psp-sev.h (29945B)
1/* SPDX-License-Identifier: GPL-2.0-only */ 2/* 3 * AMD Secure Encrypted Virtualization (SEV) driver interface 4 * 5 * Copyright (C) 2016-2017 Advanced Micro Devices, Inc. 6 * 7 * Author: Brijesh Singh <brijesh.singh@amd.com> 8 * 9 * SEV API spec is available at https://developer.amd.com/sev 10 */ 11 12#ifndef __PSP_SEV_H__ 13#define __PSP_SEV_H__ 14 15#include <linux/sev.h> 16 17#include <uapi/linux/psp-sev.h> 18 19#ifdef CONFIG_X86 20#include <linux/mem_encrypt.h> 21 22#define __psp_pa(x) __sme_pa(x) 23#else 24#define __psp_pa(x) __pa(x) 25#endif 26 27#define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ 28 29/** 30 * SEV platform state 31 */ 32enum sev_state { 33 SEV_STATE_UNINIT = 0x0, 34 SEV_STATE_INIT = 0x1, 35 SEV_STATE_WORKING = 0x2, 36 37 SEV_STATE_MAX 38}; 39 40/** 41 * SEV platform and guest management commands 42 */ 43enum sev_cmd { 44 /* platform commands */ 45 SEV_CMD_INIT = 0x001, 46 SEV_CMD_SHUTDOWN = 0x002, 47 SEV_CMD_FACTORY_RESET = 0x003, 48 SEV_CMD_PLATFORM_STATUS = 0x004, 49 SEV_CMD_PEK_GEN = 0x005, 50 SEV_CMD_PEK_CSR = 0x006, 51 SEV_CMD_PEK_CERT_IMPORT = 0x007, 52 SEV_CMD_PDH_CERT_EXPORT = 0x008, 53 SEV_CMD_PDH_GEN = 0x009, 54 SEV_CMD_DF_FLUSH = 0x00A, 55 SEV_CMD_DOWNLOAD_FIRMWARE = 0x00B, 56 SEV_CMD_GET_ID = 0x00C, 57 SEV_CMD_INIT_EX = 0x00D, 58 59 /* Guest commands */ 60 SEV_CMD_DECOMMISSION = 0x020, 61 SEV_CMD_ACTIVATE = 0x021, 62 SEV_CMD_DEACTIVATE = 0x022, 63 SEV_CMD_GUEST_STATUS = 0x023, 64 65 /* Guest launch commands */ 66 SEV_CMD_LAUNCH_START = 0x030, 67 SEV_CMD_LAUNCH_UPDATE_DATA = 0x031, 68 SEV_CMD_LAUNCH_UPDATE_VMSA = 0x032, 69 SEV_CMD_LAUNCH_MEASURE = 0x033, 70 SEV_CMD_LAUNCH_UPDATE_SECRET = 0x034, 71 SEV_CMD_LAUNCH_FINISH = 0x035, 72 SEV_CMD_ATTESTATION_REPORT = 0x036, 73 74 /* Guest migration commands (outgoing) */ 75 SEV_CMD_SEND_START = 0x040, 76 SEV_CMD_SEND_UPDATE_DATA = 0x041, 77 SEV_CMD_SEND_UPDATE_VMSA = 0x042, 78 SEV_CMD_SEND_FINISH = 0x043, 79 SEV_CMD_SEND_CANCEL = 0x044, 80 81 /* Guest migration commands (incoming) */ 82 SEV_CMD_RECEIVE_START = 0x050, 83 SEV_CMD_RECEIVE_UPDATE_DATA = 0x051, 84 SEV_CMD_RECEIVE_UPDATE_VMSA = 0x052, 85 SEV_CMD_RECEIVE_FINISH = 0x053, 86 87 /* Guest debug commands */ 88 SEV_CMD_DBG_DECRYPT = 0x060, 89 SEV_CMD_DBG_ENCRYPT = 0x061, 90 91 /* SNP specific commands */ 92 SEV_CMD_SNP_INIT = 0x81, 93 SEV_CMD_SNP_SHUTDOWN = 0x82, 94 SEV_CMD_SNP_PLATFORM_STATUS = 0x83, 95 SEV_CMD_SNP_DF_FLUSH = 0x84, 96 SEV_CMD_SNP_INIT_EX = 0x85, 97 SEV_CMD_SNP_SHUTDOWN_EX = 0x86, 98 SEV_CMD_SNP_DECOMMISSION = 0x90, 99 SEV_CMD_SNP_ACTIVATE = 0x91, 100 SEV_CMD_SNP_GUEST_STATUS = 0x92, 101 SEV_CMD_SNP_GCTX_CREATE = 0x93, 102 SEV_CMD_SNP_GUEST_REQUEST = 0x94, 103 SEV_CMD_SNP_ACTIVATE_EX = 0x95, 104 SEV_CMD_SNP_LAUNCH_START = 0xA0, 105 SEV_CMD_SNP_LAUNCH_UPDATE = 0xA1, 106 SEV_CMD_SNP_LAUNCH_FINISH = 0xA2, 107 SEV_CMD_SNP_DBG_DECRYPT = 0xB0, 108 SEV_CMD_SNP_DBG_ENCRYPT = 0xB1, 109 SEV_CMD_SNP_PAGE_SWAP_OUT = 0xC0, 110 SEV_CMD_SNP_PAGE_SWAP_IN = 0xC1, 111 SEV_CMD_SNP_PAGE_MOVE = 0xC2, 112 SEV_CMD_SNP_PAGE_MD_INIT = 0xC3, 113 SEV_CMD_SNP_PAGE_MD_RECLAIM = 0xC4, 114 SEV_CMD_SNP_PAGE_RO_RECLAIM = 0xC5, 115 SEV_CMD_SNP_PAGE_RO_RESTORE = 0xC6, 116 SEV_CMD_SNP_PAGE_RECLAIM = 0xC7, 117 SEV_CMD_SNP_PAGE_UNSMASH = 0xC8, 118 SEV_CMD_SNP_CONFIG = 0xC9, 119 120 SEV_CMD_MAX, 121}; 122 123/** 124 * struct sev_data_init - INIT command parameters 125 * 126 * @flags: processing flags 127 * @tmr_address: system physical address used for SEV-ES 128 * @tmr_len: len of tmr_address 129 */ 130struct sev_data_init { 131 u32 flags; /* In */ 132 u32 reserved; /* In */ 133 u64 tmr_address; /* In */ 134 u32 tmr_len; /* In */ 135} __packed; 136 137/** 138 * struct sev_data_init_ex - INIT_EX command parameters 139 * 140 * @length: len of the command buffer read by the PSP 141 * @flags: processing flags 142 * @tmr_address: system physical address used for SEV-ES 143 * @tmr_len: len of tmr_address 144 * @nv_address: system physical address used for PSP NV storage 145 * @nv_len: len of nv_address 146 */ 147struct