// SPDX-License-Identifier: GPL-2.0
/*
 * Common Ultravisor functions and initialization
 *
 * Copyright IBM Corp. 2019, 2020
 */
#define KMSG_COMPONENT "prot_virt"
#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt

#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/sizes.h>
#include <linux/bitmap.h>
#include <linux/memblock.h>
#include <linux/pagemap.h>
#include <linux/swap.h>
#include <asm/facility.h>
#include <asm/sections.h>
#include <asm/uv.h>

/* the bootdata_preserved fields come from ones in arch/s390/boot/uv.c */
#ifdef CONFIG_PROTECTED_VIRTUALIZATION_GUEST
int __bootdata_preserved(prot_virt_guest);
#endif

struct uv_info __bootdata_preserved(uv_info);

#if IS_ENABLED(CONFIG_KVM)
int __bootdata_preserved(prot_virt_host);
EXPORT_SYMBOL(prot_virt_host);
EXPORT_SYMBOL(uv_info);

static int __init uv_init(unsigned long stor_base, unsigned long stor_len)
{
	struct uv_cb_init uvcb = {
		.header.cmd = UVC_CMD_INIT_UV,
		.header.len = sizeof(uvcb),
		.stor_origin = stor_base,
		.stor_len = stor_len,
	};

	if (uv_call(0, (uint64_t)&uvcb)) {
		pr_err("Ultravisor init failed with rc: 0x%x rrc: 0x%x\n",
		       uvcb.header.rc, uvcb.header.rrc);
		return -1;
	}
	return 0;
}

void __init setup_uv(void)
{
	unsigned long uv_stor_base;

	/*
	 * keep these conditions in line with has_uv_sec_stor_limit()
	 */
	if (!is_prot_virt_host())
		return;

	if (is_prot_virt_guest()) {
		prot_virt_host = 0;
		pr_warn("Protected virtualization not available in protected guests.\n");
		return;
	}

	if (!test_facility(158)) {
		prot_virt_host = 0;
		pr_warn("Protected virtualization not supported by the hardware.\n");
		return;
	}

	uv_stor_base = (unsigned long)memblock_alloc_try_nid(
		uv_info.uv_base_stor_len, SZ_1M, SZ_2G,
		MEMBLOCK_ALLOC_ACCESSIBLE, NUMA_NO_NODE);
	if (!uv_stor_base) {
		pr_warn("Failed to reserve %lu bytes for ultravisor base storage\n",
			uv_info.uv_base_stor_len);
		goto fail;
	}

	if (uv_init(uv_stor_base, uv_info.uv_base_stor_len)) {
		memblock_free(uv_stor_base, uv_info.uv_base_stor_len);
		goto fail;
	}

	pr_info("Reserving %luMB as ultravisor base storage\n",
		uv_info.uv_base_stor_len >> 20);
	return;
fail:
	pr_info("Disabling support for protected virtualization\n");
	prot_virt_host = 0;
}

/*
 * Requests the Ultravisor to pin the page in the shared state. This will
 * cause an intercept when the guest attempts to unshare the pinned page.
 */
static int uv_pin_shared(unsigned long paddr)
{
	struct uv_cb_cfs uvcb = {
		.header.cmd = UVC_CMD_PIN_PAGE_SHARED,
		.header.len = sizeof(uvcb),
		.paddr = paddr,
	};

	if (uv_call(0, (u64)&uvcb))
		return -EINVAL;
	return 0;
}

/*
 * Requests the Ultravisor to destroy a guest page and make it
 * accessible to the host. The destroy clears the page instead of
 * exporting.
 *
 * @paddr: Absolute host address of page to be destroyed
 */
int uv_destroy_page(unsigned long paddr)
{
	struct uv_cb_cfs uvcb = {
		.header.cmd = UVC_CMD_DESTR_SEC_STOR,
		.header.len = sizeof(uvcb),
		.paddr = paddr
	};

	if (uv_call(0, (u64)&uvcb)) {
		/*
		 * Older firmware uses 107/d as an indication of a non-secure
		 * page. Let us emulate the newer variant (no-op).
		 */
		if (uvcb.header.rc == 0x107 && uvcb.header.rrc == 0xd)
			return 0;
		return -EINVAL;
	}
	return 0;
}
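
/*
 * Illustrative sketch only: uv_pin_shared(), uv_destroy_page() and
 * uv_convert_from_secure() all follow the same pattern of filling a
 * struct uv_cb_cfs control block with the command and the absolute page
 * address, issuing uv_call() and mapping any failure to -EINVAL. The
 * hypothetical helper below (made-up name, not used anywhere in this
 * file) only demonstrates that shared calling convention.
 */
static inline int uv_cfs_call_sketch(u16 cmd, unsigned long paddr)
{
	/* control block shared by all single-page UV commands */
	struct uv_cb_cfs uvcb = {
		.header.cmd = cmd,
		.header.len = sizeof(uvcb),
		.paddr = paddr,
	};

	/* a non-zero return from uv_call() means the UV rejected the request */
	if (uv_call(0, (u64)&uvcb))
		return -EINVAL;
	return 0;
}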

/*
 * Requests the Ultravisor to encrypt a guest page and make it
 * accessible to the host for paging (export).
 *
 * @paddr: Absolute host address of page to be exported
 */
int uv_convert_from_secure(unsigned long paddr)
{
	struct uv_cb_cfs uvcb = {
		.header.cmd = UVC_CMD_CONV_FROM_SEC_STOR,
		.header.len = sizeof(uvcb),
		.paddr = paddr
	};

	if (uv_call(0, (u64)&uvcb))
		return -EINVAL;
	return 0;
}

/*
 * Calculate the expected ref_count for a page that would otherwise have no
 * further pins. This was cribbed from similar functions in other places in
 * the kernel, but with some slight modifications. We know that a secure
 * page cannot be a huge page, for example.
 */
static int expected_page_refs(struct page *page)
{
	int res;

	res = page_mapcount(page);
	if (PageSwapCache(page)) {
		res++;
	} else if (page_mapping(page)) {
		res++;
		if (page_has_private(page))
			res++;
	}
	return res;
}

static int make_secure_pte(pte_t *ptep, unsigned long addr,
			   struct page *exp_page, struct uv_cb_header *uvcb)
{
	pte_t entry = READ_ONCE(*ptep);
	struct page *page;
	int expected, rc = 0;

	if (!pte_present(entry))
		return -ENXIO;
	if (pte_val(entry) & _PAGE_INVALID)
		return -ENXIO;

	page = pte_page(entry);
	if (page != exp_page)
		return -ENXIO;
	if (PageWriteback(page))
		return -EAGAIN;
	expected = expected_page_refs(page);
	if (!page_ref_freeze(page, expected))
		return -EBUSY;
	set_bit(PG_arch_1, &page->flags);
	rc = uv_call(0, (u64)uvcb);
	page_ref_unfreeze(page, expected);
	/* Return -ENXIO if the page was not mapped, -EINVAL otherwise */
	if (rc)
		rc = uvcb->rc == 0x10a ? -ENXIO : -EINVAL;
	return rc;
}

/*
 * Requests the Ultravisor to make a page accessible to a guest.
 * If it's brought in the first time, it will be cleared. If
 * it has been exported before, it will be decrypted and integrity
 * checked.
 */
int gmap_make_secure(struct gmap *gmap, unsigned long gaddr, void *uvcb)
{
	struct vm_area_struct *vma;
	bool local_drain = false;
	spinlock_t *ptelock;
	unsigned long uaddr;
	struct page *page;
	pte_t *ptep;
	int rc;

again:
	rc = -EFAULT;
	mmap_read_lock(gmap->mm);

	uaddr = __gmap_translate(gmap, gaddr);
	if (IS_ERR_VALUE(uaddr))
		goto out;
	vma = find_vma(gmap->mm, uaddr);
	if (!vma)
		goto out;
	/*
	 * Secure pages cannot be huge and userspace should not combine both.
	 * In case userspace does it anyway this will result in an -EFAULT for
	 * the unpack. The guest thus never reaches secure mode. If
	 * userspace is playing dirty tricks with mapping huge pages later
	 * on, this will result in a segmentation fault.
	 */
	if (is_vm_hugetlb_page(vma))
		goto out;

	rc = -ENXIO;
	page = follow_page(vma, uaddr, FOLL_WRITE);
	if (IS_ERR_OR_NULL(page))
		goto out;

	lock_page(page);
	ptep = get_locked_pte(gmap->mm, uaddr, &ptelock);
	rc = make_secure_pte(ptep, uaddr, page, uvcb);
	pte_unmap_unlock(ptep, ptelock);
	unlock_page(page);
out:
	mmap_read_unlock(gmap->mm);

	if (rc == -EAGAIN) {
		wait_on_page_writeback(page);
	} else if (rc == -EBUSY) {
		/*
		 * If we have tried a local drain and the page refcount
		 * still does not match our expected safe value, try with a
		 * system wide drain. This is needed if the pagevecs holding
		 * the page are on a different CPU.
		 */
		if (local_drain) {
			lru_add_drain_all();
			/* We give up here, and let the caller try again */
			return -EAGAIN;
		}
		/*
		 * We are here if the page refcount does not match the
		 * expected safe value. The main culprits are usually
		 * pagevecs. With lru_add_drain() we drain the pagevecs
		 * on the local CPU so that hopefully the refcount will
		 * reach the expected safe value.
		 */
		lru_add_drain();
		local_drain = true;
		/* And now we try again immediately after draining */
		goto again;
	} else if (rc == -ENXIO) {
		if (gmap_fault(gmap, gaddr, FAULT_FLAG_WRITE))
			return -EFAULT;
		return -EAGAIN;
	}
	return rc;
}
EXPORT_SYMBOL_GPL(gmap_make_secure);

int gmap_convert_to_secure(struct gmap *gmap, unsigned long gaddr)
{
	struct uv_cb_cts uvcb = {
		.header.cmd = UVC_CMD_CONV_TO_SEC_STOR,
		.header.len = sizeof(uvcb),
		.guest_handle = gmap->guest_handle,
		.gaddr = gaddr,
	};

	return gmap_make_secure(gmap, gaddr, &uvcb);
}
EXPORT_SYMBOL_GPL(gmap_convert_to_secure);
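
/*
 * Illustrative sketch only (made-up helper name, not used anywhere):
 * gmap_make_secure() and gmap_convert_to_secure() report transient
 * conditions as -EAGAIN, and the comments above state that the caller is
 * expected to simply try again in that case. A caller-side loop would
 * therefore typically look like this:
 */
static inline int gmap_convert_to_secure_retry_sketch(struct gmap *gmap,
						      unsigned long gaddr)
{
	int rc;

	do {
		/* -EAGAIN covers writeback, stale pagevec references and faults */
		rc = gmap_convert_to_secure(gmap, gaddr);
	} while (rc == -EAGAIN);

	return rc;
}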

/*
 * To be called with the page locked or with an extra reference! This will
 * prevent gmap_make_secure from touching the page concurrently. Having two
 * parallel make_page_accessible calls is fine, as the UV calls will become
 * a no-op if the page is already exported.
 */
int arch_make_page_accessible(struct page *page)
{
	int rc = 0;

	/* Hugepage cannot be protected, so nothing to do */
	if (PageHuge(page))
		return 0;

	/*
	 * PG_arch_1 is used in 3 places:
	 * 1. for kernel page tables during early boot
	 * 2. for storage keys of huge pages and KVM
	 * 3. as an indication that this page might be secure. This can
	 *    overindicate, e.g. we set the bit before calling
	 *    convert_to_secure.
	 * As secure pages are never huge, all 3 variants can co-exist.
	 */
	if (!test_bit(PG_arch_1, &page->flags))
		return 0;

	rc = uv_pin_shared(page_to_phys(page));
	if (!rc) {
		clear_bit(PG_arch_1, &page->flags);
		return 0;
	}

	rc = uv_convert_from_secure(page_to_phys(page));
	if (!rc) {
		clear_bit(PG_arch_1, &page->flags);
		return 0;
	}

	return rc;
}
EXPORT_SYMBOL_GPL(arch_make_page_accessible);

#endif

#if defined(CONFIG_PROTECTED_VIRTUALIZATION_GUEST) || IS_ENABLED(CONFIG_KVM)
static ssize_t uv_query_facilities(struct kobject *kobj,
				   struct kobj_attribute *attr, char *page)
{
	return scnprintf(page, PAGE_SIZE, "%lx\n%lx\n%lx\n%lx\n",
			 uv_info.inst_calls_list[0],
			 uv_info.inst_calls_list[1],
			 uv_info.inst_calls_list[2],
			 uv_info.inst_calls_list[3]);
}

static struct kobj_attribute uv_query_facilities_attr =
	__ATTR(facilities, 0444, uv_query_facilities, NULL);

static ssize_t uv_query_feature_indications(struct kobject *kobj,
					    struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%lx\n", uv_info.uv_feature_indications);
}

static struct kobj_attribute uv_query_feature_indications_attr =
	__ATTR(feature_indications, 0444, uv_query_feature_indications, NULL);

static ssize_t uv_query_max_guest_cpus(struct kobject *kobj,
				       struct kobj_attribute *attr, char *page)
{
	return scnprintf(page, PAGE_SIZE, "%d\n",
			 uv_info.max_guest_cpu_id + 1);
}

static struct kobj_attribute uv_query_max_guest_cpus_attr =
	__ATTR(max_cpus, 0444, uv_query_max_guest_cpus, NULL);

static ssize_t uv_query_max_guest_vms(struct kobject *kobj,
				      struct kobj_attribute *attr, char *page)
{
	return scnprintf(page, PAGE_SIZE, "%d\n",
			 uv_info.max_num_sec_conf);
}

static struct kobj_attribute uv_query_max_guest_vms_attr =
	__ATTR(max_guests, 0444, uv_query_max_guest_vms, NULL);

static ssize_t uv_query_max_guest_addr(struct kobject *kobj,
				       struct kobj_attribute *attr, char *page)
{
	return scnprintf(page, PAGE_SIZE, "%lx\n",
			 uv_info.max_sec_stor_addr);
}

static struct kobj_attribute uv_query_max_guest_addr_attr =
	__ATTR(max_address, 0444, uv_query_max_guest_addr, NULL);

static struct attribute *uv_query_attrs[] = {
	&uv_query_facilities_attr.attr,
	&uv_query_feature_indications_attr.attr,
	&uv_query_max_guest_cpus_attr.attr,
	&uv_query_max_guest_vms_attr.attr,
	&uv_query_max_guest_addr_attr.attr,
	NULL,
};

static struct attribute_group uv_query_attr_group = {
	.attrs = uv_query_attrs,
};

static ssize_t uv_is_prot_virt_guest(struct kobject *kobj,
				     struct kobj_attribute *attr, char *page)
{
	int val = 0;

#ifdef CONFIG_PROTECTED_VIRTUALIZATION_GUEST
	val = prot_virt_guest;
#endif
	return scnprintf(page, PAGE_SIZE, "%d\n", val);
}

static ssize_t uv_is_prot_virt_host(struct kobject *kobj,
				    struct kobj_attribute *attr, char *page)
{
	int val = 0;

#if IS_ENABLED(CONFIG_KVM)
	val = prot_virt_host;
#endif

	return scnprintf(page, PAGE_SIZE, "%d\n", val);
}

static struct kobj_attribute uv_prot_virt_guest =
	__ATTR(prot_virt_guest, 0444, uv_is_prot_virt_guest, NULL);

static struct kobj_attribute uv_prot_virt_host =
	__ATTR(prot_virt_host, 0444, uv_is_prot_virt_host, NULL);

static const struct attribute *uv_prot_virt_attrs[] = {
	&uv_prot_virt_guest.attr,
	&uv_prot_virt_host.attr,
	NULL,
};

static struct kset *uv_query_kset;
static struct kobject *uv_kobj;

static int __init uv_info_init(void)
{
	int rc = -ENOMEM;

	if (!test_facility(158))
		return 0;

	uv_kobj = kobject_create_and_add("uv", firmware_kobj);
	if (!uv_kobj)
		return -ENOMEM;

	rc = sysfs_create_files(uv_kobj, uv_prot_virt_attrs);
	if (rc)
		goto out_kobj;

	uv_query_kset = kset_create_and_add("query", NULL, uv_kobj);
	if (!uv_query_kset) {
		rc = -ENOMEM;
		goto out_ind_files;
	}

	rc = sysfs_create_group(&uv_query_kset->kobj, &uv_query_attr_group);
	if (!rc)
		return 0;

	kset_unregister(uv_query_kset);
out_ind_files:
	sysfs_remove_files(uv_kobj, uv_prot_virt_attrs);
out_kobj:
	kobject_del(uv_kobj);
	kobject_put(uv_kobj);
	return rc;
}
device_initcall(uv_info_init);
#endif
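
/*
 * For reference (derived from uv_info_init() above, not from the firmware
 * documentation): when facility 158 is available, the initcall publishes
 * the following read-only sysfs files:
 *
 *   /sys/firmware/uv/prot_virt_guest
 *   /sys/firmware/uv/prot_virt_host
 *   /sys/firmware/uv/query/facilities
 *   /sys/firmware/uv/query/feature_indications
 *   /sys/firmware/uv/query/max_cpus
 *   /sys/firmware/uv/query/max_guests
 *   /sys/firmware/uv/query/max_address
 */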