From: Xu Yilun <yilun.xu@intel.com>
To: Russ Weight <russell.h.weight@intel.com>
Cc: mdf@kernel.org, hao.wu@intel.com, lee.jones@linaro.org,
linux-fpga@vger.kernel.org, linux-kernel@vger.kernel.org,
trix@redhat.com, marpagan@redhat.com, lgoncalv@redhat.com,
matthew.gerlach@linux.intel.com,
basheer.ahmed.muddebihal@intel.com, tianfei.zhang@intel.com
Subject: Re: [PATCH v19 2/5] fpga: m10bmc-sec: create max10 bmc secure update
Date: Tue, 17 May 2022 00:19:07 +0800 [thread overview]
Message-ID: <20220516161907.GA37553@yilunxu-OptiPlex-7050> (raw)
In-Reply-To: <20220510195635.140722-3-russell.h.weight@intel.com>
On Tue, May 10, 2022 at 12:56:32PM -0700, Russ Weight wrote:
> Create a sub driver for the FPGA Card BMC in order to support secure
> updates. This patch creates the Max10 BMC Secure Update driver
> and provides sysfs files for displaying the current root entry hashes
> for the FPGA static region, the FPGA PR region, and the card BMC.
Could you describe a little more about what is the root entry, and how
the root entry hashes (maybe also the cancel code signing key) work to
ensure secure update?
>
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> Reviewed-by: Tom Rix <trix@redhat.com>
> ---
> v19:
> - Change "card bmc" naming back to "m10 bmc" naming to be consistent
> with the parent driver.
> v18:
> - Changed the ABI documentation for the Root Entry Hashes to specify
> string as the format for the output.
> - Updated comments, strings and config options to more consistently
> refer to the driver as the Intel FPGA Card BMC Secure Update driver.
> - Removed an instance of dev_dbg().
> - Deferred the call to firmware_upload_register() to a later patch
> where the required ops are provided. The bmc_sec_remove() function is
> also removed from this patch and added in a later patch.
> - Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
> of additional cards to be supported by the same driver.
> v17:
> - Update the Date and KernelVersion for the ABI documentation to Jul 2022
> and 5.19 respectively.
> - Updated the copyright end-date to 2022 for the secure update driver.
> - Change m10bmc to cardbmc to reflect the fact that the future devices
> will not necessarily use the MAX10. This affects filenames, configs, and
> symbol names.
> - Removed references to the FPGA Image Load class driver and replaced
> them with the new firmware-upload service from the firmware loader.
> - Firmware upload requires a unique name for the firmware device. Use
> xarray_alloc to generate a unique number to append to the name.
> - Changed the license from GPL to GPLv2 per commit bf7fbeeae6db: 'module:
> Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity'
> v16:
> - No Change
> v15:
> - Updated the Dates and KernelVersions in the ABI documentation
> - Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
> - Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
> - Change instances of *bmc-secure to *bmc-sec-update in file name
> and symbol names.
> - Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
> names.
> - Change instances of *lops* to *ops* in symbol names.
> v14:
> - Changed symbol and text references to reflect the renaming of the
> Security Manager Class driver to FPGA Image Load.
> v13:
> - Updated copyright to 2021
> - Updated ABI documentation date and kernel version
> - Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
> functions instead of devm_fpga_sec_mgr_create() and
> devm_fpga_sec_mgr_register().
> v12:
> - Updated Date and KernelVersion fields in ABI documentation
> v11:
> - Added Reviewed-by tag
> v10:
> - Changed the path expressions in the sysfs documentation to
> replace the n3000 reference with something more generic to
> accomodate other devices that use the same driver.
> v9:
> - Rebased to 5.12-rc2 next
> - Updated Date and KernelVersion in ABI documentation
> v8:
> - Previously patch 2/6, otherwise no change
> v7:
> - Updated Date and KernelVersion in ABI documentation
> v6:
> - Added WARN_ON() call for (sha_num_bytes / stride) to assert
> that the proper count is passed to regmap_bulk_read().