sev_data_init_ex { 148 u32 length; /* In */ 149 u32 flags; /* In */ 150 u64 tmr_address; /* In */ 151 u32 tmr_len; /* In */ 152 u32 reserved; /* In */ 153 u64 nv_address; /* In/Out */ 154 u32 nv_len; /* In */ 155} __packed; 156 157#define SEV_INIT_FLAGS_SEV_ES 0x01 158 159/** 160 * struct sev_data_pek_csr - PEK_CSR command parameters 161 * 162 * @address: PEK certificate chain 163 * @len: len of certificate 164 */ 165struct sev_data_pek_csr { 166 u64 address; /* In */ 167 u32 len; /* In/Out */ 168} __packed; 169 170/** 171 * struct sev_data_cert_import - PEK_CERT_IMPORT command parameters 172 * 173 * @pek_address: PEK certificate chain 174 * @pek_len: len of PEK certificate 175 * @oca_address: OCA certificate chain 176 * @oca_len: len of OCA certificate 177 */ 178struct sev_data_pek_cert_import { 179 u64 pek_cert_address; /* In */ 180 u32 pek_cert_len; /* In */ 181 u32 reserved; /* In */ 182 u64 oca_cert_address; /* In */ 183 u32 oca_cert_len; /* In */ 184} __packed; 185 186/** 187 * struct sev_data_download_firmware - DOWNLOAD_FIRMWARE command parameters 188 * 189 * @address: physical address of firmware image 190 * @len: len of the firmware image 191 */ 192struct sev_data_download_firmware { 193 u64 address; /* In */ 194 u32 len; /* In */ 195} __packed; 196 197/** 198 * struct sev_data_get_id - GET_ID command parameters 199 * 200 * @address: physical address of region to place unique CPU ID(s) 201 * @len: len of the region 202 */ 203struct sev_data_get_id { 204 u64 address; /* In */ 205 u32 len; /* In/Out */ 206} __packed; 207/** 208 * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters 209 * 210 * @pdh_address: PDH certificate address 211 * @pdh_len: len of PDH certificate 212 * @cert_chain_address: PDH certificate chain 213 * @cert_chain_len: len of PDH certificate chain 214 */ 215struct sev_data_pdh_cert_export { 216 u64 pdh_cert_address; /* In */ 217 u32 pdh_cert_len; /* In/Out */ 218 u32 reserved; /* In */ 219 u64 cert_chain_address; /* In */ 220 u32 cert_chain_len; /* In/Out */ 221} __packed; 222 223/** 224 * struct sev_data_decommission - DECOMMISSION command parameters 225 * 226 * @handle: handle of the VM to decommission 227 */ 228struct sev_data_decommission { 229 u32 handle; /* In */ 230} __packed; 231 232/** 233 * struct sev_data_activate - ACTIVATE command parameters 234 * 235 * @handle: handle of the VM to activate 236 * @asid: asid assigned to the VM 237 */ 238struct sev_data_activate { 239 u32 handle; /* In */ 240 u32 asid; /* In */ 241} __packed; 242 243/** 244 * struct sev_data_deactivate - DEACTIVATE command parameters 245 * 246 * @handle: handle of the VM to deactivate 247 */ 248struct sev_data_deactivate { 249 u32 handle; /* In */ 250} __packed; 251 252/** 253 * struct sev_data_guest_status - SEV GUEST_STATUS command parameters 254 * 255 * @handle: handle of the VM to retrieve status 256 * @policy: policy information for the VM 257 * @asid: current ASID of the VM 258 * @state: current state of the VM 259 */ 260struct sev_data_guest_status { 261 u32 handle; /* In */ 262 u32 policy; /* Out */ 263 u32 asid; /* Out */ 264 u8 state; /* Out */ 265} __packed; 266 267/** 268 * struct sev_data_launch_start - LAUNCH_START command parameters 269 * 270 * @handle: handle assigned to the VM 271 * @policy: guest launch policy 272 * @dh_cert_address: physical address of DH certificate blob 273 * @dh_cert_len: len of DH certificate blob 274 * @session_address: physical address of session parameters 275 * @session_len: len of session parameters 276 */ 277struct sev_data_launch_start { 278 u32 handle; /* In/Out */ 279 u32 policy; /* In */ 280 u64 dh_cert_address; /* In */ 281 u32 dh_cert_len; /* In */ 282 u32 reserved; /* In */ 283 u64 session_address; /* In */ 284 u32 session_len; /* In */ 285} __packed; 286 287/** 288 * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameter 289 * 290 * @handle: handle of the VM to update 291 * @len: len of memory to be encrypted 292 * @address: physical address of memory region to encrypt 293 */ 294struct