uv.c source code [linux/arch/s390/kernel/uv.c]

1	// SPDX-License-Identifier: GPL-2.0
2	/*
3	* Common Ultravisor functions and initialization
4	*
5	* Copyright IBM Corp. 2019, 2024
6	*/
7	#define pr_fmt(fmt) "prot_virt: " fmt
8
9	#include <linux/export.h>
10	#include <linux/kernel.h>
11	#include <linux/types.h>
12	#include <linux/sizes.h>
13	#include <linux/bitmap.h>
14	#include <linux/memblock.h>
15	#include <linux/pagemap.h>
16	#include <linux/swap.h>
17	#include <linux/pagewalk.h>
18	#include <linux/backing-dev.h>
19	#include <asm/facility.h>
20	#include <asm/sections.h>
21	#include <asm/uv.h>
22
23	/ the bootdata_preserved fields come from ones in arch/s390/boot/uv.c /
24	int __bootdata_preserved(prot_virt_guest);
25	EXPORT_SYMBOL(prot_virt_guest);
26
27	/*
28	* uv_info contains both host and guest information but it's currently only
29	* expected to be used within modules if it's the KVM module or for
30	* any PV guest module.
31	*
32	* The kernel itself will write these values once in uv_query_info()
33	* and then make some of them readable via a sysfs interface.
34	*/
35	struct uv_info __bootdata_preserved(uv_info);
36	EXPORT_SYMBOL(uv_info);
37
38	int __bootdata_preserved(prot_virt_host);
39	EXPORT_SYMBOL(prot_virt_host);
40
41	static int __init uv_init(phys_addr_t stor_base, unsigned long stor_len)
42	{
43	struct uv_cb_init uvcb = {
44	.header.cmd = UVC_CMD_INIT_UV,
45	.header.len = sizeof(uvcb),
46	.stor_origin = stor_base,
47	.stor_len = stor_len,
48	};
49
50	if (uv_call(`0`, (uint64_t)&uvcb)) {
51	pr_err("Ultravisor init failed with rc: 0x%x rrc: 0%x\n",
52	uvcb.header.rc, uvcb.header.rrc);
53	return -`1`;
54	}
55	return `0`;
56	}
57
58	void __init setup_uv(void)
59	{
60	void *uv_stor_base;
61
62	if (!is_prot_virt_host())
63	return;
64
65	uv_stor_base = memblock_alloc_try_nid(
66	size: uv_info.uv_base_stor_len, SZ_1M, SZ_2G,
67	MEMBLOCK_ALLOC_ACCESSIBLE, NUMA_NO_NODE);
68	if (!uv_stor_base) {
69	pr_warn("Failed to reserve %lu bytes for ultravisor base storage\n",
70	uv_info.uv_base_stor_len);
71	goto fail;
72	}
73
74	if (uv_init(__pa(uv_stor_base), stor_len: uv_info.uv_base_stor_len)) {
75	memblock_free(ptr: uv_stor_base, size: uv_info.uv_base_stor_len);
76	goto fail;
77	}
78
79	pr_info("Reserving %luMB as ultravisor base storage\n",
80	uv_info.uv_base_stor_len >> `20`);
81	return;
82	fail:
83	pr_info("Disabling support for protected virtualization");
84	prot_virt_host = `0`;
85	}
86
87	/*
88	* Requests the Ultravisor to pin the page in the shared state. This will
89	* cause an intercept when the guest attempts to unshare the pinned page.
90	*/
91	int uv_pin_shared(unsigned long paddr)
92	{
93	struct uv_cb_cfs uvcb = {
94	.header.cmd = UVC_CMD_PIN_PAGE_SHARED,
95	.header.len = sizeof(uvcb),
96	.paddr = paddr,
97	};
98
99	if (uv_call(`0`, (u64)&uvcb))
100	return -EINVAL;
101	return `0`;
102	}
103	EXPORT_SYMBOL_GPL(uv_pin_shared);
104
105	/*
106	* Requests the Ultravisor to destroy a guest page and make it
107	* accessible to the host. The destroy clears the page instead of
108	* exporting.
109	*
110	* @paddr: Absolute host address of page to be destroyed
111	*/
112	static int uv_destroy(unsigned long paddr)
113	{
114	struct uv_cb_cfs uvcb = {
115	.header.cmd = UVC_CMD_DESTR_SEC_STOR,
116	.header.len = sizeof(uvcb),
117	.paddr = paddr
118	};
119
120	if (uv_call(`0`, (u64)&uvcb)) {
121	/*
122	* Older firmware uses 107/d as an indication of a non secure
123	* page. Let us emulate the newer variant (no-op).
