From: Brijesh Singh <brijesh.singh@amd.com>
To: Borislav Petkov <bp@suse.de>
Cc: brijesh.singh@amd.com, "Paolo Bonzini" <pbonzini@redhat.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"Gary Hook" <gary.hook@amd.com>,
"Tom Lendacky" <thomas.lendacky@amd.com>,
linux-crypto@vger.kernel.org, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [Part2 PATCH v5.1 12.5/31] crypto: ccp: Implement SEV_PEK_GEN ioctl command
Date: Thu, 12 Oct 2017 15:11:07 -0500 [thread overview]
Message-ID: <e2a67da0-5442-f9d6-6390-bfbb0a352639@amd.com> (raw)
In-Reply-To: <20171012182844.kjv5zab7o6fwwwdk@pd.tnic>
On 10/12/17 1:28 PM, Borislav Petkov wrote:
> On Fri, Oct 06, 2017 at 08:06:03PM -0500, Brijesh Singh wrote:
>> The SEV_PEK_GEN command is used to generate a new Platform Endorsement
>> Key (PEK). The command is defined in SEV spec section 5.6.
>>
>> Cc: Paolo Bonzini <pbonzini@redhat.com>
>> Cc: "Radim Krčmář" <rkrcmar@redhat.com>
>> Cc: Borislav Petkov <bp@suse.de>
>> Cc: Herbert Xu <herbert@gondor.apana.org.au>
>> Cc: Gary Hook <gary.hook@amd.com>
>> Cc: Tom Lendacky <thomas.lendacky@amd.com>
>> Cc: linux-crypto@vger.kernel.org
>> Cc: kvm@vger.kernel.org
>> Cc: linux-kernel@vger.kernel.org
>> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
>> ---
>> drivers/crypto/ccp/psp-dev.c | 68 ++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 68 insertions(+)
> Just small fixups. Worth noting is this:
>
> if (do_shutdown)
> - sev_handle_cmd(SEV_CMD_SHUTDOWN, 0, NULL);
> + ret = sev_do_cmd(SEV_CMD_SHUTDOWN, 0, NULL);
>
> I think we want to return the result of the *last* command
> executed, which, in the do_shutdown=1 case is SEV_CMD_SHUTDOWN, not
> SEV_CMD_PEK_GEN.
Lets consider this scenario
1- platform is in uninit state, we transition it to INIT
2- PEK_GEN command failed
3- since we have transitioned the platform in INIT state hence we must
call the shutdown otherwise we will leave the system in wrong state. The
shutdown command will most probably succeed and we will look the ret value
> ---
> diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
> index d02f48e356e8..31045ea7e798 100644
> --- a/drivers/crypto/ccp/psp-dev.c
> +++ b/drivers/crypto/ccp/psp-dev.c
> @@ -211,7 +211,7 @@ static int sev_platform_get_state(int *state, int *error)
> if (!data)
> return -ENOMEM;
>
> - ret = sev_handle_cmd(SEV_CMD_PLATFORM_STATUS, data, error);
> + ret = sev_do_cmd(SEV_CMD_PLATFORM_STATUS, data, error);
> if (!ret)
> *state = data->state;
>
> @@ -228,7 +228,7 @@ static int sev_firmware_init(int *error)
> if (!data)
> return -ENOMEM;
>
> - rc = sev_handle_cmd(SEV_CMD_INIT, data, error);
> + rc = sev_do_cmd(SEV_CMD_INIT, data, error);
>
> kfree(data);
> return rc;
> @@ -240,8 +240,8 @@ static int sev_ioctl_pek_gen(struct sev_issue_cmd *argp)
> int ret, state;
>
> /*
> - * PEK_GEN command can be issued only when firmware is in INIT state.
> - * If firmware is in UNINIT state then we transition it in INIT state
> + * The PEK_GEN command can be issued only when the firmware is in INIT
> + * state. If it is in UNINIT state then we transition it in INIT state
> * and issue the command.
