* [PATCH v4 9/9] rust: macros: remove `THIS_MODULE` static from `module!`
From: Alvin Sun @ 2026-06-23 6:29 UTC (permalink / raw)
To: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen, Aaron Tomlin, Greg Kroah-Hartman,
Rafael J. Wysocki, David Airlie, Simona Vetter, Daniel Almeida,
Arnd Bergmann, Brendan Higgins, David Gow, Rae Moar, Breno Leitao,
Jens Axboe, Dave Ertman, Ira Weiny, Leon Romanovsky, Igor Korotin,
FUJITA Tomonori, Bjorn Helgaas, Krzysztof Wilczyński,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas
Cc: rust-for-linux, linux-modules, driver-core, dri-devel, nova-gpu,
linux-kselftest, kunit-dev, linux-block, linux-kernel, netdev,
linux-pci, Alvin Sun
In-Reply-To: <20260623-fix-fops-owner-v4-0-0daf5f077d5c@linux.dev>
All users have been migrated to `ModuleMetadata::THIS_MODULE` const or
`this_module::<LocalModule>()` helper. The `static THIS_MODULE`
generated by the `module!` macro is no longer referenced anywhere,
so remove it to avoid having two sources of the same `ThisModule`
pointer.
Signed-off-by: Alvin Sun <alvin.sun@linux.dev>
---
rust/macros/module.rs | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/rust/macros/module.rs b/rust/macros/module.rs
index aa9a618d5d19e..23b6a1b456b80 100644
--- a/rust/macros/module.rs
+++ b/rust/macros/module.rs
@@ -497,22 +497,6 @@ pub(crate) fn module(info: ModuleInfo) -> Result<TokenStream> {
/// Used by the printing macros, e.g. [`info!`].
const __LOG_PREFIX: &[u8] = #name_cstr.to_bytes_with_nul();
- // SAFETY: `__this_module` is constructed by the kernel at load time and will not be
- // freed until the module is unloaded.
- #[cfg(MODULE)]
- static THIS_MODULE: ::kernel::ThisModule = unsafe {
- extern "C" {
- static __this_module: ::kernel::types::Opaque<::kernel::bindings::module>;
- };
-
- ::kernel::ThisModule::from_ptr(__this_module.get())
- };
-
- #[cfg(not(MODULE))]
- static THIS_MODULE: ::kernel::ThisModule = unsafe {
- ::kernel::ThisModule::from_ptr(::core::ptr::null_mut())
- };
-
/// The `LocalModule` type is the type of the module created by `module!`,
/// `module_pci_driver!`, `module_platform_driver!`, etc.
type LocalModule = #type_;
--
2.43.0
^ permalink raw reply related
* [PATCH v4 7/9] rust: configfs: use `LocalModule` for `THIS_MODULE`
From: Alvin Sun @ 2026-06-23 6:29 UTC (permalink / raw)
To: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen, Aaron Tomlin, Greg Kroah-Hartman,
Rafael J. Wysocki, David Airlie, Simona Vetter, Daniel Almeida,
Arnd Bergmann, Brendan Higgins, David Gow, Rae Moar, Breno Leitao,
Jens Axboe, Dave Ertman, Ira Weiny, Leon Romanovsky, Igor Korotin,
FUJITA Tomonori, Bjorn Helgaas, Krzysztof Wilczyński,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas
Cc: rust-for-linux, linux-modules, driver-core, dri-devel, nova-gpu,
linux-kselftest, kunit-dev, linux-block, linux-kernel, netdev,
linux-pci, Alvin Sun
In-Reply-To: <20260623-fix-fops-owner-v4-0-0daf5f077d5c@linux.dev>
Replace the `THIS_MODULE` static reference in the `configfs_attrs!`
macro with `this_module::<LocalModule>()`, and update
rnull to import `LocalModule` instead of `THIS_MODULE`, consistent
with the move of `THIS_MODULE` into the `ModuleMetadata` trait.
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: Alvin Sun <alvin.sun@linux.dev>
---
drivers/block/rnull/configfs.rs | 6 ++----
rust/kernel/configfs.rs | 8 +++++---
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/block/rnull/configfs.rs b/drivers/block/rnull/configfs.rs
index c10a55fc58948..b2547ad1e5ddd 100644
--- a/drivers/block/rnull/configfs.rs
+++ b/drivers/block/rnull/configfs.rs
@@ -1,9 +1,7 @@
// SPDX-License-Identifier: GPL-2.0
-use super::{
- NullBlkDevice,
- THIS_MODULE, //
-};
+use super::NullBlkDevice;
+use crate::LocalModule;
use kernel::{
block::mq::gen_disk::{
GenDisk,
diff --git a/rust/kernel/configfs.rs b/rust/kernel/configfs.rs
index 2339c6467325d..b542422115461 100644
--- a/rust/kernel/configfs.rs
+++ b/rust/kernel/configfs.rs
@@ -875,7 +875,7 @@ fn as_ptr(&self) -> *const bindings::config_item_type {
/// configfs::Subsystem<Configuration>,
/// Configuration
/// >::new_with_child_ctor::<N,Child>(
-/// &THIS_MODULE,
+/// ::kernel::module::this_module::<LocalModule>(),
/// &CONFIGURATION_ATTRS
/// );
///
@@ -1021,7 +1021,8 @@ macro_rules! configfs_attrs {
static [< $data:upper _TPE >] : $crate::configfs::ItemType<$container, $data> =
$crate::configfs::ItemType::<$container, $data>::new::<N>(
- &THIS_MODULE, &[<$ data:upper _ATTRS >]
+ $crate::module::this_module::<LocalModule>(),
+ &[<$ data:upper _ATTRS >]
);
)?
@@ -1030,7 +1031,8 @@ macro_rules! configfs_attrs {
$crate::configfs::ItemType<$container, $data> =
$crate::configfs::ItemType::<$container, $data>::
new_with_child_ctor::<N, $child>(
- &THIS_MODULE, &[<$ data:upper _ATTRS >]
+ $crate::module::this_module::<LocalModule>(),
+ &[<$ data:upper _ATTRS >]
);
)?
--
2.43.0
^ permalink raw reply related
* [PATCH v4 8/9] rust: binder: use `LocalModule` for `THIS_MODULE`
From: Alvin Sun @ 2026-06-23 6:29 UTC (permalink / raw)
To: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen, Aaron Tomlin, Greg Kroah-Hartman,
Rafael J. Wysocki, David Airlie, Simona Vetter, Daniel Almeida,
Arnd Bergmann, Brendan Higgins, David Gow, Rae Moar, Breno Leitao,
Jens Axboe, Dave Ertman, Ira Weiny, Leon Romanovsky, Igor Korotin,
FUJITA Tomonori, Bjorn Helgaas, Krzysztof Wilczyński,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas
Cc: rust-for-linux, linux-modules, driver-core, dri-devel, nova-gpu,
linux-kselftest, kunit-dev, linux-block, linux-kernel, netdev,
linux-pci, Alvin Sun
In-Reply-To: <20260623-fix-fops-owner-v4-0-0daf5f077d5c@linux.dev>
Replace the `THIS_MODULE` static reference in the binder fops with
`this_module::<LocalModule>()`, consistent with the move of
`THIS_MODULE` into the `ModuleMetadata` trait.
Signed-off-by: Alvin Sun <alvin.sun@linux.dev>
---
drivers/android/binder/rust_binder_main.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/android/binder/rust_binder_main.rs b/drivers/android/binder/rust_binder_main.rs
index dc1941cd2407b..d6ceebbd5f94e 100644
--- a/drivers/android/binder/rust_binder_main.rs
+++ b/drivers/android/binder/rust_binder_main.rs
@@ -17,6 +17,7 @@
bindings::{self, seq_file},
fs::File,
list::{ListArc, ListArcSafe, ListLinksSelfPtr, TryNewListArc},
+ module::this_module,
prelude::*,
seq_file::SeqFile,
seq_print,
@@ -318,7 +319,7 @@ unsafe impl<T> Sync for AssertSync<T> {}
let zeroed_ops = unsafe { core::mem::MaybeUninit::zeroed().assume_init() };
let ops = kernel::bindings::file_operations {
- owner: THIS_MODULE.as_ptr(),
+ owner: this_module::<LocalModule>().as_ptr(),
poll: Some(rust_binder_poll),
unlocked_ioctl: Some(rust_binder_ioctl),
compat_ioctl: bindings::compat_ptr_ioctl,
--
2.43.0
^ permalink raw reply related
* [PATCH v4 6/9] rust: miscdevice: set fops.owner from driver module pointer
From: Alvin Sun @ 2026-06-23 6:29 UTC (permalink / raw)
To: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen, Aaron Tomlin, Greg Kroah-Hartman,
Rafael J. Wysocki, David Airlie, Simona Vetter, Daniel Almeida,
Arnd Bergmann, Brendan Higgins, David Gow, Rae Moar, Breno Leitao,
Jens Axboe, Dave Ertman, Ira Weiny, Leon Romanovsky, Igor Korotin,
FUJITA Tomonori, Bjorn Helgaas, Krzysztof Wilczyński,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas
Cc: rust-for-linux, linux-modules, driver-core, dri-devel, nova-gpu,
linux-kselftest, kunit-dev, linux-block, linux-kernel, netdev,
linux-pci, Alvin Sun
In-Reply-To: <20260623-fix-fops-owner-v4-0-0daf5f077d5c@linux.dev>
Set the miscdevice fops owner field from the driver module pointer
via the `this_module::<T::OwnerModule>()` helper, instead of
defaulting to null.
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: Alvin Sun <alvin.sun@linux.dev>
---
rust/kernel/miscdevice.rs | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rust/kernel/miscdevice.rs b/rust/kernel/miscdevice.rs
index 83ce50def5ac9..2a4329f98614e 100644
--- a/rust/kernel/miscdevice.rs
+++ b/rust/kernel/miscdevice.rs
@@ -24,12 +24,13 @@
IovIterSource, //
},
mm::virt::VmaNew,
+ module::this_module,
prelude::*,
seq_file::SeqFile,
types::{
ForeignOwnable,
Opaque, //
- },
+ }, //
};
use core::marker::PhantomData;
@@ -430,6 +431,7 @@ impl<T: MiscDevice> MiscdeviceVTable<T> {
} else {
None
},
+ owner: this_module::<T::OwnerModule>().as_ptr(),
..pin_init::zeroed()
};
--
2.43.0
^ permalink raw reply related
* [PATCH v4 5/9] rust: drm: set fops.owner from driver module pointer
From: Alvin Sun @ 2026-06-23 6:29 UTC (permalink / raw)
To: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen, Aaron Tomlin, Greg Kroah-Hartman,
Rafael J. Wysocki, David Airlie, Simona Vetter, Daniel Almeida,
Arnd Bergmann, Brendan Higgins, David Gow, Rae Moar, Breno Leitao,
Jens Axboe, Dave Ertman, Ira Weiny, Leon Romanovsky, Igor Korotin,
FUJITA Tomonori, Bjorn Helgaas, Krzysztof Wilczyński,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas
Cc: rust-for-linux, linux-modules, driver-core, dri-devel, nova-gpu,
linux-kselftest, kunit-dev, linux-block, linux-kernel, netdev,
linux-pci, Alvin Sun
In-Reply-To: <20260623-fix-fops-owner-v4-0-0daf5f077d5c@linux.dev>
Change `create_fops()` to accept an owner module pointer instead of
hardcoding `null_mut()`, ensuring the kernel correctly tracks the
module owning the DRM device's file operations.
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Gary Guo <gary@garyguo.net>
Signed-off-by: Alvin Sun <alvin.sun@linux.dev>
---
rust/kernel/drm/device.rs | 3 ++-
rust/kernel/drm/gem/mod.rs | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/rust/kernel/drm/device.rs b/rust/kernel/drm/device.rs
index 403fc35353c74..d92cacb665366 100644
--- a/rust/kernel/drm/device.rs
+++ b/rust/kernel/drm/device.rs
@@ -111,7 +111,8 @@ impl<T: drm::Driver> Device<T> {
fops: &Self::GEM_FOPS,
};
- const GEM_FOPS: bindings::file_operations = drm::gem::create_fops();
+ const GEM_FOPS: bindings::file_operations =
+ drm::gem::create_fops(crate::module::this_module::<T::OwnerModule>().as_ptr());
/// Create a new `drm::Device` for a `drm::Driver`.
pub fn new(dev: &device::Device, data: impl PinInit<T::Data, Error>) -> Result<ARef<Self>> {
diff --git a/rust/kernel/drm/gem/mod.rs b/rust/kernel/drm/gem/mod.rs
index 01b5bd47a3332..9a203efc59116 100644
--- a/rust/kernel/drm/gem/mod.rs
+++ b/rust/kernel/drm/gem/mod.rs
@@ -357,10 +357,10 @@ impl<T: DriverObject> AllocImpl for Object<T> {
};
}
-pub(super) const fn create_fops() -> bindings::file_operations {
+pub(super) const fn create_fops(owner: *mut bindings::module) -> bindings::file_operations {
let mut fops: bindings::file_operations = pin_init::zeroed();
- fops.owner = core::ptr::null_mut();
+ fops.owner = owner;
fops.open = Some(bindings::drm_open);
fops.release = Some(bindings::drm_release);
fops.unlocked_ioctl = Some(bindings::drm_ioctl);
--
2.43.0
^ permalink raw reply related
* [PATCH v4 4/9] rust: macros: auto-insert OwnerModule in #[vtable]
From: Alvin Sun @ 2026-06-23 6:29 UTC (permalink / raw)
To: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen, Aaron Tomlin, Greg Kroah-Hartman,
Rafael J. Wysocki, David Airlie, Simona Vetter, Daniel Almeida,
Arnd Bergmann, Brendan Higgins, David Gow, Rae Moar, Breno Leitao,
Jens Axboe, Dave Ertman, Ira Weiny, Leon Romanovsky, Igor Korotin,
FUJITA Tomonori, Bjorn Helgaas, Krzysztof Wilczyński,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas
Cc: rust-for-linux, linux-modules, driver-core, dri-devel, nova-gpu,
linux-kselftest, kunit-dev, linux-block, linux-kernel, netdev,
linux-pci, Alvin Sun
In-Reply-To: <20260623-fix-fops-owner-v4-0-0daf5f077d5c@linux.dev>
Auto-add `type OwnerModule: ::kernel::ModuleMetadata;` as a required
associated type on the trait side if not already defined, and
auto-insert `type OwnerModule = crate::LocalModule;` on the impl side
if not explicitly provided, eliminating the need to manually declare
and implement `OwnerModule` in every vtable trait and impl.
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Suggested-by: Gary Guo <gary@garyguo.net>
Link: https://lore.kernel.org/all/DIMMWHUOLPSH.13JFRHDKDQJGO@garyguo.net
Signed-off-by: Alvin Sun <alvin.sun@linux.dev>
---
rust/macros/lib.rs | 6 ++++++
rust/macros/vtable.rs | 41 ++++++++++++++++++++++++++++++++++++-----
2 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/rust/macros/lib.rs b/rust/macros/lib.rs
index 2cfd59e0f9e7c..bc7ded353c5ca 100644
--- a/rust/macros/lib.rs
+++ b/rust/macros/lib.rs
@@ -176,6 +176,12 @@ pub fn module(input: TokenStream) -> TokenStream {
///
/// This macro should not be used when all functions are required.
///
+/// Additionally, this macro automatically handles the `OwnerModule`
+/// associated type: on the trait side, `type OwnerModule: ModuleMetadata;`
+/// is added as a required associated type if not already defined; on the
+/// impl side, `type OwnerModule = LocalModule;` is automatically inserted
+/// if not explicitly defined.
+///
/// # Examples
///
/// ```
diff --git a/rust/macros/vtable.rs b/rust/macros/vtable.rs
index c6510b0c4ea1d..be9a5ed8abe5e 100644
--- a/rust/macros/vtable.rs
+++ b/rust/macros/vtable.rs
@@ -30,6 +30,22 @@ fn handle_trait(mut item: ItemTrait) -> Result<ItemTrait> {
const USE_VTABLE_ATTR: ();
});
+ // Add `type OwnerModule: ModuleMetadata` as a required associated type if
+ // the trait does not already define it.
+ if !item
+ .items
+ .iter()
+ .any(|i| matches!(i, TraitItem::Type(t) if t.ident == "OwnerModule"))
+ {
+ gen_items.push(parse_quote! {
+ /// The module implementing this vtable trait.
+ ///
+ /// Automatically set to `crate::LocalModule` by the `#[vtable]`
+ /// impl macro.
+ type OwnerModule: ::kernel::ModuleMetadata;
+ });
+ }
+
for item in &item.items {
if let TraitItem::Fn(fn_item) = item {
let name = &fn_item.sig.ident;
@@ -57,12 +73,18 @@ fn handle_trait(mut item: ItemTrait) -> Result<ItemTrait> {
fn handle_impl(mut item: ItemImpl) -> Result<ItemImpl> {
let mut gen_items = Vec::new();
- let mut defined_consts = HashSet::new();
+ let mut defined_items = HashSet::new();
- // Iterate over all user-defined constants to gather any possible explicit overrides.
+ // Iterate over all user-defined items to gather any possible explicit overrides.
for item in &item.items {
- if let ImplItem::Const(const_item) = item {
- defined_consts.insert(const_item.ident.clone());
+ match item {
+ ImplItem::Const(const_item) => {
+ defined_items.insert(const_item.ident.clone());
+ }
+ ImplItem::Type(type_item) => {
+ defined_items.insert(type_item.ident.clone());
+ }
+ _ => {}
}
}
@@ -70,6 +92,15 @@ fn handle_impl(mut item: ItemImpl) -> Result<ItemImpl> {
const USE_VTABLE_ATTR: () = ();
});
+ // Auto-insert `type OwnerModule = crate::LocalModule` if not explicitly defined.
+ // `crate::LocalModule` resolves to the real module type (via `module!`) or a
+ // dummy fallback in non-module contexts (e.g., doctests).
+ if !defined_items.contains(&parse_quote!(OwnerModule)) {
+ gen_items.push(parse_quote! {
+ type OwnerModule = crate::LocalModule;
+ });
+ }
+
for item in &item.items {
if let ImplItem::Fn(fn_item) = item {
let name = &fn_item.sig.ident;
@@ -78,7 +109,7 @@ fn handle_impl(mut item: ItemImpl) -> Result<ItemImpl> {
name.span(),
);
// Skip if it's declared already -- this allows user override.
- if defined_consts.contains(&gen_const_name) {
+ if defined_items.contains(&gen_const_name) {
continue;
}
let cfg_attrs = crate::helpers::gather_cfg_attrs(&fn_item.attrs);
--
2.43.0
^ permalink raw reply related
* [PATCH v4 3/9] rust: doctest: add LocalModule fallback for #[vtable] ThisModule
From: Alvin Sun @ 2026-06-23 6:29 UTC (permalink / raw)
To: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen, Aaron Tomlin, Greg Kroah-Hartman,
Rafael J. Wysocki, David Airlie, Simona Vetter, Daniel Almeida,
Arnd Bergmann, Brendan Higgins, David Gow, Rae Moar, Breno Leitao,
Jens Axboe, Dave Ertman, Ira Weiny, Leon Romanovsky, Igor Korotin,
FUJITA Tomonori, Bjorn Helgaas, Krzysztof Wilczyński,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas
Cc: rust-for-linux, linux-modules, driver-core, dri-devel, nova-gpu,
linux-kselftest, kunit-dev, linux-block, linux-kernel, netdev,
linux-pci, Alvin Sun
In-Reply-To: <20260623-fix-fops-owner-v4-0-0daf5f077d5c@linux.dev>
Add a `LocalModule` struct with a null-pointer `ModuleMetadata` impl
in the doctest harness, so that `crate::LocalModule` (auto-inserted
by `#[vtable]`) resolves correctly when there is no `module!` macro.
Reviewed-by: Andreas Hindborg <a.hindborg@kernel.org>
Signed-off-by: Alvin Sun <alvin.sun@linux.dev>
---
scripts/rustdoc_test_gen.rs | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/scripts/rustdoc_test_gen.rs b/scripts/rustdoc_test_gen.rs
index ee76e96b41eea..198af4e446c8c 100644
--- a/scripts/rustdoc_test_gen.rs
+++ b/scripts/rustdoc_test_gen.rs
@@ -239,6 +239,22 @@ macro_rules! assert_eq {{
const __LOG_PREFIX: &[u8] = b"rust_doctests_kernel\0";
+/// Dummy module type for doctest context.
+struct LocalModule;
+
+use kernel::{{
+ str::CStr,
+ ModuleMetadata,
+ ThisModule, //
+}};
+use core::ptr::null_mut;
+
+impl ModuleMetadata for LocalModule {{
+ const NAME: &'static CStr = c"rust_doctests_kernel";
+ // SAFETY: `try_module_get`/`module_put` handle null module pointers gracefully.
+ const THIS_MODULE: ThisModule = unsafe {{ ThisModule::from_ptr(null_mut()) }};
+}}
+
{rust_tests}
"#
)
--
2.43.0
^ permalink raw reply related
* [PATCH v4 2/9] rust: module: add `THIS_MODULE` const to `ModuleMetadata` trait
From: Alvin Sun @ 2026-06-23 6:29 UTC (permalink / raw)
To: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen, Aaron Tomlin, Greg Kroah-Hartman,
Rafael J. Wysocki, David Airlie, Simona Vetter, Daniel Almeida,
Arnd Bergmann, Brendan Higgins, David Gow, Rae Moar, Breno Leitao,
Jens Axboe, Dave Ertman, Ira Weiny, Leon Romanovsky, Igor Korotin,
FUJITA Tomonori, Bjorn Helgaas, Krzysztof Wilczyński,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas
Cc: rust-for-linux, linux-modules, driver-core, dri-devel, nova-gpu,
linux-kselftest, kunit-dev, linux-block, linux-kernel, netdev,
linux-pci, Alvin Sun
In-Reply-To: <20260623-fix-fops-owner-v4-0-0daf5f077d5c@linux.dev>
Since `const_refs_to_static` has been stable as of the MSRV bump, a
`ThisModule` pointer can now be used in const contexts.
Add a `THIS_MODULE` const to the `ModuleMetadata` trait so that modules
can provide their `ThisModule` pointer in const contexts such as static
`file_operations`.
Add a `this_module()` helper to retrieve the `THIS_MODULE` pointer of a
given module type, and update `__init` to use it instead of the
`THIS_MODULE` static generated by the `module!` macro.
The `static THIS_MODULE` generated by the `module!` macro is retained
for backwards compatibility with existing users and removed in a later
patch once all references have been migrated.
Signed-off-by: Alvin Sun <alvin.sun@linux.dev>
---
rust/kernel/module.rs | 8 ++++++++
rust/macros/module.rs | 18 +++++++++++++++++-
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/rust/kernel/module.rs b/rust/kernel/module.rs
index be242a82e86d2..5aca42f7a33fc 100644
--- a/rust/kernel/module.rs
+++ b/rust/kernel/module.rs
@@ -42,6 +42,14 @@ fn init(module: &'static ThisModule) -> impl pin_init::PinInit<Self, crate::erro
pub trait ModuleMetadata {
/// The name of the module as specified in the `module!` macro.
const NAME: &'static crate::str::CStr;
+
+ /// The module's `THIS_MODULE` pointer.
+ const THIS_MODULE: ThisModule;
+}
+
+/// Returns a reference to the `THIS_MODULE` of the given module type.
+pub const fn this_module<M: ModuleMetadata>() -> &'static ThisModule {
+ &M::THIS_MODULE
}
/// Equivalent to `THIS_MODULE` in the C API.
diff --git a/rust/macros/module.rs b/rust/macros/module.rs
index 06c18e2075083..aa9a618d5d19e 100644
--- a/rust/macros/module.rs
+++ b/rust/macros/module.rs
@@ -519,6 +519,22 @@ pub(crate) fn module(info: ModuleInfo) -> Result<TokenStream> {
impl ::kernel::ModuleMetadata for #type_ {
const NAME: &'static ::kernel::str::CStr = #name_cstr;
+
+ #[cfg(MODULE)]
+ const THIS_MODULE: ::kernel::ThisModule = {
+ extern "C" {
+ static __this_module: ::kernel::types::Opaque<::kernel::bindings::module>;
+ }
+
+ // SAFETY: `__this_module` is constructed by the kernel at load time
+ // and lives until the module is unloaded.
+ unsafe { ::kernel::ThisModule::from_ptr(__this_module.get()) }
+ };
+
+ #[cfg(not(MODULE))]
+ const THIS_MODULE: ::kernel::ThisModule = unsafe {
+ ::kernel::ThisModule::from_ptr(::core::ptr::null_mut())
+ };
}
// Double nested modules, since then nobody can access the public items inside.
@@ -616,7 +632,7 @@ pub extern "C" fn #ident_exit() {
/// This function must only be called once.
unsafe fn __init() -> ::kernel::ffi::c_int {
let initer = <super::super::LocalModule as ::kernel::InPlaceModule>::init(
- &super::super::THIS_MODULE
+ ::kernel::module::this_module::<super::super::LocalModule>()
);
// SAFETY: No data race, since `__MOD` can only be accessed by this module
// and there only `__init` and `__exit` access it. These functions are only
--
2.43.0
^ permalink raw reply related
* [PATCH v4 1/9] rust: module: move module types into `module.rs`
From: Alvin Sun @ 2026-06-23 6:29 UTC (permalink / raw)
To: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen, Aaron Tomlin, Greg Kroah-Hartman,
Rafael J. Wysocki, David Airlie, Simona Vetter, Daniel Almeida,
Arnd Bergmann, Brendan Higgins, David Gow, Rae Moar, Breno Leitao,
Jens Axboe, Dave Ertman, Ira Weiny, Leon Romanovsky, Igor Korotin,
FUJITA Tomonori, Bjorn Helgaas, Krzysztof Wilczyński,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas
Cc: rust-for-linux, linux-modules, driver-core, dri-devel, nova-gpu,
linux-kselftest, kunit-dev, linux-block, linux-kernel, netdev,
linux-pci, Alvin Sun
In-Reply-To: <20260623-fix-fops-owner-v4-0-0daf5f077d5c@linux.dev>
Move `Module`, `InPlaceModule`, `ModuleMetadata` and `ThisModule` from
`lib.rs` into a new `rust/kernel/module.rs`. Re-export them from `lib.rs`
to avoid tree-wide changes.
