[7/8] drm/i915/huc: Support HuC authentication

Commit Message

Srivatsa, Anusha Jan. 13, 2017, 5:07 p.m. UTC

The HuC authentication is done by host2guc call. The HuC RSA keys
are sent to GuC for authentication.

v2: rebased on top of drm-tip. Changed name format and upped
version 1.7.
v3: changed wait_for_atomic to wait_for
v4: rebased. Rename intel_huc_auh() to intel_guc_auth_huc()
and place the prototype in intel_guc.h,correct the comments.
v5: rebased. Moved intel_guc_auth_huc from i915_guc_submission.c
to intel_uc.c.Update dev to dev_priv in intel_guc_auth_huc().
Renamed HOST2GUC_ACTION_AUTHENTICATE_HUC TO INTEL_GUC_ACTION_
AUTHENTICATE_HUC
v6: rebased. Add newline on DRM_ERRORs that already dont have one.
v7: rebased. Replace wait_for with intel_wait_for_register() since
the latter employs sleep optimisations for quick responses- as pointed
out by Chris Wilson.
v8: rebased. Cleanup the intel_guc_auth_huc() by removing checks
already performed in earlier functions. Make comments more descriptive.
v9: rebased. Changed the bias for pinning the HuC object. Move
intel_guc_auth_huc() to intel_huc.c. Change DRM_DEBUGs to DRM_ERRORs
in intel_guc_auth_huc(). Add return status to DRM_ERRORs.

Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Arkadiusz Hiler <arkadiusz.hiler@intel.com>
Cc: Michal Wajdeczko <michal.wajdeczko@intel.com>
Tested-by: Xiang Haihao <haihao.xiang@intel.com>
Signed-off-by: Anusha Srivatsa <anusha.srivatsa@intel.com>
Signed-off-by: Alex Dai <yu.dai@intel.com>
Signed-off-by: Peter Antoine <peter.antoine@intel.com>
---
 drivers/gpu/drm/i915/intel_guc_fwif.h   |  1 +
 drivers/gpu/drm/i915/intel_guc_loader.c |  2 ++
 drivers/gpu/drm/i915/intel_huc.c        | 53 +++++++++++++++++++++++++++++++++
 drivers/gpu/drm/i915/intel_uc.h         |  1 +
 4 files changed, 57 insertions(+)

Comments

Chris Wilson Jan. 13, 2017, 5:24 p.m. UTC | #1

On Fri, Jan 13, 2017 at 09:07:08AM -0800, Anusha Srivatsa wrote:
> +/**
> + * intel_guc_auth_huc() - authenticate ucode
> + * @dev_priv: the drm_i915_device
> + *
> + * Triggers a HuC fw authentication request to the GuC via intel_guc_action_
> + * authenticate_huc interface.
> + */
> +void intel_guc_auth_huc(struct drm_i915_private *dev_priv)
> +{
> +	struct intel_guc *guc = &dev_priv->guc;
> +	struct intel_huc *huc = &dev_priv->huc;
> +	struct i915_vma *vma;
> +	int ret;
> +	u32 data[2];
> +
> +	vma = i915_gem_object_ggtt_pin(huc->fw.obj, NULL, 0, 0,
> +				PIN_OFFSET_BIAS | GUC_WOPCM_TOP);
> +	if (IS_ERR(vma)) {
> +		DRM_ERROR("failed to pin huc fw object %d\n",
> +				(int)PTR_ERR(vma));
> +		return;
> +	}
> +
> +	/* Invalidate GuC TLB to let GuC take the latest updates to GTT. */
> +	I915_WRITE(GEN8_GTCR, GEN8_GTCR_INVALIDATE);
> +
> +	/* Specify auth action and where public signature is. */
> +	data[0] = INTEL_GUC_ACTION_AUTHENTICATE_HUC;
> +	data[1] = i915_ggtt_offset(vma) + huc->fw.rsa_offset;
> +
> +	ret = intel_guc_send(guc, data, ARRAY_SIZE(data));
> +	if (ret) {
> +		DRM_ERROR("HuC: GuC did not ack Auth request %d\n", ret);
> +		goto out;
> +	}
> +
> +	/* Check authentication status, it should be done by now */
> +	ret = intel_wait_for_register(dev_priv,
> +				HUC_STATUS2,
> +				HUC_FW_VERIFIED,
> +				HUC_FW_VERIFIED,
> +				50);
> +
> +	if (ret) {
> +		DRM_ERROR("HuC: Authentication failed %d\n", ret);
> +		goto out;
> +	}
> +
> +	DRM_ERROR("HuC Authentication Successful!\n");

