xref: /linux/drivers/s390/char/uvdevice.c (revision 906fd46a65383cd639e5eec72a047efc33045d86) 
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  *  Copyright IBM Corp. 2022
4  *  Author(s): Steffen Eiden <seiden@linux.ibm.com>
5  *
6  *  This file provides a Linux misc device to give userspace access to some
7  *  Ultravisor (UV) functions. The device only accepts IOCTLs and will only
8  *  be present if the Ultravisor facility (158) is present.
9  *
10  *  When userspace sends a valid IOCTL uvdevice will copy the input data to
11  *  kernel space, do some basic validity checks to avoid kernel/system
12  *  corruption. Any other check that the Ultravisor does will not be done by
13  *  the uvdevice to keep changes minimal when adding new functionalities
14  *  to existing UV-calls.
15  *  After the checks uvdevice builds a corresponding
16  *  Ultravisor Call Control Block, and sends the request to the Ultravisor.
17  *  Then, it copies the response, including the return codes, back to userspace.
18  *  It is the responsibility of the userspace to check for any error issued
19  *  by UV and to interpret the UV response. The uvdevice acts as a communication
20  *  channel for userspace to the Ultravisor.
21  */
22 
23 #include <linux/module.h>
24 #include <linux/kernel.h>
25 #include <linux/miscdevice.h>
26 #include <linux/types.h>
27 #include <linux/stddef.h>
28 #include <linux/vmalloc.h>
29 #include <linux/slab.h>
30 #include <linux/cpufeature.h>
31 
32 #include <asm/uvdevice.h>
33 #include <asm/uv.h>
34 
35 #define BIT_UVIO_INTERNAL U32_MAX
36 /* Mapping from IOCTL-nr to UVC-bit */
37 static const u32 ioctl_nr_to_uvc_bit[] __initconst = {
38 	[UVIO_IOCTL_UVDEV_INFO_NR] = BIT_UVIO_INTERNAL,
39 	[UVIO_IOCTL_ATT_NR] = BIT_UVC_CMD_RETR_ATTEST,
40 	[UVIO_IOCTL_ADD_SECRET_NR] = BIT_UVC_CMD_ADD_SECRET,
41 	[UVIO_IOCTL_LIST_SECRETS_NR] = BIT_UVC_CMD_LIST_SECRETS,
42 	[UVIO_IOCTL_LOCK_SECRETS_NR] = BIT_UVC_CMD_LOCK_SECRETS,
43 };
44 
45 static_assert(ARRAY_SIZE(ioctl_nr_to_uvc_bit) == UVIO_IOCTL_NUM_IOCTLS);
46 
47 static struct uvio_uvdev_info uvdev_info = {
48 	.supp_uvio_cmds = GENMASK_ULL(UVIO_IOCTL_NUM_IOCTLS - 1, 0),
49 };
50 
51 static void __init set_supp_uv_cmds(unsigned long *supp_uv_cmds)
52 {
53 	int i;
54 
55 	for (i = 0; i < UVIO_IOCTL_NUM_IOCTLS; i++) {
56 		if (ioctl_nr_to_uvc_bit[i] == BIT_UVIO_INTERNAL)
57 			continue;
58 		if (!test_bit_inv(ioctl_nr_to_uvc_bit[i], uv_info.inst_calls_list))
59 			continue;
60 		__set_bit(i, supp_uv_cmds);
61 	}
62 }
63 
64 /**
65  * uvio_uvdev_info() - get information about the uvdevice
66  *
67  * @uv_ioctl: ioctl control block
68  *
69  * Lists all IOCTLs that are supported by this uvdevice
70  */
71 static int uvio_uvdev_info(struct uvio_ioctl_cb *uv_ioctl)
72 {
73 	void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
74 
75 	if (uv_ioctl->argument_len < sizeof(uvdev_info))
76 		return -EINVAL;
77 	if (copy_to_user(user_buf_arg, &uvdev_info, sizeof(uvdev_info)))
78 		return -EFAULT;
79 
80 	uv_ioctl->uv_rc = UVC_RC_EXECUTED;
81 	return 0;
82 }
83 
84 static int uvio_build_uvcb_attest(struct uv_cb_attest *uvcb_attest, u8 *arcb,
