Merge branch 'devel'

Author: kelvin-cao

cli/mfg.c

@@ -111,7 +111,20 @@ static int ping(int argc, char **argv)
 	return 0;
 }
 
-static void print_security_config(struct switchtec_security_cfg_state *state)
+static const char* program_status_to_string(enum switchtec_otp_program_status s)
+{
+	switch(s) {
+	case SWITCHTEC_OTP_PROGRAMMABLE:
+		return "R/W (Programmable)";
+	case SWITCHTEC_OTP_UNPROGRAMMABLE:
+		return "R/O (Unprogrammable)";
+	default:
+		return "Unknown";
+	}
+}
+
+static void print_security_config(struct switchtec_security_cfg_state *state,
+				  struct switchtec_security_cfg_otp_region *otp)
 {
 	int key_idx;
 	int i;
@@ -194,6 +207,27 @@ static void print_security_config(struct switchtec_security_cfg_state *state)
 				printf("%02x", state->public_key[key_idx][i]);
 		printf("\n");
 	}
+
+	if (otp) {
+		printf("\nOTP Region Program Status\n");
+		printf("\tBasic Secure Settings %s%s\n",
+		       otp->basic_valid? "(Valid):  ": "(Invalid):",
+		       program_status_to_string(otp->basic));
+		printf("\tMixed Version %s\t%s\n",
+		       otp->mixed_ver_valid? "(Valid):  ": "(Invalid):",
+		       program_status_to_string(otp->mixed_ver));
+		printf("\tMain FW Version %s\t%s\n",
+		       otp->main_fw_ver_valid? "(Valid):  ": "(Invalid):",
+		       program_status_to_string(otp->main_fw_ver));
+		printf("\tSecure Unlock Version %s%s\n",
+		       otp->sec_unlock_ver_valid? "(Valid):  ": "(Invalid):",
+		       program_status_to_string(otp->sec_unlock_ver));
+		for (i = 0; i < 4; i++) {
+			printf("\tKMSK%d %s\t\t%s\n", i,
+			       otp->kmsk_valid[i]? "(Valid):  ": "(Invalid):",
+			       program_status_to_string(otp->kmsk[i]));
+		}
+	}
 }
 
 static void print_security_cfg_set(struct switchtec_security_cfg_set *set)
@@ -236,17 +270,25 @@ static int info(int argc, char **argv)
 
 	static struct {
 		struct switchtec_dev *dev;
+		int verbose;
 	} cfg = {};
 
 	const struct argconfig_options opts[] = {
 		DEVICE_OPTION_MFG,
-		{NULL}
-	};
+		{"verbose", 'v', "", CFG_NONE, &cfg.verbose, no_argument,
+		 "print additional chip information"},
+		{NULL}};
 
-	struct switchtec_security_cfg_state state = {};
+	struct switchtec_security_cfg_state_ext ext_state = {};
 
 	argconfig_parse(argc, argv, CMD_DESC_INFO, opts, &cfg, sizeof(cfg));
 
+	ret = switchtec_security_config_get_ext(cfg.dev, &ext_state);
+	if (ret) {
+		switchtec_perror("mfg info");
+		return ret;
+	}
+
 	phase_id = switchtec_boot_phase(cfg.dev);
 	printf("Current Boot Phase: \t\t\t%s\n", phase_id_to_string(phase_id));
 
@@ -266,13 +308,23 @@ static int info(int argc, char **argv)
 		return 0;
 	}
 
-	ret = switchtec_security_config_get(cfg.dev, &state);
-	if (ret) {
-		switchtec_perror("mfg info");
-		return ret;
+	if (cfg.verbose)  {
+		if (!ext_state.otp_valid) {
+			print_security_config(&ext_state.state, NULL);
+			fprintf(stderr,
+				"\nAdditional (verbose) chip info is not available on this chip!\n\n");
+		} else if (phase_id != SWITCHTEC_BOOT_PHASE_FW) {
+			print_security_config(&ext_state.state, NULL);
+			fprintf(stderr,
+				"\nAdditional (verbose) chip info is only available in the Main Firmware phase!\n\n");
+		} else {
+			print_security_config(&ext_state.state, &ext_state.otp);
+		}
+
+		return 0;
 	}
 