Switch six bus driver registrations from `module.0` to the public
`ThisModule::as_ptr()` accessor, since the field is no longer visible
outside the new `module` submodule.
No functional change.
Signed-off-by: Alvin Sun <alvin.sun@linux.dev>
---
rust/kernel/auxiliary.rs | 2 +-
rust/kernel/i2c.rs | 2 +-
rust/kernel/lib.rs | 75 +++++-------------------------------------------
rust/kernel/module.rs | 71 +++++++++++++++++++++++++++++++++++++++++++++
rust/kernel/net/phy.rs | 6 +++-
rust/kernel/pci.rs | 2 +-
rust/kernel/platform.rs | 2 +-
rust/kernel/usb.rs | 2 +-
8 files changed, 88 insertions(+), 74 deletions(-)
diff --git a/rust/kernel/auxiliary.rs b/rust/kernel/auxiliary.rs
index 93c0db1f66555..4a02f83240be3 100644
--- a/rust/kernel/auxiliary.rs
+++ b/rust/kernel/auxiliary.rs
@@ -63,7 +63,7 @@ unsafe fn register(
// SAFETY: `adrv` is guaranteed to be a valid `DriverType`.
to_result(unsafe {
- bindings::__auxiliary_driver_register(adrv.get(), module.0, name.as_char_ptr())
+ bindings::__auxiliary_driver_register(adrv.get(), module.as_ptr(), name.as_char_ptr())
})
}
diff --git a/rust/kernel/i2c.rs b/rust/kernel/i2c.rs
index 7b908f0c5a58d..24eff08f47123 100644
--- a/rust/kernel/i2c.rs
+++ b/rust/kernel/i2c.rs
@@ -142,7 +142,7 @@ unsafe fn register(
}
// SAFETY: `idrv` is guaranteed to be a valid `DriverType`.
- to_result(unsafe { bindings::i2c_register_driver(module.0, idrv.get()) })
+ to_result(unsafe { bindings::i2c_register_driver(module.as_ptr(), idrv.get()) })
}
unsafe fn unregister(idrv: &Opaque<Self::DriverType>) {
diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
index b72b2fbe046d6..040ae85056509 100644
--- a/rust/kernel/lib.rs
+++ b/rust/kernel/lib.rs
@@ -93,6 +93,7 @@
pub mod maple_tree;
pub mod miscdevice;
pub mod mm;
+pub mod module;
pub mod module_param;
#[cfg(CONFIG_NET)]
pub mod net;
@@ -139,79 +140,17 @@
#[doc(hidden)]
pub use bindings;
pub use macros;
+pub use module::{
+ InPlaceModule,
+ Module,
+ ModuleMetadata,
+ ThisModule, //
+};
pub use uapi;
/// Prefix to appear before log messages printed from within the `kernel` crate.
const __LOG_PREFIX: &[u8] = b"rust_kernel\0";
-/// The top level entrypoint to implementing a kernel module.
-///
-/// For any teardown or cleanup operations, your type may implement [`Drop`].
-pub trait Module: Sized + Sync + Send {
- /// Called at module initialization time.
- ///
- /// Use this method to perform whatever setup or registration your module
- /// should do.
- ///
- /// Equivalent to the `module_init` macro in the C API.
- fn init(module: &'static ThisModule) -> error::Result<Self>;
-}
-
-/// A module that is pinned and initialised in-place.
-pub trait InPlaceModule: Sync + Send {
- /// Creates an initialiser for the module.
- ///
- /// It is called when the module is loaded.
- fn init(module: &'static ThisModule) -> impl pin_init::PinInit<Self, error::Error>;
-}
-
-impl<T: Module> InPlaceModule for T {
- fn init(module: &'static ThisModule) -> impl pin_init::PinInit<Self, error::Error> {
- let initer = move |slot: *mut Self| {
- let m = <Self as Module>::init(module)?;
-
- // SAFETY: `slot` is valid for write per the contract with `pin_init_from_closure`.
- unsafe { slot.write(m) };
- Ok(())
- };
-
- // SAFETY: On success, `initer` always fully initialises an instance of `Self`.
- unsafe { pin_init::pin_init_from_closure(initer) }
- }
-}
-
-/// Metadata attached to a [`Module`] or [`InPlaceModule`].
-pub trait ModuleMetadata {
- /// The name of the module as specified in the `module!` macro.
- const NAME: &'static crate::str::CStr;
-}
-
-/// Equivalent to `THIS_MODULE` in the C API.
-///
-/// C header: [`include/linux/init.h`](srctree/include/linux/init.h)
-pub struct ThisModule(*mut bindings::module);
-
-// SAFETY: `THIS_MODULE` may be used from all threads within a module.
-unsafe impl Sync for ThisModule {}
-
-impl ThisModule {
- /// Creates a [`ThisModule`] given the `THIS_MODULE` pointer.
- ///
- /// # Safety
- ///
- /// The pointer must be equal to the right `THIS_MODULE`.
- pub const unsafe fn from_ptr(ptr: *mut bindings::module) -> ThisModule {
- ThisModule(ptr)
- }
-
- /// Access the raw pointer for this module.
- ///
- /// It is up to the user to use it correctly.
- pub const fn as_ptr(&self) -> *mut bindings::module {
- self.0
- }
-}
-
#[cfg(not(testlib))]
#[panic_handler]
fn panic(info: &core::panic::PanicInfo<'_>) -> ! {
diff --git a/rust/kernel/module.rs b/rust/kernel/module.rs
new file mode 100644
index 0000000000000..be242a82e86d2
--- /dev/null
+++ b/rust/kernel/module.rs
@@ -0,0 +1,71 @@
+// SPDX-License-Identifier: GPL-2.0
+
+//! Module-related types and helpers.
+
+/// The entrypoint to implementing a kernel module.
+///
+/// For any teardown or cleanup operations, your type may implement [`Drop`].
+pub trait Module: Sized + Sync + Send {
+ /// Called at module initialization time.
+ ///
+ /// Use this method to perform whatever setup or registration your module
+ /// should do.
+ ///
+ /// Equivalent to the `module_init` macro in the C API.
+ fn init(module: &'static ThisModule) -> crate::error::Result<Self>;
+}
+
+/// A module that is pinned and initialised in-place.
+pub trait InPlaceModule: Sync + Send {
+ /// Creates an initialiser for the module.
+ ///
+ /// It is called when the module is loaded.
+ fn init(module: &'static ThisModule) -> impl pin_init::PinInit<Self, crate::error::Error>;
+}
+
+impl<T: Module> InPlaceModule for T {
+ fn init(module: &'static ThisModule) -> impl pin_init::PinInit<Self, crate::error::Error> {
+ let initer = move |slot: *mut Self| {
+ let m = <Self as Module>::init(module)?;
+
+ // SAFETY: `slot` is valid for write per the contract with `pin_init_from_closure`.
+ unsafe { slot.write(m) };
+ Ok(())
+ };
+
+ // SAFETY: On success, `initer` always fully initialises an instance of `Self`.
+ unsafe { pin_init::pin_init_from_closure(initer) }
+ }
+}
+
+/// Metadata attached to a [`Module`] or [`InPlaceModule`].
+pub trait ModuleMetadata {
+ /// The name of the module as specified in the `module!` macro.
+ const NAME: &'static crate::str::CStr;
+}
+
+/// Equivalent to `THIS_MODULE` in the C API.
+///
+/// C header: [`include/linux/init.h`](srctree/include/linux/init.h)
+pub struct ThisModule(*mut crate::bindings::module);
+
+// SAFETY: `THIS_MODULE` may be used from all threads within a module.
+unsafe impl Sync for ThisModule {}
+
+impl ThisModule {
+ /// Creates a [`ThisModule`] given the `THIS_MODULE` pointer.
+ ///
+ /// # Safety
+ ///
+ /// The pointer must be equal to the right `THIS_MODULE`.
+ pub const unsafe fn from_ptr(ptr: *mut crate::bindings::module) -> ThisModule {
+ ThisModule(ptr)
+ }
+
+ /// Access the raw pointer for this module.
+ ///
+ /// It is up to the user to use it correctly.
+ pub const fn as_ptr(&self) -> *mut crate::bindings::module {
+ self.0
+ }
+}
diff --git a/rust/kernel/net/phy.rs b/rust/kernel/net/phy.rs
index 3ca99db5cccf2..8b7036b8fe480 100644
--- a/rust/kernel/net/phy.rs
+++ b/rust/kernel/net/phy.rs
@@ -659,7 +659,11 @@ pub fn register(
// the `drivers` slice are initialized properly. `drivers` will not be moved.
// So it's just an FFI call.
to_result(unsafe {
- bindings::phy_drivers_register(drivers[0].0.get(), drivers.len().try_into()?, module.0)
+ bindings::phy_drivers_register(
+ drivers[0].0.get(),
+ drivers.len().try_into()?,
+ module.as_ptr(),
+ )
})?;
// INVARIANT: The `drivers` slice is successfully registered to the kernel via `phy_drivers_register`.
Ok(Registration { drivers })
diff --git a/rust/kernel/pci.rs b/rust/kernel/pci.rs
index af74ddff6114d..916ed2cb6b70b 100644
--- a/rust/kernel/pci.rs
+++ b/rust/kernel/pci.rs
@@ -86,7 +86,7 @@ unsafe fn register(
// SAFETY: `pdrv` is guaranteed to be a valid `DriverType`.
to_result(unsafe {
- bindings::__pci_register_driver(pdrv.get(), module.0, name.as_char_ptr())
+ bindings::__pci_register_driver(pdrv.get(), module.as_ptr(), name.as_char_ptr())
})
}
diff --git a/rust/kernel/platform.rs b/rust/kernel/platform.rs
index 8917d4ee499fb..9fdbafd53bc21 100644
--- a/rust/kernel/platform.rs
+++ b/rust/kernel/platform.rs
@@ -82,7 +82,7 @@ unsafe fn register(
}
// SAFETY: `pdrv` is guaranteed to be a valid `DriverType`.
- to_result(unsafe { bindings::__platform_driver_register(pdrv.get(), module.0) })
+ to_result(unsafe { bindings::__platform_driver_register(pdrv.get(), module.as_ptr()) })
}
unsafe fn unregister(pdrv: &Opaque<Self::DriverType>) {
diff --git a/rust/kernel/usb.rs b/rust/kernel/usb.rs
index 9c17a672cd275..213db32727c17 100644
--- a/rust/kernel/usb.rs
+++ b/rust/kernel/usb.rs
@@ -63,7 +63,7 @@ unsafe fn register(
// SAFETY: `udrv` is guaranteed to be a valid `DriverType`.
to_result(unsafe {
- bindings::usb_register_driver(udrv.get(), module.0, name.as_char_ptr())
+ bindings::usb_register_driver(udrv.get(), module.as_ptr(), name.as_char_ptr())
})
}
--
2.43.0
^ permalink raw reply related
* [PATCH v4 0/9] Fix missing fops.owner in Rust DRM/misc abstractions
From: Alvin Sun @ 2026-06-23 6:29 UTC (permalink / raw)
To: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Danilo Krummrich, Luis Chamberlain, Petr Pavlu, Daniel Gomez,
Sami Tolvanen, Aaron Tomlin, Greg Kroah-Hartman,
Rafael J. Wysocki, David Airlie, Simona Vetter, Daniel Almeida,
Arnd Bergmann, Brendan Higgins, David Gow, Rae Moar, Breno Leitao,
Jens Axboe, Dave Ertman, Ira Weiny, Leon Romanovsky, Igor Korotin,
FUJITA Tomonori, Bjorn Helgaas, Krzysztof Wilczyński,
Arve Hjønnevåg, Todd Kjos, Christian Brauner,
Carlos Llamas
Cc: rust-for-linux, linux-modules, driver-core, dri-devel, nova-gpu,
linux-kselftest, kunit-dev, linux-block, linux-kernel, netdev,
linux-pci, Alvin Sun
During tyr debugfs development, a kernel NULL pointer dereference was
encountered after `rmmod tyr` while gnome-shell still held /dev/card1 open:
```
[158827.868132] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[158827.868918] Mem abort info:
[158827.869177] ESR = 0x0000000086000004
[158827.869519] EC = 0x21: IABT (current EL), IL = 32 bits
[158827.870000] SET = 0, FnV = 0
[158827.870281] EA = 0, S1PTW = 0
[158827.870571] FSC = 0x04: level 0 translation fault
[158827.871043] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000108dec000
[158827.871623] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[158827.872242] Internal error: Oops: 0000000086000004 [#1] SMP
[158827.872246] Modules linked in: tyr sunrpc snd_soc_simple_card rk805_pwrkey snd_soc_simple_card_utils rtw88_8822bu display_connector rtw88_usb rtw88_8822b snd_soc_rockchip_i2s_tdm snd_soc_hdmi_codec
rtw88_core]
[158827.872337] CPU: 4 UID: 1000 PID: 11276 Comm: gnome-s:disk$0 Tainted: G N 7.1.0-rc1+ #331 PREEMPT
[158827.880534] Tainted: [N]=TEST
[158827.880535] Hardware name: FriendlyElec NanoPi R6C/NanoPi R6C, BIOS v1.1 04/09/2025
[158827.880538] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[158827.880542] pc : 0x0
[158827.880547] lr : _RNvNtCs257m05FHVbX_3tyr2vm8pt_unmap+0x8c/0x12c [tyr]
[158827.880578] sp : ffff800083c236b0
[158827.880579] x29: ffff800083c236d0 x28: ffff00013f8a0000 x27: 0000000000000000
[158827.880585] x26: 000000000000007c x25: ffff000108e6ed80 x24: 0000000000401000
[158827.880590] x23: 0000000000000000 x22: 0000000040000000 x21: 0000000000001000
[158827.880595] x20: ffff00010f778138 x19: 0000000000400000 x18: 00000000ffffffff
[158827.880600] x17: 000000040044ffff x16: 045000f2b5503510 x15: 0720072007200720
[158827.880606] x14: 0720072007200720 x13: 0000000000401000 x12: 0000000000400000
[158827.880611] x11: ffff800083c239d0 x10: ffff000141e4fd88 x9 : 0000000000000000
[158827.880615] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000400000
[158827.880620] x5 : ffff00013f8a0000 x4 : 0000000000000000 x3 : 0000000000000001
[158827.880625] x2 : 0000000000001000 x1 : 0000000000400000 x0 : ffff00010f778138
[158827.880630] Call trace:
[158827.880632] 0x0 (P)
[158827.880635] _RNvXs6_NtCs257m05FHVbX_3tyr2vmNtB5_9GpuVmDataNtNtNtCsgmSOfgXi5CZ_6kernel3drm5gpuvm11DriverGpuVm13sm_step_unmap+0x3c/0x120 [tyr]
[158827.891166] _RNvMs4_NtNtNtCsgmSOfgXi5CZ_6kernel3drm5gpuvm6sm_opsINtB7_5GpuVmNtNtCs257m05FHVbX_3tyr2vm9GpuVmDataE13sm_step_unmapB13_+0x18/0x34 [tyr]
[158827.891187] op_unmap_cb+0x78/0xb0
[158827.891196] __drm_gpuvm_sm_unmap+0x18c/0x1b4
[158827.891204] drm_gpuvm_sm_unmap+0x38/0x4c
[158827.891209] _RNvMs5_NtCs257m05FHVbX_3tyr2vmNtB5_2Vm7exec_op+0x1cc/0x254 [tyr]
[158827.894085] _RNvMs5_NtCs257m05FHVbX_3tyr2vmNtB5_2Vm11unmap_range+0x124/0x188 [tyr]
[158827.894105] _RINvNtCs5hGKnPbRUFW_4core3ptr13drop_in_placeNtNtCs257m05FHVbX_3tyr3gem8KernelBoEBK_+0x44/0xd8 [tyr]
[158827.894125] _RINvNtCs5hGKnPbRUFW_4core3ptr13drop_in_placeINtNtNtCsgmSOfgXi5CZ_6kernel5alloc4kvec3VecNtNtCs257m05FHVbX_3tyr2fw7SectionNtNtBL_9allocator7KmallocEEB1r_+0x3c/0x100 [tyr]
[158827.894147] _RINvNtCs5hGKnPbRUFW_4core3ptr13drop_in_placeINtNtNtCsgmSOfgXi5CZ_6kernel4sync3arc3ArcNtNtCs257m05FHVbX_3tyr2fw8FirmwareEEB1p_+0x94/0x190 [tyr]
[158827.894167] _RNvMs4_NtNtCsgmSOfgXi5CZ_6kernel3drm6deviceINtB5_6DeviceNtNtCs257m05FHVbX_3tyr6driver12TyrDrmDriverE7releaseBW_+0x30/0x98 [tyr]
[158827.899550] drm_dev_put.part.0+0x88/0xc0
[158827.899557] drm_minor_release+0x18/0x28
[158827.899562] drm_release+0x144/0x170
[158827.899567] __fput+0xe4/0x30c
[158827.899573] ____fput+0x14/0x20
[158827.899579] task_work_run+0x7c/0xe8
[158827.899586] do_exit+0x2a8/0xac4
[158827.899590] do_group_exit+0x34/0x90
[158827.899594] get_signal+0xaac/0xabc
[158827.899599] arch_do_signal_or_restart+0x90/0x3e8
[158827.899606] exit_to_user_mode_loop+0x140/0x1d0
[158827.899613] el0_svc+0x2f4/0x2f8
[158827.899620] el0t_64_sync_handler+0xa0/0xe4
[158827.899627] el0t_64_sync+0x198/0x19c
[158827.899632] ---[ end trace 0000000000000000 ]---
```
The root cause: `fops.owner` was `NULL` in Rust DRM drivers, so the kernel
never blocked module unloading while file descriptors were open. This leads to
use-after-free when drm_release (or other fops) is called on freed module code.
The series moves `THIS_MODULE` into the `ModuleMetadata` as a const, threads it
through `#[vtable]` to set `fops.owner` in DRM/miscdevice, and updates configfs
and rnull to use `this_module::<LocalModule>()`.
Assisted-by: opencode:glm-5.2
Signed-off-by: Alvin Sun <alvin.sun@linux.dev>
---
Changes in v4:
- Move module-related types into a new `rust/kernel/module.rs`.
- Migrate binder from the `module!`-generated `THIS_MODULE` static to
`this_module::<LocalModule>()`.
- Reorganise the series so that every commit builds independently, and
drop the legacy `THIS_MODULE` static once all users are migrated.
- Link to v3: https://lore.kernel.org/r/20260622-fix-fops-owner-v3-0-49d45cb37032@linux.dev
Changes in v3:
- Renamed vtable associated type `ThisModule` to `OwnerModule`
- Added `this_module()` helper for ergonomic `THIS_MODULE` access
- Refined vtable macro implementation: one-liner detection and single `defined_items` set
- Reordered commits to place doctest fallback before vtable auto-insert
- Link to v2: https://lore.kernel.org/r/20260521-fix-fops-owner-v2-0-fd99079c5a04@linux.dev
Changes in v2:
- Merged old `static THIS_MODULE` and v1's `MODULE_PTR` into a single
`ModuleMetadata::THIS_MODULE` const
- `#[vtable]` macro now auto-inserts `type ThisModule`, removing all per-driver
manual patches from v1
- Added configfs & rnull usage site updates and doctest `LocalModule` fallback
- Link to v1: https://lore.kernel.org/r/20260519-fix-fops-owner-v1-0-2ded9830da14@linux.dev
---
Alvin Sun (9):
rust: module: move module types into `module.rs`
rust: module: add `THIS_MODULE` const to `ModuleMetadata` trait
rust: doctest: add LocalModule fallback for #[vtable] ThisModule
rust: macros: auto-insert OwnerModule in #[vtable]
rust: drm: set fops.owner from driver module pointer
rust: miscdevice: set fops.owner from driver module pointer
rust: configfs: use `LocalModule` for `THIS_MODULE`
rust: binder: use `LocalModule` for `THIS_MODULE`
rust: macros: remove `THIS_MODULE` static from `module!`
drivers/android/binder/rust_binder_main.rs | 3 +-
drivers/block/rnull/configfs.rs | 6 +--
rust/kernel/auxiliary.rs | 2 +-
rust/kernel/configfs.rs | 8 +--
rust/kernel/drm/device.rs | 3 +-
rust/kernel/drm/gem/mod.rs | 4 +-
rust/kernel/i2c.rs | 2 +-
rust/kernel/lib.rs | 75 +++-------------------------
rust/kernel/miscdevice.rs | 4 +-
rust/kernel/module.rs | 79 ++++++++++++++++++++++++++++++
rust/kernel/net/phy.rs | 6 ++-
rust/kernel/pci.rs | 2 +-
rust/kernel/platform.rs | 2 +-
rust/kernel/usb.rs | 2 +-
rust/macros/lib.rs | 6 +++
rust/macros/module.rs | 34 ++++++-------
rust/macros/vtable.rs | 41 ++++++++++++++--
scripts/rustdoc_test_gen.rs | 16 ++++++
18 files changed, 187 insertions(+), 108 deletions(-)
---
base-commit: b7e5ac83cb16f7ffd11dc23736f84276602100ed
change-id: 20260519-fix-fops-owner-e3a77bb27c6c
prerequisite-change-id: 20260519-miscdev-use-format-9ab7e83b1c11:v3
prerequisite-patch-id: 405b334ff0d48ad350014f05a2321bdbaa025400
prerequisite-patch-id: 604b631c81d5423f4ebb2e12ba2d22e9ce371bfc
prerequisite-patch-id: cb550d94cefe01920e0d3ced2b2bcbecd76f3907
prerequisite-patch-id: 3bc830839742591460cb86d9472c04f4686dc600
prerequisite-patch-id: 571058244bc8c7088638d2e3225713011246c7e9
prerequisite-patch-id: 347c5a3c6dbef9832bfce8419fc23e6e08ba477f
prerequisite-patch-id: 3e202d988b56b88446f7535e90d3f00cf5f15701
Best regards,
--
Alvin Sun <alvin.sun@linux.dev>
^ permalink raw reply
* Re: [PATCH v3 3/3] gpu: nova-core: gsp: Extract and display usable FB regions from GSP
From: Alexandre Courbot @ 2026-06-23 6:17 UTC (permalink / raw)
To: Danilo Krummrich, Alice Ryhl, David Airlie, Simona Vetter,
Benno Lossin, Gary Guo
Cc: nova-gpu, dri-devel, linux-kernel, rust-for-linux,
Alexandre Courbot, Joel Fernandes
In-Reply-To: <20260617-boot-vram-v3-3-20b9ec5fe9f2@nvidia.com>
On Wed Jun 17, 2026 at 10:24 PM JST, Alexandre Courbot wrote:
> From: Joel Fernandes <joelagnelf@nvidia.com>
>
> Add usable_fb_regions() to GspStaticConfigInfo to extract the usable FB
> regions from GSP's fbRegionInfoParams. Usable regions are those that are
> not reserved or protected.
>
> The extracted regions are stored in GetGspStaticInfoReply and exposed
> for use by the memory subsystem.
>
> Display the regions and their total size upon device probe.
>
> Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
> [acourbot: expose all regions as a KVec, display usable regions and
> total usable VRAM.]
> Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Pushed to drm-rust-next, thanks for the reviews!
[acourbot: replace dev_info!() with dev_dbg!().]
^ permalink raw reply
* Re: [PATCH v2 1/3] rust: sync: Add abstraction for synchronize_rcu()
From: Philipp Stanner @ 2026-06-23 6:09 UTC (permalink / raw)
To: Danilo Krummrich, Philipp Stanner
Cc: Miguel Ojeda, Boqun Feng, Gary Guo, Björn Roy Baron,
Benno Lossin, Andreas Hindborg, Alice Ryhl, Trevor Gross,
Daniel Almeida, Tamir Duberstein, Alexandre Courbot,
Onur Özkan, Alexander Viro, Christian Brauner, Jan Kara,
Lyude Paul, Paul E. McKenney, Frederic Weisbecker,
Neeraj Upadhyay, Joel Fernandes, Josh Triplett, Uladzislau Rezki,
Steven Rostedt, Mathieu Desnoyers, Lai Jiangshan, Zqiang,
Christian Schrefl, rust-for-linux, linux-kernel, linux-fsdevel,
rcu
In-Reply-To: <DJFSV0OS9NEG.G9W8K1OHQ8D5@kernel.org>
On Mon, 2026-06-22 at 20:46 +0200, Danilo Krummrich wrote:
> On Mon Jun 22, 2026 at 7:32 PM CEST, Philipp Stanner wrote:
> > +/// Wait for one RCU grace period.
> > +///
> > +/// You typically do this to wait for everyone holding a [`Guard`].
>
> NIT: "typically" reads a bit as if there were other reasons to call
> synchronize_rcu() than to wait for all concurrent RCU read side critical
> sections.
The reason I wrote "typically" is because my mind had the potential
future use-case of ours prefetched where we might have to do a
synchronize_rcu() to wait for a C backend to be done with something,
where no one really holds a Rust `Guard` (though of course the read
lock).
>
> Also, while it's implicit, it might still be worth to explicitly call out that
> this means concurrently held Guard objects (concurrent read side critical
> sections), i.e. subsequent read side critical sections may still run
> concurrently.
That's quite generic RCU knowledge IMO. I'm not sure to what degree one
wants to document RCU in general at this new function here, vs just the
Rust API.
Rewording the documentation is fine by me, but since we're in a nitty
domain here I would then ask you to provide a few draft sentences that
would satisfy your basic requirements.
P.
>
> > +#[inline]
> > +pub fn synchronize_rcu() {
> > + // SAFETY: `synchronize_rcu()` is always safe to be called. It just waits for a grace period.
> > + unsafe { bindings::synchronize_rcu() };
> > +}
> > --
> > 2.54.0
^ permalink raw reply
* Re: [PATCH 3/6] gpu: nova-core: gsp: move boot code into local closure
From: Eliot Courtney @ 2026-06-23 5:40 UTC (permalink / raw)
To: Alexandre Courbot, Eliot Courtney
Cc: Danilo Krummrich, Alice Ryhl, David Airlie, Simona Vetter,
Gary Guo, John Hubbard, Alistair Popple, Timur Tabi, Zhi Wang,
nova-gpu, dri-devel, linux-kernel, rust-for-linux, dri-devel
In-Reply-To: <DJFO5A5XN2EO.22B58J2O6D4JG@nvidia.com>
On Tue Jun 23, 2026 at 12:04 AM JST, Alexandre Courbot wrote:
> On Mon Jun 22, 2026 at 4:57 PM JST, Eliot Courtney wrote:
>> On Fri Jun 19, 2026 at 10:42 PM JST, Alexandre Courbot wrote:
>>> The next patch aims at replacing the cumbersome `BootUnloadGuard` with a
>>> more local and less intrusive mechanism to run the GSP unload sequence
>>> upon GSP boot failure. Doing so requires running the boot code in a
>>> local closure, which changes its indentation and would make other
>>> changes difficult to track in the diff. Thus, this preparatory patch
>>> moves said boot code into a local closure that is run upon construction,
>>> so the next patch does not need to re-indent code that changes.
>>>
>>> This is a mechanical preparatory patch to make the next patch easier to
>>> read. No functional change intended.
>>>
>>> Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
>>> ---
>>
>> I agree with removing BootUnloadGuard, but I think it's not great to do
>> a bunch of lifting into closures then manually handling the result. It's
>> error prone imo (we already had several bugs relating to this kind of
>> thing). Instead, what about just using ScopeGuard directly? This lets us
>> avoid lifting into closures (which is a bit noisy) and avoids manual
>> result handling for failures (which is a bit error prone). With the
>> `GspBootContext` it's fairly easy to do now:
>>
>> ```
>> let unload_guard = ScopeGuard::new_with_data(unload_bundle, |unload_bundle| {
>> let _ = gsp.unload(ctx, unload_bundle);
>> });
>> ```
>
> Yes, initially I wanted to use `ScopeGuard` but ran into issues when
> trying to make the references mutable. However it looks like you have
> been able to overcome these issues, thanks for taking the time to craft
> a patch!
>
>>
>> I confirmed that it's also compatible with the v2 of this series that
>> has the mutable Fsp - you can stash the context inside the ScopeGuard
>> data (then making a &mut reference to the stashed context for brevity)
>> or have a separate unload context type that doesn't use FSP or something
>> (could later be type parametrized along with Gsp, for example).
>>
>> For example here is a rough diff on top of this patch series (you can
>> change the Result<Option<UnloadBundle>> returns to like
>> Result<Result<UnloadBundle>> if you want to centralise teh error
>> handling of a failed unloadbundle although currently it can only fail in
>> one location):
>
> Yes, looking at it it looks like a cleaner approach than using closures.
>
> The only thing that I saw as a regression is that now each HAL needs to
> call `Gsp::unload` itself in its own `ScopeGuard`. I don't think that's
> the HAL's work - `Gsp::boot` should be the centralized point where this
> happens.
>
> But we can make both work if `unload_bundle` is passed as an output
> argument to `GspHal::boot` instead of being returned:
>
> let mut guard = ScopeGuard::new_with_data((ctx, None), ...);
> let (ctx, unload_bundle) = &mut *guard;
>
> // `unload_bundle` is a mutable reference to the
> // `Option<UnloadBundle>` in `guard`.
> hal.boot(&self, ctx, unload_bundle, &fb_layout, &wpr_meta)?;
>
> The boot method can fill `unload_bundle` early, and if it returns an
> error then the `ScopeGuard` will be able to use it. Also, and that's
> nice, the HALs don't need to use `ScopeGuard`. But output arguments
> aren't really something we expect to see in Rust.
>
> Another alternative would be to separate the unload bundle construction
> from `GspHal::boot`:
>
> let unload_bundle = hal.build_unload_bundle(ctx, ...);
> let guard = ScopeGuard::new_with_data((ctx, unload_bundle), ...);
>
> hal.boot(...)?;
>
> It removes the "1 boot -> 1 unload bundle" symmetry, but on the other
> hand it also splits concerns more clearly. And it removes the awkward
> return type of `GspHal::boot`, which come to think of it was another
> smell that things were not in the right place.
>
> The main drawback I see is that we now need to build `Vbios` twice for
> TU102, since it is needed both for the unload bundle and for booting.
> But the solution is the same as what the v2 of this series does to
> `Fsp`: the BIOS is a GPU-wide subdevice that is likely to be used
> elsewhere, not something to be confined in a GSP HAL. So I say, let's
> extract it and make it also part of `GspBootContext`.
>
> How does that sound?
I think that currently it's confusing because we have two concepts in
use with very similar names. We have "unloadbundle" meaning what we need
to run to unload the driver, and we have "unload_guard" which is for
running unwind stuff if we error. And for the most part these things are
the same, but they might not be (e.g. in my other series where we need
to keep certain DMA allocations alive just for the error path, but not
for an unload later, or when we are partially loaded). So it might be
nice to make these two things more separate.
I think that trying to build the unload bundle separately
(`build_unload_bundle`) is confusing because e.g. hal.boot() still needs
to handle unwinding its state in case of error, so it adds a strong
assumption that unloading in success is the same as unwinding in error.
If we switch to a model where the caller owns Gsp::unload, we need to
support prolonging some state until gsp.unload() finishes, e.g. in my
blackwell fixes series, we need to prolong DMA allocation in the error
case for `FmcBootArgs`. It's doable to prolong the DMA allocation
because the callee currently owns running the Gsp::unload. But we would
need to do some gymnastics if the caller owns running Gsp::unload and I
can't figure out a nice way to do this. In general, if we have partially
initialized hardware, it seems likely to me we will have to handle
keeping a certain set of resources alive until we can guarantee they are
not accessed anymore (gsp inactive being a clear marker).
Separately, I think it would be good to explicitly define the semantics
of what the state should be in after each one of these calls in
Gsp::boot. For example:
"Callees that fail should call gsp.unload(ctx, unwind_bundle) to unload
if it's required. If it succeeds, return an unload bundle."
For state that should be unwound *before* Gsp::unload, I think the HAL
methods should handle it internally (regardless of what we decide for
caller vs callee ownership of running gsp.unload). But we do have to
deal with unwind that needs to happen after gsp shutdown unfortunately.
It might be nice to make this more explicit.
So it kinda sucks to have to repeat Gsp::unload in HALs, but also I
think that whether Gsp::unload is required depends on how far we have
initialized, so HALs may not want to actually call it. So IMO it makes
some sense there too to have them decide. (e.g. if we only loaded Vbios
so far).
So concretely, IMO:
1. Keep gsp.unload() the responsibility of the callees, because they may
need to prolong state until after gsp.unload, and, maybe we are not
initialized enough to want to call gsp.unload yet and callees know
this best.
2. Through naming, explicitly differentiate between unload and unwind.
WDYT?
^ permalink raw reply
* [PATCH v2 21/21] lib: rspdm: Support SPDM challenge
From: alistair23 @ 2026-06-23 4:54 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair@alistair23.me>
Support the CHALLENGE SPDM command.
Signed-off-by: Alistair Francis <alistair@alistair23.me>
---
lib/rspdm/consts.rs | 6 +
lib/rspdm/lib.rs | 10 +-
lib/rspdm/state.rs | 232 +++++++++++++++++++++++++++++++-
lib/rspdm/validator.rs | 61 +++++++++
rust/bindings/bindings_helper.h | 1 +
5 files changed, 305 insertions(+), 5 deletions(-)
diff --git a/lib/rspdm/consts.rs b/lib/rspdm/consts.rs
index 2fbc4ab41869..e67be8e6b057 100644
--- a/lib/rspdm/consts.rs
+++ b/lib/rspdm/consts.rs
@@ -148,6 +148,8 @@ fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
pub(crate) const SPDM_GET_CERTIFICATE: u8 = 0x82;
+pub(crate) const SPDM_CHALLENGE: u8 = 0x83;
+
// If the crypto support isn't enabled don't offer the algorithms
// to the responder
#[cfg(CONFIG_CRYPTO_RSA)]
@@ -176,3 +178,7 @@ fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
pub(crate) const SPDM_HASH_ALGOS: u32 = SPDM_HASH_SHA2_256 | SPDM_HASH_SHA2_384_512;
pub(crate) const SPDM_OPAQUE_DATA_FMT_GENERAL: u8 = bit_u8(1);
+
+pub(crate) const SPDM_PREFIX_SZ: usize = 64;
+pub(crate) const SPDM_COMBINED_PREFIX_SZ: usize = 100;
+pub(crate) const SPDM_MAX_OPAQUE_DATA: usize = 1024;
diff --git a/lib/rspdm/lib.rs b/lib/rspdm/lib.rs
index fa5513e8bd4e..33c16f7ffb46 100644
--- a/lib/rspdm/lib.rs
+++ b/lib/rspdm/lib.rs
@@ -11,8 +11,7 @@
//! from other subsytems.
use crate::bindings::{
- spdm_state,
- EPROTONOSUPPORT, //
+ spdm_state, //
};
use core::ffi::{
c_int,
@@ -141,7 +140,12 @@ pub extern "C" fn spdm_authenticate(state_ptr: *mut spdm_state) -> c_int {
provisioned_slots &= !(1 << slot);
}
- -(EPROTONOSUPPORT as i32)
+ let provisioned_slots = state.provisioned_slots.trailing_zeros();
+ if let Err(e) = state.challenge(provisioned_slots as u8) {
+ return e.to_errno() as c_int;
+ }
+
+ 0
}
/// spdm_destroy() - Destroy SPDM session
diff --git a/lib/rspdm/state.rs b/lib/rspdm/state.rs
index e381cf3f75f9..7341d9d8a931 100644
--- a/lib/rspdm/state.rs
+++ b/lib/rspdm/state.rs
@@ -8,6 +8,7 @@
//! <https://www.dmtf.org/dsp/DSP0274>
use core::ffi::c_void;
+use core::mem::offset_of;
use core::slice::from_raw_parts_mut;
use kernel::prelude::*;
use kernel::{
@@ -19,6 +20,7 @@
Error, //
},
str::CStr,
+ str::CString,
validate::Untrusted,
};
@@ -31,6 +33,7 @@
SPDM_ASYM_RSASSA_2048,
SPDM_ASYM_RSASSA_3072,
SPDM_ASYM_RSASSA_4096,
+ SPDM_COMBINED_PREFIX_SZ,
SPDM_ERROR,
SPDM_GET_VERSION_LEN,
SPDM_HASH_ALGOS,
@@ -38,10 +41,12 @@
SPDM_HASH_SHA_384,
SPDM_HASH_SHA_512,
SPDM_KEY_EX_CAP,
+ SPDM_MAX_OPAQUE_DATA,
SPDM_MAX_VER,
SPDM_MIN_DATA_TRANSFER_SIZE,
SPDM_MIN_VER,
SPDM_OPAQUE_DATA_FMT_GENERAL,
+ SPDM_PREFIX_SZ,
SPDM_REQ,
SPDM_RSP_MIN_CAPS,
SPDM_SLOTS,
@@ -51,6 +56,8 @@
SPDM_VER_13, //
};
use crate::validator::{
+ ChallengeReq,
+ ChallengeRsp,
GetCapabilitiesReq,
GetCapabilitiesRsp,
GetCertificateReq,
@@ -65,6 +72,8 @@
SpdmHeader, //
};
+const SPDM_CONTEXT: &str = "responder-challenge_auth signing";
+
/// The current SPDM session state for a device. Based on the
/// C `struct spdm_state`.
///
@@ -111,6 +120,12 @@
/// not populated. Prefixed by the 4 + H header per SPDM 1.0.0 table 15.
/// @leaf_key: Public key portion of leaf certificate against which to check
/// responder's signatures.
+/// @transcript: Concatenation of all SPDM messages exchanged during an
+/// authentication or measurement sequence. Used to verify the signature,
+/// as it is computed over the hashed transcript.
+/// @next_nonce: Requester nonce to be used for the next authentication
+/// sequence. Populated from user space through sysfs.
+/// If user space does not provide a nonce, the kernel uses a random one.
pub(crate) struct SpdmState<'a> {
pub(crate) dev: *mut bindings::device,
pub(crate) transport: bindings::spdm_transport,
@@ -140,6 +155,10 @@ pub(crate) struct SpdmState<'a> {
// Certificates
pub(crate) certs: [KVec<u8>; SPDM_SLOTS],
pub(crate) leaf_key: Option<*mut bindings::public_key>,
+
+ transcript: VVec<u8>,
+
+ pub(crate) next_nonce: KVec<u8>,
}
impl Drop for SpdmState<'_> {
@@ -210,6 +229,8 @@ pub(crate) fn new(
hash_len: 0,
certs: [const { KVec::new() }; SPDM_SLOTS],
leaf_key: None,
+ transcript: VVec::new(),
+ next_nonce: KVec::new(),
}
}
@@ -325,13 +346,15 @@ fn spdm_err(&self, rsp: &SpdmErrorRsp) -> Result<(), Error> {
/// The data in `request_buf` is sent to the device and the response is
/// stored in `response_buf`.
pub(crate) fn spdm_exchange(
- &self,
+ &mut self,
request_buf: &mut [u8],
response_buf: &mut [u8],
) -> Result<i32, Error> {
let header_size = core::mem::size_of::<SpdmHeader>();
let request: &SpdmHeader = Untrusted::new(&request_buf[..]).validate()?;
+ self.transcript.extend_from_slice(request_buf, GFP_KERNEL)?;
+
let transport_function = self.transport.ok_or(EINVAL)?;
// SAFETY: `transport_function` is provided by the new(), we are
// calling the function.
@@ -381,6 +404,8 @@ pub(crate) fn get_version(&mut self) -> Result<(), Error> {
request.version = SPDM_MIN_VER;
self.version = SPDM_MIN_VER;
+ self.transcript.clear();
+
// SAFETY: `request` is repr(C) and packed, so we can convert it to a slice
let request_buf = unsafe {
from_raw_parts_mut(
@@ -400,6 +425,16 @@ pub(crate) fn get_version(&mut self) -> Result<(), Error> {
response_vec.truncate(rc);
let response: &GetVersionRsp = Untrusted::new(response_vec.as_slice()).validate()?;
+ let rsp_sz = core::mem::size_of::<SpdmHeader>()
+ + 2
+ + response.version_number_entry_count as usize * 2;
+
+ if rsp_sz > response_vec.len() {
+ return Err(EIO);
+ }
+
+ self.transcript
+ .extend_from_slice(&response_vec[..rsp_sz], GFP_KERNEL)?;
let mut foundver = false;
let entry_count = response.version_number_entry_count;
@@ -463,12 +498,15 @@ pub(crate) fn get_capabilities(&mut self) -> Result<(), Error> {
let rc = self.spdm_exchange(request_buf, response_vec.as_mut_slice())? as usize;
// The transport must report a length within the buffer we provided.
- if rc > response_vec.len() {
+ if rc > response_vec.len() || rc > rsp_sz {
pr_err!("Overflowed capabilities response\n");
return Err(EIO);
}
response_vec.truncate(rc);
+ self.transcript
+ .extend_from_slice(&response_vec[..rsp_sz], GFP_KERNEL)?;
+
let response: &mut GetCapabilitiesRsp = Untrusted::new(&mut response_vec).validate()?;
self.rsp_caps = u32::from_le(response.flags);
@@ -625,6 +663,9 @@ pub(crate) fn negotiate_algs(&mut self) -> Result<(), Error> {
let response: &NegotiateAlgsRsp = Untrusted::new(response_vec.as_slice()).validate()?;
+ self.transcript
+ .extend_from_slice(&response_vec, GFP_KERNEL)?;
+
self.base_asym_alg = u32::from_le(response.base_asym_sel);
self.base_hash_alg = u32::from_le(response.base_hash_sel);
self.meas_hash_alg = u32::from_le(response.measurement_hash_algo);
@@ -674,6 +715,14 @@ pub(crate) fn get_digests(&mut self) -> Result<(), Error> {
response_vec.truncate(len);
let response: &GetDigestsRsp = Untrusted::new(response_vec.as_slice()).validate()?;
+ let rsp_sz = core::mem::size_of::<SpdmHeader>() + response.param2 as usize * self.hash_len;
+
+ if rsp_sz > response_vec.len() {
+ return Err(EIO);
+ }
+
+ self.transcript
+ .extend_from_slice(&response_vec[..rsp_sz], GFP_KERNEL)?;
if len
< core::mem::size_of::<GetDigestsRsp>()
@@ -731,6 +780,14 @@ fn get_cert_exchange(
response_vec.truncate(len);
let response: &GetCertificateRsp = Untrusted::new(response_vec.as_slice()).validate()?;
+ let rsp_sz = core::mem::size_of::<SpdmHeader>() + 4 + response.portion_length as usize;
+
+ if rsp_sz > response_vec.len() {
+ return Err(EIO);
+ }
+
+ self.transcript
+ .extend_from_slice(&response_vec[..rsp_sz], GFP_KERNEL)?;
if len
< core::mem::size_of::<GetCertificateRsp>()
@@ -971,4 +1028,175 @@ pub(crate) fn validate_cert_chain(&mut self, slot: u8) -> Result<(), Error> {
Ok(())
}
+
+ pub(crate) fn challenge_rsp_len(&mut self, nonce_len: usize, opaque_len: usize) -> usize {
+ // No measurement summary hash requested (MSHLength == 0)
+ let mut length =
+ core::mem::size_of::<SpdmHeader>() + self.hash_len + nonce_len + opaque_len + 2;
+
+ if self.version >= SPDM_VER_13 {
+ length += 8;
+ }
+
+ length + self.sig_len
+ }
+
+ fn verify_signature(&mut self, signature: &mut [u8]) -> Result<(), Error> {
+ let mut sig = bindings::public_key_signature::default();
+ let mut mhash: KVec<u8> = KVec::new();
+
+ sig.s = signature as *mut _ as *mut u8;
+ sig.s_size = self.sig_len as u32;
+ sig.encoding = self.base_asym_enc.as_ptr() as *const u8;
+ sig.hash_algo = self.base_hash_alg_name.as_ptr() as *const u8;
+
+ let mut m: KVec<u8> = KVec::new();
+ m.extend_with(SPDM_COMBINED_PREFIX_SZ + self.hash_len, 0, GFP_KERNEL)?;
+
+ if let Some(desc) = &mut self.desc {
+ desc.tfm = self.shash;
+
+ unsafe {
+ to_result(bindings::crypto_shash_digest(
+ *desc,
+ self.transcript.as_ptr(),
+ (self.transcript.len() - self.sig_len) as u32,
+ m[SPDM_COMBINED_PREFIX_SZ..].as_mut_ptr(),
+ ))?;
+ };
+ } else {
+ return Err(EPROTO);
+ }
+
+ if self.version <= SPDM_VER_11 {
+ sig.m = m[SPDM_COMBINED_PREFIX_SZ..].as_mut_ptr();
+ } else {
+ let major = self.version >> 4;
+ let minor = self.version & 0xF;
+
+ let output = CString::try_from_fmt(fmt!("dmtf-spdm-v{major:x}.{minor:x}.*dmtf-spdm-v{major:x}.{minor:x}.*dmtf-spdm-v{major:x}.{minor:x}.*dmtf-spdm-v{major:x}.{minor:x}.*"))?;
+ let mut buf = output.into_vec();
+ let zero_pad_len = SPDM_COMBINED_PREFIX_SZ - SPDM_PREFIX_SZ - SPDM_CONTEXT.len() - 1;
+
+ buf.extend_with(zero_pad_len, 0, GFP_KERNEL)?;
+ buf.extend_from_slice(SPDM_CONTEXT.as_bytes(), GFP_KERNEL)?;
+
+ m[..SPDM_COMBINED_PREFIX_SZ].copy_from_slice(&buf);
+
+ mhash.extend_with(self.hash_len, 0, GFP_KERNEL)?;
+
+ if let Some(desc) = &mut self.desc {
+ desc.tfm = self.shash;
+
+ unsafe {
+ to_result(bindings::crypto_shash_digest(
+ *desc,
+ m.as_ptr(),
+ m.len() as u32,
+ mhash.as_mut_ptr(),
+ ))?;
+ };
+ } else {
+ return Err(EPROTO);
+ }
+
+ sig.m = mhash.as_mut_ptr();
+ }
+
+ sig.m_size = self.hash_len as u32;
+
+ if let Some(leaf_key) = self.leaf_key {
+ unsafe { to_result(bindings::public_key_verify_signature(leaf_key, &sig)) }
+ } else {
+ return Err(EPROTO);
+ }
+ }
+
+ pub(crate) fn challenge(&mut self, slot: u8) -> Result<(), Error> {
+ let mut request = ChallengeReq::default();
+ request.version = self.version;
+ request.param1 = slot;
+
+ let nonce_len = request.nonce.len();
+
+ if self.next_nonce.len() > 0 {
+ let request_nonce_len = request.nonce.len();
+
+ if self.next_nonce.len() == request_nonce_len {
+ request
+ .nonce
+ .copy_from_slice(&self.next_nonce[..request_nonce_len]);
+ } else {
+ return Err(EINVAL);
+ }
+
+ self.next_nonce.clear();
+ } else {
+ unsafe {
+ bindings::get_random_bytes(&mut request.nonce as *mut _ as *mut c_void, nonce_len)
+ };
+ }
+
+ let req_sz = if self.version <= SPDM_VER_12 {
+ offset_of!(ChallengeReq, context)
+ } else {
+ core::mem::size_of::<ChallengeReq>()
+ };
+
+ let rsp_sz = self.challenge_rsp_len(nonce_len, SPDM_MAX_OPAQUE_DATA);
+
+ // SAFETY: `request` is repr(C) and packed, so we can convert it to a slice
+ let request_buf = unsafe { from_raw_parts_mut(&mut request as *mut _ as *mut u8, req_sz) };
+
+ let mut response_vec: KVec<u8> = KVec::from_elem(0u8, rsp_sz, GFP_KERNEL)?;
+
+ let rc = self.spdm_exchange(request_buf, response_vec.as_mut_slice())? as usize;
+
+ // The transport must report a length within the buffer we provided.
+ if rc < core::mem::size_of::<ChallengeRsp>() {
+ pr_err!("Truncated challenge response\n");
+ return Err(EIO);
+ }
+ response_vec.truncate(rc);
+
+ let _response: &ChallengeRsp = Untrusted::new(response_vec.as_slice()).validate()?;
+
+ // MSHLength is 0 as no measurement summary hash requested
+ let opaque_len_offset = core::mem::size_of::<SpdmHeader>() + self.hash_len + nonce_len;
+
+ if opaque_len_offset + 2 > response_vec.len() {
+ return Err(EIO);
+ }
+
+ let opaque_len = u16::from_le_bytes(
+ response_vec[opaque_len_offset..(opaque_len_offset + 2)]
+ .try_into()
+ .unwrap_or([0, 0]),
+ );
+
+ let rsp_sz = self.challenge_rsp_len(nonce_len, opaque_len as usize);
+
+ if rsp_sz > response_vec.len() {
+ pr_err!("Truncated challenge response\n");
+ return Err(EIO);
+ }
+
+ self.transcript
+ .extend_from_slice(&response_vec[..rsp_sz], GFP_KERNEL)?;
+
+ /* Verify signature at end of transcript against leaf key */
+ let sig_start = rsp_sz - self.sig_len;
+ let signature = &mut response_vec[sig_start..rsp_sz];
+
+ match self.verify_signature(signature) {
+ Ok(()) => {
+ pr_info!("Authenticated with certificate slot {slot}\n");
+ Ok(())
+ }
+ Err(e) => {
+ pr_err!("Cannot verify challenge_auth signature: {e:?}\n");
+ Err(EPROTO)
+ }
+ }
+ }
}
diff --git a/lib/rspdm/validator.rs b/lib/rspdm/validator.rs
index 4e78683d7b22..2541758953c5 100644
--- a/lib/rspdm/validator.rs
+++ b/lib/rspdm/validator.rs
@@ -28,6 +28,7 @@
use crate::consts::{
SPDM_ASYM_ALGOS,
+ SPDM_CHALLENGE,
SPDM_CTEXPONENT,
SPDM_GET_CAPABILITIES,
SPDM_GET_CERTIFICATE,
@@ -482,3 +483,63 @@ fn validate(unvalidated: &[u8]) -> Result<Self, Self::Err> {
Ok(rsp)
}
}
+
+#[repr(C, packed)]
+pub(crate) struct ChallengeReq {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8,
+ pub(crate) param2: u8,
+
+ pub(crate) nonce: [u8; 32],
+ pub(crate) context: [u8; 8],
+}
+
+impl Default for ChallengeReq {
+ fn default() -> Self {
+ ChallengeReq {
+ version: 0,
+ code: SPDM_CHALLENGE,
+ param1: 0,
+ param2: 0,
+ nonce: [0; 32],
+ context: [0; 8],
+ }
+ }
+}
+
+#[repr(C, packed)]
+pub(crate) struct ChallengeRsp {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8,
+ pub(crate) param2: u8,
+
+ pub(crate) cert_chain_hash: __IncompleteArrayField<u8>,
+ pub(crate) nonce: [u8; 32],
+ pub(crate) message_summary_hash: __IncompleteArrayField<u8>,
+
+ pub(crate) opaque_data_len: u16,
+ pub(crate) opaque_data: __IncompleteArrayField<u8>,
+
+ pub(crate) context: [u8; 8],
+ pub(crate) signature: __IncompleteArrayField<u8>,
+}
+
+impl Validate<Untrusted<&[u8]>> for &ChallengeRsp {
+ type Err = Error;
+
+ fn validate(unvalidated: &[u8]) -> Result<Self, Self::Err> {
+ if unvalidated.len() < mem::size_of::<ChallengeRsp>() {
+ return Err(EINVAL);
+ }
+
+ let ptr = unvalidated.as_ptr();
+ // CAST: `ChallengeRsp` only contains integers and has `repr(C)`.
+ let ptr = ptr.cast::<ChallengeRsp>();
+ // SAFETY: `ptr` came from a reference and the cast above is valid.
+ let rsp: &ChallengeRsp = unsafe { &*ptr };
+
+ Ok(rsp)
+ }
+}
diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h
index e9736162c904..1479f9c6604a 100644
--- a/rust/bindings/bindings_helper.h
+++ b/rust/bindings/bindings_helper.h
@@ -31,6 +31,7 @@
#include <linux/acpi.h>
#include <linux/gpu_buddy.h>
#include <crypto/hash.h>
+#include <crypto/public_key.h>
#include <drm/drm_device.h>
#include <drm/drm_drv.h>
#include <drm/drm_file.h>
--
2.54.0
^ permalink raw reply related
* [PATCH v2 20/21] rust: allow extracting the buffer from a CString
From: alistair23 @ 2026-06-23 4:54 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair@alistair23.me>
The kernel CString is a wrapper aroud a KVec. This patch allows
retrieving the underlying buffer and consuming the CString. This allows
users to create a CString from a string and then retrieve the underlying
buffer.
Signed-off-by: Alistair Francis <alistair@alistair23.me>
Reviewed-by: Gary Guo <gary@garyguo.net>
---
rust/kernel/str.rs | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
index a556788bcc5e..3fd8a218547f 100644
--- a/rust/kernel/str.rs
+++ b/rust/kernel/str.rs
@@ -870,6 +870,12 @@ pub fn try_from_fmt(args: fmt::Arguments<'_>) -> Result<Self, Error> {
// exist in the buffer.
Ok(Self { buf })
}
+
+ /// Return the internal buffer while consuming the original [`CString`]
+ #[inline]
+ pub fn into_vec(self) -> KVec<u8> {
+ self.buf
+ }
}
impl Deref for CString {
--
2.54.0
^ permalink raw reply related
* [PATCH v2 19/21] lib: rspdm: Support SPDM certificate validation
From: alistair23 @ 2026-06-23 4:54 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair@alistair23.me>
Support validating the SPDM certificate chain. This only performs basic
sanity checks on the chain before we continue on. This does not ensure
that the root CA is trusted, we leave that for userspace to check and
enforce. Instead we just make sure that the chain is correct, uses
supported signatures and that it isn't blacklisted in the kernel.
We then store the first leaf certificate for use later.
Signed-off-by: Alistair Francis <alistair@alistair23.me>
---
lib/rspdm/lib.rs | 12 +++
lib/rspdm/state.rs | 142 +++++++++++++++++++++++++++++++-
rust/bindings/bindings_helper.h | 2 +
rust/kernel/error.rs | 1 +
4 files changed, 156 insertions(+), 1 deletion(-)
diff --git a/lib/rspdm/lib.rs b/lib/rspdm/lib.rs
index 488203be821d..fa5513e8bd4e 100644
--- a/lib/rspdm/lib.rs
+++ b/lib/rspdm/lib.rs
@@ -129,6 +129,18 @@ pub extern "C" fn spdm_authenticate(state_ptr: *mut spdm_state) -> c_int {
provisioned_slots &= !(1 << slot);
}
+ let mut provisioned_slots = state.provisioned_slots;
+ while (provisioned_slots as usize) > 0 {
+ let slot = provisioned_slots.trailing_zeros() as u8;
+
+ if let Err(e) = state.validate_cert_chain(slot) {
+ pr_err!("Certificate in slot {slot} failed to verify: {e:?}\n");
+ return e.to_errno() as c_int;
+ }
+
+ provisioned_slots &= !(1 << slot);
+ }
+
-(EPROTONOSUPPORT as i32)
}
diff --git a/lib/rspdm/state.rs b/lib/rspdm/state.rs
index 9138df30e138..e381cf3f75f9 100644
--- a/lib/rspdm/state.rs
+++ b/lib/rspdm/state.rs
@@ -109,7 +109,8 @@
/// H in SPDM specification.
/// @certs: Certificate chain in each of the 8 slots. Empty KVec if a slot is
/// not populated. Prefixed by the 4 + H header per SPDM 1.0.0 table 15.
-#[expect(dead_code)]
+/// @leaf_key: Public key portion of leaf certificate against which to check
+/// responder's signatures.
pub(crate) struct SpdmState<'a> {
pub(crate) dev: *mut bindings::device,
pub(crate) transport: bindings::spdm_transport,
@@ -138,10 +139,20 @@ pub(crate) struct SpdmState<'a> {
// Certificates
pub(crate) certs: [KVec<u8>; SPDM_SLOTS],
+ pub(crate) leaf_key: Option<*mut bindings::public_key>,
}
impl Drop for SpdmState<'_> {
fn drop(&mut self) {
+ if let Some(leaf_key) = self.leaf_key.take() {
+ // SAFETY: `leaf_key` was extracted from a x509 certificate
+ // in `validate_cert_chain()` so it is valid to pass to
+ // `public_key_free()`.
+ unsafe {
+ bindings::public_key_free(leaf_key);
+ }
+ }
+
if let Some(desc) = self.desc.take() {
// SAFETY: `self.shash` is a valid handle
let desc_len = core::mem::size_of::<bindings::shash_desc>()
@@ -198,6 +209,7 @@ pub(crate) fn new(
desc: None,
hash_len: 0,
certs: [const { KVec::new() }; SPDM_SLOTS],
+ leaf_key: None,
}
}
@@ -831,4 +843,132 @@ pub(crate) fn get_certificate(&mut self, slot: u8) -> Result<(), Error> {
Ok(())
}
+
+ pub(crate) fn validate_cert_chain(&mut self, slot: u8) -> Result<(), Error> {
+ let cert_chain_buf = &self.certs[slot as usize];
+ let cert_chain_len = cert_chain_buf.len();
+ // We skip over the RootHash
+ let header_len = 4 + self.hash_len;
+
+ let mut offset = header_len;
+ let mut prev_cert: Option<*mut bindings::x509_certificate> = None;
+
+ while offset < cert_chain_len {
+ // SAFETY: `cert_chain_buf[offset..]` is a non-empty slice of
+ // bytes valid for at least `cert_chain_len` bytes.
+ let cert_len = unsafe {
+ bindings::x509_get_certificate_length(
+ &cert_chain_buf[offset..] as *const _ as *const u8,
+ cert_chain_len - offset,
+ )
+ };
+
+ if cert_len < 0 {
+ pr_err!("Invalid certificate length\n");
+
+ if let Some(prev) = prev_cert {
+ // SAFETY: `prev_cert` is the previously parsed
+ // certificate from a prior loop iteration.
+ unsafe { bindings::x509_free_certificate(prev) };
+ }
+
+ to_result(cert_len as i32)?;
+ }
+
+ // SAFETY: `cert_chain_buf[offset..]` is a non-empty slice of
+ // bytes valid for at least `cert_len` bytes.
+ let cert_ptr = unsafe {
+ match from_err_ptr(bindings::x509_cert_parse(
+ &cert_chain_buf[offset..] as *const _ as *const c_void,
+ cert_len as usize,
+ )) {
+ Err(e) => {
+ if let Some(prev) = prev_cert {
+ // SAFETY: `prev_cert` is the previously parsed
+ // certificate from a prior loop iteration.
+ bindings::x509_free_certificate(prev);
+ }
+ return Err(e);
+ }
+ Ok(c) => c,
+ }
+ };
+ // SAFETY: Cast the `struct x509_certificate` to a Rust binding
+ let cert = unsafe { *cert_ptr };
+
+ if cert.unsupported_sig || cert.blacklisted {
+ pr_err!("Certificate was rejected\n");
+
+ if let Some(prev) = prev_cert {
+ // SAFETY: `prev_cert` is the previously parsed
+ // certificate from a prior loop iteration.
+ unsafe { bindings::x509_free_certificate(prev) };
+ }
+ // SAFETY: `cert_ptr` was just returned by
+ // `x509_cert_parse()`.
+ unsafe { bindings::x509_free_certificate(cert_ptr) };
+
+ return Err(EKEYREJECTED);
+ }
+
+ if let Some(prev) = prev_cert {
+ // SAFETY: `prev_cert` is the previously parsed
+ // certificate from a prior loop iteration.
+ let rc = unsafe { bindings::public_key_verify_signature((*prev).pub_, cert.sig) };
+
+ if rc < 0 {
+ pr_err!("Signature validation error\n");
+
+ // SAFETY: `prev_cert` is the previously parsed
+ // certificate from a prior loop iteration.
+ unsafe { bindings::x509_free_certificate(prev) };
+
+ // SAFETY: `cert_ptr` was just returned by
+ // `x509_cert_parse()`.
+ unsafe { bindings::x509_free_certificate(cert_ptr) };
+
+ to_result(rc)?;
+ }
+ }
+
+ if let Some(prev) = prev_cert {
+ // SAFETY: `prev_cert` is the previously parsed
+ // certificate from a prior loop iteration.
+ unsafe { bindings::x509_free_certificate(prev) };
+ }
+
+ prev_cert = Some(cert_ptr);
+ offset += cert_len as usize;
+ }
+
+ if let Some(prev) = prev_cert {
+ if let Some(validate) = self.validate {
+ // SAFETY: Call the `validate` function provided.
+ let rc = unsafe { validate(self.dev, slot, prev) };
+ if let Err(e) = to_result(rc) {
+ // SAFETY: `prev_cert` is the previously parsed
+ // certificate from a prior loop iteration.
+ unsafe { bindings::x509_free_certificate(prev) };
+ return Err(e);
+ }
+ }
+
+ // The leaf key is the same for all slots, so just store the first one.
+ if self.leaf_key.is_none() {
+ // SAFETY: `prev_cert` is the previously parsed
+ // certificate from a prior loop iteration.
+ self.leaf_key = unsafe { Some((*prev).pub_) };
+ // SAFETY: `prev_cert` is the previously parsed
+ // certificate from a prior loop iteration. We are setting
+ // the `pub` key to null so it isn't freed below
+ unsafe { (*prev).pub_ = core::ptr::null_mut() };
+ }
+
+ // SAFETY: `prev_cert` is the previously parsed
+ // certificate from a prior loop iteration.
+ unsafe { bindings::x509_free_certificate(prev) };
+ }
+
+ Ok(())
+ }
}
diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h
index d63ad2b03362..e9736162c904 100644
--- a/rust/bindings/bindings_helper.h
+++ b/rust/bindings/bindings_helper.h
@@ -38,6 +38,8 @@
#include <drm/drm_gem_shmem_helper.h>
#include <drm/drm_gpuvm.h>
#include <drm/drm_ioctl.h>
+#include <keys/asymmetric-type.h>
+#include <keys/x509-parser.h>
#include <kunit/test.h>
#include <linux/auxiliary_bus.h>
#include <linux/bitmap.h>
diff --git a/rust/kernel/error.rs b/rust/kernel/error.rs
index 6413de18df80..10700a17eedc 100644
--- a/rust/kernel/error.rs
+++ b/rust/kernel/error.rs
@@ -95,6 +95,7 @@ macro_rules! declare_err {
declare_err!(EINPROGRESS, "Operation now in progress.");
declare_err!(EPROTO, "Protocol error");
declare_err!(EPROTONOSUPPORT, "Protocol not supported");
+ declare_err!(EKEYREJECTED, "Key was rejected by service");
}
/// Generic integer kernel error.
--
2.54.0
^ permalink raw reply related
* [PATCH v2 18/21] lib: rspdm: Support SPDM get_certificate
From: alistair23 @ 2026-06-23 4:54 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair@alistair23.me>
Support the GET_CERTIFICATE SPDM command.
The kernel will send a GET_CERTIFICATE request to the the responder and
then iterate over all of the certificates returned.
Certificate validation happens in the next commit.
Signed-off-by: Alistair Francis <alistair@alistair23.me>
---
lib/rspdm/consts.rs | 2 +
lib/rspdm/lib.rs | 15 +++++
lib/rspdm/state.rs | 145 +++++++++++++++++++++++++++++++++++++++++
lib/rspdm/validator.rs | 56 ++++++++++++++++
4 files changed, 218 insertions(+)
diff --git a/lib/rspdm/consts.rs b/lib/rspdm/consts.rs
index c4d9521866af..2fbc4ab41869 100644
--- a/lib/rspdm/consts.rs
+++ b/lib/rspdm/consts.rs
@@ -146,6 +146,8 @@ fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
pub(crate) const SPDM_GET_DIGESTS: u8 = 0x81;
+pub(crate) const SPDM_GET_CERTIFICATE: u8 = 0x82;
+
// If the crypto support isn't enabled don't offer the algorithms
// to the responder
#[cfg(CONFIG_CRYPTO_RSA)]
diff --git a/lib/rspdm/lib.rs b/lib/rspdm/lib.rs
index bda5f91ca13c..488203be821d 100644
--- a/lib/rspdm/lib.rs
+++ b/lib/rspdm/lib.rs
@@ -114,6 +114,21 @@ pub extern "C" fn spdm_authenticate(state_ptr: *mut spdm_state) -> c_int {
return e.to_errno() as c_int;
}
+ if state.provisioned_slots == 0 {
+ return -(bindings::EIO as c_int);
+ }
+
+ let mut provisioned_slots = state.provisioned_slots;
+ while (provisioned_slots as usize) > 0 {
+ let slot = provisioned_slots.trailing_zeros() as u8;
+
+ if let Err(e) = state.get_certificate(slot) {
+ return e.to_errno() as c_int;
+ }
+
+ provisioned_slots &= !(1 << slot);
+ }
+
-(EPROTONOSUPPORT as i32)
}
diff --git a/lib/rspdm/state.rs b/lib/rspdm/state.rs
index 055f37289c8b..9138df30e138 100644
--- a/lib/rspdm/state.rs
+++ b/lib/rspdm/state.rs
@@ -53,6 +53,8 @@
use crate::validator::{
GetCapabilitiesReq,
GetCapabilitiesRsp,
+ GetCertificateReq,
+ GetCertificateRsp,
GetDigestsReq,
GetDigestsRsp,
GetVersionReq,
@@ -157,6 +159,17 @@ fn drop(&mut self) {
}
}
+#[repr(C, packed)]
+pub(crate) struct SpdmCertChain {
+ // `length` is a u16 (with 2 bytes reserved) for SPDM versions 1.3
+ // and lower and u32 for 1.4. We don't currently support `LargeOffset`
+ // and `LargeLength`, so let's pretend this is always a u16
+ length: u16,
+ _reserved: [u8; 2],
+ root_hash: bindings::__IncompleteArrayField<u8>,
+ certificates: bindings::__IncompleteArrayField<u8>,
+}
+
impl SpdmState<'_> {
pub(crate) fn new(
dev: *mut bindings::device,
@@ -686,4 +699,136 @@ pub(crate) fn get_digests(&mut self) -> Result<(), Error> {
Ok(())
}
+
+ fn get_cert_exchange(
+ &mut self,
+ request_buf: &mut [u8],
+ response_vec: &mut KVec<u8>,
+ ) -> Result<&GetCertificateRsp, Error> {
+ let len = self.spdm_exchange(request_buf, response_vec.as_mut_slice())? as usize;
+
+ // The transport must report a length within the buffer we provided.
+ if len < core::mem::size_of::<GetCertificateRsp>() {
+ pr_err!("Truncated certificate response\n");
+ return Err(EIO);
+ }
+ if len > response_vec.len() {
+ pr_err!("Overflowed get certificate response\n");
+ return Err(EIO);
+ }
+ response_vec.truncate(len);
+
+ let response: &GetCertificateRsp = Untrusted::new(response_vec.as_slice()).validate()?;
+
+ if len
+ < core::mem::size_of::<GetCertificateRsp>()
+ + u16::from_le(response.portion_length) as usize
+ {
+ pr_err!("Truncated certificate response\n");
+ return Err(EIO);
+ }
+
+ Ok(response)
+ }
+
+ pub(crate) fn get_certificate(&mut self, slot: u8) -> Result<(), Error> {
+ let mut request = GetCertificateReq::default();
+ request.version = self.version;
+ request.param1 = slot;
+
+ let req_sz = core::mem::size_of::<GetCertificateReq>();
+ let rsp_sz = (core::mem::size_of::<GetCertificateRsp>() as u32 + u16::MAX as u32)
+ .min(self.transport_sz) as usize;
+
+ request.offset = 0;
+ request.length = ((rsp_sz - core::mem::size_of::<GetCertificateRsp>()) as u16).to_le();
+
+ // SAFETY: `request` is repr(C) and packed, so we can convert it to a slice
+ let request_buf = unsafe { from_raw_parts_mut(&mut request as *mut _ as *mut u8, req_sz) };
+
+ let mut response_vec: KVec<u8> = KVec::from_elem(0u8, rsp_sz, GFP_KERNEL)?;
+
+ let response = self.get_cert_exchange(request_buf, &mut response_vec)?;
+
+ if response.param1 != slot {
+ pr_err!("Invalid slot response\n");
+ return Err(EPROTO);
+ }
+
+ let total_cert_len = u16::from_le(response.portion_length) as usize
+ + u16::from_le(response.remainder_length) as usize;
+
+ let mut certs_buf: KVec<u8> = KVec::new();
+
+ certs_buf.extend_from_slice(
+ &response_vec[8..(8 + u16::from_le(response.portion_length) as usize)],
+ GFP_KERNEL,
+ )?;
+
+ let mut offset: u16 = u16::from_le(response.portion_length);
+ let mut remainder_length = u16::from_le(response.remainder_length) as usize;
+
+ while remainder_length > 0 {
+ request.offset = offset.to_le();
+ request.length =
+ ((remainder_length.min(rsp_sz - core::mem::size_of::<GetCertificateRsp>())) as u16)
+ .to_le();
+
+ let request_buf =
+ unsafe { from_raw_parts_mut(&mut request as *mut _ as *mut u8, req_sz) };
+
+ response_vec.resize(
+ request.length as usize + core::mem::size_of::<GetCertificateRsp>(),
+ 0,
+ GFP_KERNEL,
+ )?;
+
+ let response = self.get_cert_exchange(request_buf, &mut response_vec)?;
+
+ if u16::from_le(response.portion_length) == 0
+ || (response.param1 & 0xF) != slot
+ || offset as usize
+ + u16::from_le(response.portion_length) as usize
+ + u16::from_le(response.remainder_length) as usize
+ != total_cert_len
+ {
+ pr_err!("Malformed certificate response\n");
+ return Err(EPROTO);
+ }
+
+ certs_buf.extend_from_slice(
+ &response_vec[8..(8 + u16::from_le(response.portion_length) as usize)],
+ GFP_KERNEL,
+ )?;
+ offset += u16::from_le(response.portion_length);
+ remainder_length = u16::from_le(response.remainder_length) as usize;
+ }
+
+ let header_length = core::mem::size_of::<SpdmCertChain>() + self.hash_len;
+
+ if total_cert_len < header_length as usize || total_cert_len != certs_buf.len() {
+ pr_err!("Malformed certificate chain in slot {slot}\n");
+ return Err(EPROTO);
+ }
+
+ let cert_chain_length = {
+ let ptr = certs_buf.as_ptr();
+ // SAFETY: `SpdmCertChain` is repr(C) and packed. We just
+ // checked the length above so we can convert it from a slice
+ let ptr = ptr.cast::<SpdmCertChain>();
+ // SAFETY: `ptr` came from a reference and the cast above is valid.
+ let certs: &SpdmCertChain = unsafe { &*ptr };
+ u16::from_le(certs.length) as usize
+ };
+
+ if total_cert_len != cert_chain_length {
+ pr_err!("Malformed certificate chain in slot {slot}\n");
+ return Err(EPROTO);
+ }
+
+ self.certs[slot as usize].clear();
+ self.certs[slot as usize].extend_from_slice(&certs_buf, GFP_KERNEL)?;
+
+ Ok(())
+ }
}
diff --git a/lib/rspdm/validator.rs b/lib/rspdm/validator.rs
index b3d5cab6a9ce..4e78683d7b22 100644
--- a/lib/rspdm/validator.rs
+++ b/lib/rspdm/validator.rs
@@ -30,6 +30,7 @@
SPDM_ASYM_ALGOS,
SPDM_CTEXPONENT,
SPDM_GET_CAPABILITIES,
+ SPDM_GET_CERTIFICATE,
SPDM_GET_DIGESTS,
SPDM_GET_VERSION,
SPDM_HASH_ALGOS,
@@ -426,3 +427,58 @@ fn validate(unvalidated: &[u8]) -> Result<Self, Self::Err> {
Ok(rsp)
}
}
+
+#[repr(C, packed)]
+pub(crate) struct GetCertificateReq {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8,
+ pub(crate) param2: u8,
+
+ pub(crate) offset: u16,
+ pub(crate) length: u16,
+}
+
+impl Default for GetCertificateReq {
+ fn default() -> Self {
+ GetCertificateReq {
+ version: 0,
+ code: SPDM_GET_CERTIFICATE,
+ param1: 0,
+ param2: 0,
+ offset: 0,
+ length: 0,
+ }
+ }
+}
+
+#[repr(C, packed)]
+pub(crate) struct GetCertificateRsp {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8,
+ pub(crate) param2: u8,
+
+ pub(crate) portion_length: u16,
+ pub(crate) remainder_length: u16,
+
+ pub(crate) cert_chain: __IncompleteArrayField<u8>,
+}
+
+impl Validate<Untrusted<&[u8]>> for &GetCertificateRsp {
+ type Err = Error;
+
+ fn validate(unvalidated: &[u8]) -> Result<Self, Self::Err> {
+ if unvalidated.len() < mem::size_of::<GetCertificateRsp>() {
+ return Err(EINVAL);
+ }
+
+ let ptr = unvalidated.as_ptr();
+ // CAST: `GetCertificateRsp` only contains integers and has `repr(C)`.
+ let ptr = ptr.cast::<GetCertificateRsp>();
+ // SAFETY: `ptr` came from a reference and the cast above is valid.
+ let rsp: &GetCertificateRsp = unsafe { &*ptr };
+
+ Ok(rsp)
+ }
+}
--
2.54.0
^ permalink raw reply related
* [PATCH v2 17/21] lib: rspdm: Support SPDM get_digests
From: alistair23 @ 2026-06-23 4:54 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair@alistair23.me>
Support the GET_DIGESTS SPDM command.
Signed-off-by: Alistair Francis <alistair@alistair23.me>
---
lib/rspdm/consts.rs | 7 ++--
lib/rspdm/lib.rs | 4 +++
lib/rspdm/state.rs | 80 +++++++++++++++++++++++++++++++++++++++++-
lib/rspdm/validator.rs | 53 ++++++++++++++++++++++++++++
4 files changed, 141 insertions(+), 3 deletions(-)
diff --git a/lib/rspdm/consts.rs b/lib/rspdm/consts.rs
index e222821bad5d..c4d9521866af 100644
--- a/lib/rspdm/consts.rs
+++ b/lib/rspdm/consts.rs
@@ -19,10 +19,11 @@
pub(crate) const SPDM_VER_10: u8 = 0x10;
pub(crate) const SPDM_VER_11: u8 = 0x11;
pub(crate) const SPDM_VER_12: u8 = 0x12;
-#[allow(dead_code)]
pub(crate) const SPDM_VER_13: u8 = 0x13;
pub(crate) const SPDM_VER_14: u8 = 0x14;
+pub(crate) const SPDM_SLOTS: usize = 8;
+
pub(crate) const SPDM_MIN_VER: u8 = SPDM_VER_10;
pub(crate) const SPDM_MAX_VER: u8 = SPDM_VER_14;
@@ -106,7 +107,7 @@ fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
mem::size_of::<GetVersionRsp>() + (u8::MAX as usize) * mem::size_of::<u16>();
pub(crate) const SPDM_GET_CAPABILITIES: u8 = 0xe1;
-pub(crate) const SPDM_MIN_DATA_TRANSFER_SIZE: u32 = 42;
+pub(crate) const SPDM_MIN_DATA_TRANSFER_SIZE: u32 = 42; // SPDM 1.2.0 margin no 226
// SPDM cryptographic timeout of this implementation:
// Assume calculations may take up to 1 sec on a busy machine, which equals
@@ -143,6 +144,8 @@ fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
pub(crate) const SPDM_HASH_SHA_384: u32 = bit_u32(1);
pub(crate) const SPDM_HASH_SHA_512: u32 = bit_u32(2);
+pub(crate) const SPDM_GET_DIGESTS: u8 = 0x81;
+
// If the crypto support isn't enabled don't offer the algorithms
// to the responder
#[cfg(CONFIG_CRYPTO_RSA)]
diff --git a/lib/rspdm/lib.rs b/lib/rspdm/lib.rs
index d418d15e4c70..bda5f91ca13c 100644
--- a/lib/rspdm/lib.rs
+++ b/lib/rspdm/lib.rs
@@ -110,6 +110,10 @@ pub extern "C" fn spdm_authenticate(state_ptr: *mut spdm_state) -> c_int {
return e.to_errno() as c_int;
}
+ if let Err(e) = state.get_digests() {
+ return e.to_errno() as c_int;
+ }
+
-(EPROTONOSUPPORT as i32)
}
diff --git a/lib/rspdm/state.rs b/lib/rspdm/state.rs
index e4eb009a977c..055f37289c8b 100644
--- a/lib/rspdm/state.rs
+++ b/lib/rspdm/state.rs
@@ -44,13 +44,17 @@
SPDM_OPAQUE_DATA_FMT_GENERAL,
SPDM_REQ,
SPDM_RSP_MIN_CAPS,
+ SPDM_SLOTS,
SPDM_VER_10,
SPDM_VER_11,
- SPDM_VER_12, //
+ SPDM_VER_12,
+ SPDM_VER_13, //
};
use crate::validator::{
GetCapabilitiesReq,
GetCapabilitiesRsp,
+ GetDigestsReq,
+ GetDigestsRsp,
GetVersionReq,
GetVersionRsp,
NegotiateAlgsReq,
@@ -86,6 +90,10 @@
/// Selected by responder during NEGOTIATE_ALGORITHMS exchange.
