linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v21 0/5] FPGA MAX10 BMC Secure Update Driver
@ 2022-05-21  0:36 Russ Weight
  2022-05-21  0:36 ` [PATCH v21 1/5] mfd: intel-m10-bmc: Rename n3000bmc-secure driver Russ Weight
                   ` (4 more replies)
  0 siblings, 5 replies; 17+ messages in thread
From: Russ Weight @ 2022-05-21  0:36 UTC (permalink / raw)
  To: mdf, hao.wu, yilun.xu, lee.jones, linux-fpga, linux-kernel
  Cc: trix, marpagan, lgoncalv, matthew.gerlach,
	basheer.ahmed.muddebihal, tianfei.zhang, Russ Weight

The MAX10 BMC Secure Update driver instantiates the new Firmware
Upload functionality of the Firmware Loader and provides the callback
functions required to support secure updates on Intel n3000 PAC
devices.  This driver is implemented as a sub-driver of the Intel MAX10
BMC mfd driver.

This driver interacts with the HW secure update engine of the FPGA
card BMC in order to transfer new FPGA and BMC images to FLASH on
the FPGA card.  Security is enforced by hardware and firmware.  The
FPGA Card BMC Secure Update driver interacts with the firmware to
initiate an update, pass in the necessary data, and collect status
on the update.

This driver provides sysfs files for displaying the flash count, the
root entry hashes (REH), and the code-signing-key (CSK) cancellation
vectors.

Changelog v20 -> v21:
  - Replace WARN_ON() calls in flash_count_show() and show_canceled_csk()
    with a more elaborate test. Return -EINVAL and write a message to the
    kernel log. Call WARN_ON_ONCE().
  - Update m10bmc_sec_prepare() to ensure that the base address for an
    update image is aligned with stride.
  - Update m10bmc_sec_write() to handle a block size that is not aligned
    with stride by allocating a zero-filled block that is aligned, and
    copying the data before calling regmap_bulk_write().

Changelog v19 -> v20:
  - Added text to commit messages to describe Root Entry Hashes (REH) and
    Code Signing Key (CSK) cancellation.
  - Use reverse christmas tree format for local variable declarations in
    show_root_entry_hash().
  - Remove WARN_ON() from show_root_entry_hash() and return -EINVAL if 
    sha_num_bytes is not a multiple of stride.
  - Move MODULE_DEVICE_TABLE() macro to just beneath the definition of
    intel_m10bmc_sec_ids[].

Changelog v18 -> v19:
  - Change "card bmc" naming back to "m10 bmc" naming to be consistent
    with the parent driver.

Changelog v17 -> v18:
  - Changed the ABI documentation for the Root Entry Hashes to specify
    string as the format for the output.
  - Updated comments, strings and config options to more consistently
    refer to the driver as the Intel FPGA Card BMC Secure Update driver.
  - Removed an instance of dev_dbg().
  - Deferred the call to firmware_upload_register() to a later patch
    where the required ops are provided.
  - Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
    of additional cards to be supported by the same driver.

Changelog v16 -> v17:
  - Change m10bmc to cardbmc to reflect the fact that the future devices
    will not necessarily use the MAX10. This affects filenames, configs,
    symbol names, and the driver name.
  - Update the Date and KernelVersion for the ABI documentation to Jul 2022
    and 5.19 respectively.
  - Updated the copyright end-date to 2022 for the secure update driver.
  - Removed references to the FPGA Image Load class driver and replaced
    them with the new firmware-upload service from the firmware loader.
  - Use xarray_alloc to generate a unique number/name firmware-upload.
  - Chang the license from GPL to GPLv2 per commit bf7fbeeae6db ("module:
    Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity")
  - fw_upload_ops functions will return "enum fw_upload_err" data types
    instead of integer values.

Changelog v15 -> v16:
  - Use 0 instead of FPGA_IMAGE_ERR_NONE to indicate success.
  - The size alignment check was moved from the FPGA Image Load framework
    to the prepare() op.
  - Added cancel_request boolean flag to struct m10bmc_sec.
  - Moved the RSU cancellation logic from m10bmc_sec_cancel() to a new
    rsu_cancel() function.
  - The m10bmc_sec_cancel() function ONLY sets the cancel_request flag.
    The cancel_request flag is checked at the beginning of the
    m10bmc_sec_write() and m10bmc_sec_poll_complete() functions.
  - Adapt to changed prototypes for the prepare() and write() ops. The
    m10bmc_sec_write_blk() function has been renamed to
    m10bmc_sec_write().
  - Created a cleanup op, m10bmc_sec_cleanup(), to attempt to cancel an
    ongoing op during when exiting the update process.

Changelog v14 -> v15:
  - Updated the Dates and KernelVersions in the ABI documentation
  - Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
  - Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
  - Change instances of *bmc-secure to *bmc-sec-update in file name
    and symbol names.
  - Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
    names.
  - Adapted to changes in the FPGA Image Load framework:
    (1) All enum types (progress and errors) are now type u32
    (2) m10bmc_sec_write_blk() adds *blk_size and max_size parameters
        and uses *blk_size as provided by the caller.
    (3) m10bmc_sec_poll_complete() no long checks the driver_unload
        flag.

Changelog v13 -> v14:
  - Changed symbol and text references to reflect the renaming of the
    Security Manager Class driver to FPGA Image Load.

Changelog v12 -> v13:
  - Updated copyright to 2021
  - Updated Date and KernelVersion fields in ABI documentation
  - Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
    functions instead of devm_fpga_sec_mgr_create() and
    devm_fpga_sec_mgr_register().

Changelog v11 -> v12:
  - Updated Date and KernelVersion fields in ABI documentation
  - Removed size parameter from the write_blk() op. m10bmc_sec_write_blk()
    no longer has a size parameter, and the block size is determined
    in this (the lower-level) driver.

Changelog v10 -> v11:
  - Added Reviewed-by tag to patch #1

Changelog v9 -> v10:
  - Changed the path expressions in the sysfs documentation to
    replace the n3000 reference with something more generic to
    accommodate other devices that use the same driver.

Changelog v8 -> v9:
  - Rebased to 5.12-rc2 next
  - Updated Date and KernelVersion in ABI documentation

Changelog v7 -> v8:
  - Split out patch "mfd: intel-m10-bmc: support for MAX10 BMC Secure
    Updates" and submitted it separately:
    https://marc.info/?l=linux-kernel&m=161126987101096&w=2

Changelog v6 -> v7:
  - Rebased patches for 5.11-rc2
  - Updated Date and KernelVersion in ABI documentation

Changelog v5 -> v6:
  - Added WARN_ON() prior to several calls to regmap_bulk_read()
    to assert that the (SIZE / stride) calculations did not result
    in remainders.
  - Changed the (size / stride) calculation in regmap_bulk_write()
    call to ensure that we don't write one less than intended.
  - Changed flash_count_show() parameter list to achieve
    reverse-christmas tree format.
  - Removed unnecessary call to rsu_check_complete() in
    m10bmc_sec_poll_complete() and changed while loop to
    do/while loop.
  - Initialized auth_result and doorbell to HW_ERRINFO_POISON
    in m10bmc_sec_hw_errinfo() and removed unnecessary if statements.

Changelog v4 -> v5:
  - Renamed sysfs node user_flash_count to flash_count and updated
    the sysfs documentation accordingly to more accurately descirbe
    the purpose of the count.

Changelog v3 -> v4:
  - Moved sysfs files for displaying the flash count, the root
    entry hashes (REH), and the code-signing-key (CSK) cancellation
    vectors from the FPGA Security Manager class driver to this
    driver (as they are not generic enough for the class driver).
  - Added a new ABI documentation file with informtaion about the
    new sysfs entries: sysfs-driver-intel-m10-bmc-secure
  - Updated the MAINTAINERS file to add the new ABI documentation
    file: sysfs-driver-intel-m10-bmc-secure
  - Removed unnecessary ret variable from m10bmc_secure_probe()
  - Incorporated new devm_fpga_sec_mgr_register() function into
    m10bmc_secure_probe() and removed the m10bmc_secure_remove()
    function.

Changelog v2 -> v3:
  - Changed "MAX10 BMC Security Engine driver" to "MAX10 BMC Secure
    Update driver"
  - Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
  - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
  - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
    underlying functions are now called directly.
  - Changed "_root_entry_hash" to "_reh", with a comment explaining
    what reh is.
  - Renamed get_csk_vector() to m10bmc_csk_vector()
  - Changed calling functions of functions that return "enum fpga_sec_err"
    to check for (ret != FPGA_SEC_ERR_NONE) instead of (ret)

Changelog v1 -> v2:
  - These patches were previously submitted as part of a larger V1
    patch set under the title "Intel FPGA Security Manager Class Driver".
  - Grouped all changes to include/linux/mfd/intel-m10-bmc.h into a
    single patch: "mfd: intel-m10-bmc: support for MAX10 BMC Security
    Engine".
  - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
  - Adapted to changes in the Intel FPGA Security Manager by splitting
    the single call to ifpga_sec_mgr_register() into two function
    calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
  - Replaced small function-creation macros for explicit function
    declarations.
  - Bug fix for the get_csk_vector() function to properly apply the
    stride variable in calls to m10bmc_raw_bulk_read().
  - Added m10bmc_ prefix to functions in m10bmc_iops structure
  - Implemented HW_ERRINFO_POISON for m10bmc_sec_hw_errinfo() to
    ensure that corresponding bits are set to 1 if we are unable
    to read the doorbell or auth_result registers.
  - Added comments and additional code cleanup per V1 review.

Russ Weight (5):
  mfd: intel-m10-bmc: Rename n3000bmc-secure driver
  fpga: m10bmc-sec: create max10 bmc secure update
  fpga: m10bmc-sec: expose max10 flash update count
  fpga: m10bmc-sec: expose max10 canceled keys in sysfs
  fpga: m10bmc-sec: add max10 secure update functions

 .../sysfs-driver-intel-m10-bmc-sec-update     |  61 ++
 MAINTAINERS                                   |   7 +
 drivers/fpga/Kconfig                          |  12 +
 drivers/fpga/Makefile                         |   3 +
 drivers/fpga/intel-m10-bmc-sec-update.c       | 640 ++++++++++++++++++
 drivers/mfd/intel-m10-bmc.c                   |   2 +-
 6 files changed, 724 insertions(+), 1 deletion(-)
 create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
 create mode 100644 drivers/fpga/intel-m10-bmc-sec-update.c


base-commit: 18ecd30af1a8402c162cca1bd58771c0e5be7815
-- 
2.25.1


^ permalink raw reply	[flat|nested] 17+ messages in thread

* [PATCH v21 1/5] mfd: intel-m10-bmc: Rename n3000bmc-secure driver
  2022-05-21  0:36 [PATCH v21 0/5] FPGA MAX10 BMC Secure Update Driver Russ Weight
@ 2022-05-21  0:36 ` Russ Weight
  2022-05-26  7:54   ` Xu Yilun
  2022-05-21  0:36 ` [PATCH v21 2/5] fpga: m10bmc-sec: create max10 bmc secure update Russ Weight
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 17+ messages in thread
From: Russ Weight @ 2022-05-21  0:36 UTC (permalink / raw)
  To: mdf, hao.wu, yilun.xu, lee.jones, linux-fpga, linux-kernel
  Cc: trix, marpagan, lgoncalv, matthew.gerlach,
	basheer.ahmed.muddebihal, tianfei.zhang, Russ Weight

The n3000bmc-secure driver has changed to n3000bmc-sec-update. Update
the name in the list of the intel-m10-bmc sub-drivers.

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
---
v21:
  - No change
v20:
  - No change
v19:
  - No change
v18:
  - No change
v17:
  - This is a new patch to change in the name of the secure update
    driver.
---
 drivers/mfd/intel-m10-bmc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mfd/intel-m10-bmc.c b/drivers/mfd/intel-m10-bmc.c
index 8db3bcf5fccc..f4d0d72573c8 100644
--- a/drivers/mfd/intel-m10-bmc.c
+++ b/drivers/mfd/intel-m10-bmc.c
@@ -26,7 +26,7 @@ static struct mfd_cell m10bmc_d5005_subdevs[] = {
 static struct mfd_cell m10bmc_pacn3000_subdevs[] = {
 	{ .name = "n3000bmc-hwmon" },
 	{ .name = "n3000bmc-retimer" },
-	{ .name = "n3000bmc-secure" },
+	{ .name = "n3000bmc-sec-update" },
 };
 
 static struct mfd_cell m10bmc_n5010_subdevs[] = {
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH v21 2/5] fpga: m10bmc-sec: create max10 bmc secure update
  2022-05-21  0:36 [PATCH v21 0/5] FPGA MAX10 BMC Secure Update Driver Russ Weight
  2022-05-21  0:36 ` [PATCH v21 1/5] mfd: intel-m10-bmc: Rename n3000bmc-secure driver Russ Weight
@ 2022-05-21  0:36 ` Russ Weight
  2022-05-26  7:55   ` Xu Yilun
  2022-05-26  8:04   ` Xu Yilun
  2022-05-21  0:36 ` [PATCH v21 3/5] fpga: m10bmc-sec: expose max10 flash update count Russ Weight
                   ` (2 subsequent siblings)
  4 siblings, 2 replies; 17+ messages in thread
From: Russ Weight @ 2022-05-21  0:36 UTC (permalink / raw)
  To: mdf, hao.wu, yilun.xu, lee.jones, linux-fpga, linux-kernel
  Cc: trix, marpagan, lgoncalv, matthew.gerlach,
	basheer.ahmed.muddebihal, tianfei.zhang, Russ Weight

Create a sub-driver for the FPGA Card BMC in order to support secure
updates.  This patch creates the Max10 BMC Secure Update driver and
provides sysfs files for displaying the root entry hashes (REH) for the
FPGA static region (SR), the FPGA Partial Reconfiguration (PR) region,
and the card BMC.

The Intel MAX10 BMC Root of Trust (RoT) requires that all BMC Nios firmware
and FPGA images are authenticated using ECDSA before loading and executing
on the card. Code Signing Keys (CSK) are used to sign images. CSKs are signed
by a root key. The root entry hash is created from the root public key.

The RoT provides authentication by storing an REH bitstream to a write-once
location. Image signatures are verified against the hash.

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
Reviewed-by: Tom Rix <trix@redhat.com>
---
v21:
  - No change
v20:
  - Added text to the commit message to describe Root Entry Hashes.
  - Use reverse christmas tree format for local variable declarations in
    show_root_entry_hash().
  - Remove WARN_ON() from show_root_entry_hash() and return -EINVAL if 
    sha_num_bytes is not a multiple of stride.
  - Move MODULE_DEVICE_TABLE() macro to just beneath the definition of
    intel_m10bmc_sec_ids[].
v19:
  - Change "card bmc" naming back to "m10 bmc" naming to be consistent
    with the parent driver.
v18:
  - Changed the ABI documentation for the Root Entry Hashes to specify
    string as the format for the output.
  - Updated comments, strings and config options to more consistently
    refer to the driver as the Intel FPGA Card BMC Secure Update driver.
  - Removed an instance of dev_dbg().
  - Deferred the call to firmware_upload_register() to a later patch
    where the required ops are provided. The bmc_sec_remove() function is
    also removed from this patch and added in a later patch.
  - Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
    of additional cards to be supported by the same driver.
v17:
  - Update the Date and KernelVersion for the ABI documentation to Jul 2022
    and 5.19 respectively.
  - Updated the copyright end-date to 2022 for the secure update driver.
  - Change m10bmc to cardbmc to reflect the fact that the future devices
    will not necessarily use the MAX10. This affects filenames, configs, and
    symbol names.
  - Removed references to the FPGA Image Load class driver and replaced
    them with the new firmware-upload service from the firmware loader.
  - Firmware upload requires a unique name for the firmware device. Use
    xarray_alloc to generate a unique number to append to the name.
  - Changed the license from GPL to GPLv2 per commit bf7fbeeae6db: 'module:
    Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity'
v16:
  - No Change
v15:
  - Updated the Dates and KernelVersions in the ABI documentation
  - Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
  - Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
  - Change instances of *bmc-secure to *bmc-sec-update in file name
    and symbol names.
  - Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
    names.
  - Change instances of *lops* to *ops* in symbol names.
v14:
  - Changed symbol and text references to reflect the renaming of the
    Security Manager Class driver to FPGA Image Load.
v13:
  - Updated copyright to 2021
  - Updated ABI documentation date and kernel version
  - Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
    functions instead of devm_fpga_sec_mgr_create() and
    devm_fpga_sec_mgr_register().
v12:
  - Updated Date and KernelVersion fields in ABI documentation
v11:
  - Added Reviewed-by tag
v10:
  - Changed the path expressions in the sysfs documentation to
    replace the n3000 reference with something more generic to
    accomodate other devices that use the same driver.
v9:
  - Rebased to 5.12-rc2 next
  - Updated Date and KernelVersion in ABI documentation
v8:
  - Previously patch 2/6, otherwise no change
v7:
  - Updated Date and KernelVersion in ABI documentation
v6:
  - Added WARN_ON() call for (sha_num_bytes / stride) to assert
    that the proper count is passed to regmap_bulk_read().
v5:
  - No change
v4:
  - Moved sysfs files for displaying the root entry hashes (REH)
    from the FPGA Security Manager class driver to here. The
    m10bmc_reh() and m10bmc_reh_size() functions are removed and
    the functionality from these functions is moved into a
    show_root_entry_hash() function for displaying the REHs.
  - Added ABI documentation for the new sysfs entries:
    sysfs-driver-intel-m10-bmc-secure
  - Updated the MAINTAINERS file to add the new ABI documentation
    file: sysfs-driver-intel-m10-bmc-secure
  - Removed unnecessary ret variable from m10bmc_secure_probe()
  - Incorporated new devm_fpga_sec_mgr_register() function into
    m10bmc_secure_probe() and removed the m10bmc_secure_remove()
    function.
v3:
  - Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
  - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
  - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure
    Update driver"
  - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
    underlying functions are now called directly.
  - Changed "_root_entry_hash" to "_reh", with a comment explaining
    what reh is.
v2:
  - Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
  - Switched to GENMASK(31, 16) for a couple of mask definitions.
  - Moved MAX10 BMC address and function definitions to a separate
    patch.
  - Replaced small function-creation macros with explicit function
    declarations.
  - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
  - Adapted to changes in the Intel FPGA Security Manager by splitting
    the single call to ifpga_sec_mgr_register() into two function
    calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
---
 .../sysfs-driver-intel-m10-bmc-sec-update     |  29 ++++
 MAINTAINERS                                   |   7 +
 drivers/fpga/Kconfig                          |  12 ++
 drivers/fpga/Makefile                         |   3 +
 drivers/fpga/intel-m10-bmc-sec-update.c       | 134 ++++++++++++++++++
 5 files changed, 185 insertions(+)
 create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
 create mode 100644 drivers/fpga/intel-m10-bmc-sec-update.c

diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
new file mode 100644
index 000000000000..2bb271695e14
--- /dev/null
+++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
@@ -0,0 +1,29 @@
+What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/sr_root_entry_hash
+Date:		Jul 2022
+KernelVersion:	5.19
+Contact:	Russ Weight <russell.h.weight@intel.com>
+Description:	Read only. Returns the root entry hash for the static
+		region if one is programmed, else it returns the
+		string: "hash not programmed".  This file is only
+		visible if the underlying device supports it.
+		Format: string.
+
+What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/pr_root_entry_hash
+Date:		Jul 2022
+KernelVersion:	5.19
+Contact:	Russ Weight <russell.h.weight@intel.com>
+Description:	Read only. Returns the root entry hash for the partial
+		reconfiguration region if one is programmed, else it
+		returns the string: "hash not programmed".  This file
+		is only visible if the underlying device supports it.
+		Format: string.
+
+What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/bmc_root_entry_hash
+Date:		Jul 2022
+KernelVersion:	5.19
+Contact:	Russ Weight <russell.h.weight@intel.com>
+Description:	Read only. Returns the root entry hash for the BMC image
+		if one is programmed, else it returns the string:
+		"hash not programmed".  This file is only visible if the
+		underlying device supports it.
+		Format: string.
diff --git a/MAINTAINERS b/MAINTAINERS
index a4ae11be9e5d..2f2a736ef790 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -7797,6 +7797,13 @@ F:	Documentation/fpga/
 F:	drivers/fpga/
 F:	include/linux/fpga/
 
+INTEL MAX10 BMC SECURE UPDATES
+M:	Russ Weight <russell.h.weight@intel.com>
+L:	linux-fpga@vger.kernel.org
+S:	Maintained
+F:	Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
+F:	drivers/fpga/intel-m10-bmc-sec-update.c
+
 FPU EMULATOR
 M:	Bill Metzenthen <billm@melbpc.org.au>
 S:	Maintained
diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
index 991b3f361ec9..0831eecc9a09 100644
--- a/drivers/fpga/Kconfig
+++ b/drivers/fpga/Kconfig
@@ -243,4 +243,16 @@ config FPGA_MGR_VERSAL_FPGA
 	  configure the programmable logic(PL).
 
 	  To compile this as a module, choose M here.
+
+config FPGA_M10_BMC_SEC_UPDATE
+	tristate "Intel MAX10 BMC Secure Update driver"
+	depends on MFD_INTEL_M10_BMC && FW_UPLOAD
+	help
+	  Secure update support for the Intel MAX10 board management
+	  controller.
+
+	  This is a subdriver of the Intel MAX10 board management controller
+	  (BMC) and provides support for secure updates for the BMC image,
+	  the FPGA image, the Root Entry Hashes, etc.
+
 endif # FPGA
diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
index 5935b3d0abd5..139ac1b573d3 100644
--- a/drivers/fpga/Makefile
+++ b/drivers/fpga/Makefile
@@ -22,6 +22,9 @@ obj-$(CONFIG_FPGA_MGR_VERSAL_FPGA)	+= versal-fpga.o
 obj-$(CONFIG_ALTERA_PR_IP_CORE)		+= altera-pr-ip-core.o
 obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT)	+= altera-pr-ip-core-plat.o
 
+# FPGA Secure Update Drivers
+obj-$(CONFIG_FPGA_M10_BMC_SEC_UPDATE)	+= intel-m10-bmc-sec-update.o
+
 # FPGA Bridge Drivers
 obj-$(CONFIG_FPGA_BRIDGE)		+= fpga-bridge.o
 obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE)	+= altera-hps2fpga.o altera-fpga2sdram.o
diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
new file mode 100644
index 000000000000..f9f39d2cfe5b
--- /dev/null
+++ b/drivers/fpga/intel-m10-bmc-sec-update.c
@@ -0,0 +1,134 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Intel MAX10 Board Management Controller Secure Update Driver
+ *
+ * Copyright (C) 2019-2022 Intel Corporation. All rights reserved.
+ *
+ */
+#include <linux/bitfield.h>
+#include <linux/device.h>
+#include <linux/firmware.h>
+#include <linux/mfd/intel-m10-bmc.h>
+#include <linux/mod_devicetable.h>
+#include <linux/module.h>
+#include <linux/platform_device.h>
+#include <linux/slab.h>
+
+struct m10bmc_sec {
+	struct device *dev;
+	struct intel_m10bmc *m10bmc;
+};
+
+/* Root Entry Hash (REH) support */
+#define REH_SHA256_SIZE		32
+#define REH_SHA384_SIZE		48
+#define REH_MAGIC		GENMASK(15, 0)
+#define REH_SHA_NUM_BYTES	GENMASK(31, 16)
+
+static ssize_t
+show_root_entry_hash(struct device *dev, u32 exp_magic,
+		     u32 prog_addr, u32 reh_addr, char *buf)
+{
+	struct m10bmc_sec *sec = dev_get_drvdata(dev);
+	int sha_num_bytes, i, ret, cnt = 0;
+	u8 hash[REH_SHA384_SIZE];
+	unsigned int stride;
+	u32 magic;
+
+	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+	ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
+	if (ret)
+		return ret;
+
+	if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
+		return sysfs_emit(buf, "hash not programmed\n");
+
+	sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
+	if ((sha_num_bytes % stride) ||
+	    (sha_num_bytes != REH_SHA256_SIZE &&
+	     sha_num_bytes != REH_SHA384_SIZE))   {
+		dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
+			sha_num_bytes);
+		return -EINVAL;
+	}
+
+	ret = regmap_bulk_read(sec->m10bmc->regmap, reh_addr,
+			       hash, sha_num_bytes / stride);
+	if (ret) {
+		dev_err(dev, "failed to read root entry hash: %x cnt %x: %d\n",
+			reh_addr, sha_num_bytes / stride, ret);
+		return ret;
+	}
+
+	for (i = 0; i < sha_num_bytes; i++)
+		cnt += sprintf(buf + cnt, "%02x", hash[i]);
+	cnt += sprintf(buf + cnt, "\n");
+
+	return cnt;
+}
+
+#define DEVICE_ATTR_SEC_REH_RO(_name, _magic, _prog_addr, _reh_addr) \
+static ssize_t _name##_root_entry_hash_show(struct device *dev, \
+					    struct device_attribute *attr, \
+					    char *buf) \
+{ return show_root_entry_hash(dev, _magic, _prog_addr, _reh_addr, buf); } \
+static DEVICE_ATTR_RO(_name##_root_entry_hash)
+
+DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
+DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
+DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
+
+static struct attribute *m10bmc_security_attrs[] = {
+	&dev_attr_bmc_root_entry_hash.attr,
+	&dev_attr_sr_root_entry_hash.attr,
+	&dev_attr_pr_root_entry_hash.attr,
+	NULL,
+};
+
+static struct attribute_group m10bmc_security_attr_group = {
+	.name = "security",
+	.attrs = m10bmc_security_attrs,
+};
+
+static const struct attribute_group *m10bmc_sec_attr_groups[] = {
+	&m10bmc_security_attr_group,
+	NULL,
+};
+
+#define SEC_UPDATE_LEN_MAX 32
+static int m10bmc_sec_probe(struct platform_device *pdev)
+{
+	struct m10bmc_sec *sec;
+
+	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
+	if (!sec)
+		return -ENOMEM;
+
+	sec->dev = &pdev->dev;
+	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
+	dev_set_drvdata(&pdev->dev, sec);
+
+	return 0;
+}
+
+static const struct platform_device_id intel_m10bmc_sec_ids[] = {
+	{
+		.name = "n3000bmc-sec-update",
+	},
+	{ }
+};
+MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
+
+static struct platform_driver intel_m10bmc_sec_driver = {
+	.probe = m10bmc_sec_probe,
+	.driver = {
+		.name = "intel-m10bmc-sec-update",
+		.dev_groups = m10bmc_sec_attr_groups,
+	},
+	.id_table = intel_m10bmc_sec_ids,
+};
+module_platform_driver(intel_m10bmc_sec_driver);
+
+MODULE_AUTHOR("Intel Corporation");
+MODULE_DESCRIPTION("Intel MAX10 BMC Secure Update");
+MODULE_LICENSE("GPL");
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH v21 3/5] fpga: m10bmc-sec: expose max10 flash update count
  2022-05-21  0:36 [PATCH v21 0/5] FPGA MAX10 BMC Secure Update Driver Russ Weight
  2022-05-21  0:36 ` [PATCH v21 1/5] mfd: intel-m10-bmc: Rename n3000bmc-secure driver Russ Weight
  2022-05-21  0:36 ` [PATCH v21 2/5] fpga: m10bmc-sec: create max10 bmc secure update Russ Weight
@ 2022-05-21  0:36 ` Russ Weight
  2022-05-26  7:55   ` Xu Yilun
  2022-05-21  0:36 ` [PATCH v21 4/5] fpga: m10bmc-sec: expose max10 canceled keys in sysfs Russ Weight
  2022-05-21  0:36 ` [PATCH v21 5/5] fpga: m10bmc-sec: add max10 secure update functions Russ Weight
  4 siblings, 1 reply; 17+ messages in thread
From: Russ Weight @ 2022-05-21  0:36 UTC (permalink / raw)
  To: mdf, hao.wu, yilun.xu, lee.jones, linux-fpga, linux-kernel
  Cc: trix, marpagan, lgoncalv, matthew.gerlach,
	basheer.ahmed.muddebihal, tianfei.zhang, Russ Weight

Extend the MAX10 BMC Secure Update driver to provide a sysfs file to
expose the flash update count.