sev_data_launch_update_data { 295 u32 handle; /* In */ 296 u32 reserved; 297 u64 address; /* In */ 298 u32 len; /* In */ 299} __packed; 300 301/** 302 * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command 303 * 304 * @handle: handle of the VM 305 * @address: physical address of memory region to encrypt 306 * @len: len of memory region to encrypt 307 */ 308struct sev_data_launch_update_vmsa { 309 u32 handle; /* In */ 310 u32 reserved; 311 u64 address; /* In */ 312 u32 len; /* In */ 313} __packed; 314 315/** 316 * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters 317 * 318 * @handle: handle of the VM to process 319 * @address: physical address containing the measurement blob 320 * @len: len of measurement blob 321 */ 322struct sev_data_launch_measure { 323 u32 handle; /* In */ 324 u32 reserved; 325 u64 address; /* In */ 326 u32 len; /* In/Out */ 327} __packed; 328 329/** 330 * struct sev_data_launch_secret - LAUNCH_SECRET command parameters 331 * 332 * @handle: handle of the VM to process 333 * @hdr_address: physical address containing the packet header 334 * @hdr_len: len of packet header 335 * @guest_address: system physical address of guest memory region 336 * @guest_len: len of guest_paddr 337 * @trans_address: physical address of transport memory buffer 338 * @trans_len: len of transport memory buffer 339 */ 340struct sev_data_launch_secret { 341 u32 handle; /* In */ 342 u32 reserved1; 343 u64 hdr_address; /* In */ 344 u32 hdr_len; /* In */ 345 u32 reserved2; 346 u64 guest_address; /* In */ 347 u32 guest_len; /* In */ 348 u32 reserved3; 349 u64 trans_address; /* In */ 350 u32 trans_len; /* In */ 351} __packed; 352 353/** 354 * struct sev_data_launch_finish - LAUNCH_FINISH command parameters 355 * 356 * @handle: handle of the VM to process 357 */ 358struct sev_data_launch_finish { 359 u32 handle; /* In */ 360} __packed; 361 362/** 363 * struct sev_data_send_start - SEND_START command parameters 364 * 365 * @handle: handle of the VM to process 366 * @policy: policy information for the VM 367 * @pdh_cert_address: physical address containing PDH certificate 368 * @pdh_cert_len: len of PDH certificate 369 * @plat_certs_address: physical address containing platform certificate 370 * @plat_certs_len: len of platform certificate 371 * @amd_certs_address: physical address containing AMD certificate 372 * @amd_certs_len: len of AMD certificate 373 * @session_address: physical address containing Session data 374 * @session_len: len of session data 375 */ 376struct sev_data_send_start { 377 u32 handle; /* In */ 378 u32 policy; /* Out */ 379 u64 pdh_cert_address; /* In */ 380 u32 pdh_cert_len; /* In */ 381 u32 reserved1; 382 u64 plat_certs_address; /* In */ 383 u32 plat_certs_len; /* In */ 384 u32 reserved2; 385 u64 amd_certs_address; /* In */ 386 u32 amd_certs_len; /* In */ 387 u32 reserved3; 388 u64 session_address; /* In */ 389 u32 session_len; /* In/Out */ 390} __packed; 391 392/** 393 * struct sev_data_send_update - SEND_UPDATE_DATA command 394 * 395 * @handle: handle of the VM to process 396 * @hdr_address: physical address containing packet header 397 * @hdr_len: len of packet header 398 * @guest_address: physical address of guest memory region to send 399 * @guest_len: len of guest memory region to send 400 * @trans_address: physical address of host memory region 401 * @trans_len: len of host memory region 402 */ 403struct sev_data_send_update_data { 404 u32 handle; /* In */ 405 u32 reserved1; 406 u64 hdr_address; /* In */ 407 u32 hdr_len; /* In/Out */ 408 u32 reserved2; 409 u64 guest_address; /* In */ 410 u32 guest_len; /* In */ 411 u32 reserved3; 412 u64 trans_address; /* In */ 413 u32 trans_len; /* In */ 414} __packed; 415 416/** 417 * struct sev_data_send_update - SEND_UPDATE_VMSA command 418 * 419 * @handle: handle of the VM to process 420 * @hdr_address: physical address containing packet header 421 * @hdr_len: len of packet header 422 * @guest_address: physical address of guest memory region to send 423 * @guest_len: len of guest memory region to send 424 * @trans_address: physical address of host memory region 425 * @trans_len: len of host memory region 426 */ 427struct sev_data_send_update_vmsa { 428 u32 handle; /* In */ 429 u64 hdr_address; /* In */ 430 u32 hdr_len; /* In/Out */ 431 u32 reserved2; 432 u64 guest_address; /* In */ 433 u32 guest_len; /* In */ 434 u32 reserved3; 435 u64 trans_address; /* In */ 436 u32 trans_len; /* In */ 437} __packed; 438 439/** 440 * struct sev_data_send_finish - SEND_FINISH command parameters 441 * 442 * @handle: handle of the VM to process 443 */ 444struct sev_data_send_finish { 445 u32 handle; /* In */ 446} __packed; 447 448/** 449 * struct sev_data_send_cancel - SEND_CANCEL command parameters 450 * 451 * @handle: handle of the VM to process 452 */ 453struct sev_data_send_cancel { 454 u32 handle; /* In */ 455} __packed; 456 457/** 458 * struct sev_data_receive_start - RECEIVE_START command parameters 459 * 460 * @handle: handle of the VM to perform receive operation 461 * @pdh_cert_address: system physical address containing PDH certificate blob 462 * @pdh_cert_len: len of PDH certificate blob 463 * @session_address: system physical address containing session blob 464 * @session_len: len of session blob 465 */ 466struct sev_data_receive_start { 467 u32 handle; /* In/Out */ 468 u32 policy; /* In */ 469 u64 pdh_cert_address; /* In */ 470 u32 pdh_cert_len; /* In */ 471 u32 reserved1; 472 u64 session_address; /* In */ 473 u32 session_len; /* In */ 474} __packed; 475 476/** 477 * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters 478 * 479 * @handle: handle of the VM to update 480 * @hdr_address: physical address containing packet header blob 481 * @hdr_len: len of packet header 482 * @guest_address: system physical address of guest memory region 483 * @guest_len: len of guest memory region 484 * @trans_address: system physical address of transport buffer 485 * @trans_len: len of transport buffer 486 */ 487struct sev_data_receive_update_data { 488 u32 handle; /* In */ 489 u32 reserved1; 490 u64 hdr_address; /* In */ 491 u32 hdr_len; /* In */ 492 u32 reserved2; 493 u64 guest_address; /* In */ 494 u32 guest_len; /* In */ 495 u32 reserved3; 496 u64 trans_address; /* In */ 497 u32 trans_len; /* In */ 498} __packed; 499 500/** 501 * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters 502 * 503 * @handle: handle of the VM to update 504 * @hdr_address: physical address containing packet header blob 505 * @hdr_len: len of packet header 506 * @guest_address: system physical address of guest memory region 507 * @guest_len: len of guest memory region 508 * @trans_address: system physical address of transport buffer 509 * @trans_len: len of transport buffer 510 */ 511struct sev_data_receive_update_vmsa { 512 u32 handle; /* In */ 513 u32 reserved1; 514 u64 hdr_address; /* In */ 515 u32 hdr_len; /* In */ 516 u32 reserved2; 517 u64 guest_address; /* In */ 518 u32 guest_len; /* In */ 519 u32 reserved3; 520 u64 trans_address; /* In */ 521 u32 trans_len; /* In */ 522} __packed; 523 524/** 525 * struct sev_data_receive_finish - RECEIVE_FINISH command parameters 526 * 527 * @handle: handle of the VM to finish 528 */ 529struct sev_data_receive_finish { 530 u32 handle; /* In */ 531} __packed; 532 533/** 534 * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters 535 * 536 * @handle: handle of the VM to perform debug operation 537 * @src_addr: source address of data to operate on 538 * @dst_addr: destination address of data to operate on 539 * @len: len of data to operate on 540 */ 541struct sev_data_dbg { 542 u32 handle; /* In */ 543 u32 reserved; 544 u64 src_addr; /* In */ 545 u64 dst_addr; /* In */ 546 u32 len; /* In */ 547} __packed; 548 549/** 550 * struct sev_data_attestation_report - SEV_ATTESTATION_REPORT command parameters 551 * 552 * @handle: handle of the VM 553 * @mnonce: a random nonce that will be included in the report. 554 * @address: physical address where the report will be copied. 555 * @len: length of the physical buffer. 