Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp5044239rwb; Wed, 17 Aug 2022 10:03:43 -0700 (PDT) X-Google-Smtp-Source: AA6agR7usRMKgiVNTVTXEG0SdE628u9aRYkB+mF3bgwfmUhBOp+yTt+KXnE5IayFfL71rcffKyWW X-Received: by 2002:a17:907:7349:b0:730:5f86:129a with SMTP id dq9-20020a170907734900b007305f86129amr17592001ejc.466.1660755823029; Wed, 17 Aug 2022 10:03:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660755823; cv=none; d=google.com; s=arc-20160816; b=W0Gb73r3FYFmmFytedQaqB5DtpCFJVpRMCVZhUIP0VY0ksEk+prJU+pkvcYOlgadCN wSJ4K0lW9od/OCpukLnH1mCtODlcUQIZN0Yt3rtn6sS+PjyqBJwZhjLmSiCvwWQzx+U0 0Nrdlw/RgvoJkLs8gNozPW5PmyWocqOZ7p31sRAiqSpnqzon9xnCDaOB2+j0T70tHUqh 2y3DI/JpSL9CScFRFh2uCHVkkAnMqYUTp6JDEfBbxpaRt90SAvEpV1eFvKb2RFn/PkuK /fi6Zf9AmQ00QkNycGpv332d4q9ILdWtg9d1JbQilL2EuewYuw1JXjcXQNvreFEwAKrg 9CIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=psS6cwHys2vdNUer94dWkNKwP2TUxFerA6mYN4LNRGk=; b=RCq8ZLOqbl60egCcimZSiZCZLR/xXmkEcZLrQTLO4wClCmykR2fEGBJUZojUT+fNWd Qu2uf1agpTuHFlJsy/Eq3o875EFvM/ElGbI0Zar+b+6jWkOencM+BcDYsVHxvz0XiPLv oe7PaM5yfZoHe+bbZ6Sbs5JOTef24icpv68EKdBhLJ/WhHFlD+gkfHc8m6YG01xL0ZA/ jFLaPJyuex0uwddldgQaMmtOT/50jqB385C2pry6bV7/V7NCRChK3dHTgQ6npYlYcCQ6 E87k9rORkDTmWNZMSUfXatmOLdjGvOUFLyRrml2/OPst4TSdZJ/qTqZJ8/OgkIN1bmIq IEag== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hv16-20020a17090760d000b00734b422b9b4si12434205ejc.366.2022.08.17.10.03.01; Wed, 17 Aug 2022 10:03:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241082AbiHQQNE (ORCPT + 99 others); Wed, 17 Aug 2022 12:13:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59306 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237605AbiHQQMq (ORCPT ); Wed, 17 Aug 2022 12:12:46 -0400 Received: from metis.ext.pengutronix.de (metis.ext.pengutronix.de [IPv6:2001:67c:670:201:290:27ff:fe1d:cc33]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C8396A1A7D for ; Wed, 17 Aug 2022 09:12:07 -0700 (PDT) Received: from gallifrey.ext.pengutronix.de ([2001:67c:670:201:5054:ff:fe8d:eefb] helo=[IPv6:::1]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oOLeF-0004Ag-27; Wed, 17 Aug 2022 18:12:03 +0200 Message-ID: Subject: Re: [EXT] Re: [PATCH 1/3] dma-buf: heaps: add Linaro secure dmabuf heap support From: Lucas Stach To: Nicolas Dufresne , Olivier Masse , "brian.starkey@arm.com" Cc: =?ISO-8859-1?Q?Cl=E9ment?= Faure , "benjamin.gaignard@collabora.com" , "linux-kernel@vger.kernel.org" , "dri-devel@lists.freedesktop.org" , "sumit.semwal@linaro.org" , "linaro-mm-sig@lists.linaro.org" , "nd@arm.com" , "christian.koenig@amd.com" , "linux-media@vger.kernel.org" Date: Wed, 17 Aug 2022 18:12:01 +0200 In-Reply-To: References: <20220805135330.970-1-olivier.masse@nxp.com> <20220805135330.970-2-olivier.masse@nxp.com> <20220805154139.2qkqxwklufjpsfdx@000377403353> <7e61668164f8bf02f6c4ee166e85abc42b5ee958.camel@nxp.com> <20220812163922.v7sf3havi5dpgi5u@000377403353> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.40.4 (3.40.4-1.fc34) MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SA-Exim-Connect-IP: 2001:67c:670:201:5054:ff:fe8d:eefb X-SA-Exim-Mail-From: l.stach@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-kernel@vger.kernel.org X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am Mittwoch, dem 17.08.2022 um 10:29 -0400 schrieb Nicolas Dufresne: > Hi Folks, > > Le mardi 16 août 2022 à 11:20 +0000, Olivier Masse a écrit : > > Hi Brian, > > > > > > On ven., 2022-08-12 at 17:39 +0100, Brian Starkey wrote: > > > Caution: EXT Ema > > > > > [...] > > > > > > > Interesting, that's not how the devices I've worked on operated. > > > > > > Are you saying that you have to have a display controller driver > > > running in the TEE to display one of these buffers? > > > > In fact the display controller is managing 3 plans : UI, PiP and > > video. The video plan is protected in secure as you can see on slide > > 11: > > https://static.linaro.org/connect/san19/presentations/san19-107.pdf > > > > just wanted to highlight that all the WPE/GStreamer bit in this presentation is > based on NXP Vendor Media CODEC design, which rely on their own i.MX VPU API. I > don't see any effort to extend this to a wider audience. It is not explaining > how this can work with a mainline kernel with v4l2 stateful or stateless drivers > and generic GStreamer/FFMPEG/Chromium support. > > I'm raising this, since I'm worried that no one cares of solving that high level > problem from a generic point of view. In that context, any additions to the > mainline Linux kernel can only be flawed and will only serves specific vendors > and not the larger audience. > > Another aspect, is that this design might be bound to a specific (NXP ?) > security design. I've learn recently that newer HW is going to use multiple > level of MMU (like virtual machines do) to protect the memory rather then > marking pages. Will all this work for that too ? > I have not looked in any of this for quite a while, but IIRC the plan was something like that: The NXP RDC hardware is able to segment the DDR memory into sections and define access policies for all masters in the system. So for example for the secure VPU to display controller path you would define such a section, where only the VPU is able to write and DCSS is able to read from. CPU or other masters are not allowed to use this section. This then gets exposed to Linux as a DMA heap. The VPU driver could then allocate capture buffers from this heap and share them via dma-buf to the DCSS driver. Both drivers can live in non-trusted userspace and even the address allocation for the DMA heap can be done from Linux. Non-trusted Linux kernel/userspace just has no way to access the buffers directly. The more interesting question is on the VPU side: how do you make sure that the capture buffer is located in secure memory when the output buffer containing the secret bitstream is also in a secure heap? I guess you need some kind of TEE application to validate those settings, which means you can't give the non-trusted driver direct MMIO access to the VPU. Regards, Lucas