1 /*
2  * Copyright 2019 Advanced Micro Devices, Inc.
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining a
5  * copy of this software and associated documentation files (the "Software"),
6  * to deal in the Software without restriction, including without limitation
7  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8  * and/or sell copies of the Software, and to permit persons to whom the
9  * Software is furnished to do so, subject to the following conditions:
10  *
11  * The above copyright notice and this permission notice shall be included in
12  * all copies or substantial portions of the Software.
13  *
14  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
17  * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR
18  * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
19  * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
20  * OTHER DEALINGS IN THE SOFTWARE.
21  *
22  */
23 
24 #include "CUnit/Basic.h"
25 
26 #include "amdgpu_test.h"
27 #include "amdgpu_drm.h"
28 #include "amdgpu_internal.h"
29 
30 #include <string.h>
31 #include <unistd.h>
32 #ifdef __FreeBSD__
33 #include <sys/endian.h>
34 #else
35 #include <endian.h>
36 #endif
37 #include <strings.h>
38 #include <xf86drm.h>
39 
40 static amdgpu_device_handle device_handle;
41 static uint32_t major_version;
42 static uint32_t minor_version;
43 
44 static struct drm_amdgpu_info_hw_ip  sdma_info;
45 
46 #ifndef ARRAY_SIZE
47 #define ARRAY_SIZE(_Arr)  (sizeof(_Arr)/sizeof((_Arr)[0]))
48 #endif
49 
50 
51 /* --------------------- Secure bounce test ------------------------ *
52  *
53  * The secure bounce test tests that we can evict a TMZ buffer,
54  * and page it back in, via a bounce buffer, as it encryption/decryption
55  * depends on its physical address, and have the same data, i.e. data
56  * integrity is preserved.
57  *
58  * The steps are as follows (from Christian K.):
59  *
60  * Buffer A which is TMZ protected and filled by the CPU with a
61  * certain pattern. That the GPU is reading only random nonsense from
62  * that pattern is irrelevant for the test.
63  *
64  * This buffer A is then secure copied into buffer B which is also
65  * TMZ protected.
66  *
67  * Buffer B is moved around, from VRAM to GTT, GTT to SYSTEM,
68  * etc.
69  *
70  * Then, we use another secure copy of buffer B back to buffer A.
71  *
72  * And lastly we check with the CPU the pattern.
73  *
74  * Assuming that we don't have memory contention and buffer A stayed
75  * at the same place, we should still see the same pattern when read
76  * by the CPU.
77  *
78  * If we don't see the same pattern then something in the buffer
79  * migration code is not working as expected.
80  */
81 
82 #define SECURE_BOUNCE_TEST_STR    "secure bounce"
83 #define SECURE_BOUNCE_FAILED_STR  SECURE_BOUNCE_TEST_STR " failed"
84 
85 #define PRINT_ERROR(_Res)   fprintf(stderr, "%s:%d: %s (%d)\n",	\
86 				    __func__, __LINE__, strerror(-(_Res)), _Res)
87 
88 #define PACKET_LCOPY_SIZE         7
89 #define PACKET_NOP_SIZE          12
90 
91 struct sec_amdgpu_bo {
92 	struct amdgpu_bo *bo;
93 	struct amdgpu_va *va;
94 };
95 
96 struct command_ctx {
97 	struct amdgpu_device    *dev;
98 	struct amdgpu_cs_ib_info cs_ibinfo;
99 	struct amdgpu_cs_request cs_req;
100 	struct amdgpu_context   *context;
101 	int ring_id;
102 };
103 
104 /**
105  * amdgpu_bo_alloc_map -- Allocate and map a buffer object (BO)
106  * @dev: The AMDGPU device this BO belongs to.
107  * @size: The size of the BO.
108  * @alignment: Alignment of the BO.
109  * @gem_domain: One of AMDGPU_GEM_DOMAIN_xyz.
110  * @alloc_flags: One of AMDGPU_GEM_CREATE_xyz.
111  * @sbo: the result
112  *
113  * Allocate a buffer object (BO) with the desired attributes
114  * as specified by the argument list and write out the result
115  * into @sbo.
116  *
117  * Return 0 on success and @sbo->bo and @sbo->va are set,
118  * or -errno on error.
119  */
amdgpu_bo_alloc_map(struct amdgpu_device * dev,unsigned size,unsigned alignment,unsigned gem_domain,uint64_t alloc_flags,struct sec_amdgpu_bo * sbo)120 static int amdgpu_bo_alloc_map(struct amdgpu_device *dev,
121 			       unsigned size,
122 			       unsigned alignment,
123 			       unsigned gem_domain,
124 			       uint64_t alloc_flags,
125 			       struct sec_amdgpu_bo *sbo)
126 {
127 	void *cpu;
128 	uint64_t mc_addr;
129 
130 	return amdgpu_bo_alloc_and_map_raw(dev,
131 					   size,
132 					   alignment,
133 					   gem_domain,
134 					   alloc_flags,
135 					   0,
136 					   &sbo->bo,
137 					   &cpu, &mc_addr,
138 					   &sbo->va);
139 }
140 
amdgpu_bo_unmap_free(struct sec_amdgpu_bo * sbo,const uint64_t size)141 static void amdgpu_bo_unmap_free(struct sec_amdgpu_bo *sbo,
142 				 const uint64_t size)
143 {
144 	(void) amdgpu_bo_unmap_and_free(sbo->bo,
145 					sbo->va,
146 					sbo->va->address,
147 					size);
148 	sbo->bo = NULL;
149 	sbo->va = NULL;
150 }
151 
amdgpu_sdma_lcopy(uint32_t * packet,const uint64_t dst,const uint64_t src,const uint32_t size,const int secure)152 static void amdgpu_sdma_lcopy(uint32_t *packet,
153 			      const uint64_t dst,
154 			      const uint64_t src,
155 			      const uint32_t size,
156 			      const int secure)
157 {
158 	/* Set the packet to Linear copy with TMZ set.
159 	 */
160 	packet[0] = htole32(secure << 18 | 1);
161 	packet[1] = htole32(size-1);
162 	packet[2] = htole32(0);
163 	packet[3] = htole32((uint32_t)(src & 0xFFFFFFFFU));
164 	packet[4] = htole32((uint32_t)(src >> 32));
165 	packet[5] = htole32((uint32_t)(dst & 0xFFFFFFFFU));
166 	packet[6] = htole32((uint32_t)(dst >> 32));
167 }
168 
amdgpu_sdma_nop(uint32_t * packet,uint32_t nop_count)169 static void amdgpu_sdma_nop(uint32_t *packet, uint32_t nop_count)
170 {
171 	/* A packet of the desired number of NOPs.
172 	 */
173 	packet[0] = htole32(nop_count << 16);
174 	for ( ; nop_count > 0; nop_count--)
175 		packet[nop_count-1] = 0;
176 }
177 
178 /**
179  * amdgpu_bo_lcopy -- linear copy with TMZ set, using sDMA
180  * @dev: AMDGPU device to which both buffer objects belong to
181  * @dst: destination buffer object
182  * @src: source buffer object
183  * @size: size of memory to move, in bytes.
184  * @secure: Set to 1 to perform secure copy, 0 for clear
185  *
186  * Issues and waits for completion of a Linear Copy with TMZ
187  * set, to the sDMA engine. @size should be a multiple of
188  * at least 16 bytes.
