1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright IBM Corp. 2022 4 * Author(s): Steffen Eiden <seiden@linux.ibm.com> 5 * 6 * This file provides a Linux misc device to give userspace access to some 7 * Ultravisor (UV) functions. The device only accepts IOCTLs and will only 8 * be present if the Ultravisor facility (158) is present. 9 * 10 * When userspace sends a valid IOCTL uvdevice will copy the input data to 11 * kernel space, do some basic validity checks to avoid kernel/system 12 * corruption. Any other check that the Ultravisor does will not be done by 13 * the uvdevice to keep changes minimal when adding new functionalities 14 * to existing UV-calls. 15 * After the checks uvdevice builds a corresponding 16 * Ultravisor Call Control Block, and sends the request to the Ultravisor. 17 * Then, it copies the response, including the return codes, back to userspace. 18 * It is the responsibility of the userspace to check for any error issued 19 * by UV and to interpret the UV response. The uvdevice acts as a communication 20 * channel for userspace to the Ultravisor. 21 */ 22 23 #include <linux/module.h> 24 #include <linux/kernel.h> 25 #include <linux/miscdevice.h> 26 #include <linux/types.h> 27 #include <linux/stddef.h> 28 #include <linux/vmalloc.h> 29 #include <linux/slab.h> 30 #include <linux/cpufeature.h> 31 32 #include <asm/uvdevice.h> 33 #include <asm/uv.h> 34 35 #define BIT_UVIO_INTERNAL U32_MAX 36 /* Mapping from IOCTL-nr to UVC-bit */ 37 static const u32 ioctl_nr_to_uvc_bit[] __initconst = { 38 [UVIO_IOCTL_UVDEV_INFO_NR] = BIT_UVIO_INTERNAL, 39 [UVIO_IOCTL_ATT_NR] = BIT_UVC_CMD_RETR_ATTEST, 40 [UVIO_IOCTL_ADD_SECRET_NR] = BIT_UVC_CMD_ADD_SECRET, 41 [UVIO_IOCTL_LIST_SECRETS_NR] = BIT_UVC_CMD_LIST_SECRETS, 42 [UVIO_IOCTL_LOCK_SECRETS_NR] = BIT_UVC_CMD_LOCK_SECRETS, 43 }; 44 45 static_assert(ARRAY_SIZE(ioctl_nr_to_uvc_bit) == UVIO_IOCTL_NUM_IOCTLS); 46 47 static struct uvio_uvdev_info uvdev_info = { 48 .supp_uvio_cmds = GENMASK_ULL(UVIO_IOCTL_NUM_IOCTLS - 1, 0), 49 }; 50 51 static void __init set_supp_uv_cmds(unsigned long *supp_uv_cmds) 52 { 53 int i; 54 55 for (i = 0; i < UVIO_IOCTL_NUM_IOCTLS; i++) { 56 if (ioctl_nr_to_uvc_bit[i] == BIT_UVIO_INTERNAL) 57 continue; 58 if (!test_bit_inv(ioctl_nr_to_uvc_bit[i], uv_info.inst_calls_list)) 59 continue; 60 __set_bit(i, supp_uv_cmds); 61 } 62 } 63 64 /** 65 * uvio_uvdev_info() - get information about the uvdevice 66 * 67 * @uv_ioctl: ioctl control block 68 * 69 * Lists all IOCTLs that are supported by this uvdevice 70 */ 71 static int uvio_uvdev_info(struct uvio_ioctl_cb *uv_ioctl) 72 { 73 void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr; 74 75 if (uv_ioctl->argument_len < sizeof(uvdev_info)) 76 return -EINVAL; 77 if (copy_to_user(user_buf_arg, &uvdev_info, sizeof(uvdev_info))) 78 return -EFAULT; 79 80 uv_ioctl->uv_rc = UVC_RC_EXECUTED; 81 return 0; 82 } 83 84 static int uvio_build_uvcb_attest(struct uv_cb_attest *uvcb_attest, u8 *arcb, 85 u8 *meas, u8 *add_data, struct uvio_attest *uvio_attest) 86 { 87 void __user *user_buf_arcb = (void __user *)uvio_attest->arcb_addr; 88 89 if (copy_from_user(arcb, user_buf_arcb, uvio_attest->arcb_len)) 90 return -EFAULT; 91 92 uvcb_attest->header.len = sizeof(*uvcb_attest); 93 uvcb_attest->header.cmd = UVC_CMD_RETR_ATTEST; 94 uvcb_attest->arcb_addr = (u64)arcb; 95 uvcb_attest->cont_token = 0; 96 uvcb_attest->user_data_len = uvio_attest->user_data_len; 97 memcpy(uvcb_attest->user_data, uvio_attest->user_data, sizeof(uvcb_attest->user_data)); 98 uvcb_attest->meas_len = uvio_attest->meas_len; 99 uvcb_attest->meas_addr = (u64)meas; 100 uvcb_attest->add_data_len = uvio_attest->add_data_len; 101 uvcb_attest->add_data_addr = (u64)add_data; 102 103 return 0; 104 } 105 106 static int uvio_copy_attest_result_to_user(struct uv_cb_attest *uvcb_attest, 107 struct uvio_ioctl_cb *uv_ioctl, 108 u8 *measurement, u8 *add_data, 109 struct uvio_attest *uvio_attest) 110 { 111 struct uvio_attest __user *user_uvio_attest = (void __user *)uv_ioctl->argument_addr; 112 void __user *user_buf_add = (void __user *)uvio_attest->add_data_addr; 113 void __user *user_buf_meas = (void __user *)uvio_attest->meas_addr; 114 void __user *user_buf_uid = &user_uvio_attest->config_uid; 115 116 if (copy_to_user(user_buf_meas, measurement, uvio_attest->meas_len)) 117 return -EFAULT; 118 if (add_data && copy_to_user(user_buf_add, add_data, uvio_attest->add_data_len)) 119 return -EFAULT; 120 if (copy_to_user(user_buf_uid, uvcb_attest->config_uid, sizeof(uvcb_attest->config_uid))) 121 return -EFAULT; 122 return 0; 123 } 124 125 static int get_uvio_attest(struct uvio_ioctl_cb *uv_ioctl, struct uvio_attest *uvio_attest) 126 { 127 u8 __user *user_arg_buf = (u8 __user *)uv_ioctl->argument_addr; 128 129 if (copy_from_user(uvio_attest, user_arg_buf, sizeof(*uvio_attest))) 130 return -EFAULT; 131 132 if (uvio_attest->arcb_len > UVIO_ATT_ARCB_MAX_LEN) 133 return -EINVAL; 134 if (uvio_attest->arcb_len == 0) 135 return -EINVAL; 136 if (uvio_attest->meas_len > UVIO_ATT_MEASUREMENT_MAX_LEN) 137 return -EINVAL; 138 if (uvio_attest->meas_len == 0) 139 return -EINVAL; 140 if (uvio_attest->add_data_len > UVIO_ATT_ADDITIONAL_MAX_LEN) 141 return -EINVAL; 142 if (uvio_attest->reserved136) 143 return -EINVAL; 144 return 0; 145 } 146 147 /** 148 * uvio_attestation() - Perform a Retrieve Attestation Measurement UVC. 149 * 150 * @uv_ioctl: ioctl control block 151 * 152 * uvio_attestation() does a Retrieve Attestation Measurement Ultravisor Call. 153 * It verifies that the given userspace addresses are valid and request sizes 154 * are sane. Every other check is made by the Ultravisor (UV) and won't result 155 * in a negative return value. It copies the input to kernelspace, builds the 156 * request, sends the UV-call, and copies the result to userspace. 157 * 158 * The Attestation Request has two input and two outputs. 159 * ARCB and User Data are inputs for the UV generated by userspace. 160 * Measurement and Additional Data are outputs for userspace generated by UV. 161 * 162 * The Attestation Request Control Block (ARCB) is a cryptographically verified 163 * and secured request to UV and User Data is some plaintext data which is 164 * going to be included in the Attestation Measurement calculation. 165 * 166 * Measurement is a cryptographic measurement of the callers properties, 167 * optional data configured by the ARCB and the user data. If specified by the 168 * ARCB, UV will add some Additional Data to the measurement calculation. 169 * This Additional Data is then returned as well. 170 * 171 * If the Retrieve Attestation Measurement UV facility is not present, 172 * UV will return invalid command rc. This won't be fenced in the driver 173 * and does not result in a negative return value. 174 * 175 * Context: might sleep 176 * 177 * Return: 0 on success or a negative error code on error. 178 */ 179 static int uvio_attestation(struct uvio_ioctl_cb *uv_ioctl) 180 { 181 struct uv_cb_attest *uvcb_attest = NULL; 182 struct uvio_attest *uvio_attest = NULL; 183 u8 *measurement = NULL; 184 u8 *add_data = NULL; 185 u8 *arcb = NULL; 186 int ret; 187 188 ret = -EINVAL; 189 if (uv_ioctl->argument_len != sizeof(*uvio_attest)) 190 goto out; 191 192 ret = -ENOMEM; 193 uvio_attest = kzalloc(sizeof(*uvio_attest), GFP_KERNEL); 194 if (!uvio_attest) 195 goto out; 196 197 ret = get_uvio_attest(uv_ioctl, uvio_attest); 198 if (ret) 199 goto out; 200 201 ret = -ENOMEM; 202 arcb = kvzalloc(uvio_attest->arcb_len, GFP_KERNEL); 203 measurement = kvzalloc(uvio_attest->meas_len, GFP_KERNEL); 204 if (!arcb || !measurement) 205 goto out; 206 207 if (uvio_attest->add_data_len) { 208 add_data = kvzalloc(uvio_attest->add_data_len, GFP_KERNEL); 209 if (!add_data) 210 goto out; 211 } 212 213 uvcb_attest = kzalloc(sizeof(*uvcb_attest), GFP_KERNEL); 214 if (!uvcb_attest) 215 goto out; 216 217 ret = uvio_build_uvcb_attest(uvcb_attest, arcb, measurement, add_data, uvio_attest); 218 if (ret) 219 goto out; 220 221 uv_call_sched(0, (u64)uvcb_attest); 222 223 uv_ioctl->uv_rc = uvcb_attest->header.rc; 224 uv_ioctl->uv_rrc = uvcb_attest->header.rrc; 225 226 ret = uvio_copy_attest_result_to_user(uvcb_attest, uv_ioctl, measurement, add_data, 227 uvio_attest); 228 out: 229 kvfree(arcb); 230 kvfree(measurement); 231 kvfree(add_data); 232 kfree(uvio_attest); 233 kfree(uvcb_attest); 234 return ret; 235 } 236 237 /** uvio_add_secret() - perform an Add Secret UVC 238 * 239 * @uv_ioctl: ioctl control block 240 * 241 * uvio_add_secret() performs the Add Secret Ultravisor Call. 242 * 243 * The given userspace argument address and size are verified to be 244 * valid but every other check is made by the Ultravisor 245 * (UV). Therefore UV errors won't result in a negative return 246 * value. The request is then copied to kernelspace, the UV-call is 247 * performed and the results are copied back to userspace. 248 * 249 * The argument has to point to an Add Secret Request Control Block 250 * which is an encrypted and cryptographically verified request that 251 * inserts a protected guest's secrets into the Ultravisor for later 252 * use. 253 * 254 * If the Add Secret UV facility is not present, UV will return 255 * invalid command rc. This won't be fenced in the driver and does not 256 * result in a negative return value. 257 * 258 * Context: might sleep 259 * 260 * Return: 0 on success or a negative error code on error. 261 */ 262 static int uvio_add_secret(struct uvio_ioctl_cb *uv_ioctl) 263 { 264 void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr; 265 struct uv_cb_guest_addr uvcb = { 266 .header.len = sizeof(uvcb), 267 .header.cmd = UVC_CMD_ADD_SECRET, 268 }; 269 void *asrcb = NULL; 270 int ret; 271 272 if (uv_ioctl->argument_len > UVIO_ADD_SECRET_MAX_LEN) 273 return -EINVAL; 274 if (uv_ioctl->argument_len == 0) 275 return -EINVAL; 276 277 asrcb = kvzalloc(uv_ioctl->argument_len, GFP_KERNEL); 278 if (!asrcb) 279 return -ENOMEM; 280 281 ret = -EFAULT; 282 if (copy_from_user(asrcb, user_buf_arg, uv_ioctl->argument_len)) 283 goto out; 284 285 ret = 0; 286 uvcb.addr = (u64)asrcb; 287 uv_call_sched(0, (u64)&uvcb); 288 uv_ioctl->uv_rc = uvcb.header.rc; 289 uv_ioctl->uv_rrc = uvcb.header.rrc; 290 291 out: 292 kvfree(asrcb); 293 return ret; 294 } 295 296 /** uvio_list_secrets() - perform a List Secret UVC 297 * @uv_ioctl: ioctl control block 298 * 299 * uvio_list_secrets() performs the List Secret Ultravisor Call. It verifies 300 * that the given userspace argument address is valid and its size is sane. 301 * Every other check is made by the Ultravisor (UV) and won't result in a 302 * negative return value. It builds the request, performs the UV-call, and 303 * copies the result to userspace. 304 * 305 * The argument specifies the location for the result of the UV-Call. 306 * 307 * If the List Secrets UV facility is not present, UV will return invalid 308 * command rc. This won't be fenced in the driver and does not result in a 309 * negative return value. 310 * 311 * Context: might sleep 312 * 313 * Return: 0 on success or a negative error code on error. 314 */ 315 static int uvio_list_secrets(struct uvio_ioctl_cb *uv_ioctl) 316 { 317 void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr; 318 struct uv_cb_guest_addr uvcb = { 319 .header.len = sizeof(uvcb), 320 .header.cmd = UVC_CMD_LIST_SECRETS, 321 }; 322 void *secrets = NULL; 323 int ret = 0; 324 325 if (uv_ioctl->argument_len != UVIO_LIST_SECRETS_LEN) 326 return -EINVAL; 327 328 secrets = kvzalloc(UVIO_LIST_SECRETS_LEN, GFP_KERNEL); 329 if (!secrets) 330 return -ENOMEM; 331 332 uvcb.addr = (u64)secrets; 333 uv_call_sched(0, (u64)&uvcb); 334 uv_ioctl->uv_rc = uvcb.header.rc; 335 uv_ioctl->uv_rrc = uvcb.header.rrc; 336 337 if (copy_to_user(user_buf_arg, secrets, UVIO_LIST_SECRETS_LEN)) 338 ret = -EFAULT; 339 340 kvfree(secrets); 341 return ret; 342 } 343 344 /** uvio_lock_secrets() - perform a Lock Secret Store UVC 345 * @uv_ioctl: ioctl control block 346 * 347 * uvio_lock_secrets() performs the Lock Secret Store Ultravisor Call. It 348 * performs the UV-call and copies the return codes to the ioctl control block. 349 * After this call was dispatched successfully every following Add Secret UVC 350 * and Lock Secrets UVC will fail with return code 0x102. 351 * 352 * The argument address and size must be 0. 353 * 354 * If the Lock Secrets UV facility is not present, UV will return invalid 355 * command rc. This won't be fenced in the driver and does not result in a 356 * negative return value. 357 * 358 * Context: might sleep 359 * 360 * Return: 0 on success or a negative error code on error. 361 */ 362 static int uvio_lock_secrets(struct uvio_ioctl_cb *ioctl) 363 { 364 struct uv_cb_nodata uvcb = { 365 .header.len = sizeof(uvcb), 366 .header.cmd = UVC_CMD_LOCK_SECRETS, 367 }; 368 369 if (ioctl->argument_addr || ioctl->argument_len) 370 return -EINVAL; 371 372 uv_call(0, (u64)&uvcb); 373 ioctl->uv_rc = uvcb.header.rc; 374 ioctl->uv_rrc = uvcb.header.rrc; 375 376 return 0; 377 } 378 379 static int uvio_copy_and_check_ioctl(struct uvio_ioctl_cb *ioctl, void __user *argp, 380 unsigned long cmd) 381 { 382 u8 nr = _IOC_NR(cmd); 383 384 if (_IOC_DIR(cmd) != (_IOC_READ | _IOC_WRITE)) 385 return -ENOIOCTLCMD; 386 if (_IOC_TYPE(cmd) != UVIO_TYPE_UVC) 387 return -ENOIOCTLCMD; 388 if (nr >= UVIO_IOCTL_NUM_IOCTLS) 389 return -ENOIOCTLCMD; 390 if (_IOC_SIZE(cmd) != sizeof(*ioctl)) 391 return -ENOIOCTLCMD; 392 if (copy_from_user(ioctl, argp, sizeof(*ioctl))) 393 return -EFAULT; 394 if (ioctl->flags != 0) 395 return -EINVAL; 396 if (memchr_inv(ioctl->reserved14, 0, sizeof(ioctl->reserved14))) 397 return -EINVAL; 398 399 return nr; 400 } 401 402 /* 403 * IOCTL entry point for the Ultravisor device. 404 */ 405 static long uvio_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) 406 { 407 void __user *argp = (void __user *)arg; 408 struct uvio_ioctl_cb uv_ioctl = { }; 409 long ret; 410 int nr; 411 412 nr = uvio_copy_and_check_ioctl(&uv_ioctl, argp, cmd); 413 if (nr < 0) 414 return nr; 415 416 switch (nr) { 417 case UVIO_IOCTL_UVDEV_INFO_NR: 418 ret = uvio_uvdev_info(&uv_ioctl); 419 break; 420 case UVIO_IOCTL_ATT_NR: 421 ret = uvio_attestation(&uv_ioctl); 422 break; 423 case UVIO_IOCTL_ADD_SECRET_NR: 424 ret = uvio_add_secret(&uv_ioctl); 425 break; 426 case UVIO_IOCTL_LIST_SECRETS_NR: 427 ret = uvio_list_secrets(&uv_ioctl); 428 break; 429 case UVIO_IOCTL_LOCK_SECRETS_NR: 430 ret = uvio_lock_secrets(&uv_ioctl); 431 break; 432 default: 433 ret = -ENOIOCTLCMD; 434 break; 435 } 436 if (ret) 437 return ret; 438 439 if (copy_to_user(argp, &uv_ioctl, sizeof(uv_ioctl))) 440 ret = -EFAULT; 441 442 return ret; 443 } 444 445 static const struct file_operations uvio_dev_fops = { 446 .owner = THIS_MODULE, 447 .unlocked_ioctl = uvio_ioctl, 448 .llseek = no_llseek, 449 }; 450 451 static struct miscdevice uvio_dev_miscdev = { 452 .minor = MISC_DYNAMIC_MINOR, 453 .name = UVIO_DEVICE_NAME, 454 .fops = &uvio_dev_fops, 455 }; 456 457 static void __exit uvio_dev_exit(void) 458 { 459 misc_deregister(&uvio_dev_miscdev); 460 } 461 462 static int __init uvio_dev_init(void) 463 { 464 set_supp_uv_cmds((unsigned long *)&uvdev_info.supp_uv_cmds); 465 return misc_register(&uvio_dev_miscdev); 466 } 467 468 module_cpu_feature_match(S390_CPU_FEATURE_UV, uvio_dev_init); 469 module_exit(uvio_dev_exit); 470 471 MODULE_AUTHOR("IBM Corporation"); 472 MODULE_LICENSE("GPL"); 473 MODULE_DESCRIPTION("Ultravisor UAPI driver"); 474