From: Joakim Bech <joakim.bech@linaro.org>
To: "Alex Bennée" <alex.bennee@linaro.org>
Cc: jean-philippe@linaro.org, maxim.uvarov@linaro.org,
bing.zhu@intel.com, Matti.Moell@opensynergy.com,
virtualization@lists.linuxfoundation.org,
ilias.apalodimas@linaro.org, qemu-devel@nongnu.org,
arnd@linaro.org, takahiro.akashi@linaro.org,
tomas.winkler@intel.com, stratos-dev@op-lists.linaro.org,
hmo@opensynergy.com, yang.huang@intel.com
Subject: Re: [RFC PATCH 15/19] tools/vhost-user-rpmb: implement VIRTIO_RPMB_REQ_DATA_WRITE
Date: Mon, 28 Sep 2020 15:52:01 +0200 [thread overview]
Message-ID: <20200928135201.GA9143@goby> (raw)
In-Reply-To: <20200925125147.26943-16-alex.bennee@linaro.org>
On Fri, Sep 25, 2020 at 01:51:43PM +0100, Alex Bennée wrote:
> With this command we are finally updating data to the backing store
> and cycling the write_count and each successful write. We also include
> the write count in all response frames as the spec is a little unclear
> but the example test code expected it.
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> ---
> tools/vhost-user-rpmb/main.c | 111 +++++++++++++++++++++++++++++++++--
> 1 file changed, 105 insertions(+), 6 deletions(-)
>
> diff --git a/tools/vhost-user-rpmb/main.c b/tools/vhost-user-rpmb/main.c
> index 88747c50fa44..a17c3b4bcc4e 100644
> --- a/tools/vhost-user-rpmb/main.c
> +++ b/tools/vhost-user-rpmb/main.c
> @@ -62,6 +62,7 @@ enum {
> #define KiB (1UL << 10)
> #define MAX_RPMB_SIZE (KiB * 128 * 256)
> #define RPMB_KEY_MAC_SIZE 32
> +#define RPMB_BLOCK_SIZE 256
>
> /* RPMB Request Types */
> #define VIRTIO_RPMB_REQ_PROGRAM_KEY 0x0001
> @@ -100,7 +101,7 @@ struct virtio_rpmb_config {
> struct virtio_rpmb_frame {
> uint8_t stuff[196];
> uint8_t key_mac[RPMB_KEY_MAC_SIZE];
> - uint8_t data[256];
> + uint8_t data[RPMB_BLOCK_SIZE];
> uint8_t nonce[16];
> /* remaining fields are big-endian */
> uint32_t write_counter;
> @@ -124,6 +125,7 @@ typedef struct VuRpmb {
> uint8_t last_nonce[16];
> uint16_t last_result;
> uint16_t last_reqresp;
> + uint16_t last_address;
> uint32_t write_count;
> } VuRpmb;
>
> @@ -239,17 +241,30 @@ vrpmb_set_config(VuDev *dev, const uint8_t *data,
> * which itself uses a 3 clause BSD chunk of code.
> */
>
> +static const int rpmb_frame_dlen = (sizeof(struct virtio_rpmb_frame) -
> + offsetof(struct virtio_rpmb_frame, data));
> +
> static void vrpmb_update_mac_in_frame(VuRpmb *r, struct virtio_rpmb_frame *frm)
> {
> hmac_sha256_ctx ctx;
> - static const int dlen = (sizeof(struct virtio_rpmb_frame) -
> - offsetof(struct virtio_rpmb_frame, data));
>
> hmac_sha256_init(&ctx, r->key, RPMB_KEY_MAC_SIZE);
> - hmac_sha256_update(&ctx, frm->data, dlen);
> + hmac_sha256_update(&ctx, frm->data, rpmb_frame_dlen);
> hmac_sha256_final(&ctx, &frm->key_mac[0], 32);
> }
>
> +static bool vrpmb_verify_mac_in_frame(VuRpmb *r, struct virtio_rpmb_frame *frm)
> +{
> + hmac_sha256_ctx ctx;
> + uint8_t calculated_mac[RPMB_KEY_MAC_SIZE];
> +
> + hmac_sha256_init(&ctx, r->key, RPMB_KEY_MAC_SIZE);
> + hmac_sha256_update(&ctx, frm->data, rpmb_frame_dlen);
> + hmac_sha256_final(&ctx, calculated_mac, RPMB_KEY_MAC_SIZE);
> +
> + return memcmp(calculated_mac, frm->key_mac, RPMB_KEY_MAC_SIZE) == 0;
>
I'd prefer using a constant time comparison function for this one
instead of memcmp (regardless if it's used for simulation or not) to
prevent eventual timing attacks.
> +}
> +
> /*
> * Handlers for individual control messages
> */
> @@ -324,6 +339,82 @@ vrpmb_handle_get_write_counter(VuDev *dev, struct virtio_rpmb_frame *frame)
> return resp;
> }
>
> +/*
> + * vrpmb_handle_write:
> + *
> + * We will report the success/fail on receipt of
> + * VIRTIO_RPMB_REQ_RESULT_READ. Returns the number of extra frames
> + * processed in the request.
> + */
> +static int vrpmb_handle_write(VuDev *dev, struct virtio_rpmb_frame *frame)
> +{
> + VuRpmb *r = container_of(dev, VuRpmb, dev.parent);
> + int extra_frames = 0;
> + uint16_t block_count = be16toh(frame->block_count);
> + uint32_t write_counter = be32toh(frame->write_counter);
> + size_t offset;
> +
> + r->last_reqresp = VIRTIO_RPMB_RESP_DATA_WRITE;
> + r->last_address = be16toh(frame->address);
> + offset = r->last_address * RPMB_BLOCK_SIZE;
> +
> + /*
> + * Run the checks from:
> + * 5.12.6.1.3 Device Requirements: Device Operation: Data Write
> + */
> + if (!r->key) {
> + g_warning("no key programmed");
> + r->last_result = VIRTIO_RPMB_RES_NO_AUTH_KEY;
> + } else if (block_count == 0 ||
> + block_count > r->virtio_config.max_wr_cnt) {
> + r->last_result = VIRTIO_RPMB_RES_GENERAL_FAILURE;
> + } else if (false /* what does an expired write counter mean? */) {
>
IIRC, the counter has room for a 32-bit value and the counter will never
wrap around. So once the counter have reached max for uint32_t, then
there is an additional bit set (permanently) in the operation result.
I.e., writes are no longer possible once that has happened. That is
probably what you're referring to here I suppose.
> + r->last_result = VIRTIO_RPMB_RES_WRITE_COUNTER_EXPIRED;
> + } else if (offset > (r->virtio_config.capacity * (128 * KiB))) {
> + r->last_result = VIRTIO_RPMB_RES_ADDR_FAILURE;
> + } else if (!vrpmb_verify_mac_in_frame(r, frame)) {
> + r->last_result = VIRTIO_RPMB_RES_AUTH_FAILURE;
> + } else if (write_counter != r->write_count) {
> + r->last_result = VIRTIO_RPMB_RES_COUNT_FAILURE;
> + } else {
> + int i;
> + /* At this point we have a valid authenticated write request
> + * so the counter can incremented and we can attempt to
> + * update the backing device.
> + */
> + r->write_count++;
> + for (i = 0; i < block_count; i++) {
> + void *blk = r->flash_map + offset;
> + g_debug("%s: writing block %d", __func__, i);
> + if (mprotect(blk, RPMB_BLOCK_SIZE, PROT_WRITE) != 0) {
> + r->last_result = VIRTIO_RPMB_RES_WRITE_FAILURE;
> + break;
> + }
> + memcpy(blk, frame[i].data, RPMB_BLOCK_SIZE);
> + if (msync(blk, RPMB_BLOCK_SIZE, MS_SYNC) != 0) {
> + g_warning("%s: failed to sync update", __func__);
> + r->last_result = VIRTIO_RPMB_RES_WRITE_FAILURE;
> + break;
> + }
> + if (mprotect(blk, RPMB_BLOCK_SIZE, PROT_READ) != 0) {
> + g_warning("%s: failed to re-apply read protection", __func__);
> + r->last_result = VIRTIO_RPMB_RES_GENERAL_FAILURE;
> + break;
> + }
> + offset += RPMB_BLOCK_SIZE;
> + }
> + r->last_result = VIRTIO_RPMB_RES_OK;
> + extra_frames = i - 1;
> + }
> +
> + g_info("%s: %s (%x, %d extra frames processed), write_count=%d", __func__,
> + r->last_result == VIRTIO_RPMB_RES_OK ? "successful":"failed",
> + r->last_result, extra_frames, r->write_count);
> +
> + return extra_frames;
> +}
> +
> +
> /*
> * Return the result of the last message. This is only valid if the
> * previous message was VIRTIO_RPMB_REQ_PROGRAM_KEY or
> @@ -339,10 +430,14 @@ static struct virtio_rpmb_frame * vrpmb_handle_result_read(VuDev *dev)
> g_info("%s: for request:%x result:%x", __func__,
> r->last_reqresp, r->last_result);
>
> - if (r->last_reqresp == VIRTIO_RPMB_RESP_PROGRAM_KEY ||
> - r->last_reqresp == VIRTIO_RPMB_REQ_DATA_WRITE) {
> + if (r->last_reqresp == VIRTIO_RPMB_RESP_PROGRAM_KEY) {
> resp->result = htobe16(r->last_result);
> resp->req_resp = htobe16(r->last_reqresp);
> + } else if (r->last_reqresp == VIRTIO_RPMB_RESP_DATA_WRITE) {
> + resp->result = htobe16(r->last_result);
> + resp->req_resp = htobe16(r->last_reqresp);
> + resp->write_counter = htobe32(r->write_count);
> + resp->address = htobe16(r->last_address);
> } else {
> resp->result = htobe16(VIRTIO_RPMB_RES_GENERAL_FAILURE);
> }
> @@ -445,6 +540,10 @@ vrpmb_handle_ctrl(VuDev *dev, int qidx)
> __func__);
> }
> break;
> + case VIRTIO_RPMB_REQ_DATA_WRITE:
> + /* we can have multiple blocks handled */
> + n += vrpmb_handle_write(dev, f);
> + break;
> default:
> g_debug("un-handled request: %x", f->req_resp);
> break;
> --
> 2.20.1
>
--
Regards,
Joakim
next prev parent reply other threads:[~2020-09-28 16:18 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-25 12:51 [RFC PATCH 00/19] vhost-user-rpmb (Replay Protected Memory Block) Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 01/19] tools/virtiofsd: add support for --socket-group Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-10-07 10:48 ` Dr. David Alan Gilbert
2020-10-07 10:48 ` Dr. David Alan Gilbert
2020-09-25 12:51 ` [RFC PATCH 02/19] hw/block: add boilerplate for vhost-user-rpmb device Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 03/19] hw/virtio: move virtio-pci.h into shared include space Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 04/19] hw/block: add vhost-user-rpmb-pci boilerplate Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 05/19] virtio-pci: add notification trace points Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 13:06 ` Philippe Mathieu-Daudé
2020-09-25 12:51 ` [RFC PATCH 06/19] tools/vhost-user-rpmb: add boilerplate and initial main Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 07/19] tools/vhost-user-rpmb: implement --print-capabilities Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 08/19] tools/vhost-user-rpmb: connect to fd and instantiate basic run loop Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 09/19] tools/vhost-user-rpmb: add a --verbose/debug flags for logging Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 10/19] tools/vhost-user-rpmb: handle shutdown and SIGINT/SIGHUP cleanly Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 11/19] tools/vhost-user-rpmb: add --flash-path for backing store Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 12/19] tools/vhost-user-rpmb: import hmac_sha256 functions Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 13/19] tools/vhost-user-rpmb: implement the PROGRAM_KEY handshake Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 14/19] tools/vhost-user-rpmb: implement VIRTIO_RPMB_REQ_GET_WRITE_COUNTER Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 15/19] tools/vhost-user-rpmb: implement VIRTIO_RPMB_REQ_DATA_WRITE Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-28 13:52 ` Joakim Bech [this message]
2020-09-28 14:56 ` Alex Bennée
2020-09-28 14:56 ` Alex Bennée
2020-09-28 15:18 ` Joakim Bech
2020-09-25 12:51 ` [RFC PATCH 16/19] tools/vhost-user-rpmb: implement VIRTIO_RPMB_REQ_DATA_READ Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 17/19] tools/vhost-user-rpmb: add key persistence Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 18/19] tools/vhost-user-rpmb: allow setting of the write_count Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 12:51 ` [RFC PATCH 19/19] docs: add a man page for vhost-user-rpmb Alex Bennée
2020-09-25 12:51 ` Alex Bennée
2020-09-25 14:07 ` [RFC PATCH 00/19] vhost-user-rpmb (Replay Protected Memory Block) no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200928135201.GA9143@goby \
--to=joakim.bech@linaro.org \
--cc=Matti.Moell@opensynergy.com \
--cc=alex.bennee@linaro.org \
--cc=arnd@linaro.org \
--cc=bing.zhu@intel.com \
--cc=hmo@opensynergy.com \
--cc=ilias.apalodimas@linaro.org \
--cc=jean-philippe@linaro.org \
--cc=maxim.uvarov@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stratos-dev@op-lists.linaro.org \
--cc=takahiro.akashi@linaro.org \
--cc=tomas.winkler@intel.com \
--cc=virtualization@lists.linuxfoundation.org \
--cc=yang.huang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.