From f93541af145522e6e5a0369abc95cabd99015724 Mon Sep 17 00:00:00 2001 From: NiZhiguang Date: Tue, 10 Jun 2025 06:29:24 +0000 Subject: [PATCH 01/14] crypto: ccp: Introduce hygon specific interface to support driver hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICDX0U CVE: NA -------------------------------- Hygon secure processors provide a lot of security functions, which require a lot of code to support. In order to prevent Hygon function code from invading the driver's native code, we introduce specific files for Hygon. We'll leave the native code unchanged as much as possible. In this patch, we add files as below: a. files for codes to support Hygon secure processor: drivers/crypto/ccp/hygon/sp-dev.h drivers/crypto/ccp/hygon/sp-pci.c drivers/crypto/ccp/hygon/psp-dev.c drivers/crypto/ccp/hygon/psp-dev.h b. header file to define data types and structures for HYGON Platform Security Processor: include/linux/psp-hygon.h c. header file to define userspace interface for HYGON Platform Security Processor: include/uapi/linux/psp-hygon.h We'll add more Hygon specific code in the following commits. Signed-off-by: NiZhiguang --- drivers/crypto/ccp/Makefile | 6 ++-- drivers/crypto/ccp/hygon/psp-dev.c | 19 ++++++++++++ drivers/crypto/ccp/hygon/psp-dev.h | 30 +++++++++++++++++++ drivers/crypto/ccp/hygon/sp-dev.h | 30 +++++++++++++++++++ drivers/crypto/ccp/hygon/sp-pci.c | 48 ++++++++++++++++++++++++++++++ drivers/crypto/ccp/sev-dev.c | 19 ++++++++++++ include/linux/psp-hygon.h | 17 +++++++++++ include/uapi/linux/psp-hygon.h | 14 +++++++++ 8 files changed, 181 insertions(+), 2 deletions(-) create mode 100644 drivers/crypto/ccp/hygon/psp-dev.c create mode 100644 drivers/crypto/ccp/hygon/psp-dev.h create mode 100644 drivers/crypto/ccp/hygon/sp-dev.h create mode 100644 drivers/crypto/ccp/hygon/sp-pci.c create mode 100644 include/linux/psp-hygon.h create mode 100644 include/uapi/linux/psp-hygon.h 
diff --git a/drivers/crypto/ccp/Makefile b/drivers/crypto/ccp/Makefile index db362fe472ea..7f920a6d4002 100644 --- a/drivers/crypto/ccp/Makefile +++ b/drivers/crypto/ccp/Makefile @@ -7,10 +7,12 @@ ccp-$(CONFIG_CRYPTO_DEV_SP_CCP) += ccp-dev.o \ ccp-dev-v5.o \ ccp-dmaengine.o ccp-$(CONFIG_CRYPTO_DEV_CCP_DEBUGFS) += ccp-debugfs.o -ccp-$(CONFIG_PCI) += sp-pci.o +ccp-$(CONFIG_PCI) += sp-pci.o \ + hygon/sp-pci.o ccp-$(CONFIG_CRYPTO_DEV_SP_PSP) += psp-dev.o \ sev-dev.o \ - tee-dev.o + tee-dev.o \ + hygon/psp-dev.o obj-$(CONFIG_CRYPTO_DEV_CCP_CRYPTO) += ccp-crypto.o ccp-crypto-objs := ccp-crypto-main.o \ diff --git a/drivers/crypto/ccp/hygon/psp-dev.c b/drivers/crypto/ccp/hygon/psp-dev.c new file mode 100644 index 000000000000..736f9aaaa37a --- /dev/null +++ b/drivers/crypto/ccp/hygon/psp-dev.c @@ -0,0 +1,19 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * HYGON Platform Security Processor (PSP) interface + * + * Copyright (C) 2024 Hygon Info Technologies Ltd. + * + * Author: Liyang Han + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include + +#include "psp-dev.h" + +/* Function and variable pointers for hooks */ +struct hygon_psp_hooks_table hygon_psp_hooks; diff --git a/drivers/crypto/ccp/hygon/psp-dev.h b/drivers/crypto/ccp/hygon/psp-dev.h new file mode 100644 index 000000000000..ae5ea387d4af --- /dev/null +++ b/drivers/crypto/ccp/hygon/psp-dev.h 
@@ -0,0 +1,30 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * HYGON Platform Security Processor (PSP) driver interface + * + * Copyright (C) 2024 Hygon Info Technologies Ltd. + * + * Author: Liyang Han + */ + +#ifndef __CCP_HYGON_PSP_DEV_H__ +#define __CCP_HYGON_PSP_DEV_H__ + +#include + +#include "sp-dev.h" + +#include "../psp-dev.h" +#include "../sev-dev.h" + +/* + * Hooks table: a table of function and variable pointers filled in + * when psp init. + */ +extern struct hygon_psp_hooks_table { + bool sev_dev_hooks_installed; + struct mutex *sev_cmd_mutex; + int (*__sev_do_cmd_locked)(int cmd, void *data, int *psp_ret); +} hygon_psp_hooks; + +#endif /* __CCP_HYGON_PSP_DEV_H__ */ diff --git a/drivers/crypto/ccp/hygon/sp-dev.h b/drivers/crypto/ccp/hygon/sp-dev.h new file mode 100644 index 000000000000..5ca8680b3045 --- /dev/null +++ b/drivers/crypto/ccp/hygon/sp-dev.h @@ -0,0 +1,30 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * HYGON Secure Processor interface + * + * Copyright (C) 2024 Hygon Info Technologies Ltd. + * + * Author: Liyang Han + */ + +#ifndef __CCP_HYGON_SP_DEV_H__ +#define __CCP_HYGON_SP_DEV_H__ + +#include +#include + +#include "../ccp-dev.h" +#include "../sp-dev.h" + +#ifdef CONFIG_X86_64 +static inline bool is_vendor_hygon(void) +{ + return boot_cpu_data.x86_vendor == X86_VENDOR_HYGON; +} +#else +static inline bool is_vendor_hygon(void) { return false; } +#endif + +extern const struct sp_dev_vdata hygon_dev_vdata[]; + +#endif /* __CCP_HYGON_SP_DEV_H__ */ diff --git a/drivers/crypto/ccp/hygon/sp-pci.c b/drivers/crypto/ccp/hygon/sp-pci.c new file mode 100644 index 000000000000..5520760361cd --- /dev/null +++ b/drivers/crypto/ccp/hygon/sp-pci.c 
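Review bot: The `hygon_psp_hooks_table` declaration in hygon/psp-dev.h states no contract for its readers: nothing says that `sev_dev_hooks_installed` must be tested before any other member is dereferenced, nor that the pointers are NULL (file-scope zero initialisation) until sev-dev fills them in. Extend the comment above the struct with `* Filled in by sev-dev during init; readers must check sev_dev_hooks_installed before dereferencing any other member, which is otherwise NULL.` The member name `__sev_do_cmd_locked` mirrors the function it will point to, but a leading double underscore is reserved for the implementation; a plain `sev_do_cmd_locked` is the conventional spelling for a struct field.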
@@ -0,0 +1,48 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * HYGON Secure Processor interface driver + * + * Copyright (C) 2024 Hygon Info Technologies Ltd. + * + * Author: Liyang Han + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include "sp-dev.h" + +#ifdef CONFIG_CRYPTO_DEV_SP_PSP +static const struct sev_vdata csvv1 = { + .cmdresp_reg = 0x10580, /* C2PMSG_32 */ + .cmdbuff_addr_lo_reg = 0x105e0, /* C2PMSG_56 */ + .cmdbuff_addr_hi_reg = 0x105e4, /* C2PMSG_57 */ +}; + +static const struct psp_vdata pspv1 = { + .sev = &csvv1, + .feature_reg = 0x105fc, /* C2PMSG_63 */ + .inten_reg = 0x10610, /* P2CMSG_INTEN */ + .intsts_reg = 0x10614, /* P2CMSG_INTSTS */ +}; + +#endif + +const struct sp_dev_vdata hygon_dev_vdata[] = { + { /* 0 */ + .bar = 2, +#ifdef CONFIG_CRYPTO_DEV_SP_CCP + .ccp_vdata = &ccpv5a, +#endif +#ifdef CONFIG_CRYPTO_DEV_SP_PSP + .psp_vdata = &pspv1, +#endif + }, + { /* 1 */ + .bar = 2, +#ifdef CONFIG_CRYPTO_DEV_SP_CCP + .ccp_vdata = &ccpv5b, +#endif + }, +}; diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index b00dcc2be897..641ad963f301 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -24,6 +24,8 @@ #include "psp-dev.h" #include "sev-dev.h" +#include "hygon/psp-dev.h" + #define DEVICE_NAME "sev" #define SEV_FW_FILE "amd/sev.fw" #define SEV_FW_NAME_SIZE 64 
@@ -936,12 +938,29 @@ static int sev_misc_init(struct sev_device *sev) return 0; } +/* Code to set all of the function and variable pointers */ +static void sev_dev_install_hooks(void) +{ + hygon_psp_hooks.sev_cmd_mutex = &sev_cmd_mutex; + hygon_psp_hooks.__sev_do_cmd_locked = __sev_do_cmd_locked; + + hygon_psp_hooks.sev_dev_hooks_installed = true; +} + int sev_dev_init(struct psp_device *psp) { struct device *dev = psp->dev; struct sev_device *sev; int ret = -ENOMEM; + /* + * Install sev-dev related function and variable pointers hooks only + * for Hygon vendor, install these hooks here, even though the + * following initialization fails. + */ + if (is_vendor_hygon()) + sev_dev_install_hooks(); + sev = devm_kzalloc(dev, sizeof(*sev), GFP_KERNEL); if (!sev) goto e_err; diff --git a/include/linux/psp-hygon.h b/include/linux/psp-hygon.h new file mode 100644 index 000000000000..a313ab74b75a --- /dev/null +++ b/include/linux/psp-hygon.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * HYGON Platform Security Processor (PSP) driver interface + * + * Copyright (C) 2024 Hygon Info Technologies Ltd. + * + * Author: Liyang Han + */ + +#ifndef __PSP_HYGON_H__ +#define __PSP_HYGON_H__ + +#ifdef CONFIG_CRYPTO_DEV_SP_PSP +#else /* !CONFIG_CRYPTO_DEV_SP_PSP */ +#endif /* CONFIG_CRYPTO_DEV_SP_PSP */ + +#endif /* __PSP_HYGON_H__ */ diff --git a/include/uapi/linux/psp-hygon.h b/include/uapi/linux/psp-hygon.h new file mode 100644 index 000000000000..cd9f2d4046c8 --- /dev/null +++ b/include/uapi/linux/psp-hygon.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */ +/* + * Userspace interface for HYGON Platform Security Processor (PSP) + * commands. + * + * Copyright (C) 2024 Hygon Info Technologies Ltd. + * + * Author: Liyang Han + */ + +#ifndef __PSP_HYGON_USER_H__ +#define __PSP_HYGON_USER_H__ + +#endif /* __PSP_HYGON_USER_H__ */ -- Gitee From 508091d2b6b926464de3deef959887c9c7d56d18 Mon Sep 17 00:00:00 2001 
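Review bot: The comment above the `is_vendor_hygon()` call in sev_dev_init says the hooks are installed "even though the following initialization fails", which reads as a statement of fact where "even if" is meant, and it does not tell consumers of the table what the flag does and does not guarantee: `sev_dev_hooks_installed` becomes true before `devm_kzalloc` runs, so it only says the pointers are valid, not that a usable sev device exists. Suggested wording: `* Install the sev-dev hooks for Hygon before anything below can fail. The table only vouches for the pointers; a consumer must still check that a sev device was initialised.` sev_dev_init continues past the end of the hunk, and as far as this series shows the install is never undone on teardown, which the same comment could state.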
From: NiZhiguang Date: Tue, 10 Jun 2025 06:31:06 +0000 Subject: [PATCH 02/14] crypto: ccp: Don't check tee support on Hygon platform hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICDX0U CVE: NA -------------------------------- The meaning of the data read from the feature register of Hygon PSP is not exactly the same as that from the feature register of AMD ASP. The bit 1 in the feature register is used to indicate TEE in AMD ASP, but not in Hygon PSP. This discrepancy will lead to initialization failure in the code path psp_init() -> tee_dev_init() on Hygon CPUs. Signed-off-by: NiZhiguang --- drivers/crypto/ccp/psp-dev.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c index e95e7aa5dbf1..0234aab184df 100644 --- a/drivers/crypto/ccp/psp-dev.c +++ b/drivers/crypto/ccp/psp-dev.c @@ -15,6 +15,8 @@ #include "sev-dev.h" #include "tee-dev.h" +#include "hygon/psp-dev.h" + struct psp_device *psp_master; static struct psp_device *psp_alloc_struct(struct sp_device *sp) @@ -91,6 +93,10 @@ static int psp_check_sev_support(struct psp_device *psp, static int psp_check_tee_support(struct psp_device *psp, unsigned int capability) { + /* Bit1 of the capability is not applied for Hygon psp */ + if (is_vendor_hygon()) + return -ENODEV; + /* Check if device supports TEE feature */ if (!(capability & 2)) { dev_dbg(psp->dev, "psp does not support TEE\n"); -- Gitee From a94ae0a9e36cc77bbcc22d9e24ed2462ad45fc82 Mon Sep 17 00:00:00 2001 From: NiZhiguang Date: Tue, 10 Jun 2025 06:31:48 +0000 Subject: [PATCH 03/14] crypto: ccp: Add support to detect CCP devices on Hygon 2nd and 3rd CPUs hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICDX0U CVE: NA -------------------------------- The are Secure Processor devices with 2 different PCI device IDs on Hygon 2nd and 3rd CPUs, add them in the device list. 
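Review bot: The Hygon early return added to psp_check_tee_support leaves no trace in the log, whereas the existing path immediately below it emits `dev_dbg(psp->dev, "psp does not support TEE\n")` before failing, so a mis-detected vendor on this path is harder to diagnose than on the native one. Add `dev_dbg(psp->dev, "TEE is not supported on Hygon psp\n");` ahead of the `return -ENODEV;`. The remainder of psp_check_tee_support lies outside the hunk.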
Signed-off-by: NiZhiguang --- drivers/crypto/ccp/sp-pci.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c index 6e70af6d91ed..8b6fbf14ed96 100644 --- a/drivers/crypto/ccp/sp-pci.c +++ b/drivers/crypto/ccp/sp-pci.c @@ -24,6 +24,8 @@ #include "ccp-dev.h" #include "psp-dev.h" +#include "hygon/sp-dev.h" + #define MSIX_VECTORS 2 struct sp_pci { @@ -420,6 +422,8 @@ static const struct pci_device_id sp_pci_table[] = { { PCI_VDEVICE(AMD, 0x15C7), (kernel_ulong_t)&dev_vdata[6] }, { PCI_VDEVICE(AMD, 0x17E0), (kernel_ulong_t)&dev_vdata[7] }, { PCI_VDEVICE(AMD, 0x156E), (kernel_ulong_t)&dev_vdata[8] }, + { PCI_VDEVICE(HYGON, 0x1456), (kernel_ulong_t)&hygon_dev_vdata[0] }, + { PCI_VDEVICE(HYGON, 0x1468), (kernel_ulong_t)&hygon_dev_vdata[1] }, /* Last entry must be zero */ { 0, } }; -- Gitee From 89e4d001d1692baf15e202e067b210e7a0151d91 Mon Sep 17 00:00:00 2001 From: NiZhiguang Date: Tue, 10 Jun 2025 06:32:31 +0000 Subject: [PATCH 04/14] crypto: ccp: Add support to detect CCP devices on Hygon 4th CPUs hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICDX0U CVE: NA -------------------------------- Since Hygon 4th CPUs, there are new Secure Processor devices with 3 different PCI device IDs, add them in the device list. Signed-off-by: NiZhiguang --- drivers/crypto/ccp/hygon/sp-pci.c | 16 ++++++++++++++++ drivers/crypto/ccp/sp-pci.c | 3 +++ 2 files changed, 19 insertions(+) diff --git a/drivers/crypto/ccp/hygon/sp-pci.c b/drivers/crypto/ccp/hygon/sp-pci.c index 5520760361cd..be31bf0764f6 100644 --- a/drivers/crypto/ccp/hygon/sp-pci.c +++ b/drivers/crypto/ccp/hygon/sp-pci.c @@ -27,6 +27,13 @@ static const struct psp_vdata pspv1 = { .intsts_reg = 0x10614, /* P2CMSG_INTSTS */ }; +static const struct psp_vdata pspv2 = { + .sev = &csvv1, + .feature_reg = 0x105fc, + .inten_reg = 0x10670, + .intsts_reg = 0x10674, +}; + #endif const struct sp_dev_vdata hygon_dev_vdata[] = { 
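Review bot: `pspv2` in hygon/sp-pci.c gives its `feature_reg`, `inten_reg` and `intsts_reg` offsets without the register-name comments that `pspv1` carries directly above it (`/* C2PMSG_63 */`, `/* P2CMSG_INTEN */`, `/* P2CMSG_INTSTS */`), so a reader cannot tell which registers moved between the two generations without the datasheet. Keep the tables consistent, e.g. `.inten_reg = 0x10670, /* P2CMSG_INTEN */` and `.intsts_reg = 0x10674, /* P2CMSG_INTSTS */`. That the new offsets correspond to the same register names is inferred from the pspv1 layout and should be confirmed against the Hygon register map before the comments are added.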
@@ -43,6 +50,15 @@ const struct sp_dev_vdata hygon_dev_vdata[] = { .bar = 2, #ifdef CONFIG_CRYPTO_DEV_SP_CCP .ccp_vdata = &ccpv5b, +#endif + }, + { /* 2 */ + .bar = 2, +#ifdef CONFIG_CRYPTO_DEV_SP_CCP + .ccp_vdata = &ccpv5a, +#endif +#ifdef CONFIG_CRYPTO_DEV_SP_PSP + .psp_vdata = &pspv2, #endif }, }; diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c index 8b6fbf14ed96..0767e7e6a772 100644 --- a/drivers/crypto/ccp/sp-pci.c +++ b/drivers/crypto/ccp/sp-pci.c @@ -424,6 +424,9 @@ static const struct pci_device_id sp_pci_table[] = { { PCI_VDEVICE(AMD, 0x156E), (kernel_ulong_t)&dev_vdata[8] }, { PCI_VDEVICE(HYGON, 0x1456), (kernel_ulong_t)&hygon_dev_vdata[0] }, { PCI_VDEVICE(HYGON, 0x1468), (kernel_ulong_t)&hygon_dev_vdata[1] }, + { PCI_VDEVICE(HYGON, 0x1486), (kernel_ulong_t)&hygon_dev_vdata[2] }, + { PCI_VDEVICE(HYGON, 0x14b8), (kernel_ulong_t)&hygon_dev_vdata[1] }, + { PCI_VDEVICE(HYGON, 0x14a6), (kernel_ulong_t)&hygon_dev_vdata[2] }, /* Last entry must be zero */ { 0, } }; -- Gitee From 49fc23c607722d4602edc9148a72099fa0d1f812 Mon Sep 17 00:00:00 2001 From: fangbaoshun Date: Thu, 22 Sep 2022 10:59:03 +0800 Subject: [PATCH 05/14] crypto: ccp: Implement CSV_HGSC_CERT_IMPORT ioctl command hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICF9T5 CVE: NA --------------------------- The CSV_HGSC_CERT_IMPORT command can be used to import hygon general secure cert to the Secure Proccessor, to enable Hygon Secure Functions, such as CSV, TPM, TPCM, TDM. Signed-off-by: fangbaoshun 
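Review bot: The new `sp_pci_table` entries in sp-pci.c index `hygon_dev_vdata` with bare `[0]`, `[1]`, `[2]`, while the array is declared in hygon/sp-dev.h as `extern const struct sp_dev_vdata hygon_dev_vdata[]` with no size, so an index past the end is neither diagnosed at compile time nor visible from the table itself. Naming the slots in hygon/sp-dev.h, for example `enum { HYGON_VDATA_CCP5A_PSPV1, HYGON_VDATA_CCP5B, HYGON_VDATA_CCP5A_PSPV2 };` (constructed names), and using them in both files would tie each PCI ID to what it enables and make a mismatch with the `/* 0 */`, `/* 1 */`, `/* 2 */` comments in hygon/sp-pci.c impossible. Device 0x14b8 is mapped to slot 1, the CCP-only entry without `psp_vdata`; that is presumably intentional but deserves a one-line comment, since the commit message describes three new device IDs for 4th generation parts.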
Signed-off-by: hanliyang Change-Id: I13b6d37378f61da84894bfebc41a15d39ad95ef7 --- drivers/crypto/ccp/Makefile | 3 +- drivers/crypto/ccp/hygon/csv-dev.c | 124 +++++++++++++++++++++++++++++ drivers/crypto/ccp/hygon/csv-dev.h | 19 +++++ drivers/crypto/ccp/hygon/psp-dev.h | 1 + drivers/crypto/ccp/sev-dev.c | 23 +++++- include/linux/psp-hygon.h | 30 +++++++ include/uapi/linux/psp-hygon.h | 30 +++++++ 7 files changed, 227 insertions(+), 3 deletions(-) create mode 100644 drivers/crypto/ccp/hygon/csv-dev.c create mode 100644 drivers/crypto/ccp/hygon/csv-dev.h diff --git a/drivers/crypto/ccp/Makefile b/drivers/crypto/ccp/Makefile index 7f920a6d4002..650d0ef69bd9 100644 --- a/drivers/crypto/ccp/Makefile +++ b/drivers/crypto/ccp/Makefile @@ -12,7 +12,8 @@ ccp-$(CONFIG_PCI) += sp-pci.o \ ccp-$(CONFIG_CRYPTO_DEV_SP_PSP) += psp-dev.o \ sev-dev.o \ tee-dev.o \ - hygon/psp-dev.o + hygon/psp-dev.o \ + hygon/csv-dev.o obj-$(CONFIG_CRYPTO_DEV_CCP_CRYPTO) += ccp-crypto.o ccp-crypto-objs := ccp-crypto-main.o \ diff --git a/drivers/crypto/ccp/hygon/csv-dev.c b/drivers/crypto/ccp/hygon/csv-dev.c new file mode 100644 index 000000000000..6e586f0e8ecd --- /dev/null +++ b/drivers/crypto/ccp/hygon/csv-dev.c 
@@ -0,0 +1,124 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * HYGON CSV interface + * + * Copyright (C) 2024 Hygon Info Technologies Ltd. + * + * Author: Liyang Han + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include +#include +#include +#include + +#include "csv-dev.h" +#include "psp-dev.h" + +int csv_cmd_buffer_len(int cmd) +{ + switch (cmd) { + case CSV_CMD_HGSC_CERT_IMPORT: return sizeof(struct csv_data_hgsc_cert_import); + default: return 0; + } +} + +static int csv_ioctl_do_hgsc_import(struct sev_issue_cmd *argp) +{ + struct csv_user_data_hgsc_cert_import input; + struct csv_data_hgsc_cert_import *data; + void *hgscsk_blob, *hgsc_blob; + int ret; + + if (copy_from_user(&input, (void __user *)argp->data, sizeof(input))) + return -EFAULT; + + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + /* copy HGSCSK certificate blobs from userspace */ + hgscsk_blob = psp_copy_user_blob(input.hgscsk_cert_address, input.hgscsk_cert_len); + if (IS_ERR(hgscsk_blob)) { + ret = PTR_ERR(hgscsk_blob); + goto e_free; + } + + data->hgscsk_cert_address = __psp_pa(hgscsk_blob); + data->hgscsk_cert_len = input.hgscsk_cert_len; + + /* copy HGSC certificate blobs from userspace */ + hgsc_blob = psp_copy_user_blob(input.hgsc_cert_address, input.hgsc_cert_len); + if (IS_ERR(hgsc_blob)) { + ret = PTR_ERR(hgsc_blob); + goto e_free_hgscsk; + } + + data->hgsc_cert_address = __psp_pa(hgsc_blob); + data->hgsc_cert_len = input.hgsc_cert_len; + + ret = hygon_psp_hooks.__sev_do_cmd_locked(CSV_CMD_HGSC_CERT_IMPORT, + data, &argp->error); + + kfree(hgsc_blob); +e_free_hgscsk: + kfree(hgscsk_blob); +e_free: + kfree(data); + return ret; +} + +static long csv_ioctl(struct file *file, unsigned int ioctl, unsigned long arg) +{ + void __user *argp = (void __user *)arg; + struct sev_issue_cmd input; + int ret = 
-EFAULT; + + if (!hygon_psp_hooks.sev_dev_hooks_installed) + return -ENODEV; + + if (!psp_master || !psp_master->sev_data) + return -ENODEV; + + if (ioctl != SEV_ISSUE_CMD) + return -EINVAL; + + if (copy_from_user(&input, argp, sizeof(struct sev_issue_cmd))) + return -EFAULT; + + if (input.cmd > CSV_MAX) + return -EINVAL; + + mutex_lock(hygon_psp_hooks.sev_cmd_mutex); + + switch (input.cmd) { + case CSV_HGSC_CERT_IMPORT: + ret = csv_ioctl_do_hgsc_import(&input); + break; + default: + /* + * If the command is compatible between CSV and SEV, the + * native implementation of the driver is invoked. + * Release the mutex before calling the native ioctl function + * because it will acquires the mutex. + */ + mutex_unlock(hygon_psp_hooks.sev_cmd_mutex); + return hygon_psp_hooks.sev_ioctl(file, ioctl, arg); + } + + if (copy_to_user(argp, &input, sizeof(struct sev_issue_cmd))) + ret = -EFAULT; + + mutex_unlock(hygon_psp_hooks.sev_cmd_mutex); + + return ret; +} + +const struct file_operations csv_fops = { + .owner = THIS_MODULE, + .unlocked_ioctl = csv_ioctl, +}; diff --git a/drivers/crypto/ccp/hygon/csv-dev.h b/drivers/crypto/ccp/hygon/csv-dev.h new file mode 100644 index 000000000000..43ca224be610 --- /dev/null +++ b/drivers/crypto/ccp/hygon/csv-dev.h @@ -0,0 +1,19 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * HYGON CSV driver interface + * + * Copyright (C) 2024 Hygon Info Technologies Ltd. + * + * Author: Liyang Han + */ + +#ifndef __CCP_HYGON_CSV_DEV_H__ +#define __CCP_HYGON_CSV_DEV_H__ + +#include + +extern const struct file_operations csv_fops; + +int csv_cmd_buffer_len(int cmd); + +#endif /* __CCP_HYGON_CSV_DEV_H__ */ diff --git a/drivers/crypto/ccp/hygon/psp-dev.h b/drivers/crypto/ccp/hygon/psp-dev.h index ae5ea387d4af..7d8d244fdeef 100644 --- a/drivers/crypto/ccp/hygon/psp-dev.h +++ b/drivers/crypto/ccp/hygon/psp-dev.h 
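Review bot: `csv_ioctl` accepts any `input.cmd` up to and including `CSV_MAX`, but `CSV_MAX` is the end marker of the uapi enum, so the bound should read `if (input.cmd >= CSV_MAX)`; the slip is harmless today only because the native `sev_ioctl` that the default case forwards to copies and validates the command from userspace again, which also means the `input` validated here is not the one the native path acts on, and the default-case comment should say so. In `csv_ioctl_do_hgsc_import` the user-supplied `hgscsk_cert_len` and `hgsc_cert_len` reach the firmware with no check beyond whatever `psp_copy_user_blob` enforces; if that helper is the intended bound (the upstream version rejects lengths above `SEV_FW_BLOB_MAX_SIZE`), a comment such as `/* blob lengths are bounded by psp_copy_user_blob */` makes the trust boundary explicit. `ret` in `csv_ioctl` is initialised to -EFAULT but every path assigns it before use, so `int ret;` suffices. Access control for this platform-level certificate import rests entirely on the permissions of the misc device node, exactly as for the native SEV ioctl; that is worth a sentence above `csv_fops`.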
@@ -25,6 +25,7 @@ extern struct hygon_psp_hooks_table { bool sev_dev_hooks_installed; struct mutex *sev_cmd_mutex; int (*__sev_do_cmd_locked)(int cmd, void *data, int *psp_ret); + long (*sev_ioctl)(struct file *file, unsigned int ioctl, unsigned long arg); } hygon_psp_hooks; #endif /* __CCP_HYGON_PSP_DEV_H__ */ diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 641ad963f301..3d567391bbd3 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -25,6 +25,7 @@ #include "sev-dev.h" #include "hygon/psp-dev.h" +#include "hygon/csv-dev.h" #define DEVICE_NAME "sev" #define SEV_FW_FILE "amd/sev.fw" @@ -95,6 +96,18 @@ static int sev_wait_cmd_ioc(struct sev_device *sev, static int sev_cmd_buffer_len(int cmd) { + /* + * The Hygon CSV command may conflict with AMD SEV command, so it's + * preferred to check whether it's a CSV-specific command for Hygon + * psp. + */ + if (is_vendor_hygon()) { + int r = csv_cmd_buffer_len(cmd); + + if (r) + return r; + } + switch (cmd) { case SEV_CMD_INIT: return sizeof(struct sev_data_init); case SEV_CMD_PLATFORM_STATUS: return sizeof(struct sev_user_data_status); @@ -920,7 +933,11 @@ static int sev_misc_init(struct sev_device *sev) misc = &misc_dev->misc; misc->minor = MISC_DYNAMIC_MINOR; misc->name = DEVICE_NAME; - misc->fops = &sev_fops; + + if (is_vendor_hygon()) + misc->fops = &csv_fops; + else + misc->fops = &sev_fops; ret = misc_register(misc); if (ret) @@ -943,6 +960,7 @@ static void sev_dev_install_hooks(void) { hygon_psp_hooks.sev_cmd_mutex = &sev_cmd_mutex; hygon_psp_hooks.__sev_do_cmd_locked = __sev_do_cmd_locked; + hygon_psp_hooks.sev_ioctl = sev_ioctl; hygon_psp_hooks.sev_dev_hooks_installed = true; } 
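Review bot: The comment added to sev_cmd_buffer_len says the Hygon CSV command "may conflict" with AMD SEV commands, which leaves the reader guessing what is being protected against; from psp-hygon.h the CSV command ids start at 0x300, and the point of consulting `csv_cmd_buffer_len` first is that a CSV id wins if a later SEV id ever lands on the same value. Suggested wording: `* CSV command ids (0x300 and up) share the numbering space with SEV; ask the CSV table first so a CSV id cannot be shadowed by a future SEV id of the same value.` The remainder of sev_cmd_buffer_len lies outside the hunk.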
@@ -1015,7 +1033,8 @@ void sev_dev_destroy(struct psp_device *psp) int sev_issue_cmd_external_user(struct file *filep, unsigned int cmd, void *data, int *error) { - if (!filep || filep->f_op != &sev_fops) + if (!filep || filep->f_op != (is_vendor_hygon() + ? &csv_fops : &sev_fops)) return -EBADF; return sev_do_cmd(cmd, data, error); diff --git a/include/linux/psp-hygon.h b/include/linux/psp-hygon.h index a313ab74b75a..845f61781bca 100644 --- a/include/linux/psp-hygon.h +++ b/include/linux/psp-hygon.h @@ -10,6 +10,36 @@ #ifndef __PSP_HYGON_H__ #define __PSP_HYGON_H__ +#include + +/*****************************************************************************/ +/***************************** CSV interface *********************************/ +/*****************************************************************************/ + +/** + * Guest/platform management commands for CSV + */ +enum csv_cmd { + CSV_CMD_HGSC_CERT_IMPORT = 0x300, + CSV_CMD_MAX, +}; + +/** + * struct csv_data_hgsc_cert_import - HGSC_CERT_IMPORT command parameters + * + * @hgscsk_cert_address: HGSCSK certificate chain + * @hgscsk_cert_len: len of HGSCSK certificate + * @hgsc_cert_address: HGSC certificate chain + * @hgsc_cert_len: len of HGSC certificate + */ +struct csv_data_hgsc_cert_import { + u64 hgscsk_cert_address; /* In */ + u32 hgscsk_cert_len; /* In */ + u32 reserved; /* In */ + u64 hgsc_cert_address; /* In */ + u32 hgsc_cert_len; /* In */ +} __packed; + #ifdef CONFIG_CRYPTO_DEV_SP_PSP #else /* !CONFIG_CRYPTO_DEV_SP_PSP */ #endif /* CONFIG_CRYPTO_DEV_SP_PSP */ diff --git a/include/uapi/linux/psp-hygon.h b/include/uapi/linux/psp-hygon.h index cd9f2d4046c8..ac63a9def5d3 100644 --- a/include/uapi/linux/psp-hygon.h +++ b/include/uapi/linux/psp-hygon.h 
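Review bot: The vendor ternary in sev_issue_cmd_external_user, `(is_vendor_hygon() ? &csv_fops : &sev_fops)`, repeats the same selection that the sev_misc_init hunk in this patch makes when it assigns `misc->fops`; two copies of the rule invite drift if a third fops table is ever added. A small `static const struct file_operations *sev_dev_fops(void)` returning the right table, used by both sites, keeps the decision in one place and lets this line become `if (!filep || filep->f_op != sev_dev_fops())`. sev_issue_cmd_external_user's body is complete in the hunk; sev_misc_init's is not.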
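Review bot: The kernel-doc block for `struct csv_data_hgsc_cert_import` in include/linux/psp-hygon.h documents four members but not `reserved`, so kernel-doc will warn and a reader does not learn whether the firmware requires it to be zero. Add `* @reserved: must be zero` to the member list; the only caller in this series obtains the structure with `kzalloc`, which satisfies that requirement. The leading comment `/** Guest/platform management commands for CSV */` is also not a valid kernel-doc header for the enum; it should start with `enum csv_cmd - `.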
@@ -11,4 +11,34 @@ #ifndef __PSP_HYGON_USER_H__ #define __PSP_HYGON_USER_H__ +#include + +/*****************************************************************************/ +/***************************** CSV interface *********************************/ +/*****************************************************************************/ + +/** + * CSV guest/platform commands + */ +enum { + CSV_HGSC_CERT_IMPORT = 201, + + CSV_MAX, +}; + +/** + * struct csv_user_data_hgsc_cert_import - HGSC_CERT_IMPORT command parameters + * + * @hgscsk_cert_address: HGSCSK certificate chain + * @hgscsk_cert_len: length of HGSCSK certificate + * @hgsc_cert_address: HGSC certificate chain + * @hgsc_cert_len: length of HGSC certificate + */ +struct csv_user_data_hgsc_cert_import { + __u64 hgscsk_cert_address; /* In */ + __u32 hgscsk_cert_len; /* In */ + __u64 hgsc_cert_address; /* In */ + __u32 hgsc_cert_len; /* In */ +} __packed; + #endif /* __PSP_HYGON_USER_H__ */ -- Gitee From b986c638eb48ef2028380dcf0b38905ecee9aae0 Mon Sep 17 00:00:00 2001 From: Xin Jiang Date: Mon, 11 Mar 2024 10:36:36 +0800 Subject: [PATCH 06/14] Documentation/arch/x86: Add HYGON secure virtualization description hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICGAK6 CVE: NA --------------------------- Add the HYGON secure virtualization document describing the secure virtualization features. Signed-off-by: Xin Jiang Signed-off-by: hanliyang Change-Id: I60ff73974d58b244a215a57be61280c86c4e5e03 --- .../arch/x86/hygon-secure-virtualization.rst | 100 ++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 Documentation/arch/x86/hygon-secure-virtualization.rst diff --git a/Documentation/arch/x86/hygon-secure-virtualization.rst b/Documentation/arch/x86/hygon-secure-virtualization.rst new file mode 100644 index 000000000000..3e709af93758 --- /dev/null +++ b/Documentation/arch/x86/hygon-secure-virtualization.rst 
@@ -0,0 +1,100 @@ +.. SPDX-License-Identifier: GPL-2.0 + +=========================== +HYGON Secure Virtualization +=========================== + +China Secure Virtualization (CSV) is a key virtualization feature on Hygon +processors. + +The 1st generation of CSV (CSV for short) is a secure virtualization technology +to provide memory encryption for the virtual machine (VM), each VM's memory is +encrypted by its unique encryption key which is managed by secure processor. + +The 2nd generation of CSV (CSV2 for short) provides security enhancement to CSV +by encrypting not only the VM's memory but also the vCPU's registers of the VM. + +The 3rd generation of CSV (CSV3 for short) is a more advanced secure +virtualization technology, it integrates secure processor, memory encryption and +memory isolation to provide the ability to protect guest's private data. The CSV3 +guest's context like CPU registers, control block and nested page table is accessed +only by the guest itself and the secure processor. Neither other guests nor the +host can tamper with the guest's context. + +The secure processor is a separate processor inside Hygon hardware. The firmware +running inside the secure processor performs activities in a secure way, such as +OVMF encryption, VM launch, secure memory management and nested page table +management etc. For more information, please see CSV spec and CSV3 spec from Hygon. + +A CSV guest is running in the memory that is encrypted with a dedicated encrypt +key which is set by the secure processor. And CSV guest's memory encrypt key is +unique from the others. A low latency crypto engine resides on Hygon hardware +to minimize the negative effect on memory bandwidth. In CSV guest, a guest private +page will be automatically decrypted when read from memory and encrypted when +written to memory. + +CSV3 provides an enhancement technology named memory isolation to improve the +security. A dedicated memory isolation hardware is built in Hygon hardware. 
Only +the secure processor has privilege to configure the isolation hardware. The VMM +allocates CMA memory and transfers them to secure processor. The secure processor +maps the memory to secure nested page table and manages them as guest's private +memory. Any memory access (read or write) to CSV3 guest's private memory outside +the guest will be blocked by isolation hardware. + +A CSV3 guest may declare some memory regions as shared to share data with the +host. When a page is set as shared, read/write on the page will bypass the +isolation hardware and the guest's shared memory can be accessed by the host. A +method named CSV3 secure call command is designed and CSV3 guest sends the secure +call command to the secure processor to change private memory to shared memory. +In the method, 2 dedicated pages are reserved at early stage of the guest. Any +read/write on the dedicated pages will trigger nested page fault. When NPF +happens, the host helps to issue an external command to the secure processor but +cannot tamper with the data in the guest's private memory. Then the secure +processor checks the fault address and handles the command if the address is +exactly the dedicated pages. + +Support for CSV can be determined through the CPUID instruction. The CPUID +function 0x8000001f reports information to CSV:: + + 0x8000001f[eax]: + Bit[1] indicates support for CSV + Bit[3] indicates support for CSV2 + Bit[30] indicates support for CSV3 + +If CSV is support, MSR 0xc0010131 can be used to determine if CSV is active:: + + 0xc0010131: + Bit[0] 0 = CSV is not active + 1 = CSV is active + Bit[1] 0 = CSV2 is not active + 1 = CSV2 is active + Bit[30] 0 = CSV3 is not active + 1 = CSV3 is active + +All CSV/CSV2's configurations must be enabled in CSV3. Linux can activate CSV3 by +default (CONFIG_HYGON_CSV=y, CONFIG_CMA=y). CSV3 guest's memory is managed by +CMA (Contiguous Memory Allocation). 
User must specify CSV3 total secure memory on +the linux kernel command line with csv_mem_size or csv_mem_percentage:: + + csv_mem_size=nn[MG] + [KNL,CSV] + Reserve specified CSV3 memory size in CMA. CSV3's memory will be + allocated from these CMAs. + For instance, csv_mem_size=40G, 40G memory is reserved for CSV3. + + csv_mem_percentage=nn + [KNL,CSV] + Reserve specified memory size which is prorated according to the + whole system memory size. CSV3 guest's memory will be allocated + from these CMAs. + For instance, csv_mem_percentage=60, means 60% system memory is + reserved for CSV3. + The maximum percentage is 80. And the default percentage is 0. + +Limitations +The reserved CSV3 memory within CMA cannot be used by kernel or any application that +may pin memory using long term gup during the application's life time. +For instance, if the whole system memory is 64G and 32G is reserved for CSV3 with +kernel command line csv_mem_percentage=50, only 32G memory is available for CSV/CSV2. +As a result, user will fail to run a CSV/CSV2 guest with memory size which exceeds +32G. -- Gitee From 425a9aafedb9615bf914381efce661ba4de9626d Mon Sep 17 00:00:00 2001 From: hanliyang Date: Fri, 14 Jul 2023 17:17:58 +0800 Subject: [PATCH 07/14] x86/mm: Provide a Kconfig entry to build the HYGON memory encryption support into the kernel hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICGAK6 CVE: NA --------------------------- Provide CONFIG_HYGON_CSV to the arch/x86/Kconfig, and build HYGON's specific memory encryption support into the kernel when CONFIG_HYGON_CSV=y. Besides, add arch/x86/include/asm/processor-hygon.h to contains helpers to determine the Hygon CPUs so that we can call functions specific to CSV in the native code and reduce code intruision. 
Signed-off-by: hanliyang --- arch/x86/Kconfig | 23 +++++++++++++++++++++++ arch/x86/include/asm/processor-hygon.h | 23 +++++++++++++++++++++++ arch/x86/mm/Makefile | 2 ++ arch/x86/mm/mem_encrypt_hygon.c | 16 ++++++++++++++++ 4 files changed, 64 insertions(+) create mode 100644 arch/x86/include/asm/processor-hygon.h create mode 100644 arch/x86/mm/mem_encrypt_hygon.c diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 908c1dad0dd2..8fb82ea927b6 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2091,6 +2091,29 @@ config SECCOMP If unsure, say Y. Only embedded should say N here. +config HYGON_CSV + bool "Hygon secure virtualization CSV support" + default y + depends on CPU_SUP_HYGON && AMD_MEM_ENCRYPT + help + Hygon CSV integrates secure processor, memory encryption and + memory isolation to provide the ability to protect guest's private + data. It has evolved from CSV, CSV2 to CSV3. + + For CSV, the guest's memory is encrypted. + + For CSV2, not only the guest's memory, but also the guest's vCPU + registers are encrypted, neither other guests nor the host can tamper + with the vCPU registers. + + For CSV3, the guest's context like vCPU registers, control block and + nested page table is accessed only by the guest itself and the secure + processor. Neither other guests nor the host can tamper with the + guest's context. + + Say Y here to enable support for the whole capbilities of Hygon secure + virtualization on hygon processor. + source "kernel/Kconfig.hz" config KEXEC diff --git a/arch/x86/include/asm/processor-hygon.h b/arch/x86/include/asm/processor-hygon.h new file mode 100644 index 000000000000..a19bda3ed005 --- /dev/null +++ b/arch/x86/include/asm/processor-hygon.h 
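Review bot: The help text of the new `HYGON_CSV` entry in arch/x86/Kconfig misspells "capabilities" as "capbilities" in its last paragraph, and "on hygon processor" should read "on Hygon processors" for consistency with the rest of the entry. Suggested last paragraph: `Say Y here to enable support for the whole capabilities of Hygon secure virtualization on Hygon processors.` The entry defaults to y whenever `CPU_SUP_HYGON && AMD_MEM_ENCRYPT` hold, which is a reasonable default but is only implied by the text; the help could state it in one sentence.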
@@ -0,0 +1,23 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * The helpers to support Hygon CPU specific code path. + * + * Copyright (C) 2024 Hygon Info Technologies Ltd. + * + * Author: Liyang Han + */ + +#ifndef _ASM_X86_PROCESSOR_HYGON_H +#define _ASM_X86_PROCESSOR_HYGON_H + +#include + +/* + * helper to determine HYGON CPU + */ +static inline bool is_x86_vendor_hygon(void) +{ + return boot_cpu_data.x86_vendor == X86_VENDOR_HYGON; +} + +#endif /* _ASM_X86_PROCESSOR_HYGON_H */ diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile index bbc68a54795e..eaa372e3a1a9 100644 --- a/arch/x86/mm/Makefile +++ b/arch/x86/mm/Makefile @@ -53,3 +53,5 @@ obj-$(CONFIG_PAGE_TABLE_ISOLATION) += pti.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_identity.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_boot.o + +obj-$(CONFIG_HYGON_CSV) += mem_encrypt_hygon.o diff --git a/arch/x86/mm/mem_encrypt_hygon.c b/arch/x86/mm/mem_encrypt_hygon.c new file mode 100644 index 000000000000..371eb977a5ec --- /dev/null +++ b/arch/x86/mm/mem_encrypt_hygon.c @@ -0,0 +1,16 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * HYGON Memory Encryption Support + * + * Copyright (C) 2024 Hygon Info Technologies Ltd. + * + * Author: Liyang Han + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#define DISABLE_BRANCH_PROFILING + +#include -- Gitee From 615630a23ff915c74d073fcc6643cc803b2715a7 Mon Sep 17 00:00:00 2001 From: hanliyang Date: Thu, 22 May 2025 15:13:01 +0800 Subject: [PATCH 08/14] x86/config: Set CONFIG_HYGON_CSV by default hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICGAK6 CVE: NA --------------------------- Configure CONFIG_HYGON_CSV=y so that Hygon Confidential Computing support will be compiled. 
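Review bot: `is_x86_vendor_hygon()` reads `boot_cpu_data.x86_vendor`, so its result is only meaningful once the boot CPU has been identified; presumably that is after early_cpu_init(), and the header comment should say so, e.g. `/* Helper to determine a HYGON CPU; valid once boot_cpu_data has been populated. */`. The `#include` line in this new header lost its target in the page rendering, so I cannot confirm that the header declaring `boot_cpu_data` and `X86_VENDOR_HYGON` is included directly rather than relied on transitively.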
Signed-off-by: hanliyang --- arch/x86/configs/tencent.config | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/configs/tencent.config b/arch/x86/configs/tencent.config index 0f0b8d23d4ab..1f92672151a9 100644 --- a/arch/x86/configs/tencent.config +++ b/arch/x86/configs/tencent.config @@ -88,6 +88,7 @@ CONFIG_X86_INTEL_MPX=y CONFIG_X86_SGX=y CONFIG_EFI=y CONFIG_EFI_STUB=y +CONFIG_HYGON_CSV=y CONFIG_HZ_1000=y CONFIG_KEXEC=y CONFIG_KEXEC_FILE=y -- Gitee From b52727cf7e5de198836e4f32dab64cb7a422ea6a Mon Sep 17 00:00:00 2001 From: hanliyang Date: Fri, 14 Jul 2023 17:17:58 +0800 Subject: [PATCH 09/14] x86/mm: Print CSV info into the kernel log hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICGAK6 CVE: NA --------------------------- Add CSV and CSV2 to the list of memory encryption features. Also print CPU vendor while printing CSV infos. Signed-off-by: hanliyang --- arch/x86/include/asm/mem_encrypt.h | 6 ++++++ arch/x86/mm/mem_encrypt.c | 7 +++++++ arch/x86/mm/mem_encrypt_hygon.c | 19 +++++++++++++++++++ 3 files changed, 32 insertions(+) diff --git a/arch/x86/include/asm/mem_encrypt.h b/arch/x86/include/asm/mem_encrypt.h index 848ce43b9040..e304388c76bd 100644 --- a/arch/x86/include/asm/mem_encrypt.h +++ b/arch/x86/include/asm/mem_encrypt.h @@ -102,6 +102,12 @@ static inline u64 sme_get_me_mask(void) return sme_me_mask; } +#ifdef CONFIG_HYGON_CSV +extern void print_hygon_cc_feature_info(void); +#else /* !CONFIG_HYGON_CSV */ +static inline void print_hygon_cc_feature_info(void) { } +#endif /* CONFIG_HYGON_CSV */ + #endif /* __ASSEMBLY__ */ #endif /* __X86_MEM_ENCRYPT_H__ */ diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c index 7b558939b89c..06e615f41bcc 100644 --- a/arch/x86/mm/mem_encrypt.c +++ b/arch/x86/mm/mem_encrypt.c 
@@ -32,6 +32,8 @@ #include "mm_internal.h" +#include + /* * Since SME related variables are set early in the boot process they must * reside in the .data section so as not to be zeroed out when the .bss @@ -416,6 +418,11 @@ void __init mem_encrypt_init(void) if (sev_active()) static_branch_enable(&sev_enable_key); + if (is_x86_vendor_hygon()) { + print_hygon_cc_feature_info(); + return; + } + pr_info("AMD %s active\n", sev_active() ? "Secure Encrypted Virtualization (SEV)" : "Secure Memory Encryption (SME)"); diff --git a/arch/x86/mm/mem_encrypt_hygon.c b/arch/x86/mm/mem_encrypt_hygon.c index 371eb977a5ec..cc5e5f2e6344 100644 --- a/arch/x86/mm/mem_encrypt_hygon.c +++ b/arch/x86/mm/mem_encrypt_hygon.c @@ -14,3 +14,22 @@ #define DISABLE_BRANCH_PROFILING #include +#include + +void print_hygon_cc_feature_info(void) +{ + pr_info("Memory Encryption Features active:"); + + /* Secure Memory Encryption */ + if (!sev_active()) { + /* + * HYGON SME is mutually exclusive with any of the + * HYGON CSV features below. + */ + pr_info(" HYGON SME"); + return; + } else { + /* Secure Encrypted Virtualization */ + pr_info(" HYGON CSV"); + } +} -- Gitee From 9eb0edc1d487f0a37d2a43d1f37d2d476e195a41 Mon Sep 17 00:00:00 2001 From: hanliyang Date: Mon, 17 Jul 2023 18:44:56 +0800 Subject: [PATCH 10/14] crypto: ccp: Print Hygon CSV API version when CSV support is detected hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICGAK6 CVE: NA --------------------------- The Cryptographic Co-Processor module will print 'SEV API' instead of 'CSV API' on Hygon CPU if CSV is supported. Fix this confused message here. Signed-off-by: hanliyang --- drivers/crypto/ccp/hygon/csv-dev.c | 20 ++++++++++++++++++++ drivers/crypto/ccp/hygon/csv-dev.h | 3 +++ drivers/crypto/ccp/sev-dev.c | 15 +++++++++++++-- 3 files changed, 36 insertions(+), 2 deletions(-) 
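Review bot: In `print_hygon_cc_feature_info()` the follow-up messages use `pr_info(" HYGON SME")` and `pr_info(" HYGON CSV")`, so each fragment becomes its own log record with its own prefix, and the opening `pr_info("Memory Encryption Features active:")` has no trailing newline; the AMD equivalent continues the line with `pr_cont`. Use `pr_cont(" HYGON SME\n");` and `pr_cont(" HYGON CSV\n");`, or fold the whole thing into a single `pr_info` with a `%s`. The `else` after `return` is redundant and can be dropped, and the `/* Secure Encrypted Virtualization */` comment on the CSV branch should name CSV rather than the AMD term.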
diff --git a/drivers/crypto/ccp/hygon/csv-dev.c b/drivers/crypto/ccp/hygon/csv-dev.c index 6e586f0e8ecd..beac1e6e2e3b 100644 --- a/drivers/crypto/ccp/hygon/csv-dev.c +++ b/drivers/crypto/ccp/hygon/csv-dev.c @@ -19,6 +19,26 @@ #include "csv-dev.h" #include "psp-dev.h" +/* + * Hygon CSV build info: + * Hygon CSV build info is 32-bit in length other than 8-bit as that + * in AMD SEV. + */ +u32 hygon_csv_build; + +/* + * csv_update_api_version used to update the api version of HYGON CSV + * firmwareat driver side. + * Currently, we only need to update @hygon_csv_build. + */ +void csv_update_api_version(struct sev_user_data_status *status) +{ + if (status) { + hygon_csv_build = (status->flags >> 9) | + ((u32)status->build << 23); + } +} + int csv_cmd_buffer_len(int cmd) { switch (cmd) { diff --git a/drivers/crypto/ccp/hygon/csv-dev.h b/drivers/crypto/ccp/hygon/csv-dev.h index 43ca224be610..677669e2371f 100644 --- a/drivers/crypto/ccp/hygon/csv-dev.h +++ b/drivers/crypto/ccp/hygon/csv-dev.h @@ -11,9 +11,12 @@ #define __CCP_HYGON_CSV_DEV_H__ #include +#include +extern u32 hygon_csv_build; extern const struct file_operations csv_fops; +void csv_update_api_version(struct sev_user_data_status *status); int csv_cmd_buffer_len(int cmd); #endif /* __CCP_HYGON_CSV_DEV_H__ */ diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 3d567391bbd3..e406820d1b19 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -457,6 +457,13 @@ static int sev_get_api_version(void) sev->build = status->build; sev->state = status->state; + /* + * The api version fields of HYGON CSV firmware are not consistent + * with AMD SEV firmware. + */ + if (is_vendor_hygon()) + csv_update_api_version(status); + return 0; } 
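Review bot: The shift constants in `csv_update_api_version()` — `status->flags >> 9` and `(u32)status->build << 23` — are undocumented, so a reader cannot tell which bits of `flags` carry the low part of the build number or why the two pieces are joined this way; either name them (for example `CSV_STATUS_FLAGS_BUILD_SHIFT`) or state the firmware field layout in the comment above the function. That comment also has a typo, `firmwareat` should be `firmware at`, and the header comment on `hygon_csv_build` reads better as `32-bit in length rather than 8-bit as in AMD SEV`.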
@@ -1092,8 +1099,12 @@ void sev_pci_init(void) return; } - dev_info(sev->dev, "SEV API:%d.%d build:%d\n", sev->api_major, - sev->api_minor, sev->build); + if (is_vendor_hygon()) + dev_info(sev->dev, "CSV API:%d.%d build:%d\n", sev->api_major, + sev->api_minor, hygon_csv_build); + else + dev_info(sev->dev, "SEV API:%d.%d build:%d\n", sev->api_major, + sev->api_minor, sev->build); return; -- Gitee From 18c7795a9051a97bb39fefc0c1aa1c795dbdd8f3 Mon Sep 17 00:00:00 2001 From: hanliyang Date: Mon, 17 Jul 2023 19:02:27 +0800 Subject: [PATCH 11/14] KVM: SVM: Print Hygon CSV support info if support is detected hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICGAK6 CVE: NA --------------------------- The KVM will print 'SEV supported' instead of 'CSV supported' on Hygon CPU if CSV is supported. Fix these confused messages here. Fix other 'SEV' messages in arch/x86/kvm/svm/svm.c. For firmware with a build ID < 1878, the CSV guest cannot run if the host kernel is not using SME. Signed-off-by: hanliyang --- arch/x86/kvm/svm/csv.h | 17 +++++++++++++++++ arch/x86/kvm/svm/svm.c | 15 +++++++++++++-- drivers/crypto/ccp/hygon/csv-dev.c | 1 + 3 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 arch/x86/kvm/svm/csv.h diff --git a/arch/x86/kvm/svm/csv.h b/arch/x86/kvm/svm/csv.h new file mode 100644 index 000000000000..9004cc71b0ef --- /dev/null +++ b/arch/x86/kvm/svm/csv.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * CSV driver for KVM + * + * HYGON CSV support + * + * Copyright (C) Hygon Info Technologies Ltd. + */ + +#ifndef __SVM_CSV_H +#define __SVM_CSV_H + +#include + +extern u32 hygon_csv_build; + +#endif /* __SVM_CSV_H */ diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 179a2301c4ce..cc9fb380b68d 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c 
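Review bot: `hygon_csv_build` is declared `u32` but is printed with `%d` in the new `dev_info(sev->dev, "CSV API:%d.%d build:%d\n", ...)`; use `%u` for the build field so a value with the top bit set is not shown as negative. The enclosing `sev_pci_init()` continues outside the hunk.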
@@ -52,6 +52,9 @@ #include #include "trace.h" +#include +#include "csv.h" + #define __ex(x) __kvm_handle_fault_on_reboot(x) MODULE_AUTHOR("Qumranet"); @@ -903,7 +906,8 @@ static int has_svm(void) } if (sev_active()) { - pr_info("KVM is unsupported when running as an SEV guest\n"); + pr_info("KVM is unsupported when running as an %s guest\n", + is_x86_vendor_hygon() ? "CSV" : "SEV"); return 0; } @@ -1241,6 +1245,13 @@ static __init int sev_hardware_setup(void) struct sev_user_data_status *status; int rc; + /* + * For firmware with a build ID < 1878, the CSV guest cannot run if the + * host kernel is not using SME. + */ + if (is_x86_vendor_hygon() && hygon_csv_build < 1878 && !sme_me_mask) + return 1; + /* Maximum number of encrypted guests supported simultaneously */ max_sev_asid = cpuid_ecx(0x8000001F); @@ -1270,7 +1281,7 @@ static __init int sev_hardware_setup(void) if (rc) goto err; - pr_info("SEV supported\n"); + pr_info("%s supported\n", is_x86_vendor_hygon() ? "CSV" : "SEV"); err: kfree(status); diff --git a/drivers/crypto/ccp/hygon/csv-dev.c b/drivers/crypto/ccp/hygon/csv-dev.c index beac1e6e2e3b..0f1a07c876b0 100644 --- a/drivers/crypto/ccp/hygon/csv-dev.c +++ b/drivers/crypto/ccp/hygon/csv-dev.c @@ -25,6 +25,7 @@ * in AMD SEV. */ u32 hygon_csv_build; +EXPORT_SYMBOL_GPL(hygon_csv_build); /* * csv_update_api_version used to update the api version of HYGON CSV -- Gitee From 3009561b43dc2ffdf942c2d9ab1e4c19938391aa Mon Sep 17 00:00:00 2001 
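Review bot: The new early exit in `sev_hardware_setup()`, `if (is_x86_vendor_hygon() && hygon_csv_build < 1878 && !sme_me_mask) return 1;`, disables CSV setup silently; add a `pr_info("CSV disabled: firmware build %u requires SME on the host\n", hygon_csv_build);` before the return so the operator can see why the feature is missing, and give 1878 a named constant. `hygon_csv_build` is populated by the ccp driver in `sev_get_api_version()` (previous patch), so if that has not run before `sev_hardware_setup()` its zero value also satisfies `< 1878` and CSV is disabled on a non-SME host; presumably the module ordering guarantees this, but a comment stating the dependency would help. The rest of `sev_hardware_setup()` lies outside the hunk.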
From: hanliyang Date: Mon, 31 Jul 2023 23:35:42 +0800 Subject: [PATCH 12/14] x86/cpu: Detect memory encryption features on Hygon CPUs hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICGAK6 CVE: NA --------------------------- Hygon SME is identified by CPUID 0x8000001f, but requires BIOS support to enable it (set bit 23 of MSR_K8_SYSCFG). Hygon CSV and CSV2 are identified by CPUID 0x8000001f, but requires BIOS support to enable it (set bit 23 of MSR_K8_SYSCFG and set bit 0 of MSR_K7_HWCR). Only show the SME, CSV, CSV2 features as available if reported by CPUID and enabled by BIOS. Signed-off-by: hanliyang --- arch/x86/kernel/cpu/hygon.c | 46 +++++++++++++++++++++++++++++++++++++ arch/x86/kernel/cpu/proc.c | 10 ++++++-- 2 files changed, 54 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/cpu/hygon.c b/arch/x86/kernel/cpu/hygon.c index a3a7482ac63a..3c6f268dbc92 100644 --- a/arch/x86/kernel/cpu/hygon.c +++ b/arch/x86/kernel/cpu/hygon.c 
@@ -267,6 +267,50 @@ static void bsp_init_hygon(struct cpuinfo_x86 *c) resctrl_cpu_detect(c); } +static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) +{ + u64 msr; + u32 eax; + + eax = cpuid_eax(0x8000001f); + + /* Check whether SME or CSV is supported */ + if (!(eax & (BIT(0) | BIT(1)))) + return; + + /* If BIOS has not enabled SME then don't advertise the SME feature. */ + rdmsrl(MSR_K8_SYSCFG, msr); + if (!(msr & MSR_K8_SYSCFG_MEM_ENCRYPT)) + goto clear_all; + + /* + * Always adjust physical address bits. Even though this will be a + * value above 32-bits this is still done for CONFIG_X86_32 so that + * accurate values are reported. + */ + c->x86_phys_bits -= (cpuid_ebx(0x8000001f) >> 6) & 0x3f; + + /* Don't advertise SME and CSV features under CONFIG_X86_32. */ + if (IS_ENABLED(CONFIG_X86_32)) + goto clear_all; + + /* + * If BIOS has not enabled CSV then don't advertise the CSV and CSV2 + * feature. + */ + rdmsrl(MSR_K7_HWCR, msr); + if (!(msr & MSR_K7_HWCR_SMMLOCK)) + goto clear_csv; + + return; + +clear_all: + setup_clear_cpu_cap(X86_FEATURE_SME); +clear_csv: + setup_clear_cpu_cap(X86_FEATURE_SEV); + setup_clear_cpu_cap(X86_FEATURE_SEV_ES); +} + static void early_init_hygon(struct cpuinfo_x86 *c) { u32 dummy; @@ -311,6 +355,8 @@ static void early_init_hygon(struct cpuinfo_x86 *c) set_cpu_cap(c, X86_FEATURE_VMMCALL); hygon_get_topology_early(c); + + early_detect_mem_encrypt(c); } static void init_hygon(struct cpuinfo_x86 *c) diff --git a/arch/x86/kernel/cpu/proc.c b/arch/x86/kernel/cpu/proc.c index cb2e49810d68..e0a01fee9264 100644 --- a/arch/x86/kernel/cpu/proc.c +++ b/arch/x86/kernel/cpu/proc.c 
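Review bot: `early_detect_mem_encrypt()` has no header comment, and the `/* Check whether SME or CSV is supported */` test on `eax & (BIT(0) | BIT(1))` does not say which bit is which; following the AMD layout of this leaf, `/* CPUID 0x8000001f EAX: bit 0 = SME, bit 1 = CSV (SEV) supported */` would make it self-explanatory. The `clear_all:` label intentionally falls into `clear_csv:` (SME disabled implies CSV disabled); a one-line comment at the label, `/* clearing SME also clears the CSV features below */`, would make that explicit.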
@@ -99,8 +99,14 @@ static int show_cpuinfo(struct seq_file *m, void *v) seq_puts(m, "flags\t\t:"); for (i = 0; i < 32*NCAPINTS; i++) - if (cpu_has(c, i) && x86_cap_flags[i] != NULL) - seq_printf(m, " %s", x86_cap_flags[i]); + if (cpu_has(c, i) && x86_cap_flags[i] != NULL) { + if (c->x86_vendor == X86_VENDOR_HYGON) + seq_printf(m, " %s", i == X86_FEATURE_SEV ? "csv" : + (i == X86_FEATURE_SEV_ES ? "csv2" : + x86_cap_flags[i])); + else + seq_printf(m, " %s", x86_cap_flags[i]); + } seq_puts(m, "\nbugs\t\t:"); for (i = 0; i < 32*NBUGINTS; i++) { -- Gitee From c66f271939dc97f62e04de25f1531458f2e2c2e5 Mon Sep 17 00:00:00 2001 From: hanliyang Date: Fri, 4 Aug 2023 03:20:47 +0800 Subject: [PATCH 13/14] x86/cpufeatures: Add CPUID_8C86_0000_EDX CPUID leaf hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICGAK6 CVE: NA --------------------------- This is a pure feature bits leaf. Add SM3 and SM4 feature bits from this leaf on Hygon CPUs. Signed-off-by: hanliyang --- arch/x86/include/asm/cpufeatures.h | 4 ++++ arch/x86/kernel/cpu/hygon.c | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index 9e87d60f1bdd..aa1ab770348b 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h 
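Review bot: The Hygon branch in `show_cpuinfo()` nests two ternaries inside a `seq_printf` argument, which is hard to read and duplicates the `seq_printf(m, " %s", ...)` call; compute the flag name once and print it in one place. If more CSV-named flags are added later the mapping belongs in a small table or helper rather than inline here.
```c
		if (cpu_has(c, i) && x86_cap_flags[i] != NULL) {
			const char *name = x86_cap_flags[i];

			if (c->x86_vendor == X86_VENDOR_HYGON) {
				if (i == X86_FEATURE_SEV)
					name = "csv";
				else if (i == X86_FEATURE_SEV_ES)
					name = "csv2";
			}
			seq_printf(m, " %s", name);
		}
```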
@@ -255,6 +255,10 @@ #define X86_FEATURE_VMCALL ( 8*32+18) /* "" Hypervisor supports the VMCALL instruction */ #define X86_FEATURE_VMW_VMMCALL ( 8*32+19) /* "" VMware prefers VMMCALL hypercall instruction */ +/* HYGON-defined CPU features, CPUID level 0x8c860000:0 (EDX), word 8 */ +#define X86_FEATURE_HYGON_SM3 (8*32+21) /* "sm3" SM3 instructions */ +#define X86_FEATURE_HYGON_SM4 (8*32+22) /* "sm4" SM4 instructions */ + /* Intel-defined CPU features, CPUID level 0x00000007:0 (EBX), word 9 */ #define X86_FEATURE_FSGSBASE ( 9*32+ 0) /* RDFSBASE, WRFSBASE, RDGSBASE, WRGSBASE instructions*/ #define X86_FEATURE_TSC_ADJUST ( 9*32+ 1) /* TSC adjustment MSR 0x3B */ diff --git a/arch/x86/kernel/cpu/hygon.c b/arch/x86/kernel/cpu/hygon.c index 3c6f268dbc92..9f70219ad741 100644 --- a/arch/x86/kernel/cpu/hygon.c +++ b/arch/x86/kernel/cpu/hygon.c @@ -267,6 +267,22 @@ static void bsp_init_hygon(struct cpuinfo_x86 *c) resctrl_cpu_detect(c); } +static void init_hygon_cap(struct cpuinfo_x86 *c) +{ + /* Test for Extended Feature Flags presence */ + if (cpuid_eax(0x8C860000) >= 0x8C860000) { + /* + * Store Extended Feature Flags of the CPU capability + * bit array + */ + if (cpuid_edx(0x8C860000) & BIT(1)) + set_cpu_cap(c, X86_FEATURE_HYGON_SM3); + + if (cpuid_edx(0x8C860000) & BIT(2)) + set_cpu_cap(c, X86_FEATURE_HYGON_SM4); + } +} + static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) { u64 msr; @@ -416,6 +432,8 @@ static void init_hygon(struct cpuinfo_x86 *c) check_null_seg_clears_base(c); + init_hygon_cap(c); + /* Hygon CPUs don't need fencing after x2APIC/TSC_DEADLINE MSR writes. */ clear_cpu_cap(c, X86_FEATURE_APIC_MSRS_FENCE); } -- Gitee From 30090cef3e969072c93872612447e5c0bb46f730 Mon Sep 17 00:00:00 2001 
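Review bot: `init_hygon_cap()` executes `cpuid_edx(0x8C860000)` twice on top of the `cpuid_eax(0x8C860000)` probe; read the register once, `u32 edx = cpuid_edx(0x8C860000);`, and test `edx & BIT(1)` / `edx & BIT(2)`. The leaf number appears three times as a bare literal; a `#define` next to the function (for example `CPUID_HYGON_EXT_FEATURES 0x8C860000`) would tie it to the leaf named in the `cpufeatures.h` comment. The `>= 0x8C860000` check presumably treats EAX of this leaf as a maximum-leaf value, as with 0x80000000; a comment saying so would spare the next reader the guess.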
From: hanliyang Date: Wed, 18 Jun 2025 13:06:57 +0000 Subject: [PATCH 14/14] x86/cpufeatures: Add CSV3 CPU feature hygon inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/ICGAK6 CVE: NA --------------------------- Add CPU feature detection for Hygon 3rd-generation CSV. This feature enhances CSV2 by also isolating NPT and VMCB, making them in-accessible to the hypervisor. Signed-off-by: hanliyang --- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/kernel/cpu/hygon.c | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h index aa1ab770348b..3e80b8928d84 100644 --- a/arch/x86/include/asm/cpufeatures.h +++ b/arch/x86/include/asm/cpufeatures.h @@ -414,6 +414,7 @@ #define X86_FEATURE_VM_PAGE_FLUSH (19*32+ 2) /* "" VM Page Flush MSR is supported */ #define X86_FEATURE_SEV_ES (19*32+ 3) /* AMD Secure Encrypted Virtualization - Encrypted State */ #define X86_FEATURE_SME_COHERENT (19*32+10) /* "" AMD hardware-enforced cache coherency */ +#define X86_FEATURE_CSV3 (19*32+30) /* HYGON 3rd-generation CSV */ /* * BUG word(s) diff --git a/arch/x86/kernel/cpu/hygon.c b/arch/x86/kernel/cpu/hygon.c index 9f70219ad741..0c97b53ec762 100644 --- a/arch/x86/kernel/cpu/hygon.c +++ b/arch/x86/kernel/cpu/hygon.c @@ -325,6 +325,7 @@ static void early_detect_mem_encrypt(struct cpuinfo_x86 *c) clear_csv: setup_clear_cpu_cap(X86_FEATURE_SEV); setup_clear_cpu_cap(X86_FEATURE_SEV_ES); + setup_clear_cpu_cap(X86_FEATURE_CSV3); } static void early_init_hygon(struct cpuinfo_x86 *c) -- Gitee
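Review bot: Clearing `X86_FEATURE_CSV3` at `clear_csv:` is consistent, but the comment above the `MSR_K7_HWCR` check earlier in the same function (outside this hunk; it currently reads "don't advertise the CSV and CSV2 feature") now also covers CSV3 and should become `If BIOS has not enabled CSV then don't advertise the CSV, CSV2 and CSV3 features.` In the `cpufeatures.h` hunk, bit 30 of the CPUID 0x8000001f EAX word is a vendor-specific assignment placed among AMD-defined bits; noting that in the comment, e.g. `/* HYGON-defined: 3rd-generation CSV */`, keeps it distinguishable from the AMD entries around it.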