From: Geert Uytterhoeven
Date: Mon, 6 Jan 2020 09:06:53 +0100
Subject: Re: [PATCH v3 6/7] docs: gpio: Add GPIO Aggregator/Repeater documentation
To: Linus Walleij
Cc: Geert Uytterhoeven, Bartosz Golaszewski, Jonathan Corbet, Rob Herring, Mark Rutland, Harish Jenny K N, Eugeniu Rosca, Alexander Graf, Peter Maydell, Paolo Bonzini, Phil Reid, Marc Zyngier, Christoffer Dall, Magnus Damm, "open list:GPIO SUBSYSTEM", Linux Doc Mailing List, "open list:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS", Linux-Renesas, "linux-kernel@vger.kernel.org", QEMU Developers

Hi Linus,

On Sat, Jan 4, 2020 at 1:21 AM Linus Walleij wrote:
> On Thu, Dec 12, 2019 at 3:48 PM Geert Uytterhoeven wrote:
> > On Thu, Dec 12, 2019 at 3:42 PM Linus Walleij wrote:
> > > On Wed, Nov 27, 2019 at 9:43 AM Geert Uytterhoeven
> > > wrote:
> > > > +The GPIO Aggregator allows access control for individual GPIOs, by aggregating
> > > > +them into a new gpio_chip, which can be assigned to a group or user using
> > > > +standard UNIX file ownership and permissions. Furthermore, this simplifies and
> > > > +hardens exporting GPIOs to a virtual machine, as the VM can just grab the full
> > > > +GPIO controller, and no longer needs to care about which GPIOs to grab and
> > > > +which not, reducing the attack surface.
> > > > +
> > > > +Aggregated GPIO controllers are instantiated and destroyed by writing to
> > > > +write-only attribute files in sysfs.
> > >
> > > I suppose virtual machines will have a lengthy config file where
> > > they specify which GPIO lines to pick and use for their GPIO
> > > aggregator, and that will all be fine, the VM starts and the aggregator
> > > is there and we can start executing.
> > >
> > > I would perhaps point out a weakness as with all sysfs and with the current
> > > gpio sysfs: if a process creates an aggregator device, and then that
> > > process crashes, what happens when you try to restart the process and
> > > run e.g. your VM again?
> > >
> > > Time for a hard reboot? Or should we add some design guidelines for
> > > these machines so that they can cleanly tear down aggregators
> > > previously created by the crashed VM?
> >
> > No, the VM does not create the aggregator.
> >
> > The idea is for the user to create one or more aggregators, set up
> > permissions on /dev/gpiochipX, and launch the VM, passing the aggregated
> > /dev/gpiochipX as parameters.
> > If the VM crashes, just launch it again.
> >
> > Destroying the aggregators is a manual and independent process, after
> > the VM has exited.
>
> I'm thinking about someone making some industrial application for some
> control of a machinery say a robotic arm.
>
> And do make sure this VM is only controlling these GPIOs related to
> this robotic arm, they create a GPIO aggregator. And we care about
> cases like that since we provide this security argument.
>
> Surely that machine will be rebooted.
>
> Surely they don't have a printed paper with all the commands lying
> at the console, and asking whoever powers it back on to manually
> type it all in again. That feels a bit 1981.
>
> So they will have a script for this I suppose. Possibly in some
> initscript so it is set up on boot. And this script echos stuff
> all over the place to set up the aggregator.
>
> Is this the use case you're thinking of?

Exactly. And they can configure that by echoing the GPIO specifiers to
/sys/bus/platform/drivers/gpio-aggregator/new_device.
If their system has DT, another option is to describe the device in DT,
and add its compatible value to gpio_aggregator_dt_ids[], cfr. the
frobnicator example.

> I just like to have the whole picture here.

Sure. If anything is still unclear, please let me know!
Thanks!

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
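
Review bot: The last sentence of the quoted documentation hunk ("Aggregated GPIO controllers are instantiated and destroyed by writing to write-only attribute files in sysfs.") does not say who performs those writes or how long an aggregator lives, and the access-control paragraph above it never names the file whose ownership and permissions are meant. The thread shows this is easy to misread as the VM creating the aggregator. Suggest adding to the document what the reply states: the user creates the aggregator (for example from a boot-time script) before launching the VM, sets permissions on the resulting /dev/gpiochipX, and passes that device to the VM; the aggregator is independent of the VM process, so a crashed VM can simply be relaunched, and destroying the aggregator is a separate manual step after the VM has exited.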