1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2018, Intel Corporation. */
3 
4 #include "ice_common.h"
5 #include "ice_vf_mbx.h"
6 
7 /**
8  * ice_aq_send_msg_to_vf
9  * @hw: pointer to the hardware structure
10  * @vfid: VF ID to send msg
11  * @v_opcode: opcodes for VF-PF communication
12  * @v_retval: return error code
13  * @msg: pointer to the msg buffer
14  * @msglen: msg length
15  * @cd: pointer to command details
16  *
17  * Send message to VF driver (0x0802) using mailbox
18  * queue and asynchronously sending message via
19  * ice_sq_send_cmd() function
20  */
21 int
22 ice_aq_send_msg_to_vf(struct ice_hw *hw, u16 vfid, u32 v_opcode, u32 v_retval,
23 		      u8 *msg, u16 msglen, struct ice_sq_cd *cd)
24 {
25 	struct ice_aqc_pf_vf_msg *cmd;
26 	struct ice_aq_desc desc;
27 
28 	ice_fill_dflt_direct_cmd_desc(&desc, ice_mbx_opc_send_msg_to_vf);
29 
30 	cmd = &desc.params.virt;
31 	cmd->id = cpu_to_le32(vfid);
32 
33 	desc.cookie_high = cpu_to_le32(v_opcode);
34 	desc.cookie_low = cpu_to_le32(v_retval);
35 
36 	if (msglen)
37 		desc.flags |= cpu_to_le16(ICE_AQ_FLAG_RD);
38 
39 	return ice_sq_send_cmd(hw, &hw->mailboxq, &desc, msg, msglen, cd);
40 }
41 
42 /**
43  * ice_conv_link_speed_to_virtchnl
44  * @adv_link_support: determines the format of the returned link speed
45  * @link_speed: variable containing the link_speed to be converted
46  *
47  * Convert link speed supported by HW to link speed supported by virtchnl.
48  * If adv_link_support is true, then return link speed in Mbps. Else return
49  * link speed as a VIRTCHNL_LINK_SPEED_* casted to a u32. Note that the caller
50  * needs to cast back to an enum virtchnl_link_speed in the case where
51  * adv_link_support is false, but when adv_link_support is true the caller can
52  * expect the speed in Mbps.
53  */
54 u32 ice_conv_link_speed_to_virtchnl(bool adv_link_support, u16 link_speed)
55 {
56 	u32 speed;
57 
58 	if (adv_link_support)
59 		switch (link_speed) {
60 		case ICE_AQ_LINK_SPEED_10MB:
61 			speed = ICE_LINK_SPEED_10MBPS;
62 			break;
63 		case ICE_AQ_LINK_SPEED_100MB:
64 			speed = ICE_LINK_SPEED_100MBPS;
65 			break;
66 		case ICE_AQ_LINK_SPEED_1000MB:
67 			speed = ICE_LINK_SPEED_1000MBPS;
68 			break;
69 		case ICE_AQ_LINK_SPEED_2500MB:
70 			speed = ICE_LINK_SPEED_2500MBPS;
71 			break;
72 		case ICE_AQ_LINK_SPEED_5GB:
73 			speed = ICE_LINK_SPEED_5000MBPS;
74 			break;
75 		case ICE_AQ_LINK_SPEED_10GB:
76 			speed = ICE_LINK_SPEED_10000MBPS;
77 			break;
78 		case ICE_AQ_LINK_SPEED_20GB:
79 			speed = ICE_LINK_SPEED_20000MBPS;
80 			break;
81 		case ICE_AQ_LINK_SPEED_25GB:
82 			speed = ICE_LINK_SPEED_25000MBPS;
83 			break;
84 		case ICE_AQ_LINK_SPEED_40GB:
85 			speed = ICE_LINK_SPEED_40000MBPS;
86 			break;
87 		case ICE_AQ_LINK_SPEED_50GB:
88 			speed = ICE_LINK_SPEED_50000MBPS;
89 			break;
90 		case ICE_AQ_LINK_SPEED_100GB:
91 			speed = ICE_LINK_SPEED_100000MBPS;
92 			break;
93 		default:
94 			speed = ICE_LINK_SPEED_UNKNOWN;
95 			break;
96 		}
97 	else
98 		/* Virtchnl speeds are not defined for every speed supported in
99 		 * the hardware. To maintain compatibility with older AVF
100 		 * drivers, while reporting the speed the new speed values are
101 		 * resolved to the closest known virtchnl speeds
102 		 */
103 		switch (link_speed) {
104 		case ICE_AQ_LINK_SPEED_10MB:
105 		case ICE_AQ_LINK_SPEED_100MB:
106 			speed = (u32)VIRTCHNL_LINK_SPEED_100MB;
107 			break;
108 		case ICE_AQ_LINK_SPEED_1000MB:
109 		case ICE_AQ_LINK_SPEED_2500MB:
110 		case ICE_AQ_LINK_SPEED_5GB:
111 			speed = (u32)VIRTCHNL_LINK_SPEED_1GB;
112 			break;
113 		case ICE_AQ_LINK_SPEED_10GB:
114 			speed = (u32)VIRTCHNL_LINK_SPEED_10GB;
115 			break;
116 		case ICE_AQ_LINK_SPEED_20GB:
117 			speed = (u32)VIRTCHNL_LINK_SPEED_20GB;
118 			break;
119 		case ICE_AQ_LINK_SPEED_25GB:
120 			speed = (u32)VIRTCHNL_LINK_SPEED_25GB;
121 			break;
122 		case ICE_AQ_LINK_SPEED_40GB:
123 		case ICE_AQ_LINK_SPEED_50GB:
124 		case ICE_AQ_LINK_SPEED_100GB:
125 			speed = (u32)VIRTCHNL_LINK_SPEED_40GB;
126 			break;
127 		default:
128 			speed = (u32)VIRTCHNL_LINK_SPEED_UNKNOWN;
129 			break;
130 		}
131 
132 	return speed;
133 }
134 
135 /* The mailbox overflow detection algorithm helps to check if there
136  * is a possibility of a malicious VF transmitting too many MBX messages to the
137  * PF.
138  * 1. The mailbox snapshot structure, ice_mbx_snapshot, is initialized during
139  * driver initialization in ice_init_hw() using ice_mbx_init_snapshot().
140  * The struct ice_mbx_snapshot helps to track and traverse a static window of
141  * messages within the mailbox queue while looking for a malicious VF.
142  *
143  * 2. When the caller starts processing its mailbox queue in response to an
144  * interrupt, the structure ice_mbx_snapshot is expected to be cleared before
145  * the algorithm can be run for the first time for that interrupt. This can be
146  * done via ice_mbx_reset_snapshot().
147  *
148  * 3. For every message read by the caller from the MBX Queue, the caller must
149  * call the detection algorithm's entry function ice_mbx_vf_state_handler().
150  * Before every call to ice_mbx_vf_state_handler() the struct ice_mbx_data is
151  * filled as it is required to be passed to the algorithm.
152  *
153  * 4. Every time a message is read from the MBX queue, a VFId is received which
154  * is passed to the state handler. The boolean output is_malvf of the state
155  * handler ice_mbx_vf_state_handler() serves as an indicator to the caller
156  * whether this VF is malicious or not.
157  *
158  * 5. When a VF is identified to be malicious, the caller can send a message
159  * to the system administrator. The caller can invoke ice_mbx_report_malvf()
160  * to help determine if a malicious VF is to be reported or not. This function
161  * requires the caller to maintain a global bitmap to track all malicious VFs
162  * and pass that to ice_mbx_report_malvf() along with the VFID which was identified
163  * to be malicious by ice_mbx_vf_state_handler().
164  *
165  * 6. The global bitmap maintained by PF can be cleared completely if PF is in
166  * reset or the bit corresponding to a VF can be cleared if that VF is in reset.
167  * When a VF is shut down and brought back up, we assume that the new VF
168  * brought up is not malicious and hence report it if found malicious.
169  *
170  * 7. The function ice_mbx_reset_snapshot() is called to reset the information
171  * in ice_mbx_snapshot for every new mailbox interrupt handled.