556 */ 557struct sev_data_attestation_report { 558 u32 handle; /* In */ 559 u32 reserved; 560 u64 address; /* In */ 561 u8 mnonce[16]; /* In */ 562 u32 len; /* In/Out */ 563} __packed; 564 565/** 566 * struct sev_data_snp_platform_status_buf - SNP_PLATFORM_STATUS command params 567 * 568 * @address: physical address where the status should be copied 569 */ 570struct sev_data_snp_platform_status_buf { 571 u64 status_paddr; /* In */ 572} __packed; 573 574/** 575 * struct sev_data_snp_download_firmware - SNP_DOWNLOAD_FIRMWARE command params 576 * 577 * @address: physical address of firmware image 578 * @len: len of the firmware image 579 */ 580struct sev_data_snp_download_firmware { 581 u64 address; /* In */ 582 u32 len; /* In */ 583} __packed; 584 585/** 586 * struct sev_data_snp_gctx_create - SNP_GCTX_CREATE command params 587 * 588 * @gctx_paddr: system physical address of the page donated to firmware by 589 * the hypervisor to contain the guest context. 590 */ 591struct sev_data_snp_gctx_create { 592 u64 gctx_paddr; /* In */ 593} __packed; 594 595/** 596 * struct sev_data_snp_activate - SNP_ACTIVATE command params 597 * 598 * @gctx_paddr: system physical address guest context page 599 * @asid: ASID to bind to the guest 600 */ 601struct sev_data_snp_activate { 602 u64 gctx_paddr; /* In */ 603 u32 asid; /* In */ 604} __packed; 605 606/** 607 * struct sev_data_snp_decommission - SNP_DECOMMISSION command params 608 * 609 * @address: system physical address guest context page 610 */ 611struct sev_data_snp_decommission { 612 u64 gctx_paddr; /* In */ 613} __packed; 614 615/** 616 * struct sev_data_snp_launch_start - SNP_LAUNCH_START command params 617 * 618 * @gctx_addr: system physical address of guest context page 619 * @policy: guest policy 620 * @ma_gctx_addr: system physical address of migration agent 621 * @imi_en: launch flow is launching an IMI for the purpose of 622 * guest-assisted migration. 623 * @ma_en: the guest is associated with a migration agent 624 */ 625struct sev_data_snp_launch_start { 626 u64 gctx_paddr; /* In */ 627 u64 policy; /* In */ 628 u64 ma_gctx_paddr; /* In */ 629 u32 ma_en:1; /* In */ 630 u32 imi_en:1; /* In */ 631 u32 rsvd:30; 632 u8 gosvw[16]; /* In */ 633} __packed; 634 635/* SNP support page type */ 636enum { 637 SNP_PAGE_TYPE_NORMAL = 0x1, 638 SNP_PAGE_TYPE_VMSA = 0x2, 639 SNP_PAGE_TYPE_ZERO = 0x3, 640 SNP_PAGE_TYPE_UNMEASURED = 0x4, 641 SNP_PAGE_TYPE_SECRET = 0x5, 642 SNP_PAGE_TYPE_CPUID = 0x6, 643 644 SNP_PAGE_TYPE_MAX 645}; 646 647/** 648 * struct sev_data_snp_launch_update - SNP_LAUNCH_UPDATE command params 649 * 650 * @gctx_addr: system physical address of guest context page 651 * @imi_page: indicates that this page is part of the IMI of the guest 652 * @page_type: encoded page type 653 * @page_size: page size 0 indicates 4K and 1 indicates 2MB page 654 * @address: system physical address of destination page to encrypt 655 * @vmpl1_perms: VMPL permission mask for VMPL1 656 * @vmpl2_perms: VMPL permission mask for VMPL2 657 * @vmpl3_perms: VMPL permission mask for VMPL3 658 */ 659struct sev_data_snp_launch_update { 660 u64 gctx_paddr; /* In */ 661 u32 page_size:1; /* In */ 662 u32 page_type:3; /* In */ 663 u32 imi_page:1; /* In */ 664 u32 rsvd:27; 665 u32 rsvd2; 666 u64 address; /* In */ 667 u32 rsvd3:8; 668 u32 vmpl1_perms:8; /* In */ 669 u32 vmpl2_perms:8; /* In */ 670 u32 vmpl3_perms:8; /* In */ 671 u32 rsvd4; 672} __packed; 673 674/** 675 * struct sev_data_snp_launch_finish - SNP_LAUNCH_FINISH command params 676 * 677 * @gctx_addr: system pphysical address of guest context page 678 */ 679struct sev_data_snp_launch_finish { 680 u64 gctx_paddr; 681 u64 id_block_paddr; 682 u64 id_auth_paddr; 683 u8 id_block_en:1; 684 u8 auth_key_en:1; 685 u64 rsvd:62; 686 u8 host_data[32]; 687} __packed; 688 689/** 690 * struct sev_data_snp_guest_status - SNP_GUEST_STATUS command params 691 * 692 * @gctx_paddr: system physical address of guest context page 693 * @address: system physical address of guest status page 694 */ 695struct sev_data_snp_guest_status { 696 u64 gctx_paddr; 697 u64 address; 698} __packed; 699 700/** 701 * struct sev_data_snp_page_reclaim - SNP_PAGE_RECLAIM command params 702 * 703 * @paddr: system physical address of page to be claimed. The BIT0 indicate 704 * the page size. 0h indicates 4 kB and 1h indicates 2 MB page. 705 */ 706struct sev_data_snp_page_reclaim { 707 u64 paddr; 708} __packed; 709 710/** 711 * struct sev_data_snp_page_unsmash - SNP_PAGE_UNMASH command params 712 * 713 * @paddr: system physical address of page to be unmashed. The BIT0 indicate 714 * the page size. 0h indicates 4 kB and 1h indicates 2 MB page. 715 */ 716struct sev_data_snp_page_unsmash { 717 u64 paddr; 718} __packed; 719 720/** 721 * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters 722 * 723 * @handle: handle of the VM to perform debug operation 724 * @src_addr: source address of data to operate on 725 * @dst_addr: destination address of data to operate on 726 * @len: len of data to operate on 727 */ 728struct sev_data_snp_dbg { 729 u64 gctx_paddr; /* In */ 730 u64 src_addr; /* In */ 731 u64 dst_addr; /* In */ 732 u32 len; /* In */ 733} __packed; 734 735/** 736 * struct sev_snp_guest_request - SNP_GUEST_REQUEST command params 737 * 738 * @gctx_paddr: system physical address of guest context page 739 * @req_paddr: system physical address of request page 740 * @res_paddr: system physical address of response page 741 */ 742struct sev_data_snp_guest_request { 743 u64 gctx_paddr; /* In */ 744 u64 req_paddr; /* In */ 745 u64 res_paddr; /* In */ 746} __packed; 747 748/** 749 * struct sev_data_snp_init - SNP_INIT_EX structure 750 * 751 * @init_rmp: indicate that the RMP should be initialized. 752 * @list_paddr_en: indicate that list_paddr is valid 753 * #list_paddr: system physical address of range list 754 */ 755struct sev_data_snp_init_ex { 756 u32 init_rmp:1; 757 u32 list_paddr_en:1; 758 u32 rsvd:30; 759 u32 rsvd1; 760 u64 list_paddr; 761 u8 rsvd2[48]; 762} __packed; 763 764/** 765 * struct sev_data_range - RANGE structure 766 * 767 * @base: system physical address of first byte of range 768 * @page_count: number of 4KB pages in this range 769 */ 770struct sev_data_range { 771 u64 base; 772 u32 page_count; 773 u32 rsvd; 774} __packed; 775 776/** 777 * struct sev_data_range_list - RANGE_LIST structure 778 * 779 * @num_elements: number of elements in RANGE_ARRAY 780 * @ranges: array of num_elements of type RANGE 781 */ 782struct sev_data_range_list { 783 u32 num_elements; 784 u32 rsvd; 785 struct sev_data_range ranges[0]; 786} __packed; 787 788/** 789 * struct sev_data_snp_shutdown_ex - SNP_SHUTDOWN_EX structure 790 * 791 * @length: len of the command buffer read by the PSP 792 * @iommu_snp_shutdown: Disable enforcement of SNP in the IOMMU 793 */ 794struct sev_data_snp_shutdown_ex { 795 u32 length; 796 u32 iommu_snp_shutdown:1; 797 u32 rsvd1:31; 798} __packed; 799 800#ifdef CONFIG_CRYPTO_DEV_SP_PSP 801 802/** 803 * sev_platform_init - perform SEV INIT command 804 * 805 * @error: SEV command return code 806 * 807 * Returns: 808 * 0 if the SEV successfully processed the command 809 * -%ENODEV if the SEV device is not available 810 * -%ENOTSUPP if the SEV does not support SEV 811 * -%ETIMEDOUT if the SEV command timed out 812 * -%EIO if the SEV returned a non-zero return code 813 */ 814int sev_platform_init(int *error); 815 816/** 817 * sev_snp_init - perform SEV SNP_INIT command 818 * 819 * @error: SEV command return code 820 * 821 * Returns: 822 * 0 if the SEV successfully processed the command 823 * -%ENODEV if the SEV device is not available 824 * -%ENOTSUPP if the SEV does not support SEV 825 * -%ETIMEDOUT if the SEV command timed out 826 * -%EIO if the SEV returned a non-zero return code 827 */ 828int sev_snp_init(int *error); 829 830/** 831 * sev_platform_status - perform SEV PLATFORM_STATUS command 832 * 833 * @status: sev_user_data_status structure to be processed 834 * @error: SEV command return code 835 * 836 * Returns: 837 * 0 if the SEV successfully processed the command 838 * -%ENODEV if the SEV device is not available 839 * -%ENOTSUPP if the SEV does not support SEV 840 * -%ETIMEDOUT if the SEV command timed out 841 * -%EIO if the SEV returned a non-zero return code 842 */ 843int sev_platform_status(struct sev_user_data_status *status, int *error); 844 845/** 846 * sev_issue_cmd_external_user - issue SEV command by other driver with a file 847 * handle. 