Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
IronPort-SDR: aw8mVPMcmf3rfSJ5RBl3FfgFyVRCT/TG34RgPMeNFtiEKYZhz7xJLoaCN49uf/s/2gvEjRRei+
 XKtnPE6K/1YQ==
IronPort-SDR: Nml14h2uH1cZNs6N8ThrPHp31nnOazMrBC7rvlq/2nhL7EPYZuNgdCeJNX3zkEmIXzaLl6lJ5j
 H7PstkFl5H5w==
Subject: Re: [PATCH v5 1/7] fpga: sec-mgr: intel fpga security manager class
 driver
To:     Moritz Fischer <mdf@kernel.org>
Cc:     linux-fpga@vger.kernel.org, linux-kernel@vger.kernel.org,
        trix@redhat.com, lgoncalv@redhat.com, yilun.xu@intel.com,
        hao.wu@intel.com, matthew.gerlach@intel.com
References: <20201021001650.13978-1-russell.h.weight@intel.com>
 <20201021001650.13978-2-russell.h.weight@intel.com>
 <6131c200-c557-ec63-43a1-8823d6e970ba@intel.com>
 <20201025191252.GA760290@epycbox.lan>
From:   Russ Weight <russell.h.weight@intel.com>
Message-ID: <e89b084a-8431-caab-2f95-046ad85a4544@intel.com>
Date:   Mon, 26 Oct 2020 16:00:40 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <20201025191252.GA760290@epycbox.lan>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Precedence: bulk


On 10/25/20 12:12 PM, Moritz Fischer wrote:
> Hi Russ,
>
> On Tue, Oct 20, 2020 at 05:31:12PM -0700, Russ Weight wrote:
>> I see that I need to remove "intel" from the subject line on this patch.
>> I'll take care of that.
>>
>> I still have an outstanding question about treating a class-driver as a
>> managed resource of the parent device. I'm reposting the question inline.
> Yes please.
>> On 10/20/20 5:16 PM, Russ Weight wrote:
>>> Create the FPGA Security Manager class driver. The security
>>> manager provides interfaces to manage secure updates for the
>>> FPGA and BMC images that are stored in FLASH. The driver can
>>> also be used to update root entry hashes and to cancel code
>>> signing keys.
>>>
>>> This patch creates the class driver and provides sysfs
>>> interfaces for displaying root entry hashes, canceled code
>>> signing keys and flash counts.
>>>
>>> Signed-off-by: Russ Weight <russell.h.weight@intel.com>
>>> Signed-off-by: Xu Yilun <yilun.xu@intel.com>
>>> Reviewed-by: Tom Rix <trix@redhat.com>
>>> ---
>>> v5:
>>>   - Added the devm_fpga_sec_mgr_unregister() function, following recent
>>>     changes to the fpga_manager() implementation.
>>>   - Changed some *_show() functions to use sysfs_emit() instead of sprintf(
>>> v4:
>>>   - Changed from "Intel FPGA Security Manager" to FPGA Security Manager"
>>>     and removed unnecessary references to "Intel".
>>>   - Changed: iops -> sops, imgr -> smgr, IFPGA_ -> FPGA_, ifpga_ to fpga_
>>> v3:
>>>   - Modified sysfs handler check in check_sysfs_handler() to make
>>>     it more readable.
>>> v2:
>>>   - Bumped documentation dates and versions
>>>   - Added Documentation/fpga/ifpga-sec-mgr.rst 
>>>   - Removed references to bmc_flash_count & smbus_flash_count (not supported)
>>>   - Split ifpga_sec_mgr_register() into create() and register() functions
>>>   - Added devm_ifpga_sec_mgr_create()
>>>   - Removed typedefs for imgr ops
>>> ---
>>>  .../ABI/testing/sysfs-class-fpga-sec-mgr      |  67 +++
>>>  Documentation/fpga/fpga-sec-mgr.rst           |  50 ++
>>>  Documentation/fpga/index.rst                  |   1 +
>>>  MAINTAINERS                                   |   9 +
>>>  drivers/fpga/Kconfig                          |   9 +
>>>  drivers/fpga/Makefile                         |   3 +
>>>  drivers/fpga/fpga-sec-mgr.c                   | 487 ++++++++++++++++++
>>>  include/linux/fpga/fpga-sec-mgr.h             |  83 +++
>>>  8 files changed, 709 insertions(+)
>>>  create mode 100644 Documentation/ABI/testing/sysfs-class-fpga-sec-mgr
>>>  create mode 100644 Documentation/fpga/fpga-sec-mgr.rst
>>>  create mode 100644 drivers/fpga/fpga-sec-mgr.c
>>>  create mode 100644 include/linux/fpga/fpga-sec-mgr.h
>>>
>>> diff --git a/Documentation/ABI/testing/sysfs-class-fpga-sec-mgr b/Documentation/ABI/testing/sysfs-class-fpga-sec-mgr
>>> new file mode 100644
>>> index 000000000000..843f0b58f171
>>> --- /dev/null
>>> +++ b/Documentation/ABI/testing/sysfs-class-fpga-sec-mgr
>>> @@ -0,0 +1,67 @@
>>> +What: 		/sys/class/fpga_sec_mgr/fpga_secX/name
>>> +Date:		Oct 2020
>>> +KernelVersion:  5.11
>>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>>> +Description:	Name of low level fpga security manager driver.
