Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/arch/x86/boot/compressed/sev.c
26481 views
1
// SPDX-License-Identifier: GPL-2.0

2
/*

3
 * AMD Encrypted Register State Support

4
 *

5
 * Author: Joerg Roedel <[email protected]>

6
 */

7


8
/*

9
 * misc.h needs to be first because it knows how to include the other kernel

10
 * headers in the pre-decompression code in a way that does not break

11
 * compilation.

12
 */

13
#include "misc.h"

14


15
#include <asm/bootparam.h>

16
#include <asm/pgtable_types.h>

17
#include <asm/sev.h>

18
#include <asm/trapnr.h>

19
#include <asm/trap_pf.h>

20
#include <asm/msr-index.h>

21
#include <asm/fpu/xcr.h>

22
#include <asm/ptrace.h>

23
#include <asm/svm.h>

24
#include <asm/cpuid/api.h>

25


26
#include "error.h"

27
#include "sev.h"

28


29
static struct ghcb boot_ghcb_page __aligned(PAGE_SIZE);

30
struct ghcb *boot_ghcb;

31


32
#undef __init

33
#define __init

34


35
#undef __head

36
#define __head

37


38
#define __BOOT_COMPRESSED

39


40
extern struct svsm_ca *boot_svsm_caa;

41
extern u64 boot_svsm_caa_pa;

42


43
struct svsm_ca *svsm_get_caa(void)

44
{

45
	return boot_svsm_caa;

46
}

47


48
u64 svsm_get_caa_pa(void)

49
{

50
	return boot_svsm_caa_pa;

51
}

52


53
int svsm_perform_call_protocol(struct svsm_call *call);

54


55
u8 snp_vmpl;

56


57
/* Include code for early handlers */

58
#include "../../boot/startup/sev-shared.c"

59


60
int svsm_perform_call_protocol(struct svsm_call *call)

61
{

62
	struct ghcb *ghcb;

63
	int ret;

64


65
	if (boot_ghcb)

66
		ghcb = boot_ghcb;

67
	else

68
		ghcb = NULL;

69


70
	do {

71
		ret = ghcb ? svsm_perform_ghcb_protocol(ghcb, call)

72
			   : svsm_perform_msr_protocol(call);

73
	} while (ret == -EAGAIN);

74


75
	return ret;

76
}

77


78
static bool sev_snp_enabled(void)

79
{

80
	return sev_status & MSR_AMD64_SEV_SNP_ENABLED;

81
}

82


83
static void __page_state_change(unsigned long paddr, enum psc_op op)

84
{

85
	u64 val, msr;

86


87
	/*

88
	 * If private -> shared then invalidate the page before requesting the

89
	 * state change in the RMP table.

90
	 */

91
	if (op == SNP_PAGE_STATE_SHARED)

92
		pvalidate_4k_page(paddr, paddr, false);

93


94
	/* Save the current GHCB MSR value */

95
	msr = sev_es_rd_ghcb_msr();

96


97
	/* Issue VMGEXIT to change the page state in RMP table. */

98
	sev_es_wr_ghcb_msr(GHCB_MSR_PSC_REQ_GFN(paddr >> PAGE_SHIFT, op));

99
	VMGEXIT();

100


101
	/* Read the response of the VMGEXIT. */

102
	val = sev_es_rd_ghcb_msr();

103
	if ((GHCB_RESP_CODE(val) != GHCB_MSR_PSC_RESP) || GHCB_MSR_PSC_RESP_VAL(val))

104
		sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PSC);

105


106
	/* Restore the GHCB MSR value */

107
	sev_es_wr_ghcb_msr(msr);

108


109
	/*

110
	 * Now that page state is changed in the RMP table, validate it so that it is

111
	 * consistent with the RMP entry.

112
	 */

113
	if (op == SNP_PAGE_STATE_PRIVATE)

114
		pvalidate_4k_page(paddr, paddr, true);

115
}

116


117
void snp_set_page_private(unsigned long paddr)

118
{

119
	if (!sev_snp_enabled())

120
		return;

121


122
	__page_state_change(paddr, SNP_PAGE_STATE_PRIVATE);

123
}

124


125
void snp_set_page_shared(unsigned long paddr)

126
{

127
	if (!sev_snp_enabled())

128
		return;

129


130
	__page_state_change(paddr, SNP_PAGE_STATE_SHARED);

131
}

132


133
bool early_setup_ghcb(void)

134
{

135
	if (set_page_decrypted((unsigned long)&boot_ghcb_page))

136
		return false;

137


138
	/* Page is now mapped decrypted, clear it */

139
	memset(&boot_ghcb_page, 0, sizeof(boot_ghcb_page));

140


141
	boot_ghcb = &boot_ghcb_page;

142


143
	/* Initialize lookup tables for the instruction decoder */

144
	sev_insn_decode_init();

145


146
	/* SNP guest requires the GHCB GPA must be registered */

147
	if (sev_snp_enabled())

148
		snp_register_ghcb_early(__pa(&boot_ghcb_page));

149


150
	return true;

151
}

152


153
void snp_accept_memory(phys_addr_t start, phys_addr_t end)

154
{

155
	for (phys_addr_t pa = start; pa < end; pa += PAGE_SIZE)

156
		__page_state_change(pa, SNP_PAGE_STATE_PRIVATE);

157
}

158


159
void sev_es_shutdown_ghcb(void)

160
{

161
	if (!boot_ghcb)

162
		return;

163


164
	if (!sev_es_check_cpu_features())

165
		error("SEV-ES CPU Features missing.");

166


167
	/*

168
	 * This denotes whether to use the GHCB MSR protocol or the GHCB

169
	 * shared page to perform a GHCB request. Since the GHCB page is

170
	 * being changed to encrypted, it can't be used to perform GHCB

171
	 * requests. Clear the boot_ghcb variable so that the GHCB MSR

172
	 * protocol is used to change the GHCB page over to an encrypted

173
	 * page.

174
	 */

175
	boot_ghcb = NULL;

176


177
	/*

178
	 * GHCB Page must be flushed from the cache and mapped encrypted again.

179
	 * Otherwise the running kernel will see strange cache effects when

180
	 * trying to use that page.

181
	 */

182
	if (set_page_encrypted((unsigned long)&boot_ghcb_page))

183
		error("Can't map GHCB page encrypted");

184


185
	/*

186
	 * GHCB page is mapped encrypted again and flushed from the cache.

187
	 * Mark it non-present now to catch bugs when #VC exceptions trigger

188
	 * after this point.

189
	 */

190
	if (set_page_non_present((unsigned long)&boot_ghcb_page))

191
		error("Can't unmap GHCB page");

192
}

193


194
static void __noreturn sev_es_ghcb_terminate(struct ghcb *ghcb, unsigned int set,

195
					     unsigned int reason, u64 exit_info_2)

196
{

197
	u64 exit_info_1 = SVM_VMGEXIT_TERM_REASON(set, reason);

198


199
	vc_ghcb_invalidate(ghcb);

200
	ghcb_set_sw_exit_code(ghcb, SVM_VMGEXIT_TERM_REQUEST);

201
	ghcb_set_sw_exit_info_1(ghcb, exit_info_1);

202
	ghcb_set_sw_exit_info_2(ghcb, exit_info_2);

203


204
	sev_es_wr_ghcb_msr(__pa(ghcb));

205
	VMGEXIT();

206


207
	while (true)

208
		asm volatile("hlt\n" : : : "memory");

209
}

210


211
bool sev_es_check_ghcb_fault(unsigned long address)

212
{

213
	/* Check whether the fault was on the GHCB page */

214
	return ((address & PAGE_MASK) == (unsigned long)&boot_ghcb_page);

215
}

216


217
/*

218
 * SNP_FEATURES_IMPL_REQ is the mask of SNP features that will need

219
 * guest side implementation for proper functioning of the guest. If any

220
 * of these features are enabled in the hypervisor but are lacking guest

221
 * side implementation, the behavior of the guest will be undefined. The

222
 * guest could fail in non-obvious way making it difficult to debug.

223
 *

224
 * As the behavior of reserved feature bits is unknown to be on the

225
 * safe side add them to the required features mask.

