| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Jun 2013 14:22:08 +0530 From: Jassi Brar <jassisinghbrar@...il.com> To: Alexandre Courbot <gnurou@...il.com> Cc: Alexandre Courbot <acourbot@...dia.com>, Stephen Warren <swarren@...dotorg.org>, Joseph Lo <josephl@...dia.com>, Karan Jhavar <kjhavar@...dia.com>, Varun Wadekar <vwadekar@...dia.com>, Chris Johnson <CJohnson@...dia.com>, Matthew Longnecker <MLongnecker@...dia.com>, "devicetree-discuss@...ts.ozlabs.org" <devicetree-discuss@...ts.ozlabs.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, "linux-tegra@...r.kernel.org" <linux-tegra@...r.kernel.org>, "linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org> Subject: Re: [PATCH] ARM: tegra: add basic SecureOS support On Fri, Jun 7, 2013 at 12:43 PM, Alexandre Courbot <gnurou@...il.com> wrote: > On Thu, Jun 6, 2013 at 9:26 PM, Jassi Brar <jassisinghbrar@...il.com> wrote: >> On Thu, Jun 6, 2013 at 12:58 PM, Alexandre Courbot <acourbot@...dia.com> wrote: >>> Boot loaders on some Tegra devices can be unlocked but do not let the >>> system operate without SecureOS. SecureOS prevents access to some >>> registers and requires the operating system to perform certain >>> operations through Secure Monitor Calls instead of directly accessing >>> the hardware. >>> >> IOW, some critical h/w controls on Tegra are accessible only from >> Secure mode (not unusual). So if we(Linux) run in NS mode we need to >> make calls to the SecureOS, over SMC, to do things for us? > > Exactly. > OK so this just an instance of a situation that is going to be more common in future - most modern cpus (CortexA based at least) support TrustZone and it's a matter of device functionality before a board designer chucks the Linux kernel (that we usually run in Secure mode while development) into NS mode and have some SecureOS/TrustedOS/Hypervisor et al control access to the secure peripherals from Secure Mode. >>> This patch introduces basic SecureOS support for Tegra. SecureOS support >>> can be enabled by adding a "nvidia,secure-os" property to the "chosen" >>> node of the device tree. >>> >> Probably just a nit, but shouldn't it be "nvidia,nonsecure-os" >> instead, denoting the mode Linux is going to run? (and then I wonder >> if we could detect the mode (S or NS) at runtime and avoid this flag >> at all). > > Detection of the secure mode at runtime would only solve half of the > issue: we would know that we are running in non-secure mode, but we > would still not know what monitor is operating. Detecting that part is > impossible AFAIK, so I'm afraid we need to pass that information > through the DT here. > Yes, Stephen's suggestion is far more generally applicable. We should go for it, just bearing in mind that ABI need and type is going to be board specific. Cheers, -Jassi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists