Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3619674yba; Tue, 23 Apr 2019 06:58:47 -0700 (PDT) X-Google-Smtp-Source: APXvYqzFCbIGNblpDO+ghVi8rKVDUT47hA5tlVHXfeH8Ba3zUCfanyUeIBSdDwdWSNh/Scaeg1d7 X-Received: by 2002:a65:51c9:: with SMTP id i9mr25108931pgq.187.1556027927736; Tue, 23 Apr 2019 06:58:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556027927; cv=none; d=google.com; s=arc-20160816; b=d0/GtanURc3H0xRXZTlYjpec4F4uj51YywcS94aofuTHVzrVZioYsCHQT0QJee1jkN e2npdMZ/VcGQyXreIwJlvHVBp4bghiJ/dN9EfLA0GFC6w3sqkqwdRqPz7qNm6tPxAAPt +wnl9F6zfouBtlF5mlRzz9UybeQ5fk+cmi/DjrPP/Y33C/cuVQTre0N30NiF/RaeF2vL nCL5/VFUWko72NAk24oQd0vvkjUK+6tA7izEnXWC5iQHqeZ0tk7OxMeo/FEY4W8iHGQ3 s7mKY2nkJ8ux2r6g6XG/A47/qfg+Kz+WU362YYr6fAP6uSgpPddiw/Xf5JxwkIVp/yR9 cjdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=acdBwGND2c6XIoK+32w/ZVeuvkDpYK2f+KnR9YEdXZc=; b=kVGoApHUgtpiOg57BhvGhsSdWjazc2GsC9Y3SkO3isIfy6hDLuVD3nfJCfs+CW5dj1 6PEKISH1dsc+FTS9TD265vQf+Mev1SpYyr7VqFm99nH4Tx7BZC8wnG/5BbJigf4AittR KEiyVQqB+wEljboD7TNN25Nr0+oRjunUh+4mr0U+xAYgopXr7QgGqkg234DD3vH6HHmq ygFc70z3KVXvo9Fhm147BC6uRYkJxJ/s/uEN2ZAHxbm7RQKu1ToUDt0I1SsLRT16f6x9 Q0qeA5fGrwZOfbnRwWSOz77eY2aG0IhOAm7ZZxFI9tEv5L80bVhgn+5M+MOy3z5+PfZ3 BMWA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q2si17013790pfi.165.2019.04.23.06.58.32; Tue, 23 Apr 2019 06:58:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727956AbfDWNz5 (ORCPT + 99 others); Tue, 23 Apr 2019 09:55:57 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:56860 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727225AbfDWNz5 (ORCPT ); Tue, 23 Apr 2019 09:55:57 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 14B20EBD; Tue, 23 Apr 2019 06:55:56 -0700 (PDT) Received: from e107155-lin (e107155-lin.cambridge.arm.com [10.1.196.42]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 963583F238; Tue, 23 Apr 2019 06:55:53 -0700 (PDT) Date: Tue, 23 Apr 2019 14:55:50 +0100 From: Sudeep Holla To: Benjamin GAIGNARD Cc: Benjamin Gaignard , Mark Brown , Rob Herring , Arnd Bergmann , Shawn Guo , "s.hauer@pengutronix.de" , Fabio Estevam , Loic PALLARDY , Greg Kroah-Hartman , Linux Kernel Mailing List , "linux-imx@nxp.com" , "kernel@pengutronix.de" , Linux ARM Subject: Re: [RESEND PATCH 0/7] Introduce bus domains controller framework Message-ID: <20190423135550.GB3892@e107155-lin> References: <20190318100605.29120-1-benjamin.gaignard@st.com> <20190318104343.GA15574@e107155-lin> <20190423132116.GA3892@e107155-lin> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 23, 2019 at 01:33:19PM +0000, Benjamin GAIGNARD wrote: > > On 4/23/19 3:21 PM, Sudeep Holla wrote: > > On Mon, Mar 18, 2019 at 12:05:54PM +0100, Benjamin Gaignard wrote: > >> Le lun. 18 mars 2019 à 11:43, Sudeep Holla a écrit : > >>> On Mon, Mar 18, 2019 at 11:05:58AM +0100, Benjamin Gaignard wrote: > >>>> Bus domains controllers allow to divided system on chip into multiple domains > >>>> that can be used to select by who hardware blocks could be accessed. > >>>> A domain could be a cluster of CPUs (or coprocessors), a range of addresses or > >>>> a group of hardware blocks. > >>>> > >>>> Framework architecture is inspirated by pinctrl framework: > >>>> - a default configuration could be applied before bind the driver > >>>> - configurations could be apllied dynamically by drivers > >>>> - device node provides the bus domains configurations > >>>> > >>>> An example of bus domains controller is STM32 ETZPC hardware block > >>>> which got 3 domains: > >>>> - secure: hardware blocks are only accessible by software running on trust > >>>> zone. > >>>> - non-secure: hardware blocks are accessible by non-secure software (i.e. > >>>> linux kernel). > >>>> - coprocessor: hardware blocks are only accessible by the corpocessor. > >>>> Up to 94 hardware blocks of the soc could be managed by ETZPC and > >>>> assigned to one of the three domains. > >>>> > >>> You fail to explain why do we need this in non-secure Linux ? > >>> You need to have solid reasons as why this can't be done in secure > >>> firmware. And yes I mean even on arm32. On platforms with such hardware > >>> capabilities you will need some secure firmware to be running and these > >>> things can be done there. I don't want this enabled for ARM64 at all, > >>> firmware *has to deal* with this. > >> We use ETZPC to define if hardware blocks can be used by Cortex A7 or Cortex > >> M4 (both non-secure) on STM32MP1 SoC, this new framework allow to change > >> hardware block split at runtime. This could be done even on non-secure world > >> because their is nothing critical to change hardware blocks users. > > OK, that's interesting, assuming Cortex M4 execution as non-secure. I would > > expect otherwise. Even if it's configurable, I would see that happen in > > secure entity via OPTEE or something similar from non-secure side. > Your assumption is correct Cortex M4 execution is non-secure. Sorry if I was not clear. I told Cortex M4 non-secure execution is interesting as I expected it to be secure. > > > > Do you have any documents that I can refer to get the overall security > > design for such platforms ? > > SoC datasheet is here: > > https://www.st.com/resource/en/datasheet/stm32mp157a.pdf > > with just few words about ETZPC: > > 3.14 TrustZone protection controller (ETZPC) > ETZPC is used to configure TrustZone security of bus masters and slaves with > programmable-security attributes (securable resources) such as: > • On-chip SYSRAM with programmable secure region size > • AHB and APB peripherals to be made secure > Notice that by default, SYSRAM and peripheral are set to secure access > only, so, not accessible by non-secure masters such as Cortex-M4 or DMA1/DMA2. > ETZPC can also allocate peripherals and SRAM to be accessible only by > the Cortex-M4 and/or DMA1/DMA2. This ensures the safe execution of the > Cortex-M4 firmware, protected from other masters (e.g. Cortex-A7) unwanted > accesses. > The above statement makes me wonder if Cortex-M4 firmware is really non-secure, if so why does it need such an isolation from other masters like Cortex-A7. For me Cortex-M4 is secure and Cortex-A7 can execute in non-secure hence Cortex-M4 needs to be isolated from Cortex-A7 as mentioned in the above excerpts from the datasheet. -- Regards, Sudeep