Bus firewall framework aims to provide a kernel API to set the configuration
of the harware blocks in charge of busses access control.
Framework architecture is inspirated by pinctrl framework:
- a default configuration could be applied before bind the driver.
If a configuration could not be applied the driver is not bind
to avoid doing accesses on prohibited regions.
- configurations could be apllied dynamically by drivers.
- device node provides the bus firewall configurations.
An example of bus firewall controller is STM32 ETZPC hardware block
which got 3 possible configurations:
- trust: hardware blocks are only accessible by software running on trust
zone (i.e op-tee firmware).
- non-secure: hardware blocks are accessible by non-secure software (i.e.
linux kernel).
- coprocessor: hardware blocks are only accessible by the coprocessor.
Up to 94 hardware blocks of the soc could be managed by ETZPC.
At least two other hardware blocks can take benefits of this:
- ARM TZC-400: http://infocenter.arm.com/help/topic/com.arm.doc.100325_0001_02_en/arm_corelink_tzc400_trustzone_address_space_controller_trm_100325_0001_02_en.pdf
which is able to manage up to 8 regions in address space.
- IMX Ressource Domain Controller (RDC): supports four domains and up to eight regions
Version 2 has been rebased on top of v5.5
- Change framework name to "firewall" because the targeted hardware block
are acting like firewall on the busses.
- Mark Brown had reviewed the previous version but it was on kernel 5.1 and I change
the name framework so I have decided to remove it.
- Use yaml file to describe the bindings
Benjamin
Benjamin Gaignard (7):
dt-bindings: bus: Add firewall bindings
bus: Introduce firewall controller framework
base: Add calls to firewall controller
dt-bindings: bus: Add STM32 ETZPC firewall controller
bus: firewall: Add driver for STM32 ETZPC controller
ARM: dts: stm32: Add firewall node for stm32mp157 SoC
ARM: dts: stm32: enable firewall controller node on stm32mp157c-ed1
.../bindings/bus/firewall/firewall-consumer.yaml | 25 ++
.../bindings/bus/firewall/firewall-provider.yaml | 18 ++
.../bindings/bus/firewall/st,stm32-etzpc.yaml | 41 ++++
arch/arm/boot/dts/stm32mp157c-ev1.dts | 2 +
arch/arm/boot/dts/stm32mp157c.dtsi | 7 +
drivers/base/dd.c | 9 +
drivers/bus/Kconfig | 2 +
drivers/bus/Makefile | 2 +
drivers/bus/firewall/Kconfig | 14 ++
drivers/bus/firewall/Makefile | 2 +
drivers/bus/firewall/firewall.c | 264 +++++++++++++++++++++
drivers/bus/firewall/stm32-etzpc.c | 140 +++++++++++
include/dt-bindings/bus/firewall/stm32-etzpc.h | 90 +++++++
include/linux/firewall.h | 70 ++++++
14 files changed, 686 insertions(+)
create mode 100644 Documentation/devicetree/bindings/bus/firewall/firewall-consumer.yaml
create mode 100644 Documentation/devicetree/bindings/bus/firewall/firewall-provider.yaml
create mode 100644 Documentation/devicetree/bindings/bus/firewall/st,stm32-etzpc.yaml
create mode 100644 drivers/bus/firewall/Kconfig
create mode 100644 drivers/bus/firewall/Makefile
create mode 100644 drivers/bus/firewall/firewall.c
create mode 100644 drivers/bus/firewall/stm32-etzpc.c
create mode 100644 include/dt-bindings/bus/firewall/stm32-etzpc.h
create mode 100644 include/linux/firewall.h
--
2.15.0
To avoid modifying all the drivers call firewall_set_default_config
before probe to apply the configuration define in device node (if any).
When unbinding the device try to apply configuration named "unbind".
Signed-off-by: Benjamin Gaignard <[email protected]>
---
drivers/base/dd.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index d811e60610d3..6a2153f6b19b 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -20,6 +20,7 @@
#include <linux/device.h>
#include <linux/delay.h>
#include <linux/dma-mapping.h>
+#include <linux/firewall.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kthread.h>
@@ -521,6 +522,10 @@ static int really_probe(struct device *dev, struct device_driver *drv)
re_probe:
dev->driver = drv;
+ ret = firewall_set_default_config(dev);
+ if (ret)
+ goto firewall_failed;
+
/* If using pinctrl, bind pins now before probing */
ret = pinctrl_bind_pins(dev);
if (ret)
@@ -601,6 +606,8 @@ static int really_probe(struct device *dev, struct device_driver *drv)
blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
BUS_NOTIFY_DRIVER_NOT_BOUND, dev);
pinctrl_bind_failed:
+ firewall_set_config_by_name(dev, "unbind");
+firewall_failed:
device_links_no_driver(dev);
devres_release_all(dev);
arch_teardown_dma_ops(dev);
@@ -1135,6 +1142,8 @@ static void __device_release_driver(struct device *dev, struct device *parent)
device_links_driver_cleanup(dev);
+ firewall_set_config_by_name(dev, "unbind");
+
devres_release_all(dev);
arch_teardown_dma_ops(dev);
dev->driver = NULL;
--
2.15.0
Add schemas for firewall consumer and provider.
Signed-off-by: Benjamin Gaignard <[email protected]>
---
version 2:
- describe bindings in yaml files
.../bindings/bus/firewall/firewall-consumer.yaml | 25 ++++++++++++++++++++++
.../bindings/bus/firewall/firewall-provider.yaml | 18 ++++++++++++++++
2 files changed, 43 insertions(+)
create mode 100644 Documentation/devicetree/bindings/bus/firewall/firewall-consumer.yaml
create mode 100644 Documentation/devicetree/bindings/bus/firewall/firewall-provider.yaml
diff --git a/Documentation/devicetree/bindings/bus/firewall/firewall-consumer.yaml b/Documentation/devicetree/bindings/bus/firewall/firewall-consumer.yaml
new file mode 100644
index 000000000000..ea7963c600f7
--- /dev/null
+++ b/Documentation/devicetree/bindings/bus/firewall/firewall-consumer.yaml
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: BSD-2-Clause
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/bus/firewall/firewall-consumer.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Common Bus Firewall consumer binding
+
+maintainers:
+ - Benjamin Gaignard <[email protected]>
+
+# always select the core schema
+select: true
+
+properties:
+ firewall-0: true
+
+ firewall-names: true
+
+patternProperties:
+ "firewall-[0-9]":
+ $ref: "/schemas/types.yaml#/definitions/phandle-array"
+
+dependencies:
+ firewall-names: [ firewall-0 ]
diff --git a/Documentation/devicetree/bindings/bus/firewall/firewall-provider.yaml b/Documentation/devicetree/bindings/bus/firewall/firewall-provider.yaml
new file mode 100644
index 000000000000..0f9a38b63fbe
--- /dev/null
+++ b/Documentation/devicetree/bindings/bus/firewall/firewall-provider.yaml
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: BSD-2-Clause
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/bus/firewall/firewall-provider.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Common Bus Firewall provider binding
+
+maintainers:
+ - Benjamin Gaignard <[email protected]>
+
+properties:
+ '#firewall-cells':
+ $ref: /schemas/types.yaml#/definitions/uint32
+ description: Number of cells in a bus firewall specifier
+
+required:
+ - '#firewall-cells'
--
2.15.0
Enable ETZPC and set configuration for CEC node
Signed-off-by: Benjamin Gaignard <[email protected]>
---
arch/arm/boot/dts/stm32mp157c-ev1.dts | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm/boot/dts/stm32mp157c-ev1.dts b/arch/arm/boot/dts/stm32mp157c-ev1.dts
index 3789312c8539..5b72ef2a54df 100644
--- a/arch/arm/boot/dts/stm32mp157c-ev1.dts
+++ b/arch/arm/boot/dts/stm32mp157c-ev1.dts
@@ -6,6 +6,7 @@
/dts-v1/;
#include "stm32mp157c-ed1.dts"
+#include <dt-bindings/bus/firewall/stm32-etzpc.h>
#include <dt-bindings/gpio/gpio.h>
#include <dt-bindings/input/input.h>
@@ -77,6 +78,7 @@
&cec {
pinctrl-names = "default";
pinctrl-0 = <&cec_pins_a>;
+ firewall-0 = <&etzpc STM32_ETZPC_CEC STM32_ETZPC_NON_SECURE>;
status = "okay";
};
--
2.15.0
The goal of this framework is to offer an interface for the
hardware blocks controlling bus accesses rights.
Bus firewall controllers are typically used to control if a
hardware block can perform read or write operations on bus.
Smarter firewall controllers could be able to define accesses
rights per hardware blocks to control where they can read
or write.
Firewall controller configurations are provided in device node,
parsed by the framework and send to the driver to apply them.
Each controller may need different number and type of inputs
to configure the firewall so device-tree properties size have to
be define by using "#firewall-cells".
Firewall configurations properties have to be named "firewall-X"
on device node.
"firewall-names" keyword can also be used to give a name to
a specific configuration.
Example of device-tree:
ctrl0: firewall@0 {
#firewall-cells = <2>;
};
foo: foo@0 {
firewall-names = "default", "setting1";
firewall-0 = <&ctrl0 1 2>;
firewall-1 = <&ctrl0 3 4>;
};
Configurations could be applied with functions like
firewall_set_config_by_index() or firewall_set_config_by_name().
firewall_set_default_config() function will apply the
configuration named "default" (if existing) or the configuration
with index 0 (i.e. firewall-0).
Drivers could register/unregister themselves be calling
firewall_register/firewall_unregister functions.
When a configuration has to be applied the driver callback,
provided in the ops at registration time, set_config is called
by the framework.
