From patchwork Tue May 15 16:56:12 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ferruh Yigit <ferruh.yigit@intel.com>
X-Patchwork-Id: 40063
X-Patchwork-Delegate: thomas@monjalon.net
Return-Path: <dev-bounces@dpdk.org>
X-Original-To: patchwork@dpdk.org
Delivered-To: patchwork@dpdk.org
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id DAE2C1B79B;
	Tue, 15 May 2018 18:56:37 +0200 (CEST)
Received: from mga03.intel.com (mga03.intel.com [134.134.136.65])
	by dpdk.org (Postfix) with ESMTP id 182141B798
	for <dev@dpdk.org>; Tue, 15 May 2018 18:56:35 +0200 (CEST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga002.jf.intel.com ([10.7.209.21])
	by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
	15 May 2018 09:56:35 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.49,403,1520924400"; d="scan'208";a="58847827"
Received: from silpixa00399777.ir.intel.com (HELO
	silpixa00399777.ger.corp.intel.com) ([10.237.222.236])
	by orsmga002.jf.intel.com with ESMTP; 15 May 2018 09:56:33 -0700
From: Ferruh Yigit <ferruh.yigit@intel.com>
To: dev@dpdk.org
Cc: Ferruh Yigit <ferruh.yigit@intel.com>,
	Christian Ehrhardt <christian.ehrhardt@canonical.com>,
	Luca Boccassi <bluca@debian.org>,
	Maxime Coquelin <maxime.coquelin@redhat.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	Stephen Hemminger <stephen@networkplumber.org>
Date: Tue, 15 May 2018 17:56:12 +0100
Message-Id: <20180515165612.61243-1-ferruh.yigit@intel.com>
X-Mailer: git-send-email 2.14.3
Subject: [dpdk-dev] [PATCH] igb_uio: fail and log if kernel lock down is
	enabled
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://dpdk.org/ml/options/dev>,
	<mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://dpdk.org/ml/listinfo/dev>,
	<mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

When EFI secure boot is enabled, it is possible to lock down kernel and
prevent accessing device BARs and this makes igb_uio unusable.

Lock down patches are not part of the vanilla kernel but they are
applied and used by some distros already [1].

It is not possible to fix this issue, but intention of this patch is to
detect and log if kernel lock down enabled and don't insert the module
for that case.

The challenge is since this feature enabled by distros, they have
different config options and APIs for it. This patch is done based on
Fedora and Ubuntu kernel source, may needs to add more distro specific
support.

[1]
kernel.ubuntu.com/git/ubuntu/ubuntu-artful.git/commit/?id=99f9ef18d5b6
And a few more patches to

Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
---
Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Cc: Luca Boccassi <bluca@debian.org>
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
---
 kernel/linux/igb_uio/compat.h  | 24 ++++++++++++++++++++----
 kernel/linux/igb_uio/igb_uio.c |  5 +++++
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/kernel/linux/igb_uio/compat.h b/kernel/linux/igb_uio/compat.h
index d9f4d29fc..774c980c2 100644
--- a/kernel/linux/igb_uio/compat.h
+++ b/kernel/linux/igb_uio/compat.h
@@ -125,10 +125,6 @@ static bool pci_check_and_mask_intx(struct pci_dev *pdev)
 #define HAVE_PCI_IS_BRIDGE_API 1
 #endif
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 8, 0)
-#define HAVE_ALLOC_IRQ_VECTORS 1
-#endif
-
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 3, 0)
 #define HAVE_MSI_LIST_IN_GENERIC_DEVICE 1
 #endif
@@ -136,3 +132,23 @@ static bool pci_check_and_mask_intx(struct pci_dev *pdev)
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 5, 0)
 #define HAVE_PCI_MSI_MASK_IRQ 1
 #endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 8, 0)
+#define HAVE_ALLOC_IRQ_VECTORS 1
+#endif
+
+static inline bool igbuio_kernel_is_locked_down(void)
+{
+#ifdef CONFIG_LOCK_DOWN_KERNEL
+#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT /* fedora */
+	return kernel_is_locked_down(NULL);
+#elif CONFIG_EFI_SECURE_BOOT_LOCK_DOWN /* ubuntu */
+	return kernel_is_locked_down();
+#else
+	return false;
+#endif
+#else
+	return false;
+#endif
+
+}
diff --git a/kernel/linux/igb_uio/igb_uio.c b/kernel/linux/igb_uio/igb_uio.c
index cd9b7e721..b3233f18e 100644
--- a/kernel/linux/igb_uio/igb_uio.c
+++ b/kernel/linux/igb_uio/igb_uio.c
@@ -621,6 +621,11 @@ igbuio_pci_init_module(void)
 {
 	int ret;
 
+	if (igbuio_kernel_is_locked_down()) {
+		pr_err("Not able to use module, kernel lock down is enabled\n");
+		return -EINVAL;
+	}
+
 	ret = igbuio_config_intr_mode(intr_mode);
 	if (ret < 0)
 		return ret;