lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID:
 <AS8PR04MB85932B4E47EFC519B0EF6D9A95632@AS8PR04MB8593.eurprd04.prod.outlook.com>
Date: Thu, 19 Sep 2024 06:43:45 +0000
From: Pankaj Gupta <pankaj.gupta@....com>
To: Sascha Hauer <s.hauer@...gutronix.de>
CC: Jonathan Corbet <corbet@....net>, Rob Herring <robh@...nel.org>, Krzysztof
 Kozlowski <krzk+dt@...nel.org>, Conor Dooley <conor+dt@...nel.org>, Shawn Guo
	<shawnguo@...nel.org>, Pengutronix Kernel Team <kernel@...gutronix.de>, Fabio
 Estevam <festevam@...il.com>, Rob Herring <robh+dt@...nel.org>,
	"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"devicetree@...r.kernel.org" <devicetree@...r.kernel.org>,
	"imx@...ts.linux.dev" <imx@...ts.linux.dev>,
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>
Subject: RE: [EXT] Re: [PATCH v7 4/5] firmware: imx: add driver for NXP
 EdgeLock Enclave

> diff --git a/drivers/firmware/imx/ele_base_msg.c 
> b/drivers/firmware/imx/ele_base_msg.c
> new file mode 100644
> index 000000000000..e3e570a25e85
> --- /dev/null
> +++ b/drivers/firmware/imx/ele_base_msg.c
> @@ -0,0 +1,286 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Copyright 2024 NXP
> + */
> +
> +#include <linux/types.h>
> +
> +#include <linux/completion.h>
> +#include <linux/dma-mapping.h>
> +#include <linux/genalloc.h>
> +
> +#include "ele_base_msg.h"
> +#include "ele_common.h"
> +
> +int ele_get_info(struct device *dev, struct ele_dev_info *s_info)

I repeat once again:

The context pointer argument should be struct se_if_priv *.

Do not expect foreign code to pass in a struct device * here from which you
blindly expect that it's the right one.

> +int ele_fetch_soc_info(struct device *dev, u16 *soc_rev, u64 
> +*serial_num)

> Also here and all the other functions in this file.

Accepted. 

> + *
> + * Header file for the EdgeLock Enclave Base API(s).
> + */
> +
> +#ifndef ELE_BASE_MSG_H
> +#define ELE_BASE_MSG_H
> +
> +#include <linux/device.h>
> +#include <linux/types.h>
> +
> +#define WORD_SZ                              i4

> Unused.
Accepted will remove in V8.

> +#define ELE_NONE_VAL                 0x0
> +
> +#define ELE_GET_INFO_REQ             0xDA
> +#define ELE_GET_INFO_REQ_MSG_SZ              0x10
> +#define ELE_GET_INFO_RSP_MSG_SZ              0x08
> +
> +#define DEFAULT_IMX_SOC_VER          0xA000

> Unused
Accepted will remove in V8.

> +#define SOC_VER_MASK                 0xFFFF0000

> Unused
Accepted will remove in V8.

> +int ele_msg_send(struct se_if_priv *priv,
> +              void *tx_msg,
> +              int tx_msg_sz)
> +{
> +     struct se_msg_hdr *header;
> +     int err;
> +
> +     header = tx_msg;
> +
> +     /*
> +      * Check that the size passed as argument matches the size
> +      * carried in the message.
> +      */
> +     if (header->size << 2 != tx_msg_sz) {
> +             err = -EINVAL;
> +             dev_err(priv->dev,
> +                     "User buf hdr: 0x%x, sz mismatced with input-sz (%d
!= %d).",
> +                     *(u32 *)header,
> +                     header->size << 2, tx_msg_sz);
> +             goto exit;
> +     }
> +     guard(mutex)(&priv->se_if_lock);

> Drop this mutex. All it does is to protect mbox_send_message() which
already has its own locking.

Accepted. 
Since the TX buffers are dynamically allocated. There is no chance of
TX-Buffer getting over-written.
Will remove this in v8.

> +
> +     err = mbox_send_message(priv->tx_chan, tx_msg);
> +     if (err < 0) {
> +             dev_err(priv->dev, "Error: mbox_send_message failure.\n");
> +             return err;
> +     }
> +     err = tx_msg_sz;
> +
> +exit:
> +     return err;
> +}
> +
> +void se_if_rx_callback(struct mbox_client *mbox_cl, void *msg) {
> +     struct se_clbk_handle *se_clbk_hdl;
> +     struct device *dev = mbox_cl->dev;
> +     struct se_msg_hdr *header;
> +     struct se_if_priv *priv;
> +     u32 rx_msg_sz;
> +
> +     priv = dev_get_drvdata(dev);
> +
> +     /* The function can be called with NULL msg */

> You already identified this as a possible case...

Intention of this comment was to give the reason for checking "msg" for
NULL, before using it.


> +     if (!msg) {
> +             dev_err(dev, "Message is invalid\n");

> ...so why print an error message here?

This will help, know that there is incoming message with no length.

> +             return;
> +     }
> +
> +     header = msg;
> +     rx_msg_sz = header->size << 2;
> +
> +     /* Incoming command: wake up the receiver if any. */
> +     if (header->tag == priv->cmd_tag) {
> +             se_clbk_hdl = &priv->cmd_receiver_clbk_hdl;
> +             dev_dbg(dev,
> +                     "Selecting cmd receiver for mesg header:0x%x.",
> +                     *(u32 *) header);
> +
> +             /* Pre-allocated buffer of MAX_NVM_MSG_LEN
> +              * as the NVM command are initiated by FW.
> +              * Size is revealed as part of this call function.
> +              */
> +             if (rx_msg_sz > MAX_NVM_MSG_LEN) {
> +                     dev_err(dev,
> +                             "CMD-RCVER NVM: hdr(0x%x) with different
sz(%d != %d).\n",
> +                             *(u32 *) header,
> +                             rx_msg_sz, se_clbk_hdl->rx_msg_sz);
> +
> +                     se_clbk_hdl->rx_msg_sz = MAX_NVM_MSG_LEN;
> +             }
> +             se_clbk_hdl->rx_msg_sz = rx_msg_sz;
> +
> +     } else if (header->tag == priv->rsp_tag) {
> +             se_clbk_hdl = &priv->waiting_rsp_clbk_hdl;
> +             dev_dbg(dev,
> +                     "Selecting resp waiter for mesg header:0x%x.",
> +                     *(u32 *) header);
> +
> +             if (rx_msg_sz != se_clbk_hdl->rx_msg_sz
> +                             && !exception_for_size(priv, header)) {
> +                     dev_err(dev,
> +                             "Rsp to CMD: hdr(0x%x) with different sz(%d
!= %d).\n",
> +                             *(u32 *) header,
> +                             rx_msg_sz, se_clbk_hdl->rx_msg_sz);
> +
> +                     se_clbk_hdl->rx_msg_sz = min(rx_msg_sz,
se_clbk_hdl->rx_msg_sz);
> +             }
> +     } else {
> +             dev_err(dev, "Failed to select a device for message:
%.8x\n",
> +                     *((u32 *) header));
> +             return;
> +     }
> +
> +     memcpy(se_clbk_hdl->rx_msg, msg, se_clbk_hdl->rx_msg_sz);
> +
> +     /* Allow user to read */
> +     atomic_inc(&se_clbk_hdl->pending_hdr);
> +
> +     wake_up_interruptible(&se_clbk_hdl->wq);

> You are rebuilding a completion here, why not use a completion then?

Accepted.

> +#include <linux/mod_devicetable.h>
> +#include <linux/module.h>
> +#include <linux/of_platform.h>
> +#include <linux/of_reserved_mem.h>
> +#include <linux/platform_device.h>
> +#include <linux/slab.h>
> +#include <linux/string.h>
> +#include <linux/sys_soc.h>
> +
> +#include "ele_base_msg.h"
> +#include "ele_common.h"
> +#include "se_ctrl.h"
> +
> +#define RESERVED_DMA_POOL            BIT(0)

> Unused
Accepted will remove in V8.

> +static void se_load_firmware(const struct firmware *fw, void 
> +*context) {
> +     struct se_if_priv *priv = context;
> +     const struct se_if_node_info *info = priv->info;
> +     phys_addr_t se_fw_phyaddr;
> +     u8 *se_fw_buf;
> +     int ret;
> +
> +     if (!fw) {
> +             if (priv->fw_fail > MAX_FW_LOAD_RETRIES)
> +                     dev_dbg(priv->dev,
> +                              "External FW not found, using ROM FW.\n");
> +             else {
> +                     /*add a bit delay to wait for firmware priv released
*/
> +                     msleep(20);
> +
> +                     /* Load firmware one more time if timeout */
> +                     request_firmware_nowait(THIS_MODULE,
> +                                     FW_ACTION_UEVENT,
priv->se_img_file_to_load,
> +                                     priv->dev, GFP_KERNEL, priv,
> +                                     se_load_firmware);
> +                     priv->fw_fail++;
> +                     dev_dbg(priv->dev, "Value of retries = 0x%x.\n",
> +                             priv->fw_fail);
> +             }
> +
> +             return;
> +     }

> Are you continuously trying to load the firmware here in the hope that the
rootfs is mounted before your retry counter exceeds?

Yes.

> Don't do this.

Shall the retry counter to be removed, to make it predictable?
Or am I missing something.

Thanks.

>Sascha

--
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       |
https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.pengutr
onix.de%2F&data=05%7C02%7Cpankaj.gupta%40nxp.com%7C332a105e5ed24741d3b808dcd
0c9a781%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C638614811726643343%7CUn
known%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJX
VCI6Mn0%3D%7C0%7C%7C%7C&sdata=AzbLQ4wpSte4lA2myKQBDYRzSxhc72EcbVq42CcRo0M%3D
&reserved=0  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Download attachment "smime.p7s" of type "application/pkcs7-signature" (11094 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