Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80 2024-04-27T00:38:34+00:00 2024-04-27T00:38:34+00:00 Sudan Landge sudanl@amazon.com 2024-04-17T10:40:46+00:00 urn:sha1:7b1bcd6b50a615671d4dcb0ad0378a2660a1a368 Extend the vmgenid platform driver to support devicetree bindings. With this support, hypervisors can send vmgenid notifications to the virtual machine without the need to enable ACPI. The bindings are located at: Documentation/devicetree/bindings/rng/microsoft,vmgenid.yaml Since this is no longer ACPI-dependent, remove the dependency from Kconfig and protect the ACPI code with a single ifdef. Signed-off-by: Sudan Landge <sudanl@amazon.com> Reviewed-by: Alexander Graf <graf@amazon.com> Tested-by: Babis Chalios <bchalios@amazon.es> [Jason: - Small style cleanups and refactoring. - Re-work ACPI conditionalization. ] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2023-10-20T01:11:38+00:00 Dan Williams dan.j.williams@intel.com 2023-08-13T00:21:00+00:00 urn:sha1:ec51ffcf263016111f090b9440a3c5a8338648e8 In preparation for adding another coco build target, relieve drivers/virt/Makefile of the responsibility to track new compilation unit additions to drivers/virt/coco/, and do the same for drivers/virt/Kconfig. Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> Tested-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> 2022-11-17T19:04:23+00:00 Kuppuswamy Sathyanarayanan sathyanarayanan.kuppuswamy@linux.intel.com 2022-11-16T22:38:19+00:00 urn:sha1:6c8c1406a6d6a3f2e61ac590f5c0994231bc6be7 TDX guest driver exposes IOCTL interfaces to service TDX guest user-specific requests. Currently, it is only used to allow the user to get the TDREPORT to support TDX attestation. Details about the TDX attestation process are documented in Documentation/x86/tdx.rst, and the IOCTL details are documented in Documentation/virt/coco/tdx-guest.rst. Operations like getting TDREPORT involves sending a blob of data as input and getting another blob of data as output. It was considered to use a sysfs interface for this, but it doesn't fit well into the standard sysfs model for configuring values. It would be possible to do read/write on files, but it would need multiple file descriptors, which would be somewhat messy. IOCTLs seem to be the best fitting and simplest model for this use case. The AMD sev-guest driver also uses the IOCTL interface to support attestation. [Bagas Sanjaya: Ack is for documentation portion] Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Reviewed-by: Bagas Sanjaya <bagasdotme@gmail.com> Reviewed-by: Tony Luck <tony.luck@intel.com> Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com> Acked-by: Kai Huang <kai.huang@intel.com> Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Acked-by: Wander Lairson Costa <wander@redhat.com> Link: https://lore.kernel.org/all/20221116223820.819090-3-sathyanarayanan.kuppuswamy%40linux.intel.com 2022-05-24T00:38:01+00:00 Linus Torvalds torvalds@linux-foundation.org 2022-05-24T00:38:01+00:00 urn:sha1:eb39e37d5cebdf0f63ee2a315fc23b035d81b4b0 Pull AMD SEV-SNP support from Borislav Petkov: "The third AMD confidential computing feature called Secure Nested Paging. Add to confidential guests the necessary memory integrity protection against malicious hypervisor-based attacks like data replay, memory remapping and others, thus achieving a stronger isolation from the hypervisor. At the core of the functionality is a new structure called a reverse map table (RMP) with which the guest has a say in which pages get assigned to it and gets notified when a page which it owns, gets accessed/modified under the covers so that the guest can take an appropriate action. In addition, add support for the whole machinery needed to launch a SNP guest, details of which is properly explained in each patch. And last but not least, the series refactors and improves parts of the previous SEV support so that the new code is accomodated properly and not just bolted on" * tag 'x86_sev_for_v5.19_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (60 commits) x86/entry: Fixup objtool/ibt validation x86/sev: Mark the code returning to user space as syscall gap x86/sev: Annotate stack change in the #VC handler x86/sev: Remove duplicated assignment to variable info x86/sev: Fix address space sparse warning x86/sev: Get the AP jump table address from secrets page x86/sev: Add missing __init annotations to SEV init routines virt: sevguest: Rename the sevguest dir and files to sev-guest virt: sevguest: Change driver name to reflect generic SEV support x86/boot: Put globals that are accessed early into the .data section x86/boot: Add an efi.h header for the decompressor virt: sevguest: Fix bool function returning negative value virt: sevguest: Fix return value check in alloc_shared_pages() x86/sev-es: Replace open-coded hlt-loop with sev_es_terminate() virt: sevguest: Add documentation for SEV-SNP CPUID Enforcement virt: sevguest: Add support to get extended report virt: sevguest: Add support to derive key virt: Add SEV-SNP guest driver x86/sev: Register SEV-SNP guest request platform device x86/sev: Provide support for SNP guest request NAEs ... 2022-04-27T11:29:56+00:00 Tom Lendacky thomas.lendacky@amd.com 2022-04-20T14:14:14+00:00 urn:sha1:d63670d23e60f00210635ca7c62bce27bec55f1b Rename the drivers/virt/coco/sevguest directory and files to sev-guest so as to match the driver name. [ bp: Rename Documentation/virt/coco/sevguest.rst too, as reported by sfr: https://lore.kernel.org/r/20220427101059.3bf55262@canb.auug.org.au ] Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Borislav Petkov <bp@suse.de> Link: https://lore.kernel.org/r/2f5c9cb16e3a67599c8e3170f6c72c8712c47d53.1650464054.git.thomas.lendacky@amd.com 2022-04-13T17:11:20+00:00 Dov Murik dovmurik@linux.ibm.com 2022-04-12T21:21:25+00:00 urn:sha1:cbabf03c3ef3cce74a97f140cf57611a9e8a21bc The new efi_secret module exposes the confidential computing (coco) EFI secret area via securityfs interface. When the module is loaded (and securityfs is mounted, typically under /sys/kernel/security), a "secrets/coco" directory is created in securityfs. In it, a file is created for each secret entry. The name of each such file is the GUID of the secret entry, and its content is the secret data. This allows applications running in a confidential computing setting to read secrets provided by the guest owner via a secure secret injection mechanism (such as AMD SEV's LAUNCH_SECRET command). Removing (unlinking) files in the "secrets/coco" directory will zero out the secret in memory, and remove the filesystem entry. If the module is removed and loaded again, that secret will not appear in the filesystem. Signed-off-by: Dov Murik <dovmurik@linux.ibm.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Link: https://lore.kernel.org/r/20220412212127.154182-3-dovmurik@linux.ibm.com Signed-off-by: Ard Biesheuvel <ardb@kernel.org> 2022-04-07T14:47:12+00:00 Brijesh Singh brijesh.singh@amd.com 2022-03-07T21:33:53+00:00 urn:sha1:fce96cf0443083e37455eff8f78fd240c621dae3 The SEV-SNP specification provides the guest a mechanism to communicate with the PSP without risk from a malicious hypervisor who wishes to read, alter, drop or replay the messages sent. The driver uses snp_issue_guest_request() to issue GHCB SNP_GUEST_REQUEST or SNP_EXT_GUEST_REQUEST NAE events to submit the request to PSP. The PSP requires that all communication should be encrypted using key specified through a struct snp_guest_platform_data descriptor. Userspace can use SNP_GET_REPORT ioctl() to query the guest attestation report. See SEV-SNP spec section Guest Messages for more details. [ bp: Remove the "what" from the commit message, massage. ] Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Borislav Petkov <bp@suse.de> Link: https://lore.kernel.org/r/20220307213356.2797205-44-brijesh.singh@amd.com 2022-03-13T01:00:56+00:00 Jason A. Donenfeld Jason@zx2c4.com 2022-02-23T12:46:24+00:00 urn:sha1:af6b54e2b5baa54c844573b6d49cc91157bcdd7e VM Generation ID is a feature from Microsoft, described at <https://go.microsoft.com/fwlink/?LinkId=260709>, and supported by Hyper-V and QEMU. Its usage is described in Microsoft's RNG whitepaper, <https://aka.ms/win10rng>, as: If the OS is running in a VM, there is a problem that most hypervisors can snapshot the state of the machine and later rewind the VM state to the saved state. This results in the machine running a second time with the exact same RNG state, which leads to serious security problems. To reduce the window of vulnerability, Windows 10 on a Hyper-V VM will detect when the VM state is reset, retrieve a unique (not random) value from the hypervisor, and reseed the root RNG with that unique value. This does not eliminate the vulnerability, but it greatly reduces the time during which the RNG system will produce the same outputs as it did during a previous instantiation of the same VM state. Linux has the same issue, and given that vmgenid is supported already by multiple hypervisors, we can implement more or less the same solution. So this commit wires up the vmgenid ACPI notification to the RNG's newly added add_vmfork_randomness() function. It can be used from qemu via the `-device vmgenid,guid=auto` parameter. After setting that, use `savevm` in the monitor to save the VM state, then quit QEMU, start it again, and use `loadvm`. That will trigger this driver's notify function, which hands the new UUID to the RNG. This is described in <https://git.qemu.org/?p=qemu.git;a=blob;f=docs/specs/vmgenid.txt>. And there are hooks for this in libvirt as well, described in <https://libvirt.org/formatdomain.html#general-metadata>. Note, however, that the treatment of this as a UUID is considered to be an accidental QEMU nuance, per <https://github.com/libguestfs/virt-v2v/blob/master/docs/vm-generation-id-across-hypervisors.txt>, so this driver simply treats these bytes as an opaque 128-bit binary blob, as per the spec. This doesn't really make a difference anyway, considering that's how it ends up when handed to the RNG in the end. Cc: Alexander Graf <graf@amazon.com> Cc: Adrian Catangiu <adrian@parity.io> Cc: Daniel P. Berrangé <berrange@redhat.com> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Cc: Wei Yongjun <weiyongjun1@huawei.com> Tested-by: Souradeep Chakrabarti <souradch.linux@gmail.com> # With Hyper-V's virtual hardware Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-02-09T09:58:18+00:00 Shuo Liu shuo.a.liu@intel.com 2021-02-07T03:10:27+00:00 urn:sha1:666834c47d3b41da550bbcbc709148e5fc14879c ACRN Hypervisor Service Module (HSM) is a kernel module in Service VM which communicates with ACRN userspace through ioctls and talks to ACRN Hypervisor through hypercalls. Add a basic HSM driver which allows Service VM userspace to communicate with ACRN. The following patches will add more ioctls, guest VM memory mapping caching, I/O request processing, ioeventfd and irqfd into this module. HSM exports a char device interface (/dev/acrn_hsm) to userspace. Cc: Dave Hansen <dave.hansen@intel.com> Cc: Zhi Wang <zhi.a.wang@intel.com> Cc: Zhenyu Wang <zhenyuw@linux.intel.com> Cc: Yu Wang <yu1.wang@intel.com> Cc: Reinette Chatre <reinette.chatre@intel.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: Shuo Liu <shuo.a.liu@intel.com> Link: https://lore.kernel.org/r/20210207031040.49576-6-shuo.a.liu@intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-09-22T11:58:41+00:00 Andra Paraschiv andraprs@amazon.com 2020-09-21T12:17:28+00:00 urn:sha1:07499cc661a926eb4ca19604502e3f0bda2aa4bf Add kernel config entry for Nitro Enclaves, including dependencies. Changelog v9 -> v10 * Update commit message to include the changelog before the SoB tag(s). v8 -> v9 * No changes. v7 -> v8 * No changes. v6 -> v7 * Remove, for now, the dependency on ARM64 arch. x86 is currently supported, with Arm to come afterwards. The NE kernel driver can be built for aarch64 arch. v5 -> v6 * No changes. v4 -> v5 * Add arch dependency for Arm / x86. v3 -> v4 * Add PCI and SMP dependencies. v2 -> v3 * Remove the GPL additional wording as SPDX-License-Identifier is already in place. v1 -> v2 * Update path to Kconfig to match the drivers/virt/nitro_enclaves directory. * Update help in Kconfig. Reviewed-by: Alexander Graf <graf@amazon.com> Signed-off-by: Andra Paraschiv <andraprs@amazon.com> Link: https://lore.kernel.org/r/20200921121732.44291-15-andraprs@amazon.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>