85 				  u8 *meas, u8 *add_data, struct uvio_attest *uvio_attest)
86 {
87 	void __user *user_buf_arcb = (void __user *)uvio_attest->arcb_addr;
88 
89 	if (copy_from_user(arcb, user_buf_arcb, uvio_attest->arcb_len))
90 		return -EFAULT;
91 
92 	uvcb_attest->header.len = sizeof(*uvcb_attest);
93 	uvcb_attest->header.cmd = UVC_CMD_RETR_ATTEST;
94 	uvcb_attest->arcb_addr = (u64)arcb;
95 	uvcb_attest->cont_token = 0;
96 	uvcb_attest->user_data_len = uvio_attest->user_data_len;
97 	memcpy(uvcb_attest->user_data, uvio_attest->user_data, sizeof(uvcb_attest->user_data));
98 	uvcb_attest->meas_len = uvio_attest->meas_len;
99 	uvcb_attest->meas_addr = (u64)meas;
100 	uvcb_attest->add_data_len = uvio_attest->add_data_len;
101 	uvcb_attest->add_data_addr = (u64)add_data;
102 
103 	return 0;
104 }
105 
106 static int uvio_copy_attest_result_to_user(struct uv_cb_attest *uvcb_attest,
107 					   struct uvio_ioctl_cb *uv_ioctl,
108 					   u8 *measurement, u8 *add_data,
109 					   struct uvio_attest *uvio_attest)
110 {
111 	struct uvio_attest __user *user_uvio_attest = (void __user *)uv_ioctl->argument_addr;
112 	u32 __user *user_buf_add_len = (u32 __user *)&user_uvio_attest->add_data_len;
113 	void __user *user_buf_add = (void __user *)uvio_attest->add_data_addr;
114 	void __user *user_buf_meas = (void __user *)uvio_attest->meas_addr;
115 	void __user *user_buf_uid = &user_uvio_attest->config_uid;
116 
117 	if (copy_to_user(user_buf_meas, measurement, uvio_attest->meas_len))
118 		return -EFAULT;
119 	if (add_data && copy_to_user(user_buf_add, add_data, uvio_attest->add_data_len))
120 		return -EFAULT;
121 	if (put_user(uvio_attest->add_data_len, user_buf_add_len))
122 		return -EFAULT;
123 	if (copy_to_user(user_buf_uid, uvcb_attest->config_uid, sizeof(uvcb_attest->config_uid)))
124 		return -EFAULT;
125 	return 0;
126 }
127 
128 static int get_uvio_attest(struct uvio_ioctl_cb *uv_ioctl, struct uvio_attest *uvio_attest)
129 {
130 	u8 __user *user_arg_buf = (u8 __user *)uv_ioctl->argument_addr;
131 
132 	if (copy_from_user(uvio_attest, user_arg_buf, sizeof(*uvio_attest)))
133 		return -EFAULT;
134 
135 	if (uvio_attest->arcb_len > UVIO_ATT_ARCB_MAX_LEN)
136 		return -EINVAL;
137 	if (uvio_attest->arcb_len == 0)
138 		return -EINVAL;
139 	if (uvio_attest->meas_len > UVIO_ATT_MEASUREMENT_MAX_LEN)
140 		return -EINVAL;
141 	if (uvio_attest->meas_len == 0)
142 		return -EINVAL;
143 	if (uvio_attest->add_data_len > UVIO_ATT_ADDITIONAL_MAX_LEN)
144 		return -EINVAL;
145 	if (uvio_attest->reserved136)
146 		return -EINVAL;
147 	return 0;
148 }
149 
150 /**
151  * uvio_attestation() - Perform a Retrieve Attestation Measurement UVC.
152  *
153  * @uv_ioctl: ioctl control block
154  *
155  * uvio_attestation() does a Retrieve Attestation Measurement Ultravisor Call.
156  * It verifies that the given userspace addresses are valid and request sizes
157  * are sane. Every other check is made by the Ultravisor (UV) and won't result
158  * in a negative return value. It copies the input to kernelspace, builds the
159  * request, sends the UV-call, and copies the result to userspace.
160  *
161  * The Attestation Request has two input and two outputs.
162  * ARCB and User Data are inputs for the UV generated by userspace.
163  * Measurement and Additional Data are outputs for userspace generated by UV.
164  *
165  * The Attestation Request Control Block (ARCB) is a cryptographically verified
166  * and secured request to UV and User Data is some plaintext data which is
167  * going to be included in the Attestation Measurement calculation.
168  *
169  * Measurement is a cryptographic measurement of the callers properties,
170  * optional data configured by the ARCB and the user data. If specified by the
171  * ARCB, UV will add some Additional Data to the measurement calculation.
172  * This Additional Data is then returned as well.
173  *
174  * If the Retrieve Attestation Measurement UV facility is not present,
175  * UV will return invalid command rc. This won't be fenced in the driver
176  * and does not result in a negative return value.
177  *
178  * Context: might sleep
179  *
180  * Return: 0 on success or a negative error code on error.
181  */
182 static int uvio_attestation(struct uvio_ioctl_cb *uv_ioctl)
183 {
184 	struct uv_cb_attest *uvcb_attest = NULL;
185 	struct uvio_attest *uvio_attest = NULL;
186 	u8 *measurement = NULL;
187 	u8 *add_data = NULL;
188 	u8 *arcb = NULL;
189 	int ret;
190 
191 	ret = -EINVAL;
192 	if (uv_ioctl->argument_len != sizeof(*uvio_attest))
193 		goto out;
194 
195 	ret = -ENOMEM;
196 	uvio_attest = kzalloc(sizeof(*uvio_attest), GFP_KERNEL);
197 	if (!uvio_attest)
198 		goto out;
199 
200 	ret = get_uvio_attest(uv_ioctl, uvio_attest);
201 	if (ret)
202 		goto out;
203 
204 	ret = -ENOMEM;
205 	arcb = kvzalloc(uvio_attest->arcb_len, GFP_KERNEL);
206 	measurement = kvzalloc(uvio_attest->meas_len, GFP_KERNEL);
207 	if (!arcb || !measurement)
208 		goto out;
209 
210 	if (uvio_attest->add_data_len) {
211 		add_data = kvzalloc(uvio_attest->add_data_len, GFP_KERNEL);
212 		if (!add_data)
213 			goto out;
214 	}
215 
216 	uvcb_attest = kzalloc(sizeof(*uvcb_attest), GFP_KERNEL);
217 	if (!uvcb_attest)
218 		goto out;
219 
220 	ret = uvio_build_uvcb_attest(uvcb_attest, arcb,  measurement, add_data, uvio_attest);
221 	if (ret)
222 		goto out;
223 
224 	uv_call_sched(0, (u64)uvcb_attest);
225 
226 	uv_ioctl->uv_rc = uvcb_attest->header.rc;
227 	uv_ioctl->uv_rrc = uvcb_attest->header.rrc;
228 
229 	ret = uvio_copy_attest_result_to_user(uvcb_attest, uv_ioctl, measurement, add_data,
230 					      uvio_attest);
231 out:
232 	kvfree(arcb);
233 	kvfree(measurement);
234 	kvfree(add_data);
235 	kfree(uvio_attest);
236 	kfree(uvcb_attest);
237 	return ret;
238 }
239 
240 /** uvio_add_secret() - perform an Add Secret UVC
241  *
242  * @uv_ioctl: ioctl control block
243  *
244  * uvio_add_secret() performs the Add Secret Ultravisor Call.
245  *
246  * The given userspace argument address and size are verified to be
247  * valid but every other check is made by the Ultravisor
248  * (UV). Therefore UV errors won't result in a negative return
249  * value. The request is then copied to kernelspace, the UV-call is
250  * performed and the results are copied back to userspace.
251  *
252  * The argument has to point to an Add Secret Request Control Block
253  * which is an encrypted and cryptographically verified request that
254  * inserts a protected guest's secrets into the Ultravisor for later
255  * use.
256  *
257  * If the Add Secret UV facility is not present, UV will return
258  * invalid command rc. This won't be fenced in the driver and does not
259  * result in a negative return value.
260  *
261  * Context: might sleep
262  *
263  * Return: 0 on success or a negative error code on error.
