Received: by 2002:a05:7412:3b8b:b0:fc:a2b0:25d7 with SMTP id nd11csp2398339rdb; Mon, 12 Feb 2024 03:47:37 -0800 (PST) X-Google-Smtp-Source: AGHT+IGfYnoh26/9WIsnpo6hSrwM3HzW7X0wauOAIPlCq8dOI0lcHmD4xAMPInMlMCUc4iochWqu X-Received: by 2002:ac8:5915:0:b0:42c:6e6b:2d75 with SMTP id 21-20020ac85915000000b0042c6e6b2d75mr7710945qty.44.1707738457380; Mon, 12 Feb 2024 03:47:37 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1707738457; cv=pass; d=google.com; s=arc-20160816; b=kpPvvTIoAyMbEgilDRFeey1Y5GgIhi2mJ1M97RYbnhj5Ez+0pxo3vD34jFrB/cAjEg x+T9EoCOJQFTHpGuNFZoM3/ra5faygTdn1IPaK3yPrB6kAc4yJeVkLQNM0csOVXQVsoZ lJBsyJYzOOejkJ7DMz+weJjWf2WkNAX+2oeyBXj4FaxSX8jlVfizNMledRMKqEsjlKYS N4pq9KC+OgJj62a27w1xPOwhSkxaHNRVd27iei00oQ2NoDb7jENP22TKOJzGI1RseYQE PChUml3aZ2b/xFisq+zaLRqtJ1S/ZEhnTbQ4QPgGQJc20Gn9iMenZ5dmkSuRRGnfgayN LCVw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-id:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:references:message-id:in-reply-to:subject:cc:to:date :from:dkim-signature; bh=mFXfkXw2LipVg6gyeMIzanU5t01HBcThX4Ie6nZ5em4=; fh=w8j8glGl4wYRqPFkvhUgOQaMs7Yn44HeUVfgip2blhA=; b=jY3gcv+xLg42Dtjs9yldWlhSmR7Rfu01vJ4/EVfVHUUdBqJek+4xteu7/PkpgD6Q31 nnmhCW8ehA5EaPPBplw66SDuXwYGpgi5MDa+b0C2osoftuP4Ca8YyDZsXbBId/B9wTc0 uaWBiRe6BkyIjqLZxGJfNOmGmwjFFdv/DJiyYzx3Cz5gvqsPsiBT6CnTKTK2xj0ODrFv kloCeklZ0hQED2kPy5NoJELs3fkFFo4VV8ar+HnNSBt8SQ0MorOLUGZJbDeo6gjIFwfE V2p+cbAbAI6V7kjYybtP2g0zbVduwEyjTe817v1vLX+C0n8SzM0T9t3+SqwJbNHHQSB1 3mMw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=kRFO39h3; arc=pass (i=1 dkim=pass dkdomain=intel.com dmarc=pass fromdomain=linux.intel.com); spf=pass (google.com: domain of linux-crypto+bounces-1960-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-crypto+bounces-1960-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Forwarded-Encrypted: i=2; AJvYcCWBizTgWda1xBi94gId/Var115ZzXb24/zWBCEHivU0ogRxVtQK5Im6w+UnWtL3JCamvZ0n/X4FaPUTjObfAu+TGXWBoOxbp7kjcva+EQ== Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id g6-20020ac842c6000000b0042b218f14f1si162914qtm.647.2024.02.12.03.47.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Feb 2024 03:47:37 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto+bounces-1960-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=kRFO39h3; arc=pass (i=1 dkim=pass dkdomain=intel.com dmarc=pass fromdomain=linux.intel.com); spf=pass (google.com: domain of linux-crypto+bounces-1960-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-crypto+bounces-1960-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 037681C2106D for ; Mon, 12 Feb 2024 11:47:37 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id DCF7D3987B; Mon, 12 Feb 2024 11:47:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="kRFO39h3" X-Original-To: linux-crypto@vger.kernel.org Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B471F39859; Mon, 12 Feb 2024 11:47:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.16 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707738450; cv=none; b=nQr/y9jJBKwbVcUO3bYc/Vt+fu1j3b8+rOjgW/rafYsaPz1WpoTFUAzHLUJf0/7cgtO25cuyUsPXbAnAI6VCQY6WCpXDuZjNp7gyp+Zk4RO2huqG+C2FPghMVp1gkZCCbaFWDU+V5z/IlxCr5jNnoa/KHM2SVv8uzu7NABVJtEA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707738450; c=relaxed/simple; bh=qlzqXd3E8EN9sGyZ5zlZscBBy3a7+JL3uMmODD1BNa0=; h=From:Date:To:cc:Subject:In-Reply-To:Message-ID:References: MIME-Version:Content-Type; b=KyppGbCIDoJVlP0AV0H0VchTepF92I9NI4TqQoZTfpEJ9Cdy2Tw9HQ/bOuFONM33FMd+QMlsbz9nmao6GiKfu+YBC6Km7nYCThbVG7aDwcfShGUem/hq831gIjjoWGhx48C8ttqb1cs8Y1coUQGGkbWXj6mlAMeE2lRfKI9qdE8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=kRFO39h3; arc=none smtp.client-ip=192.198.163.16 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1707738448; x=1739274448; h=from:date:to:cc:subject:in-reply-to:message-id: references:mime-version:content-id; bh=qlzqXd3E8EN9sGyZ5zlZscBBy3a7+JL3uMmODD1BNa0=; b=kRFO39h3EAp2KcpdJsox+3/AUQOiWtcZEuRw3eK158CIwRNfIuAM/ngV 0fecrquCzUP4hvZIKF/DzB5VxgHd0e9X7ylOUJadt9u2PHzApHcz7d+vf cVzoGy58KpnQd2cH9pKLc3FiL7VMHvJQclXyP88dAej4SADvR02hMqy9X 6nJClK6Cpxj6kRworZTtRBJ5CX4ifoaoKX5IyIovw8mLk7Zrc9yQQpT/6 ljZLS80nSaeh7c6DSt+YAxVk6Ml0M5TvqOwmMDBD4uWa2rWAyjZUk++BX ujQXCAtQWuIIpjQHBeDRxahRHKsH+ydnVtzKZ4XWplwckb5004bSVcu5Y A==; X-IronPort-AV: E=McAfee;i="6600,9927,10981"; a="2054877" X-IronPort-AV: E=Sophos;i="6.06,263,1705392000"; d="scan'208";a="2054877" Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmvoesa110.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Feb 2024 03:47:26 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10981"; a="911459436" X-IronPort-AV: E=Sophos;i="6.06,263,1705392000"; d="scan'208";a="911459436" Received: from ijarvine-desk1.ger.corp.intel.com (HELO localhost) ([10.246.49.160]) by fmsmga002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Feb 2024 03:47:20 -0800 From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= Date: Mon, 12 Feb 2024 13:47:14 +0200 (EET) To: Lukas Wunner cc: Bjorn Helgaas , David Howells , David Woodhouse , Herbert Xu , "David S. Miller" , Alex Williamson , linux-pci@vger.kernel.org, linux-cxl@vger.kernel.org, linux-coco@lists.linux.dev, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, kvm@vger.kernel.org, Jonathan Cameron , linuxarm@huawei.com, David Box , Dan Williams , Dave Jiang , "Li, Ming" , Zhi Wang , Alistair Francis , Wilfred Mallawa , Alexey Kardashevskiy , Tom Lendacky , Sean Christopherson , Alexander Graf Subject: Re: [PATCH 07/12] spdm: Introduce library to authenticate devices In-Reply-To: <20240209203204.GA5850@wunner.de> Message-ID: <5de3ae38-023f-0a3f-d750-fbfa1af7a8ee@linux.intel.com> References: <89a83f42ae3c411f46efd968007e9b2afd839e74.1695921657.git.lukas@wunner.de> <5d0e75-993c-3978-8ccf-60bfb7cac10@linux.intel.com> <20240209203204.GA5850@wunner.de> Precedence: bulk X-Mailing-List: linux-crypto@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: multipart/mixed; BOUNDARY="8323328-136259284-1707737012=:1013" Content-ID: This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --8323328-136259284-1707737012=:1013 Content-Type: text/plain; CHARSET=ISO-8859-15 Content-Transfer-Encoding: QUOTED-PRINTABLE Content-ID: On Fri, 9 Feb 2024, Lukas Wunner wrote: > On Tue, Oct 03, 2023 at 01:35:26PM +0300, Ilpo J=E4rvinen wrote: > > On Thu, 28 Sep 2023, Lukas Wunner wrote: > > > +typedef int (spdm_transport)(void *priv, struct device *dev, > > > + const void *request, size_t request_sz, > > > + void *response, size_t response_sz); > >=20 > > This returns a length or an error, right? If so return ssize_t instead. > >=20 > > If you make this change, alter the caller types too. >=20 > Alright, I've changed the types in __spdm_exchange() and spdm_exchange(). >=20 > However the callers of those functions assign the result to an "rc" varia= ble > which is also used to receive an "int" return value. > E.g. spdm_get_digests() assigns the ssize_t result of spdm_exchange() to = rc > but also the int result of crypto_shash_update(). >=20 > It feels awkward to change the type of "rc" to "ssize_t" in those > functions, so I kept "int". Using ssize_t type variable for return values is not that uncommon (kernel= =20 wide). Obviously that results in int -> ssize_t conversion if they call=20 any function that only needs to return an int. But it seems harmless. crypto_shash_update() doesn't input size_t like (spdm_transport)() does. > > > +struct spdm_error_rsp { > > > +=09u8 version; > > > +=09u8 code; > > > +=09enum spdm_error_code error_code:8; > > > +=09u8 error_data; > > > + > > > +=09u8 extended_error_data[]; > > > +} __packed; > >=20 > > Is this always going to produce the layout you want given the alignment= =20 > > requirements for the storage unit for u8 and enum are probably differen= t? >=20 > Yes, the __packed attribute forces the compiler to avoid padding. Okay, so I assume compiler is actually able put enum with u8, seemingly=20 bitfield code generation has gotten better than it used to be. With how little is promised wordings in the spec (unless there is later=20 update I've not seen), I'd suggest you still add a static_assert for the=20 sizeof of the struct to make sure it is always of correct size.=20 Mislayouting is much easier to catch on build time. > > > +static int spdm_negotiate_algs(struct spdm_state *spdm_state, > > > +=09=09=09 void *transcript, size_t transcript_sz) > > > +{ > > > +=09struct spdm_req_alg_struct *req_alg_struct; > > > +=09struct spdm_negotiate_algs_req *req; > > > +=09struct spdm_negotiate_algs_rsp *rsp; > > > +=09size_t req_sz =3D sizeof(*req); > > > +=09size_t rsp_sz =3D sizeof(*rsp); > > > +=09int rc, length; > > > + > > > +=09/* Request length shall be <=3D 128 bytes (SPDM 1.1.0 margin no 1= 85) */ > > > +=09BUILD_BUG_ON(req_sz > 128); > >=20 > > I don't know why this really has to be here? This could be static_asser= t() > > below the struct declaration. >=20 > A follow-on patch to add key exchange support increases req_sz based on > an SPDM_MAX_REQ_ALG_STRUCT macro defined here in front of the function > where it's used. That's the reason why the size is checked here as well. Okay, understood. I didn't go that in my analysis so I missed the later=20 addition. > > > +static int spdm_get_certificate(struct spdm_state *spdm_state, u8 sl= ot) > > > +{ > > > +=09struct spdm_get_certificate_req req =3D { > > > +=09=09.code =3D SPDM_GET_CERTIFICATE, > > > +=09=09.param1 =3D slot, > > > +=09}; > > > +=09struct spdm_get_certificate_rsp *rsp; > > > +=09struct spdm_cert_chain *certs =3D NULL; > > > +=09size_t rsp_sz, total_length, header_length; > > > +=09u16 remainder_length =3D 0xffff; > >=20 > > 0xffff in this function should use either U16_MAX or SZ_64K - 1. >=20 > The SPDM spec uses 0xffff so I'm deliberately using that as well > to make the connection to the spec obvious. It's not obvious when somebody is reading 0xffff. If you want to make the= =20 connection obvious, you create a proper #define + add a comment where its= =20 defined with the spec ref. > > > +static void spdm_create_combined_prefix(struct spdm_state *spdm_stat= e, > > > +=09=09=09=09=09const char *spdm_context, void *buf) > > > +{ > > > +=09u8 minor =3D spdm_state->version & 0xf; > > > +=09u8 major =3D spdm_state->version >> 4; > > > +=09size_t len =3D strlen(spdm_context); > > > +=09int rc, zero_pad; > > > + > > > +=09rc =3D snprintf(buf, SPDM_PREFIX_SZ + 1, > > > +=09=09 "dmtf-spdm-v%hhx.%hhx.*dmtf-spdm-v%hhx.%hhx.*" > > > +=09=09 "dmtf-spdm-v%hhx.%hhx.*dmtf-spdm-v%hhx.%hhx.*", > > > +=09=09 major, minor, major, minor, major, minor, major, minor); > >=20 > > Why are these using s8 formatting specifier %hhx ?? >=20 > I don't quite follow, "%hhx" is an unsigned char, not a signed char. >=20 > spdm_state->version may contain e.g. 0x12 which is converted to > "dmtf-spdm-v1.2.*" here. >=20 > The question is what happens if the major or minor version goes beyond 9. > The total length of the prefix is hard-coded by the spec, hence my > expectation is that 1.10 will be represented as "dmtf-spdm-v1.a.*" > to not exceed the length. The code follows that expectation. It's actually fine. I just got tunnel vision when looking what that %hhx is in the first=20 place, in Documentation/core-api/printk-formats.rst there's this list: =09 signed char %d or %hhx unsigned char %u or %x But of course %hhx is just as valid for unsigned. --=20 i. --8323328-136259284-1707737012=:1013--