/// @meas_hash_alg: Hash algorithm for measurement blocks.
/// Selected by responder during NEGOTIATE_ALGORITHMS exchange.
+/// @supported_slots: Bitmask of responder's supported certificate slots.
+/// Received during GET_DIGESTS exchange (from SPDM 1.3).
+/// @provisioned_slots: Bitmask of responder's provisioned certificate slots.
+/// Received during GET_DIGESTS exchange.
/// @base_asym_enc: Human-readable name of @base_asym_alg's signature encoding.
/// Passed to crypto subsystem when calling verify_signature().
/// @sig_len: Signature length of @base_asym_alg (in bytes).
@@ -97,6 +105,8 @@
/// @desc: Synchronous hash context for @base_hash_alg computation.
/// @hash_len: Hash length of @base_hash_alg (in bytes).
/// H in SPDM specification.
+/// @certs: Certificate chain in each of the 8 slots. Empty KVec if a slot is
+/// not populated. Prefixed by the 4 + H header per SPDM 1.0.0 table 15.
#[expect(dead_code)]
pub(crate) struct SpdmState<'a> {
pub(crate) dev: *mut bindings::device,
@@ -111,6 +121,8 @@ pub(crate) struct SpdmState<'a> {
pub(crate) base_asym_alg: u32,
pub(crate) base_hash_alg: u32,
pub(crate) meas_hash_alg: u32,
+ pub(crate) supported_slots: u8,
+ pub(crate) provisioned_slots: u8,
/* Signature algorithm */
base_asym_enc: &'a CStr,
@@ -121,6 +133,9 @@ pub(crate) struct SpdmState<'a> {
pub(crate) shash: *mut bindings::crypto_shash,
pub(crate) desc: Option<&'a mut bindings::shash_desc>,
pub(crate) hash_len: usize,
+
+ // Certificates
+ pub(crate) certs: [KVec<u8>; SPDM_SLOTS],
}
impl Drop for SpdmState<'_> {
@@ -161,12 +176,15 @@ pub(crate) fn new(
base_asym_alg: 0,
base_hash_alg: 0,
meas_hash_alg: 0,
+ supported_slots: 0,
+ provisioned_slots: 0,
base_asym_enc: unsafe { CStr::from_bytes_with_nul_unchecked(b"\0") },
sig_len: 0,
base_hash_alg_name: unsafe { CStr::from_bytes_with_nul_unchecked(b"\0") },
shash: core::ptr::null_mut(),
desc: None,
hash_len: 0,
+ certs: [const { KVec::new() }; SPDM_SLOTS],
}
}
@@ -608,4 +626,64 @@ pub(crate) fn negotiate_algs(&mut self) -> Result<(), Error> {
Ok(())
}
+
+ pub(crate) fn get_digests(&mut self) -> Result<(), Error> {
+ let mut request = GetDigestsReq::default();
+ request.version = self.version;
+
+ let req_sz = core::mem::size_of::<GetDigestsReq>();
+ let rsp_sz = core::mem::size_of::<GetDigestsRsp>() + SPDM_SLOTS * self.hash_len;
+
+ // SAFETY: `request` is repr(C) and packed, so we can convert it to a slice
+ let request_buf = unsafe { from_raw_parts_mut(&mut request as *mut _ as *mut u8, req_sz) };
+
+ let mut response_vec: KVec<u8> = KVec::from_elem(0u8, rsp_sz, GFP_KERNEL)?;
+
+ let len = self.spdm_exchange(request_buf, response_vec.as_mut_slice())? as usize;
+
+ // The transport must report a length within the buffer we provided.
+ if len > response_vec.len() {
+ pr_err!("Overflowed digests response\n");
+ return Err(EIO);
+ }
+ response_vec.truncate(len);
+
+ let response: &GetDigestsRsp = Untrusted::new(response_vec.as_slice()).validate()?;
+
+ if len
+ < core::mem::size_of::<GetDigestsRsp>()
+ + response.param2.count_ones() as usize * self.hash_len
+ {
+ pr_err!("Overflowed digests response\n");
+ return Err(EIO);
+ }
+
+ let mut deprovisioned_slots = self.provisioned_slots & !response.param2;
+ while (deprovisioned_slots.trailing_zeros() as usize) < SPDM_SLOTS {
+ let slot = deprovisioned_slots.trailing_zeros() as usize;
+ self.certs[slot].clear();
+ deprovisioned_slots &= !(1 << slot);
+ }
+
+ if self.version >= SPDM_VER_13 && (response.param2 & !response.param1 != 0) {
+ pr_err!("Malformed digests response\n");
+ return Err(EPROTO);
+ }
+
+ self.provisioned_slots = response.param2;
+ if self.provisioned_slots == 0 {
+ pr_err!("No certificates provisioned\n");
+ return Err(EPROTO);
+ }
+
+ let supported_slots = if self.version >= SPDM_VER_13 {
+ response.param1
+ } else {
+ 0xFF
+ };
+
+ self.supported_slots = supported_slots;
+
+ Ok(())
+ }
}
diff --git a/lib/rspdm/validator.rs b/lib/rspdm/validator.rs
index c53828376fca..b3d5cab6a9ce 100644
--- a/lib/rspdm/validator.rs
+++ b/lib/rspdm/validator.rs
@@ -30,6 +30,7 @@
SPDM_ASYM_ALGOS,
SPDM_CTEXPONENT,
SPDM_GET_CAPABILITIES,
+ SPDM_GET_DIGESTS,
SPDM_GET_VERSION,
SPDM_HASH_ALGOS,
SPDM_MEAS_SPEC_DMTF,
@@ -373,3 +374,55 @@ fn validate(unvalidated: &[u8]) -> Result<Self, Self::Err> {
Ok(rsp)
}
}
+
+#[repr(C, packed)]
+pub(crate) struct GetDigestsReq {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8,
+ pub(crate) param2: u8,
+}
+
+impl Default for GetDigestsReq {
+ fn default() -> Self {
+ GetDigestsReq {
+ version: 0,
+ code: SPDM_GET_DIGESTS,
+ param1: 0,
+ param2: 0,
+ }
+ }
+}
+
+#[repr(C, packed)]
+pub(crate) struct GetDigestsRsp {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8,
+ pub(crate) param2: u8,
+
+ pub(crate) digests: __IncompleteArrayField<u8>,
+ // KeyPairIDs, added in 1.3
+
+ // CertificateInfo, added in 1.3
+
+ // KeyUsageMask, added in 1.3
+}
+
+impl Validate<Untrusted<&[u8]>> for &GetDigestsRsp {
+ type Err = Error;
+
+ fn validate(unvalidated: &[u8]) -> Result<Self, Self::Err> {
+ if unvalidated.len() < mem::size_of::<GetDigestsRsp>() {
+ return Err(EINVAL);
+ }
+
+ let ptr = unvalidated.as_ptr();
+ // CAST: `GetDigestsRsp` only contains integers and has `repr(C)`.
+ let ptr = ptr.cast::<GetDigestsRsp>();
+ // SAFETY: `ptr` came from a reference and the cast above is valid.
+ let rsp: &GetDigestsRsp = unsafe { &*ptr };
+
+ Ok(rsp)
+ }
+}
--
2.54.0
^ permalink raw reply related
* [PATCH v2 16/21] lib: rspdm: Support SPDM negotiate_algorithms
From: alistair23 @ 2026-06-23 4:54 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair@alistair23.me>
Support the NEGOTIATE_ALGORITHMS SPDM command.
Signed-off-by: Alistair Francis <alistair@alistair23.me>
---
lib/rspdm/consts.rs | 56 +++++++++-
lib/rspdm/lib.rs | 9 +-
lib/rspdm/state.rs | 239 ++++++++++++++++++++++++++++++++++++++++-
lib/rspdm/validator.rs | 110 ++++++++++++++++++-
4 files changed, 408 insertions(+), 6 deletions(-)
diff --git a/lib/rspdm/consts.rs b/lib/rspdm/consts.rs
index 15d69631ed8c..e222821bad5d 100644
--- a/lib/rspdm/consts.rs
+++ b/lib/rspdm/consts.rs
@@ -9,7 +9,10 @@
use crate::validator::GetVersionRsp;
use core::mem;
-use kernel::bits::bit_u32;
+use kernel::bits::{
+ bit_u32,
+ bit_u8, //
+};
use kernel::error::{code::EINVAL, Error};
// SPDM versions supported by this implementation
@@ -114,6 +117,57 @@ fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
pub(crate) const SPDM_CERT_CAP: u32 = bit_u32(1);
pub(crate) const SPDM_CHAL_CAP: u32 = bit_u32(2);
+pub(crate) const SPDM_KEY_EX_CAP: u32 = bit_u32(9);
pub(crate) const SPDM_REQ_CAPS: u32 = SPDM_CERT_CAP | SPDM_CHAL_CAP;
pub(crate) const SPDM_RSP_MIN_CAPS: u32 = SPDM_CERT_CAP | SPDM_CHAL_CAP;
+
+pub(crate) const SPDM_NEGOTIATE_ALGS: u8 = 0xe3;
+
+pub(crate) const SPDM_MEAS_SPEC_DMTF: u8 = bit_u8(0);
+
+pub(crate) const SPDM_ASYM_RSASSA_2048: u32 = bit_u32(0);
+pub(crate) const _SPDM_ASYM_RSAPSS_2048: u32 = bit_u32(1);
+pub(crate) const SPDM_ASYM_RSASSA_3072: u32 = bit_u32(2);
+pub(crate) const _SPDM_ASYM_RSAPSS_3072: u32 = bit_u32(3);
+pub(crate) const SPDM_ASYM_ECDSA_ECC_NIST_P256: u32 = bit_u32(4);
+pub(crate) const SPDM_ASYM_RSASSA_4096: u32 = bit_u32(5);
+pub(crate) const _SPDM_ASYM_RSAPSS_4096: u32 = bit_u32(6);
+pub(crate) const SPDM_ASYM_ECDSA_ECC_NIST_P384: u32 = bit_u32(7);
+pub(crate) const SPDM_ASYM_ECDSA_ECC_NIST_P521: u32 = bit_u32(8);
+pub(crate) const _SPDM_ASYM_SM2_ECC_SM2_P256: u32 = bit_u32(9);
+pub(crate) const _SPDM_ASYM_EDDSA_ED25519: u32 = bit_u32(10);
+pub(crate) const _SPDM_ASYM_EDDSA_ED448: u32 = bit_u32(11);
+
+pub(crate) const SPDM_HASH_SHA_256: u32 = bit_u32(0);
+pub(crate) const SPDM_HASH_SHA_384: u32 = bit_u32(1);
+pub(crate) const SPDM_HASH_SHA_512: u32 = bit_u32(2);
+
+// If the crypto support isn't enabled don't offer the algorithms
+// to the responder
+#[cfg(CONFIG_CRYPTO_RSA)]
+pub(crate) const SPDM_ASYM_RSA: u32 =
+ SPDM_ASYM_RSASSA_2048 | SPDM_ASYM_RSASSA_3072 | SPDM_ASYM_RSASSA_4096;
+#[cfg(not(CONFIG_CRYPTO_RSA))]
+pub(crate) const SPDM_ASYM_RSA: u32 = 0;
+
+#[cfg(CONFIG_CRYPTO_ECDSA)]
+pub(crate) const SPDM_ASYM_ECDSA: u32 =
+ SPDM_ASYM_ECDSA_ECC_NIST_P256 | SPDM_ASYM_ECDSA_ECC_NIST_P384 | SPDM_ASYM_ECDSA_ECC_NIST_P521;
+#[cfg(not(CONFIG_CRYPTO_ECDSA))]
+pub(crate) const SPDM_ASYM_ECDSA: u32 = 0;
+
+#[cfg(CONFIG_CRYPTO_SHA256)]
+pub(crate) const SPDM_HASH_SHA2_256: u32 = SPDM_HASH_SHA_256;
+#[cfg(not(CONFIG_CRYPTO_SHA256))]
+pub(crate) const SPDM_HASH_SHA2_256: u32 = 0;
+
+#[cfg(CONFIG_CRYPTO_SHA512)]
+pub(crate) const SPDM_HASH_SHA2_384_512: u32 = SPDM_HASH_SHA_384 | SPDM_HASH_SHA_512;
+#[cfg(not(CONFIG_CRYPTO_SHA512))]
+pub(crate) const SPDM_HASH_SHA2_384_512: u32 = 0;
+
+pub(crate) const SPDM_ASYM_ALGOS: u32 = SPDM_ASYM_RSA | SPDM_ASYM_ECDSA;
+pub(crate) const SPDM_HASH_ALGOS: u32 = SPDM_HASH_SHA2_256 | SPDM_HASH_SHA2_384_512;
+
+pub(crate) const SPDM_OPAQUE_DATA_FMT_GENERAL: u8 = bit_u8(1);
diff --git a/lib/rspdm/lib.rs b/lib/rspdm/lib.rs
index 76325babdff2..d418d15e4c70 100644
--- a/lib/rspdm/lib.rs
+++ b/lib/rspdm/lib.rs
@@ -94,7 +94,7 @@ pub extern "C" fn spdm_authenticate(state_ptr: *mut spdm_state) -> c_int {
// exclusive `&mut SpdmState` lives entirely inside the lock guard, so
// concurrent FFI callers serialize on the mutex and can never form
// aliased `&mut SpdmState` references.
- let mutex: &Mutex<SpdmState> = unsafe { &*(state_ptr as *const Mutex<SpdmState>) };
+ let mutex: &Mutex<SpdmState<'_>> = unsafe { &*(state_ptr as *const Mutex<SpdmState<'_>>) };
let mut state = mutex.lock();
@@ -106,6 +106,10 @@ pub extern "C" fn spdm_authenticate(state_ptr: *mut spdm_state) -> c_int {
return e.to_errno() as c_int;
}
+ if let Err(e) = state.negotiate_algs() {
+ return e.to_errno() as c_int;
+ }
+
-(EPROTONOSUPPORT as i32)
}
@@ -117,11 +121,12 @@ pub extern "C" fn spdm_destroy(state_ptr: *mut spdm_state) {
if state_ptr.is_null() {
return;
}
+
// SAFETY: `state_ptr` was returned from `spdm_create()`, which leaked a
// `Pin<KBox<Mutex<SpdmState>>>` via `KBox::into_raw`. The caller
// guarantees the state is no longer in use. Reconstructing the pinned
// box and dropping it runs `Drop` for the `Mutex` and `SpdmState` and
// frees the allocation.
- let b = unsafe { KBox::from_raw(state_ptr as *mut Mutex<SpdmState>) };
+ let b = unsafe { KBox::from_raw(state_ptr as *mut Mutex<SpdmState<'_>>) };
drop(unsafe { Pin::new_unchecked(b) });
}
diff --git a/lib/rspdm/state.rs b/lib/rspdm/state.rs
index 5ef14c8ed237..e4eb009a977c 100644
--- a/lib/rspdm/state.rs
+++ b/lib/rspdm/state.rs
@@ -14,19 +14,34 @@
bindings,
error::{
code::EINVAL,
+ from_err_ptr,
to_result,
Error, //
},
+ str::CStr,
validate::Untrusted,
};
use crate::consts::{
SpdmErrorCode,
+ SPDM_ASYM_ALGOS,
+ SPDM_ASYM_ECDSA_ECC_NIST_P256,
+ SPDM_ASYM_ECDSA_ECC_NIST_P384,
+ SPDM_ASYM_ECDSA_ECC_NIST_P521,
+ SPDM_ASYM_RSASSA_2048,
+ SPDM_ASYM_RSASSA_3072,
+ SPDM_ASYM_RSASSA_4096,
SPDM_ERROR,
SPDM_GET_VERSION_LEN,
+ SPDM_HASH_ALGOS,
+ SPDM_HASH_SHA_256,
+ SPDM_HASH_SHA_384,
+ SPDM_HASH_SHA_512,
+ SPDM_KEY_EX_CAP,
SPDM_MAX_VER,
SPDM_MIN_DATA_TRANSFER_SIZE,
SPDM_MIN_VER,
+ SPDM_OPAQUE_DATA_FMT_GENERAL,
SPDM_REQ,
SPDM_RSP_MIN_CAPS,
SPDM_VER_10,
@@ -38,6 +53,8 @@
GetCapabilitiesRsp,
GetVersionReq,
GetVersionRsp,
+ NegotiateAlgsReq,
+ NegotiateAlgsRsp,
SpdmErrorRsp,
SpdmHeader, //
};
@@ -61,8 +78,27 @@
/// Negotiated during GET_VERSION exchange.
/// `rsp_caps`: Cached capabilities of responder.
/// Received during GET_CAPABILITIES exchange.
+/// @base_asym_alg: Asymmetric key algorithm for signature verification of
+/// CHALLENGE_AUTH and MEASUREMENTS messages.
+/// Selected by responder during NEGOTIATE_ALGORITHMS exchange.
+/// @base_hash_alg: Hash algorithm for signature verification of
+/// CHALLENGE_AUTH and MEASUREMENTS messages.
+/// Selected by responder during NEGOTIATE_ALGORITHMS exchange.
+/// @meas_hash_alg: Hash algorithm for measurement blocks.
+/// Selected by responder during NEGOTIATE_ALGORITHMS exchange.
+/// @base_asym_enc: Human-readable name of @base_asym_alg's signature encoding.
+/// Passed to crypto subsystem when calling verify_signature().
+/// @sig_len: Signature length of @base_asym_alg (in bytes).
+/// S or SigLen in SPDM specification.
+/// @base_hash_alg_name: Human-readable name of @base_hash_alg.
+/// Passed to crypto subsystem when calling crypto_alloc_shash() and
+/// verify_signature().
+/// @shash: Synchronous hash handle for @base_hash_alg computation.
+/// @desc: Synchronous hash context for @base_hash_alg computation.
+/// @hash_len: Hash length of @base_hash_alg (in bytes).
+/// H in SPDM specification.
#[expect(dead_code)]
-pub(crate) struct SpdmState {
+pub(crate) struct SpdmState<'a> {
pub(crate) dev: *mut bindings::device,
pub(crate) transport: bindings::spdm_transport,
pub(crate) transport_priv: *mut c_void,
@@ -72,9 +108,41 @@ pub(crate) struct SpdmState {
// Negotiated state
pub(crate) version: u8,
pub(crate) rsp_caps: u32,
+ pub(crate) base_asym_alg: u32,
+ pub(crate) base_hash_alg: u32,
+ pub(crate) meas_hash_alg: u32,
+
+ /* Signature algorithm */
+ base_asym_enc: &'a CStr,
+ sig_len: usize,
+
+ /* Hash algorithm */
+ base_hash_alg_name: &'a CStr,
+ pub(crate) shash: *mut bindings::crypto_shash,
+ pub(crate) desc: Option<&'a mut bindings::shash_desc>,
+ pub(crate) hash_len: usize,
}
-impl SpdmState {
+impl Drop for SpdmState<'_> {
+ fn drop(&mut self) {
+ if let Some(desc) = self.desc.take() {
+ // SAFETY: `self.shash` is a valid handle
+ let desc_len = core::mem::size_of::<bindings::shash_desc>()
+ + unsafe { bindings::crypto_shash_descsize(self.shash) } as usize;
+
+ // SAFETY: `desc` was allocated and converted to a raw pointer with
+ // into_raw_parts()
+ let desc_vec = unsafe { KVec::from_raw_parts(desc, desc_len, desc_len) };
+ drop(desc_vec);
+ }
+
+ unsafe {
+ bindings::crypto_free_shash(self.shash);
+ }
+ }
+}
+
+impl SpdmState<'_> {
pub(crate) fn new(
dev: *mut bindings::device,
transport: bindings::spdm_transport,
@@ -90,6 +158,15 @@ pub(crate) fn new(
validate,
version: SPDM_MIN_VER,
rsp_caps: 0,
+ base_asym_alg: 0,
+ base_hash_alg: 0,
+ meas_hash_alg: 0,
+ base_asym_enc: unsafe { CStr::from_bytes_with_nul_unchecked(b"\0") },
+ sig_len: 0,
+ base_hash_alg_name: unsafe { CStr::from_bytes_with_nul_unchecked(b"\0") },
+ shash: core::ptr::null_mut(),
+ desc: None,
+ hash_len: 0,
}
}
@@ -373,4 +450,162 @@ pub(crate) fn get_capabilities(&mut self) -> Result<(), Error> {
Ok(())
}
+
+ fn update_response_algs(&mut self) -> Result<(), Error> {
+ match self.base_asym_alg {
+ SPDM_ASYM_RSASSA_2048 => {
+ self.sig_len = 256;
+ self.base_asym_enc = CStr::from_bytes_with_nul(b"pkcs1\0")?;
+ }
+ SPDM_ASYM_RSASSA_3072 => {
+ self.sig_len = 384;
+ self.base_asym_enc = CStr::from_bytes_with_nul(b"pkcs1\0")?;
+ }
+ SPDM_ASYM_RSASSA_4096 => {
+ self.sig_len = 512;
+ self.base_asym_enc = CStr::from_bytes_with_nul(b"pkcs1\0")?;
+ }
+ SPDM_ASYM_ECDSA_ECC_NIST_P256 => {
+ self.sig_len = 64;
+ self.base_asym_enc = CStr::from_bytes_with_nul(b"p1363\0")?;
+ }
+ SPDM_ASYM_ECDSA_ECC_NIST_P384 => {
+ self.sig_len = 96;
+ self.base_asym_enc = CStr::from_bytes_with_nul(b"p1363\0")?;
+ }
+ SPDM_ASYM_ECDSA_ECC_NIST_P521 => {
+ self.sig_len = 132;
+ self.base_asym_enc = CStr::from_bytes_with_nul(b"p1363\0")?;
+ }
+ _ => {
+ pr_err!("Unknown asym algorithm\n");
+ return Err(EINVAL);
+ }
+ }
+
+ match self.base_hash_alg {
+ SPDM_HASH_SHA_256 => {
+ self.base_hash_alg_name = CStr::from_bytes_with_nul(b"sha256\0")?;
+ }
+ SPDM_HASH_SHA_384 => {
+ self.base_hash_alg_name = CStr::from_bytes_with_nul(b"sha384\0")?;
+ }
+ SPDM_HASH_SHA_512 => {
+ self.base_hash_alg_name = CStr::from_bytes_with_nul(b"sha512\0")?;
+ }
+ _ => {
+ pr_err!("Unknown hash algorithm\n");
+ return Err(EINVAL);
+ }
+ }
+
+ // This is freed in when `SpdmState` is dropped, but this call
+ // can happen multiple times.
+ if self.shash != core::ptr::null_mut() {
+ if let Some(desc) = self.desc.take() {
+ // SAFETY: `self.shash` is a valid handle
+ let desc_len = core::mem::size_of::<bindings::shash_desc>()
+ + unsafe { bindings::crypto_shash_descsize(self.shash) } as usize;
+
+ // SAFETY: `desc` was allocated and converted to a raw pointer with
+ // into_raw_parts()
+ let desc_vec = unsafe { KVec::from_raw_parts(desc, desc_len, desc_len) };
+ drop(desc_vec);
+ }
+
+ unsafe {
+ bindings::crypto_free_shash(self.shash);
+ }
+ }
+
+ self.shash =
+ unsafe { bindings::crypto_alloc_shash(self.base_hash_alg_name.as_char_ptr(), 0, 0) };
+ if let Err(e) = from_err_ptr(self.shash) {
+ self.shash = core::ptr::null_mut();
+ return Err(e);
+ }
+
+ // SAFETY: `self.shash` is a valid handle (verified above).
+ let desc_len = core::mem::size_of::<bindings::shash_desc>()
+ + unsafe { bindings::crypto_shash_descsize(self.shash) } as usize;
+
+ let desc_vec: KVec<u8> = KVec::from_elem(0u8, desc_len, GFP_KERNEL)?;
+ // Consume the desc_vec to make sure it isn't dropped, untill we
+ // manually drop it later
+ let (desc_buf, _length, _capacity) = desc_vec.into_raw_parts();
+
+ // SAFETY: We are casting the allocation to be a shash_desc
+ let desc = unsafe {
+ core::mem::transmute::<*mut c_void, &mut bindings::shash_desc>(desc_buf as *mut c_void)
+ };
+ desc.tfm = self.shash;
+
+ self.desc = Some(desc);
+
+ /* Used frequently to compute offsets, so cache H */
+ self.hash_len = unsafe { bindings::crypto_shash_digestsize(self.shash) as usize };
+
+ if let Some(desc) = &mut self.desc {
+ // SAFETY: `self.desc` is a valid and initalised `shash_desc` sized buffer
+ unsafe { to_result(bindings::crypto_shash_init(*desc)) }
+ } else {
+ Err(ENOMEM)
+ }
+ }
+
+ pub(crate) fn negotiate_algs(&mut self) -> Result<(), Error> {
+ let mut request = NegotiateAlgsReq::default();
+ request.version = self.version;
+
+ if self.version >= SPDM_VER_12 && (self.rsp_caps & SPDM_KEY_EX_CAP) == SPDM_KEY_EX_CAP {
+ request.other_params_support = SPDM_OPAQUE_DATA_FMT_GENERAL;
+ }
+
+ let req_sz = core::mem::size_of::<NegotiateAlgsReq>();
+ let rsp_sz = core::mem::size_of::<NegotiateAlgsRsp>();
+
+ request.length = (req_sz as u16).to_le();
+
+ // SAFETY: `request` is repr(C) and packed, so we can convert it to a slice
+ let request_buf = unsafe { from_raw_parts_mut(&mut request as *mut _ as *mut u8, req_sz) };
+
+ let mut response_vec: KVec<u8> = KVec::from_elem(0u8, rsp_sz, GFP_KERNEL)?;
+
+ let rc = self.spdm_exchange(request_buf, response_vec.as_mut_slice())? as usize;
+
+ // The transport must report a length within the buffer we provided.