> */
> ret = sev_platform_get_state(&state, &argp->error);
> @@ -258,10 +258,10 @@ static int sev_ioctl_pek_gen(struct sev_issue_cmd *argp)
> do_shutdown = 1;
> }
>
> - ret = sev_handle_cmd(SEV_CMD_PEK_GEN, 0, &argp->error);
> + ret = sev_do_cmd(SEV_CMD_PEK_GEN, 0, &argp->error);
>
> if (do_shutdown)
> - sev_handle_cmd(SEV_CMD_SHUTDOWN, 0, NULL);
> + ret = sev_do_cmd(SEV_CMD_SHUTDOWN, 0, NULL);
>
> return ret;
> }
> @@ -291,10 +291,10 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
> ret = sev_ioctl_do_platform_status(&input);
> break;
>
> - case SEV_PEK_GEN: {
> + case SEV_PEK_GEN:
> ret = sev_ioctl_pek_gen(&input);
> break;
> - }
> +
> default:
> ret = -EINVAL;
> goto out;
>
next prev parent reply other threads:[~2017-10-12 20:11 UTC|newest]
Thread overview: 112+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-04 13:13 [Part2 PATCH v5 00/31] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 01/31] Documentation/virtual/kvm: Add AMD Secure Encrypted Virtualization (SEV) Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 02/31] x86/CPU/AMD: Add the Secure Encrypted Virtualization CPU feature Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 03/31] kvm: svm: prepare for new bit definition in nested_ctl Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 04/31] kvm: svm: Add SEV feature definitions to KVM Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 05/31] KVM: SVM: Prepare to reserve asid for SEV guest Brijesh Singh
2017-10-04 14:33 ` Borislav Petkov
2017-10-04 13:13 ` [Part2 PATCH v5 06/31] KVM: X86: Extend CPUID range to include new leaf Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 07/31] KVM: Introduce KVM_MEMORY_ENCRYPT_OP ioctl Brijesh Singh
2017-10-04 14:50 ` Borislav Petkov
2017-10-04 13:13 ` [Part2 PATCH v5 08/31] KVM: Introduce KVM_MEMORY_ENCRYPT_REGISTER_REGION ioctl Brijesh Singh
2017-10-04 15:19 ` Borislav Petkov
2017-10-04 17:18 ` Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 09/31] crypto: ccp: Build the AMD secure processor driver only with AMD CPU support Brijesh Singh
2017-10-04 21:47 ` Borislav Petkov
2017-10-04 23:06 ` Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 10/31] crypto: ccp: Add Platform Security Processor (PSP) device support Brijesh Singh
2017-10-05 9:56 ` Borislav Petkov
2017-10-06 23:09 ` [Part2 PATCH v5.1 " Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 11/31] crypto: ccp: Define SEV key management command id Brijesh Singh
2017-10-05 20:56 ` Borislav Petkov
2017-10-08 21:14 ` Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 12/31] crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support Brijesh Singh
2017-10-06 18:49 ` Borislav Petkov
2017-10-06 19:48 ` Brijesh Singh
2017-10-07 18:13 ` Brijesh Singh
2017-10-07 1:05 ` [Part2 PATCH v5.1 12.1/31] " Brijesh Singh
2017-10-07 1:06 ` [Part2 PATCH v5.1 12.2/31] crypto: ccp: Define SEV userspace ioctl and command id Brijesh Singh
2017-10-07 14:20 ` Borislav Petkov
2017-10-08 21:18 ` Brijesh Singh
2017-10-11 16:46 ` [Part2 PATCH v5.2 12.1/31] " Brijesh Singh
2017-10-12 13:27 ` Borislav Petkov
2017-10-12 14:18 ` Brijesh Singh
2017-10-07 1:06 ` [Part2 PATCH v5.1 12.3/31] crypto: ccp: Implement SEV_FACTORY_RESET ioctl command Brijesh Singh
2017-10-11 14:32 ` Borislav Petkov
2017-10-11 16:55 ` [Part2 PATCH v5.2 " Brijesh Singh
2017-10-12 14:13 ` Borislav Petkov
2017-10-07 1:06 ` [Part2 PATCH v5.1 12.4/31] crypto: ccp: Implement SEV_PLATFORM_STATUS " Brijesh Singh
2017-10-11 17:01 ` [Part2 PATCH v5.2 " Brijesh Singh
2017-10-11 17:02 ` [Part2 PATCH v5.1 " Borislav Petkov
2017-10-11 19:49 ` Brijesh Singh
2017-10-11 20:04 ` Borislav Petkov
2017-10-11 20:10 ` Borislav Petkov
2017-10-11 20:10 ` Brijesh Singh
2017-10-11 20:28 ` Borislav Petkov
2017-10-11 20:45 ` Brijesh Singh
2017-10-11 20:53 ` Brijesh Singh
2017-10-11 20:54 ` Borislav Petkov
2017-10-07 1:06 ` [Part2 PATCH v5.1 12.5/31] crypto: ccp: Implement SEV_PEK_GEN " Brijesh Singh
2017-10-12 18:28 ` Borislav Petkov
2017-10-12 20:11 ` Brijesh Singh [this message]
