| From 6ecf5264927cc0049ea7c4d34d68b6da3a187674 Mon Sep 17 00:00:00 2001 |
| From: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com> |
| Date: Fri, 24 Sep 2021 12:14:45 -0700 |
| Subject: [PATCH] FROMGIT: BACKPORT: drm/i915/pxp: interfaces for using |
| protected objects |
| |
| This api allow user mode to create protected buffers and to mark |
| contexts as making use of such objects. Only when using contexts |
| marked in such a way is the execution guaranteed to work as expected. |
| |
| Contexts can only be marked as using protected content at creation time |
| (i.e. the parameter is immutable) and they must be both bannable and not |
| recoverable. Given that the protected session gets invalidated on |
| suspend, contexts created this way hold a runtime pm wakeref until |
| they're either destroyed or invalidated. |
| |
| All protected objects and contexts will be considered invalid when the |
| PXP session is destroyed and all new submissions using them will be |
| rejected. All intel contexts within the invalidated gem contexts will be |
| marked banned. Userspace can detect that an invalidation has occurred via |
| the RESET_STATS ioctl, where we report it the same way as a ban due to a |
| hang. |
| |
| v5: squash patches, rebase on proto_ctx, update kerneldoc |
| |
| v6: rebase on obj create_ext changes |
| |
| v7: Use session counter to check if an object it valid, hold wakeref in |
| context, don't add a new flag to RESET_STATS (Daniel) |
| |
| v8: don't increase guilty count for contexts banned during pxp |
| invalidation (Rodrigo) |
| |
| v9: better comments, avoid wakeref put race between pxp_inval and |
| context_close, add usage examples (Rodrigo) |
| |
| v10: modify internal set/get-protected-context functions to not |
| return -ENODEV when setting PXP param to false or getting param |
| when running on pxp-unsupported hw or getting param when i915 |
| was built with CONFIG_PXP off |
| |
| Signed-off-by: Alan Previn <alan.previn.teres.alexis@intel.com> |
| Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com> |
| Signed-off-by: Bommu Krishnaiah <krishnaiah.bommu@intel.com> |
| Cc: Rodrigo Vivi <rodrigo.vivi@intel.com> |
| Cc: Chris Wilson <chris@chris-wilson.co.uk> |
| Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com> |
| Cc: Jason Ekstrand <jason@jlekstrand.net> |
| Cc: Daniel Vetter <daniel.vetter@intel.com> |
| Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com> |
| Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com> |
| Link: https://patchwork.freedesktop.org/patch/msgid/20210924191452.1539378-11-alan.previn.teres.alexis@intel.com |
| (cherry picked from commit d3ac8d42168a9be7380be8035df8b6d3780ec2a1 |
| https://anongit.freedesktop.org/git/drm-intel.git drm-intel-gt-next) |
| |
| - split out protected context implementation as that is not used by CrOS |
| and would require backporting upstream proto context implementation |
| |
| BUG=b:191508777 |
| TEST=tast run <IP> video.PlayDRM* |
| |
| Signed-off-by: Juston Li <juston.li@intel.com> |
| Change-Id: I4947c50387ee068bc6200a691efa61ba79c45ebf |
| Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/3203385 |
| Tested-by: Jeffrey Kardatzke <jkardatzke@google.com> |
| Reviewed-by: Jeffrey Kardatzke <jkardatzke@google.com> |
| Commit-Queue: Jeffrey Kardatzke <jkardatzke@google.com> |
| --- |
| drivers/gpu/drm/i915/gem/i915_gem_create.c | 72 ++++++++++++++----- |
| .../gpu/drm/i915/gem/i915_gem_execbuffer.c | 17 +++++ |
| drivers/gpu/drm/i915/gem/i915_gem_object.c | 1 + |
