The Intel FPGA Card BMC Secure Update driver instantiates the new
Firmware Upload functionality of the Firmware Loader and provides the
callback functions required to support secure updates on Intel n3000 PAC
devices. This driver is implemented as a sub-driver of the Intel MAX10
BMC mfd driver.
This driver interacts with the HW secure update engine of the FPGA
card BMC in order to transfer new FPGA and BMC images to FLASH on
the FPGA card. Security is enforced by hardware and firmware. The
FPGA Card BMC Secure Update driver interacts with the firmware to
initiate an update, pass in the necessary data, and collect status
on the update.
This driver provides sysfs files for displaying the flash count, the
root entry hashes (REH), and the code-signing-key (CSK) cancellation
vectors.
Changelog v17 -> v18:
- Changed the ABI documentation for the Root Entry Hashes to specify
string as the format for the output.
- Updated comments, strings and config options to more consistently
refer to the driver as the Intel FPGA Card BMC Secure Update driver.
- Removed an instance of dev_dbg().
- Deferred the call to firmware_upload_register() to a later patch
where the required ops are provided.
- Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
of additional cards to be supported by the same driver.
Changelog v16 -> v17:
- Change m10bmc to cardbmc to reflect the fact that the future devices
will not necessarily use the MAX10. This affects filenames, configs,
symbol names, and the driver name.
- Update the Date and KernelVersion for the ABI documentation to Jul 2022
and 5.19 respectively.
- Updated the copyright end-date to 2022 for the secure update driver.
- Removed references to the FPGA Image Load class driver and replaced
them with the new firmware-upload service from the firmware loader.
- Use xarray_alloc to generate a unique number/name firmware-upload.
- Chang the license from GPL to GPLv2 per commit bf7fbeeae6db ("module:
Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity")
- fw_upload_ops functions will return "enum fw_upload_err" data types
instead of integer values.
Changelog v15 -> v16:
- Use 0 instead of FPGA_IMAGE_ERR_NONE to indicate success.
- The size alignment check was moved from the FPGA Image Load framework
to the prepare() op.
- Added cancel_request boolean flag to struct m10bmc_sec.
- Moved the RSU cancellation logic from m10bmc_sec_cancel() to a new
rsu_cancel() function.
- The m10bmc_sec_cancel() function ONLY sets the cancel_request flag.
The cancel_request flag is checked at the beginning of the
m10bmc_sec_write() and m10bmc_sec_poll_complete() functions.
- Adapt to changed prototypes for the prepare() and write() ops. The
m10bmc_sec_write_blk() function has been renamed to
m10bmc_sec_write().
- Created a cleanup op, m10bmc_sec_cleanup(), to attempt to cancel an
ongoing op during when exiting the update process.
Changelog v14 -> v15:
- Updated the Dates and KernelVersions in the ABI documentation
- Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
- Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
- Change instances of *bmc-secure to *bmc-sec-update in file name
and symbol names.
- Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
names.
- Adapted to changes in the FPGA Image Load framework:
(1) All enum types (progress and errors) are now type u32
(2) m10bmc_sec_write_blk() adds *blk_size and max_size parameters
and uses *blk_size as provided by the caller.
(3) m10bmc_sec_poll_complete() no long checks the driver_unload
flag.
Changelog v13 -> v14:
- Changed symbol and text references to reflect the renaming of the
Security Manager Class driver to FPGA Image Load.
Changelog v12 -> v13:
- Updated copyright to 2021
- Updated Date and KernelVersion fields in ABI documentation
- Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
functions instead of devm_fpga_sec_mgr_create() and
devm_fpga_sec_mgr_register().
Changelog v11 -> v12:
- Updated Date and KernelVersion fields in ABI documentation
- Removed size parameter from the write_blk() op. m10bmc_sec_write_blk()
no longer has a size parameter, and the block size is determined
in this (the lower-level) driver.
Changelog v10 -> v11:
- Added Reviewed-by tag to patch #1
Changelog v9 -> v10:
- Changed the path expressions in the sysfs documentation to
replace the n3000 reference with something more generic to
accommodate other devices that use the same driver.
Changelog v8 -> v9:
- Rebased to 5.12-rc2 next
- Updated Date and KernelVersion in ABI documentation
Changelog v7 -> v8:
- Split out patch "mfd: intel-m10-bmc: support for MAX10 BMC Secure
Updates" and submitted it separately:
https://marc.info/?l=linux-kernel&m=161126987101096&w=2
Changelog v6 -> v7:
- Rebased patches for 5.11-rc2
- Updated Date and KernelVersion in ABI documentation
Changelog v5 -> v6:
- Added WARN_ON() prior to several calls to regmap_bulk_read()
to assert that the (SIZE / stride) calculations did not result
in remainders.
- Changed the (size / stride) calculation in regmap_bulk_write()
call to ensure that we don't write one less than intended.
- Changed flash_count_show() parameter list to achieve
reverse-christmas tree format.
- Removed unnecessary call to rsu_check_complete() in
m10bmc_sec_poll_complete() and changed while loop to
do/while loop.
- Initialized auth_result and doorbell to HW_ERRINFO_POISON
in m10bmc_sec_hw_errinfo() and removed unnecessary if statements.
Changelog v4 -> v5:
- Renamed sysfs node user_flash_count to flash_count and updated
the sysfs documentation accordingly to more accurately descirbe
the purpose of the count.
Changelog v3 -> v4:
- Moved sysfs files for displaying the flash count, the root
entry hashes (REH), and the code-signing-key (CSK) cancellation
vectors from the FPGA Security Manager class driver to this
driver (as they are not generic enough for the class driver).
- Added a new ABI documentation file with informtaion about the
new sysfs entries: sysfs-driver-intel-m10-bmc-secure
- Updated the MAINTAINERS file to add the new ABI documentation
file: sysfs-driver-intel-m10-bmc-secure
- Removed unnecessary ret variable from m10bmc_secure_probe()
- Incorporated new devm_fpga_sec_mgr_register() function into
m10bmc_secure_probe() and removed the m10bmc_secure_remove()
function.
Changelog v2 -> v3:
- Changed "MAX10 BMC Security Engine driver" to "MAX10 BMC Secure
Update driver"
- Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
- Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
- Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
underlying functions are now called directly.
- Changed "_root_entry_hash" to "_reh", with a comment explaining
what reh is.
- Renamed get_csk_vector() to m10bmc_csk_vector()
- Changed calling functions of functions that return "enum fpga_sec_err"
to check for (ret != FPGA_SEC_ERR_NONE) instead of (ret)
Changelog v1 -> v2:
- These patches were previously submitted as part of a larger V1
patch set under the title "Intel FPGA Security Manager Class Driver".
- Grouped all changes to include/linux/mfd/intel-m10-bmc.h into a
single patch: "mfd: intel-m10-bmc: support for MAX10 BMC Security
Engine".
- Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
- Adapted to changes in the Intel FPGA Security Manager by splitting
the single call to ifpga_sec_mgr_register() into two function
calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
- Replaced small function-creation macros for explicit function
declarations.
- Bug fix for the get_csk_vector() function to properly apply the
stride variable in calls to m10bmc_raw_bulk_read().
- Added m10bmc_ prefix to functions in m10bmc_iops structure
- Implemented HW_ERRINFO_POISON for m10bmc_sec_hw_errinfo() to
ensure that corresponding bits are set to 1 if we are unable
to read the doorbell or auth_result registers.
- Added comments and additional code cleanup per V1 review.
Russ Weight (5):
mfd: intel-m10-bmc: Rename n3000bmc-secure driver
fpga: cardbmc-sec: create bmc secure update driver
fpga: cardbmc-sec: expose flash update count
fpga: cardbmc-sec: expose canceled keys in sysfs
fpga: cardbmc-sec: add card BMC secure update functions
.../sysfs-driver-intel-cardbmc-sec-update | 61 ++
MAINTAINERS | 7 +
drivers/fpga/Kconfig | 12 +
drivers/fpga/Makefile | 3 +
drivers/fpga/intel-cardbmc-sec-update.c | 594 ++++++++++++++++++
drivers/mfd/intel-m10-bmc.c | 2 +-
6 files changed, 678 insertions(+), 1 deletion(-)
create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-cardbmc-sec-update
create mode 100644 drivers/fpga/intel-cardbmc-sec-update.c
--
2.25.1
Create firmware upload ops and call the Firmware Upload support of the
Firmware Loader subsystem to enable FPGA image uploads for secure
updates of BMC images, FPGA images, etc.