+ if rc > response_vec.len() {
+ pr_err!("Overflowed capabilities response\n");
+ return Err(EIO);
+ }
+ response_vec.truncate(rc);
+
+ let response: &NegotiateAlgsRsp = Untrusted::new(response_vec.as_slice()).validate()?;
+
+ self.base_asym_alg = u32::from_le(response.base_asym_sel);
+ self.base_hash_alg = u32::from_le(response.base_hash_sel);
+ self.meas_hash_alg = u32::from_le(response.measurement_hash_algo);
+
+ if self.base_asym_alg & SPDM_ASYM_ALGOS == 0 || self.base_hash_alg & SPDM_HASH_ALGOS == 0 {
+ pr_err!("No common supported algorithms\n");
+ return Err(EPROTO);
+ }
+
+ // /* Responder shall select exactly 1 alg (SPDM 1.0.0 table 14) */
+ if self.base_asym_alg.count_ones() != 1
+ || self.base_hash_alg.count_ones() != 1
+ || self.meas_hash_alg.count_ones() != 1
+ || response.ext_asym_sel_count != 0
+ || response.ext_hash_sel_count != 0
+ || response.param1 > request.param1
+ || response.other_params_sel != request.other_params_support
+ {
+ pr_err!("Malformed algorithms response\n");
+ return Err(EPROTO);
+ }
+
+ self.update_response_algs()?;
+
+ Ok(())
+ }
}
diff --git a/lib/rspdm/validator.rs b/lib/rspdm/validator.rs
index 7b5aca5d50f8..c53828376fca 100644
--- a/lib/rspdm/validator.rs
+++ b/lib/rspdm/validator.rs
@@ -9,7 +9,8 @@
use crate::bindings::{
__IncompleteArrayField,
- __le16, //
+ __le16,
+ __le32, //
};
use crate::consts::SpdmErrorCode;
use core::mem;
@@ -26,10 +27,14 @@
};
use crate::consts::{
+ SPDM_ASYM_ALGOS,
SPDM_CTEXPONENT,
SPDM_GET_CAPABILITIES,
SPDM_GET_VERSION,
+ SPDM_HASH_ALGOS,
+ SPDM_MEAS_SPEC_DMTF,
SPDM_MIN_VER,
+ SPDM_NEGOTIATE_ALGS,
SPDM_REQ_CAPS,
SPDM_VER_10,
SPDM_VER_11, //
@@ -265,3 +270,106 @@ fn validate(unvalidated: &mut KVec<u8>) -> Result<Self, Self::Err> {
Ok(rsp)
}
}
+
+#[repr(C, packed)]
+pub(crate) struct RegAlg {
+ pub(crate) alg_type: u8,
+ pub(crate) alg_count: u8,
+ pub(crate) alg_supported: u16,
+ pub(crate) alg_external: __IncompleteArrayField<__le32>,
+}
+
+#[repr(C, packed)]
+pub(crate) struct NegotiateAlgsReq {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8, // size of resp_alg_struct
+ param2: u8,
+
+ pub(crate) length: u16,
+ pub(crate) measurement_specification: u8,
+ pub(crate) other_params_support: u8,
+
+ pub(crate) base_asym_algo: u32,
+ pub(crate) base_hash_algo: u32,
+
+ reserved1: [u8; 12],
+
+ pub(crate) ext_asym_count: u8,
+ pub(crate) ext_hash_count: u8,
+ reserved2: u8,
+ pub(crate) mel_specification: u8,
+
+ pub(crate) ext_asym: __IncompleteArrayField<__le32>,
+ pub(crate) ext_hash: __IncompleteArrayField<__le32>,
+ pub(crate) resp_alg_struct: __IncompleteArrayField<RegAlg>,
+}
+
+impl Default for NegotiateAlgsReq {
+ fn default() -> Self {
+ NegotiateAlgsReq {
+ version: 0,
+ code: SPDM_NEGOTIATE_ALGS,
+ param1: 0, // Size of resp_alg_struct
+ param2: 0,
+ length: 32,
+ measurement_specification: SPDM_MEAS_SPEC_DMTF,
+ other_params_support: 0,
+ base_asym_algo: SPDM_ASYM_ALGOS.to_le(),
+ base_hash_algo: SPDM_HASH_ALGOS.to_le(),
+ reserved1: [0u8; 12],
+ ext_asym_count: 0,
+ ext_hash_count: 0,
+ reserved2: 0,
+ mel_specification: 0,
+ ext_asym: __IncompleteArrayField::new(),
+ ext_hash: __IncompleteArrayField::new(),
+ resp_alg_struct: __IncompleteArrayField::new(),
+ }
+ }
+}
+
+#[repr(C, packed)]
+pub(crate) struct NegotiateAlgsRsp {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8,
+ pub(crate) param2: u8,
+
+ pub(crate) length: u16,
+ pub(crate) measurement_specification_sel: u8,
+ pub(crate) other_params_sel: u8,
+
+ pub(crate) measurement_hash_algo: u32,
+ pub(crate) base_asym_sel: u32,
+ pub(crate) base_hash_sel: u32,
+
+ reserved1: [u8; 11],
+
+ pub(crate) mel_specification_sel: u8,
+ pub(crate) ext_asym_sel_count: u8,
+ pub(crate) ext_hash_sel_count: u8,
+ reserved2: [u8; 2],
+
+ pub(crate) ext_asym: __IncompleteArrayField<__le32>,
+ pub(crate) ext_hash: __IncompleteArrayField<__le32>,
+ pub(crate) resp_alg_struct: __IncompleteArrayField<RegAlg>,
+}
+
+impl Validate<Untrusted<&[u8]>> for &NegotiateAlgsRsp {
+ type Err = Error;
+
+ fn validate(unvalidated: &[u8]) -> Result<Self, Self::Err> {
+ if unvalidated.len() < mem::size_of::<NegotiateAlgsRsp>() {
+ return Err(EINVAL);
+ }
+
+ let ptr = unvalidated.as_ptr();
+ // CAST: `NegotiateAlgsRsp` only contains integers and has `repr(C)`.
+ let ptr = ptr.cast::<NegotiateAlgsRsp>();
+ // SAFETY: `ptr` came from a reference and the cast above is valid.
+ let rsp: &NegotiateAlgsRsp = unsafe { &*ptr };
+
+ Ok(rsp)
+ }
+}
--
2.54.0
^ permalink raw reply related
* [PATCH v2 15/21] lib: rspdm: Support SPDM get_capabilities
From: alistair23 @ 2026-06-23 4:54 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair@alistair23.me>
Support the GET_CAPABILITIES SPDM command.
Signed-off-by: Alistair Francis <alistair@alistair23.me>
---
lib/rspdm/consts.rs | 19 +++++++-
lib/rspdm/lib.rs | 4 ++
lib/rspdm/state.rs | 78 ++++++++++++++++++++++++++++-
lib/rspdm/validator.rs | 108 ++++++++++++++++++++++++++++++++++++++++-
rust/kernel/error.rs | 1 +
5 files changed, 206 insertions(+), 4 deletions(-)
diff --git a/lib/rspdm/consts.rs b/lib/rspdm/consts.rs
index 055671d43abd..15d69631ed8c 100644
--- a/lib/rspdm/consts.rs
+++ b/lib/rspdm/consts.rs
@@ -9,13 +9,12 @@
use crate::validator::GetVersionRsp;
use core::mem;
+use kernel::bits::bit_u32;
use kernel::error::{code::EINVAL, Error};
// SPDM versions supported by this implementation
pub(crate) const SPDM_VER_10: u8 = 0x10;
-#[allow(dead_code)]
pub(crate) const SPDM_VER_11: u8 = 0x11;
-#[allow(dead_code)]
pub(crate) const SPDM_VER_12: u8 = 0x12;
#[allow(dead_code)]
pub(crate) const SPDM_VER_13: u8 = 0x13;
@@ -102,3 +101,19 @@ fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
pub(crate) const SPDM_GET_VERSION: u8 = 0x84;
pub(crate) const SPDM_GET_VERSION_LEN: usize =
mem::size_of::<GetVersionRsp>() + (u8::MAX as usize) * mem::size_of::<u16>();
+
+pub(crate) const SPDM_GET_CAPABILITIES: u8 = 0xe1;
+pub(crate) const SPDM_MIN_DATA_TRANSFER_SIZE: u32 = 42;
+
+// SPDM cryptographic timeout of this implementation:
+// Assume calculations may take up to 1 sec on a busy machine, which equals
+// roughly 1 << 20. That's within the limits mandated for responders by CMA
+// (1 << 23 usec, PCIe r6.2 sec 6.31.3) and DOE (1 sec, PCIe r6.2 sec 6.30.2).
+// Used in GET_CAPABILITIES exchange.
+pub(crate) const SPDM_CTEXPONENT: u8 = 20;
+
+pub(crate) const SPDM_CERT_CAP: u32 = bit_u32(1);
+pub(crate) const SPDM_CHAL_CAP: u32 = bit_u32(2);
+
+pub(crate) const SPDM_REQ_CAPS: u32 = SPDM_CERT_CAP | SPDM_CHAL_CAP;
+pub(crate) const SPDM_RSP_MIN_CAPS: u32 = SPDM_CERT_CAP | SPDM_CHAL_CAP;
diff --git a/lib/rspdm/lib.rs b/lib/rspdm/lib.rs
index 58d86ea06fd9..76325babdff2 100644
--- a/lib/rspdm/lib.rs
+++ b/lib/rspdm/lib.rs
@@ -102,6 +102,10 @@ pub extern "C" fn spdm_authenticate(state_ptr: *mut spdm_state) -> c_int {
return e.to_errno() as c_int;
}
+ if let Err(e) = state.get_capabilities() {
+ return e.to_errno() as c_int;
+ }
+
-(EPROTONOSUPPORT as i32)
}
diff --git a/lib/rspdm/state.rs b/lib/rspdm/state.rs
index 9e8c65a12199..5ef14c8ed237 100644
--- a/lib/rspdm/state.rs
+++ b/lib/rspdm/state.rs
@@ -25,10 +25,17 @@
SPDM_ERROR,
SPDM_GET_VERSION_LEN,
SPDM_MAX_VER,
+ SPDM_MIN_DATA_TRANSFER_SIZE,
SPDM_MIN_VER,
- SPDM_REQ, //
+ SPDM_REQ,
+ SPDM_RSP_MIN_CAPS,
+ SPDM_VER_10,
+ SPDM_VER_11,
+ SPDM_VER_12, //
};
use crate::validator::{
+ GetCapabilitiesReq,
+ GetCapabilitiesRsp,
GetVersionReq,
GetVersionRsp,
SpdmErrorRsp,
@@ -52,6 +59,8 @@
///
/// `version`: Maximum common supported version of requester and responder.
/// Negotiated during GET_VERSION exchange.
+/// `rsp_caps`: Cached capabilities of responder.
+/// Received during GET_CAPABILITIES exchange.
#[expect(dead_code)]
pub(crate) struct SpdmState {
pub(crate) dev: *mut bindings::device,
@@ -62,6 +71,7 @@ pub(crate) struct SpdmState {
// Negotiated state
pub(crate) version: u8,
+ pub(crate) rsp_caps: u32,
}
impl SpdmState {
@@ -79,6 +89,7 @@ pub(crate) fn new(
transport_sz,
validate,
version: SPDM_MIN_VER,
+ rsp_caps: 0,
}
}
@@ -297,4 +308,69 @@ pub(crate) fn get_version(&mut self) -> Result<(), Error> {
Ok(())
}
+
+ /// Obtain the supported capabilities from an SPDM session and store the
+ /// information in the `SpdmState`.
+ pub(crate) fn get_capabilities(&mut self) -> Result<(), Error> {
+ let mut request = GetCapabilitiesReq::default();
+ request.version = self.version;
+
+ let (req_sz, rsp_sz) = match self.version {
+ SPDM_VER_10 => (
+ core::mem::size_of::<SpdmHeader>(),
+ core::mem::size_of::<SpdmHeader>() + 4 + core::mem::size_of::<u32>(),
+ ),
+ SPDM_VER_11 => {
+ let len = core::mem::size_of::<SpdmHeader>() + 4 + core::mem::size_of::<u32>();
+ (len, len)
+ }
+ _ => {
+ request.data_transfer_size = self.transport_sz.to_le();
+ request.max_spdm_msg_size = request.data_transfer_size;
+
+ (
+ core::mem::size_of::<GetCapabilitiesReq>(),
+ core::mem::size_of::<GetCapabilitiesRsp>(),
+ )
+ }
+ };
+
+ // SAFETY: `request` is repr(C) and packed, so we can convert it to a slice
+ let request_buf = unsafe { from_raw_parts_mut(&mut request as *mut _ as *mut u8, req_sz) };
+
+ let mut response_vec: KVec<u8> = KVec::from_elem(0u8, rsp_sz, GFP_KERNEL)?;
+
+ let rc = self.spdm_exchange(request_buf, response_vec.as_mut_slice())? as usize;
+
+ // The transport must report a length within the buffer we provided.
+ if rc > response_vec.len() {
+ pr_err!("Overflowed capabilities response\n");
+ return Err(EIO);
+ }
+ response_vec.truncate(rc);
+
+ let response: &mut GetCapabilitiesRsp = Untrusted::new(&mut response_vec).validate()?;
+
+ self.rsp_caps = u32::from_le(response.flags);
+ if (self.rsp_caps & SPDM_RSP_MIN_CAPS) != SPDM_RSP_MIN_CAPS {
+ pr_err!(
+ "{:#x} capabilities are supported, which don't meet required {:#x}\n",
+ self.rsp_caps,
+ SPDM_RSP_MIN_CAPS
+ );
+ self.rsp_caps = 0;
+ return Err(EPROTONOSUPPORT);
+ }
+
+ if self.version >= SPDM_VER_12 {
+ let data_transfer_size = u32::from_le(response.data_transfer_size);
+ if data_transfer_size < SPDM_MIN_DATA_TRANSFER_SIZE {
+ pr_err!("Malformed capabilities response\n");
+ return Err(EPROTO);
+ }
+ self.transport_sz = self.transport_sz.min(data_transfer_size);
+ }
+
+ Ok(())
+ }
}
diff --git a/lib/rspdm/validator.rs b/lib/rspdm/validator.rs
index 4570b5f41f8c..7b5aca5d50f8 100644
--- a/lib/rspdm/validator.rs
+++ b/lib/rspdm/validator.rs
@@ -26,8 +26,13 @@
};
use crate::consts::{
+ SPDM_CTEXPONENT,
+ SPDM_GET_CAPABILITIES,
SPDM_GET_VERSION,
- SPDM_MIN_VER, //
+ SPDM_MIN_VER,
+ SPDM_REQ_CAPS,
+ SPDM_VER_10,
+ SPDM_VER_11, //
};
#[repr(C, packed)]
@@ -159,3 +164,104 @@ fn validate(unvalidated: &[u8]) -> Result<Self, Self::Err> {
Ok(rsp)
}
}
+
+#[repr(C, packed)]
+pub(crate) struct GetCapabilitiesReq {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8,
+ pub(crate) param2: u8,
+
+ reserved1: u8,
+ pub(crate) ctexponent: u8,
+ reserved2: [u8; 2],
+
+ pub(crate) flags: u32,
+
+ /* End of SPDM 1.1 structure */
+ pub(crate) data_transfer_size: u32,
+ pub(crate) max_spdm_msg_size: u32,
+}
+
+impl Default for GetCapabilitiesReq {
+ fn default() -> Self {
+ GetCapabilitiesReq {
+ version: 0,
+ code: SPDM_GET_CAPABILITIES,
+ param1: 0,
+ param2: 0,
+ reserved1: 0,
+ ctexponent: SPDM_CTEXPONENT,
+ reserved2: [0; 2],
+ flags: SPDM_REQ_CAPS.to_le(),
+ data_transfer_size: 0,
+ max_spdm_msg_size: 0,
+ }
+ }
+}
+
+#[repr(C, packed)]
+pub(crate) struct GetCapabilitiesRsp {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8,
+ param2: u8,
+
+ reserved1: u8,
+ pub(crate) ctexponent: u8,
+ reserved2: [u8; 2],
+
+ pub(crate) flags: u32,
+
+ /* End of SPDM 1.1 structure */
+ pub(crate) data_transfer_size: u32,
+ pub(crate) max_spdm_msg_size: u32,
+
+ pub(crate) supported_algorithms: __IncompleteArrayField<__le16>,
+}
+
+impl Validate<Untrusted<&mut KVec<u8>>> for &mut GetCapabilitiesRsp {
+ type Err = Error;
+
+ fn validate(unvalidated: &mut KVec<u8>) -> Result<Self, Self::Err> {
+ let version = *(unvalidated.get(0).ok_or(EINVAL))?;
+
+ let expected_length = match version {
+ SPDM_VER_10 | SPDM_VER_11 => {
+ core::mem::size_of::<SpdmHeader>() + 4 + core::mem::size_of::<u32>()
+ }
+ _ => {
+ // Check to see if param1 is set
+ if *(unvalidated.get(2).ok_or(EINVAL))? == 0 {
+ mem::size_of::<GetCapabilitiesRsp>()
+ - mem::size_of::<__IncompleteArrayField<__le16>>()
+ } else {
+ // Not currently supported by Linux, we don't set the bit
+ // so the responder shouldn't either.
+ return Err(EINVAL);
+ }
+ }
+ };
+
+ // Make sure the response meets the SPDM spec version requirements
+ if unvalidated.len() < expected_length {
+ return Err(EINVAL);
+ }
+
+ // If the response is shorter than GetCapabilitiesRsp
+ // (which is valid for older spec versions and when param1 is
+ // set to 0) then we need to pad the vector to ensure
+ // GetCapabilitiesRsp will be initialised.
+ while unvalidated.len() < mem::size_of::<GetCapabilitiesRsp>() {
+ unvalidated.push(0, GFP_KERNEL)?;
+ }
+
+ let ptr = unvalidated.as_mut_ptr();
+ // CAST: `GetCapabilitiesRsp` only contains integers and has `repr(C)`.
+ let ptr = ptr.cast::<GetCapabilitiesRsp>();
+ // SAFETY: `ptr` came from a reference and the cast above is valid.
+ let rsp: &mut GetCapabilitiesRsp = unsafe { &mut *ptr };
+
+ Ok(rsp)
+ }
+}
diff --git a/rust/kernel/error.rs b/rust/kernel/error.rs
index e71f65eb1d40..6413de18df80 100644
--- a/rust/kernel/error.rs
+++ b/rust/kernel/error.rs
@@ -94,6 +94,7 @@ macro_rules! declare_err {
declare_err!(ECONNRESET, "Connection reset by peer.");
declare_err!(EINPROGRESS, "Operation now in progress.");
declare_err!(EPROTO, "Protocol error");
+ declare_err!(EPROTONOSUPPORT, "Protocol not supported");
}
/// Generic integer kernel error.
--
2.54.0
^ permalink raw reply related
* [PATCH v2 14/21] lib: rspdm: Support SPDM get_version
From: alistair23 @ 2026-06-23 4:53 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair@alistair23.me>
Support the GET_VERSION SPDM command.
Signed-off-by: Alistair Francis <alistair@alistair23.me>
---
lib/rspdm/consts.rs | 16 ++++++++--
lib/rspdm/lib.rs | 54 +++++++++++++++++++++++++++------
lib/rspdm/state.rs | 67 ++++++++++++++++++++++++++++++++++++++--
lib/rspdm/validator.rs | 69 ++++++++++++++++++++++++++++++++++++++++++
4 files changed, 192 insertions(+), 14 deletions(-)
diff --git a/lib/rspdm/consts.rs b/lib/rspdm/consts.rs
index 01f008958a1f..055671d43abd 100644
--- a/lib/rspdm/consts.rs
+++ b/lib/rspdm/consts.rs
@@ -7,16 +7,24 @@
//! Rust implementation of the DMTF Security Protocol and Data Model (SPDM)
//! <https://www.dmtf.org/dsp/DSP0274>
+use crate::validator::GetVersionRsp;
+use core::mem;
use kernel::error::{code::EINVAL, Error};
// SPDM versions supported by this implementation
pub(crate) const SPDM_VER_10: u8 = 0x10;
+#[allow(dead_code)]
+pub(crate) const SPDM_VER_11: u8 = 0x11;
+#[allow(dead_code)]
+pub(crate) const SPDM_VER_12: u8 = 0x12;
+#[allow(dead_code)]
+pub(crate) const SPDM_VER_13: u8 = 0x13;
+pub(crate) const SPDM_VER_14: u8 = 0x14;
pub(crate) const SPDM_MIN_VER: u8 = SPDM_VER_10;
+pub(crate) const SPDM_MAX_VER: u8 = SPDM_VER_14;
-#[allow(dead_code)]
pub(crate) const SPDM_REQ: u8 = 0x80;
-#[allow(dead_code)]
pub(crate) const SPDM_ERROR: u8 = 0x7f;
#[derive(Clone, Copy)]
@@ -90,3 +98,7 @@ fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
write!(f, "{:#x}", *self as u8)
}
}
+
+pub(crate) const SPDM_GET_VERSION: u8 = 0x84;
+pub(crate) const SPDM_GET_VERSION_LEN: usize =
+ mem::size_of::<GetVersionRsp>() + (u8::MAX as usize) * mem::size_of::<u16>();
diff --git a/lib/rspdm/lib.rs b/lib/rspdm/lib.rs
index 1883579b817a..58d86ea06fd9 100644
--- a/lib/rspdm/lib.rs
+++ b/lib/rspdm/lib.rs
@@ -18,8 +18,10 @@
c_int,
c_void, //
};
+use core::pin::Pin;
use core::ptr;
use kernel::prelude::*;
+use kernel::sync::{new_mutex, Mutex};
use kernel::{
alloc::flags,
bindings, //
@@ -51,11 +53,22 @@ pub extern "C" fn spdm_create(
transport_sz: u32,
validate: bindings::spdm_validate,
) -> *mut spdm_state {
- match KBox::new(
- SpdmState::new(dev, transport, transport_priv, transport_sz, validate),
- flags::GFP_KERNEL,
- ) {
- Ok(ret) => KBox::into_raw(ret) as *mut spdm_state,
+ // Wrap the `SpdmState` in a `Mutex` so that concurrent FFI callers (for
+ // example, two threads racing on `spdm_authenticate()` for the same
+ // device) serialize on the lock and never form aliased `&mut SpdmState`
+ // references.
+ let state = SpdmState::new(dev, transport, transport_priv, transport_sz, validate);
+ match KBox::pin_init(new_mutex!(state), flags::GFP_KERNEL) {
+ Ok(b) => {
+ // `Mutex<SpdmState>` is `!Unpin` and must remain pinned in
+ // memory. The C side stores the raw pointer; `spdm_destroy()`
+ // re-pins via `Pin::new_unchecked` before dropping, preserving
+ // the pin invariant.
+ // SAFETY: The contents are not moved between here and the
+ // matching `KBox::from_raw` in `spdm_destroy()`.
+ let raw = KBox::into_raw(unsafe { Pin::into_inner_unchecked(b) });
+ raw as *mut spdm_state
+ }
Err(_) => ptr::null_mut(),
}
}
@@ -70,7 +83,25 @@ pub extern "C" fn spdm_create(
/// Return 0 on success or a negative errno. In particular, -EPROTONOSUPPORT
/// indicates authentication is not supported by the device.
#[export]
-pub extern "C" fn spdm_authenticate(_state_ptr: *mut spdm_state) -> c_int {
+pub extern "C" fn spdm_authenticate(state_ptr: *mut spdm_state) -> c_int {
+ if state_ptr.is_null() {
+ return -(bindings::EINVAL as c_int);
+ }
+
+ // SAFETY: `state_ptr` was returned from `spdm_create()` (which leaks a
+ // `Pin<KBox<Mutex<SpdmState>>>`) and has not yet been passed to
+ // `spdm_destroy()`. We only form a shared reference to the mutex; the
+ // exclusive `&mut SpdmState` lives entirely inside the lock guard, so
+ // concurrent FFI callers serialize on the mutex and can never form
+ // aliased `&mut SpdmState` references.
+ let mutex: &Mutex<SpdmState> = unsafe { &*(state_ptr as *const Mutex<SpdmState>) };
+
+ let mut state = mutex.lock();
+
+ if let Err(e) = state.get_version() {
+ return e.to_errno() as c_int;
+ }
+
-(EPROTONOSUPPORT as i32)
}
@@ -82,8 +113,11 @@ pub extern "C" fn spdm_destroy(state_ptr: *mut spdm_state) {
if state_ptr.is_null() {
return;
}
- // SAFETY: `state_ptr` was returned from `spdm_create` (which uses
- // `KBox::into_raw`) and the caller guarantees the state is no longer
- // in use. Reconstructing the `KBox` and dropping it frees the state.
- drop(unsafe { KBox::from_raw(state_ptr as *mut SpdmState) });
+ // SAFETY: `state_ptr` was returned from `spdm_create()`, which leaked a
+ // `Pin<KBox<Mutex<SpdmState>>>` via `KBox::into_raw`. The caller
+ // guarantees the state is no longer in use. Reconstructing the pinned
+ // box and dropping it runs `Drop` for the `Mutex` and `SpdmState` and
+ // frees the allocation.
+ let b = unsafe { KBox::from_raw(state_ptr as *mut Mutex<SpdmState>) };
+ drop(unsafe { Pin::new_unchecked(b) });
}
diff --git a/lib/rspdm/state.rs b/lib/rspdm/state.rs
index e1f74d19ac4b..9e8c65a12199 100644
--- a/lib/rspdm/state.rs
+++ b/lib/rspdm/state.rs
@@ -8,6 +8,7 @@
//! <https://www.dmtf.org/dsp/DSP0274>
use core::ffi::c_void;
+use core::slice::from_raw_parts_mut;
use kernel::prelude::*;
use kernel::{
bindings,
@@ -22,10 +23,14 @@
use crate::consts::{
SpdmErrorCode,
SPDM_ERROR,
+ SPDM_GET_VERSION_LEN,
+ SPDM_MAX_VER,
SPDM_MIN_VER,
SPDM_REQ, //
};
use crate::validator::{
+ GetVersionReq,
+ GetVersionRsp,
SpdmErrorRsp,
SpdmHeader, //
};
@@ -33,6 +38,11 @@
/// The current SPDM session state for a device. Based on the
/// C `struct spdm_state`.
