lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <19c52bda-aaaa-f67d-3627-d5a303386dae@roeck-us.net>
Date:   Sun, 3 Mar 2019 18:45:45 -0800
From:   Guenter Roeck <linux@...ck-us.net>
To:     Anson Huang <anson.huang@....com>
Cc:     "catalin.marinas@....com" <catalin.marinas@....com>,
        "will.deacon@....com" <will.deacon@....com>,
        "wim@...ux-watchdog.org" <wim@...ux-watchdog.org>,
        "shawnguo@...nel.org" <shawnguo@...nel.org>,
        "s.hauer@...gutronix.de" <s.hauer@...gutronix.de>,
        "kernel@...gutronix.de" <kernel@...gutronix.de>,
        "festevam@...il.com" <festevam@...il.com>,
        Andy Gross <andy.gross@...aro.org>,
        "heiko@...ech.de" <heiko@...ech.de>,
        "horms+renesas@...ge.net.au" <horms+renesas@...ge.net.au>,
        "arnd@...db.de" <arnd@...db.de>, "olof@...om.net" <olof@...om.net>,
        "bjorn.andersson@...aro.org" <bjorn.andersson@...aro.org>,
        "jagan@...rulasolutions.com" <jagan@...rulasolutions.com>,
        "enric.balletbo@...labora.com" <enric.balletbo@...labora.com>,
        "marc.w.gonzalez@...e.fr" <marc.w.gonzalez@...e.fr>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-watchdog@...r.kernel.org" <linux-watchdog@...r.kernel.org>,
        dl-linux-imx <linux-imx@....com>
Subject: Re: [PATCH V5 1/2] watchdog: imx_sc: Add i.MX system controller
 watchdog support

On 3/3/19 5:32 PM, Anson Huang wrote:
> Hi, Guenter
> 
> Best Regards!
> Anson Huang
> 
>> -----Original Message-----
>> From: Guenter Roeck [mailto:groeck7@...il.com] On Behalf Of Guenter
>> Roeck
>> Sent: 2019年3月2日 2:32
>> To: Anson Huang <anson.huang@....com>
>> Cc: catalin.marinas@....com; will.deacon@....com; wim@...ux-
>> watchdog.org; shawnguo@...nel.org; s.hauer@...gutronix.de;
>> kernel@...gutronix.de; festevam@...il.com; Andy Gross
>> <andy.gross@...aro.org>; heiko@...ech.de; horms+renesas@...ge.net.au;
>> arnd@...db.de; olof@...om.net; bjorn.andersson@...aro.org;
>> jagan@...rulasolutions.com; enric.balletbo@...labora.com;
>> marc.w.gonzalez@...e.fr; linux-arm-kernel@...ts.infradead.org; linux-
>> kernel@...r.kernel.org; linux-watchdog@...r.kernel.org; dl-linux-imx
>> <linux-imx@....com>
>> Subject: Re: [PATCH V5 1/2] watchdog: imx_sc: Add i.MX system controller
>> watchdog support
>>
>> On Fri, Mar 01, 2019 at 06:35:31AM +0000, Anson Huang wrote:
>>> i.MX8QXP is an ARMv8 SoC which has a Cortex-M4 system controller
>>> inside, the system controller is in charge of controlling power, clock
>>> and watchdog etc..
>>>
>>> This patch adds i.MX system controller watchdog driver support,
>>> watchdog operation needs to be done in secure EL3 mode via
>>> ARM-Trusted-Firmware, using SMC call, CPU will trap into
>>> ARM-Trusted-Firmware and then it will request system controller to do
>>> watchdog operation via IPC.
>>>
>>> Signed-off-by: Anson Huang <Anson.Huang@....com>
>>> ---
>>> Changes since V4:
>>> 	- change the module build dependency as depends on IMX_SCU and
>> HAVE_ARM_SMCCC, as this
>>> 	  driver is ONLY for i.MX SoC with SCU inside and it uses ARM SMC call.
>>> ---
>>>   drivers/watchdog/Kconfig      |  14 +++
>>>   drivers/watchdog/Makefile     |   1 +
>>>   drivers/watchdog/imx_sc_wdt.c | 201
>>> ++++++++++++++++++++++++++++++++++++++++++
>>>   3 files changed, 216 insertions(+)
>>>   create mode 100644 drivers/watchdog/imx_sc_wdt.c
>>>
>>> diff --git a/drivers/watchdog/Kconfig b/drivers/watchdog/Kconfig index
>>> 65c3c42..a6bfa54 100644
>>> --- a/drivers/watchdog/Kconfig
>>> +++ b/drivers/watchdog/Kconfig
>>> @@ -625,6 +625,20 @@ config IMX2_WDT
>>>   	  To compile this driver as a module, choose M here: the
>>>   	  module will be called imx2_wdt.
>>>
>>> +config IMX_SC_WDT
>>> +	tristate "IMX SC Watchdog"
>>> +	depends on IMX_SCU
>>> +	depends on HAVE_ARM_SMCCC
>>> +	select WATCHDOG_CORE
>>> +	help
>>> +	  This is the driver for the system controller watchdog
>>> +	  on the NXP i.MX SoCs with system controller inside.
>>> +	  If you have one of these processors and wish to have
>>> +	  watchdog support enabled, say Y, otherwise say N.
>>> +
>>> +	  To compile this driver as a module, choose M here: the
>>> +	  module will be called imx_sc_wdt.
>>> +
>>>   config UX500_WATCHDOG
>>>   	tristate "ST-Ericsson Ux500 watchdog"
>>>   	depends on MFD_DB8500_PRCMU
>>> diff --git a/drivers/watchdog/Makefile b/drivers/watchdog/Makefile
>>> index 4e78a8c..0c9da63 100644
>>> --- a/drivers/watchdog/Makefile
>>> +++ b/drivers/watchdog/Makefile
>>> @@ -68,6 +68,7 @@ obj-$(CONFIG_NUC900_WATCHDOG) +=
>> nuc900_wdt.o
>>>   obj-$(CONFIG_TS4800_WATCHDOG) += ts4800_wdt.o
>>>   obj-$(CONFIG_TS72XX_WATCHDOG) += ts72xx_wdt.o
>>>   obj-$(CONFIG_IMX2_WDT) += imx2_wdt.o
>>> +obj-$(CONFIG_IMX_SC_WDT) += imx_sc_wdt.o
>>>   obj-$(CONFIG_UX500_WATCHDOG) += ux500_wdt.o
>>>   obj-$(CONFIG_RETU_WATCHDOG) += retu_wdt.o
>>>   obj-$(CONFIG_BCM2835_WDT) += bcm2835_wdt.o diff --git
>>> a/drivers/watchdog/imx_sc_wdt.c b/drivers/watchdog/imx_sc_wdt.c new
>>> file mode 100644 index 0000000..50b49b2
>>> --- /dev/null
>>> +++ b/drivers/watchdog/imx_sc_wdt.c
>>> @@ -0,0 +1,201 @@
>>> +// SPDX-License-Identifier: GPL-2.0
>>> +/*
>>> + * Copyright 2018-2019 NXP.
>>> + */
>>> +
>>> +#include <linux/arm-smccc.h>
>>> +#include <linux/io.h>
>>> +#include <linux/init.h>
>>> +#include <linux/kernel.h>
>>> +#include <linux/module.h>
>>> +#include <linux/moduleparam.h>
>>> +#include <linux/of.h>
>>
>> Should no longer be needed.
> 
> Correct, I will remove it.
> 
>>
>>> +#include <linux/platform_device.h>
>>> +#include <linux/reboot.h>
>>> +#include <linux/watchdog.h>
>>> +
>>> +#define DEFAULT_TIMEOUT 60
>>> +/*
>>> + * Software timer tick implemented in scfw side, support 10ms to
>>> +0xffffffff ms
>>> + * in theory, but for normal case, 1s~128s is enough, you can change
>>> +this max
>>> + * value in case it's not enough.
>>> + */
>>> +#define MAX_TIMEOUT 128
>>> +
>>> +#define IMX_SIP_TIMER			0xC2000002
>>> +#define IMX_SIP_TIMER_START_WDOG		0x01
>>> +#define IMX_SIP_TIMER_STOP_WDOG		0x02
>>> +#define IMX_SIP_TIMER_SET_WDOG_ACT	0x03
>>> +#define IMX_SIP_TIMER_PING_WDOG		0x04
>>> +#define IMX_SIP_TIMER_SET_TIMEOUT_WDOG	0x05
>>> +#define IMX_SIP_TIMER_GET_WDOG_STAT	0x06
>>> +#define IMX_SIP_TIMER_SET_PRETIME_WDOG	0x07
>>> +
>>> +#define SC_TIMER_WDOG_ACTION_PARTITION	0
>>> +
>>> +static bool nowayout = WATCHDOG_NOWAYOUT;
>> module_param(nowayout,
>>> +bool, 0000); MODULE_PARM_DESC(nowayout, "Watchdog cannot be
>> stopped
>>> +once started (default="
>>> +		 __MODULE_STRING(WATCHDOG_NOWAYOUT) ")");
>>> +
>>> +static unsigned int timeout = DEFAULT_TIMEOUT; module_param(timeout,
>>> +uint, 0000); MODULE_PARM_DESC(timeout, "Watchdog timeout in
>> seconds
>>> +(default="
>>> +		 __MODULE_STRING(DEFAULT_TIMEOUT) ")");
>>> +
>>> +static struct platform_device *imx_sc_wdt_pdev;
>>> +
>>> +static int imx_sc_wdt_ping(struct watchdog_device *wdog) {
>>> +	struct arm_smccc_res res;
>>> +
>>> +	arm_smccc_smc(IMX_SIP_TIMER, IMX_SIP_TIMER_PING_WDOG,
>>> +		      0, 0, 0, 0, 0, 0, &res);
>>> +
>>> +	return 0;
>>> +}
>>> +
>>> +static int imx_sc_wdt_start(struct watchdog_device *wdog) {
>>> +	struct arm_smccc_res res;
>>> +
>>> +	arm_smccc_smc(IMX_SIP_TIMER, IMX_SIP_TIMER_START_WDOG,
>>> +		      0, 0, 0, 0, 0, 0, &res);
>>> +	if (res.a0)
>>> +		return -EACCES;
>>> +
>>> +	arm_smccc_smc(IMX_SIP_TIMER, IMX_SIP_TIMER_SET_WDOG_ACT,
>>> +		      SC_TIMER_WDOG_ACTION_PARTITION,
>>> +		      0, 0, 0, 0, 0, &res);
>>> +	return res.a0 ? -EACCES : 0;
>>> +}
>>> +
>>> +static int imx_sc_wdt_stop(struct watchdog_device *wdog) {
>>> +	struct arm_smccc_res res;
>>> +
>>> +	arm_smccc_smc(IMX_SIP_TIMER, IMX_SIP_TIMER_STOP_WDOG,
>>> +		      0, 0, 0, 0, 0, 0, &res);
>>> +
>>> +	return res.a0 ? -EACCES : 0;
>>> +}
>>> +
>>> +static int imx_sc_wdt_set_timeout(struct watchdog_device *wdog,
>>> +				unsigned int timeout)
>>> +{
>>> +	struct arm_smccc_res res;
>>> +
>>> +	wdog->timeout = timeout;
>>> +	arm_smccc_smc(IMX_SIP_TIMER,
>> IMX_SIP_TIMER_SET_TIMEOUT_WDOG,
>>> +		      timeout * 1000, 0, 0, 0, 0, 0, &res);
>>> +
>>> +	return res.a0 ? -EACCES : 0;
>>> +}
>>> +
>>> +static const struct watchdog_ops imx_sc_wdt_ops = {
>>> +	.owner = THIS_MODULE,
>>> +	.start = imx_sc_wdt_start,
>>> +	.stop  = imx_sc_wdt_stop,
>>> +	.ping  = imx_sc_wdt_ping,
>>> +	.set_timeout = imx_sc_wdt_set_timeout, };
>>> +
>>> +static const struct watchdog_info imx_sc_wdt_info = {
>>> +	.identity	= "i.MX SC watchdog timer",
>>> +	.options	= WDIOF_SETTIMEOUT | WDIOF_KEEPALIVEPING |
