lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1602149965.8784.6.camel@mtkswgap22>
Date:   Thu, 8 Oct 2020 17:39:25 +0800
From:   Neal Liu <neal.liu@...iatek.com>
To:     Matthias Brugger <matthias.bgg@...il.com>
CC:     Neal Liu <neal.liu@...iatek.com>, Rob Herring <robh+dt@...nel.org>,
        Chun-Kuang Hu <chunkuang.hu@...nel.org>,
        <devicetree@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>,
        <linux-mediatek@...ts.infradead.org>,
        lkml <linux-kernel@...r.kernel.org>, <wsd_upstream@...iatek.com>
Subject: Re: [PATCH v7 2/2] soc: mediatek: add mt6779 devapc driver

On Thu, 2020-10-08 at 10:45 +0200, Matthias Brugger wrote:
> 
> On 08/10/2020 04:35, Neal Liu wrote:
> > On Wed, 2020-10-07 at 12:44 +0200, Matthias Brugger wrote:
> >>
> >> On 27/08/2020 05:06, Neal Liu wrote:
> >>> MediaTek bus fabric provides TrustZone security support and data
> >>> protection to prevent slaves from being accessed by unexpected
> >>> masters.
> >>> The security violation is logged and sent to the processor for
> >>> further analysis or countermeasures.
> >>>
> >>> Any occurrence of security violation would raise an interrupt, and
> >>> it will be handled by mtk-devapc driver. The violation
> >>> information is printed in order to find the murderer.
> >>
> >> "The violation information is printed in order to find the responsible component."
> >>
> >> Nobody got actually killed, right :)
> > 
> > Correct !
> >>
> >>>
> >>> Signed-off-by: Neal Liu <neal.liu@...iatek.com>
> >>> ---
> >>>    drivers/soc/mediatek/Kconfig      |    9 ++
> >>>    drivers/soc/mediatek/Makefile     |    1 +
> >>>    drivers/soc/mediatek/mtk-devapc.c |  305 +++++++++++++++++++++++++++++++++++++
> >>>    3 files changed, 315 insertions(+)
> >>>    create mode 100644 drivers/soc/mediatek/mtk-devapc.c
> >>>
> >>> diff --git a/drivers/soc/mediatek/Kconfig b/drivers/soc/mediatek/Kconfig
> >>> index 59a56cd..1177c98 100644
> >>> --- a/drivers/soc/mediatek/Kconfig
> >>> +++ b/drivers/soc/mediatek/Kconfig
> >>> @@ -17,6 +17,15 @@ config MTK_CMDQ
> >>>    	  time limitation, such as updating display configuration during the
> >>>    	  vblank.
> >>>    
> >>> +config MTK_DEVAPC
> >>> +	tristate "Mediatek Device APC Support"
> >>> +	help
> >>> +	  Say yes here to enable support for Mediatek Device APC driver.
> >>> +	  This driver is mainly used to handle the violation which catches
> >>> +	  unexpected transaction.
> >>> +	  The violation information is logged for further analysis or
> >>> +	  countermeasures.
> >>> +
> >>>    config MTK_INFRACFG
> >>>    	bool "MediaTek INFRACFG Support"
> >>>    	select REGMAP
> >>> diff --git a/drivers/soc/mediatek/Makefile b/drivers/soc/mediatek/Makefile
> >>> index 01f9f87..abfd4ba 100644
> >>> --- a/drivers/soc/mediatek/Makefile
> >>> +++ b/drivers/soc/mediatek/Makefile
> >>> @@ -1,5 +1,6 @@
> >>>    # SPDX-License-Identifier: GPL-2.0-only
> >>>    obj-$(CONFIG_MTK_CMDQ) += mtk-cmdq-helper.o
> >>> +obj-$(CONFIG_MTK_DEVAPC) += mtk-devapc.o
> >>>    obj-$(CONFIG_MTK_INFRACFG) += mtk-infracfg.o
> >>>    obj-$(CONFIG_MTK_PMIC_WRAP) += mtk-pmic-wrap.o
> >>>    obj-$(CONFIG_MTK_SCPSYS) += mtk-scpsys.o
> >>> diff --git a/drivers/soc/mediatek/mtk-devapc.c b/drivers/soc/mediatek/mtk-devapc.c
> >>> new file mode 100644
> >>> index 0000000..0ba61d7
> >>> --- /dev/null
> >>> +++ b/drivers/soc/mediatek/mtk-devapc.c
> >>> @@ -0,0 +1,305 @@
> >>> +// SPDX-License-Identifier: GPL-2.0
> >>> +/*
> >>> + * Copyright (C) 2020 MediaTek Inc.
> >>> + */
> >>> +
> >>> +#include <linux/clk.h>
> >>> +#include <linux/interrupt.h>
> >>> +#include <linux/iopoll.h>
> >>> +#include <linux/module.h>
> >>> +#include <linux/platform_device.h>
> >>> +#include <linux/of_device.h>
> >>> +#include <linux/of_irq.h>
> >>> +#include <linux/of_address.h>
> >>> +
> >>> +#define VIO_MOD_TO_REG_IND(m)	((m) / 32)
> >>> +#define VIO_MOD_TO_REG_OFF(m)	((m) % 32)
> >>> +
> >>> +struct mtk_devapc_vio_dbgs {
> >>> +	union {
> >>> +		u32 vio_dbg0;
> >>> +		struct {
> >>> +			u32 mstid:16;
> >>> +			u32 dmnid:6;
> >>> +			u32 vio_w:1;
> >>> +			u32 vio_r:1;
> >>> +			u32 addr_h:4;
> >>> +			u32 resv:4;
> >>> +		} dbg0_bits;
> >>> +	};
> >>> +
> >>> +	u32 vio_dbg1;
> >>> +};
> >>> +
> >>> +struct mtk_devapc_data {
> >>> +	u32 vio_idx_num;
> >>> +	u32 vio_mask_offset;
> >>> +	u32 vio_sta_offset;
> >>> +	u32 vio_dbg0_offset;
> >>> +	u32 vio_dbg1_offset;
> >>> +	u32 apc_con_offset;
> >>> +	u32 vio_shift_sta_offset;
> >>> +	u32 vio_shift_sel_offset;
> >>> +	u32 vio_shift_con_offset;
> >>> +};
> >>
> >> Please describe the fields of the struct, that will make it easier to understand
> >> the driver.
> > 
> > Okay, I'll try to add more description about this struct. May be like:
> > 
> > struct mtk_devapc_data {
> > 	/* numbers of violation index */
> > 	u32 vio_idx_num;
> > 
> > 	/* reg offset */
> > 	u32 vio_mask_offset;
> > 	u32 vio_sta_offset;
> > 	u32 vio_dbg0_offset;
> > 	u32 vio_dbg1_offset;
> > 	u32 apc_con_offset;
> > 	u32 vio_shift_sta_offset;
> > 	u32 vio_shift_sel_offset;
> > 	u32 vio_shift_con_offset;
> > };
> > 
> >>
> >>> +
> >>> +struct mtk_devapc_context {
> >>> +	struct device *dev;
> >>> +	void __iomem *infra_base;
> >>> +	struct clk *infra_clk;
> >>> +	const struct mtk_devapc_data *data;
> >>> +};
> >>> +
> >>> +static void clear_vio_status(struct mtk_devapc_context *ctx)
> >>> +{
> >>> +	void __iomem *reg;
> >>> +	int i;
> >>> +
> >>> +	reg = ctx->infra_base + ctx->data->vio_sta_offset;
> >>> +
> >>> +	for (i = 0; i < VIO_MOD_TO_REG_IND(ctx->data->vio_idx_num - 1); i++)
> >>> +		writel(GENMASK(31, 0), reg + 4 * i);
> >>> +
> >>> +	writel(GENMASK(VIO_MOD_TO_REG_OFF(ctx->data->vio_idx_num - 1), 0),
> >>> +	       reg + 4 * i);
> >>> +}
> >>> +
> >>> +static void mask_module_irq(struct mtk_devapc_context *ctx, bool mask)
> >>> +{
> >>> +	void __iomem *reg;
> >>> +	u32 val;
> >>> +	int i;
> >>> +
> >>> +	reg = ctx->infra_base + ctx->data->vio_mask_offset;
> >>> +
> >>> +	if (mask)
> >>> +		val = GENMASK(31, 0);
> >>> +	else
> >>> +		val = 0;
> >>> +
> >>> +	for (i = 0; i < VIO_MOD_TO_REG_IND(ctx->data->vio_idx_num - 1); i++)
> >>
> >> Do I get that right? We have a number of virtual IO identifier. Their
> >> correspondending interrupt are grouped in 32 bit registers. And we want to
> >> enable/disable them by writing 0 or 1. We have to take care of the last
> >> registers as it could be the case that vio_idx_num is not a multiple of 32, correct?
> >>
> >> In this case we should traverse VIO_MOD_TO_REG_IND(ctx->data->vio_idx_num) - 1
> >> registers, which is (vio_idx_num / 32) - 1 and not (vio_idx_num - 1) / 32.
> >>
> > 
> > Yes, your understanding is correct. It should be
> > VIO_MOD_TO_REG_IND(ctx->data->vio_idx_num) - 1 instead of
> > VIO_MOD_TO_REG_IND(ctx->data->vio_idx_num - 1).
> > 
> >>> +		writel(val, reg + 4 * i);
> >>> +
> >>> +	val = readl(reg + 4 * i);
> >>> +	if (mask)
> >>> +		val |= GENMASK(VIO_MOD_TO_REG_OFF(ctx->data->vio_idx_num - 1),
> >>> +			       0);
> >>
> >> We have 511 IRQs, which gives us 31 bits in the last register to set/unset.
> >> Thats 510..0 bits, so from what I understand, once again we want
> >> GENMASK(VIO_MOD_TO_REG_OFF(ctx->data->vio_idx_num) - 1, 0)
> >> which is (vio_idx_num % 32) - 1
> >>
> >> Correct or do I understand something wrong?
> >> If so, same applies to clear_vio_status().
> >>
> > 
> > Correct. I'll fix it on next patch.
> > Thanks
> > 
> >>
> >>> +	else
> >>> +		val &= ~GENMASK(VIO_MOD_TO_REG_OFF(ctx->data->vio_idx_num - 1),
> >>> +				0);
> >>> +
> >>> +	writel(val, reg + 4 * i);
> >>> +}
> >>> +
> >>> +#define PHY_DEVAPC_TIMEOUT	0x10000
> >>> +
> >>> +/*
> >>> + * devapc_sync_vio_dbg - do "shift" mechansim" to get full violation information.
> >>> + *                       shift mechanism is depends on devapc hardware design.
> >>> + *                       Mediatek devapc set multiple slaves as a group.
> >>> + *                       When violation is triggered, violation info is kept
> >>> + *                       inside devapc hardware.
> >>> + *                       Driver should do shift mechansim to sync full violation
> >>> + *                       info to VIO_DBGs registers.
> >>> + *
> >>> + */
> >>> +static int devapc_sync_vio_dbg(struct mtk_devapc_context *ctx)
> >>> +{
> >>> +	void __iomem *pd_vio_shift_sta_reg;
> >>> +	void __iomem *pd_vio_shift_sel_reg;
> >>> +	void __iomem *pd_vio_shift_con_reg;
> >>> +	int min_shift_group;
> >>> +	int ret;
> >>> +	u32 val;
> >>> +
> >>> +	pd_vio_shift_sta_reg = ctx->infra_base +
> >>> +			       ctx->data->vio_shift_sta_offset;
> >>> +	pd_vio_shift_sel_reg = ctx->infra_base +
> >>> +			       ctx->data->vio_shift_sel_offset;
> >>> +	pd_vio_shift_con_reg = ctx->infra_base +
> >>> +			       ctx->data->vio_shift_con_offset;
> >>> +
> >>> +	/* Find the minimum shift group which has violation */
> >>> +	val = readl(pd_vio_shift_sta_reg);
> >>> +	if (!val)
> >>> +		return false;
> >>
> >> So bit 0 of selection register (pd_vio_shift_sel_reg) does not represent a
> >> violation group?
> >> I don't know how the HW works, but is seems odd to me. In case that's bit 0
> >> actually doesn't represent anything: how can an interrupt be triggered without
> >> any debug information present (means val == 0)?
> > 
> > This check implies HW status has something wrong. It cannot get any
> > debug information for this case.
> > It won't happen in normal scenario. Should we remove this check?
> > 
> 
> No I think the check is fine. I'd add a WARN() message as this is an indicator 
> that the HW is not working corretly.

Sure. add WARN() message is more helpful to understand.
I'll add it on next patch.
Thanks

> 
> >>
> >>> +
> >>> +	min_shift_group = __ffs(val);
> >>> +
> >>> +	/* Assign the group to sync */
> >>> +	writel(0x1 << min_shift_group, pd_vio_shift_sel_reg);
> >>> +
> >>> +	/* Start syncing */
> >>> +	writel(0x1, pd_vio_shift_con_reg);
> >>> +
> >>> +	ret = readl_poll_timeout(pd_vio_shift_con_reg, val, val == 0x3, 0,
> >>> +				 PHY_DEVAPC_TIMEOUT);
> >>> +	if (ret) {
> >>> +		dev_err(ctx->dev, "%s: Shift violation info failed\n", __func__);
> >>
> >> In which case this can happen? I'm asking, because we are calling
> >> devapc_sync_vio_dbg() in a while loop that could make the kernel hang here.
> >>
> >> Do I understand correctly, that we are using the while loop, because there can
> >> be more then one violation group which got triggered (read, more then one bit is
> >> set in pd_vio_shift_sta_reg)? Would it make more sense then to read the register
> >> once and do all the shift operation for all groups which bit set to 1 in the
> >> shift status register?
> > 
> > Yes, your understanding is correct.
> > This check also implies HW status has something wrong. We return false
> > to skip further violation info dump.
> > How could this case make the kernel hang?
> > 
> 
> The kernel can't hang, sorry my fault. In any case I'd add a WARN() here as 
> well. I understand that if we error out here, we have a HW/FW bug (my feeling 
> is, that behind this is a micro controller of some kind :)
> 

I'll also add warn messages on next patch.

> >>
> >>> +		return false;
> >>> +	}
> >>> +
> >>> +	/* Stop syncing */
> >>> +	writel(0x0, pd_vio_shift_con_reg);
> >>> +
> >>> +	/* Write clear */
> >>> +	writel(0x1 << min_shift_group, pd_vio_shift_sta_reg);
> >>> +
> >>> +	return true;
> >>> +}
> >>> +
> >>> +/*
> >>> + * devapc_extract_vio_dbg - extract full violation information after doing
> >>> + *                          shift mechanism.
> >>> + */
> >>> +static void devapc_extract_vio_dbg(struct mtk_devapc_context *ctx)
> >>> +{
> >>> +	struct mtk_devapc_vio_dbgs vio_dbgs;
> >>> +	void __iomem *vio_dbg0_reg;
> >>> +	void __iomem *vio_dbg1_reg;
> >>> +
> >>> +	vio_dbg0_reg = ctx->infra_base + ctx->data->vio_dbg0_offset;
> >>> +	vio_dbg1_reg = ctx->infra_base + ctx->data->vio_dbg1_offset;
> >>> +
> >>> +	vio_dbgs.vio_dbg0 = readl(vio_dbg0_reg);
> >>> +	vio_dbgs.vio_dbg1 = readl(vio_dbg1_reg);
> >>> +
> >>> +	/* Print violation information */
> >>> +	if (vio_dbgs.dbg0_bits.vio_w)
> >>> +		dev_info(ctx->dev, "Write Violation\n");
> >>> +	else if (vio_dbgs.dbg0_bits.vio_r)
> >>> +		dev_info(ctx->dev, "Read Violation\n");
> >>> +
> >>> +	dev_info(ctx->dev, "Bus ID:0x%x, Dom ID:0x%x, Vio Addr:0x%x\n",
> >>> +		 vio_dbgs.dbg0_bits.mstid, vio_dbgs.dbg0_bits.dmnid,
> >>> +		 vio_dbgs.vio_dbg1);
> >>> +}
> >>> +
> >>> +/*
> >>> + * devapc_violation_irq - the devapc Interrupt Service Routine (ISR) will dump
> >>> + *                        violation information including which master violates
> >>> + *                        access slave.
> >>> + */
> >>> +static irqreturn_t devapc_violation_irq(int irq_number,
> >>> +					struct mtk_devapc_context *ctx)
> >>
> >> static irqreturn_t devapc_violation_irq(int irq_number, void *data)
> >> {
> >> 	struct mtk_devapc_context *ctx = data;
> > 
> > Okay, I'll fix it on next patch.
