From: Kuppuswamy Sathyanarayanan
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org
Cc: "H . Peter Anvin", Kuppuswamy Sathyanarayanan, "Kirill A . Shutemov", Tony Luck, Andi Kleen, Kai Huang, Wander Lairson Costa, Isaku Yamahata, marcelo.cerri@canonical.com, tim.gardner@canonical.com, khalid.elmously@canonical.com, philip.cox@canonical.com, linux-kernel@vger.kernel.org
Subject: [PATCH v8 1/5] x86/tdx: Add TDX Guest attestation interface driver
Date: Wed, 8 Jun 2022 19:52:16 -0700
Message-Id: <20220609025220.2615197-2-sathyanarayanan.kuppuswamy@linux.intel.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20220609025220.2615197-1-sathyanarayanan.kuppuswamy@linux.intel.com>
References: <20220609025220.2615197-1-sathyanarayanan.kuppuswamy@linux.intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-5.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_NONE,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In a TDX guest, attestation is used to verify the trustworthiness of a TD to other entities before provisioning secrets to the TD. One usage example is when a TD guest uses an encrypted drive and the decryption keys required to access the drive are stored in a secure third-party key server: the key server can use attestation to verify the TD's trustworthiness and release the decryption keys to the TD.

The attestation process consists of two steps: TDREPORT generation and Quote generation.

TDREPORT (TDREPORT_STRUCT) is a fixed-size data structure generated by the TDX module which contains TD-specific information (such as TD measurements), the platform security version, and the MAC to protect the integrity of the TDREPORT.
The TD kernel uses TDCALL[TDG.MR.REPORT] to get the TDREPORT from the TDX module. A user-provided 64-byte REPORTDATA is used as input and included in the TDREPORT. Typically it can be some nonce provided by the attestation service so the TDREPORT can be verified uniquely. More details about TDREPORT can be found in the Intel TDX Module specification, section titled "TDG.MR.REPORT Leaf".

TDREPORT can only be verified on the local platform as the MAC key is bound to the platform. To support remote verification of the TDREPORT, TDX leverages the Intel SGX Quote Enclave (QE) to verify the TDREPORT locally and convert it to a remotely verifiable Quote. After getting the TDREPORT, the second step of the attestation process is to send it to the QE to generate the Quote. TDX doesn't support SGX inside the TD, so the QE can be deployed in the host, or in another legacy VM with SGX support. How to send the TDREPORT to the QE and receive the Quote is implementation and deployment specific.

Implement a basic attestation driver to allow TD userspace to get the TDREPORT. The TD userspace attestation software can get the TDREPORT and then choose whatever communication channel is available (i.e. vsock) to send the TDREPORT to the QE and receive the Quote.

Also note that explicit access permissions are not enforced in this driver because the quote and measurements are not a secret. However, the access permissions of the device node can be used to set any desired access policy. The udev default is usually root access only.

Operations like getting the TDREPORT or Quote generation involve sending a blob of data as input and getting another blob of data as output. It was considered to use a sysfs interface for this, but it doesn't fit well into the standard sysfs model for configuring values. It would be possible to do read/write on files, but it would need multiple file descriptors, which would be somewhat messy. IOCTLs seem to be the best-fitting and simplest model for this use case.
Also, the REPORTDATA used in TDREPORT generation can possibly come from attestation service to uniquely verify the Quote (like per instance verification). In such case, since REPORTDATA is a secret, using sysfs to share it is insecure compared to sending it via IOCTL. Reviewed-by: Tony Luck Reviewed-by: Andi Kleen Acked-by: Kirill A. Shutemov Acked-by: Kai Huang Acked-by: Wander Lairson Costa Signed-off-by: Kuppuswamy Sathyanarayanan --- arch/x86/coco/tdx/Makefile | 2 +- arch/x86/coco/tdx/attest.c | 118 ++++++++++++++++++++++++++++++++ arch/x86/include/uapi/asm/tdx.h | 42 ++++++++++++ 3 files changed, 161 insertions(+), 1 deletion(-) create mode 100644 arch/x86/coco/tdx/attest.c create mode 100644 arch/x86/include/uapi/asm/tdx.h diff --git a/arch/x86/coco/tdx/Makefile b/arch/x86/coco/tdx/Makefile index 46c55998557d..d2db3e6770e5 100644 --- a/arch/x86/coco/tdx/Makefile +++ b/arch/x86/coco/tdx/Makefile @@ -1,3 +1,3 @@ # SPDX-License-Identifier: GPL-2.0 -obj-y += tdx.o tdcall.o +obj-y += tdx.o tdcall.o attest.o diff --git a/arch/x86/coco/tdx/attest.c b/arch/x86/coco/tdx/attest.c new file mode 100644 index 000000000000..24db0bad4923 --- /dev/null +++ b/arch/x86/coco/tdx/attest.c 
@@ -0,0 +1,118 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * attest.c - TDX guest attestation interface driver. + * + * Implements user interface to trigger attestation process. + * + * Copyright (C) 2022 Intel Corporation + * + */ + +#define pr_fmt(fmt) "x86/tdx: attest: " fmt + +#include +#include +#include +#include +#include + +#define DRIVER_NAME "tdx-attest" + +/* TDREPORT module call leaf ID */ +#define TDX_GET_REPORT 4 + +static struct miscdevice miscdev; + +static long tdx_get_report(void __user *argp) +{ + void *reportdata = NULL, *tdreport = NULL; + long ret; + + /* Allocate buffer space for REPORTDATA */ + reportdata = kmalloc(TDX_REPORTDATA_LEN, GFP_KERNEL); + if (!reportdata) + return -ENOMEM; + + /* Allocate buffer space for TDREPORT */ + tdreport = kmalloc(TDX_REPORT_LEN, GFP_KERNEL); + if (!tdreport) { + ret = -ENOMEM; + goto out; + } + + /* Copy REPORTDATA from the user buffer */ + if (copy_from_user(reportdata, argp, TDX_REPORTDATA_LEN)) { + ret = -EFAULT; + goto out; + } + + /* + * Generate TDREPORT using "TDG.MR.REPORT" TDCALL. + * + * Get the TDREPORT using REPORTDATA as input. Refer to + * section 22.3.3 TDG.MR.REPORT leaf in the TDX Module 1.0 + * Specification for detailed information. 
+ */ + ret = __tdx_module_call(TDX_GET_REPORT, virt_to_phys(tdreport), + virt_to_phys(reportdata), 0, 0, NULL); + if (ret) { + pr_debug("TDREPORT TDCALL failed, status:%lx\n", ret); + ret = -EIO; + goto out; + } + + /* Copy TDREPORT back to the user buffer */ + if (copy_to_user(argp, tdreport, TDX_REPORT_LEN)) + ret = -EFAULT; + +out: + kfree(reportdata); + kfree(tdreport); + return ret; +} + +static long tdx_attest_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) +{ + void __user *argp = (void __user *)arg; + long ret = -EINVAL; + + switch (cmd) { + case TDX_CMD_GET_REPORT: + ret = tdx_get_report(argp); + break; + default: + pr_debug("cmd %d not supported\n", cmd); + break; + } + + return ret; +} + +static const struct file_operations tdx_attest_fops = { + .owner = THIS_MODULE, + .unlocked_ioctl = tdx_attest_ioctl, + .llseek = no_llseek, +}; + +static int __init tdx_attestation_init(void) +{ + int ret; + + /* Make sure we are in a valid TDX platform */ + if (!cpu_feature_enabled(X86_FEATURE_TDX_GUEST)) + return -EIO; + + miscdev.name = DRIVER_NAME; + miscdev.minor = MISC_DYNAMIC_MINOR; + miscdev.fops = &tdx_attest_fops; + + ret = misc_register(&miscdev); + if (ret) { + pr_err("misc device registration failed\n"); + return ret; + } + + return 0; +} +device_initcall(tdx_attestation_init) diff --git a/arch/x86/include/uapi/asm/tdx.h b/arch/x86/include/uapi/asm/tdx.h new file mode 100644 index 000000000000..8b57dea67eab --- /dev/null +++ b/arch/x86/include/uapi/asm/tdx.h 
@@ -0,0 +1,42 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +#ifndef _UAPI_ASM_X86_TDX_H +#define _UAPI_ASM_X86_TDX_H + +#include +#include + +/* Length of the REPORTDATA used in TDG.MR.REPORT TDCALL */ +#define TDX_REPORTDATA_LEN 64 + +/* Length of TDREPORT used in TDG.MR.REPORT TDCALL */ +#define TDX_REPORT_LEN 1024 + +/** + * struct tdx_report_req: Get TDREPORT using REPORTDATA as input. + * + * @reportdata : User-defined 64-Byte REPORTDATA to be included into + * TDREPORT. Typically it can be some nonce provided by + * attestation service, so the generated TDREPORT can be + * uniquely verified. + * @tdreport : TDREPORT output from TDCALL[TDG.MR.REPORT] of size + * TDX_REPORT_LEN. + * + * Used in TDX_CMD_GET_REPORT IOCTL request. + */ +struct tdx_report_req { + union { + __u8 reportdata[TDX_REPORTDATA_LEN]; + __u8 tdreport[TDX_REPORT_LEN]; + }; +}; + +/* + * TDX_CMD_GET_REPORT - Get TDREPORT using TDCALL[TDG.MR.REPORT] + * + * Return 0 on success, -EIO on TDCALL execution failure, and + * standard errno on other general error cases. + * + */ +#define TDX_CMD_GET_REPORT _IOWR('T', 0x01, struct tdx_report_req) + +#endif /* _UAPI_ASM_X86_TDX_H */ -- 2.25.1
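Review bot: In the attest.c hunk, the `default:` branch of tdx_attest_ioctl() returns -EINVAL for an unrecognised command number; the convention for ioctl handlers is -ENOTTY, so userspace can distinguish "this device does not implement that command" from "bad argument to a command it does implement". The same branch formats `cmd` (an `unsigned int`) with `%d`; `%x` is the usual choice for ioctl numbers. Two smaller points in the same hunk: `miscdev` can be initialised at its definition (`.name = DRIVER_NAME, .minor = MISC_DYNAMIC_MINOR, .fops = &tdx_attest_fops`) rather than filled in inside tdx_attestation_init(), and `device_initcall(tdx_attestation_init)` is conventionally written with a trailing semicolon.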
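Review bot: The kernel-doc for struct tdx_report_req in the tdx.h hunk should say that @reportdata and @tdreport are members of a union, so on return the caller's 64-byte REPORTDATA has been overwritten in place by the 1024-byte TDREPORT and cannot be re-read from the request; userspace that later needs to match the report against its nonce must keep its own copy. The driver side also relies on the union being exactly TDX_REPORT_LEN bytes (copy_to_user() in tdx_get_report() writes that many bytes to argp), which a `BUILD_BUG_ON(sizeof(struct tdx_report_req) != TDX_REPORT_LEN)` in attest.c, or one sentence here, would make explicit.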