124	*/
125	if (uvcb.header.rc == `0x107` && uvcb.header.rrc == `0xd`)
126	return `0`;
127	return -EINVAL;
128	}
129	return `0`;
130	}
131
132	/*
133	* The caller must already hold a reference to the folio
134	*/
135	int uv_destroy_folio(struct folio *folio)
136	{
137	int rc;
138
139	/ Large folios cannot be secure /
140	if (unlikely(folio_test_large(folio)))
141	return `0`;
142
143	folio_get(folio);
144	rc = uv_destroy(paddr: folio_to_phys(folio));
145	if (!rc)
146	clear_bit(nr: PG_arch_1, addr: &folio->flags.f);
147	folio_put(folio);
148	return rc;
149	}
150	EXPORT_SYMBOL(uv_destroy_folio);
151
152	/*
153	* The present PTE still indirectly holds a folio reference through the mapping.
154	*/
155	int uv_destroy_pte(pte_t pte)
156	{
157	VM_WARN_ON(!pte_present(pte));
158	return uv_destroy_folio(pfn_folio(pfn: pte_pfn(pte)));
159	}
160
161	/*
162	* Requests the Ultravisor to encrypt a guest page and make it
163	* accessible to the host for paging (export).
164	*
165	* @paddr: Absolute host address of page to be exported
166	*/
167	int uv_convert_from_secure(unsigned long paddr)
168	{
169	struct uv_cb_cfs uvcb = {
170	.header.cmd = UVC_CMD_CONV_FROM_SEC_STOR,
171	.header.len = sizeof(uvcb),
172	.paddr = paddr
173	};
174
175	if (uv_call(`0`, (u64)&uvcb))
176	return -EINVAL;
177	return `0`;
178	}
179	EXPORT_SYMBOL_GPL(uv_convert_from_secure);
180
181	/*
182	* The caller must already hold a reference to the folio.
183	*/
184	int uv_convert_from_secure_folio(struct folio *folio)
185	{
186	int rc;
187
188	/ Large folios cannot be secure /
189	if (unlikely(folio_test_large(folio)))
190	return `0`;
191
192	folio_get(folio);
193	rc = uv_convert_from_secure(folio_to_phys(folio));
194	if (!rc)
195	clear_bit(nr: PG_arch_1, addr: &folio->flags.f);
196	folio_put(folio);
197	return rc;
198	}
199	EXPORT_SYMBOL_GPL(uv_convert_from_secure_folio);
200
201	/*
202	* The present PTE still indirectly holds a folio reference through the mapping.
203	*/
204	int uv_convert_from_secure_pte(pte_t pte)
205	{
206	VM_WARN_ON(!pte_present(pte));
207	return uv_convert_from_secure_folio(pfn_folio(pfn: pte_pfn(pte)));
208	}
209
210	/**
211	* should_export_before_import - Determine whether an export is needed
212	* before an import-like operation
213	* @uvcb: the Ultravisor control block of the UVC to be performed
214	* @mm: the mm of the process
215	*
216	* Returns whether an export is needed before every import-like operation.
217	* This is needed for shared pages, which don't trigger a secure storage
218	* exception when accessed from a different guest.
219	*
220	* Although considered as one, the Unpin Page UVC is not an actual import,
221	* so it is not affected.
222	*
223	* No export is needed also when there is only one protected VM, because the
224	* page cannot belong to the wrong VM in that case (there is no "other VM"
225	* it can belong to).
226	*
227	* Return: true if an export is needed before every import, otherwise false.
228	*/
229	static bool should_export_before_import(struct uv_cb_header uvcb, struct* mm_struct *mm)
230	{
231	/*
232	* The misc feature indicates, among other things, that importing a
233	* shared page from a different protected VM will automatically also
234	* transfer its ownership.
235	*/
236	if (uv_has_feature(BIT_UV_FEAT_MISC))
237	return false;
238	if (uvcb->cmd == UVC_CMD_UNPIN_PAGE_SHARED)
239	return false;
240	return atomic_read(v: &mm->context.protected_count) > `1`;
241	}
242
243	/*
244	* Calculate the expected ref_count for a folio that would otherwise have no
245	* further pins. This was cribbed from similar functions in other places in
246	* the kernel, but with some slight modifications. We know that a secure
247	* folio can not be a large folio, for example.
248	*/
249	static int expected_folio_refs(struct folio *folio)
250	{
251	int res;
252
253	res = folio_mapcount(folio);
254	if (folio_test_swapcache(folio)) {
255	res++;
256	} else if (folio_mapping(folio)) {
257	res++;
258	if (folio->private)
259	res++;
260	}
261	return res;
262	}
263
264	/**
265	* __make_folio_secure() - make a folio secure
266	* @folio: the folio to make secure
267	* @uvcb: the uvcb that describes the UVC to be used
268	*
269	* The folio @folio will be made secure if possible, @uvcb will be passed
270	* as-is to the UVC.