189  */
amdgpu_bo_lcopy(struct command_ctx * ctx,struct sec_amdgpu_bo * dst,struct sec_amdgpu_bo * src,const uint32_t size,int secure)190 static void amdgpu_bo_lcopy(struct command_ctx *ctx,
191 			    struct sec_amdgpu_bo *dst,
192 			    struct sec_amdgpu_bo *src,
193 			    const uint32_t size,
194 			    int secure)
195 {
196 	struct amdgpu_bo *bos[] = { dst->bo, src->bo };
197 	uint32_t packet[PACKET_LCOPY_SIZE];
198 
199 	amdgpu_sdma_lcopy(packet,
200 			  dst->va->address,
201 			  src->va->address,
202 			  size, secure);
203 	amdgpu_test_exec_cs_helper_raw(ctx->dev, ctx->context,
204 				       AMDGPU_HW_IP_DMA, ctx->ring_id,
205 				       ARRAY_SIZE(packet), packet,
206 				       ARRAY_SIZE(bos), bos,
207 				       &ctx->cs_ibinfo, &ctx->cs_req,
208 				       secure == 1);
209 }
210 
211 /**
212  * amdgpu_bo_move -- Evoke a move of the buffer object (BO)
213  * @dev: device to which this buffer object belongs to
214  * @bo: the buffer object to be moved
215  * @whereto: one of AMDGPU_GEM_DOMAIN_xyz
216  * @secure: set to 1 to submit secure IBs
217  *
218  * Evokes a move of the buffer object @bo to the GEM domain
219  * descibed by @whereto.
220  *
221  * Returns 0 on sucess; -errno on error.
222  */
amdgpu_bo_move(struct command_ctx * ctx,struct amdgpu_bo * bo,uint64_t whereto,int secure)223 static int amdgpu_bo_move(struct command_ctx *ctx,
224 			  struct amdgpu_bo *bo,
225 			  uint64_t whereto,
226 			  int secure)
227 {
228 	struct amdgpu_bo *bos[] = { bo };
229 	struct drm_amdgpu_gem_op gop = {
230 		.handle  = bo->handle,
231 		.op      = AMDGPU_GEM_OP_SET_PLACEMENT,
232 		.value   = whereto,
233 	};
234 	uint32_t packet[PACKET_NOP_SIZE];
235 	int res;
236 
237 	/* Change the buffer's placement.
238 	 */
239 	res = drmIoctl(ctx->dev->fd, DRM_IOCTL_AMDGPU_GEM_OP, &gop);
240 	if (res)
241 		return -errno;
242 
243 	/* Now issue a NOP to actually evoke the MM to move
244 	 * it to the desired location.
245 	 */
246 	amdgpu_sdma_nop(packet, PACKET_NOP_SIZE);
247 	amdgpu_test_exec_cs_helper_raw(ctx->dev, ctx->context,
248 				       AMDGPU_HW_IP_DMA, ctx->ring_id,
249 				       ARRAY_SIZE(packet), packet,
250 				       ARRAY_SIZE(bos), bos,
251 				       &ctx->cs_ibinfo, &ctx->cs_req,
252 				       secure == 1);
253 	return 0;
254 }
255 
256 /* Safe, O Sec!
257  */
258 static const uint8_t secure_pattern[] = { 0x5A, 0xFE, 0x05, 0xEC };
259 
260 #define SECURE_BUFFER_SIZE       (4 * 1024 * sizeof(secure_pattern))
261 
amdgpu_secure_bounce(void)262 static void amdgpu_secure_bounce(void)
263 {
264 	struct sec_amdgpu_bo alice, bob;
265 	struct command_ctx   sb_ctx;
266 	long page_size;
267 	uint8_t *pp;
268 	int res;
269 
270 	page_size = sysconf(_SC_PAGESIZE);
271 
272 	memset(&sb_ctx, 0, sizeof(sb_ctx));
273 	sb_ctx.dev = device_handle;
274 	res = amdgpu_cs_ctx_create(sb_ctx.dev, &sb_ctx.context);
275 	if (res) {
276 		PRINT_ERROR(res);
277 		CU_FAIL(SECURE_BOUNCE_FAILED_STR);
278 		return;
279 	}
280 
281 	/* Use the first present ring.
282 	 */
283 	res = ffs(sdma_info.available_rings) - 1;
284 	if (res == -1) {
285 		PRINT_ERROR(-ENOENT);
286 		CU_FAIL(SECURE_BOUNCE_FAILED_STR);
287 		goto Out_free_ctx;
288 	}
289 	sb_ctx.ring_id = res;
290 
291 	/* Allocate a buffer named Alice in VRAM.
