding
16 * Ultravisor Call Control Block, and sends the request to the Ultravisor.
17 * Then, it copies the response, including the return codes, back to userspace.
18 * It is the responsibility of the userspace to check for any error issued
19 * by UV and to interpret the UV response. The uvdevice acts as a communication
20 * channel for userspace to the Ultravisor.
21 */
22
23 #include <linux/module.h>
24 #include <linux/kernel.h>
25 #include <linux/miscdevice.h>
26 #include <linux/types.h>
27 #include <linux/stddef.h>
28 #include <linux/vmalloc.h>
29 #include <linux/slab.h>
30 #include <linux/cpufeature.h>
31
32 #include <asm/uvdevice.h>
33 #include <asm/uv.h>
34
35 #define BIT_UVIO_INTERNAL U32_MAX
36 /* Mapping from IOCTL-nr to UVC-bit */
37 static const u32 ioctl_nr_to_uvc_bit[] __initconst = {
38 [UVIO_IOCTL_UVDEV_INFO_NR] = BIT_UVIO_INTERNAL,
39 [UVIO_IOCTL_ATT_NR] = BIT_UVC_CMD_RETR_ATTEST,
40 [UVIO_IOCTL_ADD_SECRET_NR] = BIT_UVC_CMD_ADD_SECRET,
41 [UVIO_IOCTL_LIST_SECRETS_NR] = BIT_UVC_CMD_LIST_SECRETS,
42 [UVIO_IOCTL_LOCK_SECRETS_NR] = BIT_UVC_CMD_LOCK_SECRETS,
43 [UVIO_IOCTL_RETR_SECRET_NR] = BIT_UVC_CMD_RETR_ATTEST,
44 };
45
46 static_assert(ARRAY_SIZE(ioctl_nr_to_uvc_bit) == UVIO_IOCTL_NUM_IOCTLS);
47
48 static struct uvio_uvdev_info uvdev_info = {
49 .supp_uvio_cmds = GENMASK_ULL(UVIO_IOCTL_NUM_IOCTLS - 1, 0),
50 };
51
set_supp_uv_cmds(unsigned long * supp_uv_cmds)52 static void __init set_supp_uv_cmds(unsigned long *supp_uv_cmds)
53 {
54 int i;
55
56 for (i = 0; i < UVIO_IOCTL_NUM_IOCTLS; i++) {
57 if (ioctl_nr_to_uvc_bit[i] == BIT_UVIO_INTERNAL)
58 continue;
59 if (!test_bit_inv(ioctl_nr_to_uvc_bit[i], uv_info.inst_calls_list))
60 continue;
61 __set_bit(i, supp_uv_cmds);
62 }
63 }
64
65 /**
66 * uvio_uvdev_info() - Get information about the uvdevice
67 *
68 * @uv_ioctl: ioctl control block
69 *
70 * Lists all IOCTLs that are supported by this uvdevice
71 *
72 * Return: 0 on success or a negative error code on error
73 */
uvio_uvdev_info(struct uvio_ioctl_cb * uv_ioctl)74 static int uvio_uvdev_info(struct uvio_ioctl_cb *uv_ioctl)
75 {
76 void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
77
78 if (uv_ioctl->argument_len < sizeof(uvdev_info))
79 return -EINVAL;
80 if (copy_to_user(user_buf_arg, &uvdev_info, sizeof(uvdev_info)))
81 return -EFAULT;
82
83 uv_ioctl->uv_rc = UVC_RC_EXECUTED;
84 return 0;
85 }
86
uvio_build_uvcb_attest(struct uv_cb_attest * uvcb_attest,u8 * arcb,u8 * meas,u8 * add_data,struct uvio_attest * uvio_attest)87 static int uvio_build_uvcb_attest(struct uv_cb_attest *uvcb_attest, u8 *arcb,
88 u8 *meas, u8 *add_data, struct uvio_attest *uvio_attest)
89 {
90 void __user *user_buf_arcb = (void __user *)uvio_attest->arcb_addr;
91
92 if (copy_from_user(arcb, user_buf_arcb, uvio_attest->arcb_len))
93 return -EFAULT;
94
95 uvcb_attest->header.len = sizeof(*uvcb_attest);
96 uvcb_attest->header.cmd = UVC_CMD_RETR_ATTEST;
97 uvcb_attest->arcb_addr = (u64)arcb;
