Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp382775rdg; Tue, 10 Oct 2023 13:09:22 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEp1OGqVcVqe3QSOIbEsvDBjQ1I4zmp2uQA/EsyJW3t4sXhJ4ItviNSTlchLex0YIxTMauF X-Received: by 2002:a05:6808:49:b0:3a7:25c6:7b85 with SMTP id v9-20020a056808004900b003a725c67b85mr18246037oic.47.1696968562111; Tue, 10 Oct 2023 13:09:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696968562; cv=none; d=google.com; s=arc-20160816; b=aVpgYtj2u4Ood6gHKODLhxLpcakf7LIx0+X9ZY40G38SlojR9iuVP+dGNqhDOJ2s+O PHf7CZgjQOaAN0wjYgO/GKInRNRQRuHJOSiSySgV5O2B2UVoKQblag7JdoyFTa17UTon f2fa3UAiZaEE6UAZrQmzAm70cXk3MpuMJG2rRxkyy1c5E8fwAe5wPCA4b698lN21kD2O DbSovnjcEQbK3kchqYAxWnyPrG5v90EZdXwWRuHytUnMNSjCd6WtVd6YSeWwEtLZavn3 WtTlAbaeJ/m2BjthMg0T5cSdz08XtgRjCA8GCjPKz5FRZuSC2SKTVg4C9yOzKm07UlnS 3rMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=ztbpBpO2pXmGy4HQ32tzm/CpMzlQbXI1hy8IyrK/n2c=; fh=k6wcWtuNv9wfSrCofIPT2ofNbXxVvSVRZoy0ZaHpgec=; b=PITlxxCLPTEX1z4mM6uwu5ZxHUewTxw9VpCqkz1AkxPTM0BiJRVTE0j8QFltlneLgB VzHXWojPPRF6rDfPMDAYHjnBa/NSRagb+/ox+UP+KMDgi8S3qSQfC+04hAQSbwB04IFA pVbqYpcGzZAGrX509uk4p7UFFpwfeyvJF4FqWjeu1F0WHtd13t9syOI5zNo/UwhWfsJe rKCEYNju5riSMV+c5QJz4ERkidVzkfhrN3qv7ji420AcAZoHac1wv0234w6iaIAUTLjK dEcJ0oknrFRwu+jYlV3FM4sRG75COB93eqW45v+ZoLelkQLnzkIqjY+vMtFi+2htil7t lvNA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@wanadoo.fr header.s=t20230301 header.b=SPUlWyBv; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wanadoo.fr Return-Path: Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id z188-20020a6333c5000000b00585adc52bd5si237261pgz.730.2023.10.10.13.09.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 13:09:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; dkim=pass header.i=@wanadoo.fr header.s=t20230301 header.b=SPUlWyBv; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wanadoo.fr Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id C515480AA319; Tue, 10 Oct 2023 13:09:18 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234528AbjJJUIg (ORCPT + 99 others); Tue, 10 Oct 2023 16:08:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53328 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234475AbjJJUIU (ORCPT ); Tue, 10 Oct 2023 16:08:20 -0400 Received: from smtp.smtpout.orange.fr (smtp-19.smtpout.orange.fr [80.12.242.19]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2A996D47 for ; Tue, 10 Oct 2023 13:06:57 -0700 (PDT) Received: from [192.168.1.18] ([86.243.2.178]) by smtp.orange.fr with ESMTPA id qJ09qs5Gi0onIqJ09qavla; Tue, 10 Oct 2023 22:06:53 +0200 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wanadoo.fr; s=t20230301; t=1696968413; bh=ztbpBpO2pXmGy4HQ32tzm/CpMzlQbXI1hy8IyrK/n2c=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=SPUlWyBvKqDK5IXiYbEseSMc5bZ78JTJuP/3JYAN6kwTDalaKQq4RbAKvOSEP0ueG KZxRObMFwix3Xf+jZ3w6VRuRShlVOx4/iTUSMZcw0PtP2dCNERJSUkxbwPPn4H+uTL ibFj96ORVcJNvPeP/AI/vB63FYkCwlFbeN+uLgjFXnYt3WFKwWG+LX6uSfjR0KL7+h qPBHF9qPj7wvHJDS9r9UAN+Dsd5ybCXigG4zO2P1smcpA1um1ztKJszRAF9t5tUlzk GTHF4g1fValeq1TUaiY+XyMeGLhYItsBXp+r1OQzs3RaumwAyQhDJngKJPZjJYEPmt P0ZSvCkVcTmnA== X-ME-Helo: [192.168.1.18] X-ME-Auth: Y2hyaXN0b3BoZS5qYWlsbGV0QHdhbmFkb28uZnI= X-ME-Date: Tue, 10 Oct 2023 22:06:53 +0200 X-ME-IP: 86.243.2.178 Message-ID: <7792f0ce-b6b4-4b20-9725-1792a888297f@wanadoo.fr> Date: Tue, 10 Oct 2023 22:06:43 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v5] misc: Add Nitro Secure Module driver Content-Language: fr To: Alexander Graf , linux-kernel@vger.kernel.org Cc: linux-crypto@vger.kernel.org, Arnd Bergmann , Greg Kroah-Hartman , Herbert Xu , Olivia Mackall , Petre Eftime , Erdem Meydanlli , Benjamin Herrenschmidt , David Woodhouse , "Michael S . Tsirkin" , Jason Wang , Xuan Zhuo References: <20231010191815.13641-1-graf@amazon.com> From: Christophe JAILLET In-Reply-To: <20231010191815.13641-1-graf@amazon.