Message-ID: <Zw5ffeYW5uRpsaG3@lpieralisi>
Date: Tue, 15 Oct 2024 14:26:37 +0200
From: Lorenzo Pieralisi <lpieralisi@...nel.org>
To: Elliot Berman <quic_eberman@...cinc.com>
Cc: Shivendra Pratap <quic_spratap@...cinc.com>,
	Bjorn Andersson <andersson@...nel.org>,
	Konrad Dybcio <konrad.dybcio@...aro.org>,
	Sebastian Reichel <sre@...nel.org>, Rob Herring <robh@...nel.org>,
	Krzysztof Kozlowski <krzysztof.kozlowski+dt@...aro.org>,
	Conor Dooley <conor+dt@...nel.org>, Vinod Koul <vkoul@...nel.org>,
	Andy Yan <andy.yan@...k-chips.com>,
	Mark Rutland <mark.rutland@....com>,
	Bartosz Golaszewski <bartosz.golaszewski@...aro.org>,
	Satya Durga Srinivasu Prabhala <quic_satyap@...cinc.com>,
	Melody Olvera <quic_molvera@...cinc.com>,
	devicetree@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-arm-kernel@...ts.infradead.org,
	Florian Fainelli <florian.fainelli@...adcom.com>,
	linux-pm@...r.kernel.org, linux-arm-msm@...r.kernel.org,
	quic_spratap@...inc.com
Subject: Re: [PATCH v5 3/4] firmware: psci: Read and use vendor reset types

On Thu, Aug 15, 2024 at 11:05:09AM -0700, Elliot Berman wrote:
> On Thu, Aug 15, 2024 at 04:40:55PM +0200, Lorenzo Pieralisi wrote:
> > On Mon, Aug 12, 2024 at 11:46:08PM +0530, Shivendra Pratap wrote:
> > > 
> > > 
> > > On 8/9/2024 10:28 PM, Elliot Berman wrote:
> > > > On Fri, Aug 09, 2024 at 03:30:38PM +0200, Lorenzo Pieralisi wrote:
> > > >> On Wed, Aug 07, 2024 at 11:10:50AM -0700, Elliot Berman wrote:
> > > >>
> > > >> [...]
> > > >>
> > > >>>>> +static void psci_vendor_sys_reset2(unsigned long action, void *data)
> > > >>>>
> > > >>>> 'action' is unused and therefore it is not really needed.
> > > >>>>
> > > >>>>> +{
> > > >>>>> +	const char *cmd = data;
> > > >>>>> +	unsigned long ret;
> > > >>>>> +	size_t i;
> > > >>>>> +
> > > >>>>> +	for (i = 0; i < num_psci_reset_params; i++) {
> > > >>>>> +		if (!strcmp(psci_reset_params[i].mode, cmd)) {
> > > >>>>> +			ret = invoke_psci_fn(PSCI_FN_NATIVE(1_1, SYSTEM_RESET2),
> > > >>>>> +					     psci_reset_params[i].reset_type,
> > > >>>>> +					     psci_reset_params[i].cookie, 0);
> > > >>>>> +			pr_err("failed to perform reset \"%s\": %ld\n",
> > > >>>>> +				cmd, (long)ret);
> > > >>>>> +		}
> > > >>>>> +	}
> > > >>>>> +}
> > > >>>>> +
> > > >>>>>  static int psci_sys_reset(struct notifier_block *nb, unsigned long action,
> > > >>>>>  			  void *data)
> > > >>>>>  {
> > > >>>>> +	if (data && num_psci_reset_params)
> > > >>>>
> > > >>>> So, reboot_mode here is basically ignored; if there is a vendor defined
> > > >>>> reset, we fire it off.
> > > >>>>
> > > >>>> I think Mark mentioned his concerns earlier related to REBOOT_* mode and
> > > >>>> reset type (granted, the context was different):
> > > >>>>
> > > >>>> https://lore.kernel.org/all/20200320120105.GA36658@C02TD0UTHF1T.local/
> > > >>>>
> > > >>>> I would like to understand if this is the right thing to do before
> > > >>>> accepting this patchset.
> > > >>>>
> > > >>>
> > > >>> I don't have any concerns to move this part below checking reboot_mode.
> > > >>> Or, I could add reboot_mode == REBOOT_COLD check.
> > > >>
> > > >> The question is how can we map vendor specific reboot magic to Linux
> > > >> reboot modes sensibly in generic PSCI code - that's by definition
> > > >> vendor specific.
> > > >>
> > > > 
> > > > I don't think it's a reasonable thing to do. "reboot bootloader" or
> > > > "reboot edl" don't make sense to the Linux reboot modes.
> > > > 
> > > > I believe the Linux reboot modes enum is oriented to perspective of
> > > > Linux itself and the vendor resets are oriented towards behavior of the
> > > > SoC.
> > > > 
> > > > Thanks,
> > > > Elliot
> > > > 
> > > 
> > > Agree.
> > > 
> > > from perspective of linux reboot modes, kernel's current
> > > implementation in reset path is like:
> > >
> > > __
> > > #1 If reboot_mode is WARM/SOFT and PSCI_SYSRESET2 is supported 
> > >     Call PSCI - SYSTEM_RESET2 - ARCH RESET
> > > #2 ELSE
> > >     Call PSCI - SYSTEM_RESET COLD RESET
> > > ___
> > > 
> > > ARM SPECS for PSCI SYSTEM_RESET2
> > > This function extends SYSTEM_RESET. It provides:
> > > • ARCH RESET: set Bit[31] to 0               => This is already in place in condition #1.
> > > • vendor-specific resets: set Bit[31] to 1.  => current patchset adds this part before kernel's reboot_mode reset at #0.
> > > 
> > > 
> > > In current patchset, we see a condition added at
> > > #0-psci_vendor_reset2 being called before kernel’s current
> > > reboot_mode condition and it can take any action only if all below
> > > conditions are satisfied.
> > > - PSCI SYSTEM_RESET2 is supported.
> > > - psci dt node defines an entry "bootloader" as a reboot-modes.
> > > - User issues reboot with a command say - (reboot bootloader).
> > > - If vendor reset fails, default reboot mode will execute as is.
> > > 
> > > Don't see if we will skip or break the kernel reboot_mode flow with
> > > this patch.  Also if user issues reboot <cmd> and <cmd> is supported
> > > on SOC vendor reset psci node, should cmd take precedence over
> > > kernel reboot mode enum? may be yes? 
> > > 
> > 
> > Please wrap lines when replying.
> > 
> > I don't think it is a matter of precedence. reboot_mode and the reboot
> > command passed to the reboot() syscall are there for different (?)
> > reasons.
> > 
> > What I am asking is whether it is always safe to execute a PSCI vendor
> > reset irrespective of the reboot_mode value.
> 
> The only way I see it to be unsafe is we need some other driver using
> the reboot_mode to configure something and then the PSCI vendor reset
> being incompatible with whatever that other driver did. I don't see that
> happens today, so it is up to us to decide what the policy ought to be.
> The PSCI spec doesn't help us here because the reboot_mode enum is
> totally a Linux construct. In my opinion, firmware should be able to
> deal with whatever the driver did or (less ideal) the driver needs to be
> aware of the PSCI vendor resets. Thus, it would be always safe to
> execute a PSCI vendor reset regardless of the reboot_mode value.

It is hard to understand history behind reboot_mode and
the LINUX_REBOOT_CMD_RESTART2 cmd, at least *I* don't
understand it fully.

What I do understand is:

- reboot_mode can be set from userspace and kernel params
- It affects some drivers restart handler behaviours
- Incidentally, I noticed that reboot_mode affects the EFI reset
  being issued (and EFI ignores the cmd and platform specific
  resets AFAICS). This is not related to this thread but may provide
  some guidance
- if reboot_mode is set to REBOOT_GPIO - it is impossible to understand
  what PSCI code should do other than ignoring it ? It is not that
  REBOOT_WARM/COLD/HARD/SOFT are easier to fathom either to be honest,
  would be happy if anyone could chime in and shed some light.

My biggest fear here is that after merging this code, various quirks
based on what SYSTEM_RESET2 platform specific parameters are set-up
will appear, whereby a driver needs to do this or that in its restart
handler depending on the specific reset being issued in PSCI
(an example was provided in this same thread).

Thoughts ? I'd like to see some progress on this but it is proving
to be way more complex than I thought initially.

Thanks,
Lorenzo
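
The ordering discussed in this thread (#0 vendor reset selected by the
reboot command, then the existing #1/#2 reboot_mode path), modelled in
user-space C. This is an added example, not code from the patch or the
kernel; plan_reset(), the table contents and the numeric vendor reset
types are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Function IDs and reset types as defined by the PSCI spec (SMC32 IDs). */
#define PSCI_SYSTEM_RESET   0x84000009u
#define PSCI_SYSTEM_RESET2  0x84000012u
#define RESET2_ARCH_WARM    0x00000000u  /* Bit[31] = 0: architectural reset */
#define RESET2_VENDOR       0x80000000u  /* Bit[31] = 1: vendor-specific reset */

enum reboot_mode { REBOOT_COLD, REBOOT_WARM, REBOOT_HARD, REBOOT_SOFT, REBOOT_GPIO };
struct reset_param { const char *mode; uint32_t reset_type, cookie; };
struct psci_call   { uint32_t fn, reset_type, cookie; };

/* Constructed table: names follow the thread, numeric values are made up. */
static const struct reset_param params[] = {
	{ "bootloader", RESET2_VENDOR | 0x1, 0 },
	{ "edl",        RESET2_VENDOR | 0x2, 0 },
};

/* Fill out[] with the calls issued in order, assuming each one fails and
 * returns (a successful reset never returns). Returns the number of calls. */
size_t plan_reset(enum reboot_mode mode, const char *cmd, int reset2_ok,
		  struct psci_call out[2])
{
	size_t n = 0, i;
	/* #0: vendor reset selected by cmd alone; reboot_mode is not consulted */
	for (i = 0; cmd && reset2_ok && i < sizeof(params) / sizeof(params[0]); i++) {
		if (!strcmp(params[i].mode, cmd)) {
			out[n++] = (struct psci_call){ PSCI_SYSTEM_RESET2,
				params[i].reset_type, params[i].cookie };
			break;
		}
	}
	/* #1: WARM/SOFT with SYSTEM_RESET2 -> arch reset; #2: otherwise cold reset */
	if ((mode == REBOOT_WARM || mode == REBOOT_SOFT) && reset2_ok)
		out[n++] = (struct psci_call){ PSCI_SYSTEM_RESET2, RESET2_ARCH_WARM, 0 };
	else
		out[n++] = (struct psci_call){ PSCI_SYSTEM_RESET, 0, 0 };
	return n;
}

int main(void)
{
	struct psci_call c[2];
	size_t i, n = plan_reset(REBOOT_GPIO, "bootloader", 1, c);
	for (i = 0; i < n; i++)
		printf("fn=0x%08x type=0x%08x\n", (unsigned)c[i].fn, (unsigned)c[i].reset_type);
	return 0;
}
```

With reboot_mode set to REBOOT_GPIO and the command "bootloader", the
model issues the vendor SYSTEM_RESET2 first and only then the cold
SYSTEM_RESET, which is the case the message above asks about.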
