2015-02-02 16:08:47

by Ong Boon Leong

[permalink] [raw]
Subject: RE: [PATCH v8 1/2] x86: Add Isolated Memory Regions for Quark X1000

Tested v8 with Galileo Gen v2. Log below:

root@quark:~# dmesg | grep imr
[ 3.712804] imr: protecting kernel .text - .rodata: 9244 KiB (c1000000 - c1907000)
[ 3.721338] imr_selftest: pass zero sized IMR
[ 3.726374] imr_selftest: pass overlapped IMR @ (0xc1000000 - 0xc1907000)
[ 3.734167] imr_selftest: pass overlapped IMR @ (0xc1906c00 - 0xc220dc00)
[ 3.741961] imr_selftest: pass overlapped IMR @ (0xc0fff400 - 0xc1906400)
[ 3.749648] imr_selftest: pass 1KiB IMR @ 0x00000000 - access-all
[ 3.756669] imr_selftest: pass 1KiB IMR @ 0x00000000 - cpu-access
[ 3.763596] imr_selftest: pass teardown - cpu-access
[ 3.769375] imr_selftest: pass 2KiB IMR @ 0x00000000
[ 3.775053] imr_selftest: pass teardown 2KiB
root@quark:~# cat /sys/kernel/debug/imr_state
imr00: base=0x00000000, end=0x00000000, size=0x00000000 rmask=0xbfffffff, wmask=0xffffffff, disabled, unlocked
imr01: base=0x00000000, end=0x00000000, size=0x00000000 rmask=0xbfffffff, wmask=0xffffffff, disabled, unlocked
imr02: base=0x00000000, end=0x00000000, size=0x00000000 rmask=0xbfffffff, wmask=0xffffffff, disabled, unlocked
imr03: base=0x00000000, end=0x00000000, size=0x00000000 rmask=0xbfffffff, wmask=0xffffffff, disabled, unlocked
imr04: base=0x00000000, end=0x00000000, size=0x00000000 rmask=0xbfffffff, wmask=0xffffffff, disabled, unlocked
imr05: base=0x00097000, end=0x00097fff, size=0x00000fff rmask=0x00000001, wmask=0x40000001, enabled , locked
imr06: base=0x0efdf000, end=0x0fdeefff, size=0x00e0ffff rmask=0x00000001, wmask=0x40000001, enabled , locked
imr07: base=0x01000000, end=0x01906fff, size=0x00906fff rmask=0x00000001, wmask=0x00000001, enabled , locked
root@quark:~# grep __end_rodata /proc/kallsyms
c1907000 R __end_rodata
root@quark:~# grep _text /proc/kallsyms
c1000000 T _text

Thanks Bryan.

>-----Original Message-----
>From: Bryan O'Donoghue [mailto:[email protected]]
>Sent: Saturday, January 31, 2015 12:30 AM
>To: [email protected]; [email protected]; [email protected]; [email protected];
>[email protected]; [email protected]; Ong, Boon Leong; linux-
>[email protected]
>Cc: Bryan O'Donoghue
>Subject: [PATCH v8 1/2] x86: Add Isolated Memory Regions for Quark X1000
>
>Intel's Quark X1000 SoC contains a set of registers called Isolated Memory
>Regions. IMRs are accessed over the IOSF mailbox interface. IMRs are areas
>carved out of memory that define read/write access rights to the various
>system agents within the Quark system. For a given agent in the system it is
>possible to specify if that agent may read or write an area of memory
>defined by an IMR with a granularity of 1 KiB.
>
>Quark_SecureBootPRM_330234_001.pdf section 4.5 details the concept of IMRs
>quark-x1000-datasheet.pdf section 12.7.4 details the implementation of IMRs
>in silicon.
>
>eSRAM flush, CPU Snoop write-only, CPU SMM Mode, CPU non-SMM mode,
>RMU and
>PCIe Virtual Channels (VC0 and VC1) can have individual read/write access
>masks applied to them for a given memory region in Quark X1000. This
>enables IMRs to treat each memory transaction type listed above on an
>individual basis and to filter appropriately based on the IMR access mask
>for the memory region. Quark supports eight IMRs.
>
>Since all of the DMA capable SoC components in the X1000 are mapped to VC0
>it is possible to define sections of memory as invalid for DMA write
>operations originating from Ethernet, USB, SD and any other DMA capable
>south-cluster component on VC0. Similarly it is possible to mark kernel
>memory as non-SMM mode read/write only or to mark BIOS runtime memory as
>SMM
>mode accessible only depending on the particular memory footprint on a given
>system.
>
>On an IMR violation Quark SoC X1000 systems are configured to reset the
>system, so ensuring that the IMR memory map is consistent with the EFI
>provided memory map is critical to ensure no IMR violations reset the
>system.
>
>The API for accessing IMRs is based on MTRR code but doesn't provide a /proc
>or /sys interface to manipulate IMRs. Defining the size and extent of IMRs
>is exclusively the domain of in-kernel code.
>
>Quark firmware sets up a series of locked IMRs around pieces of memory that
>firmware owns such as ACPI runtime data. During boot a series of unlocked
>IMRs are placed around items in memory to guarantee no DMA modification of
>those items can take place. Grub also places an unlocked IMR around the
>kernel boot params data structure and compressed kernel image. It is
>necessary for the kernel to tear down all unlocked IMRs in order to ensure
>that the kernel's view of memory passed via the EFI memory map is consistent
>with the IMR memory map. Without tearing down all unlocked IMRs on boot
>transitory IMRs such as those used to protect the compressed kernel image
>will cause IMR violations and system reboots.
>
>The IMR init code tears down all unlocked IMRs and sets a protective IMR
>around the kernel .text and .rodata as one contiguous block. This sanitizes
>the IMR memory map with respect to the EFI memory map and protects the
>read-only portions of the kernel from unwarranted DMA access.
>
>Signed-off-by: Bryan O'Donoghue <[email protected]>
>Reviewed-by: Andy Shevchenko <[email protected]>
>Reviewed-by: Darren Hart <[email protected]>
>Reviewed-by: Ingo Molnar <[email protected]>
>Reviewed-by: Ong, Boon Leong <[email protected]>
>Tested-by: Ong, Boon Leong <[email protected]>
>---
> arch/x86/Kconfig.debug | 13 +
> arch/x86/include/asm/imr.h | 60 +++
> arch/x86/platform/intel-quark/Makefile | 2 +
> arch/x86/platform/intel-quark/imr.c | 668
>+++++++++++++++++++++++++++
> arch/x86/platform/intel-quark/imr_selftest.c | 129 ++++++
> drivers/platform/x86/Kconfig | 25 +
> 6 files changed, 897 insertions(+)
> create mode 100644 arch/x86/include/asm/imr.h
> create mode 100644 arch/x86/platform/intel-quark/Makefile
> create mode 100644 arch/x86/platform/intel-quark/imr.c
> create mode 100644 arch/x86/platform/intel-quark/imr_selftest.c
>
>diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
>index 61bd2ad..20028da 100644
>--- a/arch/x86/Kconfig.debug
>+++ b/arch/x86/Kconfig.debug
>@@ -313,6 +313,19 @@ config DEBUG_NMI_SELFTEST
>
> If unsure, say N.
>
>+config DEBUG_IMR_SELFTEST
>+ bool "Isolated Memory Region self test"
>+ default n
>+ depends on INTEL_IMR
>+ ---help---
>+ This option enables automated sanity testing of the IMR code.
>+ Some simple tests are run to verify IMR bounds checking, alignment
>+ and overlapping. This option is really only useful if you are
>+ debugging an IMR memory map or are modifying the IMR code and
>want to
>+ test your changes.
>+
>+ If unsure say N here.
>+
> config X86_DEBUG_STATIC_CPU_HAS
> bool "Debug alternatives"
> depends on DEBUG_KERNEL
>diff --git a/arch/x86/include/asm/imr.h b/arch/x86/include/asm/imr.h
>new file mode 100644
>index 0000000..cd2ce40
>--- /dev/null
>+++ b/arch/x86/include/asm/imr.h
>@@ -0,0 +1,60 @@
>+/*
>+ * imr.h: Isolated Memory Region API
>+ *
>+ * Copyright(c) 2013 Intel Corporation.
>+ * Copyright(c) 2015 Bryan O'Donoghue <[email protected]>
>+ *
>+ * This program is free software; you can redistribute it and/or
>+ * modify it under the terms of the GNU General Public License
>+ * as published by the Free Software Foundation; version 2
>+ * of the License.
>+ */
>+#ifndef _IMR_H
>+#define _IMR_H
>+
>+#include <linux/types.h>
>+
>+/*
>+ * IMR agent access mask bits
>+ * See section 12.7.4.7 from quark-x1000-datasheet.pdf for register
>+ * definitions.
>+ */
>+#define IMR_ESRAM_FLUSH BIT(31)
>+#define IMR_CPU_SNOOP BIT(30) /* Applicable only to
>write */
>+#define IMR_RMU BIT(29)
>+#define IMR_VC1_SAI_ID3 BIT(15)
>+#define IMR_VC1_SAI_ID2 BIT(14)
>+#define IMR_VC1_SAI_ID1 BIT(13)
>+#define IMR_VC1_SAI_ID0 BIT(12)
>+#define IMR_VC0_SAI_ID3 BIT(11)
>+#define IMR_VC0_SAI_ID2 BIT(10)
>+#define IMR_VC0_SAI_ID1 BIT(9)
>+#define IMR_VC0_SAI_ID0 BIT(8)
>+#define IMR_CPU_0 BIT(1) /* SMM mode */
>+#define IMR_CPU BIT(0) /* Non SMM mode */
>+#define IMR_ACCESS_NONE 0
>+
>+/*
>+ * Read/Write access-all bits here include some reserved bits
>+ * These are the values firmware uses and are accepted by hardware.
>+ * The kernel defines read/write access-all in the same way as firmware
>+ * in order to have a consistent and crisp definition across firmware,
>+ * bootloader and kernel.
>+ */
>+#define IMR_READ_ACCESS_ALL 0xBFFFFFFF
>+#define IMR_WRITE_ACCESS_ALL 0xFFFFFFFF
>+
>+/* Number of IMRs provided by Quark X1000 SoC */
>+#define QUARK_X1000_IMR_MAX 0x08
>+#define QUARK_X1000_IMR_REGBASE 0x40
>+
>+/* IMR alignment bits - only bits 31:10 are checked for IMR validity */
>+#define IMR_ALIGN 0x400
>+#define IMR_MASK (IMR_ALIGN - 1)
>+
>+int imr_add_range(phys_addr_t base, size_t size,
>+ unsigned int rmask, unsigned int wmask, bool lock);
>+
>+int imr_remove_range(phys_addr_t base, size_t size);
>+
>+#endif /* _IMR_H */
>diff --git a/arch/x86/platform/intel-quark/Makefile b/arch/x86/platform/intel-
>quark/Makefile
>new file mode 100644
>index 0000000..9cc57ed
>--- /dev/null
>+++ b/arch/x86/platform/intel-quark/Makefile
>@@ -0,0 +1,2 @@
>+obj-$(CONFIG_INTEL_IMR) += imr.o
>+obj-$(CONFIG_DEBUG_IMR_SELFTEST) += imr_selftest.o
>diff --git a/arch/x86/platform/intel-quark/imr.c b/arch/x86/platform/intel-
>quark/imr.c
>new file mode 100644
>index 0000000..16e4df1
>--- /dev/null
>+++ b/arch/x86/platform/intel-quark/imr.c
>@@ -0,0 +1,668 @@
>+/**
>+ * imr.c
>+ *
>+ * Copyright(c) 2013 Intel Corporation.
>+ * Copyright(c) 2015 Bryan O'Donoghue <[email protected]>
>+ *
>+ * IMR registers define an isolated region of memory that can
>+ * be masked to prohibit certain system agents from accessing memory.
>+ * When a device behind a masked port performs an access - snooped or
>+ * not, an IMR may optionally prevent that transaction from changing
>+ * the state of memory or from getting correct data in response to the
>+ * operation.
>+ *
>+ * Write data will be dropped and reads will return 0xFFFFFFFF, the
>+ * system will reset and system BIOS will print out an error message to
>+ * inform the user that an IMR has been violated.
>+ *
>+ * This code is based on the Linux MTRR code and reference code from
>+ * Intel's Quark BSP EFI, Linux and grub code.
>+ *
>+ * See quark-x1000-datasheet.pdf for register definitions.
>+ *
>http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/
>quark-x1000-datasheet.pdf
>+ */
>+
>+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>+
>+#include <asm-generic/sections.h>
>+#include <asm/cpu_device_id.h>
>+#include <asm/imr.h>
>+#include <asm/iosf_mbi.h>
>+#include <linux/debugfs.h>
>+#include <linux/init.h>
>+#include <linux/mm.h>
>+#include <linux/module.h>
>+#include <linux/types.h>
>+
>+struct imr_device {
>+ struct dentry *file;
>+ bool init;
>+ struct mutex lock;
>+ int max_imr;
>+ int reg_base;
>+};
>+
>+static struct imr_device imr_dev;
>+
>+/*
>+ * IMR read/write mask control registers.
>+ * See quark-x1000-datasheet.pdf sections 12.7.4.5 and 12.7.4.6 for
>+ * bit definitions.
>+ *
>+ * addr_hi
>+ * 31 Lock bit
>+ * 30:24 Reserved
>+ * 23:2 1 KiB aligned lo address
>+ * 1:0 Reserved
>+ *
>+ * addr_hi
>+ * 31:24 Reserved
>+ * 23:2 1 KiB aligned hi address
>+ * 1:0 Reserved
>+ */
>+#define IMR_LOCK BIT(31)
>+
>+struct imr_regs {
>+ u32 addr_lo;
>+ u32 addr_hi;
>+ u32 rmask;
>+ u32 wmask;
>+};
>+
>+#define IMR_NUM_REGS (sizeof(struct imr_regs)/sizeof(u32))
>+#define IMR_SHIFT 8
>+#define imr_to_phys(x) ((x) << IMR_SHIFT)
>+#define phys_to_imr(x) ((x) >> IMR_SHIFT)
>+
>+/**
>+ * imr_is_enabled - true if an IMR is enabled false otherwise.
>+ *
>+ * Determines if an IMR is enabled based on address range and read/write
>+ * mask. An IMR set with an address range set to zero and a read/write
>+ * access mask set to all is considered to be disabled. An IMR in any
>+ * other state - for example set to zero but without read/write access
>+ * all is considered to be enabled. This definition of disabled is how
>+ * firmware switches off an IMR and is maintained in kernel for
>+ * consistency.
>+ *
>+ * @imr: pointer to IMR descriptor.
>+ * @return: true if IMR enabled false if disabled.
>+ */
>+static inline int imr_is_enabled(struct imr_regs *imr)
>+{
>+ return !(imr->rmask == IMR_READ_ACCESS_ALL &&
>+ imr->wmask == IMR_WRITE_ACCESS_ALL &&
>+ imr_to_phys(imr->addr_lo) == 0 &&
>+ imr_to_phys(imr->addr_hi) == 0);
>+}
>+
>+/**
>+ * imr_read - read an IMR at a given index.
>+ *
>+ * Requires caller to hold imr mutex.
>+ *
>+ * @idev: pointer to imr_device structure.
>+ * @imr_id: IMR entry to read.
>+ * @imr: IMR structure representing address and access masks.
>+ * @return: 0 on success or error code passed from mbi_iosf on failure.
>+ */
>+static int imr_read(struct imr_device *idev, u32 imr_id, struct imr_regs *imr)
>+{
>+ u32 reg = imr_id * IMR_NUM_REGS + idev->reg_base;
>+ int ret;
>+
>+ ret = iosf_mbi_read(QRK_MBI_UNIT_MM, QRK_MBI_MM_READ,
>+ reg++, &imr->addr_lo);
>+ if (ret)
>+ return ret;
>+
>+ ret = iosf_mbi_read(QRK_MBI_UNIT_MM, QRK_MBI_MM_READ,
>+ reg++, &imr->addr_hi);
>+ if (ret)
>+ return ret;
>+
>+ ret = iosf_mbi_read(QRK_MBI_UNIT_MM, QRK_MBI_MM_READ,
>+ reg++, &imr->rmask);
>+ if (ret)
>+ return ret;
>+
>+ ret = iosf_mbi_read(QRK_MBI_UNIT_MM, QRK_MBI_MM_READ,
>+ reg++, &imr->wmask);
>+ if (ret)
>+ return ret;
>+
>+ return 0;
>+}
>+
>+/**
>+ * imr_write - write an IMR at a given index.
>+ *
>+ * Requires caller to hold imr mutex.
>+ * Note lock bits need to be written independently of address bits.
>+ *
>+ * @idev: pointer to imr_device structure.
>+ * @imr_id: IMR entry to write.
>+ * @imr: IMR structure representing address and access masks.
>+ * @lock: indicates if the IMR lock bit should be applied.
>+ * @return: 0 on success or error code passed from mbi_iosf on failure.
>+ */
>+static int imr_write(struct imr_device *idev, u32 imr_id,
>+ struct imr_regs *imr, bool lock)
>+{
>+ unsigned long flags;
>+ u32 reg = imr_id * IMR_NUM_REGS + idev->reg_base;
>+ int ret;
>+
>+ local_irq_save(flags);
>+
>+ ret = iosf_mbi_write(QRK_MBI_UNIT_MM, QRK_MBI_MM_WRITE,
>reg++,
>+ imr->addr_lo);
>+ if (ret)
>+ goto failed;
>+
>+ ret = iosf_mbi_write(QRK_MBI_UNIT_MM, QRK_MBI_MM_WRITE,
>+ reg++, imr->addr_hi);
>+ if (ret)
>+ goto failed;
>+
>+ ret = iosf_mbi_write(QRK_MBI_UNIT_MM, QRK_MBI_MM_WRITE,
>+ reg++, imr->rmask);
>+ if (ret)
>+ goto failed;
>+
>+ ret = iosf_mbi_write(QRK_MBI_UNIT_MM, QRK_MBI_MM_WRITE,
>+ reg++, imr->wmask);
>+ if (ret)
>+ goto failed;
>+
>+ /* Lock bit must be set separately to addr_lo address bits. */
>+ if (lock) {
>+ imr->addr_lo |= IMR_LOCK;
>+ ret = iosf_mbi_write(QRK_MBI_UNIT_MM,
>QRK_MBI_MM_WRITE,
>+ reg - IMR_NUM_REGS, imr->addr_lo);
>+ if (ret)
>+ goto failed;
>+ }
>+
>+ local_irq_restore(flags);
>+ return 0;
>+failed:
>+ /*
>+ * If writing to the IOSF failed then we're in an unknown state,
>+ * likely a very bad state. An IMR in an invalid state will almost
>+ * certainly lead to a memory access violation.
>+ */
>+ local_irq_restore(flags);
>+ WARN(ret, "IOSF-MBI write fail range 0x%08x-0x%08x unreliable\n",
>+ imr_to_phys(imr->addr_lo), imr_to_phys(imr->addr_hi) +
>IMR_MASK);
>+
>+ return ret;
>+}
>+
>+/**
>+ * imr_dbgfs_state_show - print state of IMR registers.
>+ *
>+ * @s: pointer to seq_file for output.
>+ * @unused: unused parameter.
>+ * @return: 0 on success or error code passed from mbi_iosf on failure.
>+ */
>+static int imr_dbgfs_state_show(struct seq_file *s, void *unused)
>+{
>+ phys_addr_t base;
>+ phys_addr_t end;
>+ int i;
>+ struct imr_device *idev = s->private;
>+ struct imr_regs imr;
>+ size_t size;
>+ int ret = -ENODEV;
>+
>+ mutex_lock(&idev->lock);
>+
>+ for (i = 0; i < idev->max_imr; i++) {
>+
>+ ret = imr_read(idev, i, &imr);
>+ if (ret)
>+ break;
>+
>+ /*
>+ * Remember to add IMR_ALIGN bytes to size to indicate the
>+ * inherent IMR_ALIGN size bytes contained in the masked away
>+ * lower ten bits.
>+ */
>+ if (imr_is_enabled(&imr)) {
>+ base = imr_to_phys(imr.addr_lo);
>+ end = imr_to_phys(imr.addr_hi) + IMR_MASK;
>+ } else {
>+ base = 0;
>+ end = 0;
>+ }
>+ size = end - base;
>+ seq_printf(s, "imr%02i: base=%pa, end=%pa, size=0x%08zx "
>+ "rmask=0x%08x, wmask=0x%08x, %s, %s\n", i,
>+ &base, &end, size, imr.rmask, imr.wmask,
>+ imr_is_enabled(&imr) ? "enabled " : "disabled",
>+ imr.addr_lo & IMR_LOCK ? "locked" : "unlocked");
>+ }
>+
>+ mutex_unlock(&idev->lock);
>+ return ret;
>+}
>+
>+/**
>+ * imr_state_open - debugfs open callback.
>+ *
>+ * @inode: pointer to struct inode.
>+ * @file: pointer to struct file.
>+ * @return: result of single open.
>+ */
>+static int imr_state_open(struct inode *inode, struct file *file)
>+{
>+ return single_open(file, imr_dbgfs_state_show, inode->i_private);
>+}
>+
>+static const struct file_operations imr_state_ops = {
>+ .open = imr_state_open,
>+ .read = seq_read,
>+ .llseek = seq_lseek,
>+ .release = single_release,
>+};
>+
>+/**
>+ * imr_debugfs_register - register debugfs hooks.
>+ *
>+ * @idev: pointer to imr_device structure.
>+ * @return: 0 on success - errno on failure.
>+ */
>+static int imr_debugfs_register(struct imr_device *idev)
>+{
>+ idev->file = debugfs_create_file("imr_state", S_IFREG | S_IRUGO, NULL,
>+ idev, &imr_state_ops);
>+ if (IS_ERR(idev->file))
>+ return PTR_ERR(idev->file);
>+
>+ return 0;
>+}
>+
>+/**
>+ * imr_debugfs_unregister - unregister debugfs hooks.
>+ *
>+ * @idev: pointer to imr_device structure.
>+ * @return:
>+ */
>+static void imr_debugfs_unregister(struct imr_device *idev)
>+{
>+ debugfs_remove(idev->file);
>+}
>+
>+/**
>+ * imr_check_params - check passed address range IMR alignment and non-
>zero size
>+ *
>+ * @base: base address of intended IMR.
>+ * @size: size of intended IMR.
>+ * @return: zero on valid range -EINVAL on unaligned base/size.
>+ */
>+static int imr_check_params(phys_addr_t base, size_t size)
>+{
>+ if ((base & IMR_MASK) || (size & IMR_MASK)) {
>+ pr_err("base %pa size 0x%08zx must align to 1KiB\n",
>+ &base, size);
>+ return -EINVAL;
>+ }
>+ if (size == 0)
>+ return -EINVAL;
>+
>+ return 0;
>+}
>+
>+/**
>+ * imr_raw_size - account for the IMR_ALIGN bytes that addr_hi appends.
>+ *
>+ * IMR addr_hi has a built in offset of plus IMR_ALIGN (0x400) bytes from the
>+ * value in the register. We need to subtract IMR_ALIGN bytes from input sizes
>+ * as a result.
>+ *
>+ * @size: input size bytes.
>+ * @return: reduced size.
>+ */
>+static inline size_t imr_raw_size(size_t size)
>+{
>+ return size - IMR_ALIGN;
>+}
>+
>+/**
>+ * imr_address_overlap - detects an address overlap.
>+ *
>+ * @addr: address to check against an existing IMR.
>+ * @imr: imr being checked.
>+ * @return: true for overlap false for no overlap.
>+ */
>+static inline int imr_address_overlap(phys_addr_t addr, struct imr_regs *imr)
>+{
>+ return addr >= imr_to_phys(imr->addr_lo) && addr <=
>imr_to_phys(imr->addr_hi);
>+}
>+
>+/**
>+ * imr_add_range - add an Isolated Memory Region.
>+ *
>+ * @base: physical base address of region aligned to 1KiB.
>+ * @size: physical size of region in bytes must be aligned to 1KiB.
>+ * @read_mask: read access mask.
>+ * @write_mask: write access mask.
>+ * @lock: indicates whether or not to permanently lock this region.
>+ * @return: zero on success or negative value indicating error.
>+ */
>+int imr_add_range(phys_addr_t base, size_t size,
>+ unsigned int rmask, unsigned int wmask, bool lock)
>+{
>+ phys_addr_t end;
>+ unsigned int i;
>+ struct imr_device *idev = &imr_dev;
>+ struct imr_regs imr;
>+ size_t raw_size;
>+ int reg;
>+ int ret;
>+
>+ if (WARN_ONCE(idev->init == false, "driver not initialized"))
>+ return -ENODEV;
>+
>+ ret = imr_check_params(base, size);
>+ if (ret)
>+ return ret;
>+
>+ /* Tweak the size value. */
>+ raw_size = imr_raw_size(size);
>+ end = base + raw_size;
>+
>+ /*
>+ * Check for reserved IMR value common to firmware, kernel and grub
>+ * indicating a disabled IMR.
>+ */
>+ imr.addr_lo = phys_to_imr(base);
>+ imr.addr_hi = phys_to_imr(end);
>+ imr.rmask = rmask;
>+ imr.wmask = wmask;
>+ if (!imr_is_enabled(&imr))
>+ return -ENOTSUPP;
>+
>+ mutex_lock(&idev->lock);
>+
>+ /*
>+ * Find a free IMR while checking for an existing overlapping range.
>+ * Note there's no restriction in silicon to prevent IMR overlaps.
>+ * For the sake of simplicity and ease in defining/debugging an IMR
>+ * memory map we exclude IMR overlaps.
>+ */
>+ reg = -1;
>+ for (i = 0; i < idev->max_imr; i++) {
>+ ret = imr_read(idev, i, &imr);
>+ if (ret)
>+ goto failed;
>+
>+ /* Find overlap @ base or end of requested range. */
>+ ret = -EINVAL;
>+ if (imr_is_enabled(&imr)) {
>+ if (imr_address_overlap(base, &imr))
>+ goto failed;
>+ if (imr_address_overlap(end, &imr))
>+ goto failed;
>+ } else {
>+ reg = i;
>+ }
>+ }
>+
>+ /* Error out if we have no free IMR entries. */
>+ if (reg == -1) {
>+ ret = -ENOMEM;
>+ goto failed;
>+ }
>+
>+ pr_debug("add %d phys %pa-%pa size %zx mask 0x%08x wmask
>0x%08x\n",
>+ reg, &base, &end, raw_size, rmask, wmask);
>+
>+ /* Enable IMR at specified range and access mask. */
>+ imr.addr_lo = phys_to_imr(base);
>+ imr.addr_hi = phys_to_imr(end);
>+ imr.rmask = rmask;
>+ imr.wmask = wmask;
>+
>+ ret = imr_write(idev, reg, &imr, lock);
>+ if (ret < 0) {
>+ /*
>+ * In the highly unlikely event iosf_mbi_write failed
>+ * attempt to rollback the IMR setup skipping the trapping
>+ * of further IOSF write failures.
>+ */
>+ imr.addr_lo = 0;
>+ imr.addr_hi = 0;
>+ imr.rmask = IMR_READ_ACCESS_ALL;
>+ imr.wmask = IMR_WRITE_ACCESS_ALL;
>+ imr_write(idev, reg, &imr, false);
>+ }
>+failed:
>+ mutex_unlock(&idev->lock);
>+ return ret;
>+}
>+EXPORT_SYMBOL_GPL(imr_add_range);
>+
>+/**
>+ * __imr_remove_range - delete an Isolated Memory Region.
>+ *
>+ * This function allows you to delete an IMR by its index specified by reg or
>+ * by address range specified by base and size respectively. If you specify an
>+ * index on its own the base and size parameters are ignored.
>+ * imr_remove_range(0, base, size); delete IMR at index 0 base/size ignored.
>+ * imr_remove_range(-1, base, size); delete IMR from base to base+size.
>+ *
>+ * @reg: imr index to remove.
>+ * @base: physical base address of region aligned to 1 KiB.
>+ * @size: physical size of region in bytes aligned to 1 KiB.
>+ * @return: -EINVAL on invalid range or out or range id
>+ * -ENODEV if reg is valid but no IMR exists or is locked
>+ * 0 on success.
>+ */
>+static int __imr_remove_range(int reg, phys_addr_t base, size_t size)
>+{
>+ phys_addr_t end;
>+ bool found = false;
>+ unsigned int i;
>+ struct imr_device *idev = &imr_dev;
>+ struct imr_regs imr;
>+ size_t raw_size;
>+ int ret = 0;
>+
>+ if (WARN_ONCE(idev->init == false, "driver not initialized"))
>+ return -ENODEV;
>+
>+ /*
>+ * Validate address range if deleting by address, else we are
>+ * deleting by index where base and size will be ignored.
>+ */
>+ if (reg == -1) {
>+ ret = imr_check_params(base, size);
>+ if (ret)
>+ return ret;
>+ }
>+
>+ /* Tweak the size value. */
>+ raw_size = imr_raw_size(size);
>+ end = base + raw_size;
>+
>+ mutex_lock(&idev->lock);
>+
>+ if (reg >= 0) {
>+ /* If a specific IMR is given try to use it. */
>+ ret = imr_read(idev, reg, &imr);
>+ if (ret)
>+ goto failed;
>+
>+ if (!imr_is_enabled(&imr) || imr.addr_lo & IMR_LOCK) {
>+ ret = -ENODEV;
>+ goto failed;
>+ }
>+ found = true;
>+ } else {
>+ /* Search for match based on address range. */
>+ for (i = 0; i < idev->max_imr; i++) {
>+ ret = imr_read(idev, i, &imr);
>+ if (ret)
>+ goto failed;
>+
>+ if (!imr_is_enabled(&imr) || imr.addr_lo & IMR_LOCK)
>+ continue;
>+
>+ if ((imr_to_phys(imr.addr_lo) == base) &&
>+ (imr_to_phys(imr.addr_hi) == end)) {
>+ found = true;
>+ reg = i;
>+ break;
>+ }
>+ }
>+ }
>+
>+ if (!found) {
>+ ret = -ENODEV;
>+ goto failed;
>+ }
>+
>+ pr_debug("remove %d phys %pa-%pa size %zx\n", reg, &base, &end,
>raw_size);
>+
>+ /* Tear down the IMR. */
>+ imr.addr_lo = 0;
>+ imr.addr_hi = 0;
>+ imr.rmask = IMR_READ_ACCESS_ALL;
>+ imr.wmask = IMR_WRITE_ACCESS_ALL;
>+
>+ ret = imr_write(idev, reg, &imr, false);
>+
>+failed:
>+ mutex_unlock(&idev->lock);
>+ return ret;
>+}
>+
>+/**
>+ * imr_remove_range - delete an Isolated Memory Region by address
>+ *
>+ * This function allows you to delete an IMR by an address range specified
>+ * by base and size respectively.
>+ * imr_remove_range(base, size); delete IMR from base to base+size.
>+ *
>+ * @base: physical base address of region aligned to 1 KiB.
>+ * @size: physical size of region in bytes aligned to 1 KiB.
>+ * @return: -EINVAL on invalid range or out or range id
>+ * -ENODEV if reg is valid but no IMR exists or is locked
>+ * 0 on success.
>+ */
>+int imr_remove_range(phys_addr_t base, size_t size)
>+{
>+ return __imr_remove_range(-1, base, size);
>+}
>+EXPORT_SYMBOL_GPL(imr_remove_range);
>+
>+/**
>+ * imr_clear - delete an Isolated Memory Region by index
>+ *
>+ * This function allows you to delete an IMR by an address range specified
>+ * by the index of the IMR. Useful for initial sanitization of the IMR
>+ * address map.
>+ * imr_ge(base, size); delete IMR from base to base+size.
>+ *
>+ * @reg: imr index to remove.
