Message ID | 20190521044912.1375-4-bauerman@linux.ibm.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | Secure Virtual Machine Enablement | expand |
Context | Check | Description |
---|---|---|
snowpatch_ozlabs/apply_patch | warning | Failed to apply on branch next (8150a153c013aa2dd1ffae43370b89ac1347a7fb) |
snowpatch_ozlabs/apply_patch | fail | Failed to apply to any branch |
On 21/05/2019 14:49, Thiago Jung Bauermann wrote: > From: Ram Pai <linuxram@us.ibm.com> > > Make the Enter-Secure-Mode (ESM) ultravisor call to switch the VM to secure > mode. Add "svm=" command line option to turn off switching to secure mode. > Introduce CONFIG_PPC_SVM to control support for secure guests. > > Signed-off-by: Ram Pai <linuxram@us.ibm.com> > [ Generate an RTAS os-term hcall when the ESM ucall fails. ] > Signed-off-by: Michael Anderson <andmike@linux.ibm.com> > [ Cleaned up the code a bit. ] > Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> > --- > .../admin-guide/kernel-parameters.txt | 5 + > arch/powerpc/include/asm/ultravisor-api.h | 1 + > arch/powerpc/kernel/prom_init.c | 124 ++++++++++++++++++ > 3 files changed, 130 insertions(+) > > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index c45a19d654f3..7237d86b25c6 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -4501,6 +4501,11 @@ > /sys/power/pm_test). Only available when CONFIG_PM_DEBUG > is set. Default value is 5. > > + svm= [PPC] > + Format: { on | off | y | n | 1 | 0 } > + This parameter controls use of the Protected > + Execution Facility on pSeries. > + > swapaccount=[0|1] > [KNL] Enable accounting of swap in memory resource > controller if no parameter or 1 is given or disable > diff --git a/arch/powerpc/include/asm/ultravisor-api.h b/arch/powerpc/include/asm/ultravisor-api.h > index 15e6ce77a131..0e8b72081718 100644 > --- a/arch/powerpc/include/asm/ultravisor-api.h > +++ b/arch/powerpc/include/asm/ultravisor-api.h > @@ -19,6 +19,7 @@ > > /* opcodes */ > #define UV_WRITE_PATE 0xF104 > +#define UV_ESM 0xF110 > #define UV_RETURN 0xF11C > > #endif /* _ASM_POWERPC_ULTRAVISOR_API_H */ > diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c > index 523bb99d7676..5d8a3efb54f2 100644 > --- a/arch/powerpc/kernel/prom_init.c > +++ b/arch/powerpc/kernel/prom_init.c > @@ -44,6 +44,7 @@ > #include <asm/sections.h> > #include <asm/machdep.h> > #include <asm/asm-prototypes.h> > +#include <asm/ultravisor-api.h> > > #include <linux/linux_logo.h> > > @@ -174,6 +175,10 @@ static unsigned long __prombss prom_tce_alloc_end; > static bool __prombss prom_radix_disable; > #endif > > +#ifdef CONFIG_PPC_SVM > +static bool __prombss prom_svm_disable; > +#endif > + > struct platform_support { > bool hash_mmu; > bool radix_mmu; > @@ -809,6 +814,17 @@ static void __init early_cmdline_parse(void) > if (prom_radix_disable) > prom_debug("Radix disabled from cmdline\n"); > #endif /* CONFIG_PPC_PSERIES */ > + > +#ifdef CONFIG_PPC_SVM > + opt = prom_strstr(prom_cmd_line, "svm="); > + if (opt) { > + bool val; > + > + opt += sizeof("svm=") - 1; > + if (!prom_strtobool(opt, &val)) > + prom_svm_disable = !val; > + } > +#endif /* CONFIG_PPC_SVM */ > } > > #ifdef CONFIG_PPC_PSERIES > @@ -1707,6 +1723,43 @@ static void __init prom_close_stdin(void) > } > } > > +#ifdef CONFIG_PPC_SVM > +static int prom_rtas_os_term_hcall(uint64_t args) This is just an rtas hcall, nothing special about "os-term". > +{ > + register uint64_t arg1 asm("r3") = 0xf000; > + register uint64_t arg2 asm("r4") = args; > + > + asm volatile("sc 1\n" : "=r" (arg1) : > + "r" (arg1), > + "r" (arg2) :); > + return arg1; > +} > + > +static struct rtas_args __prombss os_term_args; > + > +static void __init prom_rtas_os_term(char *str) > +{ > + phandle rtas_node; > + __be32 val; > + u32 token; > + > + prom_printf("%s: start...\n", __func__); > + rtas_node = call_prom("finddevice", 1, 1, ADDR("/rtas")); > + prom_printf("rtas_node: %x\n", rtas_node); > + if (!PHANDLE_VALID(rtas_node)) > + return; > + > + val = 0; > + prom_getprop(rtas_node, "ibm,os-term", &val, sizeof(val)); > + token = be32_to_cpu(val); > + prom_printf("ibm,os-term: %x\n", token); > + if (token == 0) > + prom_panic("Could not get token for ibm,os-term\n"); > + os_term_args.token = cpu_to_be32(token); > + prom_rtas_os_term_hcall((uint64_t)&os_term_args); > +} > +#endif /* CONFIG_PPC_SVM */ > + > /* > * Allocate room for and instantiate RTAS > */ > @@ -3162,6 +3215,74 @@ static void unreloc_toc(void) > #endif > #endif > > +#ifdef CONFIG_PPC_SVM > +/* > + * The ESM blob is a data structure with information needed by the Ultravisor to > + * validate the integrity of the secure guest. > + */ > +static void *get_esm_blob(void) > +{ > + /* > + * FIXME: We are still finalizing the details on how prom_init will grab > + * the ESM blob. When that is done, this function will be updated. > + */ > + return (void *)0xdeadbeef; > +} > + > +/* > + * Perform the Enter Secure Mode ultracall. > + */ > +static int enter_secure_mode(void *esm_blob, void *retaddr, void *fdt) > +{ > + register uint64_t func asm("r0") = UV_ESM; > + register uint64_t arg1 asm("r3") = (uint64_t)esm_blob; > + register uint64_t arg2 asm("r4") = (uint64_t)retaddr; > + register uint64_t arg3 asm("r5") = (uint64_t)fdt; > + > + asm volatile("sc 2\n" > + : "=r"(arg1) > + : "r"(func), "0"(arg1), "r"(arg2), "r"(arg3) > + :); > + > + return (int)arg1; > +} > + > +/* > + * Call the Ultravisor to transfer us to secure memory if we have an ESM blob. > + */ > +static void setup_secure_guest(void *fdt) > +{ > + void *esm_blob; > + int ret; > + > + if (prom_svm_disable) { > + prom_printf("Secure mode is OFF\n"); > + return; > + } > + > + esm_blob = get_esm_blob(); > + if (esm_blob == NULL) > + /* > + * Absence of an ESM blob isn't an error, it just means we > + * shouldn't switch to secure mode. > + */ > + return; > + > + /* Switch to secure mode. */ > + prom_printf("Switching to secure mode.\n"); > + > + ret = enter_secure_mode(esm_blob, NULL, fdt); > + if (ret != U_SUCCESS) { > + prom_printf("Returned %d from switching to secure mode.\n", ret); > + prom_rtas_os_term("Switch to secure mode failed.\n"); > + } > +} > +#else > +static void setup_secure_guest(void *fdt) > +{ > +} > +#endif /* CONFIG_PPC_SVM */ > + > /* > * We enter here early on, when the Open Firmware prom is still > * handling exceptions and the MMU hash table for us. > @@ -3360,6 +3481,9 @@ unsigned long __init prom_init(unsigned long r3, unsigned long r4, > unreloc_toc(); > #endif > > + /* Move to secure memory if we're supposed to be secure guests. */ > + setup_secure_guest((void *)hdr); > + > __start(hdr, kbase, 0, 0, 0, 0, 0); > > return 0; >
Hello Alexey, Thanks for reviewing this patch! Alexey Kardashevskiy <aik@ozlabs.ru> writes: > On 21/05/2019 14:49, Thiago Jung Bauermann wrote: >> @@ -1707,6 +1723,43 @@ static void __init prom_close_stdin(void) >> } >> } >> >> +#ifdef CONFIG_PPC_SVM >> +static int prom_rtas_os_term_hcall(uint64_t args) > > > This is just an rtas hcall, nothing special about "os-term". Sorry, unfortunately I don't understand how we're treating os-term especially. Do you mean that we should inline this function directly into prom_rtas_os_term()? >> +{ >> + register uint64_t arg1 asm("r3") = 0xf000; >> + register uint64_t arg2 asm("r4") = args; >> + >> + asm volatile("sc 1\n" : "=r" (arg1) : >> + "r" (arg1), >> + "r" (arg2) :); >> + return arg1; >> +} >> + >> +static struct rtas_args __prombss os_term_args; >> + >> +static void __init prom_rtas_os_term(char *str) >> +{ >> + phandle rtas_node; >> + __be32 val; >> + u32 token; >> + >> + prom_printf("%s: start...\n", __func__); >> + rtas_node = call_prom("finddevice", 1, 1, ADDR("/rtas")); >> + prom_printf("rtas_node: %x\n", rtas_node); >> + if (!PHANDLE_VALID(rtas_node)) >> + return; >> + >> + val = 0; >> + prom_getprop(rtas_node, "ibm,os-term", &val, sizeof(val)); >> + token = be32_to_cpu(val); >> + prom_printf("ibm,os-term: %x\n", token); >> + if (token == 0) >> + prom_panic("Could not get token for ibm,os-term\n"); >> + os_term_args.token = cpu_to_be32(token); >> + prom_rtas_os_term_hcall((uint64_t)&os_term_args); >> +} >> +#endif /* CONFIG_PPC_SVM */ >> + >> /* >> * Allocate room for and instantiate RTAS >> */
On 29/06/2019 08:33, Thiago Jung Bauermann wrote: > > Hello Alexey, > > Thanks for reviewing this patch! > > Alexey Kardashevskiy <aik@ozlabs.ru> writes: > >> On 21/05/2019 14:49, Thiago Jung Bauermann wrote: >>> @@ -1707,6 +1723,43 @@ static void __init prom_close_stdin(void) >>> } >>> } >>> >>> +#ifdef CONFIG_PPC_SVM >>> +static int prom_rtas_os_term_hcall(uint64_t args) >> >> >> This is just an rtas hcall, nothing special about "os-term". > > Sorry, unfortunately I don't understand how we're treating os-term > especially. Do you mean that we should inline this function directly > into prom_rtas_os_term()? I meant the function name - prom_rtas_os_term_hcall - should rather be prom_rtas_hcall. > >>> +{ >>> + register uint64_t arg1 asm("r3") = 0xf000; >>> + register uint64_t arg2 asm("r4") = args; >>> + >>> + asm volatile("sc 1\n" : "=r" (arg1) : >>> + "r" (arg1), >>> + "r" (arg2) :); >>> + return arg1; >>> +} >>> + >>> +static struct rtas_args __prombss os_term_args; >>> + >>> +static void __init prom_rtas_os_term(char *str) >>> +{ >>> + phandle rtas_node; >>> + __be32 val; >>> + u32 token; >>> + >>> + prom_printf("%s: start...\n", __func__); >>> + rtas_node = call_prom("finddevice", 1, 1, ADDR("/rtas")); >>> + prom_printf("rtas_node: %x\n", rtas_node); >>> + if (!PHANDLE_VALID(rtas_node)) >>> + return; >>> + >>> + val = 0; >>> + prom_getprop(rtas_node, "ibm,os-term", &val, sizeof(val)); >>> + token = be32_to_cpu(val); >>> + prom_printf("ibm,os-term: %x\n", token); >>> + if (token == 0) >>> + prom_panic("Could not get token for ibm,os-term\n"); >>> + os_term_args.token = cpu_to_be32(token); >>> + prom_rtas_os_term_hcall((uint64_t)&os_term_args); >>> +} >>> +#endif /* CONFIG_PPC_SVM */ >>> + >>> /* >>> * Allocate room for and instantiate RTAS >>> */ >
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index c45a19d654f3..7237d86b25c6 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4501,6 +4501,11 @@ /sys/power/pm_test). Only available when CONFIG_PM_DEBUG is set. Default value is 5. + svm= [PPC] + Format: { on | off | y | n | 1 | 0 } + This parameter controls use of the Protected + Execution Facility on pSeries. + swapaccount=[0|1] [KNL] Enable accounting of swap in memory resource controller if no parameter or 1 is given or disable diff --git a/arch/powerpc/include/asm/ultravisor-api.h b/arch/powerpc/include/asm/ultravisor-api.h index 15e6ce77a131..0e8b72081718 100644 --- a/arch/powerpc/include/asm/ultravisor-api.h +++ b/arch/powerpc/include/asm/ultravisor-api.h @@ -19,6 +19,7 @@ /* opcodes */ #define UV_WRITE_PATE 0xF104 +#define UV_ESM 0xF110 #define UV_RETURN 0xF11C #endif /* _ASM_POWERPC_ULTRAVISOR_API_H */ diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c index 523bb99d7676..5d8a3efb54f2 100644 --- a/arch/powerpc/kernel/prom_init.c +++ b/arch/powerpc/kernel/prom_init.c @@ -44,6 +44,7 @@ #include <asm/sections.h> #include <asm/machdep.h> #include <asm/asm-prototypes.h> +#include <asm/ultravisor-api.h> #include <linux/linux_logo.h> @@ -174,6 +175,10 @@ static unsigned long __prombss prom_tce_alloc_end; static bool __prombss prom_radix_disable; #endif +#ifdef CONFIG_PPC_SVM +static bool __prombss prom_svm_disable; +#endif + struct platform_support { bool hash_mmu; bool radix_mmu; @@ -809,6 +814,17 @@ static void __init early_cmdline_parse(void) if (prom_radix_disable) prom_debug("Radix disabled from cmdline\n"); #endif /* CONFIG_PPC_PSERIES */ + +#ifdef CONFIG_PPC_SVM + opt = prom_strstr(prom_cmd_line, "svm="); + if (opt) { + bool val; + + opt += sizeof("svm=") - 1; + if (!prom_strtobool(opt, &val)) + prom_svm_disable = !val; + } +#endif /* CONFIG_PPC_SVM */ } #ifdef CONFIG_PPC_PSERIES @@ -1707,6 +1723,43 @@ static void __init prom_close_stdin(void) } } +#ifdef CONFIG_PPC_SVM +static int prom_rtas_os_term_hcall(uint64_t args) +{ + register uint64_t arg1 asm("r3") = 0xf000; + register uint64_t arg2 asm("r4") = args; + + asm volatile("sc 1\n" : "=r" (arg1) : + "r" (arg1), + "r" (arg2) :); + return arg1; +} + +static struct rtas_args __prombss os_term_args; + +static void __init prom_rtas_os_term(char *str) +{ + phandle rtas_node; + __be32 val; + u32 token; + + prom_printf("%s: start...\n", __func__); + rtas_node = call_prom("finddevice", 1, 1, ADDR("/rtas")); + prom_printf("rtas_node: %x\n", rtas_node); + if (!PHANDLE_VALID(rtas_node)) + return; + + val = 0; + prom_getprop(rtas_node, "ibm,os-term", &val, sizeof(val)); + token = be32_to_cpu(val); + prom_printf("ibm,os-term: %x\n", token); + if (token == 0) + prom_panic("Could not get token for ibm,os-term\n"); + os_term_args.token = cpu_to_be32(token); + prom_rtas_os_term_hcall((uint64_t)&os_term_args); +} +#endif /* CONFIG_PPC_SVM */ + /* * Allocate room for and instantiate RTAS */ @@ -3162,6 +3215,74 @@ static void unreloc_toc(void) #endif #endif +#ifdef CONFIG_PPC_SVM +/* + * The ESM blob is a data structure with information needed by the Ultravisor to + * validate the integrity of the secure guest. + */ +static void *get_esm_blob(void) +{ + /* + * FIXME: We are still finalizing the details on how prom_init will grab + * the ESM blob. When that is done, this function will be updated. + */ + return (void *)0xdeadbeef; +} + +/* + * Perform the Enter Secure Mode ultracall. + */ +static int enter_secure_mode(void *esm_blob, void *retaddr, void *fdt) +{ + register uint64_t func asm("r0") = UV_ESM; + register uint64_t arg1 asm("r3") = (uint64_t)esm_blob; + register uint64_t arg2 asm("r4") = (uint64_t)retaddr; + register uint64_t arg3 asm("r5") = (uint64_t)fdt; + + asm volatile("sc 2\n" + : "=r"(arg1) + : "r"(func), "0"(arg1), "r"(arg2), "r"(arg3) + :); + + return (int)arg1; +} + +/* + * Call the Ultravisor to transfer us to secure memory if we have an ESM blob. + */ +static void setup_secure_guest(void *fdt) +{ + void *esm_blob; + int ret; + + if (prom_svm_disable) { + prom_printf("Secure mode is OFF\n"); + return; + } + + esm_blob = get_esm_blob(); + if (esm_blob == NULL) + /* + * Absence of an ESM blob isn't an error, it just means we + * shouldn't switch to secure mode. + */ + return; + + /* Switch to secure mode. */ + prom_printf("Switching to secure mode.\n"); + + ret = enter_secure_mode(esm_blob, NULL, fdt); + if (ret != U_SUCCESS) { + prom_printf("Returned %d from switching to secure mode.\n", ret); + prom_rtas_os_term("Switch to secure mode failed.\n"); + } +} +#else +static void setup_secure_guest(void *fdt) +{ +} +#endif /* CONFIG_PPC_SVM */ + /* * We enter here early on, when the Open Firmware prom is still * handling exceptions and the MMU hash table for us. @@ -3360,6 +3481,9 @@ unsigned long __init prom_init(unsigned long r3, unsigned long r4, unreloc_toc(); #endif + /* Move to secure memory if we're supposed to be secure guests. */ + setup_secure_guest((void *)hdr); + __start(hdr, kbase, 0, 0, 0, 0, 0); return 0;