Merge tag 'powerpc-7.0-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

+58

Documentation/ABI/testing/sysfs-firmware-plpks

··· 1 + What: /sys/firmware/plpks/config 2 + Date: February 2023 3 + Contact: Nayna Jain <nayna@linux.ibm.com> 4 + Description: This optional directory contains read-only config attributes as 5 + defined by the PLPKS implementation. All data is in ASCII 6 + format. 7 + 8 + What: /sys/firmware/plpks/config/version 9 + Date: February 2023 10 + Contact: Nayna Jain <nayna@linux.ibm.com> 11 + Description: Config version as reported by the hypervisor in ASCII decimal 12 + format. 13 + 14 + What: /sys/firmware/plpks/config/max_object_size 15 + Date: February 2023 16 + Contact: Nayna Jain <nayna@linux.ibm.com> 17 + Description: Maximum allowed size of objects in the keystore in bytes, 18 + represented in ASCII decimal format. 19 + 20 + This is not necessarily the same as the max size that can be 21 + written to an update file as writes can contain more than 22 + object data, you should use the size of the update file for 23 + that purpose. 24 + 25 + What: /sys/firmware/plpks/config/total_size 26 + Date: February 2023 27 + Contact: Nayna Jain <nayna@linux.ibm.com> 28 + Description: Total size of the PLPKS in bytes, represented in ASCII decimal 29 + format. 30 + 31 + What: /sys/firmware/plpks/config/used_space 32 + Date: February 2023 33 + Contact: Nayna Jain <nayna@linux.ibm.com> 34 + Description: Current space consumed by the key store, in bytes, represented 35 + in ASCII decimal format. 36 + 37 + What: /sys/firmware/plpks/config/supported_policies 38 + Date: February 2023 39 + Contact: Nayna Jain <nayna@linux.ibm.com> 40 + Description: Bitmask of supported policy flags by the hypervisor, represented 41 + as an 8 byte hexadecimal ASCII string. Consult the hypervisor 42 + documentation for what these flags are. 43 + 44 + What: /sys/firmware/plpks/config/signed_update_algorithms 45 + Date: February 2023 46 + Contact: Nayna Jain <nayna@linux.ibm.com> 47 + Description: Bitmask of flags indicating which algorithms the hypervisor 48 + supports for signed update of objects, represented as a 16 byte 49 + hexadecimal ASCII string. Consult the hypervisor documentation 50 + for what these flags mean. 51 + 52 + What: /sys/firmware/plpks/config/wrapping_features 53 + Date: November 2025 54 + Contact: Srish Srinivasan <ssrish@linux.ibm.com> 55 + Description: Bitmask of the wrapping features indicating the wrapping 56 + algorithms that are supported for the H_PKS_WRAP_OBJECT requests 57 + , represented as a 8 byte hexadecimal ASCII string. Consult the 58 + hypervisor documentation for what these flags mean.

-65

Documentation/ABI/testing/sysfs-secvar

··· 63 63 Description: A write-only file that is used to submit the new value for the 64 64 variable. The size of the file represents the maximum size of 65 65 the variable data that can be written. 66 - 67 - What: /sys/firmware/secvar/config 68 - Date: February 2023 69 - Contact: Nayna Jain <nayna@linux.ibm.com> 70 - Description: This optional directory contains read-only config attributes as 71 - defined by the secure variable implementation. All data is in 72 - ASCII format. The directory is only created if the backing 73 - implementation provides variables to populate it, which at 74 - present is only PLPKS on the pseries platform. 75 - 76 - What: /sys/firmware/secvar/config/version 77 - Date: February 2023 78 - Contact: Nayna Jain <nayna@linux.ibm.com> 79 - Description: Config version as reported by the hypervisor in ASCII decimal 80 - format. 81 - 82 - Currently only provided by PLPKS on the pseries platform. 83 - 84 - What: /sys/firmware/secvar/config/max_object_size 85 - Date: February 2023 86 - Contact: Nayna Jain <nayna@linux.ibm.com> 87 - Description: Maximum allowed size of objects in the keystore in bytes, 88 - represented in ASCII decimal format. 89 - 90 - This is not necessarily the same as the max size that can be 91 - written to an update file as writes can contain more than 92 - object data, you should use the size of the update file for 93 - that purpose. 94 - 95 - Currently only provided by PLPKS on the pseries platform. 96 - 97 - What: /sys/firmware/secvar/config/total_size 98 - Date: February 2023 99 - Contact: Nayna Jain <nayna@linux.ibm.com> 100 - Description: Total size of the PLPKS in bytes, represented in ASCII decimal 101 - format. 102 - 103 - Currently only provided by PLPKS on the pseries platform. 104 - 105 - What: /sys/firmware/secvar/config/used_space 106 - Date: February 2023 107 - Contact: Nayna Jain <nayna@linux.ibm.com> 108 - Description: Current space consumed by the key store, in bytes, represented 109 - in ASCII decimal format. 110 - 111 - Currently only provided by PLPKS on the pseries platform. 112 - 113 - What: /sys/firmware/secvar/config/supported_policies 114 - Date: February 2023 115 - Contact: Nayna Jain <nayna@linux.ibm.com> 116 - Description: Bitmask of supported policy flags by the hypervisor, 117 - represented as an 8 byte hexadecimal ASCII string. Consult the 118 - hypervisor documentation for what these flags are. 119 - 120 - Currently only provided by PLPKS on the pseries platform. 121 - 122 - What: /sys/firmware/secvar/config/signed_update_algorithms 123 - Date: February 2023 124 - Contact: Nayna Jain <nayna@linux.ibm.com> 125 - Description: Bitmask of flags indicating which algorithms the hypervisor 126 - supports for signed update of objects, represented as a 16 byte 127 - hexadecimal ASCII string. Consult the hypervisor documentation 128 - for what these flags mean. 129 - 130 - Currently only provided by PLPKS on the pseries platform.

+1

Documentation/admin-guide/kernel-parameters.txt

··· 7794 7794 - "tee" 7795 7795 - "caam" 7796 7796 - "dcp" 7797 + - "pkwm" 7797 7798 If not specified then it defaults to iterating through 7798 7799 the trust source list starting with TPM and assigns the 7799 7800 first trust source as a backend which is initialized

+43

Documentation/arch/powerpc/papr_hcalls.rst

··· 300 300 Macro (HTM) function and its data. HTM buffer stores tracing data for functions 301 301 like core instruction, core LLAT and nest. 302 302 303 + **H_PKS_GEN_KEY** 304 + 305 + | Input: authorization, objectlabel, objectlabellen, policy, out, outlen 306 + | Out: *Hypervisor Generated Key, or None when the wrapping key policy is set* 307 + | Return Value: *H_SUCCESS, H_Function, H_State, H_R_State, H_Parameter, H_P2, 308 + H_P3, H_P4, H_P5, H_P6, H_Authority, H_Nomem, H_Busy, H_Resource, 309 + H_Aborted* 310 + 311 + H_PKS_GEN_KEY is used to have the hypervisor generate a new random key. 312 + This key is stored as an object in the Power LPAR Platform KeyStore with 313 + the provided object label. With the wrapping key policy set the key is only 314 + visible to the hypervisor, while the key's label would still be visible to 315 + the user. Generation of wrapping keys is supported only for a key size of 316 + 32 bytes. 317 + 318 + **H_PKS_WRAP_OBJECT** 319 + 320 + | Input: authorization, wrapkeylabel, wrapkeylabellen, objectwrapflags, in, 321 + | inlen, out, outlen, continue-token 322 + | Out: *continue-token, byte size of wrapped object, wrapped object* 323 + | Return Value: *H_SUCCESS, H_Function, H_State, H_R_State, H_Parameter, H_P2, 324 + H_P3, H_P4, H_P5, H_P6, H_P7, H_P8, H_P9, H_Authority, H_Invalid_Key, 325 + H_NOT_FOUND, H_Busy, H_LongBusy, H_Aborted* 326 + 327 + H_PKS_WRAP_OBJECT is used to wrap an object using a wrapping key stored in the 328 + Power LPAR Platform KeyStore and return the wrapped object to the caller. The 329 + caller provides a label to a wrapping key with the 'wrapping key' policy set, 330 + which must have been previously created with H_PKS_GEN_KEY. The provided object 331 + is then encrypted with the wrapping key and additional metadata and the result 332 + is returned to the caller. 333 + 334 + 335 + **H_PKS_UNWRAP_OBJECT** 336 + 337 + | Input: authorization, objectwrapflags, in, inlen, out, outlen, continue-token 338 + | Out: *continue-token, byte size of unwrapped object, unwrapped object* 339 + | Return Value: *H_SUCCESS, H_Function, H_State, H_R_State, H_Parameter, H_P2, 340 + H_P3, H_P4, H_P5, H_P6, H_P7, H_Authority, H_Unsupported, H_Bad_Data, 341 + H_NOT_FOUND, H_Invalid_Key, H_Busy, H_LongBusy, H_Aborted* 342 + 343 + H_PKS_UNWRAP_OBJECT is used to unwrap an object that was previously warapped with 344 + H_PKS_WRAP_OBJECT. 345 + 303 346 References 304 347 ========== 305 348 .. [1] "Power Architecture Platform Reference"

+50

Documentation/security/keys/trusted-encrypted.rst

··· 81 81 and the UNIQUE key. Default is to use the UNIQUE key, but selecting 82 82 the OTP key can be done via a module parameter (dcp_use_otp_key). 83 83 84 + (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore) 85 + 86 + Rooted to a unique, per-LPAR key, which is derived from a system-wide, 87 + randomly generated LPAR root key. Both the per-LPAR keys and the LPAR 88 + root key are stored in hypervisor-owned secure memory at runtime, 89 + and the LPAR root key is additionally persisted in secure locations 90 + such as the processor SEEPROMs and encrypted NVRAM. 91 + 84 92 * Execution isolation 85 93 86 94 (1) TPM ··· 109 101 Fixed set of cryptographic operations running in isolated execution 110 102 environment. Only basic blob key encryption is executed there. 111 103 The actual key sealing/unsealing is done on main processor/kernel space. 104 + 105 + (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore) 106 + 107 + Fixed set of cryptographic operations done on on-chip hardware 108 + cryptographic acceleration unit NX. Keys for wrapping and unwrapping 109 + are managed by PowerVM Platform KeyStore, which stores keys in an 110 + isolated in-memory copy in secure hypervisor memory, as well as in a 111 + persistent copy in hypervisor-encrypted NVRAM. 112 112 113 113 * Optional binding to platform integrity state 114 114 ··· 145 129 Relies on Secure/Trusted boot process (called HAB by vendor) for 146 130 platform integrity. 147 131 132 + (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore) 133 + 134 + Relies on secure and trusted boot process of IBM Power systems for 135 + platform integrity. 136 + 148 137 * Interfaces and APIs 149 138 150 139 (1) TPM ··· 169 148 170 149 Vendor-specific API that is implemented as part of the DCP crypto driver in 171 150 ``drivers/crypto/mxs-dcp.c``. 151 + 152 + (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore) 153 + 154 + Platform Keystore has well documented interfaces in PAPR document. 155 + Refer to ``Documentation/arch/powerpc/papr_hcalls.rst`` 172 156 173 157 * Threat model 174 158 ··· 216 190 so the kernel default RNG is used. SoCs with DCP like the i.MX6ULL do have 217 191 a dedicated hardware RNG that is independent from DCP which can be enabled 218 192 to back the kernel RNG. 193 + 194 + * PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore) 195 + 196 + The normal kernel random number generator is used to generate keys. 219 197 220 198 Users may override this by specifying ``trusted.rng=kernel`` on the kernel 221 199 command-line to override the used RNG with the kernel's random number pool. ··· 349 319 350 320 "keyctl print" returns an ASCII hex copy of the sealed key, which is in format 351 321 specific to this DCP key-blob implementation. The key length for new keys is 322 + always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). 323 + 324 + Trusted Keys usage: PKWM 325 + ------------------------ 326 + 327 + Usage:: 328 + 329 + keyctl add trusted name "new keylen [options]" ring 330 + keyctl add trusted name "load hex_blob" ring 331 + keyctl print keyid 332 + 333 + options: 334 + wrap_flags= ascii hex value of security policy requirement 335 + 0x00: no secure boot requirement (default) 336 + 0x01: require secure boot to be in either audit or 337 + enforced mode 338 + 0x02: require secure boot to be in enforced mode 339 + 340 + "keyctl print" returns an ASCII hex copy of the sealed key, which is in format 341 + specific to PKWM key-blob implementation. The key length for new keys is 352 342 always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). 353 343 354 344 Encrypted Keys usage

+9

MAINTAINERS

··· 14034 14034 F: include/keys/trusted_dcp.h 14035 14035 F: security/keys/trusted-keys/trusted_dcp.c 14036 14036 14037 + KEYS-TRUSTED-PLPKS 14038 + M: Srish Srinivasan <ssrish@linux.ibm.com> 14039 + M: Nayna Jain <nayna@linux.ibm.com> 14040 + L: linux-integrity@vger.kernel.org 14041 + L: keyrings@vger.kernel.org 14042 + S: Supported 14043 + F: include/keys/trusted_pkwm.h 14044 + F: security/keys/trusted-keys/trusted_pkwm.c 14045 + 14037 14046 KEYS-TRUSTED-TEE 14038 14047 M: Sumit Garg <sumit.garg@kernel.org> 14039 14048 L: linux-integrity@vger.kernel.org

+1 -2

arch/powerpc/Kconfig

··· 1293 1293 Say N here unless you know what you are doing. 1294 1294 1295 1295 config TASK_SIZE 1296 - hex "Size of user task space" if TASK_SIZE_BOOL 1296 + hex "Size of maximum user task space" if TASK_SIZE_BOOL 1297 1297 default "0x80000000" if PPC_8xx 1298 - default "0xb0000000" if PPC_BOOK3S_32 && EXECMEM 1299 1298 default "0xc0000000" 1300 1299 1301 1300 config MODULES_SIZE_BOOL

+1 -1

arch/powerpc/include/asm/barrier.h

··· 102 102 103 103 #else /* !CONFIG_PPC_BARRIER_NOSPEC */ 104 104 #define barrier_nospec_asm 105 - #define barrier_nospec() 105 + #define barrier_nospec() do {} while (0) 106 106 #endif /* CONFIG_PPC_BARRIER_NOSPEC */ 107 107 108 108 /*

+1 -2

arch/powerpc/include/asm/book3s/32/kup.h

··· 97 97 } 98 98 #define __kuap_get_and_assert_locked __kuap_get_and_assert_locked 99 99 100 - static __always_inline void allow_user_access(void __user *to, const void __user *from, 101 - u32 size, unsigned long dir) 100 + static __always_inline void allow_user_access(void __user *to, unsigned long dir) 102 101 { 103 102 BUILD_BUG_ON(!__builtin_constant_p(dir)); 104 103

+4 -1

arch/powerpc/include/asm/book3s/32/mmu-hash.h

··· 192 192 extern s32 patch__flush_hash_A0, patch__flush_hash_A1, patch__flush_hash_A2; 193 193 extern s32 patch__flush_hash_B; 194 194 195 + #include <linux/sizes.h> 196 + #include <linux/align.h> 197 + 195 198 #include <asm/reg.h> 196 199 #include <asm/task_size_32.h> 197 200 198 201 static __always_inline void update_user_segment(u32 n, u32 val) 199 202 { 200 - if (n << 28 < TASK_SIZE) 203 + if (n << 28 < ALIGN(TASK_SIZE, SZ_256M)) 201 204 mtsr(val + n * 0x111, n << 28); 202 205 } 203 206

-4

arch/powerpc/include/asm/book3s/32/pgtable.h

··· 195 195 #define VMALLOC_END ioremap_bot 196 196 #endif 197 197 198 - #define MODULES_END ALIGN_DOWN(PAGE_OFFSET, SZ_256M) 199 - #define MODULES_SIZE (CONFIG_MODULES_SIZE * SZ_1M) 200 - #define MODULES_VADDR (MODULES_END - MODULES_SIZE) 201 - 202 198 #ifndef __ASSEMBLER__ 203 199 #include <linux/sched.h> 204 200 #include <linux/threads.h>

+2 -4

arch/powerpc/include/asm/book3s/64/kup.h

··· 353 353 return (regs->amr & AMR_KUAP_BLOCK_READ) == AMR_KUAP_BLOCK_READ; 354 354 } 355 355 356 - static __always_inline void allow_user_access(void __user *to, const void __user *from, 357 - unsigned long size, unsigned long dir) 356 + static __always_inline void allow_user_access(void __user *to, unsigned long dir) 358 357 { 359 358 unsigned long thread_amr = 0; 360 359 ··· 382 383 383 384 static __always_inline void set_kuap(unsigned long value) { } 384 385 385 - static __always_inline void allow_user_access(void __user *to, const void __user *from, 386 - unsigned long size, unsigned long dir) 386 + static __always_inline void allow_user_access(void __user *to, unsigned long dir) 387 387 { } 388 388 389 389 #endif /* !CONFIG_PPC_KUAP */

+2

arch/powerpc/include/asm/eeh.h

··· 289 289 void eeh_pe_restore_bars(struct eeh_pe *pe); 290 290 const char *eeh_pe_loc_get(struct eeh_pe *pe); 291 291 struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe); 292 + const char *eeh_pe_loc_get_bus(struct pci_bus *bus); 293 + struct pci_bus *eeh_pe_bus_get_nolock(struct eeh_pe *pe); 292 294 293 295 void eeh_show_enabled(void); 294 296 int __init eeh_init(struct eeh_ops *ops);

+3 -1

arch/powerpc/include/asm/hvcall.h

··· 360 360 #define H_GUEST_RUN_VCPU 0x480 361 361 #define H_GUEST_COPY_MEMORY 0x484 362 362 #define H_GUEST_DELETE 0x488 363 - #define MAX_HCALL_OPCODE H_GUEST_DELETE 363 + #define H_PKS_WRAP_OBJECT 0x490 364 + #define H_PKS_UNWRAP_OBJECT 0x494 365 + #define MAX_HCALL_OPCODE H_PKS_UNWRAP_OBJECT 364 366 365 367 /* Scope args for H_SCM_UNBIND_ALL */ 366 368 #define H_UNBIND_SCOPE_ALL (0x1)

-1

arch/powerpc/include/asm/kgdb.h

··· 25 25 26 26 #define BREAK_INSTR_SIZE 4 27 27 #define BUFMAX ((NUMREGBYTES * 2) + 512) 28 - #define OUTBUFMAX ((NUMREGBYTES * 2) + 512) 29 28 30 29 #define BREAK_INSTR 0x7d821008 /* twge r2, r2 */ 31 30

+1 -51

arch/powerpc/include/asm/kup.h

··· 72 72 * platforms. 73 73 */ 74 74 #ifndef CONFIG_PPC_BOOK3S_64 75 - static __always_inline void allow_user_access(void __user *to, const void __user *from, 76 - unsigned long size, unsigned long dir) { } 75 + static __always_inline void allow_user_access(void __user *to, unsigned long dir) { } 77 76 static __always_inline void prevent_user_access(unsigned long dir) { } 78 77 static __always_inline unsigned long prevent_user_access_return(void) { return 0UL; } 79 78 static __always_inline void restore_user_access(unsigned long flags) { } ··· 129 130 { 130 131 if (IS_ENABLED(CONFIG_PPC_KUAP_DEBUG)) 131 132 kuap_get_and_assert_locked(); 132 - } 133 - 134 - static __always_inline void allow_read_from_user(const void __user *from, unsigned long size) 135 - { 136 - barrier_nospec(); 137 - allow_user_access(NULL, from, size, KUAP_READ); 138 - } 139 - 140 - static __always_inline void allow_write_to_user(void __user *to, unsigned long size) 141 - { 142 - allow_user_access(to, NULL, size, KUAP_WRITE); 143 - } 144 - 145 - static __always_inline void allow_read_write_user(void __user *to, const void __user *from, 146 - unsigned long size) 147 - { 148 - barrier_nospec(); 149 - allow_user_access(to, from, size, KUAP_READ_WRITE); 150 - } 151 - 152 - static __always_inline void prevent_read_from_user(const void __user *from, unsigned long size) 153 - { 154 - prevent_user_access(KUAP_READ); 155 - } 156 - 157 - static __always_inline void prevent_write_to_user(void __user *to, unsigned long size) 158 - { 159 - prevent_user_access(KUAP_WRITE); 160 - } 161 - 162 - static __always_inline void prevent_read_write_user(void __user *to, const void __user *from, 163 - unsigned long size) 164 - { 165 - prevent_user_access(KUAP_READ_WRITE); 166 - } 167 - 168 - static __always_inline void prevent_current_access_user(void) 169 - { 170 - prevent_user_access(KUAP_READ_WRITE); 171 - } 172 - 173 - static __always_inline void prevent_current_read_from_user(void) 174 - { 175 - prevent_user_access(KUAP_READ); 176 - } 177 - 178 - static __always_inline void prevent_current_write_to_user(void) 179 - { 180 - prevent_user_access(KUAP_WRITE); 181 133 } 182 134 183 135 #endif /* !__ASSEMBLER__ */

+1 -2

arch/powerpc/include/asm/nohash/32/kup-8xx.h

··· 49 49 "i"(SPRN_MD_AP), "r"(MD_APG_KUAP), "i"(MMU_FTR_KUAP) : "memory"); 50 50 } 51 51 52 - static __always_inline void allow_user_access(void __user *to, const void __user *from, 53 - unsigned long size, unsigned long dir) 52 + static __always_inline void allow_user_access(void __user *to, unsigned long dir) 54 53 { 55 54 uaccess_begin_8xx(MD_APG_INIT); 56 55 }

-4

arch/powerpc/include/asm/nohash/32/mmu-8xx.h

··· 170 170 171 171 #define mmu_linear_psize MMU_PAGE_8M 172 172 173 - #define MODULES_END PAGE_OFFSET 174 - #define MODULES_SIZE (CONFIG_MODULES_SIZE * SZ_1M) 175 - #define MODULES_VADDR (MODULES_END - MODULES_SIZE) 176 - 177 173 #ifndef __ASSEMBLER__ 178 174 179 175 #include <linux/mmdebug.h>

+1 -2

arch/powerpc/include/asm/nohash/kup-booke.h

··· 73 73 "i"(SPRN_PID), "r"(0), "i"(MMU_FTR_KUAP) : "memory"); 74 74 } 75 75 76 - static __always_inline void allow_user_access(void __user *to, const void __user *from, 77 - unsigned long size, unsigned long dir) 76 + static __always_inline void allow_user_access(void __user *to, unsigned long dir) 78 77 { 79 78 uaccess_begin_booke(current->thread.pid); 80 79 }

+18 -77

arch/powerpc/include/asm/plpks.h

··· 13 13 14 14 #include <linux/types.h> 15 15 #include <linux/list.h> 16 + #include <linux/kobject.h> 16 17 17 18 // Object policy flags from supported_policies 18 19 #define PLPKS_OSSECBOOTAUDIT PPC_BIT32(1) // OS secure boot must be audit/enforce ··· 23 22 #define PLPKS_IMMUTABLE PPC_BIT32(5) // Once written, object cannot be removed 24 23 #define PLPKS_TRANSIENT PPC_BIT32(6) // Object does not persist through reboot 25 24 #define PLPKS_SIGNEDUPDATE PPC_BIT32(7) // Object can only be modified by signed updates 25 + #define PLPKS_WRAPPINGKEY PPC_BIT32(8) // Object contains a wrapping key 26 26 #define PLPKS_HVPROVISIONED PPC_BIT32(28) // Hypervisor has provisioned this object 27 27 28 28 // Signature algorithm flags from signed_update_algorithms ··· 69 67 struct plpks_var_name varlist[]; 70 68 }; 71 69 72 - /** 73 - * Updates the authenticated variable. It expects NULL as the component. 74 - */ 75 70 int plpks_signed_update_var(struct plpks_var *var, u64 flags); 76 71 77 - /** 78 - * Writes the specified var and its data to PKS. 79 - * Any caller of PKS driver should present a valid component type for 80 - * their variable. 81 - */ 82 72 int plpks_write_var(struct plpks_var var); 83 73 84 - /** 85 - * Removes the specified var and its data from PKS. 86 - */ 87 74 int plpks_remove_var(char *component, u8 varos, 88 75 struct plpks_var_name vname); 89 76 90 - /** 91 - * Returns the data for the specified os variable. 92 - * 93 - * Caller must allocate a buffer in var->data with length in var->datalen. 94 - * If no buffer is provided, var->datalen will be populated with the object's 95 - * size. 96 - */ 97 77 int plpks_read_os_var(struct plpks_var *var); 98 78 99 - /** 100 - * Returns the data for the specified firmware variable. 101 - * 102 - * Caller must allocate a buffer in var->data with length in var->datalen. 103 - * If no buffer is provided, var->datalen will be populated with the object's 104 - * size. 105 - */ 106 79 int plpks_read_fw_var(struct plpks_var *var); 107 80 108 - /** 109 - * Returns the data for the specified bootloader variable. 110 - * 111 - * Caller must allocate a buffer in var->data with length in var->datalen. 112 - * If no buffer is provided, var->datalen will be populated with the object's 113 - * size. 114 - */ 115 81 int plpks_read_bootloader_var(struct plpks_var *var); 116 82 117 - /** 118 - * Returns if PKS is available on this LPAR. 119 - */ 120 83 bool plpks_is_available(void); 121 84 122 - /** 123 - * Returns version of the Platform KeyStore. 124 - */ 125 85 u8 plpks_get_version(void); 126 86 127 - /** 128 - * Returns hypervisor storage overhead per object, not including the size of 129 - * the object or label. Only valid for config version >= 2 130 - */ 131 87 u16 plpks_get_objoverhead(void); 132 88 133 - /** 134 - * Returns maximum password size. Must be >= 32 bytes 135 - */ 136 89 u16 plpks_get_maxpwsize(void); 137 90 138 - /** 139 - * Returns maximum object size supported by Platform KeyStore. 140 - */ 141 91 u16 plpks_get_maxobjectsize(void); 142 92 143 - /** 144 - * Returns maximum object label size supported by Platform KeyStore. 145 - */ 146 93 u16 plpks_get_maxobjectlabelsize(void); 147 94 148 - /** 149 - * Returns total size of the configured Platform KeyStore. 150 - */ 151 95 u32 plpks_get_totalsize(void); 152 96 153 - /** 154 - * Returns used space from the total size of the Platform KeyStore. 155 - */ 156 97 u32 plpks_get_usedspace(void); 157 98 158 - /** 159 - * Returns bitmask of policies supported by the hypervisor. 160 - */ 161 99 u32 plpks_get_supportedpolicies(void); 162 100 163 - /** 164 - * Returns maximum byte size of a single object supported by the hypervisor. 165 - * Only valid for config version >= 3 166 - */ 167 101 u32 plpks_get_maxlargeobjectsize(void); 168 102 169 - /** 170 - * Returns bitmask of signature algorithms supported for signed updates. 171 - * Only valid for config version >= 3 172 - */ 173 103 u64 plpks_get_signedupdatealgorithms(void); 174 104 175 - /** 176 - * Returns the length of the PLPKS password in bytes. 177 - */ 105 + u64 plpks_get_wrappingfeatures(void); 106 + 178 107 u16 plpks_get_passwordlen(void); 179 108 180 - /** 181 - * Called in early init to retrieve and clear the PLPKS password from the DT. 182 - */ 183 109 void plpks_early_init_devtree(void); 184 110 185 - /** 186 - * Populates the FDT with the PLPKS password to prepare for kexec. 187 - */ 188 111 int plpks_populate_fdt(void *fdt); 112 + 113 + int plpks_config_create_softlink(struct kobject *from); 114 + 115 + bool plpks_wrapping_is_supported(void); 116 + 117 + int plpks_gen_wrapping_key(void); 118 + 119 + int plpks_wrap_object(u8 **input_buf, u32 input_len, u16 wrap_flags, 120 + u8 **output_buf, u32 *output_len); 121 + 122 + int plpks_unwrap_object(u8 **input_buf, u32 input_len, 123 + u8 **output_buf, u32 *output_len); 189 124 #else // CONFIG_PSERIES_PLPKS 190 125 static inline bool plpks_is_available(void) { return false; } 191 126 static inline u16 plpks_get_passwordlen(void) { BUILD_BUG(); } 192 127 static inline void plpks_early_init_devtree(void) { } 193 128 static inline int plpks_populate_fdt(void *fdt) { BUILD_BUG(); } 129 + static inline int plpks_config_create_softlink(struct kobject *from) 130 + { return 0; } 194 131 #endif // CONFIG_PSERIES_PLPKS 195 132 196 133 #endif // _ASM_POWERPC_PLPKS_H

-1

arch/powerpc/include/asm/secvar.h

··· 20 20 int (*set)(const char *key, u64 key_len, u8 *data, u64 data_size); 21 21 ssize_t (*format)(char *buf, size_t bufsize); 22 22 int (*max_size)(u64 *max_size); 23 - const struct attribute **config_attrs; 24 23 25 24 // NULL-terminated array of fixed variable names 26 25 // Only used if get_next() isn't provided

+27 -1

arch/powerpc/include/asm/task_size_32.h

··· 2 2 #ifndef _ASM_POWERPC_TASK_SIZE_32_H 3 3 #define _ASM_POWERPC_TASK_SIZE_32_H 4 4 5 + #include <linux/sizes.h> 6 + 5 7 #if CONFIG_TASK_SIZE > CONFIG_KERNEL_START 6 8 #error User TASK_SIZE overlaps with KERNEL_START address 7 9 #endif 8 10 9 - #define TASK_SIZE (CONFIG_TASK_SIZE) 11 + #ifdef CONFIG_PPC_8xx 12 + #define MODULES_END ASM_CONST(CONFIG_PAGE_OFFSET) 13 + #define MODULES_SIZE (CONFIG_MODULES_SIZE * SZ_1M) 14 + #define MODULES_VADDR (MODULES_END - MODULES_SIZE) 15 + #define MODULES_BASE (MODULES_VADDR & ~(UL(SZ_4M) - 1)) 16 + #define USER_TOP (MODULES_BASE - SZ_4M) 17 + #endif 18 + 19 + #ifdef CONFIG_PPC_BOOK3S_32 20 + #define MODULES_END (ASM_CONST(CONFIG_PAGE_OFFSET) & ~(UL(SZ_256M) - 1)) 21 + #define MODULES_SIZE (CONFIG_MODULES_SIZE * SZ_1M) 22 + #define MODULES_VADDR (MODULES_END - MODULES_SIZE) 23 + #define MODULES_BASE (MODULES_VADDR & ~(UL(SZ_256M) - 1)) 24 + #define USER_TOP (MODULES_BASE - SZ_4M) 25 + #endif 26 + 27 + #ifndef USER_TOP 28 + #define USER_TOP ((ASM_CONST(CONFIG_PAGE_OFFSET) - SZ_128K) & ~(UL(SZ_128K) - 1)) 29 + #endif 30 + 31 + #if CONFIG_TASK_SIZE < USER_TOP 32 + #define TASK_SIZE ASM_CONST(CONFIG_TASK_SIZE) 33 + #else 34 + #define TASK_SIZE USER_TOP 35 + #endif 10 36 11 37 /* 12 38 * This decides where the kernel will search for a free chunk of vm space during

+100 -40

arch/powerpc/include/asm/uaccess.h

··· 2 2 #ifndef _ARCH_POWERPC_UACCESS_H 3 3 #define _ARCH_POWERPC_UACCESS_H 4 4 5 + #include <linux/sizes.h> 6 + 5 7 #include <asm/processor.h> 6 8 #include <asm/page.h> 7 9 #include <asm/extable.h> ··· 47 45 do { \ 48 46 __label__ __pu_failed; \ 49 47 \ 50 - allow_write_to_user(__pu_addr, __pu_size); \ 48 + allow_user_access(__pu_addr, KUAP_WRITE); \ 51 49 __put_user_size_goto(__pu_val, __pu_addr, __pu_size, __pu_failed); \ 52 - prevent_write_to_user(__pu_addr, __pu_size); \ 50 + prevent_user_access(KUAP_WRITE); \ 53 51 __pu_err = 0; \ 54 52 break; \ 55 53 \ 56 54 __pu_failed: \ 57 - prevent_write_to_user(__pu_addr, __pu_size); \ 55 + prevent_user_access(KUAP_WRITE); \ 58 56 __pu_err = -EFAULT; \ 59 57 } while (0); \ 60 58 \ ··· 303 301 __typeof__(sizeof(*(ptr))) __gu_size = sizeof(*(ptr)); \ 304 302 \ 305 303 might_fault(); \ 306 - allow_read_from_user(__gu_addr, __gu_size); \ 304 + barrier_nospec(); \ 305 + allow_user_access(NULL, KUAP_READ); \ 307 306 __get_user_size_allowed(__gu_val, __gu_addr, __gu_size, __gu_err); \ 308 - prevent_read_from_user(__gu_addr, __gu_size); \ 307 + prevent_user_access(KUAP_READ); \ 309 308 (x) = (__typeof__(*(ptr)))__gu_val; \ 310 309 \ 311 310 __gu_err; \ ··· 332 329 { 333 330 unsigned long ret; 334 331 335 - allow_read_write_user(to, from, n); 332 + barrier_nospec(); 333 + allow_user_access(to, KUAP_READ_WRITE); 336 334 ret = __copy_tofrom_user(to, from, n); 337 - prevent_read_write_user(to, from, n); 335 + prevent_user_access(KUAP_READ_WRITE); 338 336 return ret; 339 337 } 340 338 #endif /* __powerpc64__ */ ··· 345 341 { 346 342 unsigned long ret; 347 343 348 - allow_read_from_user(from, n); 344 + allow_user_access(NULL, KUAP_READ); 349 345 ret = __copy_tofrom_user((__force void __user *)to, from, n); 350 - prevent_read_from_user(from, n); 346 + prevent_user_access(KUAP_READ); 351 347 return ret; 352 348 } 353 349 ··· 356 352 { 357 353 unsigned long ret; 358 354 359 - allow_write_to_user(to, n); 355 + allow_user_access(to, KUAP_WRITE); 360 356 ret = __copy_tofrom_user(to, (__force const void __user *)from, n); 361 - prevent_write_to_user(to, n); 357 + prevent_user_access(KUAP_WRITE); 362 358 return ret; 363 359 } 364 360 ··· 369 365 unsigned long ret; 370 366 371 367 might_fault(); 372 - allow_write_to_user(addr, size); 368 + allow_user_access(addr, KUAP_WRITE); 373 369 ret = __arch_clear_user(addr, size); 374 - prevent_write_to_user(addr, size); 370 + prevent_user_access(KUAP_WRITE); 375 371 return ret; 376 372 } 377 373 ··· 399 395 { 400 396 if (check_copy_size(from, n, true)) { 401 397 if (access_ok(to, n)) { 402 - allow_write_to_user(to, n); 398 + allow_user_access(to, KUAP_WRITE); 403 399 n = copy_mc_generic((void __force *)to, from, n); 404 - prevent_write_to_user(to, n); 400 + prevent_user_access(KUAP_WRITE); 405 401 } 406 402 } 407 403 ··· 412 408 extern long __copy_from_user_flushcache(void *dst, const void __user *src, 413 409 unsigned size); 414 410 415 - static __must_check __always_inline bool user_access_begin(const void __user *ptr, size_t len) 411 + static __must_check __always_inline bool __user_access_begin(const void __user *ptr, size_t len, 412 + unsigned long dir) 416 413 { 417 414 if (unlikely(!access_ok(ptr, len))) 418 415 return false; 419 416 420 417 might_fault(); 421 418 422 - allow_read_write_user((void __user *)ptr, ptr, len); 419 + if (dir & KUAP_READ) 420 + barrier_nospec(); 421 + allow_user_access((void __user *)ptr, dir); 423 422 return true; 424 423 } 425 - #define user_access_begin user_access_begin 426 - #define user_access_end prevent_current_access_user 424 + 425 + #define user_access_begin(p, l) __user_access_begin(p, l, KUAP_READ_WRITE) 426 + #define user_read_access_begin(p, l) __user_access_begin(p, l, KUAP_READ) 427 + #define user_write_access_begin(p, l) __user_access_begin(p, l, KUAP_WRITE) 428 + 429 + #define user_access_end() prevent_user_access(KUAP_READ_WRITE) 430 + #define user_read_access_end() prevent_user_access(KUAP_READ) 431 + #define user_write_access_end() prevent_user_access(KUAP_WRITE) 432 + 427 433 #define user_access_save prevent_user_access_return 428 434 #define user_access_restore restore_user_access 429 435 430 - static __must_check __always_inline bool 431 - user_read_access_begin(const void __user *ptr, size_t len) 436 + /* 437 + * Masking the user address is an alternative to a conditional 438 + * user_access_begin that can avoid the fencing. This only works 439 + * for dense accesses starting at the address. 440 + */ 441 + static inline void __user *mask_user_address_simple(const void __user *ptr) 432 442 { 433 - if (unlikely(!access_ok(ptr, len))) 434 - return false; 443 + unsigned long addr = (unsigned long)ptr; 444 + unsigned long mask = (unsigned long)(((long)addr >> (BITS_PER_LONG - 1)) & LONG_MAX); 445 + 446 + return (void __user *)(addr & ~mask); 447 + } 448 + 449 + static inline void __user *mask_user_address_isel(const void __user *ptr) 450 + { 451 + unsigned long addr; 452 + 453 + asm("cmplw %1, %2; iselgt %0, %2, %1" : "=r"(addr) : "r"(ptr), "r"(TASK_SIZE) : "cr0"); 454 + 455 + return (void __user *)addr; 456 + } 457 + 458 + /* TASK_SIZE is a multiple of 128K for shifting by 17 to the right */ 459 + static inline void __user *mask_user_address_32(const void __user *ptr) 460 + { 461 + unsigned long addr = (unsigned long)ptr; 462 + unsigned long mask = (unsigned long)((long)((TASK_SIZE >> 17) - 1 - (addr >> 17)) >> 31); 463 + 464 + addr = (addr & ~mask) | (TASK_SIZE & mask); 465 + 466 + return (void __user *)addr; 467 + } 468 + 469 + static inline void __user *mask_user_address_fallback(const void __user *ptr) 470 + { 471 + unsigned long addr = (unsigned long)ptr; 472 + 473 + return (void __user *)(likely(addr < TASK_SIZE) ? addr : TASK_SIZE); 474 + } 475 + 476 + static inline void __user *mask_user_address(const void __user *ptr) 477 + { 478 + #ifdef MODULES_VADDR 479 + const unsigned long border = MODULES_VADDR; 480 + #else 481 + const unsigned long border = PAGE_OFFSET; 482 + #endif 483 + 484 + if (IS_ENABLED(CONFIG_PPC64)) 485 + return mask_user_address_simple(ptr); 486 + if (IS_ENABLED(CONFIG_E500)) 487 + return mask_user_address_isel(ptr); 488 + if (TASK_SIZE <= UL(SZ_2G) && border >= UL(SZ_2G)) 489 + return mask_user_address_simple(ptr); 490 + if (IS_ENABLED(CONFIG_PPC_BARRIER_NOSPEC)) 491 + return mask_user_address_32(ptr); 492 + return mask_user_address_fallback(ptr); 493 + } 494 + 495 + static __always_inline void __user *__masked_user_access_begin(const void __user *p, 496 + unsigned long dir) 497 + { 498 + void __user *ptr = mask_user_address(p); 435 499 436 500 might_fault(); 501 + allow_user_access(ptr, dir); 437 502 438 - allow_read_from_user(ptr, len); 439 - return true; 503 + return ptr; 440 504 } 441 - #define user_read_access_begin user_read_access_begin 442 - #define user_read_access_end prevent_current_read_from_user 443 505 444 - static __must_check __always_inline bool 445 - user_write_access_begin(const void __user *ptr, size_t len) 446 - { 447 - if (unlikely(!access_ok(ptr, len))) 448 - return false; 449 - 450 - might_fault(); 451 - 452 - allow_write_to_user((void __user *)ptr, len); 453 - return true; 454 - } 455 - #define user_write_access_begin user_write_access_begin 456 - #define user_write_access_end prevent_current_write_to_user 506 + #define masked_user_access_begin(p) __masked_user_access_begin(p, KUAP_READ_WRITE) 507 + #define masked_user_read_access_begin(p) __masked_user_access_begin(p, KUAP_READ) 508 + #define masked_user_write_access_begin(p) __masked_user_access_begin(p, KUAP_WRITE) 457 509 458 510 #define arch_unsafe_get_user(x, p, e) do { \ 459 511 __long_type(*(p)) __gu_val; \

