Message-ID: <aDl3lXiw3+l43+Cj@lpieralisi>
Date: Fri, 30 May 2025 11:17:09 +0200
From: Lorenzo Pieralisi <lpieralisi@...nel.org>
To: Peter Maydell <peter.maydell@...aro.org>
Cc: Marc Zyngier <maz@...nel.org>, Thomas Gleixner <tglx@...utronix.de>,
Rob Herring <robh@...nel.org>,
Krzysztof Kozlowski <krzk+dt@...nel.org>,
Conor Dooley <conor+dt@...nel.org>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>, andre.przywara@....com,
Arnd Bergmann <arnd@...db.de>,
Sascha Bischoff <sascha.bischoff@....com>,
Timothy Hayes <timothy.hayes@....com>,
"Liam R. Howlett" <Liam.Howlett@...cle.com>,
Mark Rutland <mark.rutland@....com>,
Jiri Slaby <jirislaby@...nel.org>, linux-kernel@...r.kernel.org,
devicetree@...r.kernel.org
Subject: Re: [PATCH v4 01/26] dt-bindings: interrupt-controller: Add Arm GICv5

[+Suzuki]

On Thu, May 29, 2025 at 03:30:51PM +0100, Peter Maydell wrote:
> On Thu, 29 May 2025 at 15:21, Lorenzo Pieralisi <lpieralisi@...nel.org> wrote:
> > On Thu, May 29, 2025 at 02:17:26PM +0100, Peter Maydell wrote:
> > > The dt bindings do allow for describing Secure-world devices:
> > > Documentation/devicetree/bindings/arm/secure.txt has the
> > > details. We use this in QEMU so we can provide a DTB to
> > > guest EL3 firmware that tells it where the hardware is
> > > (and which EL3 can then pass on to an NS kernel). It would
> > > be helpful for the GICv5 binding to be defined in a way that
> > > we can do this for a GICv5 system too.
> > >
> > > > Two questions:
> > > >
> > > > - I don't have to spell out the IRS/ITS config frame (and SETLPI, by
> > > > the way) as non-secure, since that's implicit, is that correct ?
> > >
> > > Do you want the DT binding to handle the case of "CPU and GIC do not
> > > implement EL3, and the only implemented security state is Secure"
> > > without the kernel needing to do something different from "ditto ditto
> > > but the only implemented security state is Nonsecure" ?
> >
> > Not sure I follow you here sorry :)
>
> In a hypothetical system like that the dt could either
> define the (only) IRS frame in reg[], or in secure-reg[].
> The former would let the kernel not care about the fact it was
> in Secure, but would be a bit weird. But I think we can probably
> ignore this hypothetical in favour of keeping the binding simple.
>
> > > (Currently booting.html says you must be in NS, so we effectively
> > > say we don't support booting on this particular unicorn :-)
> > > But the secure.txt bindings envisage "kernel got booted in S",
> > > mostly for the benefit of aarch32.)
> > >
> > > > - How can the schema describe, if present, EL3, Secure and Realm frames ?
> > >
> > > The tempting thing to do is to have regs[] list the frames
> > > in some given order, but the spec makes them not simple
> > > supersets, allowing all of:
> > > * NS
> > > * S
> > > * NS, S, EL3
> > > * NS, Realm, EL3
> > > * NS, Realm, S, EL3
> > >
> > > secure.txt says:
> > > # The general principle of the naming scheme for Secure world bindings
> > > # is that any property that needs a different value in the Secure world
> > > # can be supported by prefixing the property name with "secure-". So for
> > > # instance "secure-foo" would override "foo".
> > >
> > > So maybe we could have
> > > reg : the NS frame(s)
> > > secure-reg : the S frame(s)
> > > realm-reg : the Realm frame(s)
> > > root-reg : the EL3 frame(s)
> > >
> > > ??
> >
> > I assume someone has to write the root/realm binding extensions.
> >
> > In Documentation/devicetree/bindings/arm/secure.txt I don't think that
> > reg is a contemplated property - I don't know if the list of properties
> > is up-to-date.
>
> It's up to date in the sense that so far we've only needed
> to have the 'status' property have a secure- variant. My
> suggestion here is that we might extend that to also allow
> secure-reg, and to have root- and realm- prefixes too.
> Though I don't think we would want to permit secure-reg for
> any old device, so maybe something more-GICv5-specific would
> work better.

I am not sure this is a GICv5 only requirement (looking at SMMUv3,
for instance and there might be more IPs that require security
state awareness).

Or maybe it is a non-existing problem IIUC the paragraph below
correctly (albeit to be frank I don't understand how to determine
whether a dtb is consumed by eg secure-world-only).

"Note that it is still valid for bindings intended for purely Secure
world consumers (like kernels that run entirely in Secure) to simply
describe the view of Secure world using the standard bindings. These
secure- bindings only need to be used where both the Secure and Normal
world views need to be described in a single device tree."

I assume "standard bindings" there would mean that "reg" for the
GICv5 would be just eg "config frame" with no NS/S/Realm/Root attached.

We don't strictly need to have the same dts file for NS and S (example),
NS will never "need" the S bindings at least for GICv5.

Thoughts ?

Thanks,
Lorenzo