1*cbabf03cSDov Murik // SPDX-License-Identifier: GPL-2.0
2*cbabf03cSDov Murik /*
3*cbabf03cSDov Murik * efi_secret module
4*cbabf03cSDov Murik *
5*cbabf03cSDov Murik * Copyright (C) 2022 IBM Corporation
6*cbabf03cSDov Murik * Author: Dov Murik <dovmurik@linux.ibm.com>
7*cbabf03cSDov Murik */
8*cbabf03cSDov Murik
9*cbabf03cSDov Murik /**
10*cbabf03cSDov Murik * DOC: efi_secret: Allow reading EFI confidential computing (coco) secret area
11*cbabf03cSDov Murik * via securityfs interface.
12*cbabf03cSDov Murik *
13*cbabf03cSDov Murik * When the module is loaded (and securityfs is mounted, typically under
14*cbabf03cSDov Murik * /sys/kernel/security), a "secrets/coco" directory is created in securityfs.
15*cbabf03cSDov Murik * In it, a file is created for each secret entry. The name of each such file
16*cbabf03cSDov Murik * is the GUID of the secret entry, and its content is the secret data.
17*cbabf03cSDov Murik */
18*cbabf03cSDov Murik
19*cbabf03cSDov Murik #include <linux/platform_device.h>
20*cbabf03cSDov Murik #include <linux/seq_file.h>
21*cbabf03cSDov Murik #include <linux/fs.h>
22*cbabf03cSDov Murik #include <linux/kernel.h>
23*cbabf03cSDov Murik #include <linux/init.h>
24*cbabf03cSDov Murik #include <linux/module.h>
25*cbabf03cSDov Murik #include <linux/io.h>
26*cbabf03cSDov Murik #include <linux/security.h>
27*cbabf03cSDov Murik #include <linux/efi.h>
28*cbabf03cSDov Murik #include <linux/cacheflush.h>
29*cbabf03cSDov Murik
30*cbabf03cSDov Murik #define EFI_SECRET_NUM_FILES 64
31*cbabf03cSDov Murik
32*cbabf03cSDov Murik struct efi_secret {
33*cbabf03cSDov Murik struct dentry *secrets_dir;
34*cbabf03cSDov Murik struct dentry *fs_dir;
35*cbabf03cSDov Murik struct dentry *fs_files[EFI_SECRET_NUM_FILES];
36*cbabf03cSDov Murik void __iomem *secret_data;
37*cbabf03cSDov Murik u64 secret_data_len;
38*cbabf03cSDov Murik };
39*cbabf03cSDov Murik
40*cbabf03cSDov Murik /*
41*cbabf03cSDov Murik * Structure of the EFI secret area
42*cbabf03cSDov Murik *
43*cbabf03cSDov Murik * Offset Length
44*cbabf03cSDov Murik * (bytes) (bytes) Usage
45*cbabf03cSDov Murik * ------- ------- -----
46*cbabf03cSDov Murik * 0 16 Secret table header GUID (must be 1e74f542-71dd-4d66-963e-ef4287ff173b)
47*cbabf03cSDov Murik * 16 4 Length of bytes of the entire secret area
48*cbabf03cSDov Murik *
49*cbabf03cSDov Murik * 20 16 First secret entry's GUID
50*cbabf03cSDov Murik * 36 4 First secret entry's length in bytes (= 16 + 4 + x)
51*cbabf03cSDov Murik * 40 x First secret entry's data
52*cbabf03cSDov Murik *
53*cbabf03cSDov Murik * 40+x 16 Second secret entry's GUID
54*cbabf03cSDov Murik * 56+x 4 Second secret entry's length in bytes (= 16 + 4 + y)
55*cbabf03cSDov Murik * 60+x y Second secret entry's data
56*cbabf03cSDov Murik *
57*cbabf03cSDov Murik * (... and so on for additional entries)
58*cbabf03cSDov Murik *
59*cbabf03cSDov Murik * The GUID of each secret entry designates the usage of the secret data.
60*cbabf03cSDov Murik */
61*cbabf03cSDov Murik
62*cbabf03cSDov Murik /**
63*cbabf03cSDov Murik * struct secret_header - Header of entire secret area; this should be followed
64*cbabf03cSDov Murik * by instances of struct secret_entry.
65*cbabf03cSDov Murik * @guid: Must be EFI_SECRET_TABLE_HEADER_GUID
66*cbabf03cSDov Murik * @len: Length in bytes of entire secret area, including header
67*cbabf03cSDov Murik */
68*cbabf03cSDov Murik struct secret_header {
69*cbabf03cSDov Murik efi_guid_t guid;
70*cbabf03cSDov Murik u32 len;
71*cbabf03cSDov Murik } __attribute((packed));
72*cbabf03cSDov Murik
73*cbabf03cSDov Murik /**
74*cbabf03cSDov Murik * struct secret_entry - Holds one secret entry
75*cbabf03cSDov Murik * @guid: Secret-specific GUID (or NULL_GUID if this secret entry was deleted)
76*cbabf03cSDov Murik * @len: Length of secret entry, including its guid and len fields
77*cbabf03cSDov Murik * @data: The secret data (full of zeros if this secret entry was deleted)
78*cbabf03cSDov Murik */
79*cbabf03cSDov Murik struct secret_entry {
80*cbabf03cSDov Murik efi_guid_t guid;
81*cbabf03cSDov Murik u32 len;
82*cbabf03cSDov Murik u8 data[];
83*cbabf03cSDov Murik } __attribute((packed));
84*cbabf03cSDov Murik
secret_entry_data_len(struct secret_entry * e)85*cbabf03cSDov Murik static size_t secret_entry_data_len(struct secret_entry *e)
86*cbabf03cSDov Murik {
87*cbabf03cSDov Murik return e->len - sizeof(*e);
88*cbabf03cSDov Murik }
89*cbabf03cSDov Murik
90*cbabf03cSDov Murik static struct efi_secret the_efi_secret;
91*cbabf03cSDov Murik
efi_secret_get(void)92*cbabf03cSDov Murik static inline struct efi_secret *efi_secret_get(void)
93*cbabf03cSDov Murik {
94*cbabf03cSDov Murik return &the_efi_secret;
95*cbabf03cSDov Murik }
96*cbabf03cSDov Murik
efi_secret_bin_file_show(struct seq_file * file,void * data)97*cbabf03cSDov Murik static int efi_secret_bin_file_show(struct seq_file *file, void *data)
98*cbabf03cSDov Murik {
99*cbabf03cSDov Murik struct secret_entry *e = file->private;
100*cbabf03cSDov Murik
101*cbabf03cSDov Murik if (e)
102*cbabf03cSDov Murik seq_write(file, e->data, secret_entry_data_len(e));
103*cbabf03cSDov Murik
104*cbabf03cSDov Murik return 0;
105*cbabf03cSDov Murik }
106*cbabf03cSDov Murik DEFINE_SHOW_ATTRIBUTE(efi_secret_bin_file);
107*cbabf03cSDov Murik
108*cbabf03cSDov Murik /*
109*cbabf03cSDov Murik * Overwrite memory content with zeroes, and ensure that dirty cache lines are
110*cbabf03cSDov Murik * actually written back to memory, to clear out the secret.
111*cbabf03cSDov Murik */
wipe_memory(void * addr,size_t size)112*cbabf03cSDov Murik static void wipe_memory(void *addr, size_t size)
113*cbabf03cSDov Murik {
114*cbabf03cSDov Murik memzero_explicit(addr, size);
115*cbabf03cSDov Murik #ifdef CONFIG_X86
116*cbabf03cSDov Murik clflush_cache_range(addr, size);
117*cbabf03cSDov Murik #endif
118*cbabf03cSDov Murik }
119*cbabf03cSDov Murik
efi_secret_unlink(struct inode * dir,struct dentry * dentry)120*cbabf03cSDov Murik static int efi_secret_unlink(struct inode *dir, struct dentry *dentry)
121*cbabf03cSDov Murik {
122*cbabf03cSDov Murik struct efi_secret *s = efi_secret_get();
123*cbabf03cSDov Murik struct inode *inode = d_inode(dentry);
124*cbabf03cSDov Murik struct secret_entry *e = (struct secret_entry *)inode->i_private;
125*cbabf03cSDov Murik int i;
126*cbabf03cSDov Murik
127*cbabf03cSDov Murik if (e) {
128*cbabf03cSDov Murik /* Zero out the secret data */
129*cbabf03cSDov Murik wipe_memory(e->data, secret_entry_data_len(e));
130*cbabf03cSDov Murik e->guid = NULL_GUID;
131*cbabf03cSDov Murik }
132*cbabf03cSDov Murik
133*cbabf03cSDov Murik inode->i_private = NULL;
134*cbabf03cSDov Murik
135*cbabf03cSDov Murik for (i = 0; i < EFI_SECRET_NUM_FILES; i++)
136*cbabf03cSDov Murik if (s->fs_files[i] == dentry)
137*cbabf03cSDov Murik s->fs_files[i] = NULL;
138*cbabf03cSDov Murik
139*cbabf03cSDov Murik /*
140*cbabf03cSDov Murik * securityfs_remove tries to lock the directory's inode, but we reach
141*cbabf03cSDov Murik * the unlink callback when it's already locked
142*cbabf03cSDov Murik */
143*cbabf03cSDov Murik inode_unlock(dir);
144*cbabf03cSDov Murik securityfs_remove(dentry);
145*cbabf03cSDov Murik inode_lock(dir);
146*cbabf03cSDov Murik
147*cbabf03cSDov Murik return 0;
148*cbabf03cSDov Murik }
149*cbabf03cSDov Murik
150*cbabf03cSDov Murik static const struct inode_operations efi_secret_dir_inode_operations = {
151*cbabf03cSDov Murik .lookup = simple_lookup,
152*cbabf03cSDov Murik .unlink = efi_secret_unlink,
153*cbabf03cSDov Murik };
154*cbabf03cSDov Murik
efi_secret_map_area(struct platform_device * dev)155*cbabf03cSDov Murik static int efi_secret_map_area(struct platform_device *dev)
156*cbabf03cSDov Murik {
157*cbabf03cSDov Murik int ret;
158*cbabf03cSDov Murik struct efi_secret *s = efi_secret_get();
159*cbabf03cSDov Murik struct linux_efi_coco_secret_area *secret_area;
160*cbabf03cSDov Murik
161*cbabf03cSDov Murik if (efi.coco_secret == EFI_INVALID_TABLE_ADDR) {
162*cbabf03cSDov Murik dev_err(&dev->dev, "Secret area address is not available\n");
163*cbabf03cSDov Murik return -EINVAL;
164*cbabf03cSDov Murik }
165*cbabf03cSDov Murik
166*cbabf03cSDov Murik secret_area = memremap(efi.coco_secret, sizeof(*secret_area), MEMREMAP_WB);
167*cbabf03cSDov Murik if (secret_area == NULL) {
168*cbabf03cSDov Murik dev_err(&dev->dev, "Could not map secret area EFI config entry\n");
169*cbabf03cSDov Murik return -ENOMEM;
170*cbabf03cSDov Murik }
171*cbabf03cSDov Murik if (!secret_area->base_pa || secret_area->size < sizeof(struct secret_header)) {
172*cbabf03cSDov Murik dev_err(&dev->dev,
173*cbabf03cSDov Murik "Invalid secret area memory location (base_pa=0x%llx size=0x%llx)\n",
174*cbabf03cSDov Murik secret_area->base_pa, secret_area->size);
175*cbabf03cSDov Murik ret = -EINVAL;
176*cbabf03cSDov Murik goto unmap;
177*cbabf03cSDov Murik }
178*cbabf03cSDov Murik
179*cbabf03cSDov Murik s->secret_data = ioremap_encrypted(secret_area->base_pa, secret_area->size);
180*cbabf03cSDov Murik if (s->secret_data == NULL) {
181*cbabf03cSDov Murik dev_err(&dev->dev, "Could not map secret area\n");
182*cbabf03cSDov Murik ret = -ENOMEM;
183*cbabf03cSDov Murik goto unmap;
184*cbabf03cSDov Murik }
185*cbabf03cSDov Murik
186*cbabf03cSDov Murik s->secret_data_len = secret_area->size;
187*cbabf03cSDov Murik ret = 0;
188*cbabf03cSDov Murik
189*cbabf03cSDov Murik unmap:
190*cbabf03cSDov Murik memunmap(secret_area);
191*cbabf03cSDov Murik return ret;
192*cbabf03cSDov Murik }
193*cbabf03cSDov Murik
efi_secret_securityfs_teardown(struct platform_device * dev)194*cbabf03cSDov Murik static void efi_secret_securityfs_teardown(struct platform_device *dev)
195*cbabf03cSDov Murik {
196*cbabf03cSDov Murik struct efi_secret *s = efi_secret_get();
197*cbabf03cSDov Murik int i;
198*cbabf03cSDov Murik
199*cbabf03cSDov Murik for (i = (EFI_SECRET_NUM_FILES - 1); i >= 0; i--) {
200*cbabf03cSDov Murik securityfs_remove(s->fs_files[i]);
201*cbabf03cSDov Murik s->fs_files[i] = NULL;
202*cbabf03cSDov Murik }
203*cbabf03cSDov Murik
204*cbabf03cSDov Murik securityfs_remove(s->fs_dir);
205*cbabf03cSDov Murik s->fs_dir = NULL;
206*cbabf03cSDov Murik
207*cbabf03cSDov Murik securityfs_remove(s->secrets_dir);
208*cbabf03cSDov Murik s->secrets_dir = NULL;
209*cbabf03cSDov Murik
210*cbabf03cSDov Murik dev_dbg(&dev->dev, "Removed securityfs entries\n");
211*cbabf03cSDov Murik }
212*cbabf03cSDov Murik
efi_secret_securityfs_setup(struct platform_device * dev)213*cbabf03cSDov Murik static int efi_secret_securityfs_setup(struct platform_device *dev)
214*cbabf03cSDov Murik {
215*cbabf03cSDov Murik struct efi_secret *s = efi_secret_get();
216*cbabf03cSDov Murik int ret = 0, i = 0, bytes_left;
217*cbabf03cSDov Murik unsigned char *ptr;
218*cbabf03cSDov Murik struct secret_header *h;
219*cbabf03cSDov Murik struct secret_entry *e;
220*cbabf03cSDov Murik struct dentry *dent;
221*cbabf03cSDov Murik char guid_str[EFI_VARIABLE_GUID_LEN + 1];
222*cbabf03cSDov Murik
223*cbabf03cSDov Murik ptr = (void __force *)s->secret_data;
224*cbabf03cSDov Murik h = (struct secret_header *)ptr;
225*cbabf03cSDov Murik if (efi_guidcmp(h->guid, EFI_SECRET_TABLE_HEADER_GUID)) {
226*cbabf03cSDov Murik /*
227*cbabf03cSDov Murik * This is not an error: it just means that EFI defines secret
228*cbabf03cSDov Murik * area but it was not populated by the Guest Owner.
229*cbabf03cSDov Murik */
230*cbabf03cSDov Murik dev_dbg(&dev->dev, "EFI secret area does not start with correct GUID\n");
231*cbabf03cSDov Murik return -ENODEV;
232*cbabf03cSDov Murik }
233*cbabf03cSDov Murik if (h->len < sizeof(*h)) {
234*cbabf03cSDov Murik dev_err(&dev->dev, "EFI secret area reported length is too small\n");
235*cbabf03cSDov Murik return -EINVAL;
236*cbabf03cSDov Murik }
237*cbabf03cSDov Murik if (h->len > s->secret_data_len) {
238*cbabf03cSDov Murik dev_err(&dev->dev, "EFI secret area reported length is too big\n");
239*cbabf03cSDov Murik return -EINVAL;
240*cbabf03cSDov Murik }
241*cbabf03cSDov Murik
242*cbabf03cSDov Murik s->secrets_dir = NULL;
243*cbabf03cSDov Murik s->fs_dir = NULL;
244*cbabf03cSDov Murik memset(s->fs_files, 0, sizeof(s->fs_files));
245*cbabf03cSDov Murik
246*cbabf03cSDov Murik dent = securityfs_create_dir("secrets", NULL);
247*cbabf03cSDov Murik if (IS_ERR(dent)) {
248*cbabf03cSDov Murik dev_err(&dev->dev, "Error creating secrets securityfs directory entry err=%ld\n",
249*cbabf03cSDov Murik PTR_ERR(dent));
250*cbabf03cSDov Murik return PTR_ERR(dent);
251*cbabf03cSDov Murik }
252*cbabf03cSDov Murik s->secrets_dir = dent;
253*cbabf03cSDov Murik
254*cbabf03cSDov Murik dent = securityfs_create_dir("coco", s->secrets_dir);
255*cbabf03cSDov Murik if (IS_ERR(dent)) {
256*cbabf03cSDov Murik dev_err(&dev->dev, "Error creating coco securityfs directory entry err=%ld\n",
257*cbabf03cSDov Murik PTR_ERR(dent));
258*cbabf03cSDov Murik return PTR_ERR(dent);
259*cbabf03cSDov Murik }
260*cbabf03cSDov Murik d_inode(dent)->i_op = &efi_secret_dir_inode_operations;
261*cbabf03cSDov Murik s->fs_dir = dent;
262*cbabf03cSDov Murik
263*cbabf03cSDov Murik bytes_left = h->len - sizeof(*h);
264*cbabf03cSDov Murik ptr += sizeof(*h);
265*cbabf03cSDov Murik while (bytes_left >= (int)sizeof(*e) && i < EFI_SECRET_NUM_FILES) {
266*cbabf03cSDov Murik e = (struct secret_entry *)ptr;
267*cbabf03cSDov Murik if (e->len < sizeof(*e) || e->len > (unsigned int)bytes_left) {
268*cbabf03cSDov Murik dev_err(&dev->dev, "EFI secret area is corrupted\n");
269*cbabf03cSDov Murik ret = -EINVAL;
270*cbabf03cSDov Murik goto err_cleanup;
271*cbabf03cSDov Murik }
272*cbabf03cSDov Murik
273*cbabf03cSDov Murik /* Skip deleted entries (which will have NULL_GUID) */
274*cbabf03cSDov Murik if (efi_guidcmp(e->guid, NULL_GUID)) {
275*cbabf03cSDov Murik efi_guid_to_str(&e->guid, guid_str);
276*cbabf03cSDov Murik
277*cbabf03cSDov Murik dent = securityfs_create_file(guid_str, 0440, s->fs_dir, (void *)e,
278*cbabf03cSDov Murik &efi_secret_bin_file_fops);
279*cbabf03cSDov Murik if (IS_ERR(dent)) {
280*cbabf03cSDov Murik dev_err(&dev->dev, "Error creating efi_secret securityfs entry\n");
281*cbabf03cSDov Murik ret = PTR_ERR(dent);
282*cbabf03cSDov Murik goto err_cleanup;
283*cbabf03cSDov Murik }
284*cbabf03cSDov Murik
285*cbabf03cSDov Murik s->fs_files[i++] = dent;
286*cbabf03cSDov Murik }
287*cbabf03cSDov Murik ptr += e->len;
288*cbabf03cSDov Murik bytes_left -= e->len;
289*cbabf03cSDov Murik }
290*cbabf03cSDov Murik
291*cbabf03cSDov Murik dev_info(&dev->dev, "Created %d entries in securityfs secrets/coco\n", i);
292*cbabf03cSDov Murik return 0;
293*cbabf03cSDov Murik
294*cbabf03cSDov Murik err_cleanup:
295*cbabf03cSDov Murik efi_secret_securityfs_teardown(dev);
296*cbabf03cSDov Murik return ret;
297*cbabf03cSDov Murik }
298*cbabf03cSDov Murik
efi_secret_unmap_area(void)299*cbabf03cSDov Murik static void efi_secret_unmap_area(void)
300*cbabf03cSDov Murik {
301*cbabf03cSDov Murik struct efi_secret *s = efi_secret_get();
302*cbabf03cSDov Murik
303*cbabf03cSDov Murik if (s->secret_data) {
304*cbabf03cSDov Murik iounmap(s->secret_data);
305*cbabf03cSDov Murik s->secret_data = NULL;
306*cbabf03cSDov Murik s->secret_data_len = 0;
307*cbabf03cSDov Murik }
308*cbabf03cSDov Murik }
309*cbabf03cSDov Murik
efi_secret_probe(struct platform_device * dev)310*cbabf03cSDov Murik static int efi_secret_probe(struct platform_device *dev)
311*cbabf03cSDov Murik {
312*cbabf03cSDov Murik int ret;
313*cbabf03cSDov Murik
314*cbabf03cSDov Murik ret = efi_secret_map_area(dev);
315*cbabf03cSDov Murik if (ret)
316*cbabf03cSDov Murik return ret;
317*cbabf03cSDov Murik
318*cbabf03cSDov Murik ret = efi_secret_securityfs_setup(dev);
319*cbabf03cSDov Murik if (ret)
320*cbabf03cSDov Murik goto err_unmap;
321*cbabf03cSDov Murik
322*cbabf03cSDov Murik return ret;
323*cbabf03cSDov Murik
324*cbabf03cSDov Murik err_unmap:
325*cbabf03cSDov Murik efi_secret_unmap_area();
326*cbabf03cSDov Murik return ret;
327*cbabf03cSDov Murik }
328*cbabf03cSDov Murik
efi_secret_remove(struct platform_device * dev)329*cbabf03cSDov Murik static int efi_secret_remove(struct platform_device *dev)
330*cbabf03cSDov Murik {
331*cbabf03cSDov Murik efi_secret_securityfs_teardown(dev);
332*cbabf03cSDov Murik efi_secret_unmap_area();
333*cbabf03cSDov Murik return 0;
334*cbabf03cSDov Murik }
335*cbabf03cSDov Murik
336*cbabf03cSDov Murik static struct platform_driver efi_secret_driver = {
337*cbabf03cSDov Murik .probe = efi_secret_probe,
338*cbabf03cSDov Murik .remove = efi_secret_remove,
339*cbabf03cSDov Murik .driver = {
340*cbabf03cSDov Murik .name = "efi_secret",
341*cbabf03cSDov Murik },
342*cbabf03cSDov Murik };
343*cbabf03cSDov Murik
344*cbabf03cSDov Murik module_platform_driver(efi_secret_driver);
345*cbabf03cSDov Murik
346*cbabf03cSDov Murik MODULE_DESCRIPTION("Confidential computing EFI secret area access");
347*cbabf03cSDov Murik MODULE_AUTHOR("IBM");
348*cbabf03cSDov Murik MODULE_LICENSE("GPL");
349*cbabf03cSDov Murik MODULE_ALIAS("platform:efi_secret");
350