lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CADrjBPqT=F+MALssnWsMa1E1RcPN7Sz8s+HfEZRU3pSgPO+z6w@mail.gmail.com>
Date: Tue, 6 Feb 2024 15:56:39 +0000
From: Peter Griffin <peter.griffin@...aro.org>
To: Sam Protsenko <semen.protsenko@...aro.org>
Cc: arnd@...db.de, krzysztof.kozlowski@...aro.org, linux@...ck-us.net, 
	wim@...ux-watchdog.org, alim.akhtar@...sung.com, jaewon02.kim@...sung.com, 
	kernel-team@...roid.com, alexey.klimov@...aro.org, tudor.ambarus@...aro.org, 
	andre.draszik@...aro.org, saravanak@...gle.com, willmcvicker@...gle.com, 
	linux-fsd@...la.com, linux-watchdog@...r.kernel.org, 
	devicetree@...r.kernel.org, linux-kernel@...r.kernel.org, 
	linux-arm-kernel@...ts.infradead.org, linux-samsung-soc@...r.kernel.org
Subject: Re: [PATCH v3 1/2] soc: samsung: exynos-pmu: Add regmap support for
 SoCs that protect PMU regs

Hi Sam,

Thanks for the great review feedback.

On Fri, 2 Feb 2024 at 17:35, Sam Protsenko <semen.protsenko@...aro.org> wrote:
>
> On Fri, Feb 2, 2024 at 8:57 AM Peter Griffin <peter.griffin@...aro.org> wrote:
> >
> > Some Exynos based SoCs like Tensor gs101 protect the PMU registers for
> > security hardening reasons so that they are only write accessible in el3
> > via an SMC call.
> >
> > As most Exynos drivers that need to write PMU registers currently obtain a
> > regmap via syscon (phys, pinctrl, watchdog). Support for the above usecase
> > is implemented in this driver using a custom regmap similar to syscon to
> > handle the SMC call. Platforms that don't secure PMU registers, get a mmio
> > regmap like before. As regmaps abstract out the underlying register access
> > changes to the leaf drivers are minimal.
> >
> > A new API exynos_get_pmu_regmap_by_phandle() is provided for leaf drivers
> > that currently use syscon_regmap_lookup_by_phandle(). This also handles
> > deferred probing.
> >
> > Signed-off-by: Peter Griffin <peter.griffin@...aro.org>
> > ---
> > Changes since v2
> >  - Add select REGMAP to Kconfig
> >  - Add constant for SET/CLEAR bits
> >  - Replace kerneldoc with one line comment
> >  - Fix kerneldoc for EXPORT_SYMBOL_GPL funcs
> >  - remove superflous extern keyword
> >  - dev_err_probe() on probe error
> >  - shorten regmcfg name
> >  - no compatibles inside probe, use match data
> >  - don't mix declarations with/without initializations
> >  - tensor_sec_reg_read() use mmio to avoid access restrictions
> >  - Collect up Reviewed-by
> >  - const for regmap_config structs
> > ---
> >  drivers/soc/samsung/Kconfig            |   1 +
> >  drivers/soc/samsung/exynos-pmu.c       | 233 ++++++++++++++++++++++++-
> >  drivers/soc/samsung/exynos-pmu.h       |   1 +
> >  include/linux/soc/samsung/exynos-pmu.h |  11 +-
> >  4 files changed, 241 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/soc/samsung/Kconfig b/drivers/soc/samsung/Kconfig
> > index 27ec99af77e3..1a5dfdc978dc 100644
> > --- a/drivers/soc/samsung/Kconfig
> > +++ b/drivers/soc/samsung/Kconfig
> > @@ -42,6 +42,7 @@ config EXYNOS_PMU
> >         depends on ARCH_EXYNOS || ((ARM || ARM64) && COMPILE_TEST)
> >         select EXYNOS_PMU_ARM_DRIVERS if ARM && ARCH_EXYNOS
> >         select MFD_CORE
> > +       select REGMAP_MMIO
> >
> >  # There is no need to enable these drivers for ARMv8
> >  config EXYNOS_PMU_ARM_DRIVERS
> > diff --git a/drivers/soc/samsung/exynos-pmu.c b/drivers/soc/samsung/exynos-pmu.c
> > index 250537d7cfd6..adf3549370d6 100644
> > --- a/drivers/soc/samsung/exynos-pmu.c
> > +++ b/drivers/soc/samsung/exynos-pmu.c
> > @@ -5,6 +5,7 @@
> >  //
> >  // Exynos - CPU PMU(Power Management Unit) support
> >
> > +#include <linux/arm-smccc.h>
> >  #include <linux/of.h>
> >  #include <linux/of_address.h>
> >  #include <linux/mfd/core.h>
> > @@ -12,19 +13,130 @@
> >  #include <linux/of_platform.h>
> >  #include <linux/platform_device.h>
> >  #include <linux/delay.h>
> > +#include <linux/regmap.h>
> >
> >  #include <linux/soc/samsung/exynos-regs-pmu.h>
> >  #include <linux/soc/samsung/exynos-pmu.h>
> >
> >  #include "exynos-pmu.h"
> >
> > +#define PMUALIVE_MASK GENMASK(14, 0)
>
> Are you sure it's not GENMASK(13, 0)?