>>> +
>>> +What: 		/sys/class/fpga_sec_mgr/fpga_secX/security/sr_root_entry_hash
>>> +Date:		Oct 2020
>>> +KernelVersion:  5.11
>>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>>> +Description:	Read only. Returns the root entry hash for the static
>>> +		region if one is programmed, else it returns the
>>> +		string: "hash not programmed".  This file is only
>>> +		visible if the underlying device supports it.
>>> +		Format: "0x%x".
>>> +
>>> +What: 		/sys/class/fpga_sec_mgr/fpga_secX/security/pr_root_entry_hash
>>> +Date:		Oct 2020
>>> +KernelVersion:  5.11
>>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>>> +Description:	Read only. Returns the root entry hash for the partial
>>> +		reconfiguration region if one is programmed, else it
>>> +		returns the string: "hash not programmed".  This file
>>> +		is only visible if the underlying device supports it.
>>> +		Format: "0x%x".
>>> +
>>> +What: 		/sys/class/fpga_sec_mgr/fpga_secX/security/bmc_root_entry_hash
>>> +Date:		Oct 2020
>>> +KernelVersion:  5.11
>>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>>> +Description:	Read only. Returns the root entry hash for the BMC image
>>> +		if one is programmed, else it returns the string:
>>> +		"hash not programmed".  This file is only visible if the
>>> +		underlying device supports it.
>>> +		Format: "0x%x".
>>> +
>>> +What: 		/sys/class/fpga_sec_mgr/fpga_secX/security/sr_canceled_csks
>>> +Date:		Oct 2020
>>> +KernelVersion:  5.11
>>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>>> +Description:	Read only. Returns a list of indices for canceled code
>>> +		signing keys for the static region. The standard bitmap
>>> +		list format is used (e.g. "1,2-6,9").
>>> +
>>> +What: 		/sys/class/fpga_sec_mgr/fpga_secX/security/pr_canceled_csks
>>> +Date:		Oct 2020
>>> +KernelVersion:  5.11
>>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>>> +Description:	Read only. Returns a list of indices for canceled code
>>> +		signing keys for the partial reconfiguration region. The
>>> +		standard bitmap list format is used (e.g. "1,2-6,9").
>>> +
>>> +What: 		/sys/class/fpga_sec_mgr/fpga_secX/security/bmc_canceled_csks
>>> +Date:		Oct 2020
>>> +KernelVersion:  5.11
>>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>>> +Description:	Read only. Returns a list of indices for canceled code
>>> +		signing keys for the BMC.  The standard bitmap list format
>>> +		is used (e.g. "1,2-6,9").
>>> +
>>> +What: 		/sys/class/fpga_sec_mgr/fpga_secX/security/user_flash_count
>>> +Date:		Oct 2020
>>> +KernelVersion:  5.11
>>> +Contact:	Russ Weight <russell.h.weight@intel.com>
>>> +Description:	Read only. Returns number of times the user image for the
>>> +		static region has been flashed.
>>> +		Format: "%u".
>>> diff --git a/Documentation/fpga/fpga-sec-mgr.rst b/Documentation/fpga/fpga-sec-mgr.rst
>>> new file mode 100644
>>> index 000000000000..4a1d6519b1d3
>>> --- /dev/null
>>> +++ b/Documentation/fpga/fpga-sec-mgr.rst
>>> @@ -0,0 +1,50 @@
>>> +.. SPDX-License-Identifier: GPL-2.0
>>> +
>>> +========================================
>>> +FPGA Security Manager Class Driver
>>> +========================================
>>> +
>>> +The FPGA Security Manager class driver provides a common
>>> +API for user-space tools to manage updates for secure FPGA
>>> +devices. Device drivers that instantiate the Security
>>> +Manager class driver will interact with a HW secure update
>>> +engine in order to transfer new FPGA and BMC images to FLASH so
>>> +that they will be automatically loaded when the FPGA card reboots.
>>> +
>>> +A significant difference between the FPGA Manager and the FPGA
>>> +Security Manager is that the FPGA Manager does a live update (Partial
>>> +Reconfiguration) to a device, whereas the FPGA Security Manager
>>> +updates the FLASH images for the Static Region and the BMC so that
>>> +they will be loaded the next time the FPGA card boots. Security is
>>> +enforced by hardware and firmware. The security manager interacts
>>> +with the firmware to initiate an update, pass in the necessary data,
>>> +and collect status on the update.
>>> +
>>> +In addition to managing secure updates of the FPGA and BMC images,
>>> +the FPGA Security Manager update process may also used to
>>> +program root entry hashes and cancellation keys for the FPGA static
>>> +region, the FPGA partial reconfiguration region, and the BMC.
>>> +
>>> +Secure updates make use of the request_firmware framework, which
>>> +requires that image files are accessible under /lib/firmware. A request
>>> +for a secure update returns immediately, while the update itself
>>> +proceeds in the context of a kernel worker thread. Sysfs files provide
>>> +a means for monitoring the progress of a secure update and for
>>> +retrieving error information in the event of a failure.
>>> +
>>> +Sysfs Attributes
>>> +================
>>> +
>>> +The API consists of two groups of sysfs attributes as described below.
>>> +
>>> +1. Files in the *security* sub-directory can be used to read security
>>> +   information including: Root Entry Hashes (REH), Cancelled Code
>>> +   Signing Keys (CSK), and the flash update count for FPGA images.
>>> +
>>> +2. Files in the *update* sub-directory can be used to instantiate and
>>> +   monitor a secure update.
>>> +
>>> +
>>> +See `<../ABI/testing/sysfs-class-fpga-sec-mgr>`__ for a full
>>> +description of the sysfs attributes for the FPGA Security
>>> +Manager.
>>> diff --git a/Documentation/fpga/index.rst b/Documentation/fpga/index.rst
>>> index f80f95667ca2..0b2f427042af 100644
>>> --- a/Documentation/fpga/index.rst
>>> +++ b/Documentation/fpga/index.rst
>>> @@ -8,6 +8,7 @@ fpga
>>>      :maxdepth: 1
>>>  
>>>      dfl
>>> +    fpga-sec-mgr
>>>  
>>>  .. only::  subproject and html
>>>  
>>> diff --git a/MAINTAINERS b/MAINTAINERS
>>> index 4538378de6f5..7997fff716a8 100644
>>> --- a/MAINTAINERS
>>> +++ b/MAINTAINERS
>>> @@ -6901,6 +6901,15 @@ F:	Documentation/fpga/
>>>  F:	drivers/fpga/
>>>  F:	include/linux/fpga/
>>>  
>>> +FPGA SECURITY MANAGER DRIVERS
>>> +M:	Russ Weight <russell.h.weight@intel.com>
>>> +L:	linux-fpga@vger.kernel.org
>>> +S:	Maintained
>>> +F:	Documentation/ABI/testing/sysfs-class-fpga-sec-mgr
>>> +F:	Documentation/fpga/fpga-sec-mgr.rst
>>> +F:	drivers/fpga/fpga-sec-mgr.c
>>> +F:	include/linux/fpga/fpga-sec-mgr.h
>>> +
>>>  FPU EMULATOR
>>>  M:	Bill Metzenthen <billm@melbpc.org.au>
>>>  S:	Maintained
>>> diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig
>>> index 7cd5a29fc437..6810b23b178d 100644
>>> --- a/drivers/fpga/Kconfig
>>> +++ b/drivers/fpga/Kconfig
>>> @@ -215,4 +215,13 @@ config FPGA_MGR_ZYNQMP_FPGA
>>>  	  to configure the programmable logic(PL) through PS
>>>  	  on ZynqMP SoC.
>>>  
>>> +config FPGA_SEC_MGR
>>> +	tristate "FPGA Security Manager"
>>> +	help
>>> +	  The Security Manager class driver presents a common
>>> +	  user API for managing secure updates for FPGA
>>> +	  devices, including flash images for the FPGA static
>>> +	  region and for the BMC. Select this option to enable
>>> +	  updates for secure FPGA devices.
>>> +
>>>  endif # FPGA
>>> diff --git a/drivers/fpga/Makefile b/drivers/fpga/Makefile
>>> index d8e21dfc6778..0e357262faed 100644
>>> --- a/drivers/fpga/Makefile
>>> +++ b/drivers/fpga/Makefile
>>> @@ -21,6 +21,9 @@ obj-$(CONFIG_FPGA_MGR_ZYNQMP_FPGA)	+= zynqmp-fpga.o
>>>  obj-$(CONFIG_ALTERA_PR_IP_CORE)         += altera-pr-ip-core.o
>>>  obj-$(CONFIG_ALTERA_PR_IP_CORE_PLAT)    += altera-pr-ip-core-plat.o
>>>  
>>> +# FPGA Security Manager Framework
>>> +obj-$(CONFIG_FPGA_SEC_MGR)		+= fpga-sec-mgr.o
>>> +
>>>  # FPGA Bridge Drivers
>>>  obj-$(CONFIG_FPGA_BRIDGE)		+= fpga-bridge.o
>>>  obj-$(CONFIG_SOCFPGA_FPGA_BRIDGE)	+= altera-hps2fpga.o altera-fpga2sdram.o
>>> diff --git a/drivers/fpga/fpga-sec-mgr.c b/drivers/fpga/fpga-sec-mgr.c
>>> new file mode 100644
>>> index 000000000000..95b5a7ccbe44
>>> --- /dev/null
>>> +++ b/drivers/fpga/fpga-sec-mgr.c
>>> @@ -0,0 +1,487 @@
>>> +// SPDX-License-Identifier: GPL-2.0
>>> +/*
>>> + * FPGA Security Manager
>>> + *
>>> + * Copyright (C) 2019-2020 Intel Corporation, Inc.
