1// SPDX-License-Identifier: GPL-2.0-only
  2/* Copyright(c) 2022 Intel Corporation. */
  3
  4#include <linux/firmware.h>
  5#include <asm/cpu.h>
  6#include <asm/microcode_intel.h>
  7
  8#include "ifs.h"
  9
 10#define IFS_CHUNK_ALIGNMENT	256
 11union meta_data {
 12	struct {
 13		u32 meta_type;		// metadata type
 14		u32 meta_size;		// size of this entire struct including hdrs.
 15		u32 test_type;		// IFS test type
 16		u32 fusa_info;		// Fusa info
 17		u32 total_images;	// Total number of images
 18		u32 current_image;	// Current Image #
 19		u32 total_chunks;	// Total number of chunks in this image
 20		u32 starting_chunk;	// Starting chunk number in this image
 21		u32 size_per_chunk;	// size of each chunk
 22		u32 chunks_per_stride;	// number of chunks in a stride
 23	};
 24	u8 padding[IFS_CHUNK_ALIGNMENT];
 25};
 26
 27#define IFS_HEADER_SIZE	(sizeof(struct microcode_header_intel))
 28#define META_TYPE_IFS	1
 29static  struct microcode_header_intel *ifs_header_ptr;	/* pointer to the ifs image header */
 30static u64 ifs_hash_ptr;			/* Address of ifs metadata (hash) */
 31static u64 ifs_test_image_ptr;			/* 256B aligned address of test pattern */
 32static DECLARE_COMPLETION(ifs_done);
 33
 34static const char * const scan_hash_status[] = {
 35	[0] = "No error reported",
 36	[1] = "Attempt to copy scan hashes when copy already in progress",
 37	[2] = "Secure Memory not set up correctly",
 38	[3] = "FuSaInfo.ProgramID does not match or ff-mm-ss does not match",
 39	[4] = "Reserved",
 40	[5] = "Integrity check failed",
 41	[6] = "Scan reload or test is in progress"
 42};
 43
 44static const char * const scan_authentication_status[] = {
 45	[0] = "No error reported",
 46	[1] = "Attempt to authenticate a chunk which is already marked as authentic",
 47	[2] = "Chunk authentication error. The hash of chunk did not match expected value"
 48};
 49
 50#define MC_HEADER_META_TYPE_END		(0)
 51
 52struct metadata_header {
 53	unsigned int		type;
 54	unsigned int		blk_size;
 55};
 56
 57static struct metadata_header *find_meta_data(void *ucode, unsigned int meta_type)
 58{
 59	struct metadata_header *meta_header;
 60	unsigned long data_size, total_meta;
 61	unsigned long meta_size = 0;
 62
 63	data_size = get_datasize(ucode);
 64	total_meta = ((struct microcode_intel *)ucode)->hdr.metasize;
 65	if (!total_meta)
 66		return NULL;
 67
 68	meta_header = (ucode + MC_HEADER_SIZE + data_size) - total_meta;
 69
 70	while (meta_header->type != MC_HEADER_META_TYPE_END &&
 71	       meta_header->blk_size &&
 72	       meta_size < total_meta) {
 73		meta_size += meta_header->blk_size;
 74		if (meta_header->type == meta_type)
 75			return meta_header;
 76
 77		meta_header = (void *)meta_header + meta_header->blk_size;
 78	}
 79	return NULL;
 80}
 81
 82/*
 83 * To copy scan hashes and authenticate test chunks, the initiating cpu must point
 84 * to the EDX:EAX to the test image in linear address.
 85 * Run wrmsr(MSR_COPY_SCAN_HASHES) for scan hash copy and run wrmsr(MSR_AUTHENTICATE_AND_COPY_CHUNK)
 86 * for scan hash copy and test chunk authentication.
