lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <02b34c80-f37e-deee-29cd-de7db902797d@gmail.com>
Date:   Mon, 17 Apr 2023 11:01:13 -0700
From:   Florian Fainelli <f.fainelli@...il.com>
To:     Nikunj Kela <quic_nkela@...cinc.com>, sudeep.holla@....com
Cc:     cristian.marussi@....com, robh+dt@...nel.org,
        krzysztof.kozlowski+dt@...aro.org,
        linux-arm-kernel@...ts.infradead.org, devicetree@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 2/2] firmware: arm_scmi: Augment SMC/HVC to allow
 optional parameter

On 4/17/23 10:44, Nikunj Kela wrote:
> This patch add support for passing shmem channel address as parameter
> in smc/hvc call. This patch is useful when multiple scmi instances are
> using same smc-id and firmware needs to distiguish among the instances.

Typo: distinguish.

It really would have been a lot clearer and made a whole lot more sense 
to encode a VM ID/channel number within some of the SMCCC parameters, 
possibly as part of the function ID itself.

> 
> Signed-off-by: Nikunj Kela <quic_nkela@...cinc.com>
> ---
>   drivers/firmware/arm_scmi/driver.c |  1 +
>   drivers/firmware/arm_scmi/smc.c    | 25 ++++++++++++++++++++++++-
>   2 files changed, 25 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
> index e7d97b59963b..b5957cc12fee 100644
> --- a/drivers/firmware/arm_scmi/driver.c
> +++ b/drivers/firmware/arm_scmi/driver.c
> @@ -2914,6 +2914,7 @@ static const struct of_device_id scmi_of_match[] = {
>   #endif
>   #ifdef CONFIG_ARM_SCMI_TRANSPORT_SMC
>   	{ .compatible = "arm,scmi-smc", .data = &scmi_smc_desc},
> +	{ .compatible = "arm,scmi-smc-param", .data = &scmi_smc_desc},
>   #endif
>   #ifdef CONFIG_ARM_SCMI_TRANSPORT_VIRTIO
>   	{ .compatible = "arm,scmi-virtio", .data = &scmi_virtio_desc},
> diff --git a/drivers/firmware/arm_scmi/smc.c b/drivers/firmware/arm_scmi/smc.c
> index 93272e4bbd12..e28387346d33 100644
> --- a/drivers/firmware/arm_scmi/smc.c
> +++ b/drivers/firmware/arm_scmi/smc.c
> @@ -20,6 +20,9 @@
>   
>   #include "common.h"
>   
> +#define lower32(x)	((u32)((x) & 0xffffffff))
> +#define upper32(x)	((u32)(((u64)(x) >> 32) & 0xffffffff))

Cannot you use the existing lower_32_bits and upper_32_bits macros from 
kernel.h here?

> +
>   /**
>    * struct scmi_smc - Structure representing a SCMI smc transport
>    *
> @@ -30,6 +33,8 @@
>    * @inflight: Atomic flag to protect access to Tx/Rx shared memory area.
>    *	      Used when operating in atomic mode.
>    * @func_id: smc/hvc call function id
> + * @is_smc64: smc/hvc calling convention type 64 vs 32
> + * @param: physical address of the shmem channel
>    */
>   
>   struct scmi_smc {
> @@ -40,6 +45,8 @@ struct scmi_smc {
>   #define INFLIGHT_NONE	MSG_TOKEN_MAX
>   	atomic_t inflight;
>   	u32 func_id;
> +	bool is_smc64;
> +	phys_addr_t param;
>   };
>   
>   static irqreturn_t smc_msg_done_isr(int irq, void *data)
> @@ -137,6 +144,8 @@ static int smc_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
>   	if (ret < 0)
>   		return ret;
>   
> +	if (of_device_is_compatible(dev->of_node, "arm,scmi-smc-param"))
> +		scmi_info->param = res.start;

There is not even a check that this is going to be part of the kernel's 
view of memory, that seems a bit brittle and possibly a security hole, 
too. Your hypervisor presumably needs to have carved out some amount of 
memory in order for the messages to be written to/read from, and so 
would the VM kernel, so eventually we should have a 'reserved-memory' 
entry of some sort, no?

>   	/*
>   	 * If there is an interrupt named "a2p", then the service and
>   	 * completion of a message is signaled by an interrupt rather than by
> @@ -156,6 +165,7 @@ static int smc_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
>   	}
>   
>   	scmi_info->func_id = func_id;
> +	scmi_info->is_smc64 = ARM_SMCCC_IS_64(func_id);
>   	scmi_info->cinfo = cinfo;
>   	smc_channel_lock_init(scmi_info);
>   	cinfo->transport_info = scmi_info;
> @@ -188,7 +198,20 @@ static int smc_send_message(struct scmi_chan_info *cinfo,
>   
>   	shmem_tx_prepare(scmi_info->shmem, xfer, cinfo);
>   
> -	arm_smccc_1_1_invoke(scmi_info->func_id, 0, 0, 0, 0, 0, 0, 0, &res);
> +#ifdef CONFIG_ARM64
> +	/*
> +	 * if SMC32 convention is used, pass 64 bit address in
> +	 * two parameters
> +	 */
> +	if (!scmi_info->is_smc64)

There is no need for scmi_info to store is_smc64, just check the func_id 
here and declare is_smc64 as a local variable to the function.

Also, another way to approach this would be to encode the parameters 
region in 4KB units such that event on a 32-bit system with LPAE you are 
guaranteed to fit the region into a 32-bit unsigned long. AFAIR 
virtualization and LPAE are indistinguishable on real CPUs?

> +		arm_smccc_1_1_invoke(scmi_info->func_id,
> +				     lower32(scmi_info->param),
> +				     upper32(scmi_info->param),
> +				     0, 0, 0, 0, 0, &res);
> +	else
> +#endif
> +		arm_smccc_1_1_invoke(scmi_info->func_id, scmi_info->param,
> +				     0, 0, 0, 0, 0, 0, &res);
>   
>   	/* Only SMCCC_RET_NOT_SUPPORTED is valid error code */
>   	if (res.a0) {

-- 
Florian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