[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3ad21332-c58a-46bb-8d3b-8b3d1cd8cb75@amperemail.onmicrosoft.com>
Date: Mon, 15 Jul 2024 14:21:11 -0400
From: Adam Young <admiyo@...eremail.onmicrosoft.com>
To: Dan Williams <dan.j.williams@...el.com>, admiyo@...amperecomputing.com
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
Jeremy Kerr <jk@...econstruct.com.au>,
Matt Johnston <matt@...econstruct.com.au>,
"David S . Miller" <davem@...emloft.net>, Eric Dumazet
<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Sudeep Holla <sudeep.holla@....com>,
Jonathan Cameron <Jonathan.Cameron@...wei.com>,
Huisong Li <lihuisong@...wei.com>
Subject: Re: [PATCH v4 0/3] MCTP over PCC
Apologies for not addressing these concerns before updating. If there
is a V6 (am sure there will be) I will update the cover.
MCTP is a general purpose protocol so it would be impossible to
enumerate all the use cases, but some of the ones that are most topical
are attestation and RAS support. There are a handful of protocols built
on top of MCTP, to include PLDM and SPDM, both specified by the DMTF.
https://www.dmtf.org/sites/default/files/standards/documents/DSP0240_1.0.0.pdf
https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.3.0.pd
SPDM entails various usages, including device identity collection,
device authentication, measurement collection, and device secure session
establishment.
PLDM is more likely to be used for hardware support: temperature,
voltage, or fan sensor control.
At least two companies have devices that can make use of the mechanism.
One is Ampere Computing, my employer.
The mechanism it uses is called Platform Communication Channels is part
of the ACPI spec:
https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/14_Platform_Communications_Channel/Platform_Comm_Channel.html
Since it is a socket interface, the system administrator also has the
ability to ignore an MCTP link that they do not want to enable. This
link would be exposed to the end user, but would not be usable.
If MCTP support is disabled in the Kernel, this driver would also be
disabled.
PCC is based on a shared buffer and a set of I/O mapped memory locations
that the Spec calls registers. This mechanism exists regardless of the
existence of the driver. Thus, if the user has the ability to map these
physical location to virtual locations, they have the ability to drive
the hardware. Thus, there is a security aspect to this mechanism that
extends beyond the responsibilities of the operating system.
If the hardware does not expose the PCC in the ACPI table, this device
will never be enabled. Thus it is only an issue on hard that does
support PCC. In that case, it is up to the remote controller to
sanitize communication; MCTP will be exposed as a socket interface, and
userland can send any crafted packet it wants. It would thus also be
incumbent on the hardware manufacturer to allow the end user to disable
MCTP over PCC communication if they did not want to expose it.
Does this cover you concerns?
On 7/11/24 12:57, Dan Williams wrote:
> admiyo@ wrote:
>> From: Adam Young<admiyo@...amperecomputing.com>
>>
>> This series adds support for the Management Control Transport Protocol (MCTP)
>> over the Platform Communication Channel (PCC) mechanism.
>>
>> MCTP defines a communication model intended to
>> facilitate communication between Management controllers
>> and other management controllers, and between Management
>> controllers and management devices
>>
>> PCC is a mechanism for communication between components within
>> the Platform. It is a composed of shared memory regions,
>> interrupt registers, and status registers.
>>
>> The MCTP over PCC driver makes use of two PCC channels. For
>> sending messages, it uses a Type 3 channel, and for receiving
>> messages it uses the paired Type 4 channel. The device
>> and corresponding channels are specified via ACPI.
>>
>> The first patch in the series implements a mechanism to allow the driver
>> to indicate whether an ACK should be sent back to the caller
>> after processing the interrupt. This is an optional feature in
>> the PCC code, but has been made explicitly required in another driver.
>> The implementation here maintains the backwards compatibility of that
>> driver.
>>
>> The second patch in the series is the required change from ACPICA
>> code that will be imported into the Linux kernel when synchronized
>> with the ACPICA repository. It ahs already merged there and will
>> be merged in as is. It is included here so that the patch series
>> can run and be tested prior to that merge.
> This cover letter looks woefully insufficient.
>
> What is the end user visible effect of merging these patches, or not
> merging these patches? I.e. what does Linux gain by merging them, what
> pressing end user need goes unsatisfied if these are not merged? What is
> the security model for these commands, i.e. how does a distro judge
> whether this facility allows bypass of Kernel Lockdown protections?
>
> The Kconfig does not help either. All this patch says is "communication
> path exists, plumb it direct to userspace", with no discussion of
> intended use cases, assumptions, or tradeoffs.
Powered by blists - more mailing lists