// SPDX-License-Identifier: GPL-2.0 /* * Copyright IBM Corp. 2022, 2024 * Author(s): Steffen Eiden <seiden@linux.ibm.com> * * This file provides a Linux misc device to give userspace access to some * Ultravisor (UV) functions. The device only accepts IOCTLs and will only * be present if the Ultravisor facility (158) is present. * * When userspace sends a valid IOCTL uvdevice will copy the input data to * kernel space, do some basic validity checks to avoid kernel/system * corruption. Any other check that the Ultravisor does will not be done by * the uvdevice to keep changes minimal when adding new functionalities * to existing UV-calls. * After the checks uvdevice builds a corresponding * Ultravisor Call Control Block, and sends the request to the Ultravisor. * Then, it copies the response, including the return codes, back to userspace. * It is the responsibility of the userspace to check for any error issued * by UV and to interpret the UV response. The uvdevice acts as a communication * channel for userspace to the Ultravisor.
*/
staticvoid __init set_supp_uv_cmds(unsignedlong *supp_uv_cmds)
{ int i;
for (i = 0; i < UVIO_IOCTL_NUM_IOCTLS; i++) { if (ioctl_nr_to_uvc_bit[i] == BIT_UVIO_INTERNAL) continue; if (!test_bit_inv(ioctl_nr_to_uvc_bit[i], uv_info.inst_calls_list)) continue;
__set_bit(i, supp_uv_cmds);
}
}
/** * uvio_uvdev_info() - Get information about the uvdevice * * @uv_ioctl: ioctl control block * * Lists all IOCTLs that are supported by this uvdevice * * Return: 0 on success or a negative error code on error
*/ staticint uvio_uvdev_info(struct uvio_ioctl_cb *uv_ioctl)
{ void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
if (uv_ioctl->argument_len < sizeof(uvdev_info)) return -EINVAL; if (copy_to_user(user_buf_arg, &uvdev_info, sizeof(uvdev_info))) return -EFAULT;
if (copy_from_user(uvio_attest, user_arg_buf, sizeof(*uvio_attest))) return -EFAULT;
if (uvio_attest->arcb_len > UVIO_ATT_ARCB_MAX_LEN) return -EINVAL; if (uvio_attest->arcb_len == 0) return -EINVAL; if (uvio_attest->meas_len > UVIO_ATT_MEASUREMENT_MAX_LEN) return -EINVAL; if (uvio_attest->meas_len == 0) return -EINVAL; if (uvio_attest->add_data_len > UVIO_ATT_ADDITIONAL_MAX_LEN) return -EINVAL; if (uvio_attest->reserved136) return -EINVAL; return 0;
}
/** * uvio_attestation() - Perform a Retrieve Attestation Measurement UVC. * * @uv_ioctl: ioctl control block * * uvio_attestation() does a Retrieve Attestation Measurement Ultravisor Call. * It verifies that the given userspace addresses are valid and request sizes * are sane. Every other check is made by the Ultravisor (UV) and won't result * in a negative return value. It copies the input to kernelspace, builds the * request, sends the UV-call, and copies the result to userspace. * * The Attestation Request has two input and two outputs. * ARCB and User Data are inputs for the UV generated by userspace. * Measurement and Additional Data are outputs for userspace generated by UV. * * The Attestation Request Control Block (ARCB) is a cryptographically verified * and secured request to UV and User Data is some plaintext data which is * going to be included in the Attestation Measurement calculation. * * Measurement is a cryptographic measurement of the callers properties, * optional data configured by the ARCB and the user data. If specified by the * ARCB, UV will add some Additional Data to the measurement calculation. * This Additional Data is then returned as well. * * If the Retrieve Attestation Measurement UV facility is not present, * UV will return invalid command rc. This won't be fenced in the driver * and does not result in a negative return value. * * Context: might sleep * * Return: 0 on success or a negative error code on error
*/ staticint uvio_attestation(struct uvio_ioctl_cb *uv_ioctl)
{ struct uv_cb_attest *uvcb_attest = NULL; struct uvio_attest *uvio_attest = NULL;
u8 *measurement = NULL;
u8 *add_data = NULL;
u8 *arcb = NULL; int ret;
ret = -EINVAL; if (uv_ioctl->argument_len != sizeof(*uvio_attest)) goto out;
ret = -ENOMEM;
uvio_attest = kzalloc(sizeof(*uvio_attest), GFP_KERNEL); if (!uvio_attest) goto out;
ret = get_uvio_attest(uv_ioctl, uvio_attest); if (ret) goto out;
ret = -ENOMEM;
arcb = kvzalloc(uvio_attest->arcb_len, GFP_KERNEL);
measurement = kvzalloc(uvio_attest->meas_len, GFP_KERNEL); if (!arcb || !measurement) goto out;
if (uvio_attest->add_data_len) {
add_data = kvzalloc(uvio_attest->add_data_len, GFP_KERNEL); if (!add_data) goto out;
}
uvcb_attest = kzalloc(sizeof(*uvcb_attest), GFP_KERNEL); if (!uvcb_attest) goto out;
ret = uvio_build_uvcb_attest(uvcb_attest, arcb, measurement, add_data, uvio_attest); if (ret) goto out;
/** * uvio_add_secret() - Perform an Add Secret UVC * * @uv_ioctl: ioctl control block * * uvio_add_secret() performs the Add Secret Ultravisor Call. * * The given userspace argument address and size are verified to be * valid but every other check is made by the Ultravisor * (UV). Therefore UV errors won't result in a negative return * value. The request is then copied to kernelspace, the UV-call is * performed and the results are copied back to userspace. * * The argument has to point to an Add Secret Request Control Block * which is an encrypted and cryptographically verified request that * inserts a protected guest's secrets into the Ultravisor for later * use. * * If the Add Secret UV facility is not present, UV will return * invalid command rc. This won't be fenced in the driver and does not * result in a negative return value. * * Context: might sleep * * Return: 0 on success or a negative error code on error
*/ staticint uvio_add_secret(struct uvio_ioctl_cb *uv_ioctl)
{ void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr; struct uv_cb_guest_addr uvcb = {
.header.len = sizeof(uvcb),
.header.cmd = UVC_CMD_ADD_SECRET,
}; void *asrcb = NULL; int ret;
if (uv_ioctl->argument_len > UVIO_ADD_SECRET_MAX_LEN) return -EINVAL; if (uv_ioctl->argument_len == 0) return -EINVAL;
asrcb = kvzalloc(uv_ioctl->argument_len, GFP_KERNEL); if (!asrcb) return -ENOMEM;
ret = -EFAULT; if (copy_from_user(asrcb, user_buf_arg, uv_ioctl->argument_len)) goto out;
/* * Do the actual secret list creation. Calls the list secrets UVC until there * is no more space in the user buffer, or the list ends.
*/ staticint uvio_get_list(void *zpage, struct uvio_ioctl_cb *uv_ioctl)
{ const size_t data_off = offsetof(struct uv_secret_list, secrets);
u8 __user *user_buf = (u8 __user *)uv_ioctl->argument_addr; struct uv_secret_list *list = zpage;
u16 num_secrets_stored = 0;
size_t user_off = data_off;
size_t copy_len;
do {
uv_list_secrets(list, list->next_secret_idx, &uv_ioctl->uv_rc,
&uv_ioctl->uv_rrc); if (uv_ioctl->uv_rc != UVC_RC_EXECUTED &&
uv_ioctl->uv_rc != UVC_RC_MORE_DATA) break;
/** * uvio_list_secrets() - Perform a List Secret UVC * * @uv_ioctl: ioctl control block * * uvio_list_secrets() performs the List Secret Ultravisor Call. It verifies * that the given userspace argument address is valid and its size is sane. * Every other check is made by the Ultravisor (UV) and won't result in a * negative return value. It builds the request, performs the UV-call, and * copies the result to userspace. * * The argument specifies the location for the result of the UV-Call. * * Argument length must be a multiple of a page. * The list secrets IOCTL will call the list UVC multiple times and fill * the provided user-buffer with list elements until either the list ends or * the buffer is full. The list header is merged over all list header from the * individual UVCs. * * If the List Secrets UV facility is not present, UV will return invalid * command rc. This won't be fenced in the driver and does not result in a * negative return value. * * Context: might sleep * * Return: 0 on success or a negative error code on error
*/ staticint uvio_list_secrets(struct uvio_ioctl_cb *uv_ioctl)
{ void *zpage; int rc;
zpage = (void *)get_zeroed_page(GFP_KERNEL); if (!zpage) return -ENOMEM;
rc = uvio_get_list(zpage, uv_ioctl);
free_page((unsignedlong)zpage); return rc;
}
/** * uvio_lock_secrets() - Perform a Lock Secret Store UVC * * @ioctl: ioctl control block * * uvio_lock_secrets() performs the Lock Secret Store Ultravisor Call. It * performs the UV-call and copies the return codes to the ioctl control block. * After this call was dispatched successfully every following Add Secret UVC * and Lock Secrets UVC will fail with return code 0x102. * * The argument address and size must be 0. * * If the Lock Secrets UV facility is not present, UV will return invalid * command rc. This won't be fenced in the driver and does not result in a * negative return value. * * Context: might sleep * * Return: 0 on success or a negative error code on error
*/ staticint uvio_lock_secrets(struct uvio_ioctl_cb *ioctl)
{ struct uv_cb_nodata uvcb = {
.header.len = sizeof(uvcb),
.header.cmd = UVC_CMD_LOCK_SECRETS,
};
if (ioctl->argument_addr || ioctl->argument_len) return -EINVAL;
/** * uvio_retr_secret() - Perform a retrieve secret UVC * * @uv_ioctl: ioctl control block. * * uvio_retr_secret() performs the Retrieve Secret Ultravisor Call. * The first two bytes of the argument specify the index of the secret to be * retrieved. The retrieved secret is copied into the argument buffer if there * is enough space. * The argument length must be at least two bytes and at max 8192 bytes. * * Context: might sleep * * Return: 0 on success or a negative error code on error
*/ staticint uvio_retr_secret(struct uvio_ioctl_cb *uv_ioctl)
{
u16 __user *user_index = (u16 __user *)uv_ioctl->argument_addr; struct uv_cb_retr_secr uvcb = {
.header.len = sizeof(uvcb),
.header.cmd = UVC_CMD_RETR_SECRET,
};
u32 buf_len = uv_ioctl->argument_len; void *buf = NULL; int ret;
if (buf_len > UVIO_RETR_SECRET_MAX_LEN || buf_len < sizeof(*user_index)) return -EINVAL;
buf = kvzalloc(buf_len, GFP_KERNEL); if (!buf) return -ENOMEM;
ret = -EFAULT; if (get_user(uvcb.secret_idx, user_index)) goto err;
if (_IOC_DIR(cmd) != (_IOC_READ | _IOC_WRITE)) return -ENOIOCTLCMD; if (_IOC_TYPE(cmd) != UVIO_TYPE_UVC) return -ENOIOCTLCMD; if (nr >= UVIO_IOCTL_NUM_IOCTLS) return -ENOIOCTLCMD; if (_IOC_SIZE(cmd) != sizeof(*ioctl)) return -ENOIOCTLCMD; if (copy_from_user(ioctl, argp, sizeof(*ioctl))) return -EFAULT; if (ioctl->flags != 0) return -EINVAL; if (memchr_inv(ioctl->reserved14, 0, sizeof(ioctl->reserved14))) return -EINVAL;
return nr;
}
/* * IOCTL entry point for the Ultravisor device.
*/ staticlong uvio_ioctl(struct file *filp, unsignedint cmd, unsignedlong arg)
{ void __user *argp = (void __user *)arg; struct uvio_ioctl_cb uv_ioctl = { }; long ret; int nr;
nr = uvio_copy_and_check_ioctl(&uv_ioctl, argp, cmd); if (nr < 0) return nr;
switch (nr) { case UVIO_IOCTL_UVDEV_INFO_NR:
ret = uvio_uvdev_info(&uv_ioctl); break; case UVIO_IOCTL_ATT_NR:
ret = uvio_attestation(&uv_ioctl); break; case UVIO_IOCTL_ADD_SECRET_NR:
ret = uvio_add_secret(&uv_ioctl); break; case UVIO_IOCTL_LIST_SECRETS_NR:
ret = uvio_list_secrets(&uv_ioctl); break; case UVIO_IOCTL_LOCK_SECRETS_NR:
ret = uvio_lock_secrets(&uv_ioctl); break; case UVIO_IOCTL_RETR_SECRET_NR:
ret = uvio_retr_secret(&uv_ioctl); break; default:
ret = -ENOIOCTLCMD; break;
} if (ret) return ret;
if (copy_to_user(argp, &uv_ioctl, sizeof(uv_ioctl)))
ret = -EFAULT;
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
