1. 20 Nov, 2020 3 commits
      manager: better logging for domain de-registration · f3395f9c
      Christian Kellner authored
      Use the LOG_DOM () macro and do not use `bolt_domain_get_id`
      which might return NULL for disconnected domains.
      manager: clean up stale domains on store upgrade · 9e859394
      Christian Kellner authored
      When the store is upgraded, clean up any stale domains. Previous
      versions of bolt (< 0.9.1) would store domains that did not have
      stable uuids, i.e. their uuid would change on every boot. These
      stored domains would be loaded and exported but would never come
      online, since they can never be matched to an online domain.
      When the store cleanup method is executed, in the manager's
      initialization method, the domain controller should either be
      powered (they use runtime power management only and are thus not
      physically powered down on ice lake anyway) or force-powered and
      thus any domain that is not yet online will be removed. This can
      fail if the domain has a boot acl journal with entries, which
      protects against the loss of data for domains that are not force-powered,
      maybe because they are even slower, but do have a stable uuid.
      manager: correctly report upgraded version · 3ec3e0ef
      Christian Kellner authored
      After the store was upgraded, get the new version from the store
      and report that in the logs, not the old, pre-upgrade version.
  2. 17 Nov, 2020 1 commit
      manager: un-export device in deregister_device · 04c3bb1e
      Christian Kellner authored
      Remove some duplicated code by moving the un-export code for the
      device to a central location: `manager_deregister_device`. This
      method will be called for all devices that can be de-registered,
      i.e. either devices that got disconnected and are not stored, via
      the `handle_udev_device_removed` udev event handler, or devices
      that got removed from the store and are disconnected. The latter
      is handled via `handle_store_device_removed`. In both cases the
      device should be de-registered and (if exported) be un-exported.
      Thus this is where the un-export code is now moved to.
  3. 10 Nov, 2020 3 commits
      manager: upgrade the store · ef6e6d1c
      Christian Kellner authored
      Use the new store upgrade mechanism to upgrade the store. Currently
      nothing is done if an upgrade happens, but it will be used to clean
      up stale domains, which might have accumulated due to the ice lake
      domain uuid instability.
      store: convert to be initable · acd72a98
      Christian Kellner authored
      Convert the store to use the GInitable interface. This prepares for
      store on-disk initialization that can fail. Currently, nothing
      is actually done in initialize and thus it will never fail.
      
      Adapt all tests to check for potential store creation errors and
      also convert the manager's store initialization method to handle
      the error.
      manager: extract store initialization · 374bf33b
      Christian Kellner authored
      Instead of initializing the store in the basic object init method,
      create a new method that bundles all store related initialization
      and call that from bolt_manager_initialize. This prepares for the
      possibility that store initialization can fail.
  4. 21 Sep, 2020 1 commit
  5. 02 Sep, 2020 3 commits
      manager: only store domains if uuid is stable · ba4ce0f7
      Christian Kellner authored
      The bolt daemon uses the uuid of the host controller, i.e. the
      thunderbolt switch, to uniquely identify the domain across
      reboots. The main reason for this was the boot acl, which can
      change in the absence of the domain: in older tbt hardware, the
      controller was powered in hardware when no device was attached.
      If a user then wanted to remove a device from the controller,
      that needed to be recorded and synced back to the boot acl
      when the controller later became available again.
      
      All this relies on the fact that the uuid of the controller is
      stable, i.e. does not change across reboots. This, sadly, is not
      true for integrated TBT, like e.g. on ice lake (ICL) and tiger
      lake (TGL).
      
      In the manager, the stability of the domain's uuid is now
      detected via the PCI id of the native host interface. If it is
      in fact not stable, or if the PCI id is unknown, the domain will
      not be stored. As a result, removing devices from the boot acl
      while the controller is offline will not properly be synced
      to the controller. Since modern controllers are actually not
      powered down, but use runtime PM, i.e. they go to D3 cold state,
      this should indeed not matter much. Additionally, modern systems
      use the IOMMU to secure device access and there the firmware can
      and will indeed authorize the device during boot. Therefore the
      boot acl becomes less important, and there seem indeed to be no
      boot acl entry slots on ICL even.
      manager: extract domain storing code · 1202173e
      Christian Kellner authored
      Extract the code that stores the domain, together with the error
      checking path, into its own small helper function.
      This is mostly to prepare for conditional storing of domains, in
      the case when their uuid is not stable across reboots.
      manager: better warning if device creation fails · a425544a
      Christian Kellner authored
      In handle_udev_device_added (), if the device creation failed,
      show the sysfs path, so it is easy to identify the underlying
      udev device.
  6. 04 Mar, 2020 1 commit
  7. 13 Jan, 2020 1 commit
  8. 26 Nov, 2019 2 commits
  9. 11 Nov, 2019 1 commit
  10. 06 Nov, 2019 1 commit
      manager: add 'generation' property · 8d8374ce
      Christian Kellner authored
      Add a global 'generation' attribute ('Generation' on the D-Bus) that
      will proxy the generation attribute of the host controller, or the
      maximum generation, in the case that there is more than one. It is
      done for convenience so that clients, interested in detecting USB4,
      don't have to look up the host device.
  11. 01 Nov, 2019 3 commits
      manager: persist the host device · f9205d16
      Christian Kellner authored
      When the thunderbolt controller is in non-native enumeration mode,
      it is only powered by the firmware when something is plugged into
      the thunderbolt port. In those cases the domain and device nodes
      are missing in sysfs and we have no information about the host
      device, including the (new) generation attribute. Always persisting
      the host solves that issue and does no harm in native enumeration
      mode either.
      manager: extract storing from check in auto-import · a29df146
      Christian Kellner authored
      Extract the storing bits from the rest of the decision making code,
      so we can re-use it.
      manager: remove key var in auto-import · 72fa1b01
      Christian Kellner authored
      It was not used anyway and probably is a leftover from initial
      attempts to also support auto imports of devices in 'secure' mode
      by reading the key from sysfs. This undertaking has been abandoned
      because in reality that is a very unlikely scenario that is not
      worth supporting.
  12. 22 Oct, 2019 1 commit
  13. 07 Aug, 2019 1 commit
      manager: enable watchdog integration · fa43b307
      Christian Kellner authored
      Create a watchdog object, which in turn will handle sending pings
      via NOTIFY_SOCKET, if enabled, i.e. the relevant environment
      variables are set (NOTIFY_SOCKET, WATCHDOG_USEC).
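      The NOTIFY_SOCKET mechanism the commit above refers to is systemd's sd_notify(3) protocol: the daemon sends "WATCHDOG=1" datagrams to the unix socket named in NOTIFY_SOCKET, spaced more tightly than WATCHDOG_USEC, or systemd treats the service as hung. What follows is an added, self-contained C illustration of that exchange, not boltd's watchdog object; the function names are assumed, and notify_roundtrip binds its own receiver so the check runs without systemd.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
/* Address for a NOTIFY_SOCKET path; '@' means abstract namespace (sd_notify(3)). */
static socklen_t notify_addr(const char *path, struct sockaddr_un *addr)
{
    size_t len = path ? strlen(path) : 0;
    if (len == 0 || len >= sizeof(addr->sun_path))
        return 0; /* unset, empty or too long: notifications are disabled */
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len);
    if (addr->sun_path[0] == '@')
        addr->sun_path[0] = '\0';
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);
}

/* Send one state datagram such as "WATCHDOG=1\n"; 0 on success, -1 on failure. */
int notify_send(const char *path, const char *msg)
{
    struct sockaddr_un addr;
    socklen_t alen = notify_addr(path, &addr);
    int fd = alen ? socket(AF_UNIX, SOCK_DGRAM, 0) : -1;
    ssize_t r = -1;
    if (fd >= 0) {
        r = sendto(fd, msg, strlen(msg), 0, (struct sockaddr *)&addr, alen);
        close(fd);
    }
    return r < 0 ? -1 : 0;
}

/* Self-check without systemd: receive our own ping at path; 1 if it matches. */
int notify_roundtrip(const char *path)
{
    struct sockaddr_un addr;
    socklen_t alen = notify_addr(path, &addr);
    char buf[64];
    int fd = alen ? socket(AF_UNIX, SOCK_DGRAM, 0) : -1, ok = 0;
    if (fd < 0) return 0;
    if (path[0] != '@') unlink(path); /* stale socket file from an earlier run */
    if (bind(fd, (struct sockaddr *)&addr, alen) == 0 &&
        notify_send(path, "WATCHDOG=1\n") == 0) {
        ssize_t n = recv(fd, buf, sizeof(buf), 0);
        ok = n == 11 && memcmp(buf, "WATCHDOG=1\n", 11) == 0;
    }
    close(fd);
    return ok;
}
```

      A real daemon would read NOTIFY_SOCKET and WATCHDOG_USEC from the environment and call notify_send from a timer at half the watchdog interval.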
  14. 05 Aug, 2019 1 commit
  15. 02 Aug, 2019 1 commit
  16. 13 Jun, 2019 1 commit
  17. 16 May, 2019 2 commits
      key: prepare for possible key creation failures · 656a94b4
      Christian Kellner authored
      Introduce a new GError out param to bolt_key_new and prepare the
      whole code base to handle the case that key creation can fail.
      manager: unify enroll preparation code paths · 64c5d33f
      Christian Kellner authored
      There were two code paths that did basically the same: one for auto
      enrolling new devices and the other one when enrolling devices via a
      dbus call. In both cases the BoltAuth object was prepared with the
      same semantics. Now both cases are handled by a single code path in
      manager_enroll_device_prepare().
  18. 11 Apr, 2019 1 commit
  19. 20 Mar, 2019 1 commit
      manager: use bolt_get_store_path · 8f345b47
      Christian Kellner authored
      Use the new helper to determine the store path; there should not
      be any semantic change, because the helper currently behaves exactly
      like the old code in manager.c.
  20. 22 Feb, 2019 8 commits
      manager: adjust policy to 'iommu' if iommu is on · 7945f092
      Christian Kellner authored
      When enrolling new devices with a default policy and iommu is turned
      on, always adjust the policy to 'iommu'. This might lead to a
      situation where a device needs to be manually authorized when it was
      enrolled while iommu was on and iommu is now disabled. While not ideal
      this seems to be the most secure situation to end up in.
      manager: import devices authorized by the firmware · 58c686cf
      Christian Kellner authored
      All devices that have active PCIe channels that were authorized by
      the firmware (in contrast to the user) should be imported. The
      policy 'iommu' should be used for most of them since the only case
      where it is safe to use 'auto' is 'user' SL1 when the boot flag
      is not set and iommu is not active.
      Additionally code to handle the impossible case of 'secure' mode
      with a valid key but a boot flag is removed, because that can
      never actually happen in the wild.
      manager: refactor auto import method · 80259b55
      Christian Kellner authored
      Refactor the auto import method so the policy decision whether to
      import at all, and with which policy, is more clear and in one
      place. That should make it easy to follow future changes.
      No policy change should have occurred with this refactoring.
      manager: auto-authorize for iommu · 40a24bb2
      Christian Kellner authored
      When a device has the IOMMU policy set and the domain it is connected
      to has iommu enabled, automatically authorize the device. NB: the
      usual security level checks still apply, i.e. if the domain is in the
      SECURE mode and the device has no key, NO auto-authorization will
      happen.
      manager: refactor auto-authorize method · dedc334c
      Christian Kellner authored
      Refactor the function to make it more verbose so it should be
      clearer what checks are happening at which point in the function,
      and make the security check in general more obvious.
      Also rename the function to be more consistent with auto-enroll.
      manager: auto-enroll devices when iommu is active · 9661db8d
      Christian Kellner authored
      Support auto-enrolling, i.e. authorizing and storing, of new and
      not yet authorized devices when IOMMU protection is active. Since
      we can't really trust the device, the policy the devices will be
      enrolled in is 'BOLT_POLICY_IOMMU'.
      manager: call maybe_import only if authorized · 26094863
      Christian Kellner authored
      Only if the device that got connected (and is not yet stored) is
      authorized, call the manager_maybe_import function. Until now the
      check was done within manager_maybe_import itself.
      manager: rename manager_maybe_auto_import_device · d3a373c8
      Christian Kellner authored
      Now called manager_maybe_import; no semantic change.
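      The import, enrollment and auto-authorization rules spelled out in commits 7945f092, 58c686cf, 40a24bb2 and 9661db8d above, written down as one decision model so the interplay (IOMMU policy still bounded by the SECURE-mode key check) is visible. This is an added C illustration, not boltd's code: the enum values, struct fields and function names are assumed, and only the rules the commit messages state are encoded (the 'auto' policy path for stored devices and the non-IOMMU resolution of DEFAULT are not modelled).

```c
#include <stdbool.h>

/* Security level of the domain (the host controller). */
enum sec_level { SL_NONE, SL_USER, SL_SECURE, SL_DPONLY };
/* Authorization policy stored with a device. */
enum policy { POLICY_DEFAULT, POLICY_MANUAL, POLICY_AUTO, POLICY_IOMMU };

struct domain { enum sec_level level; bool iommu; };
struct device {
    bool authorized;    /* PCIe tunnel is currently active */
    bool boot;          /* boot flag: authorized by the firmware at boot */
    bool has_key;       /* a key for SECURE mode is stored for it */
    enum policy policy; /* policy stored for the device */
};

/* 58c686cf: policy for importing a firmware-authorized device. 'auto' is
 * only safe at SL1 ('user') without the boot flag and without IOMMU. */
enum policy import_policy(const struct domain *dom, const struct device *dev)
{
    if (dom->level == SL_USER && !dev->boot && !dom->iommu)
        return POLICY_AUTO;
    return POLICY_IOMMU;
}

/* 7945f092: a DEFAULT policy requested while IOMMU is on becomes 'iommu'.
 * (What DEFAULT resolves to without IOMMU is not stated in the log.) */
enum policy enroll_policy(const struct domain *dom, enum policy requested)
{
    if (requested == POLICY_DEFAULT && dom->iommu)
        return POLICY_IOMMU;
    return requested;
}

/* 9661db8d: a new, not yet authorized device is auto-enrolled only when
 * IOMMU protection is active, always with the 'iommu' policy. */
bool should_auto_enroll(const struct domain *dom, const struct device *dev)
{
    return !dev->authorized && dom->iommu;
}

/* 40a24bb2: the 'iommu' policy auto-authorizes on an IOMMU-enabled domain,
 * but the security-level check is not bypassed: SECURE mode without a key
 * means no auto-authorization. (The 'auto' policy path is not modelled.) */
bool iommu_auto_authorize(const struct domain *dom, const struct device *dev)
{
    if (dev->policy != POLICY_IOMMU || !dom->iommu)
        return false;
    if (dom->level == SL_SECURE && !dev->has_key)
        return false;
    return true;
}
```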
  21. 10 Jan, 2019 1 commit
      manager: store policy in auth during enrollment · 768ac1c5
      Christian Kellner authored
      BoltAuth supports storing the intended policy now, so use that in
      order to avoid re-parsing the policy string from the dbus call.
      NB: the policy must not be DEFAULT, which handle_enroll_device
      ensures by adjusting the policy if it is DEFAULT.
  22. 01 Jan, 2019 1 commit
  23. 21 Dec, 2018 1 commit