 87 */
 88static void copy_hashes_authenticate_chunks(struct work_struct *work)
 89{
 90	struct ifs_work *local_work = container_of(work, struct ifs_work, w);
 91	union ifs_scan_hashes_status hashes_status;
 92	union ifs_chunks_auth_status chunk_status;
 93	struct device *dev = local_work->dev;
 94	int i, num_chunks, chunk_size;
 95	struct ifs_data *ifsd;
 96	u64 linear_addr, base;
 97	u32 err_code;
 98
 99	ifsd = ifs_get_data(dev);
100	/* run scan hash copy */
101	wrmsrl(MSR_COPY_SCAN_HASHES, ifs_hash_ptr);
102	rdmsrl(MSR_SCAN_HASHES_STATUS, hashes_status.data);
103
104	/* enumerate the scan image information */
105	num_chunks = hashes_status.num_chunks;
106	chunk_size = hashes_status.chunk_size * 1024;
107	err_code = hashes_status.error_code;
108
109	if (!hashes_status.valid) {
110		ifsd->loading_error = true;
111		if (err_code >= ARRAY_SIZE(scan_hash_status)) {
112			dev_err(dev, "invalid error code 0x%x for hash copy\n", err_code);
113			goto done;
114		}
115		dev_err(dev, "Hash copy error : %s", scan_hash_status[err_code]);
116		goto done;
117	}
118
119	/* base linear address to the scan data */
120	base = ifs_test_image_ptr;
121
122	/* scan data authentication and copy chunks to secured memory */
123	for (i = 0; i < num_chunks; i++) {
124		linear_addr = base + i * chunk_size;
125		linear_addr |= i;
126
127		wrmsrl(MSR_AUTHENTICATE_AND_COPY_CHUNK, linear_addr);
128		rdmsrl(MSR_CHUNKS_AUTHENTICATION_STATUS, chunk_status.data);
129
130		ifsd->valid_chunks = chunk_status.valid_chunks;
131		err_code = chunk_status.error_code;
132
133		if (err_code) {
134			ifsd->loading_error = true;
135			if (err_code >= ARRAY_SIZE(scan_authentication_status)) {
136				dev_err(dev,
137					"invalid error code 0x%x for authentication\n", err_code);
138				goto done;
139			}
140			dev_err(dev, "Chunk authentication error %s\n",
141				scan_authentication_status[err_code]);
142			goto done;
143		}
144	}
145done:
146	complete(&ifs_done);
147}
148
149static int validate_ifs_metadata(struct device *dev)
150{
151	struct ifs_data *ifsd = ifs_get_data(dev);
152	union meta_data *ifs_meta;
153	char test_file[64];
154	int ret = -EINVAL;
155
156	snprintf(test_file, sizeof(test_file), "%02x-%02x-%02x-%02x.scan",
157		 boot_cpu_data.x86, boot_cpu_data.x86_model,
158		 boot_cpu_data.x86_stepping, ifsd->cur_batch);
159
160	ifs_meta = (union meta_data *)find_meta_data(ifs_header_ptr, META_TYPE_IFS);
161	if (!ifs_meta) {
162		dev_err(dev, "IFS Metadata missing in file %s\n", test_file);
163		return ret;
164	}
165
166	ifs_test_image_ptr = (u64)ifs_meta + sizeof(union meta_data);
167
168	/* Scan chunk start must be 256 byte aligned */
169	if (!IS_ALIGNED(ifs_test_image_ptr, IFS_CHUNK_ALIGNMENT)) {
170		dev_err(dev, "Scan pattern is not aligned on %d bytes aligned in %s\n",
171			IFS_CHUNK_ALIGNMENT, test_file);
172		return ret;
173	}
174
175	if (ifs_meta->current_image != ifsd->cur_batch) {
176		dev_warn(dev, "Mismatch between filename %s and batch metadata 0x%02x\n",
177			 test_file, ifs_meta->current_image);
178		return ret;
179	}
180
181	return 0;
182}
183
184/*
185 * IFS requires scan chunks authenticated per each socket in the platform.
186 * Once the test chunk is authenticated, it is automatically copied to secured memory
187 * and proceed the authentication for the next chunk.
188 */
189static int scan_chunks_sanity_check(struct device *dev)
190{
191	struct ifs_data *ifsd = ifs_get_data(dev);
192	struct ifs_work local_work;
193	int curr_pkg, cpu, ret;
194
195	memset(ifsd->pkg_auth, 0, (topology_max_packages() * sizeof(bool)));
196	ret = validate_ifs_metadata(dev);
197	if (ret)
198		return ret;
199
200	ifsd->loading_error = false;
201	ifsd->loaded_version = ifs_header_ptr->rev;
202
203	/* copy the scan hash and authenticate per package */
204	cpus_read_lock();
205	for_each_online_cpu(cpu) {
206		curr_pkg = topology_physical_package_id(cpu);
207		if (ifsd->pkg_auth[curr_pkg])
208			continue;
209		reinit_completion(&ifs_done);
210		local_work.dev = dev;
211		INIT_WORK(&local_work.w, copy_hashes_authenticate_chunks);
212		schedule_work_on(cpu, &local_work.w);
213		wait_for_completion(&ifs_done);
214		if (ifsd->loading_error) {
215			ret = -EIO;
216			goto out;
217		}
218		ifsd->pkg_auth[curr_pkg] = 1;
219	}
220	ret = 0;
221out:
222	cpus_read_unlock();
223
224	return ret;
225}
226
227static int image_sanity_check(struct device *dev, const struct microcode_header_intel *data)
228{
229	struct ucode_cpu_info uci;
230
231	/* Provide a specific error message when loading an older/unsupported image */
232	if (data->hdrver != MC_HEADER_TYPE_IFS) {
233		dev_err(dev, "Header version %d not supported\n", data->hdrver);
234		return -EINVAL;
235	}
236
237	if (intel_microcode_sanity_check((void *)data, true, MC_HEADER_TYPE_IFS)) {
238		dev_err(dev, "sanity check failed\n");
239		return -EINVAL;
240	}
241
242	intel_cpu_collect_info(&uci);
243
244	if (!intel_find_matching_signature((void *)data,
245					   uci.cpu_sig.sig,
246					   uci.cpu_sig.pf)) {
247		dev_err(dev, "cpu signature, processor flags not matching\n");
248		return -EINVAL;
249	}
250
251	return 0;
252}
253
254/*
255 * Load ifs image. Before loading ifs module, the ifs image must be located
256 * in /lib/firmware/intel/ifs_x/ and named as family-model-stepping-02x.{testname}.
257 */
258int ifs_load_firmware(struct device *dev)
259{
260	struct ifs_data *ifsd = ifs_get_data(dev);
261	const struct firmware *fw;
262	char scan_path[64];
263	int ret = -EINVAL;
264
265	snprintf(scan_path, sizeof(scan_path), "intel/ifs_%d/%02x-%02x-%02x-%02x.scan",
266		 ifsd->test_num, boot_cpu_data.x86, boot_cpu_data.x86_model,
267		 boot_cpu_data.x86_stepping, ifsd->cur_batch);
268
269	ret = request_firmware_direct(&fw, scan_path, dev);
270	if (ret) {
271		dev_err(dev, "ifs file %s load failed\n", scan_path);
272		goto done;
273	}
274
275	ret = image_sanity_check(dev, (struct microcode_header_intel *)fw->data);
276	if (ret)
277		goto release;
278
279	ifs_header_ptr = (struct microcode_header_intel *)fw->data;
280	ifs_hash_ptr = (u64)(ifs_header_ptr + 1);
281
282	ret = scan_chunks_sanity_check(dev);
283	if (ret)
284		dev_err(dev, "Load failure for batch: %02x\n", ifsd->cur_batch);
285
286release:
287	release_firmware(fw);
288done:
289	ifsd->loaded = (ret == 0);
290
291	return ret;
292}