///
+/// Concurrent access is serialized by wrapping the whole struct in a
+/// `Mutex<SpdmState>` at the FFI boundary, so `spdm_authenticate()` callers
+/// run one at a time and the locked `&mut SpdmState` is the only way to
+/// reach the inner fields.
+///
/// `dev`: Responder device. Used for error reporting and passed to @transport.
/// `transport`: Transport function to perform one message exchange.
/// `transport_priv`: Transport private data.
@@ -72,7 +82,6 @@ pub(crate) fn new(
}
}
- #[allow(dead_code)]
fn spdm_err(&self, rsp: &SpdmErrorRsp) -> Result<(), Error> {
match rsp.error_code {
SpdmErrorCode::InvalidRequest => {
@@ -184,7 +193,6 @@ fn spdm_err(&self, rsp: &SpdmErrorRsp) -> Result<(), Error> {
///
/// The data in `request_buf` is sent to the device and the response is
/// stored in `response_buf`.
- #[allow(dead_code)]
pub(crate) fn spdm_exchange(
&self,
request_buf: &mut [u8],
@@ -234,4 +242,59 @@ pub(crate) fn spdm_exchange(
Ok(length)
}
+
+ /// Negotiate a supported SPDM version and store the information
+ /// in the `SpdmState`.
+ pub(crate) fn get_version(&mut self) -> Result<(), Error> {
+ let mut request = GetVersionReq::default();
+ request.version = SPDM_MIN_VER;
+ self.version = SPDM_MIN_VER;
+
+ // SAFETY: `request` is repr(C) and packed, so we can convert it to a slice
+ let request_buf = unsafe {
+ from_raw_parts_mut(
+ &mut request as *mut _ as *mut u8,
+ core::mem::size_of::<GetVersionReq>(),
+ )
+ };
+
+ let mut response_vec: KVec<u8> = KVec::from_elem(0u8, SPDM_GET_VERSION_LEN, GFP_KERNEL)?;
+
+ let rc = self.spdm_exchange(request_buf, response_vec.as_mut_slice())? as usize;
+
+ // The transport must report a length within the buffer we provided.
+ if rc > response_vec.len() {
+ return Err(EINVAL);
+ }
+ response_vec.truncate(rc);
+
+ let response: &GetVersionRsp = Untrusted::new(response_vec.as_slice()).validate()?;
+
+ let mut foundver = false;
+ let entry_count = response.version_number_entry_count;
+ let entries_offset = core::mem::offset_of!(GetVersionRsp, version_number_entries);
+
+ for i in 0..entry_count as usize {
+ let off = entries_offset + i * core::mem::size_of::<u16>();
+ let entry = u16::from_le_bytes([response_vec[off], response_vec[off + 1]]);
+ let alpha_version = (entry & 0xF) as u8;
+ let version = (entry >> 8) as u8;
+
+ if alpha_version > 0 {
+ pr_warn!("Alpha version {alpha_version} is not specifically supported\n");
+ }
+
+ if version >= self.version && version <= SPDM_MAX_VER {
+ self.version = version;
+ foundver = true;
+ }
+ }
+
+ if !foundver {
+ pr_err!("No common supported version\n");
+ return Err(EPROTO);
+ }
+
+ Ok(())
+ }
}
diff --git a/lib/rspdm/validator.rs b/lib/rspdm/validator.rs
index ca853d5aa473..4570b5f41f8c 100644
--- a/lib/rspdm/validator.rs
+++ b/lib/rspdm/validator.rs
@@ -7,6 +7,10 @@
//! Rust implementation of the DMTF Security Protocol and Data Model (SPDM)
//! <https://www.dmtf.org/dsp/DSP0274>
+use crate::bindings::{
+ __IncompleteArrayField,
+ __le16, //
+};
use crate::consts::SpdmErrorCode;
use core::mem;
use kernel::prelude::*;
@@ -21,6 +25,11 @@
},
};
+use crate::consts::{
+ SPDM_GET_VERSION,
+ SPDM_MIN_VER, //
+};
+
#[repr(C, packed)]
pub(crate) struct SpdmHeader {
pub(crate) version: u8,
@@ -90,3 +99,63 @@ fn validate(unvalidated: &[u8]) -> Result<Self, Self::Err> {
Ok(unsafe { &*ptr })
}
}
+
+#[repr(C, packed)]
+pub(crate) struct GetVersionReq {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ pub(crate) param1: u8,
+ pub(crate) param2: u8,
+}
+
+impl Default for GetVersionReq {
+ fn default() -> Self {
+ GetVersionReq {
+ version: 0,
+ code: SPDM_GET_VERSION,
+ param1: 0,
+ param2: 0,
+ }
+ }
+}
+
+#[repr(C, packed)]
+pub(crate) struct GetVersionRsp {
+ pub(crate) version: u8,
+ pub(crate) code: u8,
+ param1: u8,
+ param2: u8,
+ reserved: u8,
+ pub(crate) version_number_entry_count: u8,
+ pub(crate) version_number_entries: __IncompleteArrayField<__le16>,
+}
+
+impl Validate<Untrusted<&[u8]>> for &GetVersionRsp {
+ type Err = Error;
+
+ fn validate(unvalidated: &[u8]) -> Result<Self, Self::Err> {
+ if unvalidated.len() < mem::size_of::<GetVersionRsp>() {
+ return Err(EINVAL);
+ }
+
+ let version = *(unvalidated.get(0).ok_or(ENOMEM))? as usize;
+ if version != SPDM_MIN_VER.into() {
+ return Err(EINVAL);
+ }
+
+ let version_number_entries = *(unvalidated.get(5).ok_or(ENOMEM))? as usize;
+ let total_expected_size =
+ version_number_entries * mem::size_of::<__le16>() + mem::size_of::<GetVersionRsp>();
+ if unvalidated.len() < total_expected_size {
+ return Err(EINVAL);
+ }
+
+ let ptr = unvalidated.as_ptr();
+ // CAST: `GetVersionRsp` only contains integers and has `repr(C)`.
+ let ptr = ptr.cast::<GetVersionRsp>();
+ // SAFETY: `ptr` came from a reference and the cast above is valid.
+ let rsp: &GetVersionRsp = unsafe { &*ptr };
+
+ Ok(rsp)
+ }
+}
--
2.54.0
^ permalink raw reply related
* [PATCH v2 13/21] PCI/CMA: Validate Subject Alternative Name in certificates
From: alistair23 @ 2026-06-23 4:53 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross,
Alistair Francis
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Lukas Wunner <lukas@wunner.de>
PCIe r6.1 sec 6.31.3 stipulates requirements for Leaf Certificates
presented by devices, in particular the presence of a Subject Alternative
Name which encodes the Vendor ID, Device ID, Device Serial Number, etc.
This prevents a mismatch between the device identity in Config Space and
the certificate. A device cannot misappropriate a certificate from a
different device without also spoofing Config Space. As a corollary,
it cannot dupe an arbitrary driver into binding to it. Only drivers
which bind to the device identity in the Subject Alternative Name work
(PCIe r6.1 sec 6.31 "Implementation Note: Overview of Threat Model").
The Subject Alternative Name is signed, hence constitutes a signed copy
of a Config Space portion. It's the same concept as web certificates
which contain a set of domain names in the Subject Alternative Name for
identity verification.
Parse the Subject Alternative Name using a small ASN.1 module and
validate its contents. The theory of operation is explained in a
comment at the top of the newly inserted code.
This functionality is introduced in a separate commit on top of basic
CMA-SPDM support to split the code into digestible, reviewable chunks.
The CMA OID added here is taken from the official OID Repository
(it's not documented in the PCIe Base Spec):
https://oid-rep.orange-labs.fr/get/2.23.147
Side notes:
* PCIe r6.2 removes the spec language on the Subject Alternative Name.
It still "requires the leaf certificate to include the information
typically used by system software for device driver binding", but no
longer specifies how that information is encoded into the certificate.
According to the editor of the PCIe Base Spec and the author of the
CMA 1.1 ECN (which caused this change), FPGA cards which mutate their
device identity at runtime (due to a firmware update) were thought as
unable to satisfy the previous spec language. The Protocol Working
Group could not agree on a better solution and therefore dropped the
spec language entirely. They acknowledge that the requirement is now
under-spec'd. Because products already exist which adhere to the
Subject Alternative Name requirement per PCIe r6.1 sec 6.31.3, they
recommended to "push through" and use it as the de facto standard.
The FPGA concerns are easily overcome by reauthenticating the device
after a firmware update, either via sysfs or pci_cma_reauthenticate()
(added by a subsequent commit).
* PCIe r6.1 sec 6.31.3 strongly recommends to verify that "the
information provided in the Subject Alternative Name entry is signed
by the vendor indicated by the Vendor ID." In other words, the root
certificate on pci_cma_keyring which signs the device's certificate
chain must have been created for a particular Vendor ID.
Unfortunately the spec neglects to define how the Vendor ID shall be
encoded into the root certificate. So the recommendation cannot be
implemented at this point and it is thus possible that a vendor signs
device certificates of a different vendor.
* Instead of a Subject Alternative Name, Leaf Certificates may include
"a Reference Integrity Manifest, e.g., see Trusted Computing Group" or
"a pointer to a location where such a Reference Integrity Manifest can
be obtained" (PCIe r6.1 sec 6.31.3).
A Reference Integrity Manifest contains "golden" measurements which
can be compared to actual measurements retrieved from a device.
It serves a different purpose than the Subject Alternative Name,
hence it is unclear why the spec says only either of them is necessary.
It is also unclear how a Reference Integrity Manifest shall be encoded
into a certificate.
Hence ignore the Reference Integrity Manifest requirement.
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> # except ASN.1
[ Changed by AF:
- Fixup a few issues caught by Sashiko
]
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
drivers/pci/Makefile | 5 +-
drivers/pci/cma.asn1 | 41 ++++++++++++
drivers/pci/cma.c | 123 ++++++++++++++++++++++++++++++++++-
include/linux/oid_registry.h | 3 +
4 files changed, 170 insertions(+), 2 deletions(-)
create mode 100644 drivers/pci/cma.asn1
diff --git a/drivers/pci/Makefile b/drivers/pci/Makefile
index 16abfd0e17e1..882cbb108364 100644
--- a/drivers/pci/Makefile
+++ b/drivers/pci/Makefile
@@ -41,7 +41,10 @@ obj-$(CONFIG_PCI_NPEM) += npem.o
obj-$(CONFIG_PCIE_TPH) += tph.o
obj-$(CONFIG_CARDBUS) += setup-cardbus.o
-obj-$(CONFIG_PCI_CMA) += cma.o
+obj-$(CONFIG_PCI_CMA) += pci-cma.o
+pci-cma-y := cma.o cma.asn1.o
+$(obj)/cma.o: $(obj)/cma.asn1.h
+$(obj)/cma.asn1.o: $(obj)/cma.asn1.c $(obj)/cma.asn1.h
# Endpoint library must be initialized before its users
obj-$(CONFIG_PCI_ENDPOINT) += endpoint/
diff --git a/drivers/pci/cma.asn1 b/drivers/pci/cma.asn1
new file mode 100644
index 000000000000..da41421d4085
--- /dev/null
+++ b/drivers/pci/cma.asn1
@@ -0,0 +1,41 @@
+-- SPDX-License-Identifier: BSD-3-Clause
+--
+-- Component Measurement and Authentication (CMA-SPDM, PCIe r6.1 sec 6.31.3)
+-- X.509 Subject Alternative Name (RFC 5280 sec 4.2.1.6)
+--
+-- Copyright (C) 2008 IETF Trust and the persons identified as authors
+-- of the code
+--
+-- https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.6
+--
+-- The ASN.1 module in RFC 5280 appendix A.1 uses EXPLICIT TAGS whereas the one
+-- in appendix A.2 uses IMPLICIT TAGS. The kernel's simplified asn1_compiler.c
+-- always uses EXPLICIT TAGS, hence this ASN.1 module differs from RFC 5280 in
+-- that it adds IMPLICIT to definitions from appendix A.2 (such as GeneralName)
+-- and omits EXPLICIT in those definitions.
+
+SubjectAltName ::= GeneralNames
+
+GeneralNames ::= SEQUENCE OF GeneralName
+
+GeneralName ::= CHOICE {
+ otherName [0] IMPLICIT OtherName,
+ rfc822Name [1] IMPLICIT IA5String,
+ dNSName [2] IMPLICIT IA5String,
+ x400Address [3] ANY,
+ directoryName [4] ANY,
+ ediPartyName [5] IMPLICIT EDIPartyName,
+ uniformResourceIdentifier [6] IMPLICIT IA5String,
+ iPAddress [7] IMPLICIT OCTET STRING,
+ registeredID [8] IMPLICIT OBJECT IDENTIFIER
+ }
+
+OtherName ::= SEQUENCE {
+ type-id OBJECT IDENTIFIER ({ pci_cma_note_oid }),
+ value [0] ANY ({ pci_cma_note_san })
+ }
+
+EDIPartyName ::= SEQUENCE {
+ nameAssigner [0] ANY OPTIONAL,
+ partyName [1] ANY
+ }
diff --git a/drivers/pci/cma.c b/drivers/pci/cma.c
index 9f2cc0b2ec8a..39a858436b28 100644
--- a/drivers/pci/cma.c
+++ b/drivers/pci/cma.c
@@ -12,6 +12,9 @@
#define dev_fmt(fmt) "CMA: " fmt
#include <linux/err.h>
+#include <keys/x509-parser.h>
+#include <linux/asn1_decoder.h>
+#include <linux/oid_registry.h>
#include <linux/pci.h>
#include <linux/pci-doe.h>
#include <linux/pci-tsm.h>
@@ -20,8 +23,126 @@
#include <linux/spdm.h>
#include <linux/tsm.h>
+#include "cma.asn1.h"
#include "pci.h"
+/*
+ * The spdm_requester.c library calls pci_cma_validate() to check requirements
+ * for Leaf Certificates per PCIe r6.1 sec 6.31.3.
+ *
+ * pci_cma_validate() parses the Subject Alternative Name using the ASN.1
+ * module cma.asn1, which calls pci_cma_note_oid() and pci_cma_note_san()
+ * to compare an OtherName against the expected name.
+ *
+ * The expected name is constructed beforehand by pci_cma_construct_san().
+ *
+ * PCIe r6.2 drops the Subject Alternative Name spec language, even though
+ * it continues to require "the leaf certificate to include the information
+ * typically used by system software for device driver binding". Use the
+ * Subject Alternative Name per PCIe r6.1 for lack of a replacement and
+ * because it is the de facto standard among existing products.
+ */
+#define CMA_NAME_MAX sizeof("Vendor=1234:Device=1234:CC=123456:" \
+ "REV=12:SSVID=1234:SSID=1234:1234567890123456")
+
+struct pci_cma_x509_context {
+ struct pci_dev *pdev;
+ u8 slot;
+ enum OID last_oid;
+ char expected_name[CMA_NAME_MAX];
+ unsigned int expected_len;
+ unsigned int found:1;
+};
+
+int pci_cma_note_oid(void *context, size_t hdrlen, unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pci_cma_x509_context *ctx = context;
+
+ ctx->last_oid = look_up_OID(value, vlen);
+
+ return 0;
+}
+
+int pci_cma_note_san(void *context, size_t hdrlen, unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pci_cma_x509_context *ctx = context;
+
+ /* These aren't the drOIDs we're looking for. */
+ if (ctx->last_oid != OID_CMA)
+ return 0;
+
+ if (tag != ASN1_UTF8STR ||
+ vlen != ctx->expected_len ||
+ memcmp(value, ctx->expected_name, vlen) != 0) {
+ pci_err(ctx->pdev, "Leaf certificate of slot %u "
+ "has invalid Subject Alternative Name\n", ctx->slot);
+ return -EINVAL;
+ }
+
+ ctx->found = true;
+
+ return 0;
+}
+
+static unsigned int pci_cma_construct_san(struct pci_dev *pdev, char *name)
+{
+ unsigned int len;
+ u64 serial;
+
+ len = scnprintf(name, CMA_NAME_MAX,
+ "Vendor=%04hx:Device=%04hx:CC=%06x:REV=%02hhx",
+ pdev->vendor, pdev->device, pdev->class, pdev->revision);
+
+ if (pdev->hdr_type == PCI_HEADER_TYPE_NORMAL)
+ len += scnprintf(name + len, CMA_NAME_MAX - len,
+ ":SSVID=%04hx:SSID=%04hx",
+ pdev->subsystem_vendor, pdev->subsystem_device);
+
+ serial = pci_get_dsn(pdev);
+ if (serial)
+ len += scnprintf(name + len, CMA_NAME_MAX - len,
+ ":%016llx", serial);
+
+ return len;
+}
+
+static int pci_cma_validate(struct device *dev, u8 slot,
+ struct x509_certificate *leaf_cert)
+{
+ struct pci_dev *pdev = to_pci_dev(dev);
+ struct pci_cma_x509_context ctx;
+ int ret;
+
+ if (!leaf_cert->raw_san) {
+ pci_err(pdev, "Leaf certificate of slot %u "
+ "has no Subject Alternative Name\n", slot);
+ return -EINVAL;
+ }
+
+ ctx.pdev = pdev;
+ ctx.slot = slot;
+ ctx.found = false;
+ ctx.expected_len = pci_cma_construct_san(pdev, ctx.expected_name);
+
+ ret = asn1_ber_decoder(&cma_decoder, &ctx, leaf_cert->raw_san,
+ leaf_cert->raw_san_size);
+ if (ret == -EBADMSG || ret == -EMSGSIZE)
+ pci_err(pdev, "Leaf certificate of slot %u "
+ "has malformed Subject Alternative Name\n", slot);
+ if (ret < 0)
+ return ret;
+
+ if (!ctx.found) {
+ pci_err(pdev, "Leaf certificate of slot %u "
+ "has no OtherName with CMA OID\n", slot);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
static int pci_doe_transport(void *priv, struct device *dev,
const void *request, size_t request_sz,
void *response, size_t response_sz)
@@ -61,7 +182,7 @@ static struct pci_tsm *pci_cma_tsm_probe(struct tsm_dev *tsm_dev,
}
cma->spdm = spdm_create(&pdev->dev, pci_doe_transport, cma->host.doe_mb,
- PCI_DOE_MAX_PAYLOAD, NULL);
+ PCI_DOE_MAX_PAYLOAD, pci_cma_validate);
if (!cma->spdm) {
pci_tsm_host_destructor(&cma->host);
kfree(cma);
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index ebce402854de..113f4e802ec4 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -150,6 +150,9 @@ enum OID {
OID_id_ml_dsa_65, /* 2.16.840.1.101.3.4.3.18 */
OID_id_ml_dsa_87, /* 2.16.840.1.101.3.4.3.19 */
+ /* PCI */
+ OID_CMA, /* 2.23.147 */
+
OID__NR
};
--
2.54.0
^ permalink raw reply related
* [PATCH v2 12/21] PCI/CMA: Add a PCI TSM CMA driver using SPDM
From: alistair23 @ 2026-06-23 4:53 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross,
Alistair Francis
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair.francis@wdc.com>
Component Measurement and Authentication (CMA, PCIe r6.2 sec 6.31)
allows for measurement and authentication of PCIe devices. It is
based on the Security Protocol and Data Model specification (SPDM,
https://www.dmtf.org/dsp/DSP0274).
CMA-SPDM in turn forms the basis for Integrity and Data Encryption
(IDE, PCIe r6.2 sec 6.33) because the key material used by IDE is
transmitted over a CMA-SPDM session.
As a first step, add support for authentication via a CMA TSM driver.
This was previously discusd here:
http://lore.kernel.org/69976d7d39c60_2f4a1009@dwillia2-mobl4.notmuch
By utilising a TSM driver we get a lot of the TSM driver probe policies
"for free". Currently there is no mechanism to provide evidence to
userspace, as the TSM system doesn't support that at the moment. That
can be added later when support by TSM.
Credits: Jonathan wrote the original proof-of-concept for a CMA implementation.
Lukas reworked that for upstream. Wilfred contributed fixes for issues
discovered during testing. Alistair reworked it as a TSM driver.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Co-developed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Co-developed-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
MAINTAINERS | 1 +
drivers/pci/Kconfig | 14 ++++
drivers/pci/Makefile | 2 +
drivers/pci/cma.c | 154 ++++++++++++++++++++++++++++++++++++++++
drivers/pci/doe.c | 3 -
include/linux/pci-doe.h | 4 ++
6 files changed, 175 insertions(+), 3 deletions(-)
create mode 100644 drivers/pci/cma.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 603192ab6d12..cf654b4ccbf0 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -24407,6 +24407,7 @@ L: linux-cxl@vger.kernel.org
L: linux-pci@vger.kernel.org
S: Maintained
T: git git://git.kernel.org/pub/scm/linux/kernel/git/devsec/spdm.git
+F: drivers/pci/cma.c
F: include/linux/spdm.h
F: lib/rspdm/
diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig
index 33c88432b728..07483655b191 100644
--- a/drivers/pci/Kconfig
+++ b/drivers/pci/Kconfig
@@ -124,6 +124,20 @@ config PCI_ATS
config PCI_IDE
bool
+config PCI_CMA
+ bool "Component Measurement and Authentication (CMA-SPDM)"
+ depends on RSPDM
+ select CRYPTO_ECDSA
+ select CRYPTO_RSA
+ select CRYPTO_SHA256
+ select CRYPTO_SHA512
+ select PCI_DOE
+ select PCI_TSM
+ help
+ Authenticate devices on enumeration per PCIe r6.2 sec 6.31.
+ A PCI DOE mailbox is used as transport for DMTF SPDM based
+ authentication, measurement and secure channel establishment.
+
config PCI_TSM
bool "PCI TSM: Device security protocol support"
select PCI_IDE
diff --git a/drivers/pci/Makefile b/drivers/pci/Makefile
index 41ebc3b9a518..16abfd0e17e1 100644
--- a/drivers/pci/Makefile
+++ b/drivers/pci/Makefile
@@ -41,6 +41,8 @@ obj-$(CONFIG_PCI_NPEM) += npem.o
obj-$(CONFIG_PCIE_TPH) += tph.o
obj-$(CONFIG_CARDBUS) += setup-cardbus.o
+obj-$(CONFIG_PCI_CMA) += cma.o
+
# Endpoint library must be initialized before its users
obj-$(CONFIG_PCI_ENDPOINT) += endpoint/
diff --git a/drivers/pci/cma.c b/drivers/pci/cma.c
new file mode 100644
index 000000000000..9f2cc0b2ec8a
--- /dev/null
+++ b/drivers/pci/cma.c
@@ -0,0 +1,154 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Component Measurement and Authentication (CMA-SPDM, PCIe r6.2 sec 6.31)
+ *
+ * Copyright (C) 2021 Huawei
+ * Jonathan Cameron <Jonathan.Cameron@huawei.com>
+ * Copyright (C) 2022-24 Intel Corporation
+ * Copyright (C) 2026 Western Digital
+ * Alistair Francis <alistair.francis@wdc.com>
+ */
+
+#define dev_fmt(fmt) "CMA: " fmt
+
+#include <linux/err.h>
+#include <linux/pci.h>
+#include <linux/pci-doe.h>
+#include <linux/pci-tsm.h>
+#include <linux/pm_runtime.h>
+#include <linux/slab.h>
+#include <linux/spdm.h>
+#include <linux/tsm.h>
+
+#include "pci.h"
+
+static int pci_doe_transport(void *priv, struct device *dev,
+ const void *request, size_t request_sz,
+ void *response, size_t response_sz)
+{
+ struct pci_doe_mb *doe = priv;
+
+ return pci_doe(doe, PCI_VENDOR_ID_PCI_SIG, PCI_DOE_FEATURE_CMA,
+ request, request_sz, response, response_sz);
+}
+
+struct pci_cma_tsm {
+ struct pci_tsm_host host;
+ struct spdm_state *spdm;
+};
+
+static struct pci_cma_tsm *cma_tsm_from_tsm(struct pci_tsm *tsm)
+{
+ struct pci_tsm_host *host = container_of(tsm, struct pci_tsm_host, base_tsm);
+
+ return container_of(host, struct pci_cma_tsm, host);
+}
+
+static struct pci_tsm *pci_cma_tsm_probe(struct tsm_dev *tsm_dev,
+ struct pci_dev *pdev)
+{
+ struct pci_cma_tsm *cma;
+ int rc;
+
+ cma = kzalloc(sizeof(*cma), GFP_KERNEL);
+ if (!cma)
+ return NULL;
+
+ rc = pci_tsm_host_constructor(pdev, &cma->host, tsm_dev);
+ if (rc) {
+ kfree(cma);
+ return NULL;
+ }
+
+ cma->spdm = spdm_create(&pdev->dev, pci_doe_transport, cma->host.doe_mb,
+ PCI_DOE_MAX_PAYLOAD, NULL);
+ if (!cma->spdm) {
+ pci_tsm_host_destructor(&cma->host);
+ kfree(cma);
+ return NULL;
+ }
+
+ return &cma->host.base_tsm;
+}
+
+static void pci_cma_tsm_remove(struct pci_tsm *tsm)
+{
+ struct pci_cma_tsm *cma = cma_tsm_from_tsm(tsm);
+
+ spdm_destroy(cma->spdm);
+ pci_tsm_host_destructor(&cma->host);
+ kfree(cma);
+}
+
+static int pci_cma_tsm_connect(struct pci_dev *pdev)
+{
+ struct pci_cma_tsm *cma = cma_tsm_from_tsm(pdev->tsm);
+ int rc;
+
+ /*
+ * The DOE mailbox lives in the device's config space, so the
+ * device must be runtime-resumed for the duration of the SPDM
+ * exchange.
