Date:	Mon, 24 Aug 2015 18:17:17 +0100
From:	Marc Zyngier <marc.zyngier@....com>
To:	Qais Yousef <qais.yousef@...tec.com>,
	Thomas Gleixner <tglx@...utronix.de>
CC:	"alsa-devel@...a-project.org" <alsa-devel@...a-project.org>,
	Jason Cooper <jason@...edaemon.net>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-mips@...ux-mips.org" <linux-mips@...ux-mips.org>,
	Mark Rutland <Mark.Rutland@....com>
Subject: Re: [PATCH 01/10] irqchip: irq-mips-gic: export gic_send_ipi

[adding Mark Rutland, as this is heading straight into uncharted DT
territory]

On 24/08/15 17:39, Qais Yousef wrote:
> On 08/24/2015 04:07 PM, Thomas Gleixner wrote:
>> On Mon, 24 Aug 2015, Qais Yousef wrote:
>>> On 08/24/2015 02:32 PM, Marc Zyngier wrote:
>>>> I'd rather see something more "architected" than this blind export, or
>>>> at least some level of filtering (the idea random drivers can access
>>>> such a low-level function doesn't make me feel very good).
>>> I don't know how to architect this better or how to perform the filtering,
>>> but I'm happy to hear suggestions and try them out.
>>> Keep in mind that detecting GIC and writing your own gic_send_ipi() is very
>>> simple. I have done this when the driver was out of tree. So restricting it by
>>> not exporting it will not prevent someone from really accessing the
>>> functionality, it's just they have to do it their own way.
>> Keep in mind that we are not talking about out of tree hackery. We
>> talk about a kernel code submission and I doubt, that you will get
>> away with a GIC detection/fiddling buried in your driver code.
>>
>> Keep in mind that just slapping an export to some random function is
>> not much better than doing a GIC hack in the driver.
>>
>> Marc's concerns about blindly exposing IPI functionality to drivers are
>> well justified and that kind of coprocessor stuff is not unique to
>> your particular SoC. We're going to see such things more frequently in
>> the not so distant future, so we better think now about proper
>> solutions to that problem.
> 
> Sure I'm not trying to argue against that.
> 
>>
>> There are a couple of issues to solve:
>>
>> 1) How is the IPI which is received by the coprocessor reserved in the
>>     system?
>>
>> 2) How is it associated to a particular driver?
> 
> Shouldn't 'interrupts' property in DT take care of these 2 questions? 
> Maybe we can give it an alias name to make it more readable that this 
> interrupt is requested for external IPI.

The "interrupts" property has a rather different meaning, and isn't
designed to hardcode IPIs. Also, this property describes an interrupt
from a device to the CPU, not the other way around (I imagine you also
have an interrupt coming from the AXD to the CPU, possibly using an IPI
too).

We can deal with these issues, but that's not something we can improvise.

What I had in mind was something fairly generic:
- interrupt-source: something generating an interrupt
- interrupt-sink: something being targeted by an interrupt

You could then express things like:

intc: interrupt-controller@...0 {
	interrupt-controller;
};

mydevice@...00000 {
	interrupt-source = <&intc INT_SPEC 2 &inttarg1 &inttarg1>;
};

inttarg1: mydevice@...00000 {
	interrupt-sink = <&intc HWAFFINITY1>;
};

inttarg2: cpu@1 {
	interrupt-sink = <&intc HWAFFINITY2>;
};

You could also imagine having CPUs being both source and sink.

>>
>> 3) How do we ensure that a driver cannot issue random IPIs and can
>>     only send the associated ones?
> 
> If we get the irq number from DT then I'm not sure how feasible it is to 
> implement a generic_send_ipi() function that takes this number to 
> generate an IPI.
> 
> Do you think this approach would work?

If you follow the above approach, it should be pretty easy to derive a
source identifier and a sink identifier from the DT, and have the core
code route one to the other and do the right thing.

The source identifier could also be used to describe an IPI in a fairly
safe way (the target being fixed by DT, but the actual number used
dynamically allocated by the kernel).

This is just a 10 minutes braindump, so feel free to throw rocks at it
and to come up with a better solution! :-)

Thanks,

	M.
-- 
Jazz is not dead. It just smells funny...
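
An added example, not part of the original message and not kernel code: a small userspace C model of the three issues raised in the thread (reserving an IPI, binding it to one source, and refusing sends from anyone else), with the hardware number picked by the core rather than by the driver. The names ipi_reserve, ipi_send and struct ipi_route, the node names and HWIRQ_BASE are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ROUTES 8
#define HWIRQ_BASE 32            /* constructed value, not a real GIC number */
enum { IPI_EINVAL = -1, IPI_EPERM = -2, IPI_EBUSY = -3 };

/* One reserved source -> sink route (hypothetical model, not a kernel type). */
struct ipi_route {
    const char *source;          /* node carrying interrupt-source */
    const char *sink;            /* node carrying interrupt-sink, fixed at reserve time */
    int hwirq;                   /* picked by the core, never by the driver */
};

static struct ipi_route routes[MAX_ROUTES];
static int nroutes;

/* Issues 1 and 2: reserve an IPI and bind it to one source. Returns a handle. */
int ipi_reserve(const char *source, const char *sink)
{
    if (!source || !sink)
        return IPI_EINVAL;
    for (int i = 0; i < nroutes; i++)
        if (!strcmp(routes[i].source, source) && !strcmp(routes[i].sink, sink))
            return IPI_EBUSY;    /* route already reserved */
    if (nroutes == MAX_ROUTES)
        return IPI_EBUSY;        /* no free IPI left */
    routes[nroutes] = (struct ipi_route){ source, sink, HWIRQ_BASE + nroutes };
    return nroutes++;
}

/* Issue 3: only the reserving source may trigger the route.
 * Returns the hwirq that would be raised, or a negative error. */
int ipi_send(const char *caller, int handle)
{
    if (!caller || handle < 0 || handle >= nroutes)
        return IPI_EINVAL;
    if (strcmp(routes[handle].source, caller) != 0)
        return IPI_EPERM;        /* caller does not own this IPI */
    return routes[handle].hwirq;
}

int main(void)
{
    int h = ipi_reserve("axd-driver", "axd-coprocessor");   /* constructed names */
    printf("owner send  -> %d\n", ipi_send("axd-driver", h));
    printf("other send  -> %d\n", ipi_send("other-driver", h));
    return 0;
}
```

In a real kernel the caller's identity would come from the device the route was reserved for rather than from a string the caller supplies.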