| Message ID | 20240702225845.322234-1-admiyo@os.amperecomputing.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | MCTP over PCC | expand |
admiyo@ wrote: > From: Adam Young <admiyo@os.amperecomputing.com> > > This series adds support for the Management Control Transport Protocol (MCTP) > over the Platform Communication Channel (PCC) mechanism. > > MCTP defines a communication model intended to > facilitate communication between Management controllers > and other management controllers, and between Management > controllers and management devices > > PCC is a mechanism for communication between components within > the Platform. It is a composed of shared memory regions, > interrupt registers, and status registers. > > The MCTP over PCC driver makes use of two PCC channels. For > sending messages, it uses a Type 3 channel, and for receiving > messages it uses the paired Type 4 channel. The device > and corresponding channels are specified via ACPI. > > The first patch in the series implements a mechanism to allow the driver > to indicate whether an ACK should be sent back to the caller > after processing the interrupt. This is an optional feature in > the PCC code, but has been made explicitly required in another driver. > The implementation here maintains the backwards compatibility of that > driver. > > The second patch in the series is the required change from ACPICA > code that will be imported into the Linux kernel when synchronized > with the ACPICA repository. It ahs already merged there and will > be merged in as is. It is included here so that the patch series > can run and be tested prior to that merge. This cover letter looks woefully insufficient. What is the end user visible effect of merging these patches, or not merging these patches? I.e. what does Linux gain by merging them, what pressing end user need goes unsatisfied if these are not merged? What is the security model for these commands, i.e. how does a distro judge whether this facility allows bypass of Kernel Lockdown protections? The Kconfig does not help either. All this patch says is "communication path exists, plumb it direct to userspace", with no discussion of intended use cases, assumptions, or tradeoffs.
Apologies for not addressing these concerns before updating. If there is a V6 (am sure there will be) I will update the cover. MCTP is a general purpose protocol so it would be impossible to enumerate all the use cases, but some of the ones that are most topical are attestation and RAS support. There are a handful of protocols built on top of MCTP, to include PLDM and SPDM, both specified by the DMTF. https://www.dmtf.org/sites/default/files/standards/documents/DSP0240_1.0.0.pdf https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.3.0.pd SPDM entails various usages, including device identity collection, device authentication, measurement collection, and device secure session establishment. PLDM is more likely to be used for hardware support: temperature, voltage, or fan sensor control. At least two companies have devices that can make use of the mechanism. One is Ampere Computing, my employer. The mechanism it uses is called Platform Communication Channels is part of the ACPI spec: https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/14_Platform_Communications_Channel/Platform_Comm_Channel.html Since it is a socket interface, the system administrator also has the ability to ignore an MCTP link that they do not want to enable. This link would be exposed to the end user, but would not be usable. If MCTP support is disabled in the Kernel, this driver would also be disabled. PCC is based on a shared buffer and a set of I/O mapped memory locations that the Spec calls registers. This mechanism exists regardless of the existence of the driver. Thus, if the user has the ability to map these physical location to virtual locations, they have the ability to drive the hardware. Thus, there is a security aspect to this mechanism that extends beyond the responsibilities of the operating system. If the hardware does not expose the PCC in the ACPI table, this device will never be enabled. Thus it is only an issue on hard that does support PCC. In that case, it is up to the remote controller to sanitize communication; MCTP will be exposed as a socket interface, and userland can send any crafted packet it wants. It would thus also be incumbent on the hardware manufacturer to allow the end user to disable MCTP over PCC communication if they did not want to expose it. Does this cover you concerns? On 7/11/24 12:57, Dan Williams wrote: > admiyo@ wrote: >> From: Adam Young<admiyo@os.amperecomputing.com> >> >> This series adds support for the Management Control Transport Protocol (MCTP) >> over the Platform Communication Channel (PCC) mechanism. >> >> MCTP defines a communication model intended to >> facilitate communication between Management controllers >> and other management controllers, and between Management >> controllers and management devices >> >> PCC is a mechanism for communication between components within >> the Platform. It is a composed of shared memory regions, >> interrupt registers, and status registers. >> >> The MCTP over PCC driver makes use of two PCC channels. For >> sending messages, it uses a Type 3 channel, and for receiving >> messages it uses the paired Type 4 channel. The device >> and corresponding channels are specified via ACPI. >> >> The first patch in the series implements a mechanism to allow the driver >> to indicate whether an ACK should be sent back to the caller >> after processing the interrupt. This is an optional feature in >> the PCC code, but has been made explicitly required in another driver. >> The implementation here maintains the backwards compatibility of that >> driver. >> >> The second patch in the series is the required change from ACPICA >> code that will be imported into the Linux kernel when synchronized >> with the ACPICA repository. It ahs already merged there and will >> be merged in as is. It is included here so that the patch series >> can run and be tested prior to that merge. > This cover letter looks woefully insufficient. > > What is the end user visible effect of merging these patches, or not > merging these patches? I.e. what does Linux gain by merging them, what > pressing end user need goes unsatisfied if these are not merged? What is > the security model for these commands, i.e. how does a distro judge > whether this facility allows bypass of Kernel Lockdown protections? > > The Kconfig does not help either. All this patch says is "communication > path exists, plumb it direct to userspace", with no discussion of > intended use cases, assumptions, or tradeoffs.
From: Adam Young <admiyo@os.amperecomputing.com> This series adds support for the Management Control Transport Protocol (MCTP) over the Platform Communication Channel (PCC) mechanism. MCTP defines a communication model intended to facilitate communication between Management controllers and other management controllers, and between Management controllers and management devices PCC is a mechanism for communication between components within the Platform. It is a composed of shared memory regions, interrupt registers, and status registers. The MCTP over PCC driver makes use of two PCC channels. For sending messages, it uses a Type 3 channel, and for receiving messages it uses the paired Type 4 channel. The device and corresponding channels are specified via ACPI. The first patch in the series implements a mechanism to allow the driver to indicate whether an ACK should be sent back to the caller after processing the interrupt. This is an optional feature in the PCC code, but has been made explicitly required in another driver. The implementation here maintains the backwards compatibility of that driver. The second patch in the series is the required change from ACPICA code that will be imported into the Linux kernel when synchronized with the ACPICA repository. It ahs already merged there and will be merged in as is. It is included here so that the patch series can run and be tested prior to that merge. Previous Version: https://lore.kernel.org/20240619200552.119080-1-admiyo@os.amperecomputing.com/ Changes in V4 - Read flags out of shared buffer to trigger ACK for Type 4 RX - Remove list of netdevs and cleanup from devices only - tag PCCT protocol headers as little endian - Remove unused constants Changes in V3 - removed unused header - removed spurious space - removed spurious semis after functiomns - removed null assignment for init - remove redundant set of device on skb - tabify constant declarations - added rtnl_link_stats64 function - set MTU to minimum to start - clean up logic on driver removal - remove cast on void * assignment - call cleanup function directly - check received length before allocating skb - introduce symbolic constatn for ACK FLAG MASK - symbolic constant for PCC header flag. - Add namespace ID to PCC magic - replaced readls with copy from io of PCC header - replaced custom modules init and cleanup with ACPI version Changes in V2 - All Variable Declarations are in reverse Xmass Tree Format - All Checkpatch Warnings Are Fixed - Removed Dead code - Added packet tx/rx stats - Removed network physical address. This is still in disucssion in the spec, and will be added once there is consensus. The protocol can be used with out it. This also lead to the removal of the Big Endian conversions. - Avoided using non volatile pointers in copy to and from io space - Reorderd the patches to put the ACK check for the PCC Mailbox as a pre-requisite. The corresponding change for the MCTP driver has been inlined in the main patch. - Replaced magic numbers with constants, fixed typos, and other minor changes from code review. Code Review Change not made - Did not change the module init unload function to use the ACPI equivalent as they do not remove all devices prior to unload, leading to dangling references and seg faults. Adam Young (3): mctp pcc: Check before sending MCTP PCC response ACK mctp pcc: Allow PCC Data Type in MCTP resource. mctp pcc: Implement MCTP over PCC Transport drivers/acpi/acpica/rsaddr.c | 2 +- drivers/mailbox/pcc.c | 31 +++- drivers/net/mctp/Kconfig | 13 ++ drivers/net/mctp/Makefile | 1 + drivers/net/mctp/mctp-pcc.c | 322 +++++++++++++++++++++++++++++++++++ include/acpi/pcc.h | 8 + 6 files changed, 368 insertions(+), 9 deletions(-) create mode 100644 drivers/net/mctp/mctp-pcc.c