| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Apr 2020 20:00:24 +0300
From: "Paraschiv, Andra-Irina" <andraprs@...zon.com>
To: Liran Alon <liran.alon@...cle.com>, <linux-kernel@...r.kernel.org>
CC: Anthony Liguori <aliguori@...zon.com>,
Benjamin Herrenschmidt <benh@...zon.com>,
Colm MacCarthaigh <colmmacc@...zon.com>,
Bjoern Doebel <doebel@...zon.de>,
David Woodhouse <dwmw@...zon.co.uk>,
Frank van der Linden <fllinden@...zon.com>,
Alexander Graf <graf@...zon.de>,
Martin Pohlack <mpohlack@...zon.de>,
Matt Wilson <msw@...zon.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Balbir Singh <sblbir@...zon.com>,
Stewart Smith <trawets@...zon.com>,
Uwe Dannowski <uwed@...zon.de>, <kvm@...r.kernel.org>,
<ne-devel-upstream@...zon.com>
Subject: Re: [PATCH v1 05/15] nitro_enclaves: Handle PCI device command
requests
On 25/04/2020 17:52, Liran Alon wrote:
>
> On 21/04/2020 21:41, Andra Paraschiv wrote:
>> The Nitro Enclaves PCI device exposes a MMIO space that this driver
>> uses to submit command requests and to receive command replies e.g. for
>> enclave creation / termination or setting enclave resources.
>>
>> Add logic for handling PCI device command requests based on the given
>> command type.
>>
>> Register an MSI-X interrupt vector for command reply notifications to
>> handle this type of communication events.
>>
>> Signed-off-by: Alexandru-Catalin Vasile <lexnv@...zon.com>
>> Signed-off-by: Andra Paraschiv <andraprs@...zon.com>
>> ---
>> .../virt/amazon/nitro_enclaves/ne_pci_dev.c | 264 ++++++++++++++++++
>> 1 file changed, 264 insertions(+)
>>
>> diff --git a/drivers/virt/amazon/nitro_enclaves/ne_pci_dev.c
>> b/drivers/virt/amazon/nitro_enclaves/ne_pci_dev.c
>> index 8fbee95ea291..7453d129689a 100644
>> --- a/drivers/virt/amazon/nitro_enclaves/ne_pci_dev.c
>> +++ b/drivers/virt/amazon/nitro_enclaves/ne_pci_dev.c
>> @@ -40,6 +40,251 @@ static const struct pci_device_id ne_pci_ids[] = {
>> MODULE_DEVICE_TABLE(pci, ne_pci_ids);
>> +/**
>> + * ne_submit_request - Submit command request to the PCI device
>> based on the
>> + * command type.
>> + *
>> + * This function gets called with the ne_pci_dev mutex held.
>> + *
>> + * @pdev: PCI device to send the command to.
>> + * @cmd_type: command type of the request sent to the PCI device.
>> + * @cmd_request: command request payload.
>> + * @cmd_request_size: size of the command request payload.
>> + *
>> + * @returns: 0 on success, negative return value on failure.
>> + */
>> +static int ne_submit_request(struct pci_dev *pdev,
>> + enum ne_pci_dev_cmd_type cmd_type,
>> + void *cmd_request, size_t cmd_request_size)
>> +{
>> + struct ne_pci_dev *ne_pci_dev = NULL;
> These local vars are unnecessarily initialized.
I would keep this initialized overall.
>> +
>> + BUG_ON(!pdev);
>> +
>> + ne_pci_dev = pci_get_drvdata(pdev);
>> + BUG_ON(!ne_pci_dev);
>> + BUG_ON(!ne_pci_dev->iomem_base);
> You should remove these defensive BUG_ON() calls.
Done.
>> +
>> + if (WARN_ON(cmd_type <= INVALID_CMD || cmd_type >= MAX_CMD)) {
>> + dev_err_ratelimited(&pdev->dev, "Invalid cmd type=%d\n",
>> + cmd_type);
>> +
>> + return -EINVAL;
>> + }
>> +
>> + if (WARN_ON(!cmd_request))
>> + return -EINVAL;
>> +
>> + if (WARN_ON(cmd_request_size > NE_SEND_DATA_SIZE)) {
>> + dev_err_ratelimited(&pdev->dev,
>> + "Invalid req size=%ld for cmd type=%d\n",
>> + cmd_request_size, cmd_type);
>> +
>> + return -EINVAL;
>> + }
> It doesn't make sense to have WARN_ON() print error to dmesg on every
> evaluation to true,
> together with using dev_err_ratelimited() which attempts to rate-limit
> prints.
>
> Anyway, these conditions were already checked by ne_do_request(). Why
> also check them here?
Updated to not use WARN_ON. Right, they were checked before, but I kept
them here just for checking the parameters.
>
>> +
>> + memcpy_toio(ne_pci_dev->iomem_base + NE_SEND_DATA, cmd_request,
>> + cmd_request_size);
>> +
>> + iowrite32(cmd_type, ne_pci_dev->iomem_base + NE_COMMAND);
>> +
>> + return 0;
>> +}
>> +
>> +/**
>> + * ne_retrieve_reply - Retrieve reply from the PCI device.
>> + *
>> + * This function gets called with the ne_pci_dev mutex held.
>> + *
>> + * @pdev: PCI device to receive the reply from.
>> + * @cmd_reply: command reply payload.
>> + * @cmd_reply_size: size of the command reply payload.
>> + *
>> + * @returns: 0 on success, negative return value on failure.
>> + */
>> +static int ne_retrieve_reply(struct pci_dev *pdev,
>> + struct ne_pci_dev_cmd_reply *cmd_reply,
>> + size_t cmd_reply_size)
>> +{
>> + struct ne_pci_dev *ne_pci_dev = NULL;
> These local vars are unnecessarily initialized.
>> +
>> + BUG_ON(!pdev);
>> +
>> + ne_pci_dev = pci_get_drvdata(pdev);
>> + BUG_ON(!ne_pci_dev);
>> + BUG_ON(!ne_pci_dev->iomem_base);
> You should remove these defensive BUG_ON() calls.
>> +
>> + if (WARN_ON(!cmd_reply))
>> + return -EINVAL;
>> +
>> + if (WARN_ON(cmd_reply_size > NE_RECV_DATA_SIZE)) {
>> + dev_err_ratelimited(&pdev->dev, "Invalid reply size=%ld\n",
>> + cmd_reply_size);
>> +
>> + return -EINVAL;
>> + }
> It doesn't make sense to have WARN_ON() print error to dmesg on every
> evaluation to true,
> together with using dev_err_ratelimited() which attempts to rate-limit
> prints.
>
> Anyway, these conditions were already checked by ne_do_request(). Why
> also check them here?
>
>> +
>> + memcpy_fromio(cmd_reply, ne_pci_dev->iomem_base + NE_RECV_DATA,
>> + cmd_reply_size);
>> +
>> + return 0;
>> +}
>> +
>> +/**
>> + * ne_wait_for_reply - Wait for a reply of a PCI command.
>> + *
>> + * This function gets called with the ne_pci_dev mutex held.
>> + *
>> + * @pdev: PCI device for which a reply is waited.
>> + *
>> + * @returns: 0 on success, negative return value on failure.
>> + */
>> +static int ne_wait_for_reply(struct pci_dev *pdev)
>> +{
>> + struct ne_pci_dev *ne_pci_dev = NULL;
>> + int rc = -EINVAL;
> These local vars are unnecessarily initialized.
>> +
>> + BUG_ON(!pdev);
>> +
>> + ne_pci_dev = pci_get_drvdata(pdev);
>> + BUG_ON(!ne_pci_dev);
> You should remove these defensive BUG_ON() calls.
>> +
>> + /*
>> + * TODO: Update to _interruptible and handle interrupted wait event
>> + * e.g. -ERESTARTSYS, incoming signals + add / update timeout.
>> + */
>> + rc = wait_event_timeout(ne_pci_dev->cmd_reply_wait_q,
>> + atomic_read(&ne_pci_dev->cmd_reply_avail) != 0,
>> + msecs_to_jiffies(DEFAULT_TIMEOUT_MSECS));
>> + if (!rc) {
>> + pr_err("Wait event timed out when waiting for PCI cmd
>> reply\n");
>> +
>> + return -ETIMEDOUT;
>> + }
>> +
>> + return 0;
>> +}
>> +
>> +int ne_do_request(struct pci_dev *pdev, enum ne_pci_dev_cmd_type
>> cmd_type,
>> + void *cmd_request, size_t cmd_request_size,
>> + struct ne_pci_dev_cmd_reply *cmd_reply, size_t
>> cmd_reply_size)
> This function is introduced in this patch but it is not used.
> It will cause compiling the kernel on this commit to raise
> warnings/errors on unused functions.
> You should introduce functions on the patch that they are used.
This function is externally available, via the ne_pci_dev header, so it
shouldn't raise warnings.
>> +{
>> + struct ne_pci_dev *ne_pci_dev = NULL;
>> + int rc = -EINVAL;
> These local vars are unnecessarily initialized.
>> +
>> + BUG_ON(!pdev);
>> +
>> + ne_pci_dev = pci_get_drvdata(pdev);
>> + BUG_ON(!ne_pci_dev);
>> + BUG_ON(!ne_pci_dev->iomem_base);
> You should remove these defensive BUG_ON() calls.
>> +
>> + if (WARN_ON(cmd_type <= INVALID_CMD || cmd_type >= MAX_CMD)) {
>> + dev_err_ratelimited(&pdev->dev, "Invalid cmd type=%d\n",
>> + cmd_type);
>> +
>> + return -EINVAL;
>> + }
>> +
>> + if (WARN_ON(!cmd_request))
>> + return -EINVAL;
>> +
>> + if (WARN_ON(cmd_request_size > NE_SEND_DATA_SIZE)) {
>> + dev_err_ratelimited(&pdev->dev,
>> + "Invalid req size=%ld for cmd type=%d\n",
>> + cmd_request_size, cmd_type);
>> +
>> + return -EINVAL;
>> + }
>> +
>> + if (WARN_ON(!cmd_reply))
>> + return -EINVAL;
>> +
>> + if (WARN_ON(cmd_reply_size > NE_RECV_DATA_SIZE)) {
>> + dev_err_ratelimited(&pdev->dev, "Invalid reply size=%ld\n",
>> + cmd_reply_size);
>> +
>> + return -EINVAL;
>> + }
> I would consider specifying all these conditions in function
> documentation instead of enforcing them at runtime on every function
> call.
I think that both PCI dev logic checks and documentation would be
helpful in this case. :)
>> +
>> + /*
>> + * Use this mutex so that the PCI device handles one command
>> request at
>> + * a time.
>> + */
>> + mutex_lock(&ne_pci_dev->pci_dev_mutex);
>> +
>> + atomic_set(&ne_pci_dev->cmd_reply_avail, 0);
>> +
>> + rc = ne_submit_request(pdev, cmd_type, cmd_request,
>> cmd_request_size);
>> + if (rc < 0) {
>> + dev_err_ratelimited(&pdev->dev,
>> + "Failure in submit cmd request [rc=%d]\n",
>> + rc);
>> +
>> + mutex_unlock(&ne_pci_dev->pci_dev_mutex);
>> +
>> + return rc;
> Consider leaving function with a goto to a label that unlocks mutex
> and then return.
Done, I added a goto for mutex unlock and return. In this patch and in a
following one, that was having a similar cleanup structure.
>> + }
>> +
>> + rc = ne_wait_for_reply(pdev);
>> + if (rc < 0) {
>> + dev_err_ratelimited(&pdev->dev,
>> + "Failure in wait cmd reply [rc=%d]\n",
>> + rc);
>> +
>> + mutex_unlock(&ne_pci_dev->pci_dev_mutex);
>> +
>> + return rc;
>> + }
>> +
>> + rc = ne_retrieve_reply(pdev, cmd_reply, cmd_reply_size);
>> + if (rc < 0) {
>> + dev_err_ratelimited(&pdev->dev,
>> + "Failure in retrieve cmd reply [rc=%d]\n",
>> + rc);
>> +
>> + mutex_unlock(&ne_pci_dev->pci_dev_mutex);
>> +
>> + return rc;
>> + }
>> +
>> + atomic_set(&ne_pci_dev->cmd_reply_avail, 0);
>> +
>> + if (cmd_reply->rc < 0) {
>> + dev_err_ratelimited(&pdev->dev,
>> + "Failure in cmd process logic [rc=%d]\n",
>> + cmd_reply->rc);
>> +
>> + mutex_unlock(&ne_pci_dev->pci_dev_mutex);
>> +
>> + return cmd_reply->rc;
>> + }
>> +
>> + mutex_unlock(&ne_pci_dev->pci_dev_mutex);
>> +
>> + return 0;
>> +}
>> +
>> +/**
>> + * ne_reply_handler - Interrupt handler for retrieving a reply matching
>> + * a request sent to the PCI device for enclave lifetime management.
>> + *
>> + * @irq: received interrupt for a reply sent by the PCI device.
>> + * @args: PCI device private data structure.
>> + *
>> + * @returns: IRQ_HANDLED on handled interrupt, IRQ_NONE otherwise.
>> + */
>> +static irqreturn_t ne_reply_handler(int irq, void *args)
>> +{
>> + struct ne_pci_dev *ne_pci_dev = (struct ne_pci_dev *)args;
>> +
>> + atomic_set(&ne_pci_dev->cmd_reply_avail, 1);
>> +
>> + /* TODO: Update to _interruptible. */
>> + wake_up(&ne_pci_dev->cmd_reply_wait_q);
>> +
>> + return IRQ_HANDLED;
>> +}
>> +
>> /**
>> * ne_setup_msix - Setup MSI-X vectors for the PCI device.
>> *
>> @@ -75,8 +320,25 @@ static int ne_setup_msix(struct pci_dev *pdev,
>> struct ne_pci_dev *ne_pci_dev)
>> goto err_alloc_irq_vecs;
>> }
>> + /*
>> + * This IRQ gets triggered every time the PCI device responds to a
>> + * command request. The reply is then retrieved, reading from
>> the MMIO
>> + * space of the PCI device.
>> + */
>> + rc = request_irq(pci_irq_vector(pdev, NE_VEC_REPLY),
>> + ne_reply_handler, 0, "enclave_cmd", ne_pci_dev);
>> + if (rc < 0) {
>> + dev_err_ratelimited(&pdev->dev,
>> + "Failure in allocating irq reply [rc=%d]\n",
>> + rc);
>> +
>> + goto err_req_irq_reply;
>> + }
>> +
>> return 0;
>> +err_req_irq_reply:
>> + pci_free_irq_vectors(pdev);
>> err_alloc_irq_vecs:
>> return rc;
>> }
>> @@ -232,6 +494,7 @@ static int ne_probe(struct pci_dev *pdev, const
>> struct pci_device_id *id)
>> err_ne_pci_dev_enable:
>> err_ne_pci_dev_disable:
>> + free_irq(pci_irq_vector(pdev, NE_VEC_REPLY), ne_pci_dev);
>> pci_free_irq_vectors(pdev);
> I suggest to introduce a ne_teardown_msix() utility. That is aimed to
> cleanup after ne_setup_msix().
I added this functionality in a new function, then I used it for cleanup
in this function and teardown in pci remove function.
Thank you.
Andra
>> err_setup_msix:
>> pci_iounmap(pdev, ne_pci_dev->iomem_base);
>> @@ -255,6 +518,7 @@ static void ne_remove(struct pci_dev *pdev)
>> pci_set_drvdata(pdev, NULL);
>> + free_irq(pci_irq_vector(pdev, NE_VEC_REPLY), ne_pci_dev);
>> pci_free_irq_vectors(pdev);
>> pci_iounmap(pdev, ne_pci_dev->iomem_base);
Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.
Powered by blists - more mailing lists