> > Thanks
> > 
> >>
> >>> +{
> >>> +	while (devapc_sync_vio_dbg(ctx))
> >>> +		devapc_extract_vio_dbg(ctx);
> >>> +
> >>> +	clear_vio_status(ctx);
> >>> +
> >>> +	return IRQ_HANDLED;
> >>> +}
> >>> +
> >>> +/*
> >>> + * start_devapc - unmask slave's irq to start receiving devapc violation.
> >>> + */
> >>> +static void start_devapc(struct mtk_devapc_context *ctx)
> >>> +{
> >>> +	writel(BIT(31), ctx->infra_base + ctx->data->apc_con_offset);
> >>> +
> >>> +	mask_module_irq(ctx, false);
> >>> +}
> >>> +
> >>> +/*
> >>> + * stop_devapc - mask slave's irq to stop service.
> >>> + */
> >>> +static void stop_devapc(struct mtk_devapc_context *ctx)
> >>> +{
> >>> +	mask_module_irq(ctx, true);
> >>> +
> >>> +	writel(BIT(2), ctx->infra_base + ctx->data->apc_con_offset);
> >>> +}
> >>> +
> >>> +static const struct mtk_devapc_data devapc_mt6779 = {
> >>> +	.vio_idx_num = 511,
> >>> +	.vio_mask_offset = 0x0,
> >>> +	.vio_sta_offset = 0x400,
> >>> +	.vio_dbg0_offset = 0x900,
> >>> +	.vio_dbg1_offset = 0x904,
> >>> +	.apc_con_offset = 0xF00,
> >>> +	.vio_shift_sta_offset = 0xF10,
> >>> +	.vio_shift_sel_offset = 0xF14,
> >>> +	.vio_shift_con_offset = 0xF20,
> >>> +};
> >>> +
> >>> +static const struct of_device_id mtk_devapc_dt_match[] = {
> >>> +	{
> >>> +		.compatible = "mediatek,mt6779-devapc",
> >>> +		.data = &devapc_mt6779,
> >>> +	}, {
> >>> +	},
> >>> +};
> >>> +
> >>> +static int mtk_devapc_probe(struct platform_device *pdev)
> >>> +{
> >>> +	struct device_node *node = pdev->dev.of_node;
> >>> +	struct mtk_devapc_context *ctx;
> >>> +	u32 devapc_irq;
> >>> +	int ret;
> >>> +
> >>> +	if (IS_ERR(node))
> >>> +		return -ENODEV;
> >>> +
> >>> +	ctx = devm_kzalloc(&pdev->dev, sizeof(*ctx), GFP_KERNEL);
> >>> +	if (!ctx)
> >>> +		return -ENOMEM;
> >>> +
> >>> +	ctx->data = of_device_get_match_data(&pdev->dev);
> >>> +	ctx->dev = &pdev->dev;
> >>> +
> >>> +	ctx->infra_base = of_iomap(node, 0);
> >>
> >> Does this mean the device is part of the infracfg block?
> >> I wasn't able to find any information about it.
> > 
> > I'm not sure why you would ask infracfg block. devapc is parts of our
> > SoC infra, it's different with infracfg.
> > 
> 
> I'm asking because I want to understand the HW better. I'm not able to find any 
> information in the datasheets. I want to avoid a situation as we had with the 
> MMSYS where a clock driver was submitted first and later on we realized that 
> MMSYS is much more then that and we had to work hard to get the driver right.
> 
> Now it's happening with SCPSYS, where a driver with the scpsys compatible was 
> send years ago. But SCPSYS is much more then the driver submitted. In this case 
> we opted to write a new driver, but moving from one driver to another one is 
> painfull and full of problems. For that I want to make sure we fully understand 
> Device APC (by the way, what does APC stands for?). Is it a totally independent 
> HW block or is it part of a subsystem, like for example SCP?
> 
> Regards,
> Matthias

It's a totally independent HW block instead of a subsystem.
I think it's more simple than MMSYS or SCPSYS. But if you would like to
understand more about this HW, we could find another way/channel to
introduce it.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