From: "Keller, Jacob E" <jacob.e.keller@intel.com>
To: Jakub Kicinski <kuba@kernel.org>,
"Nguyen, Anthony L" <anthony.l.nguyen@intel.com>
Cc: "davem@davemloft.net" <davem@davemloft.net>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"sassmann@redhat.com" <sassmann@redhat.com>,
"Brelinski, TonyX" <tonyx.brelinski@intel.com>
Subject: RE: [PATCH net-next 03/15] ice: read security revision to ice_nvm_info and ice_orom_info
Date: Mon, 1 Feb 2021 18:15:19 +0000 [thread overview]
Message-ID: <339cfa644eec45a7bc7b1b24dfe8b04e@intel.com> (raw)
In-Reply-To: <20210129224407.0529a802@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
> -----Original Message-----
> From: Jakub Kicinski <kuba@kernel.org>
> Sent: Friday, January 29, 2021 10:44 PM
> To: Nguyen, Anthony L <anthony.l.nguyen@intel.com>
> Cc: davem@davemloft.net; Keller, Jacob E <jacob.e.keller@intel.com>;
> netdev@vger.kernel.org; sassmann@redhat.com; Brelinski, TonyX
> <tonyx.brelinski@intel.com>
> Subject: Re: [PATCH net-next 03/15] ice: read security revision to ice_nvm_info
> and ice_orom_info
>
> On Thu, 28 Jan 2021 16:43:20 -0800 Tony Nguyen wrote:
> > From: Jacob Keller <jacob.e.keller@intel.com>
> >
> > The main NVM module and the Option ROM module contain a security
> > revision in their CSS header. This security revision is used to
> > determine whether or not the signed module should be loaded at bootup.
> > If the module security revision is lower than the associated minimum
> > security revision, it will not be loaded.
> >
> > The CSS header does not have a module id associated with it, and thus
> > requires flat NVM reads in order to access it. To do this, take
> > advantage of the cached bank information. Introduce a new
> > "ice_read_flash_module" function that takes the module and bank to read.
> > Implement both ice_read_active_nvm_module and
> > ice_read_active_orom_module. These functions will use the cached values
> > to determine the active bank and calculate the appropriate offset.
> >
> > Using these new access functions, extract the security revision for both
> > the main NVM bank and the Option ROM into the associated info structure.
> >
> > Add the security revisions to the devlink info output. Report the main
> > NVM bank security revision as "fw.mgmt.srev". Report the Option ROM
> > security revision as "fw.undi.srev".
> >
> > A future patch will add the associated minimum security revisions as
> > devlink flash parameters.
>
> This needs a wider discussion. Hopefully we can agree on a reasonably
> uniform way of handling this across vendors. Having to fish out
> _particular_ version keys out and then target _particular_ parameters
> for each vendor is not great.
>
Yea, I can see how that would be problematic. It does seem like some sort of tied interface would make sense.
> First off - is there a standard around the version management that we
> can base the interface on? What about key management? There's gotta be
> a way of revoking keys too, right?
>
I am not sure. None of the implementation I've written deals with key management and it wasn't an ask.
>
> I'd recommend separating the srev patches out of the series so the
> other ones can land.
Sure, We can do that.
next prev parent reply other threads:[~2021-02-01 18:29 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-29 0:43 [PATCH net-next 00/15][pull request] 100GbE Intel Wired LAN Driver Updates 2021-01-28 Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 01/15] ice: create flash_info structure and separate NVM version Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 02/15] ice: cache NVM module bank information Tony Nguyen
2021-01-29 21:01 ` Willem de Bruijn
2021-01-29 21:04 ` Willem de Bruijn
2021-01-29 21:32 ` Jacob Keller
2021-01-29 21:36 ` Willem de Bruijn
2021-01-29 0:43 ` [PATCH net-next 03/15] ice: read security revision to ice_nvm_info and ice_orom_info Tony Nguyen
2021-01-30 6:44 ` Jakub Kicinski
2021-02-01 18:15 ` Keller, Jacob E [this message]
2021-01-29 0:43 ` [PATCH net-next 04/15] ice: add devlink parameters to read and write minimum security revision Tony Nguyen
2021-02-03 20:41 ` Jakub Kicinski
2021-02-04 1:34 ` Jacob Keller
2021-02-04 2:08 ` Jakub Kicinski
2021-02-04 19:10 ` Jacob Keller
2021-02-04 21:53 ` Jacob Keller
2021-02-06 2:32 ` Brelinski, TonyX
2021-02-06 2:34 ` Brelinski, TonyX
2021-02-10 18:51 ` Jakub Kicinski
2021-02-04 21:48 ` Jacob Keller
2021-01-29 0:43 ` [PATCH net-next 05/15] ice: report timeout length for erasing during devlink flash Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 06/15] ice: introduce context struct for info report Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 07/15] ice: refactor interface for ice_read_flash_module Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 08/15] ice: allow reading inactive flash security revision Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 09/15] ice: allow reading arbitrary size data with read_flash_module Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 10/15] ice: display some stored NVM versions via devlink info Tony Nguyen
2021-01-30 6:37 ` Jakub Kicinski
2021-02-01 18:15 ` Keller, Jacob E
2021-02-01 21:40 ` Jacob Keller
2021-02-01 22:34 ` Jakub Kicinski
2021-02-01 23:09 ` Jacob Keller
2021-02-06 2:35 ` Brelinski, TonyX
2021-01-29 0:43 ` [PATCH net-next 11/15] ice: display stored netlist " Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 12/15] ice: display stored UNDI firmware version " Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 13/15] ice: Replace one-element array with flexible-array member Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 14/15] ice: use flex_array_size where possible Tony Nguyen
2021-01-29 0:43 ` [PATCH net-next 15/15] ice: remove dead code Tony Nguyen
2021-01-29 21:37 ` [PATCH net-next 00/15][pull request] 100GbE Intel Wired LAN Driver Updates 2021-01-28 Willem de Bruijn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=339cfa644eec45a7bc7b1b24dfe8b04e@intel.com \
--to=jacob.e.keller@intel.com \
--cc=anthony.l.nguyen@intel.com \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sassmann@redhat.com \
--cc=tonyx.brelinski@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).