Signed-off-by: Benjamin Gaignard <[email protected]>
---
version 2:
- rename the framework "firewall"
- rebased on top of v5.5
drivers/bus/Kconfig | 2 +
drivers/bus/Makefile | 2 +
drivers/bus/firewall/Kconfig | 7 ++
drivers/bus/firewall/Makefile | 1 +
drivers/bus/firewall/firewall.c | 264 ++++++++++++++++++++++++++++++++++++++++
include/linux/firewall.h | 70 +++++++++++
6 files changed, 346 insertions(+)
create mode 100644 drivers/bus/firewall/Kconfig
create mode 100644 drivers/bus/firewall/Makefile
create mode 100644 drivers/bus/firewall/firewall.c
create mode 100644 include/linux/firewall.h
diff --git a/drivers/bus/Kconfig b/drivers/bus/Kconfig
index 50200d1c06ea..d3f636c64e1c 100644
--- a/drivers/bus/Kconfig
+++ b/drivers/bus/Kconfig
@@ -203,4 +203,6 @@ config DA8XX_MSTPRI
source "drivers/bus/fsl-mc/Kconfig"
+source "drivers/bus/firewall/Kconfig"
+
endmenu
diff --git a/drivers/bus/Makefile b/drivers/bus/Makefile
index 1320bcf9fa9d..278c27fd57cd 100644
--- a/drivers/bus/Makefile
+++ b/drivers/bus/Makefile
@@ -34,3 +34,5 @@ obj-$(CONFIG_UNIPHIER_SYSTEM_BUS) += uniphier-system-bus.o
obj-$(CONFIG_VEXPRESS_CONFIG) += vexpress-config.o
obj-$(CONFIG_DA8XX_MSTPRI) += da8xx-mstpri.o
+
+obj-$(CONFIG_FIREWALL_CONTROLLERS) += firewall/
diff --git a/drivers/bus/firewall/Kconfig b/drivers/bus/firewall/Kconfig
new file mode 100644
index 000000000000..893bacb955f5
--- /dev/null
+++ b/drivers/bus/firewall/Kconfig
@@ -0,0 +1,7 @@
+menu "Bus Firewall Controllers"
+
+config FIREWALL_CONTROLLERS
+ bool "Support of bus firewall controllers"
+ depends on OF
+
+endmenu
diff --git a/drivers/bus/firewall/Makefile b/drivers/bus/firewall/Makefile
new file mode 100644
index 000000000000..eb6b978d6450
--- /dev/null
+++ b/drivers/bus/firewall/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_FIREWALL_CONTROLLERS) += firewall.o
diff --git a/drivers/bus/firewall/firewall.c b/drivers/bus/firewall/firewall.c
new file mode 100644
index 000000000000..765105d29075
--- /dev/null
+++ b/drivers/bus/firewall/firewall.c
@@ -0,0 +1,264 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) STMicroelectronics 2020 - All Rights Reserved
+ * Author: Benjamin Gaignard <[email protected]> for STMicroelectronics.
+ */
+
+#include <linux/device.h>
+#include <linux/firewall.h>
+#include <linux/err.h>
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <linux/list.h>
+#include <linux/of.h>
+#include <linux/slab.h>
+
+/* Mutex taken to protect firewall_list */
+static DEFINE_MUTEX(firewall_list_mutex);
+
+/* Global list of firewall control devices */
+static LIST_HEAD(firewall_list);
+
+struct firewall_ctrl {
+ struct list_head node;
+ struct device *dev;
+ struct firewall_ops *ops;
+};
+
+static struct firewall_ctrl *get_firewallctrl_from_node(struct device_node *np)
+{
+ struct firewall_ctrl *ctrl;
+
+ mutex_lock(&firewall_list_mutex);
+
+ list_for_each_entry(ctrl, &firewall_list, node) {
+ if (ctrl->dev->of_node == np) {
+ mutex_unlock(&firewall_list_mutex);
+ return ctrl;
+ }
+ }
+
+ mutex_unlock(&firewall_list_mutex);
+
+ return NULL;
+}
+
+/**
+ * firewall_dt_has_default
+ *
+ * Check if the device node provide firewall configuration
+ *
+ * @dev: device with possible firewall configuration
+ *
+ * Return: true is firewall-0 property exist in the device node
+ */
+static bool firewall_dt_has_default(struct device *dev)
+{
+ struct device_node *np;
+ struct property *prop;
+ int size;
+
+ np = dev->of_node;
+ if (!np)
+ return false;
+
+ prop = of_find_property(np, "firewall-0", &size);
+
+ return prop ? true : false;
+}
+
+/**
+ * firewall_set_config_by_index
+ *
+ * Set a firewall controller configuration based on given index.
+ *
+ * @dev: device with firewall configuration to apply.
+ * @index: the index of the configuration in device node.
+ *
+ * Return: 0 if OK, -EPROBE_DEFER if waiting for firewall controller to be
+ * registered or negative value on other errors.
+ */
+int firewall_set_config_by_index(struct device *dev, int index)
+{
+ struct device_node *np = dev->of_node;
+ char *propname;
+ int configs, i, err = 0;
+
+ if (!np)
+ return 0;
+
+ propname = kasprintf(GFP_KERNEL, "firewall-%d", index);
+ configs = of_count_phandle_with_args(np, propname, "#firewall-cells");
+ if (configs < 0) {
+ err = -EINVAL;
+ goto error;
+ }
+
+ for (i = 0; i < configs; i++) {
+ struct firewall_ctrl *ctrl;
+ struct of_phandle_args args;
+
+ err = of_parse_phandle_with_args(np, propname,
+ "#firewall-cells",
+ i, &args);
+ if (err)
+ goto error;
+
+ /* Test if the controller is (or will be) available */
+ if (!of_device_is_available(args.np)) {
+ of_node_put(args.np);
+ continue;
+ }
+
+ ctrl = get_firewallctrl_from_node(args.np);
+ of_node_put(args.np);
+
+ /* Controller is not yet registered */
+ if (!ctrl) {
+ err = -EPROBE_DEFER;
+ goto error;
+ }
+
+ err = ctrl->ops->set_config(ctrl->dev, &args);
+ if (err)
+ goto error;
+ }
+
+error:
+ kfree(propname);
+ return err;
+}
+EXPORT_SYMBOL_GPL(firewall_set_config_by_index);
+
+/**
+ * firewall_set_config_by_name
+ *
+ * Set a firwall controller configuration based on given name.
+ *
+ * @dev: device with firewall configuration to apply.
+ * @name: the name of the configuration in device node.
+ *
+ * Return: 0 if OK, -EPROBE_DEFER if waiting for firewall controller to be
+ * registered or negative value on other errors.
+ */
+int firewall_set_config_by_name(struct device *dev, char *name)
+{
+ const char *configname;
+ int count, i;
+
+ count = of_property_count_strings(dev->of_node, "firewall-names");
+ for (i = 0; i < count; i++) {
+ int err;
+
+ err = of_property_read_string_index(dev->of_node,
+ "firewall-names",
+ i, &configname);
+ if (err)
+ return err;
+
+ if (strcmp(name, configname))
+ continue;
+
+ return firewall_set_config_by_index(dev, i);
+ }
+
+ return -EINVAL;
+}
+EXPORT_SYMBOL_GPL(firewall_set_config_by_name);
+
+/**
+ * firewall_set_default_config
+ *
+ * Set the default configuration for device.
+ * First try to apply configuration named "default", if it fails
+ * or doesn't exist, try to apply firewall-0 configuration.
+ *
+ * @dev: device with firewall configuration to apply.
+ *
+ * Return: 0 if OK, -EPROBE_DEFER if waiting for firewall controller to be
+ * registered or negative value on other errors.
+ */
+int firewall_set_default_config(struct device *dev)
+{
+ int ret;
+
+ /* Nothing to do if device node doesn't contain at least
+ * one configuration
+ */
+ if (!firewall_dt_has_default(dev))
+ return 0;
+
+ ret = firewall_set_config_by_name(dev, "default");
+ if (!ret || (ret == -EPROBE_DEFER))
+ return ret;
+
+ return firewall_set_config_by_index(dev, 0);
+}
+EXPORT_SYMBOL_GPL(firewall_set_default_config);
+
+/**
+ * firewall_register
+ *
+ * Register a firewall controller device.
+ *
+ * @dev: device implementing firewall controller.
+ * @ops: firewall controller operations.
+ *
+ * Return: 0 if OK or negative value on error.
+ */
+int firewall_register(struct device *dev,
+ struct firewall_ops *ops)
+{
+ struct firewall_ctrl *ctrl;
+
+ if (!dev || !ops || !ops->set_config)
+ return -EINVAL;
+
+ ctrl = kzalloc(sizeof(*ctrl), GFP_KERNEL);
+ if (!ctrl)
+ return -ENOMEM;
+
+ INIT_LIST_HEAD(&ctrl->node);
+
+ ctrl->dev = dev;
+ ctrl->ops = ops;
+
+ mutex_lock(&firewall_list_mutex);
+ list_add_tail(&ctrl->node, &firewall_list);
+ mutex_unlock(&firewall_list_mutex);
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(firewall_register);
+
+/**
+ * firewall_unregister
+ *
+ * Unregister a firewall controller device.
+ *
+ * @dev: device implementing firewall controller.
+ */
+void firewall_unregister(struct device *dev)
+{
+ struct firewall_ctrl *ctrl;
+
+ ctrl = get_firewallctrl_from_node(dev->of_node);
+ if (!ctrl)
+ return;
+
+ mutex_lock(&firewall_list_mutex);
+ list_del(&ctrl->node);
+ mutex_unlock(&firewall_list_mutex);
+
+ kfree(ctrl);
+}
+EXPORT_SYMBOL_GPL(firewall_unregister);
+
+static int __init firewall_init(void)
+{
+ pr_info("initialized bus firewall controller subsystem\n");
+ return 0;
+}
+
+/* Init early since drivers really need to configure firewall early */
+core_initcall(firewall_init);
diff --git a/include/linux/firewall.h b/include/linux/firewall.h
new file mode 100644
index 000000000000..67eb9985821c
--- /dev/null
+++ b/include/linux/firewall.h
@@ -0,0 +1,70 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) STMicroelectronics 2020 - All Rights Reserved
+ * Author: Benjamin Gaignard <[email protected]> for STMicroelectronics.
+ */
+
+#ifndef _FIREWALL_H_
+#define _FIREWALL_H_
+
+#include <linux/device.h>
+#include <linux/of.h>
+
+/**
+ * struct firewall_ops
+ *
+ * Firewall controller operations structure to be filled by drivers.
+ */
+struct firewall_ops {
+ /**
+ * @set_config:
+ *
+ * Driver callback to set a firewall configuration on a controller.
+ * Configuration arguments are provided in out_args parameter.
+ *
+ * Return: 0 on success, a negative error code on failure.
+ */
+ int (*set_config)(struct device *dev, struct of_phandle_args *out_args);
+};
+
+#ifdef CONFIG_FIREWALL_CONTROLLERS
+
+int firewall_set_config_by_index(struct device *dev, int index);
+int firewall_set_config_by_name(struct device *dev, char *name);
+int firewall_set_default_config(struct device *dev);
+
+int firewall_register(struct device *dev, struct firewall_ops *ops);
+
+void firewall_unregister(struct device *dev);
+
+#else
+
+static inline int firewall_set_config_by_index(struct device *dev, int index)
+{
+ return 0;
+}
+
+static inline int firewall_set_config_by_name(struct device *dev, char *name)
+{
+ return 0;
+}
+
+static inline int firewall_set_default_config(struct device *dev)
+{
+ return 0;
+}
+
+static inline int firewall_register(struct device *dev,
+ struct firewall_ops *ops)
+{
+ return 0;
+}
+
+static inline void firewall_unregister(struct device *dev)
+{
+ /* Empty */
+}
+
+#endif
+
+#endif /* _FIREWALL_H_ */
--
2.15.0
On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote:
> The goal of this framework is to offer an interface for the
> hardware blocks controlling bus accesses rights.
>
> Bus firewall controllers are typically used to control if a
> hardware block can perform read or write operations on bus.
So put this in the bus-specific code that controls the bus that these
devices live on. Why put it in the driver core when this is only on one
"bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
And really, this should just be a totally new bus type, right? And any
devices on this bus should be changed to be on this new bus, and the
drivers changed to support them, instead of trying to overload the
platform bus with more stuff.
thanks,
greg k-h
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
> Bus firewall framework aims to provide a kernel API to set the configuration
> of the harware blocks in charge of busses access control.
>
> Framework architecture is inspirated by pinctrl framework:
> - a default configuration could be applied before bind the driver.
> If a configuration could not be applied the driver is not bind
> to avoid doing accesses on prohibited regions.
> - configurations could be apllied dynamically by drivers.
> - device node provides the bus firewall configurations.
>
> An example of bus firewall controller is STM32 ETZPC hardware block
> which got 3 possible configurations:
> - trust: hardware blocks are only accessible by software running on trust
> zone (i.e op-tee firmware).
> - non-secure: hardware blocks are accessible by non-secure software (i.e.
> linux kernel).
> - coprocessor: hardware blocks are only accessible by the coprocessor.
> Up to 94 hardware blocks of the soc could be managed by ETZPC.
>
/me confused. Is ETZPC accessible from the non-secure kernel space to
begin with ? If so, is it allowed to configure hardware blocks as secure
or trusted ? I am failing to understand the overall design of a system
with ETZPC controller.
> At least two other hardware blocks can take benefits of this:
> - ARM TZC-400: http://infocenter.arm.com/help/topic/com.arm.doc.100325_0001_02_en/arm_corelink_tzc400_trustzone_address_space_controller_trm_100325_0001_02_en.pdf
> which is able to manage up to 8 regions in address space.
I strongly have to disagree with the above and NACK any patch trying
to do so. AFAIK, no system designed has TZC with non-secure access.
So we simply can't access this in the kernel and hence need no driver
for the same. Please avoid adding above misleading information in future.
--
Regards,
Sudeep
On 1/28/20 4:52 PM, Greg KH wrote:
> On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote:
>> The goal of this framework is to offer an interface for the
>> hardware blocks controlling bus accesses rights.
>>
>> Bus firewall controllers are typically used to control if a
>> hardware block can perform read or write operations on bus.
> So put this in the bus-specific code that controls the bus that these
> devices live on. Why put it in the driver core when this is only on one
> "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
It is really similar to what pin controller does, configuring an
hardware block given DT information.
I could argue that firewalls are not bus themselves they only interact
with it.
Bus firewalls exist on other SoC, I hope some others could be added in
this framework. ETZPC is only the first.
>
> And really, this should just be a totally new bus type, right? And any
> devices on this bus should be changed to be on this new bus, and the
> drivers changed to support them, instead of trying to overload the
> platform bus with more stuff.
I have tried to use the bus notifier to avoid to add this code at probe
time but without success:
https://lkml.org/lkml/2018/2/27/300
I have also tried to disable the nodes at runtime and Mark Rutland
explain me why it was wrong.
Benjamin
>
> thanks,
>
> greg k-h
On 1/28/20 5:36 PM, Sudeep Holla wrote:
> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
>> Bus firewall framework aims to provide a kernel API to set the configuration
>> of the harware blocks in charge of busses access control.
>>
>> Framework architecture is inspirated by pinctrl framework:
>> - a default configuration could be applied before bind the driver.
>> If a configuration could not be applied the driver is not bind
>> to avoid doing accesses on prohibited regions.
>> - configurations could be apllied dynamically by drivers.
>> - device node provides the bus firewall configurations.
>>
>> An example of bus firewall controller is STM32 ETZPC hardware block
>> which got 3 possible configurations:
>> - trust: hardware blocks are only accessible by software running on trust
>> zone (i.e op-tee firmware).
>> - non-secure: hardware blocks are accessible by non-secure software (i.e.
>> linux kernel).
>> - coprocessor: hardware blocks are only accessible by the coprocessor.
>> Up to 94 hardware blocks of the soc could be managed by ETZPC.
>>
> /me confused. Is ETZPC accessible from the non-secure kernel space to
> begin with ? If so, is it allowed to configure hardware blocks as secure
> or trusted ? I am failing to understand the overall design of a system
> with ETZPC controller.
Non-secure kernel could read the values set in ETZPC, if it doesn't match
with what is required by the device node the driver won't be probed.
Benjamin
>
>> At least two other hardware blocks can take benefits of this:
>> - ARM TZC-400: http://infocenter.arm.com/help/topic/com.arm.doc.100325_0001_02_en/arm_corelink_tzc400_trustzone_address_space_controller_trm_100325_0001_02_en.pdf
>> which is able to manage up to 8 regions in address space.
> I strongly have to disagree with the above and NACK any patch trying
> to do so. AFAIK, no system designed has TZC with non-secure access.
> So we simply can't access this in the kernel and hence need no driver
> for the same. Please avoid adding above misleading information in future.
>
> --
> Regards,
> Sudeep
>
On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote:
>
> On 1/28/20 4:52 PM, Greg KH wrote:
> > On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote:
> >> The goal of this framework is to offer an interface for the
> >> hardware blocks controlling bus accesses rights.
> >>
> >> Bus firewall controllers are typically used to control if a
> >> hardware block can perform read or write operations on bus.
> > So put this in the bus-specific code that controls the bus that these
> > devices live on. Why put it in the driver core when this is only on one
> > "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
>
> It is really similar to what pin controller does, configuring an
> hardware block given DT information.
Great, then use that instead :)
> I could argue that firewalls are not bus themselves they only interact
> with it.
They live on a bus, and do so in bus-specific ways, right?
> Bus firewalls exist on other SoC, I hope some others could be added in
> this framework. ETZPC is only the first.
Then put it on the bus it lives on, and the bus that the drivers for
that device are being controlled with. That sounds like the sane place
to do so, right?
> > And really, this should just be a totally new bus type, right? And any
> > devices on this bus should be changed to be on this new bus, and the
> > drivers changed to support them, instead of trying to overload the
> > platform bus with more stuff.
>
> I have tried to use the bus notifier to avoid to add this code at probe
> time but without success:
>
> https://lkml.org/lkml/2018/2/27/300
Almost 2 years ago? I can't remember something written 1 week ago...
Yes, don't abuse the notifier chain. I hate that thing as it is.
> I have also tried to disable the nodes at runtime and Mark Rutland
> explain me why it was wrong.
The bus controller should do this, right? Why not just do it there?
thanks,
greg k-h
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
>
> On 1/28/20 5:36 PM, Sudeep Holla wrote:
> > On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
> >> Bus firewall framework aims to provide a kernel API to set the configuration
> >> of the harware blocks in charge of busses access control.
> >>
> >> Framework architecture is inspirated by pinctrl framework:
> >> - a default configuration could be applied before bind the driver.
> >> If a configuration could not be applied the driver is not bind
> >> to avoid doing accesses on prohibited regions.
> >> - configurations could be apllied dynamically by drivers.
> >> - device node provides the bus firewall configurations.
