From: Mika Westerberg
To: Greg Kroah-Hartman
Cc: Andreas Noever, Michael Jamet, Yehezkel Bernat, Lukas Wunner, Amir Levy, Andy Lutomirski, Mario.Limonciello@dell.com, Jared.Dominguez@dell.com, Andy Shevchenko, Mika Westerberg, linux-kernel@vger.kernel.org
Subject: [PATCH v3 00/27] Thunderbolt security levels and NVM firmware upgrade
Date: Fri, 2 Jun 2017 17:04:57 +0300
Message-Id: <20170602140524.23367-1-mika.westerberg@linux.intel.com>

Hi,

This is the third version of the patch series adding support for Thunderbolt security levels and NVM firmware upgrade. PCs running Intel Falcon Ridge or newer need these in order to connect devices if the security level is set to "user (SL1)" or "secure (SL2)" from BIOS. The security levels were added to prevent DMA attacks when PCIe is tunneled over the Thunderbolt fabric where an IOMMU is not available or cannot be enabled for different reasons.

This series converts the Thunderbolt driver to a Linux bus and makes each Thunderbolt device (aka Thunderbolt switch or router or endpoint) a Linux device which is connected to that bus, addressed by its routing string (this is the addressing Thunderbolt uses).
With these patches the user can authorize devices using sysfs attributes like (following USB):

  # echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized

If the BIOS security level is set to "secure" and the device supports secure connect, on the first connect a random key is uploaded to the device:

  # key=$(openssl rand -hex 32)
  # echo $key > /sys/bus/thunderbolt/devices/0-1/key
  # echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized

Next time the device is plugged in the user can verify (challenge) the device using the same key:

  # echo $key > /sys/bus/thunderbolt/devices/0-1/key
  # echo 2 > /sys/bus/thunderbolt/devices/0-1/authorized

The device identification information is found below each device sysfs node and includes the following attributes:

  device      - Device ID
  device_name - Name of the device
  vendor      - Vendor ID
  vendor_name - Name of the vendor
  unique_id   - Unique ID string identifying this particular device

In addition these patches add support for upgrading NVM firmware running on a host or device by running something like:

  # dd if=KYK_TBT_FW_0018.bin of=/sys/bus/thunderbolt/devices/0-0/nvm_non_active0/nvmem
  # echo 1 > /sys/bus/thunderbolt/devices/0-0/nvm_authenticate

More information on how to use the Thunderbolt bus can be found in patch [26/27].

Where Internal Connection Manager (ICM) firmware is available and usable, we use it in the driver. This also includes newer Apple MacBooks with Alpine Ridge. For older MacBooks the driver works as before, but in addition the Thunderbolt bus is available there as well (including the possibility to upgrade NVM firmware of connected devices).

Note that for Macs the Linux native PCIe hotplug support does not work well with Thunderbolt PCIe topologies, where there is a need to put all available resources to the PCIe downstream port where the PCIe chain is extended. This is something we need to fix. In the meantime there is a way to work around it by passing "pci=hpbussize=10,hpmemsize=2M" or so on the kernel command line.
Regarding Christoph's UUID series here [1], they now include the existing types for backwards compatibility, so this series compiles and works fine with them. We will convert the Thunderbolt driver to use these new types once that series hits mainline.

Andreas and Lukas, do you have any comments or concerns regarding this series?

We are currently porting Amir's network driver on top of the Thunderbolt bus.

The previous version (v2) can be found in [2].

[1] http://git.infradead.org/users/hch/misc.git/shortlog/refs/heads/uuid-types
[2] https://lwn.net/Articles/723935/

Changes from the previous version (v2):

[PATCH v2 03/27] thunderbolt: Do not try to read UID if DROM offset is read as 0
  - Add Suggested-by Andreas

[PATCH v2 07/27] thunderbolt: Allow passing NULL to tb_ctl_free()
  - Add Suggested-by Andy

[PATCH v2 09/27] thunderbolt: Convert switch to a device
  - Rework comment regarding UUID to mention that it is not strictly following rules of UUID format.
  - Update Documentation/ABI/testing/sysfs-bus-thunderbolt unique_id attribute description accordingly.

[PATCH v2 12/27] thunderbolt: Refactor and fix parsing of port drom entries
  - Add Reviewed-by Andy

[PATCH v2 13/27] thunderbolt: Read vendor and device name from DROM
  - Use kstrndup() instead and drop parse_name()

[PATCH v2 21/27] thunderbolt: Store Thunderbolt generation in the switch structure
  - Make the unknown switch defaulting to generation 1 more explicit
  - Add Reviewed-by Andy

[PATCH v2 24/27] thunderbolt: Add support for Internal Connection Manager (ICM)
  - Allow secure connect only when BIOS setting is in "secure connect/SL2" to follow what Windows does.

[PATCH v2 25/27] thunderbolt: Add support for host and device NVM firmware upgrade
  - Add check for sw->nvm in nvm_authenticate_store() to prevent NULL pointer dereference when NVMem devices are not yet added.
[PATCH v2 26/27] thunderbolt: Add documentation how Thunderbolt bus can be used
  - Update documentation to mention that secure connect is only available when the BIOS setting is in "secure connect/SL2".

Lukas Wunner (1):
  thunderbolt: Refactor and fix parsing of port drom entries

Mika Westerberg (26):
  thunderbolt: Use const buffer pointer in write operations
  thunderbolt: No need to read UID of the root switch on resume
  thunderbolt: Do not try to read UID if DROM offset is read as 0
  thunderbolt: Do not warn about newer DROM versions
  thunderbolt: Add MSI-X support
  thunderbolt: Rework capability handling
  thunderbolt: Allow passing NULL to tb_ctl_free()
  thunderbolt: Introduce thunderbolt bus and connection manager
  thunderbolt: Convert switch to a device
  thunderbolt: Fail switch adding operation if reading DROM fails
  thunderbolt: Do not fail if DROM data CRC32 is invalid
  thunderbolt: Read vendor and device name from DROM
  thunderbolt: Move control channel messages to tb_msgs.h
  thunderbolt: Expose get_route() to other files
  thunderbolt: Expose make_header() to other files
  thunderbolt: Let the connection manager handle all notifications
  thunderbolt: Rework control channel to be more reliable
  thunderbolt: Add new Thunderbolt PCI IDs
  thunderbolt: Add support for NHI mailbox
  thunderbolt: Store Thunderbolt generation in the switch structure
  thunderbolt: Add support for DMA configuration based mailbox
  thunderbolt: Do not touch the hardware if the NHI is gone on resume
  thunderbolt: Add support for Internal Connection Manager (ICM)
  thunderbolt: Add support for host and device NVM firmware upgrade
  thunderbolt: Add documentation how Thunderbolt bus can be used
  MAINTAINERS: Add maintainers for Thunderbolt driver

 Documentation/ABI/testing/sysfs-bus-thunderbolt |  110 +++
 Documentation/admin-guide/index.rst             |    1 +
 Documentation/admin-guide/thunderbolt.rst       |  199 ++++
 MAINTAINERS                                     |    3 +
 drivers/thunderbolt/Kconfig                     |   13 +-
 drivers/thunderbolt/Makefile                    |    2 +-
 drivers/thunderbolt/cap.c                       |  169 ++--
 drivers/thunderbolt/ctl.c                       |  665 +++++++++----
 drivers/thunderbolt/ctl.h                       |  105 +-
 drivers/thunderbolt/dma_port.c                  |  524 ++++++++++
 drivers/thunderbolt/dma_port.h                  |   34 +
 drivers/thunderbolt/domain.c                    |  455 +++++++++
 drivers/thunderbolt/eeprom.c                    |  119 ++-
 drivers/thunderbolt/icm.c                       | 1089 +++++++++++++++++++++
 drivers/thunderbolt/nhi.c                       |  306 +++++-
 drivers/thunderbolt/nhi.h                       |   93 +-
 drivers/thunderbolt/nhi_regs.h                  |   27 +
 drivers/thunderbolt/switch.c                    | 1178 +++++++++++++++++++++--
 drivers/thunderbolt/tb.c                        |  237 +++--
 drivers/thunderbolt/tb.h                        |  251 ++++-
 drivers/thunderbolt/tb_msgs.h                   |  260 +++++
 drivers/thunderbolt/tb_regs.h                   |   50 +-
 drivers/thunderbolt/tunnel_pci.c                |   17 +-
 23 files changed, 5323 insertions(+), 584 deletions(-)
 create mode 100644 Documentation/ABI/testing/sysfs-bus-thunderbolt
 create mode 100644 Documentation/admin-guide/thunderbolt.rst
 create mode 100644 drivers/thunderbolt/dma_port.c
 create mode 100644 drivers/thunderbolt/dma_port.h
 create mode 100644 drivers/thunderbolt/domain.c
 create mode 100644 drivers/thunderbolt/icm.c
 create mode 100644 drivers/thunderbolt/tb_msgs.h

-- 
2.11.0
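The cover letter shows the authorize/key/challenge writes as individual shell commands. The script below is an added editorial example, not code from the patch series or from its author, that ties those steps together into one authorization routine: it reads the device's `authorized` state, on a first connect under the secure level generates and persists a key and writes it with `1`, and on later connects replays the stored key with `2` so that a device presenting a known `unique_id` is challenged rather than silently accepted. The key-store directory layout, the `SECURE` argument (set by the caller according to the BIOS level, because this script does not read it from sysfs), and the use of `/dev/urandom` in place of `openssl rand -hex 32` are this example's own conventions; the sysfs attribute names and values are the ones the cover letter documents.

```shell
#!/bin/sh
# Added example (not part of the patch series): authorize a Thunderbolt
# device through the sysfs attributes described in the cover letter.
#
# Assumptions (this script's conventions, not the driver's):
#   DEVDIR   - a device node such as /sys/bus/thunderbolt/devices/0-1
#   KEYSTORE - a root-only directory holding one key file per unique_id
#   SECURE   - "yes" when the BIOS level is secure (SL2) and the device
#              supports secure connect; anything else means user (SL1)
set -eu

tbt_gen_key() {
    # 32 random bytes as 64 hex characters, the same size the cover
    # letter produces with `openssl rand -hex 32`, without needing openssl.
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# tbt_authorize DEVDIR KEYSTORE SECURE
# Prints one of: already-authorized, authorized, key-stored, challenged.
tbt_authorize() {
    devdir=$1; keystore=$2; secure=$3

    # authorized: 0 = not authorized, 1 = authorized, 2 = authorized
    # after a successful key challenge (values from the cover letter).
    state=$(cat "$devdir/authorized")
    case "$state" in
        1|2) echo already-authorized; return 0 ;;
        0) ;;
        *) echo "unexpected authorized value: $state" >&2; return 1 ;;
    esac

    if [ "$secure" != yes ]; then
        # user (SL1): plain authorization, no key involved.
        echo 1 > "$devdir/authorized"
        echo authorized
        return 0
    fi

    # secure (SL2): index the key store by unique_id so the same physical
    # device is challenged with the same key on every later connect.
    uid=$(cat "$devdir/unique_id")
    keyfile="$keystore/$uid.key"
    mkdir -p "$keystore"
    chmod 700 "$keystore"

    if [ -s "$keyfile" ]; then
        # Known device: upload the stored key and ask for a challenge.
        # A device that does not know the key fails the challenge, which
        # we expect the driver to report as a failed write; do not fall
        # back to plain authorization in that case.
        cat "$keyfile" > "$devdir/key"
        if ! echo 2 > "$devdir/authorized"; then
            echo "challenge failed for $uid, device not authorized" >&2
            return 1
        fi
        echo challenged
    else
        # First connect: generate the key, persist it root-only, then
        # upload it and authorize. The key is a secret from now on.
        key=$(tbt_gen_key)
        umask 077
        printf '%s\n' "$key" > "$keyfile"
        printf '%s\n' "$key" > "$devdir/key"
        echo 1 > "$devdir/authorized"
        echo key-stored
    fi
}
```

Run it from a udev rule or by hand as root, e.g. `tbt_authorize /sys/bus/thunderbolt/devices/0-1 /var/lib/tbt-keys yes`. Keeping the key store root-only matters: anyone who can read a stored key can present a substitute device that passes the challenge.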