+ */
+ rc = pm_runtime_get_sync(&pdev->dev);
+ if (rc < 0) {
+ pm_runtime_put_noidle(&pdev->dev);
+ return rc;
+ }
+
+ rc = spdm_authenticate(cma->spdm);
+
+ pm_runtime_put_sync(&pdev->dev);
+ return rc;
+}
+
+static void pci_cma_tsm_disconnect(struct pci_dev *pdev)
+{
+ /* SPDM state is freed in pci_cma_tsm_remove() */
+}
+
+static struct pci_tdi *pci_cma_tsm_bind(struct pci_dev *pdev,
+ struct kvm *kvm, u32 tdi_id)
+{
+ return ERR_PTR(-EOPNOTSUPP);
+}
+
+static void pci_cma_tsm_unbind(struct pci_tdi *tdi)
+{
+}
+
+static ssize_t pci_cma_tsm_guest_req(struct pci_tdi *tdi,
+ enum pci_tsm_req_scope scope,
+ sockptr_t req_in, size_t in_len,
+ sockptr_t req_out, size_t out_len,
+ u64 *tsm_code)
+{
+ return -EOPNOTSUPP;
+}
+
+static const struct pci_tsm_ops pci_cma_tsm_ops = {
+ .link_ops = {
+ .probe = pci_cma_tsm_probe,
+ .remove = pci_cma_tsm_remove,
+ .connect = pci_cma_tsm_connect,
+ .disconnect = pci_cma_tsm_disconnect,
+ .bind = pci_cma_tsm_bind,
+ .unbind = pci_cma_tsm_unbind,
+ .guest_req = pci_cma_tsm_guest_req,
+ },
+};
+
+static struct tsm_dev *pci_cma_tsm_dev;
+
+static int __init pci_cma_tsm_init(void)
+{
+ struct tsm_dev *tsm_dev;
+
+ tsm_dev = tsm_register(NULL, (struct pci_tsm_ops *)&pci_cma_tsm_ops);
+ if (IS_ERR(tsm_dev))
+ return PTR_ERR(tsm_dev);
+
+ pci_cma_tsm_dev = tsm_dev;
+ return 0;
+}
+late_initcall(pci_cma_tsm_init);
diff --git a/drivers/pci/doe.c b/drivers/pci/doe.c
index 7b41da4ec11a..f236942660a3 100644
--- a/drivers/pci/doe.c
+++ b/drivers/pci/doe.c
@@ -31,9 +31,6 @@
#define PCI_DOE_FLAG_CANCEL 0
#define PCI_DOE_FLAG_DEAD 1
-/* Max data object length is 2^18 dwords */
-#define PCI_DOE_MAX_LENGTH (1 << 18)
-
/**
* struct pci_doe_mb - State for a single DOE mailbox
*
diff --git a/include/linux/pci-doe.h b/include/linux/pci-doe.h
index bd4346a7c4e7..7540396336de 100644
--- a/include/linux/pci-doe.h
+++ b/include/linux/pci-doe.h
@@ -19,6 +19,10 @@ struct pci_doe_mb;
#define PCI_DOE_FEATURE_CMA 1
#define PCI_DOE_FEATURE_SSESSION 2
+/* Max data object length is 2^18 dwords (including 2 dwords for header) */
+#define PCI_DOE_MAX_LENGTH (1 << 18)
+#define PCI_DOE_MAX_PAYLOAD ((PCI_DOE_MAX_LENGTH - 2) * sizeof(u32))
+
struct pci_doe_mb *pci_find_doe_mailbox(struct pci_dev *pdev, u16 vendor,
u8 type);
--
2.54.0
^ permalink raw reply related
* [PATCH v2 11/21] PCI/TSM: Support connecting to PCIe CMA devices
From: alistair23 @ 2026-06-23 4:53 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross,
Alistair Francis
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair.francis@wdc.com>
In the next patch we are going to add a PCIe CMA TSM driver, as such we
need to ensure that is_pci_tsm_host() will allow us to connect to CMA
capable devices. These devices don't necessarily has DEVCAP_TEE or IDE
support.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
include/linux/pci-tsm.h | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/include/linux/pci-tsm.h b/include/linux/pci-tsm.h
index 950e2c36a4ca..80e76ecefe71 100644
--- a/include/linux/pci-tsm.h
+++ b/include/linux/pci-tsm.h
@@ -3,6 +3,7 @@
#define __PCI_TSM_H
#include <linux/mutex.h>
#include <linux/pci.h>
+#include <linux/pci-doe.h>
#include <linux/sockptr.h>
struct pci_tsm;
@@ -130,7 +131,7 @@ struct pci_tsm_host {
struct pci_doe_mb *doe_mb;
};
-/* physical function0 and capable of 'connect' */
+/* device is a TSM host and capable of 'connect' */
static inline bool is_pci_tsm_host(struct pci_dev *pdev)
{
if (!pdev)
@@ -142,6 +143,14 @@ static inline bool is_pci_tsm_host(struct pci_dev *pdev)
if (pdev->is_virtfn)
return false;
+ /*
+ * Report capable if CMA is supported, which can be supported on any PCIe
+ * device.
+ */
+ if (pci_find_doe_mailbox(pdev, PCI_VENDOR_ID_PCI_SIG,
+ PCI_DOE_FEATURE_CMA))
+ return true;
+
/*
* Allow for a Device Security Manager (DSM) associated with function0
* of an Endpoint to coordinate TDISP requests for other functions
--
2.54.0
^ permalink raw reply related
* [PATCH v2 10/21] PCI/TSM: Rename pf0 to host
From: alistair23 @ 2026-06-23 4:53 UTC (permalink / raw)
To: akpm, rust-for-linux, linux-pci, jic23, bhelgaas, lukas, alistair,
linux-cxl, djbw, linux-kernel, Jonathan.Cameron
Cc: alistair23, boqun.feng, benno.lossin, a.hindborg, bjorn3_gh, gary,
wilfred.mallawa, aliceryhl, ojeda, alex.gaynor, tmgross,
Alistair Francis
In-Reply-To: <20260623045406.2589547-1-alistair.francis@wdc.com>
From: Alistair Francis <alistair.francis@wdc.com>
Rename pci_tsm_pf0 to pci_tsm_host (and rename variables and function
names from pf0 to host) as part of converting pci_tsm_host
to be any device that knows how to speak any of CMA, IDE, or
TDISP.
This commit just renames the functions and provides no functional
change. That will happen in the next commit.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
---
drivers/crypto/ccp/sev-dev-tio.h | 4 +-
drivers/crypto/ccp/sev-dev-tsm.c | 12 ++---
drivers/pci/tsm.c | 84 ++++++++++++++++----------------
include/linux/pci-tsm.h | 18 ++++---
4 files changed, 61 insertions(+), 57 deletions(-)
diff --git a/drivers/crypto/ccp/sev-dev-tio.h b/drivers/crypto/ccp/sev-dev-tio.h
index 67512b3dbc53..78d598686487 100644
--- a/drivers/crypto/ccp/sev-dev-tio.h
+++ b/drivers/crypto/ccp/sev-dev-tio.h
@@ -53,9 +53,9 @@ struct tsm_dsm_tio {
struct pci_ide *ide[TIO_IDE_MAX_TC];
};
-/* Describes TSM structure for PF0 pointed by pci_dev->tsm */
+/* Describes TSM structure for the link host pointed by pci_dev->tsm */
struct tio_dsm {
- struct pci_tsm_pf0 tsm;
+ struct pci_tsm_host tsm;
struct tsm_dsm_tio data;
struct sev_device *sev;
};
diff --git a/drivers/crypto/ccp/sev-dev-tsm.c b/drivers/crypto/ccp/sev-dev-tsm.c
index 46f2539d2d5a..a900fd22eac9 100644
--- a/drivers/crypto/ccp/sev-dev-tsm.c
+++ b/drivers/crypto/ccp/sev-dev-tsm.c
@@ -205,7 +205,7 @@ static int stream_alloc(struct pci_dev *pdev, struct pci_ide **ide,
return 0;
}
-static struct pci_tsm *tio_pf0_probe(struct pci_dev *pdev, struct sev_device *sev)
+static struct pci_tsm *tio_host_probe(struct pci_dev *pdev, struct sev_device *sev)
{
struct tio_dsm *dsm __free(kfree) = kzalloc_obj(*dsm);
int rc;
@@ -213,7 +213,7 @@ static struct pci_tsm *tio_pf0_probe(struct pci_dev *pdev, struct sev_device *se
if (!dsm)
return NULL;
- rc = pci_tsm_pf0_constructor(pdev, &dsm->tsm, sev->tsmdev);
+ rc = pci_tsm_host_constructor(pdev, &dsm->tsm, sev->tsmdev);
if (rc)
return NULL;
@@ -226,8 +226,8 @@ static struct pci_tsm *dsm_probe(struct tsm_dev *tsmdev, struct pci_dev *pdev)
{
struct sev_device *sev = tsm_dev_to_sev(tsmdev);
- if (is_pci_tsm_pf0(pdev))
- return tio_pf0_probe(pdev, sev);
+ if (is_pci_tsm_host(pdev))
+ return tio_host_probe(pdev, sev);
return NULL;
}
@@ -237,10 +237,10 @@ static void dsm_remove(struct pci_tsm *tsm)
pci_dbg(pdev, "TSM disabled\n");
- if (is_pci_tsm_pf0(pdev)) {
+ if (is_pci_tsm_host(pdev)) {
struct tio_dsm *dsm = container_of(tsm, struct tio_dsm, tsm.base_tsm);
- pci_tsm_pf0_destructor(&dsm->tsm);
+ pci_tsm_host_destructor(&dsm->tsm);
kfree(dsm);
}
}
diff --git a/drivers/pci/tsm.c b/drivers/pci/tsm.c
index 5fdcd7f2e820..10c9c6696624 100644
--- a/drivers/pci/tsm.c
+++ b/drivers/pci/tsm.c
@@ -45,22 +45,22 @@ static inline bool has_tee(struct pci_dev *pdev)
return pdev->devcap & PCI_EXP_DEVCAP_TEE;
}
-/* 'struct pci_tsm_pf0' wraps 'struct pci_tsm' when ->dsm_dev == ->pdev (self) */
-static struct pci_tsm_pf0 *to_pci_tsm_pf0(struct pci_tsm *tsm)
+/* 'struct pci_tsm_host' wraps 'struct pci_tsm' when ->dsm_dev == ->pdev (self) */
+static struct pci_tsm_host *to_pci_tsm_host(struct pci_tsm *tsm)
{
/*
* All "link" TSM contexts reference the device that hosts the DSM
* interface for a set of devices. Walk to the DSM device and cast its
- * ->tsm context to a 'struct pci_tsm_pf0 *'.
+ * ->tsm context to a 'struct pci_tsm_host *'.
*/
- struct pci_dev *pf0 = tsm->dsm_dev;
+ struct pci_dev *host = tsm->dsm_dev;
- if (!is_pci_tsm_pf0(pf0) || !is_dsm(pf0)) {
+ if (!is_pci_tsm_host(host) || !is_dsm(host)) {
pci_WARN_ONCE(tsm->pdev, 1, "invalid context object\n");
return NULL;
}
- return container_of(pf0->tsm, struct pci_tsm_pf0, base_tsm);
+ return container_of(host->tsm, struct pci_tsm_host, base_tsm);
}
static void tsm_remove(struct pci_tsm *tsm)
@@ -186,7 +186,7 @@ static int probe_fn(struct pci_dev *pdev, void *dsm)
static int pci_tsm_connect(struct pci_dev *pdev, struct tsm_dev *tsm_dev)
{
int rc;
- struct pci_tsm_pf0 *tsm_pf0;
+ struct pci_tsm_host *tsm_host;
const struct pci_tsm_ops *ops = tsm_dev->pci_ops;
struct pci_tsm *pci_tsm __free(tsm_remove) = ops->probe(tsm_dev, pdev);
@@ -197,10 +197,10 @@ static int pci_tsm_connect(struct pci_dev *pdev, struct tsm_dev *tsm_dev)
return -ENXIO;
pdev->tsm = pci_tsm;
- tsm_pf0 = to_pci_tsm_pf0(pdev->tsm);
+ tsm_host = to_pci_tsm_host(pdev->tsm);
/* mutex_intr assumes connect() is always sysfs/user driven */
- ACQUIRE(mutex_intr, lock)(&tsm_pf0->lock);
+ ACQUIRE(mutex_intr, lock)(&tsm_host->lock);
if ((rc = ACQUIRE_ERR(mutex_intr, &lock)))
return rc;
@@ -300,15 +300,15 @@ static int remove_fn(struct pci_dev *pdev, void *data)
static int __pci_tsm_unbind(struct pci_dev *pdev, void *data)
{
struct pci_tdi *tdi;
- struct pci_tsm_pf0 *tsm_pf0;
+ struct pci_tsm_host *tsm_host;
lockdep_assert_held(&pci_tsm_rwsem);
if (!pdev->tsm)
return 0;
- tsm_pf0 = to_pci_tsm_pf0(pdev->tsm);
- guard(mutex)(&tsm_pf0->lock);
+ tsm_host = to_pci_tsm_host(pdev->tsm);
+ guard(mutex)(&tsm_host->lock);
tdi = pdev->tsm->tdi;
if (!tdi)
@@ -341,7 +341,7 @@ EXPORT_SYMBOL_GPL(pci_tsm_unbind);
*/
int pci_tsm_bind(struct pci_dev *pdev, struct kvm *kvm, u32 tdi_id)
{
- struct pci_tsm_pf0 *tsm_pf0;
+ struct pci_tsm_host *tsm_host;
struct pci_tdi *tdi;
if (!kvm)
@@ -355,8 +355,8 @@ int pci_tsm_bind(struct pci_dev *pdev, struct kvm *kvm, u32 tdi_id)
if (!is_link_tsm(pdev->tsm->tsm_dev))
return -ENXIO;
- tsm_pf0 = to_pci_tsm_pf0(pdev->tsm);
- guard(mutex)(&tsm_pf0->lock);
+ tsm_host = to_pci_tsm_host(pdev->tsm);
+ guard(mutex)(&tsm_host->lock);
/* Resolve races to bind a TDI */
if (pdev->tsm->tdi) {
@@ -404,7 +404,7 @@ ssize_t pci_tsm_guest_req(struct pci_dev *pdev, enum pci_tsm_req_scope scope,
sockptr_t req_in, size_t in_len, sockptr_t req_out,
size_t out_len, u64 *tsm_code)
{
- struct pci_tsm_pf0 *tsm_pf0;
+ struct pci_tsm_host *tsm_host;
struct pci_tdi *tdi;
int rc;
@@ -422,8 +422,8 @@ ssize_t pci_tsm_guest_req(struct pci_dev *pdev, enum pci_tsm_req_scope scope,
if (!is_link_tsm(pdev->tsm->tsm_dev))
return -ENXIO;
- tsm_pf0 = to_pci_tsm_pf0(pdev->tsm);
- ACQUIRE(mutex_intr, ops_lock)(&tsm_pf0->lock);
+ tsm_host = to_pci_tsm_host(pdev->tsm);
+ ACQUIRE(mutex_intr, ops_lock)(&tsm_host->lock);
if ((rc = ACQUIRE_ERR(mutex_intr, &ops_lock)))
return rc;
@@ -443,7 +443,7 @@ static void pci_tsm_unbind_all(struct pci_dev *pdev)
static void __pci_tsm_disconnect(struct pci_dev *pdev)
{
- struct pci_tsm_pf0 *tsm_pf0 = to_pci_tsm_pf0(pdev->tsm);
+ struct pci_tsm_host *tsm_host = to_pci_tsm_host(pdev->tsm);
const struct pci_tsm_ops *ops = to_pci_tsm_ops(pdev->tsm);
/* disconnect() mutually exclusive with subfunction pci_tsm_init() */
@@ -455,7 +455,7 @@ static void __pci_tsm_disconnect(struct pci_dev *pdev)
* disconnect() is uninterruptible as it may be called for device
* teardown
*/
- guard(mutex)(&tsm_pf0->lock);
+ guard(mutex)(&tsm_host->lock);
pci_tsm_walk_fns_reverse(pdev, remove_fn, NULL);
ops->disconnect(pdev);
}
@@ -494,7 +494,7 @@ static ssize_t bound_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
struct pci_dev *pdev = to_pci_dev(dev);
- struct pci_tsm_pf0 *tsm_pf0;
+ struct pci_tsm_host *tsm_host;
struct pci_tsm *tsm;
int rc;
@@ -505,9 +505,9 @@ static ssize_t bound_show(struct device *dev,
tsm = pdev->tsm;
if (!tsm)
return sysfs_emit(buf, "\n");
- tsm_pf0 = to_pci_tsm_pf0(tsm);
+ tsm_host = to_pci_tsm_host(tsm);
- ACQUIRE(mutex_intr, ops_lock)(&tsm_pf0->lock);
+ ACQUIRE(mutex_intr, ops_lock)(&tsm_host->lock);
if ((rc = ACQUIRE_ERR(mutex_intr, &ops_lock)))
return rc;
@@ -547,7 +547,7 @@ static bool pci_tsm_link_group_visible(struct kobject *kobj)
if (!pci_is_pcie(pdev))
return false;
- if (is_pci_tsm_pf0(pdev))
+ if (is_pci_tsm_host(pdev))
return true;
/*
@@ -572,14 +572,14 @@ static umode_t pci_tsm_attr_visible(struct kobject *kobj,
struct pci_dev *pdev = to_pci_dev(kobj_to_dev(kobj));
if (attr == &dev_attr_bound.attr) {
- if (is_pci_tsm_pf0(pdev) && has_tee(pdev))
+ if (is_pci_tsm_host(pdev) && has_tee(pdev))
return attr->mode;
if (pdev->tsm && has_tee(pdev->tsm->dsm_dev))
return attr->mode;
}
if (attr == &dev_attr_dsm.attr) {
- if (is_pci_tsm_pf0(pdev))
+ if (is_pci_tsm_host(pdev))
return attr->mode;
if (pdev->tsm && has_tee(pdev->tsm->dsm_dev))
return attr->mode;
@@ -587,7 +587,7 @@ static umode_t pci_tsm_attr_visible(struct kobject *kobj,
if (attr == &dev_attr_connect.attr ||
attr == &dev_attr_disconnect.attr) {
- if (is_pci_tsm_pf0(pdev))
+ if (is_pci_tsm_host(pdev))
return attr->mode;
}
}
@@ -662,7 +662,7 @@ static struct pci_dev *find_dsm_dev(struct pci_dev *pdev)
struct device *grandparent;
struct pci_dev *uport;
- if (is_pci_tsm_pf0(pdev))
+ if (is_pci_tsm_host(pdev))
return pdev;
struct pci_dev *pf0 __free(pci_dev_put) = pf0_dev_get(pdev);
@@ -735,13 +735,13 @@ int pci_tsm_link_constructor(struct pci_dev *pdev, struct pci_tsm *tsm,
EXPORT_SYMBOL_GPL(pci_tsm_link_constructor);
/**
- * pci_tsm_pf0_constructor() - common 'struct pci_tsm_pf0' (DSM) initialization
- * @pdev: Physical Function 0 PCI device (as indicated by is_pci_tsm_pf0())
+ * pci_tsm_host_constructor() - common 'struct pci_tsm_host' (DSM) initialization
+ * @pdev: TSM host PCI device (as indicated by is_pci_tsm_host())
* @tsm: context to initialize
* @tsm_dev: Platform TEE Security Manager, initiator of security operations
*/
-int pci_tsm_pf0_constructor(struct pci_dev *pdev, struct pci_tsm_pf0 *tsm,
- struct tsm_dev *tsm_dev)
+int pci_tsm_host_constructor(struct pci_dev *pdev, struct pci_tsm_host *tsm,
+ struct tsm_dev *tsm_dev)
{
mutex_init(&tsm->lock);
tsm->doe_mb = pci_find_doe_mailbox(pdev, PCI_VENDOR_ID_PCI_SIG,
@@ -753,13 +753,13 @@ int pci_tsm_pf0_constructor(struct pci_dev *pdev, struct pci_tsm_pf0 *tsm,
return pci_tsm_link_constructor(pdev, &tsm->base_tsm, tsm_dev);
}
-EXPORT_SYMBOL_GPL(pci_tsm_pf0_constructor);
+EXPORT_SYMBOL_GPL(pci_tsm_host_constructor);
-void pci_tsm_pf0_destructor(struct pci_tsm_pf0 *pf0_tsm)
+void pci_tsm_host_destructor(struct pci_tsm_host *host_tsm)
{
- mutex_destroy(&pf0_tsm->lock);
+ mutex_destroy(&host_tsm->lock);
}
-EXPORT_SYMBOL_GPL(pci_tsm_pf0_destructor);
+EXPORT_SYMBOL_GPL(pci_tsm_host_destructor);
int pci_tsm_register(struct tsm_dev *tsm_dev)
{
@@ -780,7 +780,7 @@ int pci_tsm_register(struct tsm_dev *tsm_dev)
/* On first enable, update sysfs groups */
if (is_link_tsm(tsm_dev) && pci_tsm_link_count++ == 0) {
for_each_pci_dev(pdev)
- if (is_pci_tsm_pf0(pdev))
+ if (is_pci_tsm_host(pdev))
link_sysfs_enable(pdev);
} else if (is_devsec_tsm(tsm_dev)) {
pci_tsm_devsec_count++;
@@ -815,7 +815,7 @@ static void __pci_tsm_destroy(struct pci_dev *pdev, struct tsm_dev *tsm_dev)
* skipped if the device itself is being removed since sysfs goes away
* naturally at that point
*/
- if (is_link_tsm(tsm_dev) && is_pci_tsm_pf0(pdev) && !pci_tsm_link_count)
+ if (is_link_tsm(tsm_dev) && is_pci_tsm_host(pdev) && !pci_tsm_link_count)
link_sysfs_disable(pdev);
/* Nothing else to do if this device never attached to the departing TSM */
@@ -828,7 +828,7 @@ static void __pci_tsm_destroy(struct pci_dev *pdev, struct tsm_dev *tsm_dev)
else if (tsm_dev != tsm->tsm_dev)
return;
- if (is_link_tsm(tsm_dev) && is_pci_tsm_pf0(pdev))
+ if (is_link_tsm(tsm_dev) && is_pci_tsm_host(pdev))
pci_tsm_disconnect(pdev);
else
pci_tsm_fn_exit(pdev);
@@ -885,12 +885,12 @@ void pci_tsm_unregister(struct tsm_dev *tsm_dev)
int pci_tsm_doe_transfer(struct pci_dev *pdev, u8 type, const void *req,
size_t req_sz, void *resp, size_t resp_sz)
{
- struct pci_tsm_pf0 *tsm;
+ struct pci_tsm_host *tsm;
- if (!pdev->tsm || !is_pci_tsm_pf0(pdev))
+ if (!pdev->tsm || !is_pci_tsm_host(pdev))
return -ENXIO;
- tsm = to_pci_tsm_pf0(pdev->tsm);
+ tsm = to_pci_tsm_host(pdev->tsm);
if (!tsm->doe_mb)
return -ENXIO;
diff --git a/include/linux/pci-tsm.h b/include/linux/pci-tsm.h
index a6435aba03f9..950e2c36a4ca 100644
--- a/include/linux/pci-tsm.h
+++ b/include/linux/pci-tsm.h
@@ -40,7 +40,7 @@ struct pci_tsm_ops {
* pci_tsm_rwsem held for write to sync with TSM unregistration and
* mutual exclusion of @connect and @disconnect. @connect and
* @disconnect additionally run under the DSM lock (struct
- * pci_tsm_pf0::lock) as well as @probe and @remove of the subfunctions.
+ * pci_tsm_host::lock) as well as @probe and @remove of the subfunctions.
* @bind, @unbind, and @guest_req run under pci_tsm_rwsem held for read
* and the DSM lock.
*/
@@ -115,19 +115,23 @@ struct pci_tsm {
};
/**
- * struct pci_tsm_pf0 - Physical Function 0 TDISP link context
+ * struct pci_tsm_host - TSM host link context (CMA, IDE, or TDISP)
* @base_tsm: generic core "tsm" context
* @lock: mutual exclustion for pci_tsm_ops invocation
* @doe_mb: PCIe Data Object Exchange mailbox
+ *
+ * The host of a TSM link is the device that knows how to speak
+ * CMA, IDE, or TDISP. For TDISP / IDE that is a Physical Function 0.
+ * For CMA-only it is a CMA DOE mailbox.
*/
-struct pci_tsm_pf0 {
+struct pci_tsm_host {
struct pci_tsm base_tsm;
struct mutex lock;
struct pci_doe_mb *doe_mb;
};
/* physical function0 and capable of 'connect' */
-static inline bool is_pci_tsm_pf0(struct pci_dev *pdev)
+static inline bool is_pci_tsm_host(struct pci_dev *pdev)
{
if (!pdev)
return false;
@@ -204,9 +208,9 @@ int pci_tsm_register(struct tsm_dev *tsm_dev);
void pci_tsm_unregister(struct tsm_dev *tsm_dev);
int pci_tsm_link_constructor(struct pci_dev *pdev, struct pci_tsm *tsm,
struct tsm_dev *tsm_dev);
-int pci_tsm_pf0_constructor(struct pci_dev *pdev, struct pci_tsm_pf0 *tsm,
- struct tsm_dev *tsm_dev);
-void pci_tsm_pf0_destructor(struct pci_tsm_pf0 *tsm);
+int pci_tsm_host_constructor(struct pci_dev *pdev, struct pci_tsm_host *tsm,
+ struct tsm_dev *tsm_dev);
+void pci_tsm_host_destructor(struct pci_tsm_host *tsm);
int pci_tsm_doe_transfer(struct pci_dev *pdev, u8 type, const void *req,
size_t req_sz, void *resp, size_t resp_sz);
int pci_tsm_bind(struct pci_dev *pdev, struct kvm *kvm, u32 tdi_id);
--
2.54.0
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox