search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WIP FPC-III support
[linux/fpc-iii.git] / arch / x86 / kernel / sev-es-shared.c
blobcdc04d09124233d0c90c3def9a2dc6fcaadaade9
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * AMD Encrypted Register State Support
4 *
5 * Author: Joerg Roedel <jroedel@suse.de>
6 *
7 * This file is not compiled stand-alone. It contains code shared
8 * between the pre-decompression boot code and the running Linux kernel
9 * and is included directly into both code-bases.
10 */
11
12 #ifndef __BOOT_COMPRESSED
13 #define error(v) pr_err(v)
14 #define has_cpuflag(f) boot_cpu_has(f)
15 #endif
16
17 static bool __init sev_es_check_cpu_features(void)
18 {
19 if (!has_cpuflag(X86_FEATURE_RDRAND)) {
20 error("RDRAND instruction not supported - no trusted source of randomness available\n");
21 return false;
22 }
23
24 return true;
25 }
26
27 static void sev_es_terminate(unsigned int reason)
28 {
29 u64 val = GHCB_SEV_TERMINATE;
30
31 /*
32 * Tell the hypervisor what went wrong - only reason-set 0 is
33 * currently supported.
34 */
35 val |= GHCB_SEV_TERMINATE_REASON(0, reason);
36
37 /* Request Guest Termination from Hypvervisor */
38 sev_es_wr_ghcb_msr(val);
39 VMGEXIT();
40
41 while (true)
42 asm volatile("hlt\n" : : : "memory");
43 }
44
45 static bool sev_es_negotiate_protocol(void)
46 {
47 u64 val;
48
49 /* Do the GHCB protocol version negotiation */
50 sev_es_wr_ghcb_msr(GHCB_SEV_INFO_REQ);
51 VMGEXIT();
52 val = sev_es_rd_ghcb_msr();
53
54 if (GHCB_INFO(val) != GHCB_SEV_INFO)
55 return false;
56
57 if (GHCB_PROTO_MAX(val) < GHCB_PROTO_OUR ||
58 GHCB_PROTO_MIN(val) > GHCB_PROTO_OUR)
59 return false;
60
61 return true;
62 }
63
64 static __always_inline void vc_ghcb_invalidate(struct ghcb *ghcb)
65 {
66 memset(ghcb->save.valid_bitmap, 0, sizeof(ghcb->save.valid_bitmap));
67 }
68
69 static bool vc_decoding_needed(unsigned long exit_code)
70 {
71 /* Exceptions don't require to decode the instruction */
72 return !(exit_code >= SVM_EXIT_EXCP_BASE &&
73 exit_code <= SVM_EXIT_LAST_EXCP);
74 }
75
76 static enum es_result vc_init_em_ctxt(struct es_em_ctxt *ctxt,
77 struct pt_regs *regs,
78 unsigned long exit_code)
79 {
80 enum es_result ret = ES_OK;
81
82 memset(ctxt, 0, sizeof(*ctxt));
83 ctxt->regs = regs;
84
85 if (vc_decoding_needed(exit_code))
86 ret = vc_decode_insn(ctxt);
87
88 return ret;
89 }
90
91 static void vc_finish_insn(struct es_em_ctxt *ctxt)
92 {
93 ctxt->regs->ip += ctxt->insn.length;
94 }
95
96 static enum es_result sev_es_ghcb_hv_call(struct ghcb *ghcb,
97 struct es_em_ctxt *ctxt,
98 u64 exit_code, u64 exit_info_1,
99 u64 exit_info_2)
100 {
101 enum es_result ret;
102
103 /* Fill in protocol and format specifiers */
104 ghcb->protocol_version = GHCB_PROTOCOL_MAX;
105 ghcb->ghcb_usage = GHCB_DEFAULT_USAGE;
106
107 ghcb_set_sw_exit_code(ghcb, exit_code);
108 ghcb_set_sw_exit_info_1(ghcb, exit_info_1);
109 ghcb_set_sw_exit_info_2(ghcb, exit_info_2);
110
111 sev_es_wr_ghcb_msr(__pa(ghcb));
112 VMGEXIT();
113
114 if ((ghcb->save.sw_exit_info_1 & 0xffffffff) == 1) {
115 u64 info = ghcb->save.sw_exit_info_2;
116 unsigned long v;
117
118 info = ghcb->save.sw_exit_info_2;
119 v = info & SVM_EVTINJ_VEC_MASK;
120
121 /* Check if exception information from hypervisor is sane. */
122 if ((info & SVM_EVTINJ_VALID) &&
123 ((v == X86_TRAP_GP) || (v == X86_TRAP_UD)) &&
124 ((info & SVM_EVTINJ_TYPE_MASK) == SVM_EVTINJ_TYPE_EXEPT)) {
125 ctxt->fi.vector = v;
126 if (info & SVM_EVTINJ_VALID_ERR)
127 ctxt->fi.error_code = info >> 32;
128 ret = ES_EXCEPTION;
129 } else {
130 ret = ES_VMM_ERROR;
131 }
132 } else {
133 ret = ES_OK;
134 }
135
136 return ret;
137 }
138
139 /*
140 * Boot VC Handler - This is the first VC handler during boot, there is no GHCB
141 * page yet, so it only supports the MSR based communication with the
142 * hypervisor and only the CPUID exit-code.
143 */
144 void __init do_vc_no_ghcb(struct pt_regs *regs, unsigned long exit_code)
145 {
146 unsigned int fn = lower_bits(regs->ax, 32);
147 unsigned long val;
148
149 /* Only CPUID is supported via MSR protocol */
150 if (exit_code != SVM_EXIT_CPUID)
151 goto fail;
152
153 sev_es_wr_ghcb_msr(GHCB_CPUID_REQ(fn, GHCB_CPUID_REQ_EAX));
154 VMGEXIT();
155 val = sev_es_rd_ghcb_msr();
156 if (GHCB_SEV_GHCB_RESP_CODE(val) != GHCB_SEV_CPUID_RESP)
157 goto fail;
158 regs->ax = val >> 32;
159
160 sev_es_wr_ghcb_msr(GHCB_CPUID_REQ(fn, GHCB_CPUID_REQ_EBX));
161 VMGEXIT();
162 val = sev_es_rd_ghcb_msr();
163 if (GHCB_SEV_GHCB_RESP_CODE(val) != GHCB_SEV_CPUID_RESP)
164 goto fail;
165 regs->bx = val >> 32;
166
167 sev_es_wr_ghcb_msr(GHCB_CPUID_REQ(fn, GHCB_CPUID_REQ_ECX));
168 VMGEXIT();
169 val = sev_es_rd_ghcb_msr();
170 if (GHCB_SEV_GHCB_RESP_CODE(val) != GHCB_SEV_CPUID_RESP)
171 goto fail;
172 regs->cx = val >> 32;
173
174 sev_es_wr_ghcb_msr(GHCB_CPUID_REQ(fn, GHCB_CPUID_REQ_EDX));
175 VMGEXIT();
176 val = sev_es_rd_ghcb_msr();
177 if (GHCB_SEV_GHCB_RESP_CODE(val) != GHCB_SEV_CPUID_RESP)
178 goto fail;
179 regs->dx = val >> 32;
180
181 /*
182 * This is a VC handler and the #VC is only raised when SEV-ES is
183 * active, which means SEV must be active too. Do sanity checks on the
184 * CPUID results to make sure the hypervisor does not trick the kernel
185 * into the no-sev path. This could map sensitive data unencrypted and
186 * make it accessible to the hypervisor.
187 *
188 * In particular, check for:
189 * - Hypervisor CPUID bit
190 * - Availability of CPUID leaf 0x8000001f
191 * - SEV CPUID bit.
192 *
193 * The hypervisor might still report the wrong C-bit position, but this
194 * can't be checked here.
195 */
196
197 if ((fn == 1 && !(regs->cx & BIT(31))))
198 /* Hypervisor bit */
199 goto fail;
200 else if (fn == 0x80000000 && (regs->ax < 0x8000001f))
201 /* SEV leaf check */
202 goto fail;
203 else if ((fn == 0x8000001f && !(regs->ax & BIT(1))))
204 /* SEV bit */
205 goto fail;
206
207 /* Skip over the CPUID two-byte opcode */
208 regs->ip += 2;
209
210 return;
211
212 fail:
213 sev_es_wr_ghcb_msr(GHCB_SEV_TERMINATE);
214 VMGEXIT();
215
216 /* Shouldn't get here - if we do halt the machine */
217 while (true)
218 asm volatile("hlt\n");
219 }
220
221 static enum es_result vc_insn_string_read(struct es_em_ctxt *ctxt,
222 void *src, char *buf,
223 unsigned int data_size,
224 unsigned int count,
225 bool backwards)
226 {
227 int i, b = backwards ? -1 : 1;
228 enum es_result ret = ES_OK;
229
230 for (i = 0; i < count; i++) {
231 void *s = src + (i * data_size * b);
232 char *d = buf + (i * data_size);
233
234 ret = vc_read_mem(ctxt, s, d, data_size);
235 if (ret != ES_OK)
236 break;
237 }
238
239 return ret;
240 }
241
242 static enum es_result vc_insn_string_write(struct es_em_ctxt *ctxt,
243 void *dst, char *buf,
244 unsigned int data_size,
245 unsigned int count,
246 bool backwards)
247 {
248 int i, s = backwards ? -1 : 1;
249 enum es_result ret = ES_OK;
250
251 for (i = 0; i < count; i++) {
252 void *d = dst + (i * data_size * s);
253 char *b = buf + (i * data_size);
254
255 ret = vc_write_mem(ctxt, d, b, data_size);
256 if (ret != ES_OK)
257 break;
258 }
259
260 return ret;
261 }
262
263 #define IOIO_TYPE_STR BIT(2)
264 #define IOIO_TYPE_IN 1
265 #define IOIO_TYPE_INS (IOIO_TYPE_IN | IOIO_TYPE_STR)
266 #define IOIO_TYPE_OUT 0
267 #define IOIO_TYPE_OUTS (IOIO_TYPE_OUT | IOIO_TYPE_STR)
268
269 #define IOIO_REP BIT(3)
270
271 #define IOIO_ADDR_64 BIT(9)
272 #define IOIO_ADDR_32 BIT(8)
273 #define IOIO_ADDR_16 BIT(7)
274
275 #define IOIO_DATA_32 BIT(6)
276 #define IOIO_DATA_16 BIT(5)
277 #define IOIO_DATA_8 BIT(4)
278
279 #define IOIO_SEG_ES (0 << 10)
280 #define IOIO_SEG_DS (3 << 10)
281
282 static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo)
283 {
284 struct insn *insn = &ctxt->insn;
285 *exitinfo = 0;
286
287 switch (insn->opcode.bytes[0]) {
288 /* INS opcodes */
289 case 0x6c:
290 case 0x6d:
291 *exitinfo |= IOIO_TYPE_INS;
292 *exitinfo |= IOIO_SEG_ES;
293 *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
294 break;
295
296 /* OUTS opcodes */
297 case 0x6e:
298 case 0x6f:
299 *exitinfo |= IOIO_TYPE_OUTS;
300 *exitinfo |= IOIO_SEG_DS;
301 *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
302 break;
303
304 /* IN immediate opcodes */
305 case 0xe4:
306 case 0xe5:
307 *exitinfo |= IOIO_TYPE_IN;
308 *exitinfo |= (u8)insn->immediate.value << 16;
309 break;
310
311 /* OUT immediate opcodes */
312 case 0xe6:
313 case 0xe7:
314 *exitinfo |= IOIO_TYPE_OUT;
315 *exitinfo |= (u8)insn->immediate.value << 16;
316 break;
317
318 /* IN register opcodes */
319 case 0xec:
320 case 0xed:
321 *exitinfo |= IOIO_TYPE_IN;
322 *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
323 break;
324
325 /* OUT register opcodes */
326 case 0xee:
327 case 0xef:
328 *exitinfo |= IOIO_TYPE_OUT;
329 *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
330 break;
331
332 default:
333 return ES_DECODE_FAILED;
334 }
335
336 switch (insn->opcode.bytes[0]) {
337 case 0x6c:
338 case 0x6e:
339 case 0xe4:
340 case 0xe6:
341 case 0xec:
342 case 0xee:
343 /* Single byte opcodes */
344 *exitinfo |= IOIO_DATA_8;
345 break;
346 default:
347 /* Length determined by instruction parsing */
348 *exitinfo |= (insn->opnd_bytes == 2) ? IOIO_DATA_16
349 : IOIO_DATA_32;
350 }
351 switch (insn->addr_bytes) {
352 case 2:
353 *exitinfo |= IOIO_ADDR_16;
354 break;
355 case 4:
356 *exitinfo |= IOIO_ADDR_32;
357 break;
358 case 8:
359 *exitinfo |= IOIO_ADDR_64;
360 break;
361 }
362
363 if (insn_has_rep_prefix(insn))
364 *exitinfo |= IOIO_REP;
365
366 return ES_OK;
367 }
368
369 static enum es_result vc_handle_ioio(struct ghcb *ghcb, struct es_em_ctxt *ctxt)
370 {
371 struct pt_regs *regs = ctxt->regs;
372 u64 exit_info_1, exit_info_2;
373 enum es_result ret;
374
375 ret = vc_ioio_exitinfo(ctxt, &exit_info_1);
376 if (ret != ES_OK)
377 return ret;
378
379 if (exit_info_1 & IOIO_TYPE_STR) {
380
381 /* (REP) INS/OUTS */
382
383 bool df = ((regs->flags & X86_EFLAGS_DF) == X86_EFLAGS_DF);
384 unsigned int io_bytes, exit_bytes;
385 unsigned int ghcb_count, op_count;
386 unsigned long es_base;
387 u64 sw_scratch;
388
389 /*
390 * For the string variants with rep prefix the amount of in/out
391 * operations per #VC exception is limited so that the kernel
392 * has a chance to take interrupts and re-schedule while the
393 * instruction is emulated.
394 */
395 io_bytes = (exit_info_1 >> 4) & 0x7;
396 ghcb_count = sizeof(ghcb->shared_buffer) / io_bytes;
397
398 op_count = (exit_info_1 & IOIO_REP) ? regs->cx : 1;
399 exit_info_2 = min(op_count, ghcb_count);
400 exit_bytes = exit_info_2 * io_bytes;
401
402 es_base = insn_get_seg_base(ctxt->regs, INAT_SEG_REG_ES);
403
404 /* Read bytes of OUTS into the shared buffer */
405 if (!(exit_info_1 & IOIO_TYPE_IN)) {
406 ret = vc_insn_string_read(ctxt,
407 (void *)(es_base + regs->si),
408 ghcb->shared_buffer, io_bytes,
409 exit_info_2, df);
410 if (ret)
411 return ret;
412 }
413
414 /*
415 * Issue an VMGEXIT to the HV to consume the bytes from the
416 * shared buffer or to have it write them into the shared buffer
417 * depending on the instruction: OUTS or INS.
418 */
419 sw_scratch = __pa(ghcb) + offsetof(struct ghcb, shared_buffer);
420 ghcb_set_sw_scratch(ghcb, sw_scratch);
421 ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO,
422 exit_info_1, exit_info_2);
423 if (ret != ES_OK)
424 return ret;
425
426 /* Read bytes from shared buffer into the guest's destination. */
427 if (exit_info_1 & IOIO_TYPE_IN) {
428 ret = vc_insn_string_write(ctxt,
429 (void *)(es_base + regs->di),
430 ghcb->shared_buffer, io_bytes,
431 exit_info_2, df);
432 if (ret)
433 return ret;
434
435 if (df)
436 regs->di -= exit_bytes;
437 else
438 regs->di += exit_bytes;
439 } else {
440 if (df)
441 regs->si -= exit_bytes;
442 else
443 regs->si += exit_bytes;
444 }
445
446 if (exit_info_1 & IOIO_REP)
447 regs->cx -= exit_info_2;
448
449 ret = regs->cx ? ES_RETRY : ES_OK;
450
451 } else {
452
453 /* IN/OUT into/from rAX */
454
455 int bits = (exit_info_1 & 0x70) >> 1;
456 u64 rax = 0;
457
458 if (!(exit_info_1 & IOIO_TYPE_IN))
459 rax = lower_bits(regs->ax, bits);
460
461 ghcb_set_rax(ghcb, rax);
462
463 ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_IOIO, exit_info_1, 0);
464 if (ret != ES_OK)
465 return ret;
466
467 if (exit_info_1 & IOIO_TYPE_IN) {
468 if (!ghcb_rax_is_valid(ghcb))
469 return ES_VMM_ERROR;
470 regs->ax = lower_bits(ghcb->save.rax, bits);
471 }
472 }
473
474 return ret;
475 }
476
477 static enum es_result vc_handle_cpuid(struct ghcb *ghcb,
478 struct es_em_ctxt *ctxt)
479 {
480 struct pt_regs *regs = ctxt->regs;
481 u32 cr4 = native_read_cr4();
482 enum es_result ret;
483
484 ghcb_set_rax(ghcb, regs->ax);
485 ghcb_set_rcx(ghcb, regs->cx);
486
487 if (cr4 & X86_CR4_OSXSAVE)
488 /* Safe to read xcr0 */
489 ghcb_set_xcr0(ghcb, xgetbv(XCR_XFEATURE_ENABLED_MASK));
490 else
491 /* xgetbv will cause #GP - use reset value for xcr0 */
492 ghcb_set_xcr0(ghcb, 1);
493
494 ret = sev_es_ghcb_hv_call(ghcb, ctxt, SVM_EXIT_CPUID, 0, 0);
495 if (ret != ES_OK)
496 return ret;
497
498 if (!(ghcb_rax_is_valid(ghcb) &&
499 ghcb_rbx_is_valid(ghcb) &&
500 ghcb_rcx_is_valid(ghcb) &&
501 ghcb_rdx_is_valid(ghcb)))
502 return ES_VMM_ERROR;
503
504 regs->ax = ghcb->save.rax;
505 regs->bx = ghcb->save.rbx;
506 regs->cx = ghcb->save.rcx;
507 regs->dx = ghcb->save.rdx;
508
509 return ES_OK;
510 }
511
512 static enum es_result vc_handle_rdtsc(struct ghcb *ghcb,
513 struct es_em_ctxt *ctxt,
514 unsigned long exit_code)
515 {
516 bool rdtscp = (exit_code == SVM_EXIT_RDTSCP);
517 enum es_result ret;
518
519 ret = sev_es_ghcb_hv_call(ghcb, ctxt, exit_code, 0, 0);
520 if (ret != ES_OK)
521 return ret;
522
523 if (!(ghcb_rax_is_valid(ghcb) && ghcb_rdx_is_valid(ghcb) &&
524 (!rdtscp || ghcb_rcx_is_valid(ghcb))))
525 return ES_VMM_ERROR;
526
527 ctxt->regs->ax = ghcb->save.rax;
528 ctxt->regs->dx = ghcb->save.rdx;
529 if (rdtscp)
530 ctxt->regs->cx = ghcb->save.rcx;
531
532 return ES_OK;
533 }
Linux with added FPC-III support