>>> + */
>>> +
>>> +#include <linux/fpga/fpga-sec-mgr.h>
>>> +#include <linux/idr.h>
>>> +#include <linux/module.h>
>>> +#include <linux/slab.h>
>>> +#include <linux/vmalloc.h>
>>> +
>>> +static DEFINE_IDA(fpga_sec_mgr_ida);
>>> +static struct class *fpga_sec_mgr_class;
>>> +
>>> +struct fpga_sec_mgr_devres {
>>> +	struct fpga_sec_mgr *smgr;
>>> +};
>>> +
>>> +#define to_sec_mgr(d) container_of(d, struct fpga_sec_mgr, dev)
>>> +
>>> +static ssize_t
>>> +show_canceled_csk(struct fpga_sec_mgr *smgr,
>>> +		  int (*get_csk)(struct fpga_sec_mgr *smgr,
>>> +				 unsigned long *csk_map, unsigned int nbits),
>>> +		  int (*get_csk_nbits)(struct fpga_sec_mgr *smgr),
>>> +		  char *buf)
>>> +{
>>> +	unsigned long *csk_map = NULL;
>>> +	unsigned int nbits;
>>> +	int ret;
>>> +
>>> +	ret = get_csk_nbits(smgr);
>>> +	if (ret < 0)
>>> +		return ret;
>>> +
>>> +	nbits = (unsigned int)ret;
>>> +	csk_map = vmalloc(sizeof(unsigned long) * BITS_TO_LONGS(nbits));
>>> +	if (!csk_map)
>>> +		return -ENOMEM;
>>> +
>>> +	ret = get_csk(smgr, csk_map, nbits);
>>> +	if (ret)
>>> +		goto vfree_exit;
>>> +
>>> +	ret = bitmap_print_to_pagebuf(1, buf, csk_map, nbits);
>>> +
>>> +vfree_exit:
>>> +	vfree(csk_map);
>>> +	return ret;
>>> +}
>>> +
>>> +static ssize_t
>>> +show_root_entry_hash(struct fpga_sec_mgr *smgr,
>>> +		     int (*get_reh)(struct fpga_sec_mgr *smgr, u8 *hash,
>>> +				    unsigned int size),
>>> +		     int (*get_reh_size)(struct fpga_sec_mgr *smgr),
>>> +		     char *buf)
>>> +{
>>> +	int size, i, cnt, ret;
>>> +	u8 *hash;
>>> +
>>> +	ret = get_reh_size(smgr);
>>> +	if (ret < 0)
>>> +		return ret;
>>> +	else if (!ret)
>>> +		return sysfs_emit(buf, "hash not programmed\n");
>>> +
>>> +	size = ret;
>>> +	hash = vmalloc(size);
>>> +	if (!hash)
>>> +		return -ENOMEM;
>>> +
>>> +	ret = get_reh(smgr, hash, size);
>>> +	if (ret)
>>> +		goto vfree_exit;
>>> +
>>> +	cnt = sprintf(buf, "0x");
>>> +	for (i = 0; i < size; i++)
>>> +		cnt += sprintf(buf + cnt, "%02x", hash[i]);
>>> +	cnt += sprintf(buf + cnt, "\n");
>>> +
>>> +vfree_exit:
>>> +	vfree(hash);
>>> +	return ret ? : cnt;
>>> +}
>>> +
>>> +#define DEVICE_ATTR_SEC_CSK(_name) \
>>> +static ssize_t _name##_canceled_csks_show(struct device *dev, \
>>> +					  struct device_attribute *attr, \
>>> +					  char *buf) \
>>> +{ \
>>> +	struct fpga_sec_mgr *smgr = to_sec_mgr(dev); \
>>> +	return show_canceled_csk(smgr, \
>>> +	       smgr->sops->_name##_canceled_csks, \
>>> +	       smgr->sops->_name##_canceled_csk_nbits, buf); \
>>> +} \
>>> +static DEVICE_ATTR_RO(_name##_canceled_csks)
>>> +
>>> +#define DEVICE_ATTR_SEC_ROOT_ENTRY_HASH(_name) \
>>> +static ssize_t _name##_root_entry_hash_show(struct device *dev, \
>>> +				     struct device_attribute *attr, \
>>> +				     char *buf) \
>>> +{ \
>>> +	struct fpga_sec_mgr *smgr = to_sec_mgr(dev); \
>>> +	return show_root_entry_hash(smgr, \
>>> +	       smgr->sops->_name##_root_entry_hash, \
>>> +	       smgr->sops->_name##_reh_size, buf); \
>>> +} \
>>> +static DEVICE_ATTR_RO(_name##_root_entry_hash)
>>> +
>>> +static ssize_t user_flash_count_show(struct device *dev,
>>> +				     struct device_attribute *attr, char *buf)
>>> +{
>>> +	struct fpga_sec_mgr *smgr = to_sec_mgr(dev);
>>> +	int cnt = smgr->sops->user_flash_count(smgr);
>>> +
>>> +	return cnt < 0 ? cnt : sysfs_emit(buf, "%u\n", cnt);
>>> +}
>>> +static DEVICE_ATTR_RO(user_flash_count);
>>> +
>>> +DEVICE_ATTR_SEC_ROOT_ENTRY_HASH(sr);
>>> +DEVICE_ATTR_SEC_ROOT_ENTRY_HASH(pr);
>>> +DEVICE_ATTR_SEC_ROOT_ENTRY_HASH(bmc);
>>> +DEVICE_ATTR_SEC_CSK(sr);
>>> +DEVICE_ATTR_SEC_CSK(pr);
>>> +DEVICE_ATTR_SEC_CSK(bmc);
>>> +
>>> +static struct attribute *sec_mgr_security_attrs[] = {