> v5:
> - No change
> v4:
> - Moved sysfs files for displaying the root entry hashes (REH)
> from the FPGA Security Manager class driver to here. The
> m10bmc_reh() and m10bmc_reh_size() functions are removed and
> the functionality from these functions is moved into a
> show_root_entry_hash() function for displaying the REHs.
> - Added ABI documentation for the new sysfs entries:
> sysfs-driver-intel-m10-bmc-secure
> - Updated the MAINTAINERS file to add the new ABI documentation
> file: sysfs-driver-intel-m10-bmc-secure
> - Removed unnecessary ret variable from m10bmc_secure_probe()
> - Incorporated new devm_fpga_sec_mgr_register() function into
> m10bmc_secure_probe() and removed the m10bmc_secure_remove()
> function.
> v3:
> - Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
> - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
> - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure
> Update driver"
> - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
> underlying functions are now called directly.
> - Changed "_root_entry_hash" to "_reh", with a comment explaining
> what reh is.
> v2:
> - Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
> - Switched to GENMASK(31, 16) for a couple of mask definitions.
> - Moved MAX10 BMC address and function definitions to a separate
> patch.
> - Replaced small function-creation macros with explicit function
> declarations.
> - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
> - Adapted to changes in the Intel FPGA Security Manager by splitting
> the single call to ifpga_sec_mgr_register() into two function
> calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
> ---
> .../sysfs-driver-intel-m10-bmc-sec-update | 29 ++++
> MAINTAINERS | 7 +
> drivers/fpga/Kconfig | 12 ++
> drivers/fpga/Makefile | 3 +
> drivers/fpga/intel-m10-bmc-sec-update.c | 133 ++++++++++++++++++
> 5 files changed, 184 insertions(+)
> create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> create mode 100644 drivers/fpga/intel-m10-bmc-sec-update.c
>
> diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> new file mode 100644
> index 000000000000..2bb271695e14
> --- /dev/null
> +++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> @@ -0,0 +1,29 @@
> +What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/sr_root_entry_hash
> +Date: Jul 2022
> +KernelVersion: 5.19
> +Contact: Russ Weight <russell.h.weight@intel.com>
> +Description: Read only. Returns the root entry hash for the static
> + region if one is programmed, else it returns the
> + string: "hash not programmed". This file is only
> + visible if the underlying device supports it.
> + Format: string.
> +
> +What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/pr_root_entry_hash
> +Date: Jul 2022
> +KernelVersion: 5.19
> +Contact: Russ Weight <russell.h.weight@intel.com>
> +Description: Read only. Returns the root entry hash for the partial
> + reconfiguration region if one is programmed, else it
> + returns the string: "hash not programmed". This file
> + is only visible if the underlying device supports it.
> + Format: string.
> +
> +What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/bmc_root_entry_hash
> +Date: Jul 2022
> +KernelVersion: 5.19
> +Contact: Russ Weight <russell.h.weight@intel.com>
> +Description: Read only. Returns the root entry hash for the BMC image
> + if one is programmed, else it returns the string:
> + "hash not programmed". This file is only visible if the
> + underlying device supports it.
> + Format: string.
> diff --git a/MAINTAINERS b/MAINTAINERS
> index cf883b1ec852..759a7788dad9 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -7784,6 +7784,13 @@ F: Documentation/fpga/
> F: drivers/fpga/
> F: include/linux/fpga/
>
> +INTEL MAX10 BMC SECURE UPDATES
> +M: Russ Weight <russell.h.weight@intel.com>
> +L: linux-fpga@vger.kernel.org
> +S: Maintained
> +F: Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> +F: drivers/fpga/intel-m10-bmc-sec-update.c
> +
> FPU EMULATOR
> M: Bill Metzenthen <billm@melbpc.org.au>
> S: Maintained
> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
> index 991b3f361ec9..0831eecc9a09 100644
> --- a/drivers/fpga/Kconfig
> +++ b/drivers/fpga/Kconfig
> @@ -243,4 +243,16 @@ config FPGA_MGR_VERSAL_FPGA
> configure the programmable logic(PL).
