1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Copyright (c) 2018, Intel Corporation. */ |
3 | |
4 | #include "ice_common.h" |
5 | #include "ice_vf_mbx.h" |
6 | |
7 | /** |
8 | * ice_aq_send_msg_to_vf |
9 | * @hw: pointer to the hardware structure |
10 | * @vfid: VF ID to send msg |
11 | * @v_opcode: opcodes for VF-PF communication |
12 | * @v_retval: return error code |
13 | * @msg: pointer to the msg buffer |
14 | * @msglen: msg length |
15 | * @cd: pointer to command details |
16 | * |
17 | * Send message to VF driver (0x0802) using mailbox |
18 | * queue and asynchronously sending message via |
19 | * ice_sq_send_cmd() function |
20 | */ |
21 | int |
22 | ice_aq_send_msg_to_vf(struct ice_hw *hw, u16 vfid, u32 v_opcode, u32 v_retval, |
23 | u8 *msg, u16 msglen, struct ice_sq_cd *cd) |
24 | { |
25 | struct ice_aqc_pf_vf_msg *cmd; |
26 | struct ice_aq_desc desc; |
27 | |
28 | ice_fill_dflt_direct_cmd_desc(desc: &desc, opcode: ice_mbx_opc_send_msg_to_vf); |
29 | |
30 | cmd = &desc.params.virt; |
31 | cmd->id = cpu_to_le32(vfid); |
32 | |
33 | desc.cookie_high = cpu_to_le32(v_opcode); |
34 | desc.cookie_low = cpu_to_le32(v_retval); |
35 | |
36 | if (msglen) |
37 | desc.flags |= cpu_to_le16(ICE_AQ_FLAG_RD); |
38 | |
39 | return ice_sq_send_cmd(hw, cq: &hw->mailboxq, desc: &desc, buf: msg, buf_size: msglen, cd); |
40 | } |
41 | |
42 | static const u32 ice_legacy_aq_to_vc_speed[] = { |
43 | VIRTCHNL_LINK_SPEED_100MB, /* BIT(0) */ |
44 | VIRTCHNL_LINK_SPEED_100MB, |
45 | VIRTCHNL_LINK_SPEED_1GB, |
46 | VIRTCHNL_LINK_SPEED_1GB, |
47 | VIRTCHNL_LINK_SPEED_1GB, |
48 | VIRTCHNL_LINK_SPEED_10GB, |
49 | VIRTCHNL_LINK_SPEED_20GB, |
50 | VIRTCHNL_LINK_SPEED_25GB, |
51 | VIRTCHNL_LINK_SPEED_40GB, |
52 | VIRTCHNL_LINK_SPEED_40GB, |
53 | VIRTCHNL_LINK_SPEED_40GB, |
54 | }; |
55 | |
56 | /** |
57 | * ice_conv_link_speed_to_virtchnl |
58 | * @adv_link_support: determines the format of the returned link speed |
59 | * @link_speed: variable containing the link_speed to be converted |
60 | * |
61 | * Convert link speed supported by HW to link speed supported by virtchnl. |
62 | * If adv_link_support is true, then return link speed in Mbps. Else return |
63 | * link speed as a VIRTCHNL_LINK_SPEED_* casted to a u32. Note that the caller |
64 | * needs to cast back to an enum virtchnl_link_speed in the case where |
65 | * adv_link_support is false, but when adv_link_support is true the caller can |
66 | * expect the speed in Mbps. |
67 | */ |
68 | u32 ice_conv_link_speed_to_virtchnl(bool adv_link_support, u16 link_speed) |
69 | { |
70 | /* convert a BIT() value into an array index */ |
71 | u32 index = fls(x: link_speed) - 1; |
72 | |
73 | if (adv_link_support) |
74 | return ice_get_link_speed(index); |
75 | else if (index < ARRAY_SIZE(ice_legacy_aq_to_vc_speed)) |
76 | /* Virtchnl speeds are not defined for every speed supported in |
77 | * the hardware. To maintain compatibility with older AVF |
78 | * drivers, while reporting the speed the new speed values are |
79 | * resolved to the closest known virtchnl speeds |
80 | */ |
81 | return ice_legacy_aq_to_vc_speed[index]; |
82 | |
83 | return VIRTCHNL_LINK_SPEED_UNKNOWN; |
84 | } |
85 | |
86 | /* The mailbox overflow detection algorithm helps to check if there |
87 | * is a possibility of a malicious VF transmitting too many MBX messages to the |
88 | * PF. |
89 | * 1. The mailbox snapshot structure, ice_mbx_snapshot, is initialized during |
90 | * driver initialization in ice_init_hw() using ice_mbx_init_snapshot(). |
91 | * The struct ice_mbx_snapshot helps to track and traverse a static window of |
92 | * messages within the mailbox queue while looking for a malicious VF. |
93 | * |
94 | * 2. When the caller starts processing its mailbox queue in response to an |
95 | * interrupt, the structure ice_mbx_snapshot is expected to be cleared before |
96 | * the algorithm can be run for the first time for that interrupt. This |
97 | * requires calling ice_mbx_reset_snapshot() as well as calling |
98 | * ice_mbx_reset_vf_info() for each VF tracking structure. |
99 | * |
100 | * 3. For every message read by the caller from the MBX Queue, the caller must |
101 | * call the detection algorithm's entry function ice_mbx_vf_state_handler(). |
102 | * Before every call to ice_mbx_vf_state_handler() the struct ice_mbx_data is |
103 | * filled as it is required to be passed to the algorithm. |
104 | * |
105 | * 4. Every time a message is read from the MBX queue, a tracking structure |
106 | * for the VF must be passed to the state handler. The boolean output |
107 | * report_malvf from ice_mbx_vf_state_handler() serves as an indicator to the |
108 | * caller whether it must report this VF as malicious or not. |
109 | * |
110 | * 5. When a VF is identified to be malicious, the caller can send a message |
111 | * to the system administrator. |
112 | * |
113 | * 6. The PF is responsible for maintaining the struct ice_mbx_vf_info |
114 | * structure for each VF. The PF should clear the VF tracking structure if the |
115 | * VF is reset. When a VF is shut down and brought back up, we will then |
116 | * assume that the new VF is not malicious and may report it again if we |
117 | * detect it again. |
118 | * |
119 | * 7. The function ice_mbx_reset_snapshot() is called to reset the information |
120 | * in ice_mbx_snapshot for every new mailbox interrupt handled. |
121 | */ |
122 | #define ICE_RQ_DATA_MASK(rq_data) ((rq_data) & PF_MBX_ARQH_ARQH_M) |
123 | /* Using the highest value for an unsigned 16-bit value 0xFFFF to indicate that |
124 | * the max messages check must be ignored in the algorithm |
125 | */ |
126 | #define ICE_IGNORE_MAX_MSG_CNT 0xFFFF |
127 | |
128 | /** |
129 | * ice_mbx_reset_snapshot - Reset mailbox snapshot structure |
130 | * @snap: pointer to the mailbox snapshot |
131 | */ |
132 | static void ice_mbx_reset_snapshot(struct ice_mbx_snapshot *snap) |
133 | { |
134 | struct ice_mbx_vf_info *vf_info; |
135 | |
136 | /* Clear mbx_buf in the mailbox snaphot structure and setting the |
137 | * mailbox snapshot state to a new capture. |
138 | */ |
139 | memset(&snap->mbx_buf, 0, sizeof(snap->mbx_buf)); |
140 | snap->mbx_buf.state = ICE_MAL_VF_DETECT_STATE_NEW_SNAPSHOT; |
141 | |
142 | /* Reset message counts for all VFs to zero */ |
143 | list_for_each_entry(vf_info, &snap->mbx_vf, list_entry) |
144 | vf_info->msg_count = 0; |
145 | } |
146 | |
147 | /** |
148 | * ice_mbx_traverse - Pass through mailbox snapshot |
149 | * @hw: pointer to the HW struct |
150 | * @new_state: new algorithm state |
151 | * |
152 | * Traversing the mailbox static snapshot without checking |
153 | * for malicious VFs. |
154 | */ |
155 | static void |
156 | ice_mbx_traverse(struct ice_hw *hw, |
157 | enum ice_mbx_snapshot_state *new_state) |
158 | { |
159 | struct ice_mbx_snap_buffer_data *snap_buf; |
160 | u32 num_iterations; |
161 | |
162 | snap_buf = &hw->mbx_snapshot.mbx_buf; |
163 | |
164 | /* As mailbox buffer is circular, applying a mask |
165 | * on the incremented iteration count. |
166 | */ |
167 | num_iterations = ICE_RQ_DATA_MASK(++snap_buf->num_iterations); |
168 | |
169 | /* Checking either of the below conditions to exit snapshot traversal: |
170 | * Condition-1: If the number of iterations in the mailbox is equal to |
171 | * the mailbox head which would indicate that we have reached the end |
172 | * of the static snapshot. |
173 | * Condition-2: If the maximum messages serviced in the mailbox for a |
174 | * given interrupt is the highest possible value then there is no need |
175 | * to check if the number of messages processed is equal to it. If not |
176 | * check if the number of messages processed is greater than or equal |
177 | * to the maximum number of mailbox entries serviced in current work item. |
178 | */ |
179 | if (num_iterations == snap_buf->head || |
180 | (snap_buf->max_num_msgs_mbx < ICE_IGNORE_MAX_MSG_CNT && |
181 | ++snap_buf->num_msg_proc >= snap_buf->max_num_msgs_mbx)) |
182 | *new_state = ICE_MAL_VF_DETECT_STATE_NEW_SNAPSHOT; |
183 | } |
184 | |
185 | /** |
186 | * ice_mbx_detect_malvf - Detect malicious VF in snapshot |
187 | * @hw: pointer to the HW struct |
188 | * @vf_info: mailbox tracking structure for a VF |
189 | * @new_state: new algorithm state |
190 | * @is_malvf: boolean output to indicate if VF is malicious |
191 | * |
192 | * This function tracks the number of asynchronous messages |
193 | * sent per VF and marks the VF as malicious if it exceeds |
194 | * the permissible number of messages to send. |
195 | */ |
196 | static int |
197 | ice_mbx_detect_malvf(struct ice_hw *hw, struct ice_mbx_vf_info *vf_info, |
198 | enum ice_mbx_snapshot_state *new_state, |
199 | bool *is_malvf) |
200 | { |
201 | /* increment the message count for this VF */ |
202 | vf_info->msg_count++; |
203 | |
204 | if (vf_info->msg_count >= ICE_ASYNC_VF_MSG_THRESHOLD) |
205 | *is_malvf = true; |
206 | |
207 | /* continue to iterate through the mailbox snapshot */ |
208 | ice_mbx_traverse(hw, new_state); |
209 | |
210 | return 0; |
211 | } |
212 | |
213 | /** |
214 | * ice_mbx_vf_state_handler - Handle states of the overflow algorithm |
215 | * @hw: pointer to the HW struct |
216 | * @mbx_data: pointer to structure containing mailbox data |
217 | * @vf_info: mailbox tracking structure for the VF in question |
218 | * @report_malvf: boolean output to indicate whether VF should be reported |
219 | * |
220 | * The function serves as an entry point for the malicious VF |
221 | * detection algorithm by handling the different states and state |
222 | * transitions of the algorithm: |
223 | * New snapshot: This state is entered when creating a new static |
224 | * snapshot. The data from any previous mailbox snapshot is |
225 | * cleared and a new capture of the mailbox head and tail is |
226 | * logged. This will be the new static snapshot to detect |
227 | * asynchronous messages sent by VFs. On capturing the snapshot |
228 | * and depending on whether the number of pending messages in that |
229 | * snapshot exceed the watermark value, the state machine enters |
230 | * traverse or detect states. |
231 | * Traverse: If pending message count is below watermark then iterate |
232 | * through the snapshot without any action on VF. |
233 | * Detect: If pending message count exceeds watermark traverse |
234 | * the static snapshot and look for a malicious VF. |
235 | */ |
236 | int |
237 | ice_mbx_vf_state_handler(struct ice_hw *hw, struct ice_mbx_data *mbx_data, |
238 | struct ice_mbx_vf_info *vf_info, bool *report_malvf) |
239 | { |
240 | struct ice_mbx_snapshot *snap = &hw->mbx_snapshot; |
241 | struct ice_mbx_snap_buffer_data *snap_buf; |
242 | struct ice_ctl_q_info *cq = &hw->mailboxq; |
243 | enum ice_mbx_snapshot_state new_state; |
244 | bool is_malvf = false; |
245 | int status = 0; |
246 | |
247 | if (!report_malvf || !mbx_data || !vf_info) |
248 | return -EINVAL; |
249 | |
250 | *report_malvf = false; |
251 | |
252 | /* When entering the mailbox state machine assume that the VF |
253 | * is not malicious until detected. |
254 | */ |
255 | /* Checking if max messages allowed to be processed while servicing current |
256 | * interrupt is not less than the defined AVF message threshold. |
257 | */ |
258 | if (mbx_data->max_num_msgs_mbx <= ICE_ASYNC_VF_MSG_THRESHOLD) |
259 | return -EINVAL; |
260 | |
261 | /* The watermark value should not be lesser than the threshold limit |
262 | * set for the number of asynchronous messages a VF can send to mailbox |
263 | * nor should it be greater than the maximum number of messages in the |
264 | * mailbox serviced in current interrupt. |
265 | */ |
266 | if (mbx_data->async_watermark_val < ICE_ASYNC_VF_MSG_THRESHOLD || |
267 | mbx_data->async_watermark_val > mbx_data->max_num_msgs_mbx) |
268 | return -EINVAL; |
269 | |
270 | new_state = ICE_MAL_VF_DETECT_STATE_INVALID; |
271 | snap_buf = &snap->mbx_buf; |
272 | |
273 | switch (snap_buf->state) { |
274 | case ICE_MAL_VF_DETECT_STATE_NEW_SNAPSHOT: |
275 | /* Clear any previously held data in mailbox snapshot structure. */ |
276 | ice_mbx_reset_snapshot(snap); |
277 | |
278 | /* Collect the pending ARQ count, number of messages processed and |
279 | * the maximum number of messages allowed to be processed from the |
280 | * Mailbox for current interrupt. |
281 | */ |
282 | snap_buf->num_pending_arq = mbx_data->num_pending_arq; |
283 | snap_buf->num_msg_proc = mbx_data->num_msg_proc; |
284 | snap_buf->max_num_msgs_mbx = mbx_data->max_num_msgs_mbx; |
285 | |
286 | /* Capture a new static snapshot of the mailbox by logging the |
287 | * head and tail of snapshot and set num_iterations to the tail |
288 | * value to mark the start of the iteration through the snapshot. |
289 | */ |
290 | snap_buf->head = ICE_RQ_DATA_MASK(cq->rq.next_to_clean + |
291 | mbx_data->num_pending_arq); |
