/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * AMD Secure Encrypted Virtualization (SEV) driver interface
 *
 * Copyright (C) 2016-2017 Advanced Micro Devices, Inc.
 *
 * Author: Brijesh Singh <brijesh.singh@amd.com>
 *
 * SEV API spec is available at https://developer.amd.com/sev
 *
 * The sev_data_* structures below are the command buffers handed to the
 * PSP firmware, so their layout is part of the firmware ABI: every one is
 * __packed, and the address members are u64 physical addresses (see
 * __psp_pa()), never kernel or user virtual pointers. The "In" / "Out" /
 * "In/Out" member comments record who writes a member: the caller before
 * the command is issued, the firmware as a result, or both. "reserved"
 * members are layout padding and are intentionally left undocumented
 * (presumably they must be zero - check the SEV API spec).
 */

#ifndef __PSP_SEV_H__
#define __PSP_SEV_H__

#include <uapi/linux/psp-sev.h>

#ifdef CONFIG_X86
#include <linux/mem_encrypt.h>

/*
 * Convert a kernel virtual address into the physical address the PSP
 * expects. On x86 this goes through __sme_pa() so that the SME
 * encryption-bit handling from mem_encrypt.h is applied; other
 * architectures use plain __pa().
 */
#define __psp_pa(x) __sme_pa(x)
#else
#define __psp_pa(x) __pa(x)
#endif

/*
 * Upper bound on the size of a firmware/certificate blob handled through
 * this interface.
 * NOTE(review): presumably the limit psp_copy_user_blob() applies to its
 * @len argument - confirm in the driver before relying on it.
 */
#define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */

/**
 * enum sev_state - SEV platform state
 *
 * State values as defined by the SEV API spec. @SEV_STATE_MAX is a
 * sentinel (one past the last valid state), not a state itself.
 */
enum sev_state {
	SEV_STATE_UNINIT = 0x0,
	SEV_STATE_INIT = 0x1,
	SEV_STATE_WORKING = 0x2,

	SEV_STATE_MAX
};

/**
 * enum sev_cmd - SEV platform and guest management commands
 *
 * Command identifiers sent to the PSP firmware; the numeric values are
 * fixed by the SEV API spec. @SEV_CMD_MAX is a sentinel, not a command.
 */
enum sev_cmd {
	/* platform commands */
	SEV_CMD_INIT = 0x001,
	SEV_CMD_SHUTDOWN = 0x002,
	SEV_CMD_FACTORY_RESET = 0x003,
	SEV_CMD_PLATFORM_STATUS = 0x004,
	SEV_CMD_PEK_GEN = 0x005,
	SEV_CMD_PEK_CSR = 0x006,
	SEV_CMD_PEK_CERT_IMPORT = 0x007,
	SEV_CMD_PDH_CERT_EXPORT = 0x008,
	SEV_CMD_PDH_GEN = 0x009,
	SEV_CMD_DF_FLUSH = 0x00A,
	SEV_CMD_DOWNLOAD_FIRMWARE = 0x00B,
	SEV_CMD_GET_ID = 0x00C,

	/* Guest commands */
	SEV_CMD_DECOMMISSION = 0x020,
	SEV_CMD_ACTIVATE = 0x021,
	SEV_CMD_DEACTIVATE = 0x022,
	SEV_CMD_GUEST_STATUS = 0x023,

	/* Guest launch commands */
	SEV_CMD_LAUNCH_START = 0x030,
	SEV_CMD_LAUNCH_UPDATE_DATA = 0x031,
	SEV_CMD_LAUNCH_UPDATE_VMSA = 0x032,
	SEV_CMD_LAUNCH_MEASURE = 0x033,
	SEV_CMD_LAUNCH_UPDATE_SECRET = 0x034,
	SEV_CMD_LAUNCH_FINISH = 0x035,

	/* Guest migration commands (outgoing) */
	SEV_CMD_SEND_START = 0x040,
	SEV_CMD_SEND_UPDATE_DATA = 0x041,
	SEV_CMD_SEND_UPDATE_VMSA = 0x042,
	SEV_CMD_SEND_FINISH = 0x043,

	/* Guest migration commands (incoming) */
	SEV_CMD_RECEIVE_START = 0x050,
	SEV_CMD_RECEIVE_UPDATE_DATA = 0x051,
	SEV_CMD_RECEIVE_UPDATE_VMSA = 0x052,
	SEV_CMD_RECEIVE_FINISH = 0x053,

	/* Guest debug commands */
	SEV_CMD_DBG_DECRYPT = 0x060,
	SEV_CMD_DBG_ENCRYPT = 0x061,

	SEV_CMD_MAX,
};

/**
 * struct sev_data_init - INIT command parameters
 *
 * @flags: processing flags (SEV_INIT_FLAGS_* bits)
 * @tmr_address: system physical address of the trusted memory region used
 *               for SEV-ES
 * @tmr_len: length in bytes of the region at @tmr_address
 */
struct sev_data_init {
	u32 flags;			/* In */
	u32 reserved;			/* In */
	u64 tmr_address;		/* In */
	u32 tmr_len;			/* In */
} __packed;

/* sev_data_init.flags: enable SEV-ES support */
#define SEV_INIT_FLAGS_SEV_ES	0x01

/**
 * struct sev_data_pek_csr - PEK_CSR command parameters
 *
 * @address: physical address of the buffer receiving the PEK certificate
 *           signing request
 * @len: on input the size of the buffer, on output the length written
 */
struct sev_data_pek_csr {
	u64 address;			/* In */
	u32 len;			/* In/Out */
} __packed;

/**
 * struct sev_data_pek_cert_import - PEK_CERT_IMPORT command parameters
 *
 * @pek_cert_address: physical address of the PEK certificate
 * @pek_cert_len: length of the PEK certificate
 * @oca_cert_address: physical address of the OCA certificate
 * @oca_cert_len: length of the OCA certificate
 */
struct sev_data_pek_cert_import {
	u64 pek_cert_address;		/* In */
	u32 pek_cert_len;		/* In */
	u32 reserved;			/* In */
	u64 oca_cert_address;		/* In */
	u32 oca_cert_len;		/* In */
} __packed;

/**
 * struct sev_data_download_firmware - DOWNLOAD_FIRMWARE command parameters
 *
 * @address: physical address of the firmware image
 * @len: length of the firmware image
 */
struct sev_data_download_firmware {
	u64 address;			/* In */
	u32 len;			/* In */
} __packed;

/**
 * struct sev_data_get_id - GET_ID command parameters
 *
 * @address: physical address of the region receiving the unique CPU ID(s)
 * @len: on input the size of the region, on output the length written
 */
struct sev_data_get_id {
	u64 address;			/* In */
	u32 len;			/* In/Out */
} __packed;

/**
 * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters
 *
 * @pdh_cert_address: physical address of the buffer receiving the PDH
 *                    certificate
 * @pdh_cert_len: on input the buffer size, on output the length written
 * @cert_chain_address: physical address of the buffer receiving the PDH
 *                      certificate chain
 * @cert_chain_len: on input the buffer size, on output the length written
 */
struct sev_data_pdh_cert_export {
	u64 pdh_cert_address;		/* In */
	u32 pdh_cert_len;		/* In/Out */
	u32 reserved;			/* In */
	u64 cert_chain_address;		/* In */
	u32 cert_chain_len;		/* In/Out */
} __packed;

/**
 * struct sev_data_decommission - DECOMMISSION command parameters
 *
 * @handle: handle of the VM to decommission
 */
struct sev_data_decommission {
	u32 handle;			/* In */
} __packed;

/**
 * struct sev_data_activate - ACTIVATE command parameters
 *
 * @handle: handle of the VM to activate
 * @asid: ASID assigned to the VM
 */
struct sev_data_activate {
	u32 handle;			/* In */
	u32 asid;			/* In */
} __packed;

/**
 * struct sev_data_deactivate - DEACTIVATE command parameters
 *
 * @handle: handle of the VM to deactivate
 */
struct sev_data_deactivate {
	u32 handle;			/* In */
} __packed;

/**
 * struct sev_data_guest_status - SEV GUEST_STATUS command parameters
 *
 * @handle: handle of the VM whose status is retrieved
 * @policy: policy information for the VM (written by the firmware)
 * @asid: current ASID of the VM (written by the firmware)
 * @state: current state of the VM (written by the firmware)
 */
struct sev_data_guest_status {
	u32 handle;			/* In */
	u32 policy;			/* Out */
	u32 asid;			/* Out */
	u8 state;			/* Out */
} __packed;

/**
 * struct sev_data_launch_start - LAUNCH_START command parameters
 *
 * @handle: on input an existing handle, on output the handle assigned to
 *          the VM
 * @policy: guest launch policy
 * @dh_cert_address: physical address of the DH certificate blob
 * @dh_cert_len: length of the DH certificate blob
 * @session_address: physical address of the session parameters
 * @session_len: length of the session parameters
 */
struct sev_data_launch_start {
	u32 handle;			/* In/Out */
	u32 policy;			/* In */
	u64 dh_cert_address;		/* In */
	u32 dh_cert_len;		/* In */
	u32 reserved;			/* In */
	u64 session_address;		/* In */
	u32 session_len;		/* In */
} __packed;