| drivers/gpu/drm/i915/gem/i915_gem_object.h | 6 ++ |
| .../gpu/drm/i915/gem/i915_gem_object_types.h | 8 +++ |
| drivers/gpu/drm/i915/pxp/intel_pxp.c | 24 +++++++ |
| drivers/gpu/drm/i915/pxp/intel_pxp.h | 10 +++ |
| drivers/gpu/drm/i915/pxp/intel_pxp_session.c | 3 + |
| drivers/gpu/drm/i915/pxp/intel_pxp_types.h | 9 +++ |
| include/uapi/drm/i915_drm.h | 45 ++++++++++++ |
| 10 files changed, 177 insertions(+), 18 deletions(-) |
| |
| diff --git a/drivers/gpu/drm/i915/gem/i915_gem_create.c b/drivers/gpu/drm/i915/gem/i915_gem_create.c |
| --- a/drivers/gpu/drm/i915/gem/i915_gem_create.c |
| +++ b/drivers/gpu/drm/i915/gem/i915_gem_create.c |
| @@ -6,6 +6,7 @@ |
| #include "gem/i915_gem_ioctls.h" |
| #include "gem/i915_gem_lmem.h" |
| #include "gem/i915_gem_region.h" |
| +#include "pxp/intel_pxp.h" |
| |
| #include "i915_drv.h" |
| #include "i915_trace.h" |
| @@ -82,21 +83,11 @@ static int i915_gem_publish(struct drm_i915_gem_object *obj, |
| return 0; |
| } |
| |
| -/** |
| - * Creates a new object using the same path as DRM_I915_GEM_CREATE_EXT |
| - * @i915: i915 private |
| - * @size: size of the buffer, in bytes |
| - * @placements: possible placement regions, in priority order |
| - * @n_placements: number of possible placement regions |
| - * |
| - * This function is exposed primarily for selftests and does very little |
| - * error checking. It is assumed that the set of placement regions has |
| - * already been verified to be valid. |
| - */ |
| -struct drm_i915_gem_object * |
| -__i915_gem_object_create_user(struct drm_i915_private *i915, u64 size, |
| - struct intel_memory_region **placements, |
| - unsigned int n_placements) |
| +static struct drm_i915_gem_object * |
| +__i915_gem_object_create_user_ext(struct drm_i915_private *i915, u64 size, |
| + struct intel_memory_region **placements, |
| + unsigned int n_placements, |
| + unsigned int ext_flags) |
| { |
| struct intel_memory_region *mr = placements[0]; |
| struct drm_i915_gem_object *obj; |
| @@ -135,6 +126,9 @@ __i915_gem_object_create_user(struct drm_i915_private *i915, u64 size, |
| |
| GEM_BUG_ON(size != obj->base.size); |
| |
| + /* Add any flag set by create_ext options */ |
| + obj->flags |= ext_flags; |
| + |
| trace_i915_gem_object_create(obj); |
| return obj; |
| |
| @@ -145,6 +139,26 @@ __i915_gem_object_create_user(struct drm_i915_private *i915, u64 size, |
| return ERR_PTR(ret); |
| } |
| |
| +/** |
| + * Creates a new object using the same path as DRM_I915_GEM_CREATE_EXT |
| + * @i915: i915 private |
| + * @size: size of the buffer, in bytes |
| + * @placements: possible placement regions, in priority order |
| + * @n_placements: number of possible placement regions |
| + * |
| + * This function is exposed primarily for selftests and does very little |
| + * error checking. It is assumed that the set of placement regions has |
| + * already been verified to be valid. |
| + */ |
| +struct drm_i915_gem_object * |
| +__i915_gem_object_create_user(struct drm_i915_private *i915, u64 size, |
| + struct intel_memory_region **placements, |
| + unsigned int n_placements) |
| +{ |
| + return __i915_gem_object_create_user_ext(i915, size, placements, |
| + n_placements, 0); |
| +} |
| + |
| int |
| i915_gem_dumb_create(struct drm_file *file, |
| struct drm_device *dev, |
| @@ -224,6 +238,7 @@ struct create_ext { |
| struct drm_i915_private *i915; |
| struct intel_memory_region *placements[INTEL_REGION_UNKNOWN]; |
| unsigned int n_placements; |
| + unsigned long flags; |
| }; |
| |
