1. 27 Nov, 2020 1 commit
    • xfrm: redact SA secret with lockdown confidentiality · c7a5899e
      Antony Antony authored
      redact XFRM SA secret in the netlink response to xfrm_get_sa()
      or dumpall sa.
      Enable lockdown, confidentiality mode, at boot or at run time.
      
      e.g. when enabled:
      cat /sys/kernel/security/lockdown
      none integrity [confidentiality]
      
      ip xfrm state
      src 172.16.1.200 dst 172.16.1.100
      	proto esp spi 0x00000002 reqid 2 mode tunnel
      	replay-window 0
      	aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 96
      
      note: the aead secret is redacted.
      Redacting secret is also a FIPS 140-2 requirement.
      
      v1->v2
       - add size checks before memset calls
      v2->v3
       - replace spaces with tabs for consistency
      v3->v4
       - use kernel lockdown instead of a /proc setting
      v4->v5
       - remove kconfig option
      Reviewed-by: Stephan Mueller <smueller@chronox.de>
      Signed-off-by: Antony Antony <antony.antony@secunet.com>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  2. 10 Nov, 2020 21 commits
  3. 09 Nov, 2020 1 commit
  4. 08 Nov, 2020 1 commit
  5. 07 Nov, 2020 16 commits
    • Wang Qing
      ef9ac209
    • Wang Qing
    • Merge branch 'net-ipa-constrain-gsi-interrupts' · 2d152760
      Jakub Kicinski authored
      Alex Elder says:
      
      ====================
      net: ipa: constrain GSI interrupts
      
      The goal of this series is to more tightly control when GSI
      interrupts are enabled.  This is a long-ish series, so I'll
      describe it in parts.
      
      The first patch is actually unrelated...  I forgot to include
      it in my previous series (which exposed the GSI layer to the
      IPA version).  It is a trivial comments-only update patch.
      
      The second patch defers registering the GSI interrupt handler
      until *after* all of the resources that handler touches have
      been initialized.  In practice, we don't see this interrupt
      that early, but this precludes an obvious problem.
      
      The next two patches are simple changes.  The first just
      trivially renames a field.  The second switches from using
      constant mask values to using an enumerated type of bit
      positions to represent each GSI interrupt type.
      
      The rest implement the "real work."  First, all interrupts
      are disabled at initialization time.  Next, we keep track of
      a bitmask of enabled GSI interrupt types, updating it each
      time we enable or disable one of them.  From there we have
      a set of patches that one-by-one enable each interrupt type
      only during the period it is required.  This includes allowing
      a channel to generate IEOB interrupts only when it has been
      enabled.  And finally, the last patch simplifies some code
      now that all GSI interrupt types are handled uniformly.
      ====================
      
      Link: https://lore.kernel.org/r/20201105181407.8006-1-elder@linaro.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: pass a value to gsi_irq_type_update() · 8194be79
      Alex Elder authored
      Now that all of the GSI interrupts are handled uniformly,
      change gsi_irq_type_update() so it takes a value.  Have the
      function assign that value to the cached mask of enabled GSI
      IRQ types before writing it to hardware.
      
      Note that gsi_irq_teardown() will only be called after
      gsi_irq_disable(), so it's not necessary for the former
      to disable all IRQ types.  Get rid of that.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: only enable GSI general IRQs when needed · 352f26a8
      Alex Elder authored
      Most GSI general errors are unrecoverable without a full reset.
      Despite that, we want to receive these errors so we can at least
      report what happened before whatever undefined behavior ensues.
      
      Explicitly disable all such interrupts in gsi_irq_setup(), then
      enable those we want in gsi_irq_enable().  List the interrupt types
      we are interested in (everything but breakpoint) explicitly rather
      than using GSI_CNTXT_GSI_IRQ_ALL, and remove that symbol's
      definition.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: explicitly disallow inter-EE interrupts · 46f748cc
      Alex Elder authored
      It is possible for other execution environments (EEs, like the modem)
      to request changes to local (AP) channel or event ring state.  We do
      not support this feature.
      
      In gsi_irq_setup(), explicitly zero the mask that defines which
      channels are permitted to generate inter-EE channel state change
      interrupts.  Do the same for the event ring mask.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: only enable GSI IEOB IRQs when needed · 06c86328
      Alex Elder authored
      A GSI channel must be started in order to use it to perform a
      transfer data (or command) transaction.  And the only time we'll see
      an IEOB interrupt is if we send a transaction to a started channel.
      Therefore we do not need to have the IEOB interrupt type enabled
      until at least one channel has been started.  And once the last
      started channel has been stopped, we can disable the IEOB interrupt
      type again.
      
      We already enable the IEOB interrupt for a particular channel only
      when it is started.  Extend that by having the IEOB interrupt *type*
      be enabled only when at least one channel is in STARTED state.
      
      Disallow all channels from triggering the IEOB interrupt in
      gsi_irq_setup().  We only enable a channel's interrupt when
      needed, so there is no longer any need to zero the channel mask
      in gsi_irq_disable().
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: only enable generic command completion IRQ when needed · d6c9e3f5
      Alex Elder authored
      The completion of a generic EE GSI command is signaled by a global
      interrupt of type GP_INT1.  The only other used type for a global
      interrupt is a hardware error report.
      
