lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Apr 2024 11:37:24 +0200
From: Alexandre TORGUE <alexandre.torgue@...s.st.com>
To: Rob Herring <robh+dt@...nel.org>
CC: Gatien Chevallier <gatien.chevallier@...s.st.com>,
        <Oleksii_Moisieiev@...m.com>, <gregkh@...uxfoundation.org>,
        <herbert@...dor.apana.org.au>, <davem@...emloft.net>,
        <krzysztof.kozlowski+dt@...aro.org>, <conor+dt@...nel.org>,
        <vkoul@...nel.org>, <jic23@...nel.org>, <olivier.moysan@...s.st.com>,
        <arnaud.pouliquen@...s.st.com>, <mchehab@...nel.org>,
        <fabrice.gasnier@...s.st.com>, <andi.shyti@...nel.org>,
        <ulf.hansson@...aro.org>, <edumazet@...gle.com>, <kuba@...nel.org>,
        <pabeni@...hat.com>, <hugues.fruchet@...s.st.com>, <lee@...nel.org>,
        <will@...nel.org>, <catalin.marinas@....com>, <arnd@...nel.org>,
        <richardcochran@...il.com>, Frank Rowand <frowand.list@...il.com>,
        <peng.fan@....nxp.com>, <lars@...afoo.de>, <rcsekar@...sung.com>,
        <wg@...ndegger.com>, <mkl@...gutronix.de>,
        <linux-crypto@...r.kernel.org>, <devicetree@...r.kernel.org>,
        <linux-stm32@...md-mailman.stormreply.com>,
        <linux-arm-kernel@...ts.infradead.org>, <linux-kernel@...r.kernel.org>,
        <dmaengine@...r.kernel.org>, <linux-i2c@...r.kernel.org>,
        <linux-iio@...r.kernel.org>, <alsa-devel@...a-project.org>,
        <linux-media@...r.kernel.org>, <linux-mmc@...r.kernel.org>,
        <netdev@...r.kernel.org>, <linux-phy@...ts.infradead.org>,
        <linux-serial@...r.kernel.org>, <linux-spi@...r.kernel.org>,
        <linux-usb@...r.kernel.org>
Subject: Re: [PATCH v9 00/13] Introduce STM32 Firewall framework

Hi Rob

On 4/9/24 19:13, Rob Herring wrote:
> On Mon, Apr 8, 2024 at 3:44 AM Alexandre TORGUE
> <alexandre.torgue@...s.st.com> wrote:
>>
>> Hi Gatien,
>>
>> On 1/5/24 14:03, Gatien Chevallier wrote:
>>> Introduce STM32 Firewall framework for STM32MP1x and STM32MP2x
>>> platforms. STM32MP1x(ETZPC) and STM32MP2x(RIFSC) Firewall controllers
>>> register to the framework to offer firewall services such as access
>>> granting.
>>>
>>> This series of patches is a new approach on the previous STM32 system
>>> bus, history is available here:
>>> https://lore.kernel.org/lkml/20230127164040.1047583/
>>>
>>> The need for such framework arises from the fact that there are now
>>> multiple hardware firewalls implemented across multiple products.
>>> Drivers are shared between different products, using the same code.
>>> When it comes to firewalls, the purpose mostly stays the same: Protect
>>> hardware resources. But the implementation differs, and there are
>>> multiple types of firewalls: peripheral, memory, ...
>>>
>>> Some hardware firewall controllers such as the RIFSC implemented on
>>> STM32MP2x platforms may require to take ownership of a resource before
>>> being able to use it, hence the requirement for firewall services to
>>> take/release the ownership of such resources.
>>>
>>> On the other hand, hardware firewall configurations are becoming
>>> more and more complex. These mecanisms prevent platform crashes
>>> or other firewall-related incoveniences by denying access to some
>>> resources.
>>>
>>> The stm32 firewall framework offers an API that is defined in
>>> firewall controllers drivers to best fit the specificity of each
>>> firewall.
>>>
>>> For every peripherals protected by either the ETZPC or the RIFSC, the
>>> firewall framework checks the firewall controlelr registers to see if
>>> the peripheral's access is granted to the Linux kernel. If not, the
>>> peripheral is configured as secure, the node is marked populated,
>>> so that the driver is not probed for that device.
>>>
>>> The firewall framework relies on the access-controller device tree
>>> binding. It is used by peripherals to reference a domain access
>>> controller. In this case a firewall controller. The bus uses the ID
>>> referenced by the access-controller property to know where to look
>>> in the firewall to get the security configuration for the peripheral.
>>> This allows a device tree description rather than a hardcoded peripheral
>>> table in the bus driver.
>>>
>>> The STM32 ETZPC device is responsible for filtering accesses based on
>>> security level, or co-processor isolation for any resource connected
>>> to it.
>>>
>>> The RIFSC is responsible for filtering accesses based on Compartment
>>> ID / security level / privilege level for any resource connected to
>>> it.
>>>
>>> STM32MP13/15/25 SoC device tree files are updated in this series to
>>> implement this mecanism.
>>>
>>
>> ...
>>
>> After minor cosmetic fixes, series applied on stm32-next.
>> Seen with Arnd: it will be part on my next PR and will come through
>> arm-soc tree.
> 
> And there's some new warnings in next with it:
> 
>        1  venc@...e0000: 'access-controllers' does not match any of the
> regexes: 'pinctrl-[0-9]+'
>        1  vdec@...d0000: 'access-controllers' does not match any of the
> regexes: 'pinctrl-[0-9]+'

Yes I noticed it to my colleague. YAML update has been sent for VEND/VDENC.

https://lore.kernel.org/lkml/171276671618.403884.13818480350194550959.robh@kernel.org/T/

As soon as it is acked I could merge it in my tree.

Alex

> 
> Rob




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