271	*
272	* Return: 0 on success;
273	* -EBUSY if the folio is in writeback or has too many references;
274	* -EAGAIN if the UVC needs to be attempted again;
275	* -ENXIO if the address is not mapped;
276	* -EINVAL if the UVC failed for other reasons.
277	*
278	* Context: The caller must hold exactly one extra reference on the folio
279	* (it's the same logic as split_folio()), and the folio must be
280	* locked.
281	*/
282	static int __make_folio_secure(struct folio folio, struct* uv_cb_header *uvcb)
283	{
284	int expected, cc = `0`;
285
286	if (folio_test_writeback(folio))
287	return -EBUSY;
288	expected = expected_folio_refs(folio) + `1`;
289	if (!folio_ref_freeze(folio, count: expected))
290	return -EBUSY;
291	set_bit(nr: PG_arch_1, addr: &folio->flags.f);
292	/*
293	* If the UVC does not succeed or fail immediately, we don't want to
294	* loop for long, or we might get stall notifications.
295	* On the other hand, this is a complex scenario and we are holding a lot of
296	* locks, so we can't easily sleep and reschedule. We try only once,
297	* and if the UVC returned busy or partial completion, we return
298	* -EAGAIN and we let the callers deal with it.
299	*/
300	cc = __uv_call(`0`, (u64)uvcb);
301	folio_ref_unfreeze(folio, count: expected);
302	/*
303	* Return -ENXIO if the folio was not mapped, -EINVAL for other errors.
304	* If busy or partially completed, return -EAGAIN.
305	*/
306	if (cc == UVC_CC_OK)
307	return `0`;
308	else if (cc == UVC_CC_BUSY \|\| cc == UVC_CC_PARTIAL)
309	return -EAGAIN;
310	return uvcb->rc == `0x10a` ? -ENXIO : -EINVAL;
311	}
312
313	static int make_folio_secure(struct mm_struct mm, struct* folio folio, struct* uv_cb_header *uvcb)
314	{
315	int rc;
316
317	if (!folio_trylock(folio))
318	return -EAGAIN;
319	if (should_export_before_import(uvcb, mm))
320	uv_convert_from_secure(folio_to_phys(folio));
321	rc = __make_folio_secure(folio, uvcb);
322	folio_unlock(folio);
323
324	return rc;
325	}
326
327	/**
328	* s390_wiggle_split_folio() - try to drain extra references to a folio and
329	* split the folio if it is large.
330	* @mm: the mm containing the folio to work on
331	* @folio: the folio
332	*
333	* Context: Must be called while holding an extra reference to the folio;
334	* the mm lock should not be held.
335	* Return: 0 if the operation was successful;
336	* -EAGAIN if splitting the large folio was not successful,
337	* but another attempt can be made;
338	* -EINVAL in case of other folio splitting errors. See split_folio().
339	*/
340	static int s390_wiggle_split_folio(struct mm_struct mm, struct* folio *folio)
341	{
342	int rc, tried_splits;
343
344	lockdep_assert_not_held(&mm->mmap_lock);
345	folio_wait_writeback(folio);
346	lru_add_drain_all();
347
348	if (!folio_test_large(folio))
349	return `0`;
350
351	for (tried_splits = `0`; tried_splits < `2`; tried_splits++) {
352	struct address_space *mapping;
353	loff_t lstart, lend;
354	struct inode *inode;
355
356	folio_lock(folio);
357	rc = split_folio(folio);
358	if (rc != -EBUSY) {
359	folio_unlock(folio);
360	return rc;
361	}
362
363	/*
364	* Splitting with -EBUSY can fail for various reasons, but we
365	* have to handle one case explicitly for now: some mappings
366	* don't allow for splitting dirty folios; writeback will
367	* mark them clean again, including marking all page table
368	* entries mapping the folio read-only, to catch future write
369	* attempts.
370	*
371	* While the system should be writing back dirty folios in the
372	* background, we obtained this folio by looking up a writable
373	* page table entry. On these problematic mappings, writable
374	* page table entries imply dirty folios, preventing the
375	* split in the first place.
376	*
377	* To prevent a livelock when trigger writeback manually and
378	* letting the caller look up the folio again in the page
379	* table (turning it dirty), immediately try to split again.
380	*
381	* This is only a problem for some mappings (e.g., XFS);
382	* mappings that do not support writeback (e.g., shmem) do not
383	* apply.