98 uvcb_attest->cont_token = 0;
99 uvcb_attest->user_data_len = uvio_attest->user_data_len;
100 memcpy(uvcb_attest->user_data, uvio_attest->user_data, sizeof(uvcb_attest->user_data));
101 uvcb_attest->meas_len = uvio_attest->meas_len;
102 uvcb_attest->meas_addr = (u64)meas;
103 uvcb_attest->add_data_len = uvio_attest->add_data_len;
104 uvcb_attest->add_data_addr = (u64)add_data;
105
106 return 0;
107 }
108
uvio_copy_attest_result_to_user(struct uv_cb_attest * uvcb_attest,struct uvio_ioctl_cb * uv_ioctl,u8 * measurement,u8 * add_data,struct uvio_attest * uvio_attest)109 static int uvio_copy_attest_result_to_user(struct uv_cb_attest *uvcb_attest,
110 struct uvio_ioctl_cb *uv_ioctl,
111 u8 *measurement, u8 *add_data,
112 struct uvio_attest *uvio_attest)
113 {
114 struct uvio_attest __user *user_uvio_attest = (void __user *)uv_ioctl->argument_addr;
115 u32 __user *user_buf_add_len = (u32 __user *)&user_uvio_attest->add_data_len;
116 void __user *user_buf_add = (void __user *)uvio_attest->add_data_addr;
117 void __user *user_buf_meas = (void __user *)uvio_attest->meas_addr;
118 void __user *user_buf_uid = &user_uvio_attest->config_uid;
119
120 if (copy_to_user(user_buf_meas, measurement, uvio_attest->meas_len))
121 return -EFAULT;
122 if (add_data && copy_to_user(user_buf_add, add_data, uvio_attest->add_data_len))
123 return -EFAULT;
124 if (put_user(uvio_attest->add_data_len, user_buf_add_len))
125 return -EFAULT;
126 if (copy_to_user(user_buf_uid, uvcb_attest->config_uid, sizeof(uvcb_attest->config_uid)))
127 return -EFAULT;
128 return 0;
129 }
130
get_uvio_attest(struct uvio_ioctl_cb * uv_ioctl,struct uvio_attest * uvio_attest)131 static int get_uvio_attest(struct uvio_ioctl_cb *uv_ioctl, struct uvio_attest *uvio_attest)
132 {
133 u8 __user *user_arg_buf = (u8 __user *)uv_ioctl->argument_addr;
134
135 if (copy_from_user(uvio_attest, user_arg_buf, sizeof(*uvio_attest)))
136 return -EFAULT;
137
138 if (uvio_attest->arcb_len > UVIO_ATT_ARCB_MAX_LEN)
139 return -EINVAL;
140 if (uvio_attest->arcb_len == 0)
141 return -EINVAL;
142 if (uvio_attest->meas_len > UVIO_ATT_MEASUREMENT_MAX_LEN)
143 return -EINVAL;
144 if (uvio_attest->meas_len == 0)
145 return -EINVAL;
146 if (uvio_attest->add_data_len > UVIO_ATT_ADDITIONAL_MAX_LEN)
147 return -EINVAL;
148 if (uvio_attest->reserved136)
149 return -EINVAL;
150 return 0;
151 }
152
153 /**
154 * uvio_attestation() - Perform a Retrieve Attestation Measurement UVC.
155 *
156 * @uv_ioctl: ioctl control block
157 *
158 * uvio_attestation() does a Retrieve Attestation Measurement Ultravisor Call.
159 * It verifies that the given userspace addresses are valid and request sizes
160 * are sane. Every other check is made by the Ultravisor (UV) and won't result
161 * in a negative return value. It copies the input to kernelspace, builds the
162 * request, sends the UV-call, and copies the result to userspace.
163 *
164 * The Attestation Request has two input and two outputs.
