Date: Mon, 1 Aug 2022 11:23:09 +0100
From: Sudeep Holla
To: Jassi Brar
Cc: Rob Herring, Krzysztof Kozlowski, Jassi Brar, linux-kernel@vger.kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH] dt-bindings: mailbox: arm,mhu: Make secure interrupt optional
Message-ID: <20220801102309.efvmde2ackh3vyg4@bogus>
References: <20220728190810.1290857-1-robh@kernel.org> <20220729111051.5me4vklrzskvsj4w@bogus>

On Fri, Jul 29, 2022 at 10:18:04AM -0500, Jassi Brar wrote:
> On Fri, Jul 29, 2022 at 6:10 AM Sudeep Holla wrote:
> > On Thu, Jul 28, 2022 at 04:07:45PM -0500, Jassi Brar wrote:
> > > >
> > > > I could learn why specifying secure irq isn't desirable?
> > > No non-secure client node would ask for that secure irq/channel, which
> > > will simply lay unused.
> >
> > Did you mean would or wouldn't?
>
> I mean what's written.
>
Sorry for asking you to be explicit. How can one ensure that doesn't happen if someone wants to exploit the secure side firmware? That is my concern, and I understand we must block any users of it in the device tree. But that doesn't prevent people who can run any non-secure side software from exploiting the secure side.

> > Anyways I can insert a module that requests this channel and bring down
> > the system, as accessing anything configured secure from the non-secure side
> > on Juno results in system hang/error.
>
> Why go to those lengths?
> There are already simpler options available ;-)
> 1) while (1) ; // preferably in some atomic context
> 2) *((int *) 0) = 0; // you might want to iterate over offset for
> guaranteed results
> 3) Slightly more work, but you also have the opportunity to erase your
> storage device
>
I know these simple methods, but can I hinder secure side services with these?

> > > index f6c55877fbd94..004b1566be74d 100644
> > > --- a/arch/arm64/boot/dts/arm/juno-base.dtsi
> > > +++ b/arch/arm64/boot/dts/arm/juno-base.dtsi
> > > @@ -26,7 +26,8 @@ mailbox: mhu@2b1f0000 {
> > > compatible = "arm,mhu", "arm,primecell";
> > > reg = <0x0 0x2b1f0000 0x0 0x1000>;
> > > interrupts = ,
> > > - ;
> > > + ,
> > > + ;
> > > interrupt-names = "mhu_lpri_rx",
> > > "mhu_hpri_rx";
> > > #mbox-cells = <1>;
> > >
> > > If this works for you, I could submit a proper patch.
> >
> > No this doesn't work IMO.
>
> If you _really_ tested and faced an error, please share it.
>
Yes, I did try. But as I hacked the DT to use it (or I can even hack the kernel if the DT is not so easily upgradable). The main point is, as the secure side uses this channel to communicate with the SCP for some of the CPU idle management which is enabled by default in the kernel, by just sending the command using the same secure channel from Linux I can randomly ensure the messages sent by the secure side are mangled and the CPU may either fail to resume back from suspend or even fail to suspend. The end result is I just see it hang on the non-secure side. While you could argue it is expected that we should not have used the secure channel, I would go further and ask if that needs to be exposed, as there is no way to mark it as disabled or already in use by the secure side. But yes, I see your point as well. Not sure which is better.

> > Yes standalone everything looks fine, but you can
> > insert a module requesting this channel and bring down the system.
>
> If anyone other than a super-user is able to do that, then you have a
> serious security problem at hand. If you do that as a super-user, have fun.
>
Yes, I am assuming super user itself. It may not help much to exploit on Juno, but will such a mechanism help to exploit and understand the secure side communication from the non-secure side was my general concern, as we have seen and heard of such exploits quite a lot these days. That is the only reason I was suggesting to not expose any secure mailbox details to the non-secure world.
Juno is probably not a good example platform to make my point. I wish there was a way to tell the non-secure side that it is disabled for its use as it is used by the secure side. As Juno platform maintainer, I am not comfortable adding this in case other platforms copy it.

--
Regards,
Sudeep
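Review bot: in the juno-base.dtsi hunk quoted above, the `interrupts` property grows from two entries to three (one kept, two added) while `interrupt-names` still lists only "mhu_lpri_rx" and "mhu_hpri_rx", so the names no longer pair one-to-one with the interrupts; either add a third name for the new secure-channel interrupt or drop `interrupt-names` if the binding no longer requires it. The interrupt specifier values themselves are not legible in this copy of the hunk, so they cannot be checked here.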