| static void repr_placements(char *buf, size_t size, |
| @@ -356,8 +371,28 @@ static int ext_set_placements(struct i915_user_extension __user *base, |
| return set_placements(&ext, data); |
| } |
| |
| +static int ext_set_protected(struct i915_user_extension __user *base, void *data) |
| +{ |
| + struct drm_i915_gem_create_ext_protected_content ext; |
| + struct create_ext *ext_data = data; |
| + |
| + if (copy_from_user(&ext, base, sizeof(ext))) |
| + return -EFAULT; |
| + |
| + if (ext.flags) |
| + return -EINVAL; |
| + |
| + if (!intel_pxp_is_enabled(&ext_data->i915->gt.pxp)) |
| + return -ENODEV; |
| + |
| + ext_data->flags |= I915_BO_PROTECTED; |
| + |
| + return 0; |
| +} |
| + |
| static const i915_user_extension_fn create_extensions[] = { |
| [I915_GEM_CREATE_EXT_MEMORY_REGIONS] = ext_set_placements, |
| + [I915_GEM_CREATE_EXT_PROTECTED_CONTENT] = ext_set_protected, |
| }; |
| |
| /** |
| @@ -392,9 +427,10 @@ i915_gem_create_ext_ioctl(struct drm_device *dev, void *data, |
| ext_data.n_placements = 1; |
| } |
| |
| - obj = __i915_gem_object_create_user(i915, args->size, |
| - ext_data.placements, |
| - ext_data.n_placements); |
| + obj = __i915_gem_object_create_user_ext(i915, args->size, |
| + ext_data.placements, |
| + ext_data.n_placements, |
| + ext_data.flags); |
| if (IS_ERR(obj)) |
| return PTR_ERR(obj); |
| |
| diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c |
| --- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c |
| +++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c |
| @@ -21,6 +21,8 @@ |
| #include "gt/intel_gt_pm.h" |
| #include "gt/intel_ring.h" |
| |
| +#include "pxp/intel_pxp.h" |
| + |
| #include "i915_drv.h" |
| #include "i915_gem_clflush.h" |
| #include "i915_gem_context.h" |
| @@ -814,6 +816,21 @@ static struct i915_vma *eb_lookup_vma(struct i915_execbuffer *eb, u32 handle) |
| if (unlikely(!obj)) |
| return ERR_PTR(-ENOENT); |
| |
| + /* |
| + * If the user has opted-in for protected-object tracking, make |
| + * sure the object encryption can be used. |
| + * We only need to do this when the object is first used with |
| + * this context, because the context itself will be banned when |
| + * the protected objects become invalid. |
| + */ |
| + if (i915_gem_object_is_protected(obj)) { |
| + err = intel_pxp_key_check(&vm->gt->pxp, obj); |
| + if (err) { |
| + i915_gem_object_put(obj); |
| + return ERR_PTR(err); |
| + } |
| + } |
| + |
| vma = i915_vma_instance(obj, vm, NULL); |
| if (IS_ERR(vma)) { |
| i915_gem_object_put(obj); |
| diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.c b/drivers/gpu/drm/i915/gem/i915_gem_object.c |
| --- a/drivers/gpu/drm/i915/gem/i915_gem_object.c |
| +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.c |
| @@ -25,6 +25,7 @@ |
| #include <linux/sched/mm.h> |
| |
| #include "display/intel_frontbuffer.h" |
| +#include "pxp/intel_pxp.h" |
| #include "i915_drv.h" |
| #include "i915_gem_clflush.h" |
| #include "i915_gem_context.h" |
| diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.h b/drivers/gpu/drm/i915/gem/i915_gem_object.h |
| --- a/drivers/gpu/drm/i915/gem/i915_gem_object.h |
| +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.h |
| @@ -269,6 +269,12 @@ i915_gem_object_clear_tiling_quirk(struct drm_i915_gem_object *obj) |
| clear_bit(I915_TILING_QUIRK_BIT, &obj->flags); |
| } |
| |
| +static inline bool |
| +i915_gem_object_is_protected(const struct drm_i915_gem_object *obj) |
| +{ |
| + return obj->flags & I915_BO_PROTECTED; |
| +} |
| + |
| static inline bool |