>>> +	&dev_attr_user_flash_count.attr,
>>> +	&dev_attr_bmc_root_entry_hash.attr,
>>> +	&dev_attr_sr_root_entry_hash.attr,
>>> +	&dev_attr_pr_root_entry_hash.attr,
>>> +	&dev_attr_sr_canceled_csks.attr,
>>> +	&dev_attr_pr_canceled_csks.attr,
>>> +	&dev_attr_bmc_canceled_csks.attr,
>>> +	NULL,
>>> +};
>>> +
>>> +#define check_attr(attribute, _name) \
>>> +	((attribute) == &dev_attr_##_name.attr && smgr->sops->_name)
>>> +
>>> +static umode_t sec_mgr_visible(struct kobject *kobj,
>>> +			       struct attribute *attr, int n)
>>> +{
>>> +	struct fpga_sec_mgr *smgr = to_sec_mgr(kobj_to_dev(kobj));
>>> +
>>> +	/*
>>> +	 * Only display optional sysfs attributes if a
>>> +	 * corresponding handler is provided
>>> +	 */
>>> +	if (check_attr(attr, user_flash_count) ||
>>> +	    check_attr(attr, bmc_root_entry_hash) ||
>>> +	    check_attr(attr, sr_root_entry_hash) ||
>>> +	    check_attr(attr, pr_root_entry_hash) ||
>>> +	    check_attr(attr, sr_canceled_csks) ||
>>> +	    check_attr(attr, pr_canceled_csks) ||
>>> +	    check_attr(attr, bmc_canceled_csks))
>>> +		return attr->mode;
>>> +
>>> +	return 0;
>>> +}
>>> +
>>> +static struct attribute_group sec_mgr_security_attr_group = {
>>> +	.name = "security",
>>> +	.attrs = sec_mgr_security_attrs,
>>> +	.is_visible = sec_mgr_visible,
>>> +};
>>> +
>>> +static ssize_t name_show(struct device *dev,
>>> +			 struct device_attribute *attr, char *buf)
>>> +{
>>> +	struct fpga_sec_mgr *smgr = to_sec_mgr(dev);
>>> +
>>> +	return sysfs_emit(buf, "%s\n", smgr->name);
>>> +}
>>> +static DEVICE_ATTR_RO(name);
>>> +
>>> +static struct attribute *sec_mgr_attrs[] = {
>>> +	&dev_attr_name.attr,
>>> +	NULL,
>>> +};
>>> +
>>> +static struct attribute_group sec_mgr_attr_group = {
>>> +	.attrs = sec_mgr_attrs,
>>> +};
>>> +
>>> +static const struct attribute_group *fpga_sec_mgr_attr_groups[] = {
>>> +	&sec_mgr_attr_group,
>>> +	&sec_mgr_security_attr_group,
>>> +	NULL,
>>> +};
>>> +
>>> +static bool check_sysfs_handler(struct device *dev,
>>> +				void *sysfs_handler, void *size_handler,
>>> +				const char *sysfs_handler_name,
>>> +				const char *size_handler_name)
>>> +{
>>> +	/*
>>> +	 * sysfs_handler and size_handler must either both be
>>> +	 * defined or both be NULL.
>>> +	 */
>>> +	if (sysfs_handler && !size_handler) {
>>> +		dev_err(dev, "%s registered without %s\n",
>>> +			sysfs_handler_name, size_handler_name);
>>> +		return false;
>>> +	} else if (!sysfs_handler && size_handler) {
>>> +		dev_err(dev, "%s registered without %s\n",
>>> +			size_handler_name, sysfs_handler_name);
>>> +		return false;
>>> +	}
>>> +	return true;
>>> +}
>>> +
>>> +#define check_reh_handler(_dev, _sops, _name) \
>>> +	check_sysfs_handler(_dev, (_sops)->_name##_root_entry_hash, \
>>> +			    (_sops)->_name##_reh_size, \
>>> +			    __stringify(_name##_root_entry_hash), \
>>> +			    __stringify(_name##_reh_size))
>>> +
>>> +#define check_csk_handler(_dev, _sops, _name) \
>>> +	check_sysfs_handler(_dev, (_sops)->_name##_canceled_csks, \
>>> +			    (_sops)->_name##_canceled_csk_nbits, \
>>> +			    __stringify(_name##_canceled_csks), \
>>> +			    __stringify(_name##_canceled_csk_nbits))
>>> +
>>> +/**
>>> + * fpga_sec_mgr_create - create and initialize an FPGA
>>> + *			  security manager struct
>>> + *
>>> + * @dev:  fpga security manager device from pdev
>>> + * @name: fpga security manager name
>>> + * @sops: pointer to a structure of fpga callback functions
>>> + * @priv: fpga security manager private data
>>> + *
>>> + * The caller of this function is responsible for freeing the struct
>>> + * with ifpg_sec_mgr_free(). Using devm_fpga_sec_mgr_create() instead
>>> + * is recommended.
