lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200904235305.6254-1-russell.h.weight@intel.com>
Date:   Fri,  4 Sep 2020 16:52:53 -0700
From:   Russ Weight <russell.h.weight@...el.com>
To:     mdf@...nel.org, lee.jones@...aro.org, linux-fpga@...r.kernel.org,
        linux-kernel@...r.kernel.org
Cc:     trix@...hat.com, lgoncalv@...hat.com, yilun.xu@...el.com,
        hao.wu@...el.com, matthew.gerlach@...el.com,
        Russ Weight <russell.h.weight@...el.com>
Subject: [PATCH v1 00/12] Intel FPGA Security Manager Class Driver


These patches depend on the patchset: "add regmap-spi-avmm & Intel
Max10 BMC chip support" which is currently under review.

           --------------------------------------------------

This patchset introduces the Intel Security Manager class driver
for managing secure updates on Intel FPGA Cards. It also provides
the n3000bmc-secure mfd sub-driver for the MAX10 BMC for the n3000
Programmable Acceleration Cards (PAC). The n3000bmc-secure driver
is implemented using the Intel Security Manager class driver.

The Intel Security Manager class driver provides a common API for
user-space tools to manage updates for Secure FPGA devices. Device
drivers that instantiate the Intel Security Manager class driver will
interact with the HW secure update engine in order to transfer
new FPGA and BMC images to FLASH so that they will be automatically
loaded when the FPGA card reboots.

The API consists of sysfs nodes and supports the following functions:

(1) Instantiate and monitor a secure update
(2) Display security information including: Root Entry Hashes (REH),
    Cancelled Code Signing Keys (CSK), and flash update counts for
    both BMC and FPGA images.

Secure updates make use of the request_firmware framework, which
requires that image files are accessible under /lib/firmware. A request
for a secure update returns immediately, while the update itself
proceeds in the context of a kernel worker thread. Sysfs files provide
a means for monitoring the progress of a secure update and for
retrieving error information in the event of a failure.

The n3000bmc-secure driver instantiates the Intel Security Manager
class driver and provides the callback functions required to support
secure updates on Intel n3000 PAC devices.

Russ Weight (12):
  fpga: fpga security manager class driver
  fpga: create intel max10 bmc security engine
  fpga: expose max10 flash update counts in sysfs
  fpga: expose max10 canceled keys in sysfs
  fpga: enable secure updates
  fpga: add max10 secure update functions
  fpga: expose sec-mgr update status
  fpga: expose sec-mgr update errors
  fpga: expose sec-mgr update size
  fpga: enable sec-mgr update cancel
  fpga: expose hardware error info in sysfs
  fpga: add max10 get_hw_errinfo callback func

 .../ABI/testing/sysfs-class-ifpga-sec-mgr     | 151 ++++
 MAINTAINERS                                   |   8 +
 drivers/fpga/Kconfig                          |  20 +
 drivers/fpga/Makefile                         |   6 +
 drivers/fpga/ifpga-sec-mgr.c                  | 669 ++++++++++++++++++
 drivers/fpga/intel-m10-bmc-secure.c           | 557 +++++++++++++++
 include/linux/fpga/ifpga-sec-mgr.h            | 201 ++++++
 include/linux/mfd/intel-m10-bmc.h             | 116 +++
 8 files changed, 1728 insertions(+)
 create mode 100644 Documentation/ABI/testing/sysfs-class-ifpga-sec-mgr
 create mode 100644 drivers/fpga/ifpga-sec-mgr.c
 create mode 100644 drivers/fpga/intel-m10-bmc-secure.c
 create mode 100644 include/linux/fpga/ifpga-sec-mgr.h

-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