226
 */

227
#define SNP_FEATURES_IMPL_REQ	(MSR_AMD64_SNP_VTOM |			\

228
				 MSR_AMD64_SNP_REFLECT_VC |		\

229
				 MSR_AMD64_SNP_RESTRICTED_INJ |		\

230
				 MSR_AMD64_SNP_ALT_INJ |		\

231
				 MSR_AMD64_SNP_DEBUG_SWAP |		\

232
				 MSR_AMD64_SNP_VMPL_SSS |		\

233
				 MSR_AMD64_SNP_SECURE_TSC |		\

234
				 MSR_AMD64_SNP_VMGEXIT_PARAM |		\

235
				 MSR_AMD64_SNP_VMSA_REG_PROT |		\

236
				 MSR_AMD64_SNP_RESERVED_BIT13 |		\

237
				 MSR_AMD64_SNP_RESERVED_BIT15 |		\

238
				 MSR_AMD64_SNP_RESERVED_MASK)

239


240
/*

241
 * SNP_FEATURES_PRESENT is the mask of SNP features that are implemented

242
 * by the guest kernel. As and when a new feature is implemented in the

243
 * guest kernel, a corresponding bit should be added to the mask.

244
 */

245
#define SNP_FEATURES_PRESENT	(MSR_AMD64_SNP_DEBUG_SWAP |	\

246
				 MSR_AMD64_SNP_SECURE_TSC)

247


248
u64 snp_get_unsupported_features(u64 status)

249
{

250
	if (!(status & MSR_AMD64_SEV_SNP_ENABLED))

251
		return 0;

252


253
	return status & SNP_FEATURES_IMPL_REQ & ~SNP_FEATURES_PRESENT;

254
}

255


256
void snp_check_features(void)

257
{

258
	u64 unsupported;

259


260
	/*

261
	 * Terminate the boot if hypervisor has enabled any feature lacking

262
	 * guest side implementation. Pass on the unsupported features mask through

263
	 * EXIT_INFO_2 of the GHCB protocol so that those features can be reported

264
	 * as part of the guest boot failure.

265
	 */

266
	unsupported = snp_get_unsupported_features(sev_status);

267
	if (unsupported) {

268
		if (ghcb_version < 2 || (!boot_ghcb && !early_setup_ghcb()))

269
			sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED);

270


271
		sev_es_ghcb_terminate(boot_ghcb, SEV_TERM_SET_GEN,

272
				      GHCB_SNP_UNSUPPORTED, unsupported);

273
	}

274
}

275


276
/* Search for Confidential Computing blob in the EFI config table. */

277
static struct cc_blob_sev_info *find_cc_blob_efi(struct boot_params *bp)

278
{

279
	unsigned long cfg_table_pa;

280
	unsigned int cfg_table_len;

281
	int ret;

282


283
	ret = efi_get_conf_table(bp, &cfg_table_pa, &cfg_table_len);

284
	if (ret)

285
		return NULL;

286


287
	return (struct cc_blob_sev_info *)efi_find_vendor_table(bp, cfg_table_pa,

288
								cfg_table_len,

289
								EFI_CC_BLOB_GUID);

290
}

291


292
/*

293
 * Initial set up of SNP relies on information provided by the

294
 * Confidential Computing blob, which can be passed to the boot kernel

295
 * by firmware/bootloader in the following ways:

296
 *

297
 * - via an entry in the EFI config table

298
 * - via a setup_data structure, as defined by the Linux Boot Protocol

299
 *

300
 * Scan for the blob in that order.

301
 */

302
static struct cc_blob_sev_info *find_cc_blob(struct boot_params *bp)

303
{

304
	struct cc_blob_sev_info *cc_info;

305


306
	cc_info = find_cc_blob_efi(bp);

307
	if (cc_info)

308
		goto found_cc_info;

309


310
	cc_info = find_cc_blob_setup_data(bp);

311
	if (!cc_info)

312
		return NULL;

313


314
found_cc_info:

315
	if (cc_info->magic != CC_BLOB_SEV_HDR_MAGIC)

316
		sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED);

317


318
	return cc_info;

319
}

320


321
/*

322
 * Indicate SNP based on presence of SNP-specific CC blob. Subsequent checks

323
 * will verify the SNP CPUID/MSR bits.

324
 */

325
static bool early_snp_init(struct boot_params *bp)

326
{

327
	struct cc_blob_sev_info *cc_info;

328


329
	if (!bp)

330
		return false;

331


332
	cc_info = find_cc_blob(bp);

333
	if (!cc_info)

334
		return false;

335


336
	/*

337
	 * If a SNP-specific Confidential Computing blob is present, then

338
	 * firmware/bootloader have indicated SNP support. Verifying this

339
	 * involves CPUID checks which will be more reliable if the SNP

340
	 * CPUID table is used. See comments over snp_setup_cpuid_table() for

341
	 * more details.

