| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Oct 2020 17:39:25 +0800
From: Neal Liu <neal.liu@...iatek.com>
To: Matthias Brugger <matthias.bgg@...il.com>
CC: Neal Liu <neal.liu@...iatek.com>, Rob Herring <robh+dt@...nel.org>,
Chun-Kuang Hu <chunkuang.hu@...nel.org>,
<devicetree@...r.kernel.org>,
<linux-arm-kernel@...ts.infradead.org>,
<linux-mediatek@...ts.infradead.org>,
lkml <linux-kernel@...r.kernel.org>, <wsd_upstream@...iatek.com>
Subject: Re: [PATCH v7 2/2] soc: mediatek: add mt6779 devapc driver
On Thu, 2020-10-08 at 10:45 +0200, Matthias Brugger wrote:
>
> On 08/10/2020 04:35, Neal Liu wrote:
> > On Wed, 2020-10-07 at 12:44 +0200, Matthias Brugger wrote:
> >>
> >> On 27/08/2020 05:06, Neal Liu wrote:
> >>> MediaTek bus fabric provides TrustZone security support and data
> >>> protection to prevent slaves from being accessed by unexpected
> >>> masters.
> >>> The security violation is logged and sent to the processor for
> >>> further analysis or countermeasures.
> >>>
> >>> Any occurrence of security violation would raise an interrupt, and
> >>> it will be handled by mtk-devapc driver. The violation
> >>> information is printed in order to find the murderer.
> >>
> >> "The violation information is printed in order to find the responsible component."
> >>
> >> Nobody got actually killed, right :)
> >
> > Correct !
> >>
> >>>
> >>> Signed-off-by: Neal Liu <neal.liu@...iatek.com>
> >>> ---
> >>> drivers/soc/mediatek/Kconfig | 9 ++
> >>> drivers/soc/mediatek/Makefile | 1 +
> >>> drivers/soc/mediatek/mtk-devapc.c | 305 +++++++++++++++++++++++++++++++++++++
> >>> 3 files changed, 315 insertions(+)
> >>> create mode 100644 drivers/soc/mediatek/mtk-devapc.c
> >>>
> >>> diff --git a/drivers/soc/mediatek/Kconfig b/drivers/soc/mediatek/Kconfig
> >>> index 59a56cd..1177c98 100644
> >>> --- a/drivers/soc/mediatek/Kconfig
> >>> +++ b/drivers/soc/mediatek/Kconfig
> >>> @@ -17,6 +17,15 @@ config MTK_CMDQ
> >>> time limitation, such as updating display configuration during the
> >>> vblank.
> >>>
> >>> +config MTK_DEVAPC
> >>> + tristate "Mediatek Device APC Support"
> >>> + help
> >>> + Say yes here to enable support for Mediatek Device APC driver.
> >>> + This driver is mainly used to handle the violation which catches
> >>> + unexpected transaction.
> >>> + The violation information is logged for further analysis or
> >>> + countermeasures.
> >>> +
> >>> config MTK_INFRACFG
> >>> bool "MediaTek INFRACFG Support"
> >>> select REGMAP
> >>> diff --git a/drivers/soc/mediatek/Makefile b/drivers/soc/mediatek/Makefile
> >>> index 01f9f87..abfd4ba 100644
> >>> --- a/drivers/soc/mediatek/Makefile
> >>> +++ b/drivers/soc/mediatek/Makefile
> >>> @@ -1,5 +1,6 @@
> >>> # SPDX-License-Identifier: GPL-2.0-only
> >>> obj-$(CONFIG_MTK_CMDQ) += mtk-cmdq-helper.o
> >>> +obj-$(CONFIG_MTK_DEVAPC) += mtk-devapc.o
> >>> obj-$(CONFIG_MTK_INFRACFG) += mtk-infracfg.o
> >>> obj-$(CONFIG_MTK_PMIC_WRAP) += mtk-pmic-wrap.o
> >>> obj-$(CONFIG_MTK_SCPSYS) += mtk-scpsys.o
> >>> diff --git a/drivers/soc/mediatek/mtk-devapc.c b/drivers/soc/mediatek/mtk-devapc.c
> >>> new file mode 100644
> >>> index 0000000..0ba61d7
> >>> --- /dev/null
> >>> +++ b/drivers/soc/mediatek/mtk-devapc.c
> >>> @@ -0,0 +1,305 @@
> >>> +// SPDX-License-Identifier: GPL-2.0
> >>> +/*
> >>> + * Copyright (C) 2020 MediaTek Inc.
