* [PATCH V8 1/2] tools arch x86: Add Intel SDSi provisiong tool
@ 2022-02-17 23:09 David E. Box
2022-02-17 23:09 ` [PATCH V8 2/2] selftests: sdsi: test sysfs setup David E. Box
2022-02-22 14:55 ` [PATCH V8 1/2] tools arch x86: Add Intel SDSi provisiong tool Hans de Goede
0 siblings, 2 replies; 4+ messages in thread
From: David E. Box @ 2022-02-17 23:09 UTC (permalink / raw)
To: hdegoede, david.e.box, gregkh, andriy.shevchenko,
srinivas.pandruvada, mgross
Cc: linux-kernel, platform-driver-x86
Add tool for key certificate and activation payload provisioning on
Intel CPUs supporting Software Defined Silicon (SDSi).
Signed-off-by: David E. Box <david.e.box@linux.intel.com>
---
Applied on review-hans branch.
V8
- Rename sdsi to intel_sdsi and add install target
- Fix compiler warning for signedness mismatch
- Add missing break in CMD_NONE case to avoid fall through
V7
- No changes.
V6
- No changes.
V5
- Update copyright to 2022
V4
- No changes.
V3
- Move from samples to tools.
- Fix bit fields in availability structure.
- Check provisioning availability before issuing command.
V2
- New patch.
MAINTAINERS | 1 +
tools/arch/x86/intel_sdsi/Makefile | 21 +
tools/arch/x86/intel_sdsi/intel_sdsi.c | 541 +++++++++++++++++++++++++
3 files changed, 563 insertions(+)
create mode 100644 tools/arch/x86/intel_sdsi/Makefile
create mode 100644 tools/arch/x86/intel_sdsi/intel_sdsi.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 136f817428cf..dc3c9f271463 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -9871,6 +9871,7 @@ INTEL SDSI DRIVER
M: David E. Box <david.e.box@linux.intel.com>
S: Supported
F: drivers/platform/x86/intel/sdsi.c
+F: tools/arch/x86/intel_sdsi/
INTEL SKYLAKE INT3472 ACPI DEVICE DRIVER
M: Daniel Scally <djrscally@gmail.com>
diff --git a/tools/arch/x86/intel_sdsi/Makefile b/tools/arch/x86/intel_sdsi/Makefile
new file mode 100644
index 000000000000..5de2288cda79
--- /dev/null
+++ b/tools/arch/x86/intel_sdsi/Makefile
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: GPL-2.0
+# Makefile for Intel Software Defined Silicon provisioning tool
+
+intel_sdsi: intel_sdsi.c
+
+CFLAGS = -Wextra
+
+BINDIR ?= /usr/sbin
+
+override CFLAGS += -O2 -Wall
+
+%: %.c
+ $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS)
+
+.PHONY : clean
+clean :
+ @rm -f intel_sdsi
+
+install : intel_sdsi
+ install -d $(DESTDIR)$(BINDIR)
+ install -m 755 -p intel_sdsi $(DESTDIR)$(BINDIR)/intel_sdsi
diff --git a/tools/arch/x86/intel_sdsi/intel_sdsi.c b/tools/arch/x86/intel_sdsi/intel_sdsi.c
new file mode 100644
index 000000000000..52acb518e845
--- /dev/null
+++ b/tools/arch/x86/intel_sdsi/intel_sdsi.c
@@ -0,0 +1,541 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * sdsi: Intel Software Defined Silicon tool for provisioning certificates
+ * and activation payloads on supported cpus.
+ *
+ * See https://github.com/intel/intel-sdsi/blob/master/os-interface.rst
+ * for register descriptions.
+ *
+ * Copyright (C) 2022 Intel Corporation. All rights reserved.
+ */
+
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/types.h>
+
+#define SDSI_DEV "intel_vsec.sdsi"
+#define AUX_DEV_PATH "/sys/bus/auxiliary/devices/"
+#define SDSI_PATH (AUX_DEV_DIR SDSI_DEV)
+#define GUID 0x6dd191
+#define REGISTERS_MIN_SIZE 72
+
+#define __round_mask(x, y) ((__typeof__(x))((y) - 1))
+#define round_up(x, y) ((((x) - 1) | __round_mask(x, y)) + 1)
+
+struct enabled_features {
+ uint64_t reserved:3;
+ uint64_t sdsi:1;
+ uint64_t reserved1:60;
+};
+
+struct auth_fail_count {
+ uint64_t key_failure_count:3;
+ uint64_t key_failure_threshold:3;
+ uint64_t auth_failure_count:3;
+ uint64_t auth_failure_threshold:3;
+ uint64_t reserved:52;
+};
+
+struct availability {
+ uint64_t reserved:48;
+ uint64_t available:3;
+ uint64_t threshold:3;
+};
+
+struct sdsi_regs {
+ uint64_t ppin;
+ uint64_t reserved;
+ struct enabled_features en_features;
+ uint64_t reserved1;
+ struct auth_fail_count auth_fail_count;
+ struct availability prov_avail;
+ uint64_t reserved2;
+ uint64_t reserved3;
+ uint64_t socket_id;
+};
+
+struct sdsi_dev {
+ struct sdsi_regs regs;
+ char *dev_name;
+ char *dev_path;
+ int guid;
+};
+
+enum command {
+ CMD_NONE,
+ CMD_LIST_DEVICES,
+ CMD_SOCKET_INFO,
+ CMD_DUMP_CERT,
+ CMD_PROV_AKC,
+ CMD_PROV_CAP,
+};
+
+static void sdsi_list_devices(void)
+{
+ struct dirent *entry;
+ DIR *aux_dir;
+ bool found = false;
+
+ aux_dir = opendir(AUX_DEV_PATH);
+ if (!aux_dir) {
+ fprintf(stderr, "Cannot open directory %s\n", AUX_DEV_PATH);
+ return;
+ }
+
+ while ((entry = readdir(aux_dir))) {
+ if (!strncmp(SDSI_DEV, entry->d_name, strlen(SDSI_DEV))) {
+ found = true;
+ printf("%s\n", entry->d_name);
+ }
+ }
+
+ if (!found)
+ fprintf(stderr, "No sdsi devices found.\n");
+}
+
+static int sdsi_update_registers(struct sdsi_dev *s)
+{
+ FILE *regs_ptr;
+ int ret;
+
+ memset(&s->regs, 0, sizeof(s->regs));
+
+ /* Open the registers file */
+ ret = chdir(s->dev_path);
+ if (ret == -1) {
+ perror("chdir");
+ return ret;
+ }
+
+ regs_ptr = fopen("registers", "r");
+ if (!regs_ptr) {
+ perror("Could not open 'registers' file");
+ return -1;
+ }
+
+ if (s->guid != GUID) {
+ fprintf(stderr, "Unrecognized guid, 0x%x\n", s->guid);
+ fclose(regs_ptr);
+ return -1;
+ }
+
+ /* Update register info for this guid */
+ ret = fread(&s->regs, sizeof(uint8_t), sizeof(s->regs), regs_ptr);
+ if (ret != sizeof(s->regs)) {
+ fprintf(stderr, "Could not read 'registers' file\n");
+ fclose(regs_ptr);
+ return -1;
+ }
+
+ fclose(regs_ptr);
+
+ return 0;
+}
+
+static int sdsi_read_reg(struct sdsi_dev *s)
+{
+ int ret;
+
+ ret = sdsi_update_registers(s);
+ if (ret)
+ return ret;
+
+ /* Print register info for this guid */
+ printf("\n");
+ printf("Socket information for device %s\n", s->dev_name);
+ printf("\n");
+ printf("PPIN: 0x%lx\n", s->regs.ppin);
+ printf("Enabled Features\n");
+ printf(" SDSi: %s\n", !!s->regs.en_features.sdsi ? "Enabled" : "Disabled");
+ printf("Authorization Failure Count\n");
+ printf(" AKC Failure Count: %d\n", s->regs.auth_fail_count.key_failure_count);
+ printf(" AKC Failure Threshold: %d\n", s->regs.auth_fail_count.key_failure_threshold);
+ printf(" CAP Failure Count: %d\n", s->regs.auth_fail_count.auth_failure_count);
+ printf(" CAP Failure Threshold: %d\n", s->regs.auth_fail_count.auth_failure_threshold);
+ printf("Provisioning Availability\n");
+ printf(" Updates Available: %d\n", s->regs.prov_avail.available);
+ printf(" Updates Threshold: %d\n", s->regs.prov_avail.threshold);
+ printf("Socket ID: %ld\n", s->regs.socket_id & 0xF);
+
+ return 0;
+}
+
+static int sdsi_certificate_dump(struct sdsi_dev *s)
+{
+ uint64_t state_certificate[512] = {0};
+ bool first_instance;
+ uint64_t previous;
+ FILE *cert_ptr;
+ int i, ret, size;
+
+ ret = sdsi_update_registers(s);
+ if (ret)
+ return ret;
+
+ if (!s->regs.en_features.sdsi) {
+ fprintf(stderr, "SDSi feature is present but not enabled.");
+ fprintf(stderr, " Unable to read state certificate");
+ return -1;
+ }
+
+ ret = chdir(s->dev_path);
+ if (ret == -1) {
+ perror("chdir");
+ return ret;
+ }
+
+ cert_ptr = fopen("state_certificate", "r");
+ if (!cert_ptr) {
+ perror("Could not open 'state_certificate' file");
+ return -1;
+ }
+
+ size = fread(state_certificate, 1, sizeof(state_certificate), cert_ptr);
+ if (!size) {
+ fprintf(stderr, "Could not read 'state_certificate' file\n");
+ fclose(cert_ptr);
+ return -1;
+ }
+
+ printf("%3d: 0x%lx\n", 0, state_certificate[0]);
+ previous = state_certificate[0];
+ first_instance = true;
+
+ for (i = 1; i < (int)(round_up(size, sizeof(uint64_t))/sizeof(uint64_t)); i++) {
+ if (state_certificate[i] == previous) {
+ if (first_instance) {
+ puts("*");
+ first_instance = false;
+ }
+ continue;
+ }
+ printf("%3d: 0x%lx\n", i, state_certificate[i]);
+ previous = state_certificate[i];
+ first_instance = true;
+ }
+ printf("%3d\n", i);
+
+ fclose(cert_ptr);
+
+ return 0;
+}
+
+static int sdsi_provision(struct sdsi_dev *s, char *bin_file, enum command command)
+{
+ int bin_fd, prov_fd, size, ret;
+ char buf[4096] = { 0 };
+ char cap[] = "provision_cap";
+ char akc[] = "provision_akc";
+ char *prov_file;
+
+ if (!bin_file) {
+ fprintf(stderr, "No binary file provided\n");
+ return -1;
+ }
+
+ /* Open the binary */
+ bin_fd = open(bin_file, O_RDONLY);
+ if (bin_fd == -1) {
+ fprintf(stderr, "Could not open file %s: %s\n", bin_file, strerror(errno));
+ return bin_fd;
+ }
+
+ prov_file = (command == CMD_PROV_AKC) ? akc : cap;
+
+ ret = chdir(s->dev_path);
+ if (ret == -1) {
+ perror("chdir");
+ close(bin_fd);
+ return ret;
+ }
+
+ /* Open the provision file */
+ prov_fd = open(prov_file, O_WRONLY);
+ if (prov_fd == -1) {
+ fprintf(stderr, "Could not open file %s: %s\n", prov_file, strerror(errno));
+ close(bin_fd);
+ return prov_fd;
+ }
+
+ /* Read the binary file into the buffer */
+ size = read(bin_fd, buf, 4096);
+ if (size == -1) {
+ close(bin_fd);
+ close(prov_fd);
+ return -1;
+ }
+
+ ret = write(prov_fd, buf, size);
+ if (ret == -1) {
+ close(bin_fd);
+ close(prov_fd);
+ perror("Provisioning failed");
+ return ret;
+ }
+
+ printf("Provisioned %s file %s successfully\n", prov_file, bin_file);
+
+ close(bin_fd);
+ close(prov_fd);
+
+ return 0;
+}
+
+static int sdsi_provision_akc(struct sdsi_dev *s, char *bin_file)
+{
+ int ret;
+
+ ret = sdsi_update_registers(s);
+ if (ret)
+ return ret;
+
+ if (!s->regs.en_features.sdsi) {
+ fprintf(stderr, "SDSi feature is present but not enabled. Unable to provision");
+ return -1;
+ }
+
+ if (!s->regs.prov_avail.available) {
+ fprintf(stderr, "Maximum number of updates (%d) has been reached.\n",
+ s->regs.prov_avail.threshold);
+ return -1;
+ }
+
+ if (s->regs.auth_fail_count.key_failure_count ==
+ s->regs.auth_fail_count.key_failure_threshold) {
+ fprintf(stderr, "Maximum number of AKC provision failures (%d) has been reached.\n",
+ s->regs.auth_fail_count.key_failure_threshold);
+ fprintf(stderr, "Power cycle the system to reset the counter\n");
+ return -1;
+ }
+
+ return sdsi_provision(s, bin_file, CMD_PROV_AKC);
+}
+
+static int sdsi_provision_cap(struct sdsi_dev *s, char *bin_file)
+{
+ int ret;
+
+ ret = sdsi_update_registers(s);
+ if (ret)
+ return ret;
+
+ if (!s->regs.en_features.sdsi) {
+ fprintf(stderr, "SDSi feature is present but not enabled. Unable to provision");
+ return -1;
+ }
+
+ if (!s->regs.prov_avail.available) {
+ fprintf(stderr, "Maximum number of updates (%d) has been reached.\n",
+ s->regs.prov_avail.threshold);
+ return -1;
+ }
+
+ if (s->regs.auth_fail_count.auth_failure_count ==
+ s->regs.auth_fail_count.auth_failure_threshold) {
+ fprintf(stderr, "Maximum number of CAP provision failures (%d) has been reached.\n",
+ s->regs.auth_fail_count.auth_failure_threshold);
+ fprintf(stderr, "Power cycle the system to reset the counter\n");
+ return -1;
+ }
+
+ return sdsi_provision(s, bin_file, CMD_PROV_CAP);
+}
+
+static int read_sysfs_data(const char *file, int *value)
+{
+ char buff[16];
+ FILE *fp;
+
+ fp = fopen(file, "r");
+ if (!fp) {
+ perror(file);
+ return -1;
+ }
+
+ if (!fgets(buff, 16, fp)) {
+ fprintf(stderr, "Failed to read file '%s'", file);
+ fclose(fp);
+ return -1;
+ }
+
+ fclose(fp);
+ *value = strtol(buff, NULL, 0);
+
+ return 0;
+}
+
+static struct sdsi_dev *sdsi_create_dev(char *dev_no)
+{
+ int dev_name_len = sizeof(SDSI_DEV) + strlen(dev_no) + 1;
+ struct sdsi_dev *s;
+ int guid;
+ DIR *dir;
+
+ s = (struct sdsi_dev *)malloc(sizeof(*s));
+ if (!s) {
+ perror("malloc");
+ return NULL;
+ }
+
+ s->dev_name = (char *)malloc(sizeof(SDSI_DEV) + strlen(dev_no) + 1);
+ if (!s->dev_name) {
+ perror("malloc");
+ free(s);
+ return NULL;
+ }
+
+ snprintf(s->dev_name, dev_name_len, "%s.%s", SDSI_DEV, dev_no);
+
+ s->dev_path = (char *)malloc(sizeof(AUX_DEV_PATH) + dev_name_len);
+ if (!s->dev_path) {
+ perror("malloc");
+ free(s->dev_name);
+ free(s);
+ return NULL;
+ }
+
+ snprintf(s->dev_path, sizeof(AUX_DEV_PATH) + dev_name_len, "%s%s", AUX_DEV_PATH,
+ s->dev_name);
+ dir = opendir(s->dev_path);
+ if (!dir) {
+ fprintf(stderr, "Could not open directory '%s': %s\n", s->dev_path,
+ strerror(errno));
+ free(s->dev_path);
+ free(s->dev_name);
+ free(s);
+ return NULL;
+ }
+
+ if (chdir(s->dev_path) == -1) {
+ perror("chdir");
+ free(s->dev_path);
+ free(s->dev_name);
+ free(s);
+ return NULL;
+ }
+
+ if (read_sysfs_data("guid", &guid)) {
+ free(s->dev_path);
+ free(s->dev_name);
+ free(s);
+ return NULL;
+ }
+
+ s->guid = guid;
+
+ return s;
+}
+
+static void sdsi_free_dev(struct sdsi_dev *s)
+{
+ free(s->dev_path);
+ free(s->dev_name);
+ free(s);
+}
+
+static void print_help(char *prog)
+{
+ printf("Usage: %s [-l] [-d dev_no [-is] [-a file] [-c file]]\n", prog);
+
+ printf("\n");
+ printf("Commands:\n");
+ printf(" %-13s\t%s\n", "-l", "list available sdsi devices");
+ printf(" %-13s\t%s\n", "-d <dev_no>", "sdsi device number");
+ printf(" %-13s\t%s\n", "-i", "show socket information");
+ printf(" %-13s\t%s\n", "-s", "dump state certificate data");
+ printf(" %-13s\t%s\n", "-a <file>", "provision socket with AKC file");
+ printf(" %-13s\t%s\n", "-c <file>", "provision socket with CAP file");
+}
+
+int main(int argc, char *argv[])
+{
+ char bin_file[PATH_MAX], *dev_no = NULL;
+ enum command command = CMD_NONE;
+ struct sdsi_dev *s;
+ int ret = 0, opt;
+
+ while ((opt = getopt(argc, argv, "d:lisa:c:h")) != -1) {
+ switch (opt) {
+ case 'd':
+ dev_no = optarg;
+ break;
+ case 'l':
+ command = CMD_LIST_DEVICES;
+ break;
+ case 'i':
+ command = CMD_SOCKET_INFO;
+ break;
+ case 's':
+ command = CMD_DUMP_CERT;
+ break;
+ case 'a':
+ case 'c':
+ if (!access(optarg, F_OK) == 0) {
+ fprintf(stderr, "Could not open file '%s': %s\n", optarg,
+ strerror(errno));
+ return -1;
+ }
+
+ if (!realpath(optarg, bin_file)) {
+ perror("realpath");
+ return -1;
+ }
+
+ command = (opt == 'a') ? CMD_PROV_AKC : CMD_PROV_CAP;
+ break;
+ case 'h':
+ default:
+ print_help(argv[0]);
+ return 0;
+ }
+ }
+
+ if (!dev_no && command != CMD_LIST_DEVICES) {
+ print_help(argv[0]);
+ return -1;
+ }
+
+ if (dev_no) {
+ s = sdsi_create_dev(dev_no);
+ if (!s)
+ return -1;
+ }
+
+ /* Run the command */
+ switch (command) {
+ case CMD_NONE:
+ fprintf(stderr, "need to specify a command\n");
+ print_help(argv[0]);
+ ret = -1;
+ break;
+ case CMD_LIST_DEVICES:
+ sdsi_list_devices();
+ break;
+ case CMD_SOCKET_INFO:
+ ret = sdsi_read_reg(s);
+ break;
+ case CMD_DUMP_CERT:
+ ret = sdsi_certificate_dump(s);
+ break;
+ case CMD_PROV_AKC:
+ ret = sdsi_provision_akc(s, bin_file);
+ break;
+ case CMD_PROV_CAP:
+ ret = sdsi_provision_cap(s, bin_file);
+ break;
+ }
+
+
+ if (dev_no)
+ sdsi_free_dev(s);
+
+ return ret;
+}
base-commit: 42f8bcb37e2c65931799cdf61d086ed78456e798
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH V8 2/2] selftests: sdsi: test sysfs setup
2022-02-17 23:09 [PATCH V8 1/2] tools arch x86: Add Intel SDSi provisiong tool David E. Box
@ 2022-02-17 23:09 ` David E. Box
2022-02-22 14:56 ` Hans de Goede
2022-02-22 14:55 ` [PATCH V8 1/2] tools arch x86: Add Intel SDSi provisiong tool Hans de Goede
1 sibling, 1 reply; 4+ messages in thread
From: David E. Box @ 2022-02-17 23:09 UTC (permalink / raw)
To: hdegoede, david.e.box, gregkh, andriy.shevchenko,
srinivas.pandruvada, mgross
Cc: linux-kernel, platform-driver-x86
Tests file configuration and error handling of the Intel Software
Defined Silicon sysfs ABI.
Signed-off-by: David E. Box <david.e.box@linux.intel.com>
---
Applied on review-hans branch.
V8
- Skip if python3 or pytest aren't installed
- Do not remove driver after test is run
V7
- No changes.
V6
- No changes.
V5
- No changes.
V4
- No changes.
V3
- Add tests to check PCI device removal handling and to check for
driver memory leaks.
V2
- New patch.
MAINTAINERS | 1 +
tools/testing/selftests/drivers/sdsi/sdsi.sh | 26 ++
.../selftests/drivers/sdsi/sdsi_test.py | 226 ++++++++++++++++++
3 files changed, 253 insertions(+)
create mode 100755 tools/testing/selftests/drivers/sdsi/sdsi.sh
create mode 100644 tools/testing/selftests/drivers/sdsi/sdsi_test.py
diff --git a/MAINTAINERS b/MAINTAINERS
index dc3c9f271463..be2c4c63e58f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -9872,6 +9872,7 @@ M: David E. Box <david.e.box@linux.intel.com>
S: Supported
F: drivers/platform/x86/intel/sdsi.c
F: tools/arch/x86/intel_sdsi/
+F: tools/testing/selftests/drivers/sdsi/
INTEL SKYLAKE INT3472 ACPI DEVICE DRIVER
M: Daniel Scally <djrscally@gmail.com>
diff --git a/tools/testing/selftests/drivers/sdsi/sdsi.sh b/tools/testing/selftests/drivers/sdsi/sdsi.sh
new file mode 100755
index 000000000000..b938b1d46b04
--- /dev/null
+++ b/tools/testing/selftests/drivers/sdsi/sdsi.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+# Runs tests for the intel_sdsi driver
+
+if ! command -v python3 > /dev/null 2>&1; then
+ echo "drivers/sdsi: [SKIP] python3 not installed"
+ exit 77
+fi
+
+if ! python -c "import pytest" > /dev/null 2>&1; then
+ echo "drivers/sdsi: [SKIP] pytest module not installed"
+ exit 77
+fi
+
+if ! /sbin/modprobe -q -r intel_sdsi; then
+ echo "drivers/sdsi: [SKIP]"
+ exit 77
+fi
+
+if /sbin/modprobe -q intel_sdsi; then
+ python3 -m pytest sdsi_test.py
+ echo "drivers/sdsi: [OK]"
+else
+ echo "drivers/sdsi: [FAIL]"
+ exit 1
+fi
diff --git a/tools/testing/selftests/drivers/sdsi/sdsi_test.py b/tools/testing/selftests/drivers/sdsi/sdsi_test.py
new file mode 100644
index 000000000000..4922edfe461f
--- /dev/null
+++ b/tools/testing/selftests/drivers/sdsi/sdsi_test.py
@@ -0,0 +1,226 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: GPL-2.0
+
+from struct import pack
+from time import sleep
+
+import errno
+import glob
+import os
+import subprocess
+
+try:
+ import pytest
+except ImportError:
+ print("Unable to import pytest python module.")
+ print("\nIf not already installed, you may do so with:")
+ print("\t\tpip3 install pytest")
+ exit(1)
+
+SOCKETS = glob.glob('/sys/bus/auxiliary/devices/intel_vsec.sdsi.*')
+NUM_SOCKETS = len(SOCKETS)
+
+MODULE_NAME = 'sdsi'
+DEV_PREFIX = 'intel_vsec.sdsi'
+CLASS_DIR = '/sys/bus/auxiliary/devices'
+GUID = "0x6dd191"
+
+def read_bin_file(file):
+ with open(file, mode='rb') as f:
+ content = f.read()
+ return content
+
+def get_dev_file_path(socket, file):
+ return CLASS_DIR + '/' + DEV_PREFIX + '.' + str(socket) + '/' + file
+
+def kmemleak_enabled():
+ kmemleak = "/sys/kernel/debug/kmemleak"
+ return os.path.isfile(kmemleak)
+
+class TestSDSiDriver:
+ def test_driver_loaded(self):
+ lsmod_p = subprocess.Popen(('lsmod'), stdout=subprocess.PIPE)
+ result = subprocess.check_output(('grep', '-q', MODULE_NAME), stdin=lsmod_p.stdout)
+
+@pytest.mark.parametrize('socket', range(0, NUM_SOCKETS))
+class TestSDSiFilesClass:
+
+ def read_value(self, file):
+ f = open(file, "r")
+ value = f.read().strip("\n")
+ return value
+
+ def get_dev_folder(self, socket):
+ return CLASS_DIR + '/' + DEV_PREFIX + '.' + str(socket) + '/'
+
+ def test_sysfs_files_exist(self, socket):
+ folder = self.get_dev_folder(socket)
+ print (folder)
+ assert os.path.isfile(folder + "guid") == True
+ assert os.path.isfile(folder + "provision_akc") == True
+ assert os.path.isfile(folder + "provision_cap") == True
+ assert os.path.isfile(folder + "state_certificate") == True
+ assert os.path.isfile(folder + "registers") == True
+
+ def test_sysfs_file_permissions(self, socket):
+ folder = self.get_dev_folder(socket)
+ mode = os.stat(folder + "guid").st_mode & 0o777
+ assert mode == 0o444 # Read all
+ mode = os.stat(folder + "registers").st_mode & 0o777
+ assert mode == 0o400 # Read owner
+ mode = os.stat(folder + "provision_akc").st_mode & 0o777
+ assert mode == 0o200 # Read owner
+ mode = os.stat(folder + "provision_cap").st_mode & 0o777
+ assert mode == 0o200 # Read owner
+ mode = os.stat(folder + "state_certificate").st_mode & 0o777
+ assert mode == 0o400 # Read owner
+
+ def test_sysfs_file_ownership(self, socket):
+ folder = self.get_dev_folder(socket)
+
+ st = os.stat(folder + "guid")
+ assert st.st_uid == 0
+ assert st.st_gid == 0
+
+ st = os.stat(folder + "registers")
+ assert st.st_uid == 0
+ assert st.st_gid == 0
+
+ st = os.stat(folder + "provision_akc")
+ assert st.st_uid == 0
+ assert st.st_gid == 0
+
+ st = os.stat(folder + "provision_cap")
+ assert st.st_uid == 0
+ assert st.st_gid == 0
+
+ st = os.stat(folder + "state_certificate")
+ assert st.st_uid == 0
+ assert st.st_gid == 0
+
+ def test_sysfs_file_sizes(self, socket):
+ folder = self.get_dev_folder(socket)
+
+ if self.read_value(folder + "guid") == GUID:
+ st = os.stat(folder + "registers")
+ assert st.st_size == 72
+
+ st = os.stat(folder + "provision_akc")
+ assert st.st_size == 1024
+
+ st = os.stat(folder + "provision_cap")
+ assert st.st_size == 1024
+
+ st = os.stat(folder + "state_certificate")
+ assert st.st_size == 4096
+
+ def test_no_seek_allowed(self, socket):
+ folder = self.get_dev_folder(socket)
+ rand_file = bytes(os.urandom(8))
+
+ f = open(folder + "provision_cap", "wb", 0)
+ f.seek(1)
+ with pytest.raises(OSError) as error:
+ f.write(rand_file)
+ assert error.value.errno == errno.ESPIPE
+ f.close()
+
+ f = open(folder + "provision_akc", "wb", 0)
+ f.seek(1)
+ with pytest.raises(OSError) as error:
+ f.write(rand_file)
+ assert error.value.errno == errno.ESPIPE
+ f.close()
+
+ def test_registers_seek(self, socket):
+ folder = self.get_dev_folder(socket)
+
+ # Check that the value read from an offset of the entire
+ # file is none-zero and the same as the value read
+ # from seeking to the same location
+ f = open(folder + "registers", "rb")
+ data = f.read()
+ f.seek(64)
+ id = f.read()
+ assert id != bytes(0)
+ assert data[64:] == id
+ f.close()
+
+@pytest.mark.parametrize('socket', range(0, NUM_SOCKETS))
+class TestSDSiMailboxCmdsClass:
+ def test_provision_akc_eoverflow_1017_bytes(self, socket):
+
+ # The buffer for writes is 1k, of with 8 bytes must be
+ # reserved for the command, leaving 1016 bytes max.
+ # Check that we get an overflow error for 1017 bytes.
+ node = get_dev_file_path(socket, "provision_akc")
+ rand_file = bytes(os.urandom(1017))
+
+ f = open(node, 'wb', 0)
+ with pytest.raises(OSError) as error:
+ f.write(rand_file)
+ assert error.value.errno == errno.EOVERFLOW
+ f.close()
+
+@pytest.mark.parametrize('socket', range(0, NUM_SOCKETS))
+class TestSdsiDriverLocksClass:
+ def test_enodev_when_pci_device_removed(self, socket):
+ node = get_dev_file_path(socket, "provision_akc")
+ dev_name = DEV_PREFIX + '.' + str(socket)
+ driver_dir = CLASS_DIR + '/' + dev_name + "/driver/"
+ rand_file = bytes(os.urandom(8))
+
+ f = open(node, 'wb', 0)
+ g = open(node, 'wb', 0)
+
+ with open(driver_dir + 'unbind', 'w') as k:
+ print(dev_name, file = k)
+
+ with pytest.raises(OSError) as error:
+ f.write(rand_file)
+ assert error.value.errno == errno.ENODEV
+
+ with pytest.raises(OSError) as error:
+ g.write(rand_file)
+ assert error.value.errno == errno.ENODEV
+
+ f.close()
+ g.close()
+
+ # Short wait needed to allow file to close before pulling driver
+ sleep(1)
+
+ p = subprocess.Popen(('modprobe', '-r', 'intel_sdsi'))
+ p.wait()
+ p = subprocess.Popen(('modprobe', '-r', 'intel_vsec'))
+ p.wait()
+ p = subprocess.Popen(('modprobe', 'intel_vsec'))
+ p.wait()
+
+ # Short wait needed to allow driver time to get inserted
+ # before continuing tests
+ sleep(1)
+
+ def test_memory_leak(self, socket):
+ if not kmemleak_enabled:
+ pytest.skip("kmemleak not enabled in kernel")
+
+ dev_name = DEV_PREFIX + '.' + str(socket)
+ driver_dir = CLASS_DIR + '/' + dev_name + "/driver/"
+
+ with open(driver_dir + 'unbind', 'w') as k:
+ print(dev_name, file = k)
+
+ sleep(1)
+
+ subprocess.check_output(('modprobe', '-r', 'intel_sdsi'))
+ subprocess.check_output(('modprobe', '-r', 'intel_vsec'))
+
+ with open('/sys/kernel/debug/kmemleak', 'w') as f:
+ print('scan', file = f)
+ sleep(5)
+
+ assert os.stat('/sys/kernel/debug/kmemleak').st_size == 0
+
+ subprocess.check_output(('modprobe', 'intel_vsec'))
+ sleep(1)
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH V8 1/2] tools arch x86: Add Intel SDSi provisiong tool
2022-02-17 23:09 [PATCH V8 1/2] tools arch x86: Add Intel SDSi provisiong tool David E. Box
2022-02-17 23:09 ` [PATCH V8 2/2] selftests: sdsi: test sysfs setup David E. Box
@ 2022-02-22 14:55 ` Hans de Goede
1 sibling, 0 replies; 4+ messages in thread
From: Hans de Goede @ 2022-02-22 14:55 UTC (permalink / raw)
To: David E. Box, gregkh, andriy.shevchenko, srinivas.pandruvada,
mgross
Cc: linux-kernel, platform-driver-x86
Hi David,
On 2/18/22 00:09, David E. Box wrote:
> Add tool for key certificate and activation payload provisioning on
> Intel CPUs supporting Software Defined Silicon (SDSi).
>
> Signed-off-by: David E. Box <david.e.box@linux.intel.com>
When building this with gcc12 I get:
cc -Wextra -O2 -Wall -o intel_sdsi intel_sdsi.c
In function ‘sdsi_provision_cap’,
inlined from ‘main’ at intel_sdsi.c:532:9:
intel_sdsi.c:326:15: warning: ‘s’ may be used uninitialized [-Wmaybe-uninitialized]
326 | ret = sdsi_update_registers(s);
| ^~~~~~~~~~~~~~~~~~~~~~~~
intel_sdsi.c: In function ‘main’:
intel_sdsi.c:462:26: note: ‘s’ was declared here
462 | struct sdsi_dev *s;
| ^
Please fix this.
Regards,
Hans
> ---
>
> Applied on review-hans branch.
>
> V8
> - Rename sdsi to intel_sdsi and add install target
> - Fix compiler warning for signedness mismatch
> - Add missing break in CMD_NONE case to avoid fall through
> V7
> - No changes.
> V6
> - No changes.
> V5
> - Update copyright to 2022
> V4
> - No changes.
> V3
> - Move from samples to tools.
> - Fix bit fields in availability structure.
> - Check provisioning availability before issuing command.
>
> V2
> - New patch.
>
> MAINTAINERS | 1 +
> tools/arch/x86/intel_sdsi/Makefile | 21 +
> tools/arch/x86/intel_sdsi/intel_sdsi.c | 541 +++++++++++++++++++++++++
> 3 files changed, 563 insertions(+)
> create mode 100644 tools/arch/x86/intel_sdsi/Makefile
> create mode 100644 tools/arch/x86/intel_sdsi/intel_sdsi.c
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 136f817428cf..dc3c9f271463 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -9871,6 +9871,7 @@ INTEL SDSI DRIVER
> M: David E. Box <david.e.box@linux.intel.com>
> S: Supported
> F: drivers/platform/x86/intel/sdsi.c
> +F: tools/arch/x86/intel_sdsi/
>
> INTEL SKYLAKE INT3472 ACPI DEVICE DRIVER
> M: Daniel Scally <djrscally@gmail.com>
> diff --git a/tools/arch/x86/intel_sdsi/Makefile b/tools/arch/x86/intel_sdsi/Makefile
> new file mode 100644
> index 000000000000..5de2288cda79
> --- /dev/null
> +++ b/tools/arch/x86/intel_sdsi/Makefile
> @@ -0,0 +1,21 @@
> +# SPDX-License-Identifier: GPL-2.0
> +# Makefile for Intel Software Defined Silicon provisioning tool
> +
> +intel_sdsi: intel_sdsi.c
> +
> +CFLAGS = -Wextra
> +
> +BINDIR ?= /usr/sbin
> +
> +override CFLAGS += -O2 -Wall
> +
> +%: %.c
> + $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS)
> +
> +.PHONY : clean
> +clean :
> + @rm -f intel_sdsi
> +
> +install : intel_sdsi
> + install -d $(DESTDIR)$(BINDIR)
> + install -m 755 -p intel_sdsi $(DESTDIR)$(BINDIR)/intel_sdsi
> diff --git a/tools/arch/x86/intel_sdsi/intel_sdsi.c b/tools/arch/x86/intel_sdsi/intel_sdsi.c
> new file mode 100644
> index 000000000000..52acb518e845
> --- /dev/null
> +++ b/tools/arch/x86/intel_sdsi/intel_sdsi.c
> @@ -0,0 +1,541 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * sdsi: Intel Software Defined Silicon tool for provisioning certificates
> + * and activation payloads on supported cpus.
> + *
> + * See https://github.com/intel/intel-sdsi/blob/master/os-interface.rst
> + * for register descriptions.
> + *
> + * Copyright (C) 2022 Intel Corporation. All rights reserved.
> + */
> +
> +#include <dirent.h>
> +#include <errno.h>
> +#include <fcntl.h>
> +#include <stdbool.h>
> +#include <stdio.h>
> +#include <stdint.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <unistd.h>
> +
> +#include <sys/types.h>
> +
> +#define SDSI_DEV "intel_vsec.sdsi"
> +#define AUX_DEV_PATH "/sys/bus/auxiliary/devices/"
> +#define SDSI_PATH (AUX_DEV_DIR SDSI_DEV)
> +#define GUID 0x6dd191
> +#define REGISTERS_MIN_SIZE 72
> +
> +#define __round_mask(x, y) ((__typeof__(x))((y) - 1))
> +#define round_up(x, y) ((((x) - 1) | __round_mask(x, y)) + 1)
> +
> +struct enabled_features {
> + uint64_t reserved:3;
> + uint64_t sdsi:1;
> + uint64_t reserved1:60;
> +};
> +
> +struct auth_fail_count {
> + uint64_t key_failure_count:3;
> + uint64_t key_failure_threshold:3;
> + uint64_t auth_failure_count:3;
> + uint64_t auth_failure_threshold:3;
> + uint64_t reserved:52;
> +};
> +
> +struct availability {
> + uint64_t reserved:48;
> + uint64_t available:3;
> + uint64_t threshold:3;
> +};
> +
> +struct sdsi_regs {
> + uint64_t ppin;
> + uint64_t reserved;
> + struct enabled_features en_features;
> + uint64_t reserved1;
> + struct auth_fail_count auth_fail_count;
> + struct availability prov_avail;
> + uint64_t reserved2;
> + uint64_t reserved3;
> + uint64_t socket_id;
> +};
> +
> +struct sdsi_dev {
> + struct sdsi_regs regs;
> + char *dev_name;
> + char *dev_path;
> + int guid;
> +};
> +
> +enum command {
> + CMD_NONE,
> + CMD_LIST_DEVICES,
> + CMD_SOCKET_INFO,
> + CMD_DUMP_CERT,
> + CMD_PROV_AKC,
> + CMD_PROV_CAP,
> +};
> +
> +static void sdsi_list_devices(void)
> +{
> + struct dirent *entry;
> + DIR *aux_dir;
> + bool found = false;
> +
> + aux_dir = opendir(AUX_DEV_PATH);
> + if (!aux_dir) {
> + fprintf(stderr, "Cannot open directory %s\n", AUX_DEV_PATH);
> + return;
> + }
> +
> + while ((entry = readdir(aux_dir))) {
> + if (!strncmp(SDSI_DEV, entry->d_name, strlen(SDSI_DEV))) {
> + found = true;
> + printf("%s\n", entry->d_name);
> + }
> + }
> +
> + if (!found)
> + fprintf(stderr, "No sdsi devices found.\n");
> +}
> +
> +static int sdsi_update_registers(struct sdsi_dev *s)
> +{
> + FILE *regs_ptr;
> + int ret;
> +
> + memset(&s->regs, 0, sizeof(s->regs));
> +
> + /* Open the registers file */
> + ret = chdir(s->dev_path);
> + if (ret == -1) {
> + perror("chdir");
> + return ret;
> + }
> +
> + regs_ptr = fopen("registers", "r");
> + if (!regs_ptr) {
> + perror("Could not open 'registers' file");
> + return -1;
> + }
> +
> + if (s->guid != GUID) {
> + fprintf(stderr, "Unrecognized guid, 0x%x\n", s->guid);
> + fclose(regs_ptr);
> + return -1;
> + }
> +
> + /* Update register info for this guid */
> + ret = fread(&s->regs, sizeof(uint8_t), sizeof(s->regs), regs_ptr);
> + if (ret != sizeof(s->regs)) {
> + fprintf(stderr, "Could not read 'registers' file\n");
> + fclose(regs_ptr);
> + return -1;
> + }
> +
> + fclose(regs_ptr);
> +
> + return 0;
> +}
> +
> +static int sdsi_read_reg(struct sdsi_dev *s)
> +{
> + int ret;
> +
> + ret = sdsi_update_registers(s);
> + if (ret)
> + return ret;
> +
> + /* Print register info for this guid */
> + printf("\n");
> + printf("Socket information for device %s\n", s->dev_name);
> + printf("\n");
> + printf("PPIN: 0x%lx\n", s->regs.ppin);
> + printf("Enabled Features\n");
> + printf(" SDSi: %s\n", !!s->regs.en_features.sdsi ? "Enabled" : "Disabled");
> + printf("Authorization Failure Count\n");
> + printf(" AKC Failure Count: %d\n", s->regs.auth_fail_count.key_failure_count);
> + printf(" AKC Failure Threshold: %d\n", s->regs.auth_fail_count.key_failure_threshold);
> + printf(" CAP Failure Count: %d\n", s->regs.auth_fail_count.auth_failure_count);
> + printf(" CAP Failure Threshold: %d\n", s->regs.auth_fail_count.auth_failure_threshold);
> + printf("Provisioning Availability\n");