+1 -1

arch/powerpc/kernel/asm-offsets.c

··· 331 331 332 332 #ifndef CONFIG_PPC64 333 333 DEFINE(TASK_SIZE, TASK_SIZE); 334 - DEFINE(NUM_USER_SEGMENTS, TASK_SIZE>>28); 334 + DEFINE(NUM_USER_SEGMENTS, ALIGN(TASK_SIZE, SZ_256M) >> 28); 335 335 #endif /* ! CONFIG_PPC64 */ 336 336 337 337 /* datapage offsets for use by vdso */

+20 -10

arch/powerpc/kernel/dma-iommu.c

··· 65 65 66 66 return true; 67 67 } 68 + bool arch_dma_alloc_direct(struct device *dev) 69 + { 70 + if (dev->dma_ops_bypass) 71 + return true; 72 + 73 + return false; 74 + } 75 + 76 + bool arch_dma_free_direct(struct device *dev, dma_addr_t dma_handle) 77 + { 78 + if (!dev->dma_ops_bypass) 79 + return false; 80 + 81 + return is_direct_handle(dev, dma_handle); 82 + } 68 83 #endif /* CONFIG_ARCH_HAS_DMA_MAP_DIRECT */ 69 84 70 85 /* ··· 161 146 162 147 if (dev_is_pci(dev) && dma_iommu_bypass_supported(dev, mask)) { 163 148 /* 164 - * dma_iommu_bypass_supported() sets dma_max when there is 165 - * 1:1 mapping but it is somehow limited. 166 - * ibm,pmemory is one example. 149 + * fixed ops will be used for RAM. This is limited by 150 + * bus_dma_limit which is set when RAM is pre-mapped. 167 151 */ 168 - dev->dma_ops_bypass = dev->bus_dma_limit == 0; 169 - if (!dev->dma_ops_bypass) 170 - dev_warn(dev, 171 - "iommu: 64-bit OK but direct DMA is limited by %llx\n", 172 - dev->bus_dma_limit); 173 - else 174 - dev_dbg(dev, "iommu: 64-bit OK, using fixed ops\n"); 152 + dev->dma_ops_bypass = true; 153 + dev_info(dev, "iommu: 64-bit OK but direct DMA is limited by %llx\n", 154 + dev->bus_dma_limit); 175 155 return 1; 176 156 } 177 157

+6 -5

arch/powerpc/kernel/eeh_driver.c

··· 846 846 847 847 pci_lock_rescan_remove(); 848 848 849 - bus = eeh_pe_bus_get(pe); 849 + bus = eeh_pe_bus_get_nolock(pe); 850 850 if (!bus) { 851 851 pr_err("%s: Cannot find PCI bus for PHB#%x-PE#%x\n", 852 852 __func__, pe->phb->global_number, pe->addr); ··· 886 886 /* Log the event */ 887 887 if (pe->type & EEH_PE_PHB) { 888 888 pr_err("EEH: Recovering PHB#%x, location: %s\n", 889 - pe->phb->global_number, eeh_pe_loc_get(pe)); 889 + pe->phb->global_number, eeh_pe_loc_get_bus(bus)); 890 890 } else { 891 891 struct eeh_pe *phb_pe = eeh_phb_pe_get(pe->phb); 892 892 893 893 pr_err("EEH: Recovering PHB#%x-PE#%x\n", 894 894 pe->phb->global_number, pe->addr); 895 895 pr_err("EEH: PE location: %s, PHB location: %s\n", 896 - eeh_pe_loc_get(pe), eeh_pe_loc_get(phb_pe)); 896 + eeh_pe_loc_get_bus(bus), 897 + eeh_pe_loc_get_bus(eeh_pe_bus_get_nolock(phb_pe))); 897 898 } 898 899 899 900 #ifdef CONFIG_STACKTRACE ··· 1099 1098 eeh_pe_state_clear(pe, EEH_PE_PRI_BUS, true); 1100 1099 eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED); 1101 1100 1102 - bus = eeh_pe_bus_get(pe); 1101 + bus = eeh_pe_bus_get_nolock(pe); 1103 1102 if (bus) 1104 1103 pci_hp_remove_devices(bus); 1105 1104 else ··· 1223 1222 (phb_pe->state & EEH_PE_RECOVERING)) 1224 1223 continue; 1225 1224 1226 - bus = eeh_pe_bus_get(phb_pe); 1225 + bus = eeh_pe_bus_get_nolock(phb_pe); 1227 1226 if (!bus) { 1228 1227 pr_err("%s: Cannot find PCI bus for " 1229 1228 "PHB#%x-PE#%x\n",

+70 -4

arch/powerpc/kernel/eeh_pe.c

··· 812 812 const char *eeh_pe_loc_get(struct eeh_pe *pe) 813 813 { 814 814 struct pci_bus *bus = eeh_pe_bus_get(pe); 815 + return eeh_pe_loc_get_bus(bus); 816 + } 817 + 818 + /** 819 + * eeh_pe_loc_get_bus - Retrieve location code binding to the given PCI bus 820 + * @bus: PCI bus 821 + * 822 + * Retrieve the location code associated with the given PCI bus. If the bus 823 + * is a root bus, the location code is fetched from the PHB device tree node 824 + * or root port. Otherwise, the location code is obtained from the device 825 + * tree node of the upstream bridge of the bus. The function walks up the 826 + * bus hierarchy if necessary, checking each node for the appropriate 827 + * location code property ("ibm,io-base-loc-code" for root buses, 828 + * "ibm,slot-location-code" for others). If no location code is found, 829 + * returns "N/A". 830 + */ 831 + const char *eeh_pe_loc_get_bus(struct pci_bus *bus) 832 + { 815 833 struct device_node *dn; 816 834 const char *loc = NULL; 817 835 ··· 856 838 } 857 839 858 840 /** 859 - * eeh_pe_bus_get - Retrieve PCI bus according to the given PE 841 + * _eeh_pe_bus_get - Retrieve PCI bus according to the given PE 860 842 * @pe: EEH PE 843 + * @do_lock: Is the caller already held the pci_lock_rescan_remove? 861 844 * 862 845 * Retrieve the PCI bus according to the given PE. Basically, 863 846 * there're 3 types of PEs: PHB/Bus/Device. For PHB PE, the ··· 866 847 * returned for BUS PE. However, we don't have associated PCI 867 848 * bus for DEVICE PE. 868 849 */ 869 - struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe) 850 + static struct pci_bus *_eeh_pe_bus_get(struct eeh_pe *pe, bool do_lock) 870 851 { 871 852 struct eeh_dev *edev; 872 853 struct pci_dev *pdev; ··· 881 862 882 863 /* Retrieve the parent PCI bus of first (top) PCI device */ 883 864 edev = list_first_entry_or_null(&pe->edevs, struct eeh_dev, entry); 884 - pci_lock_rescan_remove(); 865 + if (do_lock) 866 + pci_lock_rescan_remove(); 885 867 pdev = eeh_dev_to_pci_dev(edev); 886 868 if (pdev) 887 869 bus = pdev->bus; 888 - pci_unlock_rescan_remove(); 870 + if (do_lock) 871 + pci_unlock_rescan_remove(); 889 872 890 873 return bus; 874 + } 875 + 876 + /** 877 + * eeh_pe_bus_get - Retrieve PCI bus associated with the given EEH PE, locking 878 + * if needed 879 + * @pe: Pointer to the EEH PE 880 + * 881 + * This function is a wrapper around _eeh_pe_bus_get(), which retrieves the PCI 882 + * bus associated with the provided EEH PE structure. It acquires the PCI 883 + * rescans lock to ensure safe access to shared data during the retrieval 884 + * process. This function should be used when the caller requires the PCI bus 885 + * while holding the rescan/remove lock, typically during operations that modify 886 + * or inspect PCIe device state in a safe manner. 887 + * 888 + * RETURNS: 889 + * A pointer to the PCI bus associated with the EEH PE, or NULL if none found. 890 + */ 891 + 892 + struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe) 893 + { 894 + return _eeh_pe_bus_get(pe, true); 895 + } 896 + 897 + /** 898 + * eeh_pe_bus_get_nolock - Retrieve PCI bus associated with the given EEH PE 899 + * without locking 900 + * @pe: Pointer to the EEH PE 901 + * 902 + * This function is a variant of _eeh_pe_bus_get() that retrieves the PCI bus 903 + * associated with the specified EEH PE without acquiring the 904 + * pci_lock_rescan_remove lock. It should only be used when the caller can 905 + * guarantee safe access to PE structures without the need for that lock, 906 + * typically in contexts where the lock is already held locking is otherwise 907 + * managed. 908 + * 909 + * RETURNS: 910 + * pointer to the PCI bus associated with the EEH PE, or NULL if none is found. 911 + * 912 + * NOTE: 913 + * Use this function carefully to avoid race conditions and data corruption. 914 + */ 915 + 916 + struct pci_bus *eeh_pe_bus_get_nolock(struct eeh_pe *pe) 917 + { 918 + return _eeh_pe_bus_get(pe, false); 891 919 }

+3 -3

arch/powerpc/kernel/head_book3s_32.S

··· 420 420 lwz r2,0(r2) /* get pmd entry */ 421 421 #ifdef CONFIG_EXECMEM 422 422 rlwinm r3, r0, 4, 0xf 423 - subi r3, r3, (TASK_SIZE >> 28) & 0xf 423 + subi r3, r3, NUM_USER_SEGMENTS 424 424 #endif 425 425 rlwinm. r2,r2,0,0,19 /* extract address of pte page */ 426 426 beq- InstructionAddressInvalid /* return if no mapping */ ··· 475 475 lwz r2,0(r1) /* get pmd entry */ 476 476 rlwinm r3, r0, 4, 0xf 477 477 rlwinm. r2,r2,0,0,19 /* extract address of pte page */ 478 - subi r3, r3, (TASK_SIZE >> 28) & 0xf 478 + subi r3, r3, NUM_USER_SEGMENTS 479 479 beq- 2f /* bail if no mapping */ 480 480 1: rlwimi r2,r0,22,20,29 /* insert next 10 bits of address */ 481 481 lwz r2,0(r2) /* get linux-style pte */ ··· 554 554 lwz r2,0(r1) /* get pmd entry */ 555 555 rlwinm r3, r0, 4, 0xf 556 556 rlwinm. r2,r2,0,0,19 /* extract address of pte page */ 557 - subi r3, r3, (TASK_SIZE >> 28) & 0xf 557 + subi r3, r3, NUM_USER_SEGMENTS 558 558 beq- 2f /* bail if no mapping */ 559 559 1: 560 560 rlwimi r2,r0,22,20,29 /* insert next 10 bits of address */

+6 -15

arch/powerpc/kernel/secvar-sysfs.c

··· 12 12 #include <linux/string.h> 13 13 #include <linux/of.h> 14 14 #include <asm/secvar.h> 15 + #include <asm/plpks.h> 15 16 16 17 #define NAME_MAX_SIZE 1024 17 18 ··· 146 145 return 0; 147 146 } 148 147 149 - static __init int secvar_sysfs_config(struct kobject *kobj) 150 - { 151 - struct attribute_group config_group = { 152 - .name = "config", 153 - .attrs = (struct attribute **)secvar_ops->config_attrs, 154 - }; 155 - 156 - if (secvar_ops->config_attrs) 157 - return sysfs_create_group(kobj, &config_group); 158 - 159 - return 0; 160 - } 161 - 162 148 static __init int add_var(const char *name) 163 149 { 164 150 struct kobject *kobj; ··· 248 260 goto err; 249 261 } 250 262 251 - rc = secvar_sysfs_config(secvar_kobj); 263 + rc = plpks_config_create_softlink(secvar_kobj); 252 264 if (rc) { 253 - pr_err("Failed to create config directory\n"); 265 + pr_err("Failed to create softlink to PLPKS config directory"); 254 266 goto err; 255 267 } 268 + 269 + pr_info("/sys/firmware/secvar/config is now deprecated.\n"); 270 + pr_info("Will be removed in future versions.\n"); 256 271 257 272 if (secvar_ops->get_next) 258 273 rc = secvar_sysfs_load();

+2

arch/powerpc/kernel/smp.c

··· 822 822 823 823 count = of_property_count_u32_elems(dn, "ibm,thread-groups"); 824 824 thread_group_array = kcalloc(count, sizeof(u32), GFP_KERNEL); 825 + if (!thread_group_array) 826 + return -ENOMEM; 825 827 ret = of_property_read_u32_array(dn, "ibm,thread-groups", 826 828 thread_group_array, count); 827 829 if (ret)

+1 -3

arch/powerpc/mm/book3s32/mmu.c

··· 223 223 224 224 update_bats(); 225 225 226 - BUILD_BUG_ON(ALIGN_DOWN(MODULES_VADDR, SZ_256M) < TASK_SIZE); 227 - 228 - for (i = TASK_SIZE >> 28; i < 16; i++) { 226 + for (i = ALIGN(TASK_SIZE, SZ_256M) >> 28; i < 16; i++) { 229 227 /* Do not set NX on VM space for modules */ 230 228 if (is_module_segment(i << 28)) 231 229 continue;

-2

arch/powerpc/mm/mem.c

··· 401 401 #ifdef MODULES_VADDR 402 402 unsigned long limit = (unsigned long)_etext - SZ_32M; 403 403 404 - BUILD_BUG_ON(TASK_SIZE > MODULES_VADDR); 405 - 406 404 /* First try within 32M limit from _etext to avoid branch trampolines */ 407 405 if (MODULES_VADDR < PAGE_OFFSET && MODULES_END > limit) { 408 406 start = limit;

-2

arch/powerpc/mm/nohash/8xx.c

··· 209 209 210 210 /* 8xx can only access 32MB at the moment */ 211 211 memblock_set_current_limit(min_t(u64, first_memblock_size, SZ_32M)); 212 - 213 - BUILD_BUG_ON(ALIGN_DOWN(MODULES_VADDR, PGDIR_SIZE) < TASK_SIZE); 214 212 } 215 213 216 214 int pud_clear_huge(pud_t *pud)