> >>> + */
> >>> +
> >>> +#include <linux/clk.h>
> >>> +#include <linux/interrupt.h>
> >>> +#include <linux/iopoll.h>
> >>> +#include <linux/module.h>
> >>> +#include <linux/platform_device.h>
> >>> +#include <linux/of_device.h>
> >>> +#include <linux/of_irq.h>
> >>> +#include <linux/of_address.h>
> >>> +
> >>> +#define VIO_MOD_TO_REG_IND(m) ((m) / 32)
> >>> +#define VIO_MOD_TO_REG_OFF(m) ((m) % 32)
> >>> +
> >>> +struct mtk_devapc_vio_dbgs {
> >>> + union {
> >>> + u32 vio_dbg0;
> >>> + struct {
> >>> + u32 mstid:16;
> >>> + u32 dmnid:6;
> >>> + u32 vio_w:1;
> >>> + u32 vio_r:1;
> >>> + u32 addr_h:4;
> >>> + u32 resv:4;
> >>> + } dbg0_bits;
> >>> + };
> >>> +
> >>> + u32 vio_dbg1;
> >>> +};
> >>> +
> >>> +struct mtk_devapc_data {
> >>> + u32 vio_idx_num;
> >>> + u32 vio_mask_offset;
> >>> + u32 vio_sta_offset;
> >>> + u32 vio_dbg0_offset;
> >>> + u32 vio_dbg1_offset;
> >>> + u32 apc_con_offset;
> >>> + u32 vio_shift_sta_offset;
> >>> + u32 vio_shift_sel_offset;
> >>> + u32 vio_shift_con_offset;
> >>> +};
> >>
> >> Please describe the fields of the struct, that will make it easier to understand
> >> the driver.
> >
> > Okay, I'll try to add more description about this struct. May be like:
> >
> > struct mtk_devapc_data {
> > /* numbers of violation index */
> > u32 vio_idx_num;
> >
> > /* reg offset */
> > u32 vio_mask_offset;
> > u32 vio_sta_offset;
> > u32 vio_dbg0_offset;
> > u32 vio_dbg1_offset;
> > u32 apc_con_offset;
> > u32 vio_shift_sta_offset;
> > u32 vio_shift_sel_offset;
> > u32 vio_shift_con_offset;
> > };
> >
> >>
> >>> +
> >>> +struct mtk_devapc_context {
> >>> + struct device *dev;
> >>> + void __iomem *infra_base;
> >>> + struct clk *infra_clk;
> >>> + const struct mtk_devapc_data *data;
> >>> +};
> >>> +
> >>> +static void clear_vio_status(struct mtk_devapc_context *ctx)
> >>> +{
> >>> + void __iomem *reg;
> >>> + int i;
> >>> +
> >>> + reg = ctx->infra_base + ctx->data->vio_sta_offset;
> >>> +
> >>> + for (i = 0; i < VIO_MOD_TO_REG_IND(ctx->data->vio_idx_num - 1); i++)
> >>> + writel(GENMASK(31, 0), reg + 4 * i);
> >>> +
> >>> + writel(GENMASK(VIO_MOD_TO_REG_OFF(ctx->data->vio_idx_num - 1), 0),
> >>> + reg + 4 * i);
> >>> +}
> >>> +
> >>> +static void mask_module_irq(struct mtk_devapc_context *ctx, bool mask)
> >>> +{
> >>> + void __iomem *reg;
> >>> + u32 val;
> >>> + int i;
> >>> +
> >>> + reg = ctx->infra_base + ctx->data->vio_mask_offset;
> >>> +
> >>> + if (mask)
> >>> + val = GENMASK(31, 0);
> >>> + else
> >>> + val = 0;
> >>> +
> >>> + for (i = 0; i < VIO_MOD_TO_REG_IND(ctx->data->vio_idx_num - 1); i++)
> >>
> >> Do I get that right? We have a number of virtual IO identifier. Their
> >> correspondending interrupt are grouped in 32 bit registers. And we want to
> >> enable/disable them by writing 0 or 1. We have to take care of the last
> >> registers as it could be the case that vio_idx_num is not a multiple of 32, correct?