> + printf(" Updates Available: %d\n", s->regs.prov_avail.available);
> + printf(" Updates Threshold: %d\n", s->regs.prov_avail.threshold);
> + printf("Socket ID: %ld\n", s->regs.socket_id & 0xF);
> +
> + return 0;
> +}
> +
> +static int sdsi_certificate_dump(struct sdsi_dev *s)
> +{
> + uint64_t state_certificate[512] = {0};
> + bool first_instance;
> + uint64_t previous;
> + FILE *cert_ptr;
> + int i, ret, size;
> +
> + ret = sdsi_update_registers(s);
> + if (ret)
> + return ret;
> +
> + if (!s->regs.en_features.sdsi) {
> + fprintf(stderr, "SDSi feature is present but not enabled.");
> + fprintf(stderr, " Unable to read state certificate");
> + return -1;
> + }
> +
> + ret = chdir(s->dev_path);
> + if (ret == -1) {
> + perror("chdir");
> + return ret;
> + }
> +
> + cert_ptr = fopen("state_certificate", "r");
> + if (!cert_ptr) {
> + perror("Could not open 'state_certificate' file");
> + return -1;
> + }
> +
> + size = fread(state_certificate, 1, sizeof(state_certificate), cert_ptr);
> + if (!size) {
> + fprintf(stderr, "Could not read 'state_certificate' file\n");
> + fclose(cert_ptr);
> + return -1;
> + }
> +
> + printf("%3d: 0x%lx\n", 0, state_certificate[0]);
> + previous = state_certificate[0];
> + first_instance = true;
> +
> + for (i = 1; i < (int)(round_up(size, sizeof(uint64_t))/sizeof(uint64_t)); i++) {
> + if (state_certificate[i] == previous) {
> + if (first_instance) {
> + puts("*");
> + first_instance = false;
> + }
> + continue;
> + }
> + printf("%3d: 0x%lx\n", i, state_certificate[i]);
> + previous = state_certificate[i];
> + first_instance = true;
> + }
> + printf("%3d\n", i);
> +
> + fclose(cert_ptr);
> +
> + return 0;
> +}
> +
> +static int sdsi_provision(struct sdsi_dev *s, char *bin_file, enum command command)
> +{
> + int bin_fd, prov_fd, size, ret;
> + char buf[4096] = { 0 };
> + char cap[] = "provision_cap";
> + char akc[] = "provision_akc";
> + char *prov_file;
> +
> + if (!bin_file) {
> + fprintf(stderr, "No binary file provided\n");
> + return -1;
> + }
> +
> + /* Open the binary */
> + bin_fd = open(bin_file, O_RDONLY);
> + if (bin_fd == -1) {
> + fprintf(stderr, "Could not open file %s: %s\n", bin_file, strerror(errno));
> + return bin_fd;
> + }
> +
> + prov_file = (command == CMD_PROV_AKC) ? akc : cap;
> +
> + ret = chdir(s->dev_path);
> + if (ret == -1) {
> + perror("chdir");
> + close(bin_fd);
> + return ret;
> + }
> +
> + /* Open the provision file */
> + prov_fd = open(prov_file, O_WRONLY);
> + if (prov_fd == -1) {
> + fprintf(stderr, "Could not open file %s: %s\n", prov_file, strerror(errno));
> + close(bin_fd);
> + return prov_fd;
> + }
> +
> + /* Read the binary file into the buffer */
> + size = read(bin_fd, buf, 4096);
> + if (size == -1) {
> + close(bin_fd);
> + close(prov_fd);
> + return -1;
> + }
> +
> + ret = write(prov_fd, buf, size);
> + if (ret == -1) {
> + close(bin_fd);
> + close(prov_fd);
> + perror("Provisioning failed");
> + return ret;
> + }
> +
> + printf("Provisioned %s file %s successfully\n", prov_file, bin_file);
> +
> + close(bin_fd);
> + close(prov_fd);
> +
> + return 0;
> +}
> +
> +static int sdsi_provision_akc(struct sdsi_dev *s, char *bin_file)
> +{
> + int ret;
> +
> + ret = sdsi_update_registers(s);
> + if (ret)
> + return ret;
> +
> + if (!s->regs.en_features.sdsi) {
> + fprintf(stderr, "SDSi feature is present but not enabled. Unable to provision");
> + return -1;
> + }
> +
> + if (!s->regs.prov_avail.available) {
> + fprintf(stderr, "Maximum number of updates (%d) has been reached.\n",
> + s->regs.prov_avail.threshold);
> + return -1;
> + }
> +
> + if (s->regs.auth_fail_count.key_failure_count ==
> + s->regs.auth_fail_count.key_failure_threshold) {
> + fprintf(stderr, "Maximum number of AKC provision failures (%d) has been reached.\n",
> + s->regs.auth_fail_count.key_failure_threshold);
> + fprintf(stderr, "Power cycle the system to reset the counter\n");
> + return -1;
> + }
> +
> + return sdsi_provision(s, bin_file, CMD_PROV_AKC);
> +}
> +
> +static int sdsi_provision_cap(struct sdsi_dev *s, char *bin_file)
> +{
> + int ret;
> +
> + ret = sdsi_update_registers(s);
> + if (ret)
> + return ret;
> +
> + if (!s->regs.en_features.sdsi) {
> + fprintf(stderr, "SDSi feature is present but not enabled. Unable to provision");
> + return -1;
> + }
> +
> + if (!s->regs.prov_avail.available) {
> + fprintf(stderr, "Maximum number of updates (%d) has been reached.\n",
> + s->regs.prov_avail.threshold);
> + return -1;
> + }
> +
> + if (s->regs.auth_fail_count.auth_failure_count ==
> + s->regs.auth_fail_count.auth_failure_threshold) {
> + fprintf(stderr, "Maximum number of CAP provision failures (%d) has been reached.\n",
> + s->regs.auth_fail_count.auth_failure_threshold);
> + fprintf(stderr, "Power cycle the system to reset the counter\n");
> + return -1;
> + }
> +
> + return sdsi_provision(s, bin_file, CMD_PROV_CAP);
> +}
> +
> +static int read_sysfs_data(const char *file, int *value)
> +{
> + char buff[16];
> + FILE *fp;
> +
> + fp = fopen(file, "r");
> + if (!fp) {
> + perror(file);
> + return -1;
> + }
> +
> + if (!fgets(buff, 16, fp)) {
> + fprintf(stderr, "Failed to read file '%s'", file);
> + fclose(fp);
> + return -1;
> + }
> +
> + fclose(fp);
> + *value = strtol(buff, NULL, 0);
> +
> + return 0;
> +}
> +
> +static struct sdsi_dev *sdsi_create_dev(char *dev_no)
> +{
> + int dev_name_len = sizeof(SDSI_DEV) + strlen(dev_no) + 1;
> + struct sdsi_dev *s;
> + int guid;
> + DIR *dir;
> +
> + s = (struct sdsi_dev *)malloc(sizeof(*s));
> + if (!s) {
> + perror("malloc");
> + return NULL;
> + }
> +
> + s->dev_name = (char *)malloc(sizeof(SDSI_DEV) + strlen(dev_no) + 1);
> + if (!s->dev_name) {
> + perror("malloc");
> + free(s);
> + return NULL;
> + }
> +
> + snprintf(s->dev_name, dev_name_len, "%s.%s", SDSI_DEV, dev_no);
> +
> + s->dev_path = (char *)malloc(sizeof(AUX_DEV_PATH) + dev_name_len);
> + if (!s->dev_path) {
> + perror("malloc");
> + free(s->dev_name);
> + free(s);
> + return NULL;
> + }
> +
> + snprintf(s->dev_path, sizeof(AUX_DEV_PATH) + dev_name_len, "%s%s", AUX_DEV_PATH,
> + s->dev_name);
> + dir = opendir(s->dev_path);
> + if (!dir) {
> + fprintf(stderr, "Could not open directory '%s': %s\n", s->dev_path,
> + strerror(errno));
> + free(s->dev_path);
> + free(s->dev_name);
> + free(s);
> + return NULL;
> + }
> +
> + if (chdir(s->dev_path) == -1) {
> + perror("chdir");
> + free(s->dev_path);
> + free(s->dev_name);
> + free(s);
> + return NULL;
> + }
> +
> + if (read_sysfs_data("guid", &guid)) {
> + free(s->dev_path);
> + free(s->dev_name);
> + free(s);
> + return NULL;
> + }
> +
> + s->guid = guid;
> +
> + return s;
> +}
> +
> +static void sdsi_free_dev(struct sdsi_dev *s)
> +{
> + free(s->dev_path);
> + free(s->dev_name);
> + free(s);
> +}
> +
> +static void print_help(char *prog)
> +{
> + printf("Usage: %s [-l] [-d dev_no [-is] [-a file] [-c file]]\n", prog);
> +
> + printf("\n");
> + printf("Commands:\n");
> + printf(" %-13s\t%s\n", "-l", "list available sdsi devices");
> + printf(" %-13s\t%s\n", "-d <dev_no>", "sdsi device number");
> + printf(" %-13s\t%s\n", "-i", "show socket information");
> + printf(" %-13s\t%s\n", "-s", "dump state certificate data");
> + printf(" %-13s\t%s\n", "-a <file>", "provision socket with AKC file");
> + printf(" %-13s\t%s\n", "-c <file>", "provision socket with CAP file");
> +}
> +
> +int main(int argc, char *argv[])
> +{
> + char bin_file[PATH_MAX], *dev_no = NULL;
> + enum command command = CMD_NONE;
> + struct sdsi_dev *s;
> + int ret = 0, opt;
> +
> + while ((opt = getopt(argc, argv, "d:lisa:c:h")) != -1) {
> + switch (opt) {
> + case 'd':
> + dev_no = optarg;
> + break;
> + case 'l':
> + command = CMD_LIST_DEVICES;
> + break;
> + case 'i':
> + command = CMD_SOCKET_INFO;
> + break;
> + case 's':
> + command = CMD_DUMP_CERT;
> + break;
> + case 'a':
> + case 'c':
> + if (!access(optarg, F_OK) == 0) {
> + fprintf(stderr, "Could not open file '%s': %s\n", optarg,
> + strerror(errno));
> + return -1;
> + }
> +
> + if (!realpath(optarg, bin_file)) {
> + perror("realpath");
> + return -1;
> + }
> +
> + command = (opt == 'a') ? CMD_PROV_AKC : CMD_PROV_CAP;
> + break;
> + case 'h':
> + default:
> + print_help(argv[0]);
> + return 0;
> + }
> + }
> +
> + if (!dev_no && command != CMD_LIST_DEVICES) {
> + print_help(argv[0]);
> + return -1;
> + }
> +
> + if (dev_no) {
> + s = sdsi_create_dev(dev_no);
> + if (!s)
> + return -1;
> + }
> +
> + /* Run the command */
> + switch (command) {
> + case CMD_NONE:
> + fprintf(stderr, "need to specify a command\n");
> + print_help(argv[0]);
> + ret = -1;
> + break;
> + case CMD_LIST_DEVICES:
> + sdsi_list_devices();
> + break;
> + case CMD_SOCKET_INFO:
> + ret = sdsi_read_reg(s);
> + break;
> + case CMD_DUMP_CERT:
> + ret = sdsi_certificate_dump(s);
> + break;
> + case CMD_PROV_AKC:
> + ret = sdsi_provision_akc(s, bin_file);
> + break;
> + case CMD_PROV_CAP:
> + ret = sdsi_provision_cap(s, bin_file);
> + break;
> + }
> +
> +
> + if (dev_no)
> + sdsi_free_dev(s);
> +
> + return ret;
> +}
>
> base-commit: 42f8bcb37e2c65931799cdf61d086ed78456e798
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH V8 2/2] selftests: sdsi: test sysfs setup
2022-02-17 23:09 ` [PATCH V8 2/2] selftests: sdsi: test sysfs setup David E. Box
@ 2022-02-22 14:56 ` Hans de Goede
0 siblings, 0 replies; 4+ messages in thread
From: Hans de Goede @ 2022-02-22 14:56 UTC (permalink / raw)
To: David E. Box, gregkh, andriy.shevchenko, srinivas.pandruvada,
mgross
Cc: linux-kernel, platform-driver-x86
Hi David,
On 2/18/22 00:09, David E. Box wrote:
> Tests file configuration and error handling of the Intel Software
> Defined Silicon sysfs ABI.
>
> Signed-off-by: David E. Box <david.e.box@linux.intel.com>
> ---
> Applied on review-hans branch.
>
> V8
> - Skip if python3 or pytest aren't installed
> - Do not remove driver after test is run
> V7
> - No changes.
> V6
> - No changes.
> V5
> - No changes.
> V4
> - No changes.
> V3
> - Add tests to check PCI device removal handling and to check for
> driver memory leaks.
> V2
> - New patch.
>
> MAINTAINERS | 1 +
> tools/testing/selftests/drivers/sdsi/sdsi.sh | 26 ++
> .../selftests/drivers/sdsi/sdsi_test.py | 226 ++++++++++++++++++
> 3 files changed, 253 insertions(+)
> create mode 100755 tools/testing/selftests/drivers/sdsi/sdsi.sh
> create mode 100644 tools/testing/selftests/drivers/sdsi/sdsi_test.py
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index dc3c9f271463..be2c4c63e58f 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -9872,6 +9872,7 @@ M: David E. Box <david.e.box@linux.intel.com>
> S: Supported
> F: drivers/platform/x86/intel/sdsi.c
> F: tools/arch/x86/intel_sdsi/
> +F: tools/testing/selftests/drivers/sdsi/
>
> INTEL SKYLAKE INT3472 ACPI DEVICE DRIVER
> M: Daniel Scally <djrscally@gmail.com>
> diff --git a/tools/testing/selftests/drivers/sdsi/sdsi.sh b/tools/testing/selftests/drivers/sdsi/sdsi.sh
> new file mode 100755
> index 000000000000..b938b1d46b04
> --- /dev/null
> +++ b/tools/testing/selftests/drivers/sdsi/sdsi.sh
> @@ -0,0 +1,26 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0
> +# Runs tests for the intel_sdsi driver
> +
> +if ! command -v python3 > /dev/null 2>&1; then
> + echo "drivers/sdsi: [SKIP] python3 not installed"
> + exit 77
> +fi
> +
> +if ! python -c "import pytest" > /dev/null 2>&1; then
> + echo "drivers/sdsi: [SKIP] pytest module not installed"
> + exit 77
> +fi
> +
> +if ! /sbin/modprobe -q -r intel_sdsi; then
> + echo "drivers/sdsi: [SKIP]"
> + exit 77
> +fi
> +
> +if /sbin/modprobe -q intel_sdsi; then
> + python3 -m pytest sdsi_test.py
> + echo "drivers/sdsi: [OK]"
You will now echo "[OK]" and exit with 0 independent of
the results of the pytest invocation, please change this to:
if /sbin/modprobe -q intel_sdsi && python3 -m pytest sdsi_test.py; then
echo "drivers/sdsi: [OK]"
else
echo "drivers/sdsi: [FAIL]"
exit 1
fi
So that errors of the pytest will result in the test failing.
Regards,
Hans
> +else
> + echo "drivers/sdsi: [FAIL]"
> + exit 1
> +fi
> diff --git a/tools/testing/selftests/drivers/sdsi/sdsi_test.py b/tools/testing/selftests/drivers/sdsi/sdsi_test.py
> new file mode 100644
> index 000000000000..4922edfe461f
> --- /dev/null
> +++ b/tools/testing/selftests/drivers/sdsi/sdsi_test.py
> @@ -0,0 +1,226 @@
> +#!/usr/bin/env python3
> +# SPDX-License-Identifier: GPL-2.0
> +
> +from struct import pack
> +from time import sleep
> +
> +import errno
> +import glob
> +import os
> +import subprocess
> +
> +try:
> + import pytest
> +except ImportError:
> + print("Unable to import pytest python module.")
