1// SPDX-License-Identifier: GPL-2.0
2/*
3 *  Copyright IBM Corp. 2022
4 *  Author(s): Steffen Eiden <seiden@linux.ibm.com>
5 *
6 *  This file provides a Linux misc device to give userspace access to some
7 *  Ultravisor (UV) functions. The device only accepts IOCTLs and will only
8 *  be present if the Ultravisor facility (158) is present.
9 *
10 *  When userspace sends a valid IOCTL uvdevice will copy the input data to
11 *  kernel space, do some basic validity checks to avoid kernel/system
12 *  corruption. Any other check that the Ultravisor does will not be done by
13 *  the uvdevice to keep changes minimal when adding new functionalities
14 *  to existing UV-calls.
15 *  After the checks uvdevice builds a corresponding
16 *  Ultravisor Call Control Block, and sends the request to the Ultravisor.
17 *  Then, it copies the response, including the return codes, back to userspace.
18 *  It is the responsibility of the userspace to check for any error issued
19 *  by UV and to interpret the UV response. The uvdevice acts as a communication
20 *  channel for userspace to the Ultravisor.
21 */
22
23#include <linux/module.h>
24#include <linux/kernel.h>
25#include <linux/miscdevice.h>
26#include <linux/types.h>
27#include <linux/stddef.h>
28#include <linux/vmalloc.h>
29#include <linux/slab.h>
30#include <linux/cpufeature.h>
31
32#include <asm/uvdevice.h>
33#include <asm/uv.h>
34
35#define BIT_UVIO_INTERNAL U32_MAX
36/* Mapping from IOCTL-nr to UVC-bit */
37static const u32 ioctl_nr_to_uvc_bit[] __initconst = {
38	[UVIO_IOCTL_UVDEV_INFO_NR] = BIT_UVIO_INTERNAL,
39	[UVIO_IOCTL_ATT_NR] = BIT_UVC_CMD_RETR_ATTEST,
40	[UVIO_IOCTL_ADD_SECRET_NR] = BIT_UVC_CMD_ADD_SECRET,
41	[UVIO_IOCTL_LIST_SECRETS_NR] = BIT_UVC_CMD_LIST_SECRETS,
42	[UVIO_IOCTL_LOCK_SECRETS_NR] = BIT_UVC_CMD_LOCK_SECRETS,
43};
44
45static_assert(ARRAY_SIZE(ioctl_nr_to_uvc_bit) == UVIO_IOCTL_NUM_IOCTLS);
46
47static struct uvio_uvdev_info uvdev_info = {
48	.supp_uvio_cmds = GENMASK_ULL(UVIO_IOCTL_NUM_IOCTLS - 1, 0),
49};
50
51static void __init set_supp_uv_cmds(unsigned long *supp_uv_cmds)
52{
53	int i;
54
55	for (i = 0; i < UVIO_IOCTL_NUM_IOCTLS; i++) {
56		if (ioctl_nr_to_uvc_bit[i] == BIT_UVIO_INTERNAL)
57			continue;
58		if (!test_bit_inv(ioctl_nr_to_uvc_bit[i], uv_info.inst_calls_list))
59			continue;
60		__set_bit(i, supp_uv_cmds);
61	}
62}
63
64/**
65 * uvio_uvdev_info() - get information about the uvdevice
66 *
67 * @uv_ioctl: ioctl control block
68 *
69 * Lists all IOCTLs that are supported by this uvdevice
70 */
71static int uvio_uvdev_info(struct uvio_ioctl_cb *uv_ioctl)
72{
73	void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
74
75	if (uv_ioctl->argument_len < sizeof(uvdev_info))
76		return -EINVAL;
77	if (copy_to_user(user_buf_arg, &uvdev_info, sizeof(uvdev_info)))
78		return -EFAULT;
79
80	uv_ioctl->uv_rc = UVC_RC_EXECUTED;
81	return 0;
82}
83
84static int uvio_build_uvcb_attest(struct uv_cb_attest *uvcb_attest, u8 *arcb,
85				  u8 *meas, u8 *add_data, struct uvio_attest *uvio_attest)
86{
87	void __user *user_buf_arcb = (void __user *)uvio_attest->arcb_addr;
88
89	if (copy_from_user(arcb, user_buf_arcb, uvio_attest->arcb_len))
90		return -EFAULT;
91
92	uvcb_attest->header.len = sizeof(*uvcb_attest);
93	uvcb_attest->header.cmd = UVC_CMD_RETR_ATTEST;
94	uvcb_attest->arcb_addr = (u64)arcb;
95	uvcb_attest->cont_token = 0;
96	uvcb_attest->user_data_len = uvio_attest->user_data_len;
97	memcpy(uvcb_attest->user_data, uvio_attest->user_data, sizeof(uvcb_attest->user_data));
98	uvcb_attest->meas_len = uvio_attest->meas_len;
99	uvcb_attest->meas_addr = (u64)meas;
100	uvcb_attest->add_data_len = uvio_attest->add_data_len;
101	uvcb_attest->add_data_addr = (u64)add_data;
102
103	return 0;
104}
105
106static int uvio_copy_attest_result_to_user(struct uv_cb_attest *uvcb_attest,
107					   struct uvio_ioctl_cb *uv_ioctl,
108					   u8 *measurement, u8 *add_data,
109					   struct uvio_attest *uvio_attest)
110{
111	struct uvio_attest __user *user_uvio_attest = (void __user *)uv_ioctl->argument_addr;
112	void __user *user_buf_add = (void __user *)uvio_attest->add_data_addr;
113	void __user *user_buf_meas = (void __user *)uvio_attest->meas_addr;
114	void __user *user_buf_uid = &user_uvio_attest->config_uid;
115
116	if (copy_to_user(user_buf_meas, measurement, uvio_attest->meas_len))
117		return -EFAULT;
118	if (add_data && copy_to_user(user_buf_add, add_data, uvio_attest->add_data_len))
119		return -EFAULT;
120	if (copy_to_user(user_buf_uid, uvcb_attest->config_uid, sizeof(uvcb_attest->config_uid)))
121		return -EFAULT;
122	return 0;
123}
124
125static int get_uvio_attest(struct uvio_ioctl_cb *uv_ioctl, struct uvio_attest *uvio_attest)
126{
127	u8 __user *user_arg_buf = (u8 __user *)uv_ioctl->argument_addr;
128
129	if (copy_from_user(uvio_attest, user_arg_buf, sizeof(*uvio_attest)))
130		return -EFAULT;
131
132	if (uvio_attest->arcb_len > UVIO_ATT_ARCB_MAX_LEN)
133		return -EINVAL;
134	if (uvio_attest->arcb_len == 0)
135		return -EINVAL;
136	if (uvio_attest->meas_len > UVIO_ATT_MEASUREMENT_MAX_LEN)
137		return -EINVAL;
138	if (uvio_attest->meas_len == 0)
139		return -EINVAL;
140	if (uvio_attest->add_data_len > UVIO_ATT_ADDITIONAL_MAX_LEN)
141		return -EINVAL;
142	if (uvio_attest->reserved136)
143		return -EINVAL;
144	return 0;
145}
146
147/**
148 * uvio_attestation() - Perform a Retrieve Attestation Measurement UVC.
149 *
150 * @uv_ioctl: ioctl control block
151 *
152 * uvio_attestation() does a Retrieve Attestation Measurement Ultravisor Call.
153 * It verifies that the given userspace addresses are valid and request sizes
154 * are sane. Every other check is made by the Ultravisor (UV) and won't result
155 * in a negative return value. It copies the input to kernelspace, builds the
156 * request, sends the UV-call, and copies the result to userspace.
157 *
158 * The Attestation Request has two input and two outputs.
159 * ARCB and User Data are inputs for the UV generated by userspace.
160 * Measurement and Additional Data are outputs for userspace generated by UV.
161 *
162 * The Attestation Request Control Block (ARCB) is a cryptographically verified
163 * and secured request to UV and User Data is some plaintext data which is
164 * going to be included in the Attestation Measurement calculation.
165 *
166 * Measurement is a cryptographic measurement of the callers properties,
167 * optional data configured by the ARCB and the user data. If specified by the
168 * ARCB, UV will add some Additional Data to the measurement calculation.
169 * This Additional Data is then returned as well.
170 *
171 * If the Retrieve Attestation Measurement UV facility is not present,
172 * UV will return invalid command rc. This won't be fenced in the driver
173 * and does not result in a negative return value.
174 *
175 * Context: might sleep
176 *
177 * Return: 0 on success or a negative error code on error.
178 */
179static int uvio_attestation(struct uvio_ioctl_cb *uv_ioctl)
180{
181	struct uv_cb_attest *uvcb_attest = NULL;
182	struct uvio_attest *uvio_attest = NULL;
183	u8 *measurement = NULL;
184	u8 *add_data = NULL;
185	u8 *arcb = NULL;
186	int ret;
187
188	ret = -EINVAL;
189	if (uv_ioctl->argument_len != sizeof(*uvio_attest))
190		goto out;
191
192	ret = -ENOMEM;
193	uvio_attest = kzalloc(sizeof(*uvio_attest), GFP_KERNEL);
194	if (!uvio_attest)
195		goto out;
196
197	ret = get_uvio_attest(uv_ioctl, uvio_attest);
198	if (ret)
199		goto out;
200
201	ret = -ENOMEM;
202	arcb = kvzalloc(uvio_attest->arcb_len, GFP_KERNEL);
203	measurement = kvzalloc(uvio_attest->meas_len, GFP_KERNEL);
204	if (!arcb || !measurement)
205		goto out;
206
207	if (uvio_attest->add_data_len) {
208		add_data = kvzalloc(uvio_attest->add_data_len, GFP_KERNEL);
209		if (!add_data)
210			goto out;
211	}
212
213	uvcb_attest = kzalloc(sizeof(*uvcb_attest), GFP_KERNEL);
214	if (!uvcb_attest)
215		goto out;
216
217	ret = uvio_build_uvcb_attest(uvcb_attest, arcb,  measurement, add_data, uvio_attest);
218	if (ret)
219		goto out;
220
221	uv_call_sched(0, (u64)uvcb_attest);
222
223	uv_ioctl->uv_rc = uvcb_attest->header.rc;
224	uv_ioctl->uv_rrc = uvcb_attest->header.rrc;
225
226	ret = uvio_copy_attest_result_to_user(uvcb_attest, uv_ioctl, measurement, add_data,
227					      uvio_attest);
228out:
229	kvfree(arcb);
230	kvfree(measurement);
231	kvfree(add_data);
232	kfree(uvio_attest);
233	kfree(uvcb_attest);
234	return ret;
235}
236
237/** uvio_add_secret() - perform an Add Secret UVC
238 *
239 * @uv_ioctl: ioctl control block
240 *
241 * uvio_add_secret() performs the Add Secret Ultravisor Call.
242 *
243 * The given userspace argument address and size are verified to be
244 * valid but every other check is made by the Ultravisor
245 * (UV). Therefore UV errors won't result in a negative return
246 * value. The request is then copied to kernelspace, the UV-call is
247 * performed and the results are copied back to userspace.
248 *
249 * The argument has to point to an Add Secret Request Control Block
250 * which is an encrypted and cryptographically verified request that
251 * inserts a protected guest's secrets into the Ultravisor for later
252 * use.
253 *
254 * If the Add Secret UV facility is not present, UV will return
255 * invalid command rc. This won't be fenced in the driver and does not
256 * result in a negative return value.
257 *
258 * Context: might sleep
259 *
260 * Return: 0 on success or a negative error code on error.