-	print_security_config(&state);
+	print_security_config(&ext_state.state, NULL);
 
 	return 0;
 }
@@ -714,7 +766,7 @@ static int state_set(int argc, char **argv)
 		return -3;
 	}
 
-	print_security_config(&state);
+	print_security_config(&state, NULL);
 
 	if (!cfg.assume_yes) {
 		fprintf(stderr,

inc/switchtec/fabric.h

@@ -702,7 +702,7 @@ int switchtec_ep_bar_write64(struct switchtec_dev *dev, uint16_t pdfid,
 			     uint8_t bar_index, uint64_t val, uint64_t addr);
 
 /********** ADMIN PASSTHRU COMMAND *********/
-#define SWITCHTEC_NVME_ADMIN_PASSTHRU_MAX_DATA_LEN (MRPC_MAX_DATA_LEN - 8)
+#define SWITCHTEC_NVME_ADMIN_PASSTHRU_MAX_DATA_LEN (4096 + 16 * 4)
 
 int switchtec_nvme_admin_passthru(struct switchtec_dev *dev, uint16_t pdfid,
 				  size_t data_len, void *data,

inc/switchtec/mfg.h

@@ -92,6 +92,36 @@ struct switchtec_security_cfg_state {
 	uint8_t public_key[SWITCHTEC_KMSK_NUM][SWITCHTEC_KMSK_LEN];
 };
 
+/**
+ * @brief Flag which indicates if an OTP region is programmable or not
+ */
+enum switchtec_otp_program_status {
+	SWITCHTEC_OTP_PROGRAMMABLE = 0,
+	SWITCHTEC_OTP_UNPROGRAMMABLE = 1,
+};
+
+struct switchtec_security_cfg_otp_region {
+	bool basic_valid;
+	bool mixed_ver_valid;
+	bool main_fw_ver_valid;
+	bool sec_unlock_ver_valid;
+	bool kmsk_valid[4];
+	enum switchtec_otp_program_status basic;
+	enum switchtec_otp_program_status mixed_ver;
+	enum switchtec_otp_program_status main_fw_ver;
+	enum switchtec_otp_program_status sec_unlock_ver;
+	enum switchtec_otp_program_status kmsk[4];
+};
+
+/**
+ * @brief extended security configuration
+ */
+struct switchtec_security_cfg_state_ext {
+	bool otp_valid;
+	struct switchtec_security_cfg_state state;
+	struct switchtec_security_cfg_otp_region otp;
+};
+
 struct switchtec_security_cfg_set {
 	uint8_t jtag_lock_after_reset;
 	uint8_t jtag_lock_after_bl1;
@@ -142,6 +172,8 @@ int switchtec_sn_ver_get(struct switchtec_dev *dev,
 			 struct switchtec_sn_ver_info *info);
 int switchtec_security_config_get(struct switchtec_dev *dev,
 			          struct switchtec_security_cfg_state *state);
+int switchtec_security_config_get_ext(struct switchtec_dev *dev,
+		struct switchtec_security_cfg_state_ext *ext);
 int switchtec_security_config_set(struct switchtec_dev *dev,
 				  struct switchtec_security_cfg_set *setting);
 int switchtec_mailbox_to_file(struct switchtec_dev *dev, int fd);

inc/switchtec/mrpc.h

@@ -63,6 +63,7 @@ enum mrpc_cmd {
 	MRPC_GAS_READ = 41,
 	MRPC_PART_INFO = 43,
 	MRPC_GAS_WRITE = 52,
+	MRPC_SECURITY_CONFIG_GET_EXT = 60,
 	MRPC_ECHO = 65,
 	MRPC_GET_PAX_ID = 129,
 

lib/fabric.c

@@ -1380,32 +1380,61 @@ static int admin_passthru_start(struct switchtec_dev *dev, uint16_t pdfid,
 				size_t *rsp_len)
 {
 	int ret;
-	int copy_len;
+	uint16_t copy_len;
+	uint16_t offset = 0;
+
 	struct {
 		uint8_t subcmd;
 		uint8_t rsvd[3];
 		uint16_t pdfid;
 		uint16_t expected_rsp_len;
-		uint8_t data[SWITCHTEC_NVME_ADMIN_PASSTHRU_MAX_DATA_LEN];
+		uint8_t more_data;
+		uint8_t rsvd1[3];
+		uint16_t data_offset;
+		uint16_t data_len;
+		uint8_t data[MRPC_MAX_DATA_LEN - 16];
 	} cmd = {
 		.subcmd = MRPC_NVME_ADMIN_PASSTHRU_START,
-		.pdfid = htole16(pdfid),
-		.expected_rsp_len = htole16(*rsp_len)
+		.pdfid = htole16(pdfid)
 	};
 
 	struct {
-		uint8_t subcmd;
-		uint8_t rsvd[3];
 		uint16_t rsp_len;
 		uint16_t rsvd1;
 	} reply = {};
 
 	if (data_len && data != NULL) {
-		copy_len = data_len > sizeof(cmd.data)?
-				sizeof(cmd.data) : data_len;
-		memcpy(cmd.data, data, copy_len);
+		cmd.more_data = data_len > sizeof(cmd.data);
+		while (cmd.more_data) {
+			copy_len = sizeof(cmd.data);
+			memcpy(cmd.data, data + offset, copy_len);
+
+			cmd.data_offset = htole16(offset);
+			cmd.data_len = htole16(copy_len);
+
+			ret = switchtec_cmd(dev, MRPC_NVME_ADMIN_PASSTHRU,
+					    &cmd, sizeof(cmd), NULL, 0);
+			if (ret)
+				return ret;
+
+			offset += copy_len;
+			data_len -= copy_len;
+			cmd.more_data = data_len > sizeof(cmd.data);
+		}
+
+		if (data_len) {
+			memcpy(cmd.data, data + offset, data_len);
+
+			cmd.data_offset = htole16(offset);
+			cmd.data_len = htole16(data_len);
+		} else {
+			cmd.data_len = 0;
+			cmd.data_offset = 0;
+		}
 	}
 
+	cmd.expected_rsp_len = htole16(*rsp_len);
+
 	ret = switchtec_cmd(dev, MRPC_NVME_ADMIN_PASSTHRU,
 			    &cmd, sizeof(cmd), &reply, sizeof(reply));
 	if (ret) {
@@ -1433,11 +1462,9 @@ static int admin_passthru_data(struct switchtec_dev *dev, uint16_t pdfid,
 	};
 
 	struct {
-		uint8_t subcmd;
-		uint8_t rsvd[3];
 		uint16_t offset;
 		uint16_t len;
-		uint8_t data[MRPC_MAX_DATA_LEN - 8];
+		uint8_t data[MRPC_MAX_DATA_LEN - 4];
 	} reply = {};
 
 	while (offset < rsp_len) {

lib/mfg.c

@@ -111,34 +111,64 @@ static void RSA_get0_key(const RSA *r, const BIGNUM **n,
 }
 #endif
 
-/**
- * @brief Get secure boot configurations
- * @param[in]  dev	Switchtec device handle
- * @param[out] state	Current secure boot settings
- * @return 0 on success, error code on failure
- */
-int switchtec_security_config_get(struct switchtec_dev *dev,
-				  struct switchtec_security_cfg_state *state)
+static int secure_config_get(struct switchtec_dev *dev,
+			     struct switchtec_security_cfg_state *state,
+			     struct switchtec_security_cfg_otp_region *otp,
+			     bool *otp_valid)
 {
 	int ret;
+	uint8_t subcmd = 0;
 	struct cfg_reply {
 		uint32_t valid;
 		uint32_t rsvd1;
 		uint64_t cfg;
-		uint32_t  public_key_exponent;
-		uint8_t  rsvd2;
-		uint8_t  public_key_num;
-		uint8_t  public_key_ver;
-		uint8_t  rsvd3;
-		uint8_t  public_key[SWITCHTEC_KMSK_NUM][SWITCHTEC_KMSK_LEN];
-		uint8_t  rsvd4[32];
+		uint32_t public_key_exponent;
+		uint8_t rsvd2;
+		uint8_t public_key_num;
+		uint8_t public_key_ver;
+		uint8_t rsvd3;
+		uint8_t public_key[SWITCHTEC_KMSK_NUM][SWITCHTEC_KMSK_LEN];
+		uint8_t rsvd4[32];
 	} reply;
 