2017-10-12 20:21 ` Borislav Petkov
2017-10-12 20:34 ` Brijesh Singh
2017-10-07 1:06 ` [Part2 PATCH v5.1 12.6/31] crypto: ccp: Implement SEV_PDH_GEN " Brijesh Singh
2017-10-12 18:48 ` Borislav Petkov
2017-10-12 20:21 ` Brijesh Singh
2017-10-12 20:23 ` Borislav Petkov
2017-10-07 1:06 ` [Part2 PATCH v5.1 12.7/31] crypto: ccp: Implement SEV_PEK_CSR " Brijesh Singh
2017-10-12 19:53 ` Borislav Petkov
2017-10-13 2:24 ` Brijesh Singh
2017-10-13 4:13 ` Brijesh Singh
2017-10-13 10:20 ` Borislav Petkov
2017-10-13 9:14 ` Borislav Petkov
2017-10-07 1:06 ` [Part2 PATCH v5.1 12.8/31] crypto: ccp: Implement SEV_PEK_CERT_IMPORT " Brijesh Singh
2017-10-13 14:53 ` Borislav Petkov
2017-10-13 16:09 ` Brijesh Singh
2017-10-07 1:06 ` [Part2 PATCH v5.1 12.9/31] crypto: ccp: Implement SEV_PDH_CERT_EXPORT " Brijesh Singh
2017-10-13 15:01 ` Borislav Petkov
2017-10-07 18:40 ` [Part2 PATCH v5.1 12.1/31] crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support Borislav Petkov
2017-10-08 13:30 ` Brijesh Singh
2017-10-08 14:00 ` Borislav Petkov
2017-10-09 0:11 ` Brijesh Singh
2017-10-09 15:21 ` Borislav Petkov
2017-10-10 15:00 ` Brijesh Singh
2017-10-10 18:43 ` Tom Lendacky
2017-10-10 20:04 ` Borislav Petkov
2017-10-11 14:19 ` Borislav Petkov
2017-10-11 14:23 ` Brijesh Singh
2017-10-11 16:50 ` [Part2 PATCH v5.2 12.2/31] " Brijesh Singh
2017-10-12 14:08 ` Borislav Petkov
2017-10-12 21:11 ` Brijesh Singh
2017-10-12 21:41 ` Borislav Petkov
2017-10-12 21:52 ` Brijesh Singh
2017-10-12 22:22 ` Borislav Petkov
2017-10-12 18:21 ` Borislav Petkov
2017-10-12 20:05 ` Brijesh Singh
2017-10-04 13:13 ` [Part2 PATCH v5 13/31] KVM: X86: Add CONFIG_KVM_AMD_SEV Brijesh Singh
2017-10-13 16:44 ` Borislav Petkov
2017-10-04 13:13 ` [Part2 PATCH v5 14/31] KVM: SVM: Add sev module_param Brijesh Singh
2017-10-13 16:46 ` Borislav Petkov
2017-10-04 13:13 ` [Part2 PATCH v5 15/31] KVM: SVM: Reserve ASID range for SEV guest Brijesh Singh
2017-10-13 16:58 ` Borislav Petkov
2017-10-04 13:13 ` [Part2 PATCH v5 16/31] KVM: Define SEV key management command id Brijesh Singh
2017-10-13 18:54 ` Borislav Petkov
2017-10-14 10:06 ` Borislav Petkov
2017-10-04 13:13 ` [Part2 PATCH v5 17/31] KVM: SVM: Add KVM_SEV_INIT command Brijesh Singh
2017-10-14 9:21 ` Borislav Petkov
2017-10-04 13:13 ` [Part2 PATCH v5 18/31] KVM: SVM: VMRUN should use assosiated ASID when SEV is enabled Brijesh Singh
2017-10-14 9:27 ` Borislav Petkov
2017-10-04 13:14 ` [Part2 PATCH v5 19/31] KVM: SVM: Add support for KVM_SEV_LAUNCH_START command Brijesh Singh
2017-10-14 10:08 ` Borislav Petkov
2017-10-04 13:14 ` [Part2 PATCH v5 20/31] KVM: SVM: Add support for KVM_SEV_LAUNCH_UPDATE_DATA command Brijesh Singh
2017-10-14 14:59 ` Borislav Petkov
2017-10-04 13:14 ` [Part2 PATCH v5 21/31] KVM: SVM: Add support for KVM_SEV_LAUNCH_MEASURE command Brijesh Singh
2017-10-04 13:14 ` [Part2 PATCH v5 22/31] KVM: SVM: Add support for SEV LAUNCH_FINISH command Brijesh Singh
2017-10-04 13:14 ` [Part2 PATCH v5 23/31] KVM: SVM: Add support for SEV GUEST_STATUS command Brijesh Singh
2017-10-04 13:14 ` [Part2 PATCH v5 24/31] KVM: SVM: Add support for SEV DEBUG_DECRYPT command Brijesh Singh
2017-10-04 13:14 ` [Part2 PATCH v5 25/31] KVM: SVM: Add support for SEV DEBUG_ENCRYPT command Brijesh Singh
2017-10-04 13:14 ` [Part2 PATCH v5 26/31] KVM: SVM: Add support for SEV LAUNCH_SECRET command Brijesh Singh
2017-10-04 13:14 ` [Part2 PATCH v5 27/31] KVM: SVM: Pin guest memory when SEV is active Brijesh Singh
2017-10-04 13:14 ` [Part2 PATCH v5 28/31] KVM: X86: Add memory encryption enabled ops Brijesh Singh
2017-10-04 13:14 ` [Part2 PATCH v5 29/31] KVM: SVM: Clear C-bit from the page fault address Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e2a67da0-5442-f9d6-6390-bfbb0a352639@amd.com \
--to=brijesh.singh@amd.com \
--cc=bp@suse.de \
--cc=gary.hook@amd.com \
--cc=herbert@gondor.apana.org.au \
--cc=kvm@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=thomas.lendacky@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.