From: "Alexandre Courbot" <acourbot@nvidia.com>
To: "John Hubbard" <jhubbard@nvidia.com>
Cc: "Danilo Krummrich" <dakr@kernel.org>,
"Joel Fernandes" <joelagnelf@nvidia.com>,
"Timur Tabi" <ttabi@nvidia.com>,
"Alistair Popple" <apopple@nvidia.com>,
"Eliot Courtney" <ecourtney@nvidia.com>,
"Shashank Sharma" <shashanks@nvidia.com>,
"Zhi Wang" <zhiw@nvidia.com>, "David Airlie" <airlied@gmail.com>,
"Simona Vetter" <simona@ffwll.ch>,
"Bjorn Helgaas" <bhelgaas@google.com>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
rust-for-linux@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v10 18/28] gpu: nova-core: Hopper/Blackwell: add FMC signature extraction
Date: Fri, 17 Apr 2026 23:24:34 +0900 [thread overview]
Message-ID: <DHVHYMGOZ58F.2E1GSYX4L27NU@nvidia.com> (raw)
In-Reply-To: <20260411024953.473149-19-jhubbard@nvidia.com>
On Sat Apr 11, 2026 at 11:49 AM JST, John Hubbard wrote:
> Add extract_fmc_signatures() which extracts SHA-384 hash, RSA public
> key, and RSA signature from FMC ELF32 firmware sections. These are
> needed for FSP Chain of Trust verification.
>
> Signed-off-by: John Hubbard <jhubbard@nvidia.com>
> ---
> drivers/gpu/nova-core/firmware.rs | 3 +-
> drivers/gpu/nova-core/fsp.rs | 78 +++++++++++++++++++++++++++++++
> drivers/gpu/nova-core/gsp/boot.rs | 3 +-
> 3 files changed, 82 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/nova-core/firmware.rs b/drivers/gpu/nova-core/firmware.rs
> index bc26807116e4..6d07715b3a49 100644
> --- a/drivers/gpu/nova-core/firmware.rs
> +++ b/drivers/gpu/nova-core/firmware.rs
> @@ -26,6 +26,7 @@
> },
> };
>
> +pub(crate) use elf::elf_section;
> pub(crate) mod booter;
> pub(crate) mod fsp;
> pub(crate) mod fwsec;
> @@ -646,7 +647,7 @@ fn elf32_section<'a>(elf: &'a [u8], name: &str) -> Option<&'a [u8]> {
> }
>
> /// Automatically detects ELF32 vs ELF64 based on the ELF header.
> - pub(super) fn elf_section<'a>(elf: &'a [u8], name: &str) -> Option<&'a [u8]> {
> + pub(crate) fn elf_section<'a>(elf: &'a [u8], name: &str) -> Option<&'a [u8]> {
We don't want to change the visibility of this method - thankfully there
is an easy way to achieve this - please read on.
> // Check ELF magic.
> if elf.len() < 5 || elf.get(0..4)? != b"\x7fELF" {
> return None;
> diff --git a/drivers/gpu/nova-core/fsp.rs b/drivers/gpu/nova-core/fsp.rs
> index 55e543e80de8..8287bda795ca 100644
> --- a/drivers/gpu/nova-core/fsp.rs
> +++ b/drivers/gpu/nova-core/fsp.rs
> @@ -18,6 +18,18 @@
> /// FSP secure boot completion timeout in milliseconds.
> const FSP_SECURE_BOOT_TIMEOUT_MS: i64 = 5000;
>
> +/// Size constraints for FSP security signatures (Hopper/Blackwell).
This doccomment is about the 3 following items but will only appears on
the first one. You want one doccomment per const that reads something
like "/// Expected size for X".
> +const FSP_HASH_SIZE: usize = 48; // SHA-384 hash
> +const FSP_PKEY_SIZE: usize = 384; // RSA-3072 public key
> +const FSP_SIG_SIZE: usize = 384; // RSA-3072 signature
> +
> +/// Structure to hold FMC signatures.
> +#[derive(Debug, Clone, Copy)]
> +pub(crate) struct FmcSignatures {
> + hash384: [u8; FSP_HASH_SIZE],
> + public_key: [u8; FSP_PKEY_SIZE],
> + signature: [u8; FSP_SIG_SIZE],
> +}
> /// FSP interface for Hopper/Blackwell GPUs.
> pub(crate) struct Fsp;
>
> @@ -50,4 +62,70 @@ pub(crate) fn wait_secure_boot(
> })
> .map(|_| ())
> }
> +
> + /// Extract FMC firmware signatures for Chain of Trust verification.
> + ///
> + /// Extracts real cryptographic signatures from FMC ELF32 firmware sections.
> + /// Returns signatures in a heap-allocated structure to prevent stack overflow.
> + pub(crate) fn extract_fmc_signatures(
If you make this a method of `FmcFirmware`, you can keep the current
visibility of `elf_section`, while also simplifying the caller (as it is
only ever called on the data of a `FmcFirmware`).
> + dev: &device::Device<device::Bound>,
> + fmc_fw_data: &[u8],
> + ) -> Result<KBox<FmcSignatures>> {
> + let hash_section = crate::firmware::elf_section(fmc_fw_data, "hash")
> + .ok_or(EINVAL)
> + .inspect_err(|_| dev_err!(dev, "FMC firmware missing 'hash' section\n"))?;
> +
> + let pkey_section = crate::firmware::elf_section(fmc_fw_data, "publickey")
> + .ok_or(EINVAL)
> + .inspect_err(|_| dev_err!(dev, "FMC firmware missing 'publickey' section\n"))?;
> +
> + let sig_section = crate::firmware::elf_section(fmc_fw_data, "signature")
> + .ok_or(EINVAL)
> + .inspect_err(|_| dev_err!(dev, "FMC firmware missing 'signature' section\n"))?;
> +
> + if hash_section.len() != FSP_HASH_SIZE {
> + dev_err!(
> + dev,
> + "FMC hash section size {} != expected {}\n",
> + hash_section.len(),
> + FSP_HASH_SIZE
> + );
> + return Err(EINVAL);
> + }
> +
> + if pkey_section.len() > FSP_PKEY_SIZE {
> + dev_err!(
> + dev,
> + "FMC publickey section size {} > maximum {}\n",
> + pkey_section.len(),
> + FSP_PKEY_SIZE
> + );
> + return Err(EINVAL);
> + }
> +
> + if sig_section.len() > FSP_SIG_SIZE {
> + dev_err!(
> + dev,
> + "FMC signature section size {} > maximum {}\n",
> + sig_section.len(),
> + FSP_SIG_SIZE
> + );
> + return Err(EINVAL);
> + }
That's quite a bit of repeating code. I'd like to factor this out into a
closure, but first a question: the length of `hash_section` is required
to be exactly `FSP_HASH_SIZE`, but the other two sections are only
required to be smaller. Does that really make sense or should they all
be strictly equal to their expected size? Because AFAICT 384 is the only
size that makes sense for them.
Assuming we can apply the same length test for all 3, you can replace
all this code with just:
/// Returns the section `name` of size `expected_len`, or EINVAL if
/// the section doesn't exist or doesn't have the expected length.
let get_section = |name, expected_len| {
crate::firmware::elf_section(fmc_fw_data, name)
.ok_or(EINVAL)
.inspect_err(|_| dev_err!(dev, "FMC firmware missing '{}' section\n", name))
.and_then(|section| {
if section.len() > expected_len {
dev_err!(
dev,
"FMC {} section size {} != expected {}\n",
name,
section.len(),
expected_len
);
Err(EINVAL)
} else {
Ok(section)
}
})
};
let hash_section = get_section("hash", FSP_HASH_SIZE)?;
let pkey_section = get_section("publickey", FSP_PKEY_SIZE)?;
let sig_section = get_section("signature", FSP_SIG_SIZE)?;
> +
> + let mut signatures = KBox::new(
> + FmcSignatures {
> + hash384: [0u8; FSP_HASH_SIZE],
> + public_key: [0u8; FSP_PKEY_SIZE],
> + signature: [0u8; FSP_SIG_SIZE],
> + },
> + GFP_KERNEL,
> + )?;
> +
> + signatures.hash384.copy_from_slice(hash_section);
> + signatures.public_key[..pkey_section.len()].copy_from_slice(pkey_section);
> + signatures.signature[..sig_section.len()].copy_from_slice(sig_section);
If the size assumption I make above is correct, you can remove the
slices on the destination.
Also note that `copy_from_slice` can panic, so these statements should
have a `//PANIC:` comment justifying why it cannot happen.
> +
> + Ok(signatures)
> + }
> }
> diff --git a/drivers/gpu/nova-core/gsp/boot.rs b/drivers/gpu/nova-core/gsp/boot.rs
> index 9609cef3ff51..739624af1cef 100644
> --- a/drivers/gpu/nova-core/gsp/boot.rs
> +++ b/drivers/gpu/nova-core/gsp/boot.rs
> @@ -208,7 +208,8 @@ fn boot_via_fsp(
> ) -> Result {
> let _fsp_falcon = Falcon::<FspEngine>::new(dev, chipset)?;
>
> - let _fsp_fw = FspFirmware::new(dev, chipset, FIRMWARE_VERSION)?;
> + let fsp_fw = FspFirmware::new(dev, chipset, FIRMWARE_VERSION)?;
> + let _signatures = Fsp::extract_fmc_signatures(dev, fsp_fw.fmc_elf.data())?;
Once `extract_fmc_signatures` is a method of `FspFirmware`, we can
remove that new line and pass `fsp_fw` to `FmcBootArgs::new`. It is
more logical, and will allow it to access both the image and the
signatures from this single argument.
next prev parent reply other threads:[~2026-04-17 14:24 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-11 2:49 [PATCH v10 00/28] gpu: nova-core: firmware: Hopper/Blackwell support John Hubbard
2026-04-11 2:49 ` [PATCH v10 01/28] gpu: nova-core: factor .fwsignature* selection into a new find_gsp_sigs_section() John Hubbard
2026-04-11 2:49 ` [PATCH v10 02/28] gpu: nova-core: use GPU Architecture to simplify HAL selections John Hubbard
2026-04-11 2:49 ` [PATCH v10 03/28] gpu: nova-core: Hopper/Blackwell: basic GPU identification John Hubbard
2026-04-11 3:58 ` Timur Tabi
2026-04-13 21:08 ` John Hubbard
2026-04-13 21:21 ` Timur Tabi
2026-04-13 21:29 ` John Hubbard
2026-04-17 7:27 ` Alexandre Courbot
2026-04-17 7:49 ` Alexandre Courbot
2026-04-11 2:49 ` [PATCH v10 04/28] gpu: nova-core: add Copy/Clone to Spec and Revision John Hubbard
2026-04-11 2:49 ` [PATCH v10 05/28] gpu: nova-core: set DMA mask width based on GPU architecture John Hubbard
2026-04-11 2:49 ` [PATCH v10 06/28] gpu: nova-core: move GFW boot wait into a GPU HAL John Hubbard
2026-04-11 2:49 ` [PATCH v10 07/28] gpu: nova-core: Hopper/Blackwell: skip GFW boot waiting John Hubbard
2026-04-11 2:49 ` [PATCH v10 08/28] gpu: nova-core: Blackwell: calculate reserved FB heap size John Hubbard
2026-04-17 14:23 ` Alexandre Courbot
2026-04-18 1:42 ` John Hubbard
2026-04-11 2:49 ` [PATCH v10 09/28] gpu: nova-core: Hopper/Blackwell: new location for PCI config mirror John Hubbard
2026-04-17 14:23 ` Alexandre Courbot
2026-04-18 1:46 ` John Hubbard
2026-04-18 1:54 ` John Hubbard
2026-04-11 2:49 ` [PATCH v10 10/28] gpu: nova-core: refactor SEC2 booter loading into BooterFirmware::run() John Hubbard
2026-04-11 2:49 ` [PATCH v10 11/28] gpu: nova-core: Hopper/Blackwell: integrate FSP boot path into boot() John Hubbard
2026-04-17 14:24 ` Alexandre Courbot
2026-04-11 2:49 ` [PATCH v10 12/28] gpu: nova-core: don't assume 64-bit firmware images John Hubbard
2026-04-11 2:49 ` [PATCH v10 13/28] gpu: nova-core: add support for 32-bit " John Hubbard
2026-04-11 2:49 ` [PATCH v10 14/28] gpu: nova-core: add auto-detection of 32-bit, 64-bit " John Hubbard
2026-04-11 2:49 ` [PATCH v10 15/28] gpu: nova-core: Hopper/Blackwell: add FSP falcon engine stub John Hubbard
2026-04-11 2:49 ` [PATCH v10 16/28] gpu: nova-core: Hopper/Blackwell: add FMC firmware image, in support of FSP John Hubbard
2026-04-11 2:49 ` [PATCH v10 17/28] gpu: nova-core: Hopper/Blackwell: add FSP secure boot completion waiting John Hubbard
2026-04-17 14:24 ` Alexandre Courbot
2026-04-11 2:49 ` [PATCH v10 18/28] gpu: nova-core: Hopper/Blackwell: add FMC signature extraction John Hubbard
2026-04-17 14:24 ` Alexandre Courbot [this message]
2026-04-11 2:49 ` [PATCH v10 19/28] gpu: nova-core: Hopper/Blackwell: add FSP falcon EMEM operations John Hubbard
2026-04-11 2:49 ` [PATCH v10 20/28] gpu: nova-core: Hopper/Blackwell: add FSP message infrastructure John Hubbard
2026-04-11 2:49 ` [PATCH v10 21/28] gpu: nova-core: add MCTP/NVDM protocol types for firmware communication John Hubbard
2026-04-11 2:49 ` [PATCH v10 22/28] gpu: nova-core: Hopper/Blackwell: add FSP send/receive messaging John Hubbard
2026-04-11 2:49 ` [PATCH v10 23/28] gpu: nova-core: Hopper/Blackwell: add FspCotVersion type John Hubbard
2026-04-11 2:49 ` [PATCH v10 24/28] gpu: nova-core: Hopper/Blackwell: larger non-WPR heap John Hubbard
2026-04-11 2:49 ` [PATCH v10 25/28] gpu: nova-core: Hopper/Blackwell: add FSP Chain of Trust boot John Hubbard
2026-04-11 2:49 ` [PATCH v10 26/28] gpu: nova-core: Blackwell: use correct sysmem flush registers John Hubbard
2026-04-11 2:49 ` [PATCH v10 27/28] gpu: nova-core: Hopper/Blackwell: larger WPR2 (GSP) heap John Hubbard
2026-04-11 2:49 ` [PATCH v10 28/28] gpu: nova-core: Hopper/Blackwell: add GSP lockdown release polling John Hubbard
2026-04-17 14:34 ` [PATCH v10 00/28] gpu: nova-core: firmware: Hopper/Blackwell support Alexandre Courbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DHVHYMGOZ58F.2E1GSYX4L27NU@nvidia.com \
--to=acourbot@nvidia.com \
--cc=a.hindborg@kernel.org \
--cc=airlied@gmail.com \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=apopple@nvidia.com \
--cc=bhelgaas@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=ecourtney@nvidia.com \
--cc=gary@garyguo.net \
--cc=jhubbard@nvidia.com \
--cc=joelagnelf@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lossin@kernel.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=shashanks@nvidia.com \
--cc=simona@ffwll.ch \
--cc=tmgross@umich.edu \
--cc=ttabi@nvidia.com \
--cc=zhiw@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox