crypto: ccp: Fixup the capability of Hygon PSP during initialization

hygon inclusion
category: feature
CVE: NA

---------------------------

The meaning of the data read from feature register of Hygon PSP is not
exactly the same as AMD ASP. The bit 1 in feature register is used to
indicates TEE in AMD ASP, but not in Hygon PSP, which will cause host
to crash during module initialization, as shown below.

[   27.898723] BUG: kernel NULL pointer dereference, address: 0000000000000014
[   27.906503] #PF: supervisor read access in kernel mode
[   27.912242] #PF: error_code(0x0000) - not-present page
[   27.917981] PGD 0 P4D 0
[   27.920810] Oops: 0000 [#1] PREEMPT SMP NOPTI
[   27.925676] CPU: 67 PID: 1668 Comm: systemd-udevd Not tainted 6.6.7-for-gerrit #3
[   27.934033] Hardware name: HYGON Hygon65N32/65N32, BIOS A0173036 02/01/2023
[   27.941807] RIP: 0010:psp_firmware_is_visible+0x3c/0x70 [ccp]
[   27.948240] Code: 00 00 48 85 c0 74 12 48 81 fe e0 54 53 c1 74 2f 48 81 fe c0 54 53 c1 74 03 31 c0 c3 f6 40 70 02 74 f7 48 8b 50 10 48 8b 52 08 <8b> 52 14 85 d2 74 e8 48 03 50 38 48 89 d7 e8 51 71 0a d7 eb 14 48
[   27.969204] RSP: 0018:ffffc9000b80fa70 EFLAGS: 00010202
[   27.975039] RAX: ffff888113c2d9a8 RBX: ffffffffc1535460 RCX: 0000000000000124
[   27.983008] RDX: 0000000000000000 RSI: ffffffffc15354c0 RDI: ffff8888830dc0c0
[   27.993320] RBP: ffff888883060980 R08: 0000000000000001 R09: 00000006c8df7639
[   28.005756] R10: ffff888100258278 R11: 0000000000000100 R12: ffff8888830dc0c0
[   28.019695] R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffc1535490
[   28.032285] FS:  00007f7c9ba2b880(0000) GS:ffff88885fcc0000(0000) knlGS:0000000000000000
[   28.044626] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   28.054928] CR2: 0000000000000014 CR3: 0000800106e50000 CR4: 00000000003506e0
[   28.065028] Call Trace:
[   28.067751]  <TASK>
[   28.070095]  ? __die_body+0x1f/0x60
[   28.073995]  ? page_fault_oops+0x15d/0x460
[   28.078573]  ? exc_page_fault+0x78/0x170
[   28.082956]  ? asm_exc_page_fault+0x26/0x30
[   28.087632]  ? psp_firmware_is_visible+0x3c/0x70 [ccp]
[   28.093384]  internal_create_group+0xde/0x3a0
[   28.093392]  internal_create_groups.part.0+0x3d/0xa0
[   28.093396]  really_probe+0x197/0x3c0
[   28.093402]  ? __device_attach_driver+0x100/0x100
[[ 0 ;2382.m0 9 3O4K0 5 ] __driver_probe_device+0x78/0x160
[   28.093409]  driver_probe_device+0x1e/0xa0
[   28.126379]  __driver_attach+0xaa/0x160
[   28.130667]  ? __device_attach_driver+0x100/0x100
[   28.135921]  bus_for_each_dev+0x75/0xc0
[   28.142419]  bus_add_driver+0x112/0x210
[   28.149240]  driver_register+0x5c/0x110
[   28.154875]  ? 0xffffffffc14a4000
[   28.160197]  sp_mod_init+0x10/0x1000 [ccp]
[   28.166164]  do_one_initcall+0x45/0x210
[   28.170453]  ? kmalloc_trace+0x29/0x90
[   28.174642]  do_init_module+0x64/0x240
[   28.178831]  load_module+0x1d84/0x2010
[   28.183024]  ? init_module_from_file+0x8b/0xd0
[   28.187986]  init_module_from_file+0x8b/0xd0
[   28.192763]  do_syscall_64+0x39/0x80
[   28.206672]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   28.212318] RIP: 0033:0x7f7c9b91ea3d
[   28.216312] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c3 a3 0f 00 f7 d8 64 89 01 48
[   28.237272] RSP: 002b:00007ffe6cee5368 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[   28.245725] RAX: ffffffffffffffda RBX: 000055700e302260 RCX: 00007f7c9b91ea3d
[   28.253691] RDX: 0000000000000000 RSI: 00007f7c9ba5cded RDI: 0000000000000006
[   28.261658] RBP: 0000000000020000 R08: 0000000000000000 R09: 000055700e4d3188
[   28.269624] R10: 0000000000000006 R11: 0000000000000246 R12: 00007f7c9ba5cded
[   28.277590] R13: 0000000000000000 R14: 000055700e4cb7b0 R15: 000055700e302260
[   28.285552]  </TASK>
[   28.287995] Modules linked in: k10temp ccp(+) drm_kms_helper ipmi_si(+) ipmi_devintf ipmi_msghandler mac_hid sch_fq_codel parport_pc ppdev lp parport ramoops drm reed_solomon efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear igb i2c_algo_bit dca ptp crc32_pclmul pps_core ahci libahci i2c_piix4 hid_generic usbhid hid
[   28.288027] CR2: 0000000000000014
[   28.288031] ---[ end trace 0000000000000000 ]---
[   28.533899] ipmi_si IPI0001:00: IPMI message handler: Found new BMC (man_id: 0x00d455, prod_id: 0x0202, dev_id: 0x20)
[   28.604507] RIP: 0010:psp_firmware_is_visible+0x3c/0x70 [ccp]
[   28.604527] Code: 00 00 48 85 c0 74 12 48 81 fe e0 54 53 c1 74 2f 48 81 fe c0 54 53 c1 74 03 31 c0 c3 f6 40 70 02 74 f7 48 8b 50 10 48 8b 52 08 <8b> 52 14 85 d2 74 e8 48 03 50 38 48 89 d7 e8 51 71 0a d7 eb 14 48
[   28.604530] RSP: 0018:ffffc9000b80fa70 EFLAGS: 00010202
[   28.604533] RAX: ffff888113c2d9a8 RBX: ffffffffc1535460 RCX: 0000000000000124
[   28.604535] RDX: 0000000000000000 RSI: ffffffffc15354c0 RDI: ffff8888830dc0c0
[   28.604536] RBP: ffff888883060980 R08: 0000000000000001 R09: 00000006c8df7639
[   28.604537] R10: ffff888100258278 R11: 0000000000000100 R12: ffff8888830dc0c0
[   28.604539] R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffc1535490
[   28.604540] FS:  00007f7c9ba2b880(0000) GS:ffff88885fcc0000(0000) knlGS:0000000000000000
[   28.604542] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   28.604543] CR2: 0000000000000014 CR3: 0000800106e50000 CR4: 00000000003506e0

