[RFC,03/12] powerpc/prom_init: Add the ESM call to prom_init

From: Ram Pai <linuxram@us.ibm.com>

Make the Enter-Secure-Mode (ESM) ultravisor call to switch the VM to secure
mode. Add "svm=" command line option to turn off switching to secure mode.
Introduce CONFIG_PPC_SVM to control support for secure guests.

Signed-off-by: Ram Pai <linuxram@us.ibm.com>
[ Generate an RTAS os-term hcall when the ESM ucall fails. ]
Signed-off-by: Michael Anderson <andmike@linux.ibm.com>
[ Cleaned up the code a bit. ]
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
---
 .../admin-guide/kernel-parameters.txt         |   5 +
 arch/powerpc/include/asm/ultravisor-api.h     |   1 +
 arch/powerpc/kernel/prom_init.c               | 124 ++++++++++++++++++
 3 files changed, 130 insertions(+)

On 21/05/2019 14:49, Thiago Jung Bauermann wrote:
> From: Ram Pai <linuxram@us.ibm.com>
> 
> Make the Enter-Secure-Mode (ESM) ultravisor call to switch the VM to secure
> mode. Add "svm=" command line option to turn off switching to secure mode.
> Introduce CONFIG_PPC_SVM to control support for secure guests.
> 
> Signed-off-by: Ram Pai <linuxram@us.ibm.com>
> [ Generate an RTAS os-term hcall when the ESM ucall fails. ]
> Signed-off-by: Michael Anderson <andmike@linux.ibm.com>
> [ Cleaned up the code a bit. ]
> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
> ---
>  .../admin-guide/kernel-parameters.txt         |   5 +
>  arch/powerpc/include/asm/ultravisor-api.h     |   1 +
>  arch/powerpc/kernel/prom_init.c               | 124 ++++++++++++++++++
>  3 files changed, 130 insertions(+)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index c45a19d654f3..7237d86b25c6 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -4501,6 +4501,11 @@
>  			/sys/power/pm_test). Only available when CONFIG_PM_DEBUG
>  			is set. Default value is 5.
>  
> +	svm=		[PPC]
> +			Format: { on | off | y | n | 1 | 0 }
> +			This parameter controls use of the Protected
> +			Execution Facility on pSeries.
> +
>  	swapaccount=[0|1]
>  			[KNL] Enable accounting of swap in memory resource
>  			controller if no parameter or 1 is given or disable
> diff --git a/arch/powerpc/include/asm/ultravisor-api.h b/arch/powerpc/include/asm/ultravisor-api.h
> index 15e6ce77a131..0e8b72081718 100644
> --- a/arch/powerpc/include/asm/ultravisor-api.h
> +++ b/arch/powerpc/include/asm/ultravisor-api.h
> @@ -19,6 +19,7 @@
>  
>  /* opcodes */
>  #define UV_WRITE_PATE			0xF104
> +#define UV_ESM				0xF110
>  #define UV_RETURN			0xF11C
>  
>  #endif /* _ASM_POWERPC_ULTRAVISOR_API_H */
> diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
> index 523bb99d7676..5d8a3efb54f2 100644
> --- a/arch/powerpc/kernel/prom_init.c
> +++ b/arch/powerpc/kernel/prom_init.c
> @@ -44,6 +44,7 @@
>  #include <asm/sections.h>
>  #include <asm/machdep.h>
>  #include <asm/asm-prototypes.h>
> +#include <asm/ultravisor-api.h>
>  
>  #include <linux/linux_logo.h>
>  
> @@ -174,6 +175,10 @@ static unsigned long __prombss prom_tce_alloc_end;
>  static bool __prombss prom_radix_disable;
>  #endif
>  
> +#ifdef CONFIG_PPC_SVM
> +static bool __prombss prom_svm_disable;
> +#endif
> +
>  struct platform_support {
>  	bool hash_mmu;
>  	bool radix_mmu;
> @@ -809,6 +814,17 @@ static void __init early_cmdline_parse(void)
>  	if (prom_radix_disable)
>  		prom_debug("Radix disabled from cmdline\n");
>  #endif /* CONFIG_PPC_PSERIES */
> +
> +#ifdef CONFIG_PPC_SVM
> +	opt = prom_strstr(prom_cmd_line, "svm=");
> +	if (opt) {
> +		bool val;
> +
> +		opt += sizeof("svm=") - 1;
> +		if (!prom_strtobool(opt, &val))
> +			prom_svm_disable = !val;
> +	}
> +#endif /* CONFIG_PPC_SVM */
>  }
>  
>  #ifdef CONFIG_PPC_PSERIES
> @@ -1707,6 +1723,43 @@ static void __init prom_close_stdin(void)
>  	}
>  }
>  
> +#ifdef CONFIG_PPC_SVM
> +static int prom_rtas_os_term_hcall(uint64_t args)


This is just an rtas hcall, nothing special about "os-term".


> +{
> +	register uint64_t arg1 asm("r3") = 0xf000;
> +	register uint64_t arg2 asm("r4") = args;
> +
> +	asm volatile("sc 1\n" : "=r" (arg1) :
> +			"r" (arg1),
> +			"r" (arg2) :);
> +	return arg1;
> +}
> +
> +static struct rtas_args __prombss os_term_args;
> +
> +static void __init prom_rtas_os_term(char *str)
> +{
> +	phandle rtas_node;
> +	__be32 val;
> +	u32 token;
> +
> +	prom_printf("%s: start...\n", __func__);
> +	rtas_node = call_prom("finddevice", 1, 1, ADDR("/rtas"));
> +	prom_printf("rtas_node: %x\n", rtas_node);
> +	if (!PHANDLE_VALID(rtas_node))
> +		return;
> +
> +	val = 0;
> +	prom_getprop(rtas_node, "ibm,os-term", &val, sizeof(val));
> +	token = be32_to_cpu(val);
> +	prom_printf("ibm,os-term: %x\n", token);
> +	if (token == 0)
> +		prom_panic("Could not get token for ibm,os-term\n");
> +	os_term_args.token = cpu_to_be32(token);
> +	prom_rtas_os_term_hcall((uint64_t)&os_term_args);
> +}
> +#endif /* CONFIG_PPC_SVM */
> +
>  /*
>   * Allocate room for and instantiate RTAS
>   */
> @@ -3162,6 +3215,74 @@ static void unreloc_toc(void)
>  #endif
>  #endif
>  
> +#ifdef CONFIG_PPC_SVM
> +/*
> + * The ESM blob is a data structure with information needed by the Ultravisor to
> + * validate the integrity of the secure guest.
> + */
> +static void *get_esm_blob(void)
> +{
> +	/*
> +	 * FIXME: We are still finalizing the details on how prom_init will grab
> +	 * the ESM blob. When that is done, this function will be updated.
> +	 */
> +	return (void *)0xdeadbeef;
> +}
> +
> +/*
> + * Perform the Enter Secure Mode ultracall.
> + */
> +static int enter_secure_mode(void *esm_blob, void *retaddr, void *fdt)
> +{
> +	register uint64_t func asm("r0") = UV_ESM;
> +	register uint64_t arg1 asm("r3") = (uint64_t)esm_blob;
> +	register uint64_t arg2 asm("r4") = (uint64_t)retaddr;
> +	register uint64_t arg3 asm("r5") = (uint64_t)fdt;
> +
> +	asm volatile("sc 2\n"
> +		     : "=r"(arg1)
> +		     : "r"(func), "0"(arg1), "r"(arg2), "r"(arg3)
> +		     :);
> +
> +	return (int)arg1;
> +}
> +
> +/*
> + * Call the Ultravisor to transfer us to secure memory if we have an ESM blob.
> + */
> +static void setup_secure_guest(void *fdt)
> +{
> +	void *esm_blob;
> +	int ret;
> +
> +	if (prom_svm_disable) {
> +		prom_printf("Secure mode is OFF\n");
> +		return;
> +	}
> +
> +	esm_blob = get_esm_blob();
> +	if (esm_blob == NULL)
> +		/*
> +		 * Absence of an ESM blob isn't an error, it just means we
> +		 * shouldn't switch to secure mode.
> +		 */
> +		return;
> +
> +	/* Switch to secure mode. */
> +	prom_printf("Switching to secure mode.\n");
> +
> +	ret = enter_secure_mode(esm_blob, NULL, fdt);
> +	if (ret != U_SUCCESS) {
> +		prom_printf("Returned %d from switching to secure mode.\n", ret);
> +		prom_rtas_os_term("Switch to secure mode failed.\n");
> +	}
> +}
> +#else
> +static void setup_secure_guest(void *fdt)
> +{
> +}
> +#endif /* CONFIG_PPC_SVM */
> +
>  /*
>   * We enter here early on, when the Open Firmware prom is still
>   * handling exceptions and the MMU hash table for us.
> @@ -3360,6 +3481,9 @@ unsigned long __init prom_init(unsigned long r3, unsigned long r4,
>  	unreloc_toc();
>  #endif
>  
> +	/* Move to secure memory if we're supposed to be secure guests. */
> +	setup_secure_guest((void *)hdr);
> +
>  	__start(hdr, kbase, 0, 0, 0, 0, 0);
>  
>  	return 0;
>

Hello Alexey,

Thanks for reviewing this patch!

Alexey Kardashevskiy <aik@ozlabs.ru> writes:

> On 21/05/2019 14:49, Thiago Jung Bauermann wrote:
>> @@ -1707,6 +1723,43 @@ static void __init prom_close_stdin(void)
>>  	}
>>  }
>>  
>> +#ifdef CONFIG_PPC_SVM
>> +static int prom_rtas_os_term_hcall(uint64_t args)
>
>
> This is just an rtas hcall, nothing special about "os-term".

Sorry, unfortunately I don't understand how we're treating os-term
especially. Do you mean that we should inline this function directly
into prom_rtas_os_term()?

>> +{
>> +	register uint64_t arg1 asm("r3") = 0xf000;
>> +	register uint64_t arg2 asm("r4") = args;
>> +
>> +	asm volatile("sc 1\n" : "=r" (arg1) :
>> +			"r" (arg1),
>> +			"r" (arg2) :);
>> +	return arg1;
>> +}
>> +
>> +static struct rtas_args __prombss os_term_args;
>> +
>> +static void __init prom_rtas_os_term(char *str)
>> +{
>> +	phandle rtas_node;
>> +	__be32 val;
>> +	u32 token;
>> +
>> +	prom_printf("%s: start...\n", __func__);
>> +	rtas_node = call_prom("finddevice", 1, 1, ADDR("/rtas"));
>> +	prom_printf("rtas_node: %x\n", rtas_node);
>> +	if (!PHANDLE_VALID(rtas_node))
>> +		return;
>> +
>> +	val = 0;
>> +	prom_getprop(rtas_node, "ibm,os-term", &val, sizeof(val));
>> +	token = be32_to_cpu(val);
>> +	prom_printf("ibm,os-term: %x\n", token);
>> +	if (token == 0)
>> +		prom_panic("Could not get token for ibm,os-term\n");
>> +	os_term_args.token = cpu_to_be32(token);
>> +	prom_rtas_os_term_hcall((uint64_t)&os_term_args);
>> +}
>> +#endif /* CONFIG_PPC_SVM */
>> +
>>  /*
>>   * Allocate room for and instantiate RTAS
>>   */

On 29/06/2019 08:33, Thiago Jung Bauermann wrote:
> 
> Hello Alexey,
> 
> Thanks for reviewing this patch!
> 
> Alexey Kardashevskiy <aik@ozlabs.ru> writes:
> 
>> On 21/05/2019 14:49, Thiago Jung Bauermann wrote:
>>> @@ -1707,6 +1723,43 @@ static void __init prom_close_stdin(void)
>>>  	}
>>>  }
>>>  
>>> +#ifdef CONFIG_PPC_SVM
>>> +static int prom_rtas_os_term_hcall(uint64_t args)
>>
>>
>> This is just an rtas hcall, nothing special about "os-term".
> 
> Sorry, unfortunately I don't understand how we're treating os-term
> especially. Do you mean that we should inline this function directly
> into prom_rtas_os_term()?

I meant the function name - prom_rtas_os_term_hcall - should rather be
prom_rtas_hcall.



> 
>>> +{
>>> +	register uint64_t arg1 asm("r3") = 0xf000;
>>> +	register uint64_t arg2 asm("r4") = args;
>>> +
>>> +	asm volatile("sc 1\n" : "=r" (arg1) :
>>> +			"r" (arg1),
>>> +			"r" (arg2) :);
>>> +	return arg1;
>>> +}
>>> +
>>> +static struct rtas_args __prombss os_term_args;
>>> +
>>> +static void __init prom_rtas_os_term(char *str)
>>> +{
>>> +	phandle rtas_node;
>>> +	__be32 val;
>>> +	u32 token;
>>> +
>>> +	prom_printf("%s: start...\n", __func__);
>>> +	rtas_node = call_prom("finddevice", 1, 1, ADDR("/rtas"));
>>> +	prom_printf("rtas_node: %x\n", rtas_node);
>>> +	if (!PHANDLE_VALID(rtas_node))
>>> +		return;
>>> +
>>> +	val = 0;
>>> +	prom_getprop(rtas_node, "ibm,os-term", &val, sizeof(val));
>>> +	token = be32_to_cpu(val);
>>> +	prom_printf("ibm,os-term: %x\n", token);
>>> +	if (token == 0)
>>> +		prom_panic("Could not get token for ibm,os-term\n");
>>> +	os_term_args.token = cpu_to_be32(token);
>>> +	prom_rtas_os_term_hcall((uint64_t)&os_term_args);
>>> +}
>>> +#endif /* CONFIG_PPC_SVM */
>>> +
>>>  /*
>>>   * Allocate room for and instantiate RTAS
>>>   */
>