384	*/
385	if (!folio_test_dirty(folio) \|\| folio_test_anon(folio) \|\|
386	!folio->mapping \|\| !mapping_can_writeback(mapping: folio->mapping)) {
387	folio_unlock(folio);
388	break;
389	}
390
391	/*
392	* Ideally, we'd only trigger writeback on this exact folio. But
393	* there is no easy way to do that, so we'll stabilize the
394	* mapping while we still hold the folio lock, so we can drop
395	* the folio lock to trigger writeback on the range currently
396	* covered by the folio instead.
397	*/
398	mapping = folio->mapping;
399	lstart = folio_pos(folio);
400	lend = lstart + folio_size(folio) - `1`;
401	inode = igrab(mapping->host);
402	folio_unlock(folio);
403
404	if (unlikely(!inode))
405	break;
406
407	filemap_write_and_wait_range(mapping, lstart, lend);
408	iput(mapping->host);
409	}
410	return -EAGAIN;
411	}
412
413	int make_hva_secure(struct mm_struct mm, unsigned* long hva, struct uv_cb_header *uvcb)
414	{
415	struct vm_area_struct *vma;
416	struct folio_walk fw;
417	struct folio *folio;
418	int rc;
419
420	mmap_read_lock(mm);
421	vma = vma_lookup(mm, addr: hva);
422	if (!vma) {
423	mmap_read_unlock(mm);
424	return -EFAULT;
425	}
426	folio = folio_walk_start(fw: &fw, vma, addr: hva, flags: `0`);
427	if (!folio) {
428	mmap_read_unlock(mm);
429	return -ENXIO;
430	}
431
432	folio_get(folio);
433	/*
434	* Secure pages cannot be huge and userspace should not combine both.
435	* In case userspace does it anyway this will result in an -EFAULT for
436	* the unpack. The guest is thus never reaching secure mode.
437	* If userspace plays dirty tricks and decides to map huge pages at a
438	* later point in time, it will receive a segmentation fault or
439	* KVM_RUN will return -EFAULT.
440	*/
441	if (folio_test_hugetlb(folio))
442	rc = -EFAULT;
443	else if (folio_test_large(folio))
444	rc = -E2BIG;
445	else if (!pte_write(pte: fw.pte) \|\| (pte_val(pte: fw.pte) & _PAGE_INVALID))
446	rc = -ENXIO;
447	else
448	rc = make_folio_secure(mm, folio, uvcb);
449	folio_walk_end(&fw, vma);
450	mmap_read_unlock(mm);
451
452	if (rc == -E2BIG \|\| rc == -EBUSY) {
453	rc = s390_wiggle_split_folio(mm, folio);
454	if (!rc)
455	rc = -EAGAIN;
456	}
457	folio_put(folio);
458
459	return rc;
460	}
461	EXPORT_SYMBOL_GPL(make_hva_secure);
462
463	/*
464	* To be called with the folio locked or with an extra reference! This will
465	* prevent kvm_s390_pv_make_secure() from touching the folio concurrently.
466	* Having 2 parallel arch_make_folio_accessible is fine, as the UV calls will
467	* become a no-op if the folio is already exported.
468	*/
469	int arch_make_folio_accessible(struct folio *folio)
470	{
471	int rc = `0`;
472
473	/ Large folios cannot be secure /
474	if (unlikely(folio_test_large(folio)))
475	return `0`;
476
477	/*
478	* PG_arch_1 is used in 2 places:
479	* 1. for storage keys of hugetlb folios and KVM
480	* 2. As an indication that this small folio might be secure. This can
481	* overindicate, e.g. we set the bit before calling
482	* convert_to_secure.
483	* As secure pages are never large folios, both variants can co-exists.
