From patchwork Thu Sep 30 01:05:06 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kuppuswamy Sathyanarayanan
X-Patchwork-Id: 12527059
From: Kuppuswamy Sathyanarayanan
To: Greg Kroah-Hartman, Borislav Petkov
Cc: x86@kernel.org, Bjorn Helgaas, Thomas Gleixner, Ingo Molnar, Andreas Noever, "Michael S . Tsirkin", Michael Jamet, Yehezkel Bernat, "Rafael J . Wysocki", Mika Westerberg, Jonathan Corbet, Jason Wang, Dan Williams, Andi Kleen, Kuppuswamy Sathyanarayanan, linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-usb@vger.kernel.org, virtualization@lists.linux-foundation.org
Subject: [PATCH v2 1/6] driver core: Move the "authorized" attribute from USB/Thunderbolt to core
Date: Wed, 29 Sep 2021 18:05:06 -0700
Message-Id: <20210930010511.3387967-2-sathyanarayanan.kuppuswamy@linux.intel.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com>
References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-usb@vger.kernel.org

Currently bus drivers like "USB" or "Thunderbolt" implement a custom
version of device authorization to selectively authorize the driver
probes. Since there is a common requirement, move the "authorized"
attribute support to the driver core in order to allow it to be used
by other subsystems / buses.

Similar requirements have been discussed in the PCI [1] community for
PCI bus drivers as well.

No functional changes are intended. It just converts the authorized
attribute from int to bool and moves it to the driver core. There
should be no user-visible change in the location or semantics of
attributes for USB devices.

Regarding the thunderbolt driver, although it declares sw->authorized
as "int" and allows 0,1,2 as valid values for the sw->authorized
attribute, within the driver, in all authorized attribute related
checks, it is treated as a bool value. So when converting the
authorized attribute from int to bool value, there should be no
functional changes other than value 2 being not visible to the user.

[1]: https://lore.kernel.org/all/CACK8Z6E8pjVeC934oFgr=VB3pULx_GyT2NkzAogdRQJ9TKSX9A@mail.gmail.com/ Reviewed-by: Dan Williams Signed-off-by: Kuppuswamy Sathyanarayanan --- drivers/thunderbolt/domain.c | 6 +++--- drivers/thunderbolt/icm.c | 9 +++++---- drivers/thunderbolt/switch.c | 18 ++++++++---------- drivers/thunderbolt/tb.c | 2 +- drivers/thunderbolt/tb.h | 2 -- drivers/usb/core/driver.c | 2 +- drivers/usb/core/generic.c | 2 +- drivers/usb/core/hub.c | 8 ++++---- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 3 +-- drivers/usb/core/usb.c | 10 +++++++++- include/linux/device.h | 3 ++- include/linux/usb.h | 6 ------ 13 files changed, 36 insertions(+), 37 deletions(-) diff --git a/drivers/thunderbolt/domain.c b/drivers/thunderbolt/domain.c index 7018d959f775..3e39686eff14 100644 --- a/drivers/thunderbolt/domain.c +++ b/drivers/thunderbolt/domain.c @@ -656,7 +656,7 @@ int tb_domain_approve_switch(struct tb *tb, struct tb_switch *sw) /* The parent switch must be authorized before this one */ parent_sw = tb_to_switch(sw->dev.parent); - if (!parent_sw || !parent_sw->authorized) + if (!parent_sw || !parent_sw->dev.authorized) return -EINVAL; return tb->cm_ops->approve_switch(tb, sw); @@ -683,7 +683,7 @@ int tb_domain_approve_switch_key(struct tb *tb, struct tb_switch *sw) /* The parent switch must be authorized before this one */ parent_sw = tb_to_switch(sw->dev.parent); - if (!parent_sw || !parent_sw->authorized) + if (!parent_sw || !parent_sw->dev.authorized) return -EINVAL; ret = tb->cm_ops->add_switch_key(tb, sw); @@ -720,7 +720,7 @@ int tb_domain_challenge_switch_key(struct tb *tb, struct tb_switch *sw) /* The parent switch must be authorized before this one */ parent_sw = tb_to_switch(sw->dev.parent); - if (!parent_sw || !parent_sw->authorized) + if (!parent_sw || !parent_sw->dev.authorized) return -EINVAL; get_random_bytes(challenge, sizeof(challenge)); 
diff --git a/drivers/thunderbolt/icm.c b/drivers/thunderbolt/icm.c index 6255f1ef9599..f5b784c1cabb 100644 --- a/drivers/thunderbolt/icm.c +++ b/drivers/thunderbolt/icm.c @@ -768,7 +768,7 @@ icm_fr_device_connected(struct tb *tb, const struct icm_pkg_header *hdr) * sure our book keeping matches that. */ if (sw->depth == depth && sw_phy_port == phy_port && - !!sw->authorized == authorized) { + sw->dev.authorized == authorized) { /* * It was enumerated through another link so update * route string accordingly. @@ -849,7 +849,7 @@ icm_fr_device_connected(struct tb *tb, const struct icm_pkg_header *hdr) sw->connection_key = pkg->connection_key; sw->link = link; sw->depth = depth; - sw->authorized = authorized; + sw->dev.authorized = authorized; sw->security_level = security_level; sw->boot = boot; sw->link_speed = speed_gen3 ? 20 : 10; @@ -1235,7 +1235,8 @@ __icm_tr_device_connected(struct tb *tb, const struct icm_pkg_header *hdr, sw = tb_switch_find_by_uuid(tb, &pkg->ep_uuid); if (sw) { /* Update the switch if it is still in the same place */ - if (tb_route(sw) == route && !!sw->authorized == authorized) { + if (tb_route(sw) == route && + sw->dev.authorized == authorized) { parent_sw = tb_to_switch(sw->dev.parent); update_switch(parent_sw, sw, route, pkg->connection_id, 0, 0, 0, boot); @@ -1272,7 +1273,7 @@ __icm_tr_device_connected(struct tb *tb, const struct icm_pkg_header *hdr, sw = alloc_switch(parent_sw, route, &pkg->ep_uuid); if (!IS_ERR(sw)) { sw->connection_id = pkg->connection_id; - sw->authorized = authorized; + sw->dev.authorized = authorized; sw->security_level = security_level; sw->boot = boot; sw->link_speed = speed_gen3 ? 20 : 10; diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c index 3014146081c1..e640d764499a 100644 --- a/drivers/thunderbolt/switch.c +++ b/drivers/thunderbolt/switch.c 
@@ -1494,9 +1494,7 @@ static ssize_t authorized_show(struct device *dev, struct device_attribute *attr, char *buf) { - struct tb_switch *sw = tb_to_switch(dev); - - return sprintf(buf, "%u\n", sw->authorized); + return sprintf(buf, "%u\n", dev->authorized); } static int disapprove_switch(struct device *dev, void *not_used) @@ -1505,7 +1503,7 @@ static int disapprove_switch(struct device *dev, void *not_used) struct tb_switch *sw; sw = tb_to_switch(dev); - if (sw && sw->authorized) { + if (sw && sw->dev.authorized) { int ret; /* First children */ @@ -1517,7 +1515,7 @@ static int disapprove_switch(struct device *dev, void *not_used) if (ret) return ret; - sw->authorized = 0; + dev->authorized = false; kobject_uevent_env(&sw->dev.kobj, KOBJ_CHANGE, envp); } @@ -1533,7 +1531,7 @@ static int tb_switch_set_authorized(struct tb_switch *sw, unsigned int val) if (!mutex_trylock(&sw->tb->lock)) return restart_syscall(); - if (!!sw->authorized == !!val) + if (sw->dev.authorized == !!val) goto unlock; switch (val) { @@ -1564,12 +1562,12 @@ static int tb_switch_set_authorized(struct tb_switch *sw, unsigned int val) } if (!ret) { - sw->authorized = val; + sw->dev.authorized = !!val; /* * Notify status change to the userspace, informing the new * value of /sys/bus/thunderbolt/devices/.../authorized. */ - sprintf(envp_string, "AUTHORIZED=%u", sw->authorized); + sprintf(envp_string, "AUTHORIZED=%u", sw->dev.authorized); kobject_uevent_env(&sw->dev.kobj, KOBJ_CHANGE, envp); } @@ -1671,7 +1669,7 @@ static ssize_t key_store(struct device *dev, struct device_attribute *attr, if (!mutex_trylock(&sw->tb->lock)) return restart_syscall(); - if (sw->authorized) { + if (sw->dev.authorized) { ret = -EBUSY; } else { kfree(sw->key); @@ -2192,7 +2190,7 @@ struct tb_switch *tb_switch_alloc(struct tb *tb, struct device *parent, /* Root switch is always authorized */ if (!route) - sw->authorized = true; + sw->dev.authorized = true; device_initialize(&sw->dev); sw->dev.parent = parent; 
diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c index 2897a77d44c3..44d2fa893fa9 100644 --- a/drivers/thunderbolt/tb.c +++ b/drivers/thunderbolt/tb.c @@ -1323,7 +1323,7 @@ static int tb_scan_finalize_switch(struct device *dev, void *data) * send uevent to userspace. */ if (sw->boot) - sw->authorized = 1; + sw->dev.authorized = true; dev_set_uevent_suppress(dev, false); kobject_uevent(&dev->kobj, KOBJ_ADD); diff --git a/drivers/thunderbolt/tb.h b/drivers/thunderbolt/tb.h index 725104c83e3d..cfe869d8e826 100644 --- a/drivers/thunderbolt/tb.h +++ b/drivers/thunderbolt/tb.h @@ -130,7 +130,6 @@ struct tb_switch_tmu { * @safe_mode: The switch is in safe-mode * @boot: Whether the switch was already authorized on boot or not * @rpm: The switch supports runtime PM - * @authorized: Whether the switch is authorized by user or policy * @security_level: Switch supported security level * @debugfs_dir: Pointer to the debugfs structure * @key: Contains the key used to challenge the device or %NULL if not @@ -180,7 +179,6 @@ struct tb_switch { bool safe_mode; bool boot; bool rpm; - unsigned int authorized; enum tb_security_level security_level; struct dentry *debugfs_dir; u8 *key; diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c index 072968c40ade..fb476665f52d 100644 --- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c @@ -331,7 +331,7 @@ static int usb_probe_interface(struct device *dev) if (usb_device_is_owned(udev)) return error; - if (udev->authorized == 0) { + if (udev->dev.authorized == false) { dev_err(&intf->dev, "Device is not authorized for usage\n"); return error; } else if (intf->authorized == 0) { diff --git a/drivers/usb/core/generic.c b/drivers/usb/core/generic.c index 26f9fb9f67ca..7fa4ca77fa89 100644 --- a/drivers/usb/core/generic.c +++ b/drivers/usb/core/generic.c 
@@ -230,7 +230,7 @@ int usb_generic_driver_probe(struct usb_device *udev) /* Choose and set the configuration. This registers the interfaces * with the driver core and lets interface drivers bind to them. */ - if (udev->authorized == 0) + if (udev->dev.authorized == false) dev_err(&udev->dev, "Device is not authorized for usage\n"); else { c = usb_choose_configuration(udev); diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 86658a81d284..f58b19aa4f5f 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -2616,10 +2616,10 @@ int usb_new_device(struct usb_device *udev) int usb_deauthorize_device(struct usb_device *usb_dev) { usb_lock_device(usb_dev); - if (usb_dev->authorized == 0) + if (usb_dev->dev.authorized == false) goto out_unauthorized; - usb_dev->authorized = 0; + usb_dev->dev.authorized = false; usb_set_configuration(usb_dev, -1); out_unauthorized: @@ -2633,7 +2633,7 @@ int usb_authorize_device(struct usb_device *usb_dev) int result = 0, c; usb_lock_device(usb_dev); - if (usb_dev->authorized == 1) + if (usb_dev->dev.authorized == true) goto out_authorized; result = usb_autoresume_device(usb_dev); @@ -2652,7 +2652,7 @@ int usb_authorize_device(struct usb_device *usb_dev) } } - usb_dev->authorized = 1; + usb_dev->dev.authorized = true; /* Choose and set the configuration. This registers the interfaces * with the driver core and lets interface drivers bind to them. */ diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index 4d59d927ae3e..47548ce1cfb1 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -1962,7 +1962,7 @@ int usb_set_configuration(struct usb_device *dev, int configuration) struct usb_hcd *hcd = bus_to_hcd(dev->bus); int n, nintf; - if (dev->authorized == 0 || configuration == -1) + if (dev->dev.authorized == false || configuration == -1) configuration = 0; else { for (i = 0; i < dev->descriptor.bNumConfigurations; i++) { 
diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c index fa2e49d432ff..3d63e345d0a0 100644 --- a/drivers/usb/core/sysfs.c +++ b/drivers/usb/core/sysfs.c @@ -726,8 +726,7 @@ usb_descriptor_attr(bMaxPacketSize0, "%d\n"); static ssize_t authorized_show(struct device *dev, struct device_attribute *attr, char *buf) { - struct usb_device *usb_dev = to_usb_device(dev); - return snprintf(buf, PAGE_SIZE, "%u\n", usb_dev->authorized); + return snprintf(buf, PAGE_SIZE, "%u\n", dev->authorized); } /* diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c index 62368c4ed37a..18f3ad39ccbc 100644 --- a/drivers/usb/core/usb.c +++ b/drivers/usb/core/usb.c @@ -579,6 +579,14 @@ static unsigned usb_bus_is_wusb(struct usb_bus *bus) return hcd->wireless; } +/* + * usb_dev_authorized() - Used to initialize the "authorized" status of + * the USB device. + * (user space) policy determines if we authorize this device to be + * used or not. By default, wired USB devices are authorized. + * WUSB devices are not, until we authorize them from user space. + * FIXME -- complete doc + */ static bool usb_dev_authorized(struct usb_device *dev, struct usb_hcd *hcd) { struct usb_hub *hub; @@ -717,7 +725,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent, dev->active_duration = -jiffies; #endif - dev->authorized = usb_dev_authorized(dev, usb_hcd); + dev->dev.authorized = usb_dev_authorized(dev, usb_hcd); if (!root_hub) dev->wusb = usb_bus_is_wusb(bus) ? 1 : 0; diff --git a/include/linux/device.h b/include/linux/device.h index e270cb740b9e..899be9a2c0cb 100644 --- a/include/linux/device.h +++ b/include/linux/device.h 
@@ -443,7 +443,7 @@ struct dev_links_info { * @removable: Whether the device can be removed from the system. This * should be set by the subsystem / bus driver that discovered * the device. - * + * @authorized: Whether the device is authorized to bind to a driver. * @offline_disabled: If set, the device is permanently online. * @offline: Set after successful invocation of bus type's .offline(). * @of_node_reused: Set if the device-tree node is shared with an ancestor @@ -562,6 +562,7 @@ struct device { enum device_removable removable; + bool authorized:1; bool offline_disabled:1; bool offline:1; bool of_node_reused:1; diff --git a/include/linux/usb.h b/include/linux/usb.h index 7ccaa76a9a96..796df4068e94 100644 --- a/include/linux/usb.h +++ b/include/linux/usb.h @@ -576,11 +576,6 @@ struct usb3_lpm_parameters { * @can_submit: URBs may be submitted * @persist_enabled: USB_PERSIST enabled for this device * @have_langid: whether string_langid is valid - * @authorized: policy has said we can use it; - * (user space) policy determines if we authorize this device to be - * used or not. By default, wired USB devices are authorized. - * WUSB devices are not, until we authorize them from user space. - * FIXME -- complete doc * @authenticated: Crypto authentication passed * @wusb: device is Wireless USB * @lpm_capable: device supports LPM 
@@ -662,7 +657,6 @@ struct usb_device { unsigned can_submit:1; unsigned persist_enabled:1; unsigned have_langid:1; - unsigned authorized:1; unsigned authenticated:1; unsigned wusb:1; unsigned lpm_capable:1; From patchwork Thu Sep 30 01:05:07 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kuppuswamy Sathyanarayanan X-Patchwork-Id: 12527067 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58805C433FE for ; Thu, 30 Sep 2021 01:05:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 40415615E3 for ; Thu, 30 Sep 2021 01:05:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347584AbhI3BHS (ORCPT ); Wed, 29 Sep 2021 21:07:18 -0400 Received: from mga02.intel.com ([134.134.136.20]:24480 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347152AbhI3BHO (ORCPT ); Wed, 29 Sep 2021 21:07:14 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10122"; a="212330104" X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="212330104" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:31 -0700 X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="521027367" Received: from yzhu3-mobl.amr.corp.intel.com (HELO skuppusw-desk1.amr.corp.intel.com) ([10.254.37.25]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:30 -0700 
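Review bot: in tb_switch_set_authorized() (drivers/thunderbolt/switch.c) the store changes from `sw->authorized = val` to `sw->dev.authorized = !!val`, so the `AUTHORIZED=%u` uevent built right after it, and authorized_show(), now report 1 for a write of 2. The commit message acknowledges that 2 is no longer visible yet still describes the patch as having no functional change; this is a change in what userspace reads from /sys/bus/thunderbolt/devices/.../authorized. Consider keeping the 0/1/2 value in struct tb_switch for reporting and using `dev.authorized` only for the probe decision, or state the ABI change explicitly.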
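Review bot: `bool authorized:1` in struct device (include/linux/device.h) shares a storage unit with `offline_disabled`, `offline` and the other flag bits, but the writers visible in this patch hold different locks: tb_switch_set_authorized() takes `sw->tb->lock`, usb_authorize_device() takes usb_lock_device(). A bitfield store is a read-modify-write of the whole unit, so unless every writer of the neighbouring bits is serialised by the same lock an update can be lost. Document in the `@authorized` kernel-doc which lock protects the field, or make it a plain `bool` outside the bitfield group.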
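Review bot: the USB conversions compare a bool against literals (`udev->dev.authorized == false` in usb_probe_interface(), usb_generic_driver_probe(), usb_deauthorize_device() and usb_set_configuration(), and `== true` in usb_authorize_device()). Write these as `!udev->dev.authorized` and `usb_dev->dev.authorized`, which is how the thunderbolt hunks in the same patch test the field. In disapprove_switch() the same function now mixes `sw->dev.authorized` and `dev->authorized`; pick one spelling.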
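Review bot: the comment added above usb_dev_authorized() in drivers/usb/core/usb.c is the old `@authorized` field description moved verbatim, including the "FIXME -- complete doc" line, and it describes the policy rather than the function's parameters or return value. Since the text is being touched anyway, either finish it as a proper function comment (what `dev` and `hcd` contribute, what true/false means) or drop the FIXME.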
From: Kuppuswamy Sathyanarayanan
To: Greg Kroah-Hartman, Borislav Petkov
Cc: x86@kernel.org, Bjorn Helgaas, Thomas Gleixner, Ingo Molnar, Andreas Noever, "Michael S . Tsirkin", Michael Jamet, Yehezkel Bernat, "Rafael J . Wysocki", Mika Westerberg, Jonathan Corbet, Jason Wang, Dan Williams, Andi Kleen, Kuppuswamy Sathyanarayanan, linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-usb@vger.kernel.org, virtualization@lists.linux-foundation.org
Subject: [PATCH v2 2/6] driver core: Add common support to skip probe for un-authorized devices
Date: Wed, 29 Sep 2021 18:05:07 -0700
Message-Id: <20210930010511.3387967-3-sathyanarayanan.kuppuswamy@linux.intel.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com>
References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-usb@vger.kernel.org

While the common case for device-authorization is to skip probe of
unauthorized devices, some buses may still want to emit a message on
probe failure (Thunderbolt), or base probe failures on the
authorization status of a related device like a parent (USB). So add
an option (has_probe_authorization) in struct bus_type for the bus
driver to own probe authorization policy.

Reviewed-by: Dan Williams
Signed-off-by: Kuppuswamy Sathyanarayanan
---
 drivers/base/dd.c            | 5 +++++
 drivers/thunderbolt/domain.c | 1 +
 drivers/usb/core/driver.c    | 1 +
 include/linux/device/bus.h   | 4 ++++
 4 files changed, 11 insertions(+)

diff --git a/drivers/base/dd.c b/drivers/base/dd.c index 68ea1f949daa..0cd03ac7d3b1 100644 --- a/drivers/base/dd.c +++ b/drivers/base/dd.c
@@ -544,6 +544,11 @@ static int really_probe(struct device *dev, struct device_driver *drv) !drv->suppress_bind_attrs; int ret; + if (!dev->authorized && !dev->bus->has_probe_authorization) { + dev_dbg(dev, "Device is not authorized\n"); + return -ENODEV; + } + if (defer_all_probes) { /* * Value of defer_all_probes can be set only by diff --git a/drivers/thunderbolt/domain.c b/drivers/thunderbolt/domain.c index 3e39686eff14..6de8a366b796 100644 --- a/drivers/thunderbolt/domain.c +++ b/drivers/thunderbolt/domain.c @@ -321,6 +321,7 @@ struct bus_type tb_bus_type = { .probe = tb_service_probe, .remove = tb_service_remove, .shutdown = tb_service_shutdown, + .has_probe_authorization = true, }; static void tb_domain_release(struct device *dev) diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c index fb476665f52d..f57b5a7a90ca 100644 --- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c @@ -2028,4 +2028,5 @@ struct bus_type usb_bus_type = { .match = usb_device_match, .uevent = usb_uevent, .need_parent_lock = true, + .has_probe_authorization = true, }; diff --git a/include/linux/device/bus.h b/include/linux/device/bus.h index 062777a45a74..571a2f6e7c1d 100644 --- a/include/linux/device/bus.h +++ b/include/linux/device/bus.h @@ -69,6 +69,9 @@ struct fwnode_handle; * @lock_key: Lock class key for use by the lock validator * @need_parent_lock: When probing or removing a device on this bus, the * device core should lock the device's parent. + * @has_probe_authorization: Set true to indicate to the driver-core to skip + * the authorization checks and let bus drivers + * handle it locally. * * A bus is a channel between the processor and one or more devices. For the * purposes of the device model, all devices are connected via a bus, even if 
@@ -112,6 +115,7 @@ struct bus_type { struct lock_class_key lock_key; bool need_parent_lock; + bool has_probe_authorization; }; extern int __must_check bus_register(struct bus_type *bus); From patchwork Thu Sep 30 01:05:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kuppuswamy Sathyanarayanan X-Patchwork-Id: 12527061 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7CCCAC433F5 for ; Thu, 30 Sep 2021 01:05:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5171B6197A for ; Thu, 30 Sep 2021 01:05:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347567AbhI3BHR (ORCPT ); Wed, 29 Sep 2021 21:07:17 -0400 Received: from mga02.intel.com ([134.134.136.20]:24481 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347347AbhI3BHP (ORCPT ); Wed, 29 Sep 2021 21:07:15 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10122"; a="212330108" X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="212330108" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:33 -0700 X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="521027370" Received: from yzhu3-mobl.amr.corp.intel.com (HELO skuppusw-desk1.amr.corp.intel.com) ([10.254.37.25]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:31 -0700 
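Review bot: the new check at the top of really_probe() (drivers/base/dd.c) is opt-out per bus: any bus that sets `.has_probe_authorization = true` bypasses it entirely, and the `@has_probe_authorization` kernel-doc in bus.h only says the bus will "handle it locally". Spell out in that comment that the bus's own probe path is then required to test `dev->authorized`, so a bus cannot set the flag and end up with no enforcement at all. The denial is also logged only with dev_dbg(); on a deny-by-default platform a message that is visible without dynamic debug would make it possible to see which devices were filtered.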
From: Kuppuswamy Sathyanarayanan
To: Greg Kroah-Hartman, Borislav Petkov
Cc: x86@kernel.org, Bjorn Helgaas, Thomas Gleixner, Ingo Molnar, Andreas Noever, "Michael S . Tsirkin", Michael Jamet, Yehezkel Bernat, "Rafael J . Wysocki", Mika Westerberg, Jonathan Corbet, Jason Wang, Dan Williams, Andi Kleen, Kuppuswamy Sathyanarayanan, linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-usb@vger.kernel.org, virtualization@lists.linux-foundation.org
Subject: [PATCH v2 3/6] driver core: Allow arch to initialize the authorized attribute
Date: Wed, 29 Sep 2021 18:05:08 -0700
Message-Id: <20210930010511.3387967-4-sathyanarayanan.kuppuswamy@linux.intel.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com>
References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-usb@vger.kernel.org

Authorized device attribute is used to authorize or deauthorize the
driver probe of the given device. Currently this attribute is
initialized to "true" (allow all) by default. But for platforms like
TDX guest, in which the host is an untrusted entity, it has a
requirement to disable all devices by default and allow only a trusted
list of devices with hardened drivers. So define a variable
"dev_default_authorization" which is used to initialize the
"authorized" attribute in device_initialize(). Also allow arch code to
override the default value by updating dev_default_authorization
value.

More discussion about the need for device/driver filter and the use of
allow list can be found in article [1] titled "firewall for device
drivers".

Also note that USB and Thunderbolt both override this initial value in
their respective device initializations so this is not a regression
for those buses.

[1] - https://lwn.net/Articles/865918/

Reviewed-by: Dan Williams
Signed-off-by: Kuppuswamy Sathyanarayanan --- drivers/base/core.c | 7 +++++++ include/linux/device.h | 2 ++ 2 files changed, 9 insertions(+) diff --git a/drivers/base/core.c b/drivers/base/core.c index e65dd803a453..98717f00b90b 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -47,6 +47,12 @@ static int __init sysfs_deprecated_setup(char *arg) early_param("sysfs.deprecated", sysfs_deprecated_setup); #endif +/* + * Default authorization status set as allow all. It can be + * overridden by arch code. + */ +bool __ro_after_init dev_default_authorization = true; + /* Device links support. */ static LIST_HEAD(deferred_sync); static unsigned int defer_sync_state_count = 1; @@ -2855,6 +2861,7 @@ void device_initialize(struct device *dev) #ifdef CONFIG_SWIOTLB dev->dma_io_tlb_mem = &io_tlb_default_mem; #endif + dev->authorized = dev_default_authorization; } EXPORT_SYMBOL_GPL(device_initialize); diff --git a/include/linux/device.h b/include/linux/device.h index 899be9a2c0cb..c97b1e59d23a 100644 --- a/include/linux/device.h +++ b/include/linux/device.h 
@@ -959,6 +959,8 @@ int devtmpfs_mount(void); static inline int devtmpfs_mount(void) { return 0; } #endif +extern bool dev_default_authorization; + /* drivers/base/power/shutdown.c */ void device_shutdown(void); From patchwork Thu Sep 30 01:05:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kuppuswamy Sathyanarayanan X-Patchwork-Id: 12527065 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14ABBC4332F for ; Thu, 30 Sep 2021 01:05:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0160D615A4 for ; Thu, 30 Sep 2021 01:05:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347609AbhI3BHT (ORCPT ); Wed, 29 Sep 2021 21:07:19 -0400 Received: from mga02.intel.com ([134.134.136.20]:24480 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347505AbhI3BHQ (ORCPT ); Wed, 29 Sep 2021 21:07:16 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10122"; a="212330112" X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="212330112" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:34 -0700 X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="521027373" Received: from yzhu3-mobl.amr.corp.intel.com (HELO skuppusw-desk1.amr.corp.intel.com) ([10.254.37.25]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:33 -0700 
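Review bot: device_initialize() (drivers/base/core.c) copies `dev_default_authorization` into `dev->authorized` at the moment it runs, so any device initialised before arch code flips the global keeps the allow-all default. The comment above the variable says only that it "can be overridden by arch code"; state the ordering requirement there (the override has to happen before the first device_initialize() the platform cares about). Exposing the variable as a bare `extern bool` in device.h also lets any built-in code write it until init ends; a small __init setter would keep the write sites auditable.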
From: Kuppuswamy Sathyanarayanan To: Greg Kroah-Hartman , Borislav Petkov Cc: x86@kernel.org, Bjorn Helgaas , Thomas Gleixner , Ingo Molnar , Andreas Noever , "Michael S . Tsirkin" , Michael Jamet , Yehezkel Bernat , "Rafael J . Wysocki" , Mika Westerberg , Jonathan Corbet , Jason Wang , Dan Williams , Andi Kleen , Kuppuswamy Sathyanarayanan , linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-usb@vger.kernel.org, virtualization@lists.linux-foundation.org Subject: [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest Date: Wed, 29 Sep 2021 18:05:09 -0700 Message-Id: <20210930010511.3387967-5-sathyanarayanan.kuppuswamy@linux.intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Confidential guest platforms like TDX have a requirement to allow only trusted devices. By default the confidential-guest core will arrange for all devices to default to unauthorized (via dev_default_authorization) in device_initialize(). Since virtio driver is already hardened against the attack from the un-trusted host, override the confidential computing default unauthorized state Reviewed-by: Dan Williams Signed-off-by: Kuppuswamy Sathyanarayanan --- drivers/virtio/virtio.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c index 588e02fb91d3..377b0ccdc503 100644 --- a/drivers/virtio/virtio.c +++ b/drivers/virtio/virtio.c @@ -5,6 +5,8 @@ #include #include #include +#include +#include #include /* Unique numbering for virtio devices. */ 
@@ -390,6 +392,13 @@ int register_virtio_device(struct virtio_device *dev) dev->config_enabled = false; dev->config_change_pending = false; + /* + * For Confidential guest (like TDX), virtio devices are + * trusted. So set authorized status as true. + */ + if (cc_platform_has(CC_ATTR_GUEST_DEVICE_FILTER)) + dev->dev.authorized = true; + /* We always start by resetting the device, in case a previous * driver messed it up. This also tests that code path a little. */ dev->config->reset(dev); From patchwork Thu Sep 30 01:05:10 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kuppuswamy Sathyanarayanan X-Patchwork-Id: 12527069 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C201AC4332F for ; Thu, 30 Sep 2021 01:05:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A0318615E2 for ; Thu, 30 Sep 2021 01:05:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347580AbhI3BH2 (ORCPT ); Wed, 29 Sep 2021 21:07:28 -0400 Received: from mga02.intel.com ([134.134.136.20]:24480 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347570AbhI3BHR (ORCPT ); Wed, 29 Sep 2021 21:07:17 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10122"; a="212330116" X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="212330116" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:36 -0700 X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="521027381" Received: from yzhu3-mobl.amr.corp.intel.com (HELO skuppusw-desk1.amr.corp.intel.com) ([10.254.37.25]) by orsmga001-auth.jf.intel.com with 
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:34 -0700 
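Review bot: the block added to register_virtio_device() (drivers/virtio/virtio.c) sets `dev->dev.authorized = true` for every virtio device whenever `cc_platform_has(CC_ATTR_GUEST_DEVICE_FILTER)` is true, with no test of the device type. Patch 5/6 in this series describes the audited set as a short list of named virtio drivers, so a blanket override here authorises device types outside that list as well. Key the decision on the virtio device ID (or call the arch allow-list helper) instead of trusting the whole bus, and adjust the comment, which currently says all virtio devices are trusted.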
From: Kuppuswamy Sathyanarayanan
To: Greg Kroah-Hartman, Borislav Petkov
Cc: x86@kernel.org, Bjorn Helgaas, Thomas Gleixner, Ingo Molnar, Andreas Noever, "Michael S . Tsirkin", Michael Jamet, Yehezkel Bernat, "Rafael J . Wysocki", Mika Westerberg, Jonathan Corbet, Jason Wang, Dan Williams, Andi Kleen, Kuppuswamy Sathyanarayanan, linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-usb@vger.kernel.org, virtualization@lists.linux-foundation.org
Subject: [PATCH v2 5/6] x86/tdx: Add device filter support for x86 TDX guest platform
Date: Wed, 29 Sep 2021 18:05:10 -0700
Message-Id: <20210930010511.3387967-6-sathyanarayanan.kuppuswamy@linux.intel.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com>
References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-usb@vger.kernel.org

For Confidential VM guests like TDX, the host is untrusted and hence
the devices emulated by the host or any data coming from the host
cannot be trusted. So the drivers that interact with the outside world
have to be hardened and the allowed devices have to be filtered. More
details about the need for device/driver filter in confidential guest
can be found in article [1] titled "firewall for device drivers".

So use the "authorized" device attribute to allow only the trusted
list of the devices. Add support for cc_guest_dev_authorized() which
can be used by BUS drivers to consult the arch specific device allow
list and initialize the "authorized" attribute.

In order to deny probing for all but the allowed list of devices
@dev_default_authorization is set to false.

The default audited list of drivers that a protected guest may trust are:  * virtio-blk  * virtio-console  * virtio-net * virtio-pci * virtio_rproc_serial Add a new flag CC_ATTR_GUEST_DEVICE_FILTER to conditionally enable device filter related code in generic drivers (using cc_platform_has() API). [1] - https://lwn.net/Articles/865918/ Reviewed-by: Andi Kleen Reviewed-by: Dan Williams Signed-off-by: Kuppuswamy Sathyanarayanan --- arch/x86/include/asm/tdx.h | 9 ++++++ arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/cc_platform.c | 20 ++++++++++++ arch/x86/kernel/cpu/intel.c | 1 + arch/x86/kernel/tdx-filter.c | 56 +++++++++++++++++++++++++++++++++ arch/x86/kernel/tdx.c | 2 ++ include/linux/cc_platform.h | 10 ++++++ include/linux/device.h | 11 +++++++ include/uapi/linux/virtio_ids.h | 8 +++++ 9 files changed, 118 insertions(+), 1 deletion(-) create mode 100644 arch/x86/kernel/tdx-filter.c diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h index 78d146e8a163..c18920703503 100644 --- a/arch/x86/include/asm/tdx.h +++ b/arch/x86/include/asm/tdx.h @@ -5,6 +5,7 @@ #include #include +#include #include #include @@ -69,6 +70,7 @@ enum tdx_map_type { void __init tdx_early_init(void); bool cpuid_has_tdx_guest(void); +void __init tdx_filter_init(void); /* Helper function used to communicate with the TDX module */ u64 __tdx_module_call(u64 fn, u64 rcx, u64 rdx, u64 r8, u64 r9, @@ -96,6 +98,8 @@ int tdx_hcall_get_quote(u64 data); extern void (*tdx_event_notify_handler)(void); +bool tdx_guest_dev_authorized(struct device *dev); + /* * To support I/O port access in decompressor or early kernel init * code, since #VE exception handler cannot be used, use paravirt @@ -169,6 +173,11 @@ static inline int tdx_hcall_gpa_intent(phys_addr_t gpa, int numpages, return -ENODEV; } +static inline bool tdx_guest_dev_authorized(struct device *dev) +{ + return dev->authorized; +} + #endif /* CONFIG_INTEL_TDX_GUEST */ #if defined(CONFIG_KVM_GUEST) && defined(CONFIG_INTEL_TDX_GUEST) 
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index 3d8876f60d5b..2b6f7b0065f5 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -128,7 +128,7 @@ obj-$(CONFIG_PARAVIRT_CLOCK) += pvclock.o obj-$(CONFIG_X86_PMEM_LEGACY_DEVICE) += pmem.o obj-$(CONFIG_JAILHOUSE_GUEST) += jailhouse.o -obj-$(CONFIG_INTEL_TDX_GUEST) += tdcall.o tdx.o +obj-$(CONFIG_INTEL_TDX_GUEST) += tdcall.o tdx.o tdx-filter.o obj-$(CONFIG_EISA) += eisa.o obj-$(CONFIG_PCSPKR_PLATFORM) += pcspeaker.o diff --git a/arch/x86/kernel/cc_platform.c b/arch/x86/kernel/cc_platform.c index 3fd2c628e028..3544ed78dd16 100644 --- a/arch/x86/kernel/cc_platform.c +++ b/arch/x86/kernel/cc_platform.c @@ -11,6 +11,9 @@ #include #include #include +#include + +#include #include @@ -24,3 +27,20 @@ bool cc_platform_has(enum cc_attr attr) return false; } EXPORT_SYMBOL_GPL(cc_platform_has); + +/* + * cc_guest_dev_authorized() - Used to get ARCH specific authorized status + * of the given device. + * @dev - device structure + * + * Return True to allow the device or False to deny it. + * + */ +bool cc_guest_dev_authorized(struct device *dev) +{ + if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST)) + return tdx_guest_dev_authorized(dev); + + return dev->authorized; +} +EXPORT_SYMBOL_GPL(cc_guest_dev_authorized); diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c index 7fbb7f6eb523..1d405750bc16 100644 --- a/arch/x86/kernel/cpu/intel.c +++ b/arch/x86/kernel/cpu/intel.c @@ -84,6 +84,7 @@ bool intel_cc_platform_has(enum cc_attr attr) case CC_ATTR_GUEST_MEM_ENCRYPT: case CC_ATTR_GUEST_SHARED_MAPPING_INIT: case CC_ATTR_MEM_ENCRYPT: + case CC_ATTR_GUEST_DEVICE_FILTER: return cpu_feature_enabled(X86_FEATURE_TDX_GUEST); default: return false; diff --git a/arch/x86/kernel/tdx-filter.c b/arch/x86/kernel/tdx-filter.c new file mode 100644 index 000000000000..534cc2cf5851 --- /dev/null +++ b/arch/x86/kernel/tdx-filter.c 
@@ -0,0 +1,56 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (c) 2020 Intel Corporation + */ +#define pr_fmt(fmt) "TDX: " fmt + +#include +#include +#include +#include +#include +#include + +#include +#include + +/* + * Allow list for PCI bus + * + * NOTE: Device ID is duplicated here. But for small list + * of devices, it is easier to maintain the duplicated list + * here verses exporting the device ID table from the driver + * and use it. + */ +struct pci_device_id pci_allow_ids[] = { + { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO_TRANS_ID_NET) }, + { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO_TRANS_ID_BLOCK) }, + { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO_TRANS_ID_CONSOLE) }, + { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO_TRANS_ID_9P) }, + { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_NET) }, + { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_BLOCK) }, + { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_CONSOLE) }, + { PCI_DEVICE(PCI_VENDOR_ID_REDHAT_QUMRANET, VIRTIO1_ID_9P) }, + { 0, }, +}; + +bool tdx_guest_dev_authorized(struct device *dev) +{ + if (!dev_is_pci(dev)) + return dev->authorized; + + if (pci_match_id(pci_allow_ids, to_pci_dev(dev))) + return true; + + return dev_default_authorization; +} + +void __init tdx_filter_init(void) +{ + if (!cc_platform_has(CC_ATTR_GUEST_DEVICE_FILTER)) + return; + + dev_default_authorization = false; + + pr_info("Enabled TDX guest device filter\n"); +} diff --git a/arch/x86/kernel/tdx.c b/arch/x86/kernel/tdx.c index aeeab647e62d..b1d660bd98c6 100644 --- a/arch/x86/kernel/tdx.c +++ b/arch/x86/kernel/tdx.c @@ -797,6 +797,8 @@ void __init tdx_early_init(void) tdx_get_info(); + tdx_filter_init(); + pv_ops.irq.safe_halt = tdx_safe_halt; pv_ops.irq.halt = tdx_halt; diff --git a/include/linux/cc_platform.h b/include/linux/cc_platform.h index d39370cfbda1..a0b608bba1ee 100644 --- a/include/linux/cc_platform.h +++ b/include/linux/cc_platform.h 
@@ -94,6 +94,16 @@ enum cc_attr { */ CC_ATTR_GUEST_SHARED_MAPPING_INIT, + /** + * @CC_ATTR_GUEST_DEVICE_FILTER: Filter device enumeration as per + * platform specific allow list. + * + * The platform/OS is running as a guest/virtual machine and allows or + * dis-allows device enumeration as per platform specific allow list. + * + * Examples include TDX guest. + */ + CC_ATTR_GUEST_DEVICE_FILTER, }; #ifdef CONFIG_ARCH_HAS_CC_PLATFORM diff --git a/include/linux/device.h b/include/linux/device.h index c97b1e59d23a..125590e80c35 100644 --- a/include/linux/device.h +++ b/include/linux/device.h @@ -990,4 +990,15 @@ extern long sysfs_deprecated; #define sysfs_deprecated 0 #endif +#ifndef __ASSEMBLY__ +#ifdef CONFIG_ARCH_HAS_CC_PLATFORM +bool cc_guest_dev_authorized(struct device *dev); +#else +static inline bool cc_guest_dev_authorized(struct device *dev) +{ + return dev->authorized; +} +#endif /* CONFIG_ARCH_HAS_CC_PLATFORM */ +#endif /* __ASSEMBLY__ */ + #endif /* _DEVICE_H_ */ diff --git a/include/uapi/linux/virtio_ids.h b/include/uapi/linux/virtio_ids.h index 80d76b75bccd..68c68d449ea5 100644 --- a/include/uapi/linux/virtio_ids.h +++ b/include/uapi/linux/virtio_ids.h 
@@ -81,4 +81,12 @@ #define VIRTIO_TRANS_ID_RNG 1005 /* transitional virtio rng */ #define VIRTIO_TRANS_ID_9P 1009 /* transitional virtio 9p console */ +/* + * Virtio IDS (for PCI rev ID > 1) + */ +#define VIRTIO1_ID_NET 1041 /* transitional virtio net */ +#define VIRTIO1_ID_BLOCK 1042 /* transitional virtio block */ +#define VIRTIO1_ID_CONSOLE 1043 /* transitional virtio console */ +#define VIRTIO1_ID_9P 1049 /* transitional virtio 9p console */ + #endif /* _LINUX_VIRTIO_IDS_H */ From patchwork Thu Sep 30 01:05:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kuppuswamy Sathyanarayanan X-Patchwork-Id: 12527063 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E3FA5C433FE for ; Thu, 30 Sep 2021 01:05:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CA606615A4 for ; Thu, 30 Sep 2021 01:05:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347633AbhI3BHV (ORCPT ); Wed, 29 Sep 2021 21:07:21 -0400 Received: from mga02.intel.com ([134.134.136.20]:24480 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347601AbhI3BHT (ORCPT ); Wed, 29 Sep 2021 21:07:19 -0400 X-IronPort-AV: E=McAfee;i="6200,9189,10122"; a="212330117" X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="212330117" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:37 -0700 X-IronPort-AV: E=Sophos;i="5.85,334,1624345200"; d="scan'208";a="521027386" Received: from yzhu3-mobl.amr.corp.intel.com (HELO skuppusw-desk1.amr.corp.intel.com) ([10.254.37.25]) by orsmga001-auth.jf.intel.com with 
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2021 18:05:36 -0700 From: Kuppuswamy Sathyanarayanan To: Greg Kroah-Hartman , Borislav Petkov Cc: x86@kernel.org, Bjorn Helgaas , Thomas Gleixner , Ingo Molnar , Andreas Noever , "Michael S . Tsirkin" , Michael Jamet , Yehezkel Bernat , "Rafael J . Wysocki" , Mika Westerberg , Jonathan Corbet , Jason Wang , Dan Williams , Andi Kleen , Kuppuswamy Sathyanarayanan , linux-kernel@vger.kernel.org, linux-pci@vger.kernel.org, linux-usb@vger.kernel.org, virtualization@lists.linux-foundation.org Subject: [PATCH v2 6/6] PCI: Initialize authorized attribute for confidential guest Date: Wed, 29 Sep 2021 18:05:11 -0700 Message-Id: <20210930010511.3387967-7-sathyanarayanan.kuppuswamy@linux.intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> References: <20210930010511.3387967-1-sathyanarayanan.kuppuswamy@linux.intel.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Confidential guest platforms like TDX have a requirement to allow only trusted devices. So initialize the "authorized" attribute using cc_guest_dev_authorized(). By default the confidential-guest core arranges for all devices to default to unauthorized (via dev_default_authorization) in device_initialize(). So, consult a core list of allowed devices to override that default. ARCH code will use its device allow list in cc_guest_dev_authorized() to determine the status of the authorized attribute. Reviewed-by: Dan Williams Signed-off-by: Kuppuswamy Sathyanarayanan --- drivers/pci/probe.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index d9fc02a71baa..aab9d1917d52 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -20,6 +20,8 @@ #include #include #include +#include +#include #include "pci.h" #define CARDBUS_LATENCY_TIMER 176 /* secondary latency timer */ 
@@ -2491,6 +2493,8 @@ void pci_device_add(struct pci_dev *dev, struct pci_bus *bus) pci_configure_device(dev); device_initialize(&dev->dev); + if (cc_platform_has(CC_ATTR_GUEST_DEVICE_FILTER)) + dev->dev.authorized = cc_guest_dev_authorized(&dev->dev); dev->dev.release = pci_release_dev; set_dev_node(&dev->dev, pcibus_to_node(bus));
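Review bot: in the register_virtio_device() hunk (patch 4/6), "dev->dev.authorized = true" is applied to every virtio device whenever CC_ATTR_GUEST_DEVICE_FILTER is set, with no check of the virtio device id. The 5/6 commit message says host-emulated devices cannot be trusted and names only a short audited driver list, and tdx_guest_dev_authorized() in 5/6 filters PCI devices only, passing dev->authorized through for everything else. In the visible hunks nothing filters at the virtio bus level, so any virtio device type reachable through an allowed transport is authorized. Consider calling cc_guest_dev_authorized() here with a virtio device-id allow list behind it, or reword the comment to state that filtering is expected to happen at the transport and why that is sufficient.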
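Review bot: pci_allow_ids[] in the new arch/x86/kernel/tdx-filter.c (patch 5/6) carries VIRTIO_TRANS_ID_9P and VIRTIO1_ID_9P entries, but the audited driver list in the commit message (virtio-blk, virtio-console, virtio-net, virtio-pci, virtio_rproc_serial) does not mention 9p. Either drop the two entries or add 9p to the documented list so the allow list and its stated rationale agree. The table should also be "static const struct pci_device_id", since the visible hunks reference it only from this file and pci_match_id() takes a const table. tdx_guest_dev_authorized() falls back to dev_default_authorization for a non-matching PCI device but to dev->authorized for a non-PCI device; a comment explaining that asymmetry would help. "verses" in the comment should read "versus".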
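Review bot: the new VIRTIO1_ID_* defines in include/uapi/linux/virtio_ids.h (patch 5/6) are written as decimal literals (1041, 1042, 1043, 1049), following the existing VIRTIO_TRANS_ID_* context lines. These values are now passed to PCI_DEVICE() in tdx-filter.c, and virtio PCI device ids are hexadecimal (0x1000 to 0x107f, the non-transitional id being 0x1040 plus the virtio device id), so as written the allow-list entries would not match the devices they are meant to describe. Use 0x-prefixed values for the ids the filter consumes. The trailing comments also say "transitional" on every VIRTIO1_ID_* line, and "9p console" on the 9P line, which looks copied from the block above and contradicts the "PCI rev ID > 1" header comment.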
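Review bot: the comment above cc_guest_dev_authorized() in arch/x86/kernel/cc_platform.c (patch 5/6) is laid out like kernel-doc but opens with "/*" and uses "@dev - device structure" and "Return True ...". If kernel-doc is intended, open it with "/**", write "@dev: ..." and use a "Return:" section. It should also state that on a non-TDX platform the function returns dev->authorized unchanged, which is the same behaviour as the static inline stub added to include/linux/device.h for !CONFIG_ARCH_HAS_CC_PLATFORM.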
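Review bot: in the pci_device_add() hunk (patch 6/6) the new assignment is guarded by cc_platform_has(CC_ATTR_GUEST_DEVICE_FILTER), but cc_guest_dev_authorized() already returns dev->authorized unchanged when the platform is not a TDX guest, and the !CONFIG_ARCH_HAS_CC_PLATFORM stub does the same. The guard therefore repeats a decision the helper makes itself, and every bus that adopts the helper would have to repeat it too; keep the check in one place. A device that is denied here produces no log line in the visible hunks, so a pci_info() on denial would help when diagnosing why a driver never probes in a confidential guest.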