The MAX10 BMC Secure Update driver instantiates the new Firmware
Upload functionality of the Firmware Loader and provides the callback
functions required to support secure updates on Intel n3000 PAC
devices. This driver is implemented as a sub-driver of the Intel MAX10
BMC mfd driver.
This driver interacts with the HW secure update engine of the FPGA
card BMC in order to transfer new FPGA and BMC images to FLASH on
the FPGA card. Security is enforced by hardware and firmware. The
FPGA Card BMC Secure Update driver interacts with the firmware to
initiate an update, pass in the necessary data, and collect status
on the update.
This driver provides sysfs files for displaying the flash count, the
root entry hashes (REH), and the code-signing-key (CSK) cancellation
vectors.
Changelog v18 -> v19:
- Change "card bmc" naming back to "m10 bmc" naming to be consistent
with the parent driver.
Changelog v17 -> v18:
- Changed the ABI documentation for the Root Entry Hashes to specify
string as the format for the output.
- Updated comments, strings and config options to more consistently
refer to the driver as the Intel FPGA Card BMC Secure Update driver.
- Removed an instance of dev_dbg().
- Deferred the call to firmware_upload_register() to a later patch
where the required ops are provided.
- Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
of additional cards to be supported by the same driver.
Changelog v16 -> v17:
- Change m10bmc to cardbmc to reflect the fact that the future devices
will not necessarily use the MAX10. This affects filenames, configs,
symbol names, and the driver name.
- Update the Date and KernelVersion for the ABI documentation to Jul 2022
and 5.19 respectively.
- Updated the copyright end-date to 2022 for the secure update driver.
- Removed references to the FPGA Image Load class driver and replaced
them with the new firmware-upload service from the firmware loader.
- Use xarray_alloc to generate a unique number/name firmware-upload.
- Chang the license from GPL to GPLv2 per commit bf7fbeeae6db ("module:
Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity")
- fw_upload_ops functions will return "enum fw_upload_err" data types
instead of integer values.
Changelog v15 -> v16:
- Use 0 instead of FPGA_IMAGE_ERR_NONE to indicate success.
- The size alignment check was moved from the FPGA Image Load framework
to the prepare() op.
- Added cancel_request boolean flag to struct m10bmc_sec.
- Moved the RSU cancellation logic from m10bmc_sec_cancel() to a new
rsu_cancel() function.
- The m10bmc_sec_cancel() function ONLY sets the cancel_request flag.
The cancel_request flag is checked at the beginning of the
m10bmc_sec_write() and m10bmc_sec_poll_complete() functions.
- Adapt to changed prototypes for the prepare() and write() ops. The
m10bmc_sec_write_blk() function has been renamed to
m10bmc_sec_write().
- Created a cleanup op, m10bmc_sec_cleanup(), to attempt to cancel an
ongoing op during when exiting the update process.
Changelog v14 -> v15:
- Updated the Dates and KernelVersions in the ABI documentation
- Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
- Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
- Change instances of *bmc-secure to *bmc-sec-update in file name
and symbol names.
- Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
names.
- Adapted to changes in the FPGA Image Load framework:
(1) All enum types (progress and errors) are now type u32
(2) m10bmc_sec_write_blk() adds *blk_size and max_size parameters
and uses *blk_size as provided by the caller.
(3) m10bmc_sec_poll_complete() no long checks the driver_unload
flag.
Changelog v13 -> v14:
- Changed symbol and text references to reflect the renaming of the
Security Manager Class driver to FPGA Image Load.
Changelog v12 -> v13:
- Updated copyright to 2021
- Updated Date and KernelVersion fields in ABI documentation
- Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
functions instead of devm_fpga_sec_mgr_create() and
devm_fpga_sec_mgr_register().
Changelog v11 -> v12:
- Updated Date and KernelVersion fields in ABI documentation
- Removed size parameter from the write_blk() op. m10bmc_sec_write_blk()
no longer has a size parameter, and the block size is determined
in this (the lower-level) driver.
Changelog v10 -> v11:
- Added Reviewed-by tag to patch #1
Changelog v9 -> v10:
- Changed the path expressions in the sysfs documentation to
replace the n3000 reference with something more generic to
accommodate other devices that use the same driver.
Changelog v8 -> v9:
- Rebased to 5.12-rc2 next
- Updated Date and KernelVersion in ABI documentation
Changelog v7 -> v8:
- Split out patch "mfd: intel-m10-bmc: support for MAX10 BMC Secure
Updates" and submitted it separately:
https://marc.info/?l=linux-kernel&m=161126987101096&w=2
Changelog v6 -> v7:
- Rebased patches for 5.11-rc2
- Updated Date and KernelVersion in ABI documentation
Changelog v5 -> v6:
- Added WARN_ON() prior to several calls to regmap_bulk_read()
to assert that the (SIZE / stride) calculations did not result
in remainders.
- Changed the (size / stride) calculation in regmap_bulk_write()
call to ensure that we don't write one less than intended.
- Changed flash_count_show() parameter list to achieve
reverse-christmas tree format.
- Removed unnecessary call to rsu_check_complete() in
m10bmc_sec_poll_complete() and changed while loop to
do/while loop.
- Initialized auth_result and doorbell to HW_ERRINFO_POISON
in m10bmc_sec_hw_errinfo() and removed unnecessary if statements.
Changelog v4 -> v5:
- Renamed sysfs node user_flash_count to flash_count and updated
the sysfs documentation accordingly to more accurately descirbe
the purpose of the count.
Changelog v3 -> v4:
- Moved sysfs files for displaying the flash count, the root
entry hashes (REH), and the code-signing-key (CSK) cancellation
vectors from the FPGA Security Manager class driver to this
driver (as they are not generic enough for the class driver).
- Added a new ABI documentation file with informtaion about the
new sysfs entries: sysfs-driver-intel-m10-bmc-secure
- Updated the MAINTAINERS file to add the new ABI documentation
file: sysfs-driver-intel-m10-bmc-secure
- Removed unnecessary ret variable from m10bmc_secure_probe()
- Incorporated new devm_fpga_sec_mgr_register() function into
m10bmc_secure_probe() and removed the m10bmc_secure_remove()
function.
Changelog v2 -> v3:
- Changed "MAX10 BMC Security Engine driver" to "MAX10 BMC Secure
Update driver"
- Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
- Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
- Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
underlying functions are now called directly.
- Changed "_root_entry_hash" to "_reh", with a comment explaining
what reh is.
- Renamed get_csk_vector() to m10bmc_csk_vector()
- Changed calling functions of functions that return "enum fpga_sec_err"
to check for (ret != FPGA_SEC_ERR_NONE) instead of (ret)
Changelog v1 -> v2:
- These patches were previously submitted as part of a larger V1
patch set under the title "Intel FPGA Security Manager Class Driver".
- Grouped all changes to include/linux/mfd/intel-m10-bmc.h into a
single patch: "mfd: intel-m10-bmc: support for MAX10 BMC Security
Engine".
- Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
- Adapted to changes in the Intel FPGA Security Manager by splitting
the single call to ifpga_sec_mgr_register() into two function
calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
- Replaced small function-creation macros for explicit function
declarations.
- Bug fix for the get_csk_vector() function to properly apply the
stride variable in calls to m10bmc_raw_bulk_read().
- Added m10bmc_ prefix to functions in m10bmc_iops structure
- Implemented HW_ERRINFO_POISON for m10bmc_sec_hw_errinfo() to
ensure that corresponding bits are set to 1 if we are unable
to read the doorbell or auth_result registers.
- Added comments and additional code cleanup per V1 review.
Russ Weight (5):
mfd: intel-m10-bmc: Rename n3000bmc-secure driver
fpga: m10bmc-sec: create max10 bmc secure update
fpga: m10bmc-sec: expose max10 flash update count
fpga: m10bmc-sec: expose max10 canceled keys in sysfs
fpga: m10bmc-sec: add max10 secure update functions
.../sysfs-driver-intel-m10-bmc-sec-update | 61 ++
MAINTAINERS | 7 +
drivers/fpga/Kconfig | 12 +
drivers/fpga/Makefile | 3 +
drivers/fpga/intel-m10-bmc-sec-update.c | 594 ++++++++++++++++++
drivers/mfd/intel-m10-bmc.c | 2 +-
6 files changed, 678 insertions(+), 1 deletion(-)
create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
create mode 100644 drivers/fpga/intel-m10-bmc-sec-update.c
--
2.25.1
Create a sub driver for the FPGA Card BMC in order to support secure
updates. This patch creates the Max10 BMC Secure Update driver
and provides sysfs files for displaying the current root entry hashes
for the FPGA static region, the FPGA PR region, and the card BMC.
Signed-off-by: Russ Weight <[email protected]>
Reviewed-by: Tom Rix <[email protected]>
---
v19:
- Change "card bmc" naming back to "m10 bmc" naming to be consistent
with the parent driver.
v18:
- Changed the ABI documentation for the Root Entry Hashes to specify
string as the format for the output.
- Updated comments, strings and config options to more consistently
refer to the driver as the Intel FPGA Card BMC Secure Update driver.
- Removed an instance of dev_dbg().
- Deferred the call to firmware_upload_register() to a later patch
where the required ops are provided. The bmc_sec_remove() function is
also removed from this patch and added in a later patch.
- Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
of additional cards to be supported by the same driver.
v17:
- Update the Date and KernelVersion for the ABI documentation to Jul 2022
and 5.19 respectively.
- Updated the copyright end-date to 2022 for the secure update driver.
- Change m10bmc to cardbmc to reflect the fact that the future devices
will not necessarily use the MAX10. This affects filenames, configs, and
symbol names.
- Removed references to the FPGA Image Load class driver and replaced
them with the new firmware-upload service from the firmware loader.
- Firmware upload requires a unique name for the firmware device. Use
xarray_alloc to generate a unique number to append to the name.
- Changed the license from GPL to GPLv2 per commit bf7fbeeae6db: 'module:
Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity'
v16:
- No Change
v15:
- Updated the Dates and KernelVersions in the ABI documentation
- Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
- Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
- Change instances of *bmc-secure to *bmc-sec-update in file name
and symbol names.
- Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
names.
- Change instances of *lops* to *ops* in symbol names.
v14:
- Changed symbol and text references to reflect the renaming of the
Security Manager Class driver to FPGA Image Load.
v13:
- Updated copyright to 2021
- Updated ABI documentation date and kernel version
- Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
functions instead of devm_fpga_sec_mgr_create() and
devm_fpga_sec_mgr_register().
v12:
- Updated Date and KernelVersion fields in ABI documentation
v11:
- Added Reviewed-by tag
v10:
- Changed the path expressions in the sysfs documentation to
replace the n3000 reference with something more generic to
accomodate other devices that use the same driver.
v9:
- Rebased to 5.12-rc2 next
- Updated Date and KernelVersion in ABI documentation
v8:
- Previously patch 2/6, otherwise no change
v7:
- Updated Date and KernelVersion in ABI documentation
v6:
- Added WARN_ON() call for (sha_num_bytes / stride) to assert
that the proper count is passed to regmap_bulk_read().
v5:
- No change
v4:
- Moved sysfs files for displaying the root entry hashes (REH)
from the FPGA Security Manager class driver to here. The
m10bmc_reh() and m10bmc_reh_size() functions are removed and
the functionality from these functions is moved into a
show_root_entry_hash() function for displaying the REHs.
- Added ABI documentation for the new sysfs entries:
sysfs-driver-intel-m10-bmc-secure
- Updated the MAINTAINERS file to add the new ABI documentation
file: sysfs-driver-intel-m10-bmc-secure
- Removed unnecessary ret variable from m10bmc_secure_probe()
- Incorporated new devm_fpga_sec_mgr_register() function into
m10bmc_secure_probe() and removed the m10bmc_secure_remove()
function.
v3:
- Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
- Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
- Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure
Update driver"
- Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
underlying functions are now called directly.
- Changed "_root_entry_hash" to "_reh", with a comment explaining
what reh is.
v2:
- Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
- Switched to GENMASK(31, 16) for a couple of mask definitions.
- Moved MAX10 BMC address and function definitions to a separate
patch.
- Replaced small function-creation macros with explicit function
declarations.
- Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
- Adapted to changes in the Intel FPGA Security Manager by splitting
the single call to ifpga_sec_mgr_register() into two function
calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
---
.../sysfs-driver-intel-m10-bmc-sec-update | 29 ++++
MAINTAINERS | 7 +
drivers/fpga/Kconfig | 12 ++
drivers/fpga/Makefile | 3 +
drivers/fpga/intel-m10-bmc-sec-update.c | 133 ++++++++++++++++++
5 files changed, 184 insertions(+)
create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
create mode 100644 drivers/fpga/intel-m10-bmc-sec-update.c
diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
new file mode 100644
index 000000000000..2bb271695e14
--- /dev/null
+++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
@@ -0,0 +1,29 @@
+What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/sr_root_entry_hash
+Date: Jul 2022
+KernelVersion: 5.19
+Contact: Russ Weight <[email protected]>
+Description: Read only. Returns the root entry hash for the static
+ region if one is programmed, else it returns the
+ string: "hash not programmed". This file is only
+ visible if the underlying device supports it.
+ Format: string.
+
+What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/pr_root_entry_hash
+Date: Jul 2022
+KernelVersion: 5.19
+Contact: Russ Weight <[email protected]>
+Description: Read only. Returns the root entry hash for the partial
+ reconfiguration region if one is programmed, else it
+ returns the string: "hash not programmed". This file
+ is only visible if the underlying device supports it.
+ Format: string.
+
+What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/bmc_root_entry_hash
+Date: Jul 2022
+KernelVersion: 5.19
+Contact: Russ Weight <[email protected]>
+Description: Read only. Returns the root entry hash for the BMC image
+ if one is programmed, else it returns the string:
+ "hash not programmed". This file is only visible if the
+ underlying device supports it.
+ Format: string.
diff --git a/MAINTAINERS b/MAINTAINERS
index cf883b1ec852..759a7788dad9 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -7784,6 +7784,13 @@ F: Documentation/fpga/
F: drivers/fpga/
F: include/linux/fpga/
+INTEL MAX10 BMC SECURE UPDATES
+M: Russ Weight <[email protected]>
+L: [email protected]
+S: Maintained
+F: Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
+F: drivers/fpga/intel-m10-bmc-sec-update.c
+
FPU EMULATOR
M: Bill Metzenthen <[email protected]>
S: Maintained
diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
index 991b3f361ec9..0831eecc9a09 100644
--- a/drivers/fpga/Kconfig
+++ b/drivers/fpga/Kconfig
@@ -243,4 +243,16 @@ config FPGA_MGR_VERSAL_FPGA
configure the programmable logic(PL).
To compile this as a module, choose M here.
+
+config FPGA_M10_BMC_SEC_UPDATE
+ tristate "Intel MAX10 BMC Secure Update driver"
+ depends on MFD_INTEL_M10_BMC && FW_UPLOAD
+ help
+ Secure update support for the Intel MAX10 board management
+ controller.
+
+ This is a subdriver of the Intel MAX10 board management controller
+ (BMC) and provides support for secure updates for the BMC image,
+ the FPGA image, the Root Entry Hashes, etc.
+
endif # FPGA
diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
index 5935b3d0abd5..139ac1b573d3 100644
--- a/drivers/fpga/Makefile
+++ b/drivers/fpga/Makefile
@@ -22,6 +22,9 @@ obj-$(CONFIG_FPGA_MGR_VERSAL_FPGA) += versal-fpga.o
obj-$(CONFIG_ALTERA_PR_IP_CORE) += altera-pr-ip-core.o
obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT) += altera-pr-ip-core-plat.o
+# FPGA Secure Update Drivers
+obj-$(CONFIG_FPGA_M10_BMC_SEC_UPDATE) += intel-m10-bmc-sec-update.o
+
# FPGA Bridge Drivers
obj-$(CONFIG_FPGA_BRIDGE) += fpga-bridge.o
obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE) += altera-hps2fpga.o altera-fpga2sdram.o
diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
new file mode 100644
index 000000000000..a36856d897c9
--- /dev/null
+++ b/drivers/fpga/intel-m10-bmc-sec-update.c
@@ -0,0 +1,133 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Intel MAX10 Board Management Controller Secure Update Driver
+ *
+ * Copyright (C) 2019-2022 Intel Corporation. All rights reserved.
+ *
+ */
+#include <linux/bitfield.h>
+#include <linux/device.h>
+#include <linux/firmware.h>
+#include <linux/mfd/intel-m10-bmc.h>
+#include <linux/mod_devicetable.h>
+#include <linux/module.h>
+#include <linux/platform_device.h>
+#include <linux/slab.h>
+
+struct m10bmc_sec {
+ struct device *dev;
+ struct intel_m10bmc *m10bmc;
+};
+
+/* Root Entry Hash (REH) support */
+#define REH_SHA256_SIZE 32
+#define REH_SHA384_SIZE 48
+#define REH_MAGIC GENMASK(15, 0)
+#define REH_SHA_NUM_BYTES GENMASK(31, 16)
+
+static ssize_t
+show_root_entry_hash(struct device *dev, u32 exp_magic,
+ u32 prog_addr, u32 reh_addr, char *buf)
+{
+ struct m10bmc_sec *sec = dev_get_drvdata(dev);
+ unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+ int sha_num_bytes, i, ret, cnt = 0;
+ u8 hash[REH_SHA384_SIZE];
+ u32 magic;
+
+ ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
+ if (ret)
+ return ret;
+
+ if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
+ return sysfs_emit(buf, "hash not programmed\n");
+
+ sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
+ if (sha_num_bytes != REH_SHA256_SIZE &&
+ sha_num_bytes != REH_SHA384_SIZE) {
+ dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
+ sha_num_bytes);
+ return -EINVAL;
+ }
+
+ WARN_ON(sha_num_bytes % stride);
+ ret = regmap_bulk_read(sec->m10bmc->regmap, reh_addr,
+ hash, sha_num_bytes / stride);
+ if (ret) {
+ dev_err(dev, "failed to read root entry hash: %x cnt %x: %d\n",
+ reh_addr, sha_num_bytes / stride, ret);
+ return ret;
+ }
+
+ for (i = 0; i < sha_num_bytes; i++)
+ cnt += sprintf(buf + cnt, "%02x", hash[i]);
+ cnt += sprintf(buf + cnt, "\n");
+
+ return cnt;
+}
+
+#define DEVICE_ATTR_SEC_REH_RO(_name, _magic, _prog_addr, _reh_addr) \
+static ssize_t _name##_root_entry_hash_show(struct device *dev, \
+ struct device_attribute *attr, \
+ char *buf) \
+{ return show_root_entry_hash(dev, _magic, _prog_addr, _reh_addr, buf); } \
+static DEVICE_ATTR_RO(_name##_root_entry_hash)
+
+DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
+DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
+DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
+
+static struct attribute *m10bmc_security_attrs[] = {
+ &dev_attr_bmc_root_entry_hash.attr,
+ &dev_attr_sr_root_entry_hash.attr,
+ &dev_attr_pr_root_entry_hash.attr,
+ NULL,
+};
+
+static struct attribute_group m10bmc_security_attr_group = {
+ .name = "security",
+ .attrs = m10bmc_security_attrs,
+};
+
+static const struct attribute_group *m10bmc_sec_attr_groups[] = {
+ &m10bmc_security_attr_group,
+ NULL,
+};
+
+#define SEC_UPDATE_LEN_MAX 32
+static int m10bmc_sec_probe(struct platform_device *pdev)
+{
+ struct m10bmc_sec *sec;
+
+ sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
+ if (!sec)
+ return -ENOMEM;
+
+ sec->dev = &pdev->dev;
+ sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
+ dev_set_drvdata(&pdev->dev, sec);
+
+ return 0;
+}
+
+static const struct platform_device_id intel_m10bmc_sec_ids[] = {
+ {
+ .name = "n3000bmc-sec-update",
+ },
+ { }
+};
+
+static struct platform_driver intel_m10bmc_sec_driver = {
+ .probe = m10bmc_sec_probe,
+ .driver = {
+ .name = "intel-m10bmc-sec-update",
+ .dev_groups = m10bmc_sec_attr_groups,
+ },
+ .id_table = intel_m10bmc_sec_ids,
+};
+module_platform_driver(intel_m10bmc_sec_driver);
+
+MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
+MODULE_AUTHOR("Intel Corporation");
+MODULE_DESCRIPTION("Intel MAX10 BMC Secure Update");
+MODULE_LICENSE("GPL");
--
2.25.1
The n3000bmc-secure driver has changed to n3000bmc-sec-update. Update
the name in the list of the intel-m10-bmc sub-drivers.
Signed-off-by: Russ Weight <[email protected]>
---
v19:
- No change
v18:
- No change
v17:
- This is a new patch to change in the name of the secure update
driver.
---
drivers/mfd/intel-m10-bmc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mfd/intel-m10-bmc.c b/drivers/mfd/intel-m10-bmc.c
index 8db3bcf5fccc..f4d0d72573c8 100644
--- a/drivers/mfd/intel-m10-bmc.c
+++ b/drivers/mfd/intel-m10-bmc.c
@@ -26,7 +26,7 @@ static struct mfd_cell m10bmc_d5005_subdevs[] = {
static struct mfd_cell m10bmc_pacn3000_subdevs[] = {
{ .name = "n3000bmc-hwmon" },
{ .name = "n3000bmc-retimer" },
- { .name = "n3000bmc-secure" },
+ { .name = "n3000bmc-sec-update" },
};
static struct mfd_cell m10bmc_n5010_subdevs[] = {
--
2.25.1
Extend the MAX10 BMC Secure Update driver to provide a sysfs file to
expose the flash update count.
Signed-off-by: Russ Weight <[email protected]>
Reviewed-by: Tom Rix <[email protected]>
---
v19:
- Change "card bmc" naming back to "m10 bmc" naming to be consistent
with the parent driver.
v18:
- No change
v17:
- Update the Date and KernelVersion for the ABI documentation to Jul 2022
and 5.19 respectively.
- Change "m10bmc" in symbol names to "cardbmc" to reflect the fact that the
future devices will not necessarily use the MAX10.
v16:
- No Change
v15:
- Updated the Dates and KernelVersions in the ABI documentation
v14:
- No change
v13:
- Updated ABI documentation date and kernel version
v12:
- Updated Date and KernelVersion fields in ABI documentation
v11:
- No change
v10:
- Changed the path expression in the sysfs documentation to
replace the n3000 reference with something more generic to
accomodate other devices that use the same driver.
v9:
- Rebased to 5.12-rc2 next
- Updated Date and KernelVersion in ABI documentation
v8:
- Previously patch 3/6, otherwise no change
v7:
- Updated Date and KernelVersion in ABI documentation
v6:
- Changed flash_count_show() parameter list to achieve
reverse-christmas tree format.
- Added WARN_ON() call for (FLASH_COUNT_SIZE / stride) to ensure
that the proper count is passed to regmap_bulk_read().
v5:
- Renamed sysfs node user_flash_count to flash_count and updated the
sysfs documentation accordingly.
v4:
- Moved the sysfs file for displaying the flash count from the
FPGA Security Manager class driver to here. The
m10bmc_user_flash_count() function is removed and the
functionality is moved into a user_flash_count_show()
function.
- Added ABI documentation for the new sysfs entry
v3:
- Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
- Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure Update
driver"
- Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
underlying functions are now called directly.
v2:
- Renamed get_qspi_flash_count() to m10bmc_user_flash_count()
- Minor code cleanup per review comments
- Added m10bmc_ prefix to functions in m10bmc_iops structure
---
.../sysfs-driver-intel-m10-bmc-sec-update | 8 +++++
drivers/fpga/intel-m10-bmc-sec-update.c | 36 +++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
index 2bb271695e14..1132e39b2125 100644
--- a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
+++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
@@ -27,3 +27,11 @@ Description: Read only. Returns the root entry hash for the BMC image
"hash not programmed". This file is only visible if the
underlying device supports it.
Format: string.
+
+What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/flash_count
+Date: Jul 2022
+KernelVersion: 5.19
+Contact: Russ Weight <[email protected]>
+Description: Read only. Returns number of times the secure update
+ staging area has been flashed.
+ Format: "%u".
diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
index a36856d897c9..60dca865cb28 100644
--- a/drivers/fpga/intel-m10-bmc-sec-update.c
+++ b/drivers/fpga/intel-m10-bmc-sec-update.c
@@ -77,7 +77,43 @@ DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
+#define FLASH_COUNT_SIZE 4096 /* count stored as inverted bit vector */
+
+static ssize_t flash_count_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+{
+ struct m10bmc_sec *sec = dev_get_drvdata(dev);
+ unsigned int stride, num_bits;
+ u8 *flash_buf;
+ int cnt, ret;
+
+ stride = regmap_get_reg_stride(sec->m10bmc->regmap);
+ num_bits = FLASH_COUNT_SIZE * 8;
+
+ flash_buf = kmalloc(FLASH_COUNT_SIZE, GFP_KERNEL);
+ if (!flash_buf)
+ return -ENOMEM;
+
+ WARN_ON(FLASH_COUNT_SIZE % stride);
+ ret = regmap_bulk_read(sec->m10bmc->regmap, STAGING_FLASH_COUNT,
+ flash_buf, FLASH_COUNT_SIZE / stride);
+ if (ret) {
+ dev_err(sec->dev,
+ "failed to read flash count: %x cnt %x: %d\n",
+ STAGING_FLASH_COUNT, FLASH_COUNT_SIZE / stride, ret);
+ goto exit_free;
+ }
+ cnt = num_bits - bitmap_weight((unsigned long *)flash_buf, num_bits);
+
+exit_free:
+ kfree(flash_buf);
+
+ return ret ? : sysfs_emit(buf, "%u\n", cnt);
+}
+static DEVICE_ATTR_RO(flash_count);
+
static struct attribute *m10bmc_security_attrs[] = {
+ &dev_attr_flash_count.attr,
&dev_attr_bmc_root_entry_hash.attr,
&dev_attr_sr_root_entry_hash.attr,
&dev_attr_pr_root_entry_hash.attr,
--
2.25.1
On 5/16/22 09:19, Xu Yilun wrote:
> On Tue, May 10, 2022 at 12:56:32PM -0700, Russ Weight wrote:
>> Create a sub driver for the FPGA Card BMC in order to support secure
>> updates. This patch creates the Max10 BMC Secure Update driver
>> and provides sysfs files for displaying the current root entry hashes
>> for the FPGA static region, the FPGA PR region, and the card BMC.
> Could you describe a little more about what is the root entry, and how
> the root entry hashes (maybe also the cancel code signing key) work to
> ensure secure update?
Yes - I'll add some more descriptive text.
>
>> Signed-off-by: Russ Weight <[email protected]>
>> Reviewed-by: Tom Rix <[email protected]>
>> ---
>> v19:
>> - Change "card bmc" naming back to "m10 bmc" naming to be consistent
>> with the parent driver.
>> v18:
>> - Changed the ABI documentation for the Root Entry Hashes to specify
>> string as the format for the output.
>> - Updated comments, strings and config options to more consistently
>> refer to the driver as the Intel FPGA Card BMC Secure Update driver.
>> - Removed an instance of dev_dbg().
>> - Deferred the call to firmware_upload_register() to a later patch
>> where the required ops are provided. The bmc_sec_remove() function is
>> also removed from this patch and added in a later patch.
>> - Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
>> of additional cards to be supported by the same driver.
>> v17:
>> - Update the Date and KernelVersion for the ABI documentation to Jul 2022
>> and 5.19 respectively.
>> - Updated the copyright end-date to 2022 for the secure update driver.
>> - Change m10bmc to cardbmc to reflect the fact that the future devices
>> will not necessarily use the MAX10. This affects filenames, configs, and
>> symbol names.
>> - Removed references to the FPGA Image Load class driver and replaced
>> them with the new firmware-upload service from the firmware loader.
>> - Firmware upload requires a unique name for the firmware device. Use
>> xarray_alloc to generate a unique number to append to the name.
>> - Changed the license from GPL to GPLv2 per commit bf7fbeeae6db: 'module:
>> Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity'
>> v16:
>> - No Change
>> v15:
>> - Updated the Dates and KernelVersions in the ABI documentation
>> - Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
>> - Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
>> - Change instances of *bmc-secure to *bmc-sec-update in file name
>> and symbol names.
>> - Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
>> names.
>> - Change instances of *lops* to *ops* in symbol names.
>> v14:
>> - Changed symbol and text references to reflect the renaming of the
>> Security Manager Class driver to FPGA Image Load.
>> v13:
>> - Updated copyright to 2021
>> - Updated ABI documentation date and kernel version
>> - Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
>> functions instead of devm_fpga_sec_mgr_create() and
>> devm_fpga_sec_mgr_register().
>> v12:
>> - Updated Date and KernelVersion fields in ABI documentation
>> v11:
>> - Added Reviewed-by tag
>> v10:
>> - Changed the path expressions in the sysfs documentation to
>> replace the n3000 reference with something more generic to
>> accomodate other devices that use the same driver.
>> v9:
>> - Rebased to 5.12-rc2 next
>> - Updated Date and KernelVersion in ABI documentation
>> v8:
>> - Previously patch 2/6, otherwise no change
>> v7:
>> - Updated Date and KernelVersion in ABI documentation
>> v6:
>> - Added WARN_ON() call for (sha_num_bytes / stride) to assert
>> that the proper count is passed to regmap_bulk_read().
>> v5:
>> - No change
>> v4:
>> - Moved sysfs files for displaying the root entry hashes (REH)
>> from the FPGA Security Manager class driver to here. The
>> m10bmc_reh() and m10bmc_reh_size() functions are removed and
>> the functionality from these functions is moved into a
>> show_root_entry_hash() function for displaying the REHs.
>> - Added ABI documentation for the new sysfs entries:
>> sysfs-driver-intel-m10-bmc-secure
>> - Updated the MAINTAINERS file to add the new ABI documentation
>> file: sysfs-driver-intel-m10-bmc-secure
>> - Removed unnecessary ret variable from m10bmc_secure_probe()
>> - Incorporated new devm_fpga_sec_mgr_register() function into
>> m10bmc_secure_probe() and removed the m10bmc_secure_remove()
>> function.
>> v3:
>> - Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
>> - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
>> - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure
>> Update driver"
>> - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
>> underlying functions are now called directly.
>> - Changed "_root_entry_hash" to "_reh", with a comment explaining
>> what reh is.
>> v2:
>> - Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
>> - Switched to GENMASK(31, 16) for a couple of mask definitions.
>> - Moved MAX10 BMC address and function definitions to a separate
>> patch.
>> - Replaced small function-creation macros with explicit function
>> declarations.
>> - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
>> - Adapted to changes in the Intel FPGA Security Manager by splitting
>> the single call to ifpga_sec_mgr_register() into two function
>> calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
>> ---
>> .../sysfs-driver-intel-m10-bmc-sec-update | 29 ++++
>> MAINTAINERS | 7 +
>> drivers/fpga/Kconfig | 12 ++
>> drivers/fpga/Makefile | 3 +
>> drivers/fpga/intel-m10-bmc-sec-update.c | 133 ++++++++++++++++++
>> 5 files changed, 184 insertions(+)
>> create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
>> create mode 100644 drivers/fpga/intel-m10-bmc-sec-update.c
>>
>> diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
>> new file mode 100644
>> index 000000000000..2bb271695e14
>> --- /dev/null
>> +++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
>> @@ -0,0 +1,29 @@
>> +What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/sr_root_entry_hash
>> +Date: Jul 2022
>> +KernelVersion: 5.19
>> +Contact: Russ Weight <[email protected]>
>> +Description: Read only. Returns the root entry hash for the static
>> + region if one is programmed, else it returns the
>> + string: "hash not programmed". This file is only
>> + visible if the underlying device supports it.
>> + Format: string.
>> +
>> +What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/pr_root_entry_hash
>> +Date: Jul 2022
>> +KernelVersion: 5.19
>> +Contact: Russ Weight <[email protected]>
>> +Description: Read only. Returns the root entry hash for the partial
>> + reconfiguration region if one is programmed, else it
>> + returns the string: "hash not programmed". This file
>> + is only visible if the underlying device supports it.
>> + Format: string.
>> +
>> +What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/bmc_root_entry_hash
>> +Date: Jul 2022
>> +KernelVersion: 5.19
>> +Contact: Russ Weight <[email protected]>
>> +Description: Read only. Returns the root entry hash for the BMC image
>> + if one is programmed, else it returns the string:
>> + "hash not programmed". This file is only visible if the
>> + underlying device supports it.
>> + Format: string.
>> diff --git a/MAINTAINERS b/MAINTAINERS
>> index cf883b1ec852..759a7788dad9 100644
>> --- a/MAINTAINERS
>> +++ b/MAINTAINERS
>> @@ -7784,6 +7784,13 @@ F: Documentation/fpga/
>> F: drivers/fpga/
>> F: include/linux/fpga/
>>
>> +INTEL MAX10 BMC SECURE UPDATES
>> +M: Russ Weight <[email protected]>
>> +L: [email protected]
>> +S: Maintained
>> +F: Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
>> +F: drivers/fpga/intel-m10-bmc-sec-update.c
>> +
>> FPU EMULATOR
>> M: Bill Metzenthen <[email protected]>
>> S: Maintained
>> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
>> index 991b3f361ec9..0831eecc9a09 100644
>> --- a/drivers/fpga/Kconfig
>> +++ b/drivers/fpga/Kconfig
>> @@ -243,4 +243,16 @@ config FPGA_MGR_VERSAL_FPGA
>> configure the programmable logic(PL).
>>
>> To compile this as a module, choose M here.
>> +
>> +config FPGA_M10_BMC_SEC_UPDATE
>> + tristate "Intel MAX10 BMC Secure Update driver"
>> + depends on MFD_INTEL_M10_BMC && FW_UPLOAD
>> + help
>> + Secure update support for the Intel MAX10 board management
>> + controller.
>> +
>> + This is a subdriver of the Intel MAX10 board management controller
>> + (BMC) and provides support for secure updates for the BMC image,
>> + the FPGA image, the Root Entry Hashes, etc.
