Commit cb5eceee authored by Jithu Joseph's avatar Jithu Joseph Committed by Borislav Petkov

platform/x86/intel/ifs: Remove memory allocation from load path



IFS requires tests to be authenticated once for each CPU socket on a
system.

scan_chunks_sanity_check() was dynamically allocating memory to store
the state of whether tests have been authenticated on each socket for
every load operation.

Move the memory allocation to init path and store the pointer in
ifs_data struct.

Also rearrange the adjacent error checking in init for a more simplified
and natural flow.

Suggested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Jithu Joseph <jithu.joseph@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20221117195957.28225-1-jithu.joseph@intel.com
parent a4c30fa4
+16 −4
@@ -4,6 +4,7 @@
#include <linux/module.h>
#include <linux/module.h>
#include <linux/kdev_t.h>
#include <linux/kdev_t.h>
#include <linux/semaphore.h>
#include <linux/semaphore.h>
#include <linux/slab.h>


#include <asm/cpu_device_id.h>
#include <asm/cpu_device_id.h>


@@ -34,6 +35,7 @@ static int __init ifs_init(void)
{
{
	const struct x86_cpu_id *m;
	const struct x86_cpu_id *m;
	u64 msrval;
	u64 msrval;
	int ret;


	m = x86_match_cpu(ifs_cpu_ids);
	m = x86_match_cpu(ifs_cpu_ids);
	if (!m)
	if (!m)
@@ -50,16 +52,26 @@ static int __init ifs_init(void)


	ifs_device.misc.groups = ifs_get_groups();
	ifs_device.misc.groups = ifs_get_groups();


	if ((msrval & BIT(ifs_device.data.integrity_cap_bit)) &&
	if (!(msrval & BIT(ifs_device.data.integrity_cap_bit)))
	    !misc_register(&ifs_device.misc))
		return 0;

		return -ENODEV;
		return -ENODEV;

	ifs_device.data.pkg_auth = kmalloc_array(topology_max_packages(), sizeof(bool), GFP_KERNEL);
	if (!ifs_device.data.pkg_auth)
		return -ENOMEM;

	ret = misc_register(&ifs_device.misc);
	if (ret) {
		kfree(ifs_device.data.pkg_auth);
		return ret;
	}

	return 0;
}
}


static void __exit ifs_exit(void)
static void __exit ifs_exit(void)
{
{
	misc_deregister(&ifs_device.misc);
	misc_deregister(&ifs_device.misc);
	kfree(ifs_device.data.pkg_auth);
}
}


module_init(ifs_init);
module_init(ifs_init);
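Review bot: The new `pkg_auth` buffer in ifs_init() is allocated with `kmalloc_array()`, so it holds uninitialised slab contents from the moment `misc_register()` makes the device visible until the load path clears it. The only zeroing visible on this page is the memset at the top of scan_chunks_sanity_check(), so any later reader of `pkg_auth` that runs before a load would treat stale bytes as authentication state. Allocating it zeroed removes that dependency: `ifs_device.data.pkg_auth = kcalloc(topology_max_packages(), sizeof(bool), GFP_KERNEL);`. Part of ifs_init() lies between the hunks and is not shown.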
+2 −0
@@ -191,6 +191,7 @@ union ifs_status {
 * struct ifs_data - attributes related to intel IFS driver
 * struct ifs_data - attributes related to intel IFS driver
 * @integrity_cap_bit: MSR_INTEGRITY_CAPS bit enumerating this test
 * @integrity_cap_bit: MSR_INTEGRITY_CAPS bit enumerating this test
 * @loaded_version: stores the currently loaded ifs image version.
 * @loaded_version: stores the currently loaded ifs image version.
 * @pkg_auth: array of bool storing per package auth status
 * @loaded: If a valid test binary has been loaded into the memory
 * @loaded: If a valid test binary has been loaded into the memory
 * @loading_error: Error occurred on another CPU while loading image
 * @loading_error: Error occurred on another CPU while loading image
 * @valid_chunks: number of chunks which could be validated.
 * @valid_chunks: number of chunks which could be validated.
@@ -199,6 +200,7 @@ union ifs_status {
 */
 */
struct ifs_data {
struct ifs_data {
	int	integrity_cap_bit;
	int	integrity_cap_bit;
	bool	*pkg_auth;
	int	loaded_version;
	int	loaded_version;
	bool	loaded;
	bool	loaded;
	bool	loading_error;
	bool	loading_error;
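Review bot: The `@pkg_auth` kernel-doc line does not say how many entries the array has or who owns it, which a reader needs in order to index it safely now that it lives in `struct ifs_data`. I would write `@pkg_auth: array of topology_max_packages() bools, per package auth status; allocated in ifs_init(), freed in ifs_exit()`. The struct definition continues past the end of the hunk.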
+4 −10
@@ -3,7 +3,6 @@


#include <linux/firmware.h>
#include <linux/firmware.h>
#include <asm/cpu.h>
#include <asm/cpu.h>
#include <linux/slab.h>
#include <asm/microcode_intel.h>
#include <asm/microcode_intel.h>


#include "ifs.h"
#include "ifs.h"
@@ -118,16 +117,12 @@ static void copy_hashes_authenticate_chunks(struct work_struct *work)
 */
 */
static int scan_chunks_sanity_check(struct device *dev)
static int scan_chunks_sanity_check(struct device *dev)
{
{
	int metadata_size, curr_pkg, cpu, ret = -ENOMEM;
	int metadata_size, curr_pkg, cpu, ret;
	struct ifs_data *ifsd = ifs_get_data(dev);
	struct ifs_data *ifsd = ifs_get_data(dev);
	bool *package_authenticated;
	struct ifs_work local_work;
	struct ifs_work local_work;
	char *test_ptr;
	char *test_ptr;


	package_authenticated = kcalloc(topology_max_packages(), sizeof(bool), GFP_KERNEL);
	memset(ifsd->pkg_auth, 0, (topology_max_packages() * sizeof(bool)));
	if (!package_authenticated)
		return ret;

	metadata_size = ifs_header_ptr->metadata_size;
	metadata_size = ifs_header_ptr->metadata_size;


	/* Spec says that if the Meta Data Size = 0 then it should be treated as 2000 */
	/* Spec says that if the Meta Data Size = 0 then it should be treated as 2000 */
@@ -150,7 +145,7 @@ static int scan_chunks_sanity_check(struct device *dev)
	cpus_read_lock();
	cpus_read_lock();
	for_each_online_cpu(cpu) {
	for_each_online_cpu(cpu) {
		curr_pkg = topology_physical_package_id(cpu);
		curr_pkg = topology_physical_package_id(cpu);
		if (package_authenticated[curr_pkg])
		if (ifsd->pkg_auth[curr_pkg])
			continue;
			continue;
		reinit_completion(&ifs_done);
		reinit_completion(&ifs_done);
		local_work.dev = dev;
		local_work.dev = dev;
@@ -161,12 +156,11 @@ static int scan_chunks_sanity_check(struct device *dev)
			ret = -EIO;
			ret = -EIO;
			goto out;
			goto out;
		}
		}
		package_authenticated[curr_pkg] = 1;
		ifsd->pkg_auth[curr_pkg] = 1;
	}
	}
	ret = 0;
	ret = 0;
out:
out:
	cpus_read_unlock();
	cpus_read_unlock();
	kfree(package_authenticated);


	return ret;
	return ret;
}
}
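Review bot: `ifsd->pkg_auth[curr_pkg]` is read and written with an index taken from `topology_physical_package_id(cpu)`, while the array has `topology_max_packages()` entries, and nothing visible in these hunks checks that the id falls inside that range. The array is now a long-lived allocation attached to `struct ifs_data`, so an id outside the range would read or overwrite neighbouring slab memory. Whether the physical id is always below the package count depends on topology code that is not on this page, so a guard inside the loop such as `if (curr_pkg < 0 || curr_pkg >= topology_max_packages()) { ret = -EINVAL; goto out; }` would make the assumption explicit. The memset length is likewise recomputed from `topology_max_packages()` instead of being stored next to the pointer. The body of scan_chunks_sanity_check() is only partly shown.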