Probably don't want to proclaim using the HuC as an error ;-)
-Chris

Srivatsa, Anusha Jan. 13, 2017, 5:36 p.m. UTC | #2

>-----Original Message-----
>From: Chris Wilson [mailto:chris@chris-wilson.co.uk]
>Sent: Friday, January 13, 2017 9:25 AM
>To: Srivatsa, Anusha <anusha.srivatsa@intel.com>
>Cc: intel-gfx@lists.freedesktop.org; Hiler, Arkadiusz <arkadiusz.hiler@intel.com>;
>Wajdeczko, Michal <Michal.Wajdeczko@intel.com>; Alex Dai
><yu.dai@intel.com>; Peter Antoine <peter.antoine@intel.com>
>Subject: Re: [PATCH 7/8] drm/i915/huc: Support HuC authentication
>
>On Fri, Jan 13, 2017 at 09:07:08AM -0800, Anusha Srivatsa wrote:
>> +/**
>> + * intel_guc_auth_huc() - authenticate ucode
>> + * @dev_priv: the drm_i915_device
>> + *
>> + * Triggers a HuC fw authentication request to the GuC via
>> +intel_guc_action_
>> + * authenticate_huc interface.
>> + */
>> +void intel_guc_auth_huc(struct drm_i915_private *dev_priv) {
>> +	struct intel_guc *guc = &dev_priv->guc;
>> +	struct intel_huc *huc = &dev_priv->huc;
>> +	struct i915_vma *vma;
>> +	int ret;
>> +	u32 data[2];
>> +
>> +	vma = i915_gem_object_ggtt_pin(huc->fw.obj, NULL, 0, 0,
>> +				PIN_OFFSET_BIAS | GUC_WOPCM_TOP);
>> +	if (IS_ERR(vma)) {
>> +		DRM_ERROR("failed to pin huc fw object %d\n",
>> +				(int)PTR_ERR(vma));
>> +		return;
>> +	}
>> +
>> +	/* Invalidate GuC TLB to let GuC take the latest updates to GTT. */
>> +	I915_WRITE(GEN8_GTCR, GEN8_GTCR_INVALIDATE);
>> +
>> +	/* Specify auth action and where public signature is. */
>> +	data[0] = INTEL_GUC_ACTION_AUTHENTICATE_HUC;
>> +	data[1] = i915_ggtt_offset(vma) + huc->fw.rsa_offset;
>> +
>> +	ret = intel_guc_send(guc, data, ARRAY_SIZE(data));
>> +	if (ret) {
>> +		DRM_ERROR("HuC: GuC did not ack Auth request %d\n", ret);
>> +		goto out;
>> +	}
>> +
>> +	/* Check authentication status, it should be done by now */
>> +	ret = intel_wait_for_register(dev_priv,
>> +				HUC_STATUS2,
>> +				HUC_FW_VERIFIED,
>> +				HUC_FW_VERIFIED,
>> +				50);
>> +
>> +	if (ret) {
>> +		DRM_ERROR("HuC: Authentication failed %d\n", ret);
>> +		goto out;
>> +	}
>> +
>> +	DRM_ERROR("HuC Authentication Successful!\n");
>
>Probably don't want to proclaim using the HuC as an error ;-) -Chris

Oh... I was actually thinking it is good if it proclaimed....
Wont it be useful message to know?

