Bus firewall framework aims to provide a kernel API to set the configuration of the harware blocks in charge of busses access control.
Framework architecture is inspirated by pinctrl framework: - a default configuration could be applied before bind the driver. If a configuration could not be applied the driver is not bind to avoid doing accesses on prohibited regions. - configurations could be apllied dynamically by drivers. - device node provides the bus firewall configurations.
An example of bus firewall controller is STM32 ETZPC hardware block which got 3 possible configurations: - trust: hardware blocks are only accessible by software running on trust zone (i.e op-tee firmware). - non-secure: hardware blocks are accessible by non-secure software (i.e. linux kernel). - coprocessor: hardware blocks are only accessible by the coprocessor. Up to 94 hardware blocks of the soc could be managed by ETZPC.
At least two other hardware blocks can take benefits of this: - ARM TZC-400: http://infocenter.arm.com/help/topic/com.arm.doc.100325_0001_02_en/arm_corel... which is able to manage up to 8 regions in address space. - IMX Ressource Domain Controller (RDC): supports four domains and up to eight regions
Version 2 has been rebased on top of v5.5 - Change framework name to "firewall" because the targeted hardware block are acting like firewall on the busses. - Mark Brown had reviewed the previous version but it was on kernel 5.1 and I change the name framework so I have decided to remove it. - Use yaml file to describe the bindings
Benjamin
Benjamin Gaignard (7): dt-bindings: bus: Add firewall bindings bus: Introduce firewall controller framework base: Add calls to firewall controller dt-bindings: bus: Add STM32 ETZPC firewall controller bus: firewall: Add driver for STM32 ETZPC controller ARM: dts: stm32: Add firewall node for stm32mp157 SoC ARM: dts: stm32: enable firewall controller node on stm32mp157c-ed1
.../bindings/bus/firewall/firewall-consumer.yaml | 25 ++ .../bindings/bus/firewall/firewall-provider.yaml | 18 ++ .../bindings/bus/firewall/st,stm32-etzpc.yaml | 41 ++++ arch/arm/boot/dts/stm32mp157c-ev1.dts | 2 + arch/arm/boot/dts/stm32mp157c.dtsi | 7 + drivers/base/dd.c | 9 + drivers/bus/Kconfig | 2 + drivers/bus/Makefile | 2 + drivers/bus/firewall/Kconfig | 14 ++ drivers/bus/firewall/Makefile | 2 + drivers/bus/firewall/firewall.c | 264 +++++++++++++++++++++ drivers/bus/firewall/stm32-etzpc.c | 140 +++++++++++ include/dt-bindings/bus/firewall/stm32-etzpc.h | 90 +++++++ include/linux/firewall.h | 70 ++++++ 14 files changed, 686 insertions(+) create mode 100644 Documentation/devicetree/bindings/bus/firewall/firewall-consumer.yaml create mode 100644 Documentation/devicetree/bindings/bus/firewall/firewall-provider.yaml create mode 100644 Documentation/devicetree/bindings/bus/firewall/st,stm32-etzpc.yaml create mode 100644 drivers/bus/firewall/Kconfig create mode 100644 drivers/bus/firewall/Makefile create mode 100644 drivers/bus/firewall/firewall.c create mode 100644 drivers/bus/firewall/stm32-etzpc.c create mode 100644 include/dt-bindings/bus/firewall/stm32-etzpc.h create mode 100644 include/linux/firewall.h
Add schemas for firewall consumer and provider.
Signed-off-by: Benjamin Gaignard benjamin.gaignard@st.com --- version 2: - describe bindings in yaml files .../bindings/bus/firewall/firewall-consumer.yaml | 25 ++++++++++++++++++++++ .../bindings/bus/firewall/firewall-provider.yaml | 18 ++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 Documentation/devicetree/bindings/bus/firewall/firewall-consumer.yaml create mode 100644 Documentation/devicetree/bindings/bus/firewall/firewall-provider.yaml
diff --git a/Documentation/devicetree/bindings/bus/firewall/firewall-consumer.yaml b/Documentation/devicetree/bindings/bus/firewall/firewall-consumer.yaml new file mode 100644 index 000000000000..ea7963c600f7 --- /dev/null +++ b/Documentation/devicetree/bindings/bus/firewall/firewall-consumer.yaml @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: BSD-2-Clause +%YAML 1.2 +--- +$id: http://devicetree.org/schemas/bus/firewall/firewall-consumer.yaml# +$schema: http://devicetree.org/meta-schemas/core.yaml# + +title: Common Bus Firewall consumer binding + +maintainers: + - Benjamin Gaignard benjamin.gaignard@st.com + +# always select the core schema +select: true + +properties: + firewall-0: true + + firewall-names: true + +patternProperties: + "firewall-[0-9]": + $ref: "/schemas/types.yaml#/definitions/phandle-array" + +dependencies: + firewall-names: [ firewall-0 ] diff --git a/Documentation/devicetree/bindings/bus/firewall/firewall-provider.yaml b/Documentation/devicetree/bindings/bus/firewall/firewall-provider.yaml new file mode 100644 index 000000000000..0f9a38b63fbe --- /dev/null +++ b/Documentation/devicetree/bindings/bus/firewall/firewall-provider.yaml @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: BSD-2-Clause +%YAML 1.2 +--- +$id: http://devicetree.org/schemas/bus/firewall/firewall-provider.yaml# +$schema: http://devicetree.org/meta-schemas/core.yaml# + +title: Common Bus Firewall provider binding + +maintainers: + - Benjamin Gaignard benjamin.gaignard@st.com + +properties: + '#firewall-cells': + $ref: /schemas/types.yaml#/definitions/uint32 + description: Number of cells in a bus firewall specifier + +required: + - '#firewall-cells'
The goal of this framework is to offer an interface for the hardware blocks controlling bus accesses rights.
Bus firewall controllers are typically used to control if a hardware block can perform read or write operations on bus.
Smarter firewall controllers could be able to define accesses rights per hardware blocks to control where they can read or write.
Firewall controller configurations are provided in device node, parsed by the framework and send to the driver to apply them. Each controller may need different number and type of inputs to configure the firewall so device-tree properties size have to be define by using "#firewall-cells". Firewall configurations properties have to be named "firewall-X" on device node. "firewall-names" keyword can also be used to give a name to a specific configuration.
Example of device-tree: ctrl0: firewall@0 { #firewall-cells = <2>; };
foo: foo@0 { firewall-names = "default", "setting1"; firewall-0 = <&ctrl0 1 2>; firewall-1 = <&ctrl0 3 4>; };
Configurations could be applied with functions like firewall_set_config_by_index() or firewall_set_config_by_name().
firewall_set_default_config() function will apply the configuration named "default" (if existing) or the configuration with index 0 (i.e. firewall-0).
Drivers could register/unregister themselves be calling firewall_register/firewall_unregister functions.
When a configuration has to be applied the driver callback, provided in the ops at registration time, set_config is called by the framework.
Signed-off-by: Benjamin Gaignard benjamin.gaignard@st.com --- version 2: - rename the framework "firewall" - rebased on top of v5.5
drivers/bus/Kconfig | 2 + drivers/bus/Makefile | 2 + drivers/bus/firewall/Kconfig | 7 ++ drivers/bus/firewall/Makefile | 1 + drivers/bus/firewall/firewall.c | 264 ++++++++++++++++++++++++++++++++++++++++ include/linux/firewall.h | 70 +++++++++++ 6 files changed, 346 insertions(+) create mode 100644 drivers/bus/firewall/Kconfig create mode 100644 drivers/bus/firewall/Makefile create mode 100644 drivers/bus/firewall/firewall.c create mode 100644 include/linux/firewall.h
diff --git a/drivers/bus/Kconfig b/drivers/bus/Kconfig index 50200d1c06ea..d3f636c64e1c 100644 --- a/drivers/bus/Kconfig +++ b/drivers/bus/Kconfig @@ -203,4 +203,6 @@ config DA8XX_MSTPRI
source "drivers/bus/fsl-mc/Kconfig"
+source "drivers/bus/firewall/Kconfig" + endmenu diff --git a/drivers/bus/Makefile b/drivers/bus/Makefile index 1320bcf9fa9d..278c27fd57cd 100644 --- a/drivers/bus/Makefile +++ b/drivers/bus/Makefile @@ -34,3 +34,5 @@ obj-$(CONFIG_UNIPHIER_SYSTEM_BUS) += uniphier-system-bus.o obj-$(CONFIG_VEXPRESS_CONFIG) += vexpress-config.o
obj-$(CONFIG_DA8XX_MSTPRI) += da8xx-mstpri.o + +obj-$(CONFIG_FIREWALL_CONTROLLERS) += firewall/ diff --git a/drivers/bus/firewall/Kconfig b/drivers/bus/firewall/Kconfig new file mode 100644 index 000000000000..893bacb955f5 --- /dev/null +++ b/drivers/bus/firewall/Kconfig @@ -0,0 +1,7 @@ +menu "Bus Firewall Controllers" + +config FIREWALL_CONTROLLERS + bool "Support of bus firewall controllers" + depends on OF + +endmenu diff --git a/drivers/bus/firewall/Makefile b/drivers/bus/firewall/Makefile new file mode 100644 index 000000000000..eb6b978d6450 --- /dev/null +++ b/drivers/bus/firewall/Makefile @@ -0,0 +1 @@ +obj-$(CONFIG_FIREWALL_CONTROLLERS) += firewall.o diff --git a/drivers/bus/firewall/firewall.c b/drivers/bus/firewall/firewall.c new file mode 100644 index 000000000000..765105d29075 --- /dev/null +++ b/drivers/bus/firewall/firewall.c @@ -0,0 +1,264 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) STMicroelectronics 2020 - All Rights Reserved + * Author: Benjamin Gaignard benjamin.gaignard@st.com for STMicroelectronics. + */ + +#include <linux/device.h> +#include <linux/firewall.h> +#include <linux/err.h> +#include <linux/init.h> +#include <linux/kernel.h> +#include <linux/list.h> +#include <linux/of.h> +#include <linux/slab.h> + +/* Mutex taken to protect firewall_list */ +static DEFINE_MUTEX(firewall_list_mutex); + +/* Global list of firewall control devices */ +static LIST_HEAD(firewall_list); + +struct firewall_ctrl { + struct list_head node; + struct device *dev; + struct firewall_ops *ops; +}; + +static struct firewall_ctrl *get_firewallctrl_from_node(struct device_node *np) +{ + struct firewall_ctrl *ctrl; + + mutex_lock(&firewall_list_mutex); + + list_for_each_entry(ctrl, &firewall_list, node) { + if (ctrl->dev->of_node == np) { + mutex_unlock(&firewall_list_mutex); + return ctrl; + } + } + + mutex_unlock(&firewall_list_mutex); + + return NULL; +} + +/** + * firewall_dt_has_default + * + * Check if the device node provide firewall configuration + * + * @dev: device with possible firewall configuration + * + * Return: true is firewall-0 property exist in the device node + */ +static bool firewall_dt_has_default(struct device *dev) +{ + struct device_node *np; + struct property *prop; + int size; + + np = dev->of_node; + if (!np) + return false; + + prop = of_find_property(np, "firewall-0", &size); + + return prop ? true : false; +} + +/** + * firewall_set_config_by_index + * + * Set a firewall controller configuration based on given index. + * + * @dev: device with firewall configuration to apply. + * @index: the index of the configuration in device node. + * + * Return: 0 if OK, -EPROBE_DEFER if waiting for firewall controller to be + * registered or negative value on other errors. + */ +int firewall_set_config_by_index(struct device *dev, int index) +{ + struct device_node *np = dev->of_node; + char *propname; + int configs, i, err = 0; + + if (!np) + return 0; + + propname = kasprintf(GFP_KERNEL, "firewall-%d", index); + configs = of_count_phandle_with_args(np, propname, "#firewall-cells"); + if (configs < 0) { + err = -EINVAL; + goto error; + } + + for (i = 0; i < configs; i++) { + struct firewall_ctrl *ctrl; + struct of_phandle_args args; + + err = of_parse_phandle_with_args(np, propname, + "#firewall-cells", + i, &args); + if (err) + goto error; + + /* Test if the controller is (or will be) available */ + if (!of_device_is_available(args.np)) { + of_node_put(args.np); + continue; + } + + ctrl = get_firewallctrl_from_node(args.np); + of_node_put(args.np); + + /* Controller is not yet registered */ + if (!ctrl) { + err = -EPROBE_DEFER; + goto error; + } + + err = ctrl->ops->set_config(ctrl->dev, &args); + if (err) + goto error; + } + +error: + kfree(propname); + return err; +} +EXPORT_SYMBOL_GPL(firewall_set_config_by_index); + +/** + * firewall_set_config_by_name + * + * Set a firwall controller configuration based on given name. + * + * @dev: device with firewall configuration to apply. + * @name: the name of the configuration in device node. + * + * Return: 0 if OK, -EPROBE_DEFER if waiting for firewall controller to be + * registered or negative value on other errors. + */ +int firewall_set_config_by_name(struct device *dev, char *name) +{ + const char *configname; + int count, i; + + count = of_property_count_strings(dev->of_node, "firewall-names"); + for (i = 0; i < count; i++) { + int err; + + err = of_property_read_string_index(dev->of_node, + "firewall-names", + i, &configname); + if (err) + return err; + + if (strcmp(name, configname)) + continue; + + return firewall_set_config_by_index(dev, i); + } + + return -EINVAL; +} +EXPORT_SYMBOL_GPL(firewall_set_config_by_name); + +/** + * firewall_set_default_config + * + * Set the default configuration for device. + * First try to apply configuration named "default", if it fails + * or doesn't exist, try to apply firewall-0 configuration. + * + * @dev: device with firewall configuration to apply. + * + * Return: 0 if OK, -EPROBE_DEFER if waiting for firewall controller to be + * registered or negative value on other errors. + */ +int firewall_set_default_config(struct device *dev) +{ + int ret; + + /* Nothing to do if device node doesn't contain at least + * one configuration + */ + if (!firewall_dt_has_default(dev)) + return 0; + + ret = firewall_set_config_by_name(dev, "default"); + if (!ret || (ret == -EPROBE_DEFER)) + return ret; + + return firewall_set_config_by_index(dev, 0); +} +EXPORT_SYMBOL_GPL(firewall_set_default_config); + +/** + * firewall_register + * + * Register a firewall controller device. + * + * @dev: device implementing firewall controller. + * @ops: firewall controller operations. + * + * Return: 0 if OK or negative value on error. + */ +int firewall_register(struct device *dev, + struct firewall_ops *ops) +{ + struct firewall_ctrl *ctrl; + + if (!dev || !ops || !ops->set_config) + return -EINVAL; + + ctrl = kzalloc(sizeof(*ctrl), GFP_KERNEL); + if (!ctrl) + return -ENOMEM; + + INIT_LIST_HEAD(&ctrl->node); + + ctrl->dev = dev; + ctrl->ops = ops; + + mutex_lock(&firewall_list_mutex); + list_add_tail(&ctrl->node, &firewall_list); + mutex_unlock(&firewall_list_mutex); + + return 0; +} +EXPORT_SYMBOL_GPL(firewall_register); + +/** + * firewall_unregister + * + * Unregister a firewall controller device. + * + * @dev: device implementing firewall controller. + */ +void firewall_unregister(struct device *dev) +{ + struct firewall_ctrl *ctrl; + + ctrl = get_firewallctrl_from_node(dev->of_node); + if (!ctrl) + return; + + mutex_lock(&firewall_list_mutex); + list_del(&ctrl->node); + mutex_unlock(&firewall_list_mutex); + + kfree(ctrl); +} +EXPORT_SYMBOL_GPL(firewall_unregister); + +static int __init firewall_init(void) +{ + pr_info("initialized bus firewall controller subsystem\n"); + return 0; +} + +/* Init early since drivers really need to configure firewall early */ +core_initcall(firewall_init); diff --git a/include/linux/firewall.h b/include/linux/firewall.h new file mode 100644 index 000000000000..67eb9985821c --- /dev/null +++ b/include/linux/firewall.h @@ -0,0 +1,70 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) STMicroelectronics 2020 - All Rights Reserved + * Author: Benjamin Gaignard benjamin.gaignard@st.com for STMicroelectronics. + */ + +#ifndef _FIREWALL_H_ +#define _FIREWALL_H_ + +#include <linux/device.h> +#include <linux/of.h> + +/** + * struct firewall_ops + * + * Firewall controller operations structure to be filled by drivers. + */ +struct firewall_ops { + /** + * @set_config: + * + * Driver callback to set a firewall configuration on a controller. + * Configuration arguments are provided in out_args parameter. + * + * Return: 0 on success, a negative error code on failure. + */ + int (*set_config)(struct device *dev, struct of_phandle_args *out_args); +}; + +#ifdef CONFIG_FIREWALL_CONTROLLERS + +int firewall_set_config_by_index(struct device *dev, int index); +int firewall_set_config_by_name(struct device *dev, char *name); +int firewall_set_default_config(struct device *dev); + +int firewall_register(struct device *dev, struct firewall_ops *ops); + +void firewall_unregister(struct device *dev); + +#else + +static inline int firewall_set_config_by_index(struct device *dev, int index) +{ + return 0; +} + +static inline int firewall_set_config_by_name(struct device *dev, char *name) +{ + return 0; +} + +static inline int firewall_set_default_config(struct device *dev) +{ + return 0; +} + +static inline int firewall_register(struct device *dev, + struct firewall_ops *ops) +{ + return 0; +} + +static inline void firewall_unregister(struct device *dev) +{ + /* Empty */ +} + +#endif + +#endif /* _FIREWALL_H_ */
On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote:
The goal of this framework is to offer an interface for the hardware blocks controlling bus accesses rights.
Bus firewall controllers are typically used to control if a hardware block can perform read or write operations on bus.
So put this in the bus-specific code that controls the bus that these devices live on. Why put it in the driver core when this is only on one "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
And really, this should just be a totally new bus type, right? And any devices on this bus should be changed to be on this new bus, and the drivers changed to support them, instead of trying to overload the platform bus with more stuff.
thanks,
greg k-h
On 1/28/20 4:52 PM, Greg KH wrote:
On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote:
The goal of this framework is to offer an interface for the hardware blocks controlling bus accesses rights.
Bus firewall controllers are typically used to control if a hardware block can perform read or write operations on bus.
So put this in the bus-specific code that controls the bus that these devices live on. Why put it in the driver core when this is only on one "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
It is really similar to what pin controller does, configuring an hardware block given DT information.
I could argue that firewalls are not bus themselves they only interact with it.
Bus firewalls exist on other SoC, I hope some others could be added in this framework. ETZPC is only the first.
And really, this should just be a totally new bus type, right? And any devices on this bus should be changed to be on this new bus, and the drivers changed to support them, instead of trying to overload the platform bus with more stuff.
I have tried to use the bus notifier to avoid to add this code at probe time but without success:
https://lkml.org/lkml/2018/2/27/300
I have also tried to disable the nodes at runtime and Mark Rutland explain me why it was wrong.
Benjamin
thanks,
greg k-h
On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 4:52 PM, Greg KH wrote:
On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote:
The goal of this framework is to offer an interface for the hardware blocks controlling bus accesses rights.
Bus firewall controllers are typically used to control if a hardware block can perform read or write operations on bus.
So put this in the bus-specific code that controls the bus that these devices live on. Why put it in the driver core when this is only on one "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
It is really similar to what pin controller does, configuring an hardware block given DT information.
Great, then use that instead :)
I could argue that firewalls are not bus themselves they only interact with it.
They live on a bus, and do so in bus-specific ways, right?
Bus firewalls exist on other SoC, I hope some others could be added in this framework. ETZPC is only the first.
Then put it on the bus it lives on, and the bus that the drivers for that device are being controlled with. That sounds like the sane place to do so, right?
And really, this should just be a totally new bus type, right? And any devices on this bus should be changed to be on this new bus, and the drivers changed to support them, instead of trying to overload the platform bus with more stuff.
I have tried to use the bus notifier to avoid to add this code at probe time but without success:
Almost 2 years ago? I can't remember something written 1 week ago...
Yes, don't abuse the notifier chain. I hate that thing as it is.
I have also tried to disable the nodes at runtime and Mark Rutland explain me why it was wrong.
The bus controller should do this, right? Why not just do it there?
thanks,
greg k-h
On 1/28/20 5:57 PM, Greg KH wrote:
On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 4:52 PM, Greg KH wrote:
On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote:
The goal of this framework is to offer an interface for the hardware blocks controlling bus accesses rights.
Bus firewall controllers are typically used to control if a hardware block can perform read or write operations on bus.
So put this in the bus-specific code that controls the bus that these devices live on. Why put it in the driver core when this is only on one "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
It is really similar to what pin controller does, configuring an hardware block given DT information.
Great, then use that instead :)
I think that Linus W. will complain if I do that :)
I could argue that firewalls are not bus themselves they only interact with it.
They live on a bus, and do so in bus-specific ways, right?
Bus firewalls exist on other SoC, I hope some others could be added in this framework. ETZPC is only the first.
Then put it on the bus it lives on, and the bus that the drivers for that device are being controlled with. That sounds like the sane place to do so, right?
If that means that all drivers have to be modified it will be problematic because not all
are specifics to the SoC.
And really, this should just be a totally new bus type, right? And any devices on this bus should be changed to be on this new bus, and the drivers changed to support them, instead of trying to overload the platform bus with more stuff.
I have tried to use the bus notifier to avoid to add this code at probe time but without success:
Almost 2 years ago? I can't remember something written 1 week ago...
Yes, don't abuse the notifier chain. I hate that thing as it is.
I have also tried to disable the nodes at runtime and Mark Rutland explain me why it was wrong.
The bus controller should do this, right? Why not just do it there?
The bus controller is a different hardware block.
thanks,
greg k-h
On Tue, Jan 28, 2020 at 08:29:45PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 5:57 PM, Greg KH wrote:
On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 4:52 PM, Greg KH wrote:
On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote:
The goal of this framework is to offer an interface for the hardware blocks controlling bus accesses rights.
Bus firewall controllers are typically used to control if a hardware block can perform read or write operations on bus.
So put this in the bus-specific code that controls the bus that these devices live on. Why put it in the driver core when this is only on one "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
It is really similar to what pin controller does, configuring an hardware block given DT information.
Great, then use that instead :)
I think that Linus W. will complain if I do that :)
I could argue that firewalls are not bus themselves they only interact with it.
They live on a bus, and do so in bus-specific ways, right?
Bus firewalls exist on other SoC, I hope some others could be added in this framework. ETZPC is only the first.
Then put it on the bus it lives on, and the bus that the drivers for that device are being controlled with. That sounds like the sane place to do so, right?
If that means that all drivers have to be modified it will be problematic because not all
are specifics to the SoC.
That's fine, we have loads of drivers that work on different types of busses.
Or, if this really is the "platform bus" then use that. (which is what I was hinting at all along but no one seems to realize that, should have been more obvious...)
And really, this should just be a totally new bus type, right? And any devices on this bus should be changed to be on this new bus, and the drivers changed to support them, instead of trying to overload the platform bus with more stuff.
I have tried to use the bus notifier to avoid to add this code at probe time but without success:
Almost 2 years ago? I can't remember something written 1 week ago...
Yes, don't abuse the notifier chain. I hate that thing as it is.
I have also tried to disable the nodes at runtime and Mark Rutland explain me why it was wrong.
The bus controller should do this, right? Why not just do it there?
The bus controller is a different hardware block.
Of course it is, but it controls a bus, and there are devices on that bus, right? Don't circumvent things please.
greg k-h
On Tue, Jan 28, 2020 at 9:30 PM Benjamin GAIGNARD benjamin.gaignard@st.com wrote:
On 1/28/20 5:57 PM, Greg KH wrote:
On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 4:52 PM, Greg KH wrote:
So put this in the bus-specific code that controls the bus that these devices live on. Why put it in the driver core when this is only on one "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
It is really similar to what pin controller does, configuring an hardware block given DT information.
Great, then use that instead :)
I think that Linus W. will complain if I do that :)
So the similarity would be something like the way that pin control states are configured in the device tree and the pin control handles are taken before probe in drivers/base/pinctrl.c embedding a hook into dd.c.
Not that it in any way controls any hardware even remotely similar to pin control. Pin control is an electronic thing, this firewalling is about bus access.
IIUC this framework wants to discover at kernel boot time whether certain devices are accessible to it or not by inspecting the state of the firewalling hardware and then avoid probing those that are inaccessible.
It needs the same deep hooks into dd.c to achieve this I believe.
Yours, Linus Walleij
On Wed, Jan 29, 2020 at 10:42:39AM +0100, Linus Walleij wrote:
On Tue, Jan 28, 2020 at 9:30 PM Benjamin GAIGNARD benjamin.gaignard@st.com wrote:
On 1/28/20 5:57 PM, Greg KH wrote:
On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 4:52 PM, Greg KH wrote:
So put this in the bus-specific code that controls the bus that these devices live on. Why put it in the driver core when this is only on one "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
It is really similar to what pin controller does, configuring an hardware block given DT information.
Great, then use that instead :)
I think that Linus W. will complain if I do that :)
So the similarity would be something like the way that pin control states are configured in the device tree and the pin control handles are taken before probe in drivers/base/pinctrl.c embedding a hook into dd.c.
Not that it in any way controls any hardware even remotely similar to pin control. Pin control is an electronic thing, this firewalling is about bus access.
IIUC this framework wants to discover at kernel boot time whether certain devices are accessible to it or not by inspecting the state of the firewalling hardware and then avoid probing those that are inaccessible.
It needs the same deep hooks into dd.c to achieve this I believe.
It just needs to be part of the bus logic for the specific bus that this "firewall" is on. Just like we do the same thing for USB or thunderbolt devices. Put this in the bus-specific code please.
thanks,
greg k-h
On Wed, Jan 29, 2020 at 10:52:40AM +0100, Greg KH wrote:
It just needs to be part of the bus logic for the specific bus that this "firewall" is on. Just like we do the same thing for USB or thunderbolt devices. Put this in the bus-specific code please.
I'd expect that this is going to affect at least platform and AMBA buses.
On 1/29/20 12:17 PM, Mark Brown wrote:
On Wed, Jan 29, 2020 at 10:52:40AM +0100, Greg KH wrote:
It just needs to be part of the bus logic for the specific bus that this "firewall" is on. Just like we do the same thing for USB or thunderbolt devices. Put this in the bus-specific code please.
I'd expect that this is going to affect at least platform and AMBA buses.
Correct me if I'm wrong but creating a new type of bus would mean
that all the drivers living on this bus must be changed to register themselves on this bus ?
Or does a solution exist to let them live on the platform bus and call firewalled bus before been probed ?
All the impacted drivers could work on the existing bus with or without the firewall so I don't want to break
that.
Benjamin
On Fri, Jan 31, 2020 at 08:37:27AM +0000, Benjamin GAIGNARD wrote:
On 1/29/20 12:17 PM, Mark Brown wrote:
On Wed, Jan 29, 2020 at 10:52:40AM +0100, Greg KH wrote:
It just needs to be part of the bus logic for the specific bus that this "firewall" is on. Just like we do the same thing for USB or thunderbolt devices. Put this in the bus-specific code please.
I'd expect that this is going to affect at least platform and AMBA buses.
Correct me if I'm wrong but creating a new type of bus would mean that all the drivers living on this bus must be changed to register themselves on this bus ?
Yes.
Or does a solution exist to let them live on the platform bus and call firewalled bus before been probed ?
Why do people want to abuse the platform bus so much? If a device is on a bus that can have such a controller, then it is on a real bus, use it!
All the impacted drivers could work on the existing bus with or without the firewall so I don't want to break
break what?
that.
Odd line-break :)
Just register the driver on both busses, no big deal.
Stop abusing the platform bus code for things that it is not for.
thanks,
greg k-h
On Fri, Jan 31, 2020 at 10:06 AM Greg KH gregkh@linuxfoundation.org wrote:
Why do people want to abuse the platform bus so much? If a device is on a bus that can have such a controller, then it is on a real bus, use it!
I'm not saying it is a good thing, but the reason why it is (ab)used so much can be found in: drivers/of/platform.c
TL;DR: struct platform_device is the Device McDeviceFace and platform bus the Bus McBusFace used by the device tree parser since it is slightly to completely unaware of what devices it is actually spawning.
And everything and its dog is using device tree in the embedded world. (A quick glance in drivers/acpi gives me the impression that ACPI is doing the very same thing but I am not a domain expert there so I am not really sure.)
Whenever a device is created from a device tree it gets spawned on either the platform bus or the amba bus. In 99 cases out of 100 it is going to be a platform_device.
In most device trees all devices ultimately spawn from the device tree and the root of absolutely everything including irq chips on the SoC, timers, PCI hosts and USB root hubs and whatnot is a platform device, because that is how the core device tree parser has chosen to spawn off devices.
This generic code goes back to commit eca3930163ba8884060ce9d9ff5ef0d9b7c7b00f "of: Merge of_platform_bus_type with platform_bus_type" where the device tree-specific bus was replaced by the platform bus. This code was then moved down to drivers/of and used in multiple architectures. Grant's patch makes perfect sense because at the time some devices were created using board files (thus platform_device) and others using device tree and having two different probe paths and driver files for this reason alone was not reasonable. The same reasoning will apply to ACPI vs device tree drivers.
What we *could* have done was to handle special devices special, like happened for AMBA PrimeCells. Mea Culpa, I suppose I am one of the guilty.
Supporting new bus types for root devices in systems described in device tree would requiring patching drivers/of/platform.c and people are afraid of that because the code there is pretty complex.
