README: Prominently address API/ABI stability

Make a header out of it to help catch people's eyes. Also add a contact
section beforehand so people know where to send feedback.

Signed-off-by: Andrew

README: Prominently address API/ABI stability

Make a header out of it to help catch people's eyes. Also add a contact
section beforehand so people know where to send feedback.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I9d8ec99fbdb0314075d175c0844eb232b6d7719d

show more ...

core: Fix large packet buffer overrun

The astlpc binding allows negotiation of Tx/Rx region sizes, but the
packet accumulator assumed packet sizes were at most 4096 bytes. Avoid
buffer overflow by

core: Fix large packet buffer overrun

The astlpc binding allows negotiation of Tx/Rx region sizes, but the
packet accumulator assumed packet sizes were at most 4096 bytes. Avoid
buffer overflow by allocating at least the length of the inbound packet
if we have not yet initialised the packet buffer.

Fixes:

=================================================================
==42296==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x7ff8a22235ce bp 0x7ffd47469750 sp 0x7ffd47468ef8
WRITE of size 8192 at 0x621000002500 thread T0
#0 0x7ff8a22235cd in __interceptor_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.6+0x3a5cd)
#1 0x7ff8a21ac78b in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 0x7ff8a21ac78b in mctp_msg_ctx_add_pkt /home/andrew/src/openbmc/libmctp/core.c:237
#3 0x7ff8a21af245 in mctp_bus_rx /home/andrew/src/openbmc/libmctp/core.c:495
#4 0x56458d3f9648 in mctp_astlpc_rx_start astlpc.c:813
#5 0x56458d3f9648 in mctp_astlpc_poll astlpc.c:931
#6 0x56458d3fc1f4 in astlpc_test_send_large_packet tests/test_astlpc.c:1111
#7 0x56458d3efc86 in main tests/test_astlpc.c:1185
#8 0x7ff8a165dcb1 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28cb1)
#9 0x56458d3efe7d in _start (/home/andrew/src/openbmc/libmctp/tests/.libs/test_astlpc+0x17e7d)

0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
#0 0x7ff8a22998d0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb08d0)
#1 0x7ff8a21b0533 in __mctp_realloc /home/andrew/src/openbmc/libmctp/alloc.c:48

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.6+0x3a5cd) in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff84a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==42296==ABORTING

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I9d39090cb9246ec2f6c06942d4f2a91fe0df0202

show more ...

core: Fix comment on size limits

We introduced size limits in 2c820c5ad455 ("core: Limit maximum size of
an assembled MCTP message").

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I955

core: Fix comment on size limits

We introduced size limits in 2c820c5ad455 ("core: Limit maximum size of
an assembled MCTP message").

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I9553027ddba65c344d29b4f7fd7817d6ff93f454

show more ...

astlpc: Extract MIN()/MAX() to range.h

Enable reuse beyond astlpc.c.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I090358882b2c4b9cb1a9393a9ae38dfbe80335e9

tests: astlpc: Re-order astlpc ops struct definitions

Make it easier to isolate test cases with `#if 0` hackery.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Ibc3daef821768407b01f7599

tests: astlpc: Re-order astlpc ops struct definitions

Make it easier to isolate test cases with `#if 0` hackery.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Ibc3daef821768407b01f75996d3ab614bb6b6593

show more ...

astlpc: Clear OBF during binding initialisation

Whatever the buffer ownership state was previously, it is now irrelevant
as we're initialising the binding. Ensure that we don't accidentally
block in

astlpc: Clear OBF during binding initialisation

Whatever the buffer ownership state was previously, it is now irrelevant
as we're initialising the binding. Ensure that we don't accidentally
block initialisation due to the host failing to consume the previous KCS
command (which implies OBF is set and therefore we would block on
sending the dummy command).

The relevant callsites for mctp_astlpc_kcs_set_status() were aleady
setting KCS_STATUS_OBF in the status value passed to the function,
therefore it's not necessary for the function to set it explicitly.
Removing the explicit KCS_STATUS_OBF from mctp_astlpc_kcs_set_status()
to make way for correct use in mctp_astlpc_init_bmc().

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I54266ee4459115e993af2ad6665252887c27ab3e

show more ...

core: handle memory allocation failures in mctp init

This just handles __mctp_alloc failures in libmctp.

Signed-off-by: Sumanth Bhat <sumanth.bhat@linux.intel.com>
Change-Id: I0b5beaf2b981a56133bd6

core: handle memory allocation failures in mctp init

This just handles __mctp_alloc failures in libmctp.

Signed-off-by: Sumanth Bhat <sumanth.bhat@linux.intel.com>
Change-Id: I0b5beaf2b981a56133bd6caaf269e75e28cefba7

show more ...

core: Limit maximum size of an assembled MCTP message

If libmctp receives sequence of fragment MCTP packets and never receives
EOM packet, this will cause heap memory to grow without bounds. This
co

core: Limit maximum size of an assembled MCTP message

If libmctp receives sequence of fragment MCTP packets and never receives
EOM packet, this will cause heap memory to grow without bounds. This
commit puts an upper cap on maximum MCTP message size. This should
protect us from any malicious device trying to exploiting this.

