thunderbolt: Add support for de-authorizing devices

		If a device is authorized automatically during boot its

		boot attribute is set to 1.

What: /sys/bus/thunderbolt/devices/.../domainX/deauthorization

Date:		May 2021

KernelVersion:	5.12

Contact:	Mika Westerberg <mika.westerberg@linux.intel.com>

Description:	This attribute tells whether the system supports

		de-authorization of devices. Value of 1 means user can

		de-authorize PCIe tunnel by writing 0 to authorized

		attribute under each device.

What: /sys/bus/thunderbolt/devices/.../domainX/iommu_dma_protection

Date:		Mar 2019

KernelVersion:	4.21

Contact:	thunderbolt-software@lists.01.org

Description:	This attribute is used to authorize Thunderbolt devices

		after they have been connected. If the device is not

		authorized, no devices such as PCIe and Display port are

		available to the system.

		authorized, no PCIe devices are available to the system.

		Contents of this attribute will be 0 when the device is not

		yet authorized.

		Possible values are supported:

		==  ===========================================

		==  ===================================================

		0   The device will be de-authorized (only supported if

		    deauthorization attribute under domain contains 1)

		1   The device will be authorized and connected

		==  ===========================================

		==  ===================================================

		When key attribute contains 32 byte hex string the possible

		values are:

		==  ========================================================

		0   The device will be de-authorized (only supported if

		    deauthorization attribute under domain contains 1)

		1   The 32 byte hex string is added to the device NVM and

		    the device is authorized.

		2   Send a challenge based on the 32 byte hex string. If the

the device without a key or write a new key and write 1 to the

``authorized`` file to get the new key stored on the device NVM.

De-authorizing devices

----------------------

It is possible to de-authorize devices by writing ``0`` to their

``authorized`` attribute. This requires support from the connection

manager implementation and can be checked by reading domain

``deauthorization`` attribute. If it reads ``1`` then the feature is

supported.

When a device is de-authorized the PCIe tunnel from the parent device

PCIe downstream (or root) port to the device PCIe upstream port is torn

down. This is essentially the same thing as PCIe hot-remove and the PCIe

toplogy in question will not be accessible anymore until the device is

authorized again. If there is storage such as NVMe or similar involved,

there is a risk for data loss if the filesystem on that storage is not

properly shut down. You have been warned!

DMA protection utilizing IOMMU

------------------------------

Recent systems from 2018 and forward with Thunderbolt ports may natively

}

static DEVICE_ATTR_RW(boot_acl);

static ssize_t deauthorization_show(struct device *dev,

				    struct device_attribute *attr,

				    char *buf)

{

	const struct tb *tb = container_of(dev, struct tb, dev);

	return sprintf(buf, "%d\n", !!tb->cm_ops->disapprove_switch);

}

static DEVICE_ATTR_RO(deauthorization);

static ssize_t iommu_dma_protection_show(struct device *dev,

					 struct device_attribute *attr,

					 char *buf)

static struct attribute *domain_attrs[] = {

	&dev_attr_boot_acl.attr,

	&dev_attr_deauthorization.attr,

	&dev_attr_iommu_dma_protection.attr,

	&dev_attr_security.attr,

	NULL,

	return 0;

}

/**

 * tb_domain_disapprove_switch() - Disapprove switch

 * @tb: Domain the switch belongs to

 * @sw: Switch to disapprove

 *

 * This will disconnect PCIe tunnel from parent to this @sw.

 *

 * Return: %0 on success and negative errno in case of failure.

 */

int tb_domain_disapprove_switch(struct tb *tb, struct tb_switch *sw)

{

	if (!tb->cm_ops->disapprove_switch)

		return -EPERM;

	return tb->cm_ops->disapprove_switch(tb, sw);

}

/**

 * tb_domain_approve_switch() - Approve switch

 * @tb: Domain the switch belongs to

 * @sw: Switch to approve

 *

 * This will approve switch by connection manager specific means. In

 * case of success the connection manager will create tunnels for all

 * supported protocols.

 * case of success the connection manager will create PCIe tunnel from

 * parent to @sw.

 */

int tb_domain_approve_switch(struct tb *tb, struct tb_switch *sw)

{

	return sprintf(buf, "%u\n", sw->authorized);

}

static int disapprove_switch(struct device *dev, void *not_used)

{

	struct tb_switch *sw;

	sw = tb_to_switch(dev);

	if (sw && sw->authorized) {

		int ret;

		/* First children */

		ret = device_for_each_child_reverse(&sw->dev, NULL, disapprove_switch);

		if (ret)

			return ret;

		ret = tb_domain_disapprove_switch(sw->tb, sw);

		if (ret)

			return ret;

		sw->authorized = 0;

		kobject_uevent(&sw->dev.kobj, KOBJ_CHANGE);

	}

	return 0;

}

static int tb_switch_set_authorized(struct tb_switch *sw, unsigned int val)

{

	int ret = -EINVAL;

	if (!mutex_trylock(&sw->tb->lock))

		return restart_syscall();

	if (sw->authorized)

	if (!!sw->authorized == !!val)

		goto unlock;

	switch (val) {

	/* Disapprove switch */

	case 0:

		if (tb_route(sw)) {

			ret = disapprove_switch(&sw->dev, NULL);

			goto unlock;

		}

		break;

	/* Approve switch */

	case 1:

		if (sw->key)

	}

}

static int tb_disconnect_pci(struct tb *tb, struct tb_switch *sw)

{

	struct tb_tunnel *tunnel;

	struct tb_port *up;

	up = tb_switch_find_port(sw, TB_TYPE_PCIE_UP);

	if (WARN_ON(!up))

		return -ENODEV;

	tunnel = tb_find_tunnel(tb, TB_TUNNEL_PCI, NULL, up);

	if (WARN_ON(!tunnel))

		return -ENODEV;

	tb_tunnel_deactivate(tunnel);

	list_del(&tunnel->list);

	tb_tunnel_free(tunnel);

	return 0;

}

static int tb_tunnel_pci(struct tb *tb, struct tb_switch *sw)

{

	struct tb_port *up, *down, *port;

	.runtime_suspend = tb_runtime_suspend,

	.runtime_resume = tb_runtime_resume,

	.handle_event = tb_handle_event,

	.disapprove_switch = tb_disconnect_pci,

	.approve_switch = tb_tunnel_pci,

	.approve_xdomain_paths = tb_approve_xdomain_paths,

	.disconnect_xdomain_paths = tb_disconnect_xdomain_paths,