Re: [PATCH v1 05/15] nitro_enclaves: Handle PCI device command requests

From: Paraschiv, Andra-Irina
Date: Wed Apr 29 2020 - 13:00:46 EST




On 25/04/2020 17:52, Liran Alon wrote:

On 21/04/2020 21:41, Andra Paraschiv wrote:
The Nitro Enclaves PCI device exposes a MMIO space that this driver
uses to submit command requests and to receive command replies e.g. for
enclave creation / termination or setting enclave resources.

Add logic for handling PCI device command requests based on the given
command type.

Register an MSI-X interrupt vector for command reply notifications to
handle this type of communication events.

Signed-off-by: Alexandru-Catalin Vasile <lexnv@xxxxxxxxxx>
Signed-off-by: Andra Paraschiv <andraprs@xxxxxxxxxx>
---
 .../virt/amazon/nitro_enclaves/ne_pci_dev.c | 264 ++++++++++++++++++
 1 file changed, 264 insertions(+)

diff --git a/drivers/virt/amazon/nitro_enclaves/ne_pci_dev.c b/drivers/virt/amazon/nitro_enclaves/ne_pci_dev.c
index 8fbee95ea291..7453d129689a 100644
--- a/drivers/virt/amazon/nitro_enclaves/ne_pci_dev.c
+++ b/drivers/virt/amazon/nitro_enclaves/ne_pci_dev.c
@@ -40,6 +40,251 @@ static const struct pci_device_id ne_pci_ids[] = {
  MODULE_DEVICE_TABLE(pci, ne_pci_ids);
 +/**
+ * ne_submit_request - Submit command request to the PCI device based on the
+ * command type.
+ *
+ * This function gets called with the ne_pci_dev mutex held.
+ *
+ * @pdev: PCI device to send the command to.
+ * @cmd_type: command type of the request sent to the PCI device.
+ * @cmd_request: command request payload.
+ * @cmd_request_size: size of the command request payload.
+ *
+ * @returns: 0 on success, negative return value on failure.
+ */
+static int ne_submit_request(struct pci_dev *pdev,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ enum ne_pci_dev_cmd_type cmd_type,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ void *cmd_request, size_t cmd_request_size)
+{
+ÂÂÂ struct ne_pci_dev *ne_pci_dev = NULL;
These local vars are unnecessarily initialized.

I would keep this initialized overall.

+
+ÂÂÂ BUG_ON(!pdev);
+
+ÂÂÂ ne_pci_dev = pci_get_drvdata(pdev);
+ÂÂÂ BUG_ON(!ne_pci_dev);
+ÂÂÂ BUG_ON(!ne_pci_dev->iomem_base);
You should remove these defensive BUG_ON() calls.

Done.

+
+ÂÂÂ if (WARN_ON(cmd_type <= INVALID_CMD || cmd_type >= MAX_CMD)) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev, "Invalid cmd type=%d\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ cmd_type);
+
+ÂÂÂÂÂÂÂ return -EINVAL;
+ÂÂÂ }
+
+ÂÂÂ if (WARN_ON(!cmd_request))
+ÂÂÂÂÂÂÂ return -EINVAL;
+
+ÂÂÂ if (WARN_ON(cmd_request_size > NE_SEND_DATA_SIZE)) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ "Invalid req size=%ld for cmd type=%d\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ cmd_request_size, cmd_type);
+
+ÂÂÂÂÂÂÂ return -EINVAL;
+ÂÂÂ }
It doesn't make sense to have WARN_ON() print error to dmesg on every evaluation to true,
together with using dev_err_ratelimited() which attempts to rate-limit prints.

Anyway, these conditions were already checked by ne_do_request(). Why also check them here?

Updated to not use WARN_ON. Right, they were checked before, but I kept them here just for checking the parameters.