Also, this prevents overwhelming of the device's resources.
Section 10.1.5 of DSP0236 (v1.3.1) allows configuration of
endpoints to protect its resources.

Signed-off-by: Sumanth Bhat <sumanth.bhat@linux.intel.com>
Change-Id: Id62cfab7c25b3e1ccf955f2e924844b58b4be154

show more ...

core: Drop trivial length packets

If we receive packets which are of length less than mctp header size,
we can drop them without passing through message assembly process.

Signed-off-by: Sumanth Bha

core: Drop trivial length packets

If we receive packets which are of length less than mctp header size,
we can drop them without passing through message assembly process.

Signed-off-by: Sumanth Bhat <sumanth.bhat@linux.intel.com>
Change-Id: Idfe67530f7b2fb9c3ecb214a38f489a852b80c70

show more ...

core: Fix off-by-one assertion in mctp_pktbuf_alloc_end

pkt->end refers to the address after the last byte allocated to the
packet body, so we need a less-than-or-equal-to inequality.

Signed-off-by

core: Fix off-by-one assertion in mctp_pktbuf_alloc_end

pkt->end refers to the address after the last byte allocated to the
packet body, so we need a less-than-or-equal-to inequality.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Ie91f4fe015858b5d2f308289e806d85d8320f239

show more ...

core: Return size_t for mctp_pktbuf_size()

Large packets are enabled by e.g. MTU negotiation in the astlpc binding.
Avoid truncating large packets in calls to the pktbuf APIs.

Signed-off-by: Andrew

core: Return size_t for mctp_pktbuf_size()

Large packets are enabled by e.g. MTU negotiation in the astlpc binding.
Avoid truncating large packets in calls to the pktbuf APIs.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I1244d70fe93ca7538ca09256110d648c495c6aa7

show more ...

clang-format: Enable AlignConsecutiveMacros

clang-format-10 has been adopted in CI, so enable some of the more
useful recent features.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I92

clang-format: Enable AlignConsecutiveMacros

clang-format-10 has been adopted in CI, so enable some of the more
useful recent features.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I9293bacb049b97c0a9abdf7188ea2eea66e43092

show more ...

mctp-astlpc-demux: Explicitly construct a fileio astlpc instance

mctp-astlpc-demux is run on BMCs in userspace, so fileio is what we
require.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-

mctp-astlpc-demux: Explicitly construct a fileio astlpc instance

mctp-astlpc-demux is run on BMCs in userspace, so fileio is what we
require.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Iecd8df8901c14ea5924cdc1671b880b5f4824c6c

show more ...

astlpc: Request maximum MTU in fileio constructor

The MTU value 0 is special-cased to request the maximum possible MTU,
whatever that may be. Exploit this fact in the fileio constructor.

Signed-off

astlpc: Request maximum MTU in fileio constructor

The MTU value 0 is special-cased to request the maximum possible MTU,
whatever that may be. Exploit this fact in the fileio constructor.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Ib9ad48deb1644579d962b5939a3f3f444091f3ce

show more ...

libmctp: v0.10

Introduce v2 of the astlpc binding protocol.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Idaba0167f605d51fba30cebdce432ca9c38463d7

docs: astlpc: Document the behaviours of protocol version 2

The sole feature of version 2 is maximum transmission unit negotiation.
The process is designed in a backwards-compatible fashion with ver

docs: astlpc: Document the behaviours of protocol version 2

The sole feature of version 2 is maximum transmission unit negotiation.
The process is designed in a backwards-compatible fashion with version
1. The negotiated version must be at least 2 in order to exploit MTUs
larger than the baseline transmission unit.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Ife23e0551f975894fbb0544b4b1d3cf0b4190b4f

show more ...

docs: astlpc: Factor out KCS command and status sequences

Dedicate words to the mechanics of setting status and sending commands
via the KCS interface. Factor out these behaviours from the binding
i

docs: astlpc: Factor out KCS command and status sequences

Dedicate words to the mechanics of setting status and sending commands
via the KCS interface. Factor out these behaviours from the binding
initialisation and packet transmission sequences to keep them succinct.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I1316045d6bb6f3a980a83ed2b046d7e68cabbf01

show more ...

docs: astlpc: Describe some implementation details

However, isolate the details to their own section near the end of the
document so as not to disrupt specification of the binding behaviour.

Signed

docs: astlpc: Describe some implementation details

However, isolate the details to their own section near the end of the
document so as not to disrupt specification of the binding behaviour.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I7d4ab48b5659caa185a3f665857daee50dfb5a61

show more ...

docs: astlpc: Introduce scope, terms and reference sections

Link to supporting documentation and provide definitions for the various
terms used through the document.