> >>
> >> In this case we should traverse VIO_MOD_TO_REG_IND(ctx->data->vio_idx_num) - 1
> >> registers, which is (vio_idx_num / 32) - 1 and not (vio_idx_num - 1) / 32.
> >>
> >
> > Yes, your understanding is correct. It should be
> > VIO_MOD_TO_REG_IND(ctx->data->vio_idx_num) - 1 instead of
> > VIO_MOD_TO_REG_IND(ctx->data->vio_idx_num - 1).
> >
> >>> + writel(val, reg + 4 * i);
> >>> +
> >>> + val = readl(reg + 4 * i);
> >>> + if (mask)
> >>> + val |= GENMASK(VIO_MOD_TO_REG_OFF(ctx->data->vio_idx_num - 1),
> >>> + 0);
> >>
> >> We have 511 IRQs, which gives us 31 bits in the last register to set/unset.
> >> Thats 510..0 bits, so from what I understand, once again we want
> >> GENMASK(VIO_MOD_TO_REG_OFF(ctx->data->vio_idx_num) - 1, 0)
> >> which is (vio_idx_num % 32) - 1
> >>
> >> Correct or do I understand something wrong?
> >> If so, same applies to clear_vio_status().
> >>
> >
> > Correct. I'll fix it on next patch.
> > Thanks
> >
> >>
> >>> + else
> >>> + val &= ~GENMASK(VIO_MOD_TO_REG_OFF(ctx->data->vio_idx_num - 1),
> >>> + 0);
> >>> +
> >>> + writel(val, reg + 4 * i);
> >>> +}
> >>> +
> >>> +#define PHY_DEVAPC_TIMEOUT 0x10000
> >>> +
> >>> +/*
> >>> + * devapc_sync_vio_dbg - do "shift" mechansim" to get full violation information.
> >>> + * shift mechanism is depends on devapc hardware design.
> >>> + * Mediatek devapc set multiple slaves as a group.
> >>> + * When violation is triggered, violation info is kept
> >>> + * inside devapc hardware.
> >>> + * Driver should do shift mechansim to sync full violation
> >>> + * info to VIO_DBGs registers.
> >>> + *
> >>> + */
> >>> +static int devapc_sync_vio_dbg(struct mtk_devapc_context *ctx)
> >>> +{
> >>> + void __iomem *pd_vio_shift_sta_reg;
> >>> + void __iomem *pd_vio_shift_sel_reg;
> >>> + void __iomem *pd_vio_shift_con_reg;
> >>> + int min_shift_group;
> >>> + int ret;
> >>> + u32 val;
> >>> +
> >>> + pd_vio_shift_sta_reg = ctx->infra_base +
> >>> + ctx->data->vio_shift_sta_offset;
> >>> + pd_vio_shift_sel_reg = ctx->infra_base +
> >>> + ctx->data->vio_shift_sel_offset;
> >>> + pd_vio_shift_con_reg = ctx->infra_base +
> >>> + ctx->data->vio_shift_con_offset;
> >>> +
> >>> + /* Find the minimum shift group which has violation */
> >>> + val = readl(pd_vio_shift_sta_reg);
> >>> + if (!val)
> >>> + return false;
> >>
> >> So bit 0 of selection register (pd_vio_shift_sel_reg) does not represent a
> >> violation group?
> >> I don't know how the HW works, but is seems odd to me. In case that's bit 0
> >> actually doesn't represent anything: how can an interrupt be triggered without
> >> any debug information present (means val == 0)?
> >
> > This check implies HW status has something wrong. It cannot get any
> > debug information for this case.
> > It won't happen in normal scenario. Should we remove this check?