261 */
262static int uvio_add_secret(struct uvio_ioctl_cb *uv_ioctl)
263{
264	void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
265	struct uv_cb_guest_addr uvcb = {
266		.header.len = sizeof(uvcb),
267		.header.cmd = UVC_CMD_ADD_SECRET,
268	};
269	void *asrcb = NULL;
270	int ret;
271
272	if (uv_ioctl->argument_len > UVIO_ADD_SECRET_MAX_LEN)
273		return -EINVAL;
274	if (uv_ioctl->argument_len == 0)
275		return -EINVAL;
276
277	asrcb = kvzalloc(uv_ioctl->argument_len, GFP_KERNEL);
278	if (!asrcb)
279		return -ENOMEM;
280
281	ret = -EFAULT;
282	if (copy_from_user(asrcb, user_buf_arg, uv_ioctl->argument_len))
283		goto out;
284
285	ret = 0;
286	uvcb.addr = (u64)asrcb;
287	uv_call_sched(0, (u64)&uvcb);
288	uv_ioctl->uv_rc = uvcb.header.rc;
289	uv_ioctl->uv_rrc = uvcb.header.rrc;
290
291out:
292	kvfree(asrcb);
293	return ret;
294}
295
296/** uvio_list_secrets() - perform a List Secret UVC
297 * @uv_ioctl: ioctl control block
298 *
299 * uvio_list_secrets() performs the List Secret Ultravisor Call. It verifies
300 * that the given userspace argument address is valid and its size is sane.
301 * Every other check is made by the Ultravisor (UV) and won't result in a
302 * negative return value. It builds the request, performs the UV-call, and
303 * copies the result to userspace.
304 *
305 * The argument specifies the location for the result of the UV-Call.
306 *
307 * If the List Secrets UV facility is not present, UV will return invalid
308 * command rc. This won't be fenced in the driver and does not result in a
309 * negative return value.
310 *
311 * Context: might sleep
312 *
313 * Return: 0 on success or a negative error code on error.
314 */
315static int uvio_list_secrets(struct uvio_ioctl_cb *uv_ioctl)
316{
317	void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
318	struct uv_cb_guest_addr uvcb = {
319		.header.len = sizeof(uvcb),
320		.header.cmd = UVC_CMD_LIST_SECRETS,
321	};
322	void *secrets = NULL;
323	int ret = 0;
324
325	if (uv_ioctl->argument_len != UVIO_LIST_SECRETS_LEN)
326		return -EINVAL;
327
328	secrets = kvzalloc(UVIO_LIST_SECRETS_LEN, GFP_KERNEL);
329	if (!secrets)
330		return -ENOMEM;
331
332	uvcb.addr = (u64)secrets;
333	uv_call_sched(0, (u64)&uvcb);
334	uv_ioctl->uv_rc = uvcb.header.rc;
335	uv_ioctl->uv_rrc = uvcb.header.rrc;
336
337	if (copy_to_user(user_buf_arg, secrets, UVIO_LIST_SECRETS_LEN))
338		ret = -EFAULT;
339
340	kvfree(secrets);
341	return ret;
342}
343
344/** uvio_lock_secrets() - perform a Lock Secret Store UVC
345 * @uv_ioctl: ioctl control block
346 *
347 * uvio_lock_secrets() performs the Lock Secret Store Ultravisor Call. It
348 * performs the UV-call and copies the return codes to the ioctl control block.
349 * After this call was dispatched successfully every following Add Secret UVC
350 * and Lock Secrets UVC will fail with return code 0x102.
351 *
352 * The argument address and size must be 0.
353 *
354 * If the Lock Secrets UV facility is not present, UV will return invalid
355 * command rc. This won't be fenced in the driver and does not result in a
356 * negative return value.
357 *
358 * Context: might sleep
359 *
360 * Return: 0 on success or a negative error code on error.
