1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * AMD Secure Encrypted Virtualization (SEV) interface
4
 *
5
 * Copyright (C) 2016,2019 Advanced Micro Devices, Inc.
6
 *
7
 * Author: Brijesh Singh <[email protected]>
8
 */
9

10
#include <linux/bitfield.h>
11
#include <linux/module.h>
12
#include <linux/kernel.h>
13
#include <linux/kthread.h>
14
#include <linux/sched.h>
15
#include <linux/interrupt.h>
16
#include <linux/spinlock.h>
17
#include <linux/spinlock_types.h>
18
#include <linux/types.h>
19
#include <linux/mutex.h>
20
#include <linux/delay.h>
21
#include <linux/hw_random.h>
22
#include <linux/ccp.h>
23
#include <linux/firmware.h>
24
#include <linux/panic_notifier.h>
25
#include <linux/gfp.h>
26
#include <linux/cpufeature.h>
27
#include <linux/fs.h>
28
#include <linux/fs_struct.h>
29
#include <linux/psp.h>
30
#include <linux/amd-iommu.h>
31
#include <linux/crash_dump.h>
32

33
#include <asm/smp.h>
34
#include <asm/cacheflush.h>
35
#include <asm/e820/types.h>
36
#include <asm/sev.h>
37
#include <asm/msr.h>
38

39
#include "psp-dev.h"
40
#include "sev-dev.h"
41

42
#define DEVICE_NAME		"sev"
43
#define SEV_FW_FILE		"amd/sev.fw"
44
#define SEV_FW_NAME_SIZE	64
45

46
/* Minimum firmware version required for the SEV-SNP support */
47
#define SNP_MIN_API_MAJOR	1
48
#define SNP_MIN_API_MINOR	51
49

50
/*
51
 * Maximum number of firmware-writable buffers that might be specified
52
 * in the parameters of a legacy SEV command buffer.
53
 */
54
#define CMD_BUF_FW_WRITABLE_MAX 2
55

56
/* Leave room in the descriptor array for an end-of-list indicator. */
57
#define CMD_BUF_DESC_MAX (CMD_BUF_FW_WRITABLE_MAX + 1)
58

59
static DEFINE_MUTEX(sev_cmd_mutex);
60
static struct sev_misc_dev *misc_dev;
61

62
static int psp_cmd_timeout = 100;
63
module_param(psp_cmd_timeout, int, 0644);
64
MODULE_PARM_DESC(psp_cmd_timeout, " default timeout value, in seconds, for PSP commands");
65

66
static int psp_probe_timeout = 5;
67
module_param(psp_probe_timeout, int, 0644);
68
MODULE_PARM_DESC(psp_probe_timeout, " default timeout value, in seconds, during PSP device probe");
69

70
static char *init_ex_path;
71
module_param(init_ex_path, charp, 0444);
72
MODULE_PARM_DESC(init_ex_path, " Path for INIT_EX data; if set try INIT_EX");
73

74
static bool psp_init_on_probe = true;
75
module_param(psp_init_on_probe, bool, 0444);
76
MODULE_PARM_DESC(psp_init_on_probe, "  if true, the PSP will be initialized on module init. Else the PSP will be initialized on the first command requiring it");
77

78
MODULE_FIRMWARE("amd/amd_sev_fam17h_model0xh.sbin"); /* 1st gen EPYC */
79
MODULE_FIRMWARE("amd/amd_sev_fam17h_model3xh.sbin"); /* 2nd gen EPYC */
80
MODULE_FIRMWARE("amd/amd_sev_fam19h_model0xh.sbin"); /* 3rd gen EPYC */
81
MODULE_FIRMWARE("amd/amd_sev_fam19h_model1xh.sbin"); /* 4th gen EPYC */
82

83
static bool psp_dead;
84
static int psp_timeout;
85

86
enum snp_hv_fixed_pages_state {
87
	ALLOCATED,
88
	HV_FIXED,
89
};
90

91
struct snp_hv_fixed_pages_entry {
92
	struct list_head list;
93
	struct page *page;
94
	unsigned int order;
95
	bool free;
96
	enum snp_hv_fixed_pages_state page_state;
97
};
98

99
static LIST_HEAD(snp_hv_fixed_pages);
100

101
/* Trusted Memory Region (TMR):
102
 *   The TMR is a 1MB area that must be 1MB aligned.  Use the page allocator
103
 *   to allocate the memory, which will return aligned memory for the specified
104
 *   allocation order.
105
 *
106
 * When SEV-SNP is enabled the TMR needs to be 2MB aligned and 2MB sized.
107
 */
108
#define SEV_TMR_SIZE		(1024 * 1024)
109
#define SNP_TMR_SIZE		(2 * 1024 * 1024)
110

111
static void *sev_es_tmr;
112
static size_t sev_es_tmr_size = SEV_TMR_SIZE;
113

114
/* INIT_EX NV Storage:
115
 *   The NV Storage is a 32Kb area and must be 4Kb page aligned.  Use the page
116
 *   allocator to allocate the memory, which will return aligned memory for the
117
 *   specified allocation order.
118
 */
119
#define NV_LENGTH (32 * 1024)
120
static void *sev_init_ex_buffer;
121

122
/*
123
 * SEV_DATA_RANGE_LIST:
124
 *   Array containing range of pages that firmware transitions to HV-fixed
125
 *   page state.
126
 */
127
static struct sev_data_range_list *snp_range_list;
128

129
static void __sev_firmware_shutdown(struct sev_device *sev, bool panic);
130

131
static int snp_shutdown_on_panic(struct notifier_block *nb,
132
				 unsigned long reason, void *arg);
133

134
static struct notifier_block snp_panic_notifier = {
135
	.notifier_call = snp_shutdown_on_panic,
136
};
137

138
static inline bool sev_version_greater_or_equal(u8 maj, u8 min)
139
{
140
	struct sev_device *sev = psp_master->sev_data;
141

142
	if (sev->api_major > maj)
143
		return true;
144

145
	if (sev->api_major == maj && sev->api_minor >= min)
146
		return true;
147

148
	return false;
149
}
150

151
static void sev_irq_handler(int irq, void *data, unsigned int status)
152
{
153
	struct sev_device *sev = data;
154
	int reg;
155

156
	/* Check if it is command completion: */
157
	if (!(status & SEV_CMD_COMPLETE))
158
		return;
159

160
	/* Check if it is SEV command completion: */
161
	reg = ioread32(sev->io_regs + sev->vdata->cmdresp_reg);
162
	if (FIELD_GET(PSP_CMDRESP_RESP, reg)) {
163
		sev->int_rcvd = 1;
164
		wake_up(&sev->int_queue);
165
	}
166
}
167

168
static int sev_wait_cmd_ioc(struct sev_device *sev,
169
			    unsigned int *reg, unsigned int timeout)
170
{
171
	int ret;
172

173
	/*
174
	 * If invoked during panic handling, local interrupts are disabled,
175
	 * so the PSP command completion interrupt can't be used. Poll for
176
	 * PSP command completion instead.
177
	 */
178
	if (irqs_disabled()) {
179
		unsigned long timeout_usecs = (timeout * USEC_PER_SEC) / 10;
180

181
		/* Poll for SEV command completion: */
182
		while (timeout_usecs--) {
183
			*reg = ioread32(sev->io_regs + sev->vdata->cmdresp_reg);
184
			if (*reg & PSP_CMDRESP_RESP)
185
				return 0;
186

187
			udelay(10);
188
		}
189
		return -ETIMEDOUT;
190
	}
191

192
	ret = wait_event_timeout(sev->int_queue,
193
			sev->int_rcvd, timeout * HZ);
194
	if (!ret)
195
		return -ETIMEDOUT;
196

197
	*reg = ioread32(sev->io_regs + sev->vdata->cmdresp_reg);
198

199
	return 0;
200
}
201

202
static int sev_cmd_buffer_len(int cmd)
203
{
204
	switch (cmd) {
205
	case SEV_CMD_INIT:			return sizeof(struct sev_data_init);
206
	case SEV_CMD_INIT_EX:                   return sizeof(struct sev_data_init_ex);
207
	case SEV_CMD_SNP_SHUTDOWN_EX:		return sizeof(struct sev_data_snp_shutdown_ex);
208
	case SEV_CMD_SNP_INIT_EX:		return sizeof(struct sev_data_snp_init_ex);
209
	case SEV_CMD_PLATFORM_STATUS:		return sizeof(struct sev_user_data_status);
210
	case SEV_CMD_PEK_CSR:			return sizeof(struct sev_data_pek_csr);
211
	case SEV_CMD_PEK_CERT_IMPORT:		return sizeof(struct sev_data_pek_cert_import);
212
	case SEV_CMD_PDH_CERT_EXPORT:		return sizeof(struct sev_data_pdh_cert_export);
213
	case SEV_CMD_LAUNCH_START:		return sizeof(struct sev_data_launch_start);
214
	case SEV_CMD_LAUNCH_UPDATE_DATA:	return sizeof(struct sev_data_launch_update_data);
215
	case SEV_CMD_LAUNCH_UPDATE_VMSA:	return sizeof(struct sev_data_launch_update_vmsa);
216
	case SEV_CMD_LAUNCH_FINISH:		return sizeof(struct sev_data_launch_finish);
217
	case SEV_CMD_LAUNCH_MEASURE:		return sizeof(struct sev_data_launch_measure);
218
	case SEV_CMD_ACTIVATE:			return sizeof(struct sev_data_activate);
219
	case SEV_CMD_DEACTIVATE:		return sizeof(struct sev_data_deactivate);
220
	case SEV_CMD_DECOMMISSION:		return sizeof(struct sev_data_decommission);
221
	case SEV_CMD_GUEST_STATUS:		return sizeof(struct sev_data_guest_status);
222
	case SEV_CMD_DBG_DECRYPT:		return sizeof(struct sev_data_dbg);
223
	case SEV_CMD_DBG_ENCRYPT:		return sizeof(struct sev_data_dbg);
224
	case SEV_CMD_SEND_START:		return sizeof(struct sev_data_send_start);
225
	case SEV_CMD_SEND_UPDATE_DATA:		return sizeof(struct sev_data_send_update_data);
226
	case SEV_CMD_SEND_UPDATE_VMSA:		return sizeof(struct sev_data_send_update_vmsa);
227
	case SEV_CMD_SEND_FINISH:		return sizeof(struct sev_data_send_finish);
228
	case SEV_CMD_RECEIVE_START:		return sizeof(struct sev_data_receive_start);
229
	case SEV_CMD_RECEIVE_FINISH:		return sizeof(struct sev_data_receive_finish);
230
	case SEV_CMD_RECEIVE_UPDATE_DATA:	return sizeof(struct sev_data_receive_update_data);
231
	case SEV_CMD_RECEIVE_UPDATE_VMSA:	return sizeof(struct sev_data_receive_update_vmsa);
232
	case SEV_CMD_LAUNCH_UPDATE_SECRET:	return sizeof(struct sev_data_launch_secret);
233
	case SEV_CMD_DOWNLOAD_FIRMWARE:		return sizeof(struct sev_data_download_firmware);
234
	case SEV_CMD_GET_ID:			return sizeof(struct sev_data_get_id);
235
	case SEV_CMD_ATTESTATION_REPORT:	return sizeof(struct sev_data_attestation_report);
236
	case SEV_CMD_SEND_CANCEL:		return sizeof(struct sev_data_send_cancel);
237
	case SEV_CMD_SNP_GCTX_CREATE:		return sizeof(struct sev_data_snp_addr);
238
	case SEV_CMD_SNP_LAUNCH_START:		return sizeof(struct sev_data_snp_launch_start);
239
	case SEV_CMD_SNP_LAUNCH_UPDATE:		return sizeof(struct sev_data_snp_launch_update);
240
	case SEV_CMD_SNP_ACTIVATE:		return sizeof(struct sev_data_snp_activate);
241
	case SEV_CMD_SNP_DECOMMISSION:		return sizeof(struct sev_data_snp_addr);
242
	case SEV_CMD_SNP_PAGE_RECLAIM:		return sizeof(struct sev_data_snp_page_reclaim);
243
	case SEV_CMD_SNP_GUEST_STATUS:		return sizeof(struct sev_data_snp_guest_status);
244
	case SEV_CMD_SNP_LAUNCH_FINISH:		return sizeof(struct sev_data_snp_launch_finish);
245
	case SEV_CMD_SNP_DBG_DECRYPT:		return sizeof(struct sev_data_snp_dbg);
246
	case SEV_CMD_SNP_DBG_ENCRYPT:		return sizeof(struct sev_data_snp_dbg);
247
	case SEV_CMD_SNP_PAGE_UNSMASH:		return sizeof(struct sev_data_snp_page_unsmash);
248
	case SEV_CMD_SNP_PLATFORM_STATUS:	return sizeof(struct sev_data_snp_addr);
249
	case SEV_CMD_SNP_GUEST_REQUEST:		return sizeof(struct sev_data_snp_guest_request);
250
	case SEV_CMD_SNP_CONFIG:		return sizeof(struct sev_user_data_snp_config);
251
	case SEV_CMD_SNP_COMMIT:		return sizeof(struct sev_data_snp_commit);
252
	case SEV_CMD_SNP_FEATURE_INFO:		return sizeof(struct sev_data_snp_feature_info);
253
	case SEV_CMD_SNP_VLEK_LOAD:		return sizeof(struct sev_user_data_snp_vlek_load);
254
	default:				return 0;
255
	}
256

257
	return 0;
258
}
259

260
static struct file *open_file_as_root(const char *filename, int flags, umode_t mode)
261
{
262
	struct file *fp;
263
	struct path root;
264
	struct cred *cred;
265
	const struct cred *old_cred;
266

267
	task_lock(&init_task);
268
	get_fs_root(init_task.fs, &root);
269
	task_unlock(&init_task);
270

271
	cred = prepare_creds();
272
	if (!cred)
273
		return ERR_PTR(-ENOMEM);
274
	cred->fsuid = GLOBAL_ROOT_UID;
275
	old_cred = override_creds(cred);
276

277
	fp = file_open_root(&root, filename, flags, mode);
278
	path_put(&root);
279

280
	put_cred(revert_creds(old_cred));
281

282
	return fp;
283
}
284

285
static int sev_read_init_ex_file(void)
286
{
287
	struct sev_device *sev = psp_master->sev_data;
288
	struct file *fp;
289
	ssize_t nread;
290

291
	lockdep_assert_held(&sev_cmd_mutex);
292

293
	if (!sev_init_ex_buffer)
294
		return -EOPNOTSUPP;
295

296
	fp = open_file_as_root(init_ex_path, O_RDONLY, 0);
297
	if (IS_ERR(fp)) {
298
		int ret = PTR_ERR(fp);
299

300
		if (ret == -ENOENT) {
301
			dev_info(sev->dev,
302
				"SEV: %s does not exist and will be created later.\n",
303
				init_ex_path);
304
			ret = 0;
305
		} else {
306
			dev_err(sev->dev,
307
				"SEV: could not open %s for read, error %d\n",
308
				init_ex_path, ret);
309
		}
310
		return ret;
311
	}
312

313
	nread = kernel_read(fp, sev_init_ex_buffer, NV_LENGTH, NULL);
314
	if (nread != NV_LENGTH) {
315
		dev_info(sev->dev,
316
			"SEV: could not read %u bytes to non volatile memory area, ret %ld\n",
317
			NV_LENGTH, nread);
318
	}
319

320
	dev_dbg(sev->dev, "SEV: read %ld bytes from NV file\n", nread);
321
	filp_close(fp, NULL);
322

323
	return 0;
324
}
325

326
static int sev_write_init_ex_file(void)
327
{
328
	struct sev_device *sev = psp_master->sev_data;
329
	struct file *fp;
330
	loff_t offset = 0;
331
	ssize_t nwrite;
332

333
	lockdep_assert_held(&sev_cmd_mutex);
334

335
	if (!sev_init_ex_buffer)
336
		return 0;
337

338
	fp = open_file_as_root(init_ex_path, O_CREAT | O_WRONLY, 0600);
339
	if (IS_ERR(fp)) {
340
		int ret = PTR_ERR(fp);
341

342
		dev_err(sev->dev,
343
			"SEV: could not open file for write, error %d\n",
344
			ret);
345
		return ret;
346
	}
347

348
	nwrite = kernel_write(fp, sev_init_ex_buffer, NV_LENGTH, &offset);
349
	vfs_fsync(fp, 0);
350
	filp_close(fp, NULL);
351

352
	if (nwrite != NV_LENGTH) {
353
		dev_err(sev->dev,
354
			"SEV: failed to write %u bytes to non volatile memory area, ret %ld\n",
355
			NV_LENGTH, nwrite);
356
		return -EIO;
357
	}
358

359
	dev_dbg(sev->dev, "SEV: write successful to NV file\n");
360

361
	return 0;
362
}
363

364
static int sev_write_init_ex_file_if_required(int cmd_id)
365
{
366
	lockdep_assert_held(&sev_cmd_mutex);
367

368
	if (!sev_init_ex_buffer)
369
		return 0;
370

371
	/*
372
	 * Only a few platform commands modify the SPI/NV area, but none of the
373
	 * non-platform commands do. Only INIT(_EX), PLATFORM_RESET, PEK_GEN,
374
	 * PEK_CERT_IMPORT, and PDH_GEN do.
375
	 */
376
	switch (cmd_id) {
377
	case SEV_CMD_FACTORY_RESET:
378
	case SEV_CMD_INIT_EX:
379
	case SEV_CMD_PDH_GEN:
380
	case SEV_CMD_PEK_CERT_IMPORT:
381
	case SEV_CMD_PEK_GEN:
382
		break;
383
	default:
384
		return 0;
385
	}
386

387
	return sev_write_init_ex_file();
388
}
389

390
/*
391
 * snp_reclaim_pages() needs __sev_do_cmd_locked(), and __sev_do_cmd_locked()
392
 * needs snp_reclaim_pages(), so a forward declaration is needed.
393
 */
394
static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret);
395

396
static int snp_reclaim_pages(unsigned long paddr, unsigned int npages, bool locked)
397
{
398
	int ret, err, i;
399

400
	paddr = __sme_clr(ALIGN_DOWN(paddr, PAGE_SIZE));
401

402
	for (i = 0; i < npages; i++, paddr += PAGE_SIZE) {
403
		struct sev_data_snp_page_reclaim data = {0};
404

405
		data.paddr = paddr;
406

407
		if (locked)
408
			ret = __sev_do_cmd_locked(SEV_CMD_SNP_PAGE_RECLAIM, &data, &err);
409
		else
410
			ret = sev_do_cmd(SEV_CMD_SNP_PAGE_RECLAIM, &data, &err);
411

412
		if (ret)
413
			goto cleanup;
414

415
		ret = rmp_make_shared(__phys_to_pfn(paddr), PG_LEVEL_4K);
416
		if (ret)
417
			goto cleanup;
418
	}
419

420
	return 0;
421

422
cleanup:
423
	/*
424
	 * If there was a failure reclaiming the page then it is no longer safe
425
	 * to release it back to the system; leak it instead.
426
	 */
427
	snp_leak_pages(__phys_to_pfn(paddr), npages - i);
428
	return ret;
429
}
430

431
static int rmp_mark_pages_firmware(unsigned long paddr, unsigned int npages, bool locked)
432
{
433
	unsigned long pfn = __sme_clr(paddr) >> PAGE_SHIFT;
434
	int rc, i;
435

436
	for (i = 0; i < npages; i++, pfn++) {
437
		rc = rmp_make_private(pfn, 0, PG_LEVEL_4K, 0, true);
438
		if (rc)
439
			goto cleanup;
440
	}
441

442
	return 0;
443

444
cleanup:
445
	/*
446
	 * Try unrolling the firmware state changes by
447
	 * reclaiming the pages which were already changed to the
448
	 * firmware state.
449
	 */
450
	snp_reclaim_pages(paddr, i, locked);
451

452
	return rc;
453
}
454

455
static struct page *__snp_alloc_firmware_pages(gfp_t gfp_mask, int order, bool locked)
456
{
457
	unsigned long npages = 1ul << order, paddr;
458
	struct sev_device *sev;
459
	struct page *page;
460

461
	if (!psp_master || !psp_master->sev_data)
462
		return NULL;
463

464
	page = alloc_pages(gfp_mask, order);
465
	if (!page)
466
		return NULL;
467

468
	/* If SEV-SNP is initialized then add the page in RMP table. */
469
	sev = psp_master->sev_data;
470
	if (!sev->snp_initialized)
471
		return page;
472

473
	paddr = __pa((unsigned long)page_address(page));
474
	if (rmp_mark_pages_firmware(paddr, npages, locked))
475
		return NULL;
476

477
	return page;
478
}
479

480
void *snp_alloc_firmware_page(gfp_t gfp_mask)
481
{
482
	struct page *page;
483

484
	page = __snp_alloc_firmware_pages(gfp_mask, 0, false);
485

486
	return page ? page_address(page) : NULL;
487
}
488
EXPORT_SYMBOL_GPL(snp_alloc_firmware_page);
489

490
static void __snp_free_firmware_pages(struct page *page, int order, bool locked)
491
{
492
	struct sev_device *sev = psp_master->sev_data;
493
	unsigned long paddr, npages = 1ul << order;
494

495
	if (!page)
496
		return;
497

498
	paddr = __pa((unsigned long)page_address(page));
499
	if (sev->snp_initialized &&
500
	    snp_reclaim_pages(paddr, npages, locked))
501
		return;
502

503
	__free_pages(page, order);
504
}
505

506
void snp_free_firmware_page(void *addr)
507
{
508
	if (!addr)
509
		return;
510

511
	__snp_free_firmware_pages(virt_to_page(addr), 0, false);
512
}
513
EXPORT_SYMBOL_GPL(snp_free_firmware_page);
514

515
static void *sev_fw_alloc(unsigned long len)
516
{
517
	struct page *page;
518

519
	page = __snp_alloc_firmware_pages(GFP_KERNEL, get_order(len), true);
520
	if (!page)
521
		return NULL;
522

523
	return page_address(page);
524
}
525

526
/**
527
 * struct cmd_buf_desc - descriptors for managing legacy SEV command address
528
 * parameters corresponding to buffers that may be written to by firmware.
529
 *
530
 * @paddr_ptr:  pointer to the address parameter in the command buffer which may
531
 *              need to be saved/restored depending on whether a bounce buffer
532
 *              is used. In the case of a bounce buffer, the command buffer
533
 *              needs to be updated with the address of the new bounce buffer
534
 *              snp_map_cmd_buf_desc() has allocated specifically for it. Must
535
 *              be NULL if this descriptor is only an end-of-list indicator.
536
 *
537
 * @paddr_orig: storage for the original address parameter, which can be used to
538
 *              restore the original value in @paddr_ptr in cases where it is
539
 *              replaced with the address of a bounce buffer.
540
 *
541
 * @len: length of buffer located at the address originally stored at @paddr_ptr
542
 *
543
 * @guest_owned: true if the address corresponds to guest-owned pages, in which
544
 *               case bounce buffers are not needed.
545
 */
546
struct cmd_buf_desc {
547
	u64 *paddr_ptr;
548
	u64 paddr_orig;
549
	u32 len;
550
	bool guest_owned;
551
};
552

553
/*
554
 * If a legacy SEV command parameter is a memory address, those pages in
555
 * turn need to be transitioned to/from firmware-owned before/after
556
 * executing the firmware command.
557
 *
558
 * Additionally, in cases where those pages are not guest-owned, a bounce
559
 * buffer is needed in place of the original memory address parameter.
560
 *
561
 * A set of descriptors are used to keep track of this handling, and
562
 * initialized here based on the specific commands being executed.
563
 */
564
static void snp_populate_cmd_buf_desc_list(int cmd, void *cmd_buf,
565
					   struct cmd_buf_desc *desc_list)
566
{
567
	switch (cmd) {
568
	case SEV_CMD_PDH_CERT_EXPORT: {
569
		struct sev_data_pdh_cert_export *data = cmd_buf;
570

571
		desc_list[0].paddr_ptr = &data->pdh_cert_address;
572
		desc_list[0].len = data->pdh_cert_len;
573
		desc_list[1].paddr_ptr = &data->cert_chain_address;
574
		desc_list[1].len = data->cert_chain_len;
575
		break;
576
	}
577
	case SEV_CMD_GET_ID: {
578
		struct sev_data_get_id *data = cmd_buf;
579

580
		desc_list[0].paddr_ptr = &data->address;
581
		desc_list[0].len = data->len;
582
		break;
583
	}
584
	case SEV_CMD_PEK_CSR: {
585
		struct sev_data_pek_csr *data = cmd_buf;
586

587
		desc_list[0].paddr_ptr = &data->address;
588
		desc_list[0].len = data->len;
589
		break;
590
	}
591
	case SEV_CMD_LAUNCH_UPDATE_DATA: {
592
		struct sev_data_launch_update_data *data = cmd_buf;
593

594
		desc_list[0].paddr_ptr = &data->address;
595
		desc_list[0].len = data->len;
596
		desc_list[0].guest_owned = true;
597
		break;
598
	}
599
	case SEV_CMD_LAUNCH_UPDATE_VMSA: {
600
		struct sev_data_launch_update_vmsa *data = cmd_buf;
601

602
		desc_list[0].paddr_ptr = &data->address;
603
		desc_list[0].len = data->len;
604
		desc_list[0].guest_owned = true;
605
		break;
606
	}
607
	case SEV_CMD_LAUNCH_MEASURE: {
608
		struct sev_data_launch_measure *data = cmd_buf;
609

610
		desc_list[0].paddr_ptr = &data->address;
611
		desc_list[0].len = data->len;
612
		break;
613
	}
614
	case SEV_CMD_LAUNCH_UPDATE_SECRET: {
615
		struct sev_data_launch_secret *data = cmd_buf;
616

617
		desc_list[0].paddr_ptr = &data->guest_address;
618
		desc_list[0].len = data->guest_len;
619
		desc_list[0].guest_owned = true;
620
		break;
621
	}
622
	case SEV_CMD_DBG_DECRYPT: {
623
		struct sev_data_dbg *data = cmd_buf;
624

625
		desc_list[0].paddr_ptr = &data->dst_addr;
626
		desc_list[0].len = data->len;
627
		desc_list[0].guest_owned = true;
628
		break;
629
	}
630
	case SEV_CMD_DBG_ENCRYPT: {
631
		struct sev_data_dbg *data = cmd_buf;
632

633
		desc_list[0].paddr_ptr = &data->dst_addr;
634
		desc_list[0].len = data->len;
635
		desc_list[0].guest_owned = true;
636
		break;
637
	}
638
	case SEV_CMD_ATTESTATION_REPORT: {
639
		struct sev_data_attestation_report *data = cmd_buf;
640

641
		desc_list[0].paddr_ptr = &data->address;
642
		desc_list[0].len = data->len;
643
		break;
644
	}
645
	case SEV_CMD_SEND_START: {
646
		struct sev_data_send_start *data = cmd_buf;
647

648
		desc_list[0].paddr_ptr = &data->session_address;
649
		desc_list[0].len = data->session_len;
650
		break;
651
	}
652
	case SEV_CMD_SEND_UPDATE_DATA: {
653
		struct sev_data_send_update_data *data = cmd_buf;
654

655
		desc_list[0].paddr_ptr = &data->hdr_address;
656
		desc_list[0].len = data->hdr_len;
657
		desc_list[1].paddr_ptr = &data->trans_address;
658
		desc_list[1].len = data->trans_len;
659
		break;
660
	}
661
	case SEV_CMD_SEND_UPDATE_VMSA: {
662
		struct sev_data_send_update_vmsa *data = cmd_buf;
663

664
		desc_list[0].paddr_ptr = &data->hdr_address;
665
		desc_list[0].len = data->hdr_len;
666
		desc_list[1].paddr_ptr = &data->trans_address;
667
		desc_list[1].len = data->trans_len;
668
		break;
669
	}
670
	case SEV_CMD_RECEIVE_UPDATE_DATA: {
671
		struct sev_data_receive_update_data *data = cmd_buf;
672

673
		desc_list[0].paddr_ptr = &data->guest_address;
674
		desc_list[0].len = data->guest_len;
675
		desc_list[0].guest_owned = true;
676
		break;
677
	}
678
	case SEV_CMD_RECEIVE_UPDATE_VMSA: {
679
		struct sev_data_receive_update_vmsa *data = cmd_buf;
680

681
		desc_list[0].paddr_ptr = &data->guest_address;
682
		desc_list[0].len = data->guest_len;
683
		desc_list[0].guest_owned = true;
684
		break;
685
	}
686
	default:
687
		break;
688
	}
689
}
690

691
static int snp_map_cmd_buf_desc(struct cmd_buf_desc *desc)
692
{
693
	unsigned int npages;
694

695
	if (!desc->len)
696
		return 0;
697

698
	/* Allocate a bounce buffer if this isn't a guest owned page. */
699
	if (!desc->guest_owned) {
700
		struct page *page;
701

702
		page = alloc_pages(GFP_KERNEL_ACCOUNT, get_order(desc->len));
703
		if (!page) {
704
			pr_warn("Failed to allocate bounce buffer for SEV legacy command.\n");
705
			return -ENOMEM;
706
		}
707

708
		desc->paddr_orig = *desc->paddr_ptr;
709
		*desc->paddr_ptr = __psp_pa(page_to_virt(page));
710
	}
711

712
	npages = PAGE_ALIGN(desc->len) >> PAGE_SHIFT;
713

714
	/* Transition the buffer to firmware-owned. */
715
	if (rmp_mark_pages_firmware(*desc->paddr_ptr, npages, true)) {
716
		pr_warn("Error moving pages to firmware-owned state for SEV legacy command.\n");
717
		return -EFAULT;
718
	}
719

720
	return 0;
721
}
722

723
static int snp_unmap_cmd_buf_desc(struct cmd_buf_desc *desc)
724
{
725
	unsigned int npages;
726

727
	if (!desc->len)
728
		return 0;
729

730
	npages = PAGE_ALIGN(desc->len) >> PAGE_SHIFT;
731

732
	/* Transition the buffers back to hypervisor-owned. */
733
	if (snp_reclaim_pages(*desc->paddr_ptr, npages, true)) {
734
		pr_warn("Failed to reclaim firmware-owned pages while issuing SEV legacy command.\n");
735
		return -EFAULT;
736
	}
737

738
	/* Copy data from bounce buffer and then free it. */
739
	if (!desc->guest_owned) {
740
		void *bounce_buf = __va(__sme_clr(*desc->paddr_ptr));
741
		void *dst_buf = __va(__sme_clr(desc->paddr_orig));
742

743
		memcpy(dst_buf, bounce_buf, desc->len);
744
		__free_pages(virt_to_page(bounce_buf), get_order(desc->len));
745

746
		/* Restore the original address in the command buffer. */
747
		*desc->paddr_ptr = desc->paddr_orig;
748
	}
749

750
	return 0;
751
}
752

753
static int snp_map_cmd_buf_desc_list(int cmd, void *cmd_buf, struct cmd_buf_desc *desc_list)
754
{
755
	int i;
756

757
	snp_populate_cmd_buf_desc_list(cmd, cmd_buf, desc_list);
758

759
	for (i = 0; i < CMD_BUF_DESC_MAX; i++) {
760
		struct cmd_buf_desc *desc = &desc_list[i];
761

762
		if (!desc->paddr_ptr)
763
			break;
764

765
		if (snp_map_cmd_buf_desc(desc))
766
			goto err_unmap;
767
	}
768

769
	return 0;
770

771
err_unmap:
772
	for (i--; i >= 0; i--)
773
		snp_unmap_cmd_buf_desc(&desc_list[i]);
774

775
	return -EFAULT;
776
}
777

778
static int snp_unmap_cmd_buf_desc_list(struct cmd_buf_desc *desc_list)
779
{
780
	int i, ret = 0;
781

782
	for (i = 0; i < CMD_BUF_DESC_MAX; i++) {
783
		struct cmd_buf_desc *desc = &desc_list[i];
784

785
		if (!desc->paddr_ptr)
786
			break;
787

788
		if (snp_unmap_cmd_buf_desc(&desc_list[i]))
789
			ret = -EFAULT;
790
	}
791

792
	return ret;
793
}
794

795
static bool sev_cmd_buf_writable(int cmd)
796
{
797
	switch (cmd) {
798
	case SEV_CMD_PLATFORM_STATUS:
799
	case SEV_CMD_GUEST_STATUS:
800
	case SEV_CMD_LAUNCH_START:
801
	case SEV_CMD_RECEIVE_START:
802
	case SEV_CMD_LAUNCH_MEASURE:
803
	case SEV_CMD_SEND_START:
804
	case SEV_CMD_SEND_UPDATE_DATA:
805
	case SEV_CMD_SEND_UPDATE_VMSA:
806
	case SEV_CMD_PEK_CSR:
807
	case SEV_CMD_PDH_CERT_EXPORT:
808
	case SEV_CMD_GET_ID:
809
	case SEV_CMD_ATTESTATION_REPORT:
810
		return true;
811
	default:
812
		return false;
813
	}
814
}
815

816
/* After SNP is INIT'ed, the behavior of legacy SEV commands is changed. */
817
static bool snp_legacy_handling_needed(int cmd)
818
{
819
	struct sev_device *sev = psp_master->sev_data;
820

821
	return cmd < SEV_CMD_SNP_INIT && sev->snp_initialized;
822
}
823

824
static int snp_prep_cmd_buf(int cmd, void *cmd_buf, struct cmd_buf_desc *desc_list)
825
{
826
	if (!snp_legacy_handling_needed(cmd))
827
		return 0;
828

829
	if (snp_map_cmd_buf_desc_list(cmd, cmd_buf, desc_list))
830
		return -EFAULT;
831

832
	/*
833
	 * Before command execution, the command buffer needs to be put into
834
	 * the firmware-owned state.
835
	 */
836
	if (sev_cmd_buf_writable(cmd)) {
837
		if (rmp_mark_pages_firmware(__pa(cmd_buf), 1, true))
838
			return -EFAULT;
839
	}
840

841
	return 0;
842
}
843

844
static int snp_reclaim_cmd_buf(int cmd, void *cmd_buf)
845
{
846
	if (!snp_legacy_handling_needed(cmd))
847
		return 0;
848

849
	/*
850
	 * After command completion, the command buffer needs to be put back
851
	 * into the hypervisor-owned state.
852
	 */
853
	if (sev_cmd_buf_writable(cmd))
854
		if (snp_reclaim_pages(__pa(cmd_buf), 1, true))
855
			return -EFAULT;
856

857
	return 0;
858
}
859

860
static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret)
861
{
862
	struct cmd_buf_desc desc_list[CMD_BUF_DESC_MAX] = {0};
863
	struct psp_device *psp = psp_master;
864
	struct sev_device *sev;
865
	unsigned int cmdbuff_hi, cmdbuff_lo;
866
	unsigned int phys_lsb, phys_msb;
867
	unsigned int reg;
868
	void *cmd_buf;
869
	int buf_len;
870
	int ret = 0;
871

872
	if (!psp || !psp->sev_data)
873
		return -ENODEV;
874

875
	if (psp_dead)
876
		return -EBUSY;
877

878
	sev = psp->sev_data;
879

880
	buf_len = sev_cmd_buffer_len(cmd);
881
	if (WARN_ON_ONCE(!data != !buf_len))
882
		return -EINVAL;
883

884
	/*
885
	 * Copy the incoming data to driver's scratch buffer as __pa() will not
886
	 * work for some memory, e.g. vmalloc'd addresses, and @data may not be
887
	 * physically contiguous.
888
	 */
889
	if (data) {
890
		/*
891
		 * Commands are generally issued one at a time and require the
892
		 * sev_cmd_mutex, but there could be recursive firmware requests
893
		 * due to SEV_CMD_SNP_PAGE_RECLAIM needing to be issued while
894
		 * preparing buffers for another command. This is the only known
895
		 * case of nesting in the current code, so exactly one
896
		 * additional command buffer is available for that purpose.
897
		 */
898
		if (!sev->cmd_buf_active) {
899
			cmd_buf = sev->cmd_buf;
900
			sev->cmd_buf_active = true;
901
		} else if (!sev->cmd_buf_backup_active) {
902
			cmd_buf = sev->cmd_buf_backup;
903
			sev->cmd_buf_backup_active = true;
904
		} else {
905
			dev_err(sev->dev,
906
				"SEV: too many firmware commands in progress, no command buffers available.\n");
907
			return -EBUSY;
908
		}
909

910
		memcpy(cmd_buf, data, buf_len);
911

912
		/*
913
		 * The behavior of the SEV-legacy commands is altered when the
914
		 * SNP firmware is in the INIT state.
915
		 */
916
		ret = snp_prep_cmd_buf(cmd, cmd_buf, desc_list);
917
		if (ret) {
918
			dev_err(sev->dev,
919
				"SEV: failed to prepare buffer for legacy command 0x%x. Error: %d\n",
920
				cmd, ret);
921
			return ret;
922
		}
923
	} else {
924
		cmd_buf = sev->cmd_buf;
925
	}
926

927
	/* Get the physical address of the command buffer */
928
	phys_lsb = data ? lower_32_bits(__psp_pa(cmd_buf)) : 0;
929
	phys_msb = data ? upper_32_bits(__psp_pa(cmd_buf)) : 0;
930

931
	dev_dbg(sev->dev, "sev command id %#x buffer 0x%08x%08x timeout %us\n",
932
		cmd, phys_msb, phys_lsb, psp_timeout);
933

934
	print_hex_dump_debug("(in):  ", DUMP_PREFIX_OFFSET, 16, 2, data,
935
			     buf_len, false);
936

937
	iowrite32(phys_lsb, sev->io_regs + sev->vdata->cmdbuff_addr_lo_reg);
938
	iowrite32(phys_msb, sev->io_regs + sev->vdata->cmdbuff_addr_hi_reg);
939

940
	sev->int_rcvd = 0;
941

942
	reg = FIELD_PREP(SEV_CMDRESP_CMD, cmd);
943

944
	/*
945
	 * If invoked during panic handling, local interrupts are disabled so
946
	 * the PSP command completion interrupt can't be used.
947
	 * sev_wait_cmd_ioc() already checks for interrupts disabled and
948
	 * polls for PSP command completion.  Ensure we do not request an
949
	 * interrupt from the PSP if irqs disabled.
950
	 */
951
	if (!irqs_disabled())
952
		reg |= SEV_CMDRESP_IOC;
953

954
	iowrite32(reg, sev->io_regs + sev->vdata->cmdresp_reg);
955

956
	/* wait for command completion */
957
	ret = sev_wait_cmd_ioc(sev, &reg, psp_timeout);
958
	if (ret) {
959
		if (psp_ret)
960
			*psp_ret = 0;
961

962
		dev_err(sev->dev, "sev command %#x timed out, disabling PSP\n", cmd);
963
		psp_dead = true;
964

965
		return ret;
966
	}
967

968
	psp_timeout = psp_cmd_timeout;
969

970
	if (psp_ret)
971
		*psp_ret = FIELD_GET(PSP_CMDRESP_STS, reg);
972

973
	if (FIELD_GET(PSP_CMDRESP_STS, reg)) {
974
		dev_dbg(sev->dev, "sev command %#x failed (%#010lx)\n",
975
			cmd, FIELD_GET(PSP_CMDRESP_STS, reg));
976

977
		/*
978
		 * PSP firmware may report additional error information in the
979
		 * command buffer registers on error. Print contents of command
980
		 * buffer registers if they changed.
981
		 */
982
		cmdbuff_hi = ioread32(sev->io_regs + sev->vdata->cmdbuff_addr_hi_reg);
983
		cmdbuff_lo = ioread32(sev->io_regs + sev->vdata->cmdbuff_addr_lo_reg);
984
		if (cmdbuff_hi != phys_msb || cmdbuff_lo != phys_lsb) {
985
			dev_dbg(sev->dev, "Additional error information reported in cmdbuff:");
986
			dev_dbg(sev->dev, "  cmdbuff hi: %#010x\n", cmdbuff_hi);
987
			dev_dbg(sev->dev, "  cmdbuff lo: %#010x\n", cmdbuff_lo);
988
		}
989
		ret = -EIO;
990
	} else {
991
		ret = sev_write_init_ex_file_if_required(cmd);
992
	}
993

994
	/*
995
	 * Copy potential output from the PSP back to data.  Do this even on
996
	 * failure in case the caller wants to glean something from the error.
997
	 */
998
	if (data) {
999
		int ret_reclaim;
1000
		/*
1001
		 * Restore the page state after the command completes.
1002
		 */
1003
		ret_reclaim = snp_reclaim_cmd_buf(cmd, cmd_buf);
1004
		if (ret_reclaim) {
1005
			dev_err(sev->dev,
1006
				"SEV: failed to reclaim buffer for legacy command %#x. Error: %d\n",
1007
				cmd, ret_reclaim);
1008
			return ret_reclaim;
1009
		}
1010

1011
		memcpy(data, cmd_buf, buf_len);
1012

1013
		if (sev->cmd_buf_backup_active)
1014
			sev->cmd_buf_backup_active = false;
1015
		else
1016
			sev->cmd_buf_active = false;
1017

1018
		if (snp_unmap_cmd_buf_desc_list(desc_list))
1019
			return -EFAULT;
1020
	}
1021

1022
	print_hex_dump_debug("(out): ", DUMP_PREFIX_OFFSET, 16, 2, data,
1023
			     buf_len, false);
1024

1025
	return ret;
1026
}
1027

1028
int sev_do_cmd(int cmd, void *data, int *psp_ret)
1029
{
1030
	int rc;
1031

1032
	mutex_lock(&sev_cmd_mutex);
1033
	rc = __sev_do_cmd_locked(cmd, data, psp_ret);
1034
	mutex_unlock(&sev_cmd_mutex);
1035

1036
	return rc;
1037
}
1038
EXPORT_SYMBOL_GPL(sev_do_cmd);
1039

1040
static int __sev_init_locked(int *error)
1041
{
1042
	struct sev_data_init data;
1043

1044
	memset(&data, 0, sizeof(data));
1045
	if (sev_es_tmr) {
1046
		/*
1047
		 * Do not include the encryption mask on the physical
1048
		 * address of the TMR (firmware should clear it anyway).
1049
		 */
1050
		data.tmr_address = __pa(sev_es_tmr);
1051

1052
		data.flags |= SEV_INIT_FLAGS_SEV_ES;
1053
		data.tmr_len = sev_es_tmr_size;
1054
	}
1055

1056
	return __sev_do_cmd_locked(SEV_CMD_INIT, &data, error);
1057
}
1058

1059
static int __sev_init_ex_locked(int *error)
1060
{
1061
	struct sev_data_init_ex data;
1062

1063
	memset(&data, 0, sizeof(data));
1064
	data.length = sizeof(data);
1065
	data.nv_address = __psp_pa(sev_init_ex_buffer);
1066
	data.nv_len = NV_LENGTH;
1067

1068
	if (sev_es_tmr) {
1069
		/*
1070
		 * Do not include the encryption mask on the physical
1071
		 * address of the TMR (firmware should clear it anyway).
1072
		 */
1073
		data.tmr_address = __pa(sev_es_tmr);
1074

1075
		data.flags |= SEV_INIT_FLAGS_SEV_ES;
1076
		data.tmr_len = sev_es_tmr_size;
1077
	}
1078

1079
	return __sev_do_cmd_locked(SEV_CMD_INIT_EX, &data, error);
1080
}
1081

1082
static inline int __sev_do_init_locked(int *psp_ret)
1083
{
1084
	if (sev_init_ex_buffer)
1085
		return __sev_init_ex_locked(psp_ret);
1086
	else
1087
		return __sev_init_locked(psp_ret);
1088
}
1089

1090
static void snp_set_hsave_pa(void *arg)
1091
{
1092
	wrmsrq(MSR_VM_HSAVE_PA, 0);
1093
}
1094

1095
/* Hypervisor Fixed pages API interface */
1096
static void snp_hv_fixed_pages_state_update(struct sev_device *sev,
1097
					    enum snp_hv_fixed_pages_state page_state)
1098
{
1099
	struct snp_hv_fixed_pages_entry *entry;
1100

1101
	/* List is protected by sev_cmd_mutex */
1102
	lockdep_assert_held(&sev_cmd_mutex);
1103

1104
	if (list_empty(&snp_hv_fixed_pages))
1105
		return;
1106

1107
	list_for_each_entry(entry, &snp_hv_fixed_pages, list)
1108
		entry->page_state = page_state;
1109
}
1110

1111
/*
1112
 * Allocate HV_FIXED pages in 2MB aligned sizes to ensure the whole
1113
 * 2MB pages are marked as HV_FIXED.
1114
 */
1115
struct page *snp_alloc_hv_fixed_pages(unsigned int num_2mb_pages)
1116
{
1117
	struct psp_device *psp_master = psp_get_master_device();
1118
	struct snp_hv_fixed_pages_entry *entry;
1119
	struct sev_device *sev;
1120
	unsigned int order;
1121
	struct page *page;
1122

1123
	if (!psp_master || !psp_master->sev_data)
1124
		return NULL;
1125

1126
	sev = psp_master->sev_data;
1127

1128
	order = get_order(PMD_SIZE * num_2mb_pages);
1129

1130
	/*
1131
	 * SNP_INIT_EX is protected by sev_cmd_mutex, therefore this list
1132
	 * also needs to be protected using the same mutex.
1133
	 */
1134
	guard(mutex)(&sev_cmd_mutex);
1135

1136
	/*
1137
	 * This API uses SNP_INIT_EX to transition allocated pages to HV_Fixed
1138
	 * page state, fail if SNP is already initialized.
1139
	 */
1140
	if (sev->snp_initialized)
1141
		return NULL;
1142

1143
	/* Re-use freed pages that match the request */
1144
	list_for_each_entry(entry, &snp_hv_fixed_pages, list) {
1145
		/* Hypervisor fixed page allocator implements exact fit policy */
1146
		if (entry->order == order && entry->free) {
1147
			entry->free = false;
1148
			memset(page_address(entry->page), 0,
1149
			       (1 << entry->order) * PAGE_SIZE);
1150
			return entry->page;
1151
		}
1152
	}
1153

1154
	page = alloc_pages(GFP_KERNEL | __GFP_ZERO, order);
1155
	if (!page)
1156
		return NULL;
1157

1158
	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
1159
	if (!entry) {
1160
		__free_pages(page, order);
1161
		return NULL;
1162
	}
1163

1164
	entry->page = page;
1165
	entry->order = order;
1166
	list_add_tail(&entry->list, &snp_hv_fixed_pages);
1167

1168
	return page;
1169
}
1170

1171
void snp_free_hv_fixed_pages(struct page *page)
1172
{
1173
	struct psp_device *psp_master = psp_get_master_device();
1174
	struct snp_hv_fixed_pages_entry *entry, *nentry;
1175

1176
	if (!psp_master || !psp_master->sev_data)
1177
		return;
1178

1179
	/*
1180
	 * SNP_INIT_EX is protected by sev_cmd_mutex, therefore this list
1181
	 * also needs to be protected using the same mutex.
1182
	 */
1183
	guard(mutex)(&sev_cmd_mutex);
1184

1185
	list_for_each_entry_safe(entry, nentry, &snp_hv_fixed_pages, list) {
1186
		if (entry->page != page)
1187
			continue;
1188

1189
		/*
1190
		 * HV_FIXED page state cannot be changed until reboot
1191
		 * and they cannot be used by an SNP guest, so they cannot
1192
		 * be returned back to the page allocator.
1193
		 * Mark the pages as free internally to allow possible re-use.
1194
		 */
1195
		if (entry->page_state == HV_FIXED) {
1196
			entry->free = true;
1197
		} else {
1198
			__free_pages(page, entry->order);
1199
			list_del(&entry->list);
1200
			kfree(entry);
1201
		}
1202
		return;
1203
	}
1204
}
1205

1206
static void snp_add_hv_fixed_pages(struct sev_device *sev, struct sev_data_range_list *range_list)
1207
{
1208
	struct snp_hv_fixed_pages_entry *entry;
1209
	struct sev_data_range *range;
1210
	int num_elements;
1211

1212
	lockdep_assert_held(&sev_cmd_mutex);
1213

1214
	if (list_empty(&snp_hv_fixed_pages))
1215
		return;
1216

1217
	num_elements = list_count_nodes(&snp_hv_fixed_pages) +
1218
		       range_list->num_elements;
1219

1220
	/*
1221
	 * Ensure the list of HV_FIXED pages that will be passed to firmware
1222
	 * do not exceed the page-sized argument buffer.
1223
	 */
1224
	if (num_elements * sizeof(*range) + sizeof(*range_list) > PAGE_SIZE) {
1225
		dev_warn(sev->dev, "Additional HV_Fixed pages cannot be accommodated, omitting\n");
1226
		return;
1227
	}
1228

1229
	range = &range_list->ranges[range_list->num_elements];
1230
	list_for_each_entry(entry, &snp_hv_fixed_pages, list) {
1231
		range->base = page_to_pfn(entry->page) << PAGE_SHIFT;
1232
		range->page_count = 1 << entry->order;
1233
		range++;
1234
	}
1235
	range_list->num_elements = num_elements;
1236
}
1237

1238
static void snp_leak_hv_fixed_pages(void)
1239
{
1240
	struct snp_hv_fixed_pages_entry *entry;
1241

1242
	/* List is protected by sev_cmd_mutex */
1243
	lockdep_assert_held(&sev_cmd_mutex);
1244

1245
	if (list_empty(&snp_hv_fixed_pages))
1246
		return;
1247

1248
	list_for_each_entry(entry, &snp_hv_fixed_pages, list)
1249
		if (entry->page_state == HV_FIXED)
1250
			__snp_leak_pages(page_to_pfn(entry->page),
1251
					 1 << entry->order, false);
1252
}
1253

1254
bool sev_is_snp_ciphertext_hiding_supported(void)
1255
{
1256
	struct psp_device *psp = psp_master;
1257
	struct sev_device *sev;
1258

1259
	if (!psp || !psp->sev_data)
1260
		return false;
1261

1262
	sev = psp->sev_data;
1263

1264
	/*
1265
	 * Feature information indicates if CipherTextHiding feature is
1266
	 * supported by the SEV firmware and additionally platform status
1267
	 * indicates if CipherTextHiding feature is enabled in the
1268
	 * Platform BIOS.
1269
	 */
1270
	return ((sev->snp_feat_info_0.ecx & SNP_CIPHER_TEXT_HIDING_SUPPORTED) &&
1271
		 sev->snp_plat_status.ciphertext_hiding_cap);
1272
}
1273
EXPORT_SYMBOL_GPL(sev_is_snp_ciphertext_hiding_supported);
1274

1275
static int snp_get_platform_data(struct sev_device *sev, int *error)
1276
{
1277
	struct sev_data_snp_feature_info snp_feat_info;
1278
	struct snp_feature_info *feat_info;
1279
	struct sev_data_snp_addr buf;
1280
	struct page *page;
1281
	int rc;
1282

1283
	/*
1284
	 * This function is expected to be called before SNP is
1285
	 * initialized.
1286
	 */
1287
	if (sev->snp_initialized)
1288
		return -EINVAL;
1289

1290
	buf.address = __psp_pa(&sev->snp_plat_status);
1291
	rc = sev_do_cmd(SEV_CMD_SNP_PLATFORM_STATUS, &buf, error);
1292
	if (rc) {
1293
		dev_err(sev->dev, "SNP PLATFORM_STATUS command failed, ret = %d, error = %#x\n",
1294
			rc, *error);
1295
		return rc;
1296
	}
1297

1298
	sev->api_major = sev->snp_plat_status.api_major;
1299
	sev->api_minor = sev->snp_plat_status.api_minor;
1300
	sev->build = sev->snp_plat_status.build_id;
1301

1302
	/*
1303
	 * Do feature discovery of the currently loaded firmware,
1304
	 * and cache feature information from CPUID 0x8000_0024,
1305
	 * sub-function 0.
1306
	 */
1307
	if (!sev->snp_plat_status.feature_info)
1308
		return 0;
1309

1310
	/*
1311
	 * Use dynamically allocated structure for the SNP_FEATURE_INFO
1312
	 * command to ensure structure is 8-byte aligned, and does not
1313
	 * cross a page boundary.
1314
	 */
1315
	page = alloc_page(GFP_KERNEL);
1316
	if (!page)
1317
		return -ENOMEM;
1318

1319
	feat_info = page_address(page);
1320
	snp_feat_info.length = sizeof(snp_feat_info);
1321
	snp_feat_info.ecx_in = 0;
1322
	snp_feat_info.feature_info_paddr = __psp_pa(feat_info);
1323

1324
	rc = sev_do_cmd(SEV_CMD_SNP_FEATURE_INFO, &snp_feat_info, error);
1325
	if (!rc)
1326
		sev->snp_feat_info_0 = *feat_info;
1327
	else
1328
		dev_err(sev->dev, "SNP FEATURE_INFO command failed, ret = %d, error = %#x\n",
1329
			rc, *error);
1330

1331
	__free_page(page);
1332

1333
	return rc;
1334
}
1335

1336
static int snp_filter_reserved_mem_regions(struct resource *rs, void *arg)
1337
{
1338
	struct sev_data_range_list *range_list = arg;
1339
	struct sev_data_range *range = &range_list->ranges[range_list->num_elements];
1340
	size_t size;
1341

1342
	/*
1343
	 * Ensure the list of HV_FIXED pages that will be passed to firmware
1344
	 * do not exceed the page-sized argument buffer.
1345
	 */
1346
	if ((range_list->num_elements * sizeof(struct sev_data_range) +
1347
	     sizeof(struct sev_data_range_list)) > PAGE_SIZE)
1348
		return -E2BIG;
1349

1350
	switch (rs->desc) {
1351
	case E820_TYPE_RESERVED:
1352
	case E820_TYPE_PMEM:
1353
	case E820_TYPE_ACPI:
1354
		range->base = rs->start & PAGE_MASK;
1355
		size = PAGE_ALIGN((rs->end + 1) - rs->start);
1356
		range->page_count = size >> PAGE_SHIFT;
1357
		range_list->num_elements++;
1358
		break;
1359
	default:
1360
		break;
1361
	}
1362

1363
	return 0;
1364
}
1365

1366
static int __sev_snp_init_locked(int *error, unsigned int max_snp_asid)
1367
{
1368
	struct psp_device *psp = psp_master;
1369
	struct sev_data_snp_init_ex data;
1370
	struct sev_device *sev;
1371
	void *arg = &data;
1372
	int cmd, rc = 0;
1373

1374
	if (!cc_platform_has(CC_ATTR_HOST_SEV_SNP))
1375
		return -ENODEV;
1376

1377
	sev = psp->sev_data;
1378

1379
	if (sev->snp_initialized)
1380
		return 0;
1381

1382
	if (!sev_version_greater_or_equal(SNP_MIN_API_MAJOR, SNP_MIN_API_MINOR)) {
1383
		dev_dbg(sev->dev, "SEV-SNP support requires firmware version >= %d:%d\n",
1384
			SNP_MIN_API_MAJOR, SNP_MIN_API_MINOR);
1385
		return -EOPNOTSUPP;
1386
	}
1387

1388
	/* SNP_INIT requires MSR_VM_HSAVE_PA to be cleared on all CPUs. */
1389
	on_each_cpu(snp_set_hsave_pa, NULL, 1);
1390

1391
	/*
1392
	 * Starting in SNP firmware v1.52, the SNP_INIT_EX command takes a list
1393
	 * of system physical address ranges to convert into HV-fixed page
1394
	 * states during the RMP initialization.  For instance, the memory that
1395
	 * UEFI reserves should be included in the that list. This allows system
1396
	 * components that occasionally write to memory (e.g. logging to UEFI
1397
	 * reserved regions) to not fail due to RMP initialization and SNP
1398
	 * enablement.
1399
	 *
1400
	 */
1401
	if (sev_version_greater_or_equal(SNP_MIN_API_MAJOR, 52)) {
1402
		/*
1403
		 * Firmware checks that the pages containing the ranges enumerated
1404
		 * in the RANGES structure are either in the default page state or in the
1405
		 * firmware page state.
1406
		 */
1407
		snp_range_list = kzalloc(PAGE_SIZE, GFP_KERNEL);
1408
		if (!snp_range_list) {
1409
			dev_err(sev->dev,
1410
				"SEV: SNP_INIT_EX range list memory allocation failed\n");
1411
			return -ENOMEM;
1412
		}
1413

1414
		/*
1415
		 * Retrieve all reserved memory regions from the e820 memory map
1416
		 * to be setup as HV-fixed pages.
1417
		 */
1418
		rc = walk_iomem_res_desc(IORES_DESC_NONE, IORESOURCE_MEM, 0, ~0,
1419
					 snp_range_list, snp_filter_reserved_mem_regions);
1420
		if (rc) {
1421
			dev_err(sev->dev,
1422
				"SEV: SNP_INIT_EX walk_iomem_res_desc failed rc = %d\n", rc);
1423
			return rc;
1424
		}
1425

1426
		/*
1427
		 * Add HV_Fixed pages from other PSP sub-devices, such as SFS to the
1428
		 * HV_Fixed page list.
1429
		 */
1430
		snp_add_hv_fixed_pages(sev, snp_range_list);
1431

1432
		memset(&data, 0, sizeof(data));
1433

1434
		if (max_snp_asid) {
1435
			data.ciphertext_hiding_en = 1;
1436
			data.max_snp_asid = max_snp_asid;
1437
		}
1438

1439
		data.init_rmp = 1;
1440
		data.list_paddr_en = 1;
1441
		data.list_paddr = __psp_pa(snp_range_list);
1442
		cmd = SEV_CMD_SNP_INIT_EX;
1443
	} else {
1444
		cmd = SEV_CMD_SNP_INIT;
1445
		arg = NULL;
1446
	}
1447

1448
	/*
1449
	 * The following sequence must be issued before launching the first SNP
1450
	 * guest to ensure all dirty cache lines are flushed, including from
1451
	 * updates to the RMP table itself via the RMPUPDATE instruction:
1452
	 *
1453
	 * - WBINVD on all running CPUs
1454
	 * - SEV_CMD_SNP_INIT[_EX] firmware command
1455
	 * - WBINVD on all running CPUs
1456
	 * - SEV_CMD_SNP_DF_FLUSH firmware command
1457
	 */
1458
	wbinvd_on_all_cpus();
1459

1460
	rc = __sev_do_cmd_locked(cmd, arg, error);
1461
	if (rc) {
1462
		dev_err(sev->dev, "SEV-SNP: %s failed rc %d, error %#x\n",
1463
			cmd == SEV_CMD_SNP_INIT_EX ? "SNP_INIT_EX" : "SNP_INIT",
1464
			rc, *error);
1465
		return rc;
1466
	}
1467

1468
	/* Prepare for first SNP guest launch after INIT. */
1469
	wbinvd_on_all_cpus();
1470
	rc = __sev_do_cmd_locked(SEV_CMD_SNP_DF_FLUSH, NULL, error);
1471
	if (rc) {
1472
		dev_err(sev->dev, "SEV-SNP: SNP_DF_FLUSH failed rc %d, error %#x\n",
1473
			rc, *error);
1474
		return rc;
1475
	}
1476

1477
	snp_hv_fixed_pages_state_update(sev, HV_FIXED);
1478
	sev->snp_initialized = true;
1479
	dev_dbg(sev->dev, "SEV-SNP firmware initialized\n");
1480

1481
	dev_info(sev->dev, "SEV-SNP API:%d.%d build:%d\n", sev->api_major,
1482
		 sev->api_minor, sev->build);
1483

1484
	atomic_notifier_chain_register(&panic_notifier_list,
1485
				       &snp_panic_notifier);
1486

1487
	sev_es_tmr_size = SNP_TMR_SIZE;
1488

1489
	return 0;
1490
}
1491

1492
static void __sev_platform_init_handle_tmr(struct sev_device *sev)
1493
{
1494
	if (sev_es_tmr)
1495
		return;
1496

1497
	/* Obtain the TMR memory area for SEV-ES use */
1498
	sev_es_tmr = sev_fw_alloc(sev_es_tmr_size);
1499
	if (sev_es_tmr) {
1500
		/* Must flush the cache before giving it to the firmware */
1501
		if (!sev->snp_initialized)
1502
			clflush_cache_range(sev_es_tmr, sev_es_tmr_size);
1503
	} else {
1504
			dev_warn(sev->dev, "SEV: TMR allocation failed, SEV-ES support unavailable\n");
1505
	}
1506
}
1507

1508
/*
1509
 * If an init_ex_path is provided allocate a buffer for the file and
1510
 * read in the contents. Additionally, if SNP is initialized, convert
1511
 * the buffer pages to firmware pages.
1512
 */
1513
static int __sev_platform_init_handle_init_ex_path(struct sev_device *sev)
1514
{
1515
	struct page *page;
1516
	int rc;
1517

1518
	if (!init_ex_path)
1519
		return 0;
1520

1521
	if (sev_init_ex_buffer)
1522
		return 0;
1523

1524
	page = alloc_pages(GFP_KERNEL, get_order(NV_LENGTH));
1525
	if (!page) {
1526
		dev_err(sev->dev, "SEV: INIT_EX NV memory allocation failed\n");
1527
		return -ENOMEM;
1528
	}
1529

1530
	sev_init_ex_buffer = page_address(page);
1531

1532
	rc = sev_read_init_ex_file();
1533
	if (rc)
1534
		return rc;
1535

1536
	/* If SEV-SNP is initialized, transition to firmware page. */
1537
	if (sev->snp_initialized) {
1538
		unsigned long npages;
1539

1540
		npages = 1UL << get_order(NV_LENGTH);
1541
		if (rmp_mark_pages_firmware(__pa(sev_init_ex_buffer), npages, false)) {
1542
			dev_err(sev->dev, "SEV: INIT_EX NV memory page state change failed.\n");
1543
			return -ENOMEM;
1544
		}
1545
	}
1546

1547
	return 0;
1548
}
1549

1550
static int __sev_platform_init_locked(int *error)
1551
{
1552
	int rc, psp_ret, dfflush_error;
1553
	struct sev_device *sev;
1554

1555
	psp_ret = dfflush_error = SEV_RET_NO_FW_CALL;
1556

1557
	if (!psp_master || !psp_master->sev_data)
1558
		return -ENODEV;
1559

1560
	sev = psp_master->sev_data;
1561

1562
	if (sev->sev_plat_status.state == SEV_STATE_INIT)
1563
		return 0;
1564

1565
	__sev_platform_init_handle_tmr(sev);
1566

1567
	rc = __sev_platform_init_handle_init_ex_path(sev);
1568
	if (rc)
1569
		return rc;
1570

1571
	rc = __sev_do_init_locked(&psp_ret);
1572
	if (rc && psp_ret == SEV_RET_SECURE_DATA_INVALID) {
1573
		/*
1574
		 * Initialization command returned an integrity check failure
1575
		 * status code, meaning that firmware load and validation of SEV
1576
		 * related persistent data has failed. Retrying the
1577
		 * initialization function should succeed by replacing the state
1578
		 * with a reset state.
1579
		 */
1580
		dev_err(sev->dev,
1581
"SEV: retrying INIT command because of SECURE_DATA_INVALID error. Retrying once to reset PSP SEV state.");
1582
		rc = __sev_do_init_locked(&psp_ret);
1583
	}
1584

1585
	if (error)
1586
		*error = psp_ret;
1587

1588
	if (rc) {
1589
		dev_err(sev->dev, "SEV: %s failed %#x, rc %d\n",
1590
			sev_init_ex_buffer ? "INIT_EX" : "INIT", psp_ret, rc);
1591
		return rc;
1592
	}
1593

1594
	sev->sev_plat_status.state = SEV_STATE_INIT;
1595

1596
	/* Prepare for first SEV guest launch after INIT */
1597
	wbinvd_on_all_cpus();
1598
	rc = __sev_do_cmd_locked(SEV_CMD_DF_FLUSH, NULL, &dfflush_error);
1599
	if (rc) {
1600
		dev_err(sev->dev, "SEV: DF_FLUSH failed %#x, rc %d\n",
1601
			dfflush_error, rc);
1602
		return rc;
1603
	}
1604

1605
	dev_dbg(sev->dev, "SEV firmware initialized\n");
1606

1607
	dev_info(sev->dev, "SEV API:%d.%d build:%d\n", sev->api_major,
1608
		 sev->api_minor, sev->build);
1609

1610
	return 0;
1611
}
1612

1613
static int _sev_platform_init_locked(struct sev_platform_init_args *args)
1614
{
1615
	struct sev_device *sev;
1616
	int rc;
1617

1618
	if (!psp_master || !psp_master->sev_data)
1619
		return -ENODEV;
1620

1621
	/*
1622
	 * Skip SNP/SEV initialization under a kdump kernel as SEV/SNP
1623
	 * may already be initialized in the previous kernel. Since no
1624
	 * SNP/SEV guests are run under a kdump kernel, there is no
1625
	 * need to initialize SNP or SEV during kdump boot.
1626
	 */
1627
	if (is_kdump_kernel())
1628
		return 0;
1629

1630
	sev = psp_master->sev_data;
1631

1632
	if (sev->sev_plat_status.state == SEV_STATE_INIT)
1633
		return 0;
1634

1635
	rc = __sev_snp_init_locked(&args->error, args->max_snp_asid);
1636
	if (rc && rc != -ENODEV)
1637
		return rc;
1638

1639
	/* Defer legacy SEV/SEV-ES support if allowed by caller/module. */
1640
	if (args->probe && !psp_init_on_probe)
1641
		return 0;
1642

1643
	return __sev_platform_init_locked(&args->error);
1644
}
1645

1646
int sev_platform_init(struct sev_platform_init_args *args)
1647
{
1648
	int rc;
1649

1650
	mutex_lock(&sev_cmd_mutex);
1651
	rc = _sev_platform_init_locked(args);
1652
	mutex_unlock(&sev_cmd_mutex);
1653

1654
	return rc;
1655
}
1656
EXPORT_SYMBOL_GPL(sev_platform_init);
1657

1658
static int __sev_platform_shutdown_locked(int *error)
1659
{
1660
	struct psp_device *psp = psp_master;
1661
	struct sev_device *sev;
1662
	int ret;
1663

1664
	if (!psp || !psp->sev_data)
1665
		return 0;
1666

1667
	sev = psp->sev_data;
1668

1669
	if (sev->sev_plat_status.state == SEV_STATE_UNINIT)
1670
		return 0;
1671

1672
	ret = __sev_do_cmd_locked(SEV_CMD_SHUTDOWN, NULL, error);
1673
	if (ret) {
1674
		dev_err(sev->dev, "SEV: failed to SHUTDOWN error %#x, rc %d\n",
1675
			*error, ret);
1676
		return ret;
1677
	}
1678

1679
	sev->sev_plat_status.state = SEV_STATE_UNINIT;
1680
	dev_dbg(sev->dev, "SEV firmware shutdown\n");
1681

1682
	return ret;
1683
}
1684

1685
static int sev_get_platform_state(int *state, int *error)
1686
{
1687
	struct sev_user_data_status data;
1688
	int rc;
1689

1690
	rc = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, error);
1691
	if (rc)
1692
		return rc;
1693

1694
	*state = data.state;
1695
	return rc;
1696
}
1697

1698
static int sev_move_to_init_state(struct sev_issue_cmd *argp, bool *shutdown_required)
1699
{
1700
	struct sev_platform_init_args init_args = {0};
1701
	int rc;
1702

1703
	rc = _sev_platform_init_locked(&init_args);
1704
	if (rc) {
1705
		argp->error = SEV_RET_INVALID_PLATFORM_STATE;
1706
		return rc;
1707
	}
1708

1709
	*shutdown_required = true;
1710

1711
	return 0;
1712
}
1713

1714
static int snp_move_to_init_state(struct sev_issue_cmd *argp, bool *shutdown_required)
1715
{
1716
	int error, rc;
1717

1718
	rc = __sev_snp_init_locked(&error, 0);
1719
	if (rc) {
1720
		argp->error = SEV_RET_INVALID_PLATFORM_STATE;
1721
		return rc;
1722
	}
1723

1724
	*shutdown_required = true;
1725

1726
	return 0;
1727
}
1728

1729
static int sev_ioctl_do_reset(struct sev_issue_cmd *argp, bool writable)
1730
{
1731
	int state, rc;
1732

1733
	if (!writable)
1734
		return -EPERM;
1735

1736
	/*
1737
	 * The SEV spec requires that FACTORY_RESET must be issued in
1738
	 * UNINIT state. Before we go further lets check if any guest is
1739
	 * active.
1740
	 *
1741
	 * If FW is in WORKING state then deny the request otherwise issue
1742
	 * SHUTDOWN command do INIT -> UNINIT before issuing the FACTORY_RESET.
1743
	 *
1744
	 */
1745
	rc = sev_get_platform_state(&state, &argp->error);
1746
	if (rc)
1747
		return rc;
1748

1749
	if (state == SEV_STATE_WORKING)
1750
		return -EBUSY;
1751

1752
	if (state == SEV_STATE_INIT) {
1753
		rc = __sev_platform_shutdown_locked(&argp->error);
1754
		if (rc)
1755
			return rc;
1756
	}
1757

1758
	return __sev_do_cmd_locked(SEV_CMD_FACTORY_RESET, NULL, &argp->error);
1759
}
1760

1761
static int sev_ioctl_do_platform_status(struct sev_issue_cmd *argp)
1762
{
1763
	struct sev_user_data_status data;
1764
	int ret;
1765

1766
	memset(&data, 0, sizeof(data));
1767

1768
	ret = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, &argp->error);
1769
	if (ret)
1770
		return ret;
1771

1772
	if (copy_to_user((void __user *)argp->data, &data, sizeof(data)))
1773
		ret = -EFAULT;
1774

1775
	return ret;
1776
}
1777

1778
static int sev_ioctl_do_pek_pdh_gen(int cmd, struct sev_issue_cmd *argp, bool writable)
1779
{
1780
	struct sev_device *sev = psp_master->sev_data;
1781
	bool shutdown_required = false;
1782
	int rc;
1783

1784
	if (!writable)
1785
		return -EPERM;
1786

1787
	if (sev->sev_plat_status.state == SEV_STATE_UNINIT) {
1788
		rc = sev_move_to_init_state(argp, &shutdown_required);
1789
		if (rc)
1790
			return rc;
1791
	}
1792

1793
	rc = __sev_do_cmd_locked(cmd, NULL, &argp->error);
1794

1795
	if (shutdown_required)
1796
		__sev_firmware_shutdown(sev, false);
1797

1798
	return rc;
1799
}
1800

1801
static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp, bool writable)
1802
{
1803
	struct sev_device *sev = psp_master->sev_data;
1804
	struct sev_user_data_pek_csr input;
1805
	bool shutdown_required = false;
1806
	struct sev_data_pek_csr data;
1807
	void __user *input_address;
1808
	void *blob = NULL;
1809
	int ret;
1810

1811
	if (!writable)
1812
		return -EPERM;
1813

1814
	if (copy_from_user(&input, (void __user *)argp->data, sizeof(input)))
1815
		return -EFAULT;
1816

1817
	memset(&data, 0, sizeof(data));
1818

1819
	/* userspace wants to query CSR length */
1820
	if (!input.address || !input.length)
1821
		goto cmd;
1822

1823
	/* allocate a physically contiguous buffer to store the CSR blob */
1824
	input_address = (void __user *)input.address;
1825
	if (input.length > SEV_FW_BLOB_MAX_SIZE)
1826
		return -EFAULT;
1827

1828
	blob = kzalloc(input.length, GFP_KERNEL);
1829
	if (!blob)
1830
		return -ENOMEM;
1831

1832
	data.address = __psp_pa(blob);
1833
	data.len = input.length;
1834

1835
cmd:
1836
	if (sev->sev_plat_status.state == SEV_STATE_UNINIT) {
1837
		ret = sev_move_to_init_state(argp, &shutdown_required);
1838
		if (ret)
1839
			goto e_free_blob;
1840
	}
1841

1842
	ret = __sev_do_cmd_locked(SEV_CMD_PEK_CSR, &data, &argp->error);
1843

1844
	 /* If we query the CSR length, FW responded with expected data. */
1845
	input.length = data.len;
1846

1847
	if (copy_to_user((void __user *)argp->data, &input, sizeof(input))) {
1848
		ret = -EFAULT;
1849
		goto e_free_blob;
1850
	}
1851

1852
	if (blob) {
1853
		if (copy_to_user(input_address, blob, input.length))
1854
			ret = -EFAULT;
1855
	}
1856

1857
e_free_blob:
1858
	if (shutdown_required)
1859
		__sev_firmware_shutdown(sev, false);
1860

1861
	kfree(blob);
1862
	return ret;
1863
}
1864

1865
void *psp_copy_user_blob(u64 uaddr, u32 len)
1866
{
1867
	if (!uaddr || !len)
1868
		return ERR_PTR(-EINVAL);
1869

1870
	/* verify that blob length does not exceed our limit */
1871
	if (len > SEV_FW_BLOB_MAX_SIZE)
1872
		return ERR_PTR(-EINVAL);
1873

1874
	return memdup_user((void __user *)uaddr, len);
1875
}
1876
EXPORT_SYMBOL_GPL(psp_copy_user_blob);
1877

1878
static int sev_get_api_version(void)
1879
{
1880
	struct sev_device *sev = psp_master->sev_data;
1881
	struct sev_user_data_status status;
1882
	int error = 0, ret;
1883

1884
	/*
1885
	 * Cache SNP platform status and SNP feature information
1886
	 * if SNP is available.
1887
	 */
1888
	if (cc_platform_has(CC_ATTR_HOST_SEV_SNP)) {
1889
		ret = snp_get_platform_data(sev, &error);
1890
		if (ret)
1891
			return 1;
1892
	}
1893

1894
	ret = sev_platform_status(&status, &error);
1895
	if (ret) {
1896
		dev_err(sev->dev,
1897
			"SEV: failed to get status. Error: %#x\n", error);
1898
		return 1;
1899
	}
1900

1901
	/* Cache SEV platform status */
1902
	sev->sev_plat_status = status;
1903

1904
	sev->api_major = status.api_major;
1905
	sev->api_minor = status.api_minor;
1906
	sev->build = status.build;
1907

1908
	return 0;
1909
}
1910

1911
static int sev_get_firmware(struct device *dev,
1912
			    const struct firmware **firmware)
1913
{
1914
	char fw_name_specific[SEV_FW_NAME_SIZE];
1915
	char fw_name_subset[SEV_FW_NAME_SIZE];
1916

1917
	snprintf(fw_name_specific, sizeof(fw_name_specific),
1918
		 "amd/amd_sev_fam%.2xh_model%.2xh.sbin",
1919
		 boot_cpu_data.x86, boot_cpu_data.x86_model);
1920

1921
	snprintf(fw_name_subset, sizeof(fw_name_subset),
1922
		 "amd/amd_sev_fam%.2xh_model%.1xxh.sbin",
1923
		 boot_cpu_data.x86, (boot_cpu_data.x86_model & 0xf0) >> 4);
1924

1925
	/* Check for SEV FW for a particular model.
1926
	 * Ex. amd_sev_fam17h_model00h.sbin for Family 17h Model 00h
1927
	 *
1928
	 * or
1929
	 *
1930
	 * Check for SEV FW common to a subset of models.
1931
	 * Ex. amd_sev_fam17h_model0xh.sbin for
1932
	 *     Family 17h Model 00h -- Family 17h Model 0Fh
1933
	 *
1934
	 * or
1935
	 *
1936
	 * Fall-back to using generic name: sev.fw
1937
	 */
1938
	if ((firmware_request_nowarn(firmware, fw_name_specific, dev) >= 0) ||
1939
	    (firmware_request_nowarn(firmware, fw_name_subset, dev) >= 0) ||
1940
	    (firmware_request_nowarn(firmware, SEV_FW_FILE, dev) >= 0))
1941
		return 0;
1942

1943
	return -ENOENT;
1944
}
1945

1946
/* Don't fail if SEV FW couldn't be updated. Continue with existing SEV FW */
1947
static int sev_update_firmware(struct device *dev)
1948
{
1949
	struct sev_data_download_firmware *data;
1950
	const struct firmware *firmware;
1951
	int ret, error, order;
1952
	struct page *p;
1953
	u64 data_size;
1954

1955
	if (!sev_version_greater_or_equal(0, 15)) {
1956
		dev_dbg(dev, "DOWNLOAD_FIRMWARE not supported\n");
1957
		return -1;
1958
	}
1959

1960
	if (sev_get_firmware(dev, &firmware) == -ENOENT) {
1961
		dev_dbg(dev, "No SEV firmware file present\n");
1962
		return -1;
1963
	}
1964

1965
	/*
1966
	 * SEV FW expects the physical address given to it to be 32
1967
	 * byte aligned. Memory allocated has structure placed at the
1968
	 * beginning followed by the firmware being passed to the SEV
1969
	 * FW. Allocate enough memory for data structure + alignment
1970
	 * padding + SEV FW.
1971
	 */
1972
	data_size = ALIGN(sizeof(struct sev_data_download_firmware), 32);
1973

1974
	order = get_order(firmware->size + data_size);
1975
	p = alloc_pages(GFP_KERNEL, order);
1976
	if (!p) {
1977
		ret = -1;
1978
		goto fw_err;
1979
	}
1980

1981
	/*
1982
	 * Copy firmware data to a kernel allocated contiguous
1983
	 * memory region.
1984
	 */
1985
	data = page_address(p);
1986
	memcpy(page_address(p) + data_size, firmware->data, firmware->size);
1987

1988
	data->address = __psp_pa(page_address(p) + data_size);
1989
	data->len = firmware->size;
1990

1991
	ret = sev_do_cmd(SEV_CMD_DOWNLOAD_FIRMWARE, data, &error);
1992

1993
	/*
1994
	 * A quirk for fixing the committed TCB version, when upgrading from
1995
	 * earlier firmware version than 1.50.
1996
	 */
1997
	if (!ret && !sev_version_greater_or_equal(1, 50))
1998
		ret = sev_do_cmd(SEV_CMD_DOWNLOAD_FIRMWARE, data, &error);
1999

2000
	if (ret)
2001
		dev_dbg(dev, "Failed to update SEV firmware: %#x\n", error);
2002

2003
	__free_pages(p, order);
2004

2005
fw_err:
2006
	release_firmware(firmware);
2007

2008
	return ret;
2009
}
2010

2011
static int __sev_snp_shutdown_locked(int *error, bool panic)
2012
{
2013
	struct psp_device *psp = psp_master;
2014
	struct sev_device *sev;
2015
	struct sev_data_snp_shutdown_ex data;
2016
	int ret;
2017

2018
	if (!psp || !psp->sev_data)
2019
		return 0;
2020

2021
	sev = psp->sev_data;
2022

2023
	if (!sev->snp_initialized)
2024
		return 0;
2025

2026
	memset(&data, 0, sizeof(data));
2027
	data.len = sizeof(data);
2028
	data.iommu_snp_shutdown = 1;
2029

2030
	/*
2031
	 * If invoked during panic handling, local interrupts are disabled
2032
	 * and all CPUs are stopped, so wbinvd_on_all_cpus() can't be called.
2033
	 * In that case, a wbinvd() is done on remote CPUs via the NMI
2034
	 * callback, so only a local wbinvd() is needed here.
2035
	 */
2036
	if (!panic)
2037
		wbinvd_on_all_cpus();
2038
	else
2039
		wbinvd();
2040

2041
	ret = __sev_do_cmd_locked(SEV_CMD_SNP_SHUTDOWN_EX, &data, error);
2042
	/* SHUTDOWN may require DF_FLUSH */
2043
	if (*error == SEV_RET_DFFLUSH_REQUIRED) {
2044
		int dfflush_error = SEV_RET_NO_FW_CALL;
2045

2046
		ret = __sev_do_cmd_locked(SEV_CMD_SNP_DF_FLUSH, NULL, &dfflush_error);
2047
		if (ret) {
2048
			dev_err(sev->dev, "SEV-SNP DF_FLUSH failed, ret = %d, error = %#x\n",
2049
				ret, dfflush_error);
2050
			return ret;
2051
		}
2052
		/* reissue the shutdown command */
2053
		ret = __sev_do_cmd_locked(SEV_CMD_SNP_SHUTDOWN_EX, &data,
2054
					  error);
2055
	}
2056
	if (ret) {
2057
		dev_err(sev->dev, "SEV-SNP firmware shutdown failed, rc %d, error %#x\n",
2058
			ret, *error);
2059
		return ret;
2060
	}
2061

2062
	/*
2063
	 * SNP_SHUTDOWN_EX with IOMMU_SNP_SHUTDOWN set to 1 disables SNP
2064
	 * enforcement by the IOMMU and also transitions all pages
2065
	 * associated with the IOMMU to the Reclaim state.
2066
	 * Firmware was transitioning the IOMMU pages to Hypervisor state
2067
	 * before version 1.53. But, accounting for the number of assigned
2068
	 * 4kB pages in a 2M page was done incorrectly by not transitioning
2069
	 * to the Reclaim state. This resulted in RMP #PF when later accessing
2070
	 * the 2M page containing those pages during kexec boot. Hence, the
2071
	 * firmware now transitions these pages to Reclaim state and hypervisor
2072
	 * needs to transition these pages to shared state. SNP Firmware
2073
	 * version 1.53 and above are needed for kexec boot.
2074
	 */
2075
	ret = amd_iommu_snp_disable();
2076
	if (ret) {
2077
		dev_err(sev->dev, "SNP IOMMU shutdown failed\n");
2078
		return ret;
2079
	}
2080

2081
	snp_leak_hv_fixed_pages();
2082
	sev->snp_initialized = false;
2083
	dev_dbg(sev->dev, "SEV-SNP firmware shutdown\n");
2084

2085
	/*
2086
	 * __sev_snp_shutdown_locked() deadlocks when it tries to unregister
2087
	 * itself during panic as the panic notifier is called with RCU read
2088
	 * lock held and notifier unregistration does RCU synchronization.
2089
	 */
2090
	if (!panic)
2091
		atomic_notifier_chain_unregister(&panic_notifier_list,
2092
						 &snp_panic_notifier);
2093

2094
	/* Reset TMR size back to default */
2095
	sev_es_tmr_size = SEV_TMR_SIZE;
2096

2097
	return ret;
2098
}
2099

2100
static int sev_ioctl_do_pek_import(struct sev_issue_cmd *argp, bool writable)
2101
{
2102
	struct sev_device *sev = psp_master->sev_data;
2103
	struct sev_user_data_pek_cert_import input;
2104
	struct sev_data_pek_cert_import data;
2105
	bool shutdown_required = false;
2106
	void *pek_blob, *oca_blob;
2107
	int ret;
2108

2109
	if (!writable)
2110
		return -EPERM;
2111

2112
	if (copy_from_user(&input, (void __user *)argp->data, sizeof(input)))
2113
		return -EFAULT;
2114

2115
	/* copy PEK certificate blobs from userspace */
2116
	pek_blob = psp_copy_user_blob(input.pek_cert_address, input.pek_cert_len);
2117
	if (IS_ERR(pek_blob))
2118
		return PTR_ERR(pek_blob);
2119

2120
	data.reserved = 0;
2121
	data.pek_cert_address = __psp_pa(pek_blob);
2122
	data.pek_cert_len = input.pek_cert_len;
2123

2124
	/* copy PEK certificate blobs from userspace */
2125
	oca_blob = psp_copy_user_blob(input.oca_cert_address, input.oca_cert_len);
2126
	if (IS_ERR(oca_blob)) {
2127
		ret = PTR_ERR(oca_blob);
2128
		goto e_free_pek;
2129
	}
2130

2131
	data.oca_cert_address = __psp_pa(oca_blob);
2132
	data.oca_cert_len = input.oca_cert_len;
2133

2134
	/* If platform is not in INIT state then transition it to INIT */
2135
	if (sev->sev_plat_status.state != SEV_STATE_INIT) {
2136
		ret = sev_move_to_init_state(argp, &shutdown_required);
2137
		if (ret)
2138
			goto e_free_oca;
2139
	}
2140

2141
	ret = __sev_do_cmd_locked(SEV_CMD_PEK_CERT_IMPORT, &data, &argp->error);
2142

2143
e_free_oca:
2144
	if (shutdown_required)
2145
		__sev_firmware_shutdown(sev, false);
2146

2147
	kfree(oca_blob);
2148
e_free_pek:
2149
	kfree(pek_blob);
2150
	return ret;
2151
}
2152

2153
static int sev_ioctl_do_get_id2(struct sev_issue_cmd *argp)
2154
{
2155
	struct sev_user_data_get_id2 input;
2156
	struct sev_data_get_id data;
2157
	void __user *input_address;
2158
	void *id_blob = NULL;
2159
	int ret;
2160

2161
	/* SEV GET_ID is available from SEV API v0.16 and up */
2162
	if (!sev_version_greater_or_equal(0, 16))
2163
		return -ENOTSUPP;
2164

2165
	if (copy_from_user(&input, (void __user *)argp->data, sizeof(input)))
2166
		return -EFAULT;
2167

2168
	input_address = (void __user *)input.address;
2169

2170
	if (input.address && input.length) {
2171
		/*
2172
		 * The length of the ID shouldn't be assumed by software since
2173
		 * it may change in the future.  The allocation size is limited
2174
		 * to 1 << (PAGE_SHIFT + MAX_PAGE_ORDER) by the page allocator.
2175
		 * If the allocation fails, simply return ENOMEM rather than
2176
		 * warning in the kernel log.
2177
		 */
2178
		id_blob = kzalloc(input.length, GFP_KERNEL | __GFP_NOWARN);
2179
		if (!id_blob)
2180
			return -ENOMEM;
2181

2182
		data.address = __psp_pa(id_blob);
2183
		data.len = input.length;
2184
	} else {
2185
		data.address = 0;
2186
		data.len = 0;
2187
	}
2188

2189
	ret = __sev_do_cmd_locked(SEV_CMD_GET_ID, &data, &argp->error);
2190

2191
	/*
2192
	 * Firmware will return the length of the ID value (either the minimum
2193
	 * required length or the actual length written), return it to the user.
2194
	 */
2195
	input.length = data.len;
2196

2197
	if (copy_to_user((void __user *)argp->data, &input, sizeof(input))) {
2198
		ret = -EFAULT;
2199
		goto e_free;
2200
	}
2201

2202
	if (id_blob) {
2203
		if (copy_to_user(input_address, id_blob, data.len)) {
2204
			ret = -EFAULT;
2205
			goto e_free;
2206
		}
2207
	}
2208

2209
e_free:
2210
	kfree(id_blob);
2211

2212
	return ret;
2213
}
2214

2215
static int sev_ioctl_do_get_id(struct sev_issue_cmd *argp)
2216
{
2217
	struct sev_data_get_id *data;
2218
	u64 data_size, user_size;
2219
	void *id_blob, *mem;
2220
	int ret;
2221

2222
	/* SEV GET_ID available from SEV API v0.16 and up */
2223
	if (!sev_version_greater_or_equal(0, 16))
2224
		return -ENOTSUPP;
2225

2226
	/* SEV FW expects the buffer it fills with the ID to be
2227
	 * 8-byte aligned. Memory allocated should be enough to
2228
	 * hold data structure + alignment padding + memory
2229
	 * where SEV FW writes the ID.
2230
	 */
2231
	data_size = ALIGN(sizeof(struct sev_data_get_id), 8);
2232
	user_size = sizeof(struct sev_user_data_get_id);
2233

2234
	mem = kzalloc(data_size + user_size, GFP_KERNEL);
2235
	if (!mem)
2236
		return -ENOMEM;
2237

2238
	data = mem;
2239
	id_blob = mem + data_size;
2240

2241
	data->address = __psp_pa(id_blob);
2242
	data->len = user_size;
2243

2244
	ret = __sev_do_cmd_locked(SEV_CMD_GET_ID, data, &argp->error);
2245
	if (!ret) {
2246
		if (copy_to_user((void __user *)argp->data, id_blob, data->len))
2247
			ret = -EFAULT;
2248
	}
2249

2250
	kfree(mem);
2251

2252
	return ret;
2253
}
2254

2255
static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable)
2256
{
2257
	struct sev_device *sev = psp_master->sev_data;
2258
	struct sev_user_data_pdh_cert_export input;
2259
	void *pdh_blob = NULL, *cert_blob = NULL;
2260
	struct sev_data_pdh_cert_export data;
2261
	void __user *input_cert_chain_address;
2262
	void __user *input_pdh_cert_address;
2263
	bool shutdown_required = false;
2264
	int ret;
2265

2266
	if (copy_from_user(&input, (void __user *)argp->data, sizeof(input)))
2267
		return -EFAULT;
2268

2269
	memset(&data, 0, sizeof(data));
2270

2271
	input_pdh_cert_address = (void __user *)input.pdh_cert_address;
2272
	input_cert_chain_address = (void __user *)input.cert_chain_address;
2273

2274
	/* Userspace wants to query the certificate length. */
2275
	if (!input.pdh_cert_address ||
2276
	    !input.pdh_cert_len ||
2277
	    !input.cert_chain_address)
2278
		goto cmd;
2279

2280
	/* Allocate a physically contiguous buffer to store the PDH blob. */
2281
	if (input.pdh_cert_len > SEV_FW_BLOB_MAX_SIZE)
2282
		return -EFAULT;
2283

2284
	/* Allocate a physically contiguous buffer to store the cert chain blob. */
2285
	if (input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE)
2286
		return -EFAULT;
2287

2288
	pdh_blob = kzalloc(input.pdh_cert_len, GFP_KERNEL);
2289
	if (!pdh_blob)
2290
		return -ENOMEM;
2291

2292
	data.pdh_cert_address = __psp_pa(pdh_blob);
2293
	data.pdh_cert_len = input.pdh_cert_len;
2294

2295
	cert_blob = kzalloc(input.cert_chain_len, GFP_KERNEL);
2296
	if (!cert_blob) {
2297
		ret = -ENOMEM;
2298
		goto e_free_pdh;
2299
	}
2300

2301
	data.cert_chain_address = __psp_pa(cert_blob);
2302
	data.cert_chain_len = input.cert_chain_len;
2303

2304
cmd:
2305
	/* If platform is not in INIT state then transition it to INIT. */
2306
	if (sev->sev_plat_status.state != SEV_STATE_INIT) {
2307
		if (!writable) {
2308
			ret = -EPERM;
2309
			goto e_free_cert;
2310
		}
2311
		ret = sev_move_to_init_state(argp, &shutdown_required);
2312
		if (ret)
2313
			goto e_free_cert;
2314
	}
2315

2316
	ret = __sev_do_cmd_locked(SEV_CMD_PDH_CERT_EXPORT, &data, &argp->error);
2317

2318
	/* If we query the length, FW responded with expected data. */
2319
	input.cert_chain_len = data.cert_chain_len;
2320
	input.pdh_cert_len = data.pdh_cert_len;
2321

2322
	if (copy_to_user((void __user *)argp->data, &input, sizeof(input))) {
2323
		ret = -EFAULT;
2324
		goto e_free_cert;
2325
	}
2326

2327
	if (pdh_blob) {
2328
		if (copy_to_user(input_pdh_cert_address,
2329
				 pdh_blob, input.pdh_cert_len)) {
2330
			ret = -EFAULT;
2331
			goto e_free_cert;
2332
		}
2333
	}
2334

2335
	if (cert_blob) {
2336
		if (copy_to_user(input_cert_chain_address,
2337
				 cert_blob, input.cert_chain_len))
2338
			ret = -EFAULT;
2339
	}
2340

2341
e_free_cert:
2342
	if (shutdown_required)
2343
		__sev_firmware_shutdown(sev, false);
2344

2345
	kfree(cert_blob);
2346
e_free_pdh:
2347
	kfree(pdh_blob);
2348
	return ret;
2349
}
2350

2351
static int sev_ioctl_do_snp_platform_status(struct sev_issue_cmd *argp)
2352
{
2353
	struct sev_device *sev = psp_master->sev_data;
2354
	bool shutdown_required = false;
2355
	struct sev_data_snp_addr buf;
2356
	struct page *status_page;
2357
	int ret, error;
2358
	void *data;
2359

2360
	if (!argp->data)
2361
		return -EINVAL;
2362

2363
	status_page = alloc_page(GFP_KERNEL_ACCOUNT);
2364
	if (!status_page)
2365
		return -ENOMEM;
2366

2367
	data = page_address(status_page);
2368

2369
	if (!sev->snp_initialized) {
2370
		ret = snp_move_to_init_state(argp, &shutdown_required);
2371
		if (ret)
2372
			goto cleanup;
2373
	}
2374

2375
	/*
2376
	 * Firmware expects status page to be in firmware-owned state, otherwise
2377
	 * it will report firmware error code INVALID_PAGE_STATE (0x1A).
2378
	 */
2379
	if (rmp_mark_pages_firmware(__pa(data), 1, true)) {
2380
		ret = -EFAULT;
2381
		goto cleanup;
2382
	}
2383

2384
	buf.address = __psp_pa(data);
2385
	ret = __sev_do_cmd_locked(SEV_CMD_SNP_PLATFORM_STATUS, &buf, &argp->error);
2386

2387
	/*
2388
	 * Status page will be transitioned to Reclaim state upon success, or
2389
	 * left in Firmware state in failure. Use snp_reclaim_pages() to
2390
	 * transition either case back to Hypervisor-owned state.
2391
	 */
2392
	if (snp_reclaim_pages(__pa(data), 1, true))
2393
		return -EFAULT;
2394

2395
	if (ret)
2396
		goto cleanup;
2397

2398
	if (copy_to_user((void __user *)argp->data, data,
2399
			 sizeof(struct sev_user_data_snp_status)))
2400
		ret = -EFAULT;
2401

2402
cleanup:
2403
	if (shutdown_required)
2404
		__sev_snp_shutdown_locked(&error, false);
2405

2406
	__free_pages(status_page, 0);
2407
	return ret;
2408
}
2409

2410
static int sev_ioctl_do_snp_commit(struct sev_issue_cmd *argp)
2411
{
2412
	struct sev_device *sev = psp_master->sev_data;
2413
	struct sev_data_snp_commit buf;
2414
	bool shutdown_required = false;
2415
	int ret, error;
2416

2417
	if (!sev->snp_initialized) {
2418
		ret = snp_move_to_init_state(argp, &shutdown_required);
2419
		if (ret)
2420
			return ret;
2421
	}
2422

2423
	buf.len = sizeof(buf);
2424

2425
	ret = __sev_do_cmd_locked(SEV_CMD_SNP_COMMIT, &buf, &argp->error);
2426

2427
	if (shutdown_required)
2428
		__sev_snp_shutdown_locked(&error, false);
2429

2430
	return ret;
2431
}
2432

2433
static int sev_ioctl_do_snp_set_config(struct sev_issue_cmd *argp, bool writable)
2434
{
2435
	struct sev_device *sev = psp_master->sev_data;
2436
	struct sev_user_data_snp_config config;
2437
	bool shutdown_required = false;
2438
	int ret, error;
2439

2440
	if (!argp->data)
2441
		return -EINVAL;
2442

2443
	if (!writable)
2444
		return -EPERM;
2445

2446
	if (copy_from_user(&config, (void __user *)argp->data, sizeof(config)))
2447
		return -EFAULT;
2448

2449
	if (!sev->snp_initialized) {
2450
		ret = snp_move_to_init_state(argp, &shutdown_required);
2451
		if (ret)
2452
			return ret;
2453
	}
2454

2455
	ret = __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error);
2456

2457
	if (shutdown_required)
2458
		__sev_snp_shutdown_locked(&error, false);
2459

2460
	return ret;
2461
}
2462

2463
static int sev_ioctl_do_snp_vlek_load(struct sev_issue_cmd *argp, bool writable)
2464
{
2465
	struct sev_device *sev = psp_master->sev_data;
2466
	struct sev_user_data_snp_vlek_load input;
2467
	bool shutdown_required = false;
2468
	int ret, error;
2469
	void *blob;
2470

2471
	if (!argp->data)
2472
		return -EINVAL;
2473

2474
	if (!writable)
2475
		return -EPERM;
2476

2477
	if (copy_from_user(&input, u64_to_user_ptr(argp->data), sizeof(input)))
2478
		return -EFAULT;
2479

2480
	if (input.len != sizeof(input) || input.vlek_wrapped_version != 0)
2481
		return -EINVAL;
2482

2483
	blob = psp_copy_user_blob(input.vlek_wrapped_address,
2484
				  sizeof(struct sev_user_data_snp_wrapped_vlek_hashstick));
2485
	if (IS_ERR(blob))
2486
		return PTR_ERR(blob);
2487

2488
	input.vlek_wrapped_address = __psp_pa(blob);
2489

2490
	if (!sev->snp_initialized) {
2491
		ret = snp_move_to_init_state(argp, &shutdown_required);
2492
		if (ret)
2493
			goto cleanup;
2494
	}
2495

2496
	ret = __sev_do_cmd_locked(SEV_CMD_SNP_VLEK_LOAD, &input, &argp->error);
2497

2498
	if (shutdown_required)
2499
		__sev_snp_shutdown_locked(&error, false);
2500

2501
cleanup:
2502
	kfree(blob);
2503

2504
	return ret;
2505
}
2506

2507
static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
2508
{
2509
	void __user *argp = (void __user *)arg;
2510
	struct sev_issue_cmd input;
2511
	int ret = -EFAULT;
2512
	bool writable = file->f_mode & FMODE_WRITE;
2513

2514
	if (!psp_master || !psp_master->sev_data)
2515
		return -ENODEV;
2516

2517
	if (ioctl != SEV_ISSUE_CMD)
2518
		return -EINVAL;
2519

2520
	if (copy_from_user(&input, argp, sizeof(struct sev_issue_cmd)))
2521
		return -EFAULT;
2522

2523
	if (input.cmd > SEV_MAX)
2524
		return -EINVAL;
2525

2526
	mutex_lock(&sev_cmd_mutex);
2527

2528
	switch (input.cmd) {
2529

2530
	case SEV_FACTORY_RESET:
2531
		ret = sev_ioctl_do_reset(&input, writable);
2532
		break;
2533
	case SEV_PLATFORM_STATUS:
2534
		ret = sev_ioctl_do_platform_status(&input);
2535
		break;
2536
	case SEV_PEK_GEN:
2537
		ret = sev_ioctl_do_pek_pdh_gen(SEV_CMD_PEK_GEN, &input, writable);
2538
		break;
2539
	case SEV_PDH_GEN:
2540
		ret = sev_ioctl_do_pek_pdh_gen(SEV_CMD_PDH_GEN, &input, writable);
2541
		break;
2542
	case SEV_PEK_CSR:
2543
		ret = sev_ioctl_do_pek_csr(&input, writable);
2544
		break;
2545
	case SEV_PEK_CERT_IMPORT:
2546
		ret = sev_ioctl_do_pek_import(&input, writable);
2547
		break;
2548
	case SEV_PDH_CERT_EXPORT:
2549
		ret = sev_ioctl_do_pdh_export(&input, writable);
2550
		break;
2551
	case SEV_GET_ID:
2552
		pr_warn_once("SEV_GET_ID command is deprecated, use SEV_GET_ID2\n");
2553
		ret = sev_ioctl_do_get_id(&input);
2554
		break;
2555
	case SEV_GET_ID2:
2556
		ret = sev_ioctl_do_get_id2(&input);
2557
		break;
2558
	case SNP_PLATFORM_STATUS:
2559
		ret = sev_ioctl_do_snp_platform_status(&input);
2560
		break;
2561
	case SNP_COMMIT:
2562
		ret = sev_ioctl_do_snp_commit(&input);
2563
		break;
2564
	case SNP_SET_CONFIG:
2565
		ret = sev_ioctl_do_snp_set_config(&input, writable);
2566
		break;
2567
	case SNP_VLEK_LOAD:
2568
		ret = sev_ioctl_do_snp_vlek_load(&input, writable);
2569
		break;
2570
	default:
2571
		ret = -EINVAL;
2572
		goto out;
2573
	}
2574

2575
	if (copy_to_user(argp, &input, sizeof(struct sev_issue_cmd)))
2576
		ret = -EFAULT;
2577
out:
2578
	mutex_unlock(&sev_cmd_mutex);
2579

2580
	return ret;
2581
}
2582

2583
static const struct file_operations sev_fops = {
2584
	.owner	= THIS_MODULE,
2585
	.unlocked_ioctl = sev_ioctl,
2586
};
2587

2588
int sev_platform_status(struct sev_user_data_status *data, int *error)
2589
{
2590
	return sev_do_cmd(SEV_CMD_PLATFORM_STATUS, data, error);
2591
}
2592
EXPORT_SYMBOL_GPL(sev_platform_status);
2593

2594
int sev_guest_deactivate(struct sev_data_deactivate *data, int *error)
2595
{
2596
	return sev_do_cmd(SEV_CMD_DEACTIVATE, data, error);
2597
}
2598
EXPORT_SYMBOL_GPL(sev_guest_deactivate);
2599

2600
int sev_guest_activate(struct sev_data_activate *data, int *error)
2601
{
2602
	return sev_do_cmd(SEV_CMD_ACTIVATE, data, error);
2603
}
2604
EXPORT_SYMBOL_GPL(sev_guest_activate);
2605

2606
int sev_guest_decommission(struct sev_data_decommission *data, int *error)
2607
{
2608
	return sev_do_cmd(SEV_CMD_DECOMMISSION, data, error);
2609
}
2610
EXPORT_SYMBOL_GPL(sev_guest_decommission);
2611

2612
int sev_guest_df_flush(int *error)
2613
{
2614
	return sev_do_cmd(SEV_CMD_DF_FLUSH, NULL, error);
2615
}
2616
EXPORT_SYMBOL_GPL(sev_guest_df_flush);
2617

2618
static void sev_exit(struct kref *ref)
2619
{
2620
	misc_deregister(&misc_dev->misc);
2621
	kfree(misc_dev);
2622
	misc_dev = NULL;
2623
}
2624

2625
static int sev_misc_init(struct sev_device *sev)
2626
{
2627
	struct device *dev = sev->dev;
2628
	int ret;
2629

2630
	/*
2631
	 * SEV feature support can be detected on multiple devices but the SEV
2632
	 * FW commands must be issued on the master. During probe, we do not
2633
	 * know the master hence we create /dev/sev on the first device probe.
2634
	 * sev_do_cmd() finds the right master device to which to issue the
2635
	 * command to the firmware.
2636
	 */
2637
	if (!misc_dev) {
2638
		struct miscdevice *misc;
2639

2640
		misc_dev = kzalloc(sizeof(*misc_dev), GFP_KERNEL);
2641
		if (!misc_dev)
2642
			return -ENOMEM;
2643

2644
		misc = &misc_dev->misc;
2645
		misc->minor = MISC_DYNAMIC_MINOR;
2646
		misc->name = DEVICE_NAME;
2647
		misc->fops = &sev_fops;
2648

2649
		ret = misc_register(misc);
2650
		if (ret)
2651
			return ret;
2652

2653
		kref_init(&misc_dev->refcount);
2654
	} else {
2655
		kref_get(&misc_dev->refcount);
2656
	}
2657

2658
	init_waitqueue_head(&sev->int_queue);
2659
	sev->misc = misc_dev;
2660
	dev_dbg(dev, "registered SEV device\n");
2661

2662
	return 0;
2663
}
2664

2665
int sev_dev_init(struct psp_device *psp)
2666
{
2667
	struct device *dev = psp->dev;
2668
	struct sev_device *sev;
2669
	int ret = -ENOMEM;
2670

2671
	if (!boot_cpu_has(X86_FEATURE_SEV)) {
2672
		dev_info_once(dev, "SEV: memory encryption not enabled by BIOS\n");
2673
		return 0;
2674
	}
2675

2676
	sev = devm_kzalloc(dev, sizeof(*sev), GFP_KERNEL);
2677
	if (!sev)
2678
		goto e_err;
2679

2680
	sev->cmd_buf = (void *)devm_get_free_pages(dev, GFP_KERNEL, 1);
2681
	if (!sev->cmd_buf)
2682
		goto e_sev;
2683

2684
	sev->cmd_buf_backup = (uint8_t *)sev->cmd_buf + PAGE_SIZE;
2685

2686
	psp->sev_data = sev;
2687

2688
	sev->dev = dev;
2689
	sev->psp = psp;
2690

2691
	sev->io_regs = psp->io_regs;
2692

2693
	sev->vdata = (struct sev_vdata *)psp->vdata->sev;
2694
	if (!sev->vdata) {
2695
		ret = -ENODEV;
2696
		dev_err(dev, "sev: missing driver data\n");
2697
		goto e_buf;
2698
	}
2699

2700
	psp_set_sev_irq_handler(psp, sev_irq_handler, sev);
2701

2702
	ret = sev_misc_init(sev);
2703
	if (ret)
2704
		goto e_irq;
2705

2706
	dev_notice(dev, "sev enabled\n");
2707

2708
	return 0;
2709

2710
e_irq:
2711
	psp_clear_sev_irq_handler(psp);
2712
e_buf:
2713
	devm_free_pages(dev, (unsigned long)sev->cmd_buf);
2714
e_sev:
2715
	devm_kfree(dev, sev);
2716
e_err:
2717
	psp->sev_data = NULL;
2718

2719
	dev_notice(dev, "sev initialization failed\n");
2720

2721
	return ret;
2722
}
2723

2724
static void __sev_firmware_shutdown(struct sev_device *sev, bool panic)
2725
{
2726
	int error;
2727

2728
	__sev_platform_shutdown_locked(&error);
2729

2730
	if (sev_es_tmr) {
2731
		/*
2732
		 * The TMR area was encrypted, flush it from the cache.
2733
		 *
2734
		 * If invoked during panic handling, local interrupts are
2735
		 * disabled and all CPUs are stopped, so wbinvd_on_all_cpus()
2736
		 * can't be used. In that case, wbinvd() is done on remote CPUs
2737
		 * via the NMI callback, and done for this CPU later during
2738
		 * SNP shutdown, so wbinvd_on_all_cpus() can be skipped.
2739
		 */
2740
		if (!panic)
2741
			wbinvd_on_all_cpus();
2742

2743
		__snp_free_firmware_pages(virt_to_page(sev_es_tmr),
2744
					  get_order(sev_es_tmr_size),
2745
					  true);
2746
		sev_es_tmr = NULL;
2747
	}
2748

2749
	if (sev_init_ex_buffer) {
2750
		__snp_free_firmware_pages(virt_to_page(sev_init_ex_buffer),
2751
					  get_order(NV_LENGTH),
2752
					  true);
2753
		sev_init_ex_buffer = NULL;
2754
	}
2755

2756
	if (snp_range_list) {
2757
		kfree(snp_range_list);
2758
		snp_range_list = NULL;
2759
	}
2760

2761
	__sev_snp_shutdown_locked(&error, panic);
2762
}
2763

2764
static void sev_firmware_shutdown(struct sev_device *sev)
2765
{
2766
	mutex_lock(&sev_cmd_mutex);
2767
	__sev_firmware_shutdown(sev, false);
2768
	mutex_unlock(&sev_cmd_mutex);
2769
}
2770

2771
void sev_platform_shutdown(void)
2772
{
2773
	if (!psp_master || !psp_master->sev_data)
2774
		return;
2775

2776
	sev_firmware_shutdown(psp_master->sev_data);
2777
}
2778
EXPORT_SYMBOL_GPL(sev_platform_shutdown);
2779

2780
void sev_dev_destroy(struct psp_device *psp)
2781
{
2782
	struct sev_device *sev = psp->sev_data;
2783

2784
	if (!sev)
2785
		return;
2786

2787
	sev_firmware_shutdown(sev);
2788

2789
	if (sev->misc)
2790
		kref_put(&misc_dev->refcount, sev_exit);
2791

2792
	psp_clear_sev_irq_handler(psp);
2793
}
2794

2795
static int snp_shutdown_on_panic(struct notifier_block *nb,
2796
				 unsigned long reason, void *arg)
2797
{
2798
	struct sev_device *sev = psp_master->sev_data;
2799

2800
	/*
2801
	 * If sev_cmd_mutex is already acquired, then it's likely
2802
	 * another PSP command is in flight and issuing a shutdown
2803
	 * would fail in unexpected ways. Rather than create even
2804
	 * more confusion during a panic, just bail out here.
2805
	 */
2806
	if (mutex_is_locked(&sev_cmd_mutex))
2807
		return NOTIFY_DONE;
2808

2809
	__sev_firmware_shutdown(sev, true);
2810

2811
	return NOTIFY_DONE;
2812
}
2813

2814
int sev_issue_cmd_external_user(struct file *filep, unsigned int cmd,
2815
				void *data, int *error)
2816
{
2817
	if (!filep || filep->f_op != &sev_fops)
2818
		return -EBADF;
2819

2820
	return sev_do_cmd(cmd, data, error);
2821
}
2822
EXPORT_SYMBOL_GPL(sev_issue_cmd_external_user);
2823

2824
void sev_pci_init(void)
2825
{
2826
	struct sev_device *sev = psp_master->sev_data;
2827
	u8 api_major, api_minor, build;
2828

2829
	if (!sev)
2830
		return;
2831

2832
	psp_timeout = psp_probe_timeout;
2833

2834
	if (sev_get_api_version())
2835
		goto err;
2836

2837
	api_major = sev->api_major;
2838
	api_minor = sev->api_minor;
2839
	build     = sev->build;
2840

2841
	if (sev_update_firmware(sev->dev) == 0)
2842
		sev_get_api_version();
2843

2844
	if (api_major != sev->api_major || api_minor != sev->api_minor ||
2845
	    build != sev->build)
2846
		dev_info(sev->dev, "SEV firmware updated from %d.%d.%d to %d.%d.%d\n",
2847
			 api_major, api_minor, build,
2848
			 sev->api_major, sev->api_minor, sev->build);
2849

2850
	return;
2851

2852
err:
2853
	sev_dev_destroy(psp_master);
2854

2855
	psp_master->sev_data = NULL;
2856
}
2857

2858
void sev_pci_exit(void)
2859
{
2860
	struct sev_device *sev = psp_master->sev_data;
2861

2862
	if (!sev)
2863
		return;
2864

2865
	sev_firmware_shutdown(sev);
2866
}
2867

2868