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
Reviewed-by: Tom Rix <trix@redhat.com>
---
v21:
  - Replace WARN_ON(FLASH_COUNT_SIZE % stride) with a more elaborate test.
    Return -EINVAL and write a message to the kernel log. Call WARN_ON_ONCE().
v20:
  - No change
v19:
  - Change "card bmc" naming back to "m10 bmc" naming to be consistent
    with the parent driver.
v18:
  - No change
v17:
  - Update the Date and KernelVersion for the ABI documentation to Jul 2022
    and 5.19 respectively.
  - Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
    future devices will not necessarily use the MAX10.
v16:
  - No Change
v15:
  - Updated the Dates and KernelVersions in the ABI documentation
v14:
  - No change
v13:
  - Updated ABI documentation date and kernel version
v12:
  - Updated Date and KernelVersion fields in ABI documentation
v11:
  - No change
v10:
  - Changed the path expression in the sysfs documentation to
    replace the n3000 reference with something more generic to
    accomodate other devices that use the same driver.
v9:
  - Rebased to 5.12-rc2 next
  - Updated Date and KernelVersion in ABI documentation
v8:
  - Previously patch 3/6, otherwise no change
v7:
  - Updated Date and KernelVersion in ABI documentation
v6:
  - Changed flash_count_show() parameter list to achieve
    reverse-christmas tree format.
  - Added WARN_ON() call for (FLASH_COUNT_SIZE / stride) to ensure
    that the proper count is passed to regmap_bulk_read().
v5:
  - Renamed sysfs node user_flash_count to flash_count and updated the
    sysfs documentation accordingly.
v4:
  - Moved the sysfs file for displaying the flash count from the
    FPGA Security Manager class driver to here. The
    m10bmc_user_flash_count() function is removed and the
    functionality is moved into a user_flash_count_show()
    function.
  - Added ABI documentation for the new sysfs entry
v3:
  - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
  - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
    driver"
  - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
    underlying functions are now called directly.
v2:
  - Renamed get_qspi_flash_count() to m10bmc_user_flash_count()
  - Minor code cleanup per review comments
  - Added m10bmc_ prefix to functions in m10bmc_iops structure
---
 .../sysfs-driver-intel-m10-bmc-sec-update     |  8 ++++
 drivers/fpga/intel-m10-bmc-sec-update.c       | 43 +++++++++++++++++++
 2 files changed, 51 insertions(+)

diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
index 2bb271695e14..1132e39b2125 100644
--- a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
+++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
@@ -27,3 +27,11 @@ Description:	Read only. Returns the root entry hash for the BMC image
 		"hash not programmed".  This file is only visible if the
 		underlying device supports it.
 		Format: string.
+
+What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/flash_count
+Date:		Jul 2022
+KernelVersion:	5.19
+Contact:	Russ Weight <russell.h.weight@intel.com>
+Description:	Read only. Returns number of times the secure update
+		staging area has been flashed.
+		Format: "%u".
diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
index f9f39d2cfe5b..25b21f116976 100644
--- a/drivers/fpga/intel-m10-bmc-sec-update.c
+++ b/drivers/fpga/intel-m10-bmc-sec-update.c
@@ -78,7 +78,50 @@ DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
 DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
 DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
 
+#define FLASH_COUNT_SIZE 4096	/* count stored as inverted bit vector */
+
+static ssize_t flash_count_show(struct device *dev,
+				struct device_attribute *attr, char *buf)
+{
+	struct m10bmc_sec *sec = dev_get_drvdata(dev);
+	unsigned int stride, num_bits;
+	u8 *flash_buf;
+	int cnt, ret;
+
+	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+	num_bits = FLASH_COUNT_SIZE * 8;
+
+	flash_buf = kmalloc(FLASH_COUNT_SIZE, GFP_KERNEL);
+	if (!flash_buf)
+		return -ENOMEM;
+
+	if (FLASH_COUNT_SIZE % stride) {
+		dev_err(sec->dev,
+			"FLASH_COUNT_SIZE (0x%x) not aligned to stride (0x%x)\n",
+			FLASH_COUNT_SIZE, stride);
+		WARN_ON_ONCE(1);
+		return -EINVAL;
+	}
+
+	ret = regmap_bulk_read(sec->m10bmc->regmap, STAGING_FLASH_COUNT,
+			       flash_buf, FLASH_COUNT_SIZE / stride);
+	if (ret) {
+		dev_err(sec->dev,
+			"failed to read flash count: %x cnt %x: %d\n",
+			STAGING_FLASH_COUNT, FLASH_COUNT_SIZE / stride, ret);
+		goto exit_free;
+	}
+	cnt = num_bits - bitmap_weight((unsigned long *)flash_buf, num_bits);
+
+exit_free:
+	kfree(flash_buf);
+
+	return ret ? : sysfs_emit(buf, "%u\n", cnt);
+}
+static DEVICE_ATTR_RO(flash_count);
+
 static struct attribute *m10bmc_security_attrs[] = {
+	&dev_attr_flash_count.attr,
 	&dev_attr_bmc_root_entry_hash.attr,
 	&dev_attr_sr_root_entry_hash.attr,
 	&dev_attr_pr_root_entry_hash.attr,
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH v21 4/5] fpga: m10bmc-sec: expose max10 canceled keys in sysfs
  2022-05-21  0:36 [PATCH v21 0/5] FPGA MAX10 BMC Secure Update Driver Russ Weight
                   ` (2 preceding siblings ...)
  2022-05-21  0:36 ` [PATCH v21 3/5] fpga: m10bmc-sec: expose max10 flash update count Russ Weight
@ 2022-05-21  0:36 ` Russ Weight
  2022-05-26  7:56   ` Xu Yilun
  2022-05-21  0:36 ` [PATCH v21 5/5] fpga: m10bmc-sec: add max10 secure update functions Russ Weight
  4 siblings, 1 reply; 17+ messages in thread
From: Russ Weight @ 2022-05-21  0:36 UTC (permalink / raw)
  To: mdf, hao.wu, yilun.xu, lee.jones, linux-fpga, linux-kernel
  Cc: trix, marpagan, lgoncalv, matthew.gerlach,
	basheer.ahmed.muddebihal, tianfei.zhang, Russ Weight

Extend the MAX10 BMC Secure Update driver to provide sysfs files to
expose the 128 bit code signing key (CSK) cancellation vectors. These use
the standard bitmap list format (e.g. 1,2-6,9).

Each CSK is assigned an ID, a number between 0-127, during the signing
process. CSK ID cancellation information is stored in 128-bit fields in
write-once locations in flash.  The cancellation of a CSK can be used
to prevent the card from being rolled back to older images that were
signed with a CSK that is now cancelled.

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
Reviewed-by: Tom Rix <trix@redhat.com>
---
v21:
  - Replace WARN_ON(size % stride) with a more elaborate test. Return
    -EINVAL and write a message to the kernel log. Call WARN_ON_ONCE().
v20:
  - Added text to the commit message to further describe the cancellation of
    code signing keys.
v19:
  - Change "card bmc" naming back to "m10 bmc" naming to be consistent
    with the parent driver.
v18:
  - No change
v17:
  - Update the Date and KernelVersion for the ABI documentation to Jul 2022
    and 5.19 respectively.
  - Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
    future devices will not necessarily use the MAX10.
v16:
  - No Change
v15:
  - Updated the Dates and KernelVersions in the ABI documentation
v14:
  - No changes
v13:
  - Updated ABI documentation date and kernel version
v12:
  - Updated Date and KernelVersion fields in ABI documentation
v11:
  - No change
v10:
  - Changed the path expressions in the sysfs documentation to
    replace the n3000 reference with something more generic to
    accomodate other devices that use the same driver.
v9:
  - Rebased to 5.12-rc2 next
  - Updated Date and KernelVersion in ABI documentation
v8:
  - Previously patch 4/6, otherwise no change
v7:
  - Updated Date and KernelVersion in ABI documentation
v6:
  - Added WARN_ON() call for (size / stride) to ensure
    that the proper count is passed to regmap_bulk_read().
v5:
  - No change
v4:
  - Moved sysfs files for displaying the code-signing-key (CSK)
    cancellation vectors from the FPGA Security Manger class driver
    to here. The m10bmc_csk_vector() and m10bmc_csk_cancel_nbits()
    functions are removed and the functionality from these functions
    is moved into a show_canceled_csk() function for for displaying
    the CSK vectors.
  - Added ABI documentation for new sysfs entries
v3:
  - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
  - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
    driver"
  - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
    underlying functions are now called directly.
  - Renamed get_csk_vector() to m10bmc_csk_vector()
v2:
  - Replaced small function-creation macros for explicit function
    declarations.
  - Fixed get_csk_vector() function to properly apply the stride
    variable in calls to m10bmc_raw_bulk_read()
  - Added m10bmc_ prefix to functions in m10bmc_iops structure
---
 .../sysfs-driver-intel-m10-bmc-sec-update     | 24 +++++++++
 drivers/fpga/intel-m10-bmc-sec-update.c       | 54 +++++++++++++++++++
 2 files changed, 78 insertions(+)

diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
index 1132e39b2125..ca5a34c1c31f 100644
--- a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
+++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
@@ -28,6 +28,30 @@ Description:	Read only. Returns the root entry hash for the BMC image
 		underlying device supports it.
 		Format: string.
 
+What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/sr_canceled_csks
+Date:		Jul 2022
+KernelVersion:	5.19
+Contact:	Russ Weight <russell.h.weight@intel.com>
+Description:	Read only. Returns a list of indices for canceled code
+		signing keys for the static region. The standard bitmap
+		list format is used (e.g. "1,2-6,9").
+
+What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/pr_canceled_csks
+Date:		Jul 2022
+KernelVersion:	5.19
+Contact:	Russ Weight <russell.h.weight@intel.com>
+Description:	Read only. Returns a list of indices for canceled code
+		signing keys for the partial reconfiguration region. The
+		standard bitmap list format is used (e.g. "1,2-6,9").
+
+What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/bmc_canceled_csks
+Date:		Jul 2022
+KernelVersion:	5.19
+Contact:	Russ Weight <russell.h.weight@intel.com>
+Description:	Read only. Returns a list of indices for canceled code
+		signing keys for the BMC.  The standard bitmap list format
+		is used (e.g. "1,2-6,9").
+
 What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/flash_count
 Date:		Jul 2022
 KernelVersion:	5.19
diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
index 25b21f116976..65fec2a70901 100644
--- a/drivers/fpga/intel-m10-bmc-sec-update.c
+++ b/drivers/fpga/intel-m10-bmc-sec-update.c
@@ -78,6 +78,57 @@ DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
 DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
 DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
 
+#define CSK_BIT_LEN		128U
+#define CSK_32ARRAY_SIZE	DIV_ROUND_UP(CSK_BIT_LEN, 32)
+
+static ssize_t
+show_canceled_csk(struct device *dev, u32 addr, char *buf)
+{
+	unsigned int i, stride, size = CSK_32ARRAY_SIZE * sizeof(u32);
+	struct m10bmc_sec *sec = dev_get_drvdata(dev);
+	DECLARE_BITMAP(csk_map, CSK_BIT_LEN);
+	__le32 csk_le32[CSK_32ARRAY_SIZE];
+	u32 csk32[CSK_32ARRAY_SIZE];
+	int ret;
+
+	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+	if (size % stride) {
+		dev_err(sec->dev,
+			"CSK vector size (0x%x) not aligned to stride (0x%x)\n",
+			size, stride);
+		WARN_ON_ONCE(1);
+		return -EINVAL;
+	}
+
+	ret = regmap_bulk_read(sec->m10bmc->regmap, addr, csk_le32,
+			       size / stride);
+	if (ret) {
+		dev_err(sec->dev, "failed to read CSK vector: %x cnt %x: %d\n",
+			addr, size / stride, ret);
+		return ret;
+	}
+
+	for (i = 0; i < CSK_32ARRAY_SIZE; i++)
+		csk32[i] = le32_to_cpu(((csk_le32[i])));
+
+	bitmap_from_arr32(csk_map, csk32, CSK_BIT_LEN);
+	bitmap_complement(csk_map, csk_map, CSK_BIT_LEN);
+	return bitmap_print_to_pagebuf(1, buf, csk_map, CSK_BIT_LEN);
+}
+
+#define DEVICE_ATTR_SEC_CSK_RO(_name, _addr) \
+static ssize_t _name##_canceled_csks_show(struct device *dev, \
+					  struct device_attribute *attr, \
+					  char *buf) \
+{ return show_canceled_csk(dev, _addr, buf); } \
+static DEVICE_ATTR_RO(_name##_canceled_csks)
+
+#define CSK_VEC_OFFSET 0x34
+
+DEVICE_ATTR_SEC_CSK_RO(bmc, BMC_PROG_ADDR + CSK_VEC_OFFSET);
+DEVICE_ATTR_SEC_CSK_RO(sr, SR_PROG_ADDR + CSK_VEC_OFFSET);
+DEVICE_ATTR_SEC_CSK_RO(pr, PR_PROG_ADDR + CSK_VEC_OFFSET);
+
 #define FLASH_COUNT_SIZE 4096	/* count stored as inverted bit vector */
 
 static ssize_t flash_count_show(struct device *dev,
@@ -125,6 +176,9 @@ static struct attribute *m10bmc_security_attrs[] = {
 	&dev_attr_bmc_root_entry_hash.attr,
 	&dev_attr_sr_root_entry_hash.attr,
 	&dev_attr_pr_root_entry_hash.attr,
+	&dev_attr_sr_canceled_csks.attr,
+	&dev_attr_pr_canceled_csks.attr,
+	&dev_attr_bmc_canceled_csks.attr,
 	NULL,
 };
 
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH v21 5/5] fpga: m10bmc-sec: add max10 secure update functions
  2022-05-21  0:36 [PATCH v21 0/5] FPGA MAX10 BMC Secure Update Driver Russ Weight
                   ` (3 preceding siblings ...)
  2022-05-21  0:36 ` [PATCH v21 4/5] fpga: m10bmc-sec: expose max10 canceled keys in sysfs Russ Weight
@ 2022-05-21  0:36 ` Russ Weight
  2022-05-26  7:48   ` Xu Yilun
  4 siblings, 1 reply; 17+ messages in thread
From: Russ Weight @ 2022-05-21  0:36 UTC (permalink / raw)
  To: mdf, hao.wu, yilun.xu, lee.jones, linux-fpga, linux-kernel
  Cc: trix, marpagan, lgoncalv, matthew.gerlach,
	basheer.ahmed.muddebihal, tianfei.zhang, Russ Weight

Create firmware upload ops and call the Firmware Upload support of the
Firmware Loader subsystem to enable FPGA image uploads for secure
updates of BMC images, FPGA images, etc.

Signed-off-by: Russ Weight <russell.h.weight@intel.com>
---
v21:
  - Update m10bmc_sec_prepare() to ensure that the base address for an
    update image is aligned with stride.
  - Update m10bmc_sec_write() to handle a block size that is not aligned
    with stride by allocating a zero-filled block that is aligned, and
    copying the data before calling regmap_bulk_write().
v20:
  - No change.
v19:
  - Change "card bmc" naming back to "m10 bmc" naming to be consistent
    with the parent driver.
v18:
  - Moved the firmware_upload_register() function here from an earlier
    patch since this is where the required ops are provided.
  - Moved the bmc_sec_remove() function here from an earlier patch to
    unregister the firmware driver and do cleanup.
v17:
  - Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
    future devices will not necessarily use the MAX10.
  - Change from image_load class driver to the new firmware_upload 
    functionality of the firmware_loader.
  - fw_upload_ops functions will return "enum fw_upload_err" data types
    instead of integer values.
v16:
  - Use 0 instead of FPGA_IMAGE_ERR_NONE to indicate success.
  - The size alignment check was moved from the FPGA Image Load framework
    to the prepare() op.
  - Added cancel_request boolean flag to struct m10bmc_sec.
  - Moved the RSU cancellation logic from m10bmc_sec_cancel() to a new
    rsu_cancel() function.
  - The m10bmc_sec_cancel() function ONLY sets the cancel_request flag.
    The cancel_request flag is checked at the beginning of the
    m10bmc_sec_write() and m10bmc_sec_poll_complete() functions.
  - Adapt to changed prototypes for the prepare() and write() ops. The
    m10bmc_sec_write_blk() function has been renamed to
    m10bmc_sec_write().
  - Created a cleanup() op, m10bmc_sec_cleanup(), to attempt to cancel an
    ongoing op during when exiting the update process.
v15:
  - Adapted to changes in the FPGA Image Load framework:
    (1) All enum types (progress and errors) are now type u32
    (2) m10bmc_sec_write_blk() adds *blk_size and max_size parameters
        and uses *blk_size as provided by the caller.
    (3) m10bmc_sec_poll_complete() no long checks the driver_unload
        flag.
v14:
  - Changed symbol names to reflect the renaming of the Security Manager
    Class driver to FPGA Image Load.
v13:
  - No change
v12:
  - Updated Date and KernelVersion fields in ABI documentation
  - Removed size parameter from the write_blk() op. m10bmc_sec_write_blk()
    no longer has a size parameter, and the block size is determined
    in this (the lower-level) driver.
v11:
  - No change
v10:
  - No change
v9:
  - No change
v8:
  - Previously patch 5/6, otherwise no change
v7:
  - No change
v6:
  - Changed (size / stride) calculation to ((size + stride - 1) / stride)
    to ensure that the proper count is passed to regmap_bulk_write().
  - Removed unnecessary call to rsu_check_complete() in
    m10bmc_sec_poll_complete() and changed while loop to
    do/while loop.
v5:
  - No change
v4:
  - No change
v3:
  - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
  - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
    driver"
  - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
    underlying functions are now called directly.
  - Changed calling functions of functions that return "enum fpga_sec_err"
    to check for (ret != FPGA_SEC_ERR_NONE) instead of (ret)
v2:
  - Reworked the rsu_start_done() function to make it more readable
  - Reworked while-loop condition/content in rsu_prog_ready()
  - Minor code cleanup per review comments
  - Added a comment to the m10bmc_sec_poll_complete() function to
    explain the context (could take 30+ minutes to complete).
  - Added m10bmc_ prefix to functions in m10bmc_iops structure
  - Moved MAX10 BMC address and function definitions to a separate
    patch.
---
 drivers/fpga/intel-m10-bmc-sec-update.c | 409 ++++++++++++++++++++++++
 1 file changed, 409 insertions(+)

diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
index 65fec2a70901..7c48c47a74a6 100644
--- a/drivers/fpga/intel-m10-bmc-sec-update.c
+++ b/drivers/fpga/intel-m10-bmc-sec-update.c
@@ -17,8 +17,14 @@
 struct m10bmc_sec {
 	struct device *dev;
 	struct intel_m10bmc *m10bmc;
+	struct fw_upload *fwl;
+	char *fw_name;
+	u32 fw_name_id;
+	bool cancel_request;
 };
 
+static DEFINE_XARRAY_ALLOC(fw_upload_xa);
+
 /* Root Entry Hash (REH) support */
 #define REH_SHA256_SIZE		32
 #define REH_SHA384_SIZE		48
@@ -192,10 +198,380 @@ static const struct attribute_group *m10bmc_sec_attr_groups[] = {
 	NULL,
 };
 
+static void log_error_regs(struct m10bmc_sec *sec, u32 doorbell)
+{
+	u32 auth_result;
+
+	dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);
+
+	if (!m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result))
+		dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
+}
+
+static enum fw_upload_err rsu_check_idle(struct m10bmc_sec *sec)
+{
+	u32 doorbell;
+	int ret;
+
+	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+	if (ret)
+		return FW_UPLOAD_ERR_RW_ERROR;
+
+	if (rsu_prog(doorbell) != RSU_PROG_IDLE &&
+	    rsu_prog(doorbell) != RSU_PROG_RSU_DONE) {
+		log_error_regs(sec, doorbell);
+		return FW_UPLOAD_ERR_BUSY;
+	}
+
+	return FW_UPLOAD_ERR_NONE;
+}
+
+static inline bool rsu_start_done(u32 doorbell)
+{
+	u32 status, progress;
+
+	if (doorbell & DRBL_RSU_REQUEST)
+		return false;
+
+	status = rsu_stat(doorbell);
+	if (status == RSU_STAT_ERASE_FAIL || status == RSU_STAT_WEAROUT)
+		return true;
+
+	progress = rsu_prog(doorbell);
+	if (progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE)
+		return true;
+
+	return false;
+}
+
+static enum fw_upload_err rsu_update_init(struct m10bmc_sec *sec)
+{
+	u32 doorbell, status;
+	int ret;
+
+	ret = regmap_update_bits(sec->m10bmc->regmap,
+				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
+				 DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
+				 DRBL_RSU_REQUEST |
+				 FIELD_PREP(DRBL_HOST_STATUS,
+					    HOST_STATUS_IDLE));
+	if (ret)
+		return FW_UPLOAD_ERR_RW_ERROR;
+
+	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
+				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
+				       doorbell,
+				       rsu_start_done(doorbell),
+				       NIOS_HANDSHAKE_INTERVAL_US,
+				       NIOS_HANDSHAKE_TIMEOUT_US);
+
+	if (ret == -ETIMEDOUT) {
+		log_error_regs(sec, doorbell);
+		return FW_UPLOAD_ERR_TIMEOUT;
+	} else if (ret) {
+		return FW_UPLOAD_ERR_RW_ERROR;
+	}
+
+	status = rsu_stat(doorbell);
+	if (status == RSU_STAT_WEAROUT) {
+		dev_warn(sec->dev, "Excessive flash update count detected\n");
+		return FW_UPLOAD_ERR_WEAROUT;
+	} else if (status == RSU_STAT_ERASE_FAIL) {
+		log_error_regs(sec, doorbell);
+		return FW_UPLOAD_ERR_HW_ERROR;
+	}
+
+	return FW_UPLOAD_ERR_NONE;
+}
+
+static enum fw_upload_err rsu_prog_ready(struct m10bmc_sec *sec)
+{
+	unsigned long poll_timeout;
+	u32 doorbell, progress;
+	int ret;
+
+	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+	if (ret)
+		return FW_UPLOAD_ERR_RW_ERROR;
+
+	poll_timeout = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
+	while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
+		msleep(RSU_PREP_INTERVAL_MS);
+		if (time_after(jiffies, poll_timeout))
+			break;
+
+		ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+		if (ret)
+			return FW_UPLOAD_ERR_RW_ERROR;
+	}
+
+	progress = rsu_prog(doorbell);
+	if (progress == RSU_PROG_PREPARE) {
+		log_error_regs(sec, doorbell);
+		return FW_UPLOAD_ERR_TIMEOUT;
+	} else if (progress != RSU_PROG_READY) {
+		log_error_regs(sec, doorbell);
+		return FW_UPLOAD_ERR_HW_ERROR;
+	}
+
+	return FW_UPLOAD_ERR_NONE;
+}
+
+static enum fw_upload_err rsu_send_data(struct m10bmc_sec *sec)
+{
+	u32 doorbell;
+	int ret;
+
+	ret = regmap_update_bits(sec->m10bmc->regmap,
+				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
+				 DRBL_HOST_STATUS,
+				 FIELD_PREP(DRBL_HOST_STATUS,
+					    HOST_STATUS_WRITE_DONE));
+	if (ret)
+		return FW_UPLOAD_ERR_RW_ERROR;
+
+	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
+				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
+				       doorbell,
+				       rsu_prog(doorbell) != RSU_PROG_READY,
+				       NIOS_HANDSHAKE_INTERVAL_US,
+				       NIOS_HANDSHAKE_TIMEOUT_US);
+
+	if (ret == -ETIMEDOUT) {
+		log_error_regs(sec, doorbell);
+		return FW_UPLOAD_ERR_TIMEOUT;
+	} else if (ret) {
+		return FW_UPLOAD_ERR_RW_ERROR;
+	}
+
+	switch (rsu_stat(doorbell)) {
+	case RSU_STAT_NORMAL:
+	case RSU_STAT_NIOS_OK:
+	case RSU_STAT_USER_OK:
+	case RSU_STAT_FACTORY_OK:
+		break;
+	default:
+		log_error_regs(sec, doorbell);
+		return FW_UPLOAD_ERR_HW_ERROR;
+	}
+
+	return FW_UPLOAD_ERR_NONE;
+}
+
+static int rsu_check_complete(struct m10bmc_sec *sec, u32 *doorbell)
+{
+	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
+		return -EIO;
+
+	switch (rsu_stat(*doorbell)) {
+	case RSU_STAT_NORMAL:
+	case RSU_STAT_NIOS_OK:
+	case RSU_STAT_USER_OK:
+	case RSU_STAT_FACTORY_OK:
+		break;
+	default:
+		return -EINVAL;
+	}
+
+	switch (rsu_prog(*doorbell)) {
+	case RSU_PROG_IDLE:
+	case RSU_PROG_RSU_DONE:
+		return 0;
+	case RSU_PROG_AUTHENTICATING:
+	case RSU_PROG_COPYING:
+	case RSU_PROG_UPDATE_CANCEL:
+	case RSU_PROG_PROGRAM_KEY_HASH:
+		return -EAGAIN;
+	default:
+		return -EINVAL;
+	}
+}
+
+static enum fw_upload_err rsu_cancel(struct m10bmc_sec *sec)
+{
+	u32 doorbell;
+	int ret;
+
+	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+	if (ret)
+		return FW_UPLOAD_ERR_RW_ERROR;
+
+	if (rsu_prog(doorbell) != RSU_PROG_READY)
+		return FW_UPLOAD_ERR_BUSY;
+
+	ret = regmap_update_bits(sec->m10bmc->regmap,
+				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
+				 DRBL_HOST_STATUS,
+				 FIELD_PREP(DRBL_HOST_STATUS,
+					    HOST_STATUS_ABORT_RSU));
+	if (ret)
+		return FW_UPLOAD_ERR_RW_ERROR;
+
+	return FW_UPLOAD_ERR_CANCELED;
+}
+
+static enum fw_upload_err m10bmc_sec_prepare(struct fw_upload *fwl,
+					     const u8 *data, u32 size)
+{
+	struct m10bmc_sec *sec = fwl->dd_handle;
+	unsigned int stride;
+	u32 ret;
+
+	sec->cancel_request = false;
+
+	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+	if (!IS_ALIGNED((unsigned long)data, stride)) {
+		dev_err(sec->dev,
+			"%s address (0x%p) not aligned to stride (0x%x)\n",
+			__func__, data, stride);
+		return FW_UPLOAD_ERR_RW_ERROR;
+	}
+
+	if (!size || size > M10BMC_STAGING_SIZE)
+		return FW_UPLOAD_ERR_INVALID_SIZE;
+
+	ret = rsu_check_idle(sec);
+	if (ret != FW_UPLOAD_ERR_NONE)
+		return ret;
+
+	ret = rsu_update_init(sec);
+	if (ret != FW_UPLOAD_ERR_NONE)
+		return ret;
+
+	ret = rsu_prog_ready(sec);
+	if (ret != FW_UPLOAD_ERR_NONE)
+		return ret;
+
+	if (sec->cancel_request)
+		return rsu_cancel(sec);
+
+	return FW_UPLOAD_ERR_NONE;
+}
+
+#define WRITE_BLOCK_SIZE 0x4000	/* Default write-block size is 0x4000 bytes */
+
+static enum fw_upload_err m10bmc_sec_write(struct fw_upload *fwl, const u8 *data,
+					   u32 offset, u32 size, u32 *written)
+{
+	struct m10bmc_sec *sec = fwl->dd_handle;
+	u32 blk_size, doorbell;
+	unsigned int stride;
+	u8 *blk_addr;
+	int ret;
+
+	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+	if (sec->cancel_request)
+		return rsu_cancel(sec);
+
+	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+	if (ret) {
+		return FW_UPLOAD_ERR_RW_ERROR;
+	} else if (rsu_prog(doorbell) != RSU_PROG_READY) {
+		log_error_regs(sec, doorbell);
+		return FW_UPLOAD_ERR_HW_ERROR;
+	}
+
+	WARN_ON_ONCE(WRITE_BLOCK_SIZE % stride);
+	blk_size = min_t(u32, WRITE_BLOCK_SIZE, size);
+
+	/*
+	 * If the source data size does not align to stride, then create
+	 * a temporary buffer that is aligned, copy the data, and use the
+	 * temporary buffer as the source for the write.
+	 */
+	if (blk_size % stride) {
+		blk_addr = kzalloc(blk_size + blk_size % stride, GFP_KERNEL);
+		if (!blk_addr)
+			return FW_UPLOAD_ERR_RW_ERROR;
+		memcpy(blk_addr, data + offset, blk_size);
+	} else {
+		blk_addr = (u8 *)data + offset;
+	}
+
+	ret = regmap_bulk_write(sec->m10bmc->regmap,
+				M10BMC_STAGING_BASE + offset, blk_addr,
+				(blk_size + stride - 1) / stride);
+
+	if (blk_size % stride)
+		kfree(blk_addr);
+
+	if (ret)
+		return FW_UPLOAD_ERR_RW_ERROR;
+
+	*written = blk_size;
+	return FW_UPLOAD_ERR_NONE;
+}
+
+static enum fw_upload_err m10bmc_sec_poll_complete(struct fw_upload *fwl)
+{
+	struct m10bmc_sec *sec = fwl->dd_handle;
+	unsigned long poll_timeout;
+	u32 doorbell, result;
+	int ret;
+
+	if (sec->cancel_request)
+		return rsu_cancel(sec);
+
+	result = rsu_send_data(sec);
+	if (result != FW_UPLOAD_ERR_NONE)
+		return result;
+
+	poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
+	do {
+		msleep(RSU_COMPLETE_INTERVAL_MS);
+		ret = rsu_check_complete(sec, &doorbell);
+	} while (ret == -EAGAIN && !time_after(jiffies, poll_timeout));
+
+	if (ret == -EAGAIN) {
+		log_error_regs(sec, doorbell);
+		return FW_UPLOAD_ERR_TIMEOUT;
+	} else if (ret == -EIO) {
+		return FW_UPLOAD_ERR_RW_ERROR;
+	} else if (ret) {
+		log_error_regs(sec, doorbell);
+		return FW_UPLOAD_ERR_HW_ERROR;
+	}
+
+	return FW_UPLOAD_ERR_NONE;
+}
+
+/*
+ * m10bmc_sec_cancel() may be called asynchronously with an on-going update.
+ * All other functions are called sequentially in a single thread. To avoid
+ * contention on register accesses, m10bmc_sec_cancel() must only update
+ * the cancel_request flag. Other functions will check this flag and handle
+ * the cancel request synchronously.
+ */
+static void m10bmc_sec_cancel(struct fw_upload *fwl)
+{
+	struct m10bmc_sec *sec = fwl->dd_handle;
+
+	sec->cancel_request = true;
+}
+
+static void m10bmc_sec_cleanup(struct fw_upload *fwl)
+{
+	struct m10bmc_sec *sec = fwl->dd_handle;
+
+	(void)rsu_cancel(sec);
+}
+
+static const struct fw_upload_ops m10bmc_ops = {
+	.prepare = m10bmc_sec_prepare,
+	.write = m10bmc_sec_write,
+	.poll_complete = m10bmc_sec_poll_complete,
+	.cancel = m10bmc_sec_cancel,
+	.cleanup = m10bmc_sec_cleanup,
+};
+
 #define SEC_UPDATE_LEN_MAX 32
 static int m10bmc_sec_probe(struct platform_device *pdev)
 {
+	char buf[SEC_UPDATE_LEN_MAX];
 	struct m10bmc_sec *sec;
+	struct fw_upload *fwl;
+	unsigned int len;
+	int  ret;
 
 	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
 	if (!sec)
@@ -205,6 +581,38 @@ static int m10bmc_sec_probe(struct platform_device *pdev)
 	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
 	dev_set_drvdata(&pdev->dev, sec);
 
+	ret = xa_alloc(&fw_upload_xa, &sec->fw_name_id, sec,
+		       xa_limit_32b, GFP_KERNEL);
+	if (ret)
+		return ret;
+
+	len = scnprintf(buf, SEC_UPDATE_LEN_MAX, "secure-update%d",
+			sec->fw_name_id);
+	sec->fw_name = kmemdup_nul(buf, len, GFP_KERNEL);
+	if (!sec->fw_name)
+		return -ENOMEM;
+
+	fwl = firmware_upload_register(THIS_MODULE, sec->dev, sec->fw_name,
+				       &m10bmc_ops, sec);
+	if (IS_ERR(fwl)) {
+		dev_err(sec->dev, "Firmware Upload driver failed to start\n");
+		kfree(sec->fw_name);
+		xa_erase(&fw_upload_xa, sec->fw_name_id);
+		return PTR_ERR(fwl);
+	}
+
+	sec->fwl = fwl;
+	return 0;
+}
+
+static int m10bmc_sec_remove(struct platform_device *pdev)
+{
+	struct m10bmc_sec *sec = dev_get_drvdata(&pdev->dev);
+
+	firmware_upload_unregister(sec->fwl);
+	kfree(sec->fw_name);
+	xa_erase(&fw_upload_xa, sec->fw_name_id);
+
 	return 0;
 }
 
@@ -218,6 +626,7 @@ MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
 
 static struct platform_driver intel_m10bmc_sec_driver = {
 	.probe = m10bmc_sec_probe,
+	.remove = m10bmc_sec_remove,
 	.driver = {
 		.name = "intel-m10bmc-sec-update",
 		.dev_groups = m10bmc_sec_attr_groups,
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 5/5] fpga: m10bmc-sec: add max10 secure update functions
  2022-05-21  0:36 ` [PATCH v21 5/5] fpga: m10bmc-sec: add max10 secure update functions Russ Weight
@ 2022-05-26  7:48   ` Xu Yilun
  2022-05-26 21:27     ` Russ Weight
  0 siblings, 1 reply; 17+ messages in thread
From: Xu Yilun @ 2022-05-26  7:48 UTC (permalink / raw)
  To: Russ Weight
  Cc: mdf, hao.wu, lee.jones, linux-fpga, linux-kernel, trix, marpagan,
	lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang

On Fri, May 20, 2022 at 05:36:07PM -0700, Russ Weight wrote:
> Create firmware upload ops and call the Firmware Upload support of the
> Firmware Loader subsystem to enable FPGA image uploads for secure
> updates of BMC images, FPGA images, etc.
> 
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> ---
> v21:
>   - Update m10bmc_sec_prepare() to ensure that the base address for an
>     update image is aligned with stride.
>   - Update m10bmc_sec_write() to handle a block size that is not aligned
>     with stride by allocating a zero-filled block that is aligned, and
>     copying the data before calling regmap_bulk_write().
> v20:
>   - No change.
> v19:
>   - Change "card bmc" naming back to "m10 bmc" naming to be consistent
>     with the parent driver.
> v18:
>   - Moved the firmware_upload_register() function here from an earlier
>     patch since this is where the required ops are provided.
>   - Moved the bmc_sec_remove() function here from an earlier patch to
>     unregister the firmware driver and do cleanup.
> v17:
>   - Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
>     future devices will not necessarily use the MAX10.
>   - Change from image_load class driver to the new firmware_upload 
>     functionality of the firmware_loader.
>   - fw_upload_ops functions will return "enum fw_upload_err" data types
>     instead of integer values.
> v16:
>   - Use 0 instead of FPGA_IMAGE_ERR_NONE to indicate success.
>   - The size alignment check was moved from the FPGA Image Load framework
>     to the prepare() op.
>   - Added cancel_request boolean flag to struct m10bmc_sec.
>   - Moved the RSU cancellation logic from m10bmc_sec_cancel() to a new
>     rsu_cancel() function.
>   - The m10bmc_sec_cancel() function ONLY sets the cancel_request flag.
>     The cancel_request flag is checked at the beginning of the
>     m10bmc_sec_write() and m10bmc_sec_poll_complete() functions.
>   - Adapt to changed prototypes for the prepare() and write() ops. The
>     m10bmc_sec_write_blk() function has been renamed to
>     m10bmc_sec_write().
>   - Created a cleanup() op, m10bmc_sec_cleanup(), to attempt to cancel an
>     ongoing op during when exiting the update process.
> v15:
>   - Adapted to changes in the FPGA Image Load framework:
>     (1) All enum types (progress and errors) are now type u32
>     (2) m10bmc_sec_write_blk() adds *blk_size and max_size parameters
>         and uses *blk_size as provided by the caller.
>     (3) m10bmc_sec_poll_complete() no long checks the driver_unload
>         flag.
> v14:
>   - Changed symbol names to reflect the renaming of the Security Manager
>     Class driver to FPGA Image Load.
> v13:
>   - No change
> v12:
>   - Updated Date and KernelVersion fields in ABI documentation
>   - Removed size parameter from the write_blk() op. m10bmc_sec_write_blk()
>     no longer has a size parameter, and the block size is determined
>     in this (the lower-level) driver.
> v11:
>   - No change
> v10:
>   - No change
> v9:
>   - No change
> v8:
>   - Previously patch 5/6, otherwise no change
> v7:
>   - No change
> v6:
>   - Changed (size / stride) calculation to ((size + stride - 1) / stride)
>     to ensure that the proper count is passed to regmap_bulk_write().
>   - Removed unnecessary call to rsu_check_complete() in
>     m10bmc_sec_poll_complete() and changed while loop to
>     do/while loop.
> v5:
>   - No change
> v4:
>   - No change
> v3:
>   - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
>   - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
>     driver"
>   - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
>     underlying functions are now called directly.
>   - Changed calling functions of functions that return "enum fpga_sec_err"
>     to check for (ret != FPGA_SEC_ERR_NONE) instead of (ret)
> v2:
>   - Reworked the rsu_start_done() function to make it more readable
>   - Reworked while-loop condition/content in rsu_prog_ready()
>   - Minor code cleanup per review comments
>   - Added a comment to the m10bmc_sec_poll_complete() function to
>     explain the context (could take 30+ minutes to complete).
>   - Added m10bmc_ prefix to functions in m10bmc_iops structure
>   - Moved MAX10 BMC address and function definitions to a separate
>     patch.
> ---
>  drivers/fpga/intel-m10-bmc-sec-update.c | 409 ++++++++++++++++++++++++
>  1 file changed, 409 insertions(+)
> 
> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
> index 65fec2a70901..7c48c47a74a6 100644
> --- a/drivers/fpga/intel-m10-bmc-sec-update.c
> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
> @@ -17,8 +17,14 @@
>  struct m10bmc_sec {
>  	struct device *dev;
>  	struct intel_m10bmc *m10bmc;
> +	struct fw_upload *fwl;
> +	char *fw_name;
> +	u32 fw_name_id;
> +	bool cancel_request;
>  };
>  
> +static DEFINE_XARRAY_ALLOC(fw_upload_xa);
> +
>  /* Root Entry Hash (REH) support */
>  #define REH_SHA256_SIZE		32
>  #define REH_SHA384_SIZE		48
> @@ -192,10 +198,380 @@ static const struct attribute_group *m10bmc_sec_attr_groups[] = {
>  	NULL,
>  };
>  
> +static void log_error_regs(struct m10bmc_sec *sec, u32 doorbell)
> +{
> +	u32 auth_result;
> +
> +	dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);
> +
> +	if (!m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result))
> +		dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
> +}
> +
> +static enum fw_upload_err rsu_check_idle(struct m10bmc_sec *sec)
> +{
> +	u32 doorbell;
> +	int ret;
> +
> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> +	if (ret)
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +
> +	if (rsu_prog(doorbell) != RSU_PROG_IDLE &&
> +	    rsu_prog(doorbell) != RSU_PROG_RSU_DONE) {
> +		log_error_regs(sec, doorbell);
> +		return FW_UPLOAD_ERR_BUSY;
> +	}
> +
> +	return FW_UPLOAD_ERR_NONE;
> +}
> +
> +static inline bool rsu_start_done(u32 doorbell)
> +{
> +	u32 status, progress;
> +
> +	if (doorbell & DRBL_RSU_REQUEST)
> +		return false;
> +
> +	status = rsu_stat(doorbell);
> +	if (status == RSU_STAT_ERASE_FAIL || status == RSU_STAT_WEAROUT)
> +		return true;
> +
> +	progress = rsu_prog(doorbell);
> +	if (progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE)
> +		return true;
> +
> +	return false;
> +}
> +
> +static enum fw_upload_err rsu_update_init(struct m10bmc_sec *sec)
> +{
> +	u32 doorbell, status;
> +	int ret;
> +
> +	ret = regmap_update_bits(sec->m10bmc->regmap,
> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
> +				 DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
> +				 DRBL_RSU_REQUEST |
> +				 FIELD_PREP(DRBL_HOST_STATUS,
> +					    HOST_STATUS_IDLE));
> +	if (ret)
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +
> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
> +				       doorbell,
> +				       rsu_start_done(doorbell),
> +				       NIOS_HANDSHAKE_INTERVAL_US,
> +				       NIOS_HANDSHAKE_TIMEOUT_US);
> +
> +	if (ret == -ETIMEDOUT) {
> +		log_error_regs(sec, doorbell);
> +		return FW_UPLOAD_ERR_TIMEOUT;
> +	} else if (ret) {
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +	}
> +
> +	status = rsu_stat(doorbell);
> +	if (status == RSU_STAT_WEAROUT) {
> +		dev_warn(sec->dev, "Excessive flash update count detected\n");
> +		return FW_UPLOAD_ERR_WEAROUT;
> +	} else if (status == RSU_STAT_ERASE_FAIL) {
> +		log_error_regs(sec, doorbell);
> +		return FW_UPLOAD_ERR_HW_ERROR;
> +	}
> +
> +	return FW_UPLOAD_ERR_NONE;
> +}
> +
> +static enum fw_upload_err rsu_prog_ready(struct m10bmc_sec *sec)
> +{
> +	unsigned long poll_timeout;
> +	u32 doorbell, progress;
> +	int ret;
> +
> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> +	if (ret)
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +
> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
> +	while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
> +		msleep(RSU_PREP_INTERVAL_MS);
> +		if (time_after(jiffies, poll_timeout))
> +			break;
> +
> +		ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> +		if (ret)
> +			return FW_UPLOAD_ERR_RW_ERROR;
> +	}
> +
> +	progress = rsu_prog(doorbell);
> +	if (progress == RSU_PROG_PREPARE) {
> +		log_error_regs(sec, doorbell);
> +		return FW_UPLOAD_ERR_TIMEOUT;
> +	} else if (progress != RSU_PROG_READY) {
> +		log_error_regs(sec, doorbell);
> +		return FW_UPLOAD_ERR_HW_ERROR;
> +	}
> +
> +	return FW_UPLOAD_ERR_NONE;
> +}
> +
> +static enum fw_upload_err rsu_send_data(struct m10bmc_sec *sec)
> +{
> +	u32 doorbell;
> +	int ret;
> +
> +	ret = regmap_update_bits(sec->m10bmc->regmap,
> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
> +				 DRBL_HOST_STATUS,
> +				 FIELD_PREP(DRBL_HOST_STATUS,
> +					    HOST_STATUS_WRITE_DONE));
> +	if (ret)
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +
> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
> +				       doorbell,
> +				       rsu_prog(doorbell) != RSU_PROG_READY,
> +				       NIOS_HANDSHAKE_INTERVAL_US,
> +				       NIOS_HANDSHAKE_TIMEOUT_US);
> +
> +	if (ret == -ETIMEDOUT) {
> +		log_error_regs(sec, doorbell);
> +		return FW_UPLOAD_ERR_TIMEOUT;
> +	} else if (ret) {
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +	}
> +
> +	switch (rsu_stat(doorbell)) {
> +	case RSU_STAT_NORMAL:
> +	case RSU_STAT_NIOS_OK:
> +	case RSU_STAT_USER_OK:
> +	case RSU_STAT_FACTORY_OK:
> +		break;
> +	default:
> +		log_error_regs(sec, doorbell);
> +		return FW_UPLOAD_ERR_HW_ERROR;
> +	}
> +
> +	return FW_UPLOAD_ERR_NONE;
> +}
> +
> +static int rsu_check_complete(struct m10bmc_sec *sec, u32 *doorbell)
> +{
> +	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
> +		return -EIO;
> +
> +	switch (rsu_stat(*doorbell)) {
> +	case RSU_STAT_NORMAL:
> +	case RSU_STAT_NIOS_OK:
> +	case RSU_STAT_USER_OK:
> +	case RSU_STAT_FACTORY_OK:
> +		break;
> +	default:
> +		return -EINVAL;
> +	}
> +
> +	switch (rsu_prog(*doorbell)) {
> +	case RSU_PROG_IDLE:
> +	case RSU_PROG_RSU_DONE:
> +		return 0;
> +	case RSU_PROG_AUTHENTICATING:
> +	case RSU_PROG_COPYING:
> +	case RSU_PROG_UPDATE_CANCEL:
> +	case RSU_PROG_PROGRAM_KEY_HASH:
> +		return -EAGAIN;
> +	default:
> +		return -EINVAL;
> +	}
> +}
> +
> +static enum fw_upload_err rsu_cancel(struct m10bmc_sec *sec)
> +{
> +	u32 doorbell;
> +	int ret;
> +
> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> +	if (ret)
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +
> +	if (rsu_prog(doorbell) != RSU_PROG_READY)
> +		return FW_UPLOAD_ERR_BUSY;
> +
> +	ret = regmap_update_bits(sec->m10bmc->regmap,
> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
> +				 DRBL_HOST_STATUS,
> +				 FIELD_PREP(DRBL_HOST_STATUS,
> +					    HOST_STATUS_ABORT_RSU));
> +	if (ret)
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +
> +	return FW_UPLOAD_ERR_CANCELED;
> +}
> +
> +static enum fw_upload_err m10bmc_sec_prepare(struct fw_upload *fwl,
> +					     const u8 *data, u32 size)
> +{
> +	struct m10bmc_sec *sec = fwl->dd_handle;
> +	unsigned int stride;
> +	u32 ret;
> +
> +	sec->cancel_request = false;
> +
> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> +	if (!IS_ALIGNED((unsigned long)data, stride)) {
> +		dev_err(sec->dev,
> +			"%s address (0x%p) not aligned to stride (0x%x)\n",
> +			__func__, data, stride);
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +	}

Why the base of the source data should be stride aligned? What prevents
the driver from reading out the unaligned data?

And this may be a too strict rule. I'm not sure who should ensure the
alignment of the firmware data? The firmware upload framework? Or a user
has no idea about the stride and cannot do the right thing.

> +
> +	if (!size || size > M10BMC_STAGING_SIZE)
> +		return FW_UPLOAD_ERR_INVALID_SIZE;
> +
> +	ret = rsu_check_idle(sec);
> +	if (ret != FW_UPLOAD_ERR_NONE)
> +		return ret;
> +
> +	ret = rsu_update_init(sec);
> +	if (ret != FW_UPLOAD_ERR_NONE)
> +		return ret;
> +
> +	ret = rsu_prog_ready(sec);
> +	if (ret != FW_UPLOAD_ERR_NONE)
> +		return ret;
> +
> +	if (sec->cancel_request)
> +		return rsu_cancel(sec);
> +
> +	return FW_UPLOAD_ERR_NONE;
> +}
> +
> +#define WRITE_BLOCK_SIZE 0x4000	/* Default write-block size is 0x4000 bytes */
> +
> +static enum fw_upload_err m10bmc_sec_write(struct fw_upload *fwl, const u8 *data,
> +					   u32 offset, u32 size, u32 *written)
> +{
> +	struct m10bmc_sec *sec = fwl->dd_handle;
> +	u32 blk_size, doorbell;
> +	unsigned int stride;
> +	u8 *blk_addr;
> +	int ret;
> +
> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> +	if (sec->cancel_request)
> +		return rsu_cancel(sec);
> +
> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> +	if (ret) {
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +	} else if (rsu_prog(doorbell) != RSU_PROG_READY) {
> +		log_error_regs(sec, doorbell);
> +		return FW_UPLOAD_ERR_HW_ERROR;
> +	}
> +
> +	WARN_ON_ONCE(WRITE_BLOCK_SIZE % stride);
> +	blk_size = min_t(u32, WRITE_BLOCK_SIZE, size);
> +
> +	/*
> +	 * If the source data size does not align to stride, then create
> +	 * a temporary buffer that is aligned, copy the data, and use the
> +	 * temporary buffer as the source for the write.
> +	 */
> +	if (blk_size % stride) {
> +		blk_addr = kzalloc(blk_size + blk_size % stride, GFP_KERNEL);
> +		if (!blk_addr)
> +			return FW_UPLOAD_ERR_RW_ERROR;
> +		memcpy(blk_addr, data + offset, blk_size);

You don't have to alloc and copy the whole block, just copy the last unaligned
bytes to a local variable and regmap_write().

Others are good to me.

Thanks,
Yilun

> +	} else {
> +		blk_addr = (u8 *)data + offset;
> +	}
> +
> +	ret = regmap_bulk_write(sec->m10bmc->regmap,
> +				M10BMC_STAGING_BASE + offset, blk_addr,
> +				(blk_size + stride - 1) / stride);
> +
> +	if (blk_size % stride)
> +		kfree(blk_addr);
> +
> +	if (ret)
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +
> +	*written = blk_size;
> +	return FW_UPLOAD_ERR_NONE;
> +}
> +
> +static enum fw_upload_err m10bmc_sec_poll_complete(struct fw_upload *fwl)
> +{
> +	struct m10bmc_sec *sec = fwl->dd_handle;
> +	unsigned long poll_timeout;
> +	u32 doorbell, result;
> +	int ret;
> +
> +	if (sec->cancel_request)
> +		return rsu_cancel(sec);
> +
> +	result = rsu_send_data(sec);
> +	if (result != FW_UPLOAD_ERR_NONE)
> +		return result;
> +
> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
> +	do {
> +		msleep(RSU_COMPLETE_INTERVAL_MS);
> +		ret = rsu_check_complete(sec, &doorbell);
> +	} while (ret == -EAGAIN && !time_after(jiffies, poll_timeout));
> +
> +	if (ret == -EAGAIN) {
> +		log_error_regs(sec, doorbell);
> +		return FW_UPLOAD_ERR_TIMEOUT;
> +	} else if (ret == -EIO) {
> +		return FW_UPLOAD_ERR_RW_ERROR;
> +	} else if (ret) {
> +		log_error_regs(sec, doorbell);
> +		return FW_UPLOAD_ERR_HW_ERROR;
> +	}
> +
> +	return FW_UPLOAD_ERR_NONE;
> +}
> +
> +/*
> + * m10bmc_sec_cancel() may be called asynchronously with an on-going update.
> + * All other functions are called sequentially in a single thread. To avoid
> + * contention on register accesses, m10bmc_sec_cancel() must only update
> + * the cancel_request flag. Other functions will check this flag and handle
> + * the cancel request synchronously.
> + */
> +static void m10bmc_sec_cancel(struct fw_upload *fwl)
> +{
> +	struct m10bmc_sec *sec = fwl->dd_handle;
> +
> +	sec->cancel_request = true;
> +}
> +
> +static void m10bmc_sec_cleanup(struct fw_upload *fwl)
> +{
> +	struct m10bmc_sec *sec = fwl->dd_handle;
> +
> +	(void)rsu_cancel(sec);
> +}
> +
> +static const struct fw_upload_ops m10bmc_ops = {
> +	.prepare = m10bmc_sec_prepare,
> +	.write = m10bmc_sec_write,
> +	.poll_complete = m10bmc_sec_poll_complete,
> +	.cancel = m10bmc_sec_cancel,
> +	.cleanup = m10bmc_sec_cleanup,
> +};
> +
>  #define SEC_UPDATE_LEN_MAX 32
>  static int m10bmc_sec_probe(struct platform_device *pdev)
>  {
> +	char buf[SEC_UPDATE_LEN_MAX];
>  	struct m10bmc_sec *sec;
> +	struct fw_upload *fwl;
> +	unsigned int len;
> +	int  ret;
>  
>  	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
>  	if (!sec)
> @@ -205,6 +581,38 @@ static int m10bmc_sec_probe(struct platform_device *pdev)
>  	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
>  	dev_set_drvdata(&pdev->dev, sec);
>  
> +	ret = xa_alloc(&fw_upload_xa, &sec->fw_name_id, sec,
> +		       xa_limit_32b, GFP_KERNEL);
> +	if (ret)
> +		return ret;
> +
> +	len = scnprintf(buf, SEC_UPDATE_LEN_MAX, "secure-update%d",
> +			sec->fw_name_id);
> +	sec->fw_name = kmemdup_nul(buf, len, GFP_KERNEL);
> +	if (!sec->fw_name)
> +		return -ENOMEM;
> +
> +	fwl = firmware_upload_register(THIS_MODULE, sec->dev, sec->fw_name,
> +				       &m10bmc_ops, sec);
> +	if (IS_ERR(fwl)) {
> +		dev_err(sec->dev, "Firmware Upload driver failed to start\n");
> +		kfree(sec->fw_name);
> +		xa_erase(&fw_upload_xa, sec->fw_name_id);
> +		return PTR_ERR(fwl);
> +	}
> +
> +	sec->fwl = fwl;
> +	return 0;
> +}
> +
> +static int m10bmc_sec_remove(struct platform_device *pdev)
> +{
> +	struct m10bmc_sec *sec = dev_get_drvdata(&pdev->dev);
> +
> +	firmware_upload_unregister(sec->fwl);
> +	kfree(sec->fw_name);
> +	xa_erase(&fw_upload_xa, sec->fw_name_id);
> +
>  	return 0;
>  }
>  
> @@ -218,6 +626,7 @@ MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
>  
>  static struct platform_driver intel_m10bmc_sec_driver = {
>  	.probe = m10bmc_sec_probe,
> +	.remove = m10bmc_sec_remove,
>  	.driver = {
>  		.name = "intel-m10bmc-sec-update",
>  		.dev_groups = m10bmc_sec_attr_groups,
> -- 
> 2.25.1

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 1/5] mfd: intel-m10-bmc: Rename n3000bmc-secure driver
  2022-05-21  0:36 ` [PATCH v21 1/5] mfd: intel-m10-bmc: Rename n3000bmc-secure driver Russ Weight
@ 2022-05-26  7:54   ` Xu Yilun
  2022-05-26  8:31     ` Lee Jones
  0 siblings, 1 reply; 17+ messages in thread
From: Xu Yilun @ 2022-05-26  7:54 UTC (permalink / raw)
  To: Russ Weight
  Cc: mdf, hao.wu, lee.jones, linux-fpga, linux-kernel, trix, marpagan,
	lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang

On Fri, May 20, 2022 at 05:36:03PM -0700, Russ Weight wrote:
> The n3000bmc-secure driver has changed to n3000bmc-sec-update. Update
> the name in the list of the intel-m10-bmc sub-drivers.
> 
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> ---
> v21:
>   - No change
> v20:
>   - No change
> v19:
>   - No change
> v18:
>   - No change
> v17:
>   - This is a new patch to change in the name of the secure update
>     driver.
> ---
>  drivers/mfd/intel-m10-bmc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/mfd/intel-m10-bmc.c b/drivers/mfd/intel-m10-bmc.c
> index 8db3bcf5fccc..f4d0d72573c8 100644
> --- a/drivers/mfd/intel-m10-bmc.c
> +++ b/drivers/mfd/intel-m10-bmc.c
> @@ -26,7 +26,7 @@ static struct mfd_cell m10bmc_d5005_subdevs[] = {
>  static struct mfd_cell m10bmc_pacn3000_subdevs[] = {
>  	{ .name = "n3000bmc-hwmon" },
>  	{ .name = "n3000bmc-retimer" },
> -	{ .name = "n3000bmc-secure" },
> +	{ .name = "n3000bmc-sec-update" },

Acked-by: Xu Yilun <yilun.xu@intel.com>

Hi Lee:

Is it good to you? If yes, could I apply this patch to linux-fpga
and submit along with the other patches in this series?

