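// SPDX-License-Identifier: MIT
/*
 * Copyright(c) 2024 Intel Corporation.
 */

#include "xe_pxp.h"

#include <drm/drm_managed.h>
#include <uapi/drm/xe_drm.h>

#include "xe_bo.h"
#include "xe_bo_types.h"
#include "xe_device_types.h"
#include "xe_exec_queue.h"
#include "xe_force_wake.h"
#include "xe_guc_exec_queue_types.h"
#include "xe_guc_submit.h"
#include "xe_gsc_proxy.h"
#include "xe_gt_types.h"
#include "xe_huc.h"
#include "xe_hw_engine.h"
#include "xe_mmio.h"
#include "xe_pm.h"
#include "xe_pxp_submit.h"
#include "xe_pxp_types.h"
#include "xe_uc_fw.h"
#include "regs/xe_irq_regs.h"
#include "regs/xe_pxp_regs.h"

/**
 * DOC: PXP
 *
 * PXP (Protected Xe Path) allows execution and flip to display of protected
 * (i.e. encrypted) objects. This feature is currently only supported in
 * integrated parts.
 */

#define ARB_SESSION DRM_XE_PXP_HWDRM_DEFAULT_SESSION /* shorter define */

/*
 * A submission to GSC can take up to 250ms to complete, so use a 300ms
 * timeout for activation where only one of those is involved. Termination
 * additionally requires a submission to VCS and an interaction with KCR, so
 * bump the timeout to 500ms for that.
 */
#define PXP_ACTIVATION_TIMEOUT_MS 300
#define PXP_TERMINATION_TIMEOUT_MS 500

/**
 * xe_pxp_is_supported - check whether the device and kernel config allow PXP
 * @xe: the xe_device structure
 *
 * Returns: true if the device reports PXP support and the kernel was built
 * with CONFIG_INTEL_MEI_GSC_PROXY, false otherwise.
 */
bool xe_pxp_is_supported(const struct xe_device *xe)
{
	return xe->info.has_pxp && IS_ENABLED(CONFIG_INTEL_MEI_GSC_PROXY);
}

/**
 * xe_pxp_is_enabled - check whether PXP was initialized on this device
 * @pxp: the xe_pxp pointer (NULL if PXP is disabled)
 *
 * Returns: true if @pxp is non-NULL. Every entry point in this file uses this
 * check before dereferencing @pxp.
 */
bool xe_pxp_is_enabled(const struct xe_pxp *pxp)
{
	return pxp;
}

/*
 * Check the two asynchronous prerequisites for PXP: HuC authenticated via GSC
 * and GSC proxy init done. Takes a force-wake reference on all domains for the
 * duration of the check.
 */
static bool pxp_prerequisites_done(const struct xe_pxp *pxp)
{
	struct xe_gt *gt = pxp->gt;
	bool ready;

	CLASS(xe_force_wake, fw_ref)(gt_to_fw(gt), XE_FORCEWAKE_ALL);

	/*
	 * If force_wake fails we could falsely report the prerequisites as not
	 * done even if they are; the consequence of this would be that the
	 * callers won't go ahead with using PXP, but if force_wake doesn't work
	 * the GT is very likely in a bad state so not really a problem to abort
	 * PXP. Therefore, we can just log the force_wake error and not escalate
	 * it.
	 */
	XE_WARN_ON(!xe_force_wake_ref_has_domain(fw_ref.domains, XE_FORCEWAKE_ALL));

	/* PXP requires both HuC authentication via GSC and GSC proxy initialized */
	ready = xe_huc_is_authenticated(&gt->uc.huc, XE_HUC_AUTH_VIA_GSC) &&
		xe_gsc_proxy_init_done(&gt->uc.gsc);

	return ready;
}

/**
 * xe_pxp_get_readiness_status - check whether PXP is ready for userspace use
 * @pxp: the xe_pxp pointer (can be NULL if PXP is disabled)
 *
 * Returns: 0 if PXP is not ready yet, 1 if it is ready, a negative errno value
 * if PXP is not supported/enabled or if something went wrong in the
 * initialization of the prerequisites. Note that the return values of this
 * function follow the uapi (see drm_xe_query_pxp_status), so they can be used
 * directly in the query ioctl.
 */
int xe_pxp_get_readiness_status(struct xe_pxp *pxp)
{
	int ret = 0;

	if (!xe_pxp_is_enabled(pxp))
		return -ENODEV;

	/* if the GSC or HuC FW are in an error state, PXP will never work */
	if (xe_uc_fw_status_to_error(pxp->gt->uc.huc.fw.status) ||
	    xe_uc_fw_status_to_error(pxp->gt->uc.gsc.fw.status))
		return -EIO;

	/* hold a runtime PM reference for the rest of the function */
	guard(xe_pm_runtime)(pxp->xe);

	/* PXP requires both HuC loaded and GSC proxy initialized */
	if (pxp_prerequisites_done(pxp))
		ret = 1;

	return ret;
}

/* Report whether the KCR_SIP bit for session @id is currently set. */
static bool pxp_session_is_in_play(struct xe_pxp *pxp, u32 id)
{
	struct xe_gt *gt = pxp->gt;

	return xe_mmio_read32(&gt->mmio, KCR_SIP) & BIT(id);
}

/*
 * Wait for the KCR_SIP bit of session @id to become set (@in_play == true) or
 * cleared (@in_play == false). Returns the xe_mmio_wait32() result.
 * NOTE(review): the unit of the 250 timeout argument is defined by
 * xe_mmio_wait32() and is not visible in this file - confirm.
 */
static int pxp_wait_for_session_state(struct xe_pxp *pxp, u32 id, bool in_play)
{
	struct xe_gt *gt = pxp->gt;
	u32 mask = BIT(id);

	return xe_mmio_wait32(&gt->mmio, KCR_SIP, mask, in_play ? mask : 0,
			      250, NULL, false);
}

static void pxp_invalidate_queues(struct xe_pxp *pxp);

/*
 * Tear down the ARB session in HW. The order matters: terminate the session,
 * wait for it to leave the "in play" state, trigger the global KCR cleanup and
 * only then ask the GSC to invalidate its own state. Any failure aborts the
 * sequence and is returned to the caller, which is responsible for moving the
 * PXP status to XE_PXP_ERROR.
 */
static int pxp_terminate_hw(struct xe_pxp *pxp)
{
	struct xe_gt *gt = pxp->gt;
	int ret = 0;

	drm_dbg(&pxp->xe->drm, "Terminating PXP\n");

	CLASS(xe_force_wake, fw_ref)(gt_to_fw(gt), XE_FW_GT);
	if (!xe_force_wake_ref_has_domain(fw_ref.domains, XE_FW_GT))
		return -EIO;

	/* terminate the hw session */
	ret = xe_pxp_submit_session_termination(pxp, ARB_SESSION);
	if (ret)
		return ret;

	ret = pxp_wait_for_session_state(pxp, ARB_SESSION, false);
	if (ret)
		return ret;

	/* Trigger full HW cleanup */
	xe_mmio_write32(&gt->mmio, KCR_GLOBAL_TERMINATE, 1);

	/* now we can tell the GSC to clean up its own state */
	return xe_pxp_submit_session_invalidation(&pxp->gsc_res, ARB_SESSION);
}

/*
 * Re-arm the termination completion and move the status to
 * XE_PXP_TERMINATION_IN_PROGRESS. Must be called with pxp->mutex held.
 */
static void mark_termination_in_progress(struct xe_pxp *pxp)
{
	lockdep_assert_held(&pxp->mutex);

	reinit_completion(&pxp->termination);
	pxp->status = XE_PXP_TERMINATION_IN_PROGRESS;
}

/*
 * Handle a termination request coming from the HW. If PXP was active the key
 * instance is bumped, which makes xe_pxp_bo_key_check() reject every BO that
 * was tagged with the previous instance. The queues are invalidated and the HW
 * termination is issued outside of pxp->mutex.
 */
static void pxp_terminate(struct xe_pxp *pxp)
{
	int ret = 0;
	struct xe_device *xe = pxp->xe;

	/* a timeout here is only logged; the termination is attempted anyway */
	if (!wait_for_completion_timeout(&pxp->activation,
					 msecs_to_jiffies(PXP_ACTIVATION_TIMEOUT_MS)))
		drm_err(&xe->drm, "failed to wait for PXP start before termination\n");

	mutex_lock(&pxp->mutex);

	if (pxp->status == XE_PXP_ACTIVE)
		pxp->key_instance++;

	/*
	 * we'll mark the status as needing termination on resume, so no need to
	 * emit a termination now.
	 */
	if (pxp->status == XE_PXP_SUSPENDED) {
		mutex_unlock(&pxp->mutex);
		return;
	}

	/*
	 * If we have a termination already in progress, we need to wait for
	 * it to complete before queueing another one. Once the first
	 * termination is completed we'll set the state back to
	 * NEEDS_TERMINATION and leave it to the pxp start code to issue it.
	 */
	if (pxp->status == XE_PXP_TERMINATION_IN_PROGRESS) {
		pxp->status = XE_PXP_NEEDS_ADDITIONAL_TERMINATION;
		mutex_unlock(&pxp->mutex);
		return;
	}

	mark_termination_in_progress(pxp);

	mutex_unlock(&pxp->mutex);

	pxp_invalidate_queues(pxp);

	ret = pxp_terminate_hw(pxp);
	if (ret) {
		drm_err(&xe->drm, "PXP termination failed: %pe\n", ERR_PTR(ret));
		mutex_lock(&pxp->mutex);
		pxp->status = XE_PXP_ERROR;
		/* release the waiters; they will observe XE_PXP_ERROR */
		complete_all(&pxp->termination);
		mutex_unlock(&pxp->mutex);
	}
}

/*
 * Handle the "termination complete" event: update the status according to the
 * state we were in and wake up everyone waiting on the termination completion.
 */
static void pxp_terminate_complete(struct xe_pxp *pxp)
{
	/*
	 * We expect PXP to be in one of 3 states when we get here:
	 * - XE_PXP_TERMINATION_IN_PROGRESS: a single termination event was
	 * requested and it is now completing, so we're ready to start.
	 * - XE_PXP_NEEDS_ADDITIONAL_TERMINATION: a second termination was
	 * requested while the first one was still being processed.
	 * - XE_PXP_SUSPENDED: PXP is now suspended, so we defer everything to
	 * when we come back on resume.
	 */
	mutex_lock(&pxp->mutex);

	switch (pxp->status) {
	case XE_PXP_TERMINATION_IN_PROGRESS:
		pxp->status = XE_PXP_READY_TO_START;
		break;
	case XE_PXP_NEEDS_ADDITIONAL_TERMINATION:
		pxp->status = XE_PXP_NEEDS_TERMINATION;
		break;
	case XE_PXP_SUSPENDED:
		/* Nothing to do */
		break;
	default:
		/* unexpected state: log it and leave the status untouched */
		drm_err(&pxp->xe->drm,
			"PXP termination complete while status was %u\n",
			pxp->status);
	}

	complete_all(&pxp->termination);

	mutex_unlock(&pxp->mutex);
}

/*
 * Worker that processes the events accumulated by xe_pxp_irq_handler(). The
 * pending events are snapshotted and cleared under xe->irq.lock, the same lock
 * the irq handler asserts when it sets them.
 */
static void pxp_irq_work(struct work_struct *work)
{
	struct xe_pxp *pxp = container_of(work, typeof(*pxp), irq.work);
	struct xe_device *xe = pxp->xe;
	u32 events = 0;

	spin_lock_irq(&xe->irq.lock);
	events = pxp->irq.events;
	pxp->irq.events = 0;
	spin_unlock_irq(&xe->irq.lock);

	if (!events)
		return;

	/*
	 * If we're processing a termination irq while suspending then don't
	 * bother, we're going to re-init everything on resume anyway.
	 */
	if ((events & PXP_TERMINATION_REQUEST) && !xe_pm_runtime_get_if_active(xe))
		return;

	/*
	 * When a termination request is pending, the COMPLETE event from the
	 * same snapshot is dropped and only the request is handled.
	 */
	if (events & PXP_TERMINATION_REQUEST) {
		events &= ~PXP_TERMINATION_COMPLETE;
		pxp_terminate(pxp);
	}

	if (events & PXP_TERMINATION_COMPLETE)
		pxp_terminate_complete(pxp);

	/* balance the runtime PM reference taken above */
	if (events & PXP_TERMINATION_REQUEST)
		xe_pm_runtime_put(xe);
}

/**
 * xe_pxp_irq_handler - Handles PXP interrupts.
 * @xe: the xe_device structure
 * @iir: interrupt vector
 *
 * Records the termination request/complete events in pxp->irq.events and
 * queues the worker that processes them. Must be called with xe->irq.lock
 * held (checked via lockdep).
 */
void xe_pxp_irq_handler(struct xe_device *xe, u16 iir)
{
	struct xe_pxp *pxp = xe->pxp;

	if (!xe_pxp_is_enabled(pxp)) {
		drm_err(&xe->drm, "PXP irq 0x%x received with PXP disabled!\n", iir);
		return;
	}

	lockdep_assert_held(&xe->irq.lock);

	if (unlikely(!iir))
		return;

	if (iir & (KCR_PXP_STATE_TERMINATED_INTERRUPT |
		   KCR_APP_TERMINATED_PER_FW_REQ_INTERRUPT))
		pxp->irq.events |= PXP_TERMINATION_REQUEST;

	if (iir & KCR_PXP_STATE_RESET_COMPLETE_INTERRUPT)
		pxp->irq.events |= PXP_TERMINATION_COMPLETE;

	if (pxp->irq.events)
		queue_work(pxp->irq.wq, &pxp->irq.work);
}

/*
 * Set or clear KCR_INIT_ALLOW_DISPLAY_ME_WRITES in KCR_INIT using a masked
 * write. Returns -EIO if the GT force-wake domain could not be acquired, 0
 * otherwise.
 */
static int kcr_pxp_set_status(const struct xe_pxp *pxp, bool enable)
{
	u32 val = enable ? REG_MASKED_FIELD_ENABLE(KCR_INIT_ALLOW_DISPLAY_ME_WRITES) :
			   REG_MASKED_FIELD_DISABLE(KCR_INIT_ALLOW_DISPLAY_ME_WRITES);

	CLASS(xe_force_wake, fw_ref)(gt_to_fw(pxp->gt), XE_FW_GT);
	if (!xe_force_wake_ref_has_domain(fw_ref.domains, XE_FW_GT))
		return -EIO;

	xe_mmio_write32(&pxp->gt->mmio, KCR_INIT, val);

	return 0;
}

/* Enable KCR for PXP; see kcr_pxp_set_status(). */
static int kcr_pxp_enable(const struct xe_pxp *pxp)
{
	return kcr_pxp_set_status(pxp, true);
}

/* Disable KCR for PXP; see kcr_pxp_set_status(). */
static int kcr_pxp_disable(const struct xe_pxp *pxp)
{
	return kcr_pxp_set_status(pxp, false);
}

/* devm action registered by xe_pxp_init(): release the wq and the resources. */
static void pxp_fini(void *arg)
{
	struct xe_pxp *pxp = arg;

	destroy_workqueue(pxp->irq.wq);
	xe_pxp_destroy_execution_resources(pxp);

	/* no need to explicitly disable KCR since we're going to do an FLR */
}

/**
 * xe_pxp_init - initialize PXP support
 * @xe: the xe_device structure
 *
 * Initialize the HW state and allocate the objects required for PXP support.
 * Note that some of the requirements for PXP support (GSC proxy init, HuC auth)
 * are performed asynchronously as part of the GSC init. PXP can only be used
 * after both this function and the async worker have completed.
 *
 * Returns 0 if PXP is not supported or if PXP initialization is successful,
 * other errno value if there is an error during the init.
 */
int xe_pxp_init(struct xe_device *xe)
{
	struct xe_gt *gt = xe->tiles[0].media_gt;
	struct xe_pxp *pxp;
	int err;

	if (!xe_pxp_is_supported(xe))
		return 0;

	/* we only support PXP on single tile devices with a media GT */
	if (xe->info.tile_count > 1 || !gt)
		return 0;

	/* The GSCCS is required for submissions to the GSC FW */
	if (!(gt->info.engine_mask & BIT(XE_HW_ENGINE_GSCCS0)))
		return 0;

	/* PXP requires both GSC and HuC firmwares to be available */
	if (!xe_uc_fw_is_loadable(&gt->uc.gsc.fw) ||
	    !xe_uc_fw_is_loadable(&gt->uc.huc.fw)) {
		drm_info(&xe->drm, "skipping PXP init due to missing FW dependencies\n");
		return 0;
	}

	/*
	 * On PTL, older GSC FWs have a bug that can cause them to crash during
	 * PXP invalidation events, which leads to a complete loss of power
	 * management on the media GT. Therefore, we can't use PXP on FWs that
	 * have this bug, which was fixed in PTL GSC build 1396.
	 */
	if (xe->info.platform == XE_PANTHERLAKE &&
	    gt->uc.gsc.fw.versions.found[XE_UC_FW_VER_RELEASE].build < 1396) {
		drm_info(&xe->drm, "PXP requires PTL GSC build 1396 or newer\n");
		return 0;
	}

	pxp = drmm_kzalloc(&xe->drm, sizeof(struct xe_pxp), GFP_KERNEL);
	if (!pxp) {
		err = -ENOMEM;
		goto out;
	}

	INIT_LIST_HEAD(&pxp->queues.list);
	spin_lock_init(&pxp->queues.lock);
	INIT_WORK(&pxp->irq.work, pxp_irq_work);
	pxp->xe = xe;
	pxp->gt = gt;

	/*
	 * A BO key instance of 0 is treated as "no key assigned" by the asserts
	 * in xe_pxp_key_assign() and xe_pxp_bo_key_check(), so the counter
	 * starts from 1.
	 * NOTE(review): the key_instance++ sites in this file do not skip 0 on
	 * wrap-around; confirm the counter width makes that unreachable in
	 * practice.
	 */
	pxp->key_instance = 1;
	pxp->last_suspend_key_instance = 1;

	/*
	 * we'll use the completions to check if there is an action pending,
	 * so we start them as completed and we reinit it when an action is
	 * triggered.
	 */
	init_completion(&pxp->activation);
	init_completion(&pxp->termination);
	complete_all(&pxp->termination);
	complete_all(&pxp->activation);

	mutex_init(&pxp->mutex);

	pxp->irq.wq = alloc_ordered_workqueue("pxp-wq", 0);
	if (!pxp->irq.wq) {
		err = -ENOMEM;
		goto out_free;
	}

	err = kcr_pxp_enable(pxp);
	if (err)
		goto out_wq;

	err = xe_pxp_allocate_execution_resources(pxp);
	if (err)
		goto out_kcr_disable;

	xe->pxp = pxp;

	/*
	 * NOTE(review): xe->pxp is published before the cleanup action is
	 * registered. If devm_add_action_or_reset() fails it runs pxp_fini()
	 * and the error is returned with xe->pxp still set; presumably the
	 * caller aborts the probe on error so nothing uses it - confirm.
	 */
	return devm_add_action_or_reset(xe->drm.dev, pxp_fini, pxp);

out_kcr_disable:
	kcr_pxp_disable(pxp);
out_wq:
	destroy_workqueue(pxp->irq.wq);
out_free:
	drmm_kfree(&xe->drm, pxp);
out:
	drm_err(&xe->drm, "PXP initialization failed: %pe\n", ERR_PTR(err));
	return err;
}

/*
 * Start the ARB session: refuse if the session is already in play (-EEXIST),
 * otherwise submit the session init to the GSC and wait for the session to
 * show up in KCR_SIP. Returns 0 on success or a negative errno.
 */
static int __pxp_start_arb_session(struct xe_pxp *pxp)
{
	int ret;

	CLASS(xe_force_wake, fw_ref)(gt_to_fw(pxp->gt), XE_FW_GT);
	if (!xe_force_wake_ref_has_domain(fw_ref.domains, XE_FW_GT))
		return -EIO;

	if (pxp_session_is_in_play(pxp, ARB_SESSION))
		return -EEXIST;

	ret = xe_pxp_submit_session_init(&pxp->gsc_res, ARB_SESSION);
	if (ret) {
		drm_err(&pxp->xe->drm, "Failed to init PXP arb session: %pe\n", ERR_PTR(ret));
		return ret;
	}

	ret = pxp_wait_for_session_state(pxp, ARB_SESSION, true);
	if (ret) {
		drm_err(&pxp->xe->drm, "PXP ARB session failed to go in play: %pe\n", ERR_PTR(ret));
		return ret;
	}

	drm_dbg(&pxp->xe->drm, "PXP ARB session is active\n");
	return 0;
}

/**
 * xe_pxp_exec_queue_set_type - Mark a queue as using PXP
 * @pxp: the xe->pxp pointer (it will be NULL if PXP is disabled)
 * @q: the queue to mark as using PXP
 * @type: the type of PXP session this queue will use
 *
 * Returns 0 if the selected PXP type is supported, -ENODEV otherwise.
 */
int xe_pxp_exec_queue_set_type(struct xe_pxp *pxp, struct xe_exec_queue *q, u8 type)
{
	if (!xe_pxp_is_enabled(pxp))
		return -ENODEV;

	/*
	 * we only support HWDRM sessions right now
	 * NOTE(review): @type is only checked by an assert here, and it is
	 * stored in the queue regardless of the outcome. If xe_assert() is
	 * compiled out in production builds, the caller must have validated
	 * @type before getting here - confirm against the ioctl path.
	 */
	xe_assert(pxp->xe, type == DRM_XE_PXP_TYPE_HWDRM);

	q->pxp.type = type;

	return 0;
}

/*
 * Add @q to the PXP queue list if PXP is active. Returns 0 on success, -EIO if
 * PXP is in error or suspended state and -EBUSY for every other state (the
 * caller is expected to retry).
 */
static int __exec_queue_add(struct xe_pxp *pxp, struct xe_exec_queue *q)
{
	int ret = 0;

	/*
	 * A queue can be added to the list only if the PXP is in active status,
	 * otherwise the termination might not handle it correctly.
	 */
	mutex_lock(&pxp->mutex);

	if (pxp->status == XE_PXP_ACTIVE) {
		spin_lock_irq(&pxp->queues.lock);
		list_add_tail(&q->pxp.link, &pxp->queues.list);
		spin_unlock_irq(&pxp->queues.lock);
	} else if (pxp->status == XE_PXP_ERROR || pxp->status == XE_PXP_SUSPENDED) {
		ret = -EIO;
	} else {
		ret = -EBUSY; /* try again later */
	}

	mutex_unlock(&pxp->mutex);

	return ret;
}

/*
 * Bring PXP to the XE_PXP_ACTIVE state, issuing a termination first if one is
 * needed. Loops back to wait_for_idle whenever another start/termination is
 * found in progress. Returns 0 if PXP is active on exit, -ENODEV if PXP is
 * disabled, -EBUSY if the prerequisites are not done yet, -ETIMEDOUT if a
 * pending action did not complete in time, other negative errno on failure.
 */
static int pxp_start(struct xe_pxp *pxp, u8 type)
{
	int ret = 0;
	bool restart;

	if (!xe_pxp_is_enabled(pxp))
		return -ENODEV;

	/* we only support HWDRM sessions right now */
	xe_assert(pxp->xe, type == DRM_XE_PXP_TYPE_HWDRM);

	/* get_readiness_status() returns 0 for in-progress and 1 for done */
	ret = xe_pxp_get_readiness_status(pxp);
	if (ret <= 0)
		return ret ?: -EBUSY;

	ret = 0;

wait_for_idle:
	/*
	 * if there is an action in progress, wait for it. We need to wait
	 * outside the lock because the completion is done from within the lock.
	 * Note that the two actions should never be pending at the same time.
	 */
	if (!wait_for_completion_timeout(&pxp->termination,
					 msecs_to_jiffies(PXP_TERMINATION_TIMEOUT_MS)))
		return -ETIMEDOUT;

	if (!wait_for_completion_timeout(&pxp->activation,
					 msecs_to_jiffies(PXP_ACTIVATION_TIMEOUT_MS)))
		return -ETIMEDOUT;

	restart = false;

	mutex_lock(&pxp->mutex);

	/* If PXP is not already active, turn it on */
	switch (pxp->status) {
	case XE_PXP_ERROR:
		ret = -EIO;
		goto out_unlock;
	case XE_PXP_ACTIVE:
		goto out_unlock;
	case XE_PXP_READY_TO_START:
		pxp->status = XE_PXP_START_IN_PROGRESS;
		reinit_completion(&pxp->activation);
		break;
	case XE_PXP_START_IN_PROGRESS:
		/* If a start is in progress then the completion must not be done */
		XE_WARN_ON(completion_done(&pxp->activation));
		restart = true;
		goto out_unlock;
	case XE_PXP_NEEDS_TERMINATION:
		mark_termination_in_progress(pxp);
		break;
	case XE_PXP_TERMINATION_IN_PROGRESS:
	case XE_PXP_NEEDS_ADDITIONAL_TERMINATION:
		/* If a termination is in progress then the completion must not be done */
		XE_WARN_ON(completion_done(&pxp->termination));
		restart = true;
		goto out_unlock;
	case XE_PXP_SUSPENDED:
	default:
		drm_err(&pxp->xe->drm, "unexpected state during PXP start: %u\n", pxp->status);
		ret = -EIO;
		goto out_unlock;
	}

	mutex_unlock(&pxp->mutex);

	/*
	 * The termination completion is only re-armed in the NEEDS_TERMINATION
	 * case above, so a not-done completion means we own that termination.
	 */
	if (!completion_done(&pxp->termination)) {
		ret = pxp_terminate_hw(pxp);
		if (ret) {
			drm_err(&pxp->xe->drm, "PXP termination failed before start\n");
			mutex_lock(&pxp->mutex);
			pxp->status = XE_PXP_ERROR;
			complete_all(&pxp->termination);

			goto out_unlock;
		}

		goto wait_for_idle;
	}

	/* All the cases except for start should have exited earlier */
	XE_WARN_ON(completion_done(&pxp->activation));
	ret = __pxp_start_arb_session(pxp);

	mutex_lock(&pxp->mutex);

	complete_all(&pxp->activation);

	/*
	 * Any other process should wait until the state goes away from
	 * XE_PXP_START_IN_PROGRESS, so if the state is not that something went
	 * wrong. Mark the status as needing termination and try again.
	 */
	if (pxp->status != XE_PXP_START_IN_PROGRESS) {
		drm_err(&pxp->xe->drm, "unexpected state after PXP start: %u\n", pxp->status);
		pxp->status = XE_PXP_NEEDS_TERMINATION;
		restart = true;
		goto out_unlock;
	}

	/* If everything went ok, update the status and add the queue to the list */
	if (!ret)
		pxp->status = XE_PXP_ACTIVE;
	else
		pxp->status = XE_PXP_ERROR;

out_unlock:
	mutex_unlock(&pxp->mutex);

	if (restart)
		goto wait_for_idle;

	return ret;
}

/**
 * xe_pxp_exec_queue_add - add a queue to the PXP list
 * @pxp: the xe->pxp pointer (it will be NULL if PXP is disabled)
 * @q: the queue to add to the list
 *
 * If PXP is enabled and the prerequisites are done, start the PXP default
 * session (if not already running) and add the queue to the PXP list.
 *
 * Returns 0 if the PXP session is running and the queue is in the list,
 * -ENODEV if PXP is disabled, -EBUSY if the PXP prerequisites are not done,
 * other errno value if something goes wrong during the session start.
 */
int xe_pxp_exec_queue_add(struct xe_pxp *pxp, struct xe_exec_queue *q)
{
	int ret;

	if (!xe_pxp_is_enabled(pxp))
		return -ENODEV;

	/*
	 * Runtime suspend kills PXP, so we take a reference to prevent it from
	 * happening while we have active queues that use PXP
	 */
	xe_pm_runtime_get(pxp->xe);

start:
	ret = pxp_start(pxp, q->pxp.type);

	/*
	 * PXP can leave the active state between pxp_start() returning and the
	 * status check in __exec_queue_add(); in that case start over.
	 * NOTE(review): there is no retry bound in this function; the loop ends
	 * only when pxp_start() fails or the add succeeds. Each pxp_start()
	 * pass waits on the completions with a timeout - confirm that is
	 * enough to bound the loop.
	 */
	if (!ret) {
		ret = __exec_queue_add(pxp, q);
		if (ret == -EBUSY)
			goto start;
	}

	/*
	 * in the successful case the PM ref is released from
	 * xe_pxp_exec_queue_remove
	 */
	if (ret)
		xe_pm_runtime_put(pxp->xe);

	return ret;
}
ALLOW_ERROR_INJECTION(xe_pxp_exec_queue_add, ERRNO);

/*
 * Remove @q from whichever PXP list it is on and reset its PXP type. The
 * runtime PM reference is dropped only if the queue was actually on a list,
 * which is what makes repeated calls safe. @lock selects whether
 * pxp->queues.lock is taken around the list manipulation.
 */
static void __pxp_exec_queue_remove(struct xe_pxp *pxp, struct xe_exec_queue *q, bool lock)
{
	bool need_pm_put = false;

	if (!xe_pxp_is_enabled(pxp))
		return;

	if (lock)
		spin_lock_irq(&pxp->queues.lock);

	if (!list_empty(&q->pxp.link)) {
		list_del_init(&q->pxp.link);
		need_pm_put = true;
	}

	q->pxp.type = DRM_XE_PXP_TYPE_NONE;

	if (lock)
		spin_unlock_irq(&pxp->queues.lock);

	if (need_pm_put)
		xe_pm_runtime_put(pxp->xe);
}

/**
 * xe_pxp_exec_queue_remove - remove a queue from the PXP list
 * @pxp: the xe->pxp pointer (it will be NULL if PXP is disabled)
 * @q: the queue to remove from the list
 *
 * If PXP is enabled and the exec_queue is in the list, the queue will be
 * removed from the list and its PM reference will be released. It is safe to
 * call this function multiple times for the same queue.
 */
void xe_pxp_exec_queue_remove(struct xe_pxp *pxp, struct xe_exec_queue *q)
{
	__pxp_exec_queue_remove(pxp, q, true);
}

/*
 * Kill every queue currently on the PXP list. The queues are first moved to a
 * local list under pxp->queues.lock (taking a reference on each, and skipping
 * the ones whose refcount already dropped to zero), then killed and removed
 * outside of the lock.
 */
static void pxp_invalidate_queues(struct xe_pxp *pxp)
{
	struct xe_exec_queue *tmp, *q;
	LIST_HEAD(to_clean);

	spin_lock_irq(&pxp->queues.lock);

	list_for_each_entry_safe(q, tmp, &pxp->queues.list, pxp.link) {
		q = xe_exec_queue_get_unless_zero(q);
		if (!q)
			continue;

		list_move_tail(&q->pxp.link, &to_clean);
	}
	spin_unlock_irq(&pxp->queues.lock);

	list_for_each_entry_safe(q, tmp, &to_clean, pxp.link) {
		drm_dbg(&pxp->xe->drm,
			"Killing queue due to PXP termination: eclass=%s, guc_id=%d\n",
			xe_hw_engine_class_to_str(q->class), q->guc->id);

		xe_exec_queue_kill(q);

		/*
		 * We hold a ref to the queue so there is no risk of racing with
		 * the calls to exec_queue_remove coming from exec_queue_destroy.
		 */
		__pxp_exec_queue_remove(pxp, q, false);

		xe_exec_queue_put(q);
	}
}

/**
 * xe_pxp_key_assign - mark a BO as using the current PXP key iteration
 * @pxp: the xe->pxp pointer (it will be NULL if PXP is disabled)
 * @bo: the BO to mark
 *
 * Returns: -ENODEV if PXP is disabled, 0 otherwise.
 */
int xe_pxp_key_assign(struct xe_pxp *pxp, struct xe_bo *bo)
{
	if (!xe_pxp_is_enabled(pxp))
		return -ENODEV;

	/* a BO is expected to be assigned a key only once */
	xe_assert(pxp->xe, !bo->pxp_key_instance);

	/*
	 * Note that the PXP key handling is inherently racy, because the key
	 * can theoretically change at any time (although it's unlikely to do
	 * so without triggers), even right after we copy it. Taking a lock
	 * wouldn't help because the value might still change as soon as we
	 * release the lock.
	 * Userspace needs to handle the fact that their BOs can go invalid at
	 * any point.
	 */
	bo->pxp_key_instance = pxp->key_instance;

	return 0;
}

/**
 * xe_pxp_bo_key_check - check if the key used by a xe_bo is valid
 * @pxp: the xe->pxp pointer (it will be NULL if PXP is disabled)
 * @bo: the BO we want to check
 *
 * Checks whether a BO was encrypted with the current key or an obsolete one.
 *
 * Returns: 0 if the key is valid, -ENODEV if PXP is disabled, -EINVAL if the
 * BO is not using PXP, -ENOEXEC if the key is not valid.
 */
int xe_pxp_bo_key_check(struct xe_pxp *pxp, struct xe_bo *bo)
{
	if (!xe_pxp_is_enabled(pxp))
		return -ENODEV;

	if (!xe_bo_is_protected(bo))
		return -EINVAL;

	xe_assert(pxp->xe, bo->pxp_key_instance);

	/*
	 * Note that the PXP key handling is inherently racy, because the key
	 * can theoretically change at any time (although it's unlikely to do
	 * so without triggers), even right after we check it. Taking a lock
	 * wouldn't help because the value might still change as soon as we
	 * release the lock.
	 * We mitigate the risk by checking the key at multiple points (on each
	 * submission involving the BO and right before flipping it on the
	 * display), but there is still a very small chance that we could
	 * operate on an invalid BO for a single submission or a single frame
	 * flip. This is a compromise made to protect the encrypted data (which
	 * is what the key termination is for).
	 */
	if (bo->pxp_key_instance != pxp->key_instance)
		return -ENOEXEC;

	return 0;
}

/**
 * xe_pxp_obj_key_check - check if the key used by a drm_gem_obj is valid
 * @obj: the drm_gem_obj we want to check
 *
 * Checks whether a drm_gem_obj was encrypted with the current key or an
 * obsolete one.
 *
 * Returns: 0 if the key is valid, -ENODEV if PXP is disabled, -EINVAL if the
 * obj is not using PXP, -ENOEXEC if the key is not valid.
 */
int xe_pxp_obj_key_check(struct drm_gem_object *obj)
{
	struct xe_bo *bo = gem_to_xe_bo(obj);
	struct xe_device *xe = xe_bo_device(bo);
	struct xe_pxp *pxp = xe->pxp;

	return xe_pxp_bo_key_check(pxp, bo);
}

/**
 * xe_pxp_pm_suspend - prepare PXP for HW suspend
 * @pxp: the xe->pxp pointer (it will be NULL if PXP is disabled)
 *
 * Makes sure all PXP actions have completed and invalidates all PXP queues
 * and objects before we go into a suspend state.
 *
 * Returns: 0 if successful, a negative errno value otherwise.
 */
int xe_pxp_pm_suspend(struct xe_pxp *pxp)
{
	bool needs_queue_inval = false;
	int ret = 0;

	if (!xe_pxp_is_enabled(pxp))
		return 0;

wait_for_activation:
	/* a timeout is recorded in ret but the suspend flow continues */
	if (!wait_for_completion_timeout(&pxp->activation,
					 msecs_to_jiffies(PXP_ACTIVATION_TIMEOUT_MS)))
		ret = -ETIMEDOUT;

	mutex_lock(&pxp->mutex);

	switch (pxp->status) {
	case XE_PXP_ERROR:
	case XE_PXP_READY_TO_START:
	case XE_PXP_SUSPENDED:
	case XE_PXP_TERMINATION_IN_PROGRESS:
	case XE_PXP_NEEDS_ADDITIONAL_TERMINATION:
		/*
		 * If PXP is not running there is nothing to cleanup. If there
		 * is a termination pending then no need to issue another one.
		 */
		break;
	case XE_PXP_START_IN_PROGRESS:
		mutex_unlock(&pxp->mutex);
		goto wait_for_activation;
	case XE_PXP_NEEDS_TERMINATION:
		/* If PXP was never used we can skip the cleanup */
		if (pxp->key_instance == pxp->last_suspend_key_instance)
			break;
		fallthrough;
	case XE_PXP_ACTIVE:
		/* invalidate every BO tagged with the current key instance */
		pxp->key_instance++;
		needs_queue_inval = true;
		break;
	}

	/*
	 * We set this even if we were in error state, hoping the suspend clears
	 * the error. Worst case we fail again and go in error state again.
	 */
	pxp->status = XE_PXP_SUSPENDED;

	mutex_unlock(&pxp->mutex);

	if (needs_queue_inval)
		pxp_invalidate_queues(pxp);

	/*
	 * if there is a termination in progress, wait for it.
	 * We need to wait outside the lock because the completion is done from
	 * within the lock
	 */
	if (!wait_for_completion_timeout(&pxp->termination,
					 msecs_to_jiffies(PXP_TERMINATION_TIMEOUT_MS)))
		ret = -ETIMEDOUT;

	pxp->last_suspend_key_instance = pxp->key_instance;

	return ret;
}

/**
 * xe_pxp_pm_resume - re-init PXP after HW suspend
 * @pxp: the xe->pxp pointer (it will be NULL if PXP is disabled)
 *
 * Re-enables KCR and moves the status from XE_PXP_SUSPENDED to
 * XE_PXP_NEEDS_TERMINATION, or to XE_PXP_ERROR if the KCR enabling failed.
 */
void xe_pxp_pm_resume(struct xe_pxp *pxp)
{
	int err;

	if (!xe_pxp_is_enabled(pxp))
		return;

	err = kcr_pxp_enable(pxp);

	mutex_lock(&pxp->mutex);

	xe_assert(pxp->xe, pxp->status == XE_PXP_SUSPENDED);

	if (err)
		pxp->status = XE_PXP_ERROR;
	else
		pxp->status = XE_PXP_NEEDS_TERMINATION;

	mutex_unlock(&pxp->mutex);
}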