1/* SPDX-License-Identifier: GPL-2.0-only */ 2/* 3 * AMD Secure Encrypted Virtualization (SEV) driver interface 4 * 5 * Copyright (C) 2016-2017 Advanced Micro Devices, Inc. 6 * 7 * Author: Brijesh Singh <brijesh.singh@amd.com> 8 * 9 * SEV API spec is available at https://developer.amd.com/sev 10 */ 11 12#ifndef __PSP_SEV_H__ 13#define __PSP_SEV_H__ 14 15#include <uapi/linux/psp-sev.h> 16 17#define SEV_FW_BLOB_MAX_SIZE 0x4000 /* 16KB */ 18 19/** 20 * SEV platform state 21 */ 22enum sev_state { 23 SEV_STATE_UNINIT = 0x0, 24 SEV_STATE_INIT = 0x1, 25 SEV_STATE_WORKING = 0x2, 26 27 SEV_STATE_MAX 28}; 29 30/** 31 * SEV platform and guest management commands 32 */ 33enum sev_cmd { 34 /* platform commands */ 35 SEV_CMD_INIT = 0x001, 36 SEV_CMD_SHUTDOWN = 0x002, 37 SEV_CMD_FACTORY_RESET = 0x003, 38 SEV_CMD_PLATFORM_STATUS = 0x004, 39 SEV_CMD_PEK_GEN = 0x005, 40 SEV_CMD_PEK_CSR = 0x006, 41 SEV_CMD_PEK_CERT_IMPORT = 0x007, 42 SEV_CMD_PDH_CERT_EXPORT = 0x008, 43 SEV_CMD_PDH_GEN = 0x009, 44 SEV_CMD_DF_FLUSH = 0x00A, 45 SEV_CMD_DOWNLOAD_FIRMWARE = 0x00B, 46 SEV_CMD_GET_ID = 0x00C, 47 SEV_CMD_INIT_EX = 0x00D, 48 49 /* Guest commands */ 50 SEV_CMD_DECOMMISSION = 0x020, 51 SEV_CMD_ACTIVATE = 0x021, 52 SEV_CMD_DEACTIVATE = 0x022, 53 SEV_CMD_GUEST_STATUS = 0x023, 54 55 /* Guest launch commands */ 56 SEV_CMD_LAUNCH_START = 0x030, 57 SEV_CMD_LAUNCH_UPDATE_DATA = 0x031, 58 SEV_CMD_LAUNCH_UPDATE_VMSA = 0x032, 59 SEV_CMD_LAUNCH_MEASURE = 0x033, 60 SEV_CMD_LAUNCH_UPDATE_SECRET = 0x034, 61 SEV_CMD_LAUNCH_FINISH = 0x035, 62 SEV_CMD_ATTESTATION_REPORT = 0x036, 63 64 /* Guest migration commands (outgoing) */ 65 SEV_CMD_SEND_START = 0x040, 66 SEV_CMD_SEND_UPDATE_DATA = 0x041, 67 SEV_CMD_SEND_UPDATE_VMSA = 0x042, 68 SEV_CMD_SEND_FINISH = 0x043, 69 SEV_CMD_SEND_CANCEL = 0x044, 70 71 /* Guest migration commands (incoming) */ 72 SEV_CMD_RECEIVE_START = 0x050, 73 SEV_CMD_RECEIVE_UPDATE_DATA = 0x051, 74 SEV_CMD_RECEIVE_UPDATE_VMSA = 0x052, 75 SEV_CMD_RECEIVE_FINISH = 0x053, 76 77 /* Guest debug commands */ 78 SEV_CMD_DBG_DECRYPT = 0x060, 79 SEV_CMD_DBG_ENCRYPT = 0x061, 80 81 /* SNP specific commands */ 82 SEV_CMD_SNP_INIT = 0x081, 83 SEV_CMD_SNP_SHUTDOWN = 0x082, 84 SEV_CMD_SNP_PLATFORM_STATUS = 0x083, 85 SEV_CMD_SNP_DF_FLUSH = 0x084, 86 SEV_CMD_SNP_INIT_EX = 0x085, 87 SEV_CMD_SNP_SHUTDOWN_EX = 0x086, 88 SEV_CMD_SNP_DECOMMISSION = 0x090, 89 SEV_CMD_SNP_ACTIVATE = 0x091, 90 SEV_CMD_SNP_GUEST_STATUS = 0x092, 91 SEV_CMD_SNP_GCTX_CREATE = 0x093, 92 SEV_CMD_SNP_GUEST_REQUEST = 0x094, 93 SEV_CMD_SNP_ACTIVATE_EX = 0x095, 94 SEV_CMD_SNP_LAUNCH_START = 0x0A0, 95 SEV_CMD_SNP_LAUNCH_UPDATE = 0x0A1, 96 SEV_CMD_SNP_LAUNCH_FINISH = 0x0A2, 97 SEV_CMD_SNP_DBG_DECRYPT = 0x0B0, 98 SEV_CMD_SNP_DBG_ENCRYPT = 0x0B1, 99 SEV_CMD_SNP_PAGE_SWAP_OUT = 0x0C0, 100 SEV_CMD_SNP_PAGE_SWAP_IN = 0x0C1, 101 SEV_CMD_SNP_PAGE_MOVE = 0x0C2, 102 SEV_CMD_SNP_PAGE_MD_INIT = 0x0C3, 103 SEV_CMD_SNP_PAGE_SET_STATE = 0x0C6, 104 SEV_CMD_SNP_PAGE_RECLAIM = 0x0C7, 105 SEV_CMD_SNP_PAGE_UNSMASH = 0x0C8, 106 SEV_CMD_SNP_CONFIG = 0x0C9, 107 SEV_CMD_SNP_DOWNLOAD_FIRMWARE_EX = 0x0CA, 108 SEV_CMD_SNP_COMMIT = 0x0CB, 109 SEV_CMD_SNP_VLEK_LOAD = 0x0CD, 110 111 SEV_CMD_MAX, 112}; 113 114/** 115 * struct sev_data_init - INIT command parameters 116 * 117 * @flags: processing flags 118 * @tmr_address: system physical address used for SEV-ES 119 * @tmr_len: len of tmr_address 120 */ 121struct sev_data_init { 122 u32 flags; /* In */ 123 u32 reserved; /* In */ 124 u64 tmr_address; /* In */ 125 u32 tmr_len; /* In */ 126} __packed; 127 128/** 129 * struct sev_data_init_ex - INIT_EX command parameters 130 * 131 * @length: len of the command buffer read by the PSP 132 * @flags: processing flags 133 * @tmr_address: system physical address used