From: Borislav Petkov <bp@alien8.de>
To: Brijesh Singh <brijesh.singh@amd.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"Gary Hook" <gary.hook@amd.com>,
"Tom Lendacky" <thomas.lendacky@amd.com>,
linux-crypto@vger.kernel.org
Subject: Re: [Part2 PATCH v7 18/38] crypto: ccp: Implement SEV_PEK_CSR ioctl command
Date: Fri, 3 Nov 2017 20:42:09 +0100 [thread overview]
Message-ID: <20171103194209.epitwoakf3c3qlk5@pd.tnic> (raw)
In-Reply-To: <20171101211623.71496-19-brijesh.singh@amd.com>
On Wed, Nov 01, 2017 at 04:16:03PM -0500, Brijesh Singh wrote:
> The SEV_PEK_CSR command can be used to generate a PEK certificate
> signing request. The command is defined in SEV spec section 5.7.
>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: "Radim Krčmář" <rkrcmar@redhat.com>
> Cc: Borislav Petkov <bp@suse.de>
> Cc: Herbert Xu <herbert@gondor.apana.org.au>
> Cc: Gary Hook <gary.hook@amd.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: linux-crypto@vger.kernel.org
> Cc: kvm@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Improvements-by: Borislav Petkov <bp@suse.de>
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> Acked-by: Gary R Hook <gary.hook@amd.com>
> ---
> drivers/crypto/ccp/psp-dev.c | 68 ++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 68 insertions(+)
>
> diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
> index 42991c2e9085..4e2f9d037f0a 100644
> --- a/drivers/crypto/ccp/psp-dev.c
> +++ b/drivers/crypto/ccp/psp-dev.c
> @@ -298,6 +298,71 @@ static int sev_ioctl_do_pek_pdh_gen(int cmd, struct sev_issue_cmd *argp)
> return __sev_do_cmd_locked(cmd, 0, &argp->error);
> }
>
> +static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp)
> +{
> + struct sev_user_data_pek_csr input;
> + struct sev_data_pek_csr *data;
> + void *blob = NULL;
> + int ret;
> +
> + if (copy_from_user(&input, (void __user *)argp->data, sizeof(input)))
> + return -EFAULT;
> +
> + data = kzalloc(sizeof(*data), GFP_KERNEL);
> + if (!data)
> + return -ENOMEM;
> +
> + /* userspace wants to query CSR length */
> + if (!input.address || !input.length)
> + goto cmd;
> +
> + /* allocate a physically contiguous buffer to store the CSR blob */
> + if (!access_ok(VERIFY_WRITE, input.address, input.length) ||
> + input.length > SEV_FW_BLOB_MAX_SIZE) {
> + ret = -EFAULT;
> + goto e_free;
> + }
> +
> + blob = kmalloc(input.length, GFP_KERNEL);
> + if (!blob) {
> + ret = -ENOMEM;
> + goto e_free;
> + }
> +
> + data->address = __psp_pa(blob);
> + data->len = input.length;
> +
> +cmd:
> + if (psp_master->sev_state == SEV_STATE_UNINIT) {
> + ret = __sev_platform_init_locked(psp_master->sev_init, &argp->error);
Right, you're passing psp_master->sev_init (or whatever you're going to
end up calling it) down but then in __sev_platform_init_locked() you end
up doing
if (!data)
data = &psp->cmd_buf;
which looks silly.
IOW, if not really required, __sev_platform_init_locked() could have
only one argument instead:
static int __sev_platform_init_locked(int *error)
unless some later patch needs to pass in a different command buffer. I
guess I need to keep on reviewing...
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
next prev parent reply other threads:[~2017-11-03 19:42 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-01 21:15 [Part2 PATCH v7 00/38] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 01/38] Documentation/virtual/kvm: Add AMD Secure Encrypted Virtualization (SEV) Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 02/38] x86/CPU/AMD: Add the Secure Encrypted Virtualization CPU feature Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 03/38] kvm: svm: prepare for new bit definition in nested_ctl Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 04/38] kvm: svm: Add SEV feature definitions to KVM Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 05/38] KVM: SVM: Prepare to reserve asid for SEV guest Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 06/38] KVM: X86: Extend CPUID range to include new leaf Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 07/38] KVM: Introduce KVM_MEMORY_ENCRYPT_OP ioctl Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 08/38] KVM: Introduce KVM_MEMORY_ENCRYPT_{UN,}REG_REGION ioctl Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 09/38] crypto: ccp: Build the AMD secure processor driver only with AMD CPU support Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 10/38] crypto: ccp: Define SEV userspace ioctl and command id Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 11/38] crypto: ccp: Define SEV key management " Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 12/38] crypto: ccp: Add Platform Security Processor (PSP) device support Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 13/38] crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support Brijesh Singh
2017-11-02 17:10 ` Borislav Petkov
2017-11-02 17:32 ` Brijesh Singh
2017-11-01 21:15 ` [Part2 PATCH v7 14/38] crypto: ccp: Implement SEV_FACTORY_RESET ioctl command Brijesh Singh
2017-11-03 12:42 ` Borislav Petkov
2017-11-01 21:16 ` [Part2 PATCH v7 15/38] crypto: ccp: Implement SEV_PLATFORM_STATUS " Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 16/38] crypto: ccp: Implement SEV_PEK_GEN " Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 17/38] crypto: ccp: Implement SEV_PDH_GEN " Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 18/38] crypto: ccp: Implement SEV_PEK_CSR " Brijesh Singh
2017-11-03 19:42 ` Borislav Petkov [this message]
2017-11-03 20:01 ` Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 19/38] crypto: ccp: Implement SEV_PEK_CERT_IMPORT " Brijesh Singh
2017-11-04 10:22 ` Borislav Petkov
2017-11-01 21:16 ` [Part2 PATCH v7 20/38] crypto: ccp: Implement SEV_PDH_CERT_EXPORT " Brijesh Singh
2017-11-05 11:34 ` Borislav Petkov
2017-11-06 16:16 ` Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 21/38] KVM: X86: Add CONFIG_KVM_AMD_SEV Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 22/38] KVM: SVM: Add sev module_param Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 23/38] KVM: SVM: Reserve ASID range for SEV guest Brijesh Singh
2017-11-06 10:34 ` Borislav Petkov
2017-11-06 16:18 ` Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 24/38] KVM: Define SEV key management command id Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 25/38] KVM: SVM: Add KVM_SEV_INIT command Brijesh Singh
2017-11-06 10:57 ` Borislav Petkov
2017-11-06 16:19 ` Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 26/38] KVM: SVM: VMRUN should use associated ASID when SEV is enabled Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 27/38] KVM: SVM: Add support for KVM_SEV_LAUNCH_START command Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 28/38] KVM: SVM: Add support for KVM_SEV_LAUNCH_UPDATE_DATA command Brijesh Singh
2017-11-01 21:16 ` [Part2 PATCH v7 29/38] KVM: SVM: Add support for KVM_SEV_LAUNCH_MEASURE command Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171103194209.epitwoakf3c3qlk5@pd.tnic \
--to=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=gary.hook@amd.com \
--cc=herbert@gondor.apana.org.au \
--cc=kvm@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=thomas.lendacky@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).