484	*/
485	if (!test_bit(PG_arch_1, &folio->flags.f))
486	return `0`;
487
488	rc = uv_pin_shared(folio_to_phys(folio));
489	if (!rc) {
490	clear_bit(nr: PG_arch_1, addr: &folio->flags.f);
491	return `0`;
492	}
493
494	rc = uv_convert_from_secure(folio_to_phys(folio));
495	if (!rc) {
496	clear_bit(nr: PG_arch_1, addr: &folio->flags.f);
497	return `0`;
498	}
499
500	return rc;
501	}
502	EXPORT_SYMBOL_GPL(arch_make_folio_accessible);
503
504	static ssize_t uv_query_facilities(struct kobject *kobj,
505	struct kobj_attribute attr, char* *buf)
506	{
507	return sysfs_emit(buf, fmt: "%lx\n%lx\n%lx\n%lx\n",
508	uv_info.inst_calls_list[`0`],
509	uv_info.inst_calls_list[`1`],
510	uv_info.inst_calls_list[`2`],
511	uv_info.inst_calls_list[`3`]);
512	}
513
514	static struct kobj_attribute uv_query_facilities_attr =
515	__ATTR(facilities, `0444`, uv_query_facilities, NULL);
516
517	static ssize_t uv_query_supp_se_hdr_ver(struct kobject *kobj,
518	struct kobj_attribute attr, char* *buf)
519	{
520	return sysfs_emit(buf, fmt: "%lx\n", uv_info.supp_se_hdr_ver);
521	}
522
523	static struct kobj_attribute uv_query_supp_se_hdr_ver_attr =
524	__ATTR(supp_se_hdr_ver, `0444`, uv_query_supp_se_hdr_ver, NULL);
525
526	static ssize_t uv_query_supp_se_hdr_pcf(struct kobject *kobj,
527	struct kobj_attribute attr, char* *buf)
528	{
529	return sysfs_emit(buf, fmt: "%lx\n", uv_info.supp_se_hdr_pcf);
530	}
531
532	static struct kobj_attribute uv_query_supp_se_hdr_pcf_attr =
533	__ATTR(supp_se_hdr_pcf, `0444`, uv_query_supp_se_hdr_pcf, NULL);
534
535	static ssize_t uv_query_dump_cpu_len(struct kobject *kobj,
536	struct kobj_attribute attr, char* *buf)
537	{
538	return sysfs_emit(buf, fmt: "%lx\n", uv_info.guest_cpu_stor_len);
539	}
540
541	static struct kobj_attribute uv_query_dump_cpu_len_attr =
542	__ATTR(uv_query_dump_cpu_len, `0444`, uv_query_dump_cpu_len, NULL);
543
544	static ssize_t uv_query_dump_storage_state_len(struct kobject *kobj,
545	struct kobj_attribute attr, char* *buf)
546	{
547	return sysfs_emit(buf, fmt: "%lx\n", uv_info.conf_dump_storage_state_len);
548	}
549
550	static struct kobj_attribute uv_query_dump_storage_state_len_attr =
551	__ATTR(dump_storage_state_len, `0444`, uv_query_dump_storage_state_len, NULL);
552
553	static ssize_t uv_query_dump_finalize_len(struct kobject *kobj,
554	struct kobj_attribute attr, char* *buf)
555	{
556	return sysfs_emit(buf, fmt: "%lx\n", uv_info.conf_dump_finalize_len);
557	}
558
559	static struct kobj_attribute uv_query_dump_finalize_len_attr =
560	__ATTR(dump_finalize_len, `0444`, uv_query_dump_finalize_len, NULL);
561
562	static ssize_t uv_query_feature_indications(struct kobject *kobj,
563	struct kobj_attribute attr, char* *buf)
564	{
565	return sysfs_emit(buf, fmt: "%lx\n", uv_info.uv_feature_indications);
566	}
567
568	static struct kobj_attribute uv_query_feature_indications_attr =
569	__ATTR(feature_indications, `0444`, uv_query_feature_indications, NULL);
570
571	static ssize_t uv_query_max_guest_cpus(struct kobject *kobj,
572	struct kobj_attribute attr, char* *buf)
573	{
574	return sysfs_emit(buf, fmt: "%d\n", uv_info.max_guest_cpu_id + `1`);
575	}
576
577	static struct kobj_attribute uv_query_max_guest_cpus_attr =
578	__ATTR(max_cpus, `0444`, uv_query_max_guest_cpus, NULL);
579
580	static ssize_t uv_query_max_guest_vms(struct kobject *kobj,
581	struct kobj_attribute attr, char* *buf)
582	{
583	return sysfs_emit(buf, fmt: "%d\n", uv_info.max_num_sec_conf);
584	}
585
586	static struct kobj_attribute uv_query_max_guest_vms_attr =
587	__ATTR(max_guests, `0444`, uv_query_max_guest_vms, NULL);
588
589	static ssize_t uv_query_max_guest_addr(struct kobject *kobj,
590	struct kobj_attribute attr, char* *buf)
591	{
592	return sysfs_emit(buf, fmt: "%lx\n", uv_info.max_sec_stor_addr);
593	}
594
595	static struct kobj_attribute uv_query_max_guest_addr_attr =
596	__ATTR(max_address, `0444`, uv_query_max_guest_addr, NULL);
597
598	static ssize_t uv_query_supp_att_req_hdr_ver(struct kobject *kobj,
599	struct kobj_attribute attr, char* *buf)
600	{
601	return sysfs_emit(buf, fmt: "%lx\n", uv_info.supp_att_req_hdr_ver);
602	}
603
604	static struct kobj_attribute uv_query_supp_att_req_hdr_ver_attr =
605	__ATTR(supp_att_req_hdr_ver, `0444`, uv_query_supp_att_req_hdr_ver, NULL);
606
607	static ssize_t uv_query_supp_att_pflags(struct kobject *kobj,
608	struct kobj_attribute attr, char* *buf)
609	{
610	return sysfs_emit(buf, fmt: "%lx\n", uv_info.supp_att_pflags);
611	}
612
613	static struct kobj_attribute uv_query_supp_att_pflags_attr =
614	__ATTR(supp_att_pflags, `0444`, uv_query_supp_att_pflags, NULL);
615
616	static ssize_t uv_query_supp_add_secret_req_ver(struct kobject *kobj,
617	struct kobj_attribute attr, char* *buf)
618	{
619	return sysfs_emit(buf, fmt: "%lx\n", uv_info.supp_add_secret_req_ver);
620	}
621
622	static struct kobj_attribute uv_query_supp_add_secret_req_ver_attr =
623	__ATTR(supp_add_secret_req_ver, `0444`, uv_query_supp_add_secret_req_ver, NULL);
624
625	static ssize_t uv_query_supp_add_secret_pcf(struct kobject *kobj,
626	struct kobj_attribute attr, char* *buf)
627	{
628	return sysfs_emit(buf, fmt: "%lx\n", uv_info.supp_add_secret_pcf);
629	}
630
631	static struct kobj_attribute uv_query_supp_add_secret_pcf_attr =
632	__ATTR(supp_add_secret_pcf, `0444`, uv_query_supp_add_secret_pcf, NULL);
633
634	static ssize_t uv_query_supp_secret_types(struct kobject *kobj,
635	struct kobj_attribute attr, char* *buf)
636	{
637	return sysfs_emit(buf, fmt: "%lx\n", uv_info.supp_secret_types);
638	}
639
640	static struct kobj_attribute uv_query_supp_secret_types_attr =
641	__ATTR(supp_secret_types, `0444`, uv_query_supp_secret_types, NULL);
642
643	static ssize_t uv_query_max_secrets(struct kobject *kobj,
644	struct kobj_attribute attr, char* *buf)
645	{
646	return sysfs_emit(buf, fmt: "%d\n",
647	uv_info.max_assoc_secrets + uv_info.max_retr_secrets);
648	}
649
650	static struct kobj_attribute uv_query_max_secrets_attr =
651	__ATTR(max_secrets, `0444`, uv_query_max_secrets, NULL);
652
653	static ssize_t uv_query_max_retr_secrets(struct kobject *kobj,
654	struct kobj_attribute attr, char* *buf)
655	{
656	return sysfs_emit(buf, fmt: "%d\n", uv_info.max_retr_secrets);
657	}
658
659	static struct kobj_attribute uv_query_max_retr_secrets_attr =
660	__ATTR(max_retr_secrets, `0444`, uv_query_max_retr_secrets, NULL);
661
662	static ssize_t uv_query_max_assoc_secrets(struct kobject *kobj,
663	struct kobj_attribute *attr,
664	char *buf)
665	{
666	return sysfs_emit(buf, fmt: "%d\n", uv_info.max_assoc_secrets);
667	}
668
669	static struct kobj_attribute uv_query_max_assoc_secrets_attr =
670	__ATTR(max_assoc_secrets, `0444`, uv_query_max_assoc_secrets, NULL);
671
672	static struct attribute *uv_query_attrs[] = {
673	&uv_query_facilities_attr.attr,
674	&uv_query_feature_indications_attr.attr,
675	&uv_query_max_guest_cpus_attr.attr,
676	&uv_query_max_guest_vms_attr.attr,
677	&uv_query_max_guest_addr_attr.attr,
678	&uv_query_supp_se_hdr_ver_attr.attr,
679	&uv_query_supp_se_hdr_pcf_attr.attr,
680	&uv_query_dump_storage_state_len_attr.attr,
681	&uv_query_dump_finalize_len_attr.attr,
682	&uv_query_dump_cpu_len_attr.attr,
683	&uv_query_supp_att_req_hdr_ver_attr.attr,
684	&uv_query_supp_att_pflags_attr.attr,
685	&uv_query_supp_add_secret_req_ver_attr.attr,
686	&uv_query_supp_add_secret_pcf_attr.attr,
687	&uv_query_supp_secret_types_attr.attr,
688	&uv_query_max_secrets_attr.attr,
689	&uv_query_max_assoc_secrets_attr.attr,
690	&uv_query_max_retr_secrets_attr.attr,
691	NULL,
692	};
693
694	static inline struct uv_cb_query_keys uv_query_keys(void)
695	{
696	struct uv_cb_query_keys uvcb = {
697	.header.cmd = UVC_CMD_QUERY_KEYS,
698	.header.len = sizeof(uvcb)
699	};
700
701	uv_call(`0`, (uint64_t)&uvcb);
702	return uvcb;
703	}
704
705	static inline ssize_t emit_hash(struct uv_key_hash hash, char* buf, int* at)
706	{
707	return sysfs_emit_at(buf, at, fmt: "%016llx%016llx%016llx%016llx\n",
708	hash->dword[`0`], hash->dword[`1`], hash->dword[`2`], hash->dword[`3`]);
709	}
710
711	static ssize_t uv_keys_host_key(struct kobject *kobj,
712	struct kobj_attribute attr, char* *buf)
713	{
714	struct uv_cb_query_keys uvcb = uv_query_keys();
715
716	return emit_hash(&uvcb.key_hashes[UVC_QUERY_KEYS_IDX_HK], buf, `0`);
717	}
718
719	static struct kobj_attribute uv_keys_host_key_attr =
720	__ATTR(host_key, `0444`, uv_keys_host_key, NULL);
721
722	static ssize_t uv_keys_backup_host_key(struct kobject *kobj,
723	struct kobj_attribute attr, char* *buf)
724	{
725	struct uv_cb_query_keys uvcb = uv_query_keys();
726
727	return emit_hash(&uvcb.key_hashes[UVC_QUERY_KEYS_IDX_BACK_HK], buf, `0`);
728	}
729
730	static struct kobj_attribute uv_keys_backup_host_key_attr =
731	__ATTR(backup_host_key, `0444`, uv_keys_backup_host_key, NULL);
732
733	static ssize_t uv_keys_all(struct kobject *kobj,
734	struct kobj_attribute attr, char* *buf)
735	{
736	struct uv_cb_query_keys uvcb = uv_query_keys();
737	ssize_t len = `0`;
738	int i;
739
740	for (i = `0`; i < ARRAY_SIZE(uvcb.key_hashes); i++)
741	len += emit_hash(hash: uvcb.key_hashes + i, buf, at: len);
742
743	return len;
744	}
745
746	static struct kobj_attribute uv_keys_all_attr =
747	__ATTR(all, `0444`, uv_keys_all, NULL);
748
749	static struct attribute_group uv_query_attr_group = {
750	.attrs = uv_query_attrs,
751	};
752
753	static struct attribute *uv_keys_attrs[] = {
754	&uv_keys_host_key_attr.attr,
755	&uv_keys_backup_host_key_attr.attr,
756	&uv_keys_all_attr.attr,
757	NULL,
758	};
759
760	static struct attribute_group uv_keys_attr_group = {
761	.attrs = uv_keys_attrs,
762	};
763
764	static ssize_t uv_is_prot_virt_guest(struct kobject *kobj,
765	struct kobj_attribute attr, char* *buf)
766	{
767	return sysfs_emit(buf, fmt: "%d\n", prot_virt_guest);
768	}
769
770	static ssize_t uv_is_prot_virt_host(struct kobject *kobj,
771	struct kobj_attribute attr, char* *buf)
772	{
773	return sysfs_emit(buf, fmt: "%d\n", prot_virt_host);
774	}
775
776	static struct kobj_attribute uv_prot_virt_guest =
777	__ATTR(prot_virt_guest, `0444`, uv_is_prot_virt_guest, NULL);
778
779	static struct kobj_attribute uv_prot_virt_host =
780	__ATTR(prot_virt_host, `0444`, uv_is_prot_virt_host, NULL);
781
782	static const struct attribute *uv_prot_virt_attrs[] = {
783	&uv_prot_virt_guest.attr,
784	&uv_prot_virt_host.attr,
785	NULL,
786	};
787
788	static struct kset *uv_query_kset;
789	static struct kset *uv_keys_kset;
790	static struct kobject *uv_kobj;
791
792	static int __init uv_sysfs_dir_init(const struct attribute_group *grp,
793	struct kset *uv_dir_kset, const* char *name)
794	{
795	struct kset *kset;
796	int rc;
797
798	kset = kset_create_and_add(name, NULL, parent_kobj: uv_kobj);
799	if (!kset)
800	return -ENOMEM;
801	*uv_dir_kset = kset;
802
803	rc = sysfs_create_group(kobj: &kset->kobj, grp);
804	if (rc)
805	kset_unregister(kset);
806	return rc;
807	}
808
809	static int __init uv_sysfs_init(void)
810	{
811	int rc = -ENOMEM;
812
813	if (!test_facility(`158`))
814	return `0`;
815
816	uv_kobj = kobject_create_and_add(name: "uv", parent: firmware_kobj);
817	if (!uv_kobj)
818	return -ENOMEM;
819
820	rc = sysfs_create_files(kobj: uv_kobj, attr: uv_prot_virt_attrs);
821	if (rc)
822	goto out_kobj;
823
824	rc = uv_sysfs_dir_init(grp: &uv_query_attr_group, uv_dir_kset: &uv_query_kset, name: "query");
825	if (rc)
826	goto out_ind_files;
827
828	/ Get installed key hashes if available, ignore any errors /
829	if (test_bit_inv(BIT_UVC_CMD_QUERY_KEYS, uv_info.inst_calls_list))
830	uv_sysfs_dir_init(grp: &uv_keys_attr_group, uv_dir_kset: &uv_keys_kset, name: "keys");
831
832	return `0`;
833
834	out_ind_files:
835	sysfs_remove_files(kobj: uv_kobj, attr: uv_prot_virt_attrs);
836	out_kobj:
837	kobject_del(kobj: uv_kobj);
838	kobject_put(kobj: uv_kobj);
839	return rc;
840	}
841	device_initcall(uv_sysfs_init);
842
843	/*
844	* Locate a secret in the list by its id.
