RE: [PATCH v2 3/7] fpga: sec-mgr: expose sec-mgr update status

From: "Wu, Hao" <hao.wu@intel.com>
To: "Weight, Russell H" <russell.h.weight@intel.com>,
	"mdf@kernel.org" <mdf@kernel.org>,
	"linux-fpga@vger.kernel.org" <linux-fpga@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: "trix@redhat.com" <trix@redhat.com>,
	"lgoncalv@redhat.com" <lgoncalv@redhat.com>,
	"Xu, Yilun" <yilun.xu@intel.com>,
	"Gerlach, Matthew" <matthew.gerlach@intel.com>,
	"Weight, Russell H" <russell.h.weight@intel.com>
Subject: RE: [PATCH v2 3/7] fpga: sec-mgr: expose sec-mgr update status
Date: Mon, 5 Oct 2020 08:41:56 +0000	[thread overview]
Message-ID: <DM6PR11MB3819276C0C4F12E3CEF33F3E850C0@DM6PR11MB3819.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20201002223701.1317-4-russell.h.weight@intel.com>

> Subject: [PATCH v2 3/7] fpga: sec-mgr: expose sec-mgr update status
> 
> Extend the Intel Security Manager class driver to
> include an update/status sysfs node that can be polled
> and read to monitor the progress of an ongoing secure
> update. Sysfs_notify() is used to signal transitions
> between different phases of the update process.
> 
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> ---
> v2:
>   - Bumped documentation date and version
>   - Changed progress state "read_file" to "reading"
> ---
>  .../ABI/testing/sysfs-class-ifpga-sec-mgr     | 11 +++++
>  drivers/fpga/ifpga-sec-mgr.c                  | 40 +++++++++++++++++--
>  2 files changed, 47 insertions(+), 4 deletions(-)
> 
> diff --git a/Documentation/ABI/testing/sysfs-class-ifpga-sec-mgr
> b/Documentation/ABI/testing/sysfs-class-ifpga-sec-mgr
> index 4f375f132c34..73a5246fea1b 100644
> --- a/Documentation/ABI/testing/sysfs-class-ifpga-sec-mgr
> +++ b/Documentation/ABI/testing/sysfs-class-ifpga-sec-mgr
> @@ -78,3 +78,14 @@ Description:	Write only. Write the filename of an
> Intel image
>  		BMC images, BMC firmware, Static Region images,
>  		and Root Entry Hashes, and to cancel Code Signing
>  		Keys (CSK).
> +
> +What: 		/sys/class/ifpga_sec_mgr/ifpga_secX/update/status
> +Date:		Oct 2020
> +KernelVersion:  5.11
> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read-only. Returns a string describing the current
> +		status of an update. The string will be one of the
> +		following: idle, reading, preparing, writing,
> +		programming. Userspace code can poll on this file,
> +		as it will be signaled by sysfs_notify() on each
> +		state change.
> diff --git a/drivers/fpga/ifpga-sec-mgr.c b/drivers/fpga/ifpga-sec-mgr.c
> index 7d5a4979554b..ad918fb42dc2 100644
> --- a/drivers/fpga/ifpga-sec-mgr.c
> +++ b/drivers/fpga/ifpga-sec-mgr.c
> @@ -139,6 +139,13 @@ static struct attribute *sec_mgr_security_attrs[] = {
>  	NULL,
>  };
> 
> +static void update_progress(struct ifpga_sec_mgr *imgr,
> +			    enum ifpga_sec_prog new_progress)
> +{
> +	imgr->progress = new_progress;
> +	sysfs_notify(&imgr->dev.kobj, "update", "status");
> +}
> +
>  static void ifpga_sec_dev_error(struct ifpga_sec_mgr *imgr,
>  				enum ifpga_sec_err err_code)
>  {
> @@ -149,7 +156,7 @@ static void ifpga_sec_dev_error(struct ifpga_sec_mgr
> *imgr,
>  static void progress_complete(struct ifpga_sec_mgr *imgr)
>  {
>  	mutex_lock(&imgr->lock);
> -	imgr->progress = IFPGA_SEC_PROG_IDLE;
> +	update_progress(imgr, IFPGA_SEC_PROG_IDLE);
>  	complete_all(&imgr->update_done);
>  	mutex_unlock(&imgr->lock);
>  }
> @@ -177,14 +184,14 @@ static void ifpga_sec_mgr_update(struct
> work_struct *work)
>  		goto release_fw_exit;
>  	}
> 
> -	imgr->progress = IFPGA_SEC_PROG_PREPARING;
> +	update_progress(imgr, IFPGA_SEC_PROG_PREPARING);
>  	ret = imgr->iops->prepare(imgr);
>  	if (ret) {
>  		ifpga_sec_dev_error(imgr, ret);
>  		goto modput_exit;
>  	}
> 
> -	imgr->progress = IFPGA_SEC_PROG_WRITING;
> +	update_progress(imgr, IFPGA_SEC_PROG_WRITING);
>  	size = imgr->remaining_size;
>  	while (size) {
>  		blk_size = min_t(u32, size, WRITE_BLOCK_SIZE);
> @@ -199,7 +206,7 @@ static void ifpga_sec_mgr_update(struct work_struct
> *work)
>  		offset += blk_size;
>  	}
> 
> -	imgr->progress = IFPGA_SEC_PROG_PROGRAMMING;
> +	update_progress(imgr, IFPGA_SEC_PROG_PROGRAMMING);
>  	ret = imgr->iops->poll_complete(imgr);
>  	if (ret) {
>  		ifpga_sec_dev_error(imgr, ret);
> @@ -259,6 +266,30 @@ static struct attribute_group
> sec_mgr_security_attr_group = {
>  	.is_visible = sec_mgr_visible,
>  };
> 
> +static const char * const sec_mgr_prog_str[] = {
> +	"idle",			/* IFPGA_SEC_PROG_IDLE */
> +	"reading",		/* IFPGA_SEC_PROG_READING */
> +	"preparing",		/* IFPGA_SEC_PROG_PREPARING */
> +	"writing",		/* IFPGA_SEC_PROG_WRITING */
> +	"programming"		/* IFPGA_SEC_PROG_PROGRAMMING */
> +};
> +
> +static ssize_t
> +status_show(struct device *dev, struct device_attribute *attr, char *buf)
> +{
> +	struct ifpga_sec_mgr *imgr = to_sec_mgr(dev);
> +	const char *status = "unknown-status";
> +
> +	if (imgr->progress < IFPGA_SEC_PROG_MAX)
> +		status = sec_mgr_prog_str[imgr->progress];

I am not sure if this would be a problem that as there is no lock protection for
the progress value. If someone changes imgr->progress into a bad value just
after the first check imgr->progress < IFPGA_SEC_PROG_MAX passed.

> +	else
> +		dev_warn(dev, "Invalid status during secure update: %d\n",
> +			 imgr->progress);

One minor thing, dev_err or even WARN_ON should be better, and I think 
if it hits this, that will be a critical issue in the driver, isn't it?

Thanks
Hao

> +
> +	return sprintf(buf, "%s\n", status);
> +}
> +static DEVICE_ATTR_RO(status);
> +
>  static ssize_t filename_store(struct device *dev, struct device_attribute *attr,
>  			      const char *buf, size_t count)
>  {
> @@ -293,6 +324,7 @@ static DEVICE_ATTR_WO(filename);
> 
>  static struct attribute *sec_mgr_update_attrs[] = {
>  	&dev_attr_filename.attr,
> +	&dev_attr_status.attr,
>  	NULL,
>  };
> 
> --
> 2.17.1