| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 25 May 2024 16:24:18 -0300 From: Wedson Almeida Filho <wedsonaf@...il.com> To: Philipp Stanner <pstanner@...hat.com> Cc: Dave Airlie <airlied@...il.com>, Miguel Ojeda <miguel.ojeda.sandonis@...il.com>, Danilo Krummrich <dakr@...hat.com>, gregkh@...uxfoundation.org, rafael@...nel.org, bhelgaas@...gle.com, ojeda@...nel.org, alex.gaynor@...il.com, boqun.feng@...il.com, gary@...yguo.net, bjorn3_gh@...tonmail.com, benno.lossin@...ton.me, a.hindborg@...sung.com, aliceryhl@...gle.com, fujita.tomonori@...il.com, lina@...hilina.net, ajanulgu@...hat.com, lyude@...hat.com, rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org, linux-pci@...r.kernel.org Subject: Re: [RFC PATCH 10/11] rust: add basic abstractions for iomem operations On Tue, 21 May 2024 at 05:03, Philipp Stanner <pstanner@...hat.com> wrote: > > On Tue, 2024-05-21 at 00:01 -0300, Wedson Almeida Filho wrote: > > On Mon, 20 May 2024 at 23:07, Dave Airlie <airlied@...il.com> wrote: > > > > > > > > > > > Wedson wrote a similar abstraction in the past > > > > (`rust/kernel/io_mem.rs` in the old `rust` branch), with a > > > > compile-time `SIZE` -- it is probably worth taking a look. > > > > > > > > > > Just on this point, we can't know in advance what size the IO BARs > > > are > > > at compile time. > > > > > > The old method just isn't useful for real devices with runtime IO > > > BAR sizes. > > > > The compile-time `SIZE` in my implementation is a minimum size. > > > > Attempts to read/write with constants within that size (offset + > > size) > > were checked at compile time, that is, they would have zero > > additional > > runtime cost when compared to C. Reads/writes beyond the minimum > > would > > have to be checked at runtime. > > > > We looked at this implementation > > Its disadvantage is that it moves the responsibility for setting that > minimum size to the driver programmer. Andreas Hindborg is using that > currently for rnvme [1]. > > I believe that the driver programmer in Rust should not be responsible > for controlling such sensitive parameters (one could far more easily > provide invalid values), but the subsystem (e.g. PCI) should do it, > because it knows about the exact resource lengths. There is no responsibility being moved. The bus is still that one that knows about the resources attached to the device. The driver, however, can say for example: I need at least 4 registers of 32 bits starting at offset X, which results in a minimum size of X + 16. If at runtime a device compatible with this driver appears and has an io mem of at least that size, then the driver can drive it without any additional runtime checks. I did this in the gpio driver here: https://lwn.net/Articles/863459/ Note that in addition to not having to check offset at runtime, the reads/writes are also infallible because all failures are caught at compile time. Obviously not all drivers can benefit from this, but it is considerable simplification for the ones that can. > The only way to set the actual, real value is through subsystem code. > But when we (i.e., currently, the driver programmer) have to use that > anyways, we can just use it from the very beginning and have the exact > valid parameters. Yes, only the bus knows. But to reiterate: if the driver declares and checks a minimum size at attach time, it obviates the needs to check again throughout the lifetime of the driver, which is more performant and eliminates error paths.
Powered by blists - more mailing lists