> >>
> >> An example of bus firewall controller is STM32 ETZPC hardware block
> >> which got 3 possible configurations:
> >> - trust: hardware blocks are only accessible by software running on trust
> >> zone (i.e op-tee firmware).
> >> - non-secure: hardware blocks are accessible by non-secure software (i.e.
> >> linux kernel).
> >> - coprocessor: hardware blocks are only accessible by the coprocessor.
> >> Up to 94 hardware blocks of the soc could be managed by ETZPC.
> >>
> > /me confused. Is ETZPC accessible from the non-secure kernel space to
> > begin with ? If so, is it allowed to configure hardware blocks as secure
> > or trusted ? I am failing to understand the overall design of a system
> > with ETZPC controller.
>
> Non-secure kernel could read the values set in ETZPC, if it doesn't match
> with what is required by the device node the driver won't be probed.
>
OK, but I was under the impression that it was made clear that Linux is
not firmware validation suite. The firmware need to ensure all the devices
that are not accessible in the Linux kernel are marked as disabled and
this needs to happen before entering the kernel. So if this is what this
patch series achieves, then there is no need for it. Please stop pursuing
this any further or provide any other reasons(if any) to have it. Until
you have other reasons, NACK for this series.
Note you haven't cc-ed 2 people who has comments earlier[1][2]
--
Regards,
Sudeep
[1] https://lkml.org/lkml/2018/2/27/512
[2] https://lkml.org/lkml/2018/2/27/598
On 1/28/20 6:17 PM, Sudeep Holla wrote:
> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
>> On 1/28/20 5:36 PM, Sudeep Holla wrote:
>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
>>>> Bus firewall framework aims to provide a kernel API to set the configuration
>>>> of the harware blocks in charge of busses access control.
>>>>
>>>> Framework architecture is inspirated by pinctrl framework:
>>>> - a default configuration could be applied before bind the driver.
>>>> If a configuration could not be applied the driver is not bind
>>>> to avoid doing accesses on prohibited regions.
>>>> - configurations could be apllied dynamically by drivers.
>>>> - device node provides the bus firewall configurations.
>>>>
>>>> An example of bus firewall controller is STM32 ETZPC hardware block
>>>> which got 3 possible configurations:
>>>> - trust: hardware blocks are only accessible by software running on trust
>>>> zone (i.e op-tee firmware).
>>>> - non-secure: hardware blocks are accessible by non-secure software (i.e.
>>>> linux kernel).
>>>> - coprocessor: hardware blocks are only accessible by the coprocessor.
>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC.
>>>>
>>> /me confused. Is ETZPC accessible from the non-secure kernel space to
>>> begin with ? If so, is it allowed to configure hardware blocks as secure
>>> or trusted ? I am failing to understand the overall design of a system
>>> with ETZPC controller.
>> Non-secure kernel could read the values set in ETZPC, if it doesn't match
>> with what is required by the device node the driver won't be probed.
>>
> OK, but I was under the impression that it was made clear that Linux is
> not firmware validation suite. The firmware need to ensure all the devices
> that are not accessible in the Linux kernel are marked as disabled and
> this needs to happen before entering the kernel. So if this is what this
> patch series achieves, then there is no need for it. Please stop pursuing
> this any further or provide any other reasons(if any) to have it. Until
> you have other reasons, NACK for this series.
No it doesn't disable the nodes.
When the firmware disable a node before the kernel that means it change
the DTB and that is a problem when you want to sign it. With my proposal
the DTB remains the same.
>
> Note you haven't cc-ed 2 people who has comments earlier[1][2]
I will cc them, thanks
> --
> Regards,
> Sudeep
>
> [1] https://lkml.org/lkml/2018/2/27/512
> [2] https://lkml.org/lkml/2018/2/27/598
On 1/28/20 5:57 PM, Greg KH wrote:
> On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote:
>> On 1/28/20 4:52 PM, Greg KH wrote:
>>> On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote:
>>>> The goal of this framework is to offer an interface for the
>>>> hardware blocks controlling bus accesses rights.
>>>>
>>>> Bus firewall controllers are typically used to control if a
>>>> hardware block can perform read or write operations on bus.
>>> So put this in the bus-specific code that controls the bus that these
>>> devices live on. Why put it in the driver core when this is only on one
>>> "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
>> It is really similar to what pin controller does, configuring an
>> hardware block given DT information.
> Great, then use that instead :)
I think that Linus W. will complain if I do that :)
>
>> I could argue that firewalls are not bus themselves they only interact
>> with it.
> They live on a bus, and do so in bus-specific ways, right?
>
>> Bus firewalls exist on other SoC, I hope some others could be added in
>> this framework. ETZPC is only the first.
> Then put it on the bus it lives on, and the bus that the drivers for
> that device are being controlled with. That sounds like the sane place
> to do so, right?
If that means that all drivers have to be modified it will be
problematic because not all
are specifics to the SoC.
>
>>> And really, this should just be a totally new bus type, right? And any
>>> devices on this bus should be changed to be on this new bus, and the
>>> drivers changed to support them, instead of trying to overload the
>>> platform bus with more stuff.
>> I have tried to use the bus notifier to avoid to add this code at probe
>> time but without success:
>>
>> https://lkml.org/lkml/2018/2/27/300
> Almost 2 years ago? I can't remember something written 1 week ago...
>
> Yes, don't abuse the notifier chain. I hate that thing as it is.
>
>> I have also tried to disable the nodes at runtime and Mark Rutland
>> explain me why it was wrong.
> The bus controller should do this, right? Why not just do it there?
The bus controller is a different hardware block.
>
> thanks,
>
> greg k-h
On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
>
> On 1/28/20 6:17 PM, Sudeep Holla wrote:
>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
>>> On 1/28/20 5:36 PM, Sudeep Holla wrote:
>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
>>>>> Bus firewall framework aims to provide a kernel API to set the configuration
>>>>> of the harware blocks in charge of busses access control.
>>>>>
>>>>> Framework architecture is inspirated by pinctrl framework:
>>>>> - a default configuration could be applied before bind the driver.
>>>>> If a configuration could not be applied the driver is not bind
>>>>> to avoid doing accesses on prohibited regions.
>>>>> - configurations could be apllied dynamically by drivers.
>>>>> - device node provides the bus firewall configurations.
>>>>>
>>>>> An example of bus firewall controller is STM32 ETZPC hardware block
>>>>> which got 3 possible configurations:
>>>>> - trust: hardware blocks are only accessible by software running on trust
>>>>> zone (i.e op-tee firmware).
>>>>> - non-secure: hardware blocks are accessible by non-secure software (i.e.
>>>>> linux kernel).
>>>>> - coprocessor: hardware blocks are only accessible by the coprocessor.
>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC.
>>>>>
>>>> /me confused. Is ETZPC accessible from the non-secure kernel space to
>>>> begin with ? If so, is it allowed to configure hardware blocks as secure
>>>> or trusted ? I am failing to understand the overall design of a system
>>>> with ETZPC controller.
>>> Non-secure kernel could read the values set in ETZPC, if it doesn't match
>>> with what is required by the device node the driver won't be probed.
>>>
>> OK, but I was under the impression that it was made clear that Linux is
>> not firmware validation suite. The firmware need to ensure all the devices
>> that are not accessible in the Linux kernel are marked as disabled and
>> this needs to happen before entering the kernel. So if this is what this
>> patch series achieves, then there is no need for it. Please stop pursuing
>> this any further or provide any other reasons(if any) to have it. Until
>> you have other reasons, NACK for this series.
>
> No it doesn't disable the nodes.
>
> When the firmware disable a node before the kernel that means it change
>
> the DTB and that is a problem when you want to sign it. With my proposal
>
> the DTB remains the same.
???
:/
The DTB is used to pass the kernel command line, memory reservations,
random seeds, and all manner of other things dynamically generated by
firmware at boot-time. Apologies for being blunt but if "changing the
DTB" is considered a problem then I can't help but think you're doing it
wrong.
Robin.
On Tue, Jan 28, 2020 at 08:29:45PM +0000, Benjamin GAIGNARD wrote:
>
> On 1/28/20 5:57 PM, Greg KH wrote:
> > On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote:
> >> On 1/28/20 4:52 PM, Greg KH wrote:
> >>> On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote:
> >>>> The goal of this framework is to offer an interface for the
> >>>> hardware blocks controlling bus accesses rights.
> >>>>
> >>>> Bus firewall controllers are typically used to control if a
> >>>> hardware block can perform read or write operations on bus.
> >>> So put this in the bus-specific code that controls the bus that these
> >>> devices live on. Why put it in the driver core when this is only on one
> >>> "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
> >> It is really similar to what pin controller does, configuring an
> >> hardware block given DT information.
> > Great, then use that instead :)
> I think that Linus W. will complain if I do that :)
> >
> >> I could argue that firewalls are not bus themselves they only interact
> >> with it.
> > They live on a bus, and do so in bus-specific ways, right?
> >
> >> Bus firewalls exist on other SoC, I hope some others could be added in
> >> this framework. ETZPC is only the first.
> > Then put it on the bus it lives on, and the bus that the drivers for
> > that device are being controlled with. That sounds like the sane place
> > to do so, right?
>
> If that means that all drivers have to be modified it will be
> problematic because not all
>
> are specifics to the SoC.
That's fine, we have loads of drivers that work on different types of
busses.
Or, if this really is the "platform bus" then use that. (which is what
I was hinting at all along but no one seems to realize that, should have
been more obvious...)
> >>> And really, this should just be a totally new bus type, right? And any
> >>> devices on this bus should be changed to be on this new bus, and the
> >>> drivers changed to support them, instead of trying to overload the
> >>> platform bus with more stuff.
> >> I have tried to use the bus notifier to avoid to add this code at probe
> >> time but without success:
> >>
> >> https://lkml.org/lkml/2018/2/27/300
> > Almost 2 years ago? I can't remember something written 1 week ago...
> >
> > Yes, don't abuse the notifier chain. I hate that thing as it is.
> >
> >> I have also tried to disable the nodes at runtime and Mark Rutland
> >> explain me why it was wrong.
> > The bus controller should do this, right? Why not just do it there?
>
> The bus controller is a different hardware block.
Of course it is, but it controls a bus, and there are devices on that
bus, right? Don't circumvent things please.
greg k-h
On Tue, Jan 28, 2020 at 9:30 PM Benjamin GAIGNARD
<[email protected]> wrote:
> On 1/28/20 5:57 PM, Greg KH wrote:
> > On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote:
> >> On 1/28/20 4:52 PM, Greg KH wrote:
> >>> So put this in the bus-specific code that controls the bus that these
> >>> devices live on. Why put it in the driver core when this is only on one
> >>> "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
> >> It is really similar to what pin controller does, configuring an
> >> hardware block given DT information.
> > Great, then use that instead :)
> I think that Linus W. will complain if I do that :)
So the similarity would be something like the way that pin control
states are configured in the device tree and the pin control
handles are taken before probe in drivers/base/pinctrl.c embedding
a hook into dd.c.
Not that it in any way controls any hardware even remotely
similar to pin control. Pin control is an electronic thing,
this firewalling is about bus access.
IIUC this framework wants to discover at kernel boot time
whether certain devices are accessible to it or not by inspecting
the state of the firewalling hardware and then avoid probing
those that are inaccessible.
It needs the same deep hooks into dd.c to achieve this
I believe.
Yours,
Linus Walleij
On Wed, Jan 29, 2020 at 10:42:39AM +0100, Linus Walleij wrote:
> On Tue, Jan 28, 2020 at 9:30 PM Benjamin GAIGNARD
> <[email protected]> wrote:
> > On 1/28/20 5:57 PM, Greg KH wrote:
> > > On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote:
> > >> On 1/28/20 4:52 PM, Greg KH wrote:
>
> > >>> So put this in the bus-specific code that controls the bus that these
> > >>> devices live on. Why put it in the driver core when this is only on one
> > >>> "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)?
>
> > >> It is really similar to what pin controller does, configuring an
> > >> hardware block given DT information.
>
> > > Great, then use that instead :)
>
> > I think that Linus W. will complain if I do that :)
>
> So the similarity would be something like the way that pin control
> states are configured in the device tree and the pin control
> handles are taken before probe in drivers/base/pinctrl.c embedding
> a hook into dd.c.
>
> Not that it in any way controls any hardware even remotely
> similar to pin control. Pin control is an electronic thing,
> this firewalling is about bus access.
>
> IIUC this framework wants to discover at kernel boot time
> whether certain devices are accessible to it or not by inspecting
> the state of the firewalling hardware and then avoid probing
> those that are inaccessible.
>
> It needs the same deep hooks into dd.c to achieve this
> I believe.
It just needs to be part of the bus logic for the specific bus that this
"firewall" is on. Just like we do the same thing for USB or thunderbolt
devices. Put this in the bus-specific code please.
thanks,
greg k-h
On Wed, Jan 29, 2020 at 10:52:40AM +0100, Greg KH wrote:
> It just needs to be part of the bus logic for the specific bus that this
> "firewall" is on. Just like we do the same thing for USB or thunderbolt
> devices. Put this in the bus-specific code please.
I'd expect that this is going to affect at least platform and AMBA
buses.
On 1/28/20 11:06 PM, Robin Murphy wrote:
> On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
>>
>> On 1/28/20 6:17 PM, Sudeep Holla wrote:
>>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
>>>> On 1/28/20 5:36 PM, Sudeep Holla wrote:
>>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
>>>>>> Bus firewall framework aims to provide a kernel API to set the
>>>>>> configuration
>>>>>> of the harware blocks in charge of busses access control.
>>>>>>
>>>>>> Framework architecture is inspirated by pinctrl framework:
>>>>>> - a default configuration could be applied before bind the driver.
>>>>>> If a configuration could not be applied the driver is not bind
>>>>>> to avoid doing accesses on prohibited regions.
>>>>>> - configurations could be apllied dynamically by drivers.
>>>>>> - device node provides the bus firewall configurations.
>>>>>>
>>>>>> An example of bus firewall controller is STM32 ETZPC hardware block
>>>>>> which got 3 possible configurations:
>>>>>> - trust: hardware blocks are only accessible by software running
>>>>>> on trust
>>>>>> zone (i.e op-tee firmware).
>>>>>> - non-secure: hardware blocks are accessible by non-secure
>>>>>> software (i.e.
>>>>>> linux kernel).
>>>>>> - coprocessor: hardware blocks are only accessible by the
>>>>>> coprocessor.
>>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC.
>>>>>>
>>>>> /me confused. Is ETZPC accessible from the non-secure kernel space to
>>>>> begin with ? If so, is it allowed to configure hardware blocks as
>>>>> secure
>>>>> or trusted ? I am failing to understand the overall design of a
>>>>> system
>>>>> with ETZPC controller.
>>>> Non-secure kernel could read the values set in ETZPC, if it doesn't
>>>> match
>>>> with what is required by the device node the driver won't be probed.
>>>>
>>> OK, but I was under the impression that it was made clear that Linux is
>>> not firmware validation suite. The firmware need to ensure all the
>>> devices
>>> that are not accessible in the Linux kernel are marked as disabled and
>>> this needs to happen before entering the kernel. So if this is what
>>> this
>>> patch series achieves, then there is no need for it. Please stop
>>> pursuing
>>> this any further or provide any other reasons(if any) to have it. Until
>>> you have other reasons, NACK for this series.
>>
>> No it doesn't disable the nodes.
>>
>> When the firmware disable a node before the kernel that means it change
>>
>> the DTB and that is a problem when you want to sign it. With my proposal
>>
>> the DTB remains the same.
>
> ???
>
> :/
>
> The DTB is used to pass the kernel command line, memory reservations,
> random seeds, and all manner of other things dynamically generated by
> firmware at boot-time. Apologies for being blunt but if "changing the
> DTB" is considered a problem then I can't help but think you're doing
> it wrong.
Yes but I would like to limit the number of cases where a firmware has
to change the DTB.
With this proposal nodes remain the same and embedded the firewall
configuration(s).
Until now firewall configuration is "static", the firmware disable (or
remove) the nodes not accessible from Linux.
If Linux can rely on node's firewall information it could allow switch
dynamically an hardware block from Linux to a coprocessor.
For example Linux could manage the display pipe configuration and when
going to suspend handover the display hardware block to a coprocessor in
charge a refreshing only some pixels.
Benjamin
>
> Robin.
On 1/29/20 12:17 PM, Mark Brown wrote:
> On Wed, Jan 29, 2020 at 10:52:40AM +0100, Greg KH wrote:
>
>> It just needs to be part of the bus logic for the specific bus that this
>> "firewall" is on. Just like we do the same thing for USB or thunderbolt
>> devices. Put this in the bus-specific code please.
> I'd expect that this is going to affect at least platform and AMBA
> buses.
Correct me if I'm wrong but creating a new type of bus would mean
that all the drivers living on this bus must be changed to register
themselves on this bus ?
Or does a solution exist to let them live on the platform bus and call
firewalled bus before been probed ?
All the impacted drivers could work on the existing bus with or without
the firewall so I don't want to break
that.
Benjamin
On Fri, Jan 31, 2020 at 08:37:27AM +0000, Benjamin GAIGNARD wrote:
>
> On 1/29/20 12:17 PM, Mark Brown wrote:
> > On Wed, Jan 29, 2020 at 10:52:40AM +0100, Greg KH wrote:
> >
> >> It just needs to be part of the bus logic for the specific bus that this
> >> "firewall" is on. Just like we do the same thing for USB or thunderbolt
> >> devices. Put this in the bus-specific code please.
> > I'd expect that this is going to affect at least platform and AMBA
> > buses.
>
> Correct me if I'm wrong but creating a new type of bus would mean
> that all the drivers living on this bus must be changed to register
> themselves on this bus ?
Yes.
> Or does a solution exist to let them live on the platform bus and call
> firewalled bus before been probed ?
Why do people want to abuse the platform bus so much? If a device is on
a bus that can have such a controller, then it is on a real bus, use it!
> All the impacted drivers could work on the existing bus with or without
> the firewall so I don't want to break
break what?
>
> that.
Odd line-break :)
Just register the driver on both busses, no big deal.
Stop abusing the platform bus code for things that it is not for.
thanks,
greg k-h
On 29/01/2020 1:40 pm, Benjamin GAIGNARD wrote:
>
> On 1/28/20 11:06 PM, Robin Murphy wrote:
>> On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
>>>
>>> On 1/28/20 6:17 PM, Sudeep Holla wrote:
>>>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
>>>>> On 1/28/20 5:36 PM, Sudeep Holla wrote:
>>>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
>>>>>>> Bus firewall framework aims to provide a kernel API to set the
>>>>>>> configuration
>>>>>>> of the harware blocks in charge of busses access control.
>>>>>>>
>>>>>>> Framework architecture is inspirated by pinctrl framework:
>>>>>>> - a default configuration could be applied before bind the driver.
>>>>>>> If a configuration could not be applied the driver is not bind
>>>>>>> to avoid doing accesses on prohibited regions.
>>>>>>> - configurations could be apllied dynamically by drivers.
>>>>>>> - device node provides the bus firewall configurations.
>>>>>>>
>>>>>>> An example of bus firewall controller is STM32 ETZPC hardware block
>>>>>>> which got 3 possible configurations:
>>>>>>> - trust: hardware blocks are only accessible by software running
>>>>>>> on trust
>>>>>>> zone (i.e op-tee firmware).
>>>>>>> - non-secure: hardware blocks are accessible by non-secure
>>>>>>> software (i.e.
>>>>>>> linux kernel).
>>>>>>> - coprocessor: hardware blocks are only accessible by the
>>>>>>> coprocessor.
>>>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC.
>>>>>>>
>>>>>> /me confused. Is ETZPC accessible from the non-secure kernel space to
>>>>>> begin with ? If so, is it allowed to configure hardware blocks as
>>>>>> secure
>>>>>> or trusted ? I am failing to understand the overall design of a
>>>>>> system
>>>>>> with ETZPC controller.
>>>>> Non-secure kernel could read the values set in ETZPC, if it doesn't
>>>>> match
>>>>> with what is required by the device node the driver won't be probed.
>>>>>
>>>> OK, but I was under the impression that it was made clear that Linux is
>>>> not firmware validation suite. The firmware need to ensure all the
>>>> devices
>>>> that are not accessible in the Linux kernel are marked as disabled and
>>>> this needs to happen before entering the kernel. So if this is what
>>>> this
>>>> patch series achieves, then there is no need for it. Please stop
>>>> pursuing
>>>> this any further or provide any other reasons(if any) to have it. Until
>>>> you have other reasons, NACK for this series.
>>>
>>> No it doesn't disable the nodes.
>>>
>>> When the firmware disable a node before the kernel that means it change
>>>
>>> the DTB and that is a problem when you want to sign it. With my proposal
>>>
>>> the DTB remains the same.
>>
>> ???
>>
>> :/
>>
>> The DTB is used to pass the kernel command line, memory reservations,
>> random seeds, and all manner of other things dynamically generated by
>> firmware at boot-time. Apologies for being blunt but if "changing the
>> DTB" is considered a problem then I can't help but think you're doing
>> it wrong.
>
> Yes but I would like to limit the number of cases where a firmware has
> to change the DTB.
Sure, but unless you can limit that number to strictly zero, then
presumably the firmware must have the general capability to verify,
modify, and re-sign a DTB. At that point having it also tweak the status
of nodes that it wants for itself doesn't seem like a particularly big ask.
> With this proposal nodes remain the same and embedded the firewall
> configuration(s).
>
> Until now firewall configuration is "static", the firmware disable (or
> remove) the nodes not accessible from Linux.
>
> If Linux can rely on node's firewall information it could allow switch
> dynamically an hardware block from Linux to a coprocessor.
>
> For example Linux could manage the display pipe configuration and when
> going to suspend handover the display hardware block to a coprocessor in
> charge a refreshing only some pixels.
And like I'm sure I said before, the interface between Linux and the
Secure environment to ultimately achieve that will almost certainly make
inspecting a passive status bit in a register redundant anyway.
In the interest of being productive, though, there is another way of
looking at this. If we drop the pretence that it's in any way generic or
ever going to be relevant beyond certain configurations of certain
STMicro SoCs, then in plain terms it's just some block of MMIO registers
that have *something* to do with various other devices. At that point,
the answer is just to treat it as a syscon and make the relevant drivers
for those SoCs aware of it. I'm most familiar with the "General Register
File" on Rockchip SoCs as a prime example of "bunch of registers that
relate to the integration of various IP blocks", which manages to be
supported just fine without invasive hooks in the driver core.
Robin.
On 1/28/20 12:06 PM, Benjamin GAIGNARD wrote:
>
> On 1/28/20 6:17 PM, Sudeep Holla wrote:
>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
>>> On 1/28/20 5:36 PM, Sudeep Holla wrote:
>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
>>>>> Bus firewall framework aims to provide a kernel API to set the configuration
>>>>> of the harware blocks in charge of busses access control.
>>>>>
>>>>> Framework architecture is inspirated by pinctrl framework:
>>>>> - a default configuration could be applied before bind the driver.
>>>>> If a configuration could not be applied the driver is not bind
>>>>> to avoid doing accesses on prohibited regions.
>>>>> - configurations could be apllied dynamically by drivers.
>>>>> - device node provides the bus firewall configurations.
>>>>>
>>>>> An example of bus firewall controller is STM32 ETZPC hardware block
>>>>> which got 3 possible configurations:
>>>>> - trust: hardware blocks are only accessible by software running on trust
>>>>> zone (i.e op-tee firmware).
>>>>> - non-secure: hardware blocks are accessible by non-secure software (i.e.
>>>>> linux kernel).
>>>>> - coprocessor: hardware blocks are only accessible by the coprocessor.
>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC.
>>>>>
>>>> /me confused. Is ETZPC accessible from the non-secure kernel space to
>>>> begin with ? If so, is it allowed to configure hardware blocks as secure
>>>> or trusted ? I am failing to understand the overall design of a system
>>>> with ETZPC controller.
>>> Non-secure kernel could read the values set in ETZPC, if it doesn't match
>>> with what is required by the device node the driver won't be probed.
>>>
>> OK, but I was under the impression that it was made clear that Linux is
>> not firmware validation suite. The firmware need to ensure all the devices
>> that are not accessible in the Linux kernel are marked as disabled and
>> this needs to happen before entering the kernel. So if this is what this
>> patch series achieves, then there is no need for it. Please stop pursuing
>> this any further or provide any other reasons(if any) to have it. Until
>> you have other reasons, NACK for this series.
>
> No it doesn't disable the nodes.
>
> When the firmware disable a node before the kernel that means it change
>
> the DTB and that is a problem when you want to sign it. With my proposal
>
> the DTB remains the same.
Could you use an overlay then which is the result of the firewalling
results by your firewall block, which is smaller than the main SoC/board
DTB and can be easily audited not to accidentally enable blocks, but
only disable them by adding/changing the respective "status" property.
Worst case, your driver probes, has been firewalled and this is not
reflected in the DTB, you get a bus error, or a hang, or however it gets
implemented.
Like Robin and Sudeep here, I do not understand why the kernel should
have any business in this, let alone allowing blocks to change owners,
that sounds contrary to the purpose of a firewall being controlled under
an untrusted entity (Linux).
--
Florian
On 1/29/20 5:40 AM, Benjamin GAIGNARD wrote:
>
> On 1/28/20 11:06 PM, Robin Murphy wrote:
>> On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
>>>
>>> On 1/28/20 6:17 PM, Sudeep Holla wrote:
>>>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
>>>>> On 1/28/20 5:36 PM, Sudeep Holla wrote:
>>>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
>>>>>>> Bus firewall framework aims to provide a kernel API to set the
>>>>>>> configuration
>>>>>>> of the harware blocks in charge of busses access control.
>>>>>>>
>>>>>>> Framework architecture is inspirated by pinctrl framework:
>>>>>>> - a default configuration could be applied before bind the driver.
>>>>>>> If a configuration could not be applied the driver is not bind
>>>>>>> to avoid doing accesses on prohibited regions.
>>>>>>> - configurations could be apllied dynamically by drivers.
>>>>>>> - device node provides the bus firewall configurations.
>>>>>>>
>>>>>>> An example of bus firewall controller is STM32 ETZPC hardware block
>>>>>>> which got 3 possible configurations:
>>>>>>> - trust: hardware blocks are only accessible by software running
>>>>>>> on trust
>>>>>>> zone (i.e op-tee firmware).
>>>>>>> - non-secure: hardware blocks are accessible by non-secure
>>>>>>> software (i.e.
>>>>>>> linux kernel).
>>>>>>> - coprocessor: hardware blocks are only accessible by the
>>>>>>> coprocessor.
>>>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC.
>>>>>>>
>>>>>> /me confused. Is ETZPC accessible from the non-secure kernel space to
>>>>>> begin with ? If so, is it allowed to configure hardware blocks as
>>>>>> secure
>>>>>> or trusted ? I am failing to understand the overall design of a
>>>>>> system
>>>>>> with ETZPC controller.
>>>>> Non-secure kernel could read the values set in ETZPC, if it doesn't
>>>>> match
>>>>> with what is required by the device node the driver won't be probed.
>>>>>
>>>> OK, but I was under the impression that it was made clear that Linux is
>>>> not firmware validation suite. The firmware need to ensure all the
>>>> devices
>>>> that are not accessible in the Linux kernel are marked as disabled and
>>>> this needs to happen before entering the kernel. So if this is what
>>>> this
>>>> patch series achieves, then there is no need for it. Please stop
>>>> pursuing
>>>> this any further or provide any other reasons(if any) to have it. Until
>>>> you have other reasons, NACK for this series.
>>>
>>> No it doesn't disable the nodes.
>>>
>>> When the firmware disable a node before the kernel that means it change
>>>
>>> the DTB and that is a problem when you want to sign it. With my proposal
>>>
>>> the DTB remains the same.
>>
>> ???
>>
>> :/
>>
>> The DTB is used to pass the kernel command line, memory reservations,
>> random seeds, and all manner of other things dynamically generated by
>> firmware at boot-time. Apologies for being blunt but if "changing the
>> DTB" is considered a problem then I can't help but think you're doing
>> it wrong.
>
> Yes but I would like to limit the number of cases where a firmware has
> to change the DTB.
>
> With this proposal nodes remain the same and embedded the firewall
> configuration(s).
>
> Until now firewall configuration is "static", the firmware disable (or
> remove) the nodes not accessible from Linux.
>
> If Linux can rely on node's firewall information it could allow switch
> dynamically an hardware block from Linux to a coprocessor.
>
> For example Linux could manage the display pipe configuration and when
> going to suspend handover the display hardware block to a coprocessor in
> charge a refreshing only some pixels.
OK, let's continue that example, would not it make sense then to just
steal the peripheral away from Linux by ensuring that Linux is no longer
running and the only thing that you need to make sure of is that either
you restore the HW in the exact same that you stole it from, or that
Linux is capable of refreshing its state against what the HW state was
left in?
If you have a set of display pipeline drivers, on your way to suspend,
you can define a protocol with the co-processor so as to signal an
ownership change, and the co-processor can take control from there.
In your example, it sounds like the firewall could be meant to detect
uncoordinated concurrent accesses to the same HW block between different
SW/FW entities. If that is the case, this is most likely a bug and you
can probably just get away with doing reporting instead of an entirely
new subsystem?
--
Florian
On Fri, Jan 31, 2020 at 12:48:33PM -0800, Florian Fainelli wrote:
> Like Robin and Sudeep here, I do not understand why the kernel should
> have any business in this, let alone allowing blocks to change owners,
> that sounds contrary to the purpose of a firewall being controlled under
> an untrusted entity (Linux).
Can we rely on there being a more trusted level of software than
Linux on a system? It wasn't standard to have anything on 32 bit
Arm systems as far as I remember so you could end up with some IP
blocks intended to support TrustZone sitting idle.
On 1/31/20 7:25 PM, Robin Murphy wrote:
> On 29/01/2020 1:40 pm, Benjamin GAIGNARD wrote:
>>
>> On 1/28/20 11:06 PM, Robin Murphy wrote:
>>> On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
>>>>
>>>> On 1/28/20 6:17 PM, Sudeep Holla wrote:
>>>>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
>>>>>> On 1/28/20 5:36 PM, Sudeep Holla wrote:
>>>>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
>>>>>>>> Bus firewall framework aims to provide a kernel API to set the
>>>>>>>> configuration
>>>>>>>> of the harware blocks in charge of busses access control.
>>>>>>>>
>>>>>>>> Framework architecture is inspirated by pinctrl framework:
>>>>>>>> - a default configuration could be applied before bind the driver.
>>>>>>>> If a configuration could not be applied the driver is not
>>>>>>>> bind
>>>>>>>> to avoid doing accesses on prohibited regions.
>>>>>>>> - configurations could be apllied dynamically by drivers.
>>>>>>>> - device node provides the bus firewall configurations.
>>>>>>>>
>>>>>>>> An example of bus firewall controller is STM32 ETZPC hardware
>>>>>>>> block
>>>>>>>> which got 3 possible configurations:
>>>>>>>> - trust: hardware blocks are only accessible by software running
>>>>>>>> on trust
>>>>>>>> zone (i.e op-tee firmware).
>>>>>>>> - non-secure: hardware blocks are accessible by non-secure
>>>>>>>> software (i.e.
>>>>>>>> linux kernel).
>>>>>>>> - coprocessor: hardware blocks are only accessible by the
>>>>>>>> coprocessor.
>>>>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC.
>>>>>>>>
>>>>>>> /me confused. Is ETZPC accessible from the non-secure kernel
>>>>>>> space to
>>>>>>> begin with ? If so, is it allowed to configure hardware blocks as
>>>>>>> secure
>>>>>>> or trusted ? I am failing to understand the overall design of a
>>>>>>> system
>>>>>>> with ETZPC controller.
>>>>>> Non-secure kernel could read the values set in ETZPC, if it doesn't
>>>>>> match
>>>>>> with what is required by the device node the driver won't be probed.
>>>>>>
>>>>> OK, but I was under the impression that it was made clear that
>>>>> Linux is
>>>>> not firmware validation suite. The firmware need to ensure all the
>>>>> devices
>>>>> that are not accessible in the Linux kernel are marked as disabled
>>>>> and
>>>>> this needs to happen before entering the kernel. So if this is what
>>>>> this
>>>>> patch series achieves, then there is no need for it. Please stop
>>>>> pursuing
>>>>> this any further or provide any other reasons(if any) to have it.
>>>>> Until
>>>>> you have other reasons, NACK for this series.
>>>>
>>>> No it doesn't disable the nodes.
>>>>
>>>> When the firmware disable a node before the kernel that means it
>>>> change
>>>>
>>>> the DTB and that is a problem when you want to sign it. With my
>>>> proposal
>>>>
>>>> the DTB remains the same.
>>>
>>> ???
>>>
>>> :/
>>>
>>> The DTB is used to pass the kernel command line, memory reservations,
>>> random seeds, and all manner of other things dynamically generated by
>>> firmware at boot-time. Apologies for being blunt but if "changing the
>>> DTB" is considered a problem then I can't help but think you're doing
>>> it wrong.
>>
>> Yes but I would like to limit the number of cases where a firmware has
>> to change the DTB.
>
> Sure, but unless you can limit that number to strictly zero, then
> presumably the firmware must have the general capability to verify,
> modify, and re-sign a DTB. At that point having it also tweak the
> status of nodes that it wants for itself doesn't seem like a
> particularly big ask.
>
>> With this proposal nodes remain the same and embedded the firewall
>> configuration(s).
>>
>> Until now firewall configuration is "static", the firmware disable (or
>> remove) the nodes not accessible from Linux.
>>
>> If Linux can rely on node's firewall information it could allow switch
>> dynamically an hardware block from Linux to a coprocessor.
>>
>> For example Linux could manage the display pipe configuration and when
>> going to suspend handover the display hardware block to a coprocessor in
>> charge a refreshing only some pixels.
>
> And like I'm sure I said before, the interface between Linux and the
> Secure environment to ultimately achieve that will almost certainly
> make inspecting a passive status bit in a register redundant anyway.
It is not only about secure and non secure hardware blocks split but
also about the split with the coprocessor.
The goal is to describe, in the device tree, these possible
configurations to be able to use them dynamically rather than
having a static configuration. It could also help to detect
misconfiguration between the firewall and the DT nodes.
>
> In the interest of being productive, though, there is another way of
> looking at this. If we drop the pretence that it's in any way generic
> or ever going to be relevant beyond certain configurations of certain
> STMicro SoCs, then in plain terms it's just some block of MMIO
> registers that have *something* to do with various other devices. At
> that point, the answer is just to treat it as a syscon and make the
> relevant drivers for those SoCs aware of it. I'm most familiar with
> the "General Register File" on Rockchip SoCs as a prime example of
> "bunch of registers that relate to the integration of various IP
> blocks", which manages to be supported just fine without invasive
> hooks in the driver core.
I had thought to use syscon but there is some problems with that way: if
the firewall hardware change the way it encode the information you have
change all it customers. That would mean add in each driver a test to
detect the firewall version and act accordingly. That doesn't sound
reasonable to me so I decide to create an interface to abstract the
firewall to avoid this problem.
I could reuse this interface in the ~40 impacted drivers (not all
dedicated to STMicro SoCs) but adding it in the driver core as a generic
service was making more sens for me. Note that I have take care of using
a compilation flag to not impact the others architectures.
Benjamin
>
> Robin.
On 1/31/20 9:51 PM, Florian Fainelli wrote:
> On 1/29/20 5:40 AM, Benjamin GAIGNARD wrote:
>> On 1/28/20 11:06 PM, Robin Murphy wrote:
>>> On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote:
>>>> On 1/28/20 6:17 PM, Sudeep Holla wrote:
>>>>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote:
>>>>>> On 1/28/20 5:36 PM, Sudeep Holla wrote:
>>>>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote:
>>>>>>>> Bus firewall framework aims to provide a kernel API to set the
>>>>>>>> configuration
>>>>>>>> of the harware blocks in charge of busses access control.
>>>>>>>>
>>>>>>>> Framework architecture is inspirated by pinctrl framework:
>>>>>>>> - a default configuration could be applied before bind the driver.
>>>>>>>> If a configuration could not be applied the driver is not bind
>>>>>>>> to avoid doing accesses on prohibited regions.
>>>>>>>> - configurations could be apllied dynamically by drivers.
>>>>>>>> - device node provides the bus firewall configurations.
>>>>>>>>
>>>>>>>> An example of bus firewall controller is STM32 ETZPC hardware block
>>>>>>>> which got 3 possible configurations:
>>>>>>>> - trust: hardware blocks are only accessible by software running
>>>>>>>> on trust
>>>>>>>> zone (i.e op-tee firmware).
>>>>>>>> - non-secure: hardware blocks are accessible by non-secure
>>>>>>>> software (i.e.
>>>>>>>> linux kernel).
>>>>>>>> - coprocessor: hardware blocks are only accessible by the
>>>>>>>> coprocessor.
>>>>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC.
>>>>>>>>
>>>>>>> /me confused. Is ETZPC accessible from the non-secure kernel space to
>>>>>>> begin with ? If so, is it allowed to configure hardware blocks as
>>>>>>> secure
>>>>>>> or trusted ? I am failing to understand the overall design of a
>>>>>>> system
>>>>>>> with ETZPC controller.
>>>>>> Non-secure kernel could read the values set in ETZPC, if it doesn't
>>>>>> match
>>>>>> with what is required by the device node the driver won't be probed.
>>>>>>
>>>>> OK, but I was under the impression that it was made clear that Linux is
>>>>> not firmware validation suite. The firmware need to ensure all the
>>>>> devices
>>>>> that are not accessible in the Linux kernel are marked as disabled and
>>>>> this needs to happen before entering the kernel. So if this is what
>>>>> this
>>>>> patch series achieves, then there is no need for it. Please stop
>>>>> pursuing
>>>>> this any further or provide any other reasons(if any) to have it. Until
>>>>> you have other reasons, NACK for this series.
