From: Brijesh Singh
To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: bp@alien8.de, Brijesh Singh, Paolo Bonzini, Radim Krčmář, Borislav Petkov, Herbert Xu, Gary Hook, Tom Lendacky, linux-crypto@vger.kernel.org
Subject: [Part2 PATCH v7 19/38] crypto: ccp: Implement SEV_PEK_CERT_IMPORT ioctl command
Date: Wed, 1 Nov 2017 16:16:04 -0500
Message-Id: <20171101211623.71496-20-brijesh.singh@amd.com>
In-Reply-To: <20171101211623.71496-1-brijesh.singh@amd.com>
References: <20171101211623.71496-1-brijesh.singh@amd.com>
The SEV_PEK_CERT_IMPORT command can be used to import the signed PEK certificate. The command is defined in SEV spec section 5.8.
Cc: Paolo Bonzini
Cc: "Radim Krčmář"
Cc: Borislav Petkov
Cc: Herbert Xu
Cc: Gary Hook
Cc: Tom Lendacky
Cc: linux-crypto@vger.kernel.org
Cc: kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Improvements-by: Borislav Petkov
Signed-off-by: Brijesh Singh
Acked-by: Gary R Hook
---
 drivers/crypto/ccp/psp-dev.c | 81 ++++++++++++++++++++++++++++++++++++++++++++
 include/linux/psp-sev.h      |  4 +++
 2 files changed, 85 insertions(+)

diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
index 4e2f9d037f0a..2648faf33a19 100644
--- a/drivers/crypto/ccp/psp-dev.c
+++ b/drivers/crypto/ccp/psp-dev.c
@@ -363,6 +363,84 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp) return ret; } +void *psp_copy_user_blob(u64 __user uaddr, u32 len) +{ + void *data; + + if (!uaddr || !len) + return ERR_PTR(-EINVAL); + + /* verify that blob length does not exceed our limit */ + if (len > SEV_FW_BLOB_MAX_SIZE) + return ERR_PTR(-EINVAL); + + data = kmalloc(len, GFP_KERNEL); + if (!data) + return ERR_PTR(-ENOMEM); + + if (copy_from_user(data, (void __user *)(uintptr_t)uaddr, len)) + goto e_free; + + return data; + +e_free: + kfree(data); + return ERR_PTR(-EFAULT); +} +EXPORT_SYMBOL_GPL(psp_copy_user_blob); + +static int sev_ioctl_do_pek_import(struct sev_issue_cmd *argp) +{ + struct sev_user_data_pek_cert_import input; + struct sev_data_pek_cert_import *data; + void *pek_blob, *oca_blob; + int ret; + + if (copy_from_user(&input, (void __user *)argp->data, sizeof(input))) + return -EFAULT; + + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + /* copy PEK certificate blobs from userspace */ + pek_blob = psp_copy_user_blob(input.pek_cert_address, input.pek_cert_len); + if (IS_ERR(pek_blob)) { + ret = PTR_ERR(pek_blob); + goto e_free; + } + + data->pek_cert_address = __psp_pa(pek_blob); + data->pek_cert_len = input.pek_cert_len; + + /* copy PEK certificate blobs from userspace */ + oca_blob = psp_copy_user_blob(input.oca_cert_address, input.oca_cert_len); + if (IS_ERR(oca_blob)) { + ret = PTR_ERR(oca_blob); + goto e_free_pek; + } + + data->oca_cert_address = __psp_pa(oca_blob); + data->oca_cert_len = input.oca_cert_len; + + /* If platform is not in INIT state then transition it to INIT */ + if (psp_master->sev_state != SEV_STATE_INIT) { + ret = __sev_platform_init_locked(psp_master->sev_init, &argp->error); + if (ret) + goto e_free_oca; + } + + ret = __sev_do_cmd_locked(SEV_CMD_PEK_CERT_IMPORT, data, &argp->error); + +e_free_oca: + kfree(oca_blob); +e_free_pek: + kfree(pek_blob); +e_free: + kfree(data); + return ret; +} + static long 
sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) { void __user *argp = (void __user *)arg; @@ -400,6 +478,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) case SEV_PEK_CSR: ret = sev_ioctl_do_pek_csr(&input); break; + case SEV_PEK_CERT_IMPORT: + ret = sev_ioctl_do_pek_import(&input); + break; default: ret = -EINVAL; goto out; diff --git a/include/linux/psp-sev.h b/include/linux/psp-sev.h index fb563248d9a9..a65d96dea77b 100644 --- a/include/linux/psp-sev.h +++ b/include/linux/psp-sev.h @@ -606,6 +606,8 @@ int sev_guest_df_flush(int *error); */ int sev_guest_decommission(struct sev_data_decommission *data, int *error); +void *psp_copy_user_blob(u64 __user uaddr, u32 len); + #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ static inline int @@ -632,6 +634,8 @@ sev_issue_cmd_external_user(struct file *filep, return -ENODEV; } +static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); } + #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ #endif /* __PSP_SEV_H__ */ -- 2.9.5
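Review bot: In the first psp-dev.c hunk, the comment above the OCA copy in sev_ioctl_do_pek_import() is a copy-paste of the one above the PEK copy (`/* copy PEK certificate blobs from userspace */` appears twice) and should read `/* copy OCA certificate blob from userspace */`. In psp_copy_user_blob() the `__user` annotation in `u64 __user uaddr` is attached to an integer rather than a pointer, so sparse cannot check it; the address space is only meaningful at the `(void __user *)(uintptr_t)uaddr` cast passed to copy_from_user(). The `len > SEV_FW_BLOB_MAX_SIZE` check before kmalloc() is the right place to cap a user-controlled allocation size, but SEV_FW_BLOB_MAX_SIZE is not defined anywhere in this patch, so the commit message should say where it is introduced.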
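Review bot: In the first psp-sev.h hunk, the new psp_copy_user_blob() declaration is added with no kernel-doc block, although it sits directly after a `*/`-terminated doc comment for sev_guest_decommission() and the function is exported with EXPORT_SYMBOL_GPL for use outside this driver. A short comment stating that the caller must check the result with IS_ERR() and owns the returned buffer (kfree() on success) would document the contract the callers in sev_ioctl_do_pek_import() rely on.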
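Review bot: In the second psp-sev.h hunk, the !CONFIG_CRYPTO_DEV_SP_PSP stub returns ERR_PTR(-EINVAL), whereas the neighbouring stub in the same block reports the absent driver with `return -ENODEV;` (visible in the context line above the insertion); returning ERR_PTR(-ENODEV) would keep the stubs consistent and let callers tell "PSP support not built" apart from the bad-argument case the real implementation reports as -EINVAL. The single-line `{ return ERR_PTR(-EINVAL); }` body should also be expanded to the multi-line form the other `static inline` stubs in this block use.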