Also, the meaning of bit 7 in the feature register of Hygon PSP is not
the same as AMD ASP.

The Hygon PSP works only when CSV is configured in feature register.

Signed-off-by: hanliyang <[email protected]>

Author: hanliyang

drivers/crypto/ccp/hygon/psp-dev.c

@@ -17,3 +17,14 @@
 
 /* Function and variable pointers for hooks */
 struct hygon_psp_hooks_table hygon_psp_hooks;
+
+int fixup_hygon_psp_caps(struct psp_device *psp)
+{
+	/* the hygon psp is unavailable if bit0 is cleared in feature reg */
+	if (!(psp->capability & PSP_CAPABILITY_SEV))
+		return -ENODEV;
+
+	psp->capability &= ~(PSP_CAPABILITY_TEE |
+			     PSP_CAPABILITY_PSP_SECURITY_REPORTING);
+	return 0;
+}

drivers/crypto/ccp/hygon/psp-dev.h

@@ -27,4 +27,6 @@ extern struct hygon_psp_hooks_table {
 	int (*__sev_do_cmd_locked)(int cmd, void *data, int *psp_ret);
 } hygon_psp_hooks;
 
+int fixup_hygon_psp_caps(struct psp_device *psp);
+
 #endif	/* __CCP_HYGON_PSP_DEV_H__ */

drivers/crypto/ccp/psp-dev.c

@@ -17,6 +17,8 @@
 #include "platform-access.h"
 #include "dbc.h"
 
+#include "hygon/psp-dev.h"
+
 struct psp_device *psp_master;
 
 static struct psp_device *psp_alloc_struct(struct sp_device *sp)
@@ -73,6 +75,17 @@ static unsigned int psp_get_capability(struct psp_device *psp)
 	}
 	psp->capability = val;
 
+	/*
+	 * Fix capability of Hygon psp, the meaning of Hygon psp feature
+	 * register is not exactly the same as AMD.
+	 * Return -ENODEV directly if hygon psp not configured with CSV
+	 * capability.
+	 */
+	if (is_vendor_hygon()) {
+		if (fixup_hygon_psp_caps(psp))
+			return -ENODEV;
+	}
+
 	/* Detect if TSME and SME are both enabled */
 	if (psp->capability & PSP_CAPABILITY_PSP_SECURITY_REPORTING &&
 	    psp->capability & (PSP_SECURITY_TSME_STATUS << PSP_CAPABILITY_PSP_SECURITY_OFFSET) &&