> >
>
> No I think the check is fine. I'd add a WARN() message as this is an indicator
> that the HW is not working corretly.
Sure. add WARN() message is more helpful to understand.
I'll add it on next patch.
Thanks
>
> >>
> >>> +
> >>> + min_shift_group = __ffs(val);
> >>> +
> >>> + /* Assign the group to sync */
> >>> + writel(0x1 << min_shift_group, pd_vio_shift_sel_reg);
> >>> +
> >>> + /* Start syncing */
> >>> + writel(0x1, pd_vio_shift_con_reg);
> >>> +
> >>> + ret = readl_poll_timeout(pd_vio_shift_con_reg, val, val == 0x3, 0,
> >>> + PHY_DEVAPC_TIMEOUT);
> >>> + if (ret) {
> >>> + dev_err(ctx->dev, "%s: Shift violation info failed\n", __func__);
> >>
> >> In which case this can happen? I'm asking, because we are calling
> >> devapc_sync_vio_dbg() in a while loop that could make the kernel hang here.
> >>
> >> Do I understand correctly, that we are using the while loop, because there can
> >> be more then one violation group which got triggered (read, more then one bit is
> >> set in pd_vio_shift_sta_reg)? Would it make more sense then to read the register
> >> once and do all the shift operation for all groups which bit set to 1 in the
> >> shift status register?
> >
> > Yes, your understanding is correct.
> > This check also implies HW status has something wrong. We return false
> > to skip further violation info dump.
> > How could this case make the kernel hang?
> >
>
> The kernel can't hang, sorry my fault. In any case I'd add a WARN() here as
> well. I understand that if we error out here, we have a HW/FW bug (my feeling
> is, that behind this is a micro controller of some kind :)
>
I'll also add warn messages on next patch.
> >>
> >>> + return false;
> >>> + }
> >>> +
> >>> + /* Stop syncing */
> >>> + writel(0x0, pd_vio_shift_con_reg);
> >>> +
> >>> + /* Write clear */
> >>> + writel(0x1 << min_shift_group, pd_vio_shift_sta_reg);
> >>> +
> >>> + return true;
> >>> +}
> >>> +
> >>> +/*
> >>> + * devapc_extract_vio_dbg - extract full violation information after doing
> >>> + * shift mechanism.
> >>> + */
> >>> +static void devapc_extract_vio_dbg(struct mtk_devapc_context *ctx)
> >>> +{
> >>> + struct mtk_devapc_vio_dbgs vio_dbgs;
> >>> + void __iomem *vio_dbg0_reg;
> >>> + void __iomem *vio_dbg1_reg;
> >>> +
> >>> + vio_dbg0_reg = ctx->infra_base + ctx->data->vio_dbg0_offset;
> >>> + vio_dbg1_reg = ctx->infra_base + ctx->data->vio_dbg1_offset;
> >>> +
> >>> + vio_dbgs.vio_dbg0 = readl(vio_dbg0_reg);
> >>> + vio_dbgs.vio_dbg1 = readl(vio_dbg1_reg);
> >>> +
> >>> + /* Print violation information */
> >>> + if (vio_dbgs.dbg0_bits.vio_w)
> >>> + dev_info(ctx->dev, "Write Violation\n");
> >>> + else if (vio_dbgs.dbg0_bits.vio_r)
> >>> + dev_info(ctx->dev, "Read Violation\n");
> >>> +
> >>> + dev_info(ctx->dev, "Bus ID:0x%x, Dom ID:0x%x, Vio Addr:0x%x\n",
> >>> + vio_dbgs.dbg0_bits.mstid, vio_dbgs.dbg0_bits.dmnid,
> >>> + vio_dbgs.vio_dbg1);
> >>> +}
> >>> +
> >>> +/*
> >>> + * devapc_violation_irq - the devapc Interrupt Service Routine (ISR) will dump
> >>> + * violation information including which master violates
> >>> + * access slave.
> >>> + */
> >>> +static irqreturn_t devapc_violation_irq(int irq_number,
> >>> + struct mtk_devapc_context *ctx)
> >>
> >> static irqreturn_t devapc_violation_irq(int irq_number, void *data)
> >> {
> >> struct mtk_devapc_context *ctx = data;
> >
> > Okay, I'll fix it on next patch.