>>> + *
>>> + * Return: pointer to struct fpga_sec_mgr or NULL
>>> + */
>>> +struct fpga_sec_mgr *
>>> +fpga_sec_mgr_create(struct device *dev, const char *name,
>>> +		    const struct fpga_sec_mgr_ops *sops, void *priv)
>>> +{
>>> +	struct fpga_sec_mgr *smgr;
>>> +	int id, ret;
>>> +
>>> +	if (!check_reh_handler(dev, sops, bmc) ||
>>> +	    !check_reh_handler(dev, sops, sr) ||
>>> +	    !check_reh_handler(dev, sops, pr) ||
>>> +	    !check_csk_handler(dev, sops, bmc) ||
>>> +	    !check_csk_handler(dev, sops, sr) ||
>>> +	    !check_csk_handler(dev, sops, pr)) {
>>> +		return NULL;
>>> +	}
>>> +
>>> +	if (!name || !strlen(name)) {
>>> +		dev_err(dev, "Attempt to register with no name!\n");
>>> +		return NULL;
>>> +	}
>>> +
>>> +	smgr = kzalloc(sizeof(*smgr), GFP_KERNEL);
>>> +	if (!smgr)
>>> +		return NULL;
>>> +
>>> +	id = ida_simple_get(&fpga_sec_mgr_ida, 0, 0, GFP_KERNEL);
>>> +	if (id < 0)
>>> +		goto error_kfree;
>>> +
>>> +	mutex_init(&smgr->lock);
>>> +
>>> +	smgr->name = name;
>>> +	smgr->priv = priv;
>>> +	smgr->sops = sops;
>>> +
>>> +	device_initialize(&smgr->dev);
>>> +	smgr->dev.class = fpga_sec_mgr_class;
>>> +	smgr->dev.parent = dev;
>>> +	smgr->dev.id = id;
>>> +
>>> +	ret = dev_set_name(&smgr->dev, "fpga_sec%d", id);
>>> +	if (ret) {
>>> +		dev_err(dev, "Failed to set device name: fpga_sec%d\n", id);
>>> +		goto error_device;
>>> +	}
>>> +
>>> +	return smgr;
>>> +
>>> +error_device:
>>> +	ida_simple_remove(&fpga_sec_mgr_ida, id);
>>> +
>>> +error_kfree:
>>> +	kfree(smgr);
>>> +
>>> +	return NULL;
>>> +}
>>> +EXPORT_SYMBOL_GPL(fpga_sec_mgr_create);
>>> +
>>> +/**
>>> + * fpga_sec_mgr_free - free an FPGA security manager created
>>> + *			with fpga_sec_mgr_create()
>>> + *
>>> + * @smgr:	FPGA security manager structure
>>> + */
>>> +void fpga_sec_mgr_free(struct fpga_sec_mgr *smgr)
>>> +{
>>> +	ida_simple_remove(&fpga_sec_mgr_ida, smgr->dev.id);
>>> +	kfree(smgr);
>>> +}
>>> +EXPORT_SYMBOL_GPL(fpga_sec_mgr_free);
>>> +
>>> +static void devm_fpga_sec_mgr_release(struct device *dev, void *res)
>>> +{
>>> +	struct fpga_sec_mgr_devres *dr = res;
>>> +
>>> +	fpga_sec_mgr_free(dr->smgr);
>>> +}
>>> +
>>> +/**
>>> + * devm_fpga_sec_mgr_create - create and initialize an FPGA
>>> + *			       security manager struct
>>> + *
>>> + * @dev:  fpga security manager device from pdev
>>> + * @name: fpga security manager name
>>> + * @sops: pointer to a structure of fpga callback functions
>>> + * @priv: fpga security manager private data
>>> + *
>>> + * This function is intended for use in a FPGA Security manager
>>> + * driver's probe function.  After the security manager driver creates
>>> + * the fpga_sec_mgr struct with devm_fpga_sec_mgr_create(), it should
>>> + * register it with devm_fpga_sec_mgr_register().
>>> + * The fpga_sec_mgr struct allocated with this function will be freed
>>> + * automatically on driver detach.
>>> + *
>>> + * Return: pointer to struct fpga_sec_mgr or NULL
>>> + */
>>> +struct fpga_sec_mgr *
>>> +devm_fpga_sec_mgr_create(struct device *dev, const char *name,
>>> +			 const struct fpga_sec_mgr_ops *sops, void *priv)
>>> +{
>>> +	struct fpga_sec_mgr_devres *dr;
>>> +
>>> +	dr = devres_alloc(devm_fpga_sec_mgr_release, sizeof(*dr), GFP_KERNEL);
>>> +	if (!dr)
>>> +		return NULL;
>>> +
>>> +	dr->smgr = fpga_sec_mgr_create(dev, name, sops, priv);
>>> +	if (!dr->smgr) {
>>> +		devres_free(dr);
>>> +		return NULL;
>>> +	}
>>> +
>>> +	devres_add(dev, dr);
>>> +
>>> +	return dr->smgr;
>>> +}
>>> +EXPORT_SYMBOL_GPL(devm_fpga_sec_mgr_create);
>>> +
>>> +/**
>>> + * fpga_sec_mgr_register - register an FPGA security manager
>>> + *
>>> + * @smgr: fpga security manager struct
>>> + *
>>> + * Return: 0 on success, negative error code otherwise.
>>> + */
>>> +int fpga_sec_mgr_register(struct fpga_sec_mgr *smgr)
>>> +{
>>> +	int ret;
>>> +
>>> +	ret = device_add(&smgr->dev);
>>> +	if (ret)
>>> +		goto error_device;
>> The comment header for device_add() includes the following text:
>>
>>  * NOTE: _Never_ directly free @dev after calling this function, even
>>  * if it returned an error! Always use put_device() to give up your
>>  * reference instead.
>>  *
>>  * Rule of thumb is: if device_add() succeeds, you should call
>>  * device_del() when you want to get rid of it. If device_add() has
>>  * *not* succeeded, use *only* put_device() to drop the reference
>>  * count.
>>
>> This implementation of the security manager requires that the parent
>> driver treat the fpga_sec_mgr data structure as a a managed resource
>> of the parent device using the devm_ version of the create() function.