292 	 */
293 	res = amdgpu_bo_alloc_map(device_handle,
294 				  SECURE_BUFFER_SIZE,
295 				  page_size,
296 				  AMDGPU_GEM_DOMAIN_VRAM,
297 				  AMDGPU_GEM_CREATE_ENCRYPTED,
298 				  &alice);
299 	if (res) {
300 		PRINT_ERROR(res);
301 		CU_FAIL(SECURE_BOUNCE_FAILED_STR);
302 		return;
303 	}
304 
305 	/* Fill Alice with a pattern.
306 	 */
307 	for (pp = alice.bo->cpu_ptr;
308 	     pp < (typeof(pp)) alice.bo->cpu_ptr + SECURE_BUFFER_SIZE;
309 	     pp += sizeof(secure_pattern))
310 		memcpy(pp, secure_pattern, sizeof(secure_pattern));
311 
312 	/* Allocate a buffer named Bob in VRAM.
313 	 */
314 	res = amdgpu_bo_alloc_map(device_handle,
315 				  SECURE_BUFFER_SIZE,
316 				  page_size,
317 				  AMDGPU_GEM_DOMAIN_VRAM,
318 				  0 /* AMDGPU_GEM_CREATE_ENCRYPTED */,
319 				  &bob);
320 	if (res) {
321 		PRINT_ERROR(res);
322 		CU_FAIL(SECURE_BOUNCE_FAILED_STR);
323 		goto Out_free_Alice;
324 	}
325 
326 	/* sDMA clear copy from Alice to Bob.
327 	 */
328 	amdgpu_bo_lcopy(&sb_ctx, &bob, &alice, SECURE_BUFFER_SIZE, 0);
329 
330 	/* Move Bob to the GTT domain.
331 	 */
332 	res = amdgpu_bo_move(&sb_ctx, bob.bo, AMDGPU_GEM_DOMAIN_GTT, 0);
333 	if (res) {
334 		PRINT_ERROR(res);
335 		CU_FAIL(SECURE_BOUNCE_FAILED_STR);
336 		goto Out_free_all;
337 	}
338 
339 	/* sDMA clear copy from Bob to Alice.
340 	 */
341 	amdgpu_bo_lcopy(&sb_ctx, &alice, &bob, SECURE_BUFFER_SIZE, 0);
342 
343 	/* Verify the contents of Alice.
344 	 */
345 	for (pp = alice.bo->cpu_ptr;
346 	     pp < (typeof(pp)) alice.bo->cpu_ptr + SECURE_BUFFER_SIZE;
347 	     pp += sizeof(secure_pattern)) {
348 		res = memcmp(pp, secure_pattern, sizeof(secure_pattern));
349 		if (res) {
350 			fprintf(stderr, SECURE_BOUNCE_FAILED_STR);
351 			CU_FAIL(SECURE_BOUNCE_FAILED_STR);
352 			break;
353 		}
354 	}
355 
356 Out_free_all:
357 	amdgpu_bo_unmap_free(&bob, SECURE_BUFFER_SIZE);
358 Out_free_Alice:
359 	amdgpu_bo_unmap_free(&alice, SECURE_BUFFER_SIZE);
360 Out_free_ctx:
361 	res = amdgpu_cs_ctx_free(sb_ctx.context);
362 	CU_ASSERT_EQUAL(res, 0);
363 }
364 
365 /* ----------------------------------------------------------------- */
366 
amdgpu_security_alloc_buf_test(void)367 static void amdgpu_security_alloc_buf_test(void)
368 {
369 	amdgpu_bo_handle bo;
370 	amdgpu_va_handle va_handle;
371 	uint64_t bo_mc;
372 	int r;
373 
374 	/* Test secure buffer allocation in VRAM */
375 	bo = gpu_mem_alloc(device_handle, 4096, 4096,
376 			   AMDGPU_GEM_DOMAIN_VRAM,
377 			   AMDGPU_GEM_CREATE_ENCRYPTED,
378 			   &bo_mc, &va_handle);
379 
380 	r = gpu_mem_free(bo, va_handle, bo_mc, 4096);
381 	CU_ASSERT_EQUAL(r, 0);
382 
383 	/* Test secure buffer allocation in system memory */
384 	bo = gpu_mem_alloc(device_handle, 4096, 4096,
385 			   AMDGPU_GEM_DOMAIN_GTT,
386 			   AMDGPU_GEM_CREATE_ENCRYPTED,
387 			   &bo_mc, &va_handle);
388 
389 	r = gpu_mem_free(bo, va_handle, bo_mc, 4096);
390 	CU_ASSERT_EQUAL(r, 0);
391 