165 * ARCB and User Data are inputs for the UV generated by userspace.
166 * Measurement and Additional Data are outputs for userspace generated by UV.
167 *
168 * The Attestation Request Control Block (ARCB) is a cryptographically verified
169 * and secured request to UV and User Data is some plaintext data which is
170 * going to be included in the Attestation Measurement calculation.
171 *
172 * Measurement is a cryptographic measurement of the callers properties,
173 * optional data configured by the ARCB and the user data. If specified by the
174 * ARCB, UV will add some Additional Data to the measurement calculation.
175 * This Additional Data is then returned as well.
176 *
177 * If the Retrieve Attestation Measurement UV facility is not present,
178 * UV will return invalid command rc. This won't be fenced in the driver
179 * and does not result in a negative return value.
180 *
181 * Context: might sleep
182 *
183 * Return: 0 on success or a negative error code on error
184 */
uvio_attestation(struct uvio_ioctl_cb * uv_ioctl)185 static int uvio_attestation(struct uvio_ioctl_cb *uv_ioctl)
186 {
187 struct uv_cb_attest *uvcb_attest = NULL;
188 struct uvio_attest *uvio_attest = NULL;
189 u8 *measurement = NULL;
190 u8 *add_data = NULL;
191 u8 *arcb = NULL;
192 int ret;
193
194 ret = -EINVAL;
195 if (uv_ioctl->argument_len != sizeof(*uvio_attest))
196 goto out;
197
198 ret = -ENOMEM;
199 uvio_attest = kzalloc(sizeof(*uvio_attest), GFP_KERNEL);
200 if (!uvio_attest)
201 goto out;
202
203 ret = get_uvio_attest(uv_ioctl, uvio_attest);
204 if (ret)
205 goto out;
206
207 ret = -ENOMEM;
208 arcb = kvzalloc(uvio_attest->arcb_len, GFP_KERNEL);
209 measurement = kvzalloc(uvio_attest->meas_len, GFP_KERNEL);
210 if (!arcb || !measurement)
211 goto out;
212
213 if (uvio_attest->add_data_len) {
214 add_data = kvzalloc(uvio_attest->add_data_len, GFP_KERNEL);
215 if (!add_data)
216 goto out;
217 }
218
219 uvcb_attest = kzalloc(sizeof(*uvcb_attest), GFP_KERNEL);
220 if (!uvcb_attest)
221 goto out;
222
223 ret = uvio_build_uvcb_attest(uvcb_attest, arcb, measurement, add_data, uvio_attest);
224 if (ret)
225 goto out;
226
227 uv_call_sched(0, (u64)uvcb_attest);
228
229 uv_ioctl->uv_rc = uvcb_attest->header.rc;
230 uv_ioctl->uv_rrc = uvcb_attest->header.rrc;
231
232 ret = uvio_copy_attest_result_to_user(uvcb_attest, uv_ioctl, measurement, add_data,
233 uvio_attest);
234 out:
235 kvfree(arcb);
236 kvfree(measurement);
237 kvfree(add_data);
238 kfree(uvio_attest);
239 kfree(uvcb_attest);
240 return ret;
241 }
242
243 /**
244 * uvio_add_secret() - Perform an Add Secret UVC
245 *
246 * @uv_ioctl: ioctl control block
247 *
248 * uvio_add_secret() performs the Add Secret Ultravisor Call.
249 *
250 * The given userspace argument address and size are verified to be
251 * valid but every other check is made by the Ultravisor
252 * (UV). Therefore UV errors won't result in a negative return
253 * value. The request is then copied to kernelspace, the UV-call is
254 * performed and the results are copied back to userspace.
255 *
256 * The argument has to point to an Add Secret Request Control Block
257 * which is an encrypted and cryptographically verified request that
258 * inserts a protected guest's secrets into the Ultravisor for later
259 * use.
260 *
261 * If the Add Secret UV facility is not present, UV will return
262 * invalid command rc. This won't be fenced in the driver and does not
263 * result in a negative return value.
264 *
265 * Context: might sleep
266 *
267 * Return: 0 on success or a negative error code on error
268 */
uvio_add_secret(struct uvio_ioctl_cb * uv_ioctl)269 static int uvio_add_secret(struct uvio_ioctl_cb *uv_ioctl)
270 {
271 void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
272 struct uv_cb_guest_addr uvcb = {
273 .header.len = sizeof(uvcb),
274 .header.cmd = UVC_CMD_ADD_SECRET,
275 };
276 void *asrcb = NULL;
277 int ret;
278
279 if (uv_ioctl->argument_len > UVIO_ADD_SECRET_MAX_LEN)
280 return -EINVAL;
281 if (uv_ioctl->argument_len == 0)
282 return -EINVAL;
283
284 asrcb = kvzalloc(uv_ioctl->argument_len, GFP_KERNEL);
285 if (!asrcb)
286 return -ENOMEM;
287
288 ret = -EFAULT;
289 if (copy_from_user(asrcb, user_buf_arg, uv_ioctl->argument_len))
290 goto out;
291
292 ret = 0;
293 uvcb.addr = (u64)asrcb;
294 uv_call_sched(0, (u64)&uvcb);
295 uv_ioctl->uv_rc = uvcb.header.rc;
296 uv_ioctl->uv_rrc = uvcb.header.rrc;
297
298 out:
299 kvfree(asrcb);
300 return ret;
301 }
302
303 /*
304 * Do the actual secret list creation. Calls the list secrets UVC until there
305 * is no more space in the user buffer, or the list ends.
306 */
uvio_get_list(void * zpage,struct uvio_ioctl_cb * uv_ioctl)307 static int uvio_get_list(void *zpage, struct uvio_ioctl_cb *uv_ioctl)
308 {
309 const size_t data_off = offsetof(struct uv_secret_list, secrets);
310 u8 __user *user_buf = (u8 __user *)uv_ioctl->argument_addr;
311 struct uv_secret_list *list = zpage;
312 u16 num_secrets_stored = 0;
313 size_t user_off = data_off;
314 size_t copy_len;
315
316 do {
317 uv_list_secrets(list, list->next_secret_idx, &uv_ioctl->uv_rc,
318 &uv_ioctl->uv_rrc);
319 if (uv_ioctl->uv_rc != UVC_RC_EXECUTED &&
320 uv_ioctl->uv_rc != UVC_RC_MORE_DATA)
321 break;
322
323 copy_len = sizeof(list->secrets[0]) * list->num_secr_stored;
324 if (copy_to_user(user_buf + user_off, list->secrets, copy_len))
325 return -EFAULT;
326
327 user_off += copy_len;
328 num_secrets_stored += list->num_secr_stored;
329 } while (uv_ioctl->uv_rc == UVC_RC_MORE_DATA &&
330 user_off + sizeof(*list) <= uv_ioctl->argument_len);
331
332 list->num_secr_stored = num_secrets_stored;
333 if (copy_to_user(user_buf, list, data_off))
334 return -EFAULT;
335 return 0;
336 }
337
338 /**
339 * uvio_list_secrets() - Perform a List Secret UVC
340 *
341 * @uv_ioctl: ioctl control block
342 *
343 * uvio_list_secrets() performs the List Secret Ultravisor Call. It verifies
344 * that the given userspace argument address is valid and its size is sane.
345 * Every other check is made by the Ultravisor (UV) and won't result in a
346 * negative return value. It builds the request, performs the UV-call, and
347 * copies the result to userspace.
348 *
349 * The argument specifies the location for the result of the UV-Call.
350 *
351 * Argument length must be a multiple of a page.
352 * The list secrets IOCTL will call the list UVC multiple times and fill
353 * the provided user-buffer with list elements until either the list ends or
354 * the buffer is full. The list header is merged over all list header from the
355 * individual UVCs.
356 *
357 * If the List Secrets UV facility is not present, UV will return invalid
358 * command rc. This won't be fenced in the driver and does not result in a
359 * negative return value.