-	ret = switchtec_mfg_cmd(dev, MRPC_SECURITY_CONFIG_GET, NULL, 0,
+	if (otp_valid)
+		*otp_valid = false;
+
+	ret = switchtec_mfg_cmd(dev, MRPC_SECURITY_CONFIG_GET_EXT,
+				&subcmd, sizeof(subcmd),
 				&reply, sizeof(reply));
-	if (ret)
+	if (ret && ERRNO_MRPC(errno) != ERR_CMD_INVALID)
 		return ret;
 
+	if (!ret) {
+		if (otp) {
+			otp->basic_valid = !!(reply.valid & BIT(5));
+			otp->basic = !!(reply.valid & BIT(6));
+			otp->mixed_ver_valid = !!(reply.valid & BIT(7));
+			otp->mixed_ver = !!(reply.valid & BIT(8));
+			otp->main_fw_ver_valid = !!(reply.valid & BIT(9));
+			otp->main_fw_ver = !!(reply.valid & BIT(10));
+			otp->sec_unlock_ver_valid = !!(reply.valid & BIT(11));
+			otp->sec_unlock_ver = !!(reply.valid & BIT(12));
+			otp->kmsk_valid[0] = !!(reply.valid & BIT(13));
+			otp->kmsk[0] = !!(reply.valid & BIT(14));
+			otp->kmsk_valid[1] = !!(reply.valid & BIT(15));
+			otp->kmsk[1] = !!(reply.valid & BIT(16));
+			otp->kmsk_valid[2] = !!(reply.valid & BIT(17));
+			otp->kmsk[2] = !!(reply.valid & BIT(18));
+			otp->kmsk_valid[3] = !!(reply.valid & BIT(19));
+			otp->kmsk[3] = !!(reply.valid & BIT(20));
+
+			if (otp_valid)
+				*otp_valid = true;
+		}
+	} else {
+		ret = switchtec_mfg_cmd(dev, MRPC_SECURITY_CONFIG_GET, NULL, 0,
+					&reply, sizeof(reply));
+		if (ret)
+			return ret;
+	}
+
 	reply.valid = le32toh(reply.valid);
 	reply.cfg = le64toh(reply.cfg);
 	reply.public_key_exponent = le32toh(reply.public_key_exponent);
@@ -178,6 +208,30 @@ int switchtec_security_config_get(struct switchtec_dev *dev,
 	return 0;
 }
 
+/**
+ * @brief Get secure boot configurations
+ * @param[in]  dev	Switchtec device handle
+ * @param[out] state	Current secure boot settings
+ * @return 0 on success, error code on failure
+ */
+int switchtec_security_config_get(struct switchtec_dev *dev,
+				  struct switchtec_security_cfg_state *state)
+{
+	return secure_config_get(dev, state, NULL, NULL);
+}
+
+/**
+ * @brief Get secure boot extended configurations
+ * @param[in]  dev	Switchtec device handle
+ * @param[out] ext	Current extended secure boot settings
+ * @return 0 on success, error code on failure
+ */
+int switchtec_security_config_get_ext(struct switchtec_dev *dev,
+		struct switchtec_security_cfg_state_ext *ext)
+{
+	return secure_config_get(dev, &ext->state, &ext->otp, &ext->otp_valid);
+}
+
 /**
  * @brief Retrieve mailbox entries
  * @param[in]  dev	Switchtec device handle