>
> To compile this as a module, choose M here.
> +
> +config FPGA_M10_BMC_SEC_UPDATE
> + tristate "Intel MAX10 BMC Secure Update driver"
> + depends on MFD_INTEL_M10_BMC && FW_UPLOAD
> + help
> + Secure update support for the Intel MAX10 board management
> + controller.
> +
> + This is a subdriver of the Intel MAX10 board management controller
> + (BMC) and provides support for secure updates for the BMC image,
> + the FPGA image, the Root Entry Hashes, etc.
> +
> endif # FPGA
> diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
> index 5935b3d0abd5..139ac1b573d3 100644
> --- a/drivers/fpga/Makefile
> +++ b/drivers/fpga/Makefile
> @@ -22,6 +22,9 @@ obj-$(CONFIG_FPGA_MGR_VERSAL_FPGA) += versal-fpga.o
> obj-$(CONFIG_ALTERA_PR_IP_CORE) += altera-pr-ip-core.o
> obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT) += altera-pr-ip-core-plat.o
>
> +# FPGA Secure Update Drivers
> +obj-$(CONFIG_FPGA_M10_BMC_SEC_UPDATE) += intel-m10-bmc-sec-update.o
> +
> # FPGA Bridge Drivers
> obj-$(CONFIG_FPGA_BRIDGE) += fpga-bridge.o
> obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE) += altera-hps2fpga.o altera-fpga2sdram.o
> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
> new file mode 100644
> index 000000000000..a36856d897c9
> --- /dev/null
> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
> @@ -0,0 +1,133 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Intel MAX10 Board Management Controller Secure Update Driver
> + *
> + * Copyright (C) 2019-2022 Intel Corporation. All rights reserved.
> + *
> + */
> +#include <linux/bitfield.h>
> +#include <linux/device.h>
> +#include <linux/firmware.h>
> +#include <linux/mfd/intel-m10-bmc.h>
> +#include <linux/mod_devicetable.h>
> +#include <linux/module.h>
> +#include <linux/platform_device.h>
> +#include <linux/slab.h>
> +
> +struct m10bmc_sec {
> + struct device *dev;
> + struct intel_m10bmc *m10bmc;
> +};
> +
> +/* Root Entry Hash (REH) support */
> +#define REH_SHA256_SIZE 32
> +#define REH_SHA384_SIZE 48
> +#define REH_MAGIC GENMASK(15, 0)
> +#define REH_SHA_NUM_BYTES GENMASK(31, 16)
> +
> +static ssize_t
> +show_root_entry_hash(struct device *dev, u32 exp_magic,
> + u32 prog_addr, u32 reh_addr, char *buf)
> +{
> + struct m10bmc_sec *sec = dev_get_drvdata(dev);
> + unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
reverse xmax tree declarations is recommended. You may initiate the
variable after declaration.
> + int sha_num_bytes, i, ret, cnt = 0;
> + u8 hash[REH_SHA384_SIZE];
> + u32 magic;
> +
> + ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
> + if (ret)
> + return ret;
> +
> + if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
> + return sysfs_emit(buf, "hash not programmed\n");
> +
> + sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
> + if (sha_num_bytes != REH_SHA256_SIZE &&
> + sha_num_bytes != REH_SHA384_SIZE) {
> + dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
> + sha_num_bytes);
> + return -EINVAL;
> + }
> +
> + WARN_ON(sha_num_bytes % stride);
The user will still get the output value which is broken. So why not
check the condition earlier, and stop user from accessing the interface
if it cannot work.
> + ret = regmap_bulk_read(sec->m10bmc->regmap, reh_addr,
> + hash, sha_num_bytes / stride);
> + if (ret) {
> + dev_err(dev, "failed to read root entry hash: %x cnt %x: %d\n",
> + reh_addr, sha_num_bytes / stride, ret);
> + return ret;
> + }
> +
> + for (i = 0; i < sha_num_bytes; i++)
> + cnt += sprintf(buf + cnt, "%02x", hash[i]);
> + cnt += sprintf(buf + cnt, "\n");
> +
> + return cnt;
> +}
> +
> +#define DEVICE_ATTR_SEC_REH_RO(_name, _magic, _prog_addr, _reh_addr) \
> +static ssize_t _name##_root_entry_hash_show(struct device *dev, \
> + struct device_attribute *attr, \
> + char *buf) \
> +{ return show_root_entry_hash(dev, _magic, _prog_addr, _reh_addr, buf); } \
> +static DEVICE_ATTR_RO(_name##_root_entry_hash)
> +
> +DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
> +DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
> +DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
> +
> +static struct attribute *m10bmc_security_attrs[] = {
> + &dev_attr_bmc_root_entry_hash.attr,
> + &dev_attr_sr_root_entry_hash.attr,
> + &dev_attr_pr_root_entry_hash.attr,
> + NULL,
> +};
> +
> +static struct attribute_group m10bmc_security_attr_group = {
> + .name = "security",
> + .attrs = m10bmc_security_attrs,
> +};
> +
> +static const struct attribute_group *m10bmc_sec_attr_groups[] = {
> + &m10bmc_security_attr_group,
> + NULL,
> +};
> +
> +#define SEC_UPDATE_LEN_MAX 32
> +static int m10bmc_sec_probe(struct platform_device *pdev)
> +{
> + struct m10bmc_sec *sec;
> +
> + sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
> + if (!sec)
> + return -ENOMEM;
> +
> + sec->dev = &pdev->dev;
> + sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
> + dev_set_drvdata(&pdev->dev, sec);
> +
> + return 0;
> +}
> +
> +static const struct platform_device_id intel_m10bmc_sec_ids[] = {
> + {
> + .name = "n3000bmc-sec-update",
> + },
> + { }
> +};
Please move the MODULE_DEVICE_TABLE() here, without blank lines.
Thanks,
Yilun
> +
> +static struct platform_driver intel_m10bmc_sec_driver = {
> + .probe = m10bmc_sec_probe,
> + .driver = {
> + .name = "intel-m10bmc-sec-update",
> + .dev_groups = m10bmc_sec_attr_groups,
> + },
> + .id_table = intel_m10bmc_sec_ids,
> +};
> +module_platform_driver(intel_m10bmc_sec_driver);
> +
> +MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
> +MODULE_AUTHOR("Intel Corporation");
> +MODULE_DESCRIPTION("Intel MAX10 BMC Secure Update");
> +MODULE_LICENSE("GPL");
> --
> 2.25.1
next prev parent reply other threads:[~2022-05-16 16:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-10 19:56 [PATCH v19 0/5] FPGA MAX10 BMC Secure Update Driver Russ Weight
2022-05-10 19:56 ` [PATCH v19 1/5] mfd: intel-m10-bmc: Rename n3000bmc-secure driver Russ Weight
2022-05-10 19:56 ` [PATCH v19 2/5] fpga: m10bmc-sec: create max10 bmc secure update Russ Weight
2022-05-16 16:19 ` Xu Yilun [this message]
2022-05-16 20:44 ` Russ Weight
2022-05-10 19:56 ` [PATCH v19 3/5] fpga: m10bmc-sec: expose max10 flash update count Russ Weight
2022-05-10 19:56 ` [PATCH v19 4/5] fpga: m10bmc-sec: expose max10 canceled keys in sysfs Russ Weight
2022-05-10 19:56 ` [PATCH v19 5/5] fpga: m10bmc-sec: add max10 secure update functions Russ Weight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220516161907.GA37553@yilunxu-OptiPlex-7050 \
--to=yilun.xu@intel.com \
--cc=basheer.ahmed.muddebihal@intel.com \
--cc=hao.wu@intel.com \
--cc=lee.jones@linaro.org \
--cc=lgoncalv@redhat.com \
--cc=linux-fpga@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marpagan@redhat.com \
--cc=matthew.gerlach@linux.intel.com \
--cc=mdf@kernel.org \
--cc=russell.h.weight@intel.com \
--cc=tianfei.zhang@intel.com \
--cc=trix@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.