Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp2536293iob; Sat, 30 Apr 2022 11:14:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz9n7fwEVFCVLCo+oOo6wwB/i2XGpcB5AIONWErqI1H6v/mSUlA3CbgJGQ8SWiaQ8MrLQft X-Received: by 2002:a19:6b19:0:b0:471:f39c:7d1d with SMTP id d25-20020a196b19000000b00471f39c7d1dmr3708637lfa.443.1651342469733; Sat, 30 Apr 2022 11:14:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651342469; cv=none; d=google.com; s=arc-20160816; b=B/JisRs48v3GJBr+1grJolPlnJmsg6KM4egDjFQJkJQ2x3Qg+QHaA1hOf6NbWACild 7bZRAZILenhdtdAgvK4bngrxOl0VSS5mrJ3SjjzTaBBzoEZv5e9xsgjMrevT0BVLe/R9 qszdHVeeQqumDYMPXsUyYhk3dM797GZ0apgW89DkXkWzw3cWepw9R144UHhKZa8ZHD7+ /AU6h6LQ26rb6nR97UjRO+zejdtc7G/5IY87GPCBpe34lGxuhLVIvede1qY5XOv3ePeS M67N7g+r91BES5iv/dgI64dr1Q/EK+gjYZRHYeiuaQVShIAhlrHVbOr3TfyJl1CcZ5EO i0Yw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=M27HOorOXTqPFr4cSwIwRJ6Ow2eW6/Q6ecTtNZzv/Ww=; b=lWa7gTqY4m4OBGsdGhzyvyE/OIPytFsSNUqBX8Ow2PpecDqRT2N9YGbjSRha18pZ0w qWb2CR8VDbCO0DMVCK2nc318A75lo/C5NSZhcRwABPbJSq1ZrslPUlyKWvS4LAuPWatE zfY3zVH6bpAwDWtS/vsf8j5WmF+ghho8eRxUUW1uHTdb1EgZ6J9KMdENfJudlMb9tOa4 nmsbh7AvUrognAWb0VpUWPaaNzxNUx6T8aV1MTNUOJlpf8jW8BVngXCWU/jGg8fFIj+r lSNU3sVEWMvQoM6G7g9uqBBOh1aKWU50SMregy6HNMQsHKlx2FSHH7jtm1SwXI4FVsYm FklQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=BVYYKOaT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f8-20020a05651232c800b0046bb3be6878si12138998lfg.101.2022.04.30.11.13.22; Sat, 30 Apr 2022 11:14:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=BVYYKOaT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350786AbiD1SPT (ORCPT + 99 others); Thu, 28 Apr 2022 14:15:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350785AbiD1SPR (ORCPT ); Thu, 28 Apr 2022 14:15:17 -0400 Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90A69B8205 for ; Thu, 28 Apr 2022 11:11:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1651169519; x=1682705519; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=YN8ESn/HRWKtJH/jwZ9GPFxcpNmP9Vxhgsndj/11SCA=; b=BVYYKOaTADyQ/u2r2YcOlrdcFQqSxKCtQqzMyLBQDysawszSbSw34lwu 1HGz7ARP2MGMmyZzjdGsC34BS4iJLkq9ZMZsoFov+fg9sJZP2g9TWsaem Dp8VtuYAbP88ARdpmrVUGioEqSodyw6pV8NlljJ2BUUzebr+JPjah8nlA LVMves9Zhu0ap3H48GAq/u5BIfqHvjZUYvly8rkVMptwBFtH4G7a4KpvA 0aqL2jN3dUcPWta8YmbPErxoezL50PpgYfr2jiXjX2PKAx7Ezfl4kYo5U Zglq0z3hxZIA8brOBCYOImh/Y14u3fqnSUltfVRsBXHNuntiL53DcOyzP w==; X-IronPort-AV: E=McAfee;i="6400,9594,10331"; a="246931487" X-IronPort-AV: E=Sophos;i="5.91,296,1647327600"; d="scan'208";a="246931487" Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Apr 2022 11:11:59 -0700 X-IronPort-AV: E=Sophos;i="5.91,296,1647327600"; d="scan'208";a="661915488" Received: from rbopardi-mobl.amr.corp.intel.com (HELO [10.251.19.231]) ([10.251.19.231]) by fmsmga002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Apr 2022 11:11:58 -0700 Message-ID: <1f2ec95a-f7ac-5a89-09bc-2c5a7fdc2f3c@linux.intel.com> Date: Thu, 28 Apr 2022 11:11:57 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Thunderbird/91.7.0 Subject: Re: [PATCH v4 3/3] x86/tdx: Add Quote generation support Content-Language: en-US To: Wander Lairson Costa Cc: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H . Peter Anvin" , "Kirill A . Shutemov" , Tony Luck , Andi Kleen , Kai Huang , linux-kernel@vger.kernel.org References: <20220422233418.1203092-1-sathyanarayanan.kuppuswamy@linux.intel.com> <20220422233418.1203092-4-sathyanarayanan.kuppuswamy@linux.intel.com> From: Sathyanarayanan Kuppuswamy In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.9 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/28/22 10:58 AM, Wander Lairson Costa wrote: > On Fri, Apr 22, 2022 at 04:34:18PM -0700, Kuppuswamy Sathyanarayanan wrote: > > [snip] > >> +static long tdx_get_tdquote(void __user *argp) >> +{ >> + struct tdx_quote_hdr *quote_hdr; >> + struct tdx_quote_req quote_req; >> + void *quote_buf = NULL; >> + dma_addr_t handle; >> + long ret = 0, err; >> + u64 quote_buf_len; >> + >> + mutex_lock("e_lock); >> + >> + reinit_completion(&req_compl); >> + >> + /* Copy Quote request struct from user buffer */ >> + if (copy_from_user("e_req, argp, sizeof(struct tdx_quote_req))) >> + return -EFAULT; >> + >> + /* Make sure the length & timeout is valid */ >> + if (quote_req.len <= 0 || quote_req.timeout <= 0) > > len and timeout are unsigned values, so they will never be negative. Yes. I will change it to non-zero check. > >> + return -EINVAL; >> + >> + /* Align with page size to meet 4K alignment */ >> + quote_buf_len = PAGE_ALIGN(quote_req.len); >> + >> + /* >> + * Allocate DMA buffer to get TDQUOTE data from the VMM. >> + * dma_alloc_coherent() API internally marks allocated >> + * memory as shared with VMM. So explicit shared mapping is >> + * not required. >> + */ >> + quote_buf = dma_alloc_coherent(&pdev->dev, quote_buf_len, &handle, >> + GFP_KERNEL | __GFP_ZERO); >> + if (!quote_buf) { >> + ret = -ENOMEM; >> + goto quote_failed; >> + } >> + >> + /* Copy TDREPORT from user Quote data buffer to kernel Quote buffer */ >> + if (copy_from_user(quote_buf, (void __user *)quote_req.buf, quote_req.len)) { >> + ret = -EFAULT; >> + goto quote_failed; >> + } >> + >> + /* Submit GetQuote Request */ >> + err = tdx_hcall_get_quote(quote_buf, quote_buf_len); >> + if (err) { >> + /* if failed, copy hypercall error code to user buffer */ >> + ret = put_user(err, (long __user *)argp); > > The assigment to ret is unused. Since we are already in error path and setting ret to -EIO I did not handle the pur_user() error case. > >> + ret = -EIO; >> + goto quote_failed; >> + } >> + >> + /* Wait for attestation completion */ >> + ret = wait_for_completion_interruptible_timeout( >> + &req_compl, >> + msecs_to_jiffies(quote_req.timeout)); >> + if (ret <= 0) { >> + ret = -EIO; >> + goto quote_failed; >> + } >> + >> + /* Copy generated Quote data back to user buffer */ >> + if (copy_to_user((void __user *)quote_req.buf, quote_buf, quote_buf_len)) { > > Shouldn't we use quote_req.len instead of quote_buf_len here? Good catch. I will fix it in next version. > >> + ret = -EFAULT; >> + goto quote_failed; >> + } >> + >> + quote_hdr = (struct tdx_quote_hdr *)quote_buf; >> + >> + /* Make sure quote generation is successful */ >> + if (!quote_hdr->status) >> + ret = 0; >> + else >> + ret = -EIO; >> + > > Shouldn't copy_to_user be called after checking the status? IMO, since GetQuote TDVMCALL is successful, we can copy the buffer back to the user. My idea is to let the attestation agent handle the error in GetQuote header (like IN_FLIGHT scenario). Maybe I should remove quote_hdr->status check in kernel and let user agent handle it. Isaku/Kai, any comments? > >> +quote_failed: >> + if (quote_buf) >> + dma_free_coherent(&pdev->dev, quote_buf_len, quote_buf, handle); >> + >> + mutex_unlock("e_lock); >> + >> + return ret; >> +} >> + >> +static void attestation_callback_handler(void) >> +{ >> + complete(&req_compl); >> +} >> + >> static long tdx_attest_ioctl(struct file *file, unsigned int cmd, >> unsigned long arg) >> { >> @@ -89,6 +183,9 @@ static long tdx_attest_ioctl(struct file *file, unsigned int cmd, >> case TDX_CMD_GET_TDREPORT: >> ret = tdx_get_tdreport(argp); >> break; >> + case TDX_CMD_GEN_QUOTE: >> + ret = tdx_get_tdquote(argp); >> + break; >> default: >> pr_err("cmd %d not supported\n", cmd); >> break; >> @@ -103,6 +200,14 @@ static const struct file_operations tdx_attest_fops = { >> .llseek = no_llseek, >> }; >> >> +/* Helper function to cleanup attestation related allocations */ >> +static void _tdx_attest_remove(void) >> +{ >> + misc_deregister(&miscdev); > > Won't misc_deregister be called even if misc_register fails? Yes. I will fix this in next version. > >> + >> + tdx_remove_ev_notify_handler(); >> +} >> + > -- Sathyanarayanan Kuppuswamy Linux Kernel Developer