ice: Extend malicious operations detection logic (7c4bc1f5) · Commits · EulixOS / Software / Kernel

drivers/net/ethernet/intel/ice/ice_hw_autogen.h

+8 −0

Original line number	Diff line number	Diff line
		@@ -219,6 +219,14 @@
		#define PF_MDET_TX_PQM_VALID_M BIT(0)
		#define PF_MDET_TX_TCLAN 0x000FC000
		#define PF_MDET_TX_TCLAN_VALID_M BIT(0)
		#define VP_MDET_RX(_VF) (0x00294400 + ((_VF) * 4))
		#define VP_MDET_RX_VALID_M BIT(0)
		#define VP_MDET_TX_PQM(_VF) (0x002D2000 + ((_VF) * 4))
		#define VP_MDET_TX_PQM_VALID_M BIT(0)
		#define VP_MDET_TX_TCLAN(_VF) (0x000FB800 + ((_VF) * 4))
		#define VP_MDET_TX_TCLAN_VALID_M BIT(0)
		#define VP_MDET_TX_TDPU(_VF) (0x00040000 + ((_VF) * 4))
		#define VP_MDET_TX_TDPU_VALID_M BIT(0)
		#define GLNVM_FLA 0x000B6108
		#define GLNVM_FLA_LOCKED_M BIT(6)
		#define GLNVM_GENS 0x000B6100

drivers/net/ethernet/intel/ice/ice_main.c

+46 −0

Original line number	Diff line number	Diff line
		@@ -951,6 +951,7 @@ static void ice_handle_mdd_event(struct ice_pf *pf)
		struct ice_hw *hw = &pf->hw;
		bool mdd_detected = false;
		u32 reg;
		int i;

		if (!test_bit(__ICE_MDD_EVENT_PENDING, pf->state))
		return;
		@@ -1040,6 +1041,51 @@ static void ice_handle_mdd_event(struct ice_pf *pf)
		}
		}

		/* see if one of the VFs needs to be reset */
		for (i = 0; i < pf->num_alloc_vfs && mdd_detected; i++) {
		struct ice_vf *vf = &pf->vf[i];

		reg = rd32(hw, VP_MDET_TX_PQM(i));
		if (reg & VP_MDET_TX_PQM_VALID_M) {
		wr32(hw, VP_MDET_TX_PQM(i), 0xFFFF);
		vf->num_mdd_events++;
		dev_info(&pf->pdev->dev, "TX driver issue detected on VF %d\n",
		i);
		}

		reg = rd32(hw, VP_MDET_TX_TCLAN(i));
		if (reg & VP_MDET_TX_TCLAN_VALID_M) {
		wr32(hw, VP_MDET_TX_TCLAN(i), 0xFFFF);
		vf->num_mdd_events++;
		dev_info(&pf->pdev->dev, "TX driver issue detected on VF %d\n",
		i);
		}

		reg = rd32(hw, VP_MDET_TX_TDPU(i));
		if (reg & VP_MDET_TX_TDPU_VALID_M) {
		wr32(hw, VP_MDET_TX_TDPU(i), 0xFFFF);
		vf->num_mdd_events++;
		dev_info(&pf->pdev->dev, "TX driver issue detected on VF %d\n",
		i);
		}

		reg = rd32(hw, VP_MDET_RX(i));
		if (reg & VP_MDET_RX_VALID_M) {
		wr32(hw, VP_MDET_RX(i), 0xFFFF);
		vf->num_mdd_events++;
		dev_info(&pf->pdev->dev, "RX driver issue detected on VF %d\n",
		i);
		}

		if (vf->num_mdd_events > ICE_DFLT_NUM_MDD_EVENTS_ALLOWED) {
		dev_info(&pf->pdev->dev,
		"Too many MDD events on VF %d, disabled\n", i);
		dev_info(&pf->pdev->dev,
		"Use PF Control I/F to re-enable the VF\n");
		set_bit(ICE_VF_STATE_DIS, vf->vf_states);
		}
		}

		/* re-enable MDD interrupt cause */
		clear_bit(__ICE_MDD_EVENT_PENDING, pf->state);
		reg = rd32(hw, PFINT_OICR_ENA);

drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h

+6 −2

Original line number	Diff line number	Diff line
		@@ -9,10 +9,13 @@
		#define ICE_VLAN_PRIORITY_S 12
		#define ICE_VLAN_M 0xFFF
		#define ICE_PRIORITY_M 0x7000
		#define ICE_MAX_VLAN_PER_VF 8 /* restriction for non-trusted VF */

		/* Restrict number of MACs a non-trusted VF can program */
		/* Restrict number of MAC Addr and VLAN that non-trusted VF can programmed */
		#define ICE_MAX_VLAN_PER_VF 8
		#define ICE_MAX_MACADDR_PER_VF 12

		/* Malicious Driver Detection */
		#define ICE_DFLT_NUM_MDD_EVENTS_ALLOWED 3
		#define ICE_DFLT_NUM_INVAL_MSGS_ALLOWED 10

		/* Static VF transaction/status register def */
		@@ -56,6 +59,7 @@ struct ice_vf {
		u8 trusted;
		u16 lan_vsi_idx; /* index into PF struct */
		u16 lan_vsi_num; /* ID as used by firmware */
		u64 num_mdd_events; /* number of mdd events detected */
		u64 num_inval_msgs; /* number of continuous invalid msgs */
		u64 num_valid_msgs; /* number of valid msgs detected */
		unsigned long vf_caps; /* vf's adv. capabilities */