>>>> No it doesn't disable the nodes.
>>>>
>>>> When the firmware disable a node before the kernel that means it change
>>>>
>>>> the DTB and that is a problem when you want to sign it. With my proposal
>>>>
>>>> the DTB remains the same.
>>> ???
>>>
>>> :/
>>>
>>> The DTB is used to pass the kernel command line, memory reservations,
>>> random seeds, and all manner of other things dynamically generated by
>>> firmware at boot-time. Apologies for being blunt but if "changing the
>>> DTB" is considered a problem then I can't help but think you're doing
>>> it wrong.
>> Yes but I would like to limit the number of cases where a firmware has
>> to change the DTB.
>>
>> With this proposal nodes remain the same and embedded the firewall
>> configuration(s).
>>
>> Until now firewall configuration is "static", the firmware disable (or
>> remove) the nodes not accessible from Linux.
>>
>> If Linux can rely on node's firewall information it could allow switch
>> dynamically an hardware block from Linux to a coprocessor.
>>
>> For example Linux could manage the display pipe configuration and when
>> going to suspend handover the display hardware block to a coprocessor in
>> charge a refreshing only some pixels.
> OK, let's continue that example, would not it make sense then to just
> steal the peripheral away from Linux by ensuring that Linux is no longer
> running and the only thing that you need to make sure of is that either
> you restore the HW in the exact same that you stole it from, or that
> Linux is capable of refreshing its state against what the HW state was
> left in?
>
> If you have a set of display pipeline drivers, on your way to suspend,
> you can define a protocol with the co-processor so as to signal an
> ownership change, and the co-processor can take control from there.
To handover a hardware block to the co-processor we need to inform it
and change the firewall configuration.
My proposal only aim to cover this last point by describing in the
device tree the possible configuration.
The example I had mind is how the pinctrl framework is working with it
states so doing something like changing firewall configuration and then
inform the co-processor in suspend function.
>
> In your example, it sounds like the firewall could be meant to detect
> uncoordinated concurrent accesses to the same HW block between different
> SW/FW entities. If that is the case, this is most likely a bug and you
> can probably just get away with doing reporting instead of an entirely
> new subsystem?
Prohibited accesses, most of the time, generate an abort on the bus so
your platform just crash and yes it is a bug.
This new subsystem won't change that, it only allow to describe and
dynamically set a configuration for DT information rather doing that for
type of firewall.
Benjamin
On Fri, Jan 31, 2020 at 10:06 AM Greg KH <[email protected]> wrote:
> Why do people want to abuse the platform bus so much? If a device is on
> a bus that can have such a controller, then it is on a real bus, use it!
I'm not saying it is a good thing, but the reason why it is (ab)used so
much can be found in:
drivers/of/platform.c
TL;DR: struct platform_device is the Device McDeviceFace and
platform bus the Bus McBusFace used by the device tree parser since
it is slightly to completely unaware of what devices it is actually
spawning.
And everything and its dog is using device tree in the embedded
world. (A quick glance in drivers/acpi gives me the impression
that ACPI is doing the very same thing but I am not a domain expert
there so I am not really sure.)
Whenever a device is created from a device tree it gets spawned
on either the platform bus or the amba bus. In 99 cases out of
100 it is going to be a platform_device.
In most device trees all devices ultimately spawn from the device
tree and the root of absolutely everything including irq chips on
the SoC, timers, PCI hosts and USB root hubs and whatnot is a
platform device, because that is how the core device tree parser has
chosen to spawn off devices.
This generic code goes back to
commit eca3930163ba8884060ce9d9ff5ef0d9b7c7b00f
"of: Merge of_platform_bus_type with platform_bus_type"
where the device tree-specific bus was replaced by the
platform bus. This code was then moved down to drivers/of
and used in multiple architectures. Grant's patch makes perfect
sense because at the time some devices were created using board
files (thus platform_device) and others using device tree and having
two different probe paths and driver files for this reason alone
was not reasonable. The same reasoning will apply to ACPI
vs device tree drivers.
What we *could* have done was to handle special devices
special, like happened for AMBA PrimeCells. Mea Culpa, I suppose
I am one of the guilty.
Supporting new bus types for root devices in systems described
in device tree would requiring patching drivers/of/platform.c
and people are afraid of that because the code there is pretty
complex.
Instead platform_device is (ab)used to carry stuff over from the
device tree to respective subsystem.
In some cases the struct platform_device from device tree is
discarded after use, it is just left dangling in memory with no other
purpose than to serve as .parent for whatever device on whatever
bus we were really creating.
For some devices such as root irq_chips they serve no purpose
whatsoever, they are just created and sitting around never
to be probed, because the code instantiating them parse the
device tree directly.
For the devices that actually probe to drive a piece of silicon,
arguably a different type of device on a different bus should be
created, such as (I am making this up) struct soc_device
on soc_bus. (Incidentally soc_bus exists, but its current use case
is not for this.)
I don't really see any better option for Benjamin or anyone else
though?
The reason why it is used so much should at least be clarified
now I think.
Yours,
Linus Walleij
On Fri, Feb 14, 2020 at 05:05:07PM +0100, Linus Walleij wrote:
> On Fri, Jan 31, 2020 at 10:06 AM Greg KH <[email protected]> wrote:
>
> > Why do people want to abuse the platform bus so much? If a device is on
> > a bus that can have such a controller, then it is on a real bus, use it!
>
> I'm not saying it is a good thing, but the reason why it is (ab)used so
> much can be found in:
> drivers/of/platform.c
>
> TL;DR: struct platform_device is the Device McDeviceFace and
> platform bus the Bus McBusFace used by the device tree parser since
> it is slightly to completely unaware of what devices it is actually
> spawning.
<snip>
Yeah, great explaination, and I understand. DT stuff really is ok to be
on a platform bus, as that's what almost all of them are.
But, when you try to start messing around with things like this
"firewall" says it is doing, it's then obvious that this really isn't a
DT like thing, but rather you do have a bus involved with a controller
so that should be used instead.
Or just filter away the DT stuff so that the kernel never even sees
those devices, which might just be simplest :)
thanks,
greg k-h
On 2/14/20 10:40 PM, Greg KH wrote:
> On Fri, Feb 14, 2020 at 05:05:07PM +0100, Linus Walleij wrote:
>> On Fri, Jan 31, 2020 at 10:06 AM Greg KH <[email protected]> wrote:
>>
>>> Why do people want to abuse the platform bus so much? If a device is on
>>> a bus that can have such a controller, then it is on a real bus, use it!
>> I'm not saying it is a good thing, but the reason why it is (ab)used so
>> much can be found in:
>> drivers/of/platform.c
>>
>> TL;DR: struct platform_device is the Device McDeviceFace and
>> platform bus the Bus McBusFace used by the device tree parser since
>> it is slightly to completely unaware of what devices it is actually
>> spawning.
> <snip>
>
> Yeah, great explaination, and I understand. DT stuff really is ok to be
> on a platform bus, as that's what almost all of them are.
>
> But, when you try to start messing around with things like this
> "firewall" says it is doing, it's then obvious that this really isn't a
> DT like thing, but rather you do have a bus involved with a controller
> so that should be used instead.
Ok but how put in place a new bus while keeping the devices on platform
bus to avoid changing all the drivers ?
>
> Or just filter away the DT stuff so that the kernel never even sees
> those devices, which might just be simplest :)
yes but we lost the possibility to change the firewall configuration at
run time. I do expect to be able to describe in the DT firewall configuration
and to use them at run time. That could allow, for example, to handover
a HW block to the coprocessor when the main core is going to be suspended
to save power.
Benjamin
>
> thanks,
>
> greg k-h
On Sat, Feb 15, 2020 at 12:41:07PM +0000, Benjamin GAIGNARD wrote:
>
> On 2/14/20 10:40 PM, Greg KH wrote:
> > On Fri, Feb 14, 2020 at 05:05:07PM +0100, Linus Walleij wrote:
> >> On Fri, Jan 31, 2020 at 10:06 AM Greg KH <[email protected]> wrote:
> >>
> >>> Why do people want to abuse the platform bus so much? If a device is on
> >>> a bus that can have such a controller, then it is on a real bus, use it!
> >> I'm not saying it is a good thing, but the reason why it is (ab)used so
> >> much can be found in:
> >> drivers/of/platform.c
> >>
> >> TL;DR: struct platform_device is the Device McDeviceFace and
> >> platform bus the Bus McBusFace used by the device tree parser since
> >> it is slightly to completely unaware of what devices it is actually
> >> spawning.
> > <snip>
> >
> > Yeah, great explaination, and I understand. DT stuff really is ok to be
> > on a platform bus, as that's what almost all of them are.
> >
> > But, when you try to start messing around with things like this
> > "firewall" says it is doing, it's then obvious that this really isn't a
> > DT like thing, but rather you do have a bus involved with a controller
> > so that should be used instead.
>
> Ok but how put in place a new bus while keeping the devices on platform
> bus to avoid changing all the drivers ?
You don't, you put them all on your real bus, as that is what you now
have.
> > Or just filter away the DT stuff so that the kernel never even sees
> > those devices, which might just be simplest :)
>
> yes but we lost the possibility to change the firewall configuration at
> run time. I do expect to be able to describe in the DT firewall configuration
> and to use them at run time. That could allow, for example, to handover
> a HW block to the coprocessor when the main core is going to be suspended
> to save power.
Then use a real bus :)
thanks,
greg k-h