1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2018, Intel Corporation. */
3 
4 #include "ice_common.h"
5 #include "ice_vf_mbx.h"
6 
7 /**
8  * ice_aq_send_msg_to_vf
9  * @hw: pointer to the hardware structure
10  * @vfid: VF ID to send msg
11  * @v_opcode: opcodes for VF-PF communication
12  * @v_retval: return error code
13  * @msg: pointer to the msg buffer
14  * @msglen: msg length
15  * @cd: pointer to command details
16  *
17  * Send message to VF driver (0x0802) using mailbox
18  * queue and asynchronously sending message via
19  * ice_sq_send_cmd() function
20  */
21 int
ice_aq_send_msg_to_vf(struct ice_hw * hw,u16 vfid,u32 v_opcode,u32 v_retval,u8 * msg,u16 msglen,struct ice_sq_cd * cd)22 ice_aq_send_msg_to_vf(struct ice_hw *hw, u16 vfid, u32 v_opcode, u32 v_retval,
23 		      u8 *msg, u16 msglen, struct ice_sq_cd *cd)
24 {
25 	struct ice_aqc_pf_vf_msg *cmd;
26 	struct ice_aq_desc desc;
27 
28 	ice_fill_dflt_direct_cmd_desc(&desc, ice_mbx_opc_send_msg_to_vf);
29 
30 	cmd = &desc.params.virt;
31 	cmd->id = cpu_to_le32(vfid);
32 
33 	desc.cookie_high = cpu_to_le32(v_opcode);
34 	desc.cookie_low = cpu_to_le32(v_retval);
35 
36 	if (msglen)
37 		desc.flags |= cpu_to_le16(ICE_AQ_FLAG_RD);
38 
39 	return ice_sq_send_cmd(hw, &hw->mailboxq, &desc, msg, msglen, cd);
40 }
41 
42 static const u32 ice_legacy_aq_to_vc_speed[] = {
43 	VIRTCHNL_LINK_SPEED_100MB,	/* BIT(0) */
44 	VIRTCHNL_LINK_SPEED_100MB,
45 	VIRTCHNL_LINK_SPEED_1GB,
46 	VIRTCHNL_LINK_SPEED_1GB,
47 	VIRTCHNL_LINK_SPEED_1GB,
48 	VIRTCHNL_LINK_SPEED_10GB,
49 	VIRTCHNL_LINK_SPEED_20GB,
50 	VIRTCHNL_LINK_SPEED_25GB,
51 	VIRTCHNL_LINK_SPEED_40GB,
52 	VIRTCHNL_LINK_SPEED_40GB,
53 	VIRTCHNL_LINK_SPEED_40GB,
54 };
55 
56 /**
57  * ice_conv_link_speed_to_virtchnl
58  * @adv_link_support: determines the format of the returned link speed
59  * @link_speed: variable containing the link_speed to be converted
60  *
61  * Convert link speed supported by HW to link speed supported by virtchnl.
62  * If adv_link_support is true, then return link speed in Mbps. Else return
63  * link speed as a VIRTCHNL_LINK_SPEED_* casted to a u32. Note that the caller
64  * needs to cast back to an enum virtchnl_link_speed in the case where
65  * adv_link_support is false, but when adv_link_support is true the caller can
66  * expect the speed in Mbps.
67  */
ice_conv_link_speed_to_virtchnl(bool adv_link_support,u16 link_speed)68 u32 ice_conv_link_speed_to_virtchnl(bool adv_link_support, u16 link_speed)
69 {
70 	/* convert a BIT() value into an array index */
71 	u32 index = fls(link_speed) - 1;
72 
73 	if (adv_link_support)
74 		return ice_get_link_speed(index);
75 	else if (index < ARRAY_SIZE(ice_legacy_aq_to_vc_speed))
76 		/* Virtchnl speeds are not defined for every speed supported in
77 		 * the hardware. To maintain compatibility with older AVF
78 		 * drivers, while reporting the speed the new speed values are
79 		 * resolved to the closest known virtchnl speeds
80 		 */
81 		return ice_legacy_aq_to_vc_speed[index];
82 
83 	return VIRTCHNL_LINK_SPEED_UNKNOWN;
84 }
85 
86 /* The mailbox overflow detection algorithm helps to check if there
87  * is a possibility of a malicious VF transmitting too many MBX messages to the
88  * PF.
89  * 1. The mailbox snapshot structure, ice_mbx_snapshot, is initialized during
90  * driver initialization in ice_init_hw() using ice_mbx_init_snapshot().
91  * The struct ice_mbx_snapshot helps to track and traverse a static window of
92  * messages within the mailbox queue while looking for a malicious VF.
