xref: /linux/arch/x86/coco/core.c (revision c118478665f467e57d06b2354de65974b246b82b) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Confidential Computing Platform Capability checks
4  *
5  * Copyright (C) 2021 Advanced Micro Devices, Inc.
6  * Copyright (C) 2024 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
7  *
8  * Author: Tom Lendacky <thomas.lendacky@amd.com>
9  */
10 
11 #include <linux/export.h>
12 #include <linux/cc_platform.h>
13 #include <linux/string.h>
14 #include <linux/random.h>
15 
16 #include <asm/archrandom.h>
17 #include <asm/coco.h>
18 #include <asm/processor.h>
19 
20 enum cc_vendor cc_vendor __ro_after_init = CC_VENDOR_NONE;
21 u64 cc_mask __ro_after_init;
22 
23 static struct cc_attr_flags {
24 	__u64 host_sev_snp	: 1,
25 	      __resv		: 63;
26 } cc_flags;
27 
28 static bool noinstr intel_cc_platform_has(enum cc_attr attr)
29 {
30 	switch (attr) {
31 	case CC_ATTR_GUEST_UNROLL_STRING_IO:
32 	case CC_ATTR_GUEST_MEM_ENCRYPT:
33 	case CC_ATTR_MEM_ENCRYPT:
34 		return true;
35 	default:
36 		return false;
37 	}
38 }
39 
40 /*
41  * Handle the SEV-SNP vTOM case where sme_me_mask is zero, and
42  * the other levels of SME/SEV functionality, including C-bit
43  * based SEV-SNP, are not enabled.
44  */
45 static __maybe_unused __always_inline bool amd_cc_platform_vtom(enum cc_attr attr)
46 {
47 	switch (attr) {
48 	case CC_ATTR_GUEST_MEM_ENCRYPT:
49 	case CC_ATTR_MEM_ENCRYPT:
50 		return true;
51 	default:
52 		return false;
53 	}
54 }
55 
56 /*
57  * SME and SEV are very similar but they are not the same, so there are
58  * times that the kernel will need to distinguish between SME and SEV. The
59  * cc_platform_has() function is used for this.  When a distinction isn't
60  * needed, the CC_ATTR_MEM_ENCRYPT attribute can be used.
61  *
62  * The trampoline code is a good example for this requirement.  Before
63  * paging is activated, SME will access all memory as decrypted, but SEV
64  * will access all memory as encrypted.  So, when APs are being brought
65  * up under SME the trampoline area cannot be encrypted, whereas under SEV
66  * the trampoline area must be encrypted.
67  */
68 
69 static bool noinstr amd_cc_platform_has(enum cc_attr attr)
70 {
71 #ifdef CONFIG_AMD_MEM_ENCRYPT
72 
73 	if (sev_status & MSR_AMD64_SNP_VTOM)
74 		return amd_cc_platform_vtom(attr);
75 
76 	switch (attr) {
77 	case CC_ATTR_MEM_ENCRYPT:
78 		return sme_me_mask;
79 
80 	case CC_ATTR_HOST_MEM_ENCRYPT:
81 		return sme_me_mask && !(sev_status & MSR_AMD64_SEV_ENABLED);
82 
83 	case CC_ATTR_GUEST_MEM_ENCRYPT:
84 		return sev_status & MSR_AMD64_SEV_ENABLED;
85 
86 	case CC_ATTR_GUEST_STATE_ENCRYPT:
87 		return sev_status & MSR_AMD64_SEV_ES_ENABLED;
88 
89 	/*
90 	 * With SEV, the rep string I/O instructions need to be unrolled
91 	 * but SEV-ES supports them through the #VC handler.
92 	 */
93 	case CC_ATTR_GUEST_UNROLL_STRING_IO:
94 		return (sev_status & MSR_AMD64_SEV_ENABLED) &&
95 			!(sev_status & MSR_AMD64_SEV_ES_ENABLED);
96 
97 	case CC_ATTR_GUEST_SEV_SNP:
98 		return sev_status & MSR_AMD64_SEV_SNP_ENABLED;
99 
100 	case CC_ATTR_HOST_SEV_SNP:
101 		return cc_flags.host_sev_snp;
102 
103 	default:
104 		return false;
105 	}
106 #else
107 	return false;
108 #endif
109 }
110 
111 bool noinstr cc_platform_has(enum cc_attr attr)
112 {
113 	switch (cc_vendor) {
114 	case CC_VENDOR_AMD:
115 		return amd_cc_platform_has(attr);
116 	case CC_VENDOR_INTEL:
117 		return intel_cc_platform_has(attr);
118 	default:
119 		return false;
120 	}
121 }
122 EXPORT_SYMBOL_GPL(cc_platform_has);
123 
124 u64 cc_mkenc(u64 val)
125 {
126 	/*
127 	 * Both AMD and Intel use a bit in the page table to indicate
128 	 * encryption status of the page.
129 	 *
130 	 * - for AMD, bit *set* means the page is encrypted
131 	 * - for AMD with vTOM and for Intel, *clear* means encrypted
132 	 */
133 	switch (cc_vendor) {
134 	case CC_VENDOR_AMD:
135 		if (sev_status & MSR_AMD64_SNP_VTOM)
136 			return val & ~cc_mask;
137 		else
138 			return val | cc_mask;
139 	case CC_VENDOR_INTEL:
140 		return val & ~cc_mask;
141 	default:
142 		return val;
143 	}
144 }
145 
146 u64 cc_mkdec(u64 val)
147 {
148 	/* See comment in cc_mkenc() */
149 	switch (cc_vendor) {
150 	case CC_VENDOR_AMD:
151 		if (sev_status & MSR_AMD64_SNP_VTOM)
152 			return val | cc_mask;
153 		else
154 			return val & ~cc_mask;
155 	case CC_VENDOR_INTEL:
156 		return val | cc_mask;
157 	default:
158 		return val;
159 	}
160 }
161 EXPORT_SYMBOL_GPL(cc_mkdec);
162 
163 static void amd_cc_platform_clear(enum cc_attr attr)
164 {
165 	switch (attr) {
166 	case CC_ATTR_HOST_SEV_SNP:
167 		cc_flags.host_sev_snp = 0;
168 		break;
169 	default:
170 		break;
171 	}
172 }
173 
174 void cc_platform_clear(enum cc_attr attr)
175 {
176 	switch (cc_vendor) {
177 	case CC_VENDOR_AMD:
178 		amd_cc_platform_clear(attr);
179 		break;
180 	default:
181 		break;
182 	}
183 }
184 
185 static void amd_cc_platform_set(enum cc_attr attr)
186 {
187 	switch (attr) {
188 	case CC_ATTR_HOST_SEV_SNP:
189 		cc_flags.host_sev_snp = 1;
190 		break;
191 	default:
192 		break;
193 	}
194 }
195 
196 void cc_platform_set(enum cc_attr attr)
197 {
198 	switch (cc_vendor) {
199 	case CC_VENDOR_AMD:
200 		amd_cc_platform_set(attr);
201 		break;
202 	default:
203 		break;
204 	}
205 }
206 
207 __init void cc_random_init(void)
208 {
209 	/*
210 	 * The seed is 32 bytes (in units of longs), which is 256 bits, which
211 	 * is the security level that the RNG is targeting.
212 	 */
213 	unsigned long rng_seed[32 / sizeof(long)];
214 	size_t i, longs;
215 
216 	if (!cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT))
217 		return;
218 
219 	/*
220 	 * Since the CoCo threat model includes the host, the only reliable
221 	 * source of entropy that can be neither observed nor manipulated is
222 	 * RDRAND. Usually, RDRAND failure is considered tolerable, but since
223 	 * CoCo guests have no other unobservable source of entropy, it's
224 	 * important to at least ensure the RNG gets some initial random seeds.
225 	 */
226 	for (i = 0; i < ARRAY_SIZE(rng_seed); i += longs) {
227 		longs = arch_get_random_longs(&rng_seed[i], ARRAY_SIZE(rng_seed) - i);
228 
229 		/*
230 		 * A zero return value means that the guest doesn't have RDRAND
231 		 * or the CPU is physically broken, and in both cases that
232 		 * means most crypto inside of the CoCo instance will be
233 		 * broken, defeating the purpose of CoCo in the first place. So
234 		 * just panic here because it's absolutely unsafe to continue
235 		 * executing.
236 		 */
237 		if (longs == 0)
238 			panic("RDRAND is defective.");
239 	}
240 	add_device_randomness(rng_seed, sizeof(rng_seed));
241 	memzero_explicit(rng_seed, sizeof(rng_seed));
242 }
243