> > Thanks
> >
> >>
> >>> +{
> >>> + while (devapc_sync_vio_dbg(ctx))
> >>> + devapc_extract_vio_dbg(ctx);
> >>> +
> >>> + clear_vio_status(ctx);
> >>> +
> >>> + return IRQ_HANDLED;
> >>> +}
> >>> +
> >>> +/*
> >>> + * start_devapc - unmask slave's irq to start receiving devapc violation.
> >>> + */
> >>> +static void start_devapc(struct mtk_devapc_context *ctx)
> >>> +{
> >>> + writel(BIT(31), ctx->infra_base + ctx->data->apc_con_offset);
> >>> +
> >>> + mask_module_irq(ctx, false);
> >>> +}
> >>> +
> >>> +/*
> >>> + * stop_devapc - mask slave's irq to stop service.
> >>> + */
> >>> +static void stop_devapc(struct mtk_devapc_context *ctx)
> >>> +{
> >>> + mask_module_irq(ctx, true);
> >>> +
> >>> + writel(BIT(2), ctx->infra_base + ctx->data->apc_con_offset);
> >>> +}
> >>> +
> >>> +static const struct mtk_devapc_data devapc_mt6779 = {
> >>> + .vio_idx_num = 511,
> >>> + .vio_mask_offset = 0x0,
> >>> + .vio_sta_offset = 0x400,
> >>> + .vio_dbg0_offset = 0x900,
> >>> + .vio_dbg1_offset = 0x904,
> >>> + .apc_con_offset = 0xF00,
> >>> + .vio_shift_sta_offset = 0xF10,
> >>> + .vio_shift_sel_offset = 0xF14,
> >>> + .vio_shift_con_offset = 0xF20,
> >>> +};
> >>> +
> >>> +static const struct of_device_id mtk_devapc_dt_match[] = {
> >>> + {
> >>> + .compatible = "mediatek,mt6779-devapc",
> >>> + .data = &devapc_mt6779,
> >>> + }, {
> >>> + },
> >>> +};
> >>> +
> >>> +static int mtk_devapc_probe(struct platform_device *pdev)
> >>> +{
> >>> + struct device_node *node = pdev->dev.of_node;
> >>> + struct mtk_devapc_context *ctx;
> >>> + u32 devapc_irq;
> >>> + int ret;
> >>> +
> >>> + if (IS_ERR(node))
> >>> + return -ENODEV;
> >>> +
> >>> + ctx = devm_kzalloc(&pdev->dev, sizeof(*ctx), GFP_KERNEL);
> >>> + if (!ctx)
> >>> + return -ENOMEM;
> >>> +
> >>> + ctx->data = of_device_get_match_data(&pdev->dev);
> >>> + ctx->dev = &pdev->dev;
> >>> +
> >>> + ctx->infra_base = of_iomap(node, 0);
> >>
> >> Does this mean the device is part of the infracfg block?
> >> I wasn't able to find any information about it.
> >
> > I'm not sure why you would ask infracfg block. devapc is parts of our
> > SoC infra, it's different with infracfg.
> >
>
> I'm asking because I want to understand the HW better. I'm not able to find any
> information in the datasheets. I want to avoid a situation as we had with the
> MMSYS where a clock driver was submitted first and later on we realized that
> MMSYS is much more then that and we had to work hard to get the driver right.
>
> Now it's happening with SCPSYS, where a driver with the scpsys compatible was
> send years ago. But SCPSYS is much more then the driver submitted. In this case
> we opted to write a new driver, but moving from one driver to another one is
> painfull and full of problems. For that I want to make sure we fully understand
> Device APC (by the way, what does APC stands for?). Is it a totally independent
> HW block or is it part of a subsystem, like for example SCP?
>
> Regards,
> Matthias
It's a totally independent HW block instead of a subsystem.
I think it's more simple than MMSYS or SCPSYS. But if you would like to
understand more about this HW, we could find another way/channel to
introduce it.
Powered by blists - more mailing lists