Instead platform_device is (ab)used to carry stuff over from the device tree to respective subsystem.
In some cases the struct platform_device from device tree is discarded after use, it is just left dangling in memory with no other purpose than to serve as .parent for whatever device on whatever bus we were really creating.
For some devices such as root irq_chips they serve no purpose whatsoever, they are just created and sitting around never to be probed, because the code instantiating them parse the device tree directly.
For the devices that actually probe to drive a piece of silicon, arguably a different type of device on a different bus should be created, such as (I am making this up) struct soc_device on soc_bus. (Incidentally soc_bus exists, but its current use case is not for this.)
I don't really see any better option for Benjamin or anyone else though?
The reason why it is used so much should at least be clarified now I think.
Yours, Linus Walleij
On Fri, Feb 14, 2020 at 05:05:07PM +0100, Linus Walleij wrote:
On Fri, Jan 31, 2020 at 10:06 AM Greg KH gregkh@linuxfoundation.org wrote:
Why do people want to abuse the platform bus so much? If a device is on a bus that can have such a controller, then it is on a real bus, use it!
I'm not saying it is a good thing, but the reason why it is (ab)used so much can be found in: drivers/of/platform.c
TL;DR: struct platform_device is the Device McDeviceFace and platform bus the Bus McBusFace used by the device tree parser since it is slightly to completely unaware of what devices it is actually spawning.
<snip>
Yeah, great explaination, and I understand. DT stuff really is ok to be on a platform bus, as that's what almost all of them are.
But, when you try to start messing around with things like this "firewall" says it is doing, it's then obvious that this really isn't a DT like thing, but rather you do have a bus involved with a controller so that should be used instead.
Or just filter away the DT stuff so that the kernel never even sees those devices, which might just be simplest :)
thanks,
greg k-h
On 2/14/20 10:40 PM, Greg KH wrote:
On Fri, Feb 14, 2020 at 05:05:07PM +0100, Linus Walleij wrote:
On Fri, Jan 31, 2020 at 10:06 AM Greg KH gregkh@linuxfoundation.org wrote:
Why do people want to abuse the platform bus so much? If a device is on a bus that can have such a controller, then it is on a real bus, use it!
I'm not saying it is a good thing, but the reason why it is (ab)used so much can be found in: drivers/of/platform.c
TL;DR: struct platform_device is the Device McDeviceFace and platform bus the Bus McBusFace used by the device tree parser since it is slightly to completely unaware of what devices it is actually spawning.
<snip>
Yeah, great explaination, and I understand. DT stuff really is ok to be on a platform bus, as that's what almost all of them are.
But, when you try to start messing around with things like this "firewall" says it is doing, it's then obvious that this really isn't a DT like thing, but rather you do have a bus involved with a controller so that should be used instead.
Ok but how put in place a new bus while keeping the devices on platform bus to avoid changing all the drivers ?
Or just filter away the DT stuff so that the kernel never even sees those devices, which might just be simplest :)
yes but we lost the possibility to change the firewall configuration at run time. I do expect to be able to describe in the DT firewall configuration and to use them at run time. That could allow, for example, to handover a HW block to the coprocessor when the main core is going to be suspended to save power.
Benjamin
thanks,
greg k-h
On Sat, Feb 15, 2020 at 12:41:07PM +0000, Benjamin GAIGNARD wrote:
On 2/14/20 10:40 PM, Greg KH wrote:
On Fri, Feb 14, 2020 at 05:05:07PM +0100, Linus Walleij wrote:
On Fri, Jan 31, 2020 at 10:06 AM Greg KH gregkh@linuxfoundation.org wrote:
Why do people want to abuse the platform bus so much? If a device is on a bus that can have such a controller, then it is on a real bus, use it!
I'm not saying it is a good thing, but the reason why it is (ab)used so much can be found in: drivers/of/platform.c
TL;DR: struct platform_device is the Device McDeviceFace and platform bus the Bus McBusFace used by the device tree parser since it is slightly to completely unaware of what devices it is actually spawning.
<snip>
Yeah, great explaination, and I understand. DT stuff really is ok to be on a platform bus, as that's what almost all of them are.
But, when you try to start messing around with things like this "firewall" says it is doing, it's then obvious that this really isn't a DT like thing, but rather you do have a bus involved with a controller so that should be used instead.
Ok but how put in place a new bus while keeping the devices on platform bus to avoid changing all the drivers ?
You don't, you put them all on your real bus, as that is what you now have.
Or just filter away the DT stuff so that the kernel never even sees those devices, which might just be simplest :)
yes but we lost the possibility to change the firewall configuration at run time. I do expect to be able to describe in the DT firewall configuration and to use them at run time. That could allow, for example, to handover a HW block to the coprocessor when the main core is going to be suspended to save power.
Then use a real bus :)
thanks,
greg k-h
To avoid modifying all the drivers call firewall_set_default_config before probe to apply the configuration define in device node (if any).
When unbinding the device try to apply configuration named "unbind".
Signed-off-by: Benjamin Gaignard benjamin.gaignard@st.com --- drivers/base/dd.c | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/drivers/base/dd.c b/drivers/base/dd.c index d811e60610d3..6a2153f6b19b 100644 --- a/drivers/base/dd.c +++ b/drivers/base/dd.c @@ -20,6 +20,7 @@ #include <linux/device.h> #include <linux/delay.h> #include <linux/dma-mapping.h> +#include <linux/firewall.h> #include <linux/init.h> #include <linux/module.h> #include <linux/kthread.h> @@ -521,6 +522,10 @@ static int really_probe(struct device *dev, struct device_driver *drv) re_probe: dev->driver = drv;
+ ret = firewall_set_default_config(dev); + if (ret) + goto firewall_failed; + /* If using pinctrl, bind pins now before probing */ ret = pinctrl_bind_pins(dev); if (ret) @@ -601,6 +606,8 @@ static int really_probe(struct device *dev, struct device_driver *drv) blocking_notifier_call_chain(&dev->bus->p->bus_notifier, BUS_NOTIFY_DRIVER_NOT_BOUND, dev); pinctrl_bind_failed: + firewall_set_config_by_name(dev, "unbind"); +firewall_failed: device_links_no_driver(dev); devres_release_all(dev); arch_teardown_dma_ops(dev); @@ -1135,6 +1142,8 @@ static void __device_release_driver(struct device *dev, struct device *parent)
device_links_driver_cleanup(dev);
+ firewall_set_config_by_name(dev, "unbind"); + devres_release_all(dev); arch_teardown_dma_ops(dev); dev->driver = NULL;
Document STM32 ETZPC firewall controller bindings
Signed-off-by: Benjamin Gaignard benjamin.gaignard@st.com --- version 2: - use ymal file to describe the bindings .../bindings/bus/firewall/st,stm32-etzpc.yaml | 41 ++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 Documentation/devicetree/bindings/bus/firewall/st,stm32-etzpc.yaml
diff --git a/Documentation/devicetree/bindings/bus/firewall/st,stm32-etzpc.yaml b/Documentation/devicetree/bindings/bus/firewall/st,stm32-etzpc.yaml new file mode 100644 index 000000000000..a162e31e4529 --- /dev/null +++ b/Documentation/devicetree/bindings/bus/firewall/st,stm32-etzpc.yaml @@ -0,0 +1,41 @@ +# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause) +%YAML 1.2 +--- +$id: http://devicetree.org/schemas/bus/firewall/st,stm32-etzpc.yaml# +$schema: http://devicetree.org/meta-schemas/core.yaml# + +title: STM32 Extended TrustZone Protection controller + +maintainers: + - Benjamin Gaignard benjamin.gaignard@st.com + +description: STMicroelectronics's STM32 firewall controller implementation + +allOf: + - $ref: "firewall-provider.yaml#" + +properties: + compatible: + enum: + - st,stm32-etzpc + + reg: + maxItems: 1 + + '#firewall-cells': + const: 2 + +required: + - compatible + - reg + - '#firewall-cells' + +examples: + - | + etzpc@5c007000 { + compatible = "st,stm32-etzpc"; + reg = <0x5c007000 0x400>; + #firewall-cells = <2>; + }; + +...
STM32 Extended TrustZone Protection Controller (ETZPC) got 3 possible configurations per hardware block: - secure: hardware blocks are only accessible by software running on trust zone (i.e op-tee firmware). - non-secure: hardware blocks are accessible by non-secure software (i.e. linux kernel). - coprocessor: hardware blocks are only accessible by the coprocessor.
Each hardware block status is defined by a 2 bits field and all of them are packed into 32 bits registers. ETZPC can manage up to 94 hardware blocks.
Signed-off-by: Benjamin Gaignard benjamin.gaignard@st.com --- version 2: - provide the full list the hardware blocks drivers/bus/firewall/Kconfig | 7 ++ drivers/bus/firewall/Makefile | 1 + drivers/bus/firewall/stm32-etzpc.c | 140 +++++++++++++++++++++++++ include/dt-bindings/bus/firewall/stm32-etzpc.h | 90 ++++++++++++++++ 4 files changed, 238 insertions(+) create mode 100644 drivers/bus/firewall/stm32-etzpc.c create mode 100644 include/dt-bindings/bus/firewall/stm32-etzpc.h
diff --git a/drivers/bus/firewall/Kconfig b/drivers/bus/firewall/Kconfig index 893bacb955f5..f724c09801e0 100644 --- a/drivers/bus/firewall/Kconfig +++ b/drivers/bus/firewall/Kconfig @@ -4,4 +4,11 @@ config FIREWALL_CONTROLLERS bool "Support of bus firewall controllers" depends on OF
+config STM32_ETZPC + bool "STM32 ETZPC Domain Controller" + depends on FIREWALL_CONTROLLERS && MACH_STM32MP157 + help + Select y to enable STM32 Extended TrustZone Protection + Controller (ETZPC) + endmenu diff --git a/drivers/bus/firewall/Makefile b/drivers/bus/firewall/Makefile index eb6b978d6450..d42e99b5865e 100644 --- a/drivers/bus/firewall/Makefile +++ b/drivers/bus/firewall/Makefile @@ -1 +1,2 @@ obj-$(CONFIG_FIREWALL_CONTROLLERS) += firewall.o +obj-$(CONFIG_STM32_ETZPC) += stm32-etzpc.o diff --git a/drivers/bus/firewall/stm32-etzpc.c b/drivers/bus/firewall/stm32-etzpc.c new file mode 100644 index 000000000000..39999579fe92 --- /dev/null +++ b/drivers/bus/firewall/stm32-etzpc.c @@ -0,0 +1,140 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) STMicroelectronics 2020 - All Rights Reserved + * Author: Benjamin Gaignard benjamin.gaignard@st.com for STMicroelectronics. + */ + +#include <linux/device.h> +#include <linux/firewall.h> +#include <linux/err.h> +#include <linux/init.h> +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/of.h> +#include <linux/platform_device.h> +#include <linux/regmap.h> + +#include <dt-bindings/bus/firewall/stm32-etzpc.h> + +#define ETZPC_DECPROT 0x010 +#define ETZPC_NUM_LOCKS 94 + +struct stm32_etzpc { + struct regmap_field *fields[ETZPC_NUM_LOCKS]; +}; + +static int stm32_etzpc_set_config(struct device *dev, + struct of_phandle_args *out_args) +{ + struct stm32_etzpc *etzpc = dev_get_drvdata(dev); + int index = out_args->args[0]; + unsigned int value = out_args->args[1]; + u32 status; + + if (out_args->args_count != 2) + return -EINVAL; + + if (index >= ETZPC_NUM_LOCKS) + return -EINVAL; + + if (value > STM32_ETZPC_NON_SECURE) + return -EINVAL; + + regmap_field_force_write(etzpc->fields[index], value); + + /* Hardware could denied the new value, read it back to check it */ + regmap_field_read(etzpc->fields[index], &status); + + if (value != status) { + dev_info(dev, "failed to set configuration: index %d, value %d\n", + index, value); + return -EINVAL; + } + + return 0; +} + +static struct firewall_ops stm32_etzpc_ops = { + .set_config = stm32_etzpc_set_config, +}; + +static const struct regmap_config stm32_etzpc_regmap_cfg = { + .reg_bits = 32, + .val_bits = 32, + .reg_stride = sizeof(u32), + .max_register = 0x3FF, + .fast_io = true, +}; + +static int stm32_etzpc_probe(struct platform_device *pdev) +{ + struct stm32_etzpc *etzpc; + struct resource *res; + void __iomem *mmio; + struct regmap *regmap; + int i; + + etzpc = devm_kzalloc(&pdev->dev, sizeof(*etzpc), GFP_KERNEL); + if (!etzpc) + return -ENOMEM; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + mmio = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(mmio)) + return PTR_ERR(mmio); + + regmap = devm_regmap_init_mmio(&pdev->dev, mmio, + &stm32_etzpc_regmap_cfg); + + for (i = 0; i < ETZPC_NUM_LOCKS; i++) { + struct reg_field field; + + /* + * Each hardware block status is defined by + * a 2 bits field and all of them are packed into + * 32 bits registers. Do some computation to get + * register offset and the shift. + */ + field.reg = ETZPC_DECPROT + (i >> 4) * sizeof(u32); + field.lsb = (i % 0x10) << 1; + field.msb = field.lsb + 1; + + etzpc->fields[i] = devm_regmap_field_alloc(&pdev->dev, + regmap, field); + } + + platform_set_drvdata(pdev, etzpc); + + return firewall_register(&pdev->dev, &stm32_etzpc_ops); +} + +static int stm32_etzpc_remove(struct platform_device *pdev) +{ + firewall_unregister(&pdev->dev); + + return 0; +} + +static const struct of_device_id stm32_etzpc_of_match[] = { + { .compatible = "st,stm32-etzpc" }, + { /* end node */ } +}; +MODULE_DEVICE_TABLE(of, stm32_etzpc_of_match); + +static struct platform_driver stm32_etzpc_driver = { + .probe = stm32_etzpc_probe, + .remove = stm32_etzpc_remove, + .driver = { + .name = "stm32-etzpc", + .of_match_table = stm32_etzpc_of_match, + }, +}; + +static int __init stm32_etzpc_init(void) +{ + return platform_driver_register(&stm32_etzpc_driver); +} +arch_initcall(stm32_etzpc_init); + +MODULE_AUTHOR("Benjamin Gaignard benjamin.gaignard@st.com"); +MODULE_DESCRIPTION("STMicroelectronics STM32 Bus Firewall Controller"); diff --git a/include/dt-bindings/bus/firewall/stm32-etzpc.h b/include/dt-bindings/bus/firewall/stm32-etzpc.h new file mode 100644 index 000000000000..9c4783b9783c --- /dev/null +++ b/include/dt-bindings/bus/firewall/stm32-etzpc.h @@ -0,0 +1,90 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (C) STMicroelectronics 2020 - All Rights Reserved + * Author: Benjamin Gaignard benjamin.gaignard@st.com for STMicroelectronics. + */ + +#ifndef _STM32_ETZPC_H_ +#define _STM32_ETZPC_H_ + +/* ETZPC configurations: trust-zone, non-secure or coprocessor*/ +#define STM32_ETZPC_TRUST 1 +#define STM32_ETPCZ_COPRO 2 +#define STM32_ETZPC_NON_SECURE 3 + +/* ETZPC hard blocks index */ +#define STM32_ETZPC_USART1 3 +#define STM32_ETZPC_SPI6 4 +#define STM32_ETZPC_I2C4 5 +#define STM32_ETZPC_RNG1 7 +#define STM32_ETZPC_HASH1 8 +#define STM32_ETZPC_CRYP1 9 +#define STM32_ETZPC_I2C6 12 +#define STM32_ETZPC_TIM2 16 +#define STM32_ETZPC_TIM3 17 +#define STM32_ETZPC_TIM4 18 +#define STM32_ETZPC_TIM5 19 +#define STM32_ETZPC_TIM6 20 +#define STM32_ETZPC_TIM7 21 +#define STM32_ETZPC_TIM12 22 +#define STM32_ETZPC_TIM13 23 +#define STM32_ETZPC_TIM14 24 +#define STM32_ETZPC_LPTIM1 25 +#define STM32_ETZPC_SPI2 27 +#define STM32_ETZPC_SPI3 28 +#define STM32_ETZPC_USART2 30 +#define STM32_ETZPC_USART3 31 +#define STM32_ETZPC_USART4 32 +#define STM32_ETZPC_USART5 33 +#define STM32_ETZPC_I2C1 34 +#define STM32_ETZPC_I2C2 35 +#define STM32_ETZPC_I2C3 36 +#define STM32_ETZPC_I2C5 37 +#define STM32_ETZPC_CEC 38 +#define STM32_ETZPC_DAC 39 +#define STM32_ETZPC_UART7 40 +#define STM32_ETZPC_UART8 41 +#define STM32_ETZPC_MDIOS 44 +#define STM32_ETZPC_TIM1 48 +#define STM32_ETZPC_TIM8 49 +#define STM32_ETZPC_USART6 51 +#define STM32_ETZPC_SPI1 52 +#define STM32_ETZPC_SPI4 53 +#define STM32_ETZPC_TIM15 54 +#define STM32_ETZPC_TIM16 55 +#define STM32_ETZPC_TIM17 56 +#define STM32_ETZPC_SPI5 57 +#define STM32_ETZPC_SAI1 58 +#define STM32_ETZPC_SAI2 59 +#define STM32_ETZPC_SAI3 60 +#define STM32_ETZPC_DFSDM 61 +#define STM32_ETZPC_TT_FDCAN 62 +#define STM32_ETZPC_LPTIM2 64 +#define STM32_ETZPC_LPTIM3 65 +#define STM32_ETZPC_LPTIM4 66 +#define STM32_ETZPC_LPTIM5 67 +#define STM32_ETZPC_SAI4 68 +#define STM32_ETZPC_VREFBUF 69 +#define STM32_ETZPC_DCMI 70 +#define STM32_ETZPC_CRC2 71 +#define STM32_ETZPC_ADC 72 +#define STM32_ETZPC_HASH2 73 +#define STM32_ETZPC_RNG2 74 +#define STM32_ETZPC_CRYP2 75 +#define STM32_ETZPC_SRAM1 80 +#define STM32_ETZPC_SRAM2 81 +#define STM32_ETZPC_SRAM3 82 +#define STM32_ETZPC_SRAM4 83 +#define STM32_ETZPC_RETRAM 84 +#define STM32_ETZPC_OTG 85 +#define STM32_ETZPC_SDMMC3 86 +#define STM32_ETZPC_DLYBSD3 87 +#define STM32_ETZPC_DMA1 88 +#define STM32_ETZPC_DMA2 89 +#define STM32_ETZPC_DMAMUX 90 +#define STM32_ETZPC_FMC 91 +#define STM32_ETZPC_QSPI 92 +#define STM32_ETZPC_DLYBQ 93 +#define STM32_ETZPC_ETH1 94 + +#endif /* _STM32_ETZPC_H_ */
Declare ETZPC device as a firewall controller node for stm32mp157 SoC
Signed-off-by: Benjamin Gaignard benjamin.gaignard@st.com --- arch/arm/boot/dts/stm32mp157c.dtsi | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/arch/arm/boot/dts/stm32mp157c.dtsi b/arch/arm/boot/dts/stm32mp157c.dtsi index ed8b258256d7..8a00dad9688e 100644 --- a/arch/arm/boot/dts/stm32mp157c.dtsi +++ b/arch/arm/boot/dts/stm32mp157c.dtsi @@ -1499,6 +1499,13 @@ }; };
+ etzpc: etzpc@5c007000 { + compatible = "st,stm32-etzpc"; + reg = <0x5c007000 0x400>; + #firewall-cells = <2>; + status = "okay"; + }; + i2c6: i2c@5c009000 { compatible = "st,stm32f7-i2c"; reg = <0x5c009000 0x400>;
Enable ETZPC and set configuration for CEC node
Signed-off-by: Benjamin Gaignard benjamin.gaignard@st.com --- arch/arm/boot/dts/stm32mp157c-ev1.dts | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/arch/arm/boot/dts/stm32mp157c-ev1.dts b/arch/arm/boot/dts/stm32mp157c-ev1.dts index 3789312c8539..5b72ef2a54df 100644 --- a/arch/arm/boot/dts/stm32mp157c-ev1.dts +++ b/arch/arm/boot/dts/stm32mp157c-ev1.dts @@ -6,6 +6,7 @@ /dts-v1/;
#include "stm32mp157c-ed1.dts" +#include <dt-bindings/bus/firewall/stm32-etzpc.h> #include <dt-bindings/gpio/gpio.h> #include <dt-bindings/input/input.h>
@@ -77,6 +78,7 @@ &cec { pinctrl-names = "default"; pinctrl-0 = <&cec_pins_a>; + firewall-0 = <&etzpc STM32_ETZPC_CEC STM32_ETZPC_NON_SECURE>; status = "okay"; };
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
Bus firewall framework aims to provide a kernel API to set the configuration of the harware blocks in charge of busses access control.
Framework architecture is inspirated by pinctrl framework:
- a default configuration could be applied before bind the driver. If a configuration could not be applied the driver is not bind to avoid doing accesses on prohibited regions.
- configurations could be apllied dynamically by drivers.
- device node provides the bus firewall configurations.
An example of bus firewall controller is STM32 ETZPC hardware block which got 3 possible configurations:
- trust: hardware blocks are only accessible by software running on trust zone (i.e op-tee firmware).
- non-secure: hardware blocks are accessible by non-secure software (i.e. linux kernel).
- coprocessor: hardware blocks are only accessible by the coprocessor.
Up to 94 hardware blocks of the soc could be managed by ETZPC.
/me confused. Is ETZPC accessible from the non-secure kernel space to begin with ? If so, is it allowed to configure hardware blocks as secure or trusted ? I am failing to understand the overall design of a system with ETZPC controller.
At least two other hardware blocks can take benefits of this:
- ARM TZC-400: http://infocenter.arm.com/help/topic/com.arm.doc.100325_0001_02_en/arm_corel... which is able to manage up to 8 regions in address space.
I strongly have to disagree with the above and NACK any patch trying to do so. AFAIK, no system designed has TZC with non-secure access. So we simply can't access this in the kernel and hence need no driver for the same. Please avoid adding above misleading information in future.
-- Regards, Sudeep
On 1/28/20 5:36 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
Bus firewall framework aims to provide a kernel API to set the configuration of the harware blocks in charge of busses access control.
Framework architecture is inspirated by pinctrl framework:
- a default configuration could be applied before bind the driver. If a configuration could not be applied the driver is not bind to avoid doing accesses on prohibited regions.
- configurations could be apllied dynamically by drivers.
- device node provides the bus firewall configurations.
An example of bus firewall controller is STM32 ETZPC hardware block which got 3 possible configurations:
- trust: hardware blocks are only accessible by software running on trust zone (i.e op-tee firmware).
- non-secure: hardware blocks are accessible by non-secure software (i.e. linux kernel).
- coprocessor: hardware blocks are only accessible by the coprocessor.
Up to 94 hardware blocks of the soc could be managed by ETZPC.
/me confused. Is ETZPC accessible from the non-secure kernel space to begin with ? If so, is it allowed to configure hardware blocks as secure or trusted ? I am failing to understand the overall design of a system with ETZPC controller.
Non-secure kernel could read the values set in ETZPC, if it doesn't match
with what is required by the device node the driver won't be probed.
Benjamin
At least two other hardware blocks can take benefits of this:
- ARM TZC-400: http://infocenter.arm.com/help/topic/com.arm.doc.100325_0001_02_en/arm_corel... which is able to manage up to 8 regions in address space.
I strongly have to disagree with the above and NACK any patch trying to do so. AFAIK, no system designed has TZC with non-secure access. So we simply can't access this in the kernel and hence need no driver for the same. Please avoid adding above misleading information in future.
-- Regards, Sudeep
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 5:36 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
Bus firewall framework aims to provide a kernel API to set the configuration of the harware blocks in charge of busses access control.
Framework architecture is inspirated by pinctrl framework:
- a default configuration could be applied before bind the driver. If a configuration could not be applied the driver is not bind to avoid doing accesses on prohibited regions.
- configurations could be apllied dynamically by drivers.
- device node provides the bus firewall configurations.
An example of bus firewall controller is STM32 ETZPC hardware block which got 3 possible configurations:
- trust: hardware blocks are only accessible by software running on trust zone (i.e op-tee firmware).
- non-secure: hardware blocks are accessible by non-secure software (i.e. linux kernel).
- coprocessor: hardware blocks are only accessible by the coprocessor.
Up to 94 hardware blocks of the soc could be managed by ETZPC.
/me confused. Is ETZPC accessible from the non-secure kernel space to begin with ? If so, is it allowed to configure hardware blocks as secure or trusted ? I am failing to understand the overall design of a system with ETZPC controller.
Non-secure kernel could read the values set in ETZPC, if it doesn't match with what is required by the device node the driver won't be probed.
OK, but I was under the impression that it was made clear that Linux is not firmware validation suite. The firmware need to ensure all the devices that are not accessible in the Linux kernel are marked as disabled and this needs to happen before entering the kernel. So if this is what this patch series achieves, then there is no need for it. Please stop pursuing this any further or provide any other reasons(if any) to have it. Until you have other reasons, NACK for this series.
Note you haven't cc-ed 2 people who has comments earlier[1][2] -- Regards, Sudeep
[1] https://lkml.org/lkml/2018/2/27/512 [2] https://lkml.org/lkml/2018/2/27/598
On 1/28/20 6:17 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 5:36 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
Bus firewall framework aims to provide a kernel API to set the configuration of the harware blocks in charge of busses access control.
Framework architecture is inspirated by pinctrl framework:
- a default configuration could be applied before bind the driver. If a configuration could not be applied the driver is not bind to avoid doing accesses on prohibited regions.
- configurations could be apllied dynamically by drivers.
- device node provides the bus firewall configurations.
An example of bus firewall controller is STM32 ETZPC hardware block which got 3 possible configurations:
- trust: hardware blocks are only accessible by software running on trust zone (i.e op-tee firmware).
- non-secure: hardware blocks are accessible by non-secure software (i.e. linux kernel).
- coprocessor: hardware blocks are only accessible by the coprocessor.
Up to 94 hardware blocks of the soc could be managed by ETZPC.
/me confused. Is ETZPC accessible from the non-secure kernel space to begin with ? If so, is it allowed to configure hardware blocks as secure or trusted ? I am failing to understand the overall design of a system with ETZPC controller.
Non-secure kernel could read the values set in ETZPC, if it doesn't match with what is required by the device node the driver won't be probed.
OK, but I was under the impression that it was made clear that Linux is not firmware validation suite. The firmware need to ensure all the devices that are not accessible in the Linux kernel are marked as disabled and this needs to happen before entering the kernel. So if this is what this patch series achieves, then there is no need for it. Please stop pursuing this any further or provide any other reasons(if any) to have it. Until you have other reasons, NACK for this series.
No it doesn't disable the nodes.
When the firmware disable a node before the kernel that means it change
the DTB and that is a problem when you want to sign it. With my proposal
the DTB remains the same.
Note you haven't cc-ed 2 people who has comments earlier[1][2]
I will cc them, thanks
-- Regards, Sudeep
[1] https://lkml.org/lkml/2018/2/27/512 [2] https://lkml.org/lkml/2018/2/27/598
On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
On 1/28/20 6:17 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 5:36 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
Bus firewall framework aims to provide a kernel API to set the configuration of the harware blocks in charge of busses access control.
Framework architecture is inspirated by pinctrl framework:
- a default configuration could be applied before bind the driver. If a configuration could not be applied the driver is not bind to avoid doing accesses on prohibited regions.
- configurations could be apllied dynamically by drivers.
- device node provides the bus firewall configurations.
An example of bus firewall controller is STM32 ETZPC hardware block which got 3 possible configurations:
- trust: hardware blocks are only accessible by software running on trust zone (i.e op-tee firmware).
- non-secure: hardware blocks are accessible by non-secure software (i.e. linux kernel).
- coprocessor: hardware blocks are only accessible by the coprocessor.
Up to 94 hardware blocks of the soc could be managed by ETZPC.
/me confused. Is ETZPC accessible from the non-secure kernel space to begin with ? If so, is it allowed to configure hardware blocks as secure or trusted ? I am failing to understand the overall design of a system with ETZPC controller.
Non-secure kernel could read the values set in ETZPC, if it doesn't match with what is required by the device node the driver won't be probed.
OK, but I was under the impression that it was made clear that Linux is not firmware validation suite. The firmware need to ensure all the devices that are not accessible in the Linux kernel are marked as disabled and this needs to happen before entering the kernel. So if this is what this patch series achieves, then there is no need for it. Please stop pursuing this any further or provide any other reasons(if any) to have it. Until you have other reasons, NACK for this series.
No it doesn't disable the nodes.
When the firmware disable a node before the kernel that means it change
the DTB and that is a problem when you want to sign it. With my proposal
the DTB remains the same.
???
:/
The DTB is used to pass the kernel command line, memory reservations, random seeds, and all manner of other things dynamically generated by firmware at boot-time. Apologies for being blunt but if "changing the DTB" is considered a problem then I can't help but think you're doing it wrong.
Robin.
On 1/28/20 11:06 PM, Robin Murphy wrote:
On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
On 1/28/20 6:17 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 5:36 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
Bus firewall framework aims to provide a kernel API to set the configuration of the harware blocks in charge of busses access control.
Framework architecture is inspirated by pinctrl framework:
- a default configuration could be applied before bind the driver.
If a configuration could not be applied the driver is not bind to avoid doing accesses on prohibited regions.
- configurations could be apllied dynamically by drivers.
- device node provides the bus firewall configurations.
An example of bus firewall controller is STM32 ETZPC hardware block which got 3 possible configurations:
- trust: hardware blocks are only accessible by software running
on trust zone (i.e op-tee firmware).
- non-secure: hardware blocks are accessible by non-secure
software (i.e. linux kernel).
- coprocessor: hardware blocks are only accessible by the
coprocessor. Up to 94 hardware blocks of the soc could be managed by ETZPC.
/me confused. Is ETZPC accessible from the non-secure kernel space to begin with ? If so, is it allowed to configure hardware blocks as secure or trusted ? I am failing to understand the overall design of a system with ETZPC controller.
Non-secure kernel could read the values set in ETZPC, if it doesn't match with what is required by the device node the driver won't be probed.
OK, but I was under the impression that it was made clear that Linux is not firmware validation suite. The firmware need to ensure all the devices that are not accessible in the Linux kernel are marked as disabled and this needs to happen before entering the kernel. So if this is what this patch series achieves, then there is no need for it. Please stop pursuing this any further or provide any other reasons(if any) to have it. Until you have other reasons, NACK for this series.
No it doesn't disable the nodes.
When the firmware disable a node before the kernel that means it change
the DTB and that is a problem when you want to sign it. With my proposal
the DTB remains the same.
???
:/
The DTB is used to pass the kernel command line, memory reservations, random seeds, and all manner of other things dynamically generated by firmware at boot-time. Apologies for being blunt but if "changing the DTB" is considered a problem then I can't help but think you're doing it wrong.
Yes but I would like to limit the number of cases where a firmware has to change the DTB.
With this proposal nodes remain the same and embedded the firewall configuration(s).
Until now firewall configuration is "static", the firmware disable (or remove) the nodes not accessible from Linux.
If Linux can rely on node's firewall information it could allow switch dynamically an hardware block from Linux to a coprocessor.
For example Linux could manage the display pipe configuration and when going to suspend handover the display hardware block to a coprocessor in charge a refreshing only some pixels.
Benjamin
Robin.
On 29/01/2020 1:40 pm, Benjamin GAIGNARD wrote:
On 1/28/20 11:06 PM, Robin Murphy wrote:
On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
On 1/28/20 6:17 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 5:36 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: > Bus firewall framework aims to provide a kernel API to set the > configuration > of the harware blocks in charge of busses access control. > > Framework architecture is inspirated by pinctrl framework: > - a default configuration could be applied before bind the driver. > If a configuration could not be applied the driver is not bind > to avoid doing accesses on prohibited regions. > - configurations could be apllied dynamically by drivers. > - device node provides the bus firewall configurations. > > An example of bus firewall controller is STM32 ETZPC hardware block > which got 3 possible configurations: > - trust: hardware blocks are only accessible by software running > on trust > zone (i.e op-tee firmware). > - non-secure: hardware blocks are accessible by non-secure > software (i.e. > linux kernel). > - coprocessor: hardware blocks are only accessible by the > coprocessor. > Up to 94 hardware blocks of the soc could be managed by ETZPC. > /me confused. Is ETZPC accessible from the non-secure kernel space to begin with ? If so, is it allowed to configure hardware blocks as secure or trusted ? I am failing to understand the overall design of a system with ETZPC controller.
Non-secure kernel could read the values set in ETZPC, if it doesn't match with what is required by the device node the driver won't be probed.
OK, but I was under the impression that it was made clear that Linux is not firmware validation suite. The firmware need to ensure all the devices that are not accessible in the Linux kernel are marked as disabled and this needs to happen before entering the kernel. So if this is what this patch series achieves, then there is no need for it. Please stop pursuing this any further or provide any other reasons(if any) to have it. Until you have other reasons, NACK for this series.
No it doesn't disable the nodes.
When the firmware disable a node before the kernel that means it change
the DTB and that is a problem when you want to sign it. With my proposal
the DTB remains the same.
???
:/
The DTB is used to pass the kernel command line, memory reservations, random seeds, and all manner of other things dynamically generated by firmware at boot-time. Apologies for being blunt but if "changing the DTB" is considered a problem then I can't help but think you're doing it wrong.
Yes but I would like to limit the number of cases where a firmware has to change the DTB.
Sure, but unless you can limit that number to strictly zero, then presumably the firmware must have the general capability to verify, modify, and re-sign a DTB. At that point having it also tweak the status of nodes that it wants for itself doesn't seem like a particularly big ask.
With this proposal nodes remain the same and embedded the firewall configuration(s).
Until now firewall configuration is "static", the firmware disable (or remove) the nodes not accessible from Linux.
If Linux can rely on node's firewall information it could allow switch dynamically an hardware block from Linux to a coprocessor.
For example Linux could manage the display pipe configuration and when going to suspend handover the display hardware block to a coprocessor in charge a refreshing only some pixels.
And like I'm sure I said before, the interface between Linux and the Secure environment to ultimately achieve that will almost certainly make inspecting a passive status bit in a register redundant anyway.
In the interest of being productive, though, there is another way of looking at this. If we drop the pretence that it's in any way generic or ever going to be relevant beyond certain configurations of certain STMicro SoCs, then in plain terms it's just some block of MMIO registers that have *something* to do with various other devices. At that point, the answer is just to treat it as a syscon and make the relevant drivers for those SoCs aware of it. I'm most familiar with the "General Register File" on Rockchip SoCs as a prime example of "bunch of registers that relate to the integration of various IP blocks", which manages to be supported just fine without invasive hooks in the driver core.
Robin.
On 1/31/20 7:25 PM, Robin Murphy wrote:
On 29/01/2020 1:40 pm, Benjamin GAIGNARD wrote:
On 1/28/20 11:06 PM, Robin Murphy wrote:
On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
On 1/28/20 6:17 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 5:36 PM, Sudeep Holla wrote: > On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >> Bus firewall framework aims to provide a kernel API to set the >> configuration >> of the harware blocks in charge of busses access control. >> >> Framework architecture is inspirated by pinctrl framework: >> - a default configuration could be applied before bind the driver. >> If a configuration could not be applied the driver is not >> bind >> to avoid doing accesses on prohibited regions. >> - configurations could be apllied dynamically by drivers. >> - device node provides the bus firewall configurations. >> >> An example of bus firewall controller is STM32 ETZPC hardware >> block >> which got 3 possible configurations: >> - trust: hardware blocks are only accessible by software running >> on trust >> zone (i.e op-tee firmware). >> - non-secure: hardware blocks are accessible by non-secure >> software (i.e. >> linux kernel). >> - coprocessor: hardware blocks are only accessible by the >> coprocessor. >> Up to 94 hardware blocks of the soc could be managed by ETZPC. >> > /me confused. Is ETZPC accessible from the non-secure kernel > space to > begin with ? If so, is it allowed to configure hardware blocks as > secure > or trusted ? I am failing to understand the overall design of a > system > with ETZPC controller. Non-secure kernel could read the values set in ETZPC, if it doesn't match with what is required by the device node the driver won't be probed.
OK, but I was under the impression that it was made clear that Linux is not firmware validation suite. The firmware need to ensure all the devices that are not accessible in the Linux kernel are marked as disabled and this needs to happen before entering the kernel. So if this is what this patch series achieves, then there is no need for it. Please stop pursuing this any further or provide any other reasons(if any) to have it. Until you have other reasons, NACK for this series.
No it doesn't disable the nodes.
When the firmware disable a node before the kernel that means it change
the DTB and that is a problem when you want to sign it. With my proposal
the DTB remains the same.
???
:/
The DTB is used to pass the kernel command line, memory reservations, random seeds, and all manner of other things dynamically generated by firmware at boot-time. Apologies for being blunt but if "changing the DTB" is considered a problem then I can't help but think you're doing it wrong.
Yes but I would like to limit the number of cases where a firmware has to change the DTB.
Sure, but unless you can limit that number to strictly zero, then presumably the firmware must have the general capability to verify, modify, and re-sign a DTB. At that point having it also tweak the status of nodes that it wants for itself doesn't seem like a particularly big ask.
With this proposal nodes remain the same and embedded the firewall configuration(s).
Until now firewall configuration is "static", the firmware disable (or remove) the nodes not accessible from Linux.
If Linux can rely on node's firewall information it could allow switch dynamically an hardware block from Linux to a coprocessor.
For example Linux could manage the display pipe configuration and when going to suspend handover the display hardware block to a coprocessor in charge a refreshing only some pixels.
And like I'm sure I said before, the interface between Linux and the Secure environment to ultimately achieve that will almost certainly make inspecting a passive status bit in a register redundant anyway.
It is not only about secure and non secure hardware blocks split but also about the split with the coprocessor.
The goal is to describe, in the device tree, these possible configurations to be able to use them dynamically rather than
having a static configuration. It could also help to detect misconfiguration between the firewall and the DT nodes.
In the interest of being productive, though, there is another way of looking at this. If we drop the pretence that it's in any way generic or ever going to be relevant beyond certain configurations of certain STMicro SoCs, then in plain terms it's just some block of MMIO registers that have *something* to do with various other devices. At that point, the answer is just to treat it as a syscon and make the relevant drivers for those SoCs aware of it. I'm most familiar with the "General Register File" on Rockchip SoCs as a prime example of "bunch of registers that relate to the integration of various IP blocks", which manages to be supported just fine without invasive hooks in the driver core.
I had thought to use syscon but there is some problems with that way: if the firewall hardware change the way it encode the information you have change all it customers. That would mean add in each driver a test to detect the firewall version and act accordingly. That doesn't sound reasonable to me so I decide to create an interface to abstract the firewall to avoid this problem.
I could reuse this interface in the ~40 impacted drivers (not all dedicated to STMicro SoCs) but adding it in the driver core as a generic service was making more sens for me. Note that I have take care of using a compilation flag to not impact the others architectures.
Benjamin
Robin.