848 * 849 * This function can be used by other drivers to issue a SEV command on 850 * behalf of userspace. The caller must pass a valid SEV file descriptor 851 * so that we know that it has access to SEV device. 852 * 853 * @filep - SEV device file pointer 854 * @cmd - command to issue 855 * @data - command buffer 856 * @error: SEV command return code 857 * 858 * Returns: 859 * 0 if the SEV successfully processed the command 860 * -%ENODEV if the SEV device is not available 861 * -%ENOTSUPP if the SEV does not support SEV 862 * -%ETIMEDOUT if the SEV command timed out 863 * -%EIO if the SEV returned a non-zero return code 864 * -%EINVAL if the SEV file descriptor is not valid 865 */ 866int sev_issue_cmd_external_user(struct file *filep, unsigned int id, 867 void *data, int *error); 868 869/** 870 * sev_guest_deactivate - perform SEV DEACTIVATE command 871 * 872 * @deactivate: sev_data_deactivate structure to be processed 873 * @sev_ret: sev command return code 874 * 875 * Returns: 876 * 0 if the sev successfully processed the command 877 * -%ENODEV if the sev device is not available 878 * -%ENOTSUPP if the sev does not support SEV 879 * -%ETIMEDOUT if the sev command timed out 880 * -%EIO if the sev returned a non-zero return code 881 */ 882int sev_guest_deactivate(struct sev_data_deactivate *data, int *error); 883 884/** 885 * sev_guest_activate - perform SEV ACTIVATE command 886 * 887 * @activate: sev_data_activate structure to be processed 888 * @sev_ret: sev command return code 889 * 890 * Returns: 891 * 0 if the sev successfully processed the command 892 * -%ENODEV if the sev device is not available 893 * -%ENOTSUPP if the sev does not support SEV 894 * -%ETIMEDOUT if the sev command timed out 895 * -%EIO if the sev returned a non-zero return code 896 */ 897int sev_guest_activate(struct sev_data_activate *data, int *error); 898 899/** 900 * sev_guest_df_flush - perform SEV DF_FLUSH command 901 * 902 * @sev_ret: sev command return code 903 * 904 * Returns: 905 * 0 if the sev successfully processed the command 906 * -%ENODEV if the sev device is not available 907 * -%ENOTSUPP if the sev does not support SEV 908 * -%ETIMEDOUT if the sev command timed out 909 * -%EIO if the sev returned a non-zero return code 910 */ 911int sev_guest_df_flush(int *error); 912 913/** 914 * sev_guest_decommission - perform SEV DECOMMISSION command 915 * 916 * @decommission: sev_data_decommission structure to be processed 917 * @sev_ret: sev command return code 918 * 919 * Returns: 920 * 0 if the sev successfully processed the command 921 * -%ENODEV if the sev device is not available 922 * -%ENOTSUPP if the sev does not support SEV 923 * -%ETIMEDOUT if the sev command timed out 924 * -%EIO if the sev returned a non-zero return code 925 */ 926int sev_guest_decommission(struct sev_data_decommission *data, int *error); 927 928/** 929 * snp_guest_df_flush - perform SNP DF_FLUSH command 930 * 931 * @sev_ret: sev command return code 932 * 933 * Returns: 934 * 0 if the sev successfully processed the command 935 * -%ENODEV if the sev device is not available 936 * -%ENOTSUPP if the sev does not support SEV 937 * -%ETIMEDOUT if the sev command timed out 938 * -%EIO if the sev returned a non-zero return code 939 */ 940int snp_guest_df_flush(int *error); 941 942/** 943 * snp_guest_decommission - perform SNP_DECOMMISSION command 944 * 945 * @decommission: sev_data_decommission structure to be processed 946 * @sev_ret: sev command return code 947 * 948 * Returns: 949 * 0 if the sev successfully processed the command 950 * -%ENODEV if the sev device is not available 951 * -%ENOTSUPP if the sev does not support SEV 952 * -%ETIMEDOUT if the sev command timed out 953 * -%EIO if the sev returned a non-zero return code 954 */ 955int snp_guest_decommission(struct sev_data_snp_decommission *data, int *error); 956 957/** 958 * snp_guest_page_reclaim - perform SNP_PAGE_RECLAIM command 959 * 960 * @decommission: sev_snp_page_reclaim structure to be processed 961 * @sev_ret: sev command return code 962 * 963 * Returns: 964 * 0 if the sev successfully processed the command 965 * -%ENODEV if the sev device is not available 966 * -%ENOTSUPP if the sev does not support SEV 967 * -%ETIMEDOUT if the sev command timed out 968 * -%EIO if the sev returned a non-zero return code 969 */ 970int snp_guest_page_reclaim(struct sev_data_snp_page_reclaim *data, int *error); 971 972/** 973 * snp_guest_dbg_decrypt_page - perform SEV SNP_DBG_DECRYPT command 974 * 975 * @sev_ret: sev command return code 976 * 977 * Returns: 978 * 0 if the sev successfully processed the command 979 * -%ENODEV if the sev device is not available 980 * -%ENOTSUPP if the sev does not support SEV 981 * -%ETIMEDOUT if the sev command timed out 982 * -%EIO if the sev returned a non-zero return code 983 */ 984int snp_guest_dbg_decrypt_page(u64 gctx_pfn, u64 src_pfn, u64 dst_pfn, int *error); 985 986void *psp_copy_user_blob(u64 uaddr, u32 len); 987void *snp_alloc_firmware_page(gfp_t mask); 988void snp_free_firmware_page(void *addr); 989 990/** 991 * snp_guest_ext_guest_request - perform the SNP extended guest request command 992 * defined in the GHCB specification. 993 * 994 * @data: the input guest request structure 995 * @vaddr: address where the certificate blob need to be copied. 996 * @npages: number of pages for the certificate blob. 997 * If the specified page count is less than the certificate blob size, then the 998 * required page count is returned with error code defined in the GHCB spec. 999 * If the specified page count is more than the certificate blob size, then 1000 * page count is updated to reflect the amount of valid data copied in the 1001 * vaddr. 1002 */ 1003int snp_guest_ext_guest_request(struct sev_data_snp_guest_request *data, 1004 unsigned long vaddr, unsigned long *npages, 1005 unsigned long *error); 1006 1007#else /* !CONFIG_CRYPTO_DEV_SP_PSP */ 1008 1009static inline int 1010sev_platform_status(struct sev_user_data_status *status, int *error) { return -ENODEV; } 1011 1012static inline int sev_platform_init(int *error) { return -ENODEV; } 1013 1014static inline int sev_snp_init(int *error) { return -ENODEV; } 1015 1016static inline int 1017sev_guest_deactivate(struct sev_data_deactivate *data, int *error) { return -ENODEV; } 1018 1019static inline int 1020sev_guest_decommission(struct sev_data_decommission *data, int *error) { return -ENODEV; } 1021 1022static inline int 1023sev_guest_activate(struct sev_data_activate *data, int *error) { return -ENODEV; } 1024 1025static inline int sev_guest_df_flush(int *error) { return -ENODEV; } 1026 1027static inline int 1028sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; } 1029 1030static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); } 1031 1032static inline int 1033snp_guest_decommission(struct sev_data_snp_decommission *data, int *error) { return -ENODEV; } 1034 1035static inline int snp_guest_df_flush(int *error) { return -ENODEV; } 1036 1037static inline int snp_guest_page_reclaim(struct sev_data_snp_page_reclaim *data, int *error) 1038{ 1039 return -ENODEV; 1040} 1041 1042static inline int snp_guest_dbg_decrypt_page(u64 gctx_pfn, u64 src_pfn, u64 dst_pfn, int *error) 1043{ 1044 return -ENODEV; 1045} 1046 1047static inline void *snp_alloc_firmware_page(gfp_t mask) 1048{ 1049 return NULL; 1050} 1051 1052static inline void snp_free_firmware_page(void *addr) { } 1053 1054static inline int snp_guest_ext_guest_request(struct sev_data_snp_guest_request *data, 1055 unsigned long vaddr, unsigned long *n, 1056 unsigned long *error) 1057{ 1058 return -ENODEV; 1059} 1060 1061#endif /* CONFIG_CRYPTO_DEV_SP_PSP */ 1062 1063#endif /* __PSP_SEV_H__ */