>>> +			  WDIOF_MAGICCLOSE | WDIOF_PRETIMEOUT, };
>>> +
>>> +static int imx_sc_wdt_probe(struct platform_device *pdev) {
>>> +	struct watchdog_device *imx_sc_wdd;
>>> +	int ret;
>>> +
>>> +	imx_sc_wdd = devm_kzalloc(&pdev->dev, sizeof(*imx_sc_wdd),
>> GFP_KERNEL);
>>> +	if (!imx_sc_wdd)
>>> +		return -ENOMEM;
>>> +
>>> +	platform_set_drvdata(pdev, imx_sc_wdd);
>>> +
>>> +	imx_sc_wdd->info = &imx_sc_wdt_info;
>>> +	imx_sc_wdd->ops = &imx_sc_wdt_ops;
>>> +	imx_sc_wdd->min_timeout = 1;
>>> +	imx_sc_wdd->max_timeout = MAX_TIMEOUT;
>>> +	imx_sc_wdd->parent = &pdev->dev;
>>> +	imx_sc_wdd->timeout = DEFAULT_TIMEOUT;
>>> +
>>> +	ret = watchdog_init_timeout(imx_sc_wdd, timeout, &pdev->dev);
>>> +	if (ret)
>>> +		dev_warn(&pdev->dev, "Failed to set timeout value, using
>>> +default\n");
>>> +
>>> +	watchdog_stop_on_reboot(imx_sc_wdd);
>>> +	watchdog_stop_on_unregister(imx_sc_wdd);
>>> +
>>> +	ret = devm_watchdog_register_device(&pdev->dev, imx_sc_wdd);
>>> +	if (ret) {
>>> +		dev_err(&pdev->dev, "Failed to register watchdog device\n");
>>> +		return ret;
>>> +	}
>>> +
>>> +	return 0;
>>> +}
>>> +
>>> +static int __maybe_unused imx_sc_wdt_suspend(struct device *dev) {
>>> +	struct watchdog_device *imx_sc_wdd = dev_get_drvdata(dev);
>>> +
>>> +	if (watchdog_active(imx_sc_wdd))
>>> +		imx_sc_wdt_stop(imx_sc_wdd);
>>> +
>>> +	return 0;
>>> +}
>>> +
>>> +static int __maybe_unused imx_sc_wdt_resume(struct device *dev) {
>>> +	struct watchdog_device *imx_sc_wdd = dev_get_drvdata(dev);
>>> +
>>> +	if (watchdog_active(imx_sc_wdd))
>>> +		imx_sc_wdt_start(imx_sc_wdd);
>>> +
>>> +	return 0;
>>> +}
>>> +
>>> +static SIMPLE_DEV_PM_OPS(imx_sc_wdt_pm_ops,
>>> +			 imx_sc_wdt_suspend, imx_sc_wdt_resume);
>>> +
>>> +static struct platform_driver imx_sc_wdt_driver = {
>>> +	.probe		= imx_sc_wdt_probe,
>>> +	.driver		= {
>>> +		.name	= "imx-sc-wdt",
>>> +		.pm	= &imx_sc_wdt_pm_ops,
>>> +	},
>>> +};
>>> +
>>> +static int __init imx_sc_wdt_init(void) {
>>> +	int ret;
>>> +
>>> +	ret = platform_driver_register(&imx_sc_wdt_driver);
>>> +	if (ret)
>>> +		return ret;
>>> +
>>> +	imx_sc_wdt_pdev = platform_device_register_simple("imx-sc-wdt", -
>> 1, NULL, 0);
>>> +	if (IS_ERR(imx_sc_wdt_pdev)) {
>>> +		platform_driver_unregister(&imx_sc_wdt_driver);
>>> +		return PTR_ERR(imx_sc_wdt_pdev);
>>> +	}
>>
>> I just realized what you are doing here. So the watchdog will always be
>> instantiated if/when the module is loaded. I don't think that was the idea,
>> and it seems to be risky. What happens if someone loads the module on a
>> system where the watchdog is not supported ? There maye be lots of "Access
>> Denied" errors, or something undefined may happen.
> 
> I thought the "depends on IMX_SCU" was already added in Kconfig, that means
> the module will be ONLY built with IMX_SCU enabled, and watchdog will be always
> enabled if IMX_SCU is enabled. Is it safe enough?
> 
No. The driver will be built with arm64:defconfig, meaning it will be built
for all arm64 systems using defconfig. Any such system will have the
driver installed as module, and nothing will prevent the user from
running modprobe. But even if it wasn't enabled with defconfig, we must
not instantiate the driver on an arbitrary system.

>>
>> Is everyone on Cc: ok with this ? Is this how we handle instantiations
>> nowadays ?  Or should the driver be instantiated from imx_scu_probe() in
>> drivers/firmware/imx/imx-scu.c ?
>>
>> Sorry if the answer is obvious, but I am still struggling with "no more
>> instantiations through devicetree".
>>
>> If the driver is auto-instantiated when the module is loaded, as currently
>> written, there needs to be some check if it is actually supported, possibly in
>> imx_sc_wdt_init() or, if that is not possible, in the probe function. I don't like
>> that, but it would at least prevent the module from being loaded when the
>> hardware is not supported.
> 
> Other modules depend on the IMX_SCU IPC will have defer probe there to make
> sure IMX_SCU driver is ready for IPC handle, since watchdog driver ONLY uses
> ARM SMC but no IPC call, so I did NOT add the defer probe handle here, so if adding
> it can answer your question/concern, then I can add it, although I think the dependency
> in Kconfig should be good here. Without SCU firmware ready, the SoC does NOT boot
> up A core with ATF/Linux at all.
> 
That has nothing to do with deferred probing. My concern is that the driver will
be instantiated just by loading it, no matter if the hardware supporting it
is present or not.

Having a devicetree node would have prevented that since it instantiates the
child drivers with devm_of_platform_populate() in imx_scu_probe(). The
equivalent is to register the platform device from imx_scu_probe().
That is the only means to prevent the driver from being instantiated where
it shouldn't. As mentioned before, I would have preferred the devicetree method,
but having it no longer available doesn't mean that we should add risky code.

Maybe you can check in the init function if the 'fsl,imx-scu' node exists,
and instantiate the driver if it does. I don't like that either, but it would
be acceptable to me - and maybe better than instantiating it manually from
imx_scu_probe().

Guenter

> Thanks,
> Anson.
> 
> RTC:
>   68 static int imx_sc_rtc_probe(struct platform_device *pdev)
>   69 {
>   70         int ret;
>   71
>   72         ret = imx_scu_get_handle(&rtc_ipc_handle);
>   73         if (ret)
>   74                 return ret;
> 
> SCU:
>   92 int imx_scu_get_handle(struct imx_sc_ipc **ipc)
>   93 {
>   94         if (!imx_sc_ipc_handle)
>   95                 return -EPROBE_DEFER;
>   96
>   97         *ipc = imx_sc_ipc_handle;
>   98         return 0;
>   99 }
> 100 EXPORT_SYMBOL(imx_scu_get_handle);
> 
>>
>> Guenter
>>
>>> +
>>> +	return 0;
>>> +}
>>> +module_init(imx_sc_wdt_init);
>>> +
>>> +static void __exit imx_sc_wdt_exit(void) {
>>> +	platform_driver_unregister(&imx_sc_wdt_driver);
>>> +	platform_device_unregister(imx_sc_wdt_pdev);
>>> +}
>>> +module_exit(imx_sc_wdt_exit);
>>> +
>>> +MODULE_AUTHOR("Robin Gong <yibin.gong@....com>");
>>> +MODULE_DESCRIPTION("NXP i.MX system controller watchdog driver");
>>> +MODULE_LICENSE("GPL v2");
>>> --
>>> 2.7.4
>>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