Re: [Part2 PATCH v7 18/38] crypto: ccp: Implement SEV_PEK_CSR ioctl command

From: Borislav Petkov
Date: Fri Nov 03 2017 - 15:42:27 EST

Next message: Mark Brown: "[PATCH] regmap: Also protect hwspinlock in error handling path"
Previous message: Joe Perches: "Re: [RFC PATCH] scripts: checkpatch.pl: remove obsolete in_atomic rule"
In reply to: Brijesh Singh: "[Part2 PATCH v7 18/38] crypto: ccp: Implement SEV_PEK_CSR ioctl command"
Next in thread: Brijesh Singh: "Re: [Part2 PATCH v7 18/38] crypto: ccp: Implement SEV_PEK_CSR ioctl command"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Nov 01, 2017 at 04:16:03PM -0500, Brijesh Singh wrote:
> The SEV_PEK_CSR command can be used to generate a PEK certificate
> signing request. The command is defined in SEV spec section 5.7.
>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Cc: "Radim KrÄmÃÅ" <rkrcmar@xxxxxxxxxx>
> Cc: Borislav Petkov <bp@xxxxxxx>
> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Cc: Gary Hook <gary.hook@xxxxxxx>
> Cc: Tom Lendacky <thomas.lendacky@xxxxxxx>
> Cc: linux-crypto@xxxxxxxxxxxxxxx
> Cc: kvm@xxxxxxxxxxxxxxx
> Cc: linux-kernel@xxxxxxxxxxxxxxx
> Improvements-by: Borislav Petkov <bp@xxxxxxx>
> Signed-off-by: Brijesh Singh <brijesh.singh@xxxxxxx>
> Acked-by: Gary R Hook <gary.hook@xxxxxxx>
> ---
> drivers/crypto/ccp/psp-dev.c | 68 ++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 68 insertions(+)
>
> diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
> index 42991c2e9085..4e2f9d037f0a 100644
> --- a/drivers/crypto/ccp/psp-dev.c
> +++ b/drivers/crypto/ccp/psp-dev.c
> @@ -298,6 +298,71 @@ static int sev_ioctl_do_pek_pdh_gen(int cmd, struct sev_issue_cmd *argp)
> return __sev_do_cmd_locked(cmd, 0, &argp->error);
> }
>
> +static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp)
> +{
> + struct sev_user_data_pek_csr input;
> + struct sev_data_pek_csr *data;
> + void *blob = NULL;
> + int ret;
> +
> + if (copy_from_user(&input, (void __user *)argp->data, sizeof(input)))
> + return -EFAULT;
> +
> + data = kzalloc(sizeof(*data), GFP_KERNEL);
> + if (!data)
> + return -ENOMEM;
> +
> + /* userspace wants to query CSR length */
> + if (!input.address || !input.length)
> + goto cmd;
> +
> + /* allocate a physically contiguous buffer to store the CSR blob */
> + if (!access_ok(VERIFY_WRITE, input.address, input.length) ||
> + input.length > SEV_FW_BLOB_MAX_SIZE) {
> + ret = -EFAULT;
> + goto e_free;
> + }
> +
> + blob = kmalloc(input.length, GFP_KERNEL);
> + if (!blob) {
> + ret = -ENOMEM;
> + goto e_free;
> + }
> +
> + data->address = __psp_pa(blob);
> + data->len = input.length;
> +
> +cmd:
> + if (psp_master->sev_state == SEV_STATE_UNINIT) {
> + ret = __sev_platform_init_locked(psp_master->sev_init, &argp->error);

Right, you're passing psp_master->sev_init (or whatever you're going to
end up calling it) down but then in __sev_platform_init_locked() you end
up doing

if (!data)
data = &psp->cmd_buf;

which looks silly.

IOW, if not really required, __sev_platform_init_locked() could have
only one argument instead:

static int __sev_platform_init_locked(int *error)

unless some later patch needs to pass in a different command buffer. I
guess I need to keep on reviewing...

--
Regards/Gruss,
Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.

Next message: Mark Brown: "[PATCH] regmap: Also protect hwspinlock in error handling path"
Previous message: Joe Perches: "Re: [RFC PATCH] scripts: checkpatch.pl: remove obsolete in_atomic rule"
In reply to: Brijesh Singh: "[Part2 PATCH v7 18/38] crypto: ccp: Implement SEV_PEK_CSR ioctl command"
Next in thread: Brijesh Singh: "Re: [Part2 PATCH v7 18/38] crypto: ccp: Implement SEV_PEK_CSR ioctl command"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]