From: Dan Williams <dan.j.williams@intel.com>
To: Lukas Wunner <lukas@wunner.de>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Bjorn Helgaas <helgaas@kernel.org>,
"David Howells" <dhowells@redhat.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
David Woodhouse <dwmw2@infradead.org>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
<linux-pci@vger.kernel.org>, <linux-cxl@vger.kernel.org>,
<linux-coco@lists.linux.dev>, <keyrings@vger.kernel.org>,
<linux-crypto@vger.kernel.org>
Cc: <linuxarm@huawei.com>, David Box <david.e.box@intel.com>,
Dan Williams <dan.j.williams@intel.com>,
"Li, Ming" <ming4.li@intel.com>,
Ilpo Jarvinen <ilpo.jarvinen@linux.intel.com>,
Alistair Francis <alistair.francis@wdc.com>,
Wilfred Mallawa <wilfred.mallawa@wdc.com>,
Damien Le Moal <dlemoal@kernel.org>,
Alexey Kardashevskiy <aik@amd.com>,
Dhaval Giani <dhaval.giani@amd.com>,
Gobikrishna Dhanuskodi <gdhanuskodi@nvidia.com>,
Jason Gunthorpe <jgg@nvidia.com>, Peter Gonda <pgonda@google.com>,
"Jerome Glisse" <jglisse@google.com>,
Sean Christopherson <seanjc@google.com>,
Alexander Graf <graf@amazon.com>,
Samuel Ortiz <sameo@rivosinc.com>,
"Jonathan Corbet" <corbet@lwn.net>
Subject: Re: [PATCH v2 12/18] PCI/CMA: Expose certificates in sysfs
Date: Wed, 17 Jul 2024 19:43:39 -0700 [thread overview]
Message-ID: <6698815b1331a_1f03d294d6@dwillia2-mobl3.amr.corp.intel.com.notmuch> (raw)
In-Reply-To: <e42905e3e5f1d5be39355e833fefc349acb0b03c.1719771133.git.lukas@wunner.de>
Lukas Wunner wrote:
> The kernel already caches certificate chains retrieved from a device
> upon authentication. Expose them in "slot[0-7]" files in sysfs for
> examination by user space.
>
> As noted in the ABI documentation, the "slot[0-7]" files always have a
> file size of 65535 bytes (the maximum size of a certificate chain per
> SPDM 1.0.0 table 18), even if the certificate chain in the slot is
> actually smaller. Although it would be possible to use the certifiate
> chain's actual size as the file size, doing so would require a separate
> struct attribute_group for each device, which would occupy additional
> memory.
>
> Slots are visible in sysfs even if they're currently unprovisioned
> because a future commit will add support for certificate provisioning
> by writing to the "slot[0-7]" files.
>
> Signed-off-by: Lukas Wunner <lukas@wunner.de>
> ---
> Documentation/ABI/testing/sysfs-devices-spdm | 49 ++++++++++++
> drivers/pci/pci-sysfs.c | 1 +
> include/linux/spdm.h | 1 +
> lib/spdm/req-authenticate.c | 30 +++++++-
> lib/spdm/req-sysfs.c | 80 ++++++++++++++++++++
> lib/spdm/spdm.h | 3 +
> 6 files changed, 163 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/ABI/testing/sysfs-devices-spdm b/Documentation/ABI/testing/sysfs-devices-spdm
> index 2d6e5d513231..ed61405770d6 100644
> --- a/Documentation/ABI/testing/sysfs-devices-spdm
> +++ b/Documentation/ABI/testing/sysfs-devices-spdm
> @@ -29,3 +29,52 @@ Description:
> The reason why authentication support could not be determined
> is apparent from "dmesg". To re-probe authentication support
> of PCI devices, exercise the "remove" and "rescan" attributes.
> +
> +
> +What: /sys/devices/.../certificates/
> +What: /sys/devices/.../certificates/slot[0-7]
> +Date: June 2024
> +Contact: Lukas Wunner <lukas@wunner.de>
> +Description:
> + The "certificates" directory provides access to the certificate
> + chains contained in the up to 8 slots of a device.
> +
> + A certificate chain is the concatenation of one or more ASN.1
> + DER-encoded X.509 v3 certificates (SPDM 1.0.0 sec 4.9.2.1).
> + It can be examined as follows::
> +
> + # openssl storeutl -text certificates/slot0
> +
> + A common use case is to add the first certificate in a chain
> + to the keyring of trusted root certificates (".cma" in this
> + example) after comparing its fingerprint to the one provided
> + by the device manufacturer::
> +
> + # openssl x509 -in certificates/slot0 -fingerprint -nocert
> + # openssl x509 -in certificates/slot0 -outform DER | \
> + keyctl padd asymmetric "" %:.cma
> + # echo re > authenticated
> +
> + The file size of each slot is always 65535 bytes (the maximum
> + size of a certificate chain per SPDM 1.0.0 table 18), even if
> + the certificate chain in the slot is actually smaller.
> +
> + Unprovisioned slots are represented as empty files.
> +
> + Unsupported slots (introduced by SPDM 1.3 margin no 366) are
> + not visible. If the device only supports SPDM version 1.2 or
> + earlier, all 8 slots are assumed to be supported and therefore
> + visible.
> +
> + The kernel learns which slots are supported when authenticating
> + the device for the first time. Hence, no slots are visible
> + until at least one authentication attempt has been performed.
> +
> + SPDM doesn't support on-demand retrieval of certificate chains,
> + so the kernel caches them when (re-)authenticating the device.
> + SPDM allows provisioning slots behind the kernel's back by
> + sending a SET_CERTIFICATE request through a different transport
> + (e.g. via MCTP from a Baseboard Management Controller).
> + SPDM does not specify how to notify the kernel of such events,
> + so unless reauthentication is manually initiated to update the
> + kernel's cache, the "slot[0-7]" files may contain stale data.
> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
> index d9e467cbec6e..a85388211104 100644
> --- a/drivers/pci/pci-sysfs.c
> +++ b/drivers/pci/pci-sysfs.c
> @@ -1664,6 +1664,7 @@ const struct attribute_group *pci_dev_attr_groups[] = {
> #endif
> #ifdef CONFIG_PCI_CMA
> &spdm_attr_group,
> + &spdm_certificates_group,
> #endif
> NULL,
> };
> diff --git a/include/linux/spdm.h b/include/linux/spdm.h
> index 9835a3202a0e..97c7d4feab76 100644
> --- a/include/linux/spdm.h
> +++ b/include/linux/spdm.h
> @@ -35,5 +35,6 @@ int spdm_authenticate(struct spdm_state *spdm_state);
> void spdm_destroy(struct spdm_state *spdm_state);
>
> extern const struct attribute_group spdm_attr_group;
> +extern const struct attribute_group spdm_certificates_group;
>
> #endif
> diff --git a/lib/spdm/req-authenticate.c b/lib/spdm/req-authenticate.c
> index 90f7a7f2629c..1f701d07ad46 100644
> --- a/lib/spdm/req-authenticate.c
> +++ b/lib/spdm/req-authenticate.c
> @@ -14,6 +14,7 @@
> #include "spdm.h"
>
> #include <linux/dev_printk.h>
> +#include <linux/device.h>
> #include <linux/key.h>
> #include <linux/random.h>
>
> @@ -288,9 +289,9 @@ static int spdm_get_digests(struct spdm_state *spdm_state)
> struct spdm_get_digests_req *req = spdm_state->transcript_end;
> struct spdm_get_digests_rsp *rsp;
> unsigned long deprovisioned_slots;
> + u8 slot, supported_slots;
> int rc, length;
> size_t rsp_sz;
> - u8 slot;
>
> *req = (struct spdm_get_digests_req) {
> .code = SPDM_GET_DIGESTS,
> @@ -338,6 +339,33 @@ static int spdm_get_digests(struct spdm_state *spdm_state)
> return -EPROTO;
> }
>
> + /*
> + * If a bit is set in ProvisionedSlotMask, the corresponding bit in
> + * SupportedSlotMask shall also be set (SPDM 1.3.0 table 35).
> + */
> + if (spdm_state->version >= 0x13 && rsp->param2 & ~rsp->param1) {
> + dev_err(spdm_state->dev, "Malformed digests response\n");
> + return -EPROTO;
> + }
> +
> + if (spdm_state->version >= 0x13)
> + supported_slots = rsp->param1;
> + else
> + supported_slots = GENMASK(7, 0);
> +
> + if (spdm_state->supported_slots != supported_slots) {
> + spdm_state->supported_slots = supported_slots;
> +
> + if (device_is_registered(spdm_state->dev)) {
> + rc = sysfs_update_group(&spdm_state->dev->kobj,
> + &spdm_certificates_group);
> + if (rc)
> + dev_err(spdm_state->dev,
> + "Cannot update certificates in sysfs: "
> + "%d\n", rc);
> + }
> + }
> +
> return 0;
> }
>
> diff --git a/lib/spdm/req-sysfs.c b/lib/spdm/req-sysfs.c
> index 9bbed7abc153..afba3c5a2e8f 100644
> --- a/lib/spdm/req-sysfs.c
> +++ b/lib/spdm/req-sysfs.c
> @@ -93,3 +93,83 @@ const struct attribute_group spdm_attr_group = {
> .attrs = spdm_attrs,
> .is_visible = spdm_attrs_are_visible,
> };
> +
> +/* certificates attributes */
> +
> +static umode_t spdm_certificates_are_visible(struct kobject *kobj,
> + struct bin_attribute *a, int n)
> +{
> + struct device *dev = kobj_to_dev(kobj);
> + struct spdm_state *spdm_state = dev_to_spdm_state(dev);
> + u8 slot = a->attr.name[4] - '0';
This is clever, but the @n parameter already conveys the index.