/**
 * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameters
 *
 * @handle: handle of the VM to update
 * @address: physical address of the memory region to encrypt
 * @len: length of the memory region to encrypt
 */
struct sev_data_launch_update_data {
	u32 handle;			/* In */
	u32 reserved;
	u64 address;			/* In */
	u32 len;			/* In */
} __packed;

/**
 * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command parameters
 *
 * @handle: handle of the VM
 * @address: physical address of the memory region to encrypt
 * @len: length of the memory region to encrypt
 */
struct sev_data_launch_update_vmsa {
	u32 handle;			/* In */
	u32 reserved;
	u64 address;			/* In */
	u32 len;			/* In */
} __packed;

/**
 * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters
 *
 * @handle: handle of the VM to process
 * @address: physical address of the buffer receiving the measurement blob
 * @len: on input the buffer size, on output the length of the measurement
 */
struct sev_data_launch_measure {
	u32 handle;			/* In */
	u32 reserved;
	u64 address;			/* In */
	u32 len;			/* In/Out */
} __packed;

/**
 * struct sev_data_launch_secret - LAUNCH_SECRET command parameters
 *
 * @handle: handle of the VM to process
 * @hdr_address: physical address of the packet header
 * @hdr_len: length of the packet header
 * @guest_address: system physical address of the guest memory region
 * @guest_len: length of the region at @guest_address
 * @trans_address: physical address of the transport memory buffer
 * @trans_len: length of the transport memory buffer
 */
struct sev_data_launch_secret {
	u32 handle;			/* In */
	u32 reserved1;
	u64 hdr_address;		/* In */
	u32 hdr_len;			/* In */
	u32 reserved2;
	u64 guest_address;		/* In */
	u32 guest_len;			/* In */
	u32 reserved3;
	u64 trans_address;		/* In */
	u32 trans_len;			/* In */
} __packed;

/**
 * struct sev_data_launch_finish - LAUNCH_FINISH command parameters
 *
 * @handle: handle of the VM to process
 */
struct sev_data_launch_finish {
	u32 handle;			/* In */
} __packed;

/**
 * struct sev_data_send_start - SEND_START command parameters
 *
 * @handle: handle of the VM to process
 * @policy: policy information for the VM (written by the firmware)
 * @pdh_cert_address: physical address of the PDH certificate
 * @pdh_cert_len: length of the PDH certificate
 * @plat_cert_address: physical address of the platform certificate
 * @plat_cert_len: length of the platform certificate
 * @amd_cert_address: physical address of the AMD certificate
 * @amd_cert_len: length of the AMD certificate
 * @session_address: physical address of the buffer receiving session data
 * @session_len: on input the buffer size, on output the length written
 */
struct sev_data_send_start {
	u32 handle;			/* In */
	u32 policy;			/* Out */
	u64 pdh_cert_address;		/* In */
	u32 pdh_cert_len;		/* In */
	u32 reserved1;
	u64 plat_cert_address;		/* In */
	u32 plat_cert_len;		/* In */
	u32 reserved2;
	u64 amd_cert_address;		/* In */
	u32 amd_cert_len;		/* In */
	u32 reserved3;
	u64 session_address;		/* In */
	u32 session_len;		/* In/Out */
} __packed;

/**
 * struct sev_data_send_update_data - SEND_UPDATE_DATA command parameters
 *
 * @handle: handle of the VM to process
 * @hdr_address: physical address of the buffer receiving the packet header
 * @hdr_len: on input the buffer size, on output the header length written
 * @guest_address: physical address of the guest memory region to send
 * @guest_len: length of the guest memory region to send
 * @trans_address: physical address of the host memory region
 * @trans_len: length of the host memory region
 */
struct sev_data_send_update_data {
	u32 handle;			/* In */
	u32 reserved1;
	u64 hdr_address;		/* In */
	u32 hdr_len;			/* In/Out */
	u32 reserved2;
	u64 guest_address;		/* In */
	u32 guest_len;			/* In */
	u32 reserved3;
	u64 trans_address;		/* In */
	u32 trans_len;			/* In */
} __packed;

/**
 * struct sev_data_send_update_vmsa - SEND_UPDATE_VMSA command parameters
 *
 * @handle: handle of the VM to process
 * @hdr_address: physical address of the buffer receiving the packet header
 * @hdr_len: on input the buffer size, on output the header length written
 * @guest_address: physical address of the guest memory region to send
 * @guest_len: length of the guest memory region to send
 * @trans_address: physical address of the host memory region
 * @trans_len: length of the host memory region
 *
 * NOTE(review): unlike struct sev_data_send_update_data there is no
 * reserved1 between @handle and @hdr_address, so with __packed
 * @hdr_address sits at offset 4 rather than 8. Confirm that layout
 * against the SEV API spec; a command buffer that disagrees with the
 * firmware's layout would hand it the wrong addresses.
 */
struct sev_data_send_update_vmsa {
	u32 handle;			/* In */
	u64 hdr_address;		/* In */
	u32 hdr_len;			/* In/Out */
	u32 reserved2;
	u64 guest_address;		/* In */
	u32 guest_len;			/* In */
	u32 reserved3;
	u64 trans_address;		/* In */
	u32 trans_len;			/* In */
} __packed;

/**
 * struct sev_data_send_finish - SEND_FINISH command parameters
 *
 * @handle: handle of the VM to process
 */
struct sev_data_send_finish {
	u32 handle;			/* In */
} __packed;

/**
 * struct sev_data_receive_start - RECEIVE_START command parameters
 *
 * @handle: on input an existing handle, on output the handle assigned to
 *          the VM being received
 * @policy: policy for the VM being received
 * @pdh_cert_address: system physical address of the PDH certificate blob
 * @pdh_cert_len: length of the PDH certificate blob
 * @session_address: system physical address of the session blob
 * @session_len: length of the session blob
 */
struct sev_data_receive_start {
	u32 handle;			/* In/Out */
	u32 policy;			/* In */
	u64 pdh_cert_address;		/* In */
	u32 pdh_cert_len;		/* In */
	u32 reserved1;
	u64 session_address;		/* In */
	u32 session_len;		/* In */
} __packed;

/**
 * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters
 *
 * @handle: handle of the VM to update
 * @hdr_address: physical address of the packet header blob
 * @hdr_len: length of the packet header
 * @guest_address: system physical address of the guest memory region
 * @guest_len: length of the guest memory region
 * @trans_address: system physical address of the transport buffer
 * @trans_len: length of the transport buffer
 */
struct sev_data_receive_update_data {
	u32 handle;			/* In */
	u32 reserved1;
	u64 hdr_address;		/* In */
	u32 hdr_len;			/* In */
	u32 reserved2;
	u64 guest_address;		/* In */
	u32 guest_len;			/* In */
	u32 reserved3;
	u64 trans_address;		/* In */
	u32 trans_len;			/* In */
} __packed;

/**
 * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters
 *
 * @handle: handle of the VM to update
 * @hdr_address: physical address of the packet header blob
 * @hdr_len: length of the packet header
 * @guest_address: system physical address of the guest memory region
 * @guest_len: length of the guest memory region
 * @trans_address: system physical address of the transport buffer
 * @trans_len: length of the transport buffer
 */
struct sev_data_receive_update_vmsa {
	u32 handle;			/* In */
	u32 reserved1;
	u64 hdr_address;		/* In */
	u32 hdr_len;			/* In */
	u32 reserved2;
	u64 guest_address;		/* In */
	u32 guest_len;			/* In */
	u32 reserved3;
	u64 trans_address;		/* In */
	u32 trans_len;			/* In */
} __packed;

/**
 * struct sev_data_receive_finish - RECEIVE_FINISH command parameters
 *
 * @handle: handle of the VM to finish
 */
struct sev_data_receive_finish {
	u32 handle;			/* In */
} __packed;

/**
 * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters
 *
 * @handle: handle of the VM to perform the debug operation on
 * @src_addr: source address of the data to operate on
 * @dst_addr: destination address of the data to operate on
 * @len: length of the data to operate on
 *
 * Both debug commands move guest memory contents across the encryption
 * boundary; whether the firmware permits them for a given VM is governed
 * by that VM's policy (see the SEV API spec), not by this header.
 */
struct sev_data_dbg {
	u32 handle;			/* In */
	u32 reserved;
	u64 src_addr;			/* In */
	u64 dst_addr;			/* In */
	u32 len;			/* In */
} __packed;

#ifdef CONFIG_CRYPTO_DEV_SP_PSP

/**
 * sev_platform_init - perform SEV INIT command
 *
 * @error: SEV command return code
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV if the SEV device is not available
 * -%ENOTSUPP if the platform does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO if the SEV returned a non-zero return code
 */
int sev_platform_init(int *error);

