lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <151203316887.10143.695111218800036009@mail.alporthouse.com>
Date:   Thu, 30 Nov 2017 09:12:48 +0000
From:   Chris Wilson <chris@...is-wilson.co.uk>
To:     Sean Paul <seanpaul@...omium.org>, dri-devel@...ts.freedesktop.org,
        intel-gfx@...ts.freedesktop.org
Cc:     "David Airlie" <airlied@...ux.ie>, linux-kernel@...r.kernel.org,
        "Rodrigo Vivi" <rodrigo.vivi@...el.com>
Subject: Re: [Intel-gfx] [RFC PATCH 3/6] drm/i915: Add HDCP framework + base
 implementation

Quoting Sean Paul (2017-11-30 03:08:58)
> This patch adds the framework required to add HDCP support to intel
> connectors. It implements Aksv loading from fuse, and parts 1/2/3
> of the HDCP authentication scheme.
> 
> Note that without shim implementations, this does not actually implement
> HDCP. That will come in subsequent patches.
> 
> Signed-off-by: Sean Paul <seanpaul@...omium.org>
> ---
>  drivers/gpu/drm/i915/Makefile       |   1 +
>  drivers/gpu/drm/i915/i915_reg.h     |  83 +++++
>  drivers/gpu/drm/i915/intel_atomic.c |  26 +-
>  drivers/gpu/drm/i915/intel_ddi.c    |  14 +
>  drivers/gpu/drm/i915/intel_drv.h    |  53 +++
>  drivers/gpu/drm/i915/intel_hdcp.c   | 636 ++++++++++++++++++++++++++++++++++++
>  6 files changed, 811 insertions(+), 2 deletions(-)
>  create mode 100644 drivers/gpu/drm/i915/intel_hdcp.c
> 
> diff --git a/drivers/gpu/drm/i915/Makefile b/drivers/gpu/drm/i915/Makefile
> index 6c3b0481ef82..1e745508e437 100644
> --- a/drivers/gpu/drm/i915/Makefile
> +++ b/drivers/gpu/drm/i915/Makefile
> @@ -87,6 +87,7 @@ i915-y += intel_audio.o \
>           intel_fbc.o \
>           intel_fifo_underrun.o \
>           intel_frontbuffer.o \
> +         intel_hdcp.o \
>           intel_hotplug.o \
>           intel_modes.o \
>           intel_overlay.o \
> diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
> index 68a58cce6ab1..43128030171d 100644
> --- a/drivers/gpu/drm/i915/i915_reg.h
> +++ b/drivers/gpu/drm/i915/i915_reg.h
> @@ -7991,6 +7991,7 @@ enum {
>  #define     GEN9_MEM_LATENCY_LEVEL_1_5_SHIFT   8
>  #define     GEN9_MEM_LATENCY_LEVEL_2_6_SHIFT   16
>  #define     GEN9_MEM_LATENCY_LEVEL_3_7_SHIFT   24
> +#define   SKL_PCODE_LOAD_HDCP_KEYS             0x5
>  #define   SKL_PCODE_CDCLK_CONTROL              0x7
>  #define     SKL_CDCLK_PREPARE_FOR_CHANGE       0x3
>  #define     SKL_CDCLK_READY_FOR_CHANGE         0x1
> @@ -8285,6 +8286,88 @@ enum skl_power_gate {
>  #define  SKL_PW_TO_PG(pw)                      ((pw) - SKL_DISP_PW_1 + SKL_PG1)
>  #define  SKL_FUSE_PG_DIST_STATUS(pg)           (1 << (27 - (pg)))
>  
> +
> +/* HDCP Key Registers */
> +#define SKL_HDCP_KEY_CONF              _MMIO(0x66c00)
> +#define         SKL_HDCP_AKSV_SEND_TRIGGER     BIT(31)
> +#define  SKL_HDCP_CLEAR_KEYS_TRIGGER   BIT(30)
> +#define SKL_HDCP_KEY_STATUS            _MMIO(0x66c04)
> +#define  SKL_HDCP_FUSE_IN_PROGRESS     BIT(7)
> +#define  SKL_HDCP_FUSE_ERROR           BIT(6)
> +#define  SKL_HDCP_FUSE_DONE            BIT(5)
> +#define  SKL_HDCP_KEY_LOAD_STATUS      BIT(1)
> +#define  SKL_HDCP_KEY_LOAD_DONE                BIT(0)
> +#define SKL_HDCP_AKSV_LO               _MMIO(0x66c10)
> +#define SKL_HDCP_AKSV_HI               _MMIO(0x66c14)
> +
> +/* HDCP Repeater Registers */
> +#define SKL_HDCP_REP_CTL               _MMIO(0x66d00)
> +#define  SKL_HDCP_DDIB_REP_PRESENT     BIT(30)
> +#define  SKL_HDCP_DDIA_REP_PRESENT     BIT(29)
> +#define  SKL_HDCP_DDIC_REP_PRESENT     BIT(28)
> +#define  SKL_HDCP_DDID_REP_PRESENT     BIT(27)
> +#define  SKL_HDCP_DDIF_REP_PRESENT     BIT(26)
> +#define  SKL_HDCP_DDIE_REP_PRESENT     BIT(25)
> +#define  SKL_HDCP_DDIB_SHA1_M0         (1 << 20)
> +#define  SKL_HDCP_DDIA_SHA1_M0         (2 << 20)
> +#define  SKL_HDCP_DDIC_SHA1_M0         (3 << 20)
> +#define  SKL_HDCP_DDID_SHA1_M0         (4 << 20)
> +#define  SKL_HDCP_DDIF_SHA1_M0         (5 << 20)
> +#define  SKL_HDCP_DDIE_SHA1_M0         (6 << 20) // Bspec says 5?
> +#define  SKL_HDCP_SHA1_BUSY            BIT(16)
> +#define  SKL_HDCP_SHA1_READY           BIT(17)
> +#define  SKL_HDCP_SHA1_COMPLETE                BIT(18)
> +#define  SKL_HDCP_SHA1_V_MATCH         BIT(19)
> +#define  SKL_HDCP_SHA1_TEXT_32         (1 << 1)
> +#define  SKL_HDCP_SHA1_COMPLETE_HASH   (2 << 1)
> +#define  SKL_HDCP_SHA1_TEXT_24         (4 << 1)
> +#define  SKL_HDCP_SHA1_TEXT_16         (5 << 1)
> +#define  SKL_HDCP_SHA1_TEXT_8          (6 << 1)
> +#define  SKL_HDCP_SHA1_TEXT_0          (7 << 1)
> +#define SKL_HDCP_SHA_V_PRIME_H0                _MMIO(0x66d04)
> +#define SKL_HDCP_SHA_V_PRIME_H1                _MMIO(0x66d08)
> +#define SKL_HDCP_SHA_V_PRIME_H2                _MMIO(0x66d0C)
> +#define SKL_HDCP_SHA_V_PRIME_H3                _MMIO(0x66d10)
> +#define SKL_HDCP_SHA_V_PRIME_H4                _MMIO(0x66d14)
> +#define SKL_HDCP_SHA_V_PRIME(h)                _MMIO((0x66d04 + h * 4))
> +#define SKL_HDCP_SHA_TEXT              _MMIO(0x66d18)
> +
> +/* HDCP Auth Registers */
> +#define _SKL_PORTA_HDCP_AUTHENC                0x66800
> +#define _SKL_PORTB_HDCP_AUTHENC                0x66500
> +#define _SKL_PORTC_HDCP_AUTHENC                0x66600
> +#define _SKL_PORTD_HDCP_AUTHENC                0x66700
> +#define _SKL_PORTE_HDCP_AUTHENC                0x66A00
> +#define _SKL_PORTF_HDCP_AUTHENC                0x66900
> +#define _SKL_PORT_HDCP_AUTHENC(port, x)        _MMIO(_PICK(port, \
> +                                         _SKL_PORTA_HDCP_AUTHENC, \
> +                                         _SKL_PORTB_HDCP_AUTHENC, \
> +                                         _SKL_PORTC_HDCP_AUTHENC, \
> +                                         _SKL_PORTD_HDCP_AUTHENC, \
> +                                         _SKL_PORTE_HDCP_AUTHENC, \
> +                                         _SKL_PORTF_HDCP_AUTHENC) + x)
> +#define SKL_PORT_HDCP_CONF(port)       _SKL_PORT_HDCP_AUTHENC(port, 0x0)
> +#define  SKL_HDCP_CONF_CAPTURE_AN      BIT(0)
> +#define  SKL_HDCP_CONF_AUTH_AND_ENC    (BIT(1) | BIT(0))
> +#define SKL_PORT_HDCP_ANINIT(port)     _SKL_PORT_HDCP_AUTHENC(port, 0x4)
> +#define SKL_PORT_HDCP_ANLO(port)       _SKL_PORT_HDCP_AUTHENC(port, 0x8)
> +#define SKL_PORT_HDCP_ANHI(port)       _SKL_PORT_HDCP_AUTHENC(port, 0xC)
> +#define SKL_PORT_HDCP_BKSVLO(port)     _SKL_PORT_HDCP_AUTHENC(port, 0x10)
> +#define SKL_PORT_HDCP_BKSVHI(port)     _SKL_PORT_HDCP_AUTHENC(port, 0x14)
> +#define SKL_PORT_HDCP_RPRIME(port)     _SKL_PORT_HDCP_AUTHENC(port, 0x18)
> +#define SKL_PORT_HDCP_STATUS(port)     _SKL_PORT_HDCP_AUTHENC(port, 0x1C)
> +#define  SKL_HDCP_STATUS_STREAM_A_ENC  BIT(31)
> +#define  SKL_HDCP_STATUS_STREAM_B_ENC  BIT(30)
> +#define  SKL_HDCP_STATUS_STREAM_C_ENC  BIT(29)
> +#define  SKL_HDCP_STATUS_STREAM_D_ENC  BIT(28)
> +#define  SKL_HDCP_STATUS_AUTH          BIT(21)
> +#define  SKL_HDCP_STATUS_ENC           BIT(20)
> +#define  SKL_HDCP_STATUS_RI_MATCH      BIT(19)
> +#define  SKL_HDCP_STATUS_R0_READY      BIT(18)
> +#define  SKL_HDCP_STATUS_AN_READY      BIT(17)
> +#define  SKL_HDCP_STATUS_CIPHER                BIT(16)
> +#define  SKL_HDCP_STATUS_FRAME_CNT(x)  ((x >> 8) & 0xff)
> +
>  /* Per-pipe DDI Function Control */
>  #define _TRANS_DDI_FUNC_CTL_A          0x60400
>  #define _TRANS_DDI_FUNC_CTL_B          0x61400
> diff --git a/drivers/gpu/drm/i915/intel_atomic.c b/drivers/gpu/drm/i915/intel_atomic.c
> index 36d4e635e4ce..ddf08227d9cb 100644
> --- a/drivers/gpu/drm/i915/intel_atomic.c
> +++ b/drivers/gpu/drm/i915/intel_atomic.c
> @@ -109,12 +109,34 @@ int intel_digital_connector_atomic_check(struct drm_connector *conn,
>         struct intel_digital_connector_state *old_conn_state =
>                 to_intel_digital_connector_state(old_state);
>         struct drm_crtc_state *crtc_state;
> -
> -       if (!new_state->crtc)
> +       uint64_t old_cp = old_conn_state->base.content_protection;
> +       uint64_t new_cp = new_state->content_protection;
> +
> +       if (!new_state->crtc) {
> +               /* 
> +                * If the connector is being disabled with CP enabled, mark it
> +                * desired so it's re-enabled when the connector is brought back
> +                */
> +               if (old_cp == DRM_MODE_CONTENT_PROTECTION_ENABLED)
> +                       new_state->content_protection =
> +                               DRM_MODE_CONTENT_PROTECTION_DESIRED;
>                 return 0;
> +       }
>  
>         crtc_state = drm_atomic_get_new_crtc_state(new_state->state, new_state->crtc);
>  
> +       if (new_cp != old_cp) {
> +               /* Only drivers can set content protection enabled */
> +               if (new_cp == DRM_MODE_CONTENT_PROTECTION_ENABLED)
> +                       new_state->content_protection =
> +                               DRM_MODE_CONTENT_PROTECTION_DESIRED;
> +
> +               /* Involve the encoder/connector to enable/disable CP */
> +               if (new_cp == DRM_MODE_CONTENT_PROTECTION_OFF ||
> +                   old_cp == DRM_MODE_CONTENT_PROTECTION_OFF)
> +                       crtc_state->mode_changed = true;
> +       }
> +
>         /*
>          * These properties are handled by fastset, and might not end
>          * up in a modeset.
> diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c
> index 933c18fd4258..0e69337f410d 100644
> --- a/drivers/gpu/drm/i915/intel_ddi.c
> +++ b/drivers/gpu/drm/i915/intel_ddi.c
> @@ -2432,10 +2432,17 @@ static void intel_enable_ddi(struct intel_encoder *encoder,
>                              const struct intel_crtc_state *crtc_state,
>                              const struct drm_connector_state *conn_state)
>  {
> +       struct drm_connector *connector = conn_state->connector;
> +       struct intel_connector *intel_connector = to_intel_connector(connector);
> +
>         if (intel_crtc_has_type(crtc_state, INTEL_OUTPUT_HDMI))
>                 intel_enable_ddi_hdmi(encoder, crtc_state, conn_state);
>         else
>                 intel_enable_ddi_dp(encoder, crtc_state, conn_state);
> +
> +       if (conn_state->content_protection ==
> +                       DRM_MODE_CONTENT_PROTECTION_DESIRED)
> +               intel_hdcp_enable(intel_connector);
>  }
>  
>  static void intel_disable_ddi_dp(struct intel_encoder *encoder,
> @@ -2468,10 +2475,17 @@ static void intel_disable_ddi(struct intel_encoder *encoder,
>                               const struct intel_crtc_state *old_crtc_state,
>                               const struct drm_connector_state *old_conn_state)
>  {
> +       struct drm_connector *connector = old_conn_state->connector;
> +       struct intel_connector *intel_connector = to_intel_connector(connector);
> +
>         if (intel_crtc_has_type(old_crtc_state, INTEL_OUTPUT_HDMI))
>                 intel_disable_ddi_hdmi(encoder, old_crtc_state, old_conn_state);
>         else
>                 intel_disable_ddi_dp(encoder, old_crtc_state, old_conn_state);
> +
> +       if (old_conn_state->content_protection !=
> +                       DRM_MODE_CONTENT_PROTECTION_OFF)
> +               intel_hdcp_disable(intel_connector);
>  }
>  
>  static void bxt_ddi_pre_pll_enable(struct intel_encoder *encoder,
> diff --git a/drivers/gpu/drm/i915/intel_drv.h b/drivers/gpu/drm/i915/intel_drv.h
> index 47d022d48718..8924004575b8 100644
> --- a/drivers/gpu/drm/i915/intel_drv.h
> +++ b/drivers/gpu/drm/i915/intel_drv.h
> @@ -299,6 +299,49 @@ struct intel_panel {
>         } backlight;
>  };
>  
> +struct intel_hdcp_shim {
> +       /* Outputs the transmitter's An and Aksv values to the receiver. */
> +       int (*write_an_aksv)(struct intel_digital_port *intel_dig_port, u8 *an);
> +
> +       /* Reads the receiver's key selection vector */
> +       int (*read_bksv)(struct intel_digital_port *intel_dig_port, u8 *bksv);
> +
> +       /*
> +        * Reads BINFO from DP receivers and BSTATUS from HDMI receivers. The
> +        * definitions are the same in the respective specs, but the names are
> +        * different. Call it BSTATUS since that's the name the HDMI spec
> +        * uses and it was there first.
> +        */
> +       int (*read_bstatus)(struct intel_digital_port *intel_dig_port,
> +                           u8 *bstatus);
> +
> +       /* Determines whether a repeater is present downstream */
> +       int (*repeater_present)(struct intel_digital_port *intel_dig_port,
> +                               bool *repeater_present);
> +
> +       /* Reads the receiver's Ri' value */
> +       int (*read_ri_prime)(struct intel_digital_port *intel_dig_port, u8 *ri);
> +
> +       /* Determines if the receiver's KSV FIFO is ready for consumption */
> +       int (*read_ksv_ready)(struct intel_digital_port *intel_dig_port,
> +                             bool *ksv_ready);
> +
> +       /* Reads the ksv fifo for num_downstream devices */
> +       int (*read_ksv_fifo)(struct intel_digital_port *intel_dig_port,
> +                            int num_downstream, u8 *ksv_fifo);
> +
> +       /* Reads a 32-bit part of V' from the receiver */
> +       int (*read_v_prime_part)(struct intel_digital_port *intel_dig_port,
> +                                int i, u32 *part);
> +
> +       /* Enables HDCP signalling on the port */
> +       int (*toggle_signalling)(struct intel_digital_port *intel_dig_port,
> +                                bool enable);
> +
> +       /* Ensures the link is still protected */
> +       bool (*check_link)(struct intel_digital_port *intel_dig_port);
> +};
> +
>  struct intel_connector {
>         struct drm_connector base;
>         /*
> @@ -330,6 +373,9 @@ struct intel_connector {
>  
>         /* Work struct to schedule a uevent on link train failure */
>         struct work_struct modeset_retry_work;
> +
> +       const struct intel_hdcp_shim *hdcp_shim;
> +       struct delayed_work hdcp_work;
>  };
>  
>  struct intel_digital_connector_state {
> @@ -1295,6 +1341,8 @@ void intel_ddi_set_vc_payload_alloc(const struct intel_crtc_state *crtc_state,
>                                     bool state);
>  u32 bxt_signal_levels(struct intel_dp *intel_dp);
>  uint32_t ddi_signal_levels(struct intel_dp *intel_dp);
> +int intel_ddi_enable_hdcp_signalling(struct intel_encoder *intel_encoder);
> +int intel_ddi_disable_hdcp_signalling(struct intel_encoder *intel_encoder);
>  u8 intel_ddi_dp_voltage_max(struct intel_encoder *encoder);
>  
>  unsigned int intel_fb_align_height(const struct drm_framebuffer *fb,
> @@ -1746,6 +1794,11 @@ static inline void intel_backlight_device_unregister(struct intel_connector *con
>  }
>  #endif /* CONFIG_BACKLIGHT_CLASS_DEVICE */
>  
> +/* intel_hdcp.c */
> +int intel_hdcp_enable(struct intel_connector *connector);
> +int intel_hdcp_disable(struct intel_connector *connector);
> +int intel_hdcp_check_link(struct intel_connector *connector);
> +void intel_hdcp_work(struct work_struct *work);
>  
>  /* intel_psr.c */
>  void intel_psr_enable(struct intel_dp *intel_dp,
> diff --git a/drivers/gpu/drm/i915/intel_hdcp.c b/drivers/gpu/drm/i915/intel_hdcp.c
> new file mode 100644
> index 000000000000..a2a575ed657e
> --- /dev/null
> +++ b/drivers/gpu/drm/i915/intel_hdcp.c
> @@ -0,0 +1,636 @@
> +/*
> + * Copyright (C) 2017 Google, Inc.
> + *
> + * This software is licensed under the terms of the GNU General Public
> + * License version 2, as published by the Free Software Foundation, and
> + * may be copied, distributed, and modified under those terms.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + */
> +
> +#include <drm/drmP.h>
> +#include <drm/drm_hdcp.h>
> +#include <linux/i2c.h>
> +#include <linux/random.h>
> +
> +#include "intel_drv.h"
> +#include "i915_reg.h"
> +
> +#define KEY_LOAD_TRIES 5
> +
> +static int intel_hdcp_poll_ksv_fifo(struct intel_digital_port *intel_dig_port,
> +                                   const struct intel_hdcp_shim *shim)
> +{
> +       unsigned long timeout = jiffies + msecs_to_jiffies_timeout(500);
> +       int ret;
> +       bool ksv_ready;
> +
> +       while (true) {
> +               ret = shim->read_ksv_ready(intel_dig_port, &ksv_ready);
> +               if (ret)
> +                       return ret;
> +               if (ksv_ready)
> +                       break;
> +               if (time_after(jiffies, timeout))
> +                       return -ETIMEDOUT;
> +               msleep(100);
> +       }

__wait_for() (useful so that we can track all the horrible polling
code).  I hope nothing time critical contends with this path! ;)

> +       return 0;
> +}
> +
> +static void intel_hdcp_clear_keys(struct drm_i915_private *dev_priv)
> +{
> +       I915_WRITE(SKL_HDCP_KEY_CONF, SKL_HDCP_CLEAR_KEYS_TRIGGER);
> +       I915_WRITE(SKL_HDCP_KEY_STATUS,
> +                  SKL_HDCP_KEY_LOAD_DONE | SKL_HDCP_KEY_LOAD_STATUS |
> +                  SKL_HDCP_FUSE_IN_PROGRESS | SKL_HDCP_FUSE_ERROR |
> +                  SKL_HDCP_FUSE_DONE);
> +}
> +
> +static int intel_hdcp_load_keys(struct drm_i915_private *dev_priv)
> +{
> +       unsigned long timeout;
> +       int ret;
> +       u32 val;
> +
> +       // Initiate loading the HDCP key from fuses
> +       mutex_lock(&dev_priv->pcu_lock);
> +       ret = sandybridge_pcode_write(dev_priv, SKL_PCODE_LOAD_HDCP_KEYS, 1);
> +       mutex_unlock(&dev_priv->pcu_lock);
> +       if (ret) {
> +               DRM_ERROR("Failed to initiate HDCP key load (%d)\n", ret);
> +               return ret;
> +       }
> +
> +       // Wait for the keys to load (500us)
> +       timeout = jiffies + nsecs_to_jiffies_timeout(500 * 1000);
> +       while (true) {
> +               val = I915_READ(SKL_HDCP_KEY_STATUS);
> +               if (val & SKL_HDCP_KEY_LOAD_DONE)
> +                       break;
> +               if (time_after(jiffies, timeout))
> +                       return -ETIMEDOUT;
> +               usleep_range(50, 100);
> +       }
> +       if (!(val & SKL_HDCP_KEY_LOAD_STATUS))
> +               return -ENXIO;

err = __intel_wait_for_register(dev_priv,
				SKL_HDCP_KEY_STATUS,
				SKL_HDCP_KEY_LOAD_DONE,
				SKL_HDCP_KEY_LOAD_DONE,
				10, 1000, &val);
if (err)
	return err;

if (!(val & SKL_HDCP_KEY_LOAD_STATUS))
	return -ENXIO;

> +
> +       // Send Aksv over to PCH display for use in authentication
> +       I915_WRITE(SKL_HDCP_KEY_CONF, SKL_HDCP_AKSV_SEND_TRIGGER);
> +
> +       return 0;
> +}
> +
> +/* Returns updated SHA-1 index */
> +static int intel_write_sha_text(struct drm_i915_private *dev_priv, u32 sha_text)
> +{
> +       I915_WRITE(SKL_HDCP_SHA_TEXT, sha_text);

> +       if (wait_for(I915_READ(SKL_HDCP_REP_CTL) & SKL_HDCP_SHA1_READY, 1)) {

	intel_wait_for_register(dev_priv,
			       SKL_HDCP_REP_CTL,
			       SKL_HDCP_SHA1_READY,
			       1,
			       10, 1000);

The wait_for() macro is massive. If it can be done using
intel_wait_for_register, do so. If not, try to provide a function that
encapsulates the wait_for() with the functionality you need.

The advantage of intel_wait_for_register() is that switches between
polling for a fast response and sleeping for a slow response. For most
registers, they typically respond quickly.
-Chris

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