> +
> + if (IS_ERR_OR_NULL(spdm_state))
> + return SYSFS_GROUP_INVISIBLE;
> +
> + if (!(spdm_state->supported_slots & BIT(slot)))
> + return 0;
> +
> + return a->attr.mode;
> +}
> +
> +static ssize_t spdm_cert_read(struct file *file, struct kobject *kobj,
> + struct bin_attribute *a, char *buf, loff_t off,
> + size_t count)
> +{
> + struct device *dev = kobj_to_dev(kobj);
> + struct spdm_state *spdm_state = dev_to_spdm_state(dev);
> + u8 slot = a->attr.name[4] - '0';
Similar comment on cleverness, I will note that the way this is
typically handled is something like this which is just slightly less
error prone if someone in the future changes the naming scheme.
#define CERT_ATTR(n) \
static ssize_t slot##n##_show(struct file *file, struct kobject *kobj, \
struct bin_attribute *a, char *buf, loff_t off, \
size_t count) \
{ \
return spdm_cert_read(kobj_to_dev(kobj), buf, off, count, (n)); \
} \
static BIN_ATTR_RO(slot##n);
next prev parent reply other threads:[~2024-07-18 2:43 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-30 19:35 [PATCH v2 00/18] PCI device authentication Lukas Wunner
2024-06-30 19:36 ` [PATCH v2 01/18] X.509: Make certificate parser public Lukas Wunner
2024-07-10 2:46 ` Alistair Francis
2024-06-30 19:37 ` [PATCH v2 02/18] X.509: Parse Subject Alternative Name in certificates Lukas Wunner
2024-07-10 2:48 ` Alistair Francis
2024-06-30 19:38 ` [PATCH v2 03/18] X.509: Move certificate length retrieval into new helper Lukas Wunner
2024-07-10 2:49 ` Alistair Francis
2024-07-18 11:04 ` Jonathan Cameron
2024-06-30 19:39 ` [PATCH v2 04/18] certs: Create blacklist keyring earlier Lukas Wunner
2024-07-10 2:52 ` Alistair Francis
2024-06-30 19:40 ` [PATCH v2 05/18] crypto: akcipher - Support more than one signature encoding Lukas Wunner
2024-06-30 19:41 ` [PATCH v2 06/18] crypto: ecdsa - Support P1363 " Lukas Wunner
2024-06-30 22:10 ` Herbert Xu
2024-07-29 14:27 ` Lukas Wunner
2024-06-30 19:42 ` [PATCH v2 07/18] spdm: Introduce library to authenticate devices Lukas Wunner
2024-06-30 21:29 ` Jeff Johnson
2024-07-08 9:57 ` Alexey Kardashevskiy
2024-07-08 12:54 ` Lukas Wunner
2024-07-09 0:45 ` Alexey Kardashevskiy
2024-07-09 8:49 ` Lukas Wunner
2024-07-09 5:09 ` Dan Williams
2024-07-18 11:42 ` Jonathan Cameron
2024-07-09 15:00 ` Jeff Johnson
2024-07-18 14:24 ` Jonathan Cameron
2024-06-30 19:43 ` [PATCH v2 08/18] PCI/CMA: Authenticate devices on enumeration Lukas Wunner
2024-07-09 18:10 ` Dan Williams
2024-07-09 19:32 ` Lukas Wunner
2024-07-09 23:31 ` Dan Williams
2024-07-11 15:00 ` Lukas Wunner
2024-07-11 17:50 ` Dan Williams
2024-07-12 0:50 ` Damien Le Moal
2024-07-14 8:42 ` Lukas Wunner
2024-07-15 17:21 ` Kees Cook
2024-07-15 18:12 ` Jason Gunthorpe
2024-07-15 20:36 ` Dan Williams
2024-07-15 22:02 ` Jason Gunthorpe
2024-07-15 22:17 ` Damien Le Moal
2024-07-15 23:03 ` Jason Gunthorpe
2024-07-15 23:26 ` Damien Le Moal
2024-07-15 23:42 ` Jason Gunthorpe
2024-07-15 23:57 ` Damien Le Moal
2024-07-16 0:11 ` Jason Gunthorpe
2024-07-16 1:23 ` Dan Williams
2024-07-15 22:50 ` Dan Williams
2024-07-15 23:21 ` Jason Gunthorpe
2024-07-15 23:37 ` Dan Williams
2024-07-15 23:55 ` Jason Gunthorpe
2024-07-16 1:35 ` Dan Williams
2024-07-22 10:19 ` Alexey Kardashevskiy
2024-07-22 12:06 ` Jason Gunthorpe
2024-07-23 4:26 ` Alexey Kardashevskiy
2024-07-23 12:58 ` Jason Gunthorpe
2024-07-15 20:19 ` Dan Williams
2024-07-15 20:08 ` Dan Williams
2024-06-30 19:44 ` [PATCH v2 09/18] PCI/CMA: Validate Subject Alternative Name in certificates Lukas Wunner
2024-07-10 20:35 ` Dan Williams
2024-06-30 19:45 ` [PATCH v2 10/18] PCI/CMA: Reauthenticate devices on reset and resume Lukas Wunner
2024-07-10 3:40 ` Alistair Francis
2024-07-10 23:23 ` Dan Williams
2024-07-18 15:01 ` Jonathan Cameron
2024-06-30 19:46 ` [PATCH v2 11/18] PCI/CMA: Expose in sysfs whether devices are authenticated Lukas Wunner
2024-07-17 23:17 ` Dan Williams
2024-07-18 15:11 ` Jonathan Cameron
2024-06-30 19:47 ` [PATCH v2 12/18] PCI/CMA: Expose certificates in sysfs Lukas Wunner
2024-07-18 2:43 ` Dan Williams [this message]
2024-07-18 15:16 ` Jonathan Cameron
2024-07-18 15:19 ` Jonathan Cameron
2024-06-30 19:48 ` [PATCH v2 13/18] sysfs: Allow bin_attributes to be added to groups Lukas Wunner
2024-07-04 10:13 ` Greg Kroah-Hartman
2024-07-12 3:49 ` Alistair Francis
2024-07-18 15:22 ` Jonathan Cameron
2024-06-30 19:49 ` [PATCH v2 14/18] sysfs: Allow symlinks to be added between sibling groups Lukas Wunner
2024-07-04 10:14 ` Greg Kroah-Hartman
2024-07-18 15:36 ` Jonathan Cameron
2024-06-30 19:50 ` [PATCH v2 15/18] PCI/CMA: Expose a log of received signatures in sysfs Lukas Wunner
2024-07-18 15:56 ` Jonathan Cameron
2024-06-30 19:51 ` [PATCH v2 16/18] spdm: Limit memory consumed by log of received signatures Lukas Wunner
2024-07-18 16:03 ` Jonathan Cameron
2024-06-30 19:52 ` [PATCH v2 17/18] spdm: Authenticate devices despite invalid certificate chain Lukas Wunner
2024-07-18 16:08 ` Jonathan Cameron
2024-06-30 19:53 ` [PATCH v2 18/18] spdm: Allow control of next requester nonce through sysfs Lukas Wunner
2024-07-18 16:11 ` Jonathan Cameron
2024-07-08 9:47 ` [PATCH v2 00/18] PCI device authentication Alexey Kardashevskiy
2024-07-08 13:35 ` Lukas Wunner
2025-02-11 1:30 ` Alexey Kardashevskiy
2025-02-12 16:36 ` Lukas Wunner
2025-05-20 8:35 ` Alexey Kardashevskiy
2025-05-29 5:29 ` Alexey Kardashevskiy
2025-05-29 9:40 ` Lukas Wunner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6698815b1331a_1f03d294d6@dwillia2-mobl3.amr.corp.intel.com.notmuch \
--to=dan.j.williams@intel.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=Jonathan.Cameron@huawei.com \
--cc=aik@amd.com \
--cc=alistair.francis@wdc.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=david.e.box@intel.com \
--cc=dhaval.giani@amd.com \
--cc=dhowells@redhat.com \
--cc=dlemoal@kernel.org \
--cc=dwmw2@infradead.org \
--cc=gdhanuskodi@nvidia.com \
--cc=graf@amazon.com \
--cc=helgaas@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=ilpo.jarvinen@linux.intel.com \
--cc=jgg@nvidia.com \
--cc=jglisse@google.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linuxarm@huawei.com \
--cc=lukas@wunner.de \
--cc=ming4.li@intel.com \
--cc=pgonda@google.com \
--cc=sameo@rivosinc.com \
--cc=seanjc@google.com \
--cc=wilfred.mallawa@wdc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).