Re: [PATCH v4 0/3] MCTP over PCC

From: Adam Young
Date: Mon Jul 15 2024 - 14:21:28 EST


Apologies for not addressing these concerns before updating.  If there is a V6 (am sure there will be) I will update the cover.

MCTP is a general purpose  protocol so  it would  be impossible to enumerate all the use cases, but some of the ones that are most topical are attestation and RAS support.  There are a handful of protocols built on top of MCTP, to include PLDM and SPDM, both specified by the DMTF.

https://www.dmtf.org/sites/default/files/standards/documents/DSP0240_1.0.0.pdf
https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.3.0.pd

SPDM entails various usages, including device identity collection, device authentication, measurement collection, and device secure session establishment.

PLDM is more likely to be used  for hardware support: temperature, voltage, or fan sensor control.

At least two companies have devices that can make use of the mechanism. One is Ampere Computing, my employer.

The mechanism it uses is called Platform Communication Channels is part of the ACPI spec: https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/14_Platform_Communications_Channel/Platform_Comm_Channel.html

Since it is a socket interface, the system administrator also has  the ability to ignore an MCTP link that they do not want to enable.  This link would be exposed to the end user, but would not be usable.

If MCTP support is disabled  in the Kernel, this driver would also be disabled.

PCC is based on a shared buffer and a set of I/O mapped memory locations that the Spec calls registers.  This mechanism exists regardless of the existence of the driver. Thus, if the user has the ability to map these  physical location to virtual locations, they have the ability to drive the hardware.  Thus, there is a security aspect to this mechanism that extends beyond the responsibilities of the operating system.

If the hardware does not expose the PCC in the ACPI table, this device will never be enabled.  Thus it is only an issue on hard that does support PCC.  In that case, it is up to the remote controller to sanitize communication; MCTP will be exposed as a socket interface, and userland can send any crafted packet it wants.  It would thus also be incumbent on the hardware manufacturer to allow the end user to disable MCTP over PCC communication if they did not want to expose it.

Does this cover you concerns?


On 7/11/24 12:57, Dan Williams wrote:

admiyo@ wrote:
From: Adam Young<admiyo@xxxxxxxxxxxxxxxxxxxxxx>

This series adds support for the Management Control Transport Protocol (MCTP)
over the Platform Communication Channel (PCC) mechanism.

MCTP defines a communication model intended to
facilitate communication between Management controllers
and other management controllers, and between Management
controllers and management devices

PCC is a mechanism for communication between components within
the Platform. It is a composed of shared memory regions,
interrupt registers, and status registers.

The MCTP over PCC driver makes use of two PCC channels. For
sending messages, it uses a Type 3 channel, and for receiving
messages it uses the paired Type 4 channel. The device
and corresponding channels are specified via ACPI.

The first patch in the series implements a mechanism to allow the driver
to indicate whether an ACK should be sent back to the caller
after processing the interrupt. This is an optional feature in
the PCC code, but has been made explicitly required in another driver.
The implementation here maintains the backwards compatibility of that
driver.

The second patch in the series is the required change from ACPICA
code that will be imported into the Linux kernel when synchronized
with the ACPICA repository. It ahs already merged there and will
be merged in as is. It is included here so that the patch series
can run and be tested prior to that merge.
This cover letter looks woefully insufficient.

What is the end user visible effect of merging these patches, or not
merging these patches? I.e. what does Linux gain by merging them, what
pressing end user need goes unsatisfied if these are not merged? What is
the security model for these commands, i.e. how does a distro judge
whether this facility allows bypass of Kernel Lockdown protections?

The Kconfig does not help either. All this patch says is "communication
path exists, plumb it direct to userspace", with no discussion of
intended use cases, assumptions, or tradeoffs.