      First, disallow all global interrupt types in gsi_irq_setup().  We
      want to know about hardware errors, so re-enable the interrupt type
      in gsi_irq_enable(), to allow hardware errors to be reported.
      Disable that interrupt type again in gsi_irq_disable().
      
      We only issue generic EE commands one at a time, and there's no
      reason to keep the completion interrupt enabled when no generic
      EE command is pending.  We furthermore have no need to enable the
      GP_INT2 or GP_INT3 interrupt types (which aren't used).
      
      The change in gsi_irq_enable() makes GSI_CNTXT_GLOB_IRQ_ALL unused,
      so get rid of it.  Have gsi_generic_command() enable the GP_INT1
      interrupt type (in addition to the ERROR_INT type) only while a
      generic command is pending.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: only enable GSI event control IRQs when needed · b4175f87
      Alex Elder authored
      A GSI event ring causes an event control interrupt to fire whenever
      its state changes (between NOT_ALLOCATED and ALLOCATED).  No event
      ring should ever change state except when we request it to.
      
      Currently, we permit *all* event rings to generate event control
      interrupts--even those that are never used.  And we enable event
      control interrupts essentially at all times, from setup to teardown.
      
      Instead, only enable the event control interrupt type for the
      duration of an event ring command, and when doing so, only allow
      the event ring being operated upon to cause the interrupt to fire.
      Disallow all event rings from issuing the event control interrupt
      in gsi_irq_setup().
      
      Because an event ring's interrupt is only enabled when needed,
      there is no longer any need to zero the event channel mask in
      gsi_irq_disable().
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: only enable GSI channel control IRQs when needed · b054d4f9
      Alex Elder authored
      A GSI channel causes a channel control interrupt to fire whenever
      its state changes (between NOT_ALLOCATED, ALLOCATED, STARTED, etc.).
      We do not support inter-EE channel commands (initiated by other EEs),
      so no channel should ever change state except when we request it to.
      
      Currently, we permit *all* channels to generate channel control
      interrupts--even those that are never used.  And we enable channel
      control interrupts essentially at all times, from setup to teardown.
      
      Instead, disable all channel control interrupts initially in
      gsi_irq_setup(), and only enable the channel control interrupt
      type for the duration of a channel command.  When doing so, only
      allow the channel being operated upon to cause the interrupt to
      fire.
      
      Because a channel's interrupt is now enabled only when needed (one
      channel at a time), there is no longer any need to zero the channel
      mask in gsi_irq_disable().
      
      Add new gsi_irq_type_enable() and gsi_irq_type_disable() as helper
      functions to control whether a given GSI interrupt type is enabled.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: cache last-saved GSI IRQ enabled type · 3ca97ffd
      Alex Elder authored
      Keep track of the set of GSI interrupt types that are currently
      enabled by recording the mask value to write (or last written) to
      the TYPE_IRQ_MSK register.
      
      Create a new helper function gsi_irq_type_update() to handle
      actually writing the register.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: disable all GSI interrupt types initially · 97eb94c8
      Alex Elder authored
      Introduce gsi_irq_setup() and gsi_irq_teardown() to disable all
      GSI interrupts when first setting up GSI hardware, and to clean
      things up when we're done.
      
      Re-enable all GSI interrupt types in gsi_irq_enable(), but do
      so only after each of the type-specific interrupt masks has
      been configured.  Similarly, disable all interrupt types in
      gsi_irq_disable()--first--before zeroing out the type-specific
      masks.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: define GSI interrupt types with an enum · f9b28804
      Alex Elder authored
      Define the GSI interrupt types with an enumerated type whose values
      are the bit positions representing each interrupt type.  Include a
      short comment describing how each interrupt type is used.
      
      Build up the enabled interrupt mask explicitly in gsi_irq_enable(),
      and get rid of the definition of GSI_CNTXT_TYPE_IRQ_MSK_ALL.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: rename gsi->event_enable_bitmap · a054539d
      Alex Elder authored
      Rename the "event_enable_bitmap" field of the GSI structure to be
      "ieob_enabled_bitmap".  An upcoming patch will cache the last value
      stored for another interrupt mask and this is a more direct naming
      convention to follow.
      
      Add a few comments to explain the bitmap fields in the GSI structure.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: request GSI IRQ later · 0b8d6761
      Alex Elder authored
      Introduce gsi_irq_init() and gsi_irq_exit(), to encapsulate looking
      up the GSI IRQ and registering its handler.  Call gsi_irq_init() a
      little later in gsi_init(), and initialize the completion earlier.
      The IRQ handler accesses both the GSI virtual memory pointer and the
      completion, and this way these things will have been initialized
      before the gsi_irq() can ever be called.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: ipa: refer to IPA versions, not GSI · 4a04d65c
      Alex Elder authored
      The GSI code is now exposed to IPA version numbers, and we handle
      version-specific behavior based on the IPA version.
      
      Modify some comments that talk about GSI versions so they reference
      IPA versions instead.  Correct version number errors in a couple of
      these comments.
      
      The (comment) mapping between IPA and GSI versions in the definition
      of the ipa_version enumerated type remains.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>