> + print("\nIf not already installed, you may do so with:")
> + print("\t\tpip3 install pytest")
> + exit(1)
> +
> +SOCKETS = glob.glob('/sys/bus/auxiliary/devices/intel_vsec.sdsi.*')
> +NUM_SOCKETS = len(SOCKETS)
> +
> +MODULE_NAME = 'sdsi'
> +DEV_PREFIX = 'intel_vsec.sdsi'
> +CLASS_DIR = '/sys/bus/auxiliary/devices'
> +GUID = "0x6dd191"
> +
> +def read_bin_file(file):
> + with open(file, mode='rb') as f:
> + content = f.read()
> + return content
> +
> +def get_dev_file_path(socket, file):
> + return CLASS_DIR + '/' + DEV_PREFIX + '.' + str(socket) + '/' + file
> +
> +def kmemleak_enabled():
> + kmemleak = "/sys/kernel/debug/kmemleak"
> + return os.path.isfile(kmemleak)
> +
> +class TestSDSiDriver:
> + def test_driver_loaded(self):
> + lsmod_p = subprocess.Popen(('lsmod'), stdout=subprocess.PIPE)
> + result = subprocess.check_output(('grep', '-q', MODULE_NAME), stdin=lsmod_p.stdout)
> +
> +@pytest.mark.parametrize('socket', range(0, NUM_SOCKETS))
> +class TestSDSiFilesClass:
> +
> + def read_value(self, file):
> + f = open(file, "r")
> + value = f.read().strip("\n")
> + return value
> +
> + def get_dev_folder(self, socket):
> + return CLASS_DIR + '/' + DEV_PREFIX + '.' + str(socket) + '/'
> +
> + def test_sysfs_files_exist(self, socket):
> + folder = self.get_dev_folder(socket)
> + print (folder)
> + assert os.path.isfile(folder + "guid") == True
> + assert os.path.isfile(folder + "provision_akc") == True
> + assert os.path.isfile(folder + "provision_cap") == True
> + assert os.path.isfile(folder + "state_certificate") == True
> + assert os.path.isfile(folder + "registers") == True
> +
> + def test_sysfs_file_permissions(self, socket):
> + folder = self.get_dev_folder(socket)
> + mode = os.stat(folder + "guid").st_mode & 0o777
> + assert mode == 0o444 # Read all
> + mode = os.stat(folder + "registers").st_mode & 0o777
> + assert mode == 0o400 # Read owner
> + mode = os.stat(folder + "provision_akc").st_mode & 0o777
> + assert mode == 0o200 # Read owner
> + mode = os.stat(folder + "provision_cap").st_mode & 0o777
> + assert mode == 0o200 # Read owner
> + mode = os.stat(folder + "state_certificate").st_mode & 0o777
> + assert mode == 0o400 # Read owner
> +
> + def test_sysfs_file_ownership(self, socket):
> + folder = self.get_dev_folder(socket)
> +
> + st = os.stat(folder + "guid")
> + assert st.st_uid == 0
> + assert st.st_gid == 0
> +
> + st = os.stat(folder + "registers")
> + assert st.st_uid == 0
> + assert st.st_gid == 0
> +
> + st = os.stat(folder + "provision_akc")
> + assert st.st_uid == 0
> + assert st.st_gid == 0
> +
> + st = os.stat(folder + "provision_cap")
> + assert st.st_uid == 0
> + assert st.st_gid == 0
> +
> + st = os.stat(folder + "state_certificate")
> + assert st.st_uid == 0
> + assert st.st_gid == 0
> +
> + def test_sysfs_file_sizes(self, socket):
> + folder = self.get_dev_folder(socket)
> +
> + if self.read_value(folder + "guid") == GUID:
> + st = os.stat(folder + "registers")
> + assert st.st_size == 72
> +
> + st = os.stat(folder + "provision_akc")
> + assert st.st_size == 1024
> +
> + st = os.stat(folder + "provision_cap")
> + assert st.st_size == 1024
> +
> + st = os.stat(folder + "state_certificate")
> + assert st.st_size == 4096
> +
> + def test_no_seek_allowed(self, socket):
> + folder = self.get_dev_folder(socket)
> + rand_file = bytes(os.urandom(8))
> +
> + f = open(folder + "provision_cap", "wb", 0)
> + f.seek(1)
> + with pytest.raises(OSError) as error:
> + f.write(rand_file)
> + assert error.value.errno == errno.ESPIPE
> + f.close()
> +
> + f = open(folder + "provision_akc", "wb", 0)
> + f.seek(1)
> + with pytest.raises(OSError) as error:
> + f.write(rand_file)
> + assert error.value.errno == errno.ESPIPE
> + f.close()
> +
> + def test_registers_seek(self, socket):
> + folder = self.get_dev_folder(socket)
> +
> + # Check that the value read from an offset of the entire
> + # file is none-zero and the same as the value read
> + # from seeking to the same location
> + f = open(folder + "registers", "rb")
> + data = f.read()
> + f.seek(64)
> + id = f.read()
> + assert id != bytes(0)
> + assert data[64:] == id
> + f.close()
> +
> +@pytest.mark.parametrize('socket', range(0, NUM_SOCKETS))
> +class TestSDSiMailboxCmdsClass:
> + def test_provision_akc_eoverflow_1017_bytes(self, socket):
> +
> + # The buffer for writes is 1k, of with 8 bytes must be
> + # reserved for the command, leaving 1016 bytes max.
> + # Check that we get an overflow error for 1017 bytes.
> + node = get_dev_file_path(socket, "provision_akc")
> + rand_file = bytes(os.urandom(1017))
> +
> + f = open(node, 'wb', 0)
> + with pytest.raises(OSError) as error:
> + f.write(rand_file)
> + assert error.value.errno == errno.EOVERFLOW
> + f.close()
> +
> +@pytest.mark.parametrize('socket', range(0, NUM_SOCKETS))
> +class TestSdsiDriverLocksClass:
> + def test_enodev_when_pci_device_removed(self, socket):
> + node = get_dev_file_path(socket, "provision_akc")
> + dev_name = DEV_PREFIX + '.' + str(socket)
> + driver_dir = CLASS_DIR + '/' + dev_name + "/driver/"
> + rand_file = bytes(os.urandom(8))
> +
> + f = open(node, 'wb', 0)
> + g = open(node, 'wb', 0)
> +
> + with open(driver_dir + 'unbind', 'w') as k:
> + print(dev_name, file = k)
> +
> + with pytest.raises(OSError) as error:
> + f.write(rand_file)
> + assert error.value.errno == errno.ENODEV
> +
> + with pytest.raises(OSError) as error:
> + g.write(rand_file)
> + assert error.value.errno == errno.ENODEV
> +
> + f.close()
> + g.close()
> +
> + # Short wait needed to allow file to close before pulling driver
> + sleep(1)
> +
> + p = subprocess.Popen(('modprobe', '-r', 'intel_sdsi'))
> + p.wait()
> + p = subprocess.Popen(('modprobe', '-r', 'intel_vsec'))
> + p.wait()
> + p = subprocess.Popen(('modprobe', 'intel_vsec'))
> + p.wait()
> +
> + # Short wait needed to allow driver time to get inserted
> + # before continuing tests
> + sleep(1)
> +
> + def test_memory_leak(self, socket):
> + if not kmemleak_enabled:
> + pytest.skip("kmemleak not enabled in kernel")
> +
> + dev_name = DEV_PREFIX + '.' + str(socket)
> + driver_dir = CLASS_DIR + '/' + dev_name + "/driver/"
> +
> + with open(driver_dir + 'unbind', 'w') as k:
> + print(dev_name, file = k)
> +
> + sleep(1)
> +
> + subprocess.check_output(('modprobe', '-r', 'intel_sdsi'))
> + subprocess.check_output(('modprobe', '-r', 'intel_vsec'))
> +
> + with open('/sys/kernel/debug/kmemleak', 'w') as f:
> + print('scan', file = f)
> + sleep(5)
> +
> + assert os.stat('/sys/kernel/debug/kmemleak').st_size == 0
> +
> + subprocess.check_output(('modprobe', 'intel_vsec'))
> + sleep(1)
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-02-22 14:57 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-02-17 23:09 [PATCH V8 1/2] tools arch x86: Add Intel SDSi provisiong tool David E. Box
2022-02-17 23:09 ` [PATCH V8 2/2] selftests: sdsi: test sysfs setup David E. Box
2022-02-22 14:56 ` Hans de Goede
2022-02-22 14:55 ` [PATCH V8 1/2] tools arch x86: Add Intel SDSi provisiong tool Hans de Goede
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox