1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * TDX guest user interface driver
4 *
5 * Copyright (C) 2022 Intel Corporation
6 */
7
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9
10 #include <linux/kernel.h>
11 #include <linux/miscdevice.h>
12 #include <linux/mm.h>
13 #include <linux/module.h>
14 #include <linux/mod_devicetable.h>
15 #include <linux/string.h>
16 #include <linux/uaccess.h>
17 #include <linux/set_memory.h>
18 #include <linux/io.h>
19 #include <linux/delay.h>
20 #include <linux/sockptr.h>
21 #include <linux/tsm.h>
22 #include <linux/tsm-mr.h>
23
24 #include <uapi/linux/tdx-guest.h>
25
26 #include <asm/cpu_device_id.h>
27 #include <asm/tdx.h>
28
29 /* TDREPORT buffer */
30 static u8 *tdx_report_buf;
31
32 /* Lock to serialize TDG.MR.REPORT and TDG.MR.RTMR.EXTEND TDCALLs */
33 static DEFINE_MUTEX(mr_lock);
34
35 /* TDREPORT fields */
36 enum {
37 TDREPORT_reportdata = 128,
38 TDREPORT_tee_tcb_info = 256,
39 TDREPORT_tdinfo = TDREPORT_tee_tcb_info + 256,
40 TDREPORT_attributes = TDREPORT_tdinfo,
41 TDREPORT_xfam = TDREPORT_attributes + sizeof(u64),
42 TDREPORT_mrtd = TDREPORT_xfam + sizeof(u64),
43 TDREPORT_mrconfigid = TDREPORT_mrtd + SHA384_DIGEST_SIZE,
44 TDREPORT_mrowner = TDREPORT_mrconfigid + SHA384_DIGEST_SIZE,
45 TDREPORT_mrownerconfig = TDREPORT_mrowner + SHA384_DIGEST_SIZE,
46 TDREPORT_rtmr0 = TDREPORT_mrownerconfig + SHA384_DIGEST_SIZE,
47 TDREPORT_rtmr1 = TDREPORT_rtmr0 + SHA384_DIGEST_SIZE,
48 TDREPORT_rtmr2 = TDREPORT_rtmr1 + SHA384_DIGEST_SIZE,
49 TDREPORT_rtmr3 = TDREPORT_rtmr2 + SHA384_DIGEST_SIZE,
50 TDREPORT_servtd_hash = TDREPORT_rtmr3 + SHA384_DIGEST_SIZE,
51 };
52
tdx_do_report(sockptr_t data,sockptr_t tdreport)53 static int tdx_do_report(sockptr_t data, sockptr_t tdreport)
54 {
55 scoped_cond_guard(mutex_intr, return -EINTR, &mr_lock) {
56 u8 *reportdata = tdx_report_buf + TDREPORT_reportdata;
57 int ret;
58
59 if (!sockptr_is_null(data) &&
60 copy_from_sockptr(reportdata, data, TDX_REPORTDATA_LEN))
61 return -EFAULT;
62
63 ret = tdx_mcall_get_report0(reportdata, tdx_report_buf);
64 if (WARN_ONCE(ret, "tdx_mcall_get_report0() failed: %d", ret))
65 return ret;
66
67 if (!sockptr_is_null(tdreport) &&
68 copy_to_sockptr(tdreport, tdx_report_buf, TDX_REPORT_LEN))
69 return -EFAULT;
70 }
71 return 0;
72 }
73
tdx_do_extend(u8 mr_ind,const u8 * data)74 static int tdx_do_extend(u8 mr_ind, const u8 *data)
75 {
76 scoped_cond_guard(mutex_intr, return -EINTR, &mr_lock) {
77 /*
78 * TDX requires @extend_buf to be 64-byte aligned.
79 * It's safe to use REPORTDATA buffer for that purpose because
80 * tdx_mr_report/extend_lock() are mutually exclusive.
81 */
82 u8 *extend_buf = tdx_report_buf + TDREPORT_reportdata;
83 int ret;
84
85 memcpy(extend_buf, data, SHA384_DIGEST_SIZE);
86
87 ret = tdx_mcall_extend_rtmr(mr_ind, extend_buf);
88 if (WARN_ONCE(ret, "tdx_mcall_extend_rtmr(%u) failed: %d", mr_ind, ret))
89 return ret;
90 }
91 return 0;
92 }
93
94 #define TDX_MR_(r) .mr_value = (void *)TDREPORT_##r, TSM_MR_(r, SHA384)
95 static struct tsm_measurement_register tdx_mrs[] = {
96 { TDX_MR_(rtmr0) | TSM_MR_F_RTMR },
97 { TDX_MR_(rtmr1) | TSM_MR_F_RTMR },
98 { TDX_MR_(rtmr2) | TSM_MR_F_RTMR },
99 { TDX_MR_(rtmr3) | TSM_MR_F_RTMR },
100 { TDX_MR_(mrtd) },
101 { TDX_MR_(mrconfigid) | TSM_MR_F_NOHASH },
102 { TDX_MR_(mrowner) | TSM_MR_F_NOHASH },
103 { TDX_MR_(mrownerconfig) | TSM_MR_F_NOHASH },
104 };
105 #undef TDX_MR_
106
tdx_mr_refresh(const struct tsm_measurements * tm)107 static int tdx_mr_refresh(const struct tsm_measurements *tm)
108 {
109 return tdx_do_report(KERNEL_SOCKPTR(NULL), KERNEL_SOCKPTR(NULL));
110 }
111
tdx_mr_extend(const struct tsm_measurements * tm,const struct tsm_measurement_register * mr,const u8 * data)112 static int tdx_mr_extend(const struct tsm_measurements *tm,
113 const struct tsm_measurement_register *mr,
114 const u8 *data)
115 {
116 return tdx_do_extend(mr - tm->mrs, data);
117 }
118
119 static struct tsm_measurements tdx_measurements = {
120 .mrs = tdx_mrs,
121 .nr_mrs = ARRAY_SIZE(tdx_mrs),
122 .refresh = tdx_mr_refresh,
123 .write = tdx_mr_extend,
124 };
125
tdx_mr_init(void)126 static const struct attribute_group *tdx_mr_init(void)
127 {
128 const struct attribute_group *g;
129 int rc;
130
131 u8 *buf __free(kfree) = kzalloc(TDX_REPORT_LEN, GFP_KERNEL);
132 if (!buf)
133 return ERR_PTR(-ENOMEM);
134
135 tdx_report_buf = buf;
136 rc = tdx_mr_refresh(&tdx_measurements);
137 if (rc)
138 return ERR_PTR(rc);
139
140 /*
141 * @mr_value was initialized with the offset only, while the base
142 * address is being added here.
143 */
144 for (size_t i = 0; i < ARRAY_SIZE(tdx_mrs); ++i)
145 *(long *)&tdx_mrs[i].mr_value += (long)buf;
146
147 g = tsm_mr_create_attribute_group(&tdx_measurements);
148 if (!IS_ERR(g))
149 tdx_report_buf = no_free_ptr(buf);
150
151 return g;
152 }
153
tdx_mr_deinit(const struct attribute_group * mr_grp)154 static void tdx_mr_deinit(const struct attribute_group *mr_grp)
155 {
156 tsm_mr_free_attribute_group(mr_grp);
157 kfree(tdx_report_buf);
158 }
159
160 /*
161 * Intel's SGX QE implementation generally uses Quote size less
162 * than 8K (2K Quote data + ~5K of certificate blob).
163 * DICE-based attestation uses layered evidence that requires
164 * larger Quote size (~100K).
165 */
166 #define GET_QUOTE_BUF_SIZE SZ_128K
167
168 #define GET_QUOTE_CMD_VER 1
169
170 /* TDX GetQuote status codes */
171 #define GET_QUOTE_SUCCESS 0
172 #define GET_QUOTE_IN_FLIGHT 0xffffffffffffffff
173
174 #define TDX_QUOTE_MAX_LEN (GET_QUOTE_BUF_SIZE - sizeof(struct tdx_quote_buf))
175
176 /* struct tdx_quote_buf: Format of Quote request buffer.
177 * @version: Quote format version, filled by TD.
178 * @status: Status code of Quote request, filled by VMM.
179 * @in_len: Length of TDREPORT, filled by TD.
180 * @out_len: Length of Quote data, filled by VMM.
181 * @data: Quote data on output or TDREPORT on input.
182 *
183 * More details of Quote request buffer can be found in TDX
184 * Guest-Host Communication Interface (GHCI) for Intel TDX 1.0,
185 * section titled "TDG.VP.VMCALL<GetQuote>"
186 */
187 struct tdx_quote_buf {
188 u64 version;
189 u64 status;
190 u32 in_len;
191 u32 out_len;
192 u8 data[];
193 };
194
195 /* Quote data buffer */
196 static void *quote_data;
197
198 /* Lock to streamline quote requests */
199 static DEFINE_MUTEX(quote_lock);
200
201 /*
202 * GetQuote request timeout in seconds. Expect that 30 seconds
203 * is enough time for QE to respond to any Quote requests.
