1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
|
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright IBM Corp. 2022
* Author(s): Steffen Eiden <seiden@linux.ibm.com>
*
* This file provides a Linux misc device to give userspace access to some
* Ultravisor (UV) functions. The device only accepts IOCTLs and will only
* be present if the Ultravisor facility (158) is present.
*
* When userspace sends a valid IOCTL uvdevice will copy the input data to
* kernel space, do some basic validity checks to avoid kernel/system
* corruption. Any other check that the Ultravisor does will not be done by
* the uvdevice to keep changes minimal when adding new functionalities
* to existing UV-calls.
* After the checks uvdevice builds a corresponding
* Ultravisor Call Control Block, and sends the request to the Ultravisor.
* Then, it copies the response, including the return codes, back to userspace.
* It is the responsibility of the userspace to check for any error issued
* by UV and to interpret the UV response. The uvdevice acts as a communication
* channel for userspace to the Ultravisor.
*/
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/miscdevice.h>
#include <linux/types.h>
#include <linux/stddef.h>
#include <linux/vmalloc.h>
#include <linux/slab.h>
#include <linux/cpufeature.h>
#include <asm/uvdevice.h>
#include <asm/uv.h>
#define BIT_UVIO_INTERNAL U32_MAX
/* Mapping from IOCTL-nr to UVC-bit */
static const u32 ioctl_nr_to_uvc_bit[] __initconst = {
[UVIO_IOCTL_UVDEV_INFO_NR] = BIT_UVIO_INTERNAL,
[UVIO_IOCTL_ATT_NR] = BIT_UVC_CMD_RETR_ATTEST,
[UVIO_IOCTL_ADD_SECRET_NR] = BIT_UVC_CMD_ADD_SECRET,
[UVIO_IOCTL_LIST_SECRETS_NR] = BIT_UVC_CMD_LIST_SECRETS,
[UVIO_IOCTL_LOCK_SECRETS_NR] = BIT_UVC_CMD_LOCK_SECRETS,
};
static_assert(ARRAY_SIZE(ioctl_nr_to_uvc_bit) == UVIO_IOCTL_NUM_IOCTLS);
static struct uvio_uvdev_info uvdev_info = {
.supp_uvio_cmds = GENMASK_ULL(UVIO_IOCTL_NUM_IOCTLS - 1, 0),
};
static void __init set_supp_uv_cmds(unsigned long *supp_uv_cmds)
{
int i;
for (i = 0; i < UVIO_IOCTL_NUM_IOCTLS; i++) {
if (ioctl_nr_to_uvc_bit[i] == BIT_UVIO_INTERNAL)
continue;
if (!test_bit_inv(ioctl_nr_to_uvc_bit[i], uv_info.inst_calls_list))
continue;
__set_bit(i, supp_uv_cmds);
}
}
/**
* uvio_uvdev_info() - get information about the uvdevice
*
* @uv_ioctl: ioctl control block
*
* Lists all IOCTLs that are supported by this uvdevice
*/
static int uvio_uvdev_info(struct uvio_ioctl_cb *uv_ioctl)
{
void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
if (uv_ioctl->argument_len < sizeof(uvdev_info))
return -EINVAL;
if (copy_to_user(user_buf_arg, &uvdev_info, sizeof(uvdev_info)))
return -EFAULT;
uv_ioctl->uv_rc = UVC_RC_EXECUTED;
return 0;
}
static int uvio_build_uvcb_attest(struct uv_cb_attest *uvcb_attest, u8 *arcb,
u8 *meas, u8 *add_data, struct uvio_attest *uvio_attest)
{
void __user *user_buf_arcb = (void __user *)uvio_attest->arcb_addr;
if (copy_from_user(arcb, user_buf_arcb, uvio_attest->arcb_len))
return -EFAULT;
uvcb_attest->header.len = sizeof(*uvcb_attest);
uvcb_attest->header.cmd = UVC_CMD_RETR_ATTEST;
uvcb_attest->arcb_addr = (u64)arcb;
uvcb_attest->cont_token = 0;
uvcb_attest->user_data_len = uvio_attest->user_data_len;
memcpy(uvcb_attest->user_data, uvio_attest->user_data, sizeof(uvcb_attest->user_data));
uvcb_attest->meas_len = uvio_attest->meas_len;
uvcb_attest->meas_addr = (u64)meas;
uvcb_attest->add_data_len = uvio_attest->add_data_len;
uvcb_attest->add_data_addr = (u64)add_data;
return 0;
}
static int uvio_copy_attest_result_to_user(struct uv_cb_attest *uvcb_attest,
struct uvio_ioctl_cb *uv_ioctl,
u8 *measurement, u8 *add_data,
struct uvio_attest *uvio_attest)
{
struct uvio_attest __user *user_uvio_attest = (void __user *)uv_ioctl->argument_addr;
void __user *user_buf_add = (void __user *)uvio_attest->add_data_addr;
void __user *user_buf_meas = (void __user *)uvio_attest->meas_addr;
void __user *user_buf_uid = &user_uvio_attest->config_uid;
if (copy_to_user(user_buf_meas, measurement, uvio_attest->meas_len))
return -EFAULT;
if (add_data && copy_to_user(user_buf_add, add_data, uvio_attest->add_data_len))
return -EFAULT;
if (copy_to_user(user_buf_uid, uvcb_attest->config_uid, sizeof(uvcb_attest->config_uid)))
return -EFAULT;
return 0;
}
static int get_uvio_attest(struct uvio_ioctl_cb *uv_ioctl, struct uvio_attest *uvio_attest)
{
u8 __user *user_arg_buf = (u8 __user *)uv_ioctl->argument_addr;
if (copy_from_user(uvio_attest, user_arg_buf, sizeof(*uvio_attest)))
return -EFAULT;
if (uvio_attest->arcb_len > UVIO_ATT_ARCB_MAX_LEN)
return -EINVAL;
if (uvio_attest->arcb_len == 0)
return -EINVAL;
if (uvio_attest->meas_len > UVIO_ATT_MEASUREMENT_MAX_LEN)
return -EINVAL;
if (uvio_attest->meas_len == 0)
return -EINVAL;
if (uvio_attest->add_data_len > UVIO_ATT_ADDITIONAL_MAX_LEN)
return -EINVAL;
if (uvio_attest->reserved136)
return -EINVAL;
return 0;
}
/**
* uvio_attestation() - Perform a Retrieve Attestation Measurement UVC.
*
* @uv_ioctl: ioctl control block
*
* uvio_attestation() does a Retrieve Attestation Measurement Ultravisor Call.
* It verifies that the given userspace addresses are valid and request sizes
* are sane. Every other check is made by the Ultravisor (UV) and won't result
* in a negative return value. It copies the input to kernelspace, builds the
* request, sends the UV-call, and copies the result to userspace.
*
* The Attestation Request has two input and two outputs.
* ARCB and User Data are inputs for the UV generated by userspace.
* Measurement and Additional Data are outputs for userspace generated by UV.
*
* The Attestation Request Control Block (ARCB) is a cryptographically verified
* and secured request to UV and User Data is some plaintext data which is
* going to be included in the Attestation Measurement calculation.
*
* Measurement is a cryptographic measurement of the callers properties,
* optional data configured by the ARCB and the user data. If specified by the
* ARCB, UV will add some Additional Data to the measurement calculation.
* This Additional Data is then returned as well.
*
* If the Retrieve Attestation Measurement UV facility is not present,
* UV will return invalid command rc. This won't be fenced in the driver
* and does not result in a negative return value.
*
* Context: might sleep
*
* Return: 0 on success or a negative error code on error.
*/
static int uvio_attestation(struct uvio_ioctl_cb *uv_ioctl)
{
struct uv_cb_attest *uvcb_attest = NULL;
struct uvio_attest *uvio_attest = NULL;
u8 *measurement = NULL;
u8 *add_data = NULL;
u8 *arcb = NULL;
int ret;
ret = -EINVAL;
if (uv_ioctl->argument_len != sizeof(*uvio_attest))
goto out;
ret = -ENOMEM;
uvio_attest = kzalloc(sizeof(*uvio_attest), GFP_KERNEL);
if (!uvio_attest)
goto out;
ret = get_uvio_attest(uv_ioctl, uvio_attest);
if (ret)
goto out;
ret = -ENOMEM;
arcb = kvzalloc(uvio_attest->arcb_len, GFP_KERNEL);
measurement = kvzalloc(uvio_attest->meas_len, GFP_KERNEL);
if (!arcb || !measurement)
goto out;
if (uvio_attest->add_data_len) {
add_data = kvzalloc(uvio_attest->add_data_len, GFP_KERNEL);
if (!add_data)
goto out;
}
uvcb_attest = kzalloc(sizeof(*uvcb_attest), GFP_KERNEL);
if (!uvcb_attest)
goto out;
ret = uvio_build_uvcb_attest(uvcb_attest, arcb, measurement, add_data, uvio_attest);
if (ret)
goto out;
uv_call_sched(0, (u64)uvcb_attest);
uv_ioctl->uv_rc = uvcb_attest->header.rc;
uv_ioctl->uv_rrc = uvcb_attest->header.rrc;
ret = uvio_copy_attest_result_to_user(uvcb_attest, uv_ioctl, measurement, add_data,
uvio_attest);
out:
kvfree(arcb);
kvfree(measurement);
kvfree(add_data);
kfree(uvio_attest);
kfree(uvcb_attest);
return ret;
}
/** uvio_add_secret() - perform an Add Secret UVC
*
* @uv_ioctl: ioctl control block
*
* uvio_add_secret() performs the Add Secret Ultravisor Call.
*
* The given userspace argument address and size are verified to be
* valid but every other check is made by the Ultravisor
* (UV). Therefore UV errors won't result in a negative return
* value. The request is then copied to kernelspace, the UV-call is
* performed and the results are copied back to userspace.
*
* The argument has to point to an Add Secret Request Control Block
* which is an encrypted and cryptographically verified request that
* inserts a protected guest's secrets into the Ultravisor for later
* use.
*
* If the Add Secret UV facility is not present, UV will return
* invalid command rc. This won't be fenced in the driver and does not
* result in a negative return value.
*
* Context: might sleep
*
* Return: 0 on success or a negative error code on error.
*/
static int uvio_add_secret(struct uvio_ioctl_cb *uv_ioctl)
{
void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
struct uv_cb_guest_addr uvcb = {
.header.len = sizeof(uvcb),
.header.cmd = UVC_CMD_ADD_SECRET,
};
void *asrcb = NULL;
int ret;
if (uv_ioctl->argument_len > UVIO_ADD_SECRET_MAX_LEN)
return -EINVAL;
if (uv_ioctl->argument_len == 0)
return -EINVAL;
asrcb = kvzalloc(uv_ioctl->argument_len, GFP_KERNEL);
if (!asrcb)
return -ENOMEM;
ret = -EFAULT;
if (copy_from_user(asrcb, user_buf_arg, uv_ioctl->argument_len))
goto out;
ret = 0;
uvcb.addr = (u64)asrcb;
uv_call_sched(0, (u64)&uvcb);
uv_ioctl->uv_rc = uvcb.header.rc;
uv_ioctl->uv_rrc = uvcb.header.rrc;
out:
kvfree(asrcb);
return ret;
}
/** uvio_list_secrets() - perform a List Secret UVC
* @uv_ioctl: ioctl control block
*
* uvio_list_secrets() performs the List Secret Ultravisor Call. It verifies
* that the given userspace argument address is valid and its size is sane.
* Every other check is made by the Ultravisor (UV) and won't result in a
* negative return value. It builds the request, performs the UV-call, and
* copies the result to userspace.
*
* The argument specifies the location for the result of the UV-Call.
*
* If the List Secrets UV facility is not present, UV will return invalid
* command rc. This won't be fenced in the driver and does not result in a
* negative return value.
*
* Context: might sleep
*
* Return: 0 on success or a negative error code on error.
*/
static int uvio_list_secrets(struct uvio_ioctl_cb *uv_ioctl)
{
void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
struct uv_cb_guest_addr uvcb = {
.header.len = sizeof(uvcb),
.header.cmd = UVC_CMD_LIST_SECRETS,
};
void *secrets = NULL;
int ret = 0;
if (uv_ioctl->argument_len != UVIO_LIST_SECRETS_LEN)
return -EINVAL;
secrets = kvzalloc(UVIO_LIST_SECRETS_LEN, GFP_KERNEL);
if (!secrets)
return -ENOMEM;
uvcb.addr = (u64)secrets;
uv_call_sched(0, (u64)&uvcb);
uv_ioctl->uv_rc = uvcb.header.rc;
uv_ioctl->uv_rrc = uvcb.header.rrc;
if (copy_to_user(user_buf_arg, secrets, UVIO_LIST_SECRETS_LEN))
ret = -EFAULT;
kvfree(secrets);
return ret;
}
/** uvio_lock_secrets() - perform a Lock Secret Store UVC
* @uv_ioctl: ioctl control block
*
* uvio_lock_secrets() performs the Lock Secret Store Ultravisor Call. It
* performs the UV-call and copies the return codes to the ioctl control block.
* After this call was dispatched successfully every following Add Secret UVC
* and Lock Secrets UVC will fail with return code 0x102.
*
* The argument address and size must be 0.
*
* If the Lock Secrets UV facility is not present, UV will return invalid
* command rc. This won't be fenced in the driver and does not result in a
* negative return value.
*
* Context: might sleep
*
* Return: 0 on success or a negative error code on error.
*/
static int uvio_lock_secrets(struct uvio_ioctl_cb *ioctl)
{
struct uv_cb_nodata uvcb = {
.header.len = sizeof(uvcb),
.header.cmd = UVC_CMD_LOCK_SECRETS,
};
if (ioctl->argument_addr || ioctl->argument_len)
return -EINVAL;
uv_call(0, (u64)&uvcb);
ioctl->uv_rc = uvcb.header.rc;
ioctl->uv_rrc = uvcb.header.rrc;
return 0;
}
static int uvio_copy_and_check_ioctl(struct uvio_ioctl_cb *ioctl, void __user *argp,
unsigned long cmd)
{
u8 nr = _IOC_NR(cmd);
if (_IOC_DIR(cmd) != (_IOC_READ | _IOC_WRITE))
return -ENOIOCTLCMD;
if (_IOC_TYPE(cmd) != UVIO_TYPE_UVC)
return -ENOIOCTLCMD;
if (nr >= UVIO_IOCTL_NUM_IOCTLS)
return -ENOIOCTLCMD;
if (_IOC_SIZE(cmd) != sizeof(*ioctl))
return -ENOIOCTLCMD;
if (copy_from_user(ioctl, argp, sizeof(*ioctl)))
return -EFAULT;
if (ioctl->flags != 0)
return -EINVAL;
if (memchr_inv(ioctl->reserved14, 0, sizeof(ioctl->reserved14)))
return -EINVAL;
return nr;
}
/*
* IOCTL entry point for the Ultravisor device.
*/
static long uvio_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
void __user *argp = (void __user *)arg;
struct uvio_ioctl_cb uv_ioctl = { };
long ret;
int nr;
nr = uvio_copy_and_check_ioctl(&uv_ioctl, argp, cmd);
if (nr < 0)
return nr;
switch (nr) {
case UVIO_IOCTL_UVDEV_INFO_NR:
ret = uvio_uvdev_info(&uv_ioctl);
break;
case UVIO_IOCTL_ATT_NR:
ret = uvio_attestation(&uv_ioctl);
break;
case UVIO_IOCTL_ADD_SECRET_NR:
ret = uvio_add_secret(&uv_ioctl);
break;
case UVIO_IOCTL_LIST_SECRETS_NR:
ret = uvio_list_secrets(&uv_ioctl);
break;
case UVIO_IOCTL_LOCK_SECRETS_NR:
ret = uvio_lock_secrets(&uv_ioctl);
break;
default:
ret = -ENOIOCTLCMD;
break;
}
if (ret)
return ret;
if (copy_to_user(argp, &uv_ioctl, sizeof(uv_ioctl)))
ret = -EFAULT;
return ret;
}
static const struct file_operations uvio_dev_fops = {
.owner = THIS_MODULE,
.unlocked_ioctl = uvio_ioctl,
.llseek = no_llseek,
};
static struct miscdevice uvio_dev_miscdev = {
.minor = MISC_DYNAMIC_MINOR,
.name = UVIO_DEVICE_NAME,
.fops = &uvio_dev_fops,
};
static void __exit uvio_dev_exit(void)
{
misc_deregister(&uvio_dev_miscdev);
}
static int __init uvio_dev_init(void)
{
set_supp_uv_cmds((unsigned long *)&uvdev_info.supp_uv_cmds);
return misc_register(&uvio_dev_miscdev);
}
module_cpu_feature_match(S390_CPU_FEATURE_UV, uvio_dev_init);
module_exit(uvio_dev_exit);
MODULE_AUTHOR("IBM Corporation");
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Ultravisor UAPI driver");
|
