1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Confidential Computing Platform Capability checks 4 * 5 * Copyright (C) 2021 Advanced Micro Devices, Inc. 6 * Copyright (C) 2024 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 7 * 8 * Author: Tom Lendacky <thomas.lendacky@amd.com> 9 */ 10 11 #include <linux/export.h> 12 #include <linux/cc_platform.h> 13 #include <linux/string.h> 14 #include <linux/random.h> 15 16 #include <asm/archrandom.h> 17 #include <asm/coco.h> 18 #include <asm/processor.h> 19 20 enum cc_vendor cc_vendor __ro_after_init = CC_VENDOR_NONE; 21 u64 cc_mask __ro_after_init; 22 23 static bool noinstr intel_cc_platform_has(enum cc_attr attr) 24 { 25 switch (attr) { 26 case CC_ATTR_GUEST_UNROLL_STRING_IO: 27 case CC_ATTR_HOTPLUG_DISABLED: 28 case CC_ATTR_GUEST_MEM_ENCRYPT: 29 case CC_ATTR_MEM_ENCRYPT: 30 return true; 31 default: 32 return false; 33 } 34 } 35 36 /* 37 * Handle the SEV-SNP vTOM case where sme_me_mask is zero, and 38 * the other levels of SME/SEV functionality, including C-bit 39 * based SEV-SNP, are not enabled. 40 */ 41 static __maybe_unused __always_inline bool amd_cc_platform_vtom(enum cc_attr attr) 42 { 43 switch (attr) { 44 case CC_ATTR_GUEST_MEM_ENCRYPT: 45 case CC_ATTR_MEM_ENCRYPT: 46 return true; 47 default: 48 return false; 49 } 50 } 51 52 /* 53 * SME and SEV are very similar but they are not the same, so there are 54 * times that the kernel will need to distinguish between SME and SEV. The 55 * cc_platform_has() function is used for this. When a distinction isn't 56 * needed, the CC_ATTR_MEM_ENCRYPT attribute can be used. 57 * 58 * The trampoline code is a good example for this requirement. Before 59 * paging is activated, SME will access all memory as decrypted, but SEV 60 * will access all memory as encrypted. So, when APs are being brought 61 * up under SME the trampoline area cannot be encrypted, whereas under SEV 62 * the trampoline area must be encrypted. 63 */ 64 65 static bool noinstr amd_cc_platform_has(enum cc_attr attr) 66 { 67 #ifdef CONFIG_AMD_MEM_ENCRYPT 68 69 if (sev_status & MSR_AMD64_SNP_VTOM) 70 return amd_cc_platform_vtom(attr); 71 72 switch (attr) { 73 case CC_ATTR_MEM_ENCRYPT: 74 return sme_me_mask; 75 76 case CC_ATTR_HOST_MEM_ENCRYPT: 77 return sme_me_mask && !(sev_status & MSR_AMD64_SEV_ENABLED); 78 79 case CC_ATTR_GUEST_MEM_ENCRYPT: 80 return sev_status & MSR_AMD64_SEV_ENABLED; 81 82 case CC_ATTR_GUEST_STATE_ENCRYPT: 83 return sev_status & MSR_AMD64_SEV_ES_ENABLED; 84 85 /* 86 * With SEV, the rep string I/O instructions need to be unrolled 87 * but SEV-ES supports them through the #VC handler. 88 */ 89 case CC_ATTR_GUEST_UNROLL_STRING_IO: 90 return (sev_status & MSR_AMD64_SEV_ENABLED) && 91 !(sev_status & MSR_AMD64_SEV_ES_ENABLED); 92 93 case CC_ATTR_GUEST_SEV_SNP: 94 return sev_status & MSR_AMD64_SEV_SNP_ENABLED; 95 96 default: 97 return false; 98 } 99 #else 100 return false; 101 #endif 102 } 103 104 bool noinstr cc_platform_has(enum cc_attr attr) 105 { 106 switch (cc_vendor) { 107 case CC_VENDOR_AMD: 108 return amd_cc_platform_has(attr); 109 case CC_VENDOR_INTEL: 110 return intel_cc_platform_has(attr); 111 default: 112 return false; 113 } 114 } 115 EXPORT_SYMBOL_GPL(cc_platform_has); 116 117 u64 cc_mkenc(u64 val) 118 { 119 /* 120 * Both AMD and Intel use a bit in the page table to indicate 121 * encryption status of the page. 122 * 123 * - for AMD, bit *set* means the page is encrypted 124 * - for AMD with vTOM and for Intel, *clear* means encrypted 125 */ 126 switch (cc_vendor) { 127 case CC_VENDOR_AMD: 128 if (sev_status & MSR_AMD64_SNP_VTOM) 129 return val & ~cc_mask; 130 else 131 return val | cc_mask; 132 case CC_VENDOR_INTEL: 133 return val & ~cc_mask; 134 default: 135 return val; 136 } 137 } 138 139 u64 cc_mkdec(u64 val) 140 { 141 /* See comment in cc_mkenc() */ 142 switch (cc_vendor) { 143 case CC_VENDOR_AMD: 144 if (sev_status & MSR_AMD64_SNP_VTOM) 145 return val | cc_mask; 146 else 147 return val & ~cc_mask; 148 case CC_VENDOR_INTEL: 149 return val | cc_mask; 150 default: 151 return val; 152 } 153 } 154 EXPORT_SYMBOL_GPL(cc_mkdec); 155 156 __init void cc_random_init(void) 157 { 158 /* 159 * The seed is 32 bytes (in units of longs), which is 256 bits, which 160 * is the security level that the RNG is targeting. 161 */ 162 unsigned long rng_seed[32 / sizeof(long)]; 163 size_t i, longs; 164 165 if (!cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT)) 166 return; 167 168 /* 169 * Since the CoCo threat model includes the host, the only reliable 170 * source of entropy that can be neither observed nor manipulated is 171 * RDRAND. Usually, RDRAND failure is considered tolerable, but since 172 * CoCo guests have no other unobservable source of entropy, it's 173 * important to at least ensure the RNG gets some initial random seeds. 174 */ 175 for (i = 0; i < ARRAY_SIZE(rng_seed); i += longs) { 176 longs = arch_get_random_longs(&rng_seed[i], ARRAY_SIZE(rng_seed) - i); 177 178 /* 179 * A zero return value means that the guest doesn't have RDRAND 180 * or the CPU is physically broken, and in both cases that 181 * means most crypto inside of the CoCo instance will be 182 * broken, defeating the purpose of CoCo in the first place. So 183 * just panic here because it's absolutely unsafe to continue 184 * executing. 185 */ 186 if (longs == 0) 187 panic("RDRAND is defective."); 188 } 189 add_device_randomness(rng_seed, sizeof(rng_seed)); 190 memzero_explicit(rng_seed, sizeof(rng_seed)); 191 } 192