Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp632105img; Wed, 20 Mar 2019 07:46:00 -0700 (PDT) X-Google-Smtp-Source: APXvYqw+1cenkrj8AAlcfhLERVSifIDNPgOoZ+C5Ai0eFR+j3iRxEGocmeKEdAAmvVUW7ask+hI8 X-Received: by 2002:a63:104d:: with SMTP id 13mr5610250pgq.343.1553093160181; Wed, 20 Mar 2019 07:46:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553093160; cv=none; d=google.com; s=arc-20160816; b=mf5Q75o/ci3M9AjDF0vd2cojem6TliRnSraJtXQciLQzvh+0VNchrl2g0fh9mgRQab A7QhjQEK19Yon9YbbcBZg6OZNjYCHrH5dB0jKiJOls5bZvMMQapnajAJ34sBKiUG9rdN 1kcjYCSPySf4huLPuc/z+dMk5S4o2cJoVZSJaCCtgMYL3/V9gOuFJ7b0Q2TlnlO4Oxes Pio7a9kK+rbvwtsNyCd9jre9pbX80IZUhOmH8t0FafCEUrJ3XowEu5wQqlmdPS0gQGK5 ofuOtgLqifiKylqiByclbwvQrzzm5r63+VqAKCgSYKXm/Pgbz8osWEVePEfMmJPBAlhq Aehg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=21XJBEUzYaEtEtGW1tH8M0L395mqIwwx2Kbu7w78btU=; b=JUjviIB25noJvquIqtyufLEuhpJr7+/lgSWCNmsu0v2IMfmzAqvRp696JY+eiLNFVj 0f7scdGT6ezLuRANLL4i8kdcL9k5SG7uVsx05n3ra9qswjHlnbQiqFTd0baip9o9TjmM O8TfApXkEJFVWXX8kGfwTEXGwhklsZ9rfOytBkBW7YUt/SZ4PCPoSaQUvDhqGnsW1Xp1 H7T47HIHxaplYm7hlr0pa2XDw8bWyrvVnb0N/XOphXcZEOKTHfk4BnRFD6xggA1fephj NfJkHtjAZcX+BtnDApnmoWUarUFWFqnN/1ORkOZEwHRpq20hYa1W5msapMg96lar00pG Zl1w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ti.com header.s=ti-com-17Q1 header.b=IxZiFyfb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=ti.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c22si1891741pgj.405.2019.03.20.07.45.44; Wed, 20 Mar 2019 07:46:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ti.com header.s=ti-com-17Q1 header.b=IxZiFyfb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=ti.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726916AbfCTOon (ORCPT + 99 others); Wed, 20 Mar 2019 10:44:43 -0400 Received: from lelv0143.ext.ti.com ([198.47.23.248]:38440 "EHLO lelv0143.ext.ti.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725996AbfCTOon (ORCPT ); Wed, 20 Mar 2019 10:44:43 -0400 Received: from lelv0266.itg.ti.com ([10.180.67.225]) by lelv0143.ext.ti.com (8.15.2/8.15.2) with ESMTP id x2KEiOmt064455; Wed, 20 Mar 2019 09:44:24 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com; s=ti-com-17Q1; t=1553093064; bh=21XJBEUzYaEtEtGW1tH8M0L395mqIwwx2Kbu7w78btU=; h=Subject:To:CC:References:From:Date:In-Reply-To; b=IxZiFyfbhvfb9dGt1QKl/NoHRitoLXL1YeMF/lA6JToiXZ6ZC6vORjdcfTw911zn7 ZsNgvmlWqlou+I08ej+RXdJLlSL9bZfZWb1YMCa0K8eZTEUoqbJiIw3zmfe23jJDCv UXTZxGKg3haZmnrnUoe92kxMMzWaVVZauv8F+Fuw= Received: from DFLE102.ent.ti.com (dfle102.ent.ti.com [10.64.6.23]) by lelv0266.itg.ti.com (8.15.2/8.15.2) with ESMTPS id x2KEiOa5087943 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 20 Mar 2019 09:44:24 -0500 Received: from DFLE103.ent.ti.com (10.64.6.24) by DFLE102.ent.ti.com (10.64.6.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Wed, 20 Mar 2019 09:44:24 -0500 Received: from dlep33.itg.ti.com (157.170.170.75) by DFLE103.ent.ti.com (10.64.6.24) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1713.5 via Frontend Transport; Wed, 20 Mar 2019 09:44:24 -0500 Received: from [10.250.67.168] (ileax41-snat.itg.ti.com [10.172.224.153]) by dlep33.itg.ti.com (8.14.3/8.13.8) with ESMTP id x2KEiN6m025567; Wed, 20 Mar 2019 09:44:23 -0500 Subject: Re: [RFC][PATCH 0/5 v2] DMA-BUF Heaps (destaging ION) To: Benjamin Gaignard , John Stultz CC: Rob Clark , Alistair Strachan , Vincent Donnefort , Greg KH , Chenbo Feng , lkml , Liam Mark , Marissa Wall , dri-devel References: <1551819273-640-1-git-send-email-john.stultz@linaro.org> From: "Andrew F. Davis" Message-ID: Date: Wed, 20 Mar 2019 09:44:23 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 8bit X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 3/20/19 4:16 AM, Benjamin Gaignard wrote: > Le mar. 19 mars 2019 à 23:36, John Stultz a écrit : >> >> On Tue, Mar 19, 2019 at 2:58 PM Rob Clark wrote: >>> >>> On Tue, Mar 19, 2019 at 1:00 PM Andrew F. Davis wrote: >>>> >>>> On 3/19/19 11:54 AM, Benjamin Gaignard wrote: >>>>> Le mer. 13 mars 2019 à 23:31, John Stultz a écrit : >>>>>> >>>>>> On Wed, Mar 13, 2019 at 1:11 PM Liam Mark wrote: >>>>>>> On Tue, 5 Mar 2019, John Stultz wrote: >>>>>>>> >>>>>>>> Eventual TODOS: >>>>>>>> * Reimplement page-pool for system heap (working on this) >>>>>>>> * Add stats accounting to system/cma heaps >>>>>>>> * Make the kselftest actually useful >>>>>>>> * Add other heaps folks see as useful (would love to get >>>>>>>> some help from actual carveout/chunk users)! >>>>>>> >>>>>>> We use a modified carveout heap for certain secure use cases. >>>>>> >>>>>> Cool! It would be great to see if you have any concerns about adding >>>>>> such a secure-carveout heap to this framework. I suspect it would be >>>>>> fairly similar to how its integrated into ION, but particularly I'd be >>>>>> interested in issues around the lack of private flags and other >>>>>> allocation arguments like alignment. >>>>>> >>>>>>> Although there would probably be some benefit in discssing how the dma-buf >>>>>>> heap framework may want to support >>>>>>> secure heaps in the future it is a large topic which I assume you don't >>>>>>> want to tackle now. >>>>>> >>>>>> So I suspect others (Benjamin?) would have a more informed opinion on >>>>>> the details, but the intent is to allow secure heap implementations. >>>>>> I'm not sure what areas of concern you have for this allocation >>>>>> framework in particular? >>>>> >>>>> yes I would be great to understand how you provide the information to >>>>> tell that a dmabuf >>>>> is secure (or not) since we can't add flag in dmabuf structure itself. >>>>> An option is manage >>>>> the access rights when a device attach itself to the dmabuf but in >>>>> this case you need define >>>>> a list of allowed devices per heap... >>>>> If you have a good solution for secure heaps you are welcome :-) >>>>> >>>> >>>> Do we really need any of that? A secure buffer is secured by the >>>> hardware firewalls that keep out certain IP (including often the >>>> processor running Linux). So the only thing we need to track internally >>>> is that we should not allow mmap/kmap on the buffer. That can be done in >>>> the per-heap layer, everything else stays the same as a standard >>>> carveout heap. >>> >>> For at least some hw the importing driver needs to configure things >>> differently for secure buffers :-/ >> >> Does the import ioctl need/use a flag for that then? Userland already >> has to keep meta-data about dmabufs around. > > To secure a buffer you need to know who is allowed to write/read it and > hardware block involved in the dataflow may need to know that the buffer > is secure to configure themself. > As example for a video decoding you allow hw video decoder to read in > a buffer and display to read it. You can also allow cpu to write on the buffer > to add subtitles. For that we need to be able to mmap/kmap the buffer. > Using a carveout heap for secure buffer mean that you reserved a large > memory region only for this purpose, that isn't possible on embedded device > where we are always limited in memory so we use CMA. > In the past I have used dmabuf's attach function to know who write into > the buffer and then configure who will be able to read it. It was working well > but the issue was how to in generic way this behavior. > Okay, I think I see what you are saying now. The way we handle secure playback is to firewall everything upfront and it is up to the application to inform the hardware about what it can and cannot do to the buffer, or simply not ask anything not allowed (E.g. writeback the decrypted stream) else it will get a firewall exception. The buffer itself doesn't have to carry any information. It sounds like you want the hardware driver to be able to detect the use-case based on the buffer itself and configure itself accordingly? Or the exporter at attach time to check access permissions? The first would need a change to DMA-BUF framework, maybe an added flag. The second would just need a heap exporter with the system wide smarts, but as you say that is not very generic.. Andrew >> >> thanks >> -john