>> +
>> endif # FPGA
>> diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
>> index 5935b3d0abd5..139ac1b573d3 100644
>> --- a/drivers/fpga/Makefile
>> +++ b/drivers/fpga/Makefile
>> @@ -22,6 +22,9 @@ obj-$(CONFIG_FPGA_MGR_VERSAL_FPGA) += versal-fpga.o
>> obj-$(CONFIG_ALTERA_PR_IP_CORE) += altera-pr-ip-core.o
>> obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT) += altera-pr-ip-core-plat.o
>>
>> +# FPGA Secure Update Drivers
>> +obj-$(CONFIG_FPGA_M10_BMC_SEC_UPDATE) += intel-m10-bmc-sec-update.o
>> +
>> # FPGA Bridge Drivers
>> obj-$(CONFIG_FPGA_BRIDGE) += fpga-bridge.o
>> obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE) += altera-hps2fpga.o altera-fpga2sdram.o
>> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
>> new file mode 100644
>> index 000000000000..a36856d897c9
>> --- /dev/null
>> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
>> @@ -0,0 +1,133 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/*
>> + * Intel MAX10 Board Management Controller Secure Update Driver
>> + *
>> + * Copyright (C) 2019-2022 Intel Corporation. All rights reserved.
>> + *
>> + */
>> +#include <linux/bitfield.h>
>> +#include <linux/device.h>
>> +#include <linux/firmware.h>
>> +#include <linux/mfd/intel-m10-bmc.h>
>> +#include <linux/mod_devicetable.h>
>> +#include <linux/module.h>
>> +#include <linux/platform_device.h>
>> +#include <linux/slab.h>
>> +
>> +struct m10bmc_sec {
>> + struct device *dev;
>> + struct intel_m10bmc *m10bmc;
>> +};
>> +
>> +/* Root Entry Hash (REH) support */
>> +#define REH_SHA256_SIZE 32
>> +#define REH_SHA384_SIZE 48
>> +#define REH_MAGIC GENMASK(15, 0)
>> +#define REH_SHA_NUM_BYTES GENMASK(31, 16)
>> +
>> +static ssize_t
>> +show_root_entry_hash(struct device *dev, u32 exp_magic,
>> + u32 prog_addr, u32 reh_addr, char *buf)
>> +{
>> + struct m10bmc_sec *sec = dev_get_drvdata(dev);
>> + unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
> reverse xmax tree declarations is recommended. You may initiate the
> variable after declaration.
Yes - I'll make the change.
>
>> + int sha_num_bytes, i, ret, cnt = 0;
>> + u8 hash[REH_SHA384_SIZE];
>> + u32 magic;
>> +
>> + ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
>> + if (ret)
>> + return ret;
>> +
>> + if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
>> + return sysfs_emit(buf, "hash not programmed\n");
>> +
>> + sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
>> + if (sha_num_bytes != REH_SHA256_SIZE &&
>> + sha_num_bytes != REH_SHA384_SIZE) {
>> + dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
>> + sha_num_bytes);
>> + return -EINVAL;
>> + }
>> +
>> + WARN_ON(sha_num_bytes % stride);
> The user will still get the output value which is broken. So why not
> check the condition earlier, and stop user from accessing the interface
> if it cannot work.
Sure - I'll move the check into the if-conditional above and return
-EINVAL if it is true.
>
>> + ret = regmap_bulk_read(sec->m10bmc->regmap, reh_addr,
>> + hash, sha_num_bytes / stride);
>> + if (ret) {
>> + dev_err(dev, "failed to read root entry hash: %x cnt %x: %d\n",
>> + reh_addr, sha_num_bytes / stride, ret);
>> + return ret;
>> + }
>> +
>> + for (i = 0; i < sha_num_bytes; i++)
>> + cnt += sprintf(buf + cnt, "%02x", hash[i]);
>> + cnt += sprintf(buf + cnt, "\n");
>> +
>> + return cnt;
>> +}
>> +
>> +#define DEVICE_ATTR_SEC_REH_RO(_name, _magic, _prog_addr, _reh_addr) \
>> +static ssize_t _name##_root_entry_hash_show(struct device *dev, \
>> + struct device_attribute *attr, \
>> + char *buf) \
>> +{ return show_root_entry_hash(dev, _magic, _prog_addr, _reh_addr, buf); } \
>> +static DEVICE_ATTR_RO(_name##_root_entry_hash)
>> +
>> +DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
>> +DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
>> +DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
>> +
>> +static struct attribute *m10bmc_security_attrs[] = {
>> + &dev_attr_bmc_root_entry_hash.attr,
>> + &dev_attr_sr_root_entry_hash.attr,
>> + &dev_attr_pr_root_entry_hash.attr,
>> + NULL,
>> +};
>> +
>> +static struct attribute_group m10bmc_security_attr_group = {
>> + .name = "security",
>> + .attrs = m10bmc_security_attrs,
>> +};
>> +
>> +static const struct attribute_group *m10bmc_sec_attr_groups[] = {
>> + &m10bmc_security_attr_group,
>> + NULL,
>> +};
>> +
>> +#define SEC_UPDATE_LEN_MAX 32
>> +static int m10bmc_sec_probe(struct platform_device *pdev)
>> +{
>> + struct m10bmc_sec *sec;
>> +
>> + sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
>> + if (!sec)
>> + return -ENOMEM;
>> +
>> + sec->dev = &pdev->dev;
>> + sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
>> + dev_set_drvdata(&pdev->dev, sec);
>> +
>> + return 0;
>> +}
>> +
>> +static const struct platform_device_id intel_m10bmc_sec_ids[] = {
>> + {
>> + .name = "n3000bmc-sec-update",
>> + },
>> + { }
>> +};
> Please move the MODULE_DEVICE_TABLE() here, without blank lines.
OK - will do.
Thanks for the comments!
- Russ
> Thanks, Yilun
>> +
>> +static struct platform_driver intel_m10bmc_sec_driver = {
>> + .probe = m10bmc_sec_probe,
>> + .driver = {
>> + .name = "intel-m10bmc-sec-update",
>> + .dev_groups = m10bmc_sec_attr_groups,
>> + },
>> + .id_table = intel_m10bmc_sec_ids,
>> +};
>> +module_platform_driver(intel_m10bmc_sec_driver);
>> +
>> +MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
>> +MODULE_AUTHOR("Intel Corporation");
>> +MODULE_DESCRIPTION("Intel MAX10 BMC Secure Update");
>> +MODULE_LICENSE("GPL");
>> --
>> 2.25.1
On Tue, May 10, 2022 at 12:56:32PM -0700, Russ Weight wrote:
> Create a sub driver for the FPGA Card BMC in order to support secure
> updates. This patch creates the Max10 BMC Secure Update driver
> and provides sysfs files for displaying the current root entry hashes
> for the FPGA static region, the FPGA PR region, and the card BMC.
Could you describe a little more about what is the root entry, and how
the root entry hashes (maybe also the cancel code signing key) work to
ensure secure update?
>
> Signed-off-by: Russ Weight <[email protected]>
> Reviewed-by: Tom Rix <[email protected]>
> ---
> v19:
> - Change "card bmc" naming back to "m10 bmc" naming to be consistent
> with the parent driver.
> v18:
> - Changed the ABI documentation for the Root Entry Hashes to specify
> string as the format for the output.
