From: Christian Loehle
To: "linux-mmc@vger.kernel.org", "linux-kernel@vger.kernel.org", Ulf Hansson, Adrian Hunter
CC: Avri Altman
Subject: [PATCHv3 0/1] mmc: block: ioctl: Enhance userspace err-checking
Date: Tue, 20 Jun 2023 12:40:06 +0000
Message-ID: <1ef05ea7f0304f56b83b12b105248e7a@hyperstone.com>
X-Patchwork-Submitter: Christian Loehle
X-Patchwork-Id: 694650
X-Mailing-List: linux-mmc@vger.kernel.org

This series enhances the ioctl path so that userspace callers are able to
reliably check all error bits for their operation.
The current implementation poses the problem of error bits which the caller
cannot check; this is potentially a security issue.

If the phrase security issue has woken you up, but you haven't been using:
mmc-utils sanitize
mmc-utils erase secure-trim{1|2}
mmc-utils secure-erase
mmc-utils rpmb write-block
you can go back to sleep, sorry to bother you.

If you have, you are probably still fine: if there was no active attacker
sabotaging your eMMC, the secure operation probably succeeded.
There is just no way to confirm that it actually has.

Examples include e.g. a flash-fail of the eMMC. Card behavior differs here,
R1 bit 19 could be set, many cards will just shut off on flash-fail, so
if you want to play with this patch I would suggest aiming for WP_ERASE_SKIP,
although that technically doesn't need the patch, as WP groups could be
queried before and after erase.
sudo ./mmc writeprotect user set temp 0x0 $(($(blockdev --getsz /dev/mmcblk2))) /dev/mmcblk2
sudo ./mmc erase secure-erase 0 $(($(blockdev --getsz /dev/mmcblk2)-1)) /dev/mmcblk2
will yield
Executing Secure Erase from 0x00000000 to 0x0773ffff
High Capacity Erase Unit Size=524288 bytes
High Capacity Erase Timeout=600 ms
High Capacity Write Protect Group Size=2097152 bytes
RSP0: 0x00008900 # added by author, this is what the patch will add to RSP0
Secure Erase Succeed!
even though no erase is issued.

v3:
- restored check on rpmb reads
- refactored to use __mmc_poll_for_busy directly

v2:
- removed extra flag and made it default behavior for write or R1B
- aggregate error flag in resp[0] instead of abusing resp[1]
- avoid open loop busy polling and reuse __mmc_poll_for_busy

Christian Loehle (1):
  mmc: block: ioctl: Add PROG-error aggregation

 drivers/mmc/core/block.c   | 26 +++++++++++++++-----------
 drivers/mmc/core/mmc_ops.c | 14 +++++++-------
 drivers/mmc/core/mmc_ops.h |  9 +++++++++
 3 files changed, 31 insertions(+), 18 deletions(-)

---
2.37.3
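
An added example, not part of the original message and not mmc-utils or kernel code: a userspace check that decodes the R1 status word returned in RSP0 and refuses to report success when an erase-related error bit is set, as with the 0x00008900 value quoted above. Bit positions follow the R1_* definitions in the kernel's include/linux/mmc/mmc.h; the function names, the table and the choice of ERASE_ERR_MASK are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* R1 card status bits (positions as in include/linux/mmc/mmc.h) */
#define R1_ERASE_SEQ_ERROR (1u << 28)
#define R1_ERASE_PARAM     (1u << 27)
#define R1_WP_VIOLATION    (1u << 26)
#define R1_CARD_ECC_FAILED (1u << 21)
#define R1_CC_ERROR        (1u << 20)
#define R1_ERROR           (1u << 19)  /* "R1 bit 19" in the cover letter */
#define R1_WP_ERASE_SKIP   (1u << 15)
#define R1_ERASE_RESET     (1u << 13)

/* Assumed mask: any of these bits means the erase did not fully run. */
#define ERASE_ERR_MASK (R1_ERASE_SEQ_ERROR | R1_ERASE_PARAM | R1_WP_VIOLATION | \
                        R1_CARD_ECC_FAILED | R1_CC_ERROR | R1_ERROR |           \
                        R1_WP_ERASE_SKIP | R1_ERASE_RESET)

static const struct { uint32_t bit; const char *name; } r1_names[] = {
    { R1_ERASE_SEQ_ERROR, "ERASE_SEQ_ERROR" }, { R1_ERASE_PARAM, "ERASE_PARAM" },
    { R1_WP_VIOLATION, "WP_VIOLATION" }, { R1_CARD_ECC_FAILED, "CARD_ECC_FAILED" },
    { R1_CC_ERROR, "CC_ERROR" }, { R1_ERROR, "ERROR" },
    { R1_WP_ERASE_SKIP, "WP_ERASE_SKIP" }, { R1_ERASE_RESET, "ERASE_RESET" },
};

/* Returns the erase-related error bits present in the R1 response. */
uint32_t r1_erase_errors(uint32_t resp0)
{
    return resp0 & ERASE_ERR_MASK;
}

/* Returns 1 only when no erase-related error bit is set. */
int erase_rsp_ok(uint32_t resp0)
{
    return r1_erase_errors(resp0) == 0;
}

int main(void)
{
    uint32_t resp0 = 0x00008900u; /* RSP0 value quoted in the cover letter */
    uint32_t err = r1_erase_errors(resp0);

    for (size_t i = 0; i < sizeof(r1_names) / sizeof(r1_names[0]); i++)
        if (err & r1_names[i].bit)
            printf("R1 error: %s\n", r1_names[i].name);
    puts(erase_rsp_ok(resp0) ? "Secure Erase Succeed!" : "Secure Erase FAILED");
    return erase_rsp_ok(resp0) ? 0 : 1;
}
```

A check of this kind is only meaningful once the kernel aggregates the status bits into the response as the series proposes; without that, the bits never reach the caller.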