[PATCH] net/ncsi: Add Intel OS2BMC OEM command

[PATCH] net/ncsi: Add Intel OS2BMC OEM command

[Jiaqing Zhao]

The Intel OS2BMC OEM NCSI command is used for controlling whether
network traffic between host and sideband is allowed or not. By
default such traffic is disallowed, meaning that if the device using
NCS (usually BMC) does not have extra active connection, it cannot
reach the host.

This patch enables the host-sideband traffic by sending the Enable
OS2BMC flow OEM NCSI command, which is controlled by kernel option
CONFIG_NCSI_OEM_CMD_INTEL_OS2BMC.

Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
---
 net/ncsi/Kconfig       |  6 ++++++
 net/ncsi/internal.h    |  4 ++++
 net/ncsi/ncsi-manage.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+)

diff --git a/net/ncsi/Kconfig b/net/ncsi/Kconfig
index ea1dd32b6b1f..faeddbd48fe9 100644
--- a/net/ncsi/Kconfig
+++ b/net/ncsi/Kconfig
@@ -23,3 +23,9 @@ config NCSI_OEM_CMD_KEEP_PHY
 	help
 	  This allows to keep PHY link up and prevents any channel resets during
 	  the host load.
+config NCSI_OEM_CMD_INTEL_OS2BMC
+	bool "Allow traffic between host and sideband (Intel-specific)"
+	depends on NET_NCSI
+	help
+	  This allows network traffic between host and sideband, specific to
+	  Intel network controllers.
diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index 03757e76bb6b..d730f435d136 100644
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -82,6 +82,8 @@ enum {
 /* Intel specific OEM command */
 #define NCSI_OEM_INTEL_CMD_GMA          0x06   /* CMD ID for Get MAC */
 #define NCSI_OEM_INTEL_CMD_KEEP_PHY     0x20   /* CMD ID for Keep PHY up */
+#define NCSI_OEM_INTEL_CMD_OS2BMC	0x40   /* CMD ID for Enable OS2BMC traffic */
+#define NCSI_OEM_INTEL_CMD_OS2BMC_PARAM	0x03   /* Parameter for Enable OS2BMC */
 /* Broadcom specific OEM Command */
 #define NCSI_OEM_BCM_CMD_GMA            0x01   /* CMD ID for Get MAC */
 /* Mellanox specific OEM Command */
@@ -92,6 +94,7 @@ enum {
 /* OEM Command payload lengths*/
 #define NCSI_OEM_INTEL_CMD_GMA_LEN      5
 #define NCSI_OEM_INTEL_CMD_KEEP_PHY_LEN 7
+#define NCSI_OEM_INTEL_CMD_OS2BMC_LEN   6
 #define NCSI_OEM_BCM_CMD_GMA_LEN        12
 #define NCSI_OEM_MLX_CMD_GMA_LEN        8
 #define NCSI_OEM_MLX_CMD_SMAF_LEN        60
@@ -285,6 +288,7 @@ enum {
 	ncsi_dev_state_probe_dp,
 	ncsi_dev_state_config_sp	= 0x0301,
 	ncsi_dev_state_config_cis,
+	ncsi_dev_state_config_intel_os2bmc,
 	ncsi_dev_state_config_oem_gma,
 	ncsi_dev_state_config_clear_vids,
 	ncsi_dev_state_config_svf,
diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c
index 80713febfac6..d8b9fcedf7ec 100644
--- a/net/ncsi/ncsi-manage.c
+++ b/net/ncsi/ncsi-manage.c
@@ -718,6 +718,34 @@ static int ncsi_oem_keep_phy_intel(struct ncsi_cmd_arg *nca)
 
 #endif
 
+#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_INTEL_OS2BMC)
+
+static int ncsi_oem_enable_os2bmc_intel(struct ncsi_cmd_arg *nca)
+{
+	unsigned char data[NCSI_OEM_INTEL_CMD_OS2BMC_LEN];
+	int ret = 0;
+
+	nca->payload = NCSI_OEM_INTEL_CMD_OS2BMC_LEN;
+
+	memset(data, 0, NCSI_OEM_INTEL_CMD_OS2BMC_LEN);
+	*(unsigned int *)data = ntohl((__force __be32)NCSI_OEM_MFR_INTEL_ID);
+	data[4] = NCSI_OEM_INTEL_CMD_OS2BMC;
+
+	/* Enable both Network-to-BMC and Host-to-BMC traffic */
+	data[5] = NCSI_OEM_INTEL_CMD_OS2BMC_PARAM;
+
+	nca->data = data;
+
+	ret = ncsi_xmit_cmd(nca);
+	if (ret)
+		netdev_err(nca->ndp->ndev.dev,
+			   "NCSI: Failed to transmit cmd 0x%x during configure\n",
+			   nca->type);
+	return ret;
+}
+
+#endif
+
 #if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC)
 
 /* NCSI OEM Command APIs */
@@ -1039,6 +1067,20 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp)
 			goto error;
 		}
 
+#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_INTEL_OS2BMC)
+		nd->state = ncsi_dev_state_config_intel_os2bmc;
+		break;
+	case ncsi_dev_state_config_intel_os2bmc:
+		nca.type = NCSI_PKT_CMD_OEM;
+		nca.package = np->id;
+		nca.channel = nc->id;
+		ndp->pending_req_num = 1;
+		ret = ncsi_oem_enable_os2bmc_intel(&nca);
+
+		if (ret)
+			goto error;
+#endif /* CONFIG_NCSI_OEM_CMD_INTEL_OS2BMC */
+
 		nd->state = ncsi_dev_state_config_oem_gma;
 		break;
 	case ncsi_dev_state_config_oem_gma:
-- 
2.34.1

Re: [PATCH] net/ncsi: Add Intel OS2BMC OEM command

[Paul Fertser]

Hello,

On Fri, Sep 09, 2022 at 10:57:17AM +0800, Jiaqing Zhao wrote:
> The Intel OS2BMC OEM NCSI command is used for controlling whether
> network traffic between host and sideband is allowed or not. By
> default such traffic is disallowed, meaning that if the device using
> NCS (usually BMC) does not have extra active connection, it cannot
> reach the host.

Can you please explain the rationale behind introducing this as a
compile-time kernel config option? I can probably imagine how this can
make sense as a DT switch (e.g. to describe hardware where there's no
other communication channel between the host and BMC) but even this
feels far-fetched.

Can you please outline some particular use cases for this feature?

-- 
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav@gmail.com

Re: [PATCH] net/ncsi: Add Intel OS2BMC OEM command

[Jiaqing Zhao]

On 2022-09-09 13:59, Paul Fertser wrote:
> Hello,
> 
> On Fri, Sep 09, 2022 at 10:57:17AM +0800, Jiaqing Zhao wrote:
>> The Intel OS2BMC OEM NCSI command is used for controlling whether
>> network traffic between host and sideband is allowed or not. By
>> default such traffic is disallowed, meaning that if the device using
>> NCS (usually BMC) does not have extra active connection, it cannot
>> reach the host.
> 
> Can you please explain the rationale behind introducing this as a
> compile-time kernel config option? I can probably imagine how this can
> make sense as a DT switch (e.g. to describe hardware where there's no
> other communication channel between the host and BMC) but even this
> feels far-fetched.

Previously I submitted a patch to make the NCSI configurable in DT[1], but
it was not accepted by kernel community. A limitation is that currently NCSI
is not a standalone device node, it is controlled by "use-ncsi" option in the
MAC device DT node (like ftgmac100).

Other features like keep phy (also intel-specific oem) also uses kernel option.
(CONFIG_NCSI_OEM_CMD_KEEP_PHY)

[1] https://lore.kernel.org/netdev/20220610165940.2326777-4-jiaqing.zhao@linux.intel.com/T/

> Can you please outline some particular use cases for this feature?
> 
It enables access between host and BMC when BMC shares the network connection
with host using NCSI, like accessing BMC via HTTP or SSH from host. 

Re: [PATCH] net/ncsi: Add Intel OS2BMC OEM command

[Paul Fertser]

Hello,

On Fri, Sep 09, 2022 at 03:34:53PM +0800, Jiaqing Zhao wrote:
> > Can you please outline some particular use cases for this feature?
> > 
> It enables access between host and BMC when BMC shares the network connection
> with host using NCSI, like accessing BMC via HTTP or SSH from host. 

Why having a compile time kernel option here more appropriate than
just running something like "/usr/bin/ncsi-netlink --package 0
--channel 0 --index 3 --oem-payload 00000157200001" (this example uses
another OEM command) on BMC userspace startup?

-- 
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav@gmail.com

Re: [PATCH] net/ncsi: Add Intel OS2BMC OEM command

[Jiaqing Zhao]

On 2022-09-09 15:43, Paul Fertser wrote:
> Hello,
> 
> On Fri, Sep 09, 2022 at 03:34:53PM +0800, Jiaqing Zhao wrote:
>>> Can you please outline some particular use cases for this feature?
>>>
>> It enables access between host and BMC when BMC shares the network connection
>> with host using NCSI, like accessing BMC via HTTP or SSH from host. 
> 
> Why having a compile time kernel option here more appropriate than
> just running something like "/usr/bin/ncsi-netlink --package 0
> --channel 0 --index 3 --oem-payload 00000157200001" (this example uses
> another OEM command) on BMC userspace startup?
> 

Using ncsi-netlink is one way, but the package and channel id is undetermined
as it is selected at runtime. Calling the netlink command on a nonexistent
package/channel may lead to kernel panic.

Why I prefer the kernel option is that it applies the config to all ncsi
devices by default when setting up them. This reduces the effort and keeps
compatibility. Lots of things in current ncsi kernel driver can be done via
commands from userspace, but I think it is not a good idea to have a driver
resides on both kernel and userspace.

Re: [PATCH] net/ncsi: Add Intel OS2BMC OEM command

[Sam Mendoza-Jonas]

On September 13, 2022 3:12:06 AM GMT+01:00, Jiaqing Zhao <jiaqing.zhao@linux.intel.com> wrote:
>
>
>On 2022-09-09 15:43, Paul Fertser wrote:
>> Hello,
>> 
>> On Fri, Sep 09, 2022 at 03:34:53PM +0800, Jiaqing Zhao wrote:
>>>> Can you please outline some particular use cases for this feature?
>>>>
>>> It enables access between host and BMC when BMC shares the network connection
>>> with host using NCSI, like accessing BMC via HTTP or SSH from host. 
>> 
>> Why having a compile time kernel option here more appropriate than
>> just running something like "/usr/bin/ncsi-netlink --package 0
>> --channel 0 --index 3 --oem-payload 00000157200001" (this example uses
>> another OEM command) on BMC userspace startup?
>> 
>
>Using ncsi-netlink is one way, but the package and channel id is undetermined
>as it is selected at runtime. Calling the netlink command on a nonexistent
>package/channel may lead to kernel panic.

If so, that would be a bug :)

>
>Why I prefer the kernel option is that it applies the config to all ncsi
>devices by default when setting up them. This reduces the effort and keeps
>compatibility. Lots of things in current ncsi kernel driver can be done via
>commands from userspace, but I think it is not a good idea to have a driver
>resides on both kernel and userspace.

BMCs are of course in their own world and there's already some examples of the config option, but how would a system owner be able to disable this without reflashing the BMC?

Re: [PATCH] net/ncsi: Add Intel OS2BMC OEM command

[Jiaqing Zhao]

On 2022-09-13 21:35, Sam Mendoza-Jonas wrote:
> On September 13, 2022 3:12:06 AM GMT+01:00, Jiaqing Zhao <jiaqing.zhao@linux.intel.com> wrote:
>>
>>
>> On 2022-09-09 15:43, Paul Fertser wrote:
>>> Hello,
>>>
>>> On Fri, Sep 09, 2022 at 03:34:53PM +0800, Jiaqing Zhao wrote:
>>>>> Can you please outline some particular use cases for this feature?
>>>>>
>>>> It enables access between host and BMC when BMC shares the network connection
>>>> with host using NCSI, like accessing BMC via HTTP or SSH from host. 
>>>
>>> Why having a compile time kernel option here more appropriate than
>>> just running something like "/usr/bin/ncsi-netlink --package 0
>>> --channel 0 --index 3 --oem-payload 00000157200001" (this example uses
>>> another OEM command) on BMC userspace startup?
>>>
>>
>> Using ncsi-netlink is one way, but the package and channel id is undetermined
>> as it is selected at runtime. Calling the netlink command on a nonexistent
>> package/channel may lead to kernel panic.
> 
> If so, that would be a bug :)

Yes but I haven't found the root cause so far, it only panics with some specific
NICs I remember.

>>
>> Why I prefer the kernel option is that it applies the config to all ncsi
>> devices by default when setting up them. This reduces the effort and keeps
>> compatibility. Lots of things in current ncsi kernel driver can be done via
>> commands from userspace, but I think it is not a good idea to have a driver
>> resides on both kernel and userspace.
> 
> BMCs are of course in their own world and there's already some examples of the config option, but how would a system owner be able to disable this without reflashing the BMC?

Given that ncsi driver is a driver binding to the PHY driver, it seems to be unable
to make it a module and have some module options. So far build option seems to be
the only way. Maybe in future sysfs entries can be added to make it configurable at
runtime.

Re: [PATCH] net/ncsi: Add Intel OS2BMC OEM command

[Paul Fertser]

Hello,

On Tue, Sep 13, 2022 at 10:12:06AM +0800, Jiaqing Zhao wrote:
> On 2022-09-09 15:43, Paul Fertser wrote:
> > On Fri, Sep 09, 2022 at 03:34:53PM +0800, Jiaqing Zhao wrote:
> >>> Can you please outline some particular use cases for this feature?
> >>>
> >> It enables access between host and BMC when BMC shares the network connection
> >> with host using NCSI, like accessing BMC via HTTP or SSH from host. 
> > 
> > Why having a compile time kernel option here more appropriate than
> > just running something like "/usr/bin/ncsi-netlink --package 0
> > --channel 0 --index 3 --oem-payload 00000157200001" (this example uses
> > another OEM command) on BMC userspace startup?
> > 
> 
> Using ncsi-netlink is one way, but the package and channel id is undetermined
> as it is selected at runtime. Calling the netlink command on a nonexistent
> package/channel may lead to kernel panic.

That sounds like a bug all right. If you can reproduce, it's likely
the fix is reasonably easy, please consider doing it.

> Why I prefer the kernel option is that it applies the config to all ncsi
> devices by default when setting up them. This reduces the effort and keeps
> compatibility. Lots of things in current ncsi kernel driver can be done via
> commands from userspace, but I think it is not a good idea to have a driver
> resides on both kernel and userspace.

How should the developer decide whether to enable this compile-time
option for a platform or not? If it's always nice to have why not
add the code unconditionally? And if not, are you sure kernel compile
time is the right decision point? So far I get an impression a sysfs
runtime knob would be more useful.

-- 
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav@gmail.com

Re: [PATCH] net/ncsi: Add Intel OS2BMC OEM command

[Jiaqing Zhao]

On 2022-09-15 23:43, Paul Fertser wrote:
> Hello,
> 
> On Tue, Sep 13, 2022 at 10:12:06AM +0800, Jiaqing Zhao wrote:
>> On 2022-09-09 15:43, Paul Fertser wrote:
>>> On Fri, Sep 09, 2022 at 03:34:53PM +0800, Jiaqing Zhao wrote:
>>>>> Can you please outline some particular use cases for this feature?
>>>>>
>>>> It enables access between host and BMC when BMC shares the network connection
>>>> with host using NCSI, like accessing BMC via HTTP or SSH from host. 
>>>
>>> Why having a compile time kernel option here more appropriate than
>>> just running something like "/usr/bin/ncsi-netlink --package 0
>>> --channel 0 --index 3 --oem-payload 00000157200001" (this example uses
>>> another OEM command) on BMC userspace startup?
>>>
>>
>> Using ncsi-netlink is one way, but the package and channel id is undetermined
>> as it is selected at runtime. Calling the netlink command on a nonexistent
>> package/channel may lead to kernel panic.
> 
> That sounds like a bug all right. If you can reproduce, it's likely
> the fix is reasonably easy, please consider doing it.

It cannot be reproduced stably and varies on NICs, I'm still investigating it,
it might be some NIC firmware issue. 

>> Why I prefer the kernel option is that it applies the config to all ncsi
>> devices by default when setting up them. This reduces the effort and keeps
>> compatibility. Lots of things in current ncsi kernel driver can be done via
>> commands from userspace, but I think it is not a good idea to have a driver
>> resides on both kernel and userspace.
> 
> How should the developer decide whether to enable this compile-time
> option for a platform or not? If it's always nice to have why not
> add the code unconditionally? And if not, are you sure kernel compile
> time is the right decision point? So far I get an impression a sysfs
> runtime knob would be more useful.

Disabling Host-BMC traffic ensures the isolation between Host network and BMC's
management network, some developers/vendors may prefer disable it for security
concerns. Though having a runtime knob in sysfs would be useful, setting the
default behavior in kernel config is also useful from my point.