Thanks,
Yilun

>  };
>  
>  static struct mfd_cell m10bmc_n5010_subdevs[] = {
> -- 
> 2.25.1

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 2/5] fpga: m10bmc-sec: create max10 bmc secure update
  2022-05-21  0:36 ` [PATCH v21 2/5] fpga: m10bmc-sec: create max10 bmc secure update Russ Weight
@ 2022-05-26  7:55   ` Xu Yilun
  2022-05-26  8:04   ` Xu Yilun
  1 sibling, 0 replies; 17+ messages in thread
From: Xu Yilun @ 2022-05-26  7:55 UTC (permalink / raw)
  To: Russ Weight
  Cc: mdf, hao.wu, lee.jones, linux-fpga, linux-kernel, trix, marpagan,
	lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang

On Fri, May 20, 2022 at 05:36:04PM -0700, Russ Weight wrote:
> Create a sub-driver for the FPGA Card BMC in order to support secure
> updates.  This patch creates the Max10 BMC Secure Update driver and
> provides sysfs files for displaying the root entry hashes (REH) for the
> FPGA static region (SR), the FPGA Partial Reconfiguration (PR) region,
> and the card BMC.
> 
> The Intel MAX10 BMC Root of Trust (RoT) requires that all BMC Nios firmware
> and FPGA images are authenticated using ECDSA before loading and executing
> on the card. Code Signing Keys (CSK) are used to sign images. CSKs are signed
> by a root key. The root entry hash is created from the root public key.
> 
> The RoT provides authentication by storing an REH bitstream to a write-once
> location. Image signatures are verified against the hash.
> 
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> Reviewed-by: Tom Rix <trix@redhat.com>
> ---
> v21:
>   - No change
> v20:
>   - Added text to the commit message to describe Root Entry Hashes.
>   - Use reverse christmas tree format for local variable declarations in
>     show_root_entry_hash().
>   - Remove WARN_ON() from show_root_entry_hash() and return -EINVAL if 
>     sha_num_bytes is not a multiple of stride.
>   - Move MODULE_DEVICE_TABLE() macro to just beneath the definition of
>     intel_m10bmc_sec_ids[].
> v19:
>   - Change "card bmc" naming back to "m10 bmc" naming to be consistent
>     with the parent driver.
> v18:
>   - Changed the ABI documentation for the Root Entry Hashes to specify
>     string as the format for the output.
>   - Updated comments, strings and config options to more consistently
>     refer to the driver as the Intel FPGA Card BMC Secure Update driver.
>   - Removed an instance of dev_dbg().
>   - Deferred the call to firmware_upload_register() to a later patch
>     where the required ops are provided. The bmc_sec_remove() function is
>     also removed from this patch and added in a later patch.
>   - Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
>     of additional cards to be supported by the same driver.
> v17:
>   - Update the Date and KernelVersion for the ABI documentation to Jul 2022
>     and 5.19 respectively.
>   - Updated the copyright end-date to 2022 for the secure update driver.
>   - Change m10bmc to cardbmc to reflect the fact that the future devices
>     will not necessarily use the MAX10. This affects filenames, configs, and
>     symbol names.
>   - Removed references to the FPGA Image Load class driver and replaced
>     them with the new firmware-upload service from the firmware loader.
>   - Firmware upload requires a unique name for the firmware device. Use
>     xarray_alloc to generate a unique number to append to the name.
>   - Changed the license from GPL to GPLv2 per commit bf7fbeeae6db: 'module:
>     Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity'
> v16:
>   - No Change
> v15:
>   - Updated the Dates and KernelVersions in the ABI documentation
>   - Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
>   - Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
>   - Change instances of *bmc-secure to *bmc-sec-update in file name
>     and symbol names.
>   - Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
>     names.
>   - Change instances of *lops* to *ops* in symbol names.
> v14:
>   - Changed symbol and text references to reflect the renaming of the
>     Security Manager Class driver to FPGA Image Load.
> v13:
>   - Updated copyright to 2021
>   - Updated ABI documentation date and kernel version
>   - Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
>     functions instead of devm_fpga_sec_mgr_create() and
>     devm_fpga_sec_mgr_register().
> v12:
>   - Updated Date and KernelVersion fields in ABI documentation
> v11:
>   - Added Reviewed-by tag
> v10:
>   - Changed the path expressions in the sysfs documentation to
>     replace the n3000 reference with something more generic to
>     accomodate other devices that use the same driver.
> v9:
>   - Rebased to 5.12-rc2 next
>   - Updated Date and KernelVersion in ABI documentation
> v8:
>   - Previously patch 2/6, otherwise no change
> v7:
>   - Updated Date and KernelVersion in ABI documentation
> v6:
>   - Added WARN_ON() call for (sha_num_bytes / stride) to assert
>     that the proper count is passed to regmap_bulk_read().
> v5:
>   - No change
> v4:
>   - Moved sysfs files for displaying the root entry hashes (REH)
>     from the FPGA Security Manager class driver to here. The
>     m10bmc_reh() and m10bmc_reh_size() functions are removed and
>     the functionality from these functions is moved into a
>     show_root_entry_hash() function for displaying the REHs.
>   - Added ABI documentation for the new sysfs entries:
>     sysfs-driver-intel-m10-bmc-secure
>   - Updated the MAINTAINERS file to add the new ABI documentation
>     file: sysfs-driver-intel-m10-bmc-secure
>   - Removed unnecessary ret variable from m10bmc_secure_probe()
>   - Incorporated new devm_fpga_sec_mgr_register() function into
>     m10bmc_secure_probe() and removed the m10bmc_secure_remove()
>     function.
> v3:
>   - Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
>   - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
>   - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure
>     Update driver"
>   - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
>     underlying functions are now called directly.
>   - Changed "_root_entry_hash" to "_reh", with a comment explaining
>     what reh is.
> v2:
>   - Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
>   - Switched to GENMASK(31, 16) for a couple of mask definitions.
>   - Moved MAX10 BMC address and function definitions to a separate
>     patch.
>   - Replaced small function-creation macros with explicit function
>     declarations.
>   - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
>   - Adapted to changes in the Intel FPGA Security Manager by splitting
>     the single call to ifpga_sec_mgr_register() into two function
>     calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
> ---
>  .../sysfs-driver-intel-m10-bmc-sec-update     |  29 ++++
>  MAINTAINERS                                   |   7 +
>  drivers/fpga/Kconfig                          |  12 ++
>  drivers/fpga/Makefile                         |   3 +
>  drivers/fpga/intel-m10-bmc-sec-update.c       | 134 ++++++++++++++++++
>  5 files changed, 185 insertions(+)
>  create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
>  create mode 100644 drivers/fpga/intel-m10-bmc-sec-update.c
> 
> diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> new file mode 100644
> index 000000000000..2bb271695e14
> --- /dev/null
> +++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> @@ -0,0 +1,29 @@
> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/sr_root_entry_hash
> +Date:		Jul 2022
> +KernelVersion:	5.19
> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read only. Returns the root entry hash for the static
> +		region if one is programmed, else it returns the
> +		string: "hash not programmed".  This file is only
> +		visible if the underlying device supports it.
> +		Format: string.
> +
> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/pr_root_entry_hash
> +Date:		Jul 2022
> +KernelVersion:	5.19
> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read only. Returns the root entry hash for the partial
> +		reconfiguration region if one is programmed, else it
> +		returns the string: "hash not programmed".  This file
> +		is only visible if the underlying device supports it.
> +		Format: string.
> +
> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/bmc_root_entry_hash
> +Date:		Jul 2022
> +KernelVersion:	5.19
> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read only. Returns the root entry hash for the BMC image
> +		if one is programmed, else it returns the string:
> +		"hash not programmed".  This file is only visible if the
> +		underlying device supports it.
> +		Format: string.
> diff --git a/MAINTAINERS b/MAINTAINERS
> index a4ae11be9e5d..2f2a736ef790 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -7797,6 +7797,13 @@ F:	Documentation/fpga/
>  F:	drivers/fpga/
>  F:	include/linux/fpga/
>  
> +INTEL MAX10 BMC SECURE UPDATES
> +M:	Russ Weight <russell.h.weight@intel.com>
> +L:	linux-fpga@vger.kernel.org
> +S:	Maintained
> +F:	Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> +F:	drivers/fpga/intel-m10-bmc-sec-update.c
> +
>  FPU EMULATOR
>  M:	Bill Metzenthen <billm@melbpc.org.au>
>  S:	Maintained
> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
> index 991b3f361ec9..0831eecc9a09 100644
> --- a/drivers/fpga/Kconfig
> +++ b/drivers/fpga/Kconfig
> @@ -243,4 +243,16 @@ config FPGA_MGR_VERSAL_FPGA
>  	  configure the programmable logic(PL).
>  
>  	  To compile this as a module, choose M here.
> +
> +config FPGA_M10_BMC_SEC_UPDATE
> +	tristate "Intel MAX10 BMC Secure Update driver"
> +	depends on MFD_INTEL_M10_BMC && FW_UPLOAD
> +	help
> +	  Secure update support for the Intel MAX10 board management
> +	  controller.
> +
> +	  This is a subdriver of the Intel MAX10 board management controller
> +	  (BMC) and provides support for secure updates for the BMC image,
> +	  the FPGA image, the Root Entry Hashes, etc.
> +
>  endif # FPGA
> diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
> index 5935b3d0abd5..139ac1b573d3 100644
> --- a/drivers/fpga/Makefile
> +++ b/drivers/fpga/Makefile
> @@ -22,6 +22,9 @@ obj-$(CONFIG_FPGA_MGR_VERSAL_FPGA)	+= versal-fpga.o
>  obj-$(CONFIG_ALTERA_PR_IP_CORE)		+= altera-pr-ip-core.o
>  obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT)	+= altera-pr-ip-core-plat.o
>  
> +# FPGA Secure Update Drivers
> +obj-$(CONFIG_FPGA_M10_BMC_SEC_UPDATE)	+= intel-m10-bmc-sec-update.o
> +
>  # FPGA Bridge Drivers
>  obj-$(CONFIG_FPGA_BRIDGE)		+= fpga-bridge.o
>  obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE)	+= altera-hps2fpga.o altera-fpga2sdram.o
> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
> new file mode 100644
> index 000000000000..f9f39d2cfe5b
> --- /dev/null
> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
> @@ -0,0 +1,134 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Intel MAX10 Board Management Controller Secure Update Driver
> + *
> + * Copyright (C) 2019-2022 Intel Corporation. All rights reserved.
> + *
> + */
> +#include <linux/bitfield.h>
> +#include <linux/device.h>
> +#include <linux/firmware.h>
> +#include <linux/mfd/intel-m10-bmc.h>
> +#include <linux/mod_devicetable.h>
> +#include <linux/module.h>
> +#include <linux/platform_device.h>
> +#include <linux/slab.h>
> +
> +struct m10bmc_sec {
> +	struct device *dev;
> +	struct intel_m10bmc *m10bmc;
> +};
> +
> +/* Root Entry Hash (REH) support */
> +#define REH_SHA256_SIZE		32
> +#define REH_SHA384_SIZE		48
> +#define REH_MAGIC		GENMASK(15, 0)
> +#define REH_SHA_NUM_BYTES	GENMASK(31, 16)
> +
> +static ssize_t
> +show_root_entry_hash(struct device *dev, u32 exp_magic,
> +		     u32 prog_addr, u32 reh_addr, char *buf)
> +{
> +	struct m10bmc_sec *sec = dev_get_drvdata(dev);
> +	int sha_num_bytes, i, ret, cnt = 0;
> +	u8 hash[REH_SHA384_SIZE];
> +	unsigned int stride;
> +	u32 magic;
> +
> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> +	ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
> +	if (ret)
> +		return ret;
> +
> +	if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
> +		return sysfs_emit(buf, "hash not programmed\n");
> +
> +	sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
> +	if ((sha_num_bytes % stride) ||
> +	    (sha_num_bytes != REH_SHA256_SIZE &&
> +	     sha_num_bytes != REH_SHA384_SIZE))   {
> +		dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
> +			sha_num_bytes);
> +		return -EINVAL;
> +	}
> +
> +	ret = regmap_bulk_read(sec->m10bmc->regmap, reh_addr,
> +			       hash, sha_num_bytes / stride);
> +	if (ret) {
> +		dev_err(dev, "failed to read root entry hash: %x cnt %x: %d\n",
> +			reh_addr, sha_num_bytes / stride, ret);
> +		return ret;
> +	}
> +
> +	for (i = 0; i < sha_num_bytes; i++)
> +		cnt += sprintf(buf + cnt, "%02x", hash[i]);
> +	cnt += sprintf(buf + cnt, "\n");
> +
> +	return cnt;
> +}
> +
> +#define DEVICE_ATTR_SEC_REH_RO(_name, _magic, _prog_addr, _reh_addr) \
> +static ssize_t _name##_root_entry_hash_show(struct device *dev, \
> +					    struct device_attribute *attr, \
> +					    char *buf) \
> +{ return show_root_entry_hash(dev, _magic, _prog_addr, _reh_addr, buf); } \
> +static DEVICE_ATTR_RO(_name##_root_entry_hash)
> +
> +DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
> +DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
> +DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
> +
> +static struct attribute *m10bmc_security_attrs[] = {
> +	&dev_attr_bmc_root_entry_hash.attr,
> +	&dev_attr_sr_root_entry_hash.attr,
> +	&dev_attr_pr_root_entry_hash.attr,
> +	NULL,
> +};
> +
> +static struct attribute_group m10bmc_security_attr_group = {
> +	.name = "security",
> +	.attrs = m10bmc_security_attrs,
> +};
> +
> +static const struct attribute_group *m10bmc_sec_attr_groups[] = {
> +	&m10bmc_security_attr_group,
> +	NULL,
> +};
> +
> +#define SEC_UPDATE_LEN_MAX 32
> +static int m10bmc_sec_probe(struct platform_device *pdev)
> +{
> +	struct m10bmc_sec *sec;
> +
> +	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
> +	if (!sec)
> +		return -ENOMEM;
> +
> +	sec->dev = &pdev->dev;
> +	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
> +	dev_set_drvdata(&pdev->dev, sec);
> +
> +	return 0;
> +}
> +
> +static const struct platform_device_id intel_m10bmc_sec_ids[] = {
> +	{
> +		.name = "n3000bmc-sec-update",
> +	},
> +	{ }
> +};
> +MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
> +
> +static struct platform_driver intel_m10bmc_sec_driver = {
> +	.probe = m10bmc_sec_probe,
> +	.driver = {
> +		.name = "intel-m10bmc-sec-update",
> +		.dev_groups = m10bmc_sec_attr_groups,
> +	},
> +	.id_table = intel_m10bmc_sec_ids,
> +};
> +module_platform_driver(intel_m10bmc_sec_driver);
> +
> +MODULE_AUTHOR("Intel Corporation");
> +MODULE_DESCRIPTION("Intel MAX10 BMC Secure Update");
> +MODULE_LICENSE("GPL");

Acked-by: Xu Yilun <yilun.xu@intel.com>

> -- 
> 2.25.1

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 3/5] fpga: m10bmc-sec: expose max10 flash update count
  2022-05-21  0:36 ` [PATCH v21 3/5] fpga: m10bmc-sec: expose max10 flash update count Russ Weight
@ 2022-05-26  7:55   ` Xu Yilun
  0 siblings, 0 replies; 17+ messages in thread
From: Xu Yilun @ 2022-05-26  7:55 UTC (permalink / raw)
  To: Russ Weight
  Cc: mdf, hao.wu, lee.jones, linux-fpga, linux-kernel, trix, marpagan,
	lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang

On Fri, May 20, 2022 at 05:36:05PM -0700, Russ Weight wrote:
> Extend the MAX10 BMC Secure Update driver to provide a sysfs file to
> expose the flash update count.
> 
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> Reviewed-by: Tom Rix <trix@redhat.com>

Acked-by: Xu Yilun <yilun.xu@intel.com>

> ---
> v21:
>   - Replace WARN_ON(FLASH_COUNT_SIZE % stride) with a more elaborate test.
>     Return -EINVAL and write a message to the kernel log. Call WARN_ON_ONCE().
> v20:
>   - No change
> v19:
>   - Change "card bmc" naming back to "m10 bmc" naming to be consistent
>     with the parent driver.
> v18:
>   - No change
> v17:
>   - Update the Date and KernelVersion for the ABI documentation to Jul 2022
>     and 5.19 respectively.
>   - Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
>     future devices will not necessarily use the MAX10.
> v16:
>   - No Change
> v15:
>   - Updated the Dates and KernelVersions in the ABI documentation
> v14:
>   - No change
> v13:
>   - Updated ABI documentation date and kernel version
> v12:
>   - Updated Date and KernelVersion fields in ABI documentation
> v11:
>   - No change
> v10:
>   - Changed the path expression in the sysfs documentation to
>     replace the n3000 reference with something more generic to
>     accomodate other devices that use the same driver.
> v9:
>   - Rebased to 5.12-rc2 next
>   - Updated Date and KernelVersion in ABI documentation
> v8:
>   - Previously patch 3/6, otherwise no change
> v7:
>   - Updated Date and KernelVersion in ABI documentation
> v6:
>   - Changed flash_count_show() parameter list to achieve
>     reverse-christmas tree format.
>   - Added WARN_ON() call for (FLASH_COUNT_SIZE / stride) to ensure
>     that the proper count is passed to regmap_bulk_read().
> v5:
>   - Renamed sysfs node user_flash_count to flash_count and updated the
>     sysfs documentation accordingly.
> v4:
>   - Moved the sysfs file for displaying the flash count from the
>     FPGA Security Manager class driver to here. The
>     m10bmc_user_flash_count() function is removed and the
>     functionality is moved into a user_flash_count_show()
>     function.
>   - Added ABI documentation for the new sysfs entry
> v3:
>   - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
>   - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
>     driver"
>   - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
>     underlying functions are now called directly.
> v2:
>   - Renamed get_qspi_flash_count() to m10bmc_user_flash_count()
>   - Minor code cleanup per review comments
>   - Added m10bmc_ prefix to functions in m10bmc_iops structure
> ---
>  .../sysfs-driver-intel-m10-bmc-sec-update     |  8 ++++
>  drivers/fpga/intel-m10-bmc-sec-update.c       | 43 +++++++++++++++++++
>  2 files changed, 51 insertions(+)
> 
> diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> index 2bb271695e14..1132e39b2125 100644
> --- a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> +++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> @@ -27,3 +27,11 @@ Description:	Read only. Returns the root entry hash for the BMC image
>  		"hash not programmed".  This file is only visible if the
>  		underlying device supports it.
>  		Format: string.
> +
> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/flash_count
> +Date:		Jul 2022
> +KernelVersion:	5.19
> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read only. Returns number of times the secure update
> +		staging area has been flashed.
> +		Format: "%u".
> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
> index f9f39d2cfe5b..25b21f116976 100644
> --- a/drivers/fpga/intel-m10-bmc-sec-update.c
> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
> @@ -78,7 +78,50 @@ DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
>  DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
>  DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
>  
> +#define FLASH_COUNT_SIZE 4096	/* count stored as inverted bit vector */
> +
> +static ssize_t flash_count_show(struct device *dev,
> +				struct device_attribute *attr, char *buf)
> +{
> +	struct m10bmc_sec *sec = dev_get_drvdata(dev);
> +	unsigned int stride, num_bits;
> +	u8 *flash_buf;
> +	int cnt, ret;
> +
> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> +	num_bits = FLASH_COUNT_SIZE * 8;
> +
> +	flash_buf = kmalloc(FLASH_COUNT_SIZE, GFP_KERNEL);
> +	if (!flash_buf)
> +		return -ENOMEM;
> +
> +	if (FLASH_COUNT_SIZE % stride) {
> +		dev_err(sec->dev,
> +			"FLASH_COUNT_SIZE (0x%x) not aligned to stride (0x%x)\n",
> +			FLASH_COUNT_SIZE, stride);
> +		WARN_ON_ONCE(1);
> +		return -EINVAL;
> +	}
> +
> +	ret = regmap_bulk_read(sec->m10bmc->regmap, STAGING_FLASH_COUNT,
> +			       flash_buf, FLASH_COUNT_SIZE / stride);
> +	if (ret) {
> +		dev_err(sec->dev,
> +			"failed to read flash count: %x cnt %x: %d\n",
> +			STAGING_FLASH_COUNT, FLASH_COUNT_SIZE / stride, ret);
> +		goto exit_free;
> +	}
> +	cnt = num_bits - bitmap_weight((unsigned long *)flash_buf, num_bits);
> +
> +exit_free:
> +	kfree(flash_buf);
> +
> +	return ret ? : sysfs_emit(buf, "%u\n", cnt);
> +}
> +static DEVICE_ATTR_RO(flash_count);
> +
>  static struct attribute *m10bmc_security_attrs[] = {
> +	&dev_attr_flash_count.attr,
>  	&dev_attr_bmc_root_entry_hash.attr,
>  	&dev_attr_sr_root_entry_hash.attr,
>  	&dev_attr_pr_root_entry_hash.attr,
> -- 
> 2.25.1

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 4/5] fpga: m10bmc-sec: expose max10 canceled keys in sysfs
  2022-05-21  0:36 ` [PATCH v21 4/5] fpga: m10bmc-sec: expose max10 canceled keys in sysfs Russ Weight
@ 2022-05-26  7:56   ` Xu Yilun
  0 siblings, 0 replies; 17+ messages in thread
From: Xu Yilun @ 2022-05-26  7:56 UTC (permalink / raw)
  To: Russ Weight
  Cc: mdf, hao.wu, lee.jones, linux-fpga, linux-kernel, trix, marpagan,
	lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang

On Fri, May 20, 2022 at 05:36:06PM -0700, Russ Weight wrote:
> Extend the MAX10 BMC Secure Update driver to provide sysfs files to
> expose the 128 bit code signing key (CSK) cancellation vectors. These use
> the standard bitmap list format (e.g. 1,2-6,9).
> 
> Each CSK is assigned an ID, a number between 0-127, during the signing
> process. CSK ID cancellation information is stored in 128-bit fields in
> write-once locations in flash.  The cancellation of a CSK can be used
> to prevent the card from being rolled back to older images that were
> signed with a CSK that is now cancelled.
> 
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> Reviewed-by: Tom Rix <trix@redhat.com>

Acked-by: Xu Yilun <yilun.xu@intel.com>

> ---
> v21:
>   - Replace WARN_ON(size % stride) with a more elaborate test. Return
>     -EINVAL and write a message to the kernel log. Call WARN_ON_ONCE().
> v20:
>   - Added text to the commit message to further describe the cancellation of
>     code signing keys.
> v19:
>   - Change "card bmc" naming back to "m10 bmc" naming to be consistent
>     with the parent driver.
> v18:
>   - No change
> v17:
>   - Update the Date and KernelVersion for the ABI documentation to Jul 2022
>     and 5.19 respectively.
>   - Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
>     future devices will not necessarily use the MAX10.
> v16:
>   - No Change
> v15:
>   - Updated the Dates and KernelVersions in the ABI documentation
> v14:
>   - No changes
> v13:
>   - Updated ABI documentation date and kernel version
> v12:
>   - Updated Date and KernelVersion fields in ABI documentation
> v11:
>   - No change
> v10:
>   - Changed the path expressions in the sysfs documentation to
>     replace the n3000 reference with something more generic to
>     accomodate other devices that use the same driver.
> v9:
>   - Rebased to 5.12-rc2 next
>   - Updated Date and KernelVersion in ABI documentation
> v8:
>   - Previously patch 4/6, otherwise no change
> v7:
>   - Updated Date and KernelVersion in ABI documentation
> v6:
>   - Added WARN_ON() call for (size / stride) to ensure
>     that the proper count is passed to regmap_bulk_read().
> v5:
>   - No change
> v4:
>   - Moved sysfs files for displaying the code-signing-key (CSK)
>     cancellation vectors from the FPGA Security Manger class driver
>     to here. The m10bmc_csk_vector() and m10bmc_csk_cancel_nbits()
>     functions are removed and the functionality from these functions
>     is moved into a show_canceled_csk() function for for displaying
>     the CSK vectors.
>   - Added ABI documentation for new sysfs entries
> v3:
>   - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
>   - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
>     driver"
>   - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
>     underlying functions are now called directly.
>   - Renamed get_csk_vector() to m10bmc_csk_vector()
> v2:
>   - Replaced small function-creation macros for explicit function
>     declarations.
>   - Fixed get_csk_vector() function to properly apply the stride
>     variable in calls to m10bmc_raw_bulk_read()
>   - Added m10bmc_ prefix to functions in m10bmc_iops structure
> ---
>  .../sysfs-driver-intel-m10-bmc-sec-update     | 24 +++++++++
>  drivers/fpga/intel-m10-bmc-sec-update.c       | 54 +++++++++++++++++++
>  2 files changed, 78 insertions(+)
> 
> diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> index 1132e39b2125..ca5a34c1c31f 100644
> --- a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> +++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> @@ -28,6 +28,30 @@ Description:	Read only. Returns the root entry hash for the BMC image
>  		underlying device supports it.
>  		Format: string.
>  
> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/sr_canceled_csks
> +Date:		Jul 2022
> +KernelVersion:	5.19
> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read only. Returns a list of indices for canceled code
> +		signing keys for the static region. The standard bitmap
> +		list format is used (e.g. "1,2-6,9").
> +
> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/pr_canceled_csks
> +Date:		Jul 2022
> +KernelVersion:	5.19
> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read only. Returns a list of indices for canceled code
> +		signing keys for the partial reconfiguration region. The
> +		standard bitmap list format is used (e.g. "1,2-6,9").
> +
> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/bmc_canceled_csks
> +Date:		Jul 2022
> +KernelVersion:	5.19
> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read only. Returns a list of indices for canceled code
> +		signing keys for the BMC.  The standard bitmap list format
> +		is used (e.g. "1,2-6,9").
> +
>  What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/flash_count
>  Date:		Jul 2022
>  KernelVersion:	5.19
> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
> index 25b21f116976..65fec2a70901 100644
> --- a/drivers/fpga/intel-m10-bmc-sec-update.c
> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
> @@ -78,6 +78,57 @@ DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
>  DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
>  DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
>  
> +#define CSK_BIT_LEN		128U
> +#define CSK_32ARRAY_SIZE	DIV_ROUND_UP(CSK_BIT_LEN, 32)
> +
> +static ssize_t
> +show_canceled_csk(struct device *dev, u32 addr, char *buf)
> +{
> +	unsigned int i, stride, size = CSK_32ARRAY_SIZE * sizeof(u32);
> +	struct m10bmc_sec *sec = dev_get_drvdata(dev);
> +	DECLARE_BITMAP(csk_map, CSK_BIT_LEN);
> +	__le32 csk_le32[CSK_32ARRAY_SIZE];
> +	u32 csk32[CSK_32ARRAY_SIZE];
> +	int ret;
> +
> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> +	if (size % stride) {
> +		dev_err(sec->dev,
> +			"CSK vector size (0x%x) not aligned to stride (0x%x)\n",
> +			size, stride);
> +		WARN_ON_ONCE(1);
> +		return -EINVAL;
> +	}
> +
> +	ret = regmap_bulk_read(sec->m10bmc->regmap, addr, csk_le32,
> +			       size / stride);
> +	if (ret) {
> +		dev_err(sec->dev, "failed to read CSK vector: %x cnt %x: %d\n",
> +			addr, size / stride, ret);
> +		return ret;
> +	}
> +
> +	for (i = 0; i < CSK_32ARRAY_SIZE; i++)
> +		csk32[i] = le32_to_cpu(((csk_le32[i])));
> +
> +	bitmap_from_arr32(csk_map, csk32, CSK_BIT_LEN);
> +	bitmap_complement(csk_map, csk_map, CSK_BIT_LEN);
> +	return bitmap_print_to_pagebuf(1, buf, csk_map, CSK_BIT_LEN);
> +}
> +
> +#define DEVICE_ATTR_SEC_CSK_RO(_name, _addr) \
> +static ssize_t _name##_canceled_csks_show(struct device *dev, \
> +					  struct device_attribute *attr, \
> +					  char *buf) \
> +{ return show_canceled_csk(dev, _addr, buf); } \
> +static DEVICE_ATTR_RO(_name##_canceled_csks)
> +
> +#define CSK_VEC_OFFSET 0x34
> +
> +DEVICE_ATTR_SEC_CSK_RO(bmc, BMC_PROG_ADDR + CSK_VEC_OFFSET);
> +DEVICE_ATTR_SEC_CSK_RO(sr, SR_PROG_ADDR + CSK_VEC_OFFSET);
> +DEVICE_ATTR_SEC_CSK_RO(pr, PR_PROG_ADDR + CSK_VEC_OFFSET);
> +
>  #define FLASH_COUNT_SIZE 4096	/* count stored as inverted bit vector */
>  
>  static ssize_t flash_count_show(struct device *dev,
> @@ -125,6 +176,9 @@ static struct attribute *m10bmc_security_attrs[] = {
>  	&dev_attr_bmc_root_entry_hash.attr,
>  	&dev_attr_sr_root_entry_hash.attr,
>  	&dev_attr_pr_root_entry_hash.attr,
> +	&dev_attr_sr_canceled_csks.attr,
> +	&dev_attr_pr_canceled_csks.attr,
> +	&dev_attr_bmc_canceled_csks.attr,
>  	NULL,
>  };
>  
> -- 
> 2.25.1

