Re: [PATCH v3 00/27] Thunderbolt security levels and NVM firmware upgrade

From: Andy Shevchenko
Date: Fri Jun 02 2017 - 14:00:39 EST

Next message: Darrick J. Wong: "Re: [PATCH v2 27/28] ext4: xattr inode deduplication"
Previous message: John Stultz: "Re: [PATCH][REGRESSION] drm: kirin: Fix drm_of_find_panel_or_bridge conversion"
In reply to: Andreas Noever: "Re: [PATCH v3 08/27] thunderbolt: Introduce thunderbolt bus and connection manager"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH v3 00/27] Thunderbolt security levels and NVM firmware upgrade"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2017-06-02 at 17:04 +0300, Mika Westerberg wrote:
> Hi,
>
> This is a third version of the patch series adding support for
> Thunderbolt
> security levels and NVM firmware upgrade. PCs running Intel Falcon
> Ridge or
> newer need these in order to connect devices if the security level is
> set
> to "user(SL1) or secure(SL2)" from BIOS.
>
> The security levels were added to to prevent DMA attacks when PCIe is
> tunneled over Thunderbolt fabric where IOMMU is not available or
> cannot be
> enabled for different reasons.
>
> This series converts the Thunderbolt driver to a Linux bus and makes
> each
> Thunderbolt device (aka Thunderbolt switch or router or endpoint) a
> Linux
> device which is connected to that bus addressed by their routing
> string
> (this is the addressing Thunderbolt uses).
>
> With these patches the user can authorize devices using sysfs
> attributes
> like (following USB):
>
> Â # echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized
>
> If the BIOS security level is set to "secure" and the device supports
> secure connect on the first connect the device is uploaded a random
> key:
>
> Â # key=$(openssl rand -hex 32)
> Â # echo $key > /sys/bus/thunderbolt/devices/0-1/key
> Â # echo 1 > /sys/bus/thunderbolt/devices/0-1/authorized
>
> Next time the device is plugged in the user can verify (challenge) the
> device using the same key:
>
> Â # echo $key > /sys/bus/thunderbolt/devices/0-1/key
> Â # echo 2 > /sys/bus/thunderbolt/devices/0-1/authorized
>
> The device identification information is found below each device sysfs
> node and includes following attributes:
>
> Â device - Device ID
> Â device_name - Name of the device
> Â vendor - Vendor ID
> Â vendor_name - Name of the vendor
> Â unique_id - Unique ID string identifying this particular
> device
>
> In addition these patches add support for upgrading NVM firmware
> running on
> a host or device by running something like:
>
> Â # dd if=KYK_TBT_FW_0018.bin of=/sys/bus/thunderbolt/devices/0-
> 0/nvm_non_active0/nvmem
> Â # echo 1 > /sys/bus/thunderbolt/devices/0-0/nvm_authenticate
>
> More information how to use the Thunderbolt bus can be found in patch
> [26/27].
>
> Where Internal Connection Manager (ICM) firmware is available and
> usable,
> we use it in the driver. This also includes newer Apple Macbooks with
> Alpine Ridge. For older Macbooks the driver works as before but in
> addition
> the Thunderbolt bus is available there as well (including possibility
> to
> upgrade NVM firmware of connected devices).
>
> Note for Macs the Linux native PCIe hotplug support does not work well
> with
> the Thunderbolt PCIe topologies where there is need to put all
> available
> resources to the PCIe downstream port where the PCIe chain is
> extended.
> This is something we need to fix. In the mean time is a way to work it
> around by passing "pci=hpbussize=10,hpmemsize=2M" or so to the kernel
> command line.
>
> Regarding Christoph's UUID series here [1], they now include the
> existing
> types for backwards compatibility so this series compiles and works
> fine
> with them. We will convert the Thunderbolt driver to use these new
> types
> once that series hits mainline.
>
> Andreas and Lukas, do you have any comments or concerns regarding this
> series?
>
> We are currently porting Amir's network driver on top of the
> Thunderbolt
> bus.
>
> The previous version (v2) can be found in [2].
>
> [1] http://git.infradead.org/users/hch/misc.git/shortlog/refs/heads/uu
> id-types
> [2] https://lwn.net/Articles/723935/
>

Awesome work, Mika!

Have no more to comment.