+1 -1

arch/powerpc/mm/ptdump/segment_regs.c

··· 31 31 int i; 32 32 33 33 seq_puts(m, "---[ User Segments ]---\n"); 34 - for (i = 0; i < TASK_SIZE >> 28; i++) 34 + for (i = 0; i < ALIGN(TASK_SIZE, SZ_256M) >> 28; i++) 35 35 seg_show(m, i); 36 36 37 37 seq_puts(m, "\n---[ Kernel Segments ]---\n");

+16

arch/powerpc/net/bpf_jit.h

··· 24 24 25 25 #define SZL sizeof(unsigned long) 26 26 #define BPF_INSN_SAFETY 64 27 + #define BPF_PPC_TAILCALL 8 27 28 28 29 #define PLANT_INSTR(d, idx, instr) \ 29 30 do { if (d) { (d)[idx] = instr; } idx++; } while (0) ··· 52 51 EMIT(PPC_INST_BRANCH_COND | (((cond) & 0x3ff) << 16) | (offset & 0xfffc)); \ 53 52 } while (0) 54 53 54 + /* When constant jump offset is known prior */ 55 + #define PPC_BCC_CONST_SHORT(cond, offset) \ 56 + do { \ 57 + BUILD_BUG_ON(offset < -0x8000 || offset > 0x7fff || (offset & 0x3)); \ 58 + EMIT(PPC_INST_BRANCH_COND | (((cond) & 0x3ff) << 16) | (offset & 0xfffc)); \ 59 + } while (0) 60 + 55 61 /* 56 62 * Sign-extended 32-bit immediate load 57 63 * ··· 80 72 } } while (0) 81 73 82 74 #ifdef CONFIG_PPC64 75 + 76 + /* for gpr non volatile registers BPG_REG_6 to 10 */ 77 + #define BPF_PPC_STACK_SAVE (6 * 8) 78 + 83 79 /* If dummy pass (!image), account for maximum possible instructions */ 84 80 #define PPC_LI64(d, i) do { \ 85 81 if (!image) \ ··· 178 166 unsigned int alt_exit_addr; 179 167 u64 arena_vm_start; 180 168 u64 user_vm_start; 169 + bool is_subprog; 170 + bool exception_boundary; 171 + bool exception_cb; 181 172 }; 182 173 183 174 #define bpf_to_ppc(r) (ctx->b2p[r]) ··· 220 205 struct codegen_context *ctx, int insn_idx, 221 206 int jmp_off, int dst_reg, u32 code); 222 207 208 + int bpf_jit_stack_tailcallinfo_offset(struct codegen_context *ctx); 223 209 #endif 224 210 225 211 #endif

+87 -15

arch/powerpc/net/bpf_jit_comp.c

··· 206 206 cgctx.stack_size = round_up(fp->aux->stack_depth, 16); 207 207 cgctx.arena_vm_start = bpf_arena_get_kern_vm_start(fp->aux->arena); 208 208 cgctx.user_vm_start = bpf_arena_get_user_vm_start(fp->aux->arena); 209 + cgctx.is_subprog = bpf_is_subprog(fp); 210 + cgctx.exception_boundary = fp->aux->exception_boundary; 211 + cgctx.exception_cb = fp->aux->exception_cb; 209 212 210 213 /* Scouting faux-generate pass 0 */ 211 214 if (bpf_jit_build_body(fp, NULL, NULL, &cgctx, addrs, 0, false)) { ··· 438 435 bpf_prog_unlock_free(fp); 439 436 } 440 437 438 + bool bpf_jit_supports_exceptions(void) 439 + { 440 + return IS_ENABLED(CONFIG_PPC64); 441 + } 442 + 443 + bool bpf_jit_supports_subprog_tailcalls(void) 444 + { 445 + return IS_ENABLED(CONFIG_PPC64); 446 + } 447 + 441 448 bool bpf_jit_supports_kfunc_call(void) 442 449 { 443 450 return true; ··· 477 464 return IS_ENABLED(CONFIG_PPC64); 478 465 } 479 466 return true; 467 + } 468 + 469 + bool bpf_jit_supports_percpu_insn(void) 470 + { 471 + return IS_ENABLED(CONFIG_PPC64); 472 + } 473 + 474 + bool bpf_jit_inlines_helper_call(s32 imm) 475 + { 476 + switch (imm) { 477 + case BPF_FUNC_get_smp_processor_id: 478 + case BPF_FUNC_get_current_task: 479 + case BPF_FUNC_get_current_task_btf: 480 + return true; 481 + default: 482 + return false; 483 + } 480 484 } 481 485 482 486 void *arch_alloc_bpf_trampoline(unsigned int size) ··· 630 600 return 0; 631 601 } 632 602 633 - static void bpf_trampoline_setup_tail_call_cnt(u32 *image, struct codegen_context *ctx, 634 - int func_frame_offset, int r4_off) 603 + /* 604 + * Refer __arch_prepare_bpf_trampoline() for stack component details. 605 + * 606 + * The tailcall count/reference is present in caller's stack frame. The 607 + * tail_call_info is saved at the same offset on the trampoline frame 608 + * for the traced function (BPF subprog/callee) to fetch it. 609 + */ 610 + static void bpf_trampoline_setup_tail_call_info(u32 *image, struct codegen_context *ctx, 611 + int func_frame_offset, 612 + int bpf_dummy_frame_size, int r4_off) 635 613 { 636 614 if (IS_ENABLED(CONFIG_PPC64)) { 637 - /* See bpf_jit_stack_tailcallcnt() */ 638 - int tailcallcnt_offset = 7 * 8; 615 + /* See Generated stack layout */ 616 + int tailcallinfo_offset = BPF_PPC_TAILCALL; 639 617 640 - EMIT(PPC_RAW_LL(_R3, _R1, func_frame_offset - tailcallcnt_offset)); 641 - EMIT(PPC_RAW_STL(_R3, _R1, -tailcallcnt_offset)); 618 + /* 619 + * func_frame_offset = ...(1) 620 + * bpf_dummy_frame_size + trampoline_frame_size 621 + */ 622 + EMIT(PPC_RAW_LD(_R4, _R1, func_frame_offset)); 623 + EMIT(PPC_RAW_LD(_R3, _R4, -tailcallinfo_offset)); 624 + 625 + /* 626 + * Setting the tail_call_info in trampoline's frame 627 + * depending on if previous frame had value or reference. 628 + */ 629 + EMIT(PPC_RAW_CMPLWI(_R3, MAX_TAIL_CALL_CNT)); 630 + PPC_BCC_CONST_SHORT(COND_GT, 8); 631 + EMIT(PPC_RAW_ADDI(_R3, _R4, bpf_jit_stack_tailcallinfo_offset(ctx))); 632 + /* 633 + * From ...(1) above: 634 + * trampoline_frame_bottom = ...(2) 635 + * func_frame_offset - bpf_dummy_frame_size 636 + * 637 + * Using ...(2) derived above: 638 + * trampoline_tail_call_info_offset = ...(3) 639 + * trampoline_frame_bottom - tailcallinfo_offset 640 + * 641 + * From ...(3): 642 + * Use trampoline_tail_call_info_offset to write reference of main's 643 + * tail_call_info in trampoline frame. 644 + */ 645 + EMIT(PPC_RAW_STL(_R3, _R1, (func_frame_offset - bpf_dummy_frame_size) 646 + - tailcallinfo_offset)); 642 647 } else { 643 648 /* See bpf_jit_stack_offsetof() and BPF_PPC_TC */ 644 649 EMIT(PPC_RAW_LL(_R4, _R1, r4_off)); ··· 683 618 static void bpf_trampoline_restore_tail_call_cnt(u32 *image, struct codegen_context *ctx, 684 619 int func_frame_offset, int r4_off) 685 620 { 686 - if (IS_ENABLED(CONFIG_PPC64)) { 687 - /* See bpf_jit_stack_tailcallcnt() */ 688 - int tailcallcnt_offset = 7 * 8; 689 - 690 - EMIT(PPC_RAW_LL(_R3, _R1, -tailcallcnt_offset)); 691 - EMIT(PPC_RAW_STL(_R3, _R1, func_frame_offset - tailcallcnt_offset)); 692 - } else { 693 - /* See bpf_jit_stack_offsetof() and BPF_PPC_TC */ 621 + if (IS_ENABLED(CONFIG_PPC32)) { 622 + /* 623 + * Restore tailcall for 32-bit powerpc 624 + * See bpf_jit_stack_offsetof() and BPF_PPC_TC 625 + */ 694 626 EMIT(PPC_RAW_STL(_R4, _R1, r4_off)); 695 627 } 696 628 } ··· 776 714 * LR save area [ r0 save (64-bit) ] | header 777 715 * [ r0 save (32-bit) ] | 778 716 * dummy frame for unwind [ back chain 1 ] -- 717 + * [ tail_call_info ] optional - 64-bit powerpc 779 718 * [ padding ] align stack frame 780 719 * r4_off [ r4 (tailcallcnt) ] optional - 32-bit powerpc 781 720 * alt_lr_off [ real lr (ool stub)] optional - actual lr ··· 857 794 r4_off = regs_off + SZL; 858 795 } 859 796 } 797 + 798 + /* 799 + * Save tailcall count pointer at the same offset on the 800 + * stack where subprogs expect it 801 + */ 802 + if ((flags & BPF_TRAMP_F_CALL_ORIG) && 803 + (flags & BPF_TRAMP_F_TAIL_CALL_CTX)) 804 + bpf_frame_size += BPF_PPC_TAILCALL; 860 805 861 806 /* Padding to align stack frame, if any */ 862 807 bpf_frame_size = round_up(bpf_frame_size, SZL * 2); ··· 967 896 968 897 /* Replicate tail_call_cnt before calling the original BPF prog */ 969 898 if (flags & BPF_TRAMP_F_TAIL_CALL_CTX) 970 - bpf_trampoline_setup_tail_call_cnt(image, ctx, func_frame_offset, r4_off); 899 + bpf_trampoline_setup_tail_call_info(image, ctx, func_frame_offset, 900 + bpf_dummy_frame_size, r4_off); 971 901 972 902 /* Restore args */ 973 903 bpf_trampoline_restore_args_stack(image, ctx, func_frame_offset, nr_regs, regs_off);

+253 -50

arch/powerpc/net/bpf_jit_comp64.c

··· 20 20 #include "bpf_jit.h" 21 21 22 22 /* 23 - * Stack layout: 23 + * Stack layout with frame: 24 + * Layout when setting up our own stack frame. 25 + * Note: r1 at bottom, component offsets positive wrt r1. 24 26 * Ensure the top half (upto local_tmp_var) stays consistent 25 27 * with our redzone usage. 26 28 * 29 + * tail_call_info - stores tailcall count value in main program's 30 + * frame, stores reference to tail_call_info of 31 + * main's frame in sub-prog's frame. 32 + * 27 33 * [ prev sp ] <------------- 28 - * [ nv gpr save area ] 6*8 | 29 - * [ tail_call_cnt ] 8 | 34 + * [ tail_call_info ] 8 | 35 + * [ nv gpr save area ] 6*8 + (12*8) | 30 36 * [ local_tmp_var ] 24 | 31 37 * fp (r31) --> [ ebpf stack space ] upto 512 | 32 38 * [ frame header ] 32/112 | 33 39 * sp (r1) ---> [ stack pointer ] -------------- 40 + * 41 + * Additional (12*8) in 'nv gpr save area' only in case of 42 + * exception boundary. 34 43 */ 35 44 36 - /* for gpr non volatile registers BPG_REG_6 to 10 */ 37 - #define BPF_PPC_STACK_SAVE (6*8) 38 45 /* for bpf JIT code internal usage */ 39 - #define BPF_PPC_STACK_LOCALS 32 46 + #define BPF_PPC_STACK_LOCALS 24 47 + /* 48 + * for additional non volatile registers(r14-r25) to be saved 49 + * at exception boundary 50 + */ 51 + #define BPF_PPC_EXC_STACK_SAVE (12*8) 52 + 40 53 /* stack frame excluding BPF stack, ensure this is quadword aligned */ 41 54 #define BPF_PPC_STACKFRAME (STACK_FRAME_MIN_SIZE + \ 42 - BPF_PPC_STACK_LOCALS + BPF_PPC_STACK_SAVE) 55 + BPF_PPC_STACK_LOCALS + \ 56 + BPF_PPC_STACK_SAVE + \ 57 + BPF_PPC_TAILCALL) 58 + 59 + /* 60 + * same as BPF_PPC_STACKFRAME with save area for additional 61 + * non volatile registers saved at exception boundary. 62 + * This is quad-word aligned. 63 + */ 64 + #define BPF_PPC_EXC_STACKFRAME (BPF_PPC_STACKFRAME + BPF_PPC_EXC_STACK_SAVE) 43 65 44 66 /* BPF register usage */ 45 67 #define TMP_REG_1 (MAX_BPF_JIT_REG + 0) ··· 104 82 * - we call other functions (kernel helpers), or 105 83 * - the bpf program uses its stack area 106 84 * The latter condition is deduced from the usage of BPF_REG_FP 85 + * 86 + * bpf_throw() leads to exception callback from a BPF (sub)program. 87 + * The (sub)program is always marked as SEEN_FUNC, creating a stack 88 + * frame. The exception callback uses the frame of the exception 89 + * boundary, so the exception boundary program must have a frame. 107 90 */ 108 - return ctx->seen & SEEN_FUNC || bpf_is_seen_register(ctx, bpf_to_ppc(BPF_REG_FP)); 91 + return ctx->seen & SEEN_FUNC || 92 + bpf_is_seen_register(ctx, bpf_to_ppc(BPF_REG_FP)) || 93 + ctx->exception_cb || 94 + ctx->exception_boundary; 109 95 } 110 96 111 97 /* 98 + * Stack layout with redzone: 112 99 * When not setting up our own stackframe, the redzone (288 bytes) usage is: 100 + * Note: r1 from prev frame. Component offset negative wrt r1. 113 101 * 114 102 * [ prev sp ] <------------- 115 103 * [ ... ] | 116 104 * sp (r1) ---> [ stack pointer ] -------------- 117 - * [ nv gpr save area ] 6*8 118 - * [ tail_call_cnt ] 8 105 + * [ tail_call_info ] 8 106 + * [ nv gpr save area ] 6*8 + (12*8) 119 107 * [ local_tmp_var ] 24 120 108 * [ unused red zone ] 224 109 + * 110 + * Additional (12*8) in 'nv gpr save area' only in case of 111 + * exception boundary. 121 112 */ 122 113 static int bpf_jit_stack_local(struct codegen_context *ctx) 123 114 { 124 - if (bpf_has_stack_frame(ctx)) 115 + if (bpf_has_stack_frame(ctx)) { 116 + /* Stack layout with frame */ 125 117 return STACK_FRAME_MIN_SIZE + ctx->stack_size; 126 - else 127 - return -(BPF_PPC_STACK_SAVE + 32); 118 + } else { 119 + /* Stack layout with redzone */ 120 + return -(BPF_PPC_TAILCALL 121 + +BPF_PPC_STACK_SAVE 122 + +(ctx->exception_boundary || ctx->exception_cb ? 123 + BPF_PPC_EXC_STACK_SAVE : 0) 124 + +BPF_PPC_STACK_LOCALS 125 + ); 126 + } 128 127 } 129 128 130 - static int bpf_jit_stack_tailcallcnt(struct codegen_context *ctx) 129 + int bpf_jit_stack_tailcallinfo_offset(struct codegen_context *ctx) 131 130 { 132 - return bpf_jit_stack_local(ctx) + 24; 131 + return bpf_jit_stack_local(ctx) + BPF_PPC_STACK_LOCALS + BPF_PPC_STACK_SAVE; 133 132 } 134 133 135 134 static int bpf_jit_stack_offsetof(struct codegen_context *ctx, int reg) 136 135 { 137 - if (reg >= BPF_PPC_NVR_MIN && reg < 32) 136 + int min_valid_nvreg = BPF_PPC_NVR_MIN; 137 + /* Default frame size for all cases except exception boundary */ 138 + int frame_nvr_size = BPF_PPC_STACKFRAME; 139 + 140 + /* Consider all nv regs for handling exceptions */ 141 + if (ctx->exception_boundary || ctx->exception_cb) { 142 + min_valid_nvreg = _R14; 143 + frame_nvr_size = BPF_PPC_EXC_STACKFRAME; 144 + } 145 + 146 + if (reg >= min_valid_nvreg && reg < 32) 138 147 return (bpf_has_stack_frame(ctx) ? 139 - (BPF_PPC_STACKFRAME + ctx->stack_size) : 0) 140 - - (8 * (32 - reg)); 148 + (frame_nvr_size + ctx->stack_size) : 0) 149 + - (8 * (32 - reg)) - BPF_PPC_TAILCALL; 141 150 142 151 pr_err("BPF JIT is asking about unknown registers"); 143 152 BUG(); ··· 176 123 177 124 void bpf_jit_realloc_regs(struct codegen_context *ctx) 178 125 { 126 + } 127 + 128 + /* 129 + * For exception boundary & exception_cb progs: 130 + * return increased size to accommodate additional NVRs. 131 + */ 132 + static int bpf_jit_stack_size(struct codegen_context *ctx) 133 + { 134 + return ctx->exception_boundary || ctx->exception_cb ? 135 + BPF_PPC_EXC_STACKFRAME : 136 + BPF_PPC_STACKFRAME; 179 137 } 180 138 181 139 void bpf_jit_build_prologue(u32 *image, struct codegen_context *ctx) ··· 202 138 #endif 203 139 204 140 /* 205 - * Initialize tail_call_cnt if we do tail calls. 206 - * Otherwise, put in NOPs so that it can be skipped when we are 207 - * invoked through a tail call. 141 + * Tail call count(tcc) is saved & updated only in main 142 + * program's frame and the address of tcc in main program's 143 + * frame (tcc_ptr) is saved in subprogs frame. 144 + * 145 + * Offset of tail_call_info on any frame will be interpreted 146 + * as either tcc_ptr or tcc value depending on whether it is 147 + * greater than MAX_TAIL_CALL_CNT or not. 208 148 */ 209 - if (ctx->seen & SEEN_TAILCALL) { 149 + if (!ctx->is_subprog) { 210 150 EMIT(PPC_RAW_LI(bpf_to_ppc(TMP_REG_1), 0)); 211 151 /* this goes in the redzone */ 212 - EMIT(PPC_RAW_STD(bpf_to_ppc(TMP_REG_1), _R1, -(BPF_PPC_STACK_SAVE + 8))); 213 - } else { 214 - EMIT(PPC_RAW_NOP()); 215 - EMIT(PPC_RAW_NOP()); 152 + EMIT(PPC_RAW_STD(bpf_to_ppc(TMP_REG_1), _R1, -(BPF_PPC_TAILCALL))); 153 + } else if (!ctx->exception_cb) { 154 + /* 155 + * Tailcall jitting for non exception_cb progs only. 156 + * exception_cb won't require tail_call_info to be setup. 157 + * 158 + * tail_call_info interpretation logic: 159 + * 160 + * if tail_call_info < MAX_TAIL_CALL_CNT 161 + * main prog calling first subprog -> copy reference 162 + * else 163 + * subsequent subprog calling another subprog -> directly copy content 164 + */ 165 + EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_2), _R1, 0)); 166 + EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_2), -(BPF_PPC_TAILCALL))); 167 + EMIT(PPC_RAW_CMPLWI(bpf_to_ppc(TMP_REG_1), MAX_TAIL_CALL_CNT)); 168 + PPC_BCC_CONST_SHORT(COND_GT, 8); 169 + EMIT(PPC_RAW_ADDI(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_2), 170 + -(BPF_PPC_TAILCALL))); 171 + EMIT(PPC_RAW_STD(bpf_to_ppc(TMP_REG_1), _R1, -(BPF_PPC_TAILCALL))); 216 172 } 217 173 218 - if (bpf_has_stack_frame(ctx)) { 174 + if (bpf_has_stack_frame(ctx) && !ctx->exception_cb) { 219 175 /* 176 + * exception_cb uses boundary frame after stack walk. 177 + * It can simply use redzone, this optimization reduces 178 + * stack walk loop by one level. 179 + * 220 180 * We need a stack frame, but we don't necessarily need to 221 181 * save/restore LR unless we call other functions 222 182 */ ··· 249 161 EMIT(PPC_RAW_STD(_R0, _R1, PPC_LR_STKOFF)); 250 162 } 251 163 252 - EMIT(PPC_RAW_STDU(_R1, _R1, -(BPF_PPC_STACKFRAME + ctx->stack_size))); 164 + EMIT(PPC_RAW_STDU(_R1, _R1, 165 + -(bpf_jit_stack_size(ctx) + ctx->stack_size))); 253 166 } 254 167 255 168 /* 256 - * Back up non-volatile regs -- BPF registers 6-10 257 - * If we haven't created our own stack frame, we save these 258 - * in the protected zone below the previous stack frame 169 + * Program acting as exception boundary pushes R14..R25 in addition to 170 + * BPF callee-saved non volatile registers. Exception callback uses 171 + * the boundary program's stack frame, recover additionally saved 172 + * registers in epilogue of exception callback. 259 173 */ 260 - for (i = BPF_REG_6; i <= BPF_REG_10; i++) 261 - if (bpf_is_seen_register(ctx, bpf_to_ppc(i))) 262 - EMIT(PPC_RAW_STD(bpf_to_ppc(i), _R1, bpf_jit_stack_offsetof(ctx, bpf_to_ppc(i)))); 174 + if (ctx->exception_boundary) { 175 + for (i = _R14; i <= _R25; i++) 176 + EMIT(PPC_RAW_STD(i, _R1, bpf_jit_stack_offsetof(ctx, i))); 177 + } 263 178 264 - if (ctx->arena_vm_start) 265 - EMIT(PPC_RAW_STD(bpf_to_ppc(ARENA_VM_START), _R1, 179 + if (!ctx->exception_cb) { 180 + /* 181 + * Back up non-volatile regs -- BPF registers 6-10 182 + * If we haven't created our own stack frame, we save these 183 + * in the protected zone below the previous stack frame 184 + */ 185 + for (i = BPF_REG_6; i <= BPF_REG_10; i++) 186 + if (ctx->exception_boundary || bpf_is_seen_register(ctx, bpf_to_ppc(i))) 187 + EMIT(PPC_RAW_STD(bpf_to_ppc(i), _R1, 188 + bpf_jit_stack_offsetof(ctx, bpf_to_ppc(i)))); 189 + 190 + if (ctx->exception_boundary || ctx->arena_vm_start) 191 + EMIT(PPC_RAW_STD(bpf_to_ppc(ARENA_VM_START), _R1, 266 192 bpf_jit_stack_offsetof(ctx, bpf_to_ppc(ARENA_VM_START)))); 193 + } else { 194 + /* 195 + * Exception callback receives Frame Pointer of boundary 196 + * program(main prog) as third arg 197 + */ 198 + EMIT(PPC_RAW_MR(_R1, _R5)); 199 + } 267 200 268 - /* Setup frame pointer to point to the bpf stack area */ 201 + /* 202 + * Exception_cb not restricted from using stack area or arena. 203 + * Setup frame pointer to point to the bpf stack area 204 + */ 269 205 if (bpf_is_seen_register(ctx, bpf_to_ppc(BPF_REG_FP))) 270 206 EMIT(PPC_RAW_ADDI(bpf_to_ppc(BPF_REG_FP), _R1, 271 - STACK_FRAME_MIN_SIZE + ctx->stack_size)); 207 + STACK_FRAME_MIN_SIZE + ctx->stack_size)); 272 208 273 209 if (ctx->arena_vm_start) 274 210 PPC_LI64(bpf_to_ppc(ARENA_VM_START), ctx->arena_vm_start); ··· 304 192 305 193 /* Restore NVRs */ 306 194 for (i = BPF_REG_6; i <= BPF_REG_10; i++) 307 - if (bpf_is_seen_register(ctx, bpf_to_ppc(i))) 195 + if (ctx->exception_cb || bpf_is_seen_register(ctx, bpf_to_ppc(i))) 308 196 EMIT(PPC_RAW_LD(bpf_to_ppc(i), _R1, bpf_jit_stack_offsetof(ctx, bpf_to_ppc(i)))); 309 197 310 - if (ctx->arena_vm_start) 198 + if (ctx->exception_cb || ctx->arena_vm_start) 311 199 EMIT(PPC_RAW_LD(bpf_to_ppc(ARENA_VM_START), _R1, 312 200 bpf_jit_stack_offsetof(ctx, bpf_to_ppc(ARENA_VM_START)))); 313 201 202 + if (ctx->exception_cb) { 203 + /* 204 + * Recover additionally saved non volatile registers from stack 205 + * frame of exception boundary program. 206 + */ 207 + for (i = _R14; i <= _R25; i++) 208 + EMIT(PPC_RAW_LD(i, _R1, bpf_jit_stack_offsetof(ctx, i))); 209 + } 210 + 314 211 /* Tear down our stack frame */ 315 212 if (bpf_has_stack_frame(ctx)) { 316 - EMIT(PPC_RAW_ADDI(_R1, _R1, BPF_PPC_STACKFRAME + ctx->stack_size)); 317 - if (ctx->seen & SEEN_FUNC) { 213 + EMIT(PPC_RAW_ADDI(_R1, _R1, bpf_jit_stack_size(ctx) + ctx->stack_size)); 214 + 215 + if (ctx->seen & SEEN_FUNC || ctx->exception_cb) { 318 216 EMIT(PPC_RAW_LD(_R0, _R1, PPC_LR_STKOFF)); 319 217 EMIT(PPC_RAW_MTLR(_R0)); 320 218 } ··· 341 219 EMIT(PPC_RAW_BLR()); 342 220 343 221 bpf_jit_build_fentry_stubs(image, ctx); 222 + } 223 + 224 + /* 225 + * arch_bpf_stack_walk() - BPF stack walker for PowerPC 226 + * 227 + * Based on arch_stack_walk() from stacktrace.c. 228 + * PowerPC uses stack frames rather than stack pointers. See [1] for 229 + * the equivalence between frame pointers and stack pointers. 230 + * Additional reference at [2]. 231 + * TODO: refactor with arch_stack_walk() 232 + * 233 + * [1]: https://lore.kernel.org/all/20200220115141.2707-1-mpe@ellerman.id.au/ 234 + * [2]: https://lore.kernel.org/bpf/20260122211854.5508-5-adubey@linux.ibm.com/ 235 + */ 236 + 237 + void arch_bpf_stack_walk(bool (*consume_fn)(void *, u64, u64, u64), void *cookie) 238 + { 239 + // callback processing always in current context 240 + unsigned long sp = current_stack_frame(); 241 + 242 + for (;;) { 243 + unsigned long *stack = (unsigned long *) sp; 244 + unsigned long ip; 245 + 246 + if (!validate_sp(sp, current)) 247 + return; 248 + 249 + ip = stack[STACK_FRAME_LR_SAVE]; 250 + if (!ip) 251 + break; 252 + 253 + /* 254 + * consume_fn common code expects stack pointer in third 255 + * argument. There is no sp in ppc64, rather pass frame 256 + * pointer(named sp here). 257 + */ 258 + if (ip && !consume_fn(cookie, ip, sp, sp)) 259 + break; 260 + 261 + sp = stack[0]; 262 + } 344 263 } 345 264 346 265 int bpf_jit_emit_func_call_rel(u32 *image, u32 *fimage, struct codegen_context *ctx, u64 func) ··· 506 343 EMIT(PPC_RAW_CMPLW(b2p_index, bpf_to_ppc(TMP_REG_1))); 507 344 PPC_BCC_SHORT(COND_GE, out); 508 345 509 - /* 510 - * if (tail_call_cnt >= MAX_TAIL_CALL_CNT) 511 - * goto out; 512 - */ 513 - EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_1), _R1, bpf_jit_stack_tailcallcnt(ctx))); 346 + EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_1), _R1, bpf_jit_stack_tailcallinfo_offset(ctx))); 514 347 EMIT(PPC_RAW_CMPLWI(bpf_to_ppc(TMP_REG_1), MAX_TAIL_CALL_CNT)); 515 - PPC_BCC_SHORT(COND_GE, out); 348 + PPC_BCC_CONST_SHORT(COND_LE, 8); 349 + 350 + /* dereference TMP_REG_1 */ 351 + EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1), 0)); 516 352 517 353 /* 518 - * tail_call_cnt++; 354 + * if (tail_call_info == MAX_TAIL_CALL_CNT) 355 + * goto out; 356 + */ 357 + EMIT(PPC_RAW_CMPLWI(bpf_to_ppc(TMP_REG_1), MAX_TAIL_CALL_CNT)); 358 + PPC_BCC_SHORT(COND_EQ, out); 359 + 360 + /* 361 + * tail_call_info++; <- Actual value of tcc here 519 362 */ 520 363 EMIT(PPC_RAW_ADDI(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_1), 1)); 521 - EMIT(PPC_RAW_STD(bpf_to_ppc(TMP_REG_1), _R1, bpf_jit_stack_tailcallcnt(ctx))); 364 + 365 + /* 366 + * Before writing updated tail_call_info, distinguish if current frame 367 + * is storing a reference to tail_call_info or actual tcc value in 368 + * tail_call_info. 369 + */ 370 + EMIT(PPC_RAW_LD(bpf_to_ppc(TMP_REG_2), _R1, bpf_jit_stack_tailcallinfo_offset(ctx))); 371 + EMIT(PPC_RAW_CMPLWI(bpf_to_ppc(TMP_REG_2), MAX_TAIL_CALL_CNT)); 372 + PPC_BCC_CONST_SHORT(COND_GT, 8); 373 + 374 + /* First get address of tail_call_info */ 375 + EMIT(PPC_RAW_ADDI(bpf_to_ppc(TMP_REG_2), _R1, bpf_jit_stack_tailcallinfo_offset(ctx))); 376 + /* Writeback updated value to tail_call_info */ 377 + EMIT(PPC_RAW_STD(bpf_to_ppc(TMP_REG_1), bpf_to_ppc(TMP_REG_2), 0)); 522 378 523 379 /* prog = array->ptrs[index]; */ 524 380 EMIT(PPC_RAW_MULI(bpf_to_ppc(TMP_REG_1), b2p_index, 8)); ··· 1100 918 case BPF_ALU | BPF_MOV | BPF_X: /* (u32) dst = src */ 1101 919 case BPF_ALU64 | BPF_MOV | BPF_X: /* dst = src */ 1102 920 921 + if (insn_is_mov_percpu_addr(&insn[i])) { 922 + if (IS_ENABLED(CONFIG_SMP)) { 923 + EMIT(PPC_RAW_LD(tmp1_reg, _R13, offsetof(struct paca_struct, data_offset))); 924 + EMIT(PPC_RAW_ADD(dst_reg, src_reg, tmp1_reg)); 925 + } else if (src_reg != dst_reg) { 926 + EMIT(PPC_RAW_MR(dst_reg, src_reg)); 927 + } 928 + break; 929 + } 930 + 1103 931 if (insn_is_cast_user(&insn[i])) { 1104 932 EMIT(PPC_RAW_RLDICL_DOT(tmp1_reg, src_reg, 0, 32)); 1105 933 PPC_LI64(dst_reg, (ctx->user_vm_start & 0xffffffff00000000UL)); ··· 1581 1389 */ 1582 1390 case BPF_JMP | BPF_CALL: 1583 1391 ctx->seen |= SEEN_FUNC; 1392 + 1393 + if (src_reg == bpf_to_ppc(BPF_REG_0)) { 1394 + if (imm == BPF_FUNC_get_smp_processor_id) { 1395 + EMIT(PPC_RAW_LHZ(src_reg, _R13, offsetof(struct paca_struct, paca_index))); 1396 + break; 1397 + } else if (imm == BPF_FUNC_get_current_task || 1398 + imm == BPF_FUNC_get_current_task_btf) { 1399 + EMIT(PPC_RAW_LD(src_reg, _R13, offsetof(struct paca_struct, __current))); 1400 + break; 1401 + } 1402 + } 1584 1403 1585 1404 ret = bpf_jit_get_func_addr(fp, &insn[i], extra_pass, 1586 1405 &func_addr, &func_addr_fixed);

+1 -1

arch/powerpc/platforms/pseries/Makefile

··· 30 30 obj-$(CONFIG_PPC_SPLPAR) += vphn.o 31 31 obj-$(CONFIG_PPC_SVM) += svm.o 32 32 obj-$(CONFIG_FA_DUMP) += rtas-fadump.o 33 - obj-$(CONFIG_PSERIES_PLPKS) += plpks.o 33 + obj-$(CONFIG_PSERIES_PLPKS) += plpks.o plpks-sysfs.o 34 34 obj-$(CONFIG_PPC_SECURE_BOOT) += plpks-secvar.o 35 35 obj-$(CONFIG_PSERIES_PLPKS_SED) += plpks_sed_ops.o 36 36 obj-$(CONFIG_SUSPEND) += suspend.o

+2 -4

arch/powerpc/platforms/pseries/iommu.c

··· 1769 1769 out_unlock: 1770 1770 mutex_unlock(&dma_win_init_mutex); 1771 1771 1772 - /* If we have persistent memory and the window size is not big enough 1773 - * to directly map both RAM and vPMEM, then we need to set DMA limit. 1774 - */ 1775 - if (pmem_present && direct_mapping && len != MAX_PHYSMEM_BITS) 1772 + /* For pre-mapped memory, set bus_dma_limit to the max RAM */ 1773 + if (direct_mapping) 1776 1774 dev->dev.bus_dma_limit = dev->dev.archdata.dma_offset + 1777 1775 (1ULL << max_ram_len); 1778 1776

+41 -3

arch/powerpc/platforms/pseries/msi.c

··· 19 19 20 20 #include "pseries.h" 21 21 22 + struct pseries_msi_device { 23 + unsigned int msi_quota; 24 + unsigned int msi_used; 25 + }; 26 + 22 27 static int query_token, change_token; 23 28 24 29 #define RTAS_QUERY_FN 0 ··· 438 433 struct msi_domain_info *info = domain->host_data; 439 434 struct pci_dev *pdev = to_pci_dev(dev); 440 435 int type = (info->flags & MSI_FLAG_PCI_MSIX) ? PCI_CAP_ID_MSIX : PCI_CAP_ID_MSI; 436 + int ret; 441 437 442 - return rtas_prepare_msi_irqs(pdev, nvec, type, arg); 438 + struct pseries_msi_device *pseries_dev __free(kfree) 439 + = kmalloc(sizeof(*pseries_dev), GFP_KERNEL); 440 + if (!pseries_dev) 441 + return -ENOMEM; 442 + 443 + while (1) { 444 + ret = rtas_prepare_msi_irqs(pdev, nvec, type, arg); 445 + if (!ret) 446 + break; 447 + else if (ret > 0) 448 + nvec = ret; 449 + else 450 + return ret; 451 + } 452 + 453 + pseries_dev->msi_quota = nvec; 454 + pseries_dev->msi_used = 0; 455 + 456 + arg->scratchpad[0].ptr = no_free_ptr(pseries_dev); 457 + return 0; 443 458 } 444 459 445 460 /* ··· 468 443 */ 469 444 static void pseries_msi_ops_teardown(struct irq_domain *domain, msi_alloc_info_t *arg) 470 445 { 446 + struct pseries_msi_device *pseries_dev = arg->scratchpad[0].ptr; 471 447 struct pci_dev *pdev = to_pci_dev(domain->dev); 472 448 473 449 rtas_disable_msi(pdev); 450 + 451 + WARN_ON(pseries_dev->msi_used); 452 + kfree(pseries_dev); 474 453 } 475 454 476 455 static void pseries_msi_shutdown(struct irq_data *d) ··· 575 546 unsigned int nr_irqs, void *arg) 576 547 { 577 548 struct pci_controller *phb = domain->host_data; 549 + struct pseries_msi_device *pseries_dev; 578 550 msi_alloc_info_t *info = arg; 579 551 struct msi_desc *desc = info->desc; 580 552 struct pci_dev *pdev = msi_desc_to_pci_dev(desc); 581 553 int hwirq; 582 554 int i, ret; 555 + 556 + pseries_dev = info->scratchpad[0].ptr; 557 + 558 + if (pseries_dev->msi_used + nr_irqs > pseries_dev->msi_quota) 559 + return -ENOSPC; 583 560 584 561 hwirq = rtas_query_irq_number(pci_get_pdn(pdev), desc->msi_index); 585 562 if (hwirq < 0) { ··· 602 567 goto out; 603 568 604 569 irq_domain_set_hwirq_and_chip(domain, virq + i, hwirq + i, 605 - &pseries_msi_irq_chip, domain->host_data); 570 + &pseries_msi_irq_chip, pseries_dev); 606 571 } 607 572 573 + pseries_dev->msi_used++; 608 574 return 0; 609 575 610 576 out: ··· 618 582 unsigned int nr_irqs) 619 583 { 620 584 struct irq_data *d = irq_domain_get_irq_data(domain, virq); 621 - struct pci_controller *phb = irq_data_get_irq_chip_data(d); 585 + struct pseries_msi_device *pseries_dev = irq_data_get_irq_chip_data(d); 586 + struct pci_controller *phb = domain->host_data; 622 587 623 588 pr_debug("%s bridge %pOF %d #%d\n", __func__, phb->dn, virq, nr_irqs); 589 + pseries_dev->msi_used -= nr_irqs; 624 590 irq_domain_free_irqs_parent(domain, virq, nr_irqs); 625 591 } 626 592

-29

arch/powerpc/platforms/pseries/plpks-secvar.c

··· 20 20 #include <asm/secvar.h> 21 21 #include <asm/plpks.h> 22 22 23 - // Config attributes for sysfs 24 - #define PLPKS_CONFIG_ATTR(name, fmt, func) \ 25 - static ssize_t name##_show(struct kobject *kobj, \ 26 - struct kobj_attribute *attr, \ 27 - char *buf) \ 28 - { \ 29 - return sysfs_emit(buf, fmt, func()); \ 30 - } \ 31 - static struct kobj_attribute attr_##name = __ATTR_RO(name) 32 - 33 - PLPKS_CONFIG_ATTR(version, "%u\n", plpks_get_version); 34 - PLPKS_CONFIG_ATTR(max_object_size, "%u\n", plpks_get_maxobjectsize); 35 - PLPKS_CONFIG_ATTR(total_size, "%u\n", plpks_get_totalsize); 36 - PLPKS_CONFIG_ATTR(used_space, "%u\n", plpks_get_usedspace); 37 - PLPKS_CONFIG_ATTR(supported_policies, "%08x\n", plpks_get_supportedpolicies); 38 - PLPKS_CONFIG_ATTR(signed_update_algorithms, "%016llx\n", plpks_get_signedupdatealgorithms); 39 - 40 - static const struct attribute *config_attrs[] = { 41 - &attr_version.attr, 42 - &attr_max_object_size.attr, 43 - &attr_total_size.attr, 44 - &attr_used_space.attr, 45 - &attr_supported_policies.attr, 46 - &attr_signed_update_algorithms.attr, 47 - NULL, 48 - }; 49 - 50 23 static u32 get_policy(const char *name) 51 24 { 52 25 if ((strcmp(name, "db") == 0) || ··· 198 225 .set = plpks_set_variable, 199 226 .format = plpks_secvar_format, 200 227 .max_size = plpks_max_size, 201 - .config_attrs = config_attrs, 202 228 .var_names = plpks_var_names_static, 203 229 }; 204 230 ··· 206 234 .set = plpks_set_variable, 207 235 .format = plpks_secvar_format, 208 236 .max_size = plpks_max_size, 209 - .config_attrs = config_attrs, 210 237 .var_names = plpks_var_names_dynamic, 211 238 }; 212 239

+96

arch/powerpc/platforms/pseries/plpks-sysfs.c

··· 1 + // SPDX-License-Identifier: GPL-2.0-only 2 + /* 3 + * Copyright (C) 2025 IBM Corporation, Srish Srinivasan <ssrish@linux.ibm.com> 4 + * 5 + * This code exposes PLPKS config to user via sysfs 6 + */ 7 + 8 + #define pr_fmt(fmt) "plpks-sysfs: "fmt 9 + 10 + #include <linux/init.h> 11 + #include <linux/printk.h> 12 + #include <linux/types.h> 13 + #include <asm/machdep.h> 14 + #include <asm/plpks.h> 15 + 16 + /* config attributes for sysfs */ 17 + #define PLPKS_CONFIG_ATTR(name, fmt, func) \ 18 + static ssize_t name##_show(struct kobject *kobj, \ 19 + struct kobj_attribute *attr, \ 20 + char *buf) \ 21 + { \ 22 + return sysfs_emit(buf, fmt, func()); \ 23 + } \ 24 + static struct kobj_attribute attr_##name = __ATTR_RO(name) 25 + 26 + PLPKS_CONFIG_ATTR(version, "%u\n", plpks_get_version); 27 + PLPKS_CONFIG_ATTR(max_object_size, "%u\n", plpks_get_maxobjectsize); 28 + PLPKS_CONFIG_ATTR(total_size, "%u\n", plpks_get_totalsize); 29 + PLPKS_CONFIG_ATTR(used_space, "%u\n", plpks_get_usedspace); 30 + PLPKS_CONFIG_ATTR(supported_policies, "%08x\n", plpks_get_supportedpolicies); 31 + PLPKS_CONFIG_ATTR(signed_update_algorithms, "%016llx\n", 32 + plpks_get_signedupdatealgorithms); 33 + PLPKS_CONFIG_ATTR(wrapping_features, "%016llx\n", plpks_get_wrappingfeatures); 34 + 35 + static const struct attribute *config_attrs[] = { 36 + &attr_version.attr, 37 + &attr_max_object_size.attr, 38 + &attr_total_size.attr, 39 + &attr_used_space.attr, 40 + &attr_supported_policies.attr, 41 + &attr_signed_update_algorithms.attr, 42 + &attr_wrapping_features.attr, 43 + NULL, 44 + }; 45 + 46 + static struct kobject *plpks_kobj, *plpks_config_kobj; 47 + 48 + int plpks_config_create_softlink(struct kobject *from) 49 + { 50 + if (!plpks_config_kobj) 51 + return -EINVAL; 52 + return sysfs_create_link(from, plpks_config_kobj, "config"); 53 + } 54 + 55 + static __init int plpks_sysfs_config(struct kobject *kobj) 56 + { 57 + struct attribute_group config_group = { 58 + .name = NULL, 59 + .attrs = (struct attribute **)config_attrs, 60 + }; 61 + 62 + return sysfs_create_group(kobj, &config_group); 63 + } 64 + 65 + static __init int plpks_sysfs_init(void) 66 + { 67 + int rc; 68 + 69 + if (!plpks_is_available()) 70 + return -ENODEV; 71 + 72 + plpks_kobj = kobject_create_and_add("plpks", firmware_kobj); 73 + if (!plpks_kobj) { 74 + pr_err("Failed to create plpks kobj\n"); 75 + return -ENOMEM; 76 + } 77 + 78 + plpks_config_kobj = kobject_create_and_add("config", plpks_kobj); 79 + if (!plpks_config_kobj) { 80 + pr_err("Failed to create plpks config kobj\n"); 81 + kobject_put(plpks_kobj); 82 + return -ENOMEM; 83 + } 84 + 85 + rc = plpks_sysfs_config(plpks_config_kobj); 86 + if (rc) { 87 + pr_err("Failed to create attribute group for plpks config\n"); 88 + kobject_put(plpks_config_kobj); 89 + kobject_put(plpks_kobj); 90 + return rc; 91 + } 92 + 93 + return 0; 94 + } 95 + 96 + machine_subsys_initcall(pseries, plpks_sysfs_init);

+678 -10

arch/powerpc/platforms/pseries/plpks.c

··· 9 9 10 10 #define pr_fmt(fmt) "plpks: " fmt 11 11 12 + #define PLPKS_WRAPKEY_COMPONENT "PLPKSWR" 13 + #define PLPKS_WRAPKEY_NAME "default-wrapping-key" 14 + 15 + /* 16 + * To 4K align the {input, output} buffers to the {UN}WRAP H_CALLs 17 + */ 18 + #define PLPKS_WRAPPING_BUF_ALIGN 4096 19 + 20 + /* 21 + * To ensure the output buffer's length is at least 1024 bytes greater 22 + * than the input buffer's length during the WRAP H_CALL 23 + */ 24 + #define PLPKS_WRAPPING_BUF_DIFF 1024 25 + 26 + #define PLPKS_WRAP_INTERFACE_BIT 3 27 + #define PLPKS_WRAPPING_KEY_LENGTH 32 28 + 29 + #define WRAPFLAG_BE_BIT_SET(be_bit) \ 30 + BIT_ULL(63 - (be_bit)) 31 + 32 + #define WRAPFLAG_BE_GENMASK(be_bit_hi, be_bit_lo) \ 33 + GENMASK_ULL(63 - (be_bit_hi), 63 - (be_bit_lo)) 34 + 35 + #define WRAPFLAG_BE_FIELD_PREP(be_bit_hi, be_bit_lo, val) \ 36 + FIELD_PREP(WRAPFLAG_BE_GENMASK(be_bit_hi, be_bit_lo), (val)) 37 + 12 38 #include <linux/delay.h> 13 39 #include <linux/errno.h> 14 40 #include <linux/io.h> ··· 45 19 #include <linux/of_fdt.h> 46 20 #include <linux/libfdt.h> 47 21 #include <linux/memblock.h> 22 + #include <linux/bitfield.h> 48 23 #include <asm/hvcall.h> 49 24 #include <asm/machdep.h> 50 25 #include <asm/plpks.h> ··· 65 38 static u32 supportedpolicies; 66 39 static u32 maxlargeobjectsize; 67 40 static u64 signedupdatealgorithms; 41 + static u64 wrappingfeatures; 42 + static bool wrapsupport; 68 43 69 44 struct plpks_auth { 70 45 u8 version; ··· 277 248 __be32 supportedpolicies; 278 249 __be32 maxlargeobjectsize; 279 250 __be64 signedupdatealgorithms; 251 + __be64 wrappingfeatures; 280 252 u8 rsvd1[476]; 281 253 } __packed * config; 282 254 size_t size; ··· 310 280 supportedpolicies = be32_to_cpu(config->supportedpolicies); 311 281 maxlargeobjectsize = be32_to_cpu(config->maxlargeobjectsize); 312 282 signedupdatealgorithms = be64_to_cpu(config->signedupdatealgorithms); 283 + wrappingfeatures = be64_to_cpu(config->wrappingfeatures); 284 + wrapsupport = config->flags & PPC_BIT8(PLPKS_WRAP_INTERFACE_BIT); 313 285 314 286 // Validate that the numbers we get back match the requirements of the spec 315 287 if (maxpwsize < 32) { ··· 344 312 return rc; 345 313 } 346 314 315 + /** 316 + * plpks_get_version() - Get the version of the PLPKS config structure. 317 + * 318 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 319 + * reads the PLPKS config structure version and saves it in a file local static 320 + * version variable. 321 + * 322 + * Returns: On success the saved PLPKS config structure version is returned, 0 323 + * if not. 324 + */ 347 325 u8 plpks_get_version(void) 348 326 { 349 327 return version; 350 328 } 351 329 330 + /** 331 + * plpks_get_objoverhead() - Get the hypervisor storage overhead per object. 332 + * 333 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 334 + * reads the per object hypervisor storage overhead in bytes into the local 335 + * static objoverhead variable, excluding the size of the object or the label. 336 + * This value can be treated as valid only when the PLPKS config structure 337 + * version >= 2. 338 + * 339 + * Returns: If PLPKS config structure version >= 2 then the storage overhead is 340 + * returned, 0 otherwise. 341 + */ 352 342 u16 plpks_get_objoverhead(void) 353 343 { 354 344 return objoverhead; 355 345 } 356 346 347 + /** 348 + * plpks_get_maxpwsize() - Get the maximum password size. 349 + * 350 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 351 + * reads the maximum password size and checks if it is 32 bytes at the least 352 + * before storing it in the local static maxpwsize variable. 353 + * 354 + * Returns: On success the maximum password size is returned, 0 if not. 355 + */ 357 356 u16 plpks_get_maxpwsize(void) 358 357 { 359 358 return maxpwsize; 360 359 } 361 360 361 + /** 362 + * plpks_get_maxobjectsize() - Get the maximum object size supported by the 363 + * PLPKS. 364 + * 365 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 366 + * reads the maximum object size into the file local static maxobjsize variable. 367 + * 368 + * Returns: On success the maximum object size is returned, 0 if not. 369 + */ 362 370 u16 plpks_get_maxobjectsize(void) 363 371 { 364 372 return maxobjsize; 365 373 } 366 374 375 + /** 376 + * plpks_get_maxobjectlabelsize() - Get the maximum object label size supported 377 + * by the PLPKS. 378 + * 379 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 380 + * reads the maximum object label size into the local static maxobjlabelsize 381 + * variable. 382 + * 383 + * Returns: On success the maximum object label size is returned, 0 if not. 384 + */ 367 385 u16 plpks_get_maxobjectlabelsize(void) 368 386 { 369 387 return maxobjlabelsize; 370 388 } 371 389 390 + /** 391 + * plpks_get_totalsize() - Get the total size of the PLPKS that is configured. 392 + * 393 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 394 + * reads the total size of the PLPKS that is configured for the LPAR into the 395 + * file local static totalsize variable. 396 + * 397 + * Returns: On success the total size of the PLPKS configured is returned, 0 if 398 + * not. 399 + */ 372 400 u32 plpks_get_totalsize(void) 373 401 { 374 402 return totalsize; 375 403 } 376 404 405 + /** 406 + * plpks_get_usedspace() - Get the used space from the total size of the PLPKS. 407 + * 408 + * Invoke the H_PKS_GET_CONFIG HCALL to refresh the latest value for the used 409 + * space as this keeps changing with the creation and removal of objects in the 410 + * PLPKS. 411 + * 412 + * Returns: On success the used space is returned, 0 if not. 413 + */ 377 414 u32 plpks_get_usedspace(void) 378 415 { 379 - // Unlike other config values, usedspace regularly changes as objects 380 - // are updated, so we need to refresh. 381 416 int rc = _plpks_get_config(); 382 417 if (rc) { 383 418 pr_err("Couldn't get config, rc: %d\n", rc); ··· 453 354 return usedspace; 454 355 } 455 356 357 + /** 358 + * plpks_get_supportedpolicies() - Get a bitmask of the policies supported by 359 + * the hypervisor. 360 + * 361 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 362 + * reads a bitmask of the policies supported by the hypervisor into the file 363 + * local static supportedpolicies variable. 364 + * 365 + * Returns: On success the bitmask of the policies supported by the hypervisor 366 + * are returned, 0 if not. 367 + */ 456 368 u32 plpks_get_supportedpolicies(void) 457 369 { 458 370 return supportedpolicies; 459 371 } 460 372 373 + /** 374 + * plpks_get_maxlargeobjectsize() - Get the maximum object size supported for 375 + * PLPKS config structure version >= 3 376 + * 377 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 378 + * reads the maximum object size into the local static maxlargeobjectsize 379 + * variable for PLPKS config structure version >= 3. This was introduced 380 + * starting with PLPKS config structure version 3 to allow for objects of 381 + * size >= 64K. 382 + * 383 + * Returns: If PLPKS config structure version >= 3 then the new maximum object 384 + * size is returned, 0 if not. 385 + */ 461 386 u32 plpks_get_maxlargeobjectsize(void) 462 387 { 463 388 return maxlargeobjectsize; 464 389 } 465 390 391 + /** 392 + * plpks_get_signedupdatealgorithms() - Get a bitmask of the signature 393 + * algorithms supported for signed updates. 394 + * 395 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 396 + * reads a bitmask of the signature algorithms supported for signed updates into 397 + * the file local static signedupdatealgorithms variable. This is valid only 398 + * when the PLPKS config structure version >= 3. 399 + * 400 + * Returns: On success the bitmask of the signature algorithms supported for 401 + * signed updates is returned, 0 if not. 402 + */ 466 403 u64 plpks_get_signedupdatealgorithms(void) 467 404 { 468 405 return signedupdatealgorithms; 469 406 } 470 407 408 + /** 409 + * plpks_get_wrappingfeatures() - Returns a bitmask of the wrapping features 410 + * supported by the hypervisor. 411 + * 412 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 413 + * reads a bitmask of the wrapping features supported by the hypervisor into the 414 + * file local static wrappingfeatures variable. This is valid only when the 415 + * PLPKS config structure version >= 3. 416 + * 417 + * Return: 418 + * bitmask of the wrapping features supported by the hypervisor 419 + */ 420 + u64 plpks_get_wrappingfeatures(void) 421 + { 422 + return wrappingfeatures; 423 + } 424 + 425 + /** 426 + * plpks_get_passwordlen() - Get the length of the PLPKS password in bytes. 427 + * 428 + * The H_PKS_GEN_PASSWORD HCALL makes the hypervisor generate a random password 429 + * for the specified consumer, apply that password to the PLPKS and return it to 430 + * the caller. In this process, the password length for the OS consumer is 431 + * stored in the local static ospasswordlength variable. 432 + * 433 + * Returns: On success the password length for the OS consumer in bytes is 434 + * returned, 0 if not. 435 + */ 471 436 u16 plpks_get_passwordlen(void) 472 437 { 473 438 return ospasswordlength; 474 439 } 475 440 441 + /** 442 + * plpks_is_available() - Get the PLPKS availability status for the LPAR. 443 + * 444 + * The availability of PLPKS is inferred based upon the successful execution of 445 + * the H_PKS_GET_CONFIG HCALL provided the firmware supports this feature. The 446 + * H_PKS_GET_CONFIG HCALL reads the configuration and status information related 447 + * to the PLPKS. The configuration structure provides a version number to inform 448 + * the caller of the supported features. 449 + * 450 + * Returns: true is returned if PLPKS is available, false if not. 451 + */ 476 452 bool plpks_is_available(void) 477 453 { 478 454 int rc; ··· 599 425 return pseries_status_to_err(rc); 600 426 } 601 427 428 + /** 429 + * plpks_signed_update_var() - Update the specified authenticated variable. 430 + * @var: authenticated variable to be updated 431 + * @flags: signed update request operation flags 432 + * 433 + * The H_PKS_SIGNED_UPDATE HCALL performs a signed update to an object in the 434 + * PLPKS. The object must have the signed update policy flag set. 435 + * 436 + * Possible reasons for the returned errno values: 437 + * 438 + * -ENXIO if PLPKS is not supported 439 + * -EIO if PLPKS access is blocked due to the LPAR's state 440 + * if PLPKS modification is blocked due to the LPAR's state 441 + * if an error occurred while processing the request 442 + * -EINVAL if invalid authorization parameter 443 + * if invalid object label parameter 444 + * if invalid object label len parameter 445 + * if invalid or unsupported policy declaration 446 + * if invalid signed update flags 447 + * if invalid input data parameter 448 + * if invalid input data len parameter 449 + * if invalid continue token parameter 450 + * -EPERM if access is denied 451 + * -ENOMEM if there is inadequate memory to perform the operation 452 + * -EBUSY if unable to handle the request or long running operation 453 + * initiated, retry later 454 + * 455 + * Returns: On success 0 is returned, a negative errno if not. 456 + */ 602 457 int plpks_signed_update_var(struct plpks_var *var, u64 flags) 603 458 { 604 459 unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0}; ··· 641 438 return -EINVAL; 642 439 643 440 if (!(var->policy & PLPKS_SIGNEDUPDATE)) 441 + return -EINVAL; 442 + 443 + if (var->policy & PLPKS_WRAPPINGKEY) 644 444 return -EINVAL; 645 445 646 446 // Signed updates need the component to be NULL. ··· 687 481 return rc; 688 482 } 689 483 484 + /** 485 + * plpks_write_var() - Write the specified variable and its data to PLPKS. 486 + * @var: variable to be written into the PLPKS 487 + * 488 + * The H_PKS_WRITE_OBJECT HCALL writes an object into the PLPKS. The caller must 489 + * provide a valid component type for the variable, and the signed update policy 490 + * flag must not be set. 491 + * 492 + * Possible reasons for the returned errno values: 493 + * 494 + * -ENXIO if PLPKS is not supported 495 + * -EIO if PLPKS access is blocked due to the LPAR's state 496 + * if PLPKS modification is blocked due to the LPAR's state 497 + * if an error occurred while processing the request 498 + * -EINVAL if invalid authorization parameter 499 + * if invalid object label parameter 500 + * if invalid object label len parameter 501 + * if invalid or unsupported policy declaration 502 + * if invalid input data parameter 503 + * if invalid input data len parameter 504 + * -EPERM if access is denied 505 + * -ENOMEM if unable to store the requested object in the space available 506 + * -EBUSY if unable to handle the request 507 + * -EEXIST if the object label already exists 508 + * 509 + * Returns: On success 0 is returned, a negative errno if not. 510 + */ 690 511 int plpks_write_var(struct plpks_var var) 691 512 { 692 513 unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 }; ··· 726 493 return -EINVAL; 727 494 728 495 if (var.policy & PLPKS_SIGNEDUPDATE) 496 + return -EINVAL; 497 + 498 + if (var.policy & PLPKS_WRAPPINGKEY) 729 499 return -EINVAL; 730 500 731 501 auth = construct_auth(PLPKS_OS_OWNER); ··· 756 520 return rc; 757 521 } 758 522 523 + /** 524 + * plpks_remove_var() - Remove the specified variable and its data from PLPKS. 525 + * @component: metadata prefix in the object label metadata structure 526 + * @varos: metadata OS flags in the object label metadata structure 527 + * @vname: object label for the object that needs to be removed 528 + * 529 + * The H_PKS_REMOVE_OBJECT HCALL removes an object from the PLPKS. The removal 530 + * is independent of the policy bits that are set. 531 + * 532 + * Possible reasons for the returned errno values: 533 + * 534 + * -ENXIO if PLPKS is not supported 535 + * -EIO if PLPKS access is blocked due to the LPAR's state 536 + * if PLPKS modification is blocked due to the LPAR's state 537 + * if an error occurred while processing the request 538 + * -EINVAL if invalid authorization parameter 539 + * if invalid object label parameter 540 + * if invalid object label len parameter 541 + * -EPERM if access is denied 542 + * -ENOENT if the requested object was not found 543 + * -EBUSY if unable to handle the request 544 + * 545 + * Returns: On success 0 is returned, a negative errno if not. 546 + */ 759 547 int plpks_remove_var(char *component, u8 varos, struct plpks_var_name vname) 760 548 { 761 549 unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 }; ··· 823 563 int rc; 824 564 825 565 if (var->namelen > PLPKS_MAX_NAME_SIZE) 566 + return -EINVAL; 567 + 568 + if (var->policy & PLPKS_WRAPPINGKEY) 826 569 return -EINVAL; 827 570 828 571 auth = construct_auth(consumer); ··· 882 619 return rc; 883 620 } 884 621 622 + /** 623 + * plpks_wrapping_is_supported() - Get the H_PKS_WRAP_OBJECT interface 624 + * availability status for the LPAR. 625 + * 626 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 627 + * sets bit 3 of the flags variable in the PLPKS config structure if the 628 + * H_PKS_WRAP_OBJECT interface is supported. 629 + * 630 + * Returns: true if the H_PKS_WRAP_OBJECT interface is supported, false if not. 631 + */ 632 + bool plpks_wrapping_is_supported(void) 633 + { 634 + return wrapsupport; 635 + } 636 + EXPORT_SYMBOL_GPL(plpks_wrapping_is_supported); 637 + 638 + /** 639 + * plpks_gen_wrapping_key() - Generate a new random key with the 'wrapping key' 640 + * policy set. 641 + * 642 + * The H_PKS_GEN_KEY HCALL makes the hypervisor generate a new random key and 643 + * store the key in a PLPKS object with the provided object label. With the 644 + * 'wrapping key' policy set, only the label to the newly generated random key 645 + * would be visible to the user. 646 + * 647 + * Possible reasons for the returned errno values: 648 + * 649 + * -ENXIO if PLPKS is not supported 650 + * -EIO if PLPKS access is blocked due to the LPAR's state 651 + * if PLPKS modification is blocked due to the LPAR's state 652 + * if an error occurred while processing the request 653 + * -EINVAL if invalid authorization parameter 654 + * if invalid object label parameter 655 + * if invalid object label len parameter 656 + * if invalid or unsupported policy declaration 657 + * if invalid output buffer parameter 658 + * if invalid output buffer length parameter 659 + * -EPERM if access is denied 660 + * -ENOMEM if there is inadequate memory to perform this operation 661 + * -EBUSY if unable to handle the request 662 + * -EEXIST if the object label already exists 663 + * 664 + * Returns: On success 0 is returned, a negative errno if not. 665 + */ 666 + int plpks_gen_wrapping_key(void) 667 + { 668 + unsigned long retbuf[PLPAR_HCALL_BUFSIZE] = { 0 }; 669 + struct plpks_auth *auth; 670 + struct label *label; 671 + int rc = 0, pseries_status = 0; 672 + struct plpks_var var = { 673 + .name = PLPKS_WRAPKEY_NAME, 674 + .namelen = strlen(var.name), 675 + .policy = PLPKS_WRAPPINGKEY, 676 + .os = PLPKS_VAR_LINUX, 677 + .component = PLPKS_WRAPKEY_COMPONENT 678 + }; 679 + 680 + auth = construct_auth(PLPKS_OS_OWNER); 681 + if (IS_ERR(auth)) 682 + return PTR_ERR(auth); 683 + 684 + label = construct_label(var.component, var.os, var.name, var.namelen); 685 + if (IS_ERR(label)) { 686 + rc = PTR_ERR(label); 687 + goto out; 688 + } 689 + 690 + rc = plpar_hcall(H_PKS_GEN_KEY, retbuf, 691 + virt_to_phys(auth), virt_to_phys(label), 692 + label->size, var.policy, 693 + NULL, PLPKS_WRAPPING_KEY_LENGTH); 694 + 695 + if (!rc) 696 + rc = plpks_confirm_object_flushed(label, auth); 697 + 698 + pseries_status = rc; 699 + rc = pseries_status_to_err(rc); 700 + 701 + if (rc && rc != -EEXIST) { 702 + pr_err("H_PKS_GEN_KEY failed. pseries_status=%d, rc=%d", 703 + pseries_status, rc); 704 + } else { 705 + rc = 0; 706 + } 707 + 708 + kfree(label); 709 + out: 710 + kfree(auth); 711 + return rc; 712 + } 713 + EXPORT_SYMBOL_GPL(plpks_gen_wrapping_key); 714 + 715 + /** 716 + * plpks_wrap_object() - Wrap an object using the default wrapping key stored in 717 + * the PLPKS. 718 + * @input_buf: buffer containing the data to be wrapped 719 + * @input_len: length of the input buffer 720 + * @wrap_flags: object wrapping flags 721 + * @output_buf: buffer to store the wrapped data 722 + * @output_len: length of the output buffer 723 + * 724 + * The H_PKS_WRAP_OBJECT HCALL wraps an object using a wrapping key stored in 725 + * the PLPKS and returns the wrapped object to the caller. The caller provides a 726 + * label to the wrapping key with the 'wrapping key' policy set that must have 727 + * been previously created with the H_PKS_GEN_KEY HCALL. The provided object is 728 + * then encrypted with the wrapping key and additional metadata and the result 729 + * is returned to the user. The metadata includes the wrapping algorithm and the 730 + * wrapping key name so those parameters are not required during unwrap. 731 + * 732 + * Possible reasons for the returned errno values: 733 + * 734 + * -ENXIO if PLPKS is not supported 735 + * -EIO if PLPKS access is blocked due to the LPAR's state 736 + * if PLPKS modification is blocked due to the LPAR's state 737 + * if an error occurred while processing the request 738 + * -EINVAL if invalid authorization parameter 739 + * if invalid wrapping key label parameter 740 + * if invalid wrapping key label length parameter 741 + * if invalid or unsupported object wrapping flags 742 + * if invalid input buffer parameter 743 + * if invalid input buffer length parameter 744 + * if invalid output buffer parameter 745 + * if invalid output buffer length parameter 746 + * if invalid continue token parameter 747 + * if the wrapping key is not compatible with the wrapping 748 + * algorithm 749 + * -EPERM if access is denied 750 + * -ENOENT if the requested wrapping key was not found 751 + * -EBUSY if unable to handle the request or long running operation 752 + * initiated, retry later. 753 + * 754 + * Returns: On success 0 is returned, a negative errno if not. 755 + */ 756 + int plpks_wrap_object(u8 **input_buf, u32 input_len, u16 wrap_flags, 757 + u8 **output_buf, u32 *output_len) 758 + { 759 + unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = { 0 }; 760 + struct plpks_auth *auth; 761 + struct label *label; 762 + u64 continuetoken = 0; 763 + u64 objwrapflags = 0; 764 + int rc = 0, pseries_status = 0; 765 + bool sb_audit_or_enforce_bit = wrap_flags & BIT(0); 766 + bool sb_enforce_bit = wrap_flags & BIT(1); 767 + struct plpks_var var = { 768 + .name = PLPKS_WRAPKEY_NAME, 769 + .namelen = strlen(var.name), 770 + .os = PLPKS_VAR_LINUX, 771 + .component = PLPKS_WRAPKEY_COMPONENT 772 + }; 773 + 774 + auth = construct_auth(PLPKS_OS_OWNER); 775 + if (IS_ERR(auth)) 776 + return PTR_ERR(auth); 777 + 778 + label = construct_label(var.component, var.os, var.name, var.namelen); 779 + if (IS_ERR(label)) { 780 + rc = PTR_ERR(label); 781 + goto out; 782 + } 783 + 784 + /* Set the consumer password requirement bit. A must have. */ 785 + objwrapflags |= WRAPFLAG_BE_BIT_SET(3); 786 + 787 + /* Set the wrapping algorithm bit. Just one algorithm option for now */ 788 + objwrapflags |= WRAPFLAG_BE_FIELD_PREP(60, 63, 0x1); 789 + 790 + if (sb_audit_or_enforce_bit & sb_enforce_bit) { 791 + pr_err("Cannot set both audit/enforce and enforce bits."); 792 + rc = -EINVAL; 793 + goto out_free_label; 794 + } else if (sb_audit_or_enforce_bit) { 795 + objwrapflags |= WRAPFLAG_BE_BIT_SET(1); 796 + } else if (sb_enforce_bit) { 797 + objwrapflags |= WRAPFLAG_BE_BIT_SET(2); 798 + } 799 + 800 + *output_len = input_len + PLPKS_WRAPPING_BUF_DIFF; 801 + 802 + *output_buf = kzalloc(ALIGN(*output_len, PLPKS_WRAPPING_BUF_ALIGN), 803 + GFP_KERNEL); 804 + if (!(*output_buf)) { 805 + pr_err("Output buffer allocation failed. Returning -ENOMEM."); 806 + rc = -ENOMEM; 807 + goto out_free_label; 808 + } 809 + 810 + do { 811 + rc = plpar_hcall9(H_PKS_WRAP_OBJECT, retbuf, 812 + virt_to_phys(auth), virt_to_phys(label), 813 + label->size, objwrapflags, 814 + virt_to_phys(*input_buf), input_len, 815 + virt_to_phys(*output_buf), *output_len, 816 + continuetoken); 817 + 818 + continuetoken = retbuf[0]; 819 + pseries_status = rc; 820 + rc = pseries_status_to_err(rc); 821 + } while (rc == -EBUSY); 822 + 823 + if (rc) { 824 + pr_err("H_PKS_WRAP_OBJECT failed. pseries_status=%d, rc=%d", 825 + pseries_status, rc); 826 + kfree(*output_buf); 827 + *output_buf = NULL; 828 + } else { 829 + *output_len = retbuf[1]; 830 + } 831 + 832 + out_free_label: 833 + kfree(label); 834 + out: 835 + kfree(auth); 836 + return rc; 837 + } 838 + EXPORT_SYMBOL_GPL(plpks_wrap_object); 839 + 840 + /** 841 + * plpks_unwrap_object() - Unwrap an object using the default wrapping key 842 + * stored in the PLPKS. 843 + * @input_buf: buffer containing the data to be unwrapped 844 + * @input_len: length of the input buffer 845 + * @output_buf: buffer to store the unwrapped data 846 + * @output_len: length of the output buffer 847 + * 848 + * The H_PKS_UNWRAP_OBJECT HCALL unwraps an object that was previously wrapped 849 + * using the H_PKS_WRAP_OBJECT HCALL. 850 + * 851 + * Possible reasons for the returned errno values: 852 + * 853 + * -ENXIO if PLPKS is not supported 854 + * -EIO if PLPKS access is blocked due to the LPAR's state 855 + * if PLPKS modification is blocked due to the LPAR's state 856 + * if an error occurred while processing the request 857 + * -EINVAL if invalid authorization parameter 858 + * if invalid or unsupported object unwrapping flags 859 + * if invalid input buffer parameter 860 + * if invalid input buffer length parameter 861 + * if invalid output buffer parameter 862 + * if invalid output buffer length parameter 863 + * if invalid continue token parameter 864 + * if the wrapping key is not compatible with the wrapping 865 + * algorithm 866 + * if the wrapped object's format is not supported 867 + * if the wrapped object is invalid 868 + * -EPERM if access is denied 869 + * -ENOENT if the wrapping key for the provided object was not found 870 + * -EBUSY if unable to handle the request or long running operation 871 + * initiated, retry later. 872 + * 873 + * Returns: On success 0 is returned, a negative errno if not. 874 + */ 875 + int plpks_unwrap_object(u8 **input_buf, u32 input_len, u8 **output_buf, 876 + u32 *output_len) 877 + { 878 + unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = { 0 }; 879 + struct plpks_auth *auth; 880 + u64 continuetoken = 0; 881 + u64 objwrapflags = 0; 882 + int rc = 0, pseries_status = 0; 883 + 884 + auth = construct_auth(PLPKS_OS_OWNER); 885 + if (IS_ERR(auth)) 886 + return PTR_ERR(auth); 887 + 888 + *output_len = input_len - PLPKS_WRAPPING_BUF_DIFF; 889 + *output_buf = kzalloc(ALIGN(*output_len, PLPKS_WRAPPING_BUF_ALIGN), 890 + GFP_KERNEL); 891 + if (!(*output_buf)) { 892 + pr_err("Output buffer allocation failed. Returning -ENOMEM."); 893 + rc = -ENOMEM; 894 + goto out; 895 + } 896 + 897 + do { 898 + rc = plpar_hcall9(H_PKS_UNWRAP_OBJECT, retbuf, 899 + virt_to_phys(auth), objwrapflags, 900 + virt_to_phys(*input_buf), input_len, 901 + virt_to_phys(*output_buf), *output_len, 902 + continuetoken); 903 + 904 + continuetoken = retbuf[0]; 905 + pseries_status = rc; 906 + rc = pseries_status_to_err(rc); 907 + } while (rc == -EBUSY); 908 + 909 + if (rc) { 910 + pr_err("H_PKS_UNWRAP_OBJECT failed. pseries_status=%d, rc=%d", 911 + pseries_status, rc); 912 + kfree(*output_buf); 913 + *output_buf = NULL; 914 + } else { 915 + *output_len = retbuf[1]; 916 + } 917 + 918 + out: 919 + kfree(auth); 920 + return rc; 921 + } 922 + EXPORT_SYMBOL_GPL(plpks_unwrap_object); 923 + 924 + /** 925 + * plpks_read_os_var() - Fetch the data for the specified variable that is owned 926 + * by the OS consumer. 927 + * @var: variable to be read from the PLPKS 928 + * 929 + * The consumer or the owner of the object is the os kernel. The 930 + * H_PKS_READ_OBJECT HCALL reads an object from the PLPKS. The caller must 931 + * allocate the buffer var->data and specify the length for this buffer in 932 + * var->datalen. If no buffer is provided, var->datalen will be populated with 933 + * the requested object's size. 934 + * 935 + * Possible reasons for the returned errno values: 936 + * 937 + * -ENXIO if PLPKS is not supported 938 + * -EIO if PLPKS access is blocked due to the LPAR's state 939 + * if an error occurred while processing the request 940 + * -EINVAL if invalid authorization parameter 941 + * if invalid object label parameter 942 + * if invalid object label len parameter 943 + * if invalid output data parameter 944 + * if invalid output data len parameter 945 + * -EPERM if access is denied 946 + * -ENOENT if the requested object was not found 947 + * -EFBIG if the requested object couldn't be 948 + * stored in the buffer provided 949 + * -EBUSY if unable to handle the request 950 + * 951 + * Returns: On success 0 is returned, a negative errno if not. 952 + */ 885 953 int plpks_read_os_var(struct plpks_var *var) 886 954 { 887 955 return plpks_read_var(PLPKS_OS_OWNER, var); 888 956 } 889 957 958 + /** 959 + * plpks_read_fw_var() - Fetch the data for the specified variable that is 960 + * owned by the firmware consumer. 961 + * @var: variable to be read from the PLPKS 962 + * 963 + * The consumer or the owner of the object is the firmware. The 964 + * H_PKS_READ_OBJECT HCALL reads an object from the PLPKS. The caller must 965 + * allocate the buffer var->data and specify the length for this buffer in 966 + * var->datalen. If no buffer is provided, var->datalen will be populated with 967 + * the requested object's size. 968 + * 969 + * Possible reasons for the returned errno values: 970 + * 971 + * -ENXIO if PLPKS is not supported 972 + * -EIO if PLPKS access is blocked due to the LPAR's state 973 + * if an error occurred while processing the request 974 + * -EINVAL if invalid authorization parameter 975 + * if invalid object label parameter 976 + * if invalid object label len parameter 977 + * if invalid output data parameter 978 + * if invalid output data len parameter 979 + * -EPERM if access is denied 980 + * -ENOENT if the requested object was not found 981 + * -EFBIG if the requested object couldn't be 982 + * stored in the buffer provided 983 + * -EBUSY if unable to handle the request 984 + * 985 + * Returns: On success 0 is returned, a negative errno if not. 986 + */ 890 987 int plpks_read_fw_var(struct plpks_var *var) 891 988 { 892 989 return plpks_read_var(PLPKS_FW_OWNER, var); 893 990 } 894 991 992 + /** 993 + * plpks_read_bootloader_var() - Fetch the data for the specified variable 994 + * owned by the bootloader consumer. 995 + * @var: variable to be read from the PLPKS 996 + * 997 + * The consumer or the owner of the object is the bootloader. The 998 + * H_PKS_READ_OBJECT HCALL reads an object from the PLPKS. The caller must 999 + * allocate the buffer var->data and specify the length for this buffer in 1000 + * var->datalen. If no buffer is provided, var->datalen will be populated with 1001 + * the requested object's size. 1002 + * 1003 + * Possible reasons for the returned errno values: 1004 + * 1005 + * -ENXIO if PLPKS is not supported 1006 + * -EIO if PLPKS access is blocked due to the LPAR's state 1007 + * if an error occurred while processing the request 1008 + * -EINVAL if invalid authorization parameter 1009 + * if invalid object label parameter 1010 + * if invalid object label len parameter 1011 + * if invalid output data parameter 1012 + * if invalid output data len parameter 1013 + * -EPERM if access is denied 1014 + * -ENOENT if the requested object was not found 1015 + * -EFBIG if the requested object couldn't be 1016 + * stored in the buffer provided 1017 + * -EBUSY if unable to handle the request 1018 + * 1019 + * Returns: On success 0 is returned, a negative errno if not. 1020 + */ 895 1021 int plpks_read_bootloader_var(struct plpks_var *var) 896 1022 { 897 1023 return plpks_read_var(PLPKS_BOOTLOADER_OWNER, var); 898 1024 } 899 1025 1026 + /** 1027 + * plpks_populate_fdt(): Populates the FDT with the PLPKS password to prepare 1028 + * for kexec. 1029 + * @fdt: pointer to the device tree blob 1030 + * 1031 + * Upon confirming the existence of the chosen node, invoke fdt_setprop to 1032 + * populate the device tree with the PLPKS password in order to prepare for 1033 + * kexec. 1034 + * 1035 + * Returns: On success 0 is returned, a negative value if not. 1036 + */ 900 1037 int plpks_populate_fdt(void *fdt) 901 1038 { 902 1039 int chosen_offset = fdt_path_offset(fdt, "/chosen"); ··· 1310 647 return fdt_setprop(fdt, chosen_offset, "ibm,plpks-pw", ospassword, ospasswordlength); 1311 648 } 1312 649 1313 - // Once a password is registered with the hypervisor it cannot be cleared without 1314 - // rebooting the LPAR, so to keep using the PLPKS across kexec boots we need to 1315 - // recover the previous password from the FDT. 1316 - // 1317 - // There are a few challenges here. We don't want the password to be visible to 1318 - // users, so we need to clear it from the FDT. This has to be done in early boot. 1319 - // Clearing it from the FDT would make the FDT's checksum invalid, so we have to 1320 - // manually cause the checksum to be recalculated. 650 + /** 651 + * plpks_early_init_devtree() - Retrieves and clears the PLPKS password from the 652 + * DT in early init. 653 + * 654 + * Once a password is registered with the hypervisor it cannot be cleared 655 + * without rebooting the LPAR, so to keep using the PLPKS across kexec boots we 656 + * need to recover the previous password from the FDT. 657 + * 658 + * There are a few challenges here. We don't want the password to be visible to 659 + * users, so we need to clear it from the FDT. This has to be done in early 660 + * boot. Clearing it from the FDT would make the FDT's checksum invalid, so we 661 + * have to manually cause the checksum to be recalculated. 662 + */ 1321 663 void __init plpks_early_init_devtree(void) 1322 664 { 1323 665 void *fdt = initial_boot_params;

+6 -1

include/keys/trusted-type.h

··· 19 19 20 20 #define MIN_KEY_SIZE 32 21 21 #define MAX_KEY_SIZE 128 22 - #define MAX_BLOB_SIZE 512 22 + #if IS_ENABLED(CONFIG_TRUSTED_KEYS_PKWM) 23 + #define MAX_BLOB_SIZE 1152 24 + #else 25 + #define MAX_BLOB_SIZE 512 26 + #endif 23 27 #define MAX_PCRINFO_SIZE 64 24 28 #define MAX_DIGEST_SIZE 64 25 29 ··· 50 46 uint32_t policydigest_len; 51 47 unsigned char policydigest[MAX_DIGEST_SIZE]; 52 48 uint32_t policyhandle; 49 + void *private; 53 50 }; 54 51 55 52 struct trusted_key_ops {

+33

include/keys/trusted_pkwm.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + #ifndef __PKWM_TRUSTED_KEY_H 3 + #define __PKWM_TRUSTED_KEY_H 4 + 5 + #include <keys/trusted-type.h> 6 + #include <linux/bitops.h> 7 + #include <linux/printk.h> 8 + 9 + extern struct trusted_key_ops pkwm_trusted_key_ops; 10 + 11 + struct trusted_pkwm_options { 12 + u16 wrap_flags; 13 + }; 14 + 15 + static inline void dump_options(struct trusted_key_options *o) 16 + { 17 + const struct trusted_pkwm_options *pkwm; 18 + bool sb_audit_or_enforce_bit; 19 + bool sb_enforce_bit; 20 + 21 + pkwm = o->private; 22 + sb_audit_or_enforce_bit = pkwm->wrap_flags & BIT(0); 23 + sb_enforce_bit = pkwm->wrap_flags & BIT(1); 24 + 25 + if (sb_audit_or_enforce_bit) 26 + pr_debug("secure boot mode required: audit or enforce"); 27 + else if (sb_enforce_bit) 28 + pr_debug("secure boot mode required: enforce"); 29 + else 30 + pr_debug("secure boot mode required: disabled"); 31 + } 32 + 33 + #endif

+4

include/linux/dma-map-ops.h

··· 395 395 int nents); 396 396 bool arch_dma_unmap_sg_direct(struct device *dev, struct scatterlist *sg, 397 397 int nents); 398 + bool arch_dma_alloc_direct(struct device *dev); 399 + bool arch_dma_free_direct(struct device *dev, dma_addr_t dma_handle); 398 400 #else 399 401 #define arch_dma_map_phys_direct(d, a) (false) 400 402 #define arch_dma_unmap_phys_direct(d, a) (false) 401 403 #define arch_dma_map_sg_direct(d, s, n) (false) 402 404 #define arch_dma_unmap_sg_direct(d, s, n) (false) 405 + #define arch_dma_alloc_direct(d) (false) 406 + #define arch_dma_free_direct(d, a) (false) 403 407 #endif 404 408 405 409 #ifdef CONFIG_ARCH_HAS_SETUP_DMA_OPS

+2 -2

kernel/dma/mapping.c

··· 638 638 /* let the implementation decide on the zone to allocate from: */ 639 639 flag &= ~(__GFP_DMA | __GFP_DMA32 | __GFP_HIGHMEM); 640 640 641 - if (dma_alloc_direct(dev, ops)) { 641 + if (dma_alloc_direct(dev, ops) || arch_dma_alloc_direct(dev)) { 642 642 cpu_addr = dma_direct_alloc(dev, size, dma_handle, flag, attrs); 643 643 } else if (use_dma_iommu(dev)) { 644 644 cpu_addr = iommu_dma_alloc(dev, size, dma_handle, flag, attrs); ··· 679 679 return; 680 680 681 681 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle); 682 - if (dma_alloc_direct(dev, ops)) 682 + if (dma_alloc_direct(dev, ops) || arch_dma_free_direct(dev, dma_handle)) 683 683 dma_direct_free(dev, size, cpu_addr, dma_handle, attrs); 684 684 else if (use_dma_iommu(dev)) 685 685 iommu_dma_free(dev, size, cpu_addr, dma_handle, attrs);

+8

security/keys/trusted-keys/Kconfig

··· 46 46 help 47 47 Enable use of NXP's DCP (Data Co-Processor) as trusted key backend. 48 48 49 + config TRUSTED_KEYS_PKWM 50 + bool "PKWM-based trusted keys" 51 + depends on PSERIES_PLPKS >= TRUSTED_KEYS 52 + default y 53 + select HAVE_TRUSTED_KEYS 54 + help 55 + Enable use of IBM PowerVM Key Wrapping Module (PKWM) as a trusted key backend. 56 + 49 57 if !HAVE_TRUSTED_KEYS 50 58 comment "No trust source selected!" 51 59 endif

+2

security/keys/trusted-keys/Makefile

··· 16 16 trusted-$(CONFIG_TRUSTED_KEYS_CAAM) += trusted_caam.o 17 17 18 18 trusted-$(CONFIG_TRUSTED_KEYS_DCP) += trusted_dcp.o 19 + 20 + trusted-$(CONFIG_TRUSTED_KEYS_PKWM) += trusted_pkwm.o

+5 -1

security/keys/trusted-keys/trusted_core.c

··· 12 12 #include <keys/trusted_caam.h> 13 13 #include <keys/trusted_dcp.h> 14 14 #include <keys/trusted_tpm.h> 15 + #include <keys/trusted_pkwm.h> 15 16 #include <linux/capability.h> 16 17 #include <linux/err.h> 17 18 #include <linux/init.h> ··· 32 31 33 32 static char *trusted_key_source; 34 33 module_param_named(source, trusted_key_source, charp, 0); 35 - MODULE_PARM_DESC(source, "Select trusted keys source (tpm, tee, caam or dcp)"); 34 + MODULE_PARM_DESC(source, "Select trusted keys source (tpm, tee, caam, dcp or pkwm)"); 36 35 37 36 static const struct trusted_key_source trusted_key_sources[] = { 38 37 #if defined(CONFIG_TRUSTED_KEYS_TPM) ··· 46 45 #endif 47 46 #if defined(CONFIG_TRUSTED_KEYS_DCP) 48 47 { "dcp", &dcp_trusted_key_ops }, 48 + #endif 49 + #if defined(CONFIG_TRUSTED_KEYS_PKWM) 50 + { "pkwm", &pkwm_trusted_key_ops }, 49 51 #endif 50 52 }; 51 53

+190

security/keys/trusted-keys/trusted_pkwm.c

··· 1 + // SPDX-License-Identifier: GPL-2.0-only 2 + /* 3 + * Copyright (C) 2025 IBM Corporation, Srish Srinivasan <ssrish@linux.ibm.com> 4 + */ 5 + 6 + #include <keys/trusted_pkwm.h> 7 + #include <keys/trusted-type.h> 8 + #include <linux/build_bug.h> 9 + #include <linux/key-type.h> 10 + #include <linux/parser.h> 11 + #include <asm/plpks.h> 12 + 13 + enum { 14 + Opt_err, 15 + Opt_wrap_flags, 16 + }; 17 + 18 + static const match_table_t key_tokens = { 19 + {Opt_wrap_flags, "wrap_flags=%s"}, 20 + {Opt_err, NULL} 21 + }; 22 + 23 + static int getoptions(char *datablob, struct trusted_key_options *opt) 24 + { 25 + substring_t args[MAX_OPT_ARGS]; 26 + char *p = datablob; 27 + int token; 28 + int res; 29 + u16 wrap_flags; 30 + unsigned long token_mask = 0; 31 + struct trusted_pkwm_options *pkwm; 32 + 33 + if (!datablob) 34 + return 0; 35 + 36 + pkwm = opt->private; 37 + 38 + while ((p = strsep(&datablob, " \t"))) { 39 + if (*p == '\0' || *p == ' ' || *p == '\t') 40 + continue; 41 + 42 + token = match_token(p, key_tokens, args); 43 + if (test_and_set_bit(token, &token_mask)) 44 + return -EINVAL; 45 + 46 + switch (token) { 47 + case Opt_wrap_flags: 48 + res = kstrtou16(args[0].from, 16, &wrap_flags); 49 + if (res < 0 || wrap_flags > 2) 50 + return -EINVAL; 51 + pkwm->wrap_flags = wrap_flags; 52 + break; 53 + default: 54 + return -EINVAL; 55 + } 56 + } 57 + return 0; 58 + } 59 + 60 + static struct trusted_key_options *trusted_options_alloc(void) 61 + { 62 + struct trusted_key_options *options; 63 + struct trusted_pkwm_options *pkwm; 64 + 65 + options = kzalloc(sizeof(*options), GFP_KERNEL); 66 + 67 + if (options) { 68 + pkwm = kzalloc(sizeof(*pkwm), GFP_KERNEL); 69 + 70 + if (!pkwm) { 71 + kfree_sensitive(options); 72 + options = NULL; 73 + } else { 74 + options->private = pkwm; 75 + } 76 + } 77 + 78 + return options; 79 + } 80 + 81 + static int trusted_pkwm_seal(struct trusted_key_payload *p, char *datablob) 82 + { 83 + struct trusted_key_options *options = NULL; 84 + struct trusted_pkwm_options *pkwm = NULL; 85 + u8 *input_buf, *output_buf; 86 + u32 output_len, input_len; 87 + int rc; 88 + 89 + options = trusted_options_alloc(); 90 + 91 + if (!options) 92 + return -ENOMEM; 93 + 94 + rc = getoptions(datablob, options); 95 + if (rc < 0) 96 + goto out; 97 + dump_options(options); 98 + 99 + input_len = p->key_len; 100 + input_buf = kmalloc(ALIGN(input_len, 4096), GFP_KERNEL); 101 + if (!input_buf) { 102 + pr_err("Input buffer allocation failed. Returning -ENOMEM."); 103 + rc = -ENOMEM; 104 + goto out; 105 + } 106 + 107 + memcpy(input_buf, p->key, p->key_len); 108 + 109 + pkwm = options->private; 110 + 111 + rc = plpks_wrap_object(&input_buf, input_len, pkwm->wrap_flags, 112 + &output_buf, &output_len); 113 + if (!rc) { 114 + memcpy(p->blob, output_buf, output_len); 115 + p->blob_len = output_len; 116 + dump_payload(p); 117 + } else { 118 + pr_err("Wrapping of payload key failed: %d\n", rc); 119 + } 120 + 121 + kfree(input_buf); 122 + kfree(output_buf); 123 + 124 + out: 125 + kfree_sensitive(options->private); 126 + kfree_sensitive(options); 127 + return rc; 128 + } 129 + 130 + static int trusted_pkwm_unseal(struct trusted_key_payload *p, char *datablob) 131 + { 132 + u8 *input_buf, *output_buf; 133 + u32 input_len, output_len; 134 + int rc; 135 + 136 + input_len = p->blob_len; 137 + input_buf = kmalloc(ALIGN(input_len, 4096), GFP_KERNEL); 138 + if (!input_buf) { 139 + pr_err("Input buffer allocation failed. Returning -ENOMEM."); 140 + return -ENOMEM; 141 + } 142 + 143 + memcpy(input_buf, p->blob, p->blob_len); 144 + 145 + rc = plpks_unwrap_object(&input_buf, input_len, &output_buf, 146 + &output_len); 147 + if (!rc) { 148 + memcpy(p->key, output_buf, output_len); 149 + p->key_len = output_len; 150 + dump_payload(p); 151 + } else { 152 + pr_err("Unwrapping of payload failed: %d\n", rc); 153 + } 154 + 155 + kfree(input_buf); 156 + kfree(output_buf); 157 + 158 + return rc; 159 + } 160 + 161 + static int trusted_pkwm_init(void) 162 + { 163 + int ret; 164 + 165 + if (!plpks_wrapping_is_supported()) { 166 + pr_err("H_PKS_WRAP_OBJECT interface not supported\n"); 167 + return -ENODEV; 168 + } 169 + 170 + ret = plpks_gen_wrapping_key(); 171 + if (ret) { 172 + pr_err("Failed to generate default wrapping key\n"); 173 + return -EINVAL; 174 + } 175 + 176 + return register_key_type(&key_type_trusted); 177 + } 178 + 179 + static void trusted_pkwm_exit(void) 180 + { 181 + unregister_key_type(&key_type_trusted); 182 + } 183 + 184 + struct trusted_key_ops pkwm_trusted_key_ops = { 185 + .migratable = 0, /* non-migratable */ 186 + .init = trusted_pkwm_init, 187 + .seal = trusted_pkwm_seal, 188 + .unseal = trusted_pkwm_unseal, 189 + .exit = trusted_pkwm_exit, 190 + };

Configure Feed

Configure Feed