drivers/s390/char/uvdevice.c

root/drivers/s390/char/uvdevice.c
// SPDX-License-Identifier: GPL-2.0
/*
 *  Copyright IBM Corp. 2022, 2024
 *  Author(s): Steffen Eiden <seiden@linux.ibm.com>
 *
 *  This file provides a Linux misc device to give userspace access to some
 *  Ultravisor (UV) functions. The device only accepts IOCTLs and will only
 *  be present if the Ultravisor facility (158) is present.
 *
 *  When userspace sends a valid IOCTL uvdevice will copy the input data to
 *  kernel space, do some basic validity checks to avoid kernel/system
 *  corruption. Any other check that the Ultravisor does will not be done by
 *  the uvdevice to keep changes minimal when adding new functionalities
 *  to existing UV-calls.
 *  After the checks uvdevice builds a corresponding
 *  Ultravisor Call Control Block, and sends the request to the Ultravisor.
 *  Then, it copies the response, including the return codes, back to userspace.
 *  It is the responsibility of the userspace to check for any error issued
 *  by UV and to interpret the UV response. The uvdevice acts as a communication
 *  channel for userspace to the Ultravisor.
 */

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/miscdevice.h>
#include <linux/types.h>
#include <linux/stddef.h>
#include <linux/vmalloc.h>
#include <linux/slab.h>
#include <linux/cpufeature.h>

#include <asm/uvdevice.h>
#include <asm/uv.h>

#define BIT_UVIO_INTERNAL U32_MAX
/* Mapping from IOCTL-nr to UVC-bit */
static const u32 ioctl_nr_to_uvc_bit[] __initconst = {
        [UVIO_IOCTL_UVDEV_INFO_NR] = BIT_UVIO_INTERNAL,
        [UVIO_IOCTL_ATT_NR] = BIT_UVC_CMD_RETR_ATTEST,
        [UVIO_IOCTL_ADD_SECRET_NR] = BIT_UVC_CMD_ADD_SECRET,
        [UVIO_IOCTL_LIST_SECRETS_NR] = BIT_UVC_CMD_LIST_SECRETS,
        [UVIO_IOCTL_LOCK_SECRETS_NR] = BIT_UVC_CMD_LOCK_SECRETS,
        [UVIO_IOCTL_RETR_SECRET_NR] = BIT_UVC_CMD_RETR_ATTEST,
};

static_assert(ARRAY_SIZE(ioctl_nr_to_uvc_bit) == UVIO_IOCTL_NUM_IOCTLS);

static struct uvio_uvdev_info uvdev_info = {
        .supp_uvio_cmds = GENMASK_ULL(UVIO_IOCTL_NUM_IOCTLS - 1, 0),
};

static void __init set_supp_uv_cmds(unsigned long *supp_uv_cmds)
{
        int i;

        for (i = 0; i < UVIO_IOCTL_NUM_IOCTLS; i++) {
                if (ioctl_nr_to_uvc_bit[i] == BIT_UVIO_INTERNAL)
                        continue;
                if (!test_bit_inv(ioctl_nr_to_uvc_bit[i], uv_info.inst_calls_list))
                        continue;
                __set_bit(i, supp_uv_cmds);
        }
}

/**
 * uvio_uvdev_info() - Get information about the uvdevice
 *
 * @uv_ioctl: ioctl control block
 *
 * Lists all IOCTLs that are supported by this uvdevice
 *
 * Return: 0 on success or a negative error code on error
 */
static int uvio_uvdev_info(struct uvio_ioctl_cb *uv_ioctl)
{
        void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;

        if (uv_ioctl->argument_len < sizeof(uvdev_info))
                return -EINVAL;
        if (copy_to_user(user_buf_arg, &uvdev_info, sizeof(uvdev_info)))
                return -EFAULT;

        uv_ioctl->uv_rc = UVC_RC_EXECUTED;
        return 0;
}

static int uvio_build_uvcb_attest(struct uv_cb_attest *uvcb_attest, u8 *arcb,
                                  u8 *meas, u8 *add_data, struct uvio_attest *uvio_attest)
{
        void __user *user_buf_arcb = (void __user *)uvio_attest->arcb_addr;

        if (copy_from_user(arcb, user_buf_arcb, uvio_attest->arcb_len))
                return -EFAULT;

        uvcb_attest->header.len = sizeof(*uvcb_attest);
        uvcb_attest->header.cmd = UVC_CMD_RETR_ATTEST;
        uvcb_attest->arcb_addr = (u64)arcb;
        uvcb_attest->cont_token = 0;
        uvcb_attest->user_data_len = uvio_attest->user_data_len;
        memcpy(uvcb_attest->user_data, uvio_attest->user_data, sizeof(uvcb_attest->user_data));
        uvcb_attest->meas_len = uvio_attest->meas_len;
        uvcb_attest->meas_addr = (u64)meas;
        uvcb_attest->add_data_len = uvio_attest->add_data_len;
        uvcb_attest->add_data_addr = (u64)add_data;

        return 0;
}

static int uvio_copy_attest_result_to_user(struct uv_cb_attest *uvcb_attest,
                                           struct uvio_ioctl_cb *uv_ioctl,
                                           u8 *measurement, u8 *add_data,
                                           struct uvio_attest *uvio_attest)
{
        struct uvio_attest __user *user_uvio_attest = (void __user *)uv_ioctl->argument_addr;
        u32 __user *user_buf_add_len = (u32 __user *)&user_uvio_attest->add_data_len;
        void __user *user_buf_add = (void __user *)uvio_attest->add_data_addr;
        void __user *user_buf_meas = (void __user *)uvio_attest->meas_addr;
        void __user *user_buf_uid = &user_uvio_attest->config_uid;

        if (copy_to_user(user_buf_meas, measurement, uvio_attest->meas_len))
                return -EFAULT;
        if (add_data && copy_to_user(user_buf_add, add_data, uvio_attest->add_data_len))
                return -EFAULT;
        if (put_user(uvio_attest->add_data_len, user_buf_add_len))
                return -EFAULT;
        if (copy_to_user(user_buf_uid, uvcb_attest->config_uid, sizeof(uvcb_attest->config_uid)))
                return -EFAULT;
        return 0;
}

static int get_uvio_attest(struct uvio_ioctl_cb *uv_ioctl, struct uvio_attest *uvio_attest)
{
        u8 __user *user_arg_buf = (u8 __user *)uv_ioctl->argument_addr;

        if (copy_from_user(uvio_attest, user_arg_buf, sizeof(*uvio_attest)))
                return -EFAULT;

        if (uvio_attest->arcb_len > UVIO_ATT_ARCB_MAX_LEN)
                return -EINVAL;
        if (uvio_attest->arcb_len == 0)
                return -EINVAL;
        if (uvio_attest->meas_len > UVIO_ATT_MEASUREMENT_MAX_LEN)
                return -EINVAL;
        if (uvio_attest->meas_len == 0)
                return -EINVAL;
        if (uvio_attest->add_data_len > UVIO_ATT_ADDITIONAL_MAX_LEN)
                return -EINVAL;
        if (uvio_attest->reserved136)
                return -EINVAL;
        return 0;
}

/**
 * uvio_attestation() - Perform a Retrieve Attestation Measurement UVC.
 *
 * @uv_ioctl: ioctl control block
 *
 * uvio_attestation() does a Retrieve Attestation Measurement Ultravisor Call.
 * It verifies that the given userspace addresses are valid and request sizes
 * are sane. Every other check is made by the Ultravisor (UV) and won't result
 * in a negative return value. It copies the input to kernelspace, builds the
 * request, sends the UV-call, and copies the result to userspace.
 *
 * The Attestation Request has two input and two outputs.
 * ARCB and User Data are inputs for the UV generated by userspace.
 * Measurement and Additional Data are outputs for userspace generated by UV.
 *
 * The Attestation Request Control Block (ARCB) is a cryptographically verified
 * and secured request to UV and User Data is some plaintext data which is
 * going to be included in the Attestation Measurement calculation.
 *
 * Measurement is a cryptographic measurement of the callers properties,
 * optional data configured by the ARCB and the user data. If specified by the
 * ARCB, UV will add some Additional Data to the measurement calculation.
 * This Additional Data is then returned as well.
 *
 * If the Retrieve Attestation Measurement UV facility is not present,
 * UV will return invalid command rc. This won't be fenced in the driver
 * and does not result in a negative return value.
 *
 * Context: might sleep
 *
 * Return: 0 on success or a negative error code on error
 */
static int uvio_attestation(struct uvio_ioctl_cb *uv_ioctl)
{
        struct uv_cb_attest *uvcb_attest = NULL;
        struct uvio_attest *uvio_attest = NULL;
        u8 *measurement = NULL;
        u8 *add_data = NULL;
        u8 *arcb = NULL;
        int ret;

        ret = -EINVAL;
        if (uv_ioctl->argument_len != sizeof(*uvio_attest))
                goto out;

        ret = -ENOMEM;
        uvio_attest = kzalloc_obj(*uvio_attest);
        if (!uvio_attest)
                goto out;

        ret = get_uvio_attest(uv_ioctl, uvio_attest);
        if (ret)
                goto out;

        ret = -ENOMEM;
        arcb = kvzalloc(uvio_attest->arcb_len, GFP_KERNEL);
        measurement = kvzalloc(uvio_attest->meas_len, GFP_KERNEL);
        if (!arcb || !measurement)
                goto out;

        if (uvio_attest->add_data_len) {
                add_data = kvzalloc(uvio_attest->add_data_len, GFP_KERNEL);
                if (!add_data)
                        goto out;
        }

        uvcb_attest = kzalloc_obj(*uvcb_attest);
        if (!uvcb_attest)
                goto out;

        ret = uvio_build_uvcb_attest(uvcb_attest, arcb,  measurement, add_data, uvio_attest);
        if (ret)
                goto out;

        uv_call_sched(0, (u64)uvcb_attest);

        uv_ioctl->uv_rc = uvcb_attest->header.rc;
        uv_ioctl->uv_rrc = uvcb_attest->header.rrc;

        ret = uvio_copy_attest_result_to_user(uvcb_attest, uv_ioctl, measurement, add_data,
                                              uvio_attest);
out:
        kvfree(arcb);
        kvfree(measurement);
        kvfree(add_data);
        kfree(uvio_attest);
        kfree(uvcb_attest);
        return ret;
}

/**
 * uvio_add_secret() - Perform an Add Secret UVC
 *
 * @uv_ioctl: ioctl control block
 *
 * uvio_add_secret() performs the Add Secret Ultravisor Call.
 *
 * The given userspace argument address and size are verified to be
 * valid but every other check is made by the Ultravisor
 * (UV). Therefore UV errors won't result in a negative return
 * value. The request is then copied to kernelspace, the UV-call is
 * performed and the results are copied back to userspace.
 *
 * The argument has to point to an Add Secret Request Control Block
 * which is an encrypted and cryptographically verified request that
 * inserts a protected guest's secrets into the Ultravisor for later
 * use.
 *
 * If the Add Secret UV facility is not present, UV will return
 * invalid command rc. This won't be fenced in the driver and does not
 * result in a negative return value.
 *
 * Context: might sleep
 *
 * Return: 0 on success or a negative error code on error
 */
static int uvio_add_secret(struct uvio_ioctl_cb *uv_ioctl)
{
        void __user *user_buf_arg = (void __user *)uv_ioctl->argument_addr;
        struct uv_cb_guest_addr uvcb = {
                .header.len = sizeof(uvcb),
                .header.cmd = UVC_CMD_ADD_SECRET,
        };
        void *asrcb = NULL;
        int ret;

        if (uv_ioctl->argument_len > UVIO_ADD_SECRET_MAX_LEN)
                return -EINVAL;
        if (uv_ioctl->argument_len == 0)
                return -EINVAL;

        asrcb = kvzalloc(uv_ioctl->argument_len, GFP_KERNEL);
        if (!asrcb)
                return -ENOMEM;

        ret = -EFAULT;
        if (copy_from_user(asrcb, user_buf_arg, uv_ioctl->argument_len))
                goto out;

        ret = 0;
        uvcb.addr = (u64)asrcb;
        uv_call_sched(0, (u64)&uvcb);
        uv_ioctl->uv_rc = uvcb.header.rc;
        uv_ioctl->uv_rrc = uvcb.header.rrc;

out:
        kvfree(asrcb);
        return ret;
}

/*
 * Do the actual secret list creation. Calls the list secrets UVC until there
 * is no more space in the user buffer, or the list ends.
 */
static int uvio_get_list(void *zpage, struct uvio_ioctl_cb *uv_ioctl)
{
        const size_t data_off = offsetof(struct uv_secret_list, secrets);
        u8 __user *user_buf = (u8 __user *)uv_ioctl->argument_addr;
        struct uv_secret_list *list = zpage;
        u16 num_secrets_stored = 0;
        size_t user_off = data_off;
        size_t copy_len;

        do {
                uv_list_secrets(list, list->next_secret_idx, &uv_ioctl->uv_rc,
                                &uv_ioctl->uv_rrc);
                if (uv_ioctl->uv_rc != UVC_RC_EXECUTED &&
                    uv_ioctl->uv_rc != UVC_RC_MORE_DATA)
                        break;

                copy_len = sizeof(list->secrets[0]) * list->num_secr_stored;
                if (copy_to_user(user_buf + user_off, list->secrets, copy_len))
                        return -EFAULT;

                user_off += copy_len;
                num_secrets_stored += list->num_secr_stored;
        } while (uv_ioctl->uv_rc == UVC_RC_MORE_DATA &&
                 user_off + sizeof(*list) <= uv_ioctl->argument_len);

        list->num_secr_stored = num_secrets_stored;
        if (copy_to_user(user_buf, list, data_off))
                return -EFAULT;
        return 0;
}

/**
 * uvio_list_secrets() - Perform a List Secret UVC
 *
 * @uv_ioctl: ioctl control block
 *
 * uvio_list_secrets() performs the List Secret Ultravisor Call. It verifies
 * that the given userspace argument address is valid and its size is sane.
 * Every other check is made by the Ultravisor (UV) and won't result in a
 * negative return value. It builds the request, performs the UV-call, and
 * copies the result to userspace.
 *
 * The argument specifies the location for the result of the UV-Call.
 *
 * Argument length must be a multiple of a page.
 * The list secrets IOCTL will call the list UVC multiple times and fill
 * the provided user-buffer with list elements until either the list ends or
 * the buffer is full. The list header is merged over all list header from the
 * individual UVCs.
 *
 * If the List Secrets UV facility is not present, UV will return invalid
 * command rc. This won't be fenced in the driver and does not result in a
 * negative return value.
 *
 * Context: might sleep
 *
 * Return: 0 on success or a negative error code on error
 */
static int uvio_list_secrets(struct uvio_ioctl_cb *uv_ioctl)
{
        void *zpage;
        int rc;

        if (uv_ioctl->argument_len == 0 ||
            uv_ioctl->argument_len % UVIO_LIST_SECRETS_LEN != 0)
                return -EINVAL;

        zpage = (void *)get_zeroed_page(GFP_KERNEL);
        if (!zpage)
                return -ENOMEM;

        rc = uvio_get_list(zpage, uv_ioctl);

        free_page((unsigned long)zpage);
        return rc;
}

/**
 * uvio_lock_secrets() - Perform a Lock Secret Store UVC
 *
 * @ioctl: ioctl control block
 *
 * uvio_lock_secrets() performs the Lock Secret Store Ultravisor Call. It
 * performs the UV-call and copies the return codes to the ioctl control block.
 * After this call was dispatched successfully every following Add Secret UVC
 * and Lock Secrets UVC will fail with return code 0x102.
 *
 * The argument address and size must be 0.
 *
 * If the Lock Secrets UV facility is not present, UV will return invalid
 * command rc. This won't be fenced in the driver and does not result in a
 * negative return value.
 *
 * Context: might sleep
 *
 * Return: 0 on success or a negative error code on error
 */
static int uvio_lock_secrets(struct uvio_ioctl_cb *ioctl)
{
        struct uv_cb_nodata uvcb = {
                .header.len = sizeof(uvcb),
                .header.cmd = UVC_CMD_LOCK_SECRETS,
        };

        if (ioctl->argument_addr || ioctl->argument_len)
                return -EINVAL;

        uv_call(0, (u64)&uvcb);
        ioctl->uv_rc = uvcb.header.rc;
        ioctl->uv_rrc = uvcb.header.rrc;

        return 0;
}

/**
 * uvio_retr_secret() - Perform a retrieve secret UVC
 *
 * @uv_ioctl: ioctl control block.
 *
 * uvio_retr_secret() performs the Retrieve Secret Ultravisor Call.
 * The first two bytes of the argument specify the index of the secret to be
 * retrieved. The retrieved secret is copied into the argument buffer if there
 * is enough space.
 * The argument length must be at least two bytes and at max 8192 bytes.
 *
 * Context: might sleep
 *
 * Return: 0 on success or a negative error code on error
 */
static int uvio_retr_secret(struct uvio_ioctl_cb *uv_ioctl)
{
        u16 __user *user_index = (u16 __user *)uv_ioctl->argument_addr;
        struct uv_cb_retr_secr uvcb = {
                .header.len = sizeof(uvcb),
                .header.cmd = UVC_CMD_RETR_SECRET,
        };
        u32 buf_len = uv_ioctl->argument_len;
        void *buf = NULL;
        int ret;

        if (buf_len > UVIO_RETR_SECRET_MAX_LEN || buf_len < sizeof(*user_index))
                return -EINVAL;

        buf = kvzalloc(buf_len, GFP_KERNEL);
        if (!buf)
                return -ENOMEM;

        ret = -EFAULT;
        if (get_user(uvcb.secret_idx, user_index))
                goto err;

        uvcb.buf_addr = (u64)buf;
        uvcb.buf_size = buf_len;
        uv_call_sched(0, (u64)&uvcb);

        if (copy_to_user((__user void *)uv_ioctl->argument_addr, buf, buf_len))
                goto err;

        ret = 0;
        uv_ioctl->uv_rc = uvcb.header.rc;
        uv_ioctl->uv_rrc = uvcb.header.rrc;

err:
        kvfree_sensitive(buf, buf_len);
        return ret;
}

static int uvio_copy_and_check_ioctl(struct uvio_ioctl_cb *ioctl, void __user *argp,
                                     unsigned long cmd)
{
        u8 nr = _IOC_NR(cmd);

        if (_IOC_DIR(cmd) != (_IOC_READ | _IOC_WRITE))
                return -ENOIOCTLCMD;
        if (_IOC_TYPE(cmd) != UVIO_TYPE_UVC)
                return -ENOIOCTLCMD;
        if (nr >= UVIO_IOCTL_NUM_IOCTLS)
                return -ENOIOCTLCMD;
        if (_IOC_SIZE(cmd) != sizeof(*ioctl))
                return -ENOIOCTLCMD;
        if (copy_from_user(ioctl, argp, sizeof(*ioctl)))
                return -EFAULT;
        if (ioctl->flags != 0)
                return -EINVAL;
        if (memchr_inv(ioctl->reserved14, 0, sizeof(ioctl->reserved14)))
                return -EINVAL;

        return nr;
}

/*
 * IOCTL entry point for the Ultravisor device.
 */
static long uvio_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
        void __user *argp = (void __user *)arg;
        struct uvio_ioctl_cb uv_ioctl = { };
        long ret;
        int nr;

        nr = uvio_copy_and_check_ioctl(&uv_ioctl, argp, cmd);
        if (nr < 0)
                return nr;

        switch (nr) {
        case UVIO_IOCTL_UVDEV_INFO_NR:
                ret = uvio_uvdev_info(&uv_ioctl);
                break;
        case UVIO_IOCTL_ATT_NR:
                ret = uvio_attestation(&uv_ioctl);
                break;
        case UVIO_IOCTL_ADD_SECRET_NR:
                ret = uvio_add_secret(&uv_ioctl);
                break;
        case UVIO_IOCTL_LIST_SECRETS_NR:
                ret = uvio_list_secrets(&uv_ioctl);
                break;
        case UVIO_IOCTL_LOCK_SECRETS_NR:
                ret = uvio_lock_secrets(&uv_ioctl);
                break;
        case UVIO_IOCTL_RETR_SECRET_NR:
                ret = uvio_retr_secret(&uv_ioctl);
                break;
        default:
                ret = -ENOIOCTLCMD;
                break;
        }
        if (ret)
                return ret;

        if (copy_to_user(argp, &uv_ioctl, sizeof(uv_ioctl)))
                ret = -EFAULT;

        return ret;
}

static const struct file_operations uvio_dev_fops = {
        .owner = THIS_MODULE,
        .unlocked_ioctl = uvio_ioctl,
};

static struct miscdevice uvio_dev_miscdev = {
        .minor = MISC_DYNAMIC_MINOR,
        .name = UVIO_DEVICE_NAME,
        .fops = &uvio_dev_fops,
};

static void __exit uvio_dev_exit(void)
{
        misc_deregister(&uvio_dev_miscdev);
}

static int __init uvio_dev_init(void)
{
        set_supp_uv_cmds((unsigned long *)&uvdev_info.supp_uv_cmds);
        return misc_register(&uvio_dev_miscdev);
}

module_cpu_feature_match(S390_CPU_FEATURE_UV, uvio_dev_init);
module_exit(uvio_dev_exit);

MODULE_AUTHOR("IBM Corporation");
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Ultravisor UAPI driver");