Yes, you're right, mask should be 0x3fff.

> Because SET_BITS has bit #14
> set, which overlaps with bit #14 from PMUALIVE_MASK, when being added
> in tensor_set_bit_atomic().
>
> This also can be aligned with below definitions.

Will update alignment
>
> > +#define SET_BITS       0xc000
> > +#define CLEAR_BITS     0x8000
>
> All 3 above values seem to be gs101 specific. At least I can't find
> any similar atomic registers in Exynos850 TRM, in PMU block. So I'd
> suggest also adding TENSOR_ prefix to those to make it clear and to
> prevent possible naming conflicts in future.

Sure, I can add a Tensor prefix. Unfortunately these atomic registers
aren't mentioned anywhere in gs101 TRM's either, so it is a bit of a
nature study :( It was implemented and used in the downstream drivers
though (and doesn't look to be implemented downstream for exynos850,
so you're likely correct it doesn't have it.). I tried to check some
other downstream product tree's, I found the hardware looks to exist
on Exynos 9820 [1]. But I think we can update the name if somebody
tries to upstream that platform in the future.

[1] https://github.com/PixelOS-Devices/kernel_samsung_exynos9820/blob/thirteen/drivers/soc/samsung/exynos-pmu.c#L32

>
> Also, not sure if it makes things better, but FWIW:
>
>     #define CLEAR_BITS     BIT(15)
>     #define SET_BITS       (BIT(15) | BIT(14))

I agree that would make it clearer.

>
> Just to show that those two bits don't overlap with PMUALIVE_MASK (if
> it can be fixed to 13:0), and show their relation. If I understand
> correctly what's going on anyway.