360 *
361 * Context: might sleep
362 *
363 * Return: 0 on success or a negative error code on error
364 */
uvio_list_secrets(struct uvio_ioctl_cb * uv_ioctl)365 static int uvio_list_secrets(struct uvio_ioctl_cb *uv_ioctl)
366 {
367 void *zpage;
368 int rc;
369
370 if (uv_ioctl->argument_len == 0 ||
371 uv_ioctl->argument_len % UVIO_LIST_SECRETS_LEN != 0)
372 return -EINVAL;
373
374 zpage = (void *)get_zeroed_page(GFP_KERNEL);
375 if (!zpage)
376 return -ENOMEM;
377
378 rc = uvio_get_list(zpage, uv_ioctl);
379
380 free_page((unsigned long)zpage);
381 return rc;
382 }
383
384 /**
385 * uvio_lock_secrets() - Perform a Lock Secret Store UVC
386 *
387 * @ioctl: ioctl control block
388 *
389 * uvio_lock_secrets() performs the Lock Secret Store Ultravisor Call. It
390 * performs the UV-call and copies the return codes to the ioctl control block.
391 * After this call was dispatched successfully every following Add Secret UVC
392 * and Lock Secrets UVC will fail with return code 0x102.
393 *
394 * The argument address and size must be 0.
395 *
396 * If the Lock Secrets UV facility is not present, UV will return invalid
397 * command rc. This won't be fenced in the driver and does not result in a
398 * negative return value.
399 *
400 * Context: might sleep
401 *
402 * Return: 0 on success or a negative error code on error
403 */
uvio_lock_secrets(struct uvio_ioctl_cb * ioctl)404 static int uvio_lock_secrets(struct uvio_ioctl_cb *ioctl)
405 {
406 struct uv_cb_nodata uvcb = {
407 .header.len = sizeof(uvcb),
408 .header.cmd = UVC_CMD_LOCK_SECRETS,
409 };
410
411 if (ioctl->argument_addr || ioctl->argument_len)
412 return -EINVAL;
413
414 uv_call(0, (u64)&uvcb);
415 ioctl->uv_rc = uvcb.header.rc;
416 ioctl->uv_rrc = uvcb.header.rrc;
417
418 return 0;
419 }
420
421 /**
422 * uvio_retr_secret() - Perform a retrieve secret UVC
423 *
424 * @uv_ioctl: ioctl control block.
425 *
426 * uvio_retr_secret() performs the Retrieve Secret Ultravisor Call.
427 * The first two bytes of the argument specify the index of the secret to be
428 * retrieved. The retrieved secret is copied into the argument buffer if there
429 * is enough space.
430 * The argument length must be at least two bytes and at max 8192 bytes.
431 *
432 * Context: might sleep
433 *
434 * Return: 0 on success or a negative error code on error
435 */
uvio_retr_secret(struct uvio_ioctl_cb * uv_ioctl)436 static int uvio_retr_secret(struct uvio_ioctl_cb *uv_ioctl)
437 {
438 u16 __user *user_index = (u16 __user *)uv_ioctl->argument_addr;
439 struct uv_cb_retr_secr uvcb = {
440 .header.len = sizeof(uvcb),
441 .header.cmd = UVC_CMD_RETR_SECRET,
442 };
443 u32 buf_len = uv_ioctl->argument_len;
444 void *buf = NULL;
445 int ret;
446
447 if (buf_len > UVIO_RETR_SECRET_MAX_LEN || buf_len < sizeof(*user_index))
448 return -EINVAL;
449
450 buf = kvzalloc(buf_len, GFP_KERNEL);
451 if (!buf)
452 return -ENOMEM;
453
454 ret = -EFAULT;
455 if (get_user(uvcb.secret_idx, user_index))
456 goto err;
457
458 uvcb.buf_addr = (u64)buf;
459 uvcb.buf_size = buf_len;
460 uv_call_sched(0, (u64)&uvcb);
461
462 if (copy_to_user((__user void *)uv_ioctl->argument_addr, buf, buf_len))
463 goto err;
464
465 ret = 0;
466 uv_ioctl->uv_rc = uvcb.header.rc;
467 uv_ioctl->uv_rrc = uvcb.header.rrc;
468
469 err:
470 kvfree_sensitive(buf, buf_len);
471 return ret;
472 }
473
uvio_copy_and_check_ioctl(struct uvio_ioctl_cb * ioctl,void __user * argp,unsigned long cmd)474 static int uvio_copy_and_check_ioctl(struct uvio_ioctl_cb *ioctl, void __user *argp,
475 unsigned long cmd)
476 {
477 u8 nr = _IOC_NR(cmd);
478
479 if (_IOC_DIR(cmd) != (_IOC_READ | _IOC_WRITE))
480 return -ENOIOCTLCMD;
481 if (_IOC_TYPE(cmd) != UVIO_TYPE_UVC)
482 return -ENOIOCTLCMD;
483 if (nr >= UVIO_IOCTL_NUM_IOCTLS)
484 return -ENOIOCTLCMD;
485 if (_IOC_SIZE(cmd) != sizeof(*ioctl))
486 return -ENOIOCTLCMD;
487 if (copy_from_user(ioctl, argp, sizeof(*ioctl)))
488 return -EFAULT;
489 if (ioctl->flags != 0)
490 return -EINVAL;
491 if (memchr_inv(ioctl->reserved14, 0, sizeof(ioctl->reserved14)))
492 return -EINVAL;
493
494 return nr;
495 }
496
497 /*
498 * IOCTL entry point for the Ultravisor device.
499 */
uvio_ioctl(struct file * filp,unsigned int cmd,unsigned long arg)500 static long uvio_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
501 {
502 void __user *argp = (void __user *)arg;
503 struct uvio_ioctl_cb uv_ioctl = { };
504 long ret;
505 int nr;
506
507 nr = uvio_copy_and_check_ioctl(&uv_ioctl, argp, cmd);
508 if (nr < 0)
509 return nr;
510
511 switch (nr) {
512 case UVIO_IOCTL_UVDEV_INFO_NR:
513 ret = uvio_uvdev_info(&uv_ioctl);
514 break;
515 case UVIO_IOCTL_ATT_NR:
516 ret = uvio_attestation(&uv_ioctl);
517 break;
518 case UVIO_IOCTL_ADD_SECRET_NR:
519 ret = uvio_add_secret(&uv_ioctl);
520 break;
521 case UVIO_IOCTL_LIST_SECRETS_NR:
522 ret = uvio_list_secrets(&uv_ioctl);
523 break;
524 case UVIO_IOCTL_LOCK_SECRETS_NR:
525 ret = uvio_lock_secrets(&uv_ioctl);
526 break;
527 case UVIO_IOCTL_RETR_SECRET_NR:
528 ret = uvio_retr_secret(&uv_ioctl);
529 break;
530 default:
531 ret = -ENOIOCTLCMD;
532 break;
533 }
534 if (ret)
535 return ret;
536
537 if (copy_to_user(argp, &uv_ioctl, sizeof(uv_ioctl)))
538 ret = -EFAULT;
539
540 return ret;
541 }
542
543 static const struct file_operations uvio_dev_fops = {
544 .owner = THIS_MODULE,
545 .unlocked_ioctl = uvio_ioctl,
546 };
547
548 static struct miscdevice uvio_dev_miscdev = {
549 .minor = MISC_DYNAMIC_MINOR,
550 .name = UVIO_DEVICE_NAME,
551 .fops = &uvio_dev_fops,
552 };
553
uvio_dev_exit(void)554 static void __exit uvio_dev_exit(void)
555 {
556 misc_deregister(&uvio_dev_miscdev);
557 }
558
uvio_dev_init(void)559 static int __init uvio_dev_init(void)
560 {
561 set_supp_uv_cmds((unsigned long *)&uvdev_info.supp_uv_cmds);
562 return misc_register(&uvio_dev_miscdev);
563 }
564
565 module_cpu_feature_match(S390_CPU_FEATURE_UV, uvio_dev_init);
566 module_exit(uvio_dev_exit);
567
568 MODULE_AUTHOR("IBM Corporation");
569 MODULE_LICENSE("GPL");
570 MODULE_DESCRIPTION("Ultravisor UAPI driver");
571