> Changes from the previos version (v2):
>
> [PATCH v2 03/27] thunderbolt: Do not try to read UID if DROM offset is
> read as 0
> Â - Add Suggested-by Andreas
>
> [PATCH v2 07/27] thunderbolt: Allow passing NULL to tb_ctl_free()
> Â - Add Suggested-by Andy
>
> [PATCH v2 09/27] thunderbolt: Convert switch to a device
> Â - Rework comment regarding UUID to mention that it is not strictly
> ÂÂÂÂfollowing rules of UUID format.
> Â - Update Documentation/ABI/testing/sysfs-bus-thunderbolt unique_id
> ÂÂÂÂattribute description accordingly.
>
> [PATCH v2 12/27] thunderbolt: Refactor and fix parsing of port drom
> entries
> Â - Add Reviewed-by Andy
>
> [PATCH v2 13/27] thunderbolt: Read vendor and device name from DROM
> Â - Use ksrtndup() instead and drop parse_name()
>
> [PATCH v2 21/27] thunderbolt: Store Thunderbolt generation in the
> switch structure
> Â - Make the unknown switch defaulting to generation 1 more explicit
> Â - Add Reviewed-by Andy
>
> [PATCH v2 24/27] thunderbolt: Add support for Internal Connection
> Manager (ICM)
> Â - Allow secure connect only when BIOS setting is in "secure
> ÂÂÂÂconnect/SL2" to follow what Windows does.
>
> [PATCH v2 25/27] thunderbolt: Add support for host and device NVM
> firmware upgrade
> Â - Add check for sw->nvm in nvm_authenticate_store() to prevent NULL
> ÂÂÂÂpointer dereference when NVMem devices are not yet added.
>
> [PATCH v2 26/27] thunderbolt: Add documentation how Thunderbolt bus
> can be used
> Â - Update documentation to mention that secure connect is only
> ÂÂÂÂavailable when the BIOS setting is in "secure connect/SL2".
>
> Lukas Wunner (1):
> Â thunderbolt: Refactor and fix parsing of port drom entries
>
> Mika Westerberg (26):
> Â thunderbolt: Use const buffer pointer in write operations
> Â thunderbolt: No need to read UID of the root switch on resume
> Â thunderbolt: Do not try to read UID if DROM offset is read as 0
> Â thunderbolt: Do not warn about newer DROM versions
> Â thunderbolt: Add MSI-X support
> Â thunderbolt: Rework capability handling
> Â thunderbolt: Allow passing NULL to tb_ctl_free()
> Â thunderbolt: Introduce thunderbolt bus and connection manager
> Â thunderbolt: Convert switch to a device
> Â thunderbolt: Fail switch adding operation if reading DROM fails
> Â thunderbolt: Do not fail if DROM data CRC32 is invalid
> Â thunderbolt: Read vendor and device name from DROM
> Â thunderbolt: Move control channel messages to tb_msgs.h
> Â thunderbolt: Expose get_route() to other files
> Â thunderbolt: Expose make_header() to other files
> Â thunderbolt: Let the connection manager handle all notifications
> Â thunderbolt: Rework control channel to be more reliable
> Â thunderbolt: Add new Thunderbolt PCI IDs
> Â thunderbolt: Add support for NHI mailbox
> Â thunderbolt: Store Thunderbolt generation in the switch structure
> Â thunderbolt: Add support for DMA configuration based mailbox
> Â thunderbolt: Do not touch the hardware if the NHI is gone on resume
> Â thunderbolt: Add support for Internal Connection Manager (ICM)
> Â thunderbolt: Add support for host and device NVM firmware upgrade
> Â thunderbolt: Add documentation how Thunderbolt bus can be used
> Â MAINTAINERS: Add maintainers for Thunderbolt driver
>
> ÂDocumentation/ABI/testing/sysfs-bus-thunderbolt |ÂÂ110 +++
> ÂDocumentation/admin-guide/index.rstÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂÂÂ1 +
> ÂDocumentation/admin-guide/thunderbolt.rstÂÂÂÂÂÂÂ|ÂÂ199 ++++
> ÂMAINTAINERSÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂÂÂ3 +
> Âdrivers/thunderbolt/KconfigÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂÂ13 +-
> Âdrivers/thunderbolt/MakefileÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂÂÂ2 +-
> Âdrivers/thunderbolt/cap.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂ169 ++--
> Âdrivers/thunderbolt/ctl.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂ665 +++++++++----
> Âdrivers/thunderbolt/ctl.hÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂ105 +-
> Âdrivers/thunderbolt/dma_port.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂ524 ++++++++++
> Âdrivers/thunderbolt/dma_port.hÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂÂ34 +
> Âdrivers/thunderbolt/domain.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂ455 +++++++++
> Âdrivers/thunderbolt/eeprom.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂ119 ++-
> Âdrivers/thunderbolt/icm.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ| 1089
> +++++++++++++++++++++
> Âdrivers/thunderbolt/nhi.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂ306 +++++-
> Âdrivers/thunderbolt/nhi.hÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂÂ93 +-
> Âdrivers/thunderbolt/nhi_regs.hÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂÂ27 +
> Âdrivers/thunderbolt/switch.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ| 1178
> +++++++++++++++++++++--
> Âdrivers/thunderbolt/tb.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂ237 +++--
> Âdrivers/thunderbolt/tb.hÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂ251 ++++-
> Âdrivers/thunderbolt/tb_msgs.hÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂ260 +++++
> Âdrivers/thunderbolt/tb_regs.hÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂÂ50 +-
> Âdrivers/thunderbolt/tunnel_pci.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂÂ17 +-
> Â23 files changed, 5323 insertions(+), 584 deletions(-)
> Âcreate mode 100644 Documentation/ABI/testing/sysfs-bus-thunderbolt
> Âcreate mode 100644 Documentation/admin-guide/thunderbolt.rst
> Âcreate mode 100644 drivers/thunderbolt/dma_port.c
> Âcreate mode 100644 drivers/thunderbolt/dma_port.h
> Âcreate mode 100644 drivers/thunderbolt/domain.c
> Âcreate mode 100644 drivers/thunderbolt/icm.c
> Âcreate mode 100644 drivers/thunderbolt/tb_msgs.h
>

--
Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
Intel Finland Oy

Next message: Darrick J. Wong: "Re: [PATCH v2 27/28] ext4: xattr inode deduplication"
Previous message: John Stultz: "Re: [PATCH][REGRESSION] drm: kirin: Fix drm_of_find_panel_or_bridge conversion"
In reply to: Andreas Noever: "Re: [PATCH v3 08/27] thunderbolt: Introduce thunderbolt bus and connection manager"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH v3 00/27] Thunderbolt security levels and NVM firmware upgrade"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]