>+ * @return: -EINVAL on invalid range or out or range id
>+ * -ENODEV if reg is valid but no IMR exists or is locked
>+ * 0 on success.
>+ */
>+static inline int imr_clear(int reg)
>+{
>+ return __imr_remove_range(reg, 0, 0);
>+}
>+
>+/**
>+ * imr_fixup_memmap - Tear down IMRs used during bootup.
>+ *
>+ * BIOS and Grub both setup IMRs around compressed kernel, initrd memory
>+ * that need to be removed before the kernel hands out one of the IMR
>+ * encased addresses to a downstream DMA agent such as the SD or Ethernet.
>+ * IMRs on Galileo are setup to immediately reset the system on violation.
>+ * As a result if you're running a root filesystem from SD - you'll need
>+ * the boot-time IMRs torn down or you'll find seemingly random resets when
>+ * using your filesystem.
>+ *
>+ * @idev: pointer to imr_device structure.
>+ * @return:
>+ */
>+static void __init imr_fixup_memmap(struct imr_device *idev)
>+{
>+ phys_addr_t base = virt_to_phys(&_text);
>+ size_t size = virt_to_phys(&__end_rodata) - base;
>+ int i;
>+ int ret;
>+
>+ /* Tear down all existing unlocked IMRs. */
>+ for (i = 0; i < idev->max_imr; i++)
>+ imr_clear(i);
>+
>+ /*
>+ * Setup a locked IMR around the physical extent of the kernel
>+ * from the beginning of the .text secton to the end of the
>+ * .rodata section as one physically contiguous block.
>+ */
>+ ret = imr_add_range(base, size, IMR_CPU, IMR_CPU, true);
>+ if (ret < 0) {
>+ pr_err("unable to setup IMR for kernel: (%p - %p)\n",
>+ &_text, &__end_rodata);
>+ } else {
>+ pr_info("protecting kernel .text - .rodata: %zu KiB (%p - %p)\n",
>+ size / 1024, &_text, &__end_rodata);
>+ }
>+
>+}
>+
>+static const struct x86_cpu_id imr_ids[] __initconst = {
>+ { X86_VENDOR_INTEL, 5, 9 }, /* Intel Quark SoC X1000. */
>+ {}
>+};
>+MODULE_DEVICE_TABLE(x86cpu, imr_ids);
>+
>+/**
>+ * imr_init - entry point for IMR driver.
>+ *
>+ * return: -ENODEV for no IMR support 0 if good to go.
>+ */
>+static int __init imr_init(void)
>+{
>+ struct imr_device *idev = &imr_dev;
>+ int ret;
>+
>+ if (!x86_match_cpu(imr_ids) || !iosf_mbi_available())
>+ return -ENODEV;
>+
>+ idev->max_imr = QUARK_X1000_IMR_MAX;
>+ idev->reg_base = QUARK_X1000_IMR_REGBASE;
>+ idev->init = true;
>+
>+ mutex_init(&idev->lock);
>+ ret = imr_debugfs_register(idev);
>+ if (ret != 0)
>+ pr_warn("debugfs register failed!\n");
>+ imr_fixup_memmap(idev);
>+ return 0;
>+}
>+
>+/**
>+ * imr_exit - exit point for IMR code.
>+ *
>+ * Deregisters debugfs, leave IMR state as-is.
>+ *
>+ * return:
>+ */
>+static void __exit imr_exit(void)
>+{
>+ imr_debugfs_unregister(&imr_dev);
>+}
>+
>+module_init(imr_init);
>+module_exit(imr_exit);
>+
>+MODULE_AUTHOR("Bryan O'Donoghue <[email protected]>");
>+MODULE_DESCRIPTION("Intel Isolated Memory Region driver");
>+MODULE_LICENSE("Dual BSD/GPL");
>diff --git a/arch/x86/platform/intel-quark/imr_selftest.c
>b/arch/x86/platform/intel-quark/imr_selftest.c
>new file mode 100644
>index 0000000..c9a0838
>--- /dev/null
>+++ b/arch/x86/platform/intel-quark/imr_selftest.c
>@@ -0,0 +1,129 @@
>+/**
>+ * imr_selftest.c
>+ *
>+ * Copyright(c) 2013 Intel Corporation.
>+ * Copyright(c) 2015 Bryan O'Donoghue <[email protected]>
>+ *
>+ * IMR self test. The purpose of this module is to run a set of tests on the
>+ * IMR API to validate it's sanity. We check for overlapping, reserved
>+ * addresses and setup/teardown sanity.
>+ *
>+ */
>+
>+#include <asm-generic/sections.h>
>+#include <asm/imr.h>
>+#include <linux/init.h>
>+#include <linux/mm.h>
>+#include <linux/module.h>
>+#include <linux/types.h>
>+
>+#define SELFTEST KBUILD_MODNAME ": "
>+/**
>+ * imr_self_test_result - Print result string for self test.
>+ *
>+ * @res: result code - true if test passed false otherwise.
>+ * @fmt: format string.
>+ * ... variadic argument list.
>+ */
>+static void __init imr_self_test_result(int res, const char *fmt, ...)
>+{
>+ va_list vlist;
>+
>+ /* Print pass/fail. */
>+ if (res)
>+ pr_info(SELFTEST "pass ");
>+ else
>+ pr_info(SELFTEST "fail ");
>+
>+ /* Print variable string. */
>+ va_start(vlist, fmt);
>+ vprintk(fmt, vlist);
>+ va_end(vlist);
>+
>+ /* Optional warning. */
>+ WARN(res == 0, "test failed");
>+}
>+#undef SELFTEST
>+
>+/**
>+ * imr_self_test
>+ *
>+ * Verify IMR self_test with some simple tests to verify overlap,
>+ * zero sized allocations and 1 KiB sized areas.
>+ *
>+ */
>+static void __init imr_self_test(void)
>+{
>+ phys_addr_t base = virt_to_phys(&_text);
>+ size_t size = virt_to_phys(&__end_rodata) - base;
>+ const char *fmt_over = "overlapped IMR @ (0x%08lx - 0x%08lx)\n";
>+ int ret;
>+
>+ /* Test zero zero. */
>+ ret = imr_add_range(0, 0, 0, 0, false);
>+ imr_self_test_result(ret < 0, "zero sized IMR\n");
>+
>+ /* Test exact overlap. */
>+ ret = imr_add_range(base, size, IMR_CPU, IMR_CPU, false);
>+ imr_self_test_result(ret < 0, fmt_over, __va(base), __va(base + size));
>+
>+ /* Test overlap with base inside of existing. */
>+ base += size - IMR_ALIGN;
>+ ret = imr_add_range(base, size, IMR_CPU, IMR_CPU, false);
>+ imr_self_test_result(ret < 0, fmt_over, __va(base), __va(base + size));
>+
>+ /* Test overlap with end inside of existing. */
>+ base -= size + IMR_ALIGN * 2;
>+ ret = imr_add_range(base, size, IMR_CPU, IMR_CPU, false);
>+ imr_self_test_result(ret < 0, fmt_over, __va(base), __va(base + size));
>+
>+ /* Test that a 1 KiB IMR @ zero with read/write all will bomb out. */
>+ ret = imr_add_range(0, IMR_ALIGN, IMR_READ_ACCESS_ALL,
>+ IMR_WRITE_ACCESS_ALL, false);
>+ imr_self_test_result(ret < 0, "1KiB IMR @ 0x00000000 - access-all\n");
>+
>+ /* Test that a 1 KiB IMR @ zero with CPU only will work. */
>+ ret = imr_add_range(0, IMR_ALIGN, IMR_CPU, IMR_CPU, false);
>+ imr_self_test_result(ret >= 0, "1KiB IMR @ 0x00000000 - cpu-
>access\n");
>+ if (ret >= 0) {
>+ ret = imr_remove_range(0, IMR_ALIGN);
>+ imr_self_test_result(ret == 0, "teardown - cpu-access\n");
>+ }
>+
>+ /* Test 2 KiB works. */
>+ size = IMR_ALIGN * 2;
>+ ret = imr_add_range(0, size, IMR_READ_ACCESS_ALL,
>+ IMR_WRITE_ACCESS_ALL, false);
>+ imr_self_test_result(ret >= 0, "2KiB IMR @ 0x00000000\n");
>+ if (ret >= 0) {
>+ ret = imr_remove_range(0, size);
>+ imr_self_test_result(ret == 0, "teardown 2KiB\n");
>+ }
>+}
>+
>+/**
>+ * imr_self_test_init - entry point for IMR driver.
>+ *
>+ * return: -ENODEV for no IMR support 0 if good to go.
>+ */
>+static int __init imr_self_test_init(void)
>+{
>+ imr_self_test();
>+ return 0;
>+}
>+
>+/**
>+ * imr_self_test_exit - exit point for IMR code.
>+ *
>+ * return:
>+ */
>+static void __exit imr_self_test_exit(void)
>+{
>+}
>+
>+module_init(imr_self_test_init);
>+module_exit(imr_self_test_exit);
>+
>+MODULE_AUTHOR("Bryan O'Donoghue <[email protected]>");
>+MODULE_DESCRIPTION("Intel Isolated Memory Region self-test driver");
>+MODULE_LICENSE("Dual BSD/GPL");
>diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
>index 638e7970..9752761 100644
>--- a/drivers/platform/x86/Kconfig
>+++ b/drivers/platform/x86/Kconfig
>@@ -735,6 +735,31 @@ config INTEL_IPS
> functionality. If in doubt, say Y here; it will only load on
> supported platforms.
>
>+config INTEL_IMR
>+ bool "Intel Isolated Memory Region support"
>+ default n
>+ depends on X86_INTEL_QUARK && IOSF_MBI
>+ ---help---
>+ This option provides a means to manipulate Isolated Memory Regions.
>+ IMRs are a set of registers that define read and write access masks
>+ to prohibit certain system agents from accessing memory with 1 KiB
>+ granularity.
>+
>+ IMRs make it possible to control read/write access to an address
>+ by hardware agents inside the SoC. Read and write masks can be
>+ defined for:
>+ - eSRAM flush
>+ - Dirty CPU snoop (write only)
>+ - RMU access
>+ - PCI Virtual Channel 0/Virtual Channel 1
>+ - SMM mode
>+ - Non SMM mode
>+
>+ Quark contains a set of eight IMR registers and makes use of those
>+ registers during its bootup process.
>+
>+ If you are running on a Galileo/Quark say Y here.
>+
> config IBM_RTL
> tristate "Device driver to enable PRTL support"
> depends on X86 && PCI
>--
>1.9.1


2015-02-06 15:58:32

by Bryan O'Donoghue

[permalink] [raw]
Subject: Re: [PATCH v8 1/2] x86: Add Isolated Memory Regions for Quark X1000

Ping.

Bumping this up the list, as a reminder for 3.20 if possible.

--
BOD