> - Updated comments, strings and config options to more consistently
> refer to the driver as the Intel FPGA Card BMC Secure Update driver.
> - Removed an instance of dev_dbg().
> - Deferred the call to firmware_upload_register() to a later patch
> where the required ops are provided. The bmc_sec_remove() function is
> also removed from this patch and added in a later patch.
> - Switched from MODULE_ALIAS() to MODULE_DEVICE_TABLE() in anticipation
> of additional cards to be supported by the same driver.
> v17:
> - Update the Date and KernelVersion for the ABI documentation to Jul 2022
> and 5.19 respectively.
> - Updated the copyright end-date to 2022 for the secure update driver.
> - Change m10bmc to cardbmc to reflect the fact that the future devices
> will not necessarily use the MAX10. This affects filenames, configs, and
> symbol names.
> - Removed references to the FPGA Image Load class driver and replaced
> them with the new firmware-upload service from the firmware loader.
> - Firmware upload requires a unique name for the firmware device. Use
> xarray_alloc to generate a unique number to append to the name.
> - Changed the license from GPL to GPLv2 per commit bf7fbeeae6db: 'module:
> Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity'
> v16:
> - No Change
> v15:
> - Updated the Dates and KernelVersions in the ABI documentation
> - Change driver name from "n3000bmc-secure" to "n3000bmc-sec-update".
> - Change CONFIG_FPGA_M10_BMC_SECURE to CONFIG_FPGA_M10_BMC_SEC_UPDATE.
> - Change instances of *bmc-secure to *bmc-sec-update in file name
> and symbol names.
> - Change instances of *m10bmc_secure* to *m10bmc-sec_update* in symbol
> names.
> - Change instances of *lops* to *ops* in symbol names.
> v14:
> - Changed symbol and text references to reflect the renaming of the
> Security Manager Class driver to FPGA Image Load.
> v13:
> - Updated copyright to 2021
> - Updated ABI documentation date and kernel version
> - Call updated fpga_sec_mgr_register() and fpga_sec_mgr_unregister()
> functions instead of devm_fpga_sec_mgr_create() and
> devm_fpga_sec_mgr_register().
> v12:
> - Updated Date and KernelVersion fields in ABI documentation
> v11:
> - Added Reviewed-by tag
> v10:
> - Changed the path expressions in the sysfs documentation to
> replace the n3000 reference with something more generic to
> accomodate other devices that use the same driver.
> v9:
> - Rebased to 5.12-rc2 next
> - Updated Date and KernelVersion in ABI documentation
> v8:
> - Previously patch 2/6, otherwise no change
> v7:
> - Updated Date and KernelVersion in ABI documentation
> v6:
> - Added WARN_ON() call for (sha_num_bytes / stride) to assert
> that the proper count is passed to regmap_bulk_read().
> v5:
> - No change
> v4:
> - Moved sysfs files for displaying the root entry hashes (REH)
> from the FPGA Security Manager class driver to here. The
> m10bmc_reh() and m10bmc_reh_size() functions are removed and
> the functionality from these functions is moved into a
> show_root_entry_hash() function for displaying the REHs.
> - Added ABI documentation for the new sysfs entries:
> sysfs-driver-intel-m10-bmc-secure
> - Updated the MAINTAINERS file to add the new ABI documentation
> file: sysfs-driver-intel-m10-bmc-secure
> - Removed unnecessary ret variable from m10bmc_secure_probe()
> - Incorporated new devm_fpga_sec_mgr_register() function into
> m10bmc_secure_probe() and removed the m10bmc_secure_remove()
> function.
> v3:
> - Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
> - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
> - Changed "MAX10 BMC Secure Engine driver" to "MAX10 BMC Secure
> Update driver"
> - Removed wrapper functions (m10bmc_raw_*, m10bmc_sys_*). The
> underlying functions are now called directly.
> - Changed "_root_entry_hash" to "_reh", with a comment explaining
> what reh is.
> v2:
> - Added drivers/fpga/intel-m10-bmc-secure.c file to MAINTAINERS.
> - Switched to GENMASK(31, 16) for a couple of mask definitions.
> - Moved MAX10 BMC address and function definitions to a separate
> patch.
> - Replaced small function-creation macros with explicit function
> declarations.
> - Removed ifpga_sec_mgr_init() and ifpga_sec_mgr_uinit() functions.
> - Adapted to changes in the Intel FPGA Security Manager by splitting
> the single call to ifpga_sec_mgr_register() into two function
> calls: devm_ifpga_sec_mgr_create() and ifpga_sec_mgr_register().
> ---
> .../sysfs-driver-intel-m10-bmc-sec-update | 29 ++++
> MAINTAINERS | 7 +
> drivers/fpga/Kconfig | 12 ++
> drivers/fpga/Makefile | 3 +
> drivers/fpga/intel-m10-bmc-sec-update.c | 133 ++++++++++++++++++
> 5 files changed, 184 insertions(+)
> create mode 100644 Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> create mode 100644 drivers/fpga/intel-m10-bmc-sec-update.c
>
> diff --git a/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> new file mode 100644
> index 000000000000..2bb271695e14
> --- /dev/null
> +++ b/Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> @@ -0,0 +1,29 @@
> +What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/sr_root_entry_hash
> +Date: Jul 2022
> +KernelVersion: 5.19
> +Contact: Russ Weight <[email protected]>
> +Description: Read only. Returns the root entry hash for the static
> + region if one is programmed, else it returns the
> + string: "hash not programmed". This file is only
> + visible if the underlying device supports it.
> + Format: string.
> +
> +What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/pr_root_entry_hash
> +Date: Jul 2022
> +KernelVersion: 5.19
> +Contact: Russ Weight <[email protected]>
> +Description: Read only. Returns the root entry hash for the partial
> + reconfiguration region if one is programmed, else it
> + returns the string: "hash not programmed". This file
> + is only visible if the underlying device supports it.
> + Format: string.
> +
> +What: /sys/bus/platform/drivers/intel-m10bmc-sec-update/.../security/bmc_root_entry_hash
> +Date: Jul 2022
> +KernelVersion: 5.19
> +Contact: Russ Weight <[email protected]>
> +Description: Read only. Returns the root entry hash for the BMC image
> + if one is programmed, else it returns the string:
> + "hash not programmed". This file is only visible if the
> + underlying device supports it.
> + Format: string.
> diff --git a/MAINTAINERS b/MAINTAINERS
> index cf883b1ec852..759a7788dad9 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -7784,6 +7784,13 @@ F: Documentation/fpga/
> F: drivers/fpga/
> F: include/linux/fpga/
>
> +INTEL MAX10 BMC SECURE UPDATES
> +M: Russ Weight <[email protected]>
> +L: [email protected]
> +S: Maintained
> +F: Documentation/ABI/testing/sysfs-driver-intel-m10-bmc-sec-update
> +F: drivers/fpga/intel-m10-bmc-sec-update.c
> +
> FPU EMULATOR
> M: Bill Metzenthen <[email protected]>
> S: Maintained
> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
> index 991b3f361ec9..0831eecc9a09 100644
> --- a/drivers/fpga/Kconfig
> +++ b/drivers/fpga/Kconfig
> @@ -243,4 +243,16 @@ config FPGA_MGR_VERSAL_FPGA
> configure the programmable logic(PL).
>
> To compile this as a module, choose M here.
> +
> +config FPGA_M10_BMC_SEC_UPDATE
> + tristate "Intel MAX10 BMC Secure Update driver"
> + depends on MFD_INTEL_M10_BMC && FW_UPLOAD
> + help
> + Secure update support for the Intel MAX10 board management
> + controller.
> +
> + This is a subdriver of the Intel MAX10 board management controller
> + (BMC) and provides support for secure updates for the BMC image,
> + the FPGA image, the Root Entry Hashes, etc.
> +
> endif # FPGA
> diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
> index 5935b3d0abd5..139ac1b573d3 100644
> --- a/drivers/fpga/Makefile
> +++ b/drivers/fpga/Makefile
> @@ -22,6 +22,9 @@ obj-$(CONFIG_FPGA_MGR_VERSAL_FPGA) += versal-fpga.o
> obj-$(CONFIG_ALTERA_PR_IP_CORE) += altera-pr-ip-core.o
> obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT) += altera-pr-ip-core-plat.o
>
> +# FPGA Secure Update Drivers
> +obj-$(CONFIG_FPGA_M10_BMC_SEC_UPDATE) += intel-m10-bmc-sec-update.o
> +
> # FPGA Bridge Drivers
> obj-$(CONFIG_FPGA_BRIDGE) += fpga-bridge.o
> obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE) += altera-hps2fpga.o altera-fpga2sdram.o
> diff --git a/drivers/fpga/intel-m10-bmc-sec-update.c b/drivers/fpga/intel-m10-bmc-sec-update.c
> new file mode 100644
> index 000000000000..a36856d897c9
> --- /dev/null
> +++ b/drivers/fpga/intel-m10-bmc-sec-update.c
> @@ -0,0 +1,133 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Intel MAX10 Board Management Controller Secure Update Driver
> + *
> + * Copyright (C) 2019-2022 Intel Corporation. All rights reserved.
> + *
> + */
> +#include <linux/bitfield.h>
> +#include <linux/device.h>
> +#include <linux/firmware.h>
> +#include <linux/mfd/intel-m10-bmc.h>
> +#include <linux/mod_devicetable.h>
> +#include <linux/module.h>
> +#include <linux/platform_device.h>
> +#include <linux/slab.h>
> +
> +struct m10bmc_sec {
> + struct device *dev;
> + struct intel_m10bmc *m10bmc;
> +};
> +
> +/* Root Entry Hash (REH) support */
> +#define REH_SHA256_SIZE 32
> +#define REH_SHA384_SIZE 48
> +#define REH_MAGIC GENMASK(15, 0)
> +#define REH_SHA_NUM_BYTES GENMASK(31, 16)
> +
> +static ssize_t
> +show_root_entry_hash(struct device *dev, u32 exp_magic,
> + u32 prog_addr, u32 reh_addr, char *buf)
> +{
> + struct m10bmc_sec *sec = dev_get_drvdata(dev);
> + unsigned int stride = regmap_get_reg_stride(sec->m10bmc->regmap);
reverse xmax tree declarations is recommended. You may initiate the
variable after declaration.
> + int sha_num_bytes, i, ret, cnt = 0;
> + u8 hash[REH_SHA384_SIZE];
> + u32 magic;
> +
> + ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
> + if (ret)
> + return ret;
> +
> + if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
> + return sysfs_emit(buf, "hash not programmed\n");
> +
> + sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
> + if (sha_num_bytes != REH_SHA256_SIZE &&
> + sha_num_bytes != REH_SHA384_SIZE) {
> + dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
> + sha_num_bytes);
> + return -EINVAL;
> + }
> +
> + WARN_ON(sha_num_bytes % stride);
The user will still get the output value which is broken. So why not
check the condition earlier, and stop user from accessing the interface
if it cannot work.
> + ret = regmap_bulk_read(sec->m10bmc->regmap, reh_addr,
> + hash, sha_num_bytes / stride);
> + if (ret) {
> + dev_err(dev, "failed to read root entry hash: %x cnt %x: %d\n",
> + reh_addr, sha_num_bytes / stride, ret);
> + return ret;
> + }
> +
> + for (i = 0; i < sha_num_bytes; i++)
> + cnt += sprintf(buf + cnt, "%02x", hash[i]);
> + cnt += sprintf(buf + cnt, "\n");
> +
> + return cnt;
> +}
> +
> +#define DEVICE_ATTR_SEC_REH_RO(_name, _magic, _prog_addr, _reh_addr) \
> +static ssize_t _name##_root_entry_hash_show(struct device *dev, \
> + struct device_attribute *attr, \
> + char *buf) \
> +{ return show_root_entry_hash(dev, _magic, _prog_addr, _reh_addr, buf); } \
> +static DEVICE_ATTR_RO(_name##_root_entry_hash)
> +
> +DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
> +DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
> +DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
> +
> +static struct attribute *m10bmc_security_attrs[] = {
> + &dev_attr_bmc_root_entry_hash.attr,
> + &dev_attr_sr_root_entry_hash.attr,
> + &dev_attr_pr_root_entry_hash.attr,
> + NULL,
> +};
> +
> +static struct attribute_group m10bmc_security_attr_group = {
> + .name = "security",
> + .attrs = m10bmc_security_attrs,
> +};
> +
> +static const struct attribute_group *m10bmc_sec_attr_groups[] = {
> + &m10bmc_security_attr_group,
> + NULL,
> +};
> +
> +#define SEC_UPDATE_LEN_MAX 32
> +static int m10bmc_sec_probe(struct platform_device *pdev)
> +{
> + struct m10bmc_sec *sec;
> +
> + sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
> + if (!sec)
> + return -ENOMEM;
> +
> + sec->dev = &pdev->dev;
> + sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
> + dev_set_drvdata(&pdev->dev, sec);
> +
> + return 0;
> +}
> +
> +static const struct platform_device_id intel_m10bmc_sec_ids[] = {
> + {
> + .name = "n3000bmc-sec-update",
> + },
> + { }
> +};
Please move the MODULE_DEVICE_TABLE() here, without blank lines.
Thanks,
Yilun
> +
> +static struct platform_driver intel_m10bmc_sec_driver = {
> + .probe = m10bmc_sec_probe,
> + .driver = {
> + .name = "intel-m10bmc-sec-update",
> + .dev_groups = m10bmc_sec_attr_groups,
> + },
> + .id_table = intel_m10bmc_sec_ids,
> +};
> +module_platform_driver(intel_m10bmc_sec_driver);
> +
> +MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
> +MODULE_AUTHOR("Intel Corporation");
> +MODULE_DESCRIPTION("Intel MAX10 BMC Secure Update");
> +MODULE_LICENSE("GPL");
> --
> 2.25.1