342
	 */

343
	setup_cpuid_table(cc_info);

344


345
	/*

346
	 * Record the SVSM Calling Area (CA) address if the guest is not

347
	 * running at VMPL0. The CA will be used to communicate with the

348
	 * SVSM and request its services.

349
	 */

350
	svsm_setup_ca(cc_info);

351


352
	/*

353
	 * Pass run-time kernel a pointer to CC info via boot_params so EFI

354
	 * config table doesn't need to be searched again during early startup

355
	 * phase.

356
	 */

357
	bp->cc_blob_address = (u32)(unsigned long)cc_info;

358


359
	return true;

360
}

361


362
/*

363
 * sev_check_cpu_support - Check for SEV support in the CPU capabilities

364
 *

365
 * Returns < 0 if SEV is not supported, otherwise the position of the

366
 * encryption bit in the page table descriptors.

367
 */

368
static int sev_check_cpu_support(void)

369
{

370
	unsigned int eax, ebx, ecx, edx;

371


372
	/* Check for the SME/SEV support leaf */

373
	eax = 0x80000000;

374
	ecx = 0;

375
	native_cpuid(&eax, &ebx, &ecx, &edx);

376
	if (eax < 0x8000001f)

377
		return -ENODEV;

378


379
	/*

380
	 * Check for the SME/SEV feature:

381
	 *   CPUID Fn8000_001F[EAX]

382
	 *   - Bit 0 - Secure Memory Encryption support

383
	 *   - Bit 1 - Secure Encrypted Virtualization support

384
	 *   CPUID Fn8000_001F[EBX]

385
	 *   - Bits 5:0 - Pagetable bit position used to indicate encryption

386
	 */

387
	eax = 0x8000001f;

388
	ecx = 0;

389
	native_cpuid(&eax, &ebx, &ecx, &edx);

390
	/* Check whether SEV is supported */

391
	if (!(eax & BIT(1)))

392
		return -ENODEV;

393


394
	return ebx & 0x3f;

395
}

396


397
void sev_enable(struct boot_params *bp)

398
{

399
	struct msr m;

400
	int bitpos;

401
	bool snp;

402


403
	/*

404
	 * bp->cc_blob_address should only be set by boot/compressed kernel.

405
	 * Initialize it to 0 to ensure that uninitialized values from

406
	 * buggy bootloaders aren't propagated.

407
	 */

408
	if (bp)

409
		bp->cc_blob_address = 0;

410


411
	/*

412
	 * Do an initial SEV capability check before early_snp_init() which

413
	 * loads the CPUID page and the same checks afterwards are done

414
	 * without the hypervisor and are trustworthy.

415
	 *

416
	 * If the HV fakes SEV support, the guest will crash'n'burn

417
	 * which is good enough.

418
	 */

419


420
	if (sev_check_cpu_support() < 0)

421
		return;

422


423
	/*

424
	 * Setup/preliminary detection of SNP. This will be sanity-checked

425
	 * against CPUID/MSR values later.

426
	 */

427
	snp = early_snp_init(bp);

428


429
	/* Now repeat the checks with the SNP CPUID table. */

430


431
	bitpos = sev_check_cpu_support();

432
	if (bitpos < 0) {

433
		if (snp)

434
			error("SEV-SNP support indicated by CC blob, but not CPUID.");

435
		return;

436
	}

437


438
	/* Set the SME mask if this is an SEV guest. */

439
	boot_rdmsr(MSR_AMD64_SEV, &m);

440
	sev_status = m.q;

441
	if (!(sev_status & MSR_AMD64_SEV_ENABLED))

442
		return;

443


444
	/* Negotiate the GHCB protocol version. */

445
	if (sev_status & MSR_AMD64_SEV_ES_ENABLED) {

446
		if (!sev_es_negotiate_protocol())

447
			sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_PROT_UNSUPPORTED);

448
	}

449


450
	/*

451
	 * SNP is supported in v2 of the GHCB spec which mandates support for HV

452
	 * features.

453
	 */

454
	if (sev_status & MSR_AMD64_SEV_SNP_ENABLED) {

455
		u64 hv_features;

456
		int ret;

457


458
		hv_features = get_hv_features();

459
		if (!(hv_features & GHCB_HV_FT_SNP))

460
			sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SNP_UNSUPPORTED);

461


462
		/*

463
		 * Enforce running at VMPL0 or with an SVSM.

464
		 *

465
		 * Use RMPADJUST (see the rmpadjust() function for a description of

466
		 * what the instruction does) to update the VMPL1 permissions of a

467
		 * page. If the guest is running at VMPL0, this will succeed. If the

468
		 * guest is running at any other VMPL, this will fail. Linux SNP guests

469
		 * only ever run at a single VMPL level so permission mask changes of a

470
		 * lesser-privileged VMPL are a don't-care.

471
		 */

472
		ret = rmpadjust((unsigned long)&boot_ghcb_page, RMP_PG_SIZE_4K, 1);

473


474
		/*

475
		 * Running at VMPL0 is not required if an SVSM is present and the hypervisor

476
		 * supports the required SVSM GHCB events.

477
		 */

478
		if (ret &&

479
		    !(snp_vmpl && (hv_features & GHCB_HV_FT_SNP_MULTI_VMPL)))

480
			sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_NOT_VMPL0);

481
	}

482


483
	if (snp && !(sev_status & MSR_AMD64_SEV_SNP_ENABLED))

484
		error("SEV-SNP supported indicated by CC blob, but not SEV status MSR.");

485


486
	sme_me_mask = BIT_ULL(bitpos);

487
}

488


489
/*

490
 * sev_get_status - Retrieve the SEV status mask

491
 *

492
 * Returns 0 if the CPU is not SEV capable, otherwise the value of the

493
 * AMD64_SEV MSR.

494
 */

495
u64 sev_get_status(void)

496
{

497
	struct msr m;

498


499
	if (sev_check_cpu_support() < 0)

500
		return 0;

501


502
	boot_rdmsr(MSR_AMD64_SEV, &m);

503
	return m.q;

504
}

505


506
void sev_prep_identity_maps(unsigned long top_level_pgt)

507
{

508
	/*

509
	 * The Confidential Computing blob is used very early in uncompressed

510
	 * kernel to find the in-memory CPUID table to handle CPUID

511
	 * instructions. Make sure an identity-mapping exists so it can be

512
	 * accessed after switchover.

513
	 */

514
	if (sev_snp_enabled()) {

515
		unsigned long cc_info_pa = boot_params_ptr->cc_blob_address;

516
		struct cc_blob_sev_info *cc_info;

517


518
		kernel_add_identity_map(cc_info_pa, cc_info_pa + sizeof(*cc_info));

519


520
		cc_info = (struct cc_blob_sev_info *)cc_info_pa;

521
		kernel_add_identity_map(cc_info->cpuid_phys, cc_info->cpuid_phys + cc_info->cpuid_len);

522
	}

523


524
	sev_verify_cbit(top_level_pgt);

525
}

526


527
bool early_is_sevsnp_guest(void)

528
{

529
	static bool sevsnp;

530


531
	if (sevsnp)

532
		return true;

533


534
	if (!(sev_get_status() & MSR_AMD64_SEV_SNP_ENABLED))

535
		return false;

536


537
	sevsnp = true;

538


539
	if (!snp_vmpl) {

540
		unsigned int eax, ebx, ecx, edx;

541


542
		/*

543
		 * CPUID Fn8000_001F_EAX[28] - SVSM support

544
		 */

545
		eax = 0x8000001f;

546
		ecx = 0;

547
		native_cpuid(&eax, &ebx, &ecx, &edx);

548
		if (eax & BIT(28)) {

549
			struct msr m;

550


551
			/* Obtain the address of the calling area to use */

552
			boot_rdmsr(MSR_SVSM_CAA, &m);

553
			boot_svsm_caa = (void *)m.q;

554
			boot_svsm_caa_pa = m.q;

555


556
			/*

557
			 * The real VMPL level cannot be discovered, but the

558
			 * memory acceptance routines make no use of that so

559
			 * any non-zero value suffices here.

560
			 */

561
			snp_vmpl = U8_MAX;

562
		}

563
	}

564
	return true;

565
}

566


567