From: Jacob Keller <jacob.e.keller@intel.com>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Jiri Pirko <jiri@resnulli.us>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	Tom Herbert <tom@herbertland.com>, Jiri Pirko <jiri@mellanox.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Michael Chan <michael.chan@broadcom.com>,
	Bin Luo <luobin9@huawei.com>,
	Saeed Mahameed <saeedm@mellanox.com>,
	Leon Romanovsky <leon@kernel.org>,
	Ido Schimmel <idosch@mellanox.com>,
	Danielle Ratson <danieller@mellanox.com>
Subject: Re: [RFC PATCH net-next v2 6/6] devlink: add overwrite mode to flash update
Date: Wed, 29 Jul 2020 15:49:05 -0700
Message-ID: <a0994590-f818-43cd-6c28-0cd628be9602@intel.com>
In-Reply-To: <20200722095228.2f2c61b8@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>



On 7/22/2020 9:52 AM, Jakub Kicinski wrote:
> On Wed, 22 Jul 2020 15:30:05 +0000 Keller, Jacob E wrote:
>>>>>> one by one and then omit the one(s) which is config (guessing which
>>>>>> one that is based on the name).
>>>>>>
>>>>>> Wouldn't this be quite inconvenient?  
>>>>>
>>>>> I see it as an extra knob that actually somehow provides degradation
>>>>> of components.  
>>>>
>>>> Hm. We have the exact opposite view on the matter. To me components
>>>> currently correspond to separate fw/hw entities, that's a very clear
>>>> meaning. PHY firmware, management FW, UNDI. Now we would add a
>>>> completely orthogonal meaning to the same API.  
>>>
>>> I understand. My concern is, we would have a component with some
>>> "subparts". Now it is some fuzzy vaguely defined "config part",
>>> in the future it might be something else. That is what I'm concerned
>>> about. Components have clear api.
>>>
>>> So perhaps we can introduce something like "component mask", which would
>>> allow to flash only part of the component. That is basically what Jacob
>>> has, I would just like to have it well defined.
>>
>> So, we could make this selection a series of masked bits instead of a
>> single enumeration value.
> 
> I'd still argue that components (as defined in devlink info) and config
> are pretty orthogonal. In my experience config is stored in its own
> section of the flash, and some of the knobs are in no obvious way
> associated with components (used by components).
> 
> That said, if we rename the "component mask" to "update mask" that's
> fine with me.
> 
> Then we'd have
> 
> bit 0 - don't overwrite config
> bit 1 - don't overwrite identifiers
> 
> ? 
> 
> Let's define a bit for "don't update program" when we actually need it.
> 

One further wrinkle I was just reminded about. The ice hardware has a
section of the flash which defines a "minimum security revision". All
NVM images also have a "security revision". The firmware will fail to
load if the NVM image's security revision is less than the minimum
security revision.

The minimum security revision is not updated automatically. Current
tools which had direct access have an optional "opt in to minimum
security revision update" which would optionally bump the minimum
security revision after an update. The intent is that once an image is
tested and verified to be stable, an administrator can opt in to prevent
downgrade below that security revision. (Thus preventing potential
downgrade to a known insecure image).

The folks adjusting our tools would like to continue to support this. I
think the best solution would be to have both the security revision and
minimum security revision become components, i.e.
"fw.mgmt.security_revision" and "fw.mgmt.min_security_revision" (maybe
shortened like "secrev" or "srev"?), and then use the
fw.mgmt.min_security_revision component name in the flash update request.

The security revision is tied into the management firmware image and
would always be updated when an image is updated, but the minimum
revision is only updated on an explicit request.

In theory this could be done as part of this overwrite, but since I
suspect this is somewhat device specific, (not sure other vendors have
something similar?), and because there is a valid/known version we can
report I think a component makes the most sense.
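
Added example, not part of the message above and not code from the ice driver: a small C model of the anti-rollback rule the message describes, where the minimum security revision gates image loading and is raised only on an explicit opt-in. All type and function names are hypothetical, the revision numbers are constructed, and rejecting the image at flash time (rather than at firmware load) is an assumption of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model; names are illustrative, not from the ice driver. */
struct nvm_image { uint32_t security_revision; };

struct flash_state {
	uint32_t min_security_revision;  /* kept in its own flash section */
	struct nvm_image active;         /* image currently programmed */
};

enum update_result { UPDATE_OK = 0, UPDATE_REJECTED_ROLLBACK = -1 };

/* Load rule from the message: an image below the minimum will not load. */
static bool fw_image_loadable(const struct flash_state *fs,
			      const struct nvm_image *img)
{
	return img->security_revision >= fs->min_security_revision;
}

/* Flash an image. The image's own security revision always travels with
 * it, but the stored minimum is deliberately left untouched here. */
static enum update_result flash_update(struct flash_state *fs,
				       const struct nvm_image *img)
{
	if (!fw_image_loadable(fs, img))
		return UPDATE_REJECTED_ROLLBACK; /* assumption: refuse early */
	fs->active = *img;
	return UPDATE_OK;
}

/* Explicit opt-in step: raise the minimum to the active image's revision.
 * It only ever moves upward, so it cannot be used to re-enable old images. */
static bool bump_min_security_revision(struct flash_state *fs)
{
	if (fs->active.security_revision <= fs->min_security_revision)
		return false;
	fs->min_security_revision = fs->active.security_revision;
	return true;
}

/* Constructed scenario: update from revision 1 to 2, optionally opt in,
 * then attempt to go back to the revision 1 image. */
static enum update_result downgrade_after_update(bool opt_in)
{
	struct flash_state fs = { .min_security_revision = 1, .active = { 1 } };
	struct nvm_image newer = { 2 }, older = { 1 };

	if (flash_update(&fs, &newer) != UPDATE_OK)
		return UPDATE_REJECTED_ROLLBACK;
	if (opt_in)
		bump_min_security_revision(&fs);
	return flash_update(&fs, &older);
}

int main(void) { return downgrade_after_update(true) == UPDATE_REJECTED_ROLLBACK ? 0 : 1; }
```

Without the opt-in the older image is still accepted, which is the window the administrator closes once the new image has been verified as stable.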

