lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ad693584-26f0-2132-afc5-3224dfe4559a@collabora.com>
Date:   Fri, 5 Apr 2019 11:24:36 +0200
From:   Enric Balletbo i Serra <enric.balletbo@...labora.com>
To:     Nick Crews <ncrews@...omium.org>, bleung@...omium.org
Cc:     linux-kernel@...r.kernel.org, alexandre.belloni@...tlin.com,
        a.zummo@...ertech.it, linux-rtc@...r.kernel.org,
        dlaurie@...omium.org, sjg@...gle.com, groeck@...gle.com,
        dtor@...gle.com
Subject: Re: [PATCH] platform/chrome: wilco_ec: Standardize mailbox interface

Hi Nick,

On 5/4/19 0:54, Nick Crews wrote:
> I sent this out previously in a series with a keyboard backlight driver
> (https://lkml.org/lkml/2019/4/4/1370), but the backlight driver is
> still in flux, and I wanted to get this committed ASAP. Thus I'm
> sending this as a separate series, in hopes that this can be
> expedited.
> 

I removed this paragraph from the patch because is not really related to the
commit message. Also you don't need to resend for this reason, I can pick-up the
patch from the series. The fact that you send this patch in the series doesn't
mean that I need to pick-up all the series ;-)

> The current API for the wilco EC mailbox interface is bad.
> 
> It assumes that most messages sent to the EC follow a similar structure,
> with a command byte in MBOX[0], followed by a junk byte, followed by
> actual data. This doesn't happen in several cases, such as setting the
> RTC time, using the raw debugfs interface, and reading or writing
> properties such as the Peak Shift policy (this last to be submitted soon).
> 
> Similarly for the response message from the EC, the current interface
> assumes that the first byte of data is always 0, and the second byte
> is unused. However, in both setting and getting the RTC time, in the
> debugfs interface, and for reading and writing properties, this isn't
> true.
> 
> The current way to resolve this is to use WILCO_EC_FLAG_RAW* flags to
> specify when and when not to skip these initial bytes in the sent and
> received message. They are confusing and used so much that they are
> normal, and not exceptions. In addition, the first byte of
> response in the debugfs interface is still always skipped, which is
> weird, since this raw interface should be giving the entire result.
> 
> Additionally, sent messages assume the first byte is a command, and so
> struct wilco_ec_message contains the "command" field. In setting or
> getting properties however, the first byte is not a command, and so this
> field has to be filled with a byte that isn't actually a command. This
> is again inconsistent.
> 
> wilco_ec_message contains a result field as well, copied from
> wilco_ec_response->result. The message result field should be removed:
> if the message fails, the cause is already logged, and the callers are
> alerted. They will never care about the actual state of the result flag.
> 
> These flags and different cases make the wilco_ec_transfer() function,
> used in wilco_ec_mailbox(), really gross, dealing with a bunch of
> different cases. It's difficult to figure out what it is doing.
> 
> Finally, making these assumptions about the structure of a message make
> it so that the messages do not correspond well with the specification
> for the EC's mailbox interface. For instance, this interface
> specification may say that MBOX[9] in the received message contains
> some information, but the calling code needs to remember that the first
> byte of response is always skipped, and because it didn't set the
> RESPONSE_RAW flag, the next byte is also skipped, so this information
> is actually contained within wilco_ec_message->response_data[7]. This
> makes it difficult to maintain this code in the future.
> 
> To fix these problems this patch standardizes the mailbox interface by:
> - Removing the WILCO_EC_FLAG_RAW* flags
> - Removing the command and reserved_raw bytes from wilco_ec_request
> - Removing the mbox0 byte from wilco_ec_response
> - Simplifying wilco_ec_transfer() because of these changes
> - Gives the callers of wilco_ec_mailbox() the responsibility of exactly
>   and consistently defining the structure of the mailbox request and
>   response
> - Removing command and result from wilco_ec_message.
> 
> This results in the reduction of total code, and makes it much more
> maintainable and understandable.
> 
> Signed-off-by: Nick Crews <ncrews@...omium.org>
> Acked-by: Alexandre Belloni <alexandre.belloni@...tlin.com>

The patch is added to the chrome-platform for-next branch for autobuilders to
play with. If all goes well I'll queue the patch for chrome-platform-5.2

Thanks,
 Enric


> ---
>  drivers/platform/chrome/wilco_ec/debugfs.c | 43 ++++++++-------
>  drivers/platform/chrome/wilco_ec/mailbox.c | 53 ++++++++----------
>  drivers/rtc/rtc-wilco-ec.c                 | 63 +++++++++++++---------
>  include/linux/platform_data/wilco-ec.h     | 22 +-------
>  4 files changed, 83 insertions(+), 98 deletions(-)
> 
> diff --git a/drivers/platform/chrome/wilco_ec/debugfs.c b/drivers/platform/chrome/wilco_ec/debugfs.c
> index c090db2cd5be..17c4c9068aaf 100644
> --- a/drivers/platform/chrome/wilco_ec/debugfs.c
> +++ b/drivers/platform/chrome/wilco_ec/debugfs.c
> @@ -10,25 +10,26 @@
>   * by reading from raw.
>   *
>   * For writing:
> - * Bytes 0-1 indicate the message type:
> - *         00 F0 = Execute Legacy Command
> - *         00 F2 = Read/Write NVRAM Property
> - * Byte 2 provides the command code
> - * Bytes 3+ consist of the data passed in the request
> + * Bytes 0-1 indicate the message type, one of enum wilco_ec_msg_type
> + * Byte 2+ consist of the data passed in the request, starting at MBOX[0]
>   *
> - * When referencing the EC interface spec, byte 2 corresponds to MBOX[0],
> - * byte 3 corresponds to MBOX[1], etc.
> - *
> - * At least three bytes are required, for the msg type and command,
> - * with additional bytes optional for additional data.
> + * At least three bytes are required for writing, two for the type and at
> + * least a single byte of data. Only the first EC_MAILBOX_DATA_SIZE bytes
> + * of MBOX will be used.
>   *
>   * Example:
>   * // Request EC info type 3 (EC firmware build date)
> - * $ echo 00 f0 38 00 03 00 > raw
> + * // Corresponds with sending type 0x00f0 with MBOX = [38, 00, 03, 00]
> + * $ echo 00 f0 38 00 03 00 > /sys/kernel/debug/wilco_ec/raw
>   * // View the result. The decoded ASCII result "12/21/18" is
>   * // included after the raw hex.
> - * $ cat raw
> - * 00 31 32 2f 32 31 2f 31 38 00 38 00 01 00 2f 00  .12/21/18.8...
> + * // Corresponds with MBOX = [00, 00, 31, 32, 2f, 32, 31, ...]
> + * $ cat /sys/kernel/debug/wilco_ec/raw
> + * 00 00 31 32 2f 32 31 2f 31 38 00 38 00 01 00 2f 00  ..12/21/18.8...
> + *
> + * Note that the first 32 bytes of the received MBOX[] will be printed,
> + * even if some of the data is junk. It is up to you to know how many of
> + * the first bytes of data are the actual response.
>   */
>  
>  #include <linux/ctype.h>
> @@ -136,18 +137,15 @@ static ssize_t raw_write(struct file *file, const char __user *user_buf,
>  	ret = parse_hex_sentence(buf, kcount, request_data, TYPE_AND_DATA_SIZE);
>  	if (ret < 0)
>  		return ret;
> -	/* Need at least two bytes for message type and one for command */
> +	/* Need at least two bytes for message type and one byte of data */
>  	if (ret < 3)
>  		return -EINVAL;
>  
> -	/* Clear response data buffer */
> -	memset(debug_info->raw_data, '\0', EC_MAILBOX_DATA_SIZE_EXTENDED);
> -
>  	msg.type = request_data[0] << 8 | request_data[1];
> -	msg.flags = WILCO_EC_FLAG_RAW;
> -	msg.command = request_data[2];
> -	msg.request_data = ret > 3 ? request_data + 3 : 0;
> -	msg.request_size = ret - 3;
> +	msg.flags = 0;
> +	msg.request_data = request_data + 2;
> +	msg.request_size = ret - 2;
> +	memset(debug_info->raw_data, 0, sizeof(debug_info->raw_data));
>  	msg.response_data = debug_info->raw_data;
>  	msg.response_size = EC_MAILBOX_DATA_SIZE;
>  
> @@ -174,7 +172,8 @@ static ssize_t raw_read(struct file *file, char __user *user_buf, size_t count,
>  		fmt_len = hex_dump_to_buffer(debug_info->raw_data,
>  					     debug_info->response_size,
>  					     16, 1, debug_info->formatted_data,
> -					     FORMATTED_BUFFER_SIZE, true);
> +					     sizeof(debug_info->formatted_data),
> +					     true);
>  		/* Only return response the first time it is read */
>  		debug_info->response_size = 0;
>  	}
> diff --git a/drivers/platform/chrome/wilco_ec/mailbox.c b/drivers/platform/chrome/wilco_ec/mailbox.c
> index 14355668ddfa..7fb58b487963 100644
> --- a/drivers/platform/chrome/wilco_ec/mailbox.c
> +++ b/drivers/platform/chrome/wilco_ec/mailbox.c
> @@ -92,21 +92,10 @@ static void wilco_ec_prepare(struct wilco_ec_message *msg,
>  			     struct wilco_ec_request *rq)
>  {
>  	memset(rq, 0, sizeof(*rq));
> -
> -	/* Handle messages without trimming bytes from the request */
> -	if (msg->request_size && msg->flags & WILCO_EC_FLAG_RAW_REQUEST) {
> -		rq->reserved_raw = *(u8 *)msg->request_data;
> -		msg->request_size--;
> -		memmove(msg->request_data, msg->request_data + 1,
> -			msg->request_size);
> -	}
> -
> -	/* Fill in request packet */
>  	rq->struct_version = EC_MAILBOX_PROTO_VERSION;
>  	rq->mailbox_id = msg->type;
>  	rq->mailbox_version = EC_MAILBOX_VERSION;
> -	rq->data_size = msg->request_size + EC_MAILBOX_DATA_EXTRA;
> -	rq->command = msg->command;
> +	rq->data_size = msg->request_size;
>  
>  	/* Checksum header and data */
>  	rq->checksum = wilco_ec_checksum(rq, sizeof(*rq));
> @@ -159,6 +148,12 @@ static int wilco_ec_transfer(struct wilco_ec_device *ec,
>  		return -EIO;
>  	}
>  
> +	/*
> +	 * The EC always returns either EC_MAILBOX_DATA_SIZE or
> +	 * EC_MAILBOX_DATA_SIZE_EXTENDED bytes of data, so we need to
> +	 * calculate the checksum on **all** of this data, even if we
> +	 * won't use all of it.
> +	 */
>  	if (msg->flags & WILCO_EC_FLAG_EXTENDED_DATA)
>  		size = EC_MAILBOX_DATA_SIZE_EXTENDED;
>  	else
> @@ -173,33 +168,26 @@ static int wilco_ec_transfer(struct wilco_ec_device *ec,
>  		return -EBADMSG;
>  	}
>  
> -	/* Check that the EC reported success */
> -	msg->result = rs->result;
> -	if (msg->result) {
> -		dev_dbg(ec->dev, "bad response: 0x%02x\n", msg->result);
> +	if (rs->result) {
> +		dev_dbg(ec->dev, "EC reported failure: 0x%02x\n", rs->result);
>  		return -EBADMSG;
>  	}
>  
> -	/* Check the returned data size, skipping the header */
>  	if (rs->data_size != size) {
>  		dev_dbg(ec->dev, "unexpected packet size (%u != %zu)",
>  			rs->data_size, size);
>  		return -EMSGSIZE;
>  	}
>  
> -	/* Skip 1 response data byte unless specified */
> -	size = (msg->flags & WILCO_EC_FLAG_RAW_RESPONSE) ? 0 : 1;
> -	if ((ssize_t) rs->data_size - size < msg->response_size) {
> -		dev_dbg(ec->dev, "response data too short (%zd < %zu)",
> -			(ssize_t) rs->data_size - size, msg->response_size);
> +	if (rs->data_size < msg->response_size) {
> +		dev_dbg(ec->dev, "EC didn't return enough data (%u < %zu)",
> +			rs->data_size, msg->response_size);
>  		return -EMSGSIZE;
>  	}
>  
> -	/* Ignore response data bytes as requested */
> -	memcpy(msg->response_data, rs->data + size, msg->response_size);
> +	memcpy(msg->response_data, rs->data, msg->response_size);
>  
> -	/* Return actual amount of data received */
> -	return msg->response_size;
> +	return rs->data_size;
>  }
>  
>  /**
> @@ -207,10 +195,12 @@ static int wilco_ec_transfer(struct wilco_ec_device *ec,
>   * @ec: EC device.
>   * @msg: EC message data for request and response.
>   *
> - * On entry msg->type, msg->flags, msg->command, msg->request_size,
> - * msg->response_size, and msg->request_data should all be filled in.
> + * On entry msg->type, msg->request_size, and msg->request_data should all be
> + * filled in. If desired, msg->flags can be set.
>   *
> - * On exit msg->result and msg->response_data will be filled.
> + * If a response is expected, msg->response_size should be set, and
> + * msg->response_data should point to a buffer with enough space. On exit
> + * msg->response_data will be filled.
>   *
>   * Return: number of bytes received or negative error code on failure.
>   */
> @@ -219,9 +209,8 @@ int wilco_ec_mailbox(struct wilco_ec_device *ec, struct wilco_ec_message *msg)
>  	struct wilco_ec_request *rq;
>  	int ret;
>  
> -	dev_dbg(ec->dev, "cmd=%02x type=%04x flags=%02x rslen=%zu rqlen=%zu\n",
> -		msg->command, msg->type, msg->flags, msg->response_size,
> -		msg->request_size);
> +	dev_dbg(ec->dev, "type=%04x flags=%02x rslen=%zu rqlen=%zu\n",
> +		msg->type, msg->flags, msg->response_size, msg->request_size);
>  
>  	mutex_lock(&ec->mailbox_lock);
>  	/* Prepare request packet */
> diff --git a/drivers/rtc/rtc-wilco-ec.c b/drivers/rtc/rtc-wilco-ec.c
> index e62bda0cb53e..8ad4c4e6d557 100644
> --- a/drivers/rtc/rtc-wilco-ec.c
> +++ b/drivers/rtc/rtc-wilco-ec.c
> @@ -21,8 +21,20 @@
>  #define EC_CMOS_TOD_WRITE		0x02
>  #define EC_CMOS_TOD_READ		0x08
>  
> +/* Message sent to the EC to request the current time. */
> +struct ec_rtc_read_request {
> +	u8 command;
> +	u8 reserved;
> +	u8 param;
> +} __packed;
> +static struct ec_rtc_read_request read_rq = {
> +	.command = EC_COMMAND_CMOS,
> +	.param = EC_CMOS_TOD_READ,
> +};
> +
>  /**
> - * struct ec_rtc_read - Format of RTC returned by EC.
> + * struct ec_rtc_read_response - Format of RTC returned by EC.
> + * @reserved: Unused byte
>   * @second: Second value (0..59)
>   * @minute: Minute value (0..59)
>   * @hour: Hour value (0..23)
> @@ -33,7 +45,8 @@
>   *
>   * All values are presented in binary (not BCD).
>   */
> -struct ec_rtc_read {
> +struct ec_rtc_read_response {
> +	u8 reserved;
>  	u8 second;
>  	u8 minute;
>  	u8 hour;
> @@ -44,8 +57,10 @@ struct ec_rtc_read {
>  } __packed;
>  
>  /**
> - * struct ec_rtc_write - Format of RTC sent to the EC.
> - * @param: EC_CMOS_TOD_WRITE
> + * struct ec_rtc_write_request - Format of RTC sent to the EC.
> + * @command: Always EC_COMMAND_CMOS
> + * @reserved: Unused byte
> + * @param: Always EC_CMOS_TOD_WRITE
>   * @century: Century value (full year / 100)
>   * @year: Year value (full year % 100)
>   * @month: Month value (1..12)
> @@ -57,7 +72,9 @@ struct ec_rtc_read {
>   *
>   * All values are presented in BCD.
>   */
> -struct ec_rtc_write {
> +struct ec_rtc_write_request {
> +	u8 command;
> +	u8 reserved;
>  	u8 param;
>  	u8 century;
>  	u8 year;
> @@ -72,19 +89,17 @@ struct ec_rtc_write {
>  static int wilco_ec_rtc_read(struct device *dev, struct rtc_time *tm)
>  {
>  	struct wilco_ec_device *ec = dev_get_drvdata(dev->parent);
> -	u8 param = EC_CMOS_TOD_READ;
> -	struct ec_rtc_read rtc;
> -	struct wilco_ec_message msg = {
> -		.type = WILCO_EC_MSG_LEGACY,
> -		.flags = WILCO_EC_FLAG_RAW_RESPONSE,
> -		.command = EC_COMMAND_CMOS,
> -		.request_data = &param,
> -		.request_size = sizeof(param),
> -		.response_data = &rtc,
> -		.response_size = sizeof(rtc),
> -	};
> +	struct ec_rtc_read_response rtc;
> +	struct wilco_ec_message msg;
>  	int ret;
>  
> +	memset(&msg, 0, sizeof(msg));
> +	msg.type = WILCO_EC_MSG_LEGACY;
> +	msg.request_data = &read_rq;
> +	msg.request_size = sizeof(read_rq);
> +	msg.response_data = &rtc;
> +	msg.response_size = sizeof(rtc);
> +
>  	ret = wilco_ec_mailbox(ec, &msg);
>  	if (ret < 0)
>  		return ret;
> @@ -106,14 +121,8 @@ static int wilco_ec_rtc_read(struct device *dev, struct rtc_time *tm)
>  static int wilco_ec_rtc_write(struct device *dev, struct rtc_time *tm)
>  {
>  	struct wilco_ec_device *ec = dev_get_drvdata(dev->parent);
> -	struct ec_rtc_write rtc;
> -	struct wilco_ec_message msg = {
> -		.type = WILCO_EC_MSG_LEGACY,
> -		.flags = WILCO_EC_FLAG_RAW_RESPONSE,
> -		.command = EC_COMMAND_CMOS,
> -		.request_data = &rtc,
> -		.request_size = sizeof(rtc),
> -	};
> +	struct ec_rtc_write_request rtc;
> +	struct wilco_ec_message msg;
>  	int year = tm->tm_year + 1900;
>  	/*
>  	 * Convert from 0=Sunday to 0=Saturday for the EC
> @@ -123,6 +132,7 @@ static int wilco_ec_rtc_write(struct device *dev, struct rtc_time *tm)
>  	int wday = tm->tm_wday == 6 ? 0 : tm->tm_wday + 1;
>  	int ret;
>  
> +	rtc.command	= EC_COMMAND_CMOS;
>  	rtc.param	= EC_CMOS_TOD_WRITE;
>  	rtc.century	= bin2bcd(year / 100);
>  	rtc.year	= bin2bcd(year % 100);
> @@ -133,6 +143,11 @@ static int wilco_ec_rtc_write(struct device *dev, struct rtc_time *tm)
>  	rtc.second	= bin2bcd(tm->tm_sec);
>  	rtc.weekday	= bin2bcd(wday);
>  
> +	memset(&msg, 0, sizeof(msg));
> +	msg.type = WILCO_EC_MSG_LEGACY;
> +	msg.request_data = &rtc;
> +	msg.request_size = sizeof(rtc);
> +
>  	ret = wilco_ec_mailbox(ec, &msg);
>  	if (ret < 0)
>  		return ret;
> diff --git a/include/linux/platform_data/wilco-ec.h b/include/linux/platform_data/wilco-ec.h
> index 446473a46b88..1ff224793c99 100644
> --- a/include/linux/platform_data/wilco-ec.h
> +++ b/include/linux/platform_data/wilco-ec.h
> @@ -14,10 +14,6 @@
>  /* Message flags for using the mailbox() interface */
>  #define WILCO_EC_FLAG_NO_RESPONSE	BIT(0) /* EC does not respond */
>  #define WILCO_EC_FLAG_EXTENDED_DATA	BIT(1) /* EC returns 256 data bytes */
> -#define WILCO_EC_FLAG_RAW_REQUEST	BIT(2) /* Do not trim request data */
> -#define WILCO_EC_FLAG_RAW_RESPONSE	BIT(3) /* Do not trim response data */
> -#define WILCO_EC_FLAG_RAW		(WILCO_EC_FLAG_RAW_REQUEST | \
> -					 WILCO_EC_FLAG_RAW_RESPONSE)
>  
>  /* Normal commands have a maximum 32 bytes of data */
>  #define EC_MAILBOX_DATA_SIZE		32
> @@ -56,10 +52,7 @@ struct wilco_ec_device {
>   * @mailbox_id: Mailbox identifier, specifies the command set.
>   * @mailbox_version: Mailbox interface version %EC_MAILBOX_VERSION
>   * @reserved: Set to zero.
> - * @data_size: Length of request, data + last 2 bytes of the header.
> - * @command: Mailbox command code, unique for each mailbox_id set.
> - * @reserved_raw: Set to zero for most commands, but is used by
> - *                some command types and for raw commands.
> + * @data_size: Length of following data.
>   */
>  struct wilco_ec_request {
>  	u8 struct_version;
> @@ -68,8 +61,6 @@ struct wilco_ec_request {
>  	u8 mailbox_version;
>  	u8 reserved;
>  	u16 data_size;
> -	u8 command;
> -	u8 reserved_raw;
>  } __packed;
>  
>  /**
> @@ -79,8 +70,6 @@ struct wilco_ec_request {
>   * @result: Result code from the EC.  Non-zero indicates an error.
>   * @data_size: Length of the response data buffer.
>   * @reserved: Set to zero.
> - * @mbox0: EC returned data at offset 0 is unused (always 0) so this byte
> - *         is treated as part of the header instead of the data.
>   * @data: Response data buffer.  Max size is %EC_MAILBOX_DATA_SIZE_EXTENDED.
>   */
>  struct wilco_ec_response {
> @@ -89,7 +78,6 @@ struct wilco_ec_response {
>  	u16 result;
>  	u16 data_size;
>  	u8 reserved[2];
> -	u8 mbox0;
>  	u8 data[0];
>  } __packed;
>  
> @@ -111,21 +99,15 @@ enum wilco_ec_msg_type {
>   * struct wilco_ec_message - Request and response message.
>   * @type: Mailbox message type.
>   * @flags: Message flags, e.g. %WILCO_EC_FLAG_NO_RESPONSE.
> - * @command: Mailbox command code.
> - * @result: Result code from the EC.  Non-zero indicates an error.
>   * @request_size: Number of bytes to send to the EC.
>   * @request_data: Buffer containing the request data.
> - * @response_size: Number of bytes expected from the EC.
> - *                 This is 32 by default and 256 if the flag
> - *                 is set for %WILCO_EC_FLAG_EXTENDED_DATA
> + * @response_size: Number of bytes to read from EC.
>   * @response_data: Buffer containing the response data, should be
>   *                 response_size bytes and allocated by caller.
>   */
>  struct wilco_ec_message {
>  	enum wilco_ec_msg_type type;
>  	u8 flags;
> -	u8 command;
> -	u8 result;
>  	size_t request_size;
>  	void *request_data;
>  	size_t response_size;
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