I think you've understood what's happening here perfectly

>
> > +
> > +#define TENSOR_SMC_PMU_SEC_REG         0x82000504
> > +#define TENSOR_PMUREG_READ             0
> > +#define TENSOR_PMUREG_WRITE            1
> > +#define TENSOR_PMUREG_RMW              2
> > +
> >  struct exynos_pmu_context {
> >         struct device *dev;
> >         const struct exynos_pmu_data *pmu_data;
> > +       struct regmap *pmureg;
> >  };
> >
> >  void __iomem *pmu_base_addr;
> >  static struct exynos_pmu_context *pmu_context;
> > +static struct platform_driver exynos_pmu_driver;
>
> Just an idea: maybe add a comment saying it's a forward declaration,
> and the variable is assigned below, as it might be confusing. Not sure
> if it's worth it though.
>
> > +
> > +/*
> > + * Tensor SoCs are configured so that PMU_ALIVE registers can only be written
> > + * from EL3, but are still read accessible. As Linux needs to write some of
> > + * these registers, the following functions are provided and exposed via
> > + * regmap.
> > + *
> > + * Note: This SMC interface is known to be implemented on gs101 and derivative
> > + * SoCs.
> > + */
> > +
> > +/* Write to a protected PMU register. */
> > +static int tensor_sec_reg_write(void *base, unsigned int reg, unsigned int val)
> > +{
> > +       struct arm_smccc_res res;
> > +       unsigned long pmu_base = (unsigned long)base;
> > +
> > +       arm_smccc_smc(TENSOR_SMC_PMU_SEC_REG, pmu_base + reg,
> > +                     TENSOR_PMUREG_WRITE, val, 0, 0, 0, 0, &res);
> > +
> > +       /* returns -EINVAL if access isn't allowed or 0 */
> > +       if (res.a0)
> > +               pr_warn("%s(): SMC failed: %d\n", __func__, (int)res.a0);
> > +
> > +       return (int)res.a0;
> > +}
> > +
> > +/* Read/Modify/Write a protected PMU register. */
> > +static int tensor_sec_reg_rmw(void *base, unsigned int reg,
> > +                             unsigned int mask, unsigned int val)
> > +{
> > +       struct arm_smccc_res res;
> > +       unsigned long pmu_base = (unsigned long)base;
> > +
> > +       arm_smccc_smc(TENSOR_SMC_PMU_SEC_REG, pmu_base + reg,
> > +                     TENSOR_PMUREG_RMW, mask, val, 0, 0, 0, &res);
> > +
> > +       /* returns -EINVAL if access isn't allowed or 0*/
> > +       if (res.a0)
> > +               pr_warn("%s(): SMC failed: %d\n", __func__, (int)res.a0);
> > +
> > +       return (int)res.a0;
> > +}
> > +
> > +/*
> > + * Read a protected PMU register. All PMU registers can be read by Linux.
> > + * Note: The SMC read register is not used, as only registers that can be
> > + * written are readable via SMC.
> > + */
> > +static int tensor_sec_reg_read(void *base, unsigned int reg, unsigned int *val)
> > +{
> > +       *val = pmu_raw_readl(reg);
> > +       return 0;
> > +}
> > +
> > +/*
> > + * For SoCs that have set/clear bit hardware this function can be used when
> > + * the PMU register will be accessed by multiple masters.
> > + *
> > + * For example, to set bits 13:8 in PMU reg offset 0x3e80
> > + * tensor_set_bit_atomic(0x3e80, 0x3f00, 0x3f00);
> > + *
> > + * To clear bits 13:8 in PMU offset 0x3e80
> > + * tensor_set_bit_atomic(0x3e80, 0x0, 0x3f00);
> > + */
> > +static inline int tensor_set_bit_atomic(void *ctx, unsigned int offset,
>
> set_bit -> set_bits?

Will change

>
> > +                                       u32 val, u32 mask)
> > +{
> > +       int ret;
> > +       unsigned int i;
> > +
> > +       for (i = 0; i < 32; i++) {
> > +               if (mask & BIT(i)) {
>
> Maybe replace it with:
>
>     if (!(mask & BIT(i)))
>         continue;
>
> to reduce the indentation level?

Will do

>
> > +                       if (val & BIT(i))
> > +                               offset |= SET_BITS;
> > +                       else
> > +                               offset |= CLEAR_BITS;
>
> What if someone calls this functions like this:
>
>     tensor_set_bit_atomic(0x3e80, 0x100, 0x3f00);
>
> which means "set bit #8, and clear bits 13:9). But because the offset
> variable will hold SET_BITS set during bit #8 handling, bits 13:9 are
> also going to be set, effectively making that call act like
> tensor_set_bit_atomic(0x3e80, 0x3f00, 0x3f00) instead. So I'd add
> something like:
>
>     offset &= ~SET_BITS;
>
> before doing |= operations.

Good catch! Will fix in v4

>
> > +
> > +                       ret = tensor_sec_reg_write(ctx, offset, i);
> > +                       if (ret)
> > +                               goto out;
>
> Maybe remove "out" and just do return ret here?

