linux/drivers/fpga/intel-m10-bmc-sec-update.c
Russ Weight 5cd339b370
fpga: m10bmc-sec: add max10 secure update functions
Create firmware upload ops and call the Firmware Upload support of the
Firmware Loader subsystem to enable FPGA image uploads for secure
updates of BMC images, FPGA images, etc.

Tested-by: Tianfei Zhang <tianfei.zhang@intel.com>
Signed-off-by: Russ Weight <russell.h.weight@intel.com>
Link: https://lore.kernel.org/r/20220606160038.846236-6-russell.h.weight@intel.com
Signed-off-by: Xu Yilun <yilun.xu@intel.com>
2022-06-08 17:04:39 +08:00


// SPDX-License-Identifier: GPL-2.0
/*
* Intel MAX10 Board Management Controller Secure Update Driver
*
* Copyright (C) 2019-2022 Intel Corporation. All rights reserved.
*
*/
#include <linux/bitfield.h>
#include <linux/device.h>
#include <linux/firmware.h>
#include <linux/mfd/intel-m10-bmc.h>
#include <linux/mod_devicetable.h>
#include <linux/module.h>
#include <linux/platform_device.h>
#include <linux/slab.h>
/* Per-device state for one MAX10 BMC secure-update instance. */
struct m10bmc_sec {
	struct device *dev;		/* this platform device; used for logging */
	struct intel_m10bmc *m10bmc;	/* parent's drvdata; provides the regmap */
	struct fw_upload *fwl;		/* handle from firmware_upload_register() */
	char *fw_name;			/* kmemdup_nul()'d in probe, kfree()'d in remove */
	u32 fw_name_id;			/* ID allocated from fw_upload_xa */
	/*
	 * Set by m10bmc_sec_cancel(), which may run asynchronously with an
	 * upload; read by the prepare/write/poll_complete ops. It is a plain
	 * bool: this file uses no lock or READ_ONCE()/WRITE_ONCE() around it.
	 */
	bool cancel_request;
};
/* ID allocator; probe draws an ID from it to build the firmware-upload name. */
static DEFINE_XARRAY_ALLOC(fw_upload_xa);

/* Root Entry Hash (REH) support */
#define REH_SHA256_SIZE		32
#define REH_SHA384_SIZE		48
/* Fields of the 32-bit word read from a *_PROG_ADDR register. */
#define REH_MAGIC		GENMASK(15, 0)
/*
 * Despite the name, show_root_entry_hash() divides this field by 8 before
 * using it as a byte count, i.e. it is treated as a length in bits.
 */
#define REH_SHA_NUM_BYTES	GENMASK(31, 16)
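/**
 * show_root_entry_hash() - format a programmed root entry hash for sysfs
 * @dev: secure-update platform device (drvdata is a struct m10bmc_sec)
 * @exp_magic: magic value expected in the low 16 bits of the word at @prog_addr
 * @prog_addr: address of the word holding the magic and the hash length
 * @reh_addr: address of the first hash register
 * @buf: sysfs output page
 *
 * Return: number of bytes written to @buf ("hash not programmed\n" when the
 * magic does not match, otherwise the hash as lowercase hex plus a newline),
 * or a negative errno on a register read failure or an unsupported length.
 */
static ssize_t
show_root_entry_hash(struct device *dev, u32 exp_magic,
		     u32 prog_addr, u32 reh_addr, char *buf)
{
	struct m10bmc_sec *sec = dev_get_drvdata(dev);
	int sha_num_bytes, i, ret, cnt = 0;
	u8 hash[REH_SHA384_SIZE];
	unsigned int stride;
	u32 magic;

	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
	ret = m10bmc_raw_read(sec->m10bmc, prog_addr, &magic);
	if (ret)
		return ret;

	if (FIELD_GET(REH_MAGIC, magic) != exp_magic)
		return sysfs_emit(buf, "hash not programmed\n");

	/*
	 * The length is read from the device. Only the two known digest sizes
	 * are accepted, which keeps the bulk read below within hash[].
	 */
	sha_num_bytes = FIELD_GET(REH_SHA_NUM_BYTES, magic) / 8;
	if ((sha_num_bytes % stride) ||
	    (sha_num_bytes != REH_SHA256_SIZE &&
	     sha_num_bytes != REH_SHA384_SIZE)) {
		dev_err(sec->dev, "%s bad sha num bytes %d\n", __func__,
			sha_num_bytes);
		return -EINVAL;
	}

	ret = regmap_bulk_read(sec->m10bmc->regmap, reh_addr,
			       hash, sha_num_bytes / stride);
	if (ret) {
		dev_err(dev, "failed to read root entry hash: %x cnt %x: %d\n",
			reh_addr, sha_num_bytes / stride, ret);
		return ret;
	}

	/*
	 * sysfs_emit_at() bounds each write to the PAGE_SIZE sysfs buffer;
	 * the previous sprintf() calls had no such bound.
	 */
	for (i = 0; i < sha_num_bytes; i++)
		cnt += sysfs_emit_at(buf, cnt, "%02x", hash[i]);
	cnt += sysfs_emit_at(buf, cnt, "\n");

	return cnt;
}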
/*
 * Define a read-only sysfs attribute named <_name>_root_entry_hash whose show
 * callback forwards to show_root_entry_hash() with the given magic value and
 * register addresses.
 */
#define DEVICE_ATTR_SEC_REH_RO(_name, _magic, _prog_addr, _reh_addr) \
static ssize_t _name##_root_entry_hash_show(struct device *dev, \
					    struct device_attribute *attr, \
					    char *buf) \
{ return show_root_entry_hash(dev, _magic, _prog_addr, _reh_addr, buf); } \
static DEVICE_ATTR_RO(_name##_root_entry_hash)

/* One attribute per root entry hash: bmc, sr and pr. */
DEVICE_ATTR_SEC_REH_RO(bmc, BMC_PROG_MAGIC, BMC_PROG_ADDR, BMC_REH_ADDR);
DEVICE_ATTR_SEC_REH_RO(sr, SR_PROG_MAGIC, SR_PROG_ADDR, SR_REH_ADDR);
DEVICE_ATTR_SEC_REH_RO(pr, PR_PROG_MAGIC, PR_PROG_ADDR, PR_REH_ADDR);
#define CSK_BIT_LEN		128U
#define CSK_32ARRAY_SIZE	DIV_ROUND_UP(CSK_BIT_LEN, 32)

/*
 * Read the CSK_BIT_LEN-bit CSK vector at @addr and print it to @buf as a bit
 * list. The vector is complemented before printing, so the IDs listed are the
 * positions whose bit reads as 0 in the device.
 *
 * Returns the number of bytes written, or a negative errno if the vector size
 * is not a multiple of the regmap stride or the bulk read fails.
 */
static ssize_t
show_canceled_csk(struct device *dev, u32 addr, char *buf)
{
	struct m10bmc_sec *sec = dev_get_drvdata(dev);
	unsigned int size = CSK_32ARRAY_SIZE * sizeof(u32);
	__le32 csk_le32[CSK_32ARRAY_SIZE];
	u32 csk32[CSK_32ARRAY_SIZE];
	DECLARE_BITMAP(csk_map, CSK_BIT_LEN);
	unsigned int stride, idx;
	int ret;

	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
	if (size % stride) {
		dev_err(sec->dev,
			"CSK vector size (0x%x) not aligned to stride (0x%x)\n",
			size, stride);
		WARN_ON_ONCE(1);
		return -EINVAL;
	}

	ret = regmap_bulk_read(sec->m10bmc->regmap, addr, csk_le32,
			       size / stride);
	if (ret) {
		dev_err(sec->dev, "failed to read CSK vector: %x cnt %x: %d\n",
			addr, size / stride, ret);
		return ret;
	}

	/* The registers hold little-endian words; convert before bitmap use. */
	for (idx = 0; idx < CSK_32ARRAY_SIZE; idx++)
		csk32[idx] = le32_to_cpu(csk_le32[idx]);

	bitmap_from_arr32(csk_map, csk32, CSK_BIT_LEN);
	bitmap_complement(csk_map, csk_map, CSK_BIT_LEN);

	/* First argument 1 selects list format. */
	return bitmap_print_to_pagebuf(1, buf, csk_map, CSK_BIT_LEN);
}
/*
 * Define a read-only sysfs attribute named <_name>_canceled_csks whose show
 * callback forwards to show_canceled_csk() with the given vector address.
 */
#define DEVICE_ATTR_SEC_CSK_RO(_name, _addr) \
static ssize_t _name##_canceled_csks_show(struct device *dev, \
					  struct device_attribute *attr, \
					  char *buf) \
{ return show_canceled_csk(dev, _addr, buf); } \
static DEVICE_ATTR_RO(_name##_canceled_csks)

/* The CSK vector sits at this offset from each *_PROG_ADDR base. */
#define CSK_VEC_OFFSET 0x34

DEVICE_ATTR_SEC_CSK_RO(bmc, BMC_PROG_ADDR + CSK_VEC_OFFSET);
DEVICE_ATTR_SEC_CSK_RO(sr, SR_PROG_ADDR + CSK_VEC_OFFSET);
DEVICE_ATTR_SEC_CSK_RO(pr, PR_PROG_ADDR + CSK_VEC_OFFSET);
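#define FLASH_COUNT_SIZE 4096	/* count stored as inverted bit vector */

/**
 * flash_count_show() - sysfs show callback for the staging flash update count
 * @dev: secure-update platform device (drvdata is a struct m10bmc_sec)
 * @attr: unused
 * @buf: sysfs output page
 *
 * Reads FLASH_COUNT_SIZE bytes starting at STAGING_FLASH_COUNT and reports the
 * number of cleared bits, since the count is stored as an inverted bit vector.
 *
 * Return: number of bytes written to @buf, or a negative errno.
 */
static ssize_t flash_count_show(struct device *dev,
				struct device_attribute *attr, char *buf)
{
	struct m10bmc_sec *sec = dev_get_drvdata(dev);
	unsigned int stride, num_bits, cnt;
	u8 *flash_buf;
	int ret;

	stride = regmap_get_reg_stride(sec->m10bmc->regmap);
	num_bits = FLASH_COUNT_SIZE * 8;

	/*
	 * Check alignment before allocating. The original allocated first and
	 * returned from this branch without kfree(), leaking flash_buf.
	 */
	if (FLASH_COUNT_SIZE % stride) {
		dev_err(sec->dev,
			"FLASH_COUNT_SIZE (0x%x) not aligned to stride (0x%x)\n",
			FLASH_COUNT_SIZE, stride);
		WARN_ON_ONCE(1);
		return -EINVAL;
	}

	flash_buf = kmalloc(FLASH_COUNT_SIZE, GFP_KERNEL);
	if (!flash_buf)
		return -ENOMEM;

	ret = regmap_bulk_read(sec->m10bmc->regmap, STAGING_FLASH_COUNT,
			       flash_buf, FLASH_COUNT_SIZE / stride);
	if (ret) {
		dev_err(sec->dev,
			"failed to read flash count: %x cnt %x: %d\n",
			STAGING_FLASH_COUNT, FLASH_COUNT_SIZE / stride, ret);
		goto exit_free;
	}

	/* Each cleared bit counts as one update. */
	cnt = num_bits - bitmap_weight((unsigned long *)flash_buf, num_bits);
	ret = sysfs_emit(buf, "%u\n", cnt);

exit_free:
	kfree(flash_buf);
	return ret;
}
static DEVICE_ATTR_RO(flash_count);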
/*
 * Attributes published in the "security" sysfs group. Every entry is declared
 * with DEVICE_ATTR_RO, so the group exposes state for inspection only and has
 * no store callbacks.
 */
static struct attribute *m10bmc_security_attrs[] = {
	&dev_attr_flash_count.attr,
	&dev_attr_bmc_root_entry_hash.attr,
	&dev_attr_sr_root_entry_hash.attr,
	&dev_attr_pr_root_entry_hash.attr,
	&dev_attr_sr_canceled_csks.attr,
	&dev_attr_pr_canceled_csks.attr,
	&dev_attr_bmc_canceled_csks.attr,
	NULL,
};

static struct attribute_group m10bmc_security_attr_group = {
	.name = "security",
	.attrs = m10bmc_security_attrs,
};

/* Referenced from the platform driver's .dev_groups. */
static const struct attribute_group *m10bmc_sec_attr_groups[] = {
	&m10bmc_security_attr_group,
	NULL,
};
/*
 * Log the doorbell value the caller observed and, when it can be read, the
 * M10BMC_AUTH_RESULT register. A failed read of the auth result is silently
 * skipped.
 */
static void log_error_regs(struct m10bmc_sec *sec, u32 doorbell)
{
	u32 auth_result;
	int err;

	dev_err(sec->dev, "RSU error status: 0x%08x\n", doorbell);

	err = m10bmc_sys_read(sec->m10bmc, M10BMC_AUTH_RESULT, &auth_result);
	if (err)
		return;

	dev_err(sec->dev, "RSU auth result: 0x%08x\n", auth_result);
}
/*
 * Check that no update is in flight before a new one is started.
 *
 * Returns FW_UPLOAD_ERR_NONE when the doorbell progress field is IDLE or
 * RSU_DONE, FW_UPLOAD_ERR_BUSY (after logging the error registers) for any
 * other progress value, and FW_UPLOAD_ERR_RW_ERROR if the doorbell cannot be
 * read.
 */
static enum fw_upload_err rsu_check_idle(struct m10bmc_sec *sec)
{
	u32 doorbell, progress;

	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell))
		return FW_UPLOAD_ERR_RW_ERROR;

	progress = rsu_prog(doorbell);
	if (progress == RSU_PROG_IDLE || progress == RSU_PROG_RSU_DONE)
		return FW_UPLOAD_ERR_NONE;

	log_error_regs(sec, doorbell);
	return FW_UPLOAD_ERR_BUSY;
}
/*
 * Poll condition used by rsu_update_init(): true once the update request has
 * been picked up, either with an erase-fail/wearout status or with the
 * progress field having left IDLE/RSU_DONE.
 */
static inline bool rsu_start_done(u32 doorbell)
{
	u32 progress;

	/* Request bit still set: keep polling. */
	if (doorbell & DRBL_RSU_REQUEST)
		return false;

	switch (rsu_stat(doorbell)) {
	case RSU_STAT_ERASE_FAIL:
	case RSU_STAT_WEAROUT:
		/* Terminal status; the caller turns it into an error. */
		return true;
	default:
		break;
	}

	progress = rsu_prog(doorbell);
	return progress != RSU_PROG_IDLE && progress != RSU_PROG_RSU_DONE;
}
/*
 * Raise the RSU request in the doorbell register with host status IDLE, then
 * poll until rsu_start_done() reports that the request was picked up.
 *
 * Returns FW_UPLOAD_ERR_NONE on success, FW_UPLOAD_ERR_TIMEOUT if the poll
 * times out, FW_UPLOAD_ERR_WEAROUT or FW_UPLOAD_ERR_HW_ERROR for the wearout
 * and erase-fail statuses, and FW_UPLOAD_ERR_RW_ERROR on register access
 * failure.
 */
static enum fw_upload_err rsu_update_init(struct m10bmc_sec *sec)
{
	struct regmap *map = sec->m10bmc->regmap;
	u32 doorbell;
	int ret;

	ret = regmap_update_bits(map, M10BMC_SYS_BASE + M10BMC_DOORBELL,
				 DRBL_RSU_REQUEST | DRBL_HOST_STATUS,
				 DRBL_RSU_REQUEST |
				 FIELD_PREP(DRBL_HOST_STATUS,
					    HOST_STATUS_IDLE));
	if (ret)
		return FW_UPLOAD_ERR_RW_ERROR;

	ret = regmap_read_poll_timeout(map,
				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
				       doorbell,
				       rsu_start_done(doorbell),
				       NIOS_HANDSHAKE_INTERVAL_US,
				       NIOS_HANDSHAKE_TIMEOUT_US);
	if (ret) {
		if (ret != -ETIMEDOUT)
			return FW_UPLOAD_ERR_RW_ERROR;

		/* Only the timeout path logs the last doorbell value. */
		log_error_regs(sec, doorbell);
		return FW_UPLOAD_ERR_TIMEOUT;
	}

	switch (rsu_stat(doorbell)) {
	case RSU_STAT_WEAROUT:
		dev_warn(sec->dev, "Excessive flash update count detected\n");
		return FW_UPLOAD_ERR_WEAROUT;
	case RSU_STAT_ERASE_FAIL:
		log_error_regs(sec, doorbell);
		return FW_UPLOAD_ERR_HW_ERROR;
	default:
		return FW_UPLOAD_ERR_NONE;
	}
}
/*
 * Wait for the doorbell progress field to leave PREPARE, sleeping
 * RSU_PREP_INTERVAL_MS between reads for at most RSU_PREP_TIMEOUT_MS.
 *
 * Returns FW_UPLOAD_ERR_NONE once progress is READY, FW_UPLOAD_ERR_TIMEOUT if
 * it is still PREPARE at the deadline, FW_UPLOAD_ERR_HW_ERROR for any other
 * progress value, and FW_UPLOAD_ERR_RW_ERROR if a doorbell read fails.
 */
static enum fw_upload_err rsu_prog_ready(struct m10bmc_sec *sec)
{
	unsigned long deadline;
	u32 doorbell;

	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell))
		return FW_UPLOAD_ERR_RW_ERROR;

	deadline = jiffies + msecs_to_jiffies(RSU_PREP_TIMEOUT_MS);
	while (rsu_prog(doorbell) == RSU_PROG_PREPARE) {
		msleep(RSU_PREP_INTERVAL_MS);

		/* Past the deadline: judge the last value that was read. */
		if (time_after(jiffies, deadline))
			break;

		if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell))
			return FW_UPLOAD_ERR_RW_ERROR;
	}

	switch (rsu_prog(doorbell)) {
	case RSU_PROG_READY:
		return FW_UPLOAD_ERR_NONE;
	case RSU_PROG_PREPARE:
		log_error_regs(sec, doorbell);
		return FW_UPLOAD_ERR_TIMEOUT;
	default:
		log_error_regs(sec, doorbell);
		return FW_UPLOAD_ERR_HW_ERROR;
	}
}
/*
 * Set host status WRITE_DONE in the doorbell register, then poll until the
 * progress field leaves READY.
 *
 * Returns FW_UPLOAD_ERR_NONE when the resulting status is NORMAL, NIOS_OK,
 * USER_OK or FACTORY_OK; FW_UPLOAD_ERR_HW_ERROR for any other status;
 * FW_UPLOAD_ERR_TIMEOUT if the poll times out; FW_UPLOAD_ERR_RW_ERROR on
 * register access failure.
 */
static enum fw_upload_err rsu_send_data(struct m10bmc_sec *sec)
{
	struct regmap *map = sec->m10bmc->regmap;
	u32 doorbell, status;
	int ret;

	ret = regmap_update_bits(map, M10BMC_SYS_BASE + M10BMC_DOORBELL,
				 DRBL_HOST_STATUS,
				 FIELD_PREP(DRBL_HOST_STATUS,
					    HOST_STATUS_WRITE_DONE));
	if (ret)
		return FW_UPLOAD_ERR_RW_ERROR;

	ret = regmap_read_poll_timeout(map,
				       M10BMC_SYS_BASE + M10BMC_DOORBELL,
				       doorbell,
				       rsu_prog(doorbell) != RSU_PROG_READY,
				       NIOS_HANDSHAKE_INTERVAL_US,
				       NIOS_HANDSHAKE_TIMEOUT_US);
	if (ret) {
		if (ret != -ETIMEDOUT)
			return FW_UPLOAD_ERR_RW_ERROR;

		log_error_regs(sec, doorbell);
		return FW_UPLOAD_ERR_TIMEOUT;
	}

	status = rsu_stat(doorbell);
	if (status == RSU_STAT_NORMAL || status == RSU_STAT_NIOS_OK ||
	    status == RSU_STAT_USER_OK || status == RSU_STAT_FACTORY_OK)
		return FW_UPLOAD_ERR_NONE;

	log_error_regs(sec, doorbell);
	return FW_UPLOAD_ERR_HW_ERROR;
}
/*
 * Read the doorbell into *doorbell and classify the update state.
 *
 * Returns 0 when progress is IDLE or RSU_DONE, -EAGAIN while the update is
 * still in an intermediate progress state, -EINVAL for an unexpected status
 * or progress value, and -EIO if the doorbell read fails (in which case
 * *doorbell is not a value this function validated).
 */
static int rsu_check_complete(struct m10bmc_sec *sec, u32 *doorbell)
{
	u32 status, progress;

	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, doorbell))
		return -EIO;

	status = rsu_stat(*doorbell);
	if (status != RSU_STAT_NORMAL && status != RSU_STAT_NIOS_OK &&
	    status != RSU_STAT_USER_OK && status != RSU_STAT_FACTORY_OK)
		return -EINVAL;

	progress = rsu_prog(*doorbell);
	if (progress == RSU_PROG_IDLE || progress == RSU_PROG_RSU_DONE)
		return 0;

	if (progress == RSU_PROG_AUTHENTICATING ||
	    progress == RSU_PROG_COPYING ||
	    progress == RSU_PROG_UPDATE_CANCEL ||
	    progress == RSU_PROG_PROGRAM_KEY_HASH)
		return -EAGAIN;

	return -EINVAL;
}
/*
 * Abort an update, which is only attempted while the progress field is READY.
 *
 * Returns FW_UPLOAD_ERR_CANCELED after writing host status ABORT_RSU,
 * FW_UPLOAD_ERR_BUSY if progress is not READY (nothing is written), and
 * FW_UPLOAD_ERR_RW_ERROR on register access failure.
 */
static enum fw_upload_err rsu_cancel(struct m10bmc_sec *sec)
{
	u32 doorbell;

	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell))
		return FW_UPLOAD_ERR_RW_ERROR;

	if (rsu_prog(doorbell) != RSU_PROG_READY)
		return FW_UPLOAD_ERR_BUSY;

	if (regmap_update_bits(sec->m10bmc->regmap,
			       M10BMC_SYS_BASE + M10BMC_DOORBELL,
			       DRBL_HOST_STATUS,
			       FIELD_PREP(DRBL_HOST_STATUS,
					  HOST_STATUS_ABORT_RSU)))
		return FW_UPLOAD_ERR_RW_ERROR;

	return FW_UPLOAD_ERR_CANCELED;
}
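/**
 * m10bmc_sec_prepare() - fw_upload .prepare op: validate size and start RSU
 * @fwl: firmware upload handle; dd_handle is the struct m10bmc_sec
 * @data: image buffer (not inspected here)
 * @size: image size in bytes
 *
 * Clears any stale cancel request, rejects an empty image or one larger than
 * M10BMC_STAGING_SIZE, then runs the idle check, update init and ready wait
 * in that order. A cancel that arrived during those steps is handled before
 * returning.
 *
 * Return: FW_UPLOAD_ERR_NONE on success, otherwise the first error reported
 * by a step, or the result of rsu_cancel() if a cancel was requested.
 */
static enum fw_upload_err m10bmc_sec_prepare(struct fw_upload *fwl,
					     const u8 *data, u32 size)
{
	struct m10bmc_sec *sec = fwl->dd_handle;
	/* Typed as the enum the helpers return, instead of a bare u32. */
	enum fw_upload_err ret;

	sec->cancel_request = false;

	/* The image must fit the staging area that the write op fills. */
	if (!size || size > M10BMC_STAGING_SIZE)
		return FW_UPLOAD_ERR_INVALID_SIZE;

	ret = rsu_check_idle(sec);
	if (ret != FW_UPLOAD_ERR_NONE)
		return ret;

	ret = rsu_update_init(sec);
	if (ret != FW_UPLOAD_ERR_NONE)
		return ret;

	ret = rsu_prog_ready(sec);
	if (ret != FW_UPLOAD_ERR_NONE)
		return ret;

	if (sec->cancel_request)
		return rsu_cancel(sec);

	return FW_UPLOAD_ERR_NONE;
}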
#define WRITE_BLOCK_SIZE 0x4000	/* Default write-block size is 0x4000 bytes */

/*
 * fw_upload .write op: copy up to WRITE_BLOCK_SIZE bytes of @data, starting
 * at @offset, into the staging area at M10BMC_STAGING_BASE + @offset and
 * report the number of bytes consumed through @written.
 *
 * A pending cancel request is honoured first. The write is refused with
 * FW_UPLOAD_ERR_HW_ERROR unless the doorbell progress field is READY.
 *
 * NOTE(review): @offset and @size are not range-checked here; this relies on
 * the caller keeping them within the size accepted by m10bmc_sec_prepare().
 * Confirm against the firmware-upload core.
 */
static enum fw_upload_err m10bmc_sec_write(struct fw_upload *fwl, const u8 *data,
					   u32 offset, u32 size, u32 *written)
{
	struct m10bmc_sec *sec = fwl->dd_handle;
	struct regmap *map = sec->m10bmc->regmap;
	unsigned int stride, tail, extra = 0;
	u32 blk_size, doorbell, extra_offset;

	stride = regmap_get_reg_stride(map);

	if (sec->cancel_request)
		return rsu_cancel(sec);

	if (m10bmc_sys_read(sec->m10bmc, M10BMC_DOORBELL, &doorbell))
		return FW_UPLOAD_ERR_RW_ERROR;

	if (rsu_prog(doorbell) != RSU_PROG_READY) {
		log_error_regs(sec, doorbell);
		return FW_UPLOAD_ERR_HW_ERROR;
	}

	WARN_ON_ONCE(WRITE_BLOCK_SIZE % stride);

	blk_size = min_t(u32, WRITE_BLOCK_SIZE, size);
	if (regmap_bulk_write(map, M10BMC_STAGING_BASE + offset,
			      data + offset, blk_size / stride))
		return FW_UPLOAD_ERR_RW_ERROR;

	/*
	 * If blk_size is not aligned to stride, then handle the extra
	 * bytes with regmap_write. 'extra' starts at zero, so the bytes of
	 * the final register that the image does not cover are written as 0.
	 * NOTE(review): assumes stride <= sizeof(extra) - confirm.
	 */
	tail = blk_size % stride;
	if (tail) {
		extra_offset = offset + ALIGN_DOWN(blk_size, stride);
		memcpy(&extra, data + extra_offset, tail);

		if (regmap_write(map, M10BMC_STAGING_BASE + extra_offset,
				 extra))
			return FW_UPLOAD_ERR_RW_ERROR;
	}

	*written = blk_size;
	return FW_UPLOAD_ERR_NONE;
}
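/**
 * m10bmc_sec_poll_complete() - fw_upload .poll_complete op
 * @fwl: firmware upload handle; dd_handle is the struct m10bmc_sec
 *
 * Honours a pending cancel request, signals that the image has been written
 * (rsu_send_data()), then polls rsu_check_complete() every
 * RSU_COMPLETE_INTERVAL_MS for up to RSU_COMPLETE_TIMEOUT_MS.
 *
 * Return: FW_UPLOAD_ERR_NONE when the update completed,
 * FW_UPLOAD_ERR_TIMEOUT if it was still in progress at the deadline,
 * FW_UPLOAD_ERR_RW_ERROR on a doorbell read failure, FW_UPLOAD_ERR_HW_ERROR
 * for an unexpected status or progress value, or the result of rsu_cancel().
 */
static enum fw_upload_err m10bmc_sec_poll_complete(struct fw_upload *fwl)
{
	struct m10bmc_sec *sec = fwl->dd_handle;
	unsigned long poll_timeout;
	/* Typed as the enum rsu_send_data() returns, instead of a bare u32. */
	enum fw_upload_err result;
	u32 doorbell;
	int ret;

	if (sec->cancel_request)
		return rsu_cancel(sec);

	result = rsu_send_data(sec);
	if (result != FW_UPLOAD_ERR_NONE)
		return result;

	poll_timeout = jiffies + msecs_to_jiffies(RSU_COMPLETE_TIMEOUT_MS);
	do {
		msleep(RSU_COMPLETE_INTERVAL_MS);
		ret = rsu_check_complete(sec, &doorbell);
	} while (ret == -EAGAIN && !time_after(jiffies, poll_timeout));

	if (ret == -EAGAIN) {
		log_error_regs(sec, doorbell);
		return FW_UPLOAD_ERR_TIMEOUT;
	} else if (ret == -EIO) {
		/* The read failed, so there is no doorbell value to log. */
		return FW_UPLOAD_ERR_RW_ERROR;
	} else if (ret) {
		log_error_regs(sec, doorbell);
		return FW_UPLOAD_ERR_HW_ERROR;
	}

	return FW_UPLOAD_ERR_NONE;
}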
/*
* m10bmc_sec_cancel() may be called asynchronously with an on-going update.
* All other functions are called sequentially in a single thread. To avoid
* contention on register accesses, m10bmc_sec_cancel() must only update
* the cancel_request flag. Other functions will check this flag and handle
* the cancel request synchronously.
*/
static void m10bmc_sec_cancel(struct fw_upload *fwl)
{
	struct m10bmc_sec *priv = fwl->dd_handle;

	/* Flag only: no register access happens on this path. */
	priv->cancel_request = true;
}
/*
 * fw_upload .cleanup op: ask the device to abort whatever is left of the
 * update. rsu_cancel() only writes the abort when progress is READY, and its
 * result is deliberately discarded.
 */
static void m10bmc_sec_cleanup(struct fw_upload *fwl)
{
	struct m10bmc_sec *priv = fwl->dd_handle;

	(void)rsu_cancel(priv);
}
/* Callbacks handed to firmware_upload_register() in m10bmc_sec_probe(). */
static const struct fw_upload_ops m10bmc_ops = {
	.prepare = m10bmc_sec_prepare,
	.write = m10bmc_sec_write,
	.poll_complete = m10bmc_sec_poll_complete,
	.cancel = m10bmc_sec_cancel,	/* only sets the cancel_request flag */
	.cleanup = m10bmc_sec_cleanup,
};
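#define SEC_UPDATE_LEN_MAX 32

/**
 * m10bmc_sec_probe() - bind the secure-update platform device
 * @pdev: platform device created by the parent MAX10 BMC driver
 *
 * Allocates the per-device state, reserves an ID in fw_upload_xa, builds the
 * "secure-update<id>" firmware name and registers the firmware-upload ops.
 *
 * Return: 0 on success or a negative errno. On failure every resource taken
 * so far is released, including the xarray ID.
 */
static int m10bmc_sec_probe(struct platform_device *pdev)
{
	char buf[SEC_UPDATE_LEN_MAX];
	struct m10bmc_sec *sec;
	struct fw_upload *fwl;
	unsigned int len;
	int ret;

	/* devm allocation: released automatically when the device unbinds. */
	sec = devm_kzalloc(&pdev->dev, sizeof(*sec), GFP_KERNEL);
	if (!sec)
		return -ENOMEM;

	sec->dev = &pdev->dev;
	sec->m10bmc = dev_get_drvdata(pdev->dev.parent);
	dev_set_drvdata(&pdev->dev, sec);

	ret = xa_alloc(&fw_upload_xa, &sec->fw_name_id, sec,
		       xa_limit_32b, GFP_KERNEL);
	if (ret)
		return ret;

	len = scnprintf(buf, SEC_UPDATE_LEN_MAX, "secure-update%d",
			sec->fw_name_id);
	sec->fw_name = kmemdup_nul(buf, len, GFP_KERNEL);
	if (!sec->fw_name) {
		/* The original returned here without erasing the xarray ID. */
		ret = -ENOMEM;
		goto fw_name_fail;
	}

	fwl = firmware_upload_register(THIS_MODULE, sec->dev, sec->fw_name,
				       &m10bmc_ops, sec);
	if (IS_ERR(fwl)) {
		dev_err(sec->dev, "Firmware Upload driver failed to start\n");
		ret = PTR_ERR(fwl);
		goto fw_uploader_fail;
	}

	sec->fwl = fwl;
	return 0;

fw_uploader_fail:
	kfree(sec->fw_name);
fw_name_fail:
	xa_erase(&fw_upload_xa, sec->fw_name_id);
	return ret;
}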
/*
 * Undo m10bmc_sec_probe(): unregister the firmware uploader first, then free
 * the name it was registered with and release the xarray ID. The state struct
 * itself was allocated with devm_kzalloc() and is not freed here.
 */
static int m10bmc_sec_remove(struct platform_device *pdev)
{
	struct m10bmc_sec *priv = dev_get_drvdata(&pdev->dev);

	firmware_upload_unregister(priv->fwl);
	kfree(priv->fw_name);
	xa_erase(&fw_upload_xa, priv->fw_name_id);

	return 0;
}
/* Platform device names this driver binds to; the empty entry ends the table. */
static const struct platform_device_id intel_m10bmc_sec_ids[] = {
	{
		.name = "n3000bmc-sec-update",
	},
	{ }
};
MODULE_DEVICE_TABLE(platform, intel_m10bmc_sec_ids);
/*
 * Platform driver definition. .dev_groups points at the attribute groups
 * that contain the read-only "security" sysfs group defined in this file.
 */
static struct platform_driver intel_m10bmc_sec_driver = {
	.probe = m10bmc_sec_probe,
	.remove = m10bmc_sec_remove,
	.driver = {
		.name = "intel-m10bmc-sec-update",
		.dev_groups = m10bmc_sec_attr_groups,
	},
	.id_table = intel_m10bmc_sec_ids,
};
module_platform_driver(intel_m10bmc_sec_driver);

MODULE_AUTHOR("Intel Corporation");
MODULE_DESCRIPTION("Intel MAX10 BMC Secure Update");
MODULE_LICENSE("GPL");