Signed-off-by: Andrew Jeffery <

docs: astlpc: Introduce scope, terms and reference sections

Link to supporting documentation and provide definitions for the various
terms used through the document.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Id27dcda9720ca4717e395a83bcf1091f2e8416d2

show more ...

docs: Describe operation of the astlpc binding

This is a mostly-faithful reproduction of the internal document that has
so-far driven development of the binding inside IBM. It covers the
behaviour o

docs: Describe operation of the astlpc binding

This is a mostly-faithful reproduction of the internal document that has
so-far driven development of the binding inside IBM. It covers the
behaviour of the protocol along with constraints motivating its
development. The binding was developed for use on POWER host
architecture systems, which are LPC-based.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: I6708ed5776419ab03b2f569cb243b5e3df21885b

show more ...

astlpc: Bump protocol support to v2

The new functionality in v2 is the one feature to negotiate transmission
units larger than the MCTP baseline transmission unit.

Signed-off-by: Andrew Jeffery <an

astlpc: Bump protocol support to v2

The new functionality in v2 is the one feature to negotiate transmission
units larger than the MCTP baseline transmission unit.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Ia7d9b1177b0e0a3af911f2d960456682327abe4d

show more ...

astlpc: Make MTU configurable at binding instantiation

Make the MTU value provided to mctp_astlpc_init() stick. Previously we
just printed a warning and forced the MTU to the baseline transmission
u

astlpc: Make MTU configurable at binding instantiation

Make the MTU value provided to mctp_astlpc_init() stick. Previously we
just printed a warning and forced the MTU to the baseline transmission
unit. Now that MTU negotiation is in place, accept the provided value.

Change-Id: I0c026ba0a94a26a6d99755d3debf048b6e0b4aca
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>

show more ...

astlpc: Introduce MTU negotiation

MTU negotiation is implemented in a backwards-compatible manner with
version 1 of the astlpc binding. Functionally, MTU negotation involves
proposing arrangements o

astlpc: Introduce MTU negotiation

MTU negotiation is implemented in a backwards-compatible manner with
version 1 of the astlpc binding. Functionally, MTU negotation involves
proposing arrangements of the Rx and Tx buffer layouts. It is assumed
that the MTU is a packet sized to fill the Tx buffer as described in the
control space.

For v1 of the binding the MTU is defined in terms of the MCTP_BTU
constant provided by libmctp.h. MCTP_BTU is used regardless of the
buffer sizes specified in the control space (which MUST describe buffers
supporting at least MCTP_BTU-sized packets).

For v2 of the binding the MTU is defined in terms of the appropriate
buffer's size field in the control space.

The sequence of events for negotiating the MTU under v2 is as follows:

1. The BMC initialises its binding, filling out the Rx and Tx buffer
properties with the largest configuration it supports.

2. The host initialises its binding, writing its maximum Rx buffer size
before sending `channel-init` to the BMC.

3. The BMC receives `channel-init`, negotiates protocol version 2 and
then validates the host's proposed buffer configuration. If the proposed
configuration is invalid (e.g. out-of-bounds values) the BMC terminates
channel initialisation leaving the channel-active bit clear and writing
the zero to the negotiated version field. If the proposal is valid, the
BMC calculates the buffer sizes according to the available constraints
and writes the chosen buffer configuration to the control region.

4. Assuming the version negotiation and buffer configuration are
successful, the BMC sets `channel-active` and notifies the host

5. The host reads `channel-active`, accepts the negotiation of v2 and
validates the buffer configuration. If the validation passes, then the
buffer configuration is the configuration used for the remainder of the
session. If validation fails then the host MUST NOT send MCTP packets
via the LPC binding until a valid buffer configuration can be
negotiated.

Change-Id: I89107593f220418d746c2d73771348ed8f7f3e87
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>

show more ...

astlpc: Implement version negotiation

Binding version negotiation was previously left as a todo. With the
upcoming efforts to introduce MTU negotiation we need to repurpose some
of the fields in the

astlpc: Implement version negotiation

Binding version negotiation was previously left as a todo. With the
upcoming efforts to introduce MTU negotiation we need to repurpose some
of the fields in the control structure (in a backwards-compatible way),
so make sure we can first negotiate the protocol version before
proceeding to change the semantics of the fields.

Change-Id: Ibd2283987b8b60b3ab7ada667e2b507b4ac09034
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>

show more ...

astlpc: Remove redundant lpc_map_base member from context struct

We only make use of lpc_map once we've established where the structure
lives in the LPC FW address space; there's no need to carry lp

astlpc: Remove redundant lpc_map_base member from context struct

We only make use of lpc_map once we've established where the structure
lives in the LPC FW address space; there's no need to carry lpc_map_base
around beyond this initial calculation.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Change-Id: Ib341643b936c10e386d67934a5d92fb59dd5b477

show more ...