| i915_gem_object_type_has(const struct drm_i915_gem_object *obj, |
| unsigned long flags) |
| diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object_types.h b/drivers/gpu/drm/i915/gem/i915_gem_object_types.h |
| --- a/drivers/gpu/drm/i915/gem/i915_gem_object_types.h |
| +++ b/drivers/gpu/drm/i915/gem/i915_gem_object_types.h |
| @@ -298,6 +298,7 @@ struct drm_i915_gem_object { |
| I915_BO_ALLOC_USER) |
| #define I915_BO_READONLY BIT(4) |
| #define I915_TILING_QUIRK_BIT 5 /* unknown swizzling; do not release! */ |
| +#define I915_BO_PROTECTED BIT(8) |
| |
| /** |
| * @mem_flags - Mutable placement-related flags |
| @@ -531,6 +532,13 @@ struct drm_i915_gem_object { |
| bool dirty:1; |
| } mm; |
| |
| + /* |
| + * Record which PXP key instance this object was created against (if |
| + * any), so we can use it to determine if the encryption is valid by |
| + * comparing against the current key instance. |
| + */ |
| + u32 pxp_key_instance; |
| + |
| struct { |
| struct sg_table *cached_io_st; |
| struct i915_gem_object_page_iter get_io_page; |
| diff --git a/drivers/gpu/drm/i915/pxp/intel_pxp.c b/drivers/gpu/drm/i915/pxp/intel_pxp.c |
| --- a/drivers/gpu/drm/i915/pxp/intel_pxp.c |
| +++ b/drivers/gpu/drm/i915/pxp/intel_pxp.c |
| @@ -178,3 +178,27 @@ void intel_pxp_fini_hw(struct intel_pxp *pxp) |
| |
| intel_pxp_irq_disable(pxp); |
| } |
| + |
| +int intel_pxp_key_check(struct intel_pxp *pxp, struct drm_i915_gem_object *obj) |
| +{ |
| + if (!intel_pxp_is_active(pxp)) |
| + return -ENODEV; |
| + |
| + if (!i915_gem_object_is_protected(obj)) |
| + return -EINVAL; |
| + |
| + GEM_BUG_ON(!pxp->key_instance); |
| + |
| + /* |
| + * If this is the first time we're using this object, it's not |
| + * encrypted yet; it will be encrypted with the current key, so mark it |
| + * as such. If the object is already encrypted, check instead if the |
| + * used key is still valid. |
| + */ |
| + if (!obj->pxp_key_instance) |
| + obj->pxp_key_instance = pxp->key_instance; |
| + else if (obj->pxp_key_instance != pxp->key_instance) |
| + return -ENOEXEC; |
| + |
| + return 0; |
| +} |
| diff --git a/drivers/gpu/drm/i915/pxp/intel_pxp.h b/drivers/gpu/drm/i915/pxp/intel_pxp.h |
| --- a/drivers/gpu/drm/i915/pxp/intel_pxp.h |
| +++ b/drivers/gpu/drm/i915/pxp/intel_pxp.h |
| @@ -8,6 +8,8 @@ |
| |
| #include "intel_pxp_types.h" |
| |
| +struct drm_i915_gem_object; |
| + |
| static inline bool intel_pxp_is_enabled(const struct intel_pxp *pxp) |
| { |
| return pxp->ce; |
| @@ -25,6 +27,8 @@ void intel_pxp_fini_hw(struct intel_pxp *pxp); |
| |
| void intel_pxp_mark_termination_in_progress(struct intel_pxp *pxp); |
| int intel_pxp_wait_for_arb_start(struct intel_pxp *pxp); |
| + |
| +int intel_pxp_key_check(struct intel_pxp *pxp, struct drm_i915_gem_object *obj); |
| #else |
| static inline void intel_pxp_init(struct intel_pxp *pxp) |
| { |
| @@ -38,6 +42,12 @@ static inline int intel_pxp_wait_for_arb_start(struct intel_pxp *pxp) |
| { |
| return -ENODEV; |
| } |
| + |
| +static inline int intel_pxp_key_check(struct intel_pxp *pxp, |
| + struct drm_i915_gem_object *obj) |
| +{ |
| + return -ENODEV; |
| +} |
| #endif |
| |
| #endif /* __INTEL_PXP_H__ */ |
| diff --git a/drivers/gpu/drm/i915/pxp/intel_pxp_session.c b/drivers/gpu/drm/i915/pxp/intel_pxp_session.c |
| --- a/drivers/gpu/drm/i915/pxp/intel_pxp_session.c |
| +++ b/drivers/gpu/drm/i915/pxp/intel_pxp_session.c |
| @@ -72,6 +72,9 @@ static int pxp_create_arb_session(struct intel_pxp *pxp) |
| return ret; |
| } |
| |
| + if (!++pxp->key_instance) |
| + ++pxp->key_instance; |
| + |
| pxp->arb_is_valid = true; |
| |
| return 0; |
| diff --git a/drivers/gpu/drm/i915/pxp/intel_pxp_types.h b/drivers/gpu/drm/i915/pxp/intel_pxp_types.h |
| --- a/drivers/gpu/drm/i915/pxp/intel_pxp_types.h |
| +++ b/drivers/gpu/drm/i915/pxp/intel_pxp_types.h |
| @@ -7,7 +7,9 @@ |
| #define __INTEL_PXP_TYPES_H__ |
| |
| #include <linux/completion.h> |
| +#include <linux/list.h> |
| #include <linux/mutex.h> |
| +#include <linux/spinlock.h> |
| #include <linux/types.h> |
| #include <linux/workqueue.h> |
| |
| @@ -27,6 +29,13 @@ struct intel_pxp { |
| */ |
| bool arb_is_valid; |
| |
| + /* |
| + * Keep track of which key instance we're on, so we can use it to |
| + * determine if an object was created using the current key or a |
| + * previous one. |
| + */ |
| + u32 key_instance; |
| + |
| struct mutex tee_mutex; /* protects the tee channel binding */ |
| |
| /* |
| diff --git a/include/uapi/drm/i915_drm.h b/include/uapi/drm/i915_drm.h |
| --- a/include/uapi/drm/i915_drm.h |
| +++ b/include/uapi/drm/i915_drm.h |
| @@ -2979,8 +2979,12 @@ struct drm_i915_gem_create_ext { |
| * |
| * For I915_GEM_CREATE_EXT_MEMORY_REGIONS usage see |
| * struct drm_i915_gem_create_ext_memory_regions. |
| + * |
| + * For I915_GEM_CREATE_EXT_PROTECTED_CONTENT usage see |
| + * struct drm_i915_gem_create_ext_protected_content. |
| */ |
| #define I915_GEM_CREATE_EXT_MEMORY_REGIONS 0 |
| +#define I915_GEM_CREATE_EXT_PROTECTED_CONTENT 1 |
| __u64 extensions; |
| }; |
| |
| @@ -3038,6 +3042,47 @@ struct drm_i915_gem_create_ext_memory_regions { |
| __u64 regions; |
| }; |
| |
| +/** |
| + * struct drm_i915_gem_create_ext_protected_content - The |
| + * I915_OBJECT_PARAM_PROTECTED_CONTENT extension. |
| + * |
| + * If this extension is provided, buffer contents are expected to be protected |
| + * by PXP encryption and require decryption for scan out and processing. This |
| + * is only possible on platforms that have PXP enabled, on all other scenarios |
| + * using this extension will cause the ioctl to fail and return -ENODEV. The |
| + * flags parameter is reserved for future expansion and must currently be set |
| + * to zero. |
| + * |
| + * The buffer contents are considered invalid after a PXP session teardown. |
| + * |
| + * The encryption is guaranteed to be processed correctly only if the object |
| + * is submitted with a context created using the |
| + * I915_CONTEXT_PARAM_PROTECTED_CONTENT flag. This will also enable extra checks |
| + * at submission time on the validity of the objects involved. |
| + * |
| + * Below is an example on how to create a protected object: |
| + * |
| + * .. code-block:: C |
| + * |
| + * struct drm_i915_gem_create_ext_protected_content protected_ext = { |
| + * .base = { .name = I915_GEM_CREATE_EXT_PROTECTED_CONTENT }, |
| + * .flags = 0, |
| + * }; |
| + * struct drm_i915_gem_create_ext create_ext = { |
| + * .size = PAGE_SIZE, |
| + * .extensions = (uintptr_t)&protected_ext, |
| + * }; |
| + * |
| + * int err = ioctl(fd, DRM_IOCTL_I915_GEM_CREATE_EXT, &create_ext); |
| + * if (err) ... |
| + */ |
| +struct drm_i915_gem_create_ext_protected_content { |
| + /** @base: Extension link. See struct i915_user_extension. */ |
| + struct i915_user_extension base; |
| + /** @flags: reserved for future usage, currently MBZ */ |
| + __u32 flags; |
| +}; |
| + |
| /* ID of the protected content session managed by i915 when PXP is active */ |
| #define I915_PROTECTED_CONTENT_DEFAULT_SESSION 0xf |
| |
| -- |
| 2.33.0.1079.g6e70778dc9-goog |
| |