392 	/* Test secure buffer allocation in invisible VRAM */
393 	bo = gpu_mem_alloc(device_handle, 4096, 4096,
394 			   AMDGPU_GEM_DOMAIN_GTT,
395 			   AMDGPU_GEM_CREATE_ENCRYPTED |
396 			   AMDGPU_GEM_CREATE_NO_CPU_ACCESS,
397 			   &bo_mc, &va_handle);
398 
399 	r = gpu_mem_free(bo, va_handle, bo_mc, 4096);
400 	CU_ASSERT_EQUAL(r, 0);
401 }
402 
amdgpu_security_gfx_submission_test(void)403 static void amdgpu_security_gfx_submission_test(void)
404 {
405 	amdgpu_command_submission_write_linear_helper_with_secure(device_handle,
406 								  AMDGPU_HW_IP_GFX,
407 								  true);
408 }
409 
amdgpu_security_sdma_submission_test(void)410 static void amdgpu_security_sdma_submission_test(void)
411 {
412 	amdgpu_command_submission_write_linear_helper_with_secure(device_handle,
413 								  AMDGPU_HW_IP_DMA,
414 								  true);
415 }
416 
417 /* ----------------------------------------------------------------- */
418 
419 CU_TestInfo security_tests[] = {
420 	{ "allocate secure buffer test",        amdgpu_security_alloc_buf_test },
421 	{ "graphics secure command submission", amdgpu_security_gfx_submission_test },
422 	{ "sDMA secure command submission",     amdgpu_security_sdma_submission_test },
423 	{ SECURE_BOUNCE_TEST_STR,               amdgpu_secure_bounce },
424 	CU_TEST_INFO_NULL,
425 };
426 
suite_security_tests_enable(void)427 CU_BOOL suite_security_tests_enable(void)
428 {
429 	CU_BOOL enable = CU_TRUE;
430 
431 	if (amdgpu_device_initialize(drm_amdgpu[0], &major_version,
432 				     &minor_version, &device_handle))
433 		return CU_FALSE;
434 
435 	if (device_handle->info.family_id != AMDGPU_FAMILY_RV) {
436 		printf("\n\nDon't support TMZ (trust memory zone), security suite disabled\n");
437 		enable = CU_FALSE;
438 	}
439 
440 	if ((major_version < 3) ||
441 		((major_version == 3) && (minor_version < 37))) {
442 		printf("\n\nDon't support TMZ (trust memory zone), kernel DRM version (%d.%d)\n",
443 			major_version, minor_version);
444 		printf("is older, security suite disabled\n");
445 		enable = CU_FALSE;
446 	}
447 
448 	if (amdgpu_device_deinitialize(device_handle))
449 		return CU_FALSE;
450 
451 	return enable;
452 }
453 
suite_security_tests_init(void)454 int suite_security_tests_init(void)
455 {
456 	int res;
457 
458 	res = amdgpu_device_initialize(drm_amdgpu[0], &major_version,
459 				       &minor_version, &device_handle);
460 	if (res) {
461 		PRINT_ERROR(res);
462 		return CUE_SINIT_FAILED;
463 	}
464 
465 	res = amdgpu_query_hw_ip_info(device_handle,
466 				      AMDGPU_HW_IP_DMA,
467 				      0, &sdma_info);
468 	if (res) {
469 		PRINT_ERROR(res);
470 		return CUE_SINIT_FAILED;
471 	}
472 
473 	return CUE_SUCCESS;
474 }
475 
suite_security_tests_clean(void)476 int suite_security_tests_clean(void)
477 {
478 	int res;
479 
480 	res = amdgpu_device_deinitialize(device_handle);
481 	if (res)
482 		return CUE_SCLEAN_FAILED;
483 
484 	return CUE_SUCCESS;
485 }
486