93  *
94  * 2. When the caller starts processing its mailbox queue in response to an
95  * interrupt, the structure ice_mbx_snapshot is expected to be cleared before
96  * the algorithm can be run for the first time for that interrupt. This
97  * requires calling ice_mbx_reset_snapshot() as well as calling
98  * ice_mbx_reset_vf_info() for each VF tracking structure.
99  *
100  * 3. For every message read by the caller from the MBX Queue, the caller must
101  * call the detection algorithm's entry function ice_mbx_vf_state_handler().
102  * Before every call to ice_mbx_vf_state_handler() the struct ice_mbx_data is
103  * filled as it is required to be passed to the algorithm.
104  *
105  * 4. Every time a message is read from the MBX queue, a tracking structure
106  * for the VF must be passed to the state handler. The boolean output
107  * report_malvf from ice_mbx_vf_state_handler() serves as an indicator to the
108  * caller whether it must report this VF as malicious or not.
109  *
110  * 5. When a VF is identified to be malicious, the caller can send a message
111  * to the system administrator.
112  *
113  * 6. The PF is responsible for maintaining the struct ice_mbx_vf_info
114  * structure for each VF. The PF should clear the VF tracking structure if the
115  * VF is reset. When a VF is shut down and brought back up, we will then
116  * assume that the new VF is not malicious and may report it again if we
117  * detect it again.
118  *
119  * 7. The function ice_mbx_reset_snapshot() is called to reset the information
120  * in ice_mbx_snapshot for every new mailbox interrupt handled.
121  */
122 #define ICE_RQ_DATA_MASK(rq_data) ((rq_data) & PF_MBX_ARQH_ARQH_M)
123 /* Using the highest value for an unsigned 16-bit value 0xFFFF to indicate that
124  * the max messages check must be ignored in the algorithm
125  */
126 #define ICE_IGNORE_MAX_MSG_CNT	0xFFFF
127 
128 /**
129  * ice_mbx_reset_snapshot - Reset mailbox snapshot structure
130  * @snap: pointer to the mailbox snapshot
131  */
ice_mbx_reset_snapshot(struct ice_mbx_snapshot * snap)132 static void ice_mbx_reset_snapshot(struct ice_mbx_snapshot *snap)
133 {
134 	struct ice_mbx_vf_info *vf_info;
135 
136 	/* Clear mbx_buf in the mailbox snaphot structure and setting the
137 	 * mailbox snapshot state to a new capture.
138 	 */
139 	memset(&snap->mbx_buf, 0, sizeof(snap->mbx_buf));
140 	snap->mbx_buf.state = ICE_MAL_VF_DETECT_STATE_NEW_SNAPSHOT;
141 
142 	/* Reset message counts for all VFs to zero */
143 	list_for_each_entry(vf_info, &snap->mbx_vf, list_entry)
144 		vf_info->msg_count = 0;
145 }
146 
147 /**
148  * ice_mbx_traverse - Pass through mailbox snapshot
149  * @hw: pointer to the HW struct
150  * @new_state: new algorithm state
151  *
152  * Traversing the mailbox static snapshot without checking
153  * for malicious VFs.
154  */
155 static void
ice_mbx_traverse(struct ice_hw * hw,enum ice_mbx_snapshot_state * new_state)156 ice_mbx_traverse(struct ice_hw *hw,
157 		 enum ice_mbx_snapshot_state *new_state)
158 {
159 	struct ice_mbx_snap_buffer_data *snap_buf;
160 	u32 num_iterations;
161 
162 	snap_buf = &hw->mbx_snapshot.mbx_buf;
163 
164 	/* As mailbox buffer is circular, applying a mask
165 	 * on the incremented iteration count.
166 	 */
167 	num_iterations = ICE_RQ_DATA_MASK(++snap_buf->num_iterations);
168 
169 	/* Checking either of the below conditions to exit snapshot traversal:
170 	 * Condition-1: If the number of iterations in the mailbox is equal to
171 	 * the mailbox head which would indicate that we have reached the end
172 	 * of the static snapshot.
173 	 * Condition-2: If the maximum messages serviced in the mailbox for a
174 	 * given interrupt is the highest possible value then there is no need
175 	 * to check if the number of messages processed is equal to it. If not
176 	 * check if the number of messages processed is greater than or equal
177 	 * to the maximum number of mailbox entries serviced in current work item.
178 	 */
179 	if (num_iterations == snap_buf->head ||
180 	    (snap_buf->max_num_msgs_mbx < ICE_IGNORE_MAX_MSG_CNT &&
181 	     ++snap_buf->num_msg_proc >= snap_buf->max_num_msgs_mbx))
182 		*new_state = ICE_MAL_VF_DETECT_STATE_NEW_SNAPSHOT;
183 }
184 
185 /**
186  * ice_mbx_detect_malvf - Detect malicious VF in snapshot
187  * @hw: pointer to the HW struct
188  * @vf_info: mailbox tracking structure for a VF
189  * @new_state: new algorithm state
190  * @is_malvf: boolean output to indicate if VF is malicious
191  *
192  * This function tracks the number of asynchronous messages
193  * sent per VF and marks the VF as malicious if it exceeds
194  * the permissible number of messages to send.
195  */
196 static int
ice_mbx_detect_malvf(struct ice_hw * hw,struct ice_mbx_vf_info * vf_info,enum ice_mbx_snapshot_state * new_state,bool * is_malvf)197 ice_mbx_detect_malvf(struct ice_hw *hw, struct ice_mbx_vf_info *vf_info,
198 		     enum ice_mbx_snapshot_state *new_state,
199 		     bool *is_malvf)
200 {
201 	/* increment the message count for this VF */
202 	vf_info->msg_count++;
203 
204 	if (vf_info->msg_count >= ICE_ASYNC_VF_MSG_THRESHOLD)
205 		*is_malvf = true;
206 
207 	/* continue to iterate through the mailbox snapshot */
208 	ice_mbx_traverse(hw, new_state);
209 
210 	return 0;
211 }
212 
213 /**
214  * ice_mbx_vf_state_handler - Handle states of the overflow algorithm
215  * @hw: pointer to the HW struct
216  * @mbx_data: pointer to structure containing mailbox data
217  * @vf_info: mailbox tracking structure for the VF in question
218  * @report_malvf: boolean output to indicate whether VF should be reported
219  *
220  * The function serves as an entry point for the malicious VF
221  * detection algorithm by handling the different states and state
222  * transitions of the algorithm:
223  * New snapshot: This state is entered when creating a new static
224  * snapshot. The data from any previous mailbox snapshot is
225  * cleared and a new capture of the mailbox head and tail is
226  * logged. This will be the new static snapshot to detect
227  * asynchronous messages sent by VFs. On capturing the snapshot
228  * and depending on whether the number of pending messages in that
229  * snapshot exceed the watermark value, the state machine enters
230  * traverse or detect states.
231  * Traverse: If pending message count is below watermark then iterate
232  * through the snapshot without any action on VF.
233  * Detect: If pending message count exceeds watermark traverse
234  * the static snapshot and look for a malicious VF.
235  */
236 int
ice_mbx_vf_state_handler(struct ice_hw * hw,struct ice_mbx_data * mbx_data,struct ice_mbx_vf_info * vf_info,bool * report_malvf)237 ice_mbx_vf_state_handler(struct ice_hw *hw, struct ice_mbx_data *mbx_data,
238 			 struct ice_mbx_vf_info *vf_info, bool *report_malvf)
239 {
240 	struct ice_mbx_snapshot *snap = &hw->mbx_snapshot;
241 	struct ice_mbx_snap_buffer_data *snap_buf;
242 	struct ice_ctl_q_info *cq = &hw->mailboxq;
243 	enum ice_mbx_snapshot_state new_state;
244 	bool is_malvf = false;
245 	int status = 0;
246 
247 	if (!report_malvf || !mbx_data || !vf_info)
248 		return -EINVAL;
249 
250 	*report_malvf = false;
251 
252 	/* When entering the mailbox state machine assume that the VF
253 	 * is not malicious until detected.
254 	 */
255 	 /* Checking if max messages allowed to be processed while servicing current
256 	  * interrupt is not less than the defined AVF message threshold.
257 	  */
258 	if (mbx_data->max_num_msgs_mbx <= ICE_ASYNC_VF_MSG_THRESHOLD)
259 		return -EINVAL;
260 
261 	/* The watermark value should not be lesser than the threshold limit
262 	 * set for the number of asynchronous messages a VF can send to mailbox
263 	 * nor should it be greater than the maximum number of messages in the
264 	 * mailbox serviced in current interrupt.
265 	 */
266 	if (mbx_data->async_watermark_val < ICE_ASYNC_VF_MSG_THRESHOLD ||
267 	    mbx_data->async_watermark_val > mbx_data->max_num_msgs_mbx)
268 		return -EINVAL;
269 
270 	new_state = ICE_MAL_VF_DETECT_STATE_INVALID;
271 	snap_buf = &snap->mbx_buf;
272 
273 	switch (snap_buf->state) {
274 	case ICE_MAL_VF_DETECT_STATE_NEW_SNAPSHOT:
275 		/* Clear any previously held data in mailbox snapshot structure. */
276 		ice_mbx_reset_snapshot(snap);
277 
278 		/* Collect the pending ARQ count, number of messages processed and
279 		 * the maximum number of messages allowed to be processed from the
280 		 * Mailbox for current interrupt.
