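/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */
/*
 * Userspace interface for AMD Secure Encrypted Virtualization (SEV)
 * platform management commands.
 *
 * Copyright (C) 2016-2017 Advanced Micro Devices, Inc.
 *
 * Author: Brijesh Singh <[email protected]>
 *
 * SEV API specification is available at: https://developer.amd.com/sev/
 */

#ifndef __PSP_SEV_USER_H__
#define __PSP_SEV_USER_H__

#include <linux/types.h>

/**
 * SEV platform commands
 *
 * Values are implicit and sequential from 0, so the order of the entries is
 * part of the interface: a new command can only be added directly before
 * SEV_MAX without renumbering the existing ones.
 */
enum {
	SEV_FACTORY_RESET = 0,
	SEV_PLATFORM_STATUS,
	SEV_PEK_GEN,
	SEV_PEK_CSR,
	SEV_PDH_GEN,
	SEV_PDH_CERT_EXPORT,
	SEV_PEK_CERT_IMPORT,
	SEV_GET_ID,	/* This command is deprecated, use SEV_GET_ID2 */
	SEV_GET_ID2,
	SNP_PLATFORM_STATUS,
	SNP_COMMIT,
	SNP_SET_CONFIG,
	SNP_VLEK_LOAD,

	SEV_MAX,
};

/**
 * SEV Firmware status code
 *
 * The named codes are not contiguous: nothing is defined here between
 * SEV_RET_SECURE_DATA_INVALID (0x18) and SEV_RET_INVALID_KEY (0x27), and
 * SEV_RET_NO_FW_CALL is negative. SEV_RET_MAX is therefore an upper bound,
 * not a count of defined codes; code that maps a status to a message must
 * handle values that have no name here.
 */
typedef enum {
	/*
	 * This error code is not in the SEV spec. Its purpose is to convey that
	 * there was an error that prevented the SEV firmware from being called.
	 * The SEV API error codes are 16 bits, so the -1 value will not overlap
	 * with possible values from the specification.
	 */
	SEV_RET_NO_FW_CALL = -1,
	SEV_RET_SUCCESS = 0,
	SEV_RET_INVALID_PLATFORM_STATE,
	SEV_RET_INVALID_GUEST_STATE,
	/*
	 * Misspelled name and its correctly spelled alias share one value;
	 * presumably the misspelling is kept so existing users still build.
	 */
	SEV_RET_INAVLID_CONFIG,
	SEV_RET_INVALID_CONFIG = SEV_RET_INAVLID_CONFIG,
	SEV_RET_INVALID_LEN,
	SEV_RET_ALREADY_OWNED,
	SEV_RET_INVALID_CERTIFICATE,
	SEV_RET_POLICY_FAILURE,
	SEV_RET_INACTIVE,
	SEV_RET_INVALID_ADDRESS,
	SEV_RET_BAD_SIGNATURE,
	SEV_RET_BAD_MEASUREMENT,
	SEV_RET_ASID_OWNED,
	SEV_RET_INVALID_ASID,
	SEV_RET_WBINVD_REQUIRED,
	SEV_RET_DFFLUSH_REQUIRED,
	SEV_RET_INVALID_GUEST,
	SEV_RET_INVALID_COMMAND,
	SEV_RET_ACTIVE,
	SEV_RET_HWSEV_RET_PLATFORM,
	SEV_RET_HWSEV_RET_UNSAFE,
	SEV_RET_UNSUPPORTED,
	SEV_RET_INVALID_PARAM,
	SEV_RET_RESOURCE_LIMIT,
	SEV_RET_SECURE_DATA_INVALID,
	SEV_RET_INVALID_KEY = 0x27,
	SEV_RET_INVALID_PAGE_SIZE,
	SEV_RET_INVALID_PAGE_STATE,
	SEV_RET_INVALID_MDATA_ENTRY,
	SEV_RET_INVALID_PAGE_OWNER,
	SEV_RET_INVALID_PAGE_AEAD_OFLOW,
	SEV_RET_RMP_INIT_REQUIRED,
	SEV_RET_MAX,
} sev_ret_code;

/**
 * struct sev_user_data_status - PLATFORM_STATUS command parameters
 *
 * @api_major: major API version
 * @api_minor: minor API version
 * @state: platform state
 * @flags: platform config flags
 * @build: firmware build id for API version
 * @guest_count: number of active guests
 */
struct sev_user_data_status {
	__u8 api_major;				/* Out */
	__u8 api_minor;				/* Out */
	__u8 state;				/* Out */
	__u32 flags;				/* Out */
	__u8 build;				/* Out */
	__u32 guest_count;			/* Out */
} __packed;

/* Bit in sev_user_data_status.flags. */
#define SEV_STATUS_FLAGS_CONFIG_ES	0x0100

/**
 * struct sev_user_data_pek_csr - PEK_CSR command parameters
 *
 * @address: PEK certificate chain
 * @length: length of certificate
 *
 * @length is In/Out: presumably the caller passes the size of the buffer at
 * @address and reads back the size used or required - confirm against the
 * driver before sizing buffers from it.
 */
struct sev_user_data_pek_csr {
	__u64 address;				/* In */
	__u32 length;				/* In/Out */
} __packed;

/**
 * struct sev_user_data_pek_cert_import - PEK_CERT_IMPORT command parameters
 *
 * @pek_cert_address: PEK certificate chain
 * @pek_cert_len: length of PEK certificate
 * @oca_cert_address: OCA certificate chain
 * @oca_cert_len: length of OCA certificate
 */
struct sev_user_data_pek_cert_import {
	__u64 pek_cert_address;			/* In */
	__u32 pek_cert_len;			/* In */
	__u64 oca_cert_address;			/* In */
	__u32 oca_cert_len;			/* In */
} __packed;

/**
 * struct sev_user_data_pdh_cert_export - PDH_CERT_EXPORT command parameters
 *
 * @pdh_cert_address: PDH certificate address
 * @pdh_cert_len: length of PDH certificate
 * @cert_chain_address: PDH certificate chain
 * @cert_chain_len: length of PDH certificate chain
 *
 * Both length members are In/Out; the same buffer-size caveat as for
 * struct sev_user_data_pek_csr presumably applies - confirm against the
 * driver.
 */
struct sev_user_data_pdh_cert_export {
	__u64 pdh_cert_address;			/* In */
	__u32 pdh_cert_len;			/* In/Out */
	__u64 cert_chain_address;		/* In */
	__u32 cert_chain_len;			/* In/Out */
} __packed;

/**
 * struct sev_user_data_get_id - GET_ID command parameters (deprecated)
 *
 * @socket1: Buffer to pass unique ID of first socket
 * @socket2: Buffer to pass unique ID of second socket
 */
struct sev_user_data_get_id {
	__u8 socket1[64];			/* Out */
	__u8 socket2[64];			/* Out */
} __packed;

/**
 * struct sev_user_data_get_id2 - GET_ID2 command parameters
 * @address: Buffer to store unique ID
 * @length: length of the unique ID
 */
struct sev_user_data_get_id2 {
	__u64 address;				/* In */
	__u32 length;				/* In/Out */
} __packed;

/**
 * struct sev_user_data_snp_status - SNP status
 *
 * @api_major: API major version
 * @api_minor: API minor version
 * @state: current platform state
 * @is_rmp_initialized: whether RMP is initialized or not
 * @rsvd: reserved
 * @build_id: firmware build id for the API version
 * @mask_chip_id: whether chip id is present in attestation reports or not
 * @mask_chip_key: whether attestation reports are signed or not
 * @vlek_en: VLEK (Version Loaded Endorsement Key) hashstick is loaded
 * @rsvd1: reserved
 * @guest_count: the number of guest currently managed by the firmware
 * @current_tcb_version: current TCB version
 * @reported_tcb_version: reported TCB version
 *
 * NOTE(review): @mask_chip_id and @mask_chip_key describe what an attestation
 * report carries (chip id, signature), so a relying party's verification
 * policy presumably depends on them - confirm against the firmware ABI.
 */
struct sev_user_data_snp_status {
	__u8 api_major;			/* Out */
	__u8 api_minor;			/* Out */
	__u8 state;			/* Out */
	__u8 is_rmp_initialized:1;	/* Out */
	__u8 rsvd:7;
	__u32 build_id;			/* Out */
	__u32 mask_chip_id:1;		/* Out */
	__u32 mask_chip_key:1;		/* Out */
	__u32 vlek_en:1;		/* Out */
	__u32 rsvd1:29;
	__u32 guest_count;		/* Out */
	__u64 current_tcb_version;	/* Out */
	__u64 reported_tcb_version;	/* Out */
} __packed;

/**
 * struct sev_user_data_snp_config - system wide configuration value for SNP.
 *
 * @reported_tcb: the TCB version to report in the guest attestation report.
 * @mask_chip_id: whether chip id is present in attestation reports or not
 * @mask_chip_key: whether attestation reports are signed or not
 * @rsvd: reserved
 * @rsvd1: reserved
 *
 * NOTE(review): every member is an input that changes what guests' attestation
 * reports contain, so callers should zero the whole structure (reserved
 * members presumably must be zero - confirm) and set each field deliberately.
 */
struct sev_user_data_snp_config {
	__u64 reported_tcb;	/* In */
	__u32 mask_chip_id:1;	/* In */
	__u32 mask_chip_key:1;	/* In */
	__u32 rsvd:30;		/* In */
	__u8 rsvd1[52];
} __packed;

/**
 * struct sev_user_data_snp_vlek_load - SNP_VLEK_LOAD structure
 *
 * @len: length of the command buffer read by the PSP
 * @vlek_wrapped_version: version of wrapped VLEK hashstick (Must be 0h)
 * @rsvd: reserved
 * @vlek_wrapped_address: address of a wrapped VLEK hashstick
 *                        (struct sev_user_data_snp_wrapped_vlek_hashstick)
 */
struct sev_user_data_snp_vlek_load {
	__u32 len;				/* In */
	__u8 vlek_wrapped_version;		/* In */
	__u8 rsvd[3];				/* In */
	__u64 vlek_wrapped_address;		/* In */
} __packed;

/**
 * struct sev_user_data_snp_wrapped_vlek_hashstick - Wrapped VLEK data
 *
 * @data: Opaque data provided by AMD KDS (as described in SEV-SNP Firmware ABI
 *        1.54, SNP_VLEK_LOAD)
 */
struct sev_user_data_snp_wrapped_vlek_hashstick {
	__u8 data[432];				/* In */
} __packed;

/**
 * struct sev_issue_cmd - SEV ioctl parameters
 *
 * @cmd: SEV commands to execute
 * @data: pointer to the command structure
 * @error: SEV FW return code on failure
 *
 * @error is unsigned while sev_ret_code has a negative member: if
 * SEV_RET_NO_FW_CALL is reported through this field it reads back as
 * 0xffffffff, so compare against (__u32)SEV_RET_NO_FW_CALL rather than -1.
 */
struct sev_issue_cmd {
	__u32 cmd;				/* In */
	__u64 data;				/* In */
	__u32 error;				/* Out */
} __packed;

#define SEV_IOC_TYPE		'S'
#define SEV_ISSUE_CMD	_IOWR(SEV_IOC_TYPE, 0x0, struct sev_issue_cmd)

#endif /* __PSP_SEV_USER_H__ */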