>>
>> The device structure that is passed to device_add() is embedded in the
>> fpga_sec_mgr data structure.
>>
>> Does this conflict with the core driver functions? Is it possible that
>> we are deleting a device structure that is still being tracked by the
>> core driver code?
> I think it's fine since you'd call the unregister part in the remove()
> function of your driver.
>
> If you'd have failed on device_add(), though, you'd have returned an
> error from the probe() function.
Yeah - in the passing case we call unregister, which should
remove any references in the driver core.

Do you think I should call put_device() if device_add() fails
(Based on the comment that I pasted above)? It could be done in
fpga_sec_mgr_register(), without requiring anything from the
callers.


>
>> - Russ
>>
>>> +
>>> +	dev_info(&smgr->dev, "%s registered\n", smgr->name);
>>> +
>>> +	return 0;
>>> +
>>> +error_device:
>>> +	ida_simple_remove(&fpga_sec_mgr_ida, smgr->dev.id);
>>> +
>>> +	return ret;
>>> +}
>>> +EXPORT_SYMBOL_GPL(fpga_sec_mgr_register);
>>> +
>>> +/**
>>> + * fpga_sec_mgr_unregister - unregister an FPGA security manager
>>> + *
>>> + * @mgr: fpga manager struct
>>> + *
>>> + * This function is intended for use in an FPGA security manager
>>> + * driver's remove() function.
>>> + */
>>> +void fpga_sec_mgr_unregister(struct fpga_sec_mgr *smgr)
>>> +{
>>> +	dev_info(&smgr->dev, "%s %s\n", __func__, smgr->name);
>>> +
>>> +	device_unregister(&smgr->dev);
>>> +}
>>> +EXPORT_SYMBOL_GPL(fpga_sec_mgr_unregister);
>>> +
>>> +static int fpga_sec_mgr_devres_match(struct device *dev, void *res,
>>> +				     void *match_data)
>>> +{
>>> +	struct fpga_sec_mgr_devres *dr = res;
>>> +
>>> +	return match_data == dr->smgr;
>>> +}
>>> +
>>> +static void devm_fpga_sec_mgr_unregister(struct device *dev, void *res)
>>> +{
>>> +	struct fpga_sec_mgr_devres *dr = res;
>>> +
>>> +	fpga_sec_mgr_unregister(dr->smgr);
>>> +}
>>> +
>>> +/**
>>> + * devm_fpga_sec_mgr_register - resource managed variant of
>>> + *				fpga_sec_mgr_register()
>>> + *
>>> + * @dev: managing device for this FPGA security manager
>>> + * @smgr: fpga security manager struct
>>> + *
>>> + * This is the devres variant of fpga_sec_mgr_register() for which the
>>> + * unregister function will be called automatically when the managing
>>> + * device is detached.
>>> + */
>>> +int devm_fpga_sec_mgr_register(struct device *dev, struct fpga_sec_mgr *smgr)
>>> +{
>>> +	struct fpga_sec_mgr_devres *dr;
>>> +	int ret;
>>> +
>>> +	/*
>>> +	 * Make sure that the struct fpga_sec_mgr * that is passed in is
>>> +	 * managed itself.
>>> +	 */
>>> +	if (WARN_ON(!devres_find(dev, devm_fpga_sec_mgr_release,
>>> +				 fpga_sec_mgr_devres_match, smgr)))
>>> +		return -EINVAL;
>>> +
>>> +	dr = devres_alloc(devm_fpga_sec_mgr_unregister, sizeof(*dr), GFP_KERNEL);
>>> +	if (!dr)
>>> +		return -ENOMEM;
>>> +
>>> +	ret = fpga_sec_mgr_register(smgr);
>>> +	if (ret) {
>>> +		devres_free(dr);
>>> +		return ret;
>>> +	}
>>> +
>>> +	dr->smgr = smgr;
>>> +	devres_add(dev, dr);
>>> +
>>> +	return 0;
>>> +}
>>> +EXPORT_SYMBOL_GPL(devm_fpga_sec_mgr_register);
>>> +
>>> +static void fpga_sec_mgr_dev_release(struct device *dev)
>>> +{
>>> +}
>>> +
>>> +static int __init fpga_sec_mgr_class_init(void)
>>> +{
>>> +	pr_info("FPGA Security Manager\n");
>>> +
>>> +	fpga_sec_mgr_class = class_create(THIS_MODULE, "fpga_sec_mgr");
>>> +	if (IS_ERR(fpga_sec_mgr_class))
>>> +		return PTR_ERR(fpga_sec_mgr_class);
>>> +
>>> +	fpga_sec_mgr_class->dev_groups = fpga_sec_mgr_attr_groups;
>>> +	fpga_sec_mgr_class->dev_release = fpga_sec_mgr_dev_release;
>>> +
>>> +	return 0;
>>> +}
>>> +
>>> +static void __exit fpga_sec_mgr_class_exit(void)
>>> +{
>>> +	class_destroy(fpga_sec_mgr_class);
>>> +	ida_destroy(&fpga_sec_mgr_ida);
>>> +}
>>> +
>>> +MODULE_DESCRIPTION("FPGA Security Manager Driver");
>>> +MODULE_LICENSE("GPL v2");
>>> +
>>> +subsys_initcall(fpga_sec_mgr_class_init);
>>> +module_exit(fpga_sec_mgr_class_exit)
>>> diff --git a/include/linux/fpga/fpga-sec-mgr.h b/include/linux/fpga/fpga-sec-mgr.h
>>> new file mode 100644
>>> index 000000000000..dd596c6c3748
>>> --- /dev/null
>>> +++ b/include/linux/fpga/fpga-sec-mgr.h
>>> @@ -0,0 +1,83 @@
>>> +/* SPDX-License-Identifier: GPL-2.0 */
>>> +/*
>>> + * Header file for FPGA Security Manager
>>> + *
>>> + * Copyright (C) 2019-2020 Intel Corporation, Inc.