Will update

>
> > +               }
> > +       }
> > +out:
> > +       return ret;
> > +}
> > +
> > +static int tensor_sec_update_bits(void *ctx, unsigned int reg,
> > +                                 unsigned int mask, unsigned int val)
> > +{
> > +       /*
> > +        * Use atomic operations for PMU_ALIVE registers (offset 0~0x3FFF)
> > +        * as the target registers can be accessed by multiple masters.
> > +        */
> > +       if (reg > PMUALIVE_MASK)
> > +               return tensor_sec_reg_rmw(ctx, reg, mask, val);
> > +
> > +       return tensor_set_bit_atomic(ctx, reg, val, mask);
> > +}
> >
> >  void pmu_raw_writel(u32 val, u32 offset)
> >  {
> > @@ -75,11 +187,41 @@ void exynos_sys_powerdown_conf(enum sys_powerdown mode)
> >  #define exynos_pmu_data_arm_ptr(data)  NULL
> >  #endif
> >
> > +static const struct regmap_config regmap_smccfg = {
> > +       .name = "pmu_regs",
> > +       .reg_bits = 32,
> > +       .reg_stride = 4,
> > +       .val_bits = 32,
> > +       .fast_io = true,
> > +       .use_single_read = true,
> > +       .use_single_write = true,
> > +       .reg_read = tensor_sec_reg_read,
> > +       .reg_write = tensor_sec_reg_write,
> > +       .reg_update_bits = tensor_sec_update_bits,
> > +};
> > +
> > +static const struct regmap_config regmap_mmiocfg = {
> > +       .name = "pmu_regs",
> > +       .reg_bits = 32,
> > +       .reg_stride = 4,
> > +       .val_bits = 32,
> > +       .fast_io = true,
> > +       .use_single_read = true,
> > +       .use_single_write = true,
> > +};
> > +
> > +static const struct exynos_pmu_data gs101_pmu_data = {
> > +       .pmu_secure = true
> > +};
> > +
> >  /*
> >   * PMU platform driver and devicetree bindings.
> >   */
> >  static const struct of_device_id exynos_pmu_of_device_ids[] = {
> >         {
> > +               .compatible = "google,gs101-pmu",
> > +               .data = &gs101_pmu_data,
> > +       }, {
> >                 .compatible = "samsung,exynos3250-pmu",
> >                 .data = exynos_pmu_data_arm_ptr(exynos3250_pmu_data),
> >         }, {
> > @@ -113,19 +255,73 @@ static const struct mfd_cell exynos_pmu_devs[] = {
> >         { .name = "exynos-clkout", },
> >  };
> >
> > +/**
> > + * exynos_get_pmu_regmap() - Obtain pmureg regmap
> > + *
> > + * Find the pmureg regmap previously configured in probe() and return regmap
> > + * pointer.
> > + *
> > + * Return: A pointer to regmap if found or ERR_PTR error value.
> > + */
> >  struct regmap *exynos_get_pmu_regmap(void)
> >  {
> >         struct device_node *np = of_find_matching_node(NULL,
> >                                                       exynos_pmu_of_device_ids);
> >         if (np)
> > -               return syscon_node_to_regmap(np);
> > +               return exynos_get_pmu_regmap_by_phandle(np, NULL);
> >         return ERR_PTR(-ENODEV);
> >  }
> >  EXPORT_SYMBOL_GPL(exynos_get_pmu_regmap);
> >
> > +/**
> > + * exynos_get_pmu_regmap_by_phandle() - Obtain pmureg regmap via phandle
> > + * @np: Pointer to device's Device Tree node
> > + * @property: Device Tree property name which references the pmu
> > + *
> > + * Find the pmureg regmap previously configured in probe() and return regmap
> > + * pointer.
> > + *
> > + * Return: A pointer to regmap if found or ERR_PTR error value.
> > + */
> > +struct regmap *exynos_get_pmu_regmap_by_phandle(struct device_node *np,
> > +                                               const char *property)
> > +{
> > +       struct device *dev;
> > +       struct exynos_pmu_context *ctx;
> > +       struct device_node *pmu_np;
> > +
> > +       if (property)
> > +               pmu_np = of_parse_phandle(np, property, 0);
> > +       else
> > +               pmu_np = np;
> > +
> > +       if (!pmu_np)
> > +               return ERR_PTR(-ENODEV);
> > +
> > +       /*
> > +        * Determine if exynos-pmu device has probed and therefore regmap
> > +        * has been created and can be returned to the caller. Otherwise we
> > +        * return -EPROBE_DEFER.
> > +        */
> > +       dev = driver_find_device_by_of_node(&exynos_pmu_driver.driver,
> > +                                           (void *)pmu_np);
> > +
> > +       of_node_put(pmu_np);
> > +       if (!dev)
> > +               return ERR_PTR(-EPROBE_DEFER);
> > +
> > +       ctx = dev_get_drvdata(dev);
> > +
> > +       return ctx->pmureg;
> > +}
> > +EXPORT_SYMBOL_GPL(exynos_get_pmu_regmap_by_phandle);
> > +
> >  static int exynos_pmu_probe(struct platform_device *pdev)
> >  {
> >         struct device *dev = &pdev->dev;
> > +       struct regmap_config pmu_regmcfg;
> > +       struct regmap *regmap;
> > +       struct resource *res;
> >         int ret;
> >
> >         pmu_base_addr = devm_platform_ioremap_resource(pdev, 0);
> > @@ -133,13 +329,42 @@ static int exynos_pmu_probe(struct platform_device *pdev)
> >                 return PTR_ERR(pmu_base_addr);
> >
> >         pmu_context = devm_kzalloc(&pdev->dev,
> > -                       sizeof(struct exynos_pmu_context),
> > -                       GFP_KERNEL);
> > +                                  sizeof(struct exynos_pmu_context),
> > +                                  GFP_KERNEL);
> >         if (!pmu_context)
> >                 return -ENOMEM;
> > -       pmu_context->dev = dev;
> > +
> > +       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
> > +       if (!res)
> > +               return -ENODEV;
> > +
> >         pmu_context->pmu_data = of_device_get_match_data(dev);
> >
> > +       /* For SoCs that secure PMU register writes use custom regmap */
> > +       if (pmu_context->pmu_data && pmu_context->pmu_data->pmu_secure) {
> > +               pmu_regmcfg = regmap_smccfg;
> > +               pmu_regmcfg.max_register = resource_size(res) -
> > +                                          pmu_regmcfg.reg_stride;
> > +               /* Need physical address for SMC call */
> > +               regmap = devm_regmap_init(dev, NULL,
> > +                                         (void *)(uintptr_t)res->start,
> > +                                         &pmu_regmcfg);
> > +       } else {
> > +               /* all other SoCs use a MMIO regmap */
>
> Suggest starting with a capital letter, for consistency with previous comments.