On 1/29/20 5:40 AM, Benjamin GAIGNARD wrote:
On 1/28/20 11:06 PM, Robin Murphy wrote:
On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
On 1/28/20 6:17 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 5:36 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: > Bus firewall framework aims to provide a kernel API to set the > configuration > of the harware blocks in charge of busses access control. > > Framework architecture is inspirated by pinctrl framework: > - a default configuration could be applied before bind the driver. > If a configuration could not be applied the driver is not bind > to avoid doing accesses on prohibited regions. > - configurations could be apllied dynamically by drivers. > - device node provides the bus firewall configurations. > > An example of bus firewall controller is STM32 ETZPC hardware block > which got 3 possible configurations: > - trust: hardware blocks are only accessible by software running > on trust > zone (i.e op-tee firmware). > - non-secure: hardware blocks are accessible by non-secure > software (i.e. > linux kernel). > - coprocessor: hardware blocks are only accessible by the > coprocessor. > Up to 94 hardware blocks of the soc could be managed by ETZPC. > /me confused. Is ETZPC accessible from the non-secure kernel space to begin with ? If so, is it allowed to configure hardware blocks as secure or trusted ? I am failing to understand the overall design of a system with ETZPC controller.
Non-secure kernel could read the values set in ETZPC, if it doesn't match with what is required by the device node the driver won't be probed.
OK, but I was under the impression that it was made clear that Linux is not firmware validation suite. The firmware need to ensure all the devices that are not accessible in the Linux kernel are marked as disabled and this needs to happen before entering the kernel. So if this is what this patch series achieves, then there is no need for it. Please stop pursuing this any further or provide any other reasons(if any) to have it. Until you have other reasons, NACK for this series.
No it doesn't disable the nodes.
When the firmware disable a node before the kernel that means it change
the DTB and that is a problem when you want to sign it. With my proposal
the DTB remains the same.
???
:/
The DTB is used to pass the kernel command line, memory reservations, random seeds, and all manner of other things dynamically generated by firmware at boot-time. Apologies for being blunt but if "changing the DTB" is considered a problem then I can't help but think you're doing it wrong.
Yes but I would like to limit the number of cases where a firmware has to change the DTB.
With this proposal nodes remain the same and embedded the firewall configuration(s).
Until now firewall configuration is "static", the firmware disable (or remove) the nodes not accessible from Linux.
If Linux can rely on node's firewall information it could allow switch dynamically an hardware block from Linux to a coprocessor.
For example Linux could manage the display pipe configuration and when going to suspend handover the display hardware block to a coprocessor in charge a refreshing only some pixels.
OK, let's continue that example, would not it make sense then to just steal the peripheral away from Linux by ensuring that Linux is no longer running and the only thing that you need to make sure of is that either you restore the HW in the exact same that you stole it from, or that Linux is capable of refreshing its state against what the HW state was left in?
If you have a set of display pipeline drivers, on your way to suspend, you can define a protocol with the co-processor so as to signal an ownership change, and the co-processor can take control from there.
In your example, it sounds like the firewall could be meant to detect uncoordinated concurrent accesses to the same HW block between different SW/FW entities. If that is the case, this is most likely a bug and you can probably just get away with doing reporting instead of an entirely new subsystem?
On 1/31/20 9:51 PM, Florian Fainelli wrote:
On 1/29/20 5:40 AM, Benjamin GAIGNARD wrote:
On 1/28/20 11:06 PM, Robin Murphy wrote:
On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
On 1/28/20 6:17 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 5:36 PM, Sudeep Holla wrote: > On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >> Bus firewall framework aims to provide a kernel API to set the >> configuration >> of the harware blocks in charge of busses access control. >> >> Framework architecture is inspirated by pinctrl framework: >> - a default configuration could be applied before bind the driver. >> If a configuration could not be applied the driver is not bind >> to avoid doing accesses on prohibited regions. >> - configurations could be apllied dynamically by drivers. >> - device node provides the bus firewall configurations. >> >> An example of bus firewall controller is STM32 ETZPC hardware block >> which got 3 possible configurations: >> - trust: hardware blocks are only accessible by software running >> on trust >> zone (i.e op-tee firmware). >> - non-secure: hardware blocks are accessible by non-secure >> software (i.e. >> linux kernel). >> - coprocessor: hardware blocks are only accessible by the >> coprocessor. >> Up to 94 hardware blocks of the soc could be managed by ETZPC. >> > /me confused. Is ETZPC accessible from the non-secure kernel space to > begin with ? If so, is it allowed to configure hardware blocks as > secure > or trusted ? I am failing to understand the overall design of a > system > with ETZPC controller. Non-secure kernel could read the values set in ETZPC, if it doesn't match with what is required by the device node the driver won't be probed.
OK, but I was under the impression that it was made clear that Linux is not firmware validation suite. The firmware need to ensure all the devices that are not accessible in the Linux kernel are marked as disabled and this needs to happen before entering the kernel. So if this is what this patch series achieves, then there is no need for it. Please stop pursuing this any further or provide any other reasons(if any) to have it. Until you have other reasons, NACK for this series.
No it doesn't disable the nodes.
When the firmware disable a node before the kernel that means it change
the DTB and that is a problem when you want to sign it. With my proposal
the DTB remains the same.
???
:/
The DTB is used to pass the kernel command line, memory reservations, random seeds, and all manner of other things dynamically generated by firmware at boot-time. Apologies for being blunt but if "changing the DTB" is considered a problem then I can't help but think you're doing it wrong.
Yes but I would like to limit the number of cases where a firmware has to change the DTB.
With this proposal nodes remain the same and embedded the firewall configuration(s).
Until now firewall configuration is "static", the firmware disable (or remove) the nodes not accessible from Linux.
If Linux can rely on node's firewall information it could allow switch dynamically an hardware block from Linux to a coprocessor.
For example Linux could manage the display pipe configuration and when going to suspend handover the display hardware block to a coprocessor in charge a refreshing only some pixels.
OK, let's continue that example, would not it make sense then to just steal the peripheral away from Linux by ensuring that Linux is no longer running and the only thing that you need to make sure of is that either you restore the HW in the exact same that you stole it from, or that Linux is capable of refreshing its state against what the HW state was left in?
If you have a set of display pipeline drivers, on your way to suspend, you can define a protocol with the co-processor so as to signal an ownership change, and the co-processor can take control from there.
To handover a hardware block to the co-processor we need to inform it and change the firewall configuration. My proposal only aim to cover this last point by describing in the device tree the possible configuration. The example I had mind is how the pinctrl framework is working with it states so doing something like changing firewall configuration and then inform the co-processor in suspend function.
In your example, it sounds like the firewall could be meant to detect uncoordinated concurrent accesses to the same HW block between different SW/FW entities. If that is the case, this is most likely a bug and you can probably just get away with doing reporting instead of an entirely new subsystem?
Prohibited accesses, most of the time, generate an abort on the bus so your platform just crash and yes it is a bug. This new subsystem won't change that, it only allow to describe and dynamically set a configuration for DT information rather doing that for type of firewall.
Benjamin
On 1/28/20 12:06 PM, Benjamin GAIGNARD wrote:
On 1/28/20 6:17 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
On 1/28/20 5:36 PM, Sudeep Holla wrote:
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
Bus firewall framework aims to provide a kernel API to set the configuration of the harware blocks in charge of busses access control.
Framework architecture is inspirated by pinctrl framework:
- a default configuration could be applied before bind the driver. If a configuration could not be applied the driver is not bind to avoid doing accesses on prohibited regions.
- configurations could be apllied dynamically by drivers.
- device node provides the bus firewall configurations.
An example of bus firewall controller is STM32 ETZPC hardware block which got 3 possible configurations:
- trust: hardware blocks are only accessible by software running on trust zone (i.e op-tee firmware).
- non-secure: hardware blocks are accessible by non-secure software (i.e. linux kernel).
- coprocessor: hardware blocks are only accessible by the coprocessor.
Up to 94 hardware blocks of the soc could be managed by ETZPC.
/me confused. Is ETZPC accessible from the non-secure kernel space to begin with ? If so, is it allowed to configure hardware blocks as secure or trusted ? I am failing to understand the overall design of a system with ETZPC controller.
Non-secure kernel could read the values set in ETZPC, if it doesn't match with what is required by the device node the driver won't be probed.
OK, but I was under the impression that it was made clear that Linux is not firmware validation suite. The firmware need to ensure all the devices that are not accessible in the Linux kernel are marked as disabled and this needs to happen before entering the kernel. So if this is what this patch series achieves, then there is no need for it. Please stop pursuing this any further or provide any other reasons(if any) to have it. Until you have other reasons, NACK for this series.
No it doesn't disable the nodes.
When the firmware disable a node before the kernel that means it change
the DTB and that is a problem when you want to sign it. With my proposal
the DTB remains the same.
Could you use an overlay then which is the result of the firewalling results by your firewall block, which is smaller than the main SoC/board DTB and can be easily audited not to accidentally enable blocks, but only disable them by adding/changing the respective "status" property. Worst case, your driver probes, has been firewalled and this is not reflected in the DTB, you get a bus error, or a hang, or however it gets implemented.
Like Robin and Sudeep here, I do not understand why the kernel should have any business in this, let alone allowing blocks to change owners, that sounds contrary to the purpose of a firewall being controlled under an untrusted entity (Linux).
On Fri, Jan 31, 2020 at 12:48:33PM -0800, Florian Fainelli wrote:
Like Robin and Sudeep here, I do not understand why the kernel should have any business in this, let alone allowing blocks to change owners, that sounds contrary to the purpose of a firewall being controlled under an untrusted entity (Linux).
Can we rely on there being a more trusted level of software than Linux on a system? It wasn't standard to have anything on 32 bit Arm systems as far as I remember so you could end up with some IP blocks intended to support TrustZone sitting idle.
system-dt@lists.openampproject.org
-
Benjamin GAIGNARD -
Benjamin Gaignard
-
Florian Fainelli -
Greg KH -
Linus Walleij -
Mark Brown -
Robin Murphy -
Sudeep Holla