Re: [PATCH v4 0/3] MCTP over PCC
From: Adam Young
Date: Mon Jul 15 2024 - 14:21:28 EST
Apologies for not addressing these concerns before updating. If there
is a V6 (am sure there will be) I will update the cover.
MCTP is a general purpose protocol so it would be impossible to
enumerate all the use cases, but some of the ones that are most topical
are attestation and RAS support. There are a handful of protocols built
on top of MCTP, to include PLDM and SPDM, both specified by the DMTF.
https://www.dmtf.org/sites/default/files/standards/documents/DSP0240_1.0.0.pdf
https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.3.0.pd
SPDM entails various usages, including device identity collection,
device authentication, measurement collection, and device secure session
establishment.
PLDM is more likely to be used for hardware support: temperature,
voltage, or fan sensor control.
At least two companies have devices that can make use of the mechanism.
One is Ampere Computing, my employer.
The mechanism it uses is called Platform Communication Channels is part
of the ACPI spec:
https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/14_Platform_Communications_Channel/Platform_Comm_Channel.html
Since it is a socket interface, the system administrator also has the
ability to ignore an MCTP link that they do not want to enable. This
link would be exposed to the end user, but would not be usable.
If MCTP support is disabled in the Kernel, this driver would also be
disabled.
PCC is based on a shared buffer and a set of I/O mapped memory locations
that the Spec calls registers. This mechanism exists regardless of the
existence of the driver. Thus, if the user has the ability to map these
physical location to virtual locations, they have the ability to drive
the hardware. Thus, there is a security aspect to this mechanism that
extends beyond the responsibilities of the operating system.
If the hardware does not expose the PCC in the ACPI table, this device
will never be enabled. Thus it is only an issue on hard that does
support PCC. In that case, it is up to the remote controller to
sanitize communication; MCTP will be exposed as a socket interface, and
userland can send any crafted packet it wants. It would thus also be
incumbent on the hardware manufacturer to allow the end user to disable
MCTP over PCC communication if they did not want to expose it.
Does this cover you concerns?
On 7/11/24 12:57, Dan Williams wrote:
admiyo@ wrote:
From: Adam Young<admiyo@xxxxxxxxxxxxxxxxxxxxxx>
This series adds support for the Management Control Transport Protocol (MCTP)
over the Platform Communication Channel (PCC) mechanism.
MCTP defines a communication model intended to
facilitate communication between Management controllers
and other management controllers, and between Management
controllers and management devices
PCC is a mechanism for communication between components within
the Platform. It is a composed of shared memory regions,
interrupt registers, and status registers.
The MCTP over PCC driver makes use of two PCC channels. For
sending messages, it uses a Type 3 channel, and for receiving
messages it uses the paired Type 4 channel. The device
and corresponding channels are specified via ACPI.
The first patch in the series implements a mechanism to allow the driver
to indicate whether an ACK should be sent back to the caller
after processing the interrupt. This is an optional feature in
the PCC code, but has been made explicitly required in another driver.
The implementation here maintains the backwards compatibility of that
driver.
The second patch in the series is the required change from ACPICA
code that will be imported into the Linux kernel when synchronized
with the ACPICA repository. It ahs already merged there and will
be merged in as is. It is included here so that the patch series
can run and be tested prior to that merge.
This cover letter looks woefully insufficient.
What is the end user visible effect of merging these patches, or not
merging these patches? I.e. what does Linux gain by merging them, what
pressing end user need goes unsatisfied if these are not merged? What is
the security model for these commands, i.e. how does a distro judge
whether this facility allows bypass of Kernel Lockdown protections?
The Kconfig does not help either. All this patch says is "communication
path exists, plumb it direct to userspace", with no discussion of
intended use cases, assumptions, or tradeoffs.