+
+ÂÂÂ memcpy_toio(ne_pci_dev->iomem_base + NE_SEND_DATA, cmd_request,
+ÂÂÂÂÂÂÂÂÂÂÂ cmd_request_size);
+
+ÂÂÂ iowrite32(cmd_type, ne_pci_dev->iomem_base + NE_COMMAND);
+
+ÂÂÂ return 0;
+}
+
+/**
+ * ne_retrieve_reply - Retrieve reply from the PCI device.
+ *
+ * This function gets called with the ne_pci_dev mutex held.
+ *
+ * @pdev: PCI device to receive the reply from.
+ * @cmd_reply: command reply payload.
+ * @cmd_reply_size: size of the command reply payload.
+ *
+ * @returns: 0 on success, negative return value on failure.
+ */
+static int ne_retrieve_reply(struct pci_dev *pdev,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ struct ne_pci_dev_cmd_reply *cmd_reply,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ size_t cmd_reply_size)
+{
+ÂÂÂ struct ne_pci_dev *ne_pci_dev = NULL;
These local vars are unnecessarily initialized.
+
+ÂÂÂ BUG_ON(!pdev);
+
+ÂÂÂ ne_pci_dev = pci_get_drvdata(pdev);
+ÂÂÂ BUG_ON(!ne_pci_dev);
+ÂÂÂ BUG_ON(!ne_pci_dev->iomem_base);
You should remove these defensive BUG_ON() calls.
+
+ÂÂÂ if (WARN_ON(!cmd_reply))
+ÂÂÂÂÂÂÂ return -EINVAL;
+
+ÂÂÂ if (WARN_ON(cmd_reply_size > NE_RECV_DATA_SIZE)) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev, "Invalid reply size=%ld\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ cmd_reply_size);
+
+ÂÂÂÂÂÂÂ return -EINVAL;
+ÂÂÂ }
It doesn't make sense to have WARN_ON() print error to dmesg on every evaluation to true,
together with using dev_err_ratelimited() which attempts to rate-limit prints.

Anyway, these conditions were already checked by ne_do_request(). Why also check them here?

+
+ÂÂÂ memcpy_fromio(cmd_reply, ne_pci_dev->iomem_base + NE_RECV_DATA,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂ cmd_reply_size);
+
+ÂÂÂ return 0;
+}
+
+/**
+ * ne_wait_for_reply - Wait for a reply of a PCI command.
+ *
+ * This function gets called with the ne_pci_dev mutex held.
+ *
+ * @pdev: PCI device for which a reply is waited.
+ *
+ * @returns: 0 on success, negative return value on failure.
+ */
+static int ne_wait_for_reply(struct pci_dev *pdev)
+{
+ÂÂÂ struct ne_pci_dev *ne_pci_dev = NULL;
+ÂÂÂ int rc = -EINVAL;
These local vars are unnecessarily initialized.
+
+ÂÂÂ BUG_ON(!pdev);
+
+ÂÂÂ ne_pci_dev = pci_get_drvdata(pdev);
+ÂÂÂ BUG_ON(!ne_pci_dev);
You should remove these defensive BUG_ON() calls.
+
+ÂÂÂ /*
+ÂÂÂÂ * TODO: Update to _interruptible and handle interrupted wait event
+ÂÂÂÂ * e.g. -ERESTARTSYS, incoming signals + add / update timeout.
+ÂÂÂÂ */
+ÂÂÂ rc = wait_event_timeout(ne_pci_dev->cmd_reply_wait_q,
+ atomic_read(&ne_pci_dev->cmd_reply_avail) != 0,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ msecs_to_jiffies(DEFAULT_TIMEOUT_MSECS));
+ÂÂÂ if (!rc) {
+ÂÂÂÂÂÂÂ pr_err("Wait event timed out when waiting for PCI cmd reply\n");
+
+ÂÂÂÂÂÂÂ return -ETIMEDOUT;
+ÂÂÂ }
+
+ÂÂÂ return 0;
+}
+
+int ne_do_request(struct pci_dev *pdev, enum ne_pci_dev_cmd_type cmd_type,
+ÂÂÂÂÂÂÂÂÂ void *cmd_request, size_t cmd_request_size,
+ÂÂÂÂÂÂÂÂÂ struct ne_pci_dev_cmd_reply *cmd_reply, size_t cmd_reply_size)
This function is introduced in this patch but it is not used.
It will cause compiling the kernel on this commit to raise warnings/errors on unused functions.
You should introduce functions on the patch that they are used.

