author | Mika Westerberg <mika.westerberg@linux.intel.com> | 2018-01-21 12:08:04 +0200 |
---|---|---|
committer | Mika Westerberg <mika.westerberg@linux.intel.com> | 2018-03-09 12:54:11 +0300 |
commit | 9aaa3b8b4c56d24210acef37b7c800ca218c3d40 (patch) | |
tree | d974db9578dc47b0157aa65c30aa3ddfbbb9d9e5 /drivers/thunderbolt/tb_msgs.h | |
parent | 14862ee308bbcaae0ac9927b6cbccccb51386b6c (diff) | |
thunderbolt: Add support for preboot ACL
Preboot ACL is a mechanism that allows connecting Thunderbolt devices
at boot time in a more secure way than the legacy Thunderbolt boot support.
As with the legacy boot option, this also needs to be enabled from the
BIOS before booting is allowed. The difference from the legacy mode is that
the userspace software explicitly adds device UUIDs by sending a special
message to the ICM firmware. Only the devices listed in the boot ACL are
connected automatically during the boot. This works in both "user" and
"secure" security levels.
We implement this in Linux by exposing a new sysfs attribute (boot_acl)
below each Thunderbolt domain. The userspace software can then update
the full list as needed.
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Diffstat (limited to 'drivers/thunderbolt/tb_msgs.h')
-rw-r--r-- | drivers/thunderbolt/tb_msgs.h | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/drivers/thunderbolt/tb_msgs.h b/drivers/thunderbolt/tb_msgs.h
index 9f52f842257a..496b91f3b579 100644
--- a/drivers/thunderbolt/tb_msgs.h
+++ b/drivers/thunderbolt/tb_msgs.h
@@ -102,6 +102,7 @@ enum icm_pkg_code {
 ICM_ADD_DEVICE_KEY = 0x6,
 ICM_GET_ROUTE = 0xa,
 ICM_APPROVE_XDOMAIN = 0x10,
+ ICM_PREBOOT_ACL = 0x18,
 };
 enum icm_event_code {
@@ -122,12 +123,13 @@ struct icm_pkg_header {
 #define ICM_FLAGS_NO_KEY BIT(1)
 #define ICM_FLAGS_SLEVEL_SHIFT 3
 #define ICM_FLAGS_SLEVEL_MASK GENMASK(4, 3)
+#define ICM_FLAGS_WRITE BIT(7)
 struct icm_pkg_driver_ready {
 struct icm_pkg_header hdr;
 };
-/* Falcon Ridge & Alpine Ridge common messages */
+/* Falcon Ridge only messages */
 struct icm_fr_pkg_driver_ready_response {
 struct icm_pkg_header hdr;
@@ -138,6 +140,8 @@ struct icm_fr_pkg_driver_ready_response {
 #define ICM_FR_SLEVEL_MASK 0xf
+/* Falcon Ridge & Alpine Ridge common messages */
+
 struct icm_fr_pkg_get_topology {
 struct icm_pkg_header hdr;
 };
@@ -274,6 +278,18 @@ struct icm_fr_pkg_approve_xdomain_response {
 /* Alpine Ridge only messages */
+struct icm_ar_pkg_driver_ready_response {
+ struct icm_pkg_header hdr;
+ u8 romver;
+ u8 ramver;
+ u16 info;
+};
+
+#define ICM_AR_INFO_SLEVEL_MASK GENMASK(3, 0)
+#define ICM_AR_INFO_BOOT_ACL_SHIFT 7
+#define ICM_AR_INFO_BOOT_ACL_MASK GENMASK(11, 7)
+#define ICM_AR_INFO_BOOT_ACL_SUPPORTED BIT(13)
+
 struct icm_ar_pkg_get_route {
 struct icm_pkg_header hdr;
 u16 reserved;
@@ -288,6 +304,23 @@ struct icm_ar_pkg_get_route_response {
 u32 route_lo;
 };
+struct icm_ar_boot_acl_entry {
+ u32 uuid_lo;
+ u32 uuid_hi;
+};
+
+#define ICM_AR_PREBOOT_ACL_ENTRIES 16
+
+struct icm_ar_pkg_preboot_acl {
+ struct icm_pkg_header hdr;
+ struct icm_ar_boot_acl_entry acl[ICM_AR_PREBOOT_ACL_ENTRIES];
+};
+
+struct icm_ar_pkg_preboot_acl_response {
+ struct icm_pkg_header hdr;
+ struct icm_ar_boot_acl_entry acl[ICM_AR_PREBOOT_ACL_ENTRIES];
+};
+
 /* XDomain messages */
 struct tb_xdomain_header { |
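Review bot: `ICM_AR_INFO_BOOT_ACL_MASK` is `GENMASK(11, 7)`, a five-bit field that can encode values up to 31, while the `acl[]` arrays added in the last hunk of this file hold only `ICM_AR_PREBOOT_ACL_ENTRIES` (16) slots. The code that decodes `info` is outside this diff, so whether it bounds the firmware-reported count cannot be checked here. If the raw value is used to size or index `acl[]`, anything above 16 would run past the array. I would put a comment next to the mask, `/* Entry count reported by firmware; clamp to ICM_AR_PREBOOT_ACL_ENTRIES before use */`, and have the decoder reject or clamp larger values.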
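Review bot: `struct icm_ar_boot_acl_entry` carries only `uuid_lo` and `uuid_hi`, 64 bits in total, yet the commit message describes the ACL as a list of device UUIDs, which are 128 bits wide. Nothing in the header says which UUID words the firmware stores or how an unused slot is encoded, and both determine how strongly an entry identifies a device. A comment above the struct would settle it, along the lines of `/* One boot ACL slot: 64 bits of the device UUID (which words: TODO); empty slot value: TODO */`, filled in from the firmware interface. The request and response structs have the same layout, so it would also help to state beside `ICM_FLAGS_WRITE` that this header flag is what separates a write from a read, if that is its role.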