204 */
205 static u32 getquote_timeout = 30;
206
tdx_get_report0(struct tdx_report_req __user * req)207 static long tdx_get_report0(struct tdx_report_req __user *req)
208 {
209 return tdx_do_report(USER_SOCKPTR(req->reportdata),
210 USER_SOCKPTR(req->tdreport));
211 }
212
free_quote_buf(void * buf)213 static void free_quote_buf(void *buf)
214 {
215 size_t len = PAGE_ALIGN(GET_QUOTE_BUF_SIZE);
216 unsigned int count = len >> PAGE_SHIFT;
217
218 if (set_memory_encrypted((unsigned long)buf, count)) {
219 pr_err("Failed to restore encryption mask for Quote buffer, leak it\n");
220 return;
221 }
222
223 free_pages_exact(buf, len);
224 }
225
alloc_quote_buf(void)226 static void *alloc_quote_buf(void)
227 {
228 size_t len = PAGE_ALIGN(GET_QUOTE_BUF_SIZE);
229 unsigned int count = len >> PAGE_SHIFT;
230 void *addr;
231
232 addr = alloc_pages_exact(len, GFP_KERNEL | __GFP_ZERO);
233 if (!addr)
234 return NULL;
235
236 if (set_memory_decrypted((unsigned long)addr, count))
237 return NULL;
238
239 return addr;
240 }
241
242 /*
243 * wait_for_quote_completion() - Wait for Quote request completion
244 * @quote_buf: Address of Quote buffer.
245 * @timeout: Timeout in seconds to wait for the Quote generation.
246 *
247 * As per TDX GHCI v1.0 specification, sec titled "TDG.VP.VMCALL<GetQuote>",
248 * the status field in the Quote buffer will be set to GET_QUOTE_IN_FLIGHT
249 * while VMM processes the GetQuote request, and will change it to success
250 * or error code after processing is complete. So wait till the status
251 * changes from GET_QUOTE_IN_FLIGHT or the request being timed out.
252 */
wait_for_quote_completion(struct tdx_quote_buf * quote_buf,u32 timeout)253 static int wait_for_quote_completion(struct tdx_quote_buf *quote_buf, u32 timeout)
254 {
255 int i = 0;
256
257 /*
258 * Quote requests usually take a few seconds to complete, so waking up
259 * once per second to recheck the status is fine for this use case.
260 */
261 while (quote_buf->status == GET_QUOTE_IN_FLIGHT && i++ < timeout) {
262 if (msleep_interruptible(MSEC_PER_SEC))
263 return -EINTR;
264 }
265
266 return (i == timeout) ? -ETIMEDOUT : 0;
267 }
268
tdx_report_new_locked(struct tsm_report * report,void * data)269 static int tdx_report_new_locked(struct tsm_report *report, void *data)
270 {
271 u8 *buf;
272 struct tdx_quote_buf *quote_buf = quote_data;
273 struct tsm_report_desc *desc = &report->desc;
274 u32 out_len;
275 int ret;
276 u64 err;
277
278 /*
279 * If the previous request is timedout or interrupted, and the
280 * Quote buf status is still in GET_QUOTE_IN_FLIGHT (owned by
281 * VMM), don't permit any new request.
282 */
283 if (quote_buf->status == GET_QUOTE_IN_FLIGHT)
284 return -EBUSY;
285
286 if (desc->inblob_len != TDX_REPORTDATA_LEN)
287 return -EINVAL;
288
289 memset(quote_data, 0, GET_QUOTE_BUF_SIZE);
290
291 /* Update Quote buffer header */
292 quote_buf->version = GET_QUOTE_CMD_VER;
293 quote_buf->in_len = TDX_REPORT_LEN;
294
295 ret = tdx_do_report(KERNEL_SOCKPTR(desc->inblob),
296 KERNEL_SOCKPTR(quote_buf->data));
297 if (ret)
298 return ret;
299
300 err = tdx_hcall_get_quote(quote_data, GET_QUOTE_BUF_SIZE);
301 if (err) {
302 pr_err("GetQuote hypercall failed, status:%llx\n", err);
303 return -EIO;
304 }
305
306 ret = wait_for_quote_completion(quote_buf, getquote_timeout);
307 if (ret) {
308 pr_err("GetQuote request timedout\n");
309 return ret;
310 }
311
312 if (quote_buf->status != GET_QUOTE_SUCCESS) {
313 pr_debug("GetQuote request failed, status:%llx\n", quote_buf->status);
314 return -EIO;
315 }
316
317 out_len = READ_ONCE(quote_buf->out_len);
318
319 if (out_len > TDX_QUOTE_MAX_LEN)
320 return -EFBIG;
321
322 buf = kvmemdup(quote_buf->data, out_len, GFP_KERNEL);
323 if (!buf)
324 return -ENOMEM;
325
326 report->outblob = buf;
327 report->outblob_len = out_len;
328
329 /*
330 * TODO: parse the PEM-formatted cert chain out of the quote buffer when
331 * provided
332 */
333
334 return ret;
335 }
336
tdx_report_new(struct tsm_report * report,void * data)337 static int tdx_report_new(struct tsm_report *report, void *data)
338 {
339 scoped_cond_guard(mutex_intr, return -EINTR, "e_lock)
340 return tdx_report_new_locked(report, data);
341 }
342
tdx_report_attr_visible(int n)343 static bool tdx_report_attr_visible(int n)
344 {
345 switch (n) {
346 case TSM_REPORT_GENERATION:
347 case TSM_REPORT_PROVIDER:
348 return true;
349 }
350
351 return false;
352 }
353
tdx_report_bin_attr_visible(int n)354 static bool tdx_report_bin_attr_visible(int n)
355 {
356 switch (n) {
357 case TSM_REPORT_INBLOB:
358 case TSM_REPORT_OUTBLOB:
359 return true;
360 }
361
362 return false;
363 }
364
tdx_guest_ioctl(struct file * file,unsigned int cmd,unsigned long arg)365 static long tdx_guest_ioctl(struct file *file, unsigned int cmd,
366 unsigned long arg)
367 {
368 switch (cmd) {
369 case TDX_CMD_GET_REPORT0:
370 return tdx_get_report0((struct tdx_report_req __user *)arg);
371 default:
372 return -ENOTTY;
373 }
374 }
375
376 static const struct file_operations tdx_guest_fops = {
377 .owner = THIS_MODULE,
378 .unlocked_ioctl = tdx_guest_ioctl,
379 };
380
381 static const struct attribute_group *tdx_attr_groups[] = {
382 NULL, /* measurements */
383 NULL
384 };
385
386 static struct miscdevice tdx_misc_dev = {
387 .name = KBUILD_MODNAME,
388 .minor = MISC_DYNAMIC_MINOR,
389 .fops = &tdx_guest_fops,
390 .groups = tdx_attr_groups,
391 };
392
393 static const struct x86_cpu_id tdx_guest_ids[] = {
394 X86_MATCH_FEATURE(X86_FEATURE_TDX_GUEST, NULL),
395 {}
396 };
397 MODULE_DEVICE_TABLE(x86cpu, tdx_guest_ids);
398
399 static const struct tsm_report_ops tdx_tsm_ops = {
400 .name = KBUILD_MODNAME,
401 .report_new = tdx_report_new,
402 .report_attr_visible = tdx_report_attr_visible,
403 .report_bin_attr_visible = tdx_report_bin_attr_visible,
404 };
405
tdx_guest_init(void)406 static int __init tdx_guest_init(void)
407 {
408 int ret;
409
410 if (!x86_match_cpu(tdx_guest_ids))
411 return -ENODEV;
412
413 tdx_attr_groups[0] = tdx_mr_init();
414 if (IS_ERR(tdx_attr_groups[0]))
415 return PTR_ERR(tdx_attr_groups[0]);
416
417 ret = misc_register(&tdx_misc_dev);
418 if (ret)
419 goto deinit_mr;
420
421 quote_data = alloc_quote_buf();
422 if (!quote_data) {
423 pr_err("Failed to allocate Quote buffer\n");
424 ret = -ENOMEM;
425 goto free_misc;
426 }
427
428 ret = tsm_report_register(&tdx_tsm_ops, NULL);
429 if (ret)
430 goto free_quote;
431
432 return 0;
433
434 free_quote:
435 free_quote_buf(quote_data);
436 free_misc:
437 misc_deregister(&tdx_misc_dev);
438 deinit_mr:
439 tdx_mr_deinit(tdx_attr_groups[0]);
440
441 return ret;
442 }
443 module_init(tdx_guest_init);
444
tdx_guest_exit(void)445 static void __exit tdx_guest_exit(void)
446 {
447 tsm_report_unregister(&tdx_tsm_ops);
448 free_quote_buf(quote_data);
449 misc_deregister(&tdx_misc_dev);
450 tdx_mr_deinit(tdx_attr_groups[0]);
451 }
452 module_exit(tdx_guest_exit);
453
454 MODULE_AUTHOR("Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>");
455 MODULE_DESCRIPTION("TDX Guest Driver");
456 MODULE_LICENSE("GPL");
457