Will update

>
> > +               pmu_regmcfg = regmap_mmiocfg;
> > +               pmu_regmcfg.max_register = resource_size(res) -
> > +                                          pmu_regmcfg.reg_stride;
> > +               regmap = devm_regmap_init_mmio(dev, pmu_base_addr,
> > +                                              &pmu_regmcfg);
> > +       }
> > +
> > +       if (IS_ERR(regmap))
> > +               dev_err_probe(&pdev->dev, PTR_ERR(regmap),
> > +                             "regmap init failed\n");
>
> Why not "return dev_err_probe()"? Is it ok to continue with no regmap created?

That should have been return dev_err_probe. Will fix

Peter



>
> > +
> > +       pmu_context->pmureg = regmap;
> > +       pmu_context->dev = dev;
> > +
> >         if (pmu_context->pmu_data && pmu_context->pmu_data->pmu_init)
> >                 pmu_context->pmu_data->pmu_init();
> >
> > diff --git a/drivers/soc/samsung/exynos-pmu.h b/drivers/soc/samsung/exynos-pmu.h
> > index 1c652ffd79b4..0a49a2c9a08e 100644
> > --- a/drivers/soc/samsung/exynos-pmu.h
> > +++ b/drivers/soc/samsung/exynos-pmu.h
> > @@ -21,6 +21,7 @@ struct exynos_pmu_conf {
> >  struct exynos_pmu_data {
> >         const struct exynos_pmu_conf *pmu_config;
> >         const struct exynos_pmu_conf *pmu_config_extra;
> > +       bool pmu_secure;
> >
> >         void (*pmu_init)(void);
> >         void (*powerdown_conf)(enum sys_powerdown);
> > diff --git a/include/linux/soc/samsung/exynos-pmu.h b/include/linux/soc/samsung/exynos-pmu.h
> > index a4f5516cc956..406ed73614fd 100644
> > --- a/include/linux/soc/samsung/exynos-pmu.h
> > +++ b/include/linux/soc/samsung/exynos-pmu.h
> > @@ -20,12 +20,21 @@ enum sys_powerdown {
> >
> >  extern void exynos_sys_powerdown_conf(enum sys_powerdown mode);
> >  #ifdef CONFIG_EXYNOS_PMU
> > -extern struct regmap *exynos_get_pmu_regmap(void);
> > +struct regmap *exynos_get_pmu_regmap(void);
> > +
>
> Usually empty line delimeter is not needed in cases like that.
>
> > +struct regmap *exynos_get_pmu_regmap_by_phandle(struct device_node *np,
> > +                                               const char *property);
> >  #else
> >  static inline struct regmap *exynos_get_pmu_regmap(void)
> >  {
> >         return ERR_PTR(-ENODEV);
> >  }
> > +
> > +static inline struct regmap *exynos_get_pmu_regmap_by_phandle(struct device_node *np,
> > +                                                             const char *property)
> > +{
> > +       return ERR_PTR(-ENODEV);
> > +}
> >  #endif
> >
> >  #endif /* __LINUX_SOC_EXYNOS_PMU_H */
> > --
> > 2.43.0.594.gd9cf4e227d-goog
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