172  *
173  * 8. The memory allocated for variables in ice_mbx_snapshot is de-allocated
174  * when driver is unloaded.
175  */
176 #define ICE_RQ_DATA_MASK(rq_data) ((rq_data) & PF_MBX_ARQH_ARQH_M)
177 /* Using the highest value for an unsigned 16-bit value 0xFFFF to indicate that
178  * the max messages check must be ignored in the algorithm
179  */
180 #define ICE_IGNORE_MAX_MSG_CNT	0xFFFF
181 
182 /**
183  * ice_mbx_traverse - Pass through mailbox snapshot
184  * @hw: pointer to the HW struct
185  * @new_state: new algorithm state
186  *
187  * Traversing the mailbox static snapshot without checking
188  * for malicious VFs.
189  */
190 static void
191 ice_mbx_traverse(struct ice_hw *hw,
192 		 enum ice_mbx_snapshot_state *new_state)
193 {
194 	struct ice_mbx_snap_buffer_data *snap_buf;
195 	u32 num_iterations;
196 
197 	snap_buf = &hw->mbx_snapshot.mbx_buf;
198 
199 	/* As mailbox buffer is circular, applying a mask
200 	 * on the incremented iteration count.
201 	 */
202 	num_iterations = ICE_RQ_DATA_MASK(++snap_buf->num_iterations);
203 
204 	/* Checking either of the below conditions to exit snapshot traversal:
205 	 * Condition-1: If the number of iterations in the mailbox is equal to
206 	 * the mailbox head which would indicate that we have reached the end
207 	 * of the static snapshot.
208 	 * Condition-2: If the maximum messages serviced in the mailbox for a
209 	 * given interrupt is the highest possible value then there is no need
210 	 * to check if the number of messages processed is equal to it. If not
211 	 * check if the number of messages processed is greater than or equal
212 	 * to the maximum number of mailbox entries serviced in current work item.
213 	 */
214 	if (num_iterations == snap_buf->head ||
215 	    (snap_buf->max_num_msgs_mbx < ICE_IGNORE_MAX_MSG_CNT &&
216 	     ++snap_buf->num_msg_proc >= snap_buf->max_num_msgs_mbx))
217 		*new_state = ICE_MAL_VF_DETECT_STATE_NEW_SNAPSHOT;
218 }
219 
220 /**
221  * ice_mbx_detect_malvf - Detect malicious VF in snapshot
222  * @hw: pointer to the HW struct
223  * @vf_id: relative virtual function ID
224  * @new_state: new algorithm state
225  * @is_malvf: boolean output to indicate if VF is malicious
226  *
227  * This function tracks the number of asynchronous messages
228  * sent per VF and marks the VF as malicious if it exceeds
229  * the permissible number of messages to send.
230  */
231 static int
232 ice_mbx_detect_malvf(struct ice_hw *hw, u16 vf_id,
233 		     enum ice_mbx_snapshot_state *new_state,
234 		     bool *is_malvf)
235 {
236 	struct ice_mbx_snapshot *snap = &hw->mbx_snapshot;
237 
238 	if (vf_id >= snap->mbx_vf.vfcntr_len)
239 		return -EIO;
240 
241 	/* increment the message count in the VF array */
242 	snap->mbx_vf.vf_cntr[vf_id]++;
243 
244 	if (snap->mbx_vf.vf_cntr[vf_id] >= ICE_ASYNC_VF_MSG_THRESHOLD)
245 		*is_malvf = true;
246 
247 	/* continue to iterate through the mailbox snapshot */
248 	ice_mbx_traverse(hw, new_state);
249 
250 	return 0;
251 }
252 
253 /**
254  * ice_mbx_reset_snapshot - Reset mailbox snapshot structure
255  * @snap: pointer to mailbox snapshot structure in the ice_hw struct
256  *
257  * Reset the mailbox snapshot structure and clear VF counter array.
258  */
259 static void ice_mbx_reset_snapshot(struct ice_mbx_snapshot *snap)
260 {
261 	u32 vfcntr_len;
262 
263 	if (!snap || !snap->mbx_vf.vf_cntr)
264 		return;
265 
266 	/* Clear VF counters. */
267 	vfcntr_len = snap->mbx_vf.vfcntr_len;
268 	if (vfcntr_len)
269 		memset(snap->mbx_vf.vf_cntr, 0,
270 		       (vfcntr_len * sizeof(*snap->mbx_vf.vf_cntr)));
271 
272 	/* Reset mailbox snapshot for a new capture. */
273 	memset(&snap->mbx_buf, 0, sizeof(snap->mbx_buf));
274 	snap->mbx_buf.state = ICE_MAL_VF_DETECT_STATE_NEW_SNAPSHOT;
275 }
276 
277 /**
278  * ice_mbx_vf_state_handler - Handle states of the overflow algorithm
279  * @hw: pointer to the HW struct
280  * @mbx_data: pointer to structure containing mailbox data
281  * @vf_id: relative virtual function (VF) ID
282  * @is_malvf: boolean output to indicate if VF is malicious
283  *
284  * The function serves as an entry point for the malicious VF
285  * detection algorithm by handling the different states and state
286  * transitions of the algorithm:
287  * New snapshot: This state is entered when creating a new static
288  * snapshot. The data from any previous mailbox snapshot is
289  * cleared and a new capture of the mailbox head and tail is
290  * logged. This will be the new static snapshot to detect
291  * asynchronous messages sent by VFs. On capturing the snapshot
292  * and depending on whether the number of pending messages in that
293  * snapshot exceed the watermark value, the state machine enters
294  * traverse or detect states.
295  * Traverse: If pending message count is below watermark then iterate
296  * through the snapshot without any action on VF.
297  * Detect: If pending message count exceeds watermark traverse
298  * the static snapshot and look for a malicious VF.
299  */
300 int
301 ice_mbx_vf_state_handler(struct ice_hw *hw,
302 			 struct ice_mbx_data *mbx_data, u16 vf_id,
303 			 bool *is_malvf)
304 {
305 	struct ice_mbx_snapshot *snap = &hw->mbx_snapshot;
306 	struct ice_mbx_snap_buffer_data *snap_buf;
307 	struct ice_ctl_q_info *cq = &hw->mailboxq;
308 	enum ice_mbx_snapshot_state new_state;
309 	int status = 0;
310 
311 	if (!is_malvf || !mbx_data)
312 		return -EINVAL;
313 
314 	/* When entering the mailbox state machine assume that the VF
315 	 * is not malicious until detected.
316 	 */
317 	*is_malvf = false;
318 
319 	 /* Checking if max messages allowed to be processed while servicing current
320 	  * interrupt is not less than the defined AVF message threshold.
321 	  */
322 	if (mbx_data->max_num_msgs_mbx <= ICE_ASYNC_VF_MSG_THRESHOLD)
323 		return -EINVAL;
324 
325 	/* The watermark value should not be lesser than the threshold limit
326 	 * set for the number of asynchronous messages a VF can send to mailbox
327 	 * nor should it be greater than the maximum number of messages in the
328 	 * mailbox serviced in current interrupt.
329 	 */
330 	if (mbx_data->async_watermark_val < ICE_ASYNC_VF_MSG_THRESHOLD ||
331 	    mbx_data->async_watermark_val > mbx_data->max_num_msgs_mbx)
332 		return -EINVAL;
333 
334 	new_state = ICE_MAL_VF_DETECT_STATE_INVALID;
335 	snap_buf = &snap->mbx_buf;
336 
337 	switch (snap_buf->state) {
338 	case ICE_MAL_VF_DETECT_STATE_NEW_SNAPSHOT:
339 		/* Clear any previously held data in mailbox snapshot structure. */
340 		ice_mbx_reset_snapshot(snap);
341 
342 		/* Collect the pending ARQ count, number of messages processed and
343 		 * the maximum number of messages allowed to be processed from the
344 		 * Mailbox for current interrupt.
345 		 */
346 		snap_buf->num_pending_arq = mbx_data->num_pending_arq;
347 		snap_buf->num_msg_proc = mbx_data->num_msg_proc;
348 		snap_buf->max_num_msgs_mbx = mbx_data->max_num_msgs_mbx;
349 
350 		/* Capture a new static snapshot of the mailbox by logging the
351 		 * head and tail of snapshot and set num_iterations to the tail
352 		 * value to mark the start of the iteration through the snapshot.
353 		 */
354 		snap_buf->head = ICE_RQ_DATA_MASK(cq->rq.next_to_clean +
355 						  mbx_data->num_pending_arq);
356 		snap_buf->tail = ICE_RQ_DATA_MASK(cq->rq.next_to_clean - 1);
357 		snap_buf->num_iterations = snap_buf->tail;
358 
359 		/* Pending ARQ messages returned by ice_clean_rq_elem
360 		 * is the difference between the head and tail of the
361 		 * mailbox queue. Comparing this value against the watermark
362 		 * helps to check if we potentially have malicious VFs.
363 		 */
364 		if (snap_buf->num_pending_arq >=
365 		    mbx_data->async_watermark_val) {
366 			new_state = ICE_MAL_VF_DETECT_STATE_DETECT;
367 			status = ice_mbx_detect_malvf(hw, vf_id, &new_state, is_malvf);
368 		} else {
369 			new_state = ICE_MAL_VF_DETECT_STATE_TRAVERSE;
370 			ice_mbx_traverse(hw, &new_state);
371 		}
372 		break;
373 
374 	case ICE_MAL_VF_DETECT_STATE_TRAVERSE:
375 		new_state = ICE_MAL_VF_DETECT_STATE_TRAVERSE;
376 		ice_mbx_traverse(hw, &new_state);
377 		break;
378 
379 	case ICE_MAL_VF_DETECT_STATE_DETECT:
380 		new_state = ICE_MAL_VF_DETECT_STATE_DETECT;
381 		status = ice_mbx_detect_malvf(hw, vf_id, &new_state, is_malvf);
382 		break;
383 
384 	default:
385 		new_state = ICE_MAL_VF_DETECT_STATE_INVALID;
386 		status = -EIO;
387 	}
388 
389 	snap_buf->state = new_state;
390 
391 	return status;
392 }
393 
394 /**
395  * ice_mbx_report_malvf - Track and note malicious VF
396  * @hw: pointer to the HW struct
397  * @all_malvfs: all malicious VFs tracked by PF
398  * @bitmap_len: length of bitmap in bits
399  * @vf_id: relative virtual function ID of the malicious VF
400  * @report_malvf: boolean to indicate if malicious VF must be reported
401  *
402  * This function will update a bitmap that keeps track of the malicious
403  * VFs attached to the PF. A malicious VF must be reported only once if
404  * discovered between VF resets or loading so the function checks
405  * the input vf_id against the bitmap to verify if the VF has been
406  * detected in any previous mailbox iterations.
407  */
408 int
409 ice_mbx_report_malvf(struct ice_hw *hw, unsigned long *all_malvfs,
410 		     u16 bitmap_len, u16 vf_id, bool *report_malvf)
411 {
412 	if (!all_malvfs || !report_malvf)
413 		return -EINVAL;
414 
415 	*report_malvf = false;
416 
417 	if (bitmap_len < hw->mbx_snapshot.mbx_vf.vfcntr_len)
418 		return -EINVAL;
419 
420 	if (vf_id >= bitmap_len)
421 		return -EIO;
422 
423 	/* If the vf_id is found in the bitmap set bit and boolean to true */
424 	if (!test_and_set_bit(vf_id, all_malvfs))
425 		*report_malvf = true;
426 
427 	return 0;
428 }
429 
430 /**
431  * ice_mbx_clear_malvf - Clear VF bitmap and counter for VF ID
432  * @snap: pointer to the mailbox snapshot structure
433  * @all_malvfs: all malicious VFs tracked by PF
434  * @bitmap_len: length of bitmap in bits
435  * @vf_id: relative virtual function ID of the malicious VF
436  *
437  * In case of a VF reset, this function can be called to clear
438  * the bit corresponding to the VF ID in the bitmap tracking all
439  * malicious VFs attached to the PF. The function also clears the
440  * VF counter array at the index of the VF ID. This is to ensure
441  * that the new VF loaded is not considered malicious before going
442  * through the overflow detection algorithm.
443  */
444 int
445 ice_mbx_clear_malvf(struct ice_mbx_snapshot *snap, unsigned long *all_malvfs,
446 		    u16 bitmap_len, u16 vf_id)
447 {
448 	if (!snap || !all_malvfs)
449 		return -EINVAL;
450 
451 	if (bitmap_len < snap->mbx_vf.vfcntr_len)
452 		return -EINVAL;
453 
454 	/* Ensure VF ID value is not larger than bitmap or VF counter length */
455 	if (vf_id >= bitmap_len || vf_id >= snap->mbx_vf.vfcntr_len)
456 		return -EIO;
457 
458 	/* Clear VF ID bit in the bitmap tracking malicious VFs attached to PF */
459 	clear_bit(vf_id, all_malvfs);
460 
461 	/* Clear the VF counter in the mailbox snapshot structure for that VF ID.
462 	 * This is to ensure that if a VF is unloaded and a new one brought back
463 	 * up with the same VF ID for a snapshot currently in traversal or detect
464 	 * state the counter for that VF ID does not increment on top of existing
465 	 * values in the mailbox overflow detection algorithm.
466 	 */
467 	snap->mbx_vf.vf_cntr[vf_id] = 0;
468 
469 	return 0;
470 }
471 
472 /**
473  * ice_mbx_init_snapshot - Initialize mailbox snapshot structure
474  * @hw: pointer to the hardware structure
475  * @vf_count: number of VFs allocated on a PF
476  *
477  * Clear the mailbox snapshot structure and allocate memory
478  * for the VF counter array based on the number of VFs allocated
479  * on that PF.
480  *
481  * Assumption: This function will assume ice_get_caps() has already been
482  * called to ensure that the vf_count can be compared against the number
483  * of VFs supported as defined in the functional capabilities of the device.
484  */
485 int ice_mbx_init_snapshot(struct ice_hw *hw, u16 vf_count)
486 {
487 	struct ice_mbx_snapshot *snap = &hw->mbx_snapshot;
488 
489 	/* Ensure that the number of VFs allocated is non-zero and
490 	 * is not greater than the number of supported VFs defined in
491 	 * the functional capabilities of the PF.
492 	 */
493 	if (!vf_count || vf_count > hw->func_caps.num_allocd_vfs)
494 		return -EINVAL;
495 
496 	snap->mbx_vf.vf_cntr = devm_kcalloc(ice_hw_to_dev(hw), vf_count,
497 					    sizeof(*snap->mbx_vf.vf_cntr),
498 					    GFP_KERNEL);
499 	if (!snap->mbx_vf.vf_cntr)
500 		return -ENOMEM;
501 
502 	/* Setting the VF counter length to the number of allocated
503 	 * VFs for given PF's functional capabilities.
504 	 */
505 	snap->mbx_vf.vfcntr_len = vf_count;
506 
507 	/* Clear mbx_buf in the mailbox snaphot structure and setting the
508 	 * mailbox snapshot state to a new capture.
509 	 */
510 	memset(&snap->mbx_buf, 0, sizeof(snap->mbx_buf));
511 	snap->mbx_buf.state = ICE_MAL_VF_DETECT_STATE_NEW_SNAPSHOT;
512 
513 	return 0;
514 }
515 
516 /**
517  * ice_mbx_deinit_snapshot - Free mailbox snapshot structure
518  * @hw: pointer to the hardware structure
519  *
520  * Clear the mailbox snapshot structure and free the VF counter array.
521  */
522 void ice_mbx_deinit_snapshot(struct ice_hw *hw)
523 {
524 	struct ice_mbx_snapshot *snap = &hw->mbx_snapshot;
525 
526 	/* Free VF counter array and reset VF counter length */
527 	devm_kfree(ice_hw_to_dev(hw), snap->mbx_vf.vf_cntr);
528 	snap->mbx_vf.vfcntr_len = 0;
529 
530 	/* Clear mbx_buf in the mailbox snaphot structure */
531 	memset(&snap->mbx_buf, 0, sizeof(snap->mbx_buf));
532 }
533