From patchwork Fri Feb 7 00:13:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jason Gunthorpe X-Patchwork-Id: 13964124 Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2045.outbound.protection.outlook.com [40.107.244.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2B06F5672; Fri, 7 Feb 2025 00:13:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.107.244.45 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738887228; cv=fail; b=A8tQY5rP2R/yklxOUB6woPT/m65XbuWPKiqnfz2kCm9m7vUFZpIBTkyQ9Up2kniulC/7v7IsJS5EolM6JkVucFtT6u7e9wNhSqSFFNRWE53cT5jNSsytOGaHwWJMoQNv9WJcRoimsdCwu4AbqkZmjZfZIgIRXQmESW4/o/A2aFI= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738887228; c=relaxed/simple; bh=UPKMtK57L+zknvxI/OwqAjvV5rrPVmNPUoGIrrc3vLU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: Content-Type:MIME-Version; b=acOiXNvoIa3Clf5EotUpZQgCdyW1FlBZCmwQOsji+DPl5ARye2Og2wVkRQ94v574H+3uzz4r99bBtIJL21LgAgnNH5cdy3irTSiM1QhXMPgZarZolp/mpzIIZaairV8eovcl+7XqFrEpNEReY+9iJLyZI/pwUvzIfPq0JPT75ic= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com; spf=fail smtp.mailfrom=nvidia.com; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b=P8MsGUAB; arc=fail smtp.client-ip=40.107.244.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=nvidia.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=nvidia.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=Nvidia.com header.i=@Nvidia.com header.b="P8MsGUAB" ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=XYo4xmvNGrphqzFJEJjHcWwhWB4fRKUhRdaTJryZQBR0p1S03pRZ8mOtHnDmd7jEWX3RmCtr7X7wH8P7dPsgQ9WCkJmrDqx7wLXP3tchucHNmOez8ZDP35rrWNNQ+39DQ9WSvJYQU7Qed2SQ/XcPWqq+bbp6U1QXNxzIw8ZBUUz19MsGI+PSmjiW1vjXLjBrxZbBRItOiIbDIR62+K+Yn7ZeIs0gBBx5zpKxJ+R3XqQ4QtCNLUhajcegCK/Vjx8fibdOqPPKoFQ6BC1dVtqScqZhKudVVneSsUtFYksbZBFRmDZlgsbDGtFD7VFOKaOsxKXkJRq/Mu8oYlhE5rucZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=e7Shz75grRCwY8Z1HfydNCAIJMp6pG0Z3WfjZMmLwyk=; b=aCu2wfJTCjhMP9T8r7HcN11gOLkJp1+W5G3DoHiCQWutb7DEVNMZ1D7V3IY90O1gi3QbJxcxWZkX7Mfq7HBTd2pmDkkqy2Tw/H/6tG5heerB4RXsx1oSuR2RG4Rk38I7rUf33TeKPvkoh0LxRRpNSgyojNWftXHPIzvXSFuefYf1dgkUONoTkBpwRsaUT/57e3hohftBZKIqhV9ZqBXla4soUMNMUcUkh94I3eE9Gb9Ws7cG3D+Yh9cmqIbTms5HHEPPCQedlAK9jbwVbhz/F0BElaRDPimkgS+NJjZaYgHe7e+kT4Mu7zyOLCAEnIz+EApDhVG/96m2z4SVFnyVzg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nvidia.com; dmarc=pass action=none header.from=nvidia.com; dkim=pass header.d=nvidia.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e7Shz75grRCwY8Z1HfydNCAIJMp6pG0Z3WfjZMmLwyk=; b=P8MsGUAByPoJkz+21Tge7kEJAJH8a2eRF6znceE2wVU5qPpzBn6xxV7KSVD7Sc5NxDqPHjqYiX2+AFBjAturfa2/oQbo3NnjSHNZSWv4sK9cDqx8TqeOSXKZ8+AL7pPVo1/foKLosEzdC6QRFhOuGIItfdkUNmAKq1E0QdSeDKqXYyidMhovHmFHe92HYym4AccbMuyZD3XUrODjuF9U2yqf0L5OpQQVpZWs7+51GVBZ9wpVxnyJWgfxTGiNCxrEWyiEmVmb8tKL3cUfVIm8LUbqUGHdLTTnnUtrT6s4rR6F2RrgmEo88fA/xJr3S/PDM27+KPTWh/V+2lwvGy1sew== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nvidia.com; Received: from CH3PR12MB8659.namprd12.prod.outlook.com (2603:10b6:610:17c::13) by SN7PR12MB6885.namprd12.prod.outlook.com (2603:10b6:806:263::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8398.24; Fri, 7 Feb 2025 00:13:36 +0000 Received: from CH3PR12MB8659.namprd12.prod.outlook.com ([fe80::6eb6:7d37:7b4b:1732]) by CH3PR12MB8659.namprd12.prod.outlook.com ([fe80::6eb6:7d37:7b4b:1732%6]) with mapi id 15.20.8398.025; Fri, 7 Feb 2025 00:13:35 +0000 From: Jason Gunthorpe To: Cc: Andy Gospodarek , Aron Silverton , Dan Williams , Daniel Vetter , Dave Jiang , David Ahern , Andy Gospodarek , Christoph Hellwig , Itay Avraham , Jiri Pirko , Jonathan Cameron , Jakub Kicinski , Leonid Bloch , Leon Romanovsky , linux-cxl@vger.kernel.org, linux-rdma@vger.kernel.org, netdev@vger.kernel.org, Saeed Mahameed , "Nelson, Shannon" Subject: [PATCH v4 06/10] fwctl: Add documentation Date: Thu, 6 Feb 2025 20:13:28 -0400 Message-ID: <6-v4-0cf4ec3b8143+4995-fwctl_jgg@nvidia.com> In-Reply-To: <0-v4-0cf4ec3b8143+4995-fwctl_jgg@nvidia.com> References: X-ClientProxiedBy: BL1PR13CA0318.namprd13.prod.outlook.com (2603:10b6:208:2c1::23) To CH3PR12MB8659.namprd12.prod.outlook.com (2603:10b6:610:17c::13) Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH3PR12MB8659:EE_|SN7PR12MB6885:EE_ X-MS-Office365-Filtering-Correlation-Id: 2474fa82-a92b-4c3d-d921-08dd470c42c8 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|366016|376014|1800799024|7416014; X-Microsoft-Antispam-Message-Info: =?utf-8?q?3p6ieTjnkMnX3qWb6pooRDp/u0XiBC2?= =?utf-8?q?YRGWxvNZqMqJw6efMuzjYl5Uc4mKPfqe7eXze9WstKaRMntnaq/fF+FySAU3Gw6NC?= =?utf-8?q?tHBsv7R0WxVhROPrBm/lrqWJXV7+bhNj2GP9HRpU4pZELt1sF4sOd3L9vS+TQY4pa?= =?utf-8?q?djiPA05DLv9c3HGq9zR35kxy1zm3VYy+FmM+b8BSpHRaTpGwc2aB934rb7SQuUmiT?= =?utf-8?q?HvSaUCjDiQkCxl1+oqpxQQ9hpmwlPW99+FohXym/G7s5Qe7pP2liE9ee9rY96g4CN?= =?utf-8?q?hlkEF+JheWkEwqR1RmG/HTteOElY/rTlrfkXl2q9NscfbrJVYJtJe14n6ghcNfTnn?= =?utf-8?q?8hPYh7rohhsEsNWc56U7k/3UPLMSS/3yZ1MhCMd2wJw2IvZtiv5XTdaDLcUiFxlAL?= =?utf-8?q?E95gqnI+cq7NE/zFnYSs5u7uoudhCYrl9drhw8lEbP87+MgFkzBxbUoew0mFvTxvq?= =?utf-8?q?vQptIrlDGWtZVx/NwvLrjRlmKKIAaLZSe/FJDU0djRQpsASYZ1tADozYwFbRcIj4k?= =?utf-8?q?xZkN0LFtTlK37Ug4/X0i1Ic0niBhElKxVtEc/Gs9pAhAr9te5Totg4+xjwKeStPuD?= =?utf-8?q?Jo/aET7Rl6yBAsCEGpFx0072FgEIlEt1Aj4wH9UYNXib7jSCFC6LdXHCBptYHPf0W?= =?utf-8?q?cwTSD9PilXMjoIAK6BtvPK/FizDZ4pgaPHOxrDYSCu9DNTXhC/0ije0FQKgJclqq5?= =?utf-8?q?vLAWScaivkxe67Xc6Fsdv44ikpc2YQAntxHnJOwWyhG1ofwWkJsy2tJv2MqDjXD5z?= =?utf-8?q?sRs2PFGCREQ1SNxPIbTCvFILnF3R/A9G0C+cMztBLXs05dUXanC4QGAO79S0BRDEA?= =?utf-8?q?Li8RPZoX2z5Ox+qochM2w9ZGvnvPhrnyhCgtOHYOg4nVxDXxX0o6aW96aHp2yw0ix?= =?utf-8?q?yT25NhH11a/ZBcHey5b1w6bOGtpTnCOnqhVZZKTukMD9Di5uXSBbuGiGNi9u74N5u?= =?utf-8?q?GcaJ0GTCVtGVPvVDLszT0CThBfd34i+7D66MH86kcoeSWtfjB8veMEoXphVeYoxiv?= =?utf-8?q?o+RR7xLLt2aeSwVzAtAq3mta4WKMSUZMcdyr/Er69cHBcl5Sk5HdL7o8GO6SeoEpH?= =?utf-8?q?N5yzG+5NkEfIBQahiLVLNp9K9PBiitquzAQGtmg7FB48ajUl6ByzFcuitvKBEBzQ/?= =?utf-8?q?L6mdYaJTeoaN6+NbAZznHRreTOhFXnuKqiRLWx1N7M1LULCxwgs/r7uY0J4XeXQGP?= =?utf-8?q?CTMnFX0uugABZUsLVrtVR27fVVfJC8N/qL3WE0hlFIpGynMJWCGFn9jVqqErMZT4P?= =?utf-8?q?6QJL4gV8+e0TU+pnTPR23XVVKGiFp2SYIHLtIaZ6CmBjvj1TISatiDuqZyeBt3Rc6?= =?utf-8?q?xMXBG1Mw1rg3?= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH3PR12MB8659.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(1800799024)(7416014);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?EnqjbEL2sAbhZyb3P180RbE62/Bv?= =?utf-8?q?4AZJUIQjQ10PwH0ws3EbaTkVEVLPcR+4JnQRXFl10rQ74BoTz1Nu4o+4yYgIORrOS?= =?utf-8?q?cMMTzQ/vm5oDhuYEQW2FJRaOu4dFE4wGnQL2P4ot1FJV3g6w7Uj/cBnWCIRVrBCyb?= =?utf-8?q?oVOcWCODME6I/e3Kv3wFwHkcHy2Seaq6NokF5hQG6N9BmRwRkWL5J8aQPWCIM1gHJ?= =?utf-8?q?HnUeMN1r8WyhGiAonMmNpJyNRFmAVtjXK212hlcPaa8SBinQANN6Zp+nOatCHkOdF?= =?utf-8?q?NVcxWIDmH8p20r+rcOnMq8QFwB4K72gc2zcXeL/iGwmeLVFqVojtuYHvqSkOGEPoY?= =?utf-8?q?Ib8PTxhe+Hp9VbT1ILdMDDw7QVf3Z4OUlpOoPrid4SvExpaZwaJbez2WhuqOGLVDw?= =?utf-8?q?dvuILWLnTS8Sk9LzI/X95f4jHSifkovBf7dWZhCr5JUOk8eFn9+0ZiGt3NYU4j79A?= =?utf-8?q?hIHKfTQ3iTNeZXzitiTTY7jF8nNM1pMq9aXRw4ErBjS0cx9kfStvBP09JW2xfBbDc?= =?utf-8?q?P1VUUOTxFYAFPzIh1kP5jdlR4mLq6vqTn+zCBSC1qOFZMvXwNwv5d5CIcBLS3YcHx?= =?utf-8?q?VF1AmyJ7QCwJFowmwYLymZ6Ri31bBrzh9d4FArWjOrJojiA2RJ8/XBmKWlu8b469F?= =?utf-8?q?o770wp8qkSPC+wpdF+lfHCuNNYtlobAWfJRbslqKaY4xRmsq15DhwS1zLTWSMNsXR?= =?utf-8?q?84dBDwea3oWcICZWsWqeG+zSQaBTRJbVlcptIDFSm/JGGQ7jvPnvr7I3weurwGObU?= =?utf-8?q?Gz1EEnUvn1nSqOCtRrrABwNBq+aSScAt1U8a4H58tXwq4ldChN8Vwe7m0ezLZMsTU?= =?utf-8?q?VsosdIXtOFT+Zmho+VBe977oHzwejfNZYiu0gRwB1D/q/aQ50SGqIz69AziEPiWUr?= =?utf-8?q?WYkyW14KLgwrBL6+ywHA2sLvY95SC+9A77H4aCQ5KarPHS4YVUf/+YZ6A8RVAAL2U?= =?utf-8?q?Ty9OjPopFu8ngfdjTqZ+olBWdO3raItbaqTCwRhpqxIfWpuqLawY9A7DwUBbv1KZO?= =?utf-8?q?b995jQsgkfq16Ao2XMhbXKEnrN9yJ7SmQwHfo24UiEFuu3Afl7ZRogJWZMyPWL+H3?= =?utf-8?q?Y4w5fKD9No4UTM2/Nt4RfsqlmZnP0nokD54g5ySXUhWLmY1Wa9wu1YV44aRYcBADg?= =?utf-8?q?I3HrnqRo5z6KfIG32KM295IbQhzu9bXF5dnhCCGgS7GP1YrfeI/TzGPTTgwCRu4Kx?= =?utf-8?q?kJdDSLexDbOS5qiZ2JoP9K+qGxDdUPeF0mA5k8OWA7Oy2stw2Z975s/AmLKCGGIZZ?= =?utf-8?q?HCjsdy/R1rhuWRfanIahyKKadB/OB52/BV9ynD/k1q40EYNJnv+MHRebjGbI4tGb7?= =?utf-8?q?6+V6SGI1WqcLsmYRn04IMB3xeVLqAanRE/Tmy3j9v2Vbfjjq85ZM/k69LdmVwVfsO?= =?utf-8?q?xxB40WLw7GhKZ7XJZzJa6kTljNNctuJusd6zd+F5J4pDd2zpraufd3JDf3g3HhUZo?= =?utf-8?q?isE3D9JuiZ2EVnVoSJBeTTDRIwlLPoSOn6i0PkOmeFcJxh5S8/0DLajsKZ+7hXr+B?= =?utf-8?q?d7JGxNx2OOoK?= X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-Network-Message-Id: 2474fa82-a92b-4c3d-d921-08dd470c42c8 X-MS-Exchange-CrossTenant-AuthSource: CH3PR12MB8659.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Feb 2025 00:13:34.4976 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: nVxPpLj+86D1M1aLYc/NkiS8gma1gXXZ04XAHuxjhHupbFjqWY9qcBuL6OEGlXwW X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR12MB6885 Document the purpose and rules for the fwctl subsystem. Link in kdocs to the doc tree. Nacked-by: Jakub Kicinski Link: https://lore.kernel.org/r/20240603114250.5325279c@kernel.org Acked-by: Daniel Vetter https://lore.kernel.org/r/ZrHY2Bds7oF7KRGz@phenom.ffwll.local Reviewed-by: Jonathan Cameron Signed-off-by: Jason Gunthorpe Reviewed-by: Dave Jiang --- Documentation/userspace-api/fwctl/fwctl.rst | 285 ++++++++++++++++++++ Documentation/userspace-api/fwctl/index.rst | 12 + Documentation/userspace-api/index.rst | 1 + MAINTAINERS | 2 +- 4 files changed, 299 insertions(+), 1 deletion(-) create mode 100644 Documentation/userspace-api/fwctl/fwctl.rst create mode 100644 Documentation/userspace-api/fwctl/index.rst diff --git a/Documentation/userspace-api/fwctl/fwctl.rst b/Documentation/userspace-api/fwctl/fwctl.rst new file mode 100644 index 00000000000000..428f6f5bb9b4f9 --- /dev/null +++ b/Documentation/userspace-api/fwctl/fwctl.rst @@ -0,0 +1,285 @@ +.. SPDX-License-Identifier: GPL-2.0 + +=============== +fwctl subsystem +=============== + +:Author: Jason Gunthorpe + +Overview +======== + +Modern devices contain extensive amounts of FW, and in many cases, are largely +software-defined pieces of hardware. The evolution of this approach is largely a +reaction to Moore's Law where a chip tape out is now highly expensive, and the +chip design is extremely large. Replacing fixed HW logic with a flexible and +tightly coupled FW/HW combination is an effective risk mitigation against chip +respin. Problems in the HW design can be counteracted in device FW. This is +especially true for devices which present a stable and backwards compatible +interface to the operating system driver (such as NVMe). + +The FW layer in devices has grown to incredible size and devices frequently +integrate clusters of fast processors to run it. For example, mlx5 devices have +over 30MB of FW code, and big configurations operate with over 1GB of FW managed +runtime state. + +The availability of such a flexible layer has created quite a variety in the +industry where single pieces of silicon are now configurable software-defined +devices and can operate in substantially different ways depending on the need. +Further, we often see cases where specific sites wish to operate devices in ways +that are highly specialized and require applications that have been tailored to +their unique configuration. + +Further, devices have become multi-functional and integrated to the point they +no longer fit neatly into the kernel's division of subsystems. Modern +multi-functional devices have drivers, such as bnxt/ice/mlx5/pds, that span many +subsystems while sharing the underlying hardware using the auxiliary device +system. + +All together this creates a challenge for the operating system, where devices +have an expansive FW environment that needs robust device-specific debugging +support, and FW-driven functionality that is not well suited to “generic” +interfaces. fwctl seeks to allow access to the full device functionality from +user space in the areas of debuggability, management, and first-boot/nth-boot +provisioning. + +fwctl is aimed at the common device design pattern where the OS and FW +communicate via an RPC message layer constructed with a queue or mailbox scheme. +In this case the driver will typically have some layer to deliver RPC messages +and collect RPC responses from device FW. The in-kernel subsystem drivers that +operate the device for its primary purposes will use these RPCs to build their +drivers, but devices also usually have a set of ancillary RPCs that don't really +fit into any specific subsystem. For example, a HW RAID controller is primarily +operated by the block layer but also comes with a set of RPCs to administer the +construction of drives within the HW RAID. + +In the past when devices were more single function, individual subsystems would +grow different approaches to solving some of these common problems. For instance +monitoring device health, manipulating its FLASH, debugging the FW, +provisioning, all have various unique interfaces across the kernel. + +fwctl's purpose is to define a common set of limited rules, described below, +that allow user space to securely construct and execute RPCs inside device FW. +The rules serve as an agreement between the operating system and FW on how to +correctly design the RPC interface. As a uAPI the subsystem provides a thin +layer of discovery and a generic uAPI to deliver the RPCs and collect the +response. It supports a system of user space libraries and tools which will +use this interface to control the device using the device native protocols. + +Scope of Action +--------------- + +fwctl drivers are strictly restricted to being a way to operate the device FW. +It is not an avenue to access random kernel internals, or other operating system +SW states. + +fwctl instances must operate on a well-defined device function, and the device +should have a well-defined security model for what scope within the physical +device the function is permitted to access. For instance, the most complex PCIe +device today may broadly have several function-level scopes: + + 1. A privileged function with full access to the on-device global state and + configuration + + 2. Multiple hypervisor functions with control over itself and child functions + used with VMs + + 3. Multiple VM functions tightly scoped within the VM + +The device may create a logical parent/child relationship between these scopes. +For instance a child VM's FW may be within the scope of the hypervisor FW. It is +quite common in the VFIO world that the hypervisor environment has a complex +provisioning/profiling/configuration responsibility for the function VFIO +assigns to the VM. + +Further, within the function, devices often have RPC commands that fall within +some general scopes of action (see enum fwctl_rpc_scope): + + 1. Access to function & child configuration, FLASH, etc. that becomes live at a + function reset. Access to function & child runtime configuration that is + transparent or non-disruptive to any driver or VM. + + 2. Read-only access to function debug information that may report on FW objects + in the function & child, including FW objects owned by other kernel + subsystems. + + 3. Write access to function & child debug information strictly compatible with + the principles of kernel lockdown and kernel integrity protection. Triggers + a kernel Taint. + + 4. Full debug device access. Triggers a kernel Taint, requires CAP_SYS_RAWIO. + +User space will provide a scope label on each RPC and the kernel must enforce the +above CAPs and taints based on that scope. A combination of kernel and FW can +enforce that RPCs are placed in the correct scope by user space. + +Denied behavior +--------------- + +There are many things this interface must not allow user space to do (without a +Taint or CAP), broadly derived from the principles of kernel lockdown. Some +examples: + + 1. DMA to/from arbitrary memory, hang the system, compromise FW integrity with + untrusted code, or otherwise compromise device or system security and + integrity. + + 2. Provide an abnormal “back door” to kernel drivers. No manipulation of kernel + objects owned by kernel drivers. + + 3. Directly configure or otherwise control kernel drivers. A subsystem kernel + driver can react to the device configuration at function reset/driver load + time, but otherwise must not be coupled to fwctl. + + 4. Operate the HW in a way that overlaps with the core purpose of another + primary kernel subsystem, such as read/write to LBAs, send/receive of + network packets, or operate an accelerator's data plane. + +fwctl is not a replacement for device direct access subsystems like uacce or +VFIO. + +Operations exposed through fwctl's non-taining interfaces should be fully +sharable with other users of the device. For instance exposing a RPC through +fwctl should never prevent a kernel subsystem from also concurrently using that +same RPC or hardware unit down the road. In such cases fwctl will be less +important than proper kernel subsystems that eventually emerge. Mistakes in this +area resulting in clashes will be resolved in favour of a kernel implementation. + +fwctl User API +============== + +.. kernel-doc:: include/uapi/fwctl/fwctl.h +.. kernel-doc:: include/uapi/fwctl/mlx5.h + +sysfs Class +----------- + +fwctl has a sysfs class (/sys/class/fwctl/fwctlNN/) and character devices +(/dev/fwctl/fwctlNN) with a simple numbered scheme. The character device +operates the iotcl uAPI described above. + +fwctl devices can be related to driver components in other subsystems through +sysfs:: + + $ ls /sys/class/fwctl/fwctl0/device/infiniband/ + ibp0s10f0 + + $ ls /sys/class/infiniband/ibp0s10f0/device/fwctl/ + fwctl0/ + + $ ls /sys/devices/pci0000:00/0000:00:0a.0/fwctl/fwctl0 + dev device power subsystem uevent + +User space Community +-------------------- + +Drawing inspiration from nvme-cli, participating in the kernel side must come +with a user space in a common TBD git tree, at a minimum to usefully operate the +kernel driver. Providing such an implementation is a pre-condition to merging a +kernel driver. + +The goal is to build user space community around some of the shared problems +we all have, and ideally develop some common user space programs with some +starting themes of: + + - Device in-field debugging + + - HW provisioning + + - VFIO child device profiling before VM boot + + - Confidential Compute topics (attestation, secure provisioning) + +that stretch across all subsystems in the kernel. fwupd is a great example of +how an excellent user space experience can emerge out of kernel-side diversity. + +fwctl Kernel API +================ + +.. kernel-doc:: drivers/fwctl/main.c + :export: +.. kernel-doc:: include/linux/fwctl.h + +fwctl Driver design +------------------- + +In many cases a fwctl driver is going to be part of a larger cross-subsystem +device possibly using the auxiliary_device mechanism. In that case several +subsystems are going to be sharing the same device and FW interface layer so the +device design must already provide for isolation and cooperation between kernel +subsystems. fwctl should fit into that same model. + +Part of the driver should include a description of how its scope restrictions +and security model work. The driver and FW together must ensure that RPCs +provided by user space are mapped to the appropriate scope. If the validation is +done in the driver then the validation can read a 'command effects' report from +the device, or hardwire the enforcement. If the validation is done in the FW, +then the driver should pass the fwctl_rpc_scope to the FW along with the command. + +The driver and FW must cooperate to ensure that either fwctl cannot allocate +any FW resources, or any resources it does allocate are freed on FD closure. A +driver primarily constructed around FW RPCs may find that its core PCI function +and RPC layer belongs under fwctl with auxiliary devices connecting to other +subsystems. + +Each device type must be mindful of Linux's philosophy for stable ABI. The FW +RPC interface does not have to meet a strictly stable ABI, but it does need to +meet an expectation that userspace tools that are deployed and in significant +use don't needlessly break. FW upgrade and kernel upgrade should keep widely +deployed tooling working. + +Development and debugging focused RPCs under more permissive scopes can have +less stablitiy if the tools using them are only run under exceptional +circumstances and not for every day use of the device. Debugging tools may even +require exact version matching as they may require something similar to DWARF +debug information from the FW binary. + +Security Response +================= + +The kernel remains the gatekeeper for this interface. If violations of the +scopes, security or isolation principles are found, we have options to let +devices fix them with a FW update, push a kernel patch to parse and block RPC +commands or push a kernel patch to block entire firmware versions/devices. + +While the kernel can always directly parse and restrict RPCs, it is expected +that the existing kernel pattern of allowing drivers to delegate validation to +FW to be a useful design. + +Existing Similar Examples +========================= + +The approach described in this document is not a new idea. Direct, or near +direct device access has been offered by the kernel in different areas for +decades. With more devices wanting to follow this design pattern it is becoming +clear that it is not entirely well understood and, more importantly, the +security considerations are not well defined or agreed upon. + +Some examples: + + - HW RAID controllers. This includes RPCs to do things like compose drives into + a RAID volume, configure RAID parameters, monitor the HW and more. + + - Baseboard managers. RPCs for configuring settings in the device and more + + - NVMe vendor command capsules. nvme-cli provides access to some monitoring + functions that different products have defined, but more exist. + + - CXL also has a NVMe-like vendor command system. + + - DRM allows user space drivers to send commands to the device via kernel + mediation + + - RDMA allows user space drivers to directly push commands to the device + without kernel involvement + + - Various “raw” APIs, raw HID (SDL2), raw USB, NVMe Generic Interface, etc. + +The first 4 are examples of areas that fwctl intends to cover. The latter three +are examples of denied behavior as they fully overlap with the primary purpose +of a kernel subsystem. + +Some key lessons learned from these past efforts are the importance of having a +common user space project to use as a pre-condition for obtaining a kernel +driver. Developing good community around useful software in user space is key to +getting companies to fund participation to enable their products. diff --git a/Documentation/userspace-api/fwctl/index.rst b/Documentation/userspace-api/fwctl/index.rst new file mode 100644 index 00000000000000..06959fbf154743 --- /dev/null +++ b/Documentation/userspace-api/fwctl/index.rst @@ -0,0 +1,12 @@ +.. SPDX-License-Identifier: GPL-2.0 + +Firmware Control (FWCTL) Userspace API +====================================== + +A framework that define a common set of limited rules that allows user space +to securely construct and execute RPCs inside device firmware. + +.. toctree:: + :maxdepth: 1 + + fwctl diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst index b1395d94b3fd0a..e8e861f767fd5c 100644 --- a/Documentation/userspace-api/index.rst +++ b/Documentation/userspace-api/index.rst @@ -45,6 +45,7 @@ Devices and I/O accelerators/ocxl dma-buf-alloc-exchange + fwctl/index gpio/index iommufd media/index diff --git a/MAINTAINERS b/MAINTAINERS index 5f30adbe6c8521..319169f7cb7e1c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9561,7 +9561,7 @@ FWCTL SUBSYSTEM M: Jason Gunthorpe M: Saeed Mahameed S: Maintained -F: Documentation/userspace-api/fwctl.rst +F: Documentation/userspace-api/fwctl/ F: drivers/fwctl/ F: include/linux/fwctl.h F: include/uapi/fwctl/