Commit 770de678 authored by Stefano Garzarella's avatar Stefano Garzarella Committed by Borislav Petkov (AMD)
Browse files

x86/sev: Add SVSM vTPM probe/send_command functions 



Add two new functions to probe and send commands to the SVSM vTPM. They
leverage the two calls defined by the AMD SVSM specification [1] for the vTPM
protocol: SVSM_VTPM_QUERY and SVSM_VTPM_CMD.

Expose snp_svsm_vtpm_send_command() to be used by a TPM driver.

  [1] "Secure VM Service Module for SEV-SNP Guests"
      Publication # 58019 Revision: 1.00

  [ bp: Some doc touchups. ]

Co-developed-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: default avatarJames Bottomley <James.Bottomley@HansenPartnership.com>
Co-developed-by: default avatarClaudio Carvalho <cclaudio@linux.ibm.com>
Signed-off-by: default avatarClaudio Carvalho <cclaudio@linux.ibm.com>
Signed-off-by: default avatarStefano Garzarella <sgarzare@redhat.com>
Signed-off-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Link: https://lore.kernel.org/r/20250403100943.120738-2-sgarzare@redhat.com
parent 0af2f6be

arch/x86/coco/sev/core.c

+58 −0
Original line number Diff line number Diff line
@@ -2625,6 +2625,64 @@ static int snp_issue_guest_request(struct snp_guest_req *req, struct snp_req_dat 
	return ret;

}



/**

 * snp_svsm_vtpm_probe() - Probe if SVSM provides a vTPM device

 *

 * Check that there is SVSM and that it supports at least TPM_SEND_COMMAND

 * which is the only request used so far.

 *

 * Return: true if the platform provides a vTPM SVSM device, false otherwise.

 */

static bool snp_svsm_vtpm_probe(void)

{

	struct svsm_call call = {};



	/* The vTPM device is available only if a SVSM is present */

	if (!snp_vmpl)

		return false;



	call.caa = svsm_get_caa();

	call.rax = SVSM_VTPM_CALL(SVSM_VTPM_QUERY);



	if (svsm_perform_call_protocol(&call))

		return false;



	/* Check platform commands contains TPM_SEND_COMMAND - platform command 8 */

	return call.rcx_out & BIT_ULL(8);

}



/**

 * snp_svsm_vtpm_send_command() - Execute a vTPM operation on SVSM

 * @buffer: A buffer used to both send the command and receive the response.

 *

 * Execute a SVSM_VTPM_CMD call as defined by

 * "Secure VM Service Module for SEV-SNP Guests" Publication # 58019 Revision: 1.00

 *

 * All command request/response buffers have a common structure as specified by

 * the following table:

 *     Byte      Size       In/Out    Description

 *     Offset    (Bytes)

 *     0x000     4          In        Platform command

 *                          Out       Platform command response size

 *

 * Each command can build upon this common request/response structure to create

 * a structure specific to the command. See include/linux/tpm_svsm.h for more

 * details.

 *

 * Return: 0 on success, -errno on failure

 */

int snp_svsm_vtpm_send_command(u8 *buffer)

{

	struct svsm_call call = {};



	call.caa = svsm_get_caa();

	call.rax = SVSM_VTPM_CALL(SVSM_VTPM_CMD);

	call.rcx = __pa(buffer);



	return svsm_perform_call_protocol(&call);

}

EXPORT_SYMBOL_GPL(snp_svsm_vtpm_send_command);



static struct platform_device sev_guest_device = {

	.name		= "sev-guest",

	.id		= -1,

arch/x86/include/asm/sev.h

+7 −0
Original line number Diff line number Diff line
@@ -384,6 +384,10 @@ struct svsm_call { 
#define SVSM_ATTEST_SERVICES		0

#define SVSM_ATTEST_SINGLE_SERVICE	1



#define SVSM_VTPM_CALL(x)		((2ULL << 32) | (x))

#define SVSM_VTPM_QUERY			0

#define SVSM_VTPM_CMD			1



#ifdef CONFIG_AMD_MEM_ENCRYPT



extern u8 snp_vmpl;
@@ -481,6 +485,8 @@ void snp_msg_free(struct snp_msg_desc *mdesc); 
int snp_send_guest_request(struct snp_msg_desc *mdesc, struct snp_guest_req *req,

			   struct snp_guest_request_ioctl *rio);



int snp_svsm_vtpm_send_command(u8 *buffer);



void __init snp_secure_tsc_prepare(void);

void __init snp_secure_tsc_init(void);
@@ -524,6 +530,7 @@ static inline struct snp_msg_desc *snp_msg_alloc(void) { return NULL; } 
static inline void snp_msg_free(struct snp_msg_desc *mdesc) { }

static inline int snp_send_guest_request(struct snp_msg_desc *mdesc, struct snp_guest_req *req,

					 struct snp_guest_request_ioctl *rio) { return -ENODEV; }

static inline int snp_svsm_vtpm_send_command(u8 *buffer) { return -ENODEV; }

static inline void __init snp_secure_tsc_prepare(void) { }

static inline void __init snp_secure_tsc_init(void) { }