Signed-off-by: Russ Weight <[email protected]>
---
v18:
- Moved the firmware_upload_register() function here from an earlier
patch since this is where the required ops are provided.
- Moved the bmc_sec_remove() function here from an earlier patch to
unregister the firmware driver and do cleanup.
v17:
- Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
future devices will not necessarily use the MAX10.
- Change from image_load class driver to the new firmware_upload
functionality of the firmware_loader.
- fw_upload_ops functions will return "enum fw_upload_err" data types
instead of integer values.
v16:
- Use 0 instead of FPGA_IMAGE_ERR_NONE to indicate success.
- The size alignment check was moved from the FPGA Image Load framework
to the prepare() op.
- Added cancel_request boolean flag to struct m10bmc_sec.
- Moved the RSU cancellation logic from m10bmc_sec_cancel() to a new
rsu_cancel() function.
- The m10bmc_sec_cancel() function ONLY sets the cancel_request flag.
The cancel_request flag is checked at the beginning of the
m10bmc_sec_write() and m10bmc_sec_poll_complete() functions.
- Adapt to changed prototypes for the prepare() and write() ops. The
m10bmc_sec_write_blk() function has been renamed to
m10bmc_sec_write().
- Created a cleanup() op, m10bmc_sec_cleanup(), to attempt to cancel an
ongoing op during when exiting the update process.
v15:
- Adapted to changes in the FPGA Image Load framework:
(1) All enum types (progress and errors) are now type u32
(2) m10bmc_sec_write_blk() adds *blk_size and max_size parameters
and uses *blk_size as provided by the caller.
(3) m10bmc_sec_poll_complete() no long checks the driver_unload
flag.
v14:
- Changed symbol names to reflect the renaming of the Security Manager
Class driver to FPGA Image Load.
v13:
- No change
v12:
- Updated Date and KernelVersion fields in ABI documentation
- Removed size parameter from the write_blk() op. m10bmc_sec_write_blk()
no longer has a size parameter, and the block size is determined
in this (the lower-level) driver.
v11:
- No change
v10:
- No change
v9:
- No change
v8:
- Previously patch 5/6, otherwise no change
v7:
- No change
v6:
- Changed (size / stride) calculation to ((size + stride - 1) / stride)
to ensure that the proper count is passed to regmap_bulk_write().
- Removed unnecessary call to rsu_check_complete() in
m10bmc_sec_poll_complete() and changed while loop to
do/while loop.
v5:
- No change
v4:
- No change
v3:
- Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
- Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
driver"
- Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
underlying functions are now called directly.
- Changed calling functions of functions that return "enum fpga_sec_err"
to check for (ret != FPGA_SEC_ERR_NONE) instead of (ret)
v2:
- Reworked the rsu_start_done() function to make it more readable
- Reworked while-loop condition/content in rsu_prog_ready()
- Minor code cleanup per review comments
- Added a comment to the m10bmc_sec_poll_complete() function to
explain the context (could take 30+ minutes to complete).
- Added m10bmc_ prefix to functions in m10bmc_iops structure
- Moved MAX10 BMC address and function definitions to a separate
patch.
---
drivers/fpga/intel-cardbmc-sec-update.c | 377 ++++++++++++++++++++++++
1 file changed, 377 insertions(+)
diff --git a/drivers/fpga/intel-cardbmc-sec-update.c b/drivers/fpga/intel-cardbmc-sec-update.c
index 41c828d6d65a..39d5590d582a 100644
--- a/drivers/fpga/intel-cardbmc-sec-update.c
+++ b/drivers/fpga/intel-cardbmc-sec-update.c
@@ -17,8 +17,14 @@
struct bmc_sec {
struct device *dev;
struct intel_m10bmc *m10bmc;
+ struct fw_upload *fwl;
+ char *fw_name;
+ u32 fw_name_id;
+ bool cancel_request;
};
+static DEFINE_XARRAY_ALLOC(fw_upload_xa);
+
/* Root Entry Hash (REH) support */
#define REH_SHA256_SIZE 32
#define REH_SHA384_SIZE 48
@@ -178,9 +184,349 @@ static const struct attribute_group *bmc_sec_attr_groups[] = {
NULL,
};
+static void log_error_regs(struct bmc_sec *sec, u32 doorbell)
+{
+ u32 auth_result;
+
+ dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);
+
+ if (!m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result))
+ dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
+}
+
+static enum fw_upload_err rsu_check_idle(struct bmc_sec *sec)
+{
+ u32 doorbell;
+ int ret;
+
+ ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+ if (ret)
+ return FW_UPLOAD_ERR_RW_ERROR;
+
+ if (rsu_prog(doorbell) != RSU_PROG_IDLE &&
+ rsu_prog(doorbell) != RSU_PROG_RSU_DONE) {
+ log_error_regs(sec, doorbell);
+ return FW_UPLOAD_ERR_BUSY;
+ }
+
+ return FW_UPLOAD_ERR_NONE;
+}
+
+static inline bool rsu_start_done(u32 doorbell)
+{
+ u32 status, progress;
+
+ if (doorbell & DRBL_RSU_REQUEST)
+ return false;
+
+ status = rsu_stat(doorbell);
+ if (status == RSU_STAT_ERASE_FAIL || status == RSU_STAT_WEAROUT)
+ return true;
+
+ progress = rsu_prog(doorbell);
+ if (progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE)
+ return true;
+
+ return false;
+}
+
+static enum fw_upload_err rsu_update_init(struct bmc_sec *sec)
+{
+ u32 doorbell, status;
+ int ret;
+
+ ret = regmap_update_bits(sec->m10bmc->regmap,
+ M10BMC_SYS_BASE + M10BMC_DOORBELL,
+ DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
+ DRBL_RSU_REQUEST |
+ FIELD_PREP(DRBL_HOST_STATUS,
+ HOST_STATUS_IDLE));
+ if (ret)
+ return FW_UPLOAD_ERR_RW_ERROR;
+
+ ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
+ M10BMC_SYS_BASE + M10BMC_DOORBELL,
+ doorbell,
+ rsu_start_done(doorbell),
+ NIOS_HANDSHAKE_INTERVAL_US,
+ NIOS_HANDSHAKE_TIMEOUT_US);
+
+ if (ret == -ETIMEDOUT) {
+ log_error_regs(sec, doorbell);
+ return FW_UPLOAD_ERR_TIMEOUT;
+ } else if (ret) {
+ return FW_UPLOAD_ERR_RW_ERROR;
+ }
+
+ status = rsu_stat(doorbell);
+ if (status == RSU_STAT_WEAROUT) {
+ dev_warn(sec->dev, "Excessive flash update count detected\n");
+ return FW_UPLOAD_ERR_WEAROUT;
+ } else if (status == RSU_STAT_ERASE_FAIL) {
+ log_error_regs(sec, doorbell);
+ return FW_UPLOAD_ERR_HW_ERROR;
+ }
+
+ return FW_UPLOAD_ERR_NONE;
+}
+
+static enum fw_upload_err rsu_prog_ready(struct bmc_sec *sec)
+{
+ unsigned long poll_timeout;
+ u32 doorbell, progress;
+ int ret;
+
+ ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+ if (ret)
+ return FW_UPLOAD_ERR_RW_ERROR;
+
+ poll_timeout = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
+ while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
+ msleep(RSU_PREP_INTERVAL_MS);
+ if (time_after(jiffies, poll_timeout))
+ break;
+
+ ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+ if (ret)
+ return FW_UPLOAD_ERR_RW_ERROR;
+ }
+
+ progress = rsu_prog(doorbell);
+ if (progress == RSU_PROG_PREPARE) {
+ log_error_regs(sec, doorbell);
+ return FW_UPLOAD_ERR_TIMEOUT;
+ } else if (progress != RSU_PROG_READY) {
+ log_error_regs(sec, doorbell);
+ return FW_UPLOAD_ERR_HW_ERROR;
+ }
+
+ return FW_UPLOAD_ERR_NONE;
+}
+
+static enum fw_upload_err rsu_send_data(struct bmc_sec *sec)
+{
+ u32 doorbell;
+ int ret;
+
+ ret = regmap_update_bits(sec->m10bmc->regmap,
+ M10BMC_SYS_BASE + M10BMC_DOORBELL,
+ DRBL_HOST_STATUS,
+ FIELD_PREP(DRBL_HOST_STATUS,
+ HOST_STATUS_WRITE_DONE));
+ if (ret)
+ return FW_UPLOAD_ERR_RW_ERROR;
+
+ ret = regmap_read_poll_timeout(sec->m10bmc->regmap,
+ M10BMC_SYS_BASE + M10BMC_DOORBELL,
+ doorbell,
+ rsu_prog(doorbell) != RSU_PROG_READY,
+ NIOS_HANDSHAKE_INTERVAL_US,
+ NIOS_HANDSHAKE_TIMEOUT_US);
+
+ if (ret == -ETIMEDOUT) {
+ log_error_regs(sec, doorbell);
+ return FW_UPLOAD_ERR_TIMEOUT;
+ } else if (ret) {
+ return FW_UPLOAD_ERR_RW_ERROR;
+ }
+
+ switch (rsu_stat(doorbell)) {
+ case RSU_STAT_NORMAL:
+ case RSU_STAT_NIOS_OK:
+ case RSU_STAT_USER_OK:
+ case RSU_STAT_FACTORY_OK:
+ break;
+ default:
+ log_error_regs(sec, doorbell);
+ return FW_UPLOAD_ERR_HW_ERROR;
+ }
+
+ return FW_UPLOAD_ERR_NONE;
+}
+
+static int rsu_check_complete(struct bmc_sec *sec, u32 *doorbell)
+{
+ if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
+ return -EIO;
+
+ switch (rsu_stat(*doorbell)) {
+ case RSU_STAT_NORMAL:
+ case RSU_STAT_NIOS_OK:
+ case RSU_STAT_USER_OK:
+ case RSU_STAT_FACTORY_OK:
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ switch (rsu_prog(*doorbell)) {
+ case RSU_PROG_IDLE:
+ case RSU_PROG_RSU_DONE:
+ return 0;
+ case RSU_PROG_AUTHENTICATING:
+ case RSU_PROG_COPYING:
+ case RSU_PROG_UPDATE_CANCEL:
+ case RSU_PROG_PROGRAM_KEY_HASH:
+ return -EAGAIN;
+ default:
+ return -EINVAL;
+ }
+}
+
+static enum fw_upload_err rsu_cancel(struct bmc_sec *sec)
+{
+ u32 doorbell;
+ int ret;
+
+ ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+ if (ret)
+ return FW_UPLOAD_ERR_RW_ERROR;
+
+ if (rsu_prog(doorbell) != RSU_PROG_READY)
+ return FW_UPLOAD_ERR_BUSY;
+
+ ret = regmap_update_bits(sec->m10bmc->regmap,
+ M10BMC_SYS_BASE + M10BMC_DOORBELL,
+ DRBL_HOST_STATUS,
+ FIELD_PREP(DRBL_HOST_STATUS,
+ HOST_STATUS_ABORT_RSU));
+ if (ret)
+ return FW_UPLOAD_ERR_RW_ERROR;
+
+ return FW_UPLOAD_ERR_CANCELED;
+}
+
+static enum fw_upload_err bmc_sec_prepare(struct fw_upload *fwl,
+ const u8 *data, u32 size)
+{
+ struct bmc_sec *sec = fwl->dd_handle;
+ u32 ret;
+
+ sec->cancel_request = false;
+
+ if (!size || size & 0x3 || size > M10BMC_STAGING_SIZE)
+ return FW_UPLOAD_ERR_INVALID_SIZE;
+
+ ret = rsu_check_idle(sec);
+ if (ret != FW_UPLOAD_ERR_NONE)
+ return ret;
+
+ ret = rsu_update_init(sec);
+ if (ret != FW_UPLOAD_ERR_NONE)
+ return ret;
+
+ ret = rsu_prog_ready(sec);
+ if (ret != FW_UPLOAD_ERR_NONE)
+ return ret;
+
+ if (sec->cancel_request)
+ return rsu_cancel(sec);
+
+ return FW_UPLOAD_ERR_NONE;
+}
+
+#define WRITE_BLOCK_SIZE 0x4000 /* Default write-block size is 0x4000 bytes */
+
+static enum fw_upload_err bmc_sec_write(struct fw_upload *fwl, const u8 *data,
+ u32 offset, u32 size, u32 *written)
+{
+ struct bmc_sec *sec = fwl->dd_handle;
+ unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+ u32 blk_size, doorbell;
+ int ret;
+
+ if (sec->cancel_request)
+ return rsu_cancel(sec);
+
+ ret = m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell);
+ if (ret) {
+ return FW_UPLOAD_ERR_RW_ERROR;
+ } else if (rsu_prog(doorbell) != RSU_PROG_READY) {
+ log_error_regs(sec, doorbell);
+ return FW_UPLOAD_ERR_HW_ERROR;
+ }
+
+ blk_size = min_t(u32, WRITE_BLOCK_SIZE, size);
+ ret = regmap_bulk_write(sec->m10bmc->regmap,
+ M10BMC_STAGING_BASE + offset,
+ (void *)data + offset,
+ (blk_size + stride - 1) / stride);
+
+ if (ret)
+ return FW_UPLOAD_ERR_RW_ERROR;
+
+ *written = blk_size;
+ return FW_UPLOAD_ERR_NONE;
+}
+
+static enum fw_upload_err bmc_sec_poll_complete(struct fw_upload *fwl)
+{
+ struct bmc_sec *sec = fwl->dd_handle;
+ unsigned long poll_timeout;
+ u32 doorbell, result;
+ int ret;
+
+ if (sec->cancel_request)
+ return rsu_cancel(sec);
+
+ result = rsu_send_data(sec);
+ if (result != FW_UPLOAD_ERR_NONE)
+ return result;
+
+ poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
+ do {
+ msleep(RSU_COMPLETE_INTERVAL_MS);
+ ret = rsu_check_complete(sec, &doorbell);
+ } while (ret == -EAGAIN && !time_after(jiffies, poll_timeout));
+
+ if (ret == -EAGAIN) {
+ log_error_regs(sec, doorbell);
+ return FW_UPLOAD_ERR_TIMEOUT;
+ } else if (ret == -EIO) {
+ return FW_UPLOAD_ERR_RW_ERROR;
+ } else if (ret) {
+ log_error_regs(sec, doorbell);
+ return FW_UPLOAD_ERR_HW_ERROR;
+ }
+
+ return FW_UPLOAD_ERR_NONE;
+}
+
+/*
+ * bmc_sec_cancel() may be called asynchronously with an on-going update.
+ * All other functions are called sequentially in a single thread. To avoid
+ * contention on register accesses, bmc_sec_cancel() must only update
+ * the cancel_request flag. Other functions will check this flag and handle
+ * the cancel request synchronously.
+ */
+static void bmc_sec_cancel(struct fw_upload *fwl)
+{
+ struct bmc_sec *sec = fwl->dd_handle;
+
+ sec->cancel_request = true;
+}
+
+static void bmc_sec_cleanup(struct fw_upload *fwl)
+{
+ struct bmc_sec *sec = fwl->dd_handle;
+
+ (void)rsu_cancel(sec);
+}
+
+static const struct fw_upload_ops cardbmc_ops = {
+ .prepare = bmc_sec_prepare,
+ .write = bmc_sec_write,
+ .poll_complete = bmc_sec_poll_complete,
+ .cancel = bmc_sec_cancel,
+ .cleanup = bmc_sec_cleanup,
+};
+
#define SEC_UPDATE_LEN_MAX 32
static int bmc_sec_probe(struct platform_device *pdev)
{
+ char buf[SEC_UPDATE_LEN_MAX];
+ struct fw_upload *fwl;
+ unsigned int len, ret;
struct bmc_sec *sec;
sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
@@ -191,6 +537,36 @@ static int bmc_sec_probe(struct platform_device *pdev)
sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
dev_set_drvdata(&pdev->dev, sec);
+ ret = xa_alloc(&fw_upload_xa, &sec->fw_name_id, sec,
+ xa_limit_32b, GFP_KERNEL);
+ if (ret)
+ return ret;
+
+ len = scnprintf(buf, SEC_UPDATE_LEN_MAX, "secure-update%d",
+ sec->fw_name_id);
+ sec->fw_name = kmemdup_nul(buf, len, GFP_KERNEL);
+
+ fwl = firmware_upload_register(THIS_MODULE, sec->dev, sec->fw_name,
+ &cardbmc_ops, sec);
+ if (IS_ERR(fwl)) {
+ dev_err(sec->dev, "Firmware Upload driver failed to start\n");
+ kfree(sec->fw_name);
+ xa_erase(&fw_upload_xa, sec->fw_name_id);
+ return PTR_ERR(fwl);
+ }
+
+ sec->fwl = fwl;
+ return 0;
+}
+
+static int bmc_sec_remove(struct platform_device *pdev)
+{
+ struct bmc_sec *sec = dev_get_drvdata(&pdev->dev);
+
+ firmware_upload_unregister(sec->fwl);
+ kfree(sec->fw_name);
+ xa_erase(&fw_upload_xa, sec->fw_name_id);
+
return 0;
}
@@ -203,6 +579,7 @@ static const struct platform_device_id intel_cardbmc_sec_ids[] = {
static struct platform_driver intel_cardbmc_sec_driver = {
.probe = bmc_sec_probe,
+ .remove = bmc_sec_remove,
.driver = {
.name = "intel-cardbmc-sec-update",
.dev_groups = bmc_sec_attr_groups,
--
2.25.1
Extend the FPGA Card BMC Secure Update driver to provide sysfs files to
expose the canceled code signing key (CSK) bit vectors. These use the
standard bitmap list format (e.g. 1,2-6,9).
Signed-off-by: Russ Weight <[email protected]>
Reviewed-by: Tom Rix <[email protected]>
---
v18:
- No change
v17:
- Update the Date and KernelVersion for the ABI documentation to Jul 2022
and 5.19 respectively.
- Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
future devices will not necessarily use the MAX10.
v16:
- No Change
v15:
- Updated the Dates and KernelVersions in the ABI documentation
v14:
- No changes
v13:
- Updated ABI documentation date and kernel version
v12:
- Updated Date and KernelVersion fields in ABI documentation
v11:
- No change
v10:
- Changed the path expressions in the sysfs documentation to
replace the n3000 reference with something more generic to
accomodate other devices that use the same driver.
v9:
- Rebased to 5.12-rc2 next
- Updated Date and KernelVersion in ABI documentation
v8:
- Previously patch 4/6, otherwise no change
v7:
- Updated Date and KernelVersion in ABI documentation
v6:
- Added WARN_ON() call for (size / stride) to ensure
that the proper count is passed to regmap_bulk_read().
v5:
- No change
v4:
- Moved sysfs files for displaying the code-signing-key (CSK)
cancellation vectors from the FPGA Security Manger class driver
to here. The m10bmc_csk_vector() and m10bmc_csk_cancel_nbits()
functions are removed and the functionality from these functions
is moved into a show_canceled_csk() function for for displaying
the CSK vectors.
- Added ABI documentation for new sysfs entries
v3:
- Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
- Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
driver"
- Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
underlying functions are now called directly.
- Renamed get_csk_vector() to m10bmc_csk_vector()
v2:
- Replaced small function-creation macros for explicit function
declarations.
- Fixed get_csk_vector() function to properly apply the stride
variable in calls to m10bmc_raw_bulk_read()
- Added m10bmc_ prefix to functions in m10bmc_iops structure
---
.../sysfs-driver-intel-cardbmc-sec-update | 24 ++++++++++
drivers/fpga/intel-cardbmc-sec-update.c | 48 +++++++++++++++++++
2 files changed, 72 insertions(+)
diff --git a/Documentation/ABI/testing/sysfs-driver-intel-cardbmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-cardbmc-sec-update
index 04f8c5a1fc1c..f7c2c9a6e9c6 100644
--- a/Documentation/ABI/testing/sysfs-driver-intel-cardbmc-sec-update
+++ b/Documentation/ABI/testing/sysfs-driver-intel-cardbmc-sec-update
@@ -28,6 +28,30 @@ Description: Read only. Returns the root entry hash for the BMC image
underlying device supports it.
Format: string.
+What: /sys/bus/platform/drivers/intel-cardbmc-sec-update/.../security/sr_canceled_csks
+Date: Jul 2022
+KernelVersion: 5.19
+Contact: Russ Weight <[email protected]>
+Description: Read only. Returns a list of indices for canceled code
+ signing keys for the static region. The standard bitmap
+ list format is used (e.g. "1,2-6,9").
+
+What: /sys/bus/platform/drivers/intel-cardbmc-sec-update/.../security/pr_canceled_csks
+Date: Jul 2022
+KernelVersion: 5.19
+Contact: Russ Weight <[email protected]>
+Description: Read only. Returns a list of indices for canceled code
+ signing keys for the partial reconfiguration region. The
+ standard bitmap list format is used (e.g. "1,2-6,9").
+
+What: /sys/bus/platform/drivers/intel-cardbmc-sec-update/.../security/bmc_canceled_csks
+Date: Jul 2022
+KernelVersion: 5.19
+Contact: Russ Weight <[email protected]>
+Description: Read only. Returns a list of indices for canceled code
+ signing keys for the BMC. The standard bitmap list format
+ is used (e.g. "1,2-6,9").
+
What: /sys/bus/platform/drivers/intel-cardbmc-sec-update/.../security/flash_count
Date: Jul 2022
KernelVersion: 5.19
diff --git a/drivers/fpga/intel-cardbmc-sec-update.c b/drivers/fpga/intel-cardbmc-sec-update.c
index d8f3645e2139..41c828d6d65a 100644
--- a/drivers/fpga/intel-cardbmc-sec-update.c
+++ b/drivers/fpga/intel-cardbmc-sec-update.c
@@ -77,6 +77,51 @@ DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
+#define CSK_BIT_LEN 128U
+#define CSK_32ARRAY_SIZE DIV_ROUND_UP(CSK_BIT_LEN, 32)
+
+static ssize_t
+show_canceled_csk(struct device *dev, u32 addr, char *buf)
+{
+ unsigned int i, stride, size = CSK_32ARRAY_SIZE * sizeof(u32);
+ struct bmc_sec *sec = dev_get_drvdata(dev);
+ DECLARE_BITMAP(csk_map, CSK_BIT_LEN);
+ __le32 csk_le32[CSK_32ARRAY_SIZE];
+ u32 csk32[CSK_32ARRAY_SIZE];
+ int ret;
+
+ stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+
+ WARN_ON(size % stride);
+ ret = regmap_bulk_read(sec->m10bmc->regmap, addr, csk_le32,
+ size / stride);
+ if (ret) {
+ dev_err(sec->dev, "failed to read CSK vector: %x cnt %x: %d\n",
+ addr, size / stride, ret);
+ return ret;
+ }
+
+ for (i = 0; i < CSK_32ARRAY_SIZE; i++)
+ csk32[i] = le32_to_cpu(((csk_le32[i])));
+
+ bitmap_from_arr32(csk_map, csk32, CSK_BIT_LEN);
+ bitmap_complement(csk_map, csk_map, CSK_BIT_LEN);
+ return bitmap_print_to_pagebuf(1, buf, csk_map, CSK_BIT_LEN);
+}
+
+#define DEVICE_ATTR_SEC_CSK_RO(_name, _addr) \
+static ssize_t _name##_canceled_csks_show(struct device *dev, \
+ struct device_attribute *attr, \
+ char *buf) \
+{ return show_canceled_csk(dev, _addr, buf); } \
+static DEVICE_ATTR_RO(_name##_canceled_csks)
+
+#define CSK_VEC_OFFSET 0x34
+
+DEVICE_ATTR_SEC_CSK_RO(bmc, BMC_PROG_ADDR + CSK_VEC_OFFSET);
+DEVICE_ATTR_SEC_CSK_RO(sr, SR_PROG_ADDR + CSK_VEC_OFFSET);
+DEVICE_ATTR_SEC_CSK_RO(pr, PR_PROG_ADDR + CSK_VEC_OFFSET);
+
#define FLASH_COUNT_SIZE 4096 /* count stored as inverted bit vector */
static ssize_t flash_count_show(struct device *dev,
@@ -117,6 +162,9 @@ static struct attribute *bmc_security_attrs[] = {
&dev_attr_bmc_root_entry_hash.attr,
&dev_attr_sr_root_entry_hash.attr,
&dev_attr_pr_root_entry_hash.attr,
+ &dev_attr_sr_canceled_csks.attr,
+ &dev_attr_pr_canceled_csks.attr,
+ &dev_attr_bmc_canceled_csks.attr,
NULL,
};
--
2.25.1