/**
 * sev_platform_status - perform SEV PLATFORM_STATUS command
 *
 * @status: sev_user_data_status structure to be filled in
 * @error: SEV command return code
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV if the SEV device is not available
 * -%ENOTSUPP if the platform does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO if the SEV returned a non-zero return code
 */
int sev_platform_status(struct sev_user_data_status *status, int *error);

/**
 * sev_issue_cmd_external_user - issue SEV command by other driver with a file
 * handle.
 *
 * This function can be used by other drivers to issue a SEV command on
 * behalf of userspace. The caller must pass a valid SEV file descriptor:
 * the open file is the proof that the requesting process was granted
 * access to the SEV device, and the call is rejected without it.
 *
 * @filep: SEV device file pointer
 * @id: command to issue (one of enum sev_cmd)
 * @data: command buffer (the matching sev_data_* structure)
 * @error: SEV command return code
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV if the SEV device is not available
 * -%ENOTSUPP if the platform does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO if the SEV returned a non-zero return code
 * -%EINVAL if the SEV file descriptor is not valid
 */
int sev_issue_cmd_external_user(struct file *filep, unsigned int id,
				void *data, int *error);

/**
 * sev_guest_deactivate - perform SEV DEACTIVATE command
 *
 * @data: sev_data_deactivate structure to be processed
 * @error: SEV command return code
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV if the SEV device is not available
 * -%ENOTSUPP if the platform does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO if the SEV returned a non-zero return code
 */
int sev_guest_deactivate(struct sev_data_deactivate *data, int *error);

/**
 * sev_guest_activate - perform SEV ACTIVATE command
 *
 * @data: sev_data_activate structure to be processed
 * @error: SEV command return code
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV if the SEV device is not available
 * -%ENOTSUPP if the platform does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO if the SEV returned a non-zero return code
 */
int sev_guest_activate(struct sev_data_activate *data, int *error);

/**
 * sev_guest_df_flush - perform SEV DF_FLUSH command
 *
 * @error: SEV command return code
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV if the SEV device is not available
 * -%ENOTSUPP if the platform does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO if the SEV returned a non-zero return code
 */
int sev_guest_df_flush(int *error);

/**
 * sev_guest_decommission - perform SEV DECOMMISSION command
 *
 * @data: sev_data_decommission structure to be processed
 * @error: SEV command return code
 *
 * Returns:
 * 0 if the SEV successfully processed the command
 * -%ENODEV if the SEV device is not available
 * -%ENOTSUPP if the platform does not support SEV
 * -%ETIMEDOUT if the SEV command timed out
 * -%EIO if the SEV returned a non-zero return code
 */
int sev_guest_decommission(struct sev_data_decommission *data, int *error);

/**
 * psp_copy_user_blob - copy a userspace blob into a kernel buffer
 *
 * @uaddr: userspace address of the blob
 * @len: length of the blob in bytes
 *
 * Returns: the kernel copy, or an ERR_PTR() on failure; check the result
 * with IS_ERR(). The !CONFIG_CRYPTO_DEV_SP_PSP stub returns
 * ERR_PTR(-EINVAL).
 *
 * NOTE(review): ownership of the returned buffer (who frees it) and the
 * bound applied to @len are not visible in this header - confirm in the
 * driver; SEV_FW_BLOB_MAX_SIZE looks like the intended limit. Also, the
 * stub below declares @uaddr as "u64 __user" while this prototype does
 * not; __user is an address-space annotation for pointers and the two
 * declarations should agree.
 */
void *psp_copy_user_blob(u64 uaddr, u32 len);

#else	/* !CONFIG_CRYPTO_DEV_SP_PSP */

/*
 * Stubs for kernels built without the PSP driver: every entry point
 * reports -ENODEV so callers can treat the platform as having no SEV
 * device, and psp_copy_user_blob() returns ERR_PTR(-EINVAL).
 */

static inline int
sev_platform_status(struct sev_user_data_status *status, int *error) { return -ENODEV; }

static inline int sev_platform_init(int *error) { return -ENODEV; }

static inline int
sev_guest_deactivate(struct sev_data_deactivate *data, int *error) { return -ENODEV; }

static inline int
sev_guest_decommission(struct sev_data_decommission *data, int *error) { return -ENODEV; }

static inline int
sev_guest_activate(struct sev_data_activate *data, int *error) { return -ENODEV; }

static inline int sev_guest_df_flush(int *error) { return -ENODEV; }

static inline int
sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; }

static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); }

#endif	/* CONFIG_CRYPTO_DEV_SP_PSP */

#endif	/* __PSP_SEV_H__ */