for SEV-ES 134 * @tmr_len: len of tmr_address 135 * @nv_address: system physical address used for PSP NV storage 136 * @nv_len: len of nv_address 137 */ 138struct sev_data_init_ex { 139 u32 length; /* In */ 140 u32 flags; /* In */ 141 u64 tmr_address; /* In */ 142 u32 tmr_len; /* In */ 143 u32 reserved; /* In */ 144 u64 nv_address; /* In/Out */ 145 u32 nv_len; /* In */ 146} __packed; 147 148#define SEV_INIT_FLAGS_SEV_ES 0x01 149 150/** 151 * struct sev_data_pek_csr - PEK_CSR command parameters 152 * 153 * @address: PEK certificate chain 154 * @len: len of certificate 155 */ 156struct sev_data_pek_csr { 157 u64 address; /* In */ 158 u32 len; /* In/Out */ 159} __packed; 160 161/** 162 * struct sev_data_cert_import - PEK_CERT_IMPORT command parameters 163 * 164 * @pek_address: PEK certificate chain 165 * @pek_len: len of PEK certificate 166 * @oca_address: OCA certificate chain 167 * @oca_len: len of OCA certificate 168 */ 169struct sev_data_pek_cert_import { 170 u64 pek_cert_address; /* In */ 171 u32 pek_cert_len; /* In */ 172 u32 reserved; /* In */ 173 u64 oca_cert_address; /* In */ 174 u32 oca_cert_len; /* In */ 175} __packed; 176 177/** 178 * struct sev_data_download_firmware - DOWNLOAD_FIRMWARE command parameters 179 * 180 * @address: physical address of firmware image 181 * @len: len of the firmware image 182 */ 183struct sev_data_download_firmware { 184 u64 address; /* In */ 185 u32 len; /* In */ 186} __packed; 187 188/** 189 * struct sev_data_get_id - GET_ID command parameters 190 * 191 * @address: physical address of region to place unique CPU ID(s) 192 * @len: len of the region 193 */ 194struct sev_data_get_id { 195 u64 address; /* In */ 196 u32 len; /* In/Out */ 197} __packed; 198/** 199 * struct sev_data_pdh_cert_export - PDH_CERT_EXPORT command parameters 200 * 201 * @pdh_address: PDH certificate address 202 * @pdh_len: len of PDH certificate 203 * @cert_chain_address: PDH certificate chain 204 * @cert_chain_len: len of PDH certificate chain 205 */ 206struct sev_data_pdh_cert_export { 207 u64 pdh_cert_address; /* In */ 208 u32 pdh_cert_len; /* In/Out */ 209 u32 reserved; /* In */ 210 u64 cert_chain_address; /* In */ 211 u32 cert_chain_len; /* In/Out */ 212} __packed; 213 214/** 215 * struct sev_data_decommission - DECOMMISSION command parameters 216 * 217 * @handle: handle of the VM to decommission 218 */ 219struct sev_data_decommission { 220 u32 handle; /* In */ 221} __packed; 222 223/** 224 * struct sev_data_activate - ACTIVATE command parameters 225 * 226 * @handle: handle of the VM to activate 227 * @asid: asid assigned to the VM 228 */ 229struct sev_data_activate { 230 u32 handle; /* In */ 231 u32 asid; /* In */ 232} __packed; 233 234/** 235 * struct sev_data_deactivate - DEACTIVATE command parameters 236 * 237 * @handle: handle of the VM to deactivate 238 */ 239struct sev_data_deactivate { 240 u32 handle; /* In */ 241} __packed; 242 243/** 244 * struct sev_data_guest_status - SEV GUEST_STATUS command parameters 245 * 246 * @handle: handle of the VM to retrieve status 247 * @policy: policy information for the VM 248 * @asid: current ASID of the VM 249 * @state: current state of the VM 250 */ 251struct sev_data_guest_status { 252 u32 handle; /* In */ 253 u32 policy; /* Out */ 254 u32 asid; /* Out */ 255 u8 state; /* Out */ 256} __packed; 257 258/** 259 * struct sev_data_launch_start - LAUNCH_START command parameters 260 * 261 * @handle: handle assigned to the VM 262 * @policy: guest launch policy 263 * @dh_cert_address: physical address of DH certificate blob 264 * @dh_cert_len: len of DH certificate blob 265 * @session_address: physical address of session parameters 266 * @session_len: len of session parameters 267 */ 268struct sev_data_launch_start { 269 u32 handle; /* In/Out */ 270 u32 policy; /* In */ 271 u64 dh_cert_address; /* In */ 272 u32 dh_cert_len; /* In */ 273 u32 reserved; /* In */ 274 u64 session_address; /* In */ 275 u32 session_len; /* In */ 276} __packed; 277 278/** 279 * struct sev_data_launch_update_data - LAUNCH_UPDATE_DATA command parameter 280 * 281 * @handle: handle of the VM to update 282 * @len: len of memory to be encrypted 283 * @address: physical address of memory region to encrypt 284 */ 285struct sev_data_launch_update_data { 286 u32 handle; /* In */ 287 u32 reserved; 288 u64 address; /* In */ 289 u32 len; /* In */ 290} __packed; 291 292/** 293 * struct sev_data_launch_update_vmsa - LAUNCH_UPDATE_VMSA command 294 * 295 * @handle: handle of the VM 296 * @address: physical address of memory region to encrypt 297 * @len: len of memory region to encrypt 298 */ 299struct sev_data_launch_update_vmsa { 300 u32 handle; /* In */ 301 u32 reserved; 302 u64 address; /* In */ 303 u32 len; /* In */ 304} __packed; 305 306/** 307 * struct sev_data_launch_measure - LAUNCH_MEASURE command parameters 308 * 309 * @handle: handle of the VM to process 310 * @address: physical address containing the measurement blob 311 * @len: len of measurement blob 312 */ 313struct sev_data_launch_measure { 314 u32 handle; /* In */ 315 u32 reserved; 316 u64 address; /* In */ 317 u32 len; /* In/Out */ 318} __packed; 319 320/** 321 * struct sev_data_launch_secret - LAUNCH_SECRET command parameters 322 * 323 * @handle: handle of the VM to process 324 * @hdr_address: physical address containing the packet header 325 * @hdr_len: len of packet header 326 * @guest_address: system physical address of guest memory region 327 * @guest_len: len of guest_paddr 328 * @trans_address: physical address of transport memory buffer 329 * @trans_len: len of transport memory buffer 330 */ 331struct sev_data_launch_secret { 332 u32 handle; /* In */ 333 u32 reserved1; 334 u64 hdr_address; /* In */ 335 u32 hdr_len; /* In */ 336 u32 reserved2; 337 u64 guest_address; /* In */ 338 u32 guest_len; /* In */ 339 u32 reserved3; 340 u64 trans_address; /* In */ 341 u32 trans_len; /* In */ 342} __packed; 343 344/** 345 * struct sev_data_launch_finish - LAUNCH_FINISH command parameters 346 * 347 * @handle: handle of the VM to process 348 */ 349struct sev_data_launch_finish { 350 u32 handle; /* In */ 351} __packed; 352 353/** 354 * struct sev_data_send_start - SEND_START command parameters 355 * 356 * @handle: handle of the VM to process 357 * @policy: policy information for the VM 358 * @pdh_cert_address: physical address containing PDH certificate 359 * @pdh_cert_len: len of PDH certificate 360 * @plat_certs_address: physical address containing platform certificate 361 * @plat_certs_len: len of platform certificate 362 * @amd_certs_address: physical address containing AMD certificate 363 * @amd_certs_len: len of AMD certificate 364 * @session_address: physical address containing Session data 365 * @session_len: len of session data 366 */ 367struct sev_data_send_start { 368 u32 handle; /* In */ 369 u32 policy; /* Out */ 370 u64 pdh_cert_address; /* In */ 371 u32 pdh_cert_len; /* In */ 372 u32 reserved1; 373 u64 plat_certs_address; /* In */ 374 u32 plat_certs_len; /* In */ 375 u32 reserved2; 376 u64 amd_certs_address; /* In */ 377 u32 amd_certs_len; /* In */ 378 u32 reserved3; 379 u64 session_address; /* In */ 380 u32 session_len; /* In/Out */ 381} __packed; 382 383/** 384 * struct sev_data_send_update - SEND_UPDATE_DATA command 385 * 386 * @handle: handle of the VM to process 387 * @hdr_address: physical address containing packet header 388 * @hdr_len: len of packet header 389 * @guest_address: physical address of guest memory region to send 390 * @guest_len: len of guest memory region to send 391 * @trans_address: physical address of host memory region 392 * @trans_len: len of host memory region 393 */ 394struct sev_data_send_update_data { 395 u32 handle; /* In */ 396 u32 reserved1; 397 u64 hdr_address; /* In */ 398 u32 hdr_len; /* In/Out */ 399 u32 reserved2; 400 u64 guest_address; /* In */ 401 u32 guest_len; /* In */ 402 u32 reserved3; 403 u64 trans_address; /* In */ 404 u32 trans_len; /* In */ 405} __packed; 406 407/** 408 * struct sev_data_send_update - SEND_UPDATE_VMSA command 409 * 410 * @handle: handle of the VM to process 411 * @hdr_address: physical address containing packet header 412 * @hdr_len: len of packet header 413 * @guest_address: physical address of guest memory region to send 414 * @guest_len: len of guest memory region to send 415 * @trans_address: physical address of host memory region 416 * @trans_len: len of host memory region 417 */ 418struct sev_data_send_update_vmsa { 419 u32 handle; /* In */ 420 u64 hdr_address; /* In */ 421 u32 hdr_len; /* In/Out */ 422 u32 reserved2; 423 u64 guest_address; /* In */ 424 u32 guest_len; /* In */ 425 u32 reserved3; 426 u64 trans_address; /* In */ 427 u32 trans_len; /* In */ 428} __packed; 429 430/** 431 * struct sev_data_send_finish - SEND_FINISH command parameters 432 * 433 * @handle: handle of the VM to process 434 */ 435struct sev_data_send_finish { 436 u32 handle; /* In */ 437} __packed; 438 439/** 440 * struct sev_data_send_cancel - SEND_CANCEL command parameters 441 * 442 * @handle: handle of the VM to process 443 */ 444struct sev_data_send_cancel { 445 u32 handle; /* In */ 446} __packed; 447 448/** 449 * struct sev_data_receive_start - RECEIVE_START command parameters 450 * 451 * @handle: handle of the VM to perform receive operation 452 * @pdh_cert_address: system physical address containing PDH certificate blob 453 * @pdh_cert_len: len of PDH certificate blob 454 * @session_address: system physical address containing session blob 455 * @session_len: len of session blob 456 */ 457struct sev_data_receive_start { 458 u32 handle; /* In/Out */ 459 u32 policy; /* In */ 460 u64 pdh_cert_address; /* In */ 461 u32 pdh_cert_len; /* In */ 462 u32 reserved1; 463 u64 session_address; /* In */ 464 u32 session_len; /* In */ 465} __packed; 466 467/** 468 * struct sev_data_receive_update_data - RECEIVE_UPDATE_DATA command parameters 469 * 470 * @handle: handle of the VM to update 471 * @hdr_address: physical address containing packet header blob 472 * @hdr_len: len of packet header 473 * @guest_address: system physical address of guest memory region 474 * @guest_len: len of guest memory region 475 * @trans_address: system physical address of transport buffer 476 * @trans_len: len of transport buffer 477 */ 478struct sev_data_receive_update_data { 479 u32 handle; /* In */ 480 u32 reserved1; 481 u64 hdr_address; /* In */ 482 u32 hdr_len; /* In */ 483 u32 reserved2; 484 u64 guest_address; /* In */ 485 u32 guest_len; /* In */ 486 u32 reserved3; 487 u64 trans_address; /* In */ 488 u32 trans_len; /* In */ 489} __packed; 490 491/** 492 * struct sev_data_receive_update_vmsa - RECEIVE_UPDATE_VMSA command parameters 493 * 494 * @handle: handle of the VM to update 495 * @hdr_address: physical address containing packet header blob 496 * @hdr_len: len of packet header 497 * @guest_address: system physical address of guest memory region 498 * @guest_len: len of guest memory region 499 * @trans_address: system physical address of transport buffer 500 * @trans_len: len of transport buffer 501 */ 502struct sev_data_receive_update_vmsa { 503 u32 handle; /* In */ 504 u32 reserved1; 505 u64 hdr_address; /* In */ 506 u32 hdr_len; /* In */ 507 u32 reserved2; 508 u64 guest_address; /* In */ 509 u32 guest_len; /* In */ 510 u32 reserved3; 511 u64 trans_address; /* In */ 512 u32 trans_len; /* In */ 513} __packed; 514 515/** 516 * struct sev_data_receive_finish - RECEIVE_FINISH command parameters 517 * 518 * @handle: handle of the VM to finish 519 */ 520struct sev_data_receive_finish { 521 u32 handle; /* In */ 522} __packed; 523 524/** 525 * struct sev_data_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters 526 * 527 * @handle: handle of the VM to perform debug operation 528 * @src_addr: source address of data to operate on 529 * @dst_addr: destination address of data to operate on 530 * @len: len of data to operate on 531 */ 532struct sev_data_dbg { 533 u32 handle; /* In */ 534 u32 reserved; 535 u64 src_addr; /* In */ 536 u64 dst_addr; /* In */ 537 u32 len; /* In */ 538} __packed; 539 540/** 541 * struct sev_data_attestation_report - SEV_ATTESTATION_REPORT command parameters 542 * 543 * @handle: handle of the VM 544 * @mnonce: a random nonce that will be included in the report. 545 * @address: physical address where the report will be copied. 546 * @len: length of the physical buffer. 547 */ 548struct sev_data_attestation_report { 549 u32 handle; /* In */ 550 u32 reserved; 551 u64 address; /* In */ 552 u8 mnonce[16]; /* In */ 553 u32 len; /* In/Out */ 554} __packed; 555 556/** 557 * struct sev_data_snp_download_firmware - SNP_DOWNLOAD_FIRMWARE command params 558 * 559 * @address: physical address of firmware image 560 * @len: length of the firmware image 561 */ 562struct sev_data_snp_download_firmware { 563 u64 address; /* In */ 564 u32 len; /* In */ 565} __packed; 566 567/** 568 * struct sev_data_snp_activate - SNP_ACTIVATE command params 569 * 570 * @gctx_paddr: system physical address guest context page 571 * @asid: ASID to bind to the guest 572 */ 573struct sev_data_snp_activate { 574 u64 gctx_paddr; /* In */ 575 u32 asid; /* In */ 576} __packed; 577 578/** 579 * struct sev_data_snp_addr - generic SNP command params 580 * 581 * @address: physical address of generic data param 582 */ 583struct sev_data_snp_addr { 584 u64 address; /* In/Out */ 585} __packed; 586 587/** 588 * struct sev_data_snp_launch_start - SNP_LAUNCH_START command params 589 * 590 * @gctx_paddr: system physical address of guest context page 591 * @policy: guest policy 592 * @ma_gctx_paddr: system physical address of migration agent 593 * @ma_en: the guest is associated with a migration agent 594 * @imi_en: launch flow is launching an IMI (Incoming Migration Image) for the 595 * purpose of guest-assisted migration. 596 * @rsvd: reserved 597 * @gosvw: guest OS-visible workarounds, as defined by hypervisor 598 */ 599struct sev_data_snp_launch_start { 600 u64 gctx_paddr; /* In */ 601 u64 policy; /* In */ 602 u64 ma_gctx_paddr; /* In */ 603 u32 ma_en:1; /* In */ 604 u32 imi_en:1; /* In */ 605 u32 rsvd:30; 606 u8 gosvw[16]; /* In */ 607} __packed; 608 609/* SNP support page type */ 610enum { 611 SNP_PAGE_TYPE_NORMAL = 0x1, 612 SNP_PAGE_TYPE_VMSA = 0x2, 613 SNP_PAGE_TYPE_ZERO = 0x3, 614 SNP_PAGE_TYPE_UNMEASURED = 0x4, 615 SNP_PAGE_TYPE_SECRET = 0x5, 616 SNP_PAGE_TYPE_CPUID = 0x6, 617 618 SNP_PAGE_TYPE_MAX 619}; 620 621/** 622 * struct sev_data_snp_launch_update - SNP_LAUNCH_UPDATE command params 623 * 624 * @gctx_paddr: system physical address of guest context page 625 * @page_size: page size 0 indicates 4K and 1 indicates 2MB page 626 * @page_type: encoded page type 627 * @imi_page: indicates that this page is part of the IMI (Incoming Migration 628 * Image) of the guest 629 * @rsvd: reserved 630 * @rsvd2: reserved 631 * @address: system physical address of destination page to encrypt 632 * @rsvd3: reserved 633 * @vmpl1_perms: VMPL permission mask for VMPL1 634 * @vmpl2_perms: VMPL permission mask for VMPL2 635 * @vmpl3_perms: VMPL permission mask for VMPL3 636 * @rsvd4: reserved 637 */ 638struct sev_data_snp_launch_update { 639 u64 gctx_paddr; /* In */ 640 u32 page_size:1; /* In */ 641 u32 page_type:3; /* In */ 642 u32 imi_page:1; /* In */ 643 u32 rsvd:27; 644 u32 rsvd2; 645 u64 address; /* In */ 646 u32 rsvd3:8; 647 u32 vmpl1_perms:8; /* In */ 648 u32 vmpl2_perms:8; /* In */ 649 u32 vmpl3_perms:8; /* In */ 650 u32 rsvd4; 651} __packed; 652 653/** 654 * struct sev_data_snp_launch_finish - SNP_LAUNCH_FINISH command params 655 * 656 * @gctx_paddr: system physical address of guest context page 657 * @id_block_paddr: system physical address of ID block 658 * @id_auth_paddr: system physical address of ID block authentication structure 659 * @id_block_en: indicates whether ID block is present 660 * @auth_key_en: indicates whether author key is present in authentication structure 661 * @rsvd: reserved 662 * @host_data: host-supplied data for guest, not interpreted by firmware 663 */ 664struct sev_data_snp_launch_finish { 665 u64 gctx_paddr; 666 u64 id_block_paddr; 667 u64 id_auth_paddr; 668 u8 id_block_en:1; 669 u8 auth_key_en:1; 670 u64 rsvd:62; 671 u8 host_data[32]; 672} __packed; 673 674/** 675 * struct sev_data_snp_guest_status - SNP_GUEST_STATUS command params 676 * 677 * @gctx_paddr: system physical address of guest context page 678 * @address: system physical address of guest status page 679 */ 680struct sev_data_snp_guest_status { 681 u64 gctx_paddr; 682 u64 address; 683} __packed; 684 685/** 686 * struct sev_data_snp_page_reclaim - SNP_PAGE_RECLAIM command params 687 * 688 * @paddr: system physical address of page to be claimed. The 0th bit in the 689 * address indicates the page size. 0h indicates 4KB and 1h indicates 690 * 2MB page. 691 */ 692struct sev_data_snp_page_reclaim { 693 u64 paddr; 694} __packed; 695 696/** 697 * struct sev_data_snp_page_unsmash - SNP_PAGE_UNSMASH command params 698 * 699 * @paddr: system physical address of page to be unsmashed. The 0th bit in the 700 * address indicates the page size. 0h indicates 4 KB and 1h indicates 701 * 2 MB page. 702 */ 703struct sev_data_snp_page_unsmash { 704 u64 paddr; 705} __packed; 706 707/** 708 * struct sev_data_snp_dbg - DBG_ENCRYPT/DBG_DECRYPT command parameters 709 * 710 * @gctx_paddr: system physical address of guest context page 711 * @src_addr: source address of data to operate on 712 * @dst_addr: destination address of data to operate on 713 */ 714struct sev_data_snp_dbg { 715 u64 gctx_paddr; /* In */ 716 u64 src_addr; /* In */ 717 u64 dst_addr; /* In */ 718} __packed; 719 720/** 721 * struct sev_data_snp_guest_request - SNP_GUEST_REQUEST command params 722 * 723 * @gctx_paddr: system physical address of guest context page 724 * @req_paddr: system physical address of request page 725 * @res_paddr: system physical address of response page 726 */ 727struct sev_data_snp_guest_request { 728 u64 gctx_paddr; /* In */ 729 u64 req_paddr; /* In */ 730 u64 res_paddr; /* In */ 731} __packed; 732 733/** 734 * struct sev_data_snp_init_ex - SNP_INIT_EX structure 735 * 736 * @init_rmp: indicate that the RMP should be initialized. 737 * @list_paddr_en: indicate that list_paddr is valid 738 * @rsvd: reserved 739 * @rsvd1: reserved 740 * @list_paddr: system physical address of range list 741 * @rsvd2: reserved 742 */ 743struct sev_data_snp_init_ex { 744 u32 init_rmp:1; 745 u32 list_paddr_en:1; 746 u32 rsvd:30; 747 u32 rsvd1; 748 u64 list_paddr; 749 u8 rsvd2[48]; 750} __packed; 751 752/** 753 * struct sev_data_range - RANGE structure 754 * 755 * @base: system physical address of first byte of range 756 * @page_count: number of 4KB pages in this range 757 * @rsvd: reserved 758 */ 759struct sev_data_range { 760 u64 base; 761 u32 page_count; 762 u32 rsvd; 763} __packed; 764 765/** 766 * struct sev_data_range_list - RANGE_LIST structure 767 * 768 * @num_elements: number of elements in RANGE_ARRAY 769 * @rsvd: reserved 770 * @ranges: array of num_elements of type RANGE 771 */ 772struct sev_data_range_list { 773 u32 num_elements; 774 u32 rsvd; 775 struct sev_data_range ranges[]; 776} __packed; 777 778/** 779 * struct sev_data_snp_shutdown_ex - SNP_SHUTDOWN_EX structure 780 * 781 * @len: length of the command buffer read by the PSP 782 * @iommu_snp_shutdown: Disable enforcement of SNP in the IOMMU 783 * @rsvd1: reserved 784 */ 785struct sev_data_snp_shutdown_ex { 786 u32 len; 787 u32 iommu_snp_shutdown:1; 788 u32 rsvd1:31; 789} __packed; 790 791/** 792 * struct sev_platform_init_args 793 * 794 * @error: SEV firmware error code 795 * @probe: True if this is being called as part of CCP module probe, which 796 * will defer SEV_INIT/SEV_INIT_EX firmware initialization until needed 797 * unless psp_init_on_probe module param is set 798 */ 799struct sev_platform_init_args { 800 int error; 801 bool probe; 802}; 803 804/** 805 * struct sev_data_snp_commit - SNP_COMMIT structure 806 * 807 * @len: length of the command buffer read by the PSP 808 */ 809struct sev_data_snp_commit { 810 u32 len; 811} __packed; 812 813#ifdef CONFIG_CRYPTO_DEV_SP_PSP 814 815/** 816 * sev_platform_init - perform SEV INIT command 817 * 818 * @args: struct sev_platform_init_args to pass in arguments 819 * 820 * Returns: 821 * 0 if the SEV successfully processed the command 822 * -%ENODEV if the SEV device is not available 823 * -%ENOTSUPP if the SEV does not support SEV 824 * -%ETIMEDOUT if the SEV command timed out 825 * -%EIO if the SEV returned a non-zero return code 826 */ 827int sev_platform_init(struct sev_platform_init_args *args); 828 829/** 830 * sev_platform_status - perform SEV PLATFORM_STATUS command 831 * 832 * @status: sev_user_data_status structure to be processed 833 * @error: SEV command return code 834 * 835 * Returns: 836 * 0 if the SEV successfully processed the command 837 * -%ENODEV if the SEV device is not available 838 * -%ENOTSUPP if the SEV does not support SEV 839 * -%ETIMEDOUT if the SEV command timed out 840 * -%EIO if the SEV returned a non-zero return code 841 */ 842int sev_platform_status(struct sev_user_data_status *status, int *error); 843 844/** 845 * sev_issue_cmd_external_user - issue SEV command by other driver with a file 846 * handle. 847 * 848 * This function can be used by other drivers to issue a SEV command on 849 * behalf of userspace. The caller must pass a valid SEV file descriptor 850 * so that we know that it has access to SEV device. 851 * 852 * @filep - SEV device file pointer 853 * @cmd - command to issue 854 * @data - command buffer 855 * @error: SEV command return code 856 * 857 * Returns: 858 * 0 if the SEV successfully processed the command 859 * -%ENODEV if the SEV device is not available 860 * -%ENOTSUPP if the SEV does not support SEV 861 * -%ETIMEDOUT if the SEV command timed out 862 * -%EIO if the SEV returned a non-zero return code 863 * -%EINVAL if the SEV file descriptor is not valid 864 */ 865int sev_issue_cmd_external_user(struct file *filep, unsigned int id, 866 void *data, int *error); 867 868/** 869 * sev_guest_deactivate - perform SEV DEACTIVATE command 870 * 871 * @deactivate: sev_data_deactivate structure to be processed 872 * @sev_ret: sev command return code 873 * 874 * Returns: 875 * 0 if the sev successfully processed the command 876 * -%ENODEV if the sev device is not available 877 * -%ENOTSUPP if the sev does not support SEV 878 * -%ETIMEDOUT if the sev command timed out 879 * -%EIO if the sev returned a non-zero return code 880 */ 881int sev_guest_deactivate(struct sev_data_deactivate *data, int *error); 882 883/** 884 * sev_guest_activate - perform SEV ACTIVATE command 885 * 886 * @activate: sev_data_activate structure to be processed 887 * @sev_ret: sev command return code 888 * 889 * Returns: 890 * 0 if the sev successfully processed the command 891 * -%ENODEV if the sev device is not available 892 * -%ENOTSUPP if the sev does not support SEV 893 * -%ETIMEDOUT if the sev command timed out 894 * -%EIO if the sev returned a non-zero return code 895 */ 896int sev_guest_activate(struct sev_data_activate *data, int *error); 897 898/** 899 * sev_guest_df_flush - perform SEV DF_FLUSH command 900 * 901 * @sev_ret: sev command return code 902 * 903 * Returns: 904 * 0 if the sev successfully processed the command 905 * -%ENODEV if the sev device is not available 906 * -%ENOTSUPP if the sev does not support SEV 907 * -%ETIMEDOUT if the sev command timed out 908 * -%EIO if the sev returned a non-zero return code 909 */ 910int sev_guest_df_flush(int *error); 911 912/** 913 * sev_guest_decommission - perform SEV DECOMMISSION command 914 * 915 * @decommission: sev_data_decommission structure to be processed 916 * @sev_ret: sev command return code 917 * 918 * Returns: 919 * 0 if the sev successfully processed the command 920 * -%ENODEV if the sev device is not available 921 * -%ENOTSUPP if the sev does not support SEV 922 * -%ETIMEDOUT if the sev command timed out 923 * -%EIO if the sev returned a non-zero return code 924 */ 925int sev_guest_decommission(struct sev_data_decommission *data, int *error); 926 927/** 928 * sev_do_cmd - issue an SEV or an SEV-SNP command 929 * 930 * @cmd: SEV or SEV-SNP firmware command to issue 931 * @data: arguments for firmware command 932 * @psp_ret: SEV command return code 933 * 934 * Returns: 935 * 0 if the SEV device successfully processed the command 936 * -%ENODEV if the PSP device is not available 937 * -%ENOTSUPP if PSP device does not support SEV 938 * -%ETIMEDOUT if the SEV command timed out 939 * -%EIO if PSP device returned a non-zero return code 940 */ 941int sev_do_cmd(int cmd, void *data, int *psp_ret); 942 943void *psp_copy_user_blob(u64 uaddr, u32 len); 944void *snp_alloc_firmware_page(gfp_t mask); 945void snp_free_firmware_page(void *addr); 946 947#else /* !CONFIG_CRYPTO_DEV_SP_PSP */ 948 949static inline int 950sev_platform_status(struct sev_user_data_status *status, int *error) { return -ENODEV; } 951 952static inline int sev_platform_init(struct sev_platform_init_args *args) { return -ENODEV; } 953 954static inline int 955sev_guest_deactivate(struct sev_data_deactivate *data, int *error) { return -ENODEV; } 956 957static inline int 958sev_guest_decommission(struct sev_data_decommission *data, int *error) { return -ENODEV; } 959 960static inline int 961sev_do_cmd(int cmd, void *data, int *psp_ret) { return -ENODEV; } 962 963static inline int 964sev_guest_activate(struct sev_data_activate *data, int *error) { return -ENODEV; } 965 966static inline int sev_guest_df_flush(int *error) { return -ENODEV; } 967 968static inline int 969sev_issue_cmd_external_user(struct file *filep, unsigned int id, void *data, int *error) { return -ENODEV; } 970 971static inline void *psp_copy_user_blob(u64 __user uaddr, u32 len) { return ERR_PTR(-EINVAL); } 972 973static inline void *snp_alloc_firmware_page(gfp_t mask) 974{ 975 return NULL; 976} 977 978static inline void snp_free_firmware_page(void *addr) { } 979 980#endif /* CONFIG_CRYPTO_DEV_SP_PSP */ 981 982#endif /* __PSP_SEV_H__ */ 983