From:
Hans-Jörg Höxer <Hans-Joerg_Hoexer@genua.de>
Subject:
AMD SEV 1/5: ccp(4): pledge for ioctl(2
To:
<tech@openbsd.org>, <mlarkin@nested.page>, <dv@sisu.io>, <alexander.bluhm@gmx.net>
Cc:
<Hans-Joerg_Hoexer@genua.de>
Date:
Wed, 28 Aug 2024 15:23:58 +0200

Hi,

this is the last batch of diffs for AMD SEV support.

This one limits the ccp(4) ioctl(2) to the pledge vmm.  This will allow
vmd(8) to access ccp(4).

Take care,
HJ.

-----------------------------------------------------------------------
commit 3e5cdfe32cd0416fd232ae0a4bc064b2a04b1c7a
Author: Hans-Joerg Hoexer <hshoexer@genua.de>
Date:   Wed Jul 24 13:54:17 2024 +0200

    ccp(4): pledge for ioctl(2)
    
    Limit ccp(4) ioctls to processes that pledge vmm.

diff --git a/sys/arch/amd64/include/conf.h b/sys/arch/amd64/include/conf.h
index 5a2b10fe45b..7e87c2f539d 100644
--- a/sys/arch/amd64/include/conf.h
+++ b/sys/arch/amd64/include/conf.h
@@ -54,3 +54,6 @@ cdev_decl(pctr);
 
 #include "vmm.h"
 cdev_decl(vmm);
+
+#include "ccp.h"
+cdev_decl(psp);
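Review bot: the new `cdev_decl(psp)` is added under `#include "ccp.h"`, so the header name and the cdev name differ; a one-line comment that ccp.h supplies the NCCP count consumed by kern_pledge.c and that psp is the ccp(4) character device would save readers a lookup. The placement itself mirrors the unconditional `cdev_decl(vmm)` directly above it, so no extra guard is needed here.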
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index 6ee11243037..e33d65ae1de 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -76,6 +76,7 @@
 #if NVMM > 0
 #include <machine/conf.h>
 #endif
+#include "ccp.h"
 #endif
 
 #include "drm.h"
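Review bot: `#include "ccp.h"` lands inside the outer conditional that closes at the `#endif` right below it, so NCCP is only defined when that block is compiled and the later `#if NCCP > 0` relies on an undefined macro evaluating to 0 in every other configuration. That is the same convention already used for NVMM a few lines up, so it is acceptable, but please confirm the outer guard is the intended architecture condition; if ccp(4) is meant to be reachable from more configurations than vmm(4), the include belongs next to `#include "drm.h"` outside that block instead.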
@@ -1349,6 +1350,18 @@ pledge_ioctl(struct proc *p, long com, struct file *fp)
 	}
 #endif
 
+#if NCCP > 0
+#if NVMM > 0
+	if ((pledge & PLEDGE_VMM)) {
+		if ((fp->f_type == DTYPE_VNODE) &&
+		    (vp->v_type == VCHR) &&
+		    (cdevsw[major(vp->v_rdev)].d_open == pspopen)) {
+			return (0);
+		}
+	}
+#endif
+#endif
+
 	return pledge_fail(p, error, PLEDGE_TTY);
 }
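Review bot: the new branch returns 0 for every ioctl on the psp device once the process holds PLEDGE_VMM, without looking at `com`, so pledging vmm grants the entire ccp(4) ioctl surface rather than the SEV commands vmd(8) actually issues. If that breadth is intended, say so in a comment and update the vmm description in pledge(2) accordingly; otherwise match `com` against the specific PSP ioctl commands before `return (0)`. The dereference order is correct, assuming `vp` was taken from `fp->f_data` earlier in pledge_ioctl(): `fp->f_type == DTYPE_VNODE` is checked before `vp->v_type` and `vp->v_rdev` are read. Minor style: `if ((pledge & PLEDGE_VMM))` does not need the doubled parentheses.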