[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <61608010-fbce-46c6-a83d-94c04d0f000d@foss.st.com>
Date: Mon, 8 Apr 2024 10:42:59 +0200
From: Alexandre TORGUE <alexandre.torgue@...s.st.com>
To: Gatien Chevallier <gatien.chevallier@...s.st.com>,
<Oleksii_Moisieiev@...m.com>, <gregkh@...uxfoundation.org>,
<herbert@...dor.apana.org.au>, <davem@...emloft.net>,
<robh+dt@...nel.org>, <krzysztof.kozlowski+dt@...aro.org>,
<conor+dt@...nel.org>, <vkoul@...nel.org>, <jic23@...nel.org>,
<olivier.moysan@...s.st.com>, <arnaud.pouliquen@...s.st.com>,
<mchehab@...nel.org>, <fabrice.gasnier@...s.st.com>,
<andi.shyti@...nel.org>, <ulf.hansson@...aro.org>,
<edumazet@...gle.com>, <kuba@...nel.org>, <pabeni@...hat.com>,
<hugues.fruchet@...s.st.com>, <lee@...nel.org>, <will@...nel.org>,
<catalin.marinas@....com>, <arnd@...nel.org>,
<richardcochran@...il.com>, Frank Rowand <frowand.list@...il.com>,
<peng.fan@....nxp.com>, <lars@...afoo.de>, <rcsekar@...sung.com>,
<wg@...ndegger.com>, <mkl@...gutronix.de>
CC: <linux-crypto@...r.kernel.org>, <devicetree@...r.kernel.org>,
<linux-stm32@...md-mailman.stormreply.com>,
<linux-arm-kernel@...ts.infradead.org>, <linux-kernel@...r.kernel.org>,
<dmaengine@...r.kernel.org>, <linux-i2c@...r.kernel.org>,
<linux-iio@...r.kernel.org>, <alsa-devel@...a-project.org>,
<linux-media@...r.kernel.org>, <linux-mmc@...r.kernel.org>,
<netdev@...r.kernel.org>, <linux-phy@...ts.infradead.org>,
<linux-serial@...r.kernel.org>, <linux-spi@...r.kernel.org>,
<linux-usb@...r.kernel.org>
Subject: Re: [PATCH v9 00/13] Introduce STM32 Firewall framework
Hi Gatien,
On 1/5/24 14:03, Gatien Chevallier wrote:
> Introduce STM32 Firewall framework for STM32MP1x and STM32MP2x
> platforms. STM32MP1x(ETZPC) and STM32MP2x(RIFSC) Firewall controllers
> register to the framework to offer firewall services such as access
> granting.
>
> This series of patches is a new approach on the previous STM32 system
> bus, history is available here:
> https://lore.kernel.org/lkml/20230127164040.1047583/
>
> The need for such framework arises from the fact that there are now
> multiple hardware firewalls implemented across multiple products.
> Drivers are shared between different products, using the same code.
> When it comes to firewalls, the purpose mostly stays the same: Protect
> hardware resources. But the implementation differs, and there are
> multiple types of firewalls: peripheral, memory, ...
>
> Some hardware firewall controllers such as the RIFSC implemented on
> STM32MP2x platforms may require to take ownership of a resource before
> being able to use it, hence the requirement for firewall services to
> take/release the ownership of such resources.
>
> On the other hand, hardware firewall configurations are becoming
> more and more complex. These mecanisms prevent platform crashes
> or other firewall-related incoveniences by denying access to some
> resources.
>
> The stm32 firewall framework offers an API that is defined in
> firewall controllers drivers to best fit the specificity of each
> firewall.
>
> For every peripherals protected by either the ETZPC or the RIFSC, the
> firewall framework checks the firewall controlelr registers to see if
> the peripheral's access is granted to the Linux kernel. If not, the
> peripheral is configured as secure, the node is marked populated,
> so that the driver is not probed for that device.
>
> The firewall framework relies on the access-controller device tree
> binding. It is used by peripherals to reference a domain access
> controller. In this case a firewall controller. The bus uses the ID
> referenced by the access-controller property to know where to look
> in the firewall to get the security configuration for the peripheral.
> This allows a device tree description rather than a hardcoded peripheral
> table in the bus driver.
>
> The STM32 ETZPC device is responsible for filtering accesses based on
> security level, or co-processor isolation for any resource connected
> to it.
>
> The RIFSC is responsible for filtering accesses based on Compartment
> ID / security level / privilege level for any resource connected to
> it.
>
> STM32MP13/15/25 SoC device tree files are updated in this series to
> implement this mecanism.
>
..
After minor cosmetic fixes, series applied on stm32-next.
Seen with Arnd: it will be part on my next PR and will come through
arm-soc tree.
Thanks
Alex
Powered by blists - more mailing lists