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 2/5] fpga: m10bmc-sec: create max10 bmc secure update
  2022-05-21  0:36 ` [PATCH v21 2/5] fpga: m10bmc-sec: create max10 bmc secure update Russ Weight
  2022-05-26  7:55   ` Xu Yilun
@ 2022-05-26  8:04   ` Xu Yilun
  2022-05-26 20:48     ` Russ Weight
  1 sibling, 1 reply; 17+ messages in thread
From: Xu Yilun @ 2022-05-26  8:04 UTC (permalink / raw)
  To: Russ Weight
  Cc: mdf, hao.wu, lee.jones, linux-fpga, linux-kernel, trix, marpagan,
	lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang

On Fri, May 20, 2022 at 05:36:04PM -0700, Russ Weight wrote:
> Create a sub-driver for the FPGA Card BMC in order to support secure
> updates.  This patch creates the Max10 BMC Secure Update driver and
> provides sysfs files for displaying the root entry hashes (REH) for the
> FPGA static region (SR), the FPGA Partial Reconfiguration (PR) region,
> and the card BMC.
> 
> The Intel MAX10 BMC Root of Trust (RoT) requires that all BMC Nios firmware
> and FPGA images are authenticated using ECDSA before loading and executing
> on the card. Code Signing Keys (CSK) are used to sign images. CSKs are signed
> by a root key. The root entry hash is created from the root public key.
> 
> The RoT provides authentication by storing an REH bitstream to a write-once
> location. Image signatures are verified against the hash.
> 
> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> Reviewed-by: Tom Rix <trix@redhat.com>
> ---
> v21:
>   - No change
> v20:
>   - Added text to the commit message to describe Root Entry Hashes.
>   - Use reverse christmas tree format for local variable declarations in
>     show_root_entry_hash().
>   - Remove WARN_ON() from show_root_entry_hash() and return -EINVAL if 
>     sha_num_bytes is not a multiple of stride.
>   - Move MODULE_DEVICE_TABLE() macro to just beneath the definition of
>     intel_m10bmc_sec_ids[].
> v19:
>   - Change "card bmc" naming back to "m10 bmc" naming to be consistent
>     with the parent driver.
> v18:
>   - Changed the ABI documentation for the Root Entry Hashes to specify
>     string as the format for the output.
>   - Updated comments, strings and config options to more consistently
>     refer to the driver as the Intel FPGA Card BMC Secure Update driver.
>   - Removed an instance of dev_dbg().
>   - Deferred the call to firmware_upload_register() to a later patch
>     where the required ops are provided. The bmc_sec_remove() function is
>     also removed from this patch and added in a later patch.
>   - Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
>     of additional cards to be supported by the same driver.
> v17:
>   - Update the Date and KernelVersion for the ABI documentation to Jul 2022
>     and 5.19 respectively.
>   - Updated the copyright end-date to 2022 for the secure update driver.
>   - Change m10bmc to cardbmc to reflect the fact that the future devices
>     will not necessarily use the MAX10. This affects filenames, configs, and
>     symbol names.
>   - Removed references to the FPGA Image Load class driver and replaced
>     them with the new firmware-upload service from the firmware loader.
>   - Firmware upload requires a unique name for the firmware device. Use
>     xarray_alloc to generate a unique number to append to the name.
>   - Changed the license from GPL to GPLv2 per commit bf7fbeeae6db: 'module:
>     Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity'
> v16:
>   - No Change
> v15:
>   - Updated the Dates and KernelVersions in the ABI documentation
>   - Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
>   - Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
>   - Change instances of *bmc-secure to *bmc-sec-update in file name
>     and symbol names.
>   - Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
>     names.
>   - Change instances of *lops* to *ops* in symbol names.
> v14:
>   - Changed symbol and text references to reflect the renaming of the
>     Security Manager Class driver to FPGA Image Load.
> v13:
>   - Updated copyright to 2021
>   - Updated ABI documentation date and kernel version
>   - Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
>     functions instead of devm_fpga_sec_mgr_create() and
>     devm_fpga_sec_mgr_register().
> v12:
>   - Updated Date and KernelVersion fields in ABI documentation
> v11:
>   - Added Reviewed-by tag
> v10:
>   - Changed the path expressions in the sysfs documentation to
>     replace the n3000 reference with something more generic to
>     accomodate other devices that use the same driver.
> v9:
>   - Rebased to 5.12-rc2 next
>   - Updated Date and KernelVersion in ABI documentation
> v8:
>   - Previously patch 2/6, otherwise no change
> v7:
>   - Updated Date and KernelVersion in ABI documentation
> v6:
>   - Added WARN_ON() call for (sha_num_bytes / stride) to assert
>     that the proper count is passed to regmap_bulk_read().
> v5:
>   - No change
> v4:
>   - Moved sysfs files for displaying the root entry hashes (REH)
>     from the FPGA Security Manager class driver to here. The
>     m10bmc_reh() and m10bmc_reh_size() functions are removed and
>     the functionality from these functions is moved into a
>     show_root_entry_hash() function for displaying the REHs.
>   - Added ABI documentation for the new sysfs entries:
>     sysfs-driver-intel-m10-bmc-secure
>   - Updated the MAINTAINERS file to add the new ABI documentation
>     file: sysfs-driver-intel-m10-bmc-secure
>   - Removed unnecessary ret variable from m10bmc_secure_probe()
>   - Incorporated new devm_fpga_sec_mgr_register() function into
>     m10bmc_secure_probe() and removed the m10bmc_secure_remove()
>     function.
> v3:
>   - Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
>   - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
>   - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure
>     Update driver"
>   - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
>     underlying functions are now called directly.
>   - Changed "_root_entry_hash" to "_reh", with a comment explaining
>     what reh is.
> v2:
>   - Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
>   - Switched to GENMASK(31, 16) for a couple of mask definitions.
>   - Moved MAX10 BMC address and function definitions to a separate
>     patch.
>   - Replaced small function-creation macros with explicit function
>     declarations.
>   - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
>   - Adapted to changes in the Intel FPGA Security Manager by splitting
>     the single call to ifpga_sec_mgr_register() into two function
>     calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
> ---
>  .../sysfs-driver-intel-m10-bmc-sec-update     |  29 ++++
>  MAINTAINERS                                   |   7 +
>  drivers/fpga/Kconfig                          |  12 ++
>  drivers/fpga/Makefile                         |   3 +
>  drivers/fpga/intel-m10-bmc-sec-update.c       | 134 ++++++++++++++++++
>  5 files changed, 185 insertions(+)
>  create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
>  create mode 100644 drivers/fpga/intel-m10-bmc-sec-update.c
> 
> diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> new file mode 100644
> index 000000000000..2bb271695e14
> --- /dev/null
> +++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> @@ -0,0 +1,29 @@
> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/sr_root_entry_hash
> +Date:		Jul 2022
> +KernelVersion:	5.19

Oh, please also update the Date & KernelVersion when 5.19-rc1 comes.

Thanks,
Yilun

> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read only. Returns the root entry hash for the static
> +		region if one is programmed, else it returns the
> +		string: "hash not programmed".  This file is only
> +		visible if the underlying device supports it.
> +		Format: string.
> +
> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/pr_root_entry_hash
> +Date:		Jul 2022
> +KernelVersion:	5.19
> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read only. Returns the root entry hash for the partial
> +		reconfiguration region if one is programmed, else it
> +		returns the string: "hash not programmed".  This file
> +		is only visible if the underlying device supports it.
> +		Format: string.
> +
> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/bmc_root_entry_hash
> +Date:		Jul 2022
> +KernelVersion:	5.19
> +Contact:	Russ Weight <russell.h.weight@intel.com>
> +Description:	Read only. Returns the root entry hash for the BMC image
> +		if one is programmed, else it returns the string:
> +		"hash not programmed".  This file is only visible if the
> +		underlying device supports it.
> +		Format: string.
> diff --git a/MAINTAINERS b/MAINTAINERS
> index a4ae11be9e5d..2f2a736ef790 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -7797,6 +7797,13 @@ F:	Documentation/fpga/
>  F:	drivers/fpga/
>  F:	include/linux/fpga/
>  
> +INTEL MAX10 BMC SECURE UPDATES
> +M:	Russ Weight <russell.h.weight@intel.com>
> +L:	linux-fpga@vger.kernel.org
> +S:	Maintained
> +F:	Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> +F:	drivers/fpga/intel-m10-bmc-sec-update.c
> +
>  FPU EMULATOR
>  M:	Bill Metzenthen <billm@melbpc.org.au>
>  S:	Maintained
> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
> index 991b3f361ec9..0831eecc9a09 100644
> --- a/drivers/fpga/Kconfig
> +++ b/drivers/fpga/Kconfig
> @@ -243,4 +243,16 @@ config FPGA_MGR_VERSAL_FPGA
>  	  configure the programmable logic(PL).
>  
>  	  To compile this as a module, choose M here.
> +
> +config FPGA_M10_BMC_SEC_UPDATE
> +	tristate "Intel MAX10 BMC Secure Update driver"
> +	depends on MFD_INTEL_M10_BMC && FW_UPLOAD
> +	help
> +	  Secure update support for the Intel MAX10 board management
> +	  controller.
> +
> +	  This is a subdriver of the Intel MAX10 board management controller
> +	  (BMC) and provides support for secure updates for the BMC image,
> +	  the FPGA image, the Root Entry Hashes, etc.
> +
>  endif # FPGA
> diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
> index 5935b3d0abd5..139ac1b573d3 100644
> --- a/drivers/fpga/Makefile
> +++ b/drivers/fpga/Makefile
> @@ -22,6 +22,9 @@ obj-$(CONFIG_FPGA_MGR_VERSAL_FPGA)	+= versal-fpga.o
>  obj-$(CONFIG_ALTERA_PR_IP_CORE)		+= altera-pr-ip-core.o
>  obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT)	+= altera-pr-ip-core-plat.o
>  
> +# FPGA Secure Update Drivers
> +obj-$(CONFIG_FPGA_M10_BMC_SEC_UPDATE)	+= intel-m10-bmc-sec-update.o
> +
>  # FPGA Bridge Drivers
>  obj-$(CONFIG_FPGA_BRIDGE)		+= fpga-bridge.o
>  obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE)	+= altera-hps2fpga.o altera-fpga2sdram.o
> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
> new file mode 100644
> index 000000000000..f9f39d2cfe5b
> --- /dev/null
> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
> @@ -0,0 +1,134 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Intel MAX10 Board Management Controller Secure Update Driver
> + *
> + * Copyright (C) 2019-2022 Intel Corporation. All rights reserved.
> + *
> + */
> +#include <linux/bitfield.h>
> +#include <linux/device.h>
> +#include <linux/firmware.h>
> +#include <linux/mfd/intel-m10-bmc.h>
> +#include <linux/mod_devicetable.h>
> +#include <linux/module.h>
> +#include <linux/platform_device.h>
> +#include <linux/slab.h>
> +
> +struct m10bmc_sec {
> +	struct device *dev;
> +	struct intel_m10bmc *m10bmc;
> +};
> +
> +/* Root Entry Hash (REH) support */
> +#define REH_SHA256_SIZE		32
> +#define REH_SHA384_SIZE		48
> +#define REH_MAGIC		GENMASK(15, 0)
> +#define REH_SHA_NUM_BYTES	GENMASK(31, 16)
> +
> +static ssize_t
> +show_root_entry_hash(struct device *dev, u32 exp_magic,
> +		     u32 prog_addr, u32 reh_addr, char *buf)
> +{
> +	struct m10bmc_sec *sec = dev_get_drvdata(dev);
> +	int sha_num_bytes, i, ret, cnt = 0;
> +	u8 hash[REH_SHA384_SIZE];
> +	unsigned int stride;
> +	u32 magic;
> +
> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> +	ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
> +	if (ret)
> +		return ret;
> +
> +	if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
> +		return sysfs_emit(buf, "hash not programmed\n");
> +
> +	sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
> +	if ((sha_num_bytes % stride) ||
> +	    (sha_num_bytes != REH_SHA256_SIZE &&
> +	     sha_num_bytes != REH_SHA384_SIZE))   {
> +		dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
> +			sha_num_bytes);
> +		return -EINVAL;
> +	}
> +
> +	ret = regmap_bulk_read(sec->m10bmc->regmap, reh_addr,
> +			       hash, sha_num_bytes / stride);
> +	if (ret) {
> +		dev_err(dev, "failed to read root entry hash: %x cnt %x: %d\n",
> +			reh_addr, sha_num_bytes / stride, ret);
> +		return ret;
> +	}
> +
> +	for (i = 0; i < sha_num_bytes; i++)
> +		cnt += sprintf(buf + cnt, "%02x", hash[i]);
> +	cnt += sprintf(buf + cnt, "\n");
> +
> +	return cnt;
> +}
> +
> +#define DEVICE_ATTR_SEC_REH_RO(_name, _magic, _prog_addr, _reh_addr) \
> +static ssize_t _name##_root_entry_hash_show(struct device *dev, \
> +					    struct device_attribute *attr, \
> +					    char *buf) \
> +{ return show_root_entry_hash(dev, _magic, _prog_addr, _reh_addr, buf); } \
> +static DEVICE_ATTR_RO(_name##_root_entry_hash)
> +
> +DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
> +DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
> +DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
> +
> +static struct attribute *m10bmc_security_attrs[] = {
> +	&dev_attr_bmc_root_entry_hash.attr,
> +	&dev_attr_sr_root_entry_hash.attr,
> +	&dev_attr_pr_root_entry_hash.attr,
> +	NULL,
> +};
> +
> +static struct attribute_group m10bmc_security_attr_group = {
> +	.name = "security",
> +	.attrs = m10bmc_security_attrs,
> +};
> +
> +static const struct attribute_group *m10bmc_sec_attr_groups[] = {
> +	&m10bmc_security_attr_group,
> +	NULL,
> +};
> +
> +#define SEC_UPDATE_LEN_MAX 32
> +static int m10bmc_sec_probe(struct platform_device *pdev)
> +{
> +	struct m10bmc_sec *sec;
> +
> +	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
> +	if (!sec)
> +		return -ENOMEM;
> +
> +	sec->dev = &pdev->dev;
> +	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
> +	dev_set_drvdata(&pdev->dev, sec);
> +
> +	return 0;
> +}
> +
> +static const struct platform_device_id intel_m10bmc_sec_ids[] = {
> +	{
> +		.name = "n3000bmc-sec-update",
> +	},
> +	{ }
> +};
> +MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
> +
> +static struct platform_driver intel_m10bmc_sec_driver = {
> +	.probe = m10bmc_sec_probe,
> +	.driver = {
> +		.name = "intel-m10bmc-sec-update",
> +		.dev_groups = m10bmc_sec_attr_groups,
> +	},
> +	.id_table = intel_m10bmc_sec_ids,
> +};
> +module_platform_driver(intel_m10bmc_sec_driver);
> +
> +MODULE_AUTHOR("Intel Corporation");
> +MODULE_DESCRIPTION("Intel MAX10 BMC Secure Update");
> +MODULE_LICENSE("GPL");
> -- 
> 2.25.1

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 1/5] mfd: intel-m10-bmc: Rename n3000bmc-secure driver
  2022-05-26  7:54   ` Xu Yilun
@ 2022-05-26  8:31     ` Lee Jones
  0 siblings, 0 replies; 17+ messages in thread
From: Lee Jones @ 2022-05-26  8:31 UTC (permalink / raw)
  To: Xu Yilun
  Cc: Russ Weight, mdf, hao.wu, linux-fpga, linux-kernel, trix,
	marpagan, lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang

On Thu, 26 May 2022, Xu Yilun wrote:

> On Fri, May 20, 2022 at 05:36:03PM -0700, Russ Weight wrote:
> > The n3000bmc-secure driver has changed to n3000bmc-sec-update. Update
> > the name in the list of the intel-m10-bmc sub-drivers.
> > 
> > Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> > ---
> > v21:
> >   - No change
> > v20:
> >   - No change
> > v19:
> >   - No change
> > v18:
> >   - No change
> > v17:
> >   - This is a new patch to change in the name of the secure update
> >     driver.
> > ---
> >  drivers/mfd/intel-m10-bmc.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/mfd/intel-m10-bmc.c b/drivers/mfd/intel-m10-bmc.c
> > index 8db3bcf5fccc..f4d0d72573c8 100644
> > --- a/drivers/mfd/intel-m10-bmc.c
> > +++ b/drivers/mfd/intel-m10-bmc.c
> > @@ -26,7 +26,7 @@ static struct mfd_cell m10bmc_d5005_subdevs[] = {
> >  static struct mfd_cell m10bmc_pacn3000_subdevs[] = {
> >  	{ .name = "n3000bmc-hwmon" },
> >  	{ .name = "n3000bmc-retimer" },
> > -	{ .name = "n3000bmc-secure" },
> > +	{ .name = "n3000bmc-sec-update" },
> 
> Acked-by: Xu Yilun <yilun.xu@intel.com>
> 
> Hi Lee:
> 
> Is it good to you? If yes, could I apply this patch to linux-fpga
> and submit along with the other patches in this series?

That's fine.

Acked-by: Lee Jones <lee.jones@linaro.org>

-- 
Lee Jones [李琼斯]
Principal Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 2/5] fpga: m10bmc-sec: create max10 bmc secure update
  2022-05-26  8:04   ` Xu Yilun
@ 2022-05-26 20:48     ` Russ Weight
  0 siblings, 0 replies; 17+ messages in thread
From: Russ Weight @ 2022-05-26 20:48 UTC (permalink / raw)
  To: Xu Yilun
  Cc: mdf, hao.wu, lee.jones, linux-fpga, linux-kernel, trix, marpagan,
	lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang



On 5/26/22 01:04, Xu Yilun wrote:
> On Fri, May 20, 2022 at 05:36:04PM -0700, Russ Weight wrote:
>> Create a sub-driver for the FPGA Card BMC in order to support secure
>> updates.  This patch creates the Max10 BMC Secure Update driver and
>> provides sysfs files for displaying the root entry hashes (REH) for the
>> FPGA static region (SR), the FPGA Partial Reconfiguration (PR) region,
>> and the card BMC.
>>
>> The Intel MAX10 BMC Root of Trust (RoT) requires that all BMC Nios firmware
>> and FPGA images are authenticated using ECDSA before loading and executing
>> on the card. Code Signing Keys (CSK) are used to sign images. CSKs are signed
>> by a root key. The root entry hash is created from the root public key.
>>
>> The RoT provides authentication by storing an REH bitstream to a write-once
>> location. Image signatures are verified against the hash.
>>
>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>> Reviewed-by: Tom Rix <trix@redhat.com>
>> ---
>> v21:
>>   - No change
>> v20:
>>   - Added text to the commit message to describe Root Entry Hashes.
>>   - Use reverse christmas tree format for local variable declarations in
>>     show_root_entry_hash().
>>   - Remove WARN_ON() from show_root_entry_hash() and return -EINVAL if 
>>     sha_num_bytes is not a multiple of stride.
>>   - Move MODULE_DEVICE_TABLE() macro to just beneath the definition of
>>     intel_m10bmc_sec_ids[].
>> v19:
>>   - Change "card bmc" naming back to "m10 bmc" naming to be consistent
>>     with the parent driver.
>> v18:
>>   - Changed the ABI documentation for the Root Entry Hashes to specify
>>     string as the format for the output.
>>   - Updated comments, strings and config options to more consistently
>>     refer to the driver as the Intel FPGA Card BMC Secure Update driver.
>>   - Removed an instance of dev_dbg().
>>   - Deferred the call to firmware_upload_register() to a later patch
>>     where the required ops are provided. The bmc_sec_remove() function is
>>     also removed from this patch and added in a later patch.
>>   - Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
>>     of additional cards to be supported by the same driver.
>> v17:
>>   - Update the Date and KernelVersion for the ABI documentation to Jul 2022
>>     and 5.19 respectively.
>>   - Updated the copyright end-date to 2022 for the secure update driver.
>>   - Change m10bmc to cardbmc to reflect the fact that the future devices
>>     will not necessarily use the MAX10. This affects filenames, configs, and
>>     symbol names.
>>   - Removed references to the FPGA Image Load class driver and replaced
>>     them with the new firmware-upload service from the firmware loader.
>>   - Firmware upload requires a unique name for the firmware device. Use
>>     xarray_alloc to generate a unique number to append to the name.
>>   - Changed the license from GPL to GPLv2 per commit bf7fbeeae6db: 'module:
>>     Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity'
>> v16:
>>   - No Change
>> v15:
>>   - Updated the Dates and KernelVersions in the ABI documentation
>>   - Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
>>   - Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
>>   - Change instances of *bmc-secure to *bmc-sec-update in file name
>>     and symbol names.
>>   - Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
>>     names.
>>   - Change instances of *lops* to *ops* in symbol names.
>> v14:
>>   - Changed symbol and text references to reflect the renaming of the
>>     Security Manager Class driver to FPGA Image Load.
>> v13:
>>   - Updated copyright to 2021
>>   - Updated ABI documentation date and kernel version
>>   - Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
>>     functions instead of devm_fpga_sec_mgr_create() and
>>     devm_fpga_sec_mgr_register().
>> v12:
>>   - Updated Date and KernelVersion fields in ABI documentation
>> v11:
>>   - Added Reviewed-by tag
>> v10:
>>   - Changed the path expressions in the sysfs documentation to
>>     replace the n3000 reference with something more generic to
>>     accomodate other devices that use the same driver.
>> v9:
>>   - Rebased to 5.12-rc2 next
>>   - Updated Date and KernelVersion in ABI documentation
>> v8:
>>   - Previously patch 2/6, otherwise no change
>> v7:
>>   - Updated Date and KernelVersion in ABI documentation
>> v6:
>>   - Added WARN_ON() call for (sha_num_bytes / stride) to assert
>>     that the proper count is passed to regmap_bulk_read().
>> v5:
>>   - No change
>> v4:
>>   - Moved sysfs files for displaying the root entry hashes (REH)
>>     from the FPGA Security Manager class driver to here. The
>>     m10bmc_reh() and m10bmc_reh_size() functions are removed and
>>     the functionality from these functions is moved into a
>>     show_root_entry_hash() function for displaying the REHs.
>>   - Added ABI documentation for the new sysfs entries:
>>     sysfs-driver-intel-m10-bmc-secure
>>   - Updated the MAINTAINERS file to add the new ABI documentation
>>     file: sysfs-driver-intel-m10-bmc-secure
>>   - Removed unnecessary ret variable from m10bmc_secure_probe()
>>   - Incorporated new devm_fpga_sec_mgr_register() function into
>>     m10bmc_secure_probe() and removed the m10bmc_secure_remove()
>>     function.
>> v3:
>>   - Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
>>   - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
>>   - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure
>>     Update driver"
>>   - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
>>     underlying functions are now called directly.
>>   - Changed "_root_entry_hash" to "_reh", with a comment explaining
>>     what reh is.
>> v2:
>>   - Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
>>   - Switched to GENMASK(31, 16) for a couple of mask definitions.
>>   - Moved MAX10 BMC address and function definitions to a separate
>>     patch.
>>   - Replaced small function-creation macros with explicit function
>>     declarations.
>>   - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
>>   - Adapted to changes in the Intel FPGA Security Manager by splitting
>>     the single call to ifpga_sec_mgr_register() into two function
>>     calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
>> ---
>>  .../sysfs-driver-intel-m10-bmc-sec-update     |  29 ++++
>>  MAINTAINERS                                   |   7 +
>>  drivers/fpga/Kconfig                          |  12 ++
>>  drivers/fpga/Makefile                         |   3 +
>>  drivers/fpga/intel-m10-bmc-sec-update.c       | 134 ++++++++++++++++++
>>  5 files changed, 185 insertions(+)
>>  create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
>>  create mode 100644 drivers/fpga/intel-m10-bmc-sec-update.c
>>
>> diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
>> new file mode 100644
>> index 000000000000..2bb271695e14
>> --- /dev/null
>> +++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
>> @@ -0,0 +1,29 @@
>> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/sr_root_entry_hash
>> +Date:		Jul 2022
>> +KernelVersion:	5.19
> Oh, please also update the Date & KernelVersion when 5.19-rc1 comes.
OK - I'll update for Sep 2022 and 5.20

Thanks,
- Russ
>
> Thanks,
> Yilun
>
>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>> +Description:	Read only. Returns the root entry hash for the static
>> +		region if one is programmed, else it returns the
>> +		string: "hash not programmed".  This file is only
>> +		visible if the underlying device supports it.
>> +		Format: string.
>> +
>> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/pr_root_entry_hash
>> +Date:		Jul 2022
>> +KernelVersion:	5.19
>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>> +Description:	Read only. Returns the root entry hash for the partial
>> +		reconfiguration region if one is programmed, else it
>> +		returns the string: "hash not programmed".  This file
>> +		is only visible if the underlying device supports it.
>> +		Format: string.
>> +
>> +What:		/sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/bmc_root_entry_hash
>> +Date:		Jul 2022
>> +KernelVersion:	5.19
>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>> +Description:	Read only. Returns the root entry hash for the BMC image
>> +		if one is programmed, else it returns the string:
>> +		"hash not programmed".  This file is only visible if the
>> +		underlying device supports it.
>> +		Format: string.
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index a4ae11be9e5d..2f2a736ef790 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -7797,6 +7797,13 @@ F:	Documentation/fpga/
>>  F:	drivers/fpga/
>>  F:	include/linux/fpga/
>>  
>> +INTEL MAX10 BMC SECURE UPDATES
>> +M:	Russ Weight <russell.h.weight@intel.com>
>> +L:	linux-fpga@vger.kernel.org
>> +S:	Maintained
>> +F:	Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
>> +F:	drivers/fpga/intel-m10-bmc-sec-update.c
>> +
>>  FPU EMULATOR
>>  M:	Bill Metzenthen <billm@melbpc.org.au>
>>  S:	Maintained
>> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
>> index 991b3f361ec9..0831eecc9a09 100644
>> --- a/drivers/fpga/Kconfig
>> +++ b/drivers/fpga/Kconfig
>> @@ -243,4 +243,16 @@ config FPGA_MGR_VERSAL_FPGA
>>  	  configure the programmable logic(PL).
>>  
>>  	  To compile this as a module, choose M here.
>> +
>> +config FPGA_M10_BMC_SEC_UPDATE
>> +	tristate "Intel MAX10 BMC Secure Update driver"
>> +	depends on MFD_INTEL_M10_BMC && FW_UPLOAD
>> +	help
>> +	  Secure update support for the Intel MAX10 board management
>> +	  controller.
>> +
>> +	  This is a subdriver of the Intel MAX10 board management controller
>> +	  (BMC) and provides support for secure updates for the BMC image,
>> +	  the FPGA image, the Root Entry Hashes, etc.
>> +
>>  endif # FPGA
>> diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
>> index 5935b3d0abd5..139ac1b573d3 100644
>> --- a/drivers/fpga/Makefile
>> +++ b/drivers/fpga/Makefile
>> @@ -22,6 +22,9 @@ obj-$(CONFIG_FPGA_MGR_VERSAL_FPGA)	+= versal-fpga.o
>>  obj-$(CONFIG_ALTERA_PR_IP_CORE)		+= altera-pr-ip-core.o
>>  obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT)	+= altera-pr-ip-core-plat.o
>>  
>> +# FPGA Secure Update Drivers
>> +obj-$(CONFIG_FPGA_M10_BMC_SEC_UPDATE)	+= intel-m10-bmc-sec-update.o
>> +
>>  # FPGA Bridge Drivers
>>  obj-$(CONFIG_FPGA_BRIDGE)		+= fpga-bridge.o
>>  obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE)	+= altera-hps2fpga.o altera-fpga2sdram.o
>> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
>> new file mode 100644
>> index 000000000000..f9f39d2cfe5b
>> --- /dev/null
>> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
>> @@ -0,0 +1,134 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/*
>> + * Intel MAX10 Board Management Controller Secure Update Driver
>> + *
>> + * Copyright (C) 2019-2022 Intel Corporation. All rights reserved.
>> + *
>> + */
>> +#include <linux/bitfield.h>
>> +#include <linux/device.h>
>> +#include <linux/firmware.h>
>> +#include <linux/mfd/intel-m10-bmc.h>
>> +#include <linux/mod_devicetable.h>
>> +#include <linux/module.h>
>> +#include <linux/platform_device.h>
>> +#include <linux/slab.h>
>> +
>> +struct m10bmc_sec {
>> +	struct device *dev;
>> +	struct intel_m10bmc *m10bmc;
>> +};
>> +
>> +/* Root Entry Hash (REH) support */
>> +#define REH_SHA256_SIZE		32
>> +#define REH_SHA384_SIZE		48
>> +#define REH_MAGIC		GENMASK(15, 0)
>> +#define REH_SHA_NUM_BYTES	GENMASK(31, 16)
>> +
>> +static ssize_t
>> +show_root_entry_hash(struct device *dev, u32 exp_magic,
>> +		     u32 prog_addr, u32 reh_addr, char *buf)
>> +{
>> +	struct m10bmc_sec *sec = dev_get_drvdata(dev);
>> +	int sha_num_bytes, i, ret, cnt = 0;
>> +	u8 hash[REH_SHA384_SIZE];
>> +	unsigned int stride;
>> +	u32 magic;
>> +
>> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
>> +	ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
>> +	if (ret)
>> +		return ret;
>> +
>> +	if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
>> +		return sysfs_emit(buf, "hash not programmed\n");
>> +
>> +	sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
>> +	if ((sha_num_bytes % stride) ||
>> +	    (sha_num_bytes != REH_SHA256_SIZE &&
>> +	     sha_num_bytes != REH_SHA384_SIZE))   {
>> +		dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
>> +			sha_num_bytes);
>> +		return -EINVAL;
>> +	}
>> +
>> +	ret = regmap_bulk_read(sec->m10bmc->regmap, reh_addr,
>> +			       hash, sha_num_bytes / stride);
>> +	if (ret) {
>> +		dev_err(dev, "failed to read root entry hash: %x cnt %x: %d\n",
>> +			reh_addr, sha_num_bytes / stride, ret);
>> +		return ret;
>> +	}
>> +
>> +	for (i = 0; i < sha_num_bytes; i++)
>> +		cnt += sprintf(buf + cnt, "%02x", hash[i]);
>> +	cnt += sprintf(buf + cnt, "\n");
>> +
>> +	return cnt;
>> +}
>> +
>> +#define DEVICE_ATTR_SEC_REH_RO(_name, _magic, _prog_addr, _reh_addr) \
>> +static ssize_t _name##_root_entry_hash_show(struct device *dev, \
>> +					    struct device_attribute *attr, \
>> +					    char *buf) \
>> +{ return show_root_entry_hash(dev, _magic, _prog_addr, _reh_addr, buf); } \
>> +static DEVICE_ATTR_RO(_name##_root_entry_hash)
>> +
>> +DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
>> +DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
>> +DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
>> +
>> +static struct attribute *m10bmc_security_attrs[] = {
>> +	&dev_attr_bmc_root_entry_hash.attr,
>> +	&dev_attr_sr_root_entry_hash.attr,
>> +	&dev_attr_pr_root_entry_hash.attr,
>> +	NULL,
>> +};
>> +
>> +static struct attribute_group m10bmc_security_attr_group = {
>> +	.name = "security",
>> +	.attrs = m10bmc_security_attrs,
>> +};
>> +
>> +static const struct attribute_group *m10bmc_sec_attr_groups[] = {
>> +	&m10bmc_security_attr_group,
>> +	NULL,
>> +};
>> +
>> +#define SEC_UPDATE_LEN_MAX 32
>> +static int m10bmc_sec_probe(struct platform_device *pdev)
>> +{
>> +	struct m10bmc_sec *sec;
>> +
>> +	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
>> +	if (!sec)
>> +		return -ENOMEM;
>> +
>> +	sec->dev = &pdev->dev;
>> +	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
>> +	dev_set_drvdata(&pdev->dev, sec);
>> +
>> +	return 0;
>> +}
>> +
>> +static const struct platform_device_id intel_m10bmc_sec_ids[] = {
>> +	{
>> +		.name = "n3000bmc-sec-update",
>> +	},
>> +	{ }
>> +};
>> +MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
>> +
>> +static struct platform_driver intel_m10bmc_sec_driver = {
>> +	.probe = m10bmc_sec_probe,
>> +	.driver = {
>> +		.name = "intel-m10bmc-sec-update",
>> +		.dev_groups = m10bmc_sec_attr_groups,
>> +	},
>> +	.id_table = intel_m10bmc_sec_ids,
>> +};
>> +module_platform_driver(intel_m10bmc_sec_driver);
>> +
>> +MODULE_AUTHOR("Intel Corporation");
>> +MODULE_DESCRIPTION("Intel MAX10 BMC Secure Update");
>> +MODULE_LICENSE("GPL");
>> -- 
>> 2.25.1


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 5/5] fpga: m10bmc-sec: add max10 secure update functions
  2022-05-26  7:48   ` Xu Yilun
@ 2022-05-26 21:27     ` Russ Weight
  2022-05-27  4:47       ` Xu Yilun
  0 siblings, 1 reply; 17+ messages in thread
From: Russ Weight @ 2022-05-26 21:27 UTC (permalink / raw)
  To: Xu Yilun
  Cc: mdf, hao.wu, lee.jones, linux-fpga, linux-kernel, trix, marpagan,
	lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang



On 5/26/22 00:48, Xu Yilun wrote:
> On Fri, May 20, 2022 at 05:36:07PM -0700, Russ Weight wrote:
>> Create firmware upload ops and call the Firmware Upload support of the
>> Firmware Loader subsystem to enable FPGA image uploads for secure
>> updates of BMC images, FPGA images, etc.
>>
>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>> ---
>> v21:
>>   - Update m10bmc_sec_prepare() to ensure that the base address for an
>>     update image is aligned with stride.
>>   - Update m10bmc_sec_write() to handle a block size that is not aligned
>>     with stride by allocating a zero-filled block that is aligned, and
>>     copying the data before calling regmap_bulk_write().
>> v20:
>>   - No change.
>> v19:
>>   - Change "card bmc" naming back to "m10 bmc" naming to be consistent
>>     with the parent driver.
>> v18:
>>   - Moved the firmware_upload_register() function here from an earlier
>>     patch since this is where the required ops are provided.
>>   - Moved the bmc_sec_remove() function here from an earlier patch to
>>     unregister the firmware driver and do cleanup.
>> v17:
>>   - Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
>>     future devices will not necessarily use the MAX10.
>>   - Change from image_load class driver to the new firmware_upload 
>>     functionality of the firmware_loader.
>>   - fw_upload_ops functions will return "enum fw_upload_err" data types
>>     instead of integer values.
>> v16:
>>   - Use 0 instead of FPGA_IMAGE_ERR_NONE to indicate success.
>>   - The size alignment check was moved from the FPGA Image Load framework
>>     to the prepare() op.
>>   - Added cancel_request boolean flag to struct m10bmc_sec.
>>   - Moved the RSU cancellation logic from m10bmc_sec_cancel() to a new
>>     rsu_cancel() function.
>>   - The m10bmc_sec_cancel() function ONLY sets the cancel_request flag.
>>     The cancel_request flag is checked at the beginning of the
>>     m10bmc_sec_write() and m10bmc_sec_poll_complete() functions.
>>   - Adapt to changed prototypes for the prepare() and write() ops. The
>>     m10bmc_sec_write_blk() function has been renamed to
>>     m10bmc_sec_write().
>>   - Created a cleanup() op, m10bmc_sec_cleanup(), to attempt to cancel an
>>     ongoing op during when exiting the update process.
>> v15:
>>   - Adapted to changes in the FPGA Image Load framework:
>>     (1) All enum types (progress and errors) are now type u32
>>     (2) m10bmc_sec_write_blk() adds *blk_size and max_size parameters
>>         and uses *blk_size as provided by the caller.
>>     (3) m10bmc_sec_poll_complete() no long checks the driver_unload
>>         flag.
>> v14:
>>   - Changed symbol names to reflect the renaming of the Security Manager
>>     Class driver to FPGA Image Load.
>> v13:
>>   - No change
>> v12:
>>   - Updated Date and KernelVersion fields in ABI documentation
>>   - Removed size parameter from the write_blk() op. m10bmc_sec_write_blk()
>>     no longer has a size parameter, and the block size is determined
>>     in this (the lower-level) driver.
>> v11:
>>   - No change
>> v10:
>>   - No change
>> v9:
>>   - No change
>> v8:
>>   - Previously patch 5/6, otherwise no change
>> v7:
>>   - No change
>> v6:
>>   - Changed (size / stride) calculation to ((size + stride - 1) / stride)
>>     to ensure that the proper count is passed to regmap_bulk_write().
>>   - Removed unnecessary call to rsu_check_complete() in
>>     m10bmc_sec_poll_complete() and changed while loop to
>>     do/while loop.
>> v5:
>>   - No change
>> v4:
>>   - No change
>> v3:
>>   - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
>>   - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
>>     driver"
>>   - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
>>     underlying functions are now called directly.
>>   - Changed calling functions of functions that return "enum fpga_sec_err"
>>     to check for (ret != FPGA_SEC_ERR_NONE) instead of (ret)
>> v2:
>>   - Reworked the rsu_start_done() function to make it more readable
>>   - Reworked while-loop condition/content in rsu_prog_ready()
>>   - Minor code cleanup per review comments
>>   - Added a comment to the m10bmc_sec_poll_complete() function to
>>     explain the context (could take 30+ minutes to complete).
>>   - Added m10bmc_ prefix to functions in m10bmc_iops structure
>>   - Moved MAX10 BMC address and function definitions to a separate
>>     patch.
>> ---
>>  drivers/fpga/intel-m10-bmc-sec-update.c | 409 ++++++++++++++++++++++++
>>  1 file changed, 409 insertions(+)
>>
>> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
>> index 65fec2a70901..7c48c47a74a6 100644
>> --- a/drivers/fpga/intel-m10-bmc-sec-update.c
>> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
>> @@ -17,8 +17,14 @@
>>  struct m10bmc_sec {
>>  	struct device *dev;
>>  	struct intel_m10bmc *m10bmc;
>> +	struct fw_upload *fwl;
>> +	char *fw_name;
>> +	u32 fw_name_id;
>> +	bool cancel_request;
>>  };
>>  
>> +static DEFINE_XARRAY_ALLOC(fw_upload_xa);
>> +
>>  /* Root Entry Hash (REH) support */
>>  #define REH_SHA256_SIZE		32
>>  #define REH_SHA384_SIZE		48
>> @@ -192,10 +198,380 @@ static const struct attribute_group *m10bmc_sec_attr_groups[] = {
>>  	NULL,
>>  };
>>  
>> +static void log_error_regs(struct m10bmc_sec *sec, u32 doorbell)
>> +{
>> +	u32 auth_result;
>> +
>> +	dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);
>> +
>> +	if (!m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result))
>> +		dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
>> +}
>> +
>> +static enum fw_upload_err rsu_check_idle(struct m10bmc_sec *sec)
>> +{
>> +	u32 doorbell;
>> +	int ret;
>> +
>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>> +	if (ret)
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +
>> +	if (rsu_prog(doorbell) != RSU_PROG_IDLE &&
>> +	    rsu_prog(doorbell) != RSU_PROG_RSU_DONE) {
>> +		log_error_regs(sec, doorbell);
>> +		return FW_UPLOAD_ERR_BUSY;
>> +	}
>> +
>> +	return FW_UPLOAD_ERR_NONE;
>> +}
>> +
>> +static inline bool rsu_start_done(u32 doorbell)
>> +{
>> +	u32 status, progress;
>> +
>> +	if (doorbell & DRBL_RSU_REQUEST)
>> +		return false;
>> +
>> +	status = rsu_stat(doorbell);
>> +	if (status == RSU_STAT_ERASE_FAIL || status == RSU_STAT_WEAROUT)
>> +		return true;
>> +
>> +	progress = rsu_prog(doorbell);
>> +	if (progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE)
>> +		return true;
>> +
>> +	return false;
>> +}
>> +
>> +static enum fw_upload_err rsu_update_init(struct m10bmc_sec *sec)
>> +{
>> +	u32 doorbell, status;
>> +	int ret;
>> +
>> +	ret = regmap_update_bits(sec->m10bmc->regmap,
>> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
>> +				 DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
>> +				 DRBL_RSU_REQUEST |
>> +				 FIELD_PREP(DRBL_HOST_STATUS,
>> +					    HOST_STATUS_IDLE));
>> +	if (ret)
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +
>> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
>> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
>> +				       doorbell,
>> +				       rsu_start_done(doorbell),
>> +				       NIOS_HANDSHAKE_INTERVAL_US,
>> +				       NIOS_HANDSHAKE_TIMEOUT_US);
>> +
>> +	if (ret == -ETIMEDOUT) {
>> +		log_error_regs(sec, doorbell);
>> +		return FW_UPLOAD_ERR_TIMEOUT;
>> +	} else if (ret) {
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +	}
>> +
>> +	status = rsu_stat(doorbell);
>> +	if (status == RSU_STAT_WEAROUT) {
>> +		dev_warn(sec->dev, "Excessive flash update count detected\n");
>> +		return FW_UPLOAD_ERR_WEAROUT;
>> +	} else if (status == RSU_STAT_ERASE_FAIL) {
>> +		log_error_regs(sec, doorbell);
>> +		return FW_UPLOAD_ERR_HW_ERROR;
>> +	}
>> +
>> +	return FW_UPLOAD_ERR_NONE;
>> +}
>> +
>> +static enum fw_upload_err rsu_prog_ready(struct m10bmc_sec *sec)
>> +{
>> +	unsigned long poll_timeout;
>> +	u32 doorbell, progress;
>> +	int ret;
>> +
>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>> +	if (ret)
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +
>> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
>> +	while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
>> +		msleep(RSU_PREP_INTERVAL_MS);
>> +		if (time_after(jiffies, poll_timeout))
>> +			break;
>> +
>> +		ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>> +		if (ret)
>> +			return FW_UPLOAD_ERR_RW_ERROR;
>> +	}
>> +
>> +	progress = rsu_prog(doorbell);
>> +	if (progress == RSU_PROG_PREPARE) {
>> +		log_error_regs(sec, doorbell);
>> +		return FW_UPLOAD_ERR_TIMEOUT;
>> +	} else if (progress != RSU_PROG_READY) {
>> +		log_error_regs(sec, doorbell);
>> +		return FW_UPLOAD_ERR_HW_ERROR;
>> +	}
>> +
>> +	return FW_UPLOAD_ERR_NONE;
>> +}
>> +
>> +static enum fw_upload_err rsu_send_data(struct m10bmc_sec *sec)
>> +{
>> +	u32 doorbell;
>> +	int ret;
>> +
>> +	ret = regmap_update_bits(sec->m10bmc->regmap,
>> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
>> +				 DRBL_HOST_STATUS,
>> +				 FIELD_PREP(DRBL_HOST_STATUS,
>> +					    HOST_STATUS_WRITE_DONE));
>> +	if (ret)
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +
>> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
>> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
>> +				       doorbell,
>> +				       rsu_prog(doorbell) != RSU_PROG_READY,
>> +				       NIOS_HANDSHAKE_INTERVAL_US,
>> +				       NIOS_HANDSHAKE_TIMEOUT_US);
>> +
>> +	if (ret == -ETIMEDOUT) {
>> +		log_error_regs(sec, doorbell);
>> +		return FW_UPLOAD_ERR_TIMEOUT;
>> +	} else if (ret) {
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +	}
>> +
>> +	switch (rsu_stat(doorbell)) {
>> +	case RSU_STAT_NORMAL:
>> +	case RSU_STAT_NIOS_OK:
>> +	case RSU_STAT_USER_OK:
>> +	case RSU_STAT_FACTORY_OK:
>> +		break;
>> +	default:
>> +		log_error_regs(sec, doorbell);
>> +		return FW_UPLOAD_ERR_HW_ERROR;
>> +	}
>> +
>> +	return FW_UPLOAD_ERR_NONE;
>> +}
>> +
>> +static int rsu_check_complete(struct m10bmc_sec *sec, u32 *doorbell)
>> +{
>> +	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
>> +		return -EIO;
>> +
>> +	switch (rsu_stat(*doorbell)) {
>> +	case RSU_STAT_NORMAL:
>> +	case RSU_STAT_NIOS_OK:
>> +	case RSU_STAT_USER_OK:
>> +	case RSU_STAT_FACTORY_OK:
>> +		break;
>> +	default:
>> +		return -EINVAL;
>> +	}
>> +
>> +	switch (rsu_prog(*doorbell)) {
>> +	case RSU_PROG_IDLE:
>> +	case RSU_PROG_RSU_DONE:
>> +		return 0;
>> +	case RSU_PROG_AUTHENTICATING:
>> +	case RSU_PROG_COPYING:
>> +	case RSU_PROG_UPDATE_CANCEL:
>> +	case RSU_PROG_PROGRAM_KEY_HASH:
>> +		return -EAGAIN;
>> +	default:
>> +		return -EINVAL;
>> +	}
>> +}
>> +
>> +static enum fw_upload_err rsu_cancel(struct m10bmc_sec *sec)
>> +{
>> +	u32 doorbell;
>> +	int ret;
>> +
>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>> +	if (ret)
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +
>> +	if (rsu_prog(doorbell) != RSU_PROG_READY)
>> +		return FW_UPLOAD_ERR_BUSY;
>> +
>> +	ret = regmap_update_bits(sec->m10bmc->regmap,
>> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
>> +				 DRBL_HOST_STATUS,
>> +				 FIELD_PREP(DRBL_HOST_STATUS,
>> +					    HOST_STATUS_ABORT_RSU));
>> +	if (ret)
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +
>> +	return FW_UPLOAD_ERR_CANCELED;
>> +}
>> +
>> +static enum fw_upload_err m10bmc_sec_prepare(struct fw_upload *fwl,
>> +					     const u8 *data, u32 size)
>> +{
>> +	struct m10bmc_sec *sec = fwl->dd_handle;
>> +	unsigned int stride;
>> +	u32 ret;
>> +
>> +	sec->cancel_request = false;
>> +
>> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
>> +	if (!IS_ALIGNED((unsigned long)data, stride)) {
>> +		dev_err(sec->dev,
>> +			"%s address (0x%p) not aligned to stride (0x%x)\n",
>> +			__func__, data, stride);
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +	}
> Why the base of the source data should be stride aligned? What prevents
> the driver from reading out the unaligned data?

This check also exists in regmap_bulk_write(), so regmap_bulk_write() would
fail for an unaligned base address with -EINVAL:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/base/regmap/regmap.c#n2274

By checking it here, I am able to print something useful to the kernel log.

>
> And this may be a too strict rule. I'm not sure who should ensure the
> alignment of the firmware data? The firmware upload framework? Or a user
> has no idea about the stride and cannot do the right thing.
The firmware upload framework uses an array of pages to allocate space
for the firmware image, so in its current implementation it will always
be aligned.

Would it be better to use regmap_write() for an unaligned start and
then follow up with regmap_bulk_write()?

>
>> +
>> +	if (!size || size > M10BMC_STAGING_SIZE)
>> +		return FW_UPLOAD_ERR_INVALID_SIZE;
>> +
>> +	ret = rsu_check_idle(sec);
>> +	if (ret != FW_UPLOAD_ERR_NONE)
>> +		return ret;
>> +
>> +	ret = rsu_update_init(sec);
>> +	if (ret != FW_UPLOAD_ERR_NONE)
>> +		return ret;
>> +
>> +	ret = rsu_prog_ready(sec);
>> +	if (ret != FW_UPLOAD_ERR_NONE)
>> +		return ret;
>> +
>> +	if (sec->cancel_request)
>> +		return rsu_cancel(sec);
>> +
>> +	return FW_UPLOAD_ERR_NONE;
>> +}
>> +
>> +#define WRITE_BLOCK_SIZE 0x4000	/* Default write-block size is 0x4000 bytes */
>> +
>> +static enum fw_upload_err m10bmc_sec_write(struct fw_upload *fwl, const u8 *data,
>> +					   u32 offset, u32 size, u32 *written)
>> +{
>> +	struct m10bmc_sec *sec = fwl->dd_handle;
>> +	u32 blk_size, doorbell;
>> +	unsigned int stride;
>> +	u8 *blk_addr;
>> +	int ret;
>> +
>> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
>> +	if (sec->cancel_request)
>> +		return rsu_cancel(sec);
>> +
>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>> +	if (ret) {
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +	} else if (rsu_prog(doorbell) != RSU_PROG_READY) {
>> +		log_error_regs(sec, doorbell);
>> +		return FW_UPLOAD_ERR_HW_ERROR;
>> +	}
>> +
>> +	WARN_ON_ONCE(WRITE_BLOCK_SIZE % stride);
>> +	blk_size = min_t(u32, WRITE_BLOCK_SIZE, size);
>> +
>> +	/*
>> +	 * If the source data size does not align to stride, then create
>> +	 * a temporary buffer that is aligned, copy the data, and use the
>> +	 * temporary buffer as the source for the write.
>> +	 */
>> +	if (blk_size % stride) {
>> +		blk_addr = kzalloc(blk_size + blk_size % stride, GFP_KERNEL);
>> +		if (!blk_addr)
>> +			return FW_UPLOAD_ERR_RW_ERROR;
>> +		memcpy(blk_addr, data + offset, blk_size);
> You don't have to alloc and copy the whole block, just copy the last unaligned
> bytes to a local variable and regmap_write().
OK - I'll do that. And I'll look at doing something similar for a misaligned start.

Thanks,
- Russ
>
> Others are good to me.
>
> Thanks,
> Yilun
>
>> +	} else {
>> +		blk_addr = (u8 *)data + offset;
>> +	}
>> +
>> +	ret = regmap_bulk_write(sec->m10bmc->regmap,
>> +				M10BMC_STAGING_BASE + offset, blk_addr,
>> +				(blk_size + stride - 1) / stride);
>> +
>> +	if (blk_size % stride)
>> +		kfree(blk_addr);
>> +
>> +	if (ret)
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +
>> +	*written = blk_size;
>> +	return FW_UPLOAD_ERR_NONE;
>> +}
>> +
>> +static enum fw_upload_err m10bmc_sec_poll_complete(struct fw_upload *fwl)
>> +{
>> +	struct m10bmc_sec *sec = fwl->dd_handle;
>> +	unsigned long poll_timeout;
>> +	u32 doorbell, result;
>> +	int ret;
>> +
>> +	if (sec->cancel_request)
>> +		return rsu_cancel(sec);
>> +
>> +	result = rsu_send_data(sec);
>> +	if (result != FW_UPLOAD_ERR_NONE)
>> +		return result;
>> +
>> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
>> +	do {
>> +		msleep(RSU_COMPLETE_INTERVAL_MS);
>> +		ret = rsu_check_complete(sec, &doorbell);
>> +	} while (ret == -EAGAIN && !time_after(jiffies, poll_timeout));
>> +
>> +	if (ret == -EAGAIN) {
>> +		log_error_regs(sec, doorbell);
>> +		return FW_UPLOAD_ERR_TIMEOUT;
>> +	} else if (ret == -EIO) {
>> +		return FW_UPLOAD_ERR_RW_ERROR;
>> +	} else if (ret) {
>> +		log_error_regs(sec, doorbell);
>> +		return FW_UPLOAD_ERR_HW_ERROR;
>> +	}
>> +
>> +	return FW_UPLOAD_ERR_NONE;
>> +}
>> +
>> +/*
>> + * m10bmc_sec_cancel() may be called asynchronously with an on-going update.
>> + * All other functions are called sequentially in a single thread. To avoid
>> + * contention on register accesses, m10bmc_sec_cancel() must only update
>> + * the cancel_request flag. Other functions will check this flag and handle
>> + * the cancel request synchronously.
>> + */
>> +static void m10bmc_sec_cancel(struct fw_upload *fwl)
>> +{
>> +	struct m10bmc_sec *sec = fwl->dd_handle;
>> +
>> +	sec->cancel_request = true;
>> +}
>> +
>> +static void m10bmc_sec_cleanup(struct fw_upload *fwl)
>> +{
>> +	struct m10bmc_sec *sec = fwl->dd_handle;
>> +
>> +	(void)rsu_cancel(sec);
>> +}
>> +
>> +static const struct fw_upload_ops m10bmc_ops = {
>> +	.prepare = m10bmc_sec_prepare,
>> +	.write = m10bmc_sec_write,
>> +	.poll_complete = m10bmc_sec_poll_complete,
>> +	.cancel = m10bmc_sec_cancel,
>> +	.cleanup = m10bmc_sec_cleanup,
>> +};
>> +
>>  #define SEC_UPDATE_LEN_MAX 32
>>  static int m10bmc_sec_probe(struct platform_device *pdev)
>>  {
>> +	char buf[SEC_UPDATE_LEN_MAX];
>>  	struct m10bmc_sec *sec;
>> +	struct fw_upload *fwl;
>> +	unsigned int len;
>> +	int  ret;
>>  
>>  	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
>>  	if (!sec)
>> @@ -205,6 +581,38 @@ static int m10bmc_sec_probe(struct platform_device *pdev)
>>  	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
>>  	dev_set_drvdata(&pdev->dev, sec);
>>  
>> +	ret = xa_alloc(&fw_upload_xa, &sec->fw_name_id, sec,
>> +		       xa_limit_32b, GFP_KERNEL);
>> +	if (ret)
>> +		return ret;
>> +
>> +	len = scnprintf(buf, SEC_UPDATE_LEN_MAX, "secure-update%d",
>> +			sec->fw_name_id);
>> +	sec->fw_name = kmemdup_nul(buf, len, GFP_KERNEL);
>> +	if (!sec->fw_name)
>> +		return -ENOMEM;
>> +
>> +	fwl = firmware_upload_register(THIS_MODULE, sec->dev, sec->fw_name,
>> +				       &m10bmc_ops, sec);
>> +	if (IS_ERR(fwl)) {
>> +		dev_err(sec->dev, "Firmware Upload driver failed to start\n");
>> +		kfree(sec->fw_name);
>> +		xa_erase(&fw_upload_xa, sec->fw_name_id);
>> +		return PTR_ERR(fwl);
>> +	}
>> +
>> +	sec->fwl = fwl;
>> +	return 0;
>> +}
>> +
>> +static int m10bmc_sec_remove(struct platform_device *pdev)
>> +{
>> +	struct m10bmc_sec *sec = dev_get_drvdata(&pdev->dev);
>> +
>> +	firmware_upload_unregister(sec->fwl);
>> +	kfree(sec->fw_name);
>> +	xa_erase(&fw_upload_xa, sec->fw_name_id);
>> +
>>  	return 0;
>>  }
>>  
>> @@ -218,6 +626,7 @@ MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
>>  
>>  static struct platform_driver intel_m10bmc_sec_driver = {
>>  	.probe = m10bmc_sec_probe,
>> +	.remove = m10bmc_sec_remove,
>>  	.driver = {
>>  		.name = "intel-m10bmc-sec-update",
>>  		.dev_groups = m10bmc_sec_attr_groups,
>> -- 
>> 2.25.1


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 5/5] fpga: m10bmc-sec: add max10 secure update functions
  2022-05-26 21:27     ` Russ Weight
@ 2022-05-27  4:47       ` Xu Yilun
  2022-05-27 19:26         ` Russ Weight
  0 siblings, 1 reply; 17+ messages in thread
From: Xu Yilun @ 2022-05-27  4:47 UTC (permalink / raw)
  To: Russ Weight
  Cc: mdf, hao.wu, lee.jones, linux-fpga, linux-kernel, trix, marpagan,
	lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang

On Thu, May 26, 2022 at 02:27:15PM -0700, Russ Weight wrote:
> 
> 
> On 5/26/22 00:48, Xu Yilun wrote:
> > On Fri, May 20, 2022 at 05:36:07PM -0700, Russ Weight wrote:
> >> Create firmware upload ops and call the Firmware Upload support of the
> >> Firmware Loader subsystem to enable FPGA image uploads for secure
> >> updates of BMC images, FPGA images, etc.
> >>
> >> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
> >> ---
> >> v21:
> >>   - Update m10bmc_sec_prepare() to ensure that the base address for an
> >>     update image is aligned with stride.
> >>   - Update m10bmc_sec_write() to handle a block size that is not aligned
> >>     with stride by allocating a zero-filled block that is aligned, and
> >>     copying the data before calling regmap_bulk_write().
> >> v20:
> >>   - No change.
> >> v19:
> >>   - Change "card bmc" naming back to "m10 bmc" naming to be consistent
> >>     with the parent driver.
> >> v18:
> >>   - Moved the firmware_upload_register() function here from an earlier
> >>     patch since this is where the required ops are provided.
> >>   - Moved the bmc_sec_remove() function here from an earlier patch to
> >>     unregister the firmware driver and do cleanup.
> >> v17:
> >>   - Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
> >>     future devices will not necessarily use the MAX10.
> >>   - Change from image_load class driver to the new firmware_upload 
> >>     functionality of the firmware_loader.
> >>   - fw_upload_ops functions will return "enum fw_upload_err" data types
> >>     instead of integer values.
> >> v16:
> >>   - Use 0 instead of FPGA_IMAGE_ERR_NONE to indicate success.
> >>   - The size alignment check was moved from the FPGA Image Load framework
> >>     to the prepare() op.
> >>   - Added cancel_request boolean flag to struct m10bmc_sec.
> >>   - Moved the RSU cancellation logic from m10bmc_sec_cancel() to a new
> >>     rsu_cancel() function.
> >>   - The m10bmc_sec_cancel() function ONLY sets the cancel_request flag.
> >>     The cancel_request flag is checked at the beginning of the
> >>     m10bmc_sec_write() and m10bmc_sec_poll_complete() functions.
> >>   - Adapt to changed prototypes for the prepare() and write() ops. The
> >>     m10bmc_sec_write_blk() function has been renamed to
> >>     m10bmc_sec_write().
> >>   - Created a cleanup() op, m10bmc_sec_cleanup(), to attempt to cancel an
> >>     ongoing op during when exiting the update process.
> >> v15:
> >>   - Adapted to changes in the FPGA Image Load framework:
> >>     (1) All enum types (progress and errors) are now type u32
> >>     (2) m10bmc_sec_write_blk() adds *blk_size and max_size parameters
> >>         and uses *blk_size as provided by the caller.
> >>     (3) m10bmc_sec_poll_complete() no long checks the driver_unload
> >>         flag.
> >> v14:
> >>   - Changed symbol names to reflect the renaming of the Security Manager
> >>     Class driver to FPGA Image Load.
> >> v13:
> >>   - No change
> >> v12:
> >>   - Updated Date and KernelVersion fields in ABI documentation
> >>   - Removed size parameter from the write_blk() op. m10bmc_sec_write_blk()
> >>     no longer has a size parameter, and the block size is determined
> >>     in this (the lower-level) driver.
> >> v11:
> >>   - No change
> >> v10:
> >>   - No change
> >> v9:
> >>   - No change
> >> v8:
> >>   - Previously patch 5/6, otherwise no change
> >> v7:
> >>   - No change
> >> v6:
> >>   - Changed (size / stride) calculation to ((size + stride - 1) / stride)
> >>     to ensure that the proper count is passed to regmap_bulk_write().
> >>   - Removed unnecessary call to rsu_check_complete() in
> >>     m10bmc_sec_poll_complete() and changed while loop to
> >>     do/while loop.
> >> v5:
> >>   - No change
> >> v4:
> >>   - No change
> >> v3:
> >>   - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
> >>   - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
> >>     driver"
> >>   - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
> >>     underlying functions are now called directly.
> >>   - Changed calling functions of functions that return "enum fpga_sec_err"
> >>     to check for (ret != FPGA_SEC_ERR_NONE) instead of (ret)
> >> v2:
> >>   - Reworked the rsu_start_done() function to make it more readable
> >>   - Reworked while-loop condition/content in rsu_prog_ready()
> >>   - Minor code cleanup per review comments
> >>   - Added a comment to the m10bmc_sec_poll_complete() function to
> >>     explain the context (could take 30+ minutes to complete).
> >>   - Added m10bmc_ prefix to functions in m10bmc_iops structure
> >>   - Moved MAX10 BMC address and function definitions to a separate
> >>     patch.
> >> ---
> >>  drivers/fpga/intel-m10-bmc-sec-update.c | 409 ++++++++++++++++++++++++
> >>  1 file changed, 409 insertions(+)
> >>
> >> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
> >> index 65fec2a70901..7c48c47a74a6 100644
> >> --- a/drivers/fpga/intel-m10-bmc-sec-update.c
> >> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
> >> @@ -17,8 +17,14 @@
> >>  struct m10bmc_sec {
> >>  	struct device *dev;
> >>  	struct intel_m10bmc *m10bmc;
> >> +	struct fw_upload *fwl;
> >> +	char *fw_name;
> >> +	u32 fw_name_id;
> >> +	bool cancel_request;
> >>  };
> >>  
> >> +static DEFINE_XARRAY_ALLOC(fw_upload_xa);
> >> +
> >>  /* Root Entry Hash (REH) support */
> >>  #define REH_SHA256_SIZE		32
> >>  #define REH_SHA384_SIZE		48
> >> @@ -192,10 +198,380 @@ static const struct attribute_group *m10bmc_sec_attr_groups[] = {
> >>  	NULL,
> >>  };
> >>  
> >> +static void log_error_regs(struct m10bmc_sec *sec, u32 doorbell)
> >> +{
> >> +	u32 auth_result;
> >> +
> >> +	dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);
> >> +
> >> +	if (!m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result))
> >> +		dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
> >> +}
> >> +
> >> +static enum fw_upload_err rsu_check_idle(struct m10bmc_sec *sec)
> >> +{
> >> +	u32 doorbell;
> >> +	int ret;
> >> +
> >> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> >> +	if (ret)
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +
> >> +	if (rsu_prog(doorbell) != RSU_PROG_IDLE &&
> >> +	    rsu_prog(doorbell) != RSU_PROG_RSU_DONE) {
> >> +		log_error_regs(sec, doorbell);
> >> +		return FW_UPLOAD_ERR_BUSY;
> >> +	}
> >> +
> >> +	return FW_UPLOAD_ERR_NONE;
> >> +}
> >> +
> >> +static inline bool rsu_start_done(u32 doorbell)
> >> +{
> >> +	u32 status, progress;
> >> +
> >> +	if (doorbell & DRBL_RSU_REQUEST)
> >> +		return false;
> >> +
> >> +	status = rsu_stat(doorbell);
> >> +	if (status == RSU_STAT_ERASE_FAIL || status == RSU_STAT_WEAROUT)
> >> +		return true;
> >> +
> >> +	progress = rsu_prog(doorbell);
> >> +	if (progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE)
> >> +		return true;
> >> +
> >> +	return false;
> >> +}
> >> +
> >> +static enum fw_upload_err rsu_update_init(struct m10bmc_sec *sec)
> >> +{
> >> +	u32 doorbell, status;
> >> +	int ret;
> >> +
> >> +	ret = regmap_update_bits(sec->m10bmc->regmap,
> >> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
> >> +				 DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
> >> +				 DRBL_RSU_REQUEST |
> >> +				 FIELD_PREP(DRBL_HOST_STATUS,
> >> +					    HOST_STATUS_IDLE));
> >> +	if (ret)
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +
> >> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
> >> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
> >> +				       doorbell,
> >> +				       rsu_start_done(doorbell),
> >> +				       NIOS_HANDSHAKE_INTERVAL_US,
> >> +				       NIOS_HANDSHAKE_TIMEOUT_US);
> >> +
> >> +	if (ret == -ETIMEDOUT) {
> >> +		log_error_regs(sec, doorbell);
> >> +		return FW_UPLOAD_ERR_TIMEOUT;
> >> +	} else if (ret) {
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +	}
> >> +
> >> +	status = rsu_stat(doorbell);
> >> +	if (status == RSU_STAT_WEAROUT) {
> >> +		dev_warn(sec->dev, "Excessive flash update count detected\n");
> >> +		return FW_UPLOAD_ERR_WEAROUT;
> >> +	} else if (status == RSU_STAT_ERASE_FAIL) {
> >> +		log_error_regs(sec, doorbell);
> >> +		return FW_UPLOAD_ERR_HW_ERROR;
> >> +	}
> >> +
> >> +	return FW_UPLOAD_ERR_NONE;
> >> +}
> >> +
> >> +static enum fw_upload_err rsu_prog_ready(struct m10bmc_sec *sec)
> >> +{
> >> +	unsigned long poll_timeout;
> >> +	u32 doorbell, progress;
> >> +	int ret;
> >> +
> >> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> >> +	if (ret)
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +
> >> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
> >> +	while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
> >> +		msleep(RSU_PREP_INTERVAL_MS);
> >> +		if (time_after(jiffies, poll_timeout))
> >> +			break;
> >> +
> >> +		ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> >> +		if (ret)
> >> +			return FW_UPLOAD_ERR_RW_ERROR;
> >> +	}
> >> +
> >> +	progress = rsu_prog(doorbell);
> >> +	if (progress == RSU_PROG_PREPARE) {
> >> +		log_error_regs(sec, doorbell);
> >> +		return FW_UPLOAD_ERR_TIMEOUT;
> >> +	} else if (progress != RSU_PROG_READY) {
> >> +		log_error_regs(sec, doorbell);
> >> +		return FW_UPLOAD_ERR_HW_ERROR;
> >> +	}
> >> +
> >> +	return FW_UPLOAD_ERR_NONE;
> >> +}
> >> +
> >> +static enum fw_upload_err rsu_send_data(struct m10bmc_sec *sec)
> >> +{
> >> +	u32 doorbell;
> >> +	int ret;
> >> +
> >> +	ret = regmap_update_bits(sec->m10bmc->regmap,
> >> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
> >> +				 DRBL_HOST_STATUS,
> >> +				 FIELD_PREP(DRBL_HOST_STATUS,
> >> +					    HOST_STATUS_WRITE_DONE));
> >> +	if (ret)
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +
> >> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
> >> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
> >> +				       doorbell,
> >> +				       rsu_prog(doorbell) != RSU_PROG_READY,
> >> +				       NIOS_HANDSHAKE_INTERVAL_US,
> >> +				       NIOS_HANDSHAKE_TIMEOUT_US);
> >> +
> >> +	if (ret == -ETIMEDOUT) {
> >> +		log_error_regs(sec, doorbell);
> >> +		return FW_UPLOAD_ERR_TIMEOUT;
> >> +	} else if (ret) {
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +	}
> >> +
> >> +	switch (rsu_stat(doorbell)) {
> >> +	case RSU_STAT_NORMAL:
> >> +	case RSU_STAT_NIOS_OK:
> >> +	case RSU_STAT_USER_OK:
> >> +	case RSU_STAT_FACTORY_OK:
> >> +		break;
> >> +	default:
> >> +		log_error_regs(sec, doorbell);
> >> +		return FW_UPLOAD_ERR_HW_ERROR;
> >> +	}
> >> +
> >> +	return FW_UPLOAD_ERR_NONE;
> >> +}
> >> +
> >> +static int rsu_check_complete(struct m10bmc_sec *sec, u32 *doorbell)
> >> +{
> >> +	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
> >> +		return -EIO;
> >> +
> >> +	switch (rsu_stat(*doorbell)) {
> >> +	case RSU_STAT_NORMAL:
> >> +	case RSU_STAT_NIOS_OK:
> >> +	case RSU_STAT_USER_OK:
> >> +	case RSU_STAT_FACTORY_OK:
> >> +		break;
> >> +	default:
> >> +		return -EINVAL;
> >> +	}
> >> +
> >> +	switch (rsu_prog(*doorbell)) {
> >> +	case RSU_PROG_IDLE:
> >> +	case RSU_PROG_RSU_DONE:
> >> +		return 0;
> >> +	case RSU_PROG_AUTHENTICATING:
> >> +	case RSU_PROG_COPYING:
> >> +	case RSU_PROG_UPDATE_CANCEL:
> >> +	case RSU_PROG_PROGRAM_KEY_HASH:
> >> +		return -EAGAIN;
> >> +	default:
> >> +		return -EINVAL;
> >> +	}
> >> +}
> >> +
> >> +static enum fw_upload_err rsu_cancel(struct m10bmc_sec *sec)
> >> +{
> >> +	u32 doorbell;
> >> +	int ret;
> >> +
> >> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> >> +	if (ret)
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +
> >> +	if (rsu_prog(doorbell) != RSU_PROG_READY)
> >> +		return FW_UPLOAD_ERR_BUSY;
> >> +
> >> +	ret = regmap_update_bits(sec->m10bmc->regmap,
> >> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
> >> +				 DRBL_HOST_STATUS,
> >> +				 FIELD_PREP(DRBL_HOST_STATUS,
> >> +					    HOST_STATUS_ABORT_RSU));
> >> +	if (ret)
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +
> >> +	return FW_UPLOAD_ERR_CANCELED;
> >> +}
> >> +
> >> +static enum fw_upload_err m10bmc_sec_prepare(struct fw_upload *fwl,
> >> +					     const u8 *data, u32 size)
> >> +{
> >> +	struct m10bmc_sec *sec = fwl->dd_handle;
> >> +	unsigned int stride;
> >> +	u32 ret;
> >> +
> >> +	sec->cancel_request = false;
> >> +
> >> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> >> +	if (!IS_ALIGNED((unsigned long)data, stride)) {
> >> +		dev_err(sec->dev,
> >> +			"%s address (0x%p) not aligned to stride (0x%x)\n",
> >> +			__func__, data, stride);
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +	}
> > Why the base of the source data should be stride aligned? What prevents
> > the driver from reading out the unaligned data?
> 
> This check also exists in regmap_bulk_write(), so regmap_bulk_write() would
> fail for an unaligned base address with -EINVAL:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/base/regmap/regmap.c#n2274

I'm sorry I just see the regmap_bulk_write() checks the alignment of
register addr, but not the data. Am I missed something?

> 
> By checking it here, I am able to print something useful to the kernel log.
> 
> >
> > And this may be a too strict rule. I'm not sure who should ensure the
> > alignment of the firmware data? The firmware upload framework? Or a user
> > has no idea about the stride and cannot do the right thing.
> The firmware upload framework uses an array of pages to allocate space
> for the firmware image, so in its current implementation it will always
> be aligned.
> 
> Would it be better to use regmap_write() for an unaligned start and
> then follow up with regmap_bulk_write()?

The driver only supports the firmware upload framework, is it? So if the
framework ensures the alignment, the extra check is not a must for drivers.

> 
> >
> >> +
> >> +	if (!size || size > M10BMC_STAGING_SIZE)
> >> +		return FW_UPLOAD_ERR_INVALID_SIZE;
> >> +
> >> +	ret = rsu_check_idle(sec);
> >> +	if (ret != FW_UPLOAD_ERR_NONE)
> >> +		return ret;
> >> +
> >> +	ret = rsu_update_init(sec);
> >> +	if (ret != FW_UPLOAD_ERR_NONE)
> >> +		return ret;
> >> +
> >> +	ret = rsu_prog_ready(sec);
> >> +	if (ret != FW_UPLOAD_ERR_NONE)
> >> +		return ret;
> >> +
> >> +	if (sec->cancel_request)
> >> +		return rsu_cancel(sec);
> >> +
> >> +	return FW_UPLOAD_ERR_NONE;
> >> +}
> >> +
> >> +#define WRITE_BLOCK_SIZE 0x4000	/* Default write-block size is 0x4000 bytes */
> >> +
> >> +static enum fw_upload_err m10bmc_sec_write(struct fw_upload *fwl, const u8 *data,
> >> +					   u32 offset, u32 size, u32 *written)
> >> +{
> >> +	struct m10bmc_sec *sec = fwl->dd_handle;
> >> +	u32 blk_size, doorbell;
> >> +	unsigned int stride;
> >> +	u8 *blk_addr;
> >> +	int ret;
> >> +
> >> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> >> +	if (sec->cancel_request)
> >> +		return rsu_cancel(sec);
> >> +
> >> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
> >> +	if (ret) {
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +	} else if (rsu_prog(doorbell) != RSU_PROG_READY) {
> >> +		log_error_regs(sec, doorbell);
> >> +		return FW_UPLOAD_ERR_HW_ERROR;
> >> +	}
> >> +
> >> +	WARN_ON_ONCE(WRITE_BLOCK_SIZE % stride);
> >> +	blk_size = min_t(u32, WRITE_BLOCK_SIZE, size);
> >> +
> >> +	/*
> >> +	 * If the source data size does not align to stride, then create
> >> +	 * a temporary buffer that is aligned, copy the data, and use the
> >> +	 * temporary buffer as the source for the write.
> >> +	 */
> >> +	if (blk_size % stride) {
> >> +		blk_addr = kzalloc(blk_size + blk_size % stride, GFP_KERNEL);
> >> +		if (!blk_addr)
> >> +			return FW_UPLOAD_ERR_RW_ERROR;
> >> +		memcpy(blk_addr, data + offset, blk_size);
> > You don't have to alloc and copy the whole block, just copy the last unaligned
> > bytes to a local variable and regmap_write().
> OK - I'll do that. And I'll look at doing something similar for a misaligned start.

Please double confirm if the checking for misaligned start is necessary.

Thanks,
Yilun

> 
> Thanks,
> - Russ
> >
> > Others are good to me.
> >
> > Thanks,
> > Yilun
> >
> >> +	} else {
> >> +		blk_addr = (u8 *)data + offset;
> >> +	}
> >> +
> >> +	ret = regmap_bulk_write(sec->m10bmc->regmap,
> >> +				M10BMC_STAGING_BASE + offset, blk_addr,
> >> +				(blk_size + stride - 1) / stride);
> >> +
> >> +	if (blk_size % stride)
> >> +		kfree(blk_addr);
> >> +
> >> +	if (ret)
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +
> >> +	*written = blk_size;
> >> +	return FW_UPLOAD_ERR_NONE;
> >> +}
> >> +
> >> +static enum fw_upload_err m10bmc_sec_poll_complete(struct fw_upload *fwl)
> >> +{
> >> +	struct m10bmc_sec *sec = fwl->dd_handle;
> >> +	unsigned long poll_timeout;
> >> +	u32 doorbell, result;
> >> +	int ret;
> >> +
> >> +	if (sec->cancel_request)
> >> +		return rsu_cancel(sec);
> >> +
> >> +	result = rsu_send_data(sec);
> >> +	if (result != FW_UPLOAD_ERR_NONE)
> >> +		return result;
> >> +
> >> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
> >> +	do {
> >> +		msleep(RSU_COMPLETE_INTERVAL_MS);
> >> +		ret = rsu_check_complete(sec, &doorbell);
> >> +	} while (ret == -EAGAIN && !time_after(jiffies, poll_timeout));
> >> +
> >> +	if (ret == -EAGAIN) {
> >> +		log_error_regs(sec, doorbell);
> >> +		return FW_UPLOAD_ERR_TIMEOUT;
> >> +	} else if (ret == -EIO) {
> >> +		return FW_UPLOAD_ERR_RW_ERROR;
> >> +	} else if (ret) {
> >> +		log_error_regs(sec, doorbell);
> >> +		return FW_UPLOAD_ERR_HW_ERROR;
> >> +	}
> >> +
> >> +	return FW_UPLOAD_ERR_NONE;
> >> +}
> >> +
> >> +/*
> >> + * m10bmc_sec_cancel() may be called asynchronously with an on-going update.
> >> + * All other functions are called sequentially in a single thread. To avoid
> >> + * contention on register accesses, m10bmc_sec_cancel() must only update
> >> + * the cancel_request flag. Other functions will check this flag and handle
> >> + * the cancel request synchronously.
> >> + */
> >> +static void m10bmc_sec_cancel(struct fw_upload *fwl)
> >> +{
> >> +	struct m10bmc_sec *sec = fwl->dd_handle;
> >> +
> >> +	sec->cancel_request = true;
> >> +}
> >> +
> >> +static void m10bmc_sec_cleanup(struct fw_upload *fwl)
> >> +{
> >> +	struct m10bmc_sec *sec = fwl->dd_handle;
> >> +
> >> +	(void)rsu_cancel(sec);
> >> +}
> >> +
> >> +static const struct fw_upload_ops m10bmc_ops = {
> >> +	.prepare = m10bmc_sec_prepare,
> >> +	.write = m10bmc_sec_write,
> >> +	.poll_complete = m10bmc_sec_poll_complete,
> >> +	.cancel = m10bmc_sec_cancel,
> >> +	.cleanup = m10bmc_sec_cleanup,
> >> +};
> >> +
> >>  #define SEC_UPDATE_LEN_MAX 32
> >>  static int m10bmc_sec_probe(struct platform_device *pdev)
> >>  {
> >> +	char buf[SEC_UPDATE_LEN_MAX];
> >>  	struct m10bmc_sec *sec;
> >> +	struct fw_upload *fwl;
> >> +	unsigned int len;
> >> +	int  ret;
> >>  
> >>  	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
> >>  	if (!sec)
> >> @@ -205,6 +581,38 @@ static int m10bmc_sec_probe(struct platform_device *pdev)
> >>  	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
> >>  	dev_set_drvdata(&pdev->dev, sec);
> >>  
> >> +	ret = xa_alloc(&fw_upload_xa, &sec->fw_name_id, sec,
> >> +		       xa_limit_32b, GFP_KERNEL);
> >> +	if (ret)
> >> +		return ret;
> >> +
> >> +	len = scnprintf(buf, SEC_UPDATE_LEN_MAX, "secure-update%d",
> >> +			sec->fw_name_id);
> >> +	sec->fw_name = kmemdup_nul(buf, len, GFP_KERNEL);
> >> +	if (!sec->fw_name)
> >> +		return -ENOMEM;
> >> +
> >> +	fwl = firmware_upload_register(THIS_MODULE, sec->dev, sec->fw_name,
> >> +				       &m10bmc_ops, sec);
> >> +	if (IS_ERR(fwl)) {
> >> +		dev_err(sec->dev, "Firmware Upload driver failed to start\n");
> >> +		kfree(sec->fw_name);
> >> +		xa_erase(&fw_upload_xa, sec->fw_name_id);
> >> +		return PTR_ERR(fwl);
> >> +	}
> >> +
> >> +	sec->fwl = fwl;
> >> +	return 0;
> >> +}
> >> +
> >> +static int m10bmc_sec_remove(struct platform_device *pdev)
> >> +{
> >> +	struct m10bmc_sec *sec = dev_get_drvdata(&pdev->dev);
> >> +
> >> +	firmware_upload_unregister(sec->fwl);
> >> +	kfree(sec->fw_name);
> >> +	xa_erase(&fw_upload_xa, sec->fw_name_id);
> >> +
> >>  	return 0;
> >>  }
> >>  
> >> @@ -218,6 +626,7 @@ MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
> >>  
> >>  static struct platform_driver intel_m10bmc_sec_driver = {
> >>  	.probe = m10bmc_sec_probe,
> >> +	.remove = m10bmc_sec_remove,
> >>  	.driver = {
> >>  		.name = "intel-m10bmc-sec-update",
> >>  		.dev_groups = m10bmc_sec_attr_groups,
> >> -- 
> >> 2.25.1

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH v21 5/5] fpga: m10bmc-sec: add max10 secure update functions
  2022-05-27  4:47       ` Xu Yilun
@ 2022-05-27 19:26         ` Russ Weight
  0 siblings, 0 replies; 17+ messages in thread
From: Russ Weight @ 2022-05-27 19:26 UTC (permalink / raw)
  To: Xu Yilun
  Cc: mdf, hao.wu, lee.jones, linux-fpga, linux-kernel, trix, marpagan,
	lgoncalv, matthew.gerlach, basheer.ahmed.muddebihal,
	tianfei.zhang



On 5/26/22 21:47, Xu Yilun wrote:
> On Thu, May 26, 2022 at 02:27:15PM -0700, Russ Weight wrote:
>>
>> On 5/26/22 00:48, Xu Yilun wrote:
>>> On Fri, May 20, 2022 at 05:36:07PM -0700, Russ Weight wrote:
>>>> Create firmware upload ops and call the Firmware Upload support of the
>>>> Firmware Loader subsystem to enable FPGA image uploads for secure
>>>> updates of BMC images, FPGA images, etc.
>>>>
>>>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>>>> ---
>>>> v21:
>>>>   - Update m10bmc_sec_prepare() to ensure that the base address for an
>>>>     update image is aligned with stride.
>>>>   - Update m10bmc_sec_write() to handle a block size that is not aligned
>>>>     with stride by allocating a zero-filled block that is aligned, and
>>>>     copying the data before calling regmap_bulk_write().
>>>> v20:
>>>>   - No change.
>>>> v19:
>>>>   - Change "card bmc" naming back to "m10 bmc" naming to be consistent
>>>>     with the parent driver.
>>>> v18:
>>>>   - Moved the firmware_upload_register() function here from an earlier
>>>>     patch since this is where the required ops are provided.
>>>>   - Moved the bmc_sec_remove() function here from an earlier patch to
>>>>     unregister the firmware driver and do cleanup.
>>>> v17:
>>>>   - Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
>>>>     future devices will not necessarily use the MAX10.
>>>>   - Change from image_load class driver to the new firmware_upload 
>>>>     functionality of the firmware_loader.
>>>>   - fw_upload_ops functions will return "enum fw_upload_err" data types
>>>>     instead of integer values.
>>>> v16:
>>>>   - Use 0 instead of FPGA_IMAGE_ERR_NONE to indicate success.
>>>>   - The size alignment check was moved from the FPGA Image Load framework
>>>>     to the prepare() op.
>>>>   - Added cancel_request boolean flag to struct m10bmc_sec.
>>>>   - Moved the RSU cancellation logic from m10bmc_sec_cancel() to a new
>>>>     rsu_cancel() function.
>>>>   - The m10bmc_sec_cancel() function ONLY sets the cancel_request flag.
>>>>     The cancel_request flag is checked at the beginning of the
>>>>     m10bmc_sec_write() and m10bmc_sec_poll_complete() functions.
>>>>   - Adapt to changed prototypes for the prepare() and write() ops. The
>>>>     m10bmc_sec_write_blk() function has been renamed to
>>>>     m10bmc_sec_write().
>>>>   - Created a cleanup() op, m10bmc_sec_cleanup(), to attempt to cancel an
>>>>     ongoing op during when exiting the update process.
>>>> v15:
>>>>   - Adapted to changes in the FPGA Image Load framework:
>>>>     (1) All enum types (progress and errors) are now type u32
>>>>     (2) m10bmc_sec_write_blk() adds *blk_size and max_size parameters
>>>>         and uses *blk_size as provided by the caller.
>>>>     (3) m10bmc_sec_poll_complete() no long checks the driver_unload
>>>>         flag.
>>>> v14:
>>>>   - Changed symbol names to reflect the renaming of the Security Manager
>>>>     Class driver to FPGA Image Load.
>>>> v13:
>>>>   - No change
>>>> v12:
>>>>   - Updated Date and KernelVersion fields in ABI documentation
>>>>   - Removed size parameter from the write_blk() op. m10bmc_sec_write_blk()
>>>>     no longer has a size parameter, and the block size is determined
>>>>     in this (the lower-level) driver.
>>>> v11:
>>>>   - No change
>>>> v10:
>>>>   - No change
>>>> v9:
>>>>   - No change
>>>> v8:
>>>>   - Previously patch 5/6, otherwise no change
>>>> v7:
>>>>   - No change
>>>> v6:
>>>>   - Changed (size / stride) calculation to ((size + stride - 1) / stride)
>>>>     to ensure that the proper count is passed to regmap_bulk_write().
>>>>   - Removed unnecessary call to rsu_check_complete() in
>>>>     m10bmc_sec_poll_complete() and changed while loop to
>>>>     do/while loop.
>>>> v5:
>>>>   - No change
>>>> v4:
>>>>   - No change
>>>> v3:
>>>>   - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
>>>>   - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
>>>>     driver"
>>>>   - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
>>>>     underlying functions are now called directly.
>>>>   - Changed calling functions of functions that return "enum fpga_sec_err"
>>>>     to check for (ret != FPGA_SEC_ERR_NONE) instead of (ret)
>>>> v2:
>>>>   - Reworked the rsu_start_done() function to make it more readable
>>>>   - Reworked while-loop condition/content in rsu_prog_ready()
>>>>   - Minor code cleanup per review comments
>>>>   - Added a comment to the m10bmc_sec_poll_complete() function to
>>>>     explain the context (could take 30+ minutes to complete).
>>>>   - Added m10bmc_ prefix to functions in m10bmc_iops structure
>>>>   - Moved MAX10 BMC address and function definitions to a separate
>>>>     patch.
>>>> ---
>>>>  drivers/fpga/intel-m10-bmc-sec-update.c | 409 ++++++++++++++++++++++++
>>>>  1 file changed, 409 insertions(+)
>>>>
>>>> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
>>>> index 65fec2a70901..7c48c47a74a6 100644
>>>> --- a/drivers/fpga/intel-m10-bmc-sec-update.c
>>>> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
>>>> @@ -17,8 +17,14 @@
>>>>  struct m10bmc_sec {
>>>>  	struct device *dev;
>>>>  	struct intel_m10bmc *m10bmc;
>>>> +	struct fw_upload *fwl;
>>>> +	char *fw_name;
>>>> +	u32 fw_name_id;
>>>> +	bool cancel_request;
>>>>  };
>>>>  
>>>> +static DEFINE_XARRAY_ALLOC(fw_upload_xa);
>>>> +
>>>>  /* Root Entry Hash (REH) support */
>>>>  #define REH_SHA256_SIZE		32
>>>>  #define REH_SHA384_SIZE		48
>>>> @@ -192,10 +198,380 @@ static const struct attribute_group *m10bmc_sec_attr_groups[] = {
>>>>  	NULL,
>>>>  };
>>>>  
>>>> +static void log_error_regs(struct m10bmc_sec *sec, u32 doorbell)
>>>> +{
>>>> +	u32 auth_result;
>>>> +
>>>> +	dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);
>>>> +
>>>> +	if (!m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result))
>>>> +		dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
>>>> +}
>>>> +
>>>> +static enum fw_upload_err rsu_check_idle(struct m10bmc_sec *sec)
>>>> +{
>>>> +	u32 doorbell;
>>>> +	int ret;
>>>> +
>>>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>>>> +	if (ret)
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +
>>>> +	if (rsu_prog(doorbell) != RSU_PROG_IDLE &&
>>>> +	    rsu_prog(doorbell) != RSU_PROG_RSU_DONE) {
>>>> +		log_error_regs(sec, doorbell);
>>>> +		return FW_UPLOAD_ERR_BUSY;
>>>> +	}
>>>> +
>>>> +	return FW_UPLOAD_ERR_NONE;
>>>> +}
>>>> +
>>>> +static inline bool rsu_start_done(u32 doorbell)
>>>> +{
>>>> +	u32 status, progress;
>>>> +
>>>> +	if (doorbell & DRBL_RSU_REQUEST)
>>>> +		return false;
>>>> +
>>>> +	status = rsu_stat(doorbell);
>>>> +	if (status == RSU_STAT_ERASE_FAIL || status == RSU_STAT_WEAROUT)
>>>> +		return true;
>>>> +
>>>> +	progress = rsu_prog(doorbell);
>>>> +	if (progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE)
>>>> +		return true;
>>>> +
>>>> +	return false;
>>>> +}
>>>> +
>>>> +static enum fw_upload_err rsu_update_init(struct m10bmc_sec *sec)
>>>> +{
>>>> +	u32 doorbell, status;
>>>> +	int ret;
>>>> +
>>>> +	ret = regmap_update_bits(sec->m10bmc->regmap,
>>>> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
>>>> +				 DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
>>>> +				 DRBL_RSU_REQUEST |
>>>> +				 FIELD_PREP(DRBL_HOST_STATUS,
>>>> +					    HOST_STATUS_IDLE));
>>>> +	if (ret)
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +
>>>> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
>>>> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
>>>> +				       doorbell,
>>>> +				       rsu_start_done(doorbell),
>>>> +				       NIOS_HANDSHAKE_INTERVAL_US,
>>>> +				       NIOS_HANDSHAKE_TIMEOUT_US);
>>>> +
>>>> +	if (ret == -ETIMEDOUT) {
>>>> +		log_error_regs(sec, doorbell);
>>>> +		return FW_UPLOAD_ERR_TIMEOUT;
>>>> +	} else if (ret) {
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +	}
>>>> +
>>>> +	status = rsu_stat(doorbell);
>>>> +	if (status == RSU_STAT_WEAROUT) {
>>>> +		dev_warn(sec->dev, "Excessive flash update count detected\n");
>>>> +		return FW_UPLOAD_ERR_WEAROUT;
>>>> +	} else if (status == RSU_STAT_ERASE_FAIL) {
>>>> +		log_error_regs(sec, doorbell);
>>>> +		return FW_UPLOAD_ERR_HW_ERROR;
>>>> +	}
>>>> +
>>>> +	return FW_UPLOAD_ERR_NONE;
>>>> +}
>>>> +
>>>> +static enum fw_upload_err rsu_prog_ready(struct m10bmc_sec *sec)
>>>> +{
>>>> +	unsigned long poll_timeout;
>>>> +	u32 doorbell, progress;
>>>> +	int ret;
>>>> +
>>>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>>>> +	if (ret)
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +
>>>> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
>>>> +	while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
>>>> +		msleep(RSU_PREP_INTERVAL_MS);
>>>> +		if (time_after(jiffies, poll_timeout))
>>>> +			break;
>>>> +
>>>> +		ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>>>> +		if (ret)
>>>> +			return FW_UPLOAD_ERR_RW_ERROR;
>>>> +	}
>>>> +
>>>> +	progress = rsu_prog(doorbell);
>>>> +	if (progress == RSU_PROG_PREPARE) {
>>>> +		log_error_regs(sec, doorbell);
>>>> +		return FW_UPLOAD_ERR_TIMEOUT;
>>>> +	} else if (progress != RSU_PROG_READY) {
>>>> +		log_error_regs(sec, doorbell);
>>>> +		return FW_UPLOAD_ERR_HW_ERROR;
>>>> +	}
>>>> +
>>>> +	return FW_UPLOAD_ERR_NONE;
>>>> +}
>>>> +
>>>> +static enum fw_upload_err rsu_send_data(struct m10bmc_sec *sec)
>>>> +{
>>>> +	u32 doorbell;
>>>> +	int ret;
>>>> +
>>>> +	ret = regmap_update_bits(sec->m10bmc->regmap,
>>>> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
>>>> +				 DRBL_HOST_STATUS,
>>>> +				 FIELD_PREP(DRBL_HOST_STATUS,
>>>> +					    HOST_STATUS_WRITE_DONE));
>>>> +	if (ret)
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +
>>>> +	ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
>>>> +				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
>>>> +				       doorbell,
>>>> +				       rsu_prog(doorbell) != RSU_PROG_READY,
>>>> +				       NIOS_HANDSHAKE_INTERVAL_US,
>>>> +				       NIOS_HANDSHAKE_TIMEOUT_US);
>>>> +
>>>> +	if (ret == -ETIMEDOUT) {
>>>> +		log_error_regs(sec, doorbell);
>>>> +		return FW_UPLOAD_ERR_TIMEOUT;
>>>> +	} else if (ret) {
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +	}
>>>> +
>>>> +	switch (rsu_stat(doorbell)) {
>>>> +	case RSU_STAT_NORMAL:
>>>> +	case RSU_STAT_NIOS_OK:
>>>> +	case RSU_STAT_USER_OK:
>>>> +	case RSU_STAT_FACTORY_OK:
>>>> +		break;
>>>> +	default:
>>>> +		log_error_regs(sec, doorbell);
>>>> +		return FW_UPLOAD_ERR_HW_ERROR;
>>>> +	}
>>>> +
>>>> +	return FW_UPLOAD_ERR_NONE;
>>>> +}
>>>> +
>>>> +static int rsu_check_complete(struct m10bmc_sec *sec, u32 *doorbell)
>>>> +{
>>>> +	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
>>>> +		return -EIO;
>>>> +
>>>> +	switch (rsu_stat(*doorbell)) {
>>>> +	case RSU_STAT_NORMAL:
>>>> +	case RSU_STAT_NIOS_OK:
>>>> +	case RSU_STAT_USER_OK:
>>>> +	case RSU_STAT_FACTORY_OK:
>>>> +		break;
>>>> +	default:
>>>> +		return -EINVAL;
>>>> +	}
>>>> +
>>>> +	switch (rsu_prog(*doorbell)) {
>>>> +	case RSU_PROG_IDLE:
>>>> +	case RSU_PROG_RSU_DONE:
>>>> +		return 0;
>>>> +	case RSU_PROG_AUTHENTICATING:
>>>> +	case RSU_PROG_COPYING:
>>>> +	case RSU_PROG_UPDATE_CANCEL:
>>>> +	case RSU_PROG_PROGRAM_KEY_HASH:
>>>> +		return -EAGAIN;
>>>> +	default:
>>>> +		return -EINVAL;
>>>> +	}
>>>> +}
>>>> +
>>>> +static enum fw_upload_err rsu_cancel(struct m10bmc_sec *sec)
>>>> +{
>>>> +	u32 doorbell;
>>>> +	int ret;
>>>> +
>>>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>>>> +	if (ret)
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +
>>>> +	if (rsu_prog(doorbell) != RSU_PROG_READY)
>>>> +		return FW_UPLOAD_ERR_BUSY;
>>>> +
>>>> +	ret = regmap_update_bits(sec->m10bmc->regmap,
>>>> +				 M10BMC_SYS_BASE + M10BMC_DOORBELL,
>>>> +				 DRBL_HOST_STATUS,
>>>> +				 FIELD_PREP(DRBL_HOST_STATUS,
>>>> +					    HOST_STATUS_ABORT_RSU));
>>>> +	if (ret)
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +
>>>> +	return FW_UPLOAD_ERR_CANCELED;
>>>> +}
>>>> +
>>>> +static enum fw_upload_err m10bmc_sec_prepare(struct fw_upload *fwl,
>>>> +					     const u8 *data, u32 size)
>>>> +{
>>>> +	struct m10bmc_sec *sec = fwl->dd_handle;
>>>> +	unsigned int stride;
>>>> +	u32 ret;
>>>> +
>>>> +	sec->cancel_request = false;
>>>> +
>>>> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
>>>> +	if (!IS_ALIGNED((unsigned long)data, stride)) {
>>>> +		dev_err(sec->dev,
>>>> +			"%s address (0x%p) not aligned to stride (0x%x)\n",
>>>> +			__func__, data, stride);
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +	}
>>> Why the base of the source data should be stride aligned? What prevents
>>> the driver from reading out the unaligned data?
>> This check also exists in regmap_bulk_write(), so regmap_bulk_write() would
>> fail for an unaligned base address with -EINVAL:
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/base/regmap/regmap.c#n2274
> I'm sorry I just see the regmap_bulk_write() checks the alignment of
> register addr, but not the data. Am I missed something?
You are right. I was looking at it wrong. It is the destination
address alignment that is being enforced.

>
>> By checking it here, I am able to print something useful to the kernel log.
>>
>>> And this may be a too strict rule. I'm not sure who should ensure the
>>> alignment of the firmware data? The firmware upload framework? Or a user
>>> has no idea about the stride and cannot do the right thing.
>> The firmware upload framework uses an array of pages to allocate space
>> for the firmware image, so in its current implementation it will always
>> be aligned.
>>
>> Would it be better to use regmap_write() for an unaligned start and
>> then follow up with regmap_bulk_write()?
> The driver only supports the firmware upload framework, is it? So if the
> framework ensures the alignment, the extra check is not a must for drivers.
Yes - I agree. There is no check required here.

>
>>>> +
>>>> +	if (!size || size > M10BMC_STAGING_SIZE)
>>>> +		return FW_UPLOAD_ERR_INVALID_SIZE;
>>>> +
>>>> +	ret = rsu_check_idle(sec);
>>>> +	if (ret != FW_UPLOAD_ERR_NONE)
>>>> +		return ret;
>>>> +
>>>> +	ret = rsu_update_init(sec);
>>>> +	if (ret != FW_UPLOAD_ERR_NONE)
>>>> +		return ret;
>>>> +
>>>> +	ret = rsu_prog_ready(sec);
>>>> +	if (ret != FW_UPLOAD_ERR_NONE)
>>>> +		return ret;
>>>> +
>>>> +	if (sec->cancel_request)
>>>> +		return rsu_cancel(sec);
>>>> +
>>>> +	return FW_UPLOAD_ERR_NONE;
>>>> +}
>>>> +
>>>> +#define WRITE_BLOCK_SIZE 0x4000	/* Default write-block size is 0x4000 bytes */
>>>> +
>>>> +static enum fw_upload_err m10bmc_sec_write(struct fw_upload *fwl, const u8 *data,
>>>> +					   u32 offset, u32 size, u32 *written)
>>>> +{
>>>> +	struct m10bmc_sec *sec = fwl->dd_handle;
>>>> +	u32 blk_size, doorbell;
>>>> +	unsigned int stride;
>>>> +	u8 *blk_addr;
>>>> +	int ret;
>>>> +
>>>> +	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
>>>> +	if (sec->cancel_request)
>>>> +		return rsu_cancel(sec);
>>>> +
>>>> +	ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
>>>> +	if (ret) {
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +	} else if (rsu_prog(doorbell) != RSU_PROG_READY) {
>>>> +		log_error_regs(sec, doorbell);
>>>> +		return FW_UPLOAD_ERR_HW_ERROR;
>>>> +	}
>>>> +
>>>> +	WARN_ON_ONCE(WRITE_BLOCK_SIZE % stride);
>>>> +	blk_size = min_t(u32, WRITE_BLOCK_SIZE, size);
>>>> +
>>>> +	/*
>>>> +	 * If the source data size does not align to stride, then create
>>>> +	 * a temporary buffer that is aligned, copy the data, and use the
>>>> +	 * temporary buffer as the source for the write.
>>>> +	 */
>>>> +	if (blk_size % stride) {
>>>> +		blk_addr = kzalloc(blk_size + blk_size % stride, GFP_KERNEL);
>>>> +		if (!blk_addr)
>>>> +			return FW_UPLOAD_ERR_RW_ERROR;
>>>> +		memcpy(blk_addr, data + offset, blk_size);
>>> You don't have to alloc and copy the whole block, just copy the last unaligned
>>> bytes to a local variable and regmap_write().
>> OK - I'll do that. And I'll look at doing something similar for a misaligned start.
> Please double confirm if the checking for misaligned start is necessary.
Done - thanks for your comments!

- Russ
>
> Thanks,
> Yilun
>
>> Thanks,
>> - Russ
>>> Others are good to me.
>>>
>>> Thanks,
>>> Yilun
>>>
>>>> +	} else {
>>>> +		blk_addr = (u8 *)data + offset;
>>>> +	}
>>>> +
>>>> +	ret = regmap_bulk_write(sec->m10bmc->regmap,
>>>> +				M10BMC_STAGING_BASE + offset, blk_addr,
>>>> +				(blk_size + stride - 1) / stride);
>>>> +
>>>> +	if (blk_size % stride)
>>>> +		kfree(blk_addr);
>>>> +
>>>> +	if (ret)
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +
>>>> +	*written = blk_size;
>>>> +	return FW_UPLOAD_ERR_NONE;
>>>> +}
>>>> +
>>>> +static enum fw_upload_err m10bmc_sec_poll_complete(struct fw_upload *fwl)
>>>> +{
>>>> +	struct m10bmc_sec *sec = fwl->dd_handle;
>>>> +	unsigned long poll_timeout;
>>>> +	u32 doorbell, result;
>>>> +	int ret;
>>>> +
>>>> +	if (sec->cancel_request)
>>>> +		return rsu_cancel(sec);
>>>> +
>>>> +	result = rsu_send_data(sec);
>>>> +	if (result != FW_UPLOAD_ERR_NONE)
>>>> +		return result;
>>>> +
>>>> +	poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
>>>> +	do {
>>>> +		msleep(RSU_COMPLETE_INTERVAL_MS);
>>>> +		ret = rsu_check_complete(sec, &doorbell);
>>>> +	} while (ret == -EAGAIN && !time_after(jiffies, poll_timeout));
>>>> +
>>>> +	if (ret == -EAGAIN) {
>>>> +		log_error_regs(sec, doorbell);
>>>> +		return FW_UPLOAD_ERR_TIMEOUT;
>>>> +	} else if (ret == -EIO) {
>>>> +		return FW_UPLOAD_ERR_RW_ERROR;
>>>> +	} else if (ret) {
>>>> +		log_error_regs(sec, doorbell);
>>>> +		return FW_UPLOAD_ERR_HW_ERROR;
>>>> +	}
>>>> +
>>>> +	return FW_UPLOAD_ERR_NONE;
>>>> +}
>>>> +
>>>> +/*
>>>> + * m10bmc_sec_cancel() may be called asynchronously with an on-going update.
>>>> + * All other functions are called sequentially in a single thread. To avoid
>>>> + * contention on register accesses, m10bmc_sec_cancel() must only update
>>>> + * the cancel_request flag. Other functions will check this flag and handle
>>>> + * the cancel request synchronously.
>>>> + */
>>>> +static void m10bmc_sec_cancel(struct fw_upload *fwl)
>>>> +{
>>>> +	struct m10bmc_sec *sec = fwl->dd_handle;
>>>> +
>>>> +	sec->cancel_request = true;
>>>> +}
>>>> +
>>>> +static void m10bmc_sec_cleanup(struct fw_upload *fwl)
>>>> +{
>>>> +	struct m10bmc_sec *sec = fwl->dd_handle;
>>>> +
>>>> +	(void)rsu_cancel(sec);
>>>> +}
>>>> +
>>>> +static const struct fw_upload_ops m10bmc_ops = {
>>>> +	.prepare = m10bmc_sec_prepare,
>>>> +	.write = m10bmc_sec_write,
>>>> +	.poll_complete = m10bmc_sec_poll_complete,
>>>> +	.cancel = m10bmc_sec_cancel,
>>>> +	.cleanup = m10bmc_sec_cleanup,
>>>> +};
>>>> +
>>>>  #define SEC_UPDATE_LEN_MAX 32
>>>>  static int m10bmc_sec_probe(struct platform_device *pdev)
>>>>  {
>>>> +	char buf[SEC_UPDATE_LEN_MAX];
>>>>  	struct m10bmc_sec *sec;
>>>> +	struct fw_upload *fwl;
>>>> +	unsigned int len;
>>>> +	int  ret;
>>>>  
>>>>  	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
>>>>  	if (!sec)
>>>> @@ -205,6 +581,38 @@ static int m10bmc_sec_probe(struct platform_device *pdev)
>>>>  	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
>>>>  	dev_set_drvdata(&pdev->dev, sec);
>>>>  
>>>> +	ret = xa_alloc(&fw_upload_xa, &sec->fw_name_id, sec,
>>>> +		       xa_limit_32b, GFP_KERNEL);
>>>> +	if (ret)
>>>> +		return ret;
>>>> +
>>>> +	len = scnprintf(buf, SEC_UPDATE_LEN_MAX, "secure-update%d",
>>>> +			sec->fw_name_id);
>>>> +	sec->fw_name = kmemdup_nul(buf, len, GFP_KERNEL);
>>>> +	if (!sec->fw_name)
>>>> +		return -ENOMEM;
>>>> +
>>>> +	fwl = firmware_upload_register(THIS_MODULE, sec->dev, sec->fw_name,
>>>> +				       &m10bmc_ops, sec);
>>>> +	if (IS_ERR(fwl)) {
>>>> +		dev_err(sec->dev, "Firmware Upload driver failed to start\n");
>>>> +		kfree(sec->fw_name);
>>>> +		xa_erase(&fw_upload_xa, sec->fw_name_id);
>>>> +		return PTR_ERR(fwl);
>>>> +	}
>>>> +
>>>> +	sec->fwl = fwl;
>>>> +	return 0;
>>>> +}
>>>> +
>>>> +static int m10bmc_sec_remove(struct platform_device *pdev)
>>>> +{
>>>> +	struct m10bmc_sec *sec = dev_get_drvdata(&pdev->dev);
>>>> +
>>>> +	firmware_upload_unregister(sec->fwl);
>>>> +	kfree(sec->fw_name);
>>>> +	xa_erase(&fw_upload_xa, sec->fw_name_id);
>>>> +
>>>>  	return 0;
>>>>  }
>>>>  
>>>> @@ -218,6 +626,7 @@ MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
>>>>  
>>>>  static struct platform_driver intel_m10bmc_sec_driver = {
>>>>  	.probe = m10bmc_sec_probe,
>>>> +	.remove = m10bmc_sec_remove,
>>>>  	.driver = {
>>>>  		.name = "intel-m10bmc-sec-update",
>>>>  		.dev_groups = m10bmc_sec_attr_groups,
>>>> -- 
>>>> 2.25.1


^ permalink raw reply	[flat|nested] 17+ messages in thread

end of thread, other threads:[~2022-05-27 19:26 UTC | newest]

Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-21  0:36 [PATCH v21 0/5] FPGA MAX10 BMC Secure Update Driver Russ Weight
2022-05-21  0:36 ` [PATCH v21 1/5] mfd: intel-m10-bmc: Rename n3000bmc-secure driver Russ Weight
2022-05-26  7:54   ` Xu Yilun
2022-05-26  8:31     ` Lee Jones
2022-05-21  0:36 ` [PATCH v21 2/5] fpga: m10bmc-sec: create max10 bmc secure update Russ Weight
2022-05-26  7:55   ` Xu Yilun
2022-05-26  8:04   ` Xu Yilun
2022-05-26 20:48     ` Russ Weight
2022-05-21  0:36 ` [PATCH v21 3/5] fpga: m10bmc-sec: expose max10 flash update count Russ Weight
2022-05-26  7:55   ` Xu Yilun
2022-05-21  0:36 ` [PATCH v21 4/5] fpga: m10bmc-sec: expose max10 canceled keys in sysfs Russ Weight
2022-05-26  7:56   ` Xu Yilun
2022-05-21  0:36 ` [PATCH v21 5/5] fpga: m10bmc-sec: add max10 secure update functions Russ Weight
2022-05-26  7:48   ` Xu Yilun
2022-05-26 21:27     ` Russ Weight
2022-05-27  4:47       ` Xu Yilun
2022-05-27 19:26         ` Russ Weight

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).