264  */
265 static int uvio_add_secret(struct uvio_ioctl_cb *uv_ioctl)
266 {
267 	void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
268 	struct uv_cb_guest_addr uvcb = {
269 		.header.len = sizeof(uvcb),
270 		.header.cmd = UVC_CMD_ADD_SECRET,
271 	};
272 	void *asrcb = NULL;
273 	int ret;
274 
275 	if (uv_ioctl->argument_len > UVIO_ADD_SECRET_MAX_LEN)
276 		return -EINVAL;
277 	if (uv_ioctl->argument_len == 0)
278 		return -EINVAL;
279 
280 	asrcb = kvzalloc(uv_ioctl->argument_len, GFP_KERNEL);
281 	if (!asrcb)
282 		return -ENOMEM;
283 
284 	ret = -EFAULT;
285 	if (copy_from_user(asrcb, user_buf_arg, uv_ioctl->argument_len))
286 		goto out;
287 
288 	ret = 0;
289 	uvcb.addr = (u64)asrcb;
290 	uv_call_sched(0, (u64)&uvcb);
291 	uv_ioctl->uv_rc = uvcb.header.rc;
292 	uv_ioctl->uv_rrc = uvcb.header.rrc;
293 
294 out:
295 	kvfree(asrcb);
296 	return ret;
297 }
298 
299 /** uvio_list_secrets() - perform a List Secret UVC
300  * @uv_ioctl: ioctl control block
301  *
302  * uvio_list_secrets() performs the List Secret Ultravisor Call. It verifies
303  * that the given userspace argument address is valid and its size is sane.
304  * Every other check is made by the Ultravisor (UV) and won't result in a
305  * negative return value. It builds the request, performs the UV-call, and
306  * copies the result to userspace.
307  *
308  * The argument specifies the location for the result of the UV-Call.
309  *
310  * If the List Secrets UV facility is not present, UV will return invalid
311  * command rc. This won't be fenced in the driver and does not result in a
312  * negative return value.
313  *
314  * Context: might sleep
315  *
316  * Return: 0 on success or a negative error code on error.
317  */
318 static int uvio_list_secrets(struct uvio_ioctl_cb *uv_ioctl)
319 {
320 	void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
321 	struct uv_cb_guest_addr uvcb = {
322 		.header.len = sizeof(uvcb),
323 		.header.cmd = UVC_CMD_LIST_SECRETS,
324 	};
325 	void *secrets = NULL;
326 	int ret = 0;
327 
328 	if (uv_ioctl->argument_len != UVIO_LIST_SECRETS_LEN)
329 		return -EINVAL;
330 
331 	secrets = kvzalloc(UVIO_LIST_SECRETS_LEN, GFP_KERNEL);
332 	if (!secrets)
333 		return -ENOMEM;
334 
335 	uvcb.addr = (u64)secrets;
336 	uv_call_sched(0, (u64)&uvcb);
337 	uv_ioctl->uv_rc = uvcb.header.rc;
338 	uv_ioctl->uv_rrc = uvcb.header.rrc;
339 
340 	if (copy_to_user(user_buf_arg, secrets, UVIO_LIST_SECRETS_LEN))
341 		ret = -EFAULT;
342 
343 	kvfree(secrets);
344 	return ret;
345 }
346 
347 /** uvio_lock_secrets() - perform a Lock Secret Store UVC
348  * @uv_ioctl: ioctl control block
349  *
350  * uvio_lock_secrets() performs the Lock Secret Store Ultravisor Call. It
351  * performs the UV-call and copies the return codes to the ioctl control block.
352  * After this call was dispatched successfully every following Add Secret UVC
353  * and Lock Secrets UVC will fail with return code 0x102.
354  *
355  * The argument address and size must be 0.
356  *
357  * If the Lock Secrets UV facility is not present, UV will return invalid
358  * command rc. This won't be fenced in the driver and does not result in a
359  * negative return value.
360  *
361  * Context: might sleep
362  *
363  * Return: 0 on success or a negative error code on error.
364  */
365 static int uvio_lock_secrets(struct uvio_ioctl_cb *ioctl)
366 {
367 	struct uv_cb_nodata uvcb = {
368 		.header.len = sizeof(uvcb),
369 		.header.cmd = UVC_CMD_LOCK_SECRETS,
370 	};
371 
372 	if (ioctl->argument_addr || ioctl->argument_len)
373 		return -EINVAL;
374 
375 	uv_call(0, (u64)&uvcb);
376 	ioctl->uv_rc = uvcb.header.rc;
377 	ioctl->uv_rrc = uvcb.header.rrc;
378 
379 	return 0;
380 }
381 
382 static int uvio_copy_and_check_ioctl(struct uvio_ioctl_cb *ioctl, void __user *argp,
383 				     unsigned long cmd)
384 {
385 	u8 nr = _IOC_NR(cmd);
386 
387 	if (_IOC_DIR(cmd) != (_IOC_READ | _IOC_WRITE))
388 		return -ENOIOCTLCMD;
389 	if (_IOC_TYPE(cmd) != UVIO_TYPE_UVC)
390 		return -ENOIOCTLCMD;
391 	if (nr >= UVIO_IOCTL_NUM_IOCTLS)
392 		return -ENOIOCTLCMD;
393 	if (_IOC_SIZE(cmd) != sizeof(*ioctl))
394 		return -ENOIOCTLCMD;
395 	if (copy_from_user(ioctl, argp, sizeof(*ioctl)))
396 		return -EFAULT;
397 	if (ioctl->flags != 0)
398 		return -EINVAL;
399 	if (memchr_inv(ioctl->reserved14, 0, sizeof(ioctl->reserved14)))
400 		return -EINVAL;
401 
402 	return nr;
403 }
404 
405 /*
406  * IOCTL entry point for the Ultravisor device.
407  */
408 static long uvio_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
409 {
410 	void __user *argp = (void __user *)arg;
411 	struct uvio_ioctl_cb uv_ioctl = { };
412 	long ret;
413 	int nr;
414 
415 	nr = uvio_copy_and_check_ioctl(&uv_ioctl, argp, cmd);
416 	if (nr < 0)
417 		return nr;
418 
419 	switch (nr) {
420 	case UVIO_IOCTL_UVDEV_INFO_NR:
421 		ret = uvio_uvdev_info(&uv_ioctl);
422 		break;
423 	case UVIO_IOCTL_ATT_NR:
424 		ret = uvio_attestation(&uv_ioctl);
425 		break;
426 	case UVIO_IOCTL_ADD_SECRET_NR:
427 		ret = uvio_add_secret(&uv_ioctl);
428 		break;
429 	case UVIO_IOCTL_LIST_SECRETS_NR:
430 		ret = uvio_list_secrets(&uv_ioctl);
431 		break;
432 	case UVIO_IOCTL_LOCK_SECRETS_NR:
433 		ret = uvio_lock_secrets(&uv_ioctl);
434 		break;
435 	default:
436 		ret = -ENOIOCTLCMD;
437 		break;
438 	}
439 	if (ret)
440 		return ret;
441 
442 	if (copy_to_user(argp, &uv_ioctl, sizeof(uv_ioctl)))
443 		ret = -EFAULT;
444 
445 	return ret;
446 }
447 
448 static const struct file_operations uvio_dev_fops = {
449 	.owner = THIS_MODULE,
450 	.unlocked_ioctl = uvio_ioctl,
451 	.llseek = no_llseek,
452 };
453 
454 static struct miscdevice uvio_dev_miscdev = {
455 	.minor = MISC_DYNAMIC_MINOR,
456 	.name = UVIO_DEVICE_NAME,
457 	.fops = &uvio_dev_fops,
458 };
459 
460 static void __exit uvio_dev_exit(void)
461 {
462 	misc_deregister(&uvio_dev_miscdev);
463 }
464 
465 static int __init uvio_dev_init(void)
466 {
467 	set_supp_uv_cmds((unsigned long *)&uvdev_info.supp_uv_cmds);
468 	return misc_register(&uvio_dev_miscdev);
469 }
470 
471 module_cpu_feature_match(S390_CPU_FEATURE_UV, uvio_dev_init);
472 module_exit(uvio_dev_exit);
473 
474 MODULE_AUTHOR("IBM Corporation");
475 MODULE_LICENSE("GPL");
476 MODULE_DESCRIPTION("Ultravisor UAPI driver");
477