Message ID | 166377435400.430546.5464236210021107128.stgit@djiang5-desk3.ch.intel.com |
---|---|
State | Superseded |
Headers | show |
Series | Introduce security commands for CXL pmem device | expand |
On Wed, 21 Sep 2022 08:32:34 -0700 Dave Jiang <dave.jiang@intel.com> wrote: > Add support to emulate a CXL mem device support the "Unlock" operation. > > Signed-off-by: Dave Jiang <dave.jiang@intel.com> I'm not immediately seeing a water tight reference in the spec for unlocking an unlocked region resulting in an error return but give there is no statement on what you would do if the passphrase were wrong in that case... I think I agree with your interpretation. Oh for some compliance tests to refer to :) Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> > --- > tools/testing/cxl/test/mem.c | 45 ++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 45 insertions(+) > > diff --git a/tools/testing/cxl/test/mem.c b/tools/testing/cxl/test/mem.c > index b24119b0ea76..840378d239bf 100644 > --- a/tools/testing/cxl/test/mem.c > +++ b/tools/testing/cxl/test/mem.c > @@ -314,6 +314,48 @@ static int mock_freeze_security(struct cxl_dev_state *cxlds, struct cxl_mbox_cmd > return 0; > } > > +static int mock_unlock_security(struct cxl_dev_state *cxlds, struct cxl_mbox_cmd *cmd) > +{ > + struct cxl_mock_mem_pdata *mdata = dev_get_platdata(cxlds->dev); > + > + if (cmd->size_in != NVDIMM_PASSPHRASE_LEN) > + return -EINVAL; > + > + if (cmd->size_out != 0) > + return -EINVAL; > + > + if (mdata->security_state & CXL_PMEM_SEC_STATE_FROZEN) { > + cmd->return_code = CXL_MBOX_CMD_RC_SECURITY; > + return -ENXIO; > + } > + > + if (!(mdata->security_state & CXL_PMEM_SEC_STATE_USER_PASS_SET)) { > + cmd->return_code = CXL_MBOX_CMD_RC_SECURITY; > + return -ENXIO; > + } > + > + if (mdata->security_state & CXL_PMEM_SEC_STATE_USER_PLIMIT) { > + cmd->return_code = CXL_MBOX_CMD_RC_SECURITY; > + return -ENXIO; > + } > + > + if (!(mdata->security_state & CXL_PMEM_SEC_STATE_LOCKED)) { > + cmd->return_code = CXL_MBOX_CMD_RC_SECURITY; > + return -ENXIO; > + } > + > + if (memcmp(cmd->payload_in, mdata->user_pass, NVDIMM_PASSPHRASE_LEN)) { > + if (++mdata->user_limit == PASS_TRY_LIMIT) > + mdata->security_state |= CXL_PMEM_SEC_STATE_USER_PLIMIT; > + cmd->return_code = CXL_MBOX_CMD_RC_PASSPHRASE; > + return -ENXIO; > + } > + > + mdata->user_limit = 0; > + mdata->security_state &= ~CXL_PMEM_SEC_STATE_LOCKED; > + return 0; > +} > + > static int mock_get_lsa(struct cxl_dev_state *cxlds, struct cxl_mbox_cmd *cmd) > { > struct cxl_mbox_get_lsa *get_lsa = cmd->payload_in; > @@ -419,6 +461,9 @@ static int cxl_mock_mbox_send(struct cxl_dev_state *cxlds, struct cxl_mbox_cmd * > case CXL_MBOX_OP_FREEZE_SECURITY: > rc = mock_freeze_security(cxlds, cmd); > break; > + case CXL_MBOX_OP_UNLOCK: > + rc = mock_unlock_security(cxlds, cmd); > + break; > default: > break; > } > >
diff --git a/tools/testing/cxl/test/mem.c b/tools/testing/cxl/test/mem.c index b24119b0ea76..840378d239bf 100644 --- a/tools/testing/cxl/test/mem.c +++ b/tools/testing/cxl/test/mem.c @@ -314,6 +314,48 @@ static int mock_freeze_security(struct cxl_dev_state *cxlds, struct cxl_mbox_cmd return 0; } +static int mock_unlock_security(struct cxl_dev_state *cxlds, struct cxl_mbox_cmd *cmd) +{ + struct cxl_mock_mem_pdata *mdata = dev_get_platdata(cxlds->dev); + + if (cmd->size_in != NVDIMM_PASSPHRASE_LEN) + return -EINVAL; + + if (cmd->size_out != 0) + return -EINVAL; + + if (mdata->security_state & CXL_PMEM_SEC_STATE_FROZEN) { + cmd->return_code = CXL_MBOX_CMD_RC_SECURITY; + return -ENXIO; + } + + if (!(mdata->security_state & CXL_PMEM_SEC_STATE_USER_PASS_SET)) { + cmd->return_code = CXL_MBOX_CMD_RC_SECURITY; + return -ENXIO; + } + + if (mdata->security_state & CXL_PMEM_SEC_STATE_USER_PLIMIT) { + cmd->return_code = CXL_MBOX_CMD_RC_SECURITY; + return -ENXIO; + } + + if (!(mdata->security_state & CXL_PMEM_SEC_STATE_LOCKED)) { + cmd->return_code = CXL_MBOX_CMD_RC_SECURITY; + return -ENXIO; + } + + if (memcmp(cmd->payload_in, mdata->user_pass, NVDIMM_PASSPHRASE_LEN)) { + if (++mdata->user_limit == PASS_TRY_LIMIT) + mdata->security_state |= CXL_PMEM_SEC_STATE_USER_PLIMIT; + cmd->return_code = CXL_MBOX_CMD_RC_PASSPHRASE; + return -ENXIO; + } + + mdata->user_limit = 0; + mdata->security_state &= ~CXL_PMEM_SEC_STATE_LOCKED; + return 0; +} + static int mock_get_lsa(struct cxl_dev_state *cxlds, struct cxl_mbox_cmd *cmd) { struct cxl_mbox_get_lsa *get_lsa = cmd->payload_in; @@ -419,6 +461,9 @@ static int cxl_mock_mbox_send(struct cxl_dev_state *cxlds, struct cxl_mbox_cmd * case CXL_MBOX_OP_FREEZE_SECURITY: rc = mock_freeze_security(cxlds, cmd); break; + case CXL_MBOX_OP_UNLOCK: + rc = mock_unlock_security(cxlds, cmd); + break; default: break; }
Add support to emulate a CXL mem device support the "Unlock" operation. Signed-off-by: Dave Jiang <dave.jiang@intel.com> --- tools/testing/cxl/test/mem.c | 45 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+)