Message-ID: <PAXPR10MB48428C9241301E4ACFA9DF8E8A6A9@PAXPR10MB4842.EURPRD10.PROD.OUTLOOK.COM>
Date:   Wed, 17 Aug 2022 07:09:57 +0000
From:   Loic PALLARDY <loic.pallardy@...com>
To:     Ahmad Fatoum <a.fatoum@...gutronix.de>,
        Oleksii Moisieiev <Oleksii_Moisieiev@...m.com>,
        "robh+dt@...nel.org" <robh+dt@...nel.org>
CC:     "mcoquelin.stm32@...il.com" <mcoquelin.stm32@...il.com>,
        Alexandre TORGUE <alexandre.torgue@...com>,
        "linus.walleij@...aro.org" <linus.walleij@...aro.org>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "devicetree@...r.kernel.org" <devicetree@...r.kernel.org>,
        "tomase@...inx.com" <tomase@...inx.com>,
        Benjamin Gaignard <benjamin.gaignard@...labora.com>,
        "broonie@...nel.org" <broonie@...nel.org>,
        "arnd@...db.de" <arnd@...db.de>,
        "shawnguo@...nel.org" <shawnguo@...nel.org>,
        "fabio.estevam@....com" <fabio.estevam@....com>,
        "mark.rutland@....com" <mark.rutland@....com>,
        Sudeep Holla <sudeep.holla@....com>,
        Cristian Marussi <cristian.marussi@....com>,
        Stefano Stabellini <sstabellini@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Pengutronix Kernel Team <kernel@...gutronix.de>,
        "Peng Fan (OSS)" <peng.fan@....nxp.com>,
        Loic PALLARDY - foss <loic.pallardy@...s.st.com>
Subject: RE: [PATCH v4 0/2] dt-bindings: Intorduce domain-controller

Hello,


ST Restricted

> -----Original Message-----
> From: Ahmad Fatoum <a.fatoum@...gutronix.de>
> Sent: Monday, August 15, 2022 6:37 PM
> To: Oleksii Moisieiev <Oleksii_Moisieiev@...m.com>; robh+dt@...nel.org
> Cc: mcoquelin.stm32@...il.com; Alexandre TORGUE
> <alexandre.torgue@...com>; linus.walleij@...aro.org;
> gregkh@...uxfoundation.org; devicetree@...r.kernel.org; tomase@...inx.com;
> Benjamin Gaignard <benjamin.gaignard@...labora.com>; broonie@...nel.org;
> arnd@...db.de; shawnguo@...nel.org; fabio.estevam@....com; Loic
> PALLARDY <loic.pallardy@...com>; mark.rutland@....com; Sudeep Holla
> <sudeep.holla@....com>; Cristian Marussi <cristian.marussi@....com>;
> Stefano Stabellini <sstabellini@...nel.org>; linux-kernel@...r.kernel.org;
> Pengutronix Kernel Team <kernel@...gutronix.de>; Peng Fan (OSS)
> <peng.fan@....nxp.com>
> Subject: Re: [PATCH v4 0/2] dt-bindings: Intorduce domain-controller
> 
> Hello Oleksii,
> 
> On 07.07.22 12:25, Oleksii Moisieiev wrote:
> > Introducing the domain controller provider/consumer bindings which allow
> > dividing the system on chip into multiple domains that can be used to select
> > by whom hardware blocks could be accessed.
> > A domain could be a cluster of CPUs, a group of hardware blocks or the
> > set of devices, passed-through to the Guest in the virtualized systems.
> >
> > Device controllers are typically used to set the permissions of the hardware
> > block. The contents of the domain configuration properties are defined by the
> > binding for the individual domain controller device.
> >
> > The device controller conception in the virtualized systems is to set
> > the device configuration for SCMI (System Control and Management
> > Interface) which controls clocks/power-domains/resets etc from the
> > Firmware. This configuration sets the device_id to set the device permissions
> > for the Firmware using BASE_SET_DEVICE_PERMISSIONS message (see
> > 4.2.2.10 of [0]).
> > There is no BASE_GET_DEVICE_PERMISSIONS call in SCMI and the way to
> > determine device_id is not covered by the specification.
> > Device permissions management described in DEN 0056, Section 4.2.2.10 [0].
> > Given parameter should set the device_id, needed to set device
> > permissions in the Firmware.
> > This property is used by trusted Agent (which is hypervisor in our case)
> > to set permissions for the devices, passed-through to the non-trusted
> > Agents. Trusted Agent will use device-perms to set the Device
> > permissions for the Firmware (See Section 4.2.2.10 [0] for details).
> > Agents concept is described in Section 4.2.1 [0].
> >
> > Domains in Device-tree node example:
> > usb@...90000
> > {
> >     domain-0 = <&scmi 19>; //Set domain id 19 to usb node
> >     clocks = <&scmi_clock 3>, <&scmi_clock 2>;
> >     resets = <&scmi_reset 10>, <&scmi_reset 9>;
> >     power-domains = <&scmi_power 0>;
> > };
> >
> > &scmi {
> >     #domain-cells = <1>;
> > }
> >
> > All mentioned bindings are going to be processed by XEN SCMI mediator
> > feature, which is responsible to redirect SCMI calls from guests to the
> > firmware, and are not going to be passed to the guests.
> >
> > Domain-controller provider/consumer concept was taken from the bus
> > controller framework patch series, provided in the following thread:
> > [1].
> 
> I also was inspired by Benjamin's series to draft up a binding, but for a slightly
> different problem: Some SoCs like the i.MX8MP have a great deal of variation
> in which IPs are actually available. After factory testing, fuses are burnt
> to describe which IPs are available and as the upstream DT only describes
> the full featured SoCs, either board DT or bootloader is expected to turn
> off the devices that are unavailable.
> 
> What I came up with as a binding for the bootloader to guide its fixup
> looks very similar to what you have:
> 
> feat: &ocotp { /* This is the efuse (On-Chip OTP) device */
>     feature-controller;
>     feature-cells = <1>;
> };
> 
> &vpu_g1 {
>     features-gates = <&feat IMX8MP_VPU>;
> };
> 
> The OCOTP driver would see that it has a feature-controller property and
> register a callback with a feature controller framework that checks whether a device
> is available. barebox, that I implemented this binding for, would walk
> the kernel device tree on boot looking for the feature-gates property and then
> disable/delete nodes as indicated without having to write any SoC specific code
> and especially without hardcoding node names and hierarchies, which is quite
> brittle.
> 
> There was a previous attempt at defining a binding for this, but Rob's NAK
> mentioned that a solution should cover both cases:
> 
>  https://lore.kernel.org/all/20220324042024.26813-1-peng.fan@oss.nxp.com/
> 
> Having implemented nearly the same binding as what you describe, I obviously
> like your patch. Only thing I think that should be changed is the naming. A
> domain doesn't really describe this gated-by-fuses scenario I have. Calling it
> feature-gates instead OTOH makes sense for both your and my use case. Same goes
> for the documentation that could be worded more generically. I am open to other
> suggestions of course. :-)

Issue looks the same as the initial one: how to guarantee the Linux kernel won't try to access
resources protected by firewall or OTP.

Initial proposal from Benjamin was NAK for different reasons and DT bindings were also
discussed during system DT calls without any agreement at the end.
Today we have decided to implement a platform bus to check access like proposed by Greg [1].
Indeed, a new framework was rejected at the time being.
The main difference compared to [2] is that the bus identifies a peripheral thanks to its base address "reg" and
then verifies the associated access properties before probing the device or not.
It was a proposal from Rob we discussed during a system DT call to avoid an additional binding.

We are late to send an update because we are also working on OP-TEE and U-Boot to verify
the approach and be sure we can cover our specific SoC cases with this solution.

Regards,
Loic

[1] https://patchwork.ozlabs.org/project/devicetree-bindings/cover/20200128153806.7780-1-benjamin.gaignard@st.com/
[2] https://lore.kernel.org/all/20200701132523.32533-1-benjamin.gaignard@st.com/

> 
> Also a general gpio-controller like property would be nice. It would allow drivers
> to easily check whether they are supposed to register a domain/feature
> controller.
> For devices like yours where a dedicated device node represents the domain controller,
> it's redundant, but for a fuse bank, it's useful. #feature-cells could be used for
> that, but I think a dedicated property may be better.
> 
> Let me know what you think and thanks for working on this!
> 
> Cheers,
> Ahmad
> 
> 
> >
> > I think we can cooperate with the bus controller framework developers
> > and produce the common binding, which will fit the requirements of both
> > features
> >
> > Also, I think that binding can also be used for STM32 ETZPC bus
> > controller feature, proposed in the following thread: [2].
> >
> > Looking forward for your thoughts and ideas.
> >
> > [0] https://developer.arm.com/documentation/den0056/latest
> > [1] https://lore.kernel.org/all/20190318100605.29120-1-benjamin.gaignard@...com/
> > [2] https://lore.kernel.org/all/20200701132523.32533-1-benjamin.gaignard@...com/
> >
> > ---
> > Changes v1 -> V2:
> >    - update parameter name, made it xen-specific
> >    - add xen vendor bindings
> >
> > Changes V2 -> V3:
> >    - update parameter name, make it generic
> >    - update parameter format, add link to controller
> >    - do not include xen vendor bindings as already upstreamed
> >
> > Changes V3 -> V4:
> >    - introduce domain controller provider/consumer device tree bindings
> >    - making scmi node to act as domain controller provider when the
> >      device permissions should be configured
> > ---
> >
> > Oleksii Moisieiev (2):
> >   dt-bindings: Document common device controller bindings
> >   dt-bindings: Update scmi node description
> >
> >  .../bindings/domains/domain-controller.yaml   | 80 +++++++++++++++++++
> >  .../bindings/firmware/arm,scmi.yaml           | 25 ++++++
> >  2 files changed, 105 insertions(+)
> >  create mode 100644 Documentation/devicetree/bindings/domains/domain-controller.yaml
> >
> 
> 
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
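
The fixup walk described in the quoted text above (find the feature-gates property, ask the feature controller, disable unavailable nodes), as an added C sketch that is not barebox or kernel code and not part of the original message. The structs, `fixup_feature_gates()`, the feature ids, every node name except vpu_g1, and the choice to treat unknown ids or a missing callback as unavailable are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical feature controller: check() reports whether feature id exists. */
struct feature_controller {
    bool (*check)(const struct feature_controller *fc, uint32_t id);
    uint32_t fuse_word;                /* constructed: bit set = IP fused off */
};

struct dt_node {                       /* in-memory stand-in for a DT node */
    const char *name;
    const struct feature_controller *gate; /* phandle in feature-gates */
    uint32_t gate_id;                  /* the single specifier cell */
    const char *status;
};

static bool fuse_check(const struct feature_controller *fc, uint32_t id)
{
    /* Assumption: ids outside the fuse word are unknown, so unavailable. */
    return id < 32 && !(fc->fuse_word & (UINT32_C(1) << id));
}

/* Disable every gated node whose controller reports "unavailable". Nodes are
 * matched by property only, never by name or path. Returns the count disabled. */
size_t fixup_feature_gates(struct dt_node *nodes, size_t n)
{
    size_t disabled = 0;
    for (size_t i = 0; i < n; i++) {
        const struct feature_controller *fc = nodes[i].gate;
        if (!fc)                       /* no feature-gates property */
            continue;
        if (!fc->check || !fc->check(fc, nodes[i].gate_id)) {
            nodes[i].status = "disabled";
            disabled++;
        }
    }
    return disabled;
}

/* Constructed sample: feature ids and all node names but vpu_g1 are made up. */
static const struct feature_controller ocotp = { fuse_check, UINT32_C(1) << 1 };
struct dt_node sample[] = {
    { "vpu_g1", &ocotp, 1,  "okay" },  /* fused off -> disabled */
    { "vpu_g2", &ocotp, 2,  "okay" },  /* available -> stays okay */
    { "uart1",  NULL,   0,  "okay" },  /* ungated   -> stays okay */
    { "npu",    &ocotp, 40, "okay" },  /* unknown id -> disabled */
};

int main(void) { return fixup_feature_gates(sample, 4) == 2 ? 0 : 1; }
```

The same walk fits a firewall-backed controller by swapping `fuse_check` for a callback that queries the access configuration.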
