RFD 316 HSS/SP communication protocol

magic

u32

0x1DE19CC

version

u32

The protocol version number. This will be incremented as necessary for changes in the command set or to the data associated with a command. Ideally, both the SP and the Host should be willing to accept and use a small number of previous protocol versions.

sequence

u64

Increments for each new HSS→SP message.
SP uses request value when building a response, but also sets the top bit as an indicator that this is a reply message.

command

u8

In rust, command is likely to be an enum and hubpack encodes enums as a u8; it should be sufficient, particularly since each direction has its own set of values.

data

[u8; n]

Varies based on command, n <= MAX_MESSAGE_SIZE - HEADER_SIZE (17) - CHECKSUM_SIZE (2)

checksum

u16

Fletcher-16

0x1 (HSSReboot)

-

Host requests reboot; no response is expected from the SP.

0x2 (HSSPowerOff)

-

Host requests power off; no response is expected from the SP.

0x3 (HSSBsu)

-

Host requests Boot Storage Unit (BSU) value (see [rfd241])

0x4 (HSSIdent)

-

Host requests identifying data (model, revision, serial)

0x5 (HSSMac)

-

Host requests MAC addresses

0x6 (HSSBootFail)

reason: u8,
data: [u8; n]

Host boot failure; no response is expected from the SP. A reason code is sent followed by data providing more detail. Reasons are:
* 1 → General failure.
* 2 → Could not locate a phase 2 image.
* 3 → Phase 2 protocol header problem.
* 4 → Integrity failure.
* 5 → Ramdisk problem.
The SP should record this information and propagate it to the control plane. Typically the host will follow this command with an HSSReboot.

0x7 (HSSPanic)

cause: u16,
data: [u8; n]

The host has panicked. The cause field gives a high level overview of the cause, currently defined values are:
* 0xcall the panic() function was explicitly called;
* 0xa9nn a trap occurred. The trap number is identified by nn;
* 0x5enn fatal userland trap nn occurred;
* 0xeb00 early boot panic;
* 0xeb97 early boot prom panic;
* 0xeba9 early boot trap occurred.
The data following the cause provides more information about the panic including data such as the stack trace. This is considered opaque by the SP.
The SP should record this information and propagate it to the control plane but not take action such as power cycling the host. The host will send an HSSReboot command when ready - it may, for example, spend some time writing a crash dump to disk.

0x8 (HSSStatus)

-

Host requests SP status register values.
See [_the_sps_status_registers] for further details.

0x9 (HSSAckStart)

-

Host acknowledges SP task startup.

0xa (HSSAlert)

-

Host requests a pending alert message from the SP.

0xb (HSSRot)

TBD

Reserved for host RoT Request
For reference, the RoT operations include: GetCertificates, AddHostMeasurements, GetMeasurements, SignTranscript).
See [rfd256].

0xc (HSSRotMeas)

TBD

Reserved for host measurements (see [rfd256])

0xd (HSSImageBlock)

hash: [u8; 32]
offset: u64

Request data from a phase 2 image with the provided hash, starting at the requested byte offset. There is no length parameter, the SP should send as much data as it can (up to MAX_PACKET_SIZE). In practice this limited by the amount of data that can fit in a UDP packet between MGS and the SP.

0xe (HSSKeyLookup)

key: u8
maxresponse: u16

Perform a lookup for the specified key. The size of the buffer which is available to receive the corresponding value is also provided as part of the request which allows the SP to fast fail if the buffer will not be large enough. key is a u8 in order that it can be easily encoded from an enum by hubpack. Currently defined keys are:
* 0 → ping (the SP will respond with "pong") [RO];
* 1 → Installinator Image ID [RO];
* 2 → Inventory status, as a tuple of (count, version). The version is always 0 for now, but is included for forward-compatibility; the count is the limit for HSSGetInventoryData (below) [RO];
* 3 → /etc/system file content [RW, max 256 bytes];
* 4 → /kernel/drv/dtrace.conf content [RW, max 4096 bytes].

0xf (HSSGetInventoryData)

index: u32

Performs a lookup for the specified inventory item. The index must be less than the inventory count returned by HSSKeyLookup. For details on inventory, see [rfd360].

0x10 (HSSKeySet)

key: u8
data: [u8; n]

Set a value for the specified key. The key indices are the same as those listed above for HSSKeyLookup. Only the keys flagged as RW can have their values set via this command, and their lengths are limited to the sizes shown.

0x1 (SPAck)

-

SP acknowledges request. Used when there is no data to send back. Host will check the sequence number to determine that the acknowledgement is for the message it last sent.

0x2 (SPDecodeFail)

reason: u8

SP could not decode request, reasons are:
* 1 → COBS decode failure (The sequence will be set to all 1s)
* 2 → CRC mismatch
* 3 → Deserialization failure (The sequence will be set all 1s)
* 4 → Magic number mismatch
* 5 → Protocol version unsupported (try a lower one if you can)
* 6 → Sequence invalid (high bit set)
* 7 → Data length incorrect

0x3 (SPBsu)

bsu: u8

SP provides BSU
* 0x41 → BSU A
* 0x42 → BSU B

0x4 (SPIdent)

model: [u8; 11]
revision: u32,
serial: [u8; 11]

SP provides identifying data.
See [rfd219] for the format of serial numbers.

0x5 (SPMac)

base: [u8; 6]
count: u16
stride: u8

SP provides MAC address data in the FRUID format proposed in [rfd320].

0x6 (SPStatus)

status: u64
startup_options: u64

SP provides status register values.
See [_the_sps_status_registers] for further details.

0x7 (SPAlert)

action: u8,
data: [u8; n]

SP provides a pending alert message in response to request. If there are no pending alerts, then action is 0 and there is no data.
Currently alert messages with a non-zero action are displayed to the OS console and sent to the system log. In future, action may be extended to allow messages to be delivered to other endpoints — via a door to a userland application such as sled-agent, for example.
Care must be taken to avoid losing any alert messages as a result of [retransmission]. Whenever the SP sends an SPAlert message to the host, it must retain a copy in a buffer and resend it if it subsequently receives a HSSAlert message with the same sequence number. The cached message can be discarded once an HSSAlert request is received with a different sequence number.

0x8 (SPRot)

TBD

Reserved for SP RoT Response

0x9 (SPImageBlock)

data: [u8; n]

Provide phase2 image block.

0xa (SPKeyLookup)

result: u8
data: [u8; n]

Provide a response to an attempted value-by-key lookup. result is one of:
* 0 → Successful lookup, value follows;
* 1 → Invalid key;
* 2 → No value exists for requested key;
* 3 → Buffer too small for key’s value.

0xb (SPInventoryData)

result: u8
name: [u8; 32]
type: u8
data: [u8; n]

Provide a response to an attempted inventory data lookup. result is one of:
* 0 → Successful lookup, more data follows;
* 1 → Invalid index;
* 2 → Communication with the target failed in a way that suggests device absence (e.g. I²C NACK);
* 3 → Communication with the target failed in a different way.
name is a unique identifier for the given inventory item, with trailing 0 bytes. The identifier is typically the designator of the relevant IC on the PCA; if the IC is on a daughterboard, it is a nested list of designators separated by /. type is a discriminator that specifies how data is to be decoded; data is a type-specific serialized struct. The values and encoding for type + data form a private interface between the SP and the host. For forward-compatibility, we should only append fields to a given data payload; the host can then ignore any trailing bytes that it doesn’t know about.

0xc (SPKeySet)

result: u8

Provide a response to an attempted key set operation. result is one of:
* 0 → The value was stored successfully;
* 1 → Invalid key;
* 2 → Key is read-only;
* 3 → Provided data too long for key.