This function is externally available, via the ne_pci_dev header, so it shouldn't raise warnings.

+{
+ÂÂÂ struct ne_pci_dev *ne_pci_dev = NULL;
+ÂÂÂ int rc = -EINVAL;
These local vars are unnecessarily initialized.
+
+ÂÂÂ BUG_ON(!pdev);
+
+ÂÂÂ ne_pci_dev = pci_get_drvdata(pdev);
+ÂÂÂ BUG_ON(!ne_pci_dev);
+ÂÂÂ BUG_ON(!ne_pci_dev->iomem_base);
You should remove these defensive BUG_ON() calls.
+
+ÂÂÂ if (WARN_ON(cmd_type <= INVALID_CMD || cmd_type >= MAX_CMD)) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev, "Invalid cmd type=%d\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ cmd_type);
+
+ÂÂÂÂÂÂÂ return -EINVAL;
+ÂÂÂ }
+
+ÂÂÂ if (WARN_ON(!cmd_request))
+ÂÂÂÂÂÂÂ return -EINVAL;
+
+ÂÂÂ if (WARN_ON(cmd_request_size > NE_SEND_DATA_SIZE)) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ "Invalid req size=%ld for cmd type=%d\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ cmd_request_size, cmd_type);
+
+ÂÂÂÂÂÂÂ return -EINVAL;
+ÂÂÂ }
+
+ÂÂÂ if (WARN_ON(!cmd_reply))
+ÂÂÂÂÂÂÂ return -EINVAL;
+
+ÂÂÂ if (WARN_ON(cmd_reply_size > NE_RECV_DATA_SIZE)) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev, "Invalid reply size=%ld\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ cmd_reply_size);
+
+ÂÂÂÂÂÂÂ return -EINVAL;
+ÂÂÂ }
I would consider specifying all these conditions in function documentation instead of enforcing them at runtime on every function call.

I think that both PCI dev logic checks and documentation would be helpful in this case. :)

+
+ÂÂÂ /*
+ÂÂÂÂ * Use this mutex so that the PCI device handles one command request at
+ÂÂÂÂ * a time.
+ÂÂÂÂ */
+ÂÂÂ mutex_lock(&ne_pci_dev->pci_dev_mutex);
+
+ÂÂÂ atomic_set(&ne_pci_dev->cmd_reply_avail, 0);
+
+ÂÂÂ rc = ne_submit_request(pdev, cmd_type, cmd_request, cmd_request_size);
+ÂÂÂ if (rc < 0) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ "Failure in submit cmd request [rc=%d]\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ rc);
+
+ÂÂÂÂÂÂÂ mutex_unlock(&ne_pci_dev->pci_dev_mutex);
+
+ÂÂÂÂÂÂÂ return rc;
Consider leaving function with a goto to a label that unlocks mutex and then return.

Done, I added a goto for mutex unlock and return. In this patch and in a following one, that was having a similar cleanup structure.

+ÂÂÂ }
+
+ÂÂÂ rc = ne_wait_for_reply(pdev);
+ÂÂÂ if (rc < 0) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ "Failure in wait cmd reply [rc=%d]\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ rc);
+
+ÂÂÂÂÂÂÂ mutex_unlock(&ne_pci_dev->pci_dev_mutex);
+
+ÂÂÂÂÂÂÂ return rc;
+ÂÂÂ }
+
+ÂÂÂ rc = ne_retrieve_reply(pdev, cmd_reply, cmd_reply_size);
+ÂÂÂ if (rc < 0) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ "Failure in retrieve cmd reply [rc=%d]\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ rc);
+
+ÂÂÂÂÂÂÂ mutex_unlock(&ne_pci_dev->pci_dev_mutex);
+
+ÂÂÂÂÂÂÂ return rc;
+ÂÂÂ }
+
+ÂÂÂ atomic_set(&ne_pci_dev->cmd_reply_avail, 0);
+
+ÂÂÂ if (cmd_reply->rc < 0) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ "Failure in cmd process logic [rc=%d]\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ cmd_reply->rc);
+
+ÂÂÂÂÂÂÂ mutex_unlock(&ne_pci_dev->pci_dev_mutex);
+
+ÂÂÂÂÂÂÂ return cmd_reply->rc;
+ÂÂÂ }
+
+ÂÂÂ mutex_unlock(&ne_pci_dev->pci_dev_mutex);
+
+ÂÂÂ return 0;
+}
+
+/**
+ * ne_reply_handler - Interrupt handler for retrieving a reply matching
+ * a request sent to the PCI device for enclave lifetime management.
+ *
+ * @irq: received interrupt for a reply sent by the PCI device.
+ * @args: PCI device private data structure.
+ *
+ * @returns: IRQ_HANDLED on handled interrupt, IRQ_NONE otherwise.
+ */
+static irqreturn_t ne_reply_handler(int irq, void *args)
+{
+ÂÂÂ struct ne_pci_dev *ne_pci_dev = (struct ne_pci_dev *)args;
+
+ÂÂÂ atomic_set(&ne_pci_dev->cmd_reply_avail, 1);
+
+ÂÂÂ /* TODO: Update to _interruptible. */
+ÂÂÂ wake_up(&ne_pci_dev->cmd_reply_wait_q);
+
+ÂÂÂ return IRQ_HANDLED;
+}
+
 /**
ÂÂ * ne_setup_msix - Setup MSI-X vectors for the PCI device.
ÂÂ *
@@ -75,8 +320,25 @@ static int ne_setup_msix(struct pci_dev *pdev, struct ne_pci_dev *ne_pci_dev)
ÂÂÂÂÂÂÂÂÂ goto err_alloc_irq_vecs;
ÂÂÂÂÂ }
 + /*
+ÂÂÂÂ * This IRQ gets triggered every time the PCI device responds to a
+ÂÂÂÂ * command request. The reply is then retrieved, reading from the MMIO
+ÂÂÂÂ * space of the PCI device.
+ÂÂÂÂ */
+ÂÂÂ rc = request_irq(pci_irq_vector(pdev, NE_VEC_REPLY),
+ÂÂÂÂÂÂÂÂÂÂÂÂ ne_reply_handler, 0, "enclave_cmd", ne_pci_dev);
+ÂÂÂ if (rc < 0) {
+ÂÂÂÂÂÂÂ dev_err_ratelimited(&pdev->dev,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ "Failure in allocating irq reply [rc=%d]\n",
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ rc);
+
+ÂÂÂÂÂÂÂ goto err_req_irq_reply;
+ÂÂÂ }
+
ÂÂÂÂÂ return 0;
 +err_req_irq_reply:
+ÂÂÂ pci_free_irq_vectors(pdev);
 err_alloc_irq_vecs:
ÂÂÂÂÂ return rc;
 }
@@ -232,6 +494,7 @@ static int ne_probe(struct pci_dev *pdev, const struct pci_device_id *id)
  err_ne_pci_dev_enable:
 err_ne_pci_dev_disable:
+ÂÂÂ free_irq(pci_irq_vector(pdev, NE_VEC_REPLY), ne_pci_dev);
ÂÂÂÂÂ pci_free_irq_vectors(pdev);
I suggest to introduce a ne_teardown_msix() utility. That is aimed to cleanup after ne_setup_msix().

I added this functionality in a new function, then I used it for cleanup in this function and teardown in pci remove function.

Thank you.

Andra

 err_setup_msix:
ÂÂÂÂÂ pci_iounmap(pdev, ne_pci_dev->iomem_base);
@@ -255,6 +518,7 @@ static void ne_remove(struct pci_dev *pdev)
 Â pci_set_drvdata(pdev, NULL);
 + free_irq(pci_irq_vector(pdev, NE_VEC_REPLY), ne_pci_dev);
ÂÂÂÂÂ pci_free_irq_vectors(pdev);
 Â pci_iounmap(pdev, ne_pci_dev->iomem_base);



Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.