// SPDX-License-Identifier: GPL-2.0
/*
 * Common Ultravisor functions and initialization
 *
 * Copyright IBM Corp. 2019, 2020
 */
#define KMSG_COMPONENT "prot_virt"
#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt

#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/sizes.h>
#include <linux/bitmap.h>
#include <linux/memblock.h>
#include <linux/pagemap.h>
#include <linux/swap.h>
#include <asm/facility.h>
#include <asm/sections.h>
#include <asm/uv.h>

/*
 * The bootdata_preserved fields below come from their counterparts in
 * arch/s390/boot/uv.c.
 */
#ifdef CONFIG_PROTECTED_VIRTUALIZATION_GUEST
int __bootdata_preserved(prot_virt_guest);
#endif

struct uv_info __bootdata_preserved(uv_info);

#if IS_ENABLED(CONFIG_KVM)
int __bootdata_preserved(prot_virt_host);
EXPORT_SYMBOL(prot_virt_host);
EXPORT_SYMBOL(uv_info);

static int __init uv_init(unsigned long stor_base, unsigned long stor_len)
{
	struct uv_cb_init uvcb = {
		.header.cmd = UVC_CMD_INIT_UV,
		.header.len = sizeof(uvcb),
		.stor_origin = stor_base,
		.stor_len = stor_len,
	};

	if (uv_call(0, (uint64_t)&uvcb)) {
		pr_err("Ultravisor init failed with rc: 0x%x rrc: 0x%x\n",
		       uvcb.header.rc, uvcb.header.rrc);
		return -1;
	}
	return 0;
}

void __init setup_uv(void)
{
	unsigned long uv_stor_base;

	/*
	 * Keep these conditions in line with has_uv_sec_stor_limit()
	 */
	if (!is_prot_virt_host())
		return;

	if (is_prot_virt_guest()) {
		prot_virt_host = 0;
		pr_warn("Protected virtualization not available in protected guests.");
		return;
	}

	if (!test_facility(158)) {
		prot_virt_host = 0;
		pr_warn("Protected virtualization not supported by the hardware.");
		return;
	}

	uv_stor_base = (unsigned long)memblock_alloc_try_nid(
		uv_info.uv_base_stor_len, SZ_1M, SZ_2G,
		MEMBLOCK_ALLOC_ACCESSIBLE, NUMA_NO_NODE);
	if (!uv_stor_base) {
		pr_warn("Failed to reserve %lu bytes for ultravisor base storage\n",
			uv_info.uv_base_stor_len);
		goto fail;
	}

	if (uv_init(uv_stor_base, uv_info.uv_base_stor_len)) {
		memblock_free(uv_stor_base, uv_info.uv_base_stor_len);
		goto fail;
	}

	pr_info("Reserving %luMB as ultravisor base storage\n",
		uv_info.uv_base_stor_len >> 20);
	return;
fail:
	pr_info("Disabling support for protected virtualization");
	prot_virt_host = 0;
}

/*
 * Requests the Ultravisor to pin the page in the shared state. This will
 * cause an intercept when the guest attempts to unshare the pinned page.
 */
static int uv_pin_shared(unsigned long paddr)
{
	struct uv_cb_cfs uvcb = {
		.header.cmd = UVC_CMD_PIN_PAGE_SHARED,
		.header.len = sizeof(uvcb),
		.paddr = paddr,
	};

	if (uv_call(0, (u64)&uvcb))
		return -EINVAL;
	return 0;
}

/*
 * Requests the Ultravisor to destroy a guest page and make it
 * accessible to the host. The destroy clears the page instead of
 * exporting it.
 *
 * @paddr: Absolute host address of the page to be destroyed
 */
int uv_destroy_page(unsigned long paddr)
{
	struct uv_cb_cfs uvcb = {
		.header.cmd = UVC_CMD_DESTR_SEC_STOR,
		.header.len = sizeof(uvcb),
		.paddr = paddr
	};

	if (uv_call(0, (u64)&uvcb)) {
		/*
		 * Older firmware uses 107/d as an indication of a non-secure
		 * page. Let us emulate the newer variant (no-op).
		 */
		if (uvcb.header.rc == 0x107 && uvcb.header.rrc == 0xd)
			return 0;
		return -EINVAL;
	}
	return 0;
}

/*
 * Requests the Ultravisor to encrypt a guest page and make it
 * accessible to the host for paging (export).
 *
 * @paddr: Absolute host address of the page to be exported
 */
int uv_convert_from_secure(unsigned long paddr)
{
	struct uv_cb_cfs uvcb = {
		.header.cmd = UVC_CMD_CONV_FROM_SEC_STOR,
		.header.len = sizeof(uvcb),
		.paddr = paddr
	};

	if (uv_call(0, (u64)&uvcb))
		return -EINVAL;
	return 0;
}

/*
 * Calculate the expected ref_count for a page that would otherwise have no
 * further pins. This was cribbed from similar functions in other places in
 * the kernel, but with some slight modifications. We know that a secure
 * page cannot be a huge page, for example.
 */
static int expected_page_refs(struct page *page)
{
	int res;

	res = page_mapcount(page);
	if (PageSwapCache(page)) {
		res++;
	} else if (page_mapping(page)) {
		res++;
		if (page_has_private(page))
			res++;
	}
	return res;
}

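/*
 * Issue the Ultravisor call described by @uvcb for the page that @ptep
 * is expected to map. The page reference count is frozen around the
 * call so that no new references can appear while the Ultravisor
 * changes the page state, and PG_arch_1 is set to mark the page as
 * potentially secure. Returns -ENXIO if the PTE no longer maps
 * @exp_page or the Ultravisor reports the page as not mapped, -EAGAIN
 * while the page is under writeback, -EBUSY if the reference count
 * could not be frozen, and -EINVAL for any other Ultravisor failure.
 */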
static int make_secure_pte(pte_t *ptep, unsigned long addr,
			   struct page *exp_page, struct uv_cb_header *uvcb)
{
	pte_t entry = READ_ONCE(*ptep);
	struct page *page;
	int expected, rc = 0;

	if (!pte_present(entry))
		return -ENXIO;
	if (pte_val(entry) & _PAGE_INVALID)
		return -ENXIO;

	page = pte_page(entry);
	if (page != exp_page)
		return -ENXIO;
	if (PageWriteback(page))
		return -EAGAIN;
	expected = expected_page_refs(page);
	if (!page_ref_freeze(page, expected))
		return -EBUSY;
	set_bit(PG_arch_1, &page->flags);
	rc = uv_call(0, (u64)uvcb);
	page_ref_unfreeze(page, expected);
	/* Return -ENXIO if the page was not mapped, -EINVAL otherwise */
	if (rc)
		rc = uvcb->rc == 0x10a ? -ENXIO : -EINVAL;
	return rc;
}

/*
 * Requests the Ultravisor to make a page accessible to a guest.
 * If it is brought in for the first time, it will be cleared. If
 * it has been exported before, it will be decrypted and integrity
 * checked.
 */
int gmap_make_secure(struct gmap *gmap, unsigned long gaddr, void *uvcb)
{
	struct vm_area_struct *vma;
	bool local_drain = false;
	spinlock_t *ptelock;
	unsigned long uaddr;
	struct page *page;
	pte_t *ptep;
	int rc;

again:
	rc = -EFAULT;
	mmap_read_lock(gmap->mm);

	uaddr = __gmap_translate(gmap, gaddr);
	if (IS_ERR_VALUE(uaddr))
		goto out;
	vma = find_vma(gmap->mm, uaddr);
	if (!vma)
		goto out;
	/*
	 * Secure pages cannot be huge and userspace should not combine both.
	 * In case userspace does it anyway this will result in an -EFAULT for
	 * the unpack. The guest will thus never reach secure mode. If
	 * userspace plays dirty tricks by mapping huge pages later on, this
	 * will result in a segmentation fault.
	 */
	if (is_vm_hugetlb_page(vma))
		goto out;

	rc = -ENXIO;
	page = follow_page(vma, uaddr, FOLL_WRITE);
	if (IS_ERR_OR_NULL(page))
		goto out;

	lock_page(page);
	ptep = get_locked_pte(gmap->mm, uaddr, &ptelock);
	rc = make_secure_pte(ptep, uaddr, page, uvcb);
	pte_unmap_unlock(ptep, ptelock);
	unlock_page(page);
out:
	mmap_read_unlock(gmap->mm);

	if (rc == -EAGAIN) {
		wait_on_page_writeback(page);
	} else if (rc == -EBUSY) {
		/*
		 * If we have already tried a local drain and the page refcount
		 * still does not match our expected safe value, try with a
		 * system-wide drain. This is needed if the pagevecs holding
		 * the page are on a different CPU.
		 */
		if (local_drain) {
			lru_add_drain_all();
			/* We give up here, and let the caller try again */
			return -EAGAIN;
		}
		/*
		 * We are here if the page refcount does not match the
		 * expected safe value. The main culprits are usually
		 * pagevecs. With lru_add_drain() we drain the pagevecs
		 * on the local CPU so that hopefully the refcount will
		 * reach the expected safe value.
		 */
		lru_add_drain();
		local_drain = true;
		/* And now we try again immediately after draining */
		goto again;
	} else if (rc == -ENXIO) {
		if (gmap_fault(gmap, gaddr, FAULT_FLAG_WRITE))
			return -EFAULT;
		return -EAGAIN;
	}
	return rc;
}
EXPORT_SYMBOL_GPL(gmap_make_secure);

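/*
 * Convenience wrapper around gmap_make_secure() that builds the
 * convert-to-secure request (UVC_CMD_CONV_TO_SEC_STOR) for a single
 * guest page of the configuration identified by gmap->guest_handle.
 */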
int gmap_convert_to_secure(struct gmap *gmap, unsigned long gaddr)
{
	struct uv_cb_cts uvcb = {
		.header.cmd = UVC_CMD_CONV_TO_SEC_STOR,
		.header.len = sizeof(uvcb),
		.guest_handle = gmap->guest_handle,
		.gaddr = gaddr,
	};

	return gmap_make_secure(gmap, gaddr, &uvcb);
}
EXPORT_SYMBOL_GPL(gmap_convert_to_secure);

/*
 * To be called with the page locked or with an extra reference! This will
 * prevent gmap_make_secure from touching the page concurrently. Having two
 * parallel make_page_accessible calls is fine, as the UV calls will become a
 * no-op if the page is already exported.
 */
int arch_make_page_accessible(struct page *page)
{
	int rc = 0;

	/* Hugepages cannot be protected, so there is nothing to do */
	if (PageHuge(page))
		return 0;

	/*
	 * PG_arch_1 is used in 3 places:
	 * 1. for kernel page tables during early boot
	 * 2. for storage keys of huge pages and KVM
	 * 3. as an indication that this page might be secure. This can
	 *    overindicate, e.g. we set the bit before calling
	 *    convert_to_secure.
	 * As secure pages are never huge, all 3 variants can co-exist.
	 */
	if (!test_bit(PG_arch_1, &page->flags))
		return 0;

	rc = uv_pin_shared(page_to_phys(page));
	if (!rc) {
		clear_bit(PG_arch_1, &page->flags);
		return 0;
	}

	rc = uv_convert_from_secure(page_to_phys(page));
	if (!rc) {
		clear_bit(PG_arch_1, &page->flags);
		return 0;
	}

	return rc;
}
EXPORT_SYMBOL_GPL(arch_make_page_accessible);

#endif

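/*
 * The attributes defined below are exposed to userspace via sysfs:
 *
 *   /sys/firmware/uv/prot_virt_guest
 *   /sys/firmware/uv/prot_virt_host
 *   /sys/firmware/uv/query/facilities
 *   /sys/firmware/uv/query/max_cpus
 *   /sys/firmware/uv/query/max_guests
 *   /sys/firmware/uv/query/max_address
 */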
#if defined(CONFIG_PROTECTED_VIRTUALIZATION_GUEST) || IS_ENABLED(CONFIG_KVM)
static ssize_t uv_query_facilities(struct kobject *kobj,
				   struct kobj_attribute *attr, char *page)
{
	return scnprintf(page, PAGE_SIZE, "%lx\n%lx\n%lx\n%lx\n",
			 uv_info.inst_calls_list[0],
			 uv_info.inst_calls_list[1],
			 uv_info.inst_calls_list[2],
			 uv_info.inst_calls_list[3]);
}

static struct kobj_attribute uv_query_facilities_attr =
	__ATTR(facilities, 0444, uv_query_facilities, NULL);

static ssize_t uv_query_max_guest_cpus(struct kobject *kobj,
				       struct kobj_attribute *attr, char *page)
{
	return scnprintf(page, PAGE_SIZE, "%d\n",
			 uv_info.max_guest_cpu_id + 1);
}

static struct kobj_attribute uv_query_max_guest_cpus_attr =
	__ATTR(max_cpus, 0444, uv_query_max_guest_cpus, NULL);

static ssize_t uv_query_max_guest_vms(struct kobject *kobj,
				      struct kobj_attribute *attr, char *page)
{
	return scnprintf(page, PAGE_SIZE, "%d\n",
			 uv_info.max_num_sec_conf);
}

static struct kobj_attribute uv_query_max_guest_vms_attr =
	__ATTR(max_guests, 0444, uv_query_max_guest_vms, NULL);

static ssize_t uv_query_max_guest_addr(struct kobject *kobj,
				       struct kobj_attribute *attr, char *page)
{
	return scnprintf(page, PAGE_SIZE, "%lx\n",
			 uv_info.max_sec_stor_addr);
}

static struct kobj_attribute uv_query_max_guest_addr_attr =
	__ATTR(max_address, 0444, uv_query_max_guest_addr, NULL);

static struct attribute *uv_query_attrs[] = {
	&uv_query_facilities_attr.attr,
	&uv_query_max_guest_cpus_attr.attr,
	&uv_query_max_guest_vms_attr.attr,
	&uv_query_max_guest_addr_attr.attr,
	NULL,
};

static struct attribute_group uv_query_attr_group = {
	.attrs = uv_query_attrs,
};

static ssize_t uv_is_prot_virt_guest(struct kobject *kobj,
				     struct kobj_attribute *attr, char *page)
{
	int val = 0;

#ifdef CONFIG_PROTECTED_VIRTUALIZATION_GUEST
	val = prot_virt_guest;
#endif
	return scnprintf(page, PAGE_SIZE, "%d\n", val);
}

static ssize_t uv_is_prot_virt_host(struct kobject *kobj,
				    struct kobj_attribute *attr, char *page)
{
	int val = 0;

#if IS_ENABLED(CONFIG_KVM)
	val = prot_virt_host;
#endif

	return scnprintf(page, PAGE_SIZE, "%d\n", val);
}

static struct kobj_attribute uv_prot_virt_guest =
	__ATTR(prot_virt_guest, 0444, uv_is_prot_virt_guest, NULL);

static struct kobj_attribute uv_prot_virt_host =
	__ATTR(prot_virt_host, 0444, uv_is_prot_virt_host, NULL);

static const struct attribute *uv_prot_virt_attrs[] = {
	&uv_prot_virt_guest.attr,
	&uv_prot_virt_host.attr,
	NULL,
};

static struct kset *uv_query_kset;
static struct kobject *uv_kobj;

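/*
 * Create the "uv" kobject under /sys/firmware and populate it with the
 * prot_virt_* attributes and the "query" attribute group defined above.
 * Nothing is registered when the ultravisor-call facility (158) is not
 * installed.
 */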
static int __init uv_info_init(void)
{
	int rc = -ENOMEM;

	if (!test_facility(158))
		return 0;

	uv_kobj = kobject_create_and_add("uv", firmware_kobj);
	if (!uv_kobj)
		return -ENOMEM;

	rc = sysfs_create_files(uv_kobj, uv_prot_virt_attrs);
	if (rc)
		goto out_kobj;

	uv_query_kset = kset_create_and_add("query", NULL, uv_kobj);
	if (!uv_query_kset) {
		rc = -ENOMEM;
		goto out_ind_files;
	}

	rc = sysfs_create_group(&uv_query_kset->kobj, &uv_query_attr_group);
	if (!rc)
		return 0;

	kset_unregister(uv_query_kset);
out_ind_files:
	sysfs_remove_files(uv_kobj, uv_prot_virt_attrs);
out_kobj:
	kobject_del(uv_kobj);
	kobject_put(uv_kobj);
	return rc;
}
device_initcall(uv_info_init);
#endif