lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160927093100.GA19121@intel.com>
Date:   Tue, 27 Sep 2016 12:31:00 +0300
From:   Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
To:     Tomas Winkler <tomas.winkler@...el.com>
Cc:     tpmdd-devel@...ts.sourceforge.net,
        Jason Gunthorpe <jgunthorpe@...idianresearch.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 2/4] tmp/tpm_crb: fix Intel PTT hw bug during idle
 state

On Thu, Sep 15, 2016 at 09:23:29AM +0300, Jarkko Sakkinen wrote:
> On Mon, Sep 12, 2016 at 04:04:19PM +0300, Tomas Winkler wrote:
> > There is a HW bug in Skylake, and Broxton PCH Intel PTT device, where
> > most of the registers in the control area except START, REQUEST, CANCEL,
> > and LOC_CTRL lost retention when the device is in the idle state. Hence
> > we need to bring the device to ready state before accessing the other
> > registers. The fix brings device to ready state before trying to read
> > command and response buffer addresses in order to remap the for access.
> > 
> > Signed-off-by: Tomas Winkler <tomas.winkler@...el.com>
> 
> Tested-by: Jarkko Sakkinen <jarkko.sakkinn@...ux.intel.com>
> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinn@...ux.intel.com>

I noticed something odd or at least not described in the commit message.

> /Jarkko
> 
> > ---
> > V2: cmd read need to be called also before crb_init as this will run
> >  self test.
> > V3: resend.
> > 
> >  drivers/char/tpm/tpm_crb.c | 47 ++++++++++++++++++++++++++++++++++++++--------
> >  1 file changed, 39 insertions(+), 8 deletions(-)
> > 
> > diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
> > index b6923a8b3ff7..e945177cf2c8 100644
> > --- a/drivers/char/tpm/tpm_crb.c
> > +++ b/drivers/char/tpm/tpm_crb.c
> > @@ -318,6 +318,7 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
> >  	struct list_head resources;
> >  	struct resource io_res;
> >  	struct device *dev = &device->dev;
> > +	u32 pa_high, pa_low;
> >  	u64 cmd_pa;
> >  	u32 cmd_size;
> >  	u64 rsp_pa;
> > @@ -345,12 +346,27 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
> >  	if (IS_ERR(priv->cca))
> >  		return PTR_ERR(priv->cca);
> >  
> > -	cmd_pa = ((u64) ioread32(&priv->cca->cmd_pa_high) << 32) |
> > -		  (u64) ioread32(&priv->cca->cmd_pa_low);
> > +	/*
> > +	 * PTT HW bug w/a: wake up the device to access
> > +	 * possibly not retained registers.
> > +	 */
> > +	ret = crb_cmd_ready(dev, priv);
> > +	if (ret)
> > +		return ret;
> > +
> > +	pa_high = ioread32(&priv->cca->cmd_pa_high);
> > +	pa_low  = ioread32(&priv->cca->cmd_pa_low);
> > +	cmd_pa = ((u64)pa_high << 32) | pa_low;
> >  	cmd_size = ioread32(&priv->cca->cmd_size);
> > +
> > +	dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n",
> > +		pa_high, pa_low, cmd_size);
> > +
> >  	priv->cmd = crb_map_res(dev, priv, &io_res, cmd_pa, cmd_size);
> > -	if (IS_ERR(priv->cmd))
> > -		return PTR_ERR(priv->cmd);
> > +	if (IS_ERR(priv->cmd)) {
> > +		ret = PTR_ERR(priv->cmd);
> > +		goto out;
> > +	}
> >  
> >  	memcpy_fromio(&rsp_pa, &priv->cca->rsp_pa, 8);
> >  	rsp_pa = le64_to_cpu(rsp_pa);
> > @@ -358,7 +374,8 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
> >  
> >  	if (cmd_pa != rsp_pa) {
> >  		priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size);
> > -		return PTR_ERR_OR_ZERO(priv->rsp);
> > +		ret = PTR_ERR_OR_ZERO(priv->rsp);
> > +		goto out;
> >  	}
> >  
> >  	/* According to the PTP specification, overlapping command and response
> > @@ -366,12 +383,18 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
> >  	 */
> >  	if (cmd_size != rsp_size) {
> >  		dev_err(dev, FW_BUG "overlapping command and response buffer sizes are not identical");
> > -		return -EINVAL;
> > +		ret = -EINVAL;
> > +		goto out;
> >  	}
> > +
> >  	priv->cmd_size = cmd_size;
> >  
> >  	priv->rsp = priv->cmd;
> > -	return 0;
> > +
> > +out:
> > +	crb_go_idle(dev, priv);
> > +
> > +	return ret;
> >  }
> >  
> >  static int crb_acpi_add(struct acpi_device *device)
> > @@ -415,7 +438,15 @@ static int crb_acpi_add(struct acpi_device *device)
> >  	if (rc)
> >  		return rc;
> >  
> > -	return crb_init(device, priv);
> > +	rc  = crb_cmd_ready(dev, priv);
> > +	if (rc)
> > +		return rc;

You do this already in crb_map_io() that is called before crb_init().
What is the purpose of this extra crb_cmd_ready()? Looks unrelated at
least to the described workaround.

> > +
> > +	rc = crb_init(device, priv);
> > +	if (rc)
> > +		crb_go_idle(dev, priv);
> > +
> > +	return rc;
> >  }
> >  
> >  static int crb_acpi_remove(struct acpi_device *device)
> > -- 
> > 2.7.4

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