>>> + */
>>> +#ifndef _LINUX_FPGA_SEC_MGR_H
>>> +#define _LINUX_FPGA_SEC_MGR_H
>>> +
>>> +#include <linux/device.h>
>>> +#include <linux/mutex.h>
>>> +#include <linux/types.h>
>>> +
>>> +struct fpga_sec_mgr;
>>> +
>>> +/**
>>> + * struct fpga_sec_mgr_ops - device specific operations
>>> + * @user_flash_count:	    Optional: Return sysfs string output for FPGA
>>> + *			    image flash count
>>> + * @sr_root_entry_hash:	    Optional: Return sysfs string output for static
>>> + *			    region root entry hash
>>> + * @pr_root_entry_hash:	    Optional: Return sysfs string output for partial
>>> + *			    reconfiguration root entry hash
>>> + * @bmc_root_entry_hash:    Optional: Return sysfs string output for BMC
>>> + *			    root entry hash
>>> + * @sr_canceled_csks:	    Optional: Return sysfs string output for static
>>> + *			    region canceled keys
>>> + * @pr_canceled_csks:	    Optional: Return sysfs string output for partial
>>> + *			    reconfiguration canceled keys
>>> + * @bmc_canceled_csks:	    Optional: Return sysfs string output for bmc
>>> + *			    canceled keys
>>> + * @bmc_canceled_csk_nbits: Optional: Return BMC canceled csk vector bit count
>>> + * @sr_canceled_csk_nbits:  Optional: Return SR canceled csk vector bit count
>>> + * @pr_canceled_csk_nbits:  Optional: Return PR canceled csk vector bit count
>>> + * @bmc_reh_size:	    Optional: Return byte size for BMC root entry hash
>>> + * @sr_reh_size:	    Optional: Return byte size for SR root entry hash
>>> + * @pr_reh_size:	    Optional: Return byte size for PR root entry hash
>>> + */
>>> +struct fpga_sec_mgr_ops {
>>> +	int (*user_flash_count)(struct fpga_sec_mgr *smgr);
>>> +	int (*bmc_root_entry_hash)(struct fpga_sec_mgr *smgr, u8 *hash,
>>> +				   unsigned int size);
>>> +	int (*sr_root_entry_hash)(struct fpga_sec_mgr *smgr, u8 *hash,
>>> +				  unsigned int size);
>>> +	int (*pr_root_entry_hash)(struct fpga_sec_mgr *smgr, u8 *hash,
>>> +				  unsigned int size);
>>> +	int (*bmc_canceled_csks)(struct fpga_sec_mgr *smgr,
>>> +				 unsigned long *csk_map, unsigned int nbits);
>>> +	int (*sr_canceled_csks)(struct fpga_sec_mgr *smgr,
>>> +				unsigned long *csk_map, unsigned int nbits);
>>> +	int (*pr_canceled_csks)(struct fpga_sec_mgr *smgr,
>>> +				unsigned long *csk_map, unsigned int nbits);
>>> +	int (*bmc_reh_size)(struct fpga_sec_mgr *smgr);
>>> +	int (*sr_reh_size)(struct fpga_sec_mgr *smgr);
>>> +	int (*pr_reh_size)(struct fpga_sec_mgr *smgr);
>>> +	int (*bmc_canceled_csk_nbits)(struct fpga_sec_mgr *smgr);
>>> +	int (*sr_canceled_csk_nbits)(struct fpga_sec_mgr *smgr);
>>> +	int (*pr_canceled_csk_nbits)(struct fpga_sec_mgr *smgr);
>>> +};
>>> +
>>> +struct fpga_sec_mgr {
>>> +	const char *name;
>>> +	struct device dev;
>>> +	const struct fpga_sec_mgr_ops *sops;
>>> +	struct mutex lock;		/* protect data structure contents */
>>> +	void *priv;
>>> +};
>>> +
>>> +struct fpga_sec_mgr *
>>> +fpga_sec_mgr_create(struct device *dev, const char *name,
>>> +		    const struct fpga_sec_mgr_ops *sops, void *priv);
>>> +
>>> +struct fpga_sec_mgr *
>>> +devm_fpga_sec_mgr_create(struct device *dev, const char *name,
>>> +			 const struct fpga_sec_mgr_ops *sops, void *priv);
>>> +
>>> +int fpga_sec_mgr_register(struct fpga_sec_mgr *smgr);
>>> +int devm_fpga_sec_mgr_register(struct device *dev,
>>> +			       struct fpga_sec_mgr *smgr);
>>> +void fpga_sec_mgr_unregister(struct fpga_sec_mgr *smgr);
>>> +void fpga_sec_mgr_free(struct fpga_sec_mgr *smgr);
>>> +
>>> +#endif
> Cheers,
> Moritz