845	* @secret_id: search pattern.
846	* @list: ephemeral buffer space
847	* @secret: output data, containing the secret's metadata.
848	*
849	* Search for a secret with the given secret_id in the Ultravisor secret store.
850	*
851	* Context: might sleep.
852	*/
853	static int find_secret_in_page(const u8 secret_id[UV_SECRET_ID_LEN],
854	const struct uv_secret_list *list,
855	struct uv_secret_list_item_hdr *secret)
856	{
857	u16 i;
858
859	for (i = `0`; i < list->total_num_secrets; i++) {
860	if (memcmp(secret_id, list->secrets[i].id, UV_SECRET_ID_LEN) == `0`) {
861	*secret = list->secrets[i].hdr;
862	return `0`;
863	}
864	}
865	return -ENOENT;
866	}
867
868	/**
869	* uv_find_secret() - search secret metadata for a given secret id.
870	* @secret_id: search pattern.
871	* @list: ephemeral buffer space
872	* @secret: output data, containing the secret's metadata.
873	*
874	* Context: might sleep.
875	*/
876	int uv_find_secret(const u8 secret_id[UV_SECRET_ID_LEN],
877	struct uv_secret_list *list,
878	struct uv_secret_list_item_hdr *secret)
879	{
880	u16 start_idx = `0`;
881	u16 list_rc;
882	int ret;
883
884	do {
885	uv_list_secrets(list, start_idx, &list_rc, NULL);
886	if (list_rc != UVC_RC_EXECUTED && list_rc != UVC_RC_MORE_DATA) {
887	if (list_rc == UVC_RC_INV_CMD)
888	return -ENODEV;
889	else
890	return -EIO;
891	}
892	ret = find_secret_in_page(secret_id, list, secret);
893	if (ret == `0`)
894	return ret;
895	start_idx = list->next_secret_idx;
896	} while (list_rc == UVC_RC_MORE_DATA && start_idx < list->next_secret_idx);
897
898	return -ENOENT;
899	}
900	EXPORT_SYMBOL_GPL(uv_find_secret);
901
902	/**
903	* uv_retrieve_secret() - get the secret value for the secret index.
904	* @secret_idx: Secret index for which the secret should be retrieved.
905	* @buf: Buffer to store retrieved secret.
906	* @buf_size: Size of the buffer. The correct buffer size is reported as part of
907	* the result from `uv_get_secret_metadata`.
908	*
909	* Calls the Retrieve Secret UVC and translates the UV return code into an errno.
910	*
911	* Context: might sleep.
912	*
913	* Return:
914	* * %0 - Entry found; buffer contains a valid secret.
915	* * %ENOENT: - No entry found or secret at the index is non-retrievable.
916	* * %ENODEV: - Not supported: UV not available or command not available.
917	* * %EINVAL: - Buffer too small for content.
918	* * %EIO: - Other unexpected UV error.
919	*/
920	int uv_retrieve_secret(u16 secret_idx, u8 *buf, size_t buf_size)
921	{
922	struct uv_cb_retr_secr uvcb = {
923	.header.len = sizeof(uvcb),
924	.header.cmd = UVC_CMD_RETR_SECRET,
925	.secret_idx = secret_idx,
926	.buf_addr = (u64)buf,
927	.buf_size = buf_size,
928	};
929
930	uv_call_sched(`0`, (u64)&uvcb);
931
932	switch (uvcb.header.rc) {
933	case UVC_RC_EXECUTED:
934	return `0`;
935	case UVC_RC_INV_CMD:
936	return -ENODEV;
937	case UVC_RC_RETR_SECR_STORE_EMPTY:
938	case UVC_RC_RETR_SECR_INV_SECRET:
939	case UVC_RC_RETR_SECR_INV_IDX:
940	return -ENOENT;
941	case UVC_RC_RETR_SECR_BUF_SMALL:
942	return -EINVAL;
943	default:
944	return -EIO;
945	}
946	}
947	EXPORT_SYMBOL_GPL(uv_retrieve_secret);
948

source code of linux/arch/s390/kernel/uv.c