292 | snap_buf->tail = ICE_RQ_DATA_MASK(cq->rq.next_to_clean - 1); |
293 | snap_buf->num_iterations = snap_buf->tail; |
294 | |
295 | /* Pending ARQ messages returned by ice_clean_rq_elem |
296 | * is the difference between the head and tail of the |
297 | * mailbox queue. Comparing this value against the watermark |
298 | * helps to check if we potentially have malicious VFs. |
299 | */ |
300 | if (snap_buf->num_pending_arq >= |
301 | mbx_data->async_watermark_val) { |
302 | new_state = ICE_MAL_VF_DETECT_STATE_DETECT; |
303 | status = ice_mbx_detect_malvf(hw, vf_info, new_state: &new_state, is_malvf: &is_malvf); |
304 | } else { |
305 | new_state = ICE_MAL_VF_DETECT_STATE_TRAVERSE; |
306 | ice_mbx_traverse(hw, new_state: &new_state); |
307 | } |
308 | break; |
309 | |
310 | case ICE_MAL_VF_DETECT_STATE_TRAVERSE: |
311 | new_state = ICE_MAL_VF_DETECT_STATE_TRAVERSE; |
312 | ice_mbx_traverse(hw, new_state: &new_state); |
313 | break; |
314 | |
315 | case ICE_MAL_VF_DETECT_STATE_DETECT: |
316 | new_state = ICE_MAL_VF_DETECT_STATE_DETECT; |
317 | status = ice_mbx_detect_malvf(hw, vf_info, new_state: &new_state, is_malvf: &is_malvf); |
318 | break; |
319 | |
320 | default: |
321 | new_state = ICE_MAL_VF_DETECT_STATE_INVALID; |
322 | status = -EIO; |
323 | } |
324 | |
325 | snap_buf->state = new_state; |
326 | |
327 | /* Only report VFs as malicious the first time we detect it */ |
328 | if (is_malvf && !vf_info->malicious) { |
329 | vf_info->malicious = 1; |
330 | *report_malvf = true; |
331 | } |
332 | |
333 | return status; |
334 | } |
335 | |
336 | /** |
337 | * ice_mbx_clear_malvf - Clear VF mailbox info |
338 | * @vf_info: the mailbox tracking structure for a VF |
339 | * |
340 | * In case of a VF reset, this function shall be called to clear the VF's |
341 | * current mailbox tracking state. |
342 | */ |
343 | void ice_mbx_clear_malvf(struct ice_mbx_vf_info *vf_info) |
344 | { |
345 | vf_info->malicious = 0; |
346 | vf_info->msg_count = 0; |
347 | } |
348 | |
349 | /** |
350 | * ice_mbx_init_vf_info - Initialize a new VF mailbox tracking info |
351 | * @hw: pointer to the hardware structure |
352 | * @vf_info: the mailbox tracking info structure for a VF |
353 | * |
354 | * Initialize a VF mailbox tracking info structure and insert it into the |
355 | * snapshot list. |
356 | * |
357 | * If you remove the VF, you must also delete the associated VF info structure |
358 | * from the linked list. |
359 | */ |
360 | void ice_mbx_init_vf_info(struct ice_hw *hw, struct ice_mbx_vf_info *vf_info) |
361 | { |
362 | struct ice_mbx_snapshot *snap = &hw->mbx_snapshot; |
363 | |
364 | ice_mbx_clear_malvf(vf_info); |
365 | list_add(new: &vf_info->list_entry, head: &snap->mbx_vf); |
366 | } |
367 | |
368 | /** |
369 | * ice_mbx_init_snapshot - Initialize mailbox snapshot data |
370 | * @hw: pointer to the hardware structure |
371 | * |
372 | * Clear the mailbox snapshot structure and initialize the VF mailbox list. |
373 | */ |
374 | void ice_mbx_init_snapshot(struct ice_hw *hw) |
375 | { |
376 | struct ice_mbx_snapshot *snap = &hw->mbx_snapshot; |
377 | |
378 | INIT_LIST_HEAD(list: &snap->mbx_vf); |
379 | ice_mbx_reset_snapshot(snap); |
380 | } |
381 | |