1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * AMD Secure Encrypted Virtualization (SEV) guest driver interface
4  *
5  * Copyright (C) 2021 Advanced Micro Devices, Inc.
6  *
7  * Author: Brijesh Singh <brijesh.singh@amd.com>
8  */
9 
10 #include <linux/module.h>
11 #include <linux/kernel.h>
12 #include <linux/types.h>
13 #include <linux/mutex.h>
14 #include <linux/io.h>
15 #include <linux/platform_device.h>
16 #include <linux/miscdevice.h>
17 #include <linux/set_memory.h>
18 #include <linux/fs.h>
19 #include <crypto/aead.h>
20 #include <linux/scatterlist.h>
21 #include <linux/psp-sev.h>
22 #include <uapi/linux/sev-guest.h>
23 #include <uapi/linux/psp-sev.h>
24 
25 #include <asm/svm.h>
26 #include <asm/sev.h>
27 
28 #include "sev-guest.h"
29 
30 #define DEVICE_NAME	"sev-guest"
31 #define AAD_LEN		48
32 #define MSG_HDR_VER	1
33 
34 struct snp_guest_crypto {
35 	struct crypto_aead *tfm;
36 	u8 *iv, *authtag;
37 	int iv_len, a_len;
38 };
39 
40 struct snp_guest_dev {
41 	struct device *dev;
42 	struct miscdevice misc;
43 
44 	void *certs_data;
45 	struct snp_guest_crypto *crypto;
46 	struct snp_guest_msg *request, *response;
47 	struct snp_secrets_page_layout *layout;
48 	struct snp_req_data input;
49 	u32 *os_area_msg_seqno;
50 	u8 *vmpck;
51 };
52 
53 static u32 vmpck_id;
54 module_param(vmpck_id, uint, 0444);
55 MODULE_PARM_DESC(vmpck_id, "The VMPCK ID to use when communicating with the PSP.");
56 
57 /* Mutex to serialize the shared buffer access and command handling. */
58 static DEFINE_MUTEX(snp_cmd_mutex);
59 
60 static bool is_vmpck_empty(struct snp_guest_dev *snp_dev)
61 {
62 	char zero_key[VMPCK_KEY_LEN] = {0};
63 
64 	if (snp_dev->vmpck)
65 		return !memcmp(snp_dev->vmpck, zero_key, VMPCK_KEY_LEN);
66 
67 	return true;
68 }
69 
70 static void snp_disable_vmpck(struct snp_guest_dev *snp_dev)
71 {
72 	memzero_explicit(snp_dev->vmpck, VMPCK_KEY_LEN);
73 	snp_dev->vmpck = NULL;
74 }
75 
76 static inline u64 __snp_get_msg_seqno(struct snp_guest_dev *snp_dev)
77 {
78 	u64 count;
79 
80 	lockdep_assert_held(&snp_cmd_mutex);
81 
82 	/* Read the current message sequence counter from secrets pages */
83 	count = *snp_dev->os_area_msg_seqno;
84 
85 	return count + 1;
86 }
87 
88 /* Return a non-zero on success */
89 static u64 snp_get_msg_seqno(struct snp_guest_dev *snp_dev)
90 {
91 	u64 count = __snp_get_msg_seqno(snp_dev);
92 
93 	/*
94 	 * The message sequence counter for the SNP guest request is a  64-bit
95 	 * value but the version 2 of GHCB specification defines a 32-bit storage
96 	 * for it. If the counter exceeds the 32-bit value then return zero.
97 	 * The caller should check the return value, but if the caller happens to
98 	 * not check the value and use it, then the firmware treats zero as an
99 	 * invalid number and will fail the  message request.
100 	 */
101 	if (count >= UINT_MAX) {
102 		dev_err(snp_dev->dev, "request message sequence counter overflow\n");
103 		return 0;
104 	}
105 
106 	return count;
107 }
108 
109 static void snp_inc_msg_seqno(struct snp_guest_dev *snp_dev)
110 {
111 	/*
112 	 * The counter is also incremented by the PSP, so increment it by 2
113 	 * and save in secrets page.
