Subject: Re: [PATCH v3 00/27] Thunderbolt security levels and NVM firmware upgrade
From: Andy Shevchenko
To: Mika Westerberg, Greg Kroah-Hartman
Cc: Andreas Noever, Michael Jamet, Yehezkel Bernat, Lukas Wunner, Amir Levy, Andy Lutomirski, Mario.Limonciello@dell.com, Jared.Dominguez@dell.com, linux-kernel@vger.kernel.org
Date: Fri, 02 Jun 2017 20:58:59 +0300
Message-ID: <1496426339.28981.65.camel@linux.intel.com>
In-Reply-To: <20170602140524.23367-1-mika.westerberg@linux.intel.com>

On Fri, 2017-06-02 at 17:04 +0300, Mika Westerberg wrote:
> Hi,
>
> This is a third version of the patch series adding support for Thunderbolt
> security levels and NVM firmware upgrade. PCs running Intel Falcon Ridge or
> newer need these in order to connect devices if the security level is set
> to "user(SL1) or secure(SL2)" from BIOS.
>
> The security levels were added to prevent DMA attacks when PCIe is
> tunneled over Thunderbolt fabric where IOMMU is not available or cannot be
> enabled for different reasons.
>
> This series converts the Thunderbolt driver to a Linux bus and makes each
> Thunderbolt device (aka Thunderbolt switch or router or endpoint) a Linux
> device which is connected to that bus addressed by their routing string
> (this is the addressing Thunderbolt uses).
>
> With these patches the user can authorize devices using sysfs attributes
> like (following USB):
>
>   # echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized
>
> If the BIOS security level is set to "secure" and the device supports
> secure connect, on the first connect the device is uploaded a random key:
>
>   # key=$(openssl rand -hex 32)
>   # echo $key > /sys/bus/thunderbolt/devices/0-1/key
>   # echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized
>
> Next time the device is plugged in the user can verify (challenge) the
> device using the same key:
>
>   # echo $key > /sys/bus/thunderbolt/devices/0-1/key
>   # echo 2 > /sys/bus/thunderbolt/devices/0-1/authorized
>
> The device identification information is found below each device sysfs
> node and includes the following attributes:
>
>   device      - Device ID
>   device_name - Name of the device
>   vendor      - Vendor ID
>   vendor_name - Name of the vendor
>   unique_id   - Unique ID string identifying this particular device
>
> In addition these patches add support for upgrading NVM firmware running on
> a host or device by running something like:
>
>   # dd if=KYK_TBT_FW_0018.bin of=/sys/bus/thunderbolt/devices/0-0/nvm_non_active0/nvmem
>   # echo 1 > /sys/bus/thunderbolt/devices/0-0/nvm_authenticate
>
> More information how to use the Thunderbolt bus can be found in patch
> [26/27].
>
> Where Internal Connection Manager (ICM) firmware is available and usable,
> we use it in the driver. This also includes newer Apple Macbooks with
> Alpine Ridge.
> For older Macbooks the driver works as before but in addition the
> Thunderbolt bus is available there as well (including the possibility to
> upgrade NVM firmware of connected devices).
>
> Note for Macs the Linux native PCIe hotplug support does not work well with
> the Thunderbolt PCIe topologies where there is need to put all available
> resources to the PCIe downstream port where the PCIe chain is extended.
> This is something we need to fix. In the meantime there is a way to work
> around it by passing "pci=hpbussize=10,hpmemsize=2M" or so to the kernel
> command line.
>
> Regarding Christoph's UUID series here [1], they now include the existing
> types for backwards compatibility so this series compiles and works fine
> with them. We will convert the Thunderbolt driver to use these new types
> once that series hits mainline.
>
> Andreas and Lukas, do you have any comments or concerns regarding this
> series?
>
> We are currently porting Amir's network driver on top of the Thunderbolt
> bus.
>
> The previous version (v2) can be found in [2].
>
> [1] http://git.infradead.org/users/hch/misc.git/shortlog/refs/heads/uuid-types
> [2] https://lwn.net/Articles/723935/
>

Awesome work, Mika! Have no more to comment.

> Changes from the previous version (v2):
>
> [PATCH v2 03/27] thunderbolt: Do not try to read UID if DROM offset is
> read as 0
>   - Add Suggested-by Andreas
>
> [PATCH v2 07/27] thunderbolt: Allow passing NULL to tb_ctl_free()
>   - Add Suggested-by Andy
>
> [PATCH v2 09/27] thunderbolt: Convert switch to a device
>   - Rework comment regarding UUID to mention that it is not strictly
>     following rules of UUID format.
>   - Update Documentation/ABI/testing/sysfs-bus-thunderbolt unique_id
>     attribute description accordingly.
>
> [PATCH v2 12/27] thunderbolt: Refactor and fix parsing of port drom
> entries
>   - Add Reviewed-by Andy
>
> [PATCH v2 13/27] thunderbolt: Read vendor and device name from DROM
>   - Use kstrndup() instead and drop parse_name()
>
> [PATCH v2 21/27] thunderbolt: Store Thunderbolt generation in the
> switch structure
>   - Make the unknown switch defaulting to generation 1 more explicit
>   - Add Reviewed-by Andy
>
> [PATCH v2 24/27] thunderbolt: Add support for Internal Connection
> Manager (ICM)
>   - Allow secure connect only when BIOS setting is in "secure
>     connect/SL2" to follow what Windows does.
>
> [PATCH v2 25/27] thunderbolt: Add support for host and device NVM
> firmware upgrade
>   - Add check for sw->nvm in nvm_authenticate_store() to prevent NULL
>     pointer dereference when NVMem devices are not yet added.
>
> [PATCH v2 26/27] thunderbolt: Add documentation how Thunderbolt bus
> can be used
>   - Update documentation to mention that secure connect is only
>     available when the BIOS setting is in "secure connect/SL2".
>
> Lukas Wunner (1):
>   thunderbolt: Refactor and fix parsing of port drom entries
>
> Mika Westerberg (26):
>   thunderbolt: Use const buffer pointer in write operations
>   thunderbolt: No need to read UID of the root switch on resume
>   thunderbolt: Do not try to read UID if DROM offset is read as 0
>   thunderbolt: Do not warn about newer DROM versions
>   thunderbolt: Add MSI-X support
>   thunderbolt: Rework capability handling
>   thunderbolt: Allow passing NULL to tb_ctl_free()
>   thunderbolt: Introduce thunderbolt bus and connection manager
>   thunderbolt: Convert switch to a device
>   thunderbolt: Fail switch adding operation if reading DROM fails
>   thunderbolt: Do not fail if DROM data CRC32 is invalid
>   thunderbolt: Read vendor and device name from DROM
>   thunderbolt: Move control channel messages to tb_msgs.h
>   thunderbolt: Expose get_route() to other files
>   thunderbolt: Expose make_header() to other files
>   thunderbolt: Let the connection manager handle all notifications
>   thunderbolt: Rework control channel to be more reliable
>   thunderbolt: Add new Thunderbolt PCI IDs
>   thunderbolt: Add support for NHI mailbox
>   thunderbolt: Store Thunderbolt generation in the switch structure
>   thunderbolt: Add support for DMA configuration based mailbox
>   thunderbolt: Do not touch the hardware if the NHI is gone on resume
>   thunderbolt: Add support for Internal Connection Manager (ICM)
>   thunderbolt: Add support for host and device NVM firmware upgrade
>   thunderbolt: Add documentation how Thunderbolt bus can be used
>   MAINTAINERS: Add maintainers for Thunderbolt driver
>
>  Documentation/ABI/testing/sysfs-bus-thunderbolt |  110 +++
>  Documentation/admin-guide/index.rst             |    1 +
>  Documentation/admin-guide/thunderbolt.rst       |  199 ++++
>  MAINTAINERS                                     |    3 +
>  drivers/thunderbolt/Kconfig                     |   13 +-
>  drivers/thunderbolt/Makefile                    |    2 +-
>  drivers/thunderbolt/cap.c                       |  169 ++--
>  drivers/thunderbolt/ctl.c                       |  665 +++++++++----
>  drivers/thunderbolt/ctl.h                       |  105 +-
>  drivers/thunderbolt/dma_port.c                  |  524 ++++++++++
>  drivers/thunderbolt/dma_port.h                  |   34 +
>  drivers/thunderbolt/domain.c                    |  455 +++++++++
>  drivers/thunderbolt/eeprom.c                    |  119 ++-
>  drivers/thunderbolt/icm.c                       | 1089 +++++++++++++++++++++
>  drivers/thunderbolt/nhi.c                       |  306 +++++-
>  drivers/thunderbolt/nhi.h                       |   93 +-
>  drivers/thunderbolt/nhi_regs.h                  |   27 +
>  drivers/thunderbolt/switch.c                    | 1178 +++++++++++++++++++++--
>  drivers/thunderbolt/tb.c                        |  237 +++--
>  drivers/thunderbolt/tb.h                        |  251 ++++-
>  drivers/thunderbolt/tb_msgs.h                   |  260 +++++
>  drivers/thunderbolt/tb_regs.h                   |   50 +-
>  drivers/thunderbolt/tunnel_pci.c                |   17 +-
>  23 files changed, 5323 insertions(+), 584 deletions(-)
>  create mode 100644 Documentation/ABI/testing/sysfs-bus-thunderbolt
>  create mode 100644 Documentation/admin-guide/thunderbolt.rst
>  create mode 100644 drivers/thunderbolt/dma_port.c
>  create mode 100644 drivers/thunderbolt/dma_port.h
>  create mode 100644 drivers/thunderbolt/domain.c
>  create mode 100644 drivers/thunderbolt/icm.c
>  create mode 100644 drivers/thunderbolt/tb_msgs.h

-- 
Andy Shevchenko
Intel Finland Oy
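The key enrollment and challenge sequence quoted in the cover letter, wrapped in a POSIX shell helper as an added example; this is not code from the mail or from the patch series. It uses only the sysfs attributes the cover letter names (unique_id, key, authorized and the identification attributes). The TB_SYSFS variable (a hypothetical override of /sys/bus/thunderbolt/devices so the helper can be exercised against a scratch directory), the key directory argument and the tb_* function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: enroll a Thunderbolt device with a random key on first
# connect and challenge it with the stored key on later connects, following
# the sysfs procedure described in the cover letter.
# TB_SYSFS is a hypothetical override of the bus path (for testing against a
# scratch directory); keys are kept under a caller-supplied directory, one
# file per unique_id, readable only by the owner.

TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"

# Generate a 32-byte key as 64 hex digits, with openssl as in the cover
# letter, falling back to /dev/urandom where openssl is not installed.
tb_gen_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
    fi
}

# Accept a key only as exactly 64 hex digits (32 bytes); anything else is
# refused before it is written to the device.
tb_valid_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# Print the identification attributes of one device (e.g. "0-1").
tb_describe() {
    dev="$TB_SYSFS/$1"
    [ -d "$dev" ] || { echo "tb: no such device $1" >&2; return 1; }
    for attr in vendor vendor_name device device_name unique_id authorized; do
        [ -r "$dev/$attr" ] && printf '%s=%s\n' "$attr" "$(cat "$dev/$attr")"
    done
    return 0
}

# First connect in secure mode: generate a key, store it under the key
# directory by the device's unique_id, upload it via the key attribute and
# authorize (write 1).
tb_enroll() {
    dev="$TB_SYSFS/$1"; keydir="$2"
    uid=$(cat "$dev/unique_id") || return 1
    key=$(tb_gen_key)
    tb_valid_key "$key" || { echo "tb: bad key generated" >&2; return 1; }
    (umask 077 && mkdir -p "$keydir" && printf '%s\n' "$key" > "$keydir/$uid") || return 1
    printf '%s' "$key" > "$dev/key" || return 1
    echo 1 > "$dev/authorized"
}

# Later connect: present the stored key and ask the device to prove it holds
# the same one (write 2). If no key is on record for this unique_id the
# helper refuses rather than falling back to plain authorization.
tb_challenge() {
    dev="$TB_SYSFS/$1"; keydir="$2"
    uid=$(cat "$dev/unique_id") || return 1
    keyfile="$keydir/$uid"
    [ -r "$keyfile" ] || { echo "tb: no stored key for $uid, refusing to authorize" >&2; return 2; }
    key=$(cat "$keyfile")
    tb_valid_key "$key" || { echo "tb: stored key for $uid is malformed" >&2; return 1; }
    printf '%s' "$key" > "$dev/key" || return 1
    echo 2 > "$dev/authorized"
}
```

On a host running the driver this is used as root, for instance `tb_enroll 0-1 /var/lib/tb-keys` the first time a device is connected and `tb_challenge 0-1 /var/lib/tb-keys` on every later connect. Keying the stored secret on unique_id rather than on the sysfs name (0-1) matters because the routing-string name depends on the port the device is plugged into, while unique_id identifies the device itself; refusing to authorize a device with no stored key keeps an unrecognised device from being accepted without a challenge.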