Pull hw lockdown support from David Howells:
"Annotation of module parameters that configure hardware resources
including ioports, iomem addresses, irq lines and dma channels.
This allows a future patch to prohibit the use of such module
parameters to prevent that hardware from being abused to gain access
to the running kernel image as part of locking the kernel down under
UEFI secure boot conditions.
Annotations are made by changing:
module_param(n, t, p)
module_param_named(n, v, t, p)
module_param_array(n, t, m, p)
to:
module_param_hw(n, t, hwtype, p)
module_param_hw_named(n, v, t, hwtype, p)
module_param_hw_array(n, t, hwtype, m, p)
where the module parameter refers to a hardware setting
hwtype specifies the type of the resource being configured. This can
be one of:
ioport Module parameter configures an I/O port
iomem Module parameter configures an I/O mem address
ioport_or_iomem Module parameter could be either (runtime set)
irq Module parameter configures an I/O port
dma Module parameter configures a DMA channel
dma_addr Module parameter configures a DMA buffer address
other Module parameter configures some other value
Note that the hwtype is compile checked, but not currently stored (the
lockdown code probably won't require it). It is, however, there for
future use.
A bonus is that the hwtype can also be used for grepping.
The intention is for the kernel to ignore or reject attempts to set
annotated module parameters if lockdown is enabled. This applies to
options passed on the boot command line, passed to insmod/modprobe or
direct twiddling in /sys/module/ parameter files.
The module initialisation then needs to handle the parameter not being
set, by (1) giving an error, (2) probing for a value or (3) using a
reasonable default.
What I can't do is just reject a module out of hand because it may
take a hardware setting in the module parameters. Some important
modules, some ipmi stuff for instance, both probe for hardware and
allow hardware to be manually specified; if the driver is aborts with
any error, you don't get any ipmi hardware.
Further, trying to do this entirely in the module initialisation code
doesn't protect against sysfs twiddling.
[!] Note that in and of itself, this series of patches should have no
effect on the the size of the kernel or code execution - that is
left to a patch in the next series to effect. It does mark
annotated kernel parameters with a KERNEL_PARAM_FL_HWPARAM flag in
an already existing field"
* tag 'hwparam-20170420' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: (38 commits)
Annotate hardware config module parameters in sound/pci/
Annotate hardware config module parameters in sound/oss/
Annotate hardware config module parameters in sound/isa/
Annotate hardware config module parameters in sound/drivers/
Annotate hardware config module parameters in fs/pstore/
Annotate hardware config module parameters in drivers/watchdog/
Annotate hardware config module parameters in drivers/video/
Annotate hardware config module parameters in drivers/tty/
Annotate hardware config module parameters in drivers/staging/vme/
Annotate hardware config module parameters in drivers/staging/speakup/
Annotate hardware config module parameters in drivers/staging/media/
Annotate hardware config module parameters in drivers/scsi/
Annotate hardware config module parameters in drivers/pcmcia/
Annotate hardware config module parameters in drivers/pci/hotplug/
Annotate hardware config module parameters in drivers/parport/
Annotate hardware config module parameters in drivers/net/wireless/
Annotate hardware config module parameters in drivers/net/wan/
Annotate hardware config module parameters in drivers/net/irda/
Annotate hardware config module parameters in drivers/net/hamradio/
Annotate hardware config module parameters in drivers/net/ethernet/
...
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
device to access or modify the kernel image.
To this end, annotate module_param* statements that refer to hardware
configuration and indicate for future reference what type of parameter they
specify. The parameter parser in the core sees this information and can
skip such parameters with an error message if the kernel is locked down.
The module initialisation then runs as normal, but just sees whatever the
default values for those parameters is.
Note that we do still need to do the module initialisation because some
drivers have viable defaults set in case parameters aren't specified and
some drivers support automatic configuration (e.g. PNP or PCI) in addition
to manually coded parameters.
This patch annotates drivers in drivers/pcmcia/.
Suggested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-pcmcia@lists.infradead.org
We'd like to eventually remove NO_IRQ on powerpc, so remove usages of it
from electra_cf.c which is a powerpc-only driver.
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
The newly introduced soc_pcmcia_regulator_set() function sometimes
returns without setting its return code, as shown by this warning:
drivers/pcmcia/soc_common.c: In function 'soc_pcmcia_regulator_set':
drivers/pcmcia/soc_common.c:112:5: error: 'ret' may be used uninitialized in this function [-Werror=maybe-uninitialized]
This changes it to propagate the regulator_disable() result instead.
Fixes: ac61b6001a ("pcmcia: soc_common: add support for Vcc and Vpp regulators")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Add a driver-data pointer so that low level drivers can add additional
data to the soc_common pcmcia socket structure.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Constify the pcmcia_low_level operation pointer to soc_pcmcia_init_one()
which has no need to modify it.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Switch to a per-socket cpufreq notifier rather than a global notifier.
This allows each socket to be self-contained.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Add support for handling supply regulators in the soc_common code. This
allows us to separate out the board specifics for setting voltages from
the PCMCIA code.
We detect when setting a voltage fails, and report this fact - some
platforms have fixed-voltage supplies (eg, for CF sockets at 3.3V) and
we need to ignore attempts to configure for 5V, as per the existing
board specific drivers.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Add a helper to get the voltage state of CF sockets, where the voltage
sense pins are not wired up. Switch assabet and cerf to use this
helper.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
If an attempt to set a socket state returns an error, restore the
previous socket state. If restoring the previous socket state
fails, warn about this.
This allows us to have simple error handling in the socket state
configuration handlers - there is no need for every handler
implementation to manually undo the updates, which can be complex
when regulators are involved.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Add support to soc_common for controlling reset and bus enable GPIOs
from within the generic soc_common layer, rather than having
individual drivers having to perform this themselves.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Request the legacy card detect signal with the active low property and
remove our own negation of the detection value. This allows us to use
the firmware-defined polarities rather than hard-coding it into the
driver.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
If gpiod_to_irq() returns an invalid interrupt, we should not try to use
it as an interrupt number.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Use devm_gpio_request_one() to request the GPIOs so we can avoid
manual clean up these gpio resources.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
When testing Lubbock, it was noticed that the sa1111 pcmcia driver bound
but was not functional due to no sockets being registered. This is
because the return code from the lowlevel board initialisation was not
being propagated out of the probe function. Fix this.
Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Add units to the timing information, so we know that the numbers are
nanoseconds. The output changes from:
I/O : 165 (172)
attribute: 300 (316)
common : 300 (316)
to:
I/O : 165ns (172ns)
attribute: 300ns (316ns)
common : 300ns (316ns)
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Manuel Lauss
Greg Kroah-Hartman
Linus Torvalds
David Howells
Michael Ellerman
Sudip Mukherjee
Arnd Bergmann
Russell King
Robert Jarzmik