361 */
362static int uvio_lock_secrets(struct uvio_ioctl_cb *ioctl)
363{
364	struct uv_cb_nodata uvcb = {
365		.header.len = sizeof(uvcb),
366		.header.cmd = UVC_CMD_LOCK_SECRETS,
367	};
368
369	if (ioctl->argument_addr || ioctl->argument_len)
370		return -EINVAL;
371
372	uv_call(0, (u64)&uvcb);
373	ioctl->uv_rc = uvcb.header.rc;
374	ioctl->uv_rrc = uvcb.header.rrc;
375
376	return 0;
377}
378
379static int uvio_copy_and_check_ioctl(struct uvio_ioctl_cb *ioctl, void __user *argp,
380				     unsigned long cmd)
381{
382	u8 nr = _IOC_NR(cmd);
383
384	if (_IOC_DIR(cmd) != (_IOC_READ | _IOC_WRITE))
385		return -ENOIOCTLCMD;
386	if (_IOC_TYPE(cmd) != UVIO_TYPE_UVC)
387		return -ENOIOCTLCMD;
388	if (nr >= UVIO_IOCTL_NUM_IOCTLS)
389		return -ENOIOCTLCMD;
390	if (_IOC_SIZE(cmd) != sizeof(*ioctl))
391		return -ENOIOCTLCMD;
392	if (copy_from_user(ioctl, argp, sizeof(*ioctl)))
393		return -EFAULT;
394	if (ioctl->flags != 0)
395		return -EINVAL;
396	if (memchr_inv(ioctl->reserved14, 0, sizeof(ioctl->reserved14)))
397		return -EINVAL;
398
399	return nr;
400}
401
402/*
403 * IOCTL entry point for the Ultravisor device.
404 */
405static long uvio_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
406{
407	void __user *argp = (void __user *)arg;
408	struct uvio_ioctl_cb uv_ioctl = { };
409	long ret;
410	int nr;
411
412	nr = uvio_copy_and_check_ioctl(&uv_ioctl, argp, cmd);
413	if (nr < 0)
414		return nr;
415
416	switch (nr) {
417	case UVIO_IOCTL_UVDEV_INFO_NR:
418		ret = uvio_uvdev_info(&uv_ioctl);
419		break;
420	case UVIO_IOCTL_ATT_NR:
421		ret = uvio_attestation(&uv_ioctl);
422		break;
423	case UVIO_IOCTL_ADD_SECRET_NR:
424		ret = uvio_add_secret(&uv_ioctl);
425		break;
426	case UVIO_IOCTL_LIST_SECRETS_NR:
427		ret = uvio_list_secrets(&uv_ioctl);
428		break;
429	case UVIO_IOCTL_LOCK_SECRETS_NR:
430		ret = uvio_lock_secrets(&uv_ioctl);
431		break;
432	default:
433		ret = -ENOIOCTLCMD;
434		break;
435	}
436	if (ret)
437		return ret;
438
439	if (copy_to_user(argp, &uv_ioctl, sizeof(uv_ioctl)))
440		ret = -EFAULT;
441
442	return ret;
443}
444
445static const struct file_operations uvio_dev_fops = {
446	.owner = THIS_MODULE,
447	.unlocked_ioctl = uvio_ioctl,
448	.llseek = no_llseek,
449};
450
451static struct miscdevice uvio_dev_miscdev = {
452	.minor = MISC_DYNAMIC_MINOR,
453	.name = UVIO_DEVICE_NAME,
454	.fops = &uvio_dev_fops,
455};
456
457static void __exit uvio_dev_exit(void)
458{
459	misc_deregister(&uvio_dev_miscdev);
460}
461
462static int __init uvio_dev_init(void)
463{
464	set_supp_uv_cmds((unsigned long *)&uvdev_info.supp_uv_cmds);
465	return misc_register(&uvio_dev_miscdev);
466}
467
468module_cpu_feature_match(S390_CPU_FEATURE_UV, uvio_dev_init);
469module_exit(uvio_dev_exit);
470
471MODULE_AUTHOR("IBM Corporation");
472MODULE_LICENSE("GPL");
473MODULE_DESCRIPTION("Ultravisor UAPI driver");
474