root/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/base.c


DEFINITIONS

This source file includes following definitions.
  1. nvkm_secboot_reset
  2. nvkm_secboot_is_managed
  3. nvkm_secboot_oneinit
  4. nvkm_secboot_fini
  5. nvkm_secboot_dtor
  6. nvkm_secboot_ctor

   1 /*
   2  * Copyright (c) 2016, NVIDIA CORPORATION. All rights reserved.
   3  *
   4  * Permission is hereby granted, free of charge, to any person obtaining a
   5  * copy of this software and associated documentation files (the "Software"),
   6  * to deal in the Software without restriction, including without limitation
   7  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
   8  * and/or sell copies of the Software, and to permit persons to whom the
   9  * Software is furnished to do so, subject to the following conditions:
  10  *
  11  * The above copyright notice and this permission notice shall be included in
  12  * all copies or substantial portions of the Software.
  13  *
  14  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  15  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  16  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
  17  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  18  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
  19  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
  20  * DEALINGS IN THE SOFTWARE.
  21  */
  22 
  23 /*
  24  * Secure boot is the process by which NVIDIA-signed firmware is loaded into
  25  * some of the falcons of a GPU. For production devices this is the only way
  26  * for the firmware to access useful (but sensitive) registers.
  27  *
  28  * A Falcon microprocessor supporting advanced security modes can run in one of
  29  * three modes:
  30  *
  31  * - Non-secure (NS). In this mode, functionality is similar to Falcon
  32  *   architectures before security modes were introduced (pre-Maxwell), but
  33  *   capability is restricted. In particular, certain registers may be
  34  *   inaccessible for reads and/or writes, and physical memory access may be
  35  *   disabled (on certain Falcon instances). This is the only possible mode that
  36  *   can be used if you don't have microcode cryptographically signed by NVIDIA.
  37  *
  38  * - Heavy Secure (HS). In this mode, the microprocessor is a black box - it's
  39  *   not possible to read or write any Falcon internal state or Falcon registers
  40  *   from outside the Falcon (for example, from the host system). The only way
  41  *   to enable this mode is by loading microcode that has been signed by NVIDIA.
  42  *   (The loading process involves tagging the IMEM block as secure, writing the
  43  *   signature into a Falcon register, and starting execution. The hardware will
  44  *   validate the signature, and if valid, grant HS privileges.)
  45  *
  46  * - Light Secure (LS). In this mode, the microprocessor has more privileges
  47  *   than NS but fewer than HS. Some of the microprocessor state is visible to
  48  *   host software to ease debugging. The only way to enable this mode is by HS
  49  *   microcode enabling LS mode. Some privileges available to HS mode are not
  50  *   available here. LS mode is introduced in GM20x.
  51  *
  52  * Secure boot consists of temporarily switching a HS-capable falcon (typically
  53  * PMU) into HS mode in order to validate the LS firmwares of managed falcons,
  54  * load them, and switch managed falcons into LS mode. Once secure boot
  55  * completes, no falcon remains in HS mode.
  56  *
  57  * Secure boot requires a write-protected memory region (WPR) which can only be
  58  * written by the secure falcon. On dGPU, the driver sets up the WPR region in
  59  * video memory. On Tegra, it is set up by the bootloader and its location and
  60  * size written into memory controller registers.
  61  *
  62  * The secure boot process takes place as follows:
  63  *
  64  * 1) A LS blob is constructed that contains all the LS firmwares we want to
  65  *    load, along with their signatures and bootloaders.
  66  *
  67  * 2) A HS blob (also called ACR) is created that contains the signed HS
  68  *    firmware in charge of loading the LS firmwares into their respective
  69  *    falcons.
  70  *
  71  * 3) The HS blob is loaded (via its own bootloader) and executed on the
  72  *    HS-capable falcon. It authenticates itself, switches the secure falcon to
  73  *    HS mode and sets up the WPR region around the LS blob (dGPU) or copies the
  74  *    LS blob into the WPR region (Tegra).
  75  *
  76  * 4) The LS blob is now secure from all external tampering. The HS falcon
  77  *    checks the signatures of the LS firmwares and, if valid, switches the
  78  *    managed falcons to LS mode and makes them ready to run the LS firmware.
  79  *
  80  * 5) The managed falcons remain in LS mode and can be started.
  81  *
  82  */
  83 
  84 #include "priv.h"
  85 #include "acr.h"
  86 
  87 #include <subdev/mc.h>
  88 #include <subdev/timer.h>
  89 #include <subdev/pmu.h>
  90 #include <engine/sec2.h>
  91 
/*
 * Printable names for the secure boot falcon ids, indexed by the
 * NVKM_SECBOOT_FALCON_* value. Only the ids listed here have a name; any
 * index below NVKM_SECBOOT_FALCON_END without a designator is NULL, so
 * callers must stay within the table and be prepared for a NULL entry.
 */
const char *nvkm_secboot_falcon_name[] = {
        [NVKM_SECBOOT_FALCON_PMU]      = "PMU",
        [NVKM_SECBOOT_FALCON_RESERVED] = "<reserved>",
        [NVKM_SECBOOT_FALCON_FECS]     = "FECS",
        [NVKM_SECBOOT_FALCON_GPCCS]    = "GPCCS",
        [NVKM_SECBOOT_FALCON_SEC2]     = "SEC2",
        /* sentinel: the last slot of the table */
        [NVKM_SECBOOT_FALCON_END]      = "<invalid>",
};
/**
 * nvkm_secboot_reset() - reset the falcons selected by a mask
 * @sb: secure boot instance
 * @falcon_mask: bitmask of the falcons to reset
 *
 * Every bit set in @falcon_mask must also be set in the ACR's
 * managed_falcons mask; if any bit falls outside it, nothing is reset.
 *
 * Return: -EINVAL if the mask names a falcon that is not managed, otherwise
 * whatever the ACR reset hook returns.
 */
int
nvkm_secboot_reset(struct nvkm_secboot *sb, unsigned long falcon_mask)
{
        struct nvkm_acr *acr = sb->acr;

        /* Refuse the whole request if it touches a falcon we do not manage. */
        if (falcon_mask & ~acr->managed_falcons) {
                nvkm_error(&sb->subdev, "cannot reset unmanaged falcon!\n");
                return -EINVAL;
        }

        return acr->func->reset(acr, sb, falcon_mask);
}
 115 
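/**
 * nvkm_secboot_is_managed() - check whether a given falcon is securely-managed
 * @sb: secure boot instance, may be NULL
 * @fid: falcon id to look up
 *
 * Return: true if the bit for @fid is set in the ACR's managed_falcons mask;
 * false if @sb is NULL, if @fid is not a valid falcon id, or if the falcon
 * is not managed.
 */
bool
nvkm_secboot_is_managed(struct nvkm_secboot *sb, enum nvkm_secboot_falcon fid)
{
        if (!sb)
                return false;

        /*
         * Ids at or past NVKM_SECBOOT_FALCON_END are sentinels, not falcons.
         * Rejecting them here also keeps BIT() from shifting by an
         * out-of-range amount, which is undefined. The cast makes a negative
         * id (if the enum is signed) fail the same test.
         */
        if ((unsigned int)fid >= NVKM_SECBOOT_FALCON_END)
                return false;

        return (sb->acr->managed_falcons & BIT(fid)) != 0;
}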
 127 
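/**
 * nvkm_secboot_oneinit() - one-time initialisation of the secure boot subdev
 * @subdev: subdev belonging to the secure boot instance
 *
 * Picks boot_falcon and halt_falcon according to acr->boot_falcon, then runs
 * the chip-specific oneinit hook when one is provided.
 *
 * Return: 0 on success, -EINVAL if the boot falcon is neither PMU nor SEC2,
 * or the error returned by the chip-specific hook.
 */
static int
nvkm_secboot_oneinit(struct nvkm_subdev *subdev)
{
        struct nvkm_secboot *sb = nvkm_secboot(subdev);
        const char *name = "<invalid>";
        int ret = 0;

        switch (sb->acr->boot_falcon) {
        case NVKM_SECBOOT_FALCON_PMU:
                sb->halt_falcon = sb->boot_falcon = subdev->device->pmu->falcon;
                break;
        case NVKM_SECBOOT_FALCON_SEC2:
                /*
                 * we must keep SEC2 alive forever since ACR will run on it
                 *
                 * NOTE(review): the result of nvkm_engine_ref() is not
                 * checked, and the reference is not dropped if the
                 * chip-specific hook below fails - confirm both are intended.
                 */
                nvkm_engine_ref(&subdev->device->sec2->engine);
                sb->boot_falcon = subdev->device->sec2->falcon;
                sb->halt_falcon = subdev->device->pmu->falcon;
                break;
        default:
                /*
                 * This branch is reached exactly when boot_falcon holds an
                 * unexpected value, so it must not be used as a table index
                 * unchecked: stay inside the name table and skip entries the
                 * table leaves NULL.
                 */
                if (sb->acr->boot_falcon < ARRAY_SIZE(nvkm_secboot_falcon_name) &&
                    nvkm_secboot_falcon_name[sb->acr->boot_falcon])
                        name = nvkm_secboot_falcon_name[sb->acr->boot_falcon];
                nvkm_error(subdev, "Unmanaged boot falcon %s!\n", name);
                return -EINVAL;
        }
        nvkm_debug(subdev, "using %s falcon for ACR\n", sb->boot_falcon->name);

        /* Call chip-specific init function */
        if (sb->func->oneinit)
                ret = sb->func->oneinit(sb);
        if (ret) {
                nvkm_error(subdev, "Secure Boot initialization failed: %d\n",
                           ret);
                return ret;
        }

        return 0;
}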
 162 
/*
 * Subdev fini hook: forward to the chip-specific fini callback when there is
 * one and return its result; without a callback there is nothing to do and 0
 * is returned.
 */
static int
nvkm_secboot_fini(struct nvkm_subdev *subdev, bool suspend)
{
        struct nvkm_secboot *sb = nvkm_secboot(subdev);

        if (!sb->func->fini)
                return 0;

        return sb->func->fini(sb, suspend);
}
 174 
/*
 * Subdev dtor hook: forward to the chip-specific dtor callback when there is
 * one and hand its return value back to the caller; without a callback NULL
 * is returned.
 */
static void *
nvkm_secboot_dtor(struct nvkm_subdev *subdev)
{
        struct nvkm_secboot *sb = nvkm_secboot(subdev);

        if (!sb->func->dtor)
                return NULL;

        return sb->func->dtor(sb);
}
 186 
/* Subdev callbacks shared by every secure boot implementation. */
static const struct nvkm_subdev_func nvkm_secboot = {
        .dtor    = nvkm_secboot_dtor,
        .oneinit = nvkm_secboot_oneinit,
        .fini    = nvkm_secboot_fini,
};
 193 
/**
 * nvkm_secboot_ctor() - set up the common part of a secure boot instance
 * @func: chip-specific secure boot callbacks
 * @acr: ACR instance this secure boot instance drives
 * @device: device the subdev belongs to
 * @index: subdev index passed on to nvkm_subdev_ctor()
 * @sb: secure boot instance to initialise
 *
 * Constructs the embedded subdev, links @sb and @acr to each other and logs
 * the name of every falcon whose bit is set in the ACR's managed_falcons
 * mask.
 *
 * Return: always 0.
 */
int
nvkm_secboot_ctor(const struct nvkm_secboot_func *func, struct nvkm_acr *acr,
                  struct nvkm_device *device, int index,
                  struct nvkm_secboot *sb)
{
        struct nvkm_subdev *subdev = &sb->subdev;
        unsigned long bit;

        nvkm_subdev_ctor(&nvkm_secboot, device, index, subdev);
        acr->subdev = subdev;
        sb->acr = acr;
        sb->func = func;

        nvkm_debug(subdev, "securely managed falcons:\n");
        /* Only bits below NVKM_SECBOOT_FALCON_END are looked at. */
        for_each_set_bit(bit, &acr->managed_falcons, NVKM_SECBOOT_FALCON_END)
                nvkm_debug(subdev, "- %s\n", nvkm_secboot_falcon_name[bit]);

        return 0;
}
