crypto: ccp: Add the SNP_SET_CONFIG command

The SEV-SNP firmware provides the SNP_CONFIG command used to set various
system-wide configuration values for SNP guests, such as the reported
TCB version used when signing guest attestation reports. Add an
interface to set this via userspace.

  [ mdr: Squash in doc patch from Dionna, drop extended request/
    certificate handling and simplify this to a simple wrapper around
    SNP_CONFIG fw cmd. ]

Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Co-developed-by: Alexey Kardashevskiy <aik@amd.com>
Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
Co-developed-by: Dionna Glaze <dionnaglaze@google.com>
Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20240126041126.1927228-26-michael.roth@amd.com
Brijesh Singh 2024-01-25 22:11:25 -06:00 committed by Borislav Petkov (AMD)
parent fad133c79a
commit cb645fe478
3 changed files with 34 additions and 0 deletions


@ -162,6 +162,19 @@ SEV-SNP firmware SNP_COMMIT command. This prevents roll-back to a previously
committed firmware version. This will also update the reported TCB to match committed firmware version. This will also update the reported TCB to match
that of the currently installed firmware. that of the currently installed firmware.
2.6 SNP_SET_CONFIG
------------------
:Technology: sev-snp
:Type: hypervisor ioctl cmd
:Parameters (in): struct sev_user_data_snp_config
:Returns (out): 0 on success, -negative on error
SNP_SET_CONFIG is used to set the system-wide configuration such as
reported TCB version in the attestation report. The command is similar
to SNP_CONFIG command defined in the SEV-SNP spec. The current values of
the firmware parameters affected by this command can be queried via
SNP_PLATFORM_STATUS.
3. SEV-SNP CPUID Enforcement 3. SEV-SNP CPUID Enforcement
============================ ============================
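Review bot: the ":Returns (out): 0 on success, -negative on error" line in the new 2.6 SNP_SET_CONFIG section is too coarse for callers; the handler in this patch distinguishes -EPERM (the /dev/sev fd was not opened writable) from -EINVAL (SNP not initialized, or no data pointer), while a firmware-side rejection of the config is reported through the error field of struct sev_issue_cmd rather than as a negative return. Suggest listing those three outcomes explicitly, since the note about querying current values via SNP_PLATFORM_STATUS is otherwise the only usage guidance the section gives.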


@ -2004,6 +2004,23 @@ static int sev_ioctl_do_snp_commit(struct sev_issue_cmd *argp)
return __sev_do_cmd_locked(SEV_CMD_SNP_COMMIT, &buf, &argp->error); return __sev_do_cmd_locked(SEV_CMD_SNP_COMMIT, &buf, &argp->error);
} }
static int sev_ioctl_do_snp_set_config(struct sev_issue_cmd *argp, bool writable)
{
struct sev_device *sev = psp_master->sev_data;
struct sev_user_data_snp_config config;
if (!sev->snp_initialized || !argp->data)
return -EINVAL;
if (!writable)
return -EPERM;
if (copy_from_user(&config, (void __user *)argp->data, sizeof(config)))
return -EFAULT;
return __sev_do_cmd_locked(SEV_CMD_SNP_CONFIG, &config, &argp->error);
}
static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
{ {
void __user *argp = (void __user *)arg; void __user *argp = (void __user *)arg;
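Review bot: sev_ioctl_do_snp_set_config() passes the userspace-supplied struct sev_user_data_snp_config to the firmware unchanged after copy_from_user(); if that structure carries reserved fields, checking them for zero here (as a kernel-side -EINVAL) would give userspace a clearer failure than a firmware status code in argp->error, and would keep the uapi contract independent of firmware behaviour. A short comment above the function stating that the command is only permitted on a writable fd would also help, as the "if (!writable) return -EPERM;" line is currently the only indication of that requirement.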
@ -2061,6 +2078,9 @@ static long sev_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
case SNP_COMMIT: case SNP_COMMIT:
ret = sev_ioctl_do_snp_commit(&input); ret = sev_ioctl_do_snp_commit(&input);
break; break;
case SNP_SET_CONFIG:
ret = sev_ioctl_do_snp_set_config(&input, writable);
break;
default: default:
ret = -EINVAL; ret = -EINVAL;
goto out; goto out;


@ -30,6 +30,7 @@ enum {
SEV_GET_ID2, SEV_GET_ID2,
SNP_PLATFORM_STATUS, SNP_PLATFORM_STATUS,
SNP_COMMIT, SNP_COMMIT,
SNP_SET_CONFIG,
SEV_MAX, SEV_MAX,
}; };
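Review bot: appending SNP_SET_CONFIG immediately before SEV_MAX keeps every existing ioctl number stable, which is the right placement for a uapi enum. Note that this hunk is the only change to the header and it adds no definition of struct sev_user_data_snp_config, even though both the documentation hunk and sev_ioctl_do_snp_set_config() depend on it; please confirm that structure is already defined in this header by an earlier patch in the series, otherwise the uapi exposed here is incomplete.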