Anusha 
>--
>Chris Wilson, Intel Open Source Technology Centre

Patch

diff --git a/drivers/gpu/drm/i915/intel_guc_fwif.h b/drivers/gpu/drm/i915/intel_guc_fwif.h
index ed1ab40..25691f0 100644
--- a/drivers/gpu/drm/i915/intel_guc_fwif.h
+++ b/drivers/gpu/drm/i915/intel_guc_fwif.h
@@ -505,6 +505,7 @@  enum intel_guc_action {
 	INTEL_GUC_ACTION_ENTER_S_STATE = 0x501,
 	INTEL_GUC_ACTION_EXIT_S_STATE = 0x502,
 	INTEL_GUC_ACTION_SLPC_REQUEST = 0x3003,
+	INTEL_GUC_ACTION_AUTHENTICATE_HUC = 0x4000,
 	INTEL_GUC_ACTION_UK_LOG_ENABLE_LOGGING = 0x0E000,
 	INTEL_GUC_ACTION_LIMIT
 };
diff --git a/drivers/gpu/drm/i915/intel_guc_loader.c b/drivers/gpu/drm/i915/intel_guc_loader.c
index 861c157..c618d11 100644
--- a/drivers/gpu/drm/i915/intel_guc_loader.c
+++ b/drivers/gpu/drm/i915/intel_guc_loader.c
@@ -530,6 +530,8 @@  int intel_guc_setup(struct drm_i915_private *dev_priv)
 		intel_uc_fw_status_repr(guc_fw->fetch_status),
 		intel_uc_fw_status_repr(guc_fw->load_status));
 
+	intel_guc_auth_huc(dev_priv);
+
 	if (i915.enable_guc_submission) {
 		if (i915.guc_log_level >= 0)
 			gen9_enable_guc_interrupts(dev_priv);
diff --git a/drivers/gpu/drm/i915/intel_huc.c b/drivers/gpu/drm/i915/intel_huc.c
index 7f3774a..22f1207 100644
--- a/drivers/gpu/drm/i915/intel_huc.c
+++ b/drivers/gpu/drm/i915/intel_huc.c
@@ -287,3 +287,56 @@  void intel_huc_fini(struct drm_i915_private *dev_priv)
 	huc_fw->fetch_status = INTEL_UC_FIRMWARE_NONE;
 }
 
+/**
+ * intel_guc_auth_huc() - authenticate ucode
+ * @dev_priv: the drm_i915_device
+ *
+ * Triggers a HuC fw authentication request to the GuC via intel_guc_action_
+ * authenticate_huc interface.
+ */
+void intel_guc_auth_huc(struct drm_i915_private *dev_priv)
+{
+	struct intel_guc *guc = &dev_priv->guc;
+	struct intel_huc *huc = &dev_priv->huc;
+	struct i915_vma *vma;
+	int ret;
+	u32 data[2];
+
+	vma = i915_gem_object_ggtt_pin(huc->fw.obj, NULL, 0, 0,
+				PIN_OFFSET_BIAS | GUC_WOPCM_TOP);
+	if (IS_ERR(vma)) {
+		DRM_ERROR("failed to pin huc fw object %d\n",
+				(int)PTR_ERR(vma));
+		return;
+	}
+
+	/* Invalidate GuC TLB to let GuC take the latest updates to GTT. */
+	I915_WRITE(GEN8_GTCR, GEN8_GTCR_INVALIDATE);
+
+	/* Specify auth action and where public signature is. */
+	data[0] = INTEL_GUC_ACTION_AUTHENTICATE_HUC;
+	data[1] = i915_ggtt_offset(vma) + huc->fw.rsa_offset;
+
+	ret = intel_guc_send(guc, data, ARRAY_SIZE(data));
+	if (ret) {
+		DRM_ERROR("HuC: GuC did not ack Auth request %d\n", ret);
+		goto out;
+	}
+
+	/* Check authentication status, it should be done by now */
+	ret = intel_wait_for_register(dev_priv,
+				HUC_STATUS2,
+				HUC_FW_VERIFIED,
+				HUC_FW_VERIFIED,
+				50);
+
+	if (ret) {
+		DRM_ERROR("HuC: Authentication failed %d\n", ret);
+		goto out;
+	}
+
+	DRM_ERROR("HuC Authentication Successful!\n");
+out:
+	i915_vma_unpin(vma);
+}
+
diff --git a/drivers/gpu/drm/i915/intel_uc.h b/drivers/gpu/drm/i915/intel_uc.h
index 65c7d6e..27f8b6f 100644
--- a/drivers/gpu/drm/i915/intel_uc.h
+++ b/drivers/gpu/drm/i915/intel_uc.h
@@ -227,5 +227,6 @@  static inline u32 guc_ggtt_offset(struct i915_vma *vma)
 void intel_huc_init(struct drm_i915_private *dev_priv);
 void intel_huc_fini(struct drm_i915_private  *dev_priv);
 int intel_huc_load(struct drm_i915_private *dev_priv);
+void intel_guc_auth_huc(struct drm_i915_private *dev_priv);
 
 #endif