114 	 */
115 	*snp_dev->os_area_msg_seqno += 2;
116 }
117 
118 static inline struct snp_guest_dev *to_snp_dev(struct file *file)
119 {
120 	struct miscdevice *dev = file->private_data;
121 
122 	return container_of(dev, struct snp_guest_dev, misc);
123 }
124 
125 static struct snp_guest_crypto *init_crypto(struct snp_guest_dev *snp_dev, u8 *key, size_t keylen)
126 {
127 	struct snp_guest_crypto *crypto;
128 
129 	crypto = kzalloc(sizeof(*crypto), GFP_KERNEL_ACCOUNT);
130 	if (!crypto)
131 		return NULL;
132 
133 	crypto->tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
134 	if (IS_ERR(crypto->tfm))
135 		goto e_free;
136 
137 	if (crypto_aead_setkey(crypto->tfm, key, keylen))
138 		goto e_free_crypto;
139 
140 	crypto->iv_len = crypto_aead_ivsize(crypto->tfm);
141 	crypto->iv = kmalloc(crypto->iv_len, GFP_KERNEL_ACCOUNT);
142 	if (!crypto->iv)
143 		goto e_free_crypto;
144 
145 	if (crypto_aead_authsize(crypto->tfm) > MAX_AUTHTAG_LEN) {
146 		if (crypto_aead_setauthsize(crypto->tfm, MAX_AUTHTAG_LEN)) {
147 			dev_err(snp_dev->dev, "failed to set authsize to %d\n", MAX_AUTHTAG_LEN);
148 			goto e_free_iv;
149 		}
150 	}
151 
152 	crypto->a_len = crypto_aead_authsize(crypto->tfm);
153 	crypto->authtag = kmalloc(crypto->a_len, GFP_KERNEL_ACCOUNT);
154 	if (!crypto->authtag)
155 		goto e_free_auth;
156 
157 	return crypto;
158 
159 e_free_auth:
160 	kfree(crypto->authtag);
161 e_free_iv:
162 	kfree(crypto->iv);
163 e_free_crypto:
164 	crypto_free_aead(crypto->tfm);
165 e_free:
166 	kfree(crypto);
167 
168 	return NULL;
169 }
170 
171 static void deinit_crypto(struct snp_guest_crypto *crypto)
172 {
173 	crypto_free_aead(crypto->tfm);
174 	kfree(crypto->iv);
175 	kfree(crypto->authtag);
176 	kfree(crypto);
177 }
178 
179 static int enc_dec_message(struct snp_guest_crypto *crypto, struct snp_guest_msg *msg,
180 			   u8 *src_buf, u8 *dst_buf, size_t len, bool enc)
181 {
182 	struct snp_guest_msg_hdr *hdr = &msg->hdr;
183 	struct scatterlist src[3], dst[3];
184 	DECLARE_CRYPTO_WAIT(wait);
185 	struct aead_request *req;
186 	int ret;
187 
188 	req = aead_request_alloc(crypto->tfm, GFP_KERNEL);
189 	if (!req)
190 		return -ENOMEM;
191 
192 	/*
193 	 * AEAD memory operations:
194 	 * +------ AAD -------+------- DATA -----+---- AUTHTAG----+
195 	 * |  msg header      |  plaintext       |  hdr->authtag  |
196 	 * | bytes 30h - 5Fh  |    or            |                |
197 	 * |                  |   cipher         |                |
198 	 * +------------------+------------------+----------------+
199 	 */
200 	sg_init_table(src, 3);
201 	sg_set_buf(&src[0], &hdr->algo, AAD_LEN);
202 	sg_set_buf(&src[1], src_buf, hdr->msg_sz);
203 	sg_set_buf(&src[2], hdr->authtag, crypto->a_len);
204 
205 	sg_init_table(dst, 3);
206 	sg_set_buf(&dst[0], &hdr->algo, AAD_LEN);
207 	sg_set_buf(&dst[1], dst_buf, hdr->msg_sz);
208 	sg_set_buf(&dst[2], hdr->authtag, crypto->a_len);
209 
210 	aead_request_set_ad(req, AAD_LEN);
211 	aead_request_set_tfm(req, crypto->tfm);
212 	aead_request_set_callback(req, 0, crypto_req_done, &wait);
213 
214 	aead_request_set_crypt(req, src, dst, len, crypto->iv);
215 	ret = crypto_wait_req(enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req), &wait);
216 
217 	aead_request_free(req);
218 	return ret;
219 }
220 
221 static int __enc_payload(struct snp_guest_dev *snp_dev, struct snp_guest_msg *msg,
222 			 void *plaintext, size_t len)
223 {
224 	struct snp_guest_crypto *crypto = snp_dev->crypto;
225 	struct snp_guest_msg_hdr *hdr = &msg->hdr;
226 
227 	memset(crypto->iv, 0, crypto->iv_len);
228 	memcpy(crypto->iv, &hdr->msg_seqno, sizeof(hdr->msg_seqno));
229 
230 	return enc_dec_message(crypto, msg, plaintext, msg->payload, len, true);
231 }
232 
233 static int dec_payload(struct snp_guest_dev *snp_dev, struct snp_guest_msg *msg,
234 		       void *plaintext, size_t len)
235 {
236 	struct snp_guest_crypto *crypto = snp_dev->crypto;
237 	struct snp_guest_msg_hdr *hdr = &msg->hdr;
238 
239 	/* Build IV with response buffer sequence number */
240 	memset(crypto->iv, 0, crypto->iv_len);
241 	memcpy(crypto->iv, &hdr->msg_seqno, sizeof(hdr->msg_seqno));
242 
243 	return enc_dec_message(crypto, msg, msg->payload, plaintext, len, false);
244 }
245 
246 static int verify_and_dec_payload(struct snp_guest_dev *snp_dev, void *payload, u32 sz)
247 {
248 	struct snp_guest_crypto *crypto = snp_dev->crypto;
249 	struct snp_guest_msg *resp = snp_dev->response;
250 	struct snp_guest_msg *req = snp_dev->request;
251 	struct snp_guest_msg_hdr *req_hdr = &req->hdr;
252 	struct snp_guest_msg_hdr *resp_hdr = &resp->hdr;
253 
254 	dev_dbg(snp_dev->dev, "response [seqno %lld type %d version %d sz %d]\n",
255 		resp_hdr->msg_seqno, resp_hdr->msg_type, resp_hdr->msg_version, resp_hdr->msg_sz);
256 
257 	/* Verify that the sequence counter is incremented by 1 */
258 	if (unlikely(resp_hdr->msg_seqno != (req_hdr->msg_seqno + 1)))
259 		return -EBADMSG;
260 
261 	/* Verify response message type and version number. */
262 	if (resp_hdr->msg_type != (req_hdr->msg_type + 1) ||
263 	    resp_hdr->msg_version != req_hdr->msg_version)
264 		return -EBADMSG;
265 
266 	/*
267 	 * If the message size is greater than our buffer length then return
268 	 * an error.
269 	 */
270 	if (unlikely((resp_hdr->msg_sz + crypto->a_len) > sz))
271 		return -EBADMSG;
272 
273 	/* Decrypt the payload */
274 	return dec_payload(snp_dev, resp, payload, resp_hdr->msg_sz + crypto->a_len);
275 }
276 
277 static int enc_payload(struct snp_guest_dev *snp_dev, u64 seqno, int version, u8 type,
278 			void *payload, size_t sz)
279 {
280 	struct snp_guest_msg *req = snp_dev->request;
281 	struct snp_guest_msg_hdr *hdr = &req->hdr;
282 
283 	memset(req, 0, sizeof(*req));
284 
285 	hdr->algo = SNP_AEAD_AES_256_GCM;
286 	hdr->hdr_version = MSG_HDR_VER;
287 	hdr->hdr_sz = sizeof(*hdr);
288 	hdr->msg_type = type;
289 	hdr->msg_version = version;
290 	hdr->msg_seqno = seqno;
291 	hdr->msg_vmpck = vmpck_id;
292 	hdr->msg_sz = sz;
293 
294 	/* Verify the sequence number is non-zero */
295 	if (!hdr->msg_seqno)
296 		return -ENOSR;
297 
298 	dev_dbg(snp_dev->dev, "request [seqno %lld type %d version %d sz %d]\n",
299 		hdr->msg_seqno, hdr->msg_type, hdr->msg_version, hdr->msg_sz);
300 
301 	return __enc_payload(snp_dev, req, payload, sz);
302 }
303 
304 static int handle_guest_request(struct snp_guest_dev *snp_dev, u64 exit_code, int msg_ver,
305 				u8 type, void *req_buf, size_t req_sz, void *resp_buf,
306 				u32 resp_sz, __u64 *fw_err)
307 {
308 	unsigned long err;
309 	u64 seqno;
310 	int rc;
311 
312 	/* Get message sequence and verify that its a non-zero */
313 	seqno = snp_get_msg_seqno(snp_dev);
314 	if (!seqno)
315 		return -EIO;
316 
317 	memset(snp_dev->response, 0, sizeof(struct snp_guest_msg));
318 
319 	/* Encrypt the userspace provided payload */
320 	rc = enc_payload(snp_dev, seqno, msg_ver, type, req_buf, req_sz);
321 	if (rc)
322 		return rc;
323 
324 	/* Call firmware to process the request */
325 	rc = snp_issue_guest_request(exit_code, &snp_dev->input, &err);
326 	if (fw_err)
327 		*fw_err = err;
328 
329 	if (rc)
330 		return rc;
331 
332 	/*
333 	 * The verify_and_dec_payload() will fail only if the hypervisor is
334 	 * actively modifying the message header or corrupting the encrypted payload.
335 	 * This hints that hypervisor is acting in a bad faith. Disable the VMPCK so that
336 	 * the key cannot be used for any communication. The key is disabled to ensure
337 	 * that AES-GCM does not use the same IV while encrypting the request payload.
338 	 */
339 	rc = verify_and_dec_payload(snp_dev, resp_buf, resp_sz);
340 	if (rc) {
341 		dev_alert(snp_dev->dev,
342 			  "Detected unexpected decode failure, disabling the vmpck_id %d\n",
343 			  vmpck_id);
344 		snp_disable_vmpck(snp_dev);
345 		return rc;
346 	}
347 
348 	/* Increment to new message sequence after payload decryption was successful. */
349 	snp_inc_msg_seqno(snp_dev);
350 
351 	return 0;
352 }
353 
354 static int get_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg)
355 {
356 	struct snp_guest_crypto *crypto = snp_dev->crypto;
357 	struct snp_report_resp *resp;
358 	struct snp_report_req req;
359 	int rc, resp_len;
360 
361 	lockdep_assert_held(&snp_cmd_mutex);
362 
363 	if (!arg->req_data || !arg->resp_data)
364 		return -EINVAL;
365 
366 	if (copy_from_user(&req, (void __user *)arg->req_data, sizeof(req)))
367 		return -EFAULT;
368 
369 	/*
370 	 * The intermediate response buffer is used while decrypting the
371 	 * response payload. Make sure that it has enough space to cover the
372 	 * authtag.
373 	 */
374 	resp_len = sizeof(resp->data) + crypto->a_len;
375 	resp = kzalloc(resp_len, GFP_KERNEL_ACCOUNT);
376 	if (!resp)
377 		return -ENOMEM;
378 
379 	rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg->msg_version,
380 				  SNP_MSG_REPORT_REQ, &req, sizeof(req), resp->data,
381 				  resp_len, &arg->fw_err);
382 	if (rc)
383 		goto e_free;
384 
385 	if (copy_to_user((void __user *)arg->resp_data, resp, sizeof(*resp)))
386 		rc = -EFAULT;
387 
388 e_free:
389 	kfree(resp);
390 	return rc;
391 }
392 
393 static int get_derived_key(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg)
394 {
395 	struct snp_guest_crypto *crypto = snp_dev->crypto;
396 	struct snp_derived_key_resp resp = {0};
397 	struct snp_derived_key_req req;
398 	int rc, resp_len;
399 	/* Response data is 64 bytes and max authsize for GCM is 16 bytes. */
400 	u8 buf[64 + 16];
401 
402 	lockdep_assert_held(&snp_cmd_mutex);
403 
404 	if (!arg->req_data || !arg->resp_data)
405 		return -EINVAL;
406 
407 	/*
408 	 * The intermediate response buffer is used while decrypting the
409 	 * response payload. Make sure that it has enough space to cover the
410 	 * authtag.
411 	 */
412 	resp_len = sizeof(resp.data) + crypto->a_len;
413 	if (sizeof(buf) < resp_len)
414 		return -ENOMEM;
415 
416 	if (copy_from_user(&req, (void __user *)arg->req_data, sizeof(req)))
417 		return -EFAULT;
418 
419 	rc = handle_guest_request(snp_dev, SVM_VMGEXIT_GUEST_REQUEST, arg->msg_version,
420 				  SNP_MSG_KEY_REQ, &req, sizeof(req), buf, resp_len,
421 				  &arg->fw_err);
422 	if (rc)
423 		return rc;
424 
425 	memcpy(resp.data, buf, sizeof(resp.data));
426 	if (copy_to_user((void __user *)arg->resp_data, &resp, sizeof(resp)))
427 		rc = -EFAULT;
428 
429 	/* The response buffer contains the sensitive data, explicitly clear it. */
430 	memzero_explicit(buf, sizeof(buf));
431 	memzero_explicit(&resp, sizeof(resp));
432 	return rc;
433 }
434 
435 static int get_ext_report(struct snp_guest_dev *snp_dev, struct snp_guest_request_ioctl *arg)
436 {
437 	struct snp_guest_crypto *crypto = snp_dev->crypto;
438 	struct snp_ext_report_req req;
439 	struct snp_report_resp *resp;
440 	int ret, npages = 0, resp_len;
441 
442 	lockdep_assert_held(&snp_cmd_mutex);
443 
444 	if (!arg->req_data || !arg->resp_data)
445 		return -EINVAL;
446 
447 	if (copy_from_user(&req, (void __user *)arg->req_data, sizeof(req)))
448 		return -EFAULT;
449 
450 	/* userspace does not want certificate data */
451 	if (!req.certs_len || !req.certs_address)
452 		goto cmd;
453 
454 	if (req.certs_len > SEV_FW_BLOB_MAX_SIZE ||
455 	    !IS_ALIGNED(req.certs_len, PAGE_SIZE))
456 		return -EINVAL;
457 
458 	if (!access_ok((const void __user *)req.certs_address, req.certs_len))
459 		return -EFAULT;
460 
461 	/*
462 	 * Initialize the intermediate buffer with all zeros. This buffer
463 	 * is used in the guest request message to get the certs blob from
464 	 * the host. If host does not supply any certs in it, then copy
465 	 * zeros to indicate that certificate data was not provided.
466 	 */
467 	memset(snp_dev->certs_data, 0, req.certs_len);
468 	npages = req.certs_len >> PAGE_SHIFT;
469 cmd:
470 	/*
471 	 * The intermediate response buffer is used while decrypting the
472 	 * response payload. Make sure that it has enough space to cover the
473 	 * authtag.
474 	 */
475 	resp_len = sizeof(resp->data) + crypto->a_len;
476 	resp = kzalloc(resp_len, GFP_KERNEL_ACCOUNT);
477 	if (!resp)
478 		return -ENOMEM;
479 
480 	snp_dev->input.data_npages = npages;
481 	ret = handle_guest_request(snp_dev, SVM_VMGEXIT_EXT_GUEST_REQUEST, arg->msg_version,
482 				   SNP_MSG_REPORT_REQ, &req.data,
483 				   sizeof(req.data), resp->data, resp_len, &arg->fw_err);
484 
485 	/* If certs length is invalid then copy the returned length */
486 	if (arg->fw_err == SNP_GUEST_REQ_INVALID_LEN) {
487 		req.certs_len = snp_dev->input.data_npages << PAGE_SHIFT;
488 
489 		if (copy_to_user((void __user *)arg->req_data, &req, sizeof(req)))
490 			ret = -EFAULT;
491 	}
492 
493 	if (ret)
494 		goto e_free;
495 
496 	if (npages &&
497 	    copy_to_user((void __user *)req.certs_address, snp_dev->certs_data,
498 			 req.certs_len)) {
499 		ret = -EFAULT;
500 		goto e_free;
501 	}
502 
503 	if (copy_to_user((void __user *)arg->resp_data, resp, sizeof(*resp)))
504 		ret = -EFAULT;
505 
506 e_free:
507 	kfree(resp);
508 	return ret;
509 }
510 
511 static long snp_guest_ioctl(struct file *file, unsigned int ioctl, unsigned long arg)
512 {
513 	struct snp_guest_dev *snp_dev = to_snp_dev(file);
514 	void __user *argp = (void __user *)arg;
515 	struct snp_guest_request_ioctl input;
516 	int ret = -ENOTTY;
517 
518 	if (copy_from_user(&input, argp, sizeof(input)))
519 		return -EFAULT;
520 
521 	input.fw_err = 0xff;
522 
523 	/* Message version must be non-zero */
524 	if (!input.msg_version)
525 		return -EINVAL;
526 
527 	mutex_lock(&snp_cmd_mutex);
528 
529 	/* Check if the VMPCK is not empty */
530 	if (is_vmpck_empty(snp_dev)) {
531 		dev_err_ratelimited(snp_dev->dev, "VMPCK is disabled\n");
532 		mutex_unlock(&snp_cmd_mutex);
533 		return -ENOTTY;
534 	}
535 
536 	switch (ioctl) {
537 	case SNP_GET_REPORT:
538 		ret = get_report(snp_dev, &input);
539 		break;
540 	case SNP_GET_DERIVED_KEY:
541 		ret = get_derived_key(snp_dev, &input);
542 		break;
543 	case SNP_GET_EXT_REPORT:
544 		ret = get_ext_report(snp_dev, &input);
545 		break;
546 	default:
547 		break;
548 	}
549 
550 	mutex_unlock(&snp_cmd_mutex);
551 
552 	if (input.fw_err && copy_to_user(argp, &input, sizeof(input)))
553 		return -EFAULT;
554 
555 	return ret;
556 }
557 
558 static void free_shared_pages(void *buf, size_t sz)
559 {
560 	unsigned int npages = PAGE_ALIGN(sz) >> PAGE_SHIFT;
561 	int ret;
562 
563 	if (!buf)
564 		return;
565 
566 	ret = set_memory_encrypted((unsigned long)buf, npages);
567 	if (ret) {
568 		WARN_ONCE(ret, "failed to restore encryption mask (leak it)\n");
569 		return;
570 	}
571 
572 	__free_pages(virt_to_page(buf), get_order(sz));
573 }
574 
575 static void *alloc_shared_pages(struct device *dev, size_t sz)
576 {
577 	unsigned int npages = PAGE_ALIGN(sz) >> PAGE_SHIFT;
578 	struct page *page;
579 	int ret;
580 
581 	page = alloc_pages(GFP_KERNEL_ACCOUNT, get_order(sz));
582 	if (!page)
583 		return NULL;
584 
585 	ret = set_memory_decrypted((unsigned long)page_address(page), npages);
586 	if (ret) {
587 		dev_err(dev, "failed to mark page shared, ret=%d\n", ret);
588 		__free_pages(page, get_order(sz));
589 		return NULL;
590 	}
591 
592 	return page_address(page);
593 }
594 
595 static const struct file_operations snp_guest_fops = {
596 	.owner	= THIS_MODULE,
597 	.unlocked_ioctl = snp_guest_ioctl,
598 };
599 
600 static u8 *get_vmpck(int id, struct snp_secrets_page_layout *layout, u32 **seqno)
601 {
602 	u8 *key = NULL;
603 
604 	switch (id) {
605 	case 0:
606 		*seqno = &layout->os_area.msg_seqno_0;
607 		key = layout->vmpck0;
608 		break;
609 	case 1:
610 		*seqno = &layout->os_area.msg_seqno_1;
611 		key = layout->vmpck1;
612 		break;
613 	case 2:
614 		*seqno = &layout->os_area.msg_seqno_2;
615 		key = layout->vmpck2;
616 		break;
617 	case 3:
618 		*seqno = &layout->os_area.msg_seqno_3;
619 		key = layout->vmpck3;
620 		break;
621 	default:
622 		break;
623 	}
624 
625 	return key;
626 }
627 
628 static int __init sev_guest_probe(struct platform_device *pdev)
629 {
630 	struct snp_secrets_page_layout *layout;
631 	struct sev_guest_platform_data *data;
632 	struct device *dev = &pdev->dev;
633 	struct snp_guest_dev *snp_dev;
634 	struct miscdevice *misc;
635 	int ret;
636 
637 	if (!dev->platform_data)
638 		return -ENODEV;
639 
640 	data = (struct sev_guest_platform_data *)dev->platform_data;
641 	layout = (__force void *)ioremap_encrypted(data->secrets_gpa, PAGE_SIZE);
642 	if (!layout)
643 		return -ENODEV;
644 
645 	ret = -ENOMEM;
646 	snp_dev = devm_kzalloc(&pdev->dev, sizeof(struct snp_guest_dev), GFP_KERNEL);
647 	if (!snp_dev)
648 		goto e_unmap;
649 
650 	ret = -EINVAL;
651 	snp_dev->vmpck = get_vmpck(vmpck_id, layout, &snp_dev->os_area_msg_seqno);
652 	if (!snp_dev->vmpck) {
653 		dev_err(dev, "invalid vmpck id %d\n", vmpck_id);
654 		goto e_unmap;
655 	}
656 
657 	/* Verify that VMPCK is not zero. */
658 	if (is_vmpck_empty(snp_dev)) {
659 		dev_err(dev, "vmpck id %d is null\n", vmpck_id);
660 		goto e_unmap;
661 	}
662 
663 	platform_set_drvdata(pdev, snp_dev);
664 	snp_dev->dev = dev;
665 	snp_dev->layout = layout;
666 
667 	/* Allocate the shared page used for the request and response message. */
668 	snp_dev->request = alloc_shared_pages(dev, sizeof(struct snp_guest_msg));
669 	if (!snp_dev->request)
670 		goto e_unmap;
671 
672 	snp_dev->response = alloc_shared_pages(dev, sizeof(struct snp_guest_msg));
673 	if (!snp_dev->response)
674 		goto e_free_request;
675 
676 	snp_dev->certs_data = alloc_shared_pages(dev, SEV_FW_BLOB_MAX_SIZE);
677 	if (!snp_dev->certs_data)
678 		goto e_free_response;
679 
680 	ret = -EIO;
681 	snp_dev->crypto = init_crypto(snp_dev, snp_dev->vmpck, VMPCK_KEY_LEN);
682 	if (!snp_dev->crypto)
683 		goto e_free_cert_data;
684 
685 	misc = &snp_dev->misc;
686 	misc->minor = MISC_DYNAMIC_MINOR;
687 	misc->name = DEVICE_NAME;
688 	misc->fops = &snp_guest_fops;
689 
690 	/* initial the input address for guest request */
691 	snp_dev->input.req_gpa = __pa(snp_dev->request);
692 	snp_dev->input.resp_gpa = __pa(snp_dev->response);
693 	snp_dev->input.data_gpa = __pa(snp_dev->certs_data);
694 
695 	ret =  misc_register(misc);
696 	if (ret)
697 		goto e_free_cert_data;
698 
699 	dev_info(dev, "Initialized SEV guest driver (using vmpck_id %d)\n", vmpck_id);
700 	return 0;
701 
702 e_free_cert_data:
703 	free_shared_pages(snp_dev->certs_data, SEV_FW_BLOB_MAX_SIZE);
704 e_free_response:
705 	free_shared_pages(snp_dev->response, sizeof(struct snp_guest_msg));
706 e_free_request:
707 	free_shared_pages(snp_dev->request, sizeof(struct snp_guest_msg));
708 e_unmap:
709 	iounmap(layout);
710 	return ret;
711 }
712 
713 static int __exit sev_guest_remove(struct platform_device *pdev)
714 {
715 	struct snp_guest_dev *snp_dev = platform_get_drvdata(pdev);
716 
717 	free_shared_pages(snp_dev->certs_data, SEV_FW_BLOB_MAX_SIZE);
718 	free_shared_pages(snp_dev->response, sizeof(struct snp_guest_msg));
719 	free_shared_pages(snp_dev->request, sizeof(struct snp_guest_msg));
720 	deinit_crypto(snp_dev->crypto);
721 	misc_deregister(&snp_dev->misc);
722 
723 	return 0;
724 }
725 
726 /*
727  * This driver is meant to be a common SEV guest interface driver and to
728  * support any SEV guest API. As such, even though it has been introduced
729  * with the SEV-SNP support, it is named "sev-guest".
730  */
731 static struct platform_driver sev_guest_driver = {
732 	.remove		= __exit_p(sev_guest_remove),
733 	.driver		= {
734 		.name = "sev-guest",
735 	},
736 };
737 
738 module_platform_driver_probe(sev_guest_driver, sev_guest_probe);
739 
740 MODULE_AUTHOR("Brijesh Singh <brijesh.singh@amd.com>");
741 MODULE_LICENSE("GPL");
742 MODULE_VERSION("1.0.0");
743 MODULE_DESCRIPTION("AMD SEV Guest Driver");
744