281 		 */
282 		snap_buf->num_pending_arq = mbx_data->num_pending_arq;
283 		snap_buf->num_msg_proc = mbx_data->num_msg_proc;
284 		snap_buf->max_num_msgs_mbx = mbx_data->max_num_msgs_mbx;
285 
286 		/* Capture a new static snapshot of the mailbox by logging the
287 		 * head and tail of snapshot and set num_iterations to the tail
288 		 * value to mark the start of the iteration through the snapshot.
289 		 */
290 		snap_buf->head = ICE_RQ_DATA_MASK(cq->rq.next_to_clean +
291 						  mbx_data->num_pending_arq);
292 		snap_buf->tail = ICE_RQ_DATA_MASK(cq->rq.next_to_clean - 1);
293 		snap_buf->num_iterations = snap_buf->tail;
294 
295 		/* Pending ARQ messages returned by ice_clean_rq_elem
296 		 * is the difference between the head and tail of the
297 		 * mailbox queue. Comparing this value against the watermark
298 		 * helps to check if we potentially have malicious VFs.
299 		 */
300 		if (snap_buf->num_pending_arq >=
301 		    mbx_data->async_watermark_val) {
302 			new_state = ICE_MAL_VF_DETECT_STATE_DETECT;
303 			status = ice_mbx_detect_malvf(hw, vf_info, &new_state, &is_malvf);
304 		} else {
305 			new_state = ICE_MAL_VF_DETECT_STATE_TRAVERSE;
306 			ice_mbx_traverse(hw, &new_state);
307 		}
308 		break;
309 
310 	case ICE_MAL_VF_DETECT_STATE_TRAVERSE:
311 		new_state = ICE_MAL_VF_DETECT_STATE_TRAVERSE;
312 		ice_mbx_traverse(hw, &new_state);
313 		break;
314 
315 	case ICE_MAL_VF_DETECT_STATE_DETECT:
316 		new_state = ICE_MAL_VF_DETECT_STATE_DETECT;
317 		status = ice_mbx_detect_malvf(hw, vf_info, &new_state, &is_malvf);
318 		break;
319 
320 	default:
321 		new_state = ICE_MAL_VF_DETECT_STATE_INVALID;
322 		status = -EIO;
323 	}
324 
325 	snap_buf->state = new_state;
326 
327 	/* Only report VFs as malicious the first time we detect it */
328 	if (is_malvf && !vf_info->malicious) {
329 		vf_info->malicious = 1;
330 		*report_malvf = true;
331 	}
332 
333 	return status;
334 }
335 
336 /**
337  * ice_mbx_clear_malvf - Clear VF mailbox info
338  * @vf_info: the mailbox tracking structure for a VF
339  *
340  * In case of a VF reset, this function shall be called to clear the VF's
341  * current mailbox tracking state.
342  */
ice_mbx_clear_malvf(struct ice_mbx_vf_info * vf_info)343 void ice_mbx_clear_malvf(struct ice_mbx_vf_info *vf_info)
344 {
345 	vf_info->malicious = 0;
346 	vf_info->msg_count = 0;
347 }
348 
349 /**
350  * ice_mbx_init_vf_info - Initialize a new VF mailbox tracking info
351  * @hw: pointer to the hardware structure
352  * @vf_info: the mailbox tracking info structure for a VF
353  *
354  * Initialize a VF mailbox tracking info structure and insert it into the
355  * snapshot list.
356  *
357  * If you remove the VF, you must also delete the associated VF info structure
358  * from the linked list.
359  */
ice_mbx_init_vf_info(struct ice_hw * hw,struct ice_mbx_vf_info * vf_info)360 void ice_mbx_init_vf_info(struct ice_hw *hw, struct ice_mbx_vf_info *vf_info)
361 {
362 	struct ice_mbx_snapshot *snap = &hw->mbx_snapshot;
363 
364 	ice_mbx_clear_malvf(vf_info);
365 	list_add(&vf_info->list_entry, &snap->mbx_vf);
366 }
367 
368 /**
369  * ice_mbx_init_snapshot - Initialize mailbox snapshot data
370  * @hw: pointer to the hardware structure
371  *
372  * Clear the mailbox snapshot structure and initialize the VF mailbox list.
373  */
ice_mbx_init_snapshot(struct ice_hw * hw)374 void ice_mbx_init_snapshot(struct ice_hw *hw)
375 {
376 	struct ice_mbx_snapshot *snap = &hw->mbx_snapshot;
377 
378 	INIT_LIST_HEAD(&snap->mbx_vf);
379 	ice_mbx_reset_snapshot(snap);
380 }
381