Linux kernel development work - see feature branches https://git.zx2c4.com/linux-dev/atom/drivers/crypto/ccp?h=linus%2Fmaster 2022-04-29T05:44:57Z 2022-04-29T05:44:57Z Jacky Li jackyli@google.com 2022-04-14T16:23:25Z urn:sha1:05def5cacfa0bd5ba380116046747da07ff5bd78 There are 2 common cases when INIT_EX data file might not be opened successfully and fail the sev initialization: 1. In user namespaces, normal user tasks (e.g. VMM) can change their current->fs->root to point to arbitrary directories. While init_ex_path is provided as a module param related to root file system. Solution: use the root directory of init_task to avoid accessing the wrong file. 2. Normal user tasks (e.g. VMM) don't have the privilege to access the INIT_EX data file. Solution: open the file as root and restore permissions immediately. Fixes: 3d725965f836 ("crypto: ccp - Add SEV_INIT_EX support") Signed-off-by: Jacky Li <jackyli@google.com> Reviewed-by: Peter Gonda <pgonda@google.com> Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2022-04-21T09:53:55Z Peter Gonda pgonda@google.com 2022-04-13T15:58:35Z urn:sha1:a77aba3109363ae89711fa2dc3523520c760937f Currently when the PSP returns a SECURE_DATA_INVALID error on INIT or INIT_EX the driver retries the command once which should reset the PSP's state SEV related state, meaning the PSP will regenerate its keying material. This is logged with a dbg log but given this will change system state this should be logged at a higher priority and with more information. Signed-off-by: Peter Gonda <pgonda@google.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: David Rientjes <rientjes@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: John Allen <john.allen@amd.com> Cc: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2022-04-08T08:26:43Z Mario Limonciello mario.limonciello@amd.com 2022-03-31T21:12:13Z urn:sha1:4e2c87949f2b9909d3daa8d9cd4b6d5077b6e0c2 CC_ATTR_HOST_MEM_ENCRYPT is used to relay that memory encryption has been activated by the kernel. As it's technically possible to enable both SME and TSME at the same time, detect this scenario and notify the user that enabling TSME and SME at the same time is unnecessary. Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2022-04-08T08:26:43Z Mario Limonciello mario.limonciello@amd.com 2022-03-31T21:12:12Z urn:sha1:84ee393b1e82628ac7f183d8a68d8ac2cf0ed876 Previously the PSP probe routine would fail if both SEV and TEE were missing. This is possibly the case for some client parts. As capabilities can now be accessed from userspace, it may still be useful to have the PSP driver finish loading so that those capabilities can be read. Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2022-04-08T08:26:43Z Mario Limonciello mario.limonciello@amd.com 2022-03-31T21:12:11Z urn:sha1:50c4decc1b15313afa31f9a99da0904fa9c9b071 The PSP sets several pre-defined bits in the capabilities register to indicate that security attributes of the platform. Export these attributes into userspace for administrators to confirm platform is properly locked down. Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2022-04-08T08:25:19Z Mario Limonciello mario.limonciello@amd.com 2022-03-31T21:12:10Z urn:sha1:cac32cd4f1436b0f926a9112039d3f7ce1cd6cab The results of the capability register will be used by future code at runtime rather than just initialization. Acked-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2022-03-09T03:12:31Z Dāvis Mosāns davispuh@gmail.com 2022-02-28T03:15:45Z urn:sha1:54cce8ecb9254f971b40a72911c6da403720a2d2 ccp_dmaengine_register adds dma_chan->device_node to dma_dev->channels list but ccp_dmaengine_unregister didn't remove them. That can cause crashes in various dmaengine methods that tries to use dma_dev->channels Fixes: 58ea8abf4904 ("crypto: ccp - Register the CCP as a DMA...") Signed-off-by: Dāvis Mosāns <davispuh@gmail.com> Acked-by: John Allen <john.allen@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2022-01-31T00:21:36Z Minghao Chi chi.minghao@zte.com.cn 2022-01-12T08:05:44Z urn:sha1:735efea69d36347c6c7a6bf6e13f032d09c63c6f Return value from ccp_crypto_enqueue_request() directly instead of taking this in another redundant variable. Reported-by: Zeal Robot <zealci@zte.com.cn> Signed-off-by: Minghao Chi <chi.minghao@zte.com.cn> Signed-off-by: CGEL ZTE <cgel.zte@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2022-01-28T05:51:11Z Peter Gonda pgonda@google.com 2022-01-10T21:18:37Z urn:sha1:1e1ec11d3ec3134e05d4710f4dee5f9bd05e828d Initialize psp_ret inside of __sev_platform_init_locked() because there are many failure paths with PSP initialization that do not set __sev_do_cmd_locked(). Fixes: e423b9d75e77: ("crypto: ccp - Move SEV_INIT retry for corrupted data") Signed-off-by: Peter Gonda <pgonda@google.com> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Marc Orr <marcorr@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: John Allen <john.allen@amd.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2021-12-31T07:10:55Z Yang Li yang.lee@linux.alibaba.com 2021-12-21T00:38:28Z urn:sha1:ef4d891499442a156655b0c0df56bdf539897495 Eliminate the following coccicheck warning: ./drivers/crypto/ccp/sev-dev.c:263:2-3: Unneeded semicolon Reported-by: Abaci Robot <abaci@linux.alibaba.com> Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>