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=2.7 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Tue, 10 Oct 2023 13:09:19 -0700 (PDT) X-Spam-Level: ** Le 10/10/2023 à 21:18, Alexander Graf a écrit : > When running Linux inside a Nitro Enclave, the hypervisor provides a > special virtio device called "Nitro Security Module" (NSM). This device > has 3 main functions: > > 1) Provide attestation reports > 2) Modify PCR state > 3) Provide entropy > > This patch adds a driver for NSM that exposes a /dev/nsm device node which > user space can issue an ioctl on this device with raw NSM CBOR formatted > commands to request attestation documents, influence PCR states, read > entropy and enumerate status of the device. In addition, the driver > implements a hwrng backend. > > Originally-by: Petre Eftime > Signed-off-by: Alexander Graf > > --- ... > +static int nsm_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) > +{ > + struct nsm *nsm = hwrng_to_nsm(rng); > + struct device *dev = &nsm->vdev->dev; > + struct nsm_msg *msg; > + int rc = 0; > + > + /* NSM always needs to wait for a response */ > + if (!wait) > + return 0; > + > + msg = devm_kzalloc(dev, sizeof(*msg), GFP_KERNEL); > + if (!msg) > + return -ENOMEM; Why use devm_ here? It is freed in all cases... > + > + rc = fill_req_get_random(nsm, &msg->req); > + if (rc != 0) > + goto out; > + > + rc = nsm_sendrecv_msg(nsm, msg); > + if (rc != 0) > + goto out; > + > + rc = parse_resp_get_random(nsm, &msg->resp, data, max); > + if (rc < 0) > + goto out; > + > + dev_dbg(dev, "RNG: returning rand bytes = %d", rc); > +out: > + devm_kfree(dev, msg); ..., so kfree would be just fine as well. > + return rc; > +} > + > +static long nsm_dev_ioctl(struct file *file, unsigned int cmd, > + unsigned long arg) > +{ > + void __user *argp = u64_to_user_ptr((u64)arg); > + struct nsm *nsm = file_to_nsm(file); > + struct device *dev = &nsm->vdev->dev; > + struct nsm_msg *msg; > + struct nsm_raw raw; > + int r = 0; > + > + if (cmd != NSM_IOCTL_RAW) > + return -EINVAL; > + > + if (_IOC_SIZE(cmd) != sizeof(raw)) > + return -EINVAL; > + > + /* Allocate message buffers to device */ > + r = -ENOMEM; > + msg = devm_kzalloc(dev, sizeof(*msg), GFP_KERNEL); Why use devm_ here? It is freed in all cases... > + if (!msg) > + goto out; > + > + /* Copy user argument struct to kernel argument struct */ > + r = -EFAULT; > + if (copy_from_user(&raw, argp, _IOC_SIZE(cmd))) > + goto out; > + > + /* Convert kernel argument struct to device request */ > + r = fill_req_raw(nsm, &msg->req, &raw); > + if (r) > + goto out; > + > + /* Send message to NSM and read reply */ > + r = nsm_sendrecv_msg(nsm, msg); > + if (r) > + goto out; > + > + /* Parse device response into kernel argument struct */ > + r = parse_resp_raw(nsm, &msg->resp, &raw); > + if (r) > + goto out; > + > + /* Copy kernel argument struct back to user argument struct */ > + r = -EFAULT; > + if (copy_to_user(argp, &raw, sizeof(raw))) > + goto out; > + > + r = 0; > + > +out: > + devm_kfree(dev, msg); ..., so kfree would be just fine as well. > + return r; > +} ... > +/* Handler for probing the NSM device */ > +static int nsm_device_probe(struct virtio_device *vdev) > +{ > + struct device *dev = &vdev->dev; > + struct nsm *nsm; > + int rc; > + > + nsm = devm_kzalloc(&vdev->dev, sizeof(*nsm), GFP_KERNEL); > + if (!nsm) > + return -ENOMEM; > + > + vdev->priv = nsm; > + nsm->vdev = vdev; > + > + rc = nsm_device_init_vq(vdev); > + if (rc) { > + dev_err(dev, "queue failed to initialize: %d.\n", rc); > + goto err_init_vq; > + } > + > + mutex_init(&nsm->lock); > + init_waitqueue_head(&nsm->wq); > + > + /* Register as hwrng provider */ > + nsm->hwrng = (struct hwrng) { > + .read = nsm_rng_read, > + .name = "nsm-hwrng", > + .quality = 1000, > + }; > + > + rc = devm_hwrng_register(&vdev->dev, &nsm->hwrng); > + if (rc) { > + dev_err(dev, "RNG initialization error: %d.\n", rc); > + goto err_hwrng; > + } > + > + /* Register /dev/nsm device node */ > + nsm->misc = (struct miscdevice) { > + .minor = MISC_DYNAMIC_MINOR, > + .name = "nsm", > + .fops = &nsm_dev_fops, > + .mode = 0666, > + }; > + > + rc = misc_register(&nsm->misc); > + if (rc) { > + dev_err(dev, "misc device registration error: %d.\n", rc); > + goto err_misc; > + } > + > + return 0; > + > +err_misc: > + hwrng_unregister(&nsm->hwrng); Is it needed? devm_hwrng_register() is used. > +err_hwrng: > + vdev->config->del_vqs(vdev); > +err_init_vq: > + kfree(nsm); 'nsm' is devm_kzalloc()'ed, so this is a double free. > + return rc; > +} > + > +/* Handler for removing the NSM device */ > +static void nsm_device_remove(struct virtio_device *vdev) > +{ > + struct nsm *nsm = vdev->priv; > + > + hwrng_unregister(&nsm->hwrng); Is it needed? devm_hwrng_register() is used. > + > + vdev->config->del_vqs(vdev); > + misc_deregister(&nsm->misc); > + list_del(&nsm->node); When is it list_add()'ed? The 'node' field seems unused. CJ > +} ...