Message-ID: <09942d325e3b3c3149ebd9787794b065554f6064.camel@ndufresne.ca>
Subject: Re: [EXT] Re: [PATCH 1/3] dma-buf: heaps: add Linaro secure dmabuf heap support
From: Nicolas Dufresne
To: Cyrille Fleury, Olivier Masse, brian.starkey@arm.com
Cc: sumit.semwal@linaro.org, linux-kernel@vger.kernel.org, linaro-mm-sig@lists.linaro.org, christian.koenig@amd.com, linux-media@vger.kernel.org, nd@arm.com, Clément Faure, dri-devel@lists.freedesktop.org, benjamin.gaignard@collabora.com
Date: Fri, 19 Aug 2022 11:13:53 -0400

Hi,

thanks for the additional information, we are starting to have a (still
partial) overview of your team goals.

On Thursday 18 August 2022 at 05:25 +0000, Cyrille Fleury wrote:
> Hi Nicolas, all,
>
> The short reply:
>     - For DRM, gstreamer, ffmpeg, ... we don't use anymore NXP VPU
>       proprietary API
>     - We need secure dma-buf heaps to replace secure ion heaps
>
> The more detailed reply to address concerns below in the thread:
>     - NXP doesn't design VPU, but rely on third party VPU hardware IP we
>       integrate in our soc. NXP proprietary API are for legacy applications
>       our customers did without using gstreamer or ffmpeg, but we are now
>       relying on V4L2 API for WPE/gstreamer, chromium/ffmpeg ...
>     - Even with NXP legacy BSP, there was no API impact for WPE (or
>       chromium) due to NXP VPU API. We use WPE/gstreamer, then a gstreamer
>       plugin relying on NXP VPU proprietary API. But now we use V4L2. So we
>       can forget NXP VPU proprietary API, and I'm very happy with that.
>     - We have moved from ion buffer to dma buff to manage secure memory
>       management. This is why we need secure dma-buf heaps, we protect with
>       NXP hardware as we did with ion heaps in the presentation Olivier
>       shared.
>     - For secure video playback, the changes we need to do are in user
>       space world (gstreamer, WPE, ...), to update our patches managing
>       secure ion heaps by secure dma-buf heaps. But dma-buf is file
>       descriptor based as ion heap are.

Do you have some links to these changes to user-space code that demonstrate
the usage of this new heap in its real context?

>     - What will change between platforms, is how memory is protected. This
>       is why we requested to have dtb in OPTEE for secure memory, to be able
>       to provide a common API to secure DDR memory, and then to rely on
>       proprietary code in OPTEE to secure it.
>     - We don't have a display controller or VPU decoder running in TEE.
>       They remain under the full control of Linux/REE World. If Linux/REE
>       ask something breaking Widevine/PlayReady security rules, for example
>       decode secure memory to non-secure memory, read from secure memory
>       will return 0, write to secure memory will be ignored. Same with
>       keys, certificates ...

Can you explain how you would manage to make VP9 stateless decoding work? On
IMX8MQ you have a chip that will produce a feedback binary, which contains
the probability data. The mainline driver will merge the forward probability
to prepare the probability for the next decode.

This basically means at least 1 output of the decoder needs to be non-secure
(for CPU read-back). That breaks the notion of secure memory domain, which is
global to the HW. One could think you could just ask the TEE to copy it back
for you, but to do that safely, the TEE would need to control the CODEC
programming, hence have a CODEC driver in the secure OS.

I'm not familiar with it, but may that have impact on HDMI receivers, which
may need some buffers for CPU usage (perhaps HDR metadata, EDID, etc.).

>     - i.MX8 socs have a stateless VPU and there is no VPU firmware. i.MX9
>       socs have a stateful VPU with firmware. In secure memory context, with
>       secure memory, at software level, stateful VPU are even more simple to
>       manage -> less read/write operations performed by Linux world to parse
>       the stream, so less patch to be done in the video framework.
>       But for memory management, stateful/stateless, same concern: we need
>       to provide support of secure dma heaps to Linux, to allocate secure
>       memory for the VPU and the display controller, so it is just a
>       different dma-buf heaps, so a different file descriptor.

i.MX8 boards may have stateless or stateful CODEC (Hantro chips are used in
stateless fashion, while Amphion chips are driven by a stateful firmware). I
would have hoped NXP folks would know that, as this is what their users have
to deal with on day-to-day.

May I interpret this as NXP is giving up on i.MX8 memory protection (or
perhaps your team is only caring about i.MX9?), and this solution is only
usable for stateful (less flexible) CODECs?

>     - i.MX9 VPU will support "Virtual Machine VPU". Till now I don't see
>       why it will not work. I'm not an expert in VM, but from what I
>       understood from my discussions with NXP VPU team integrating the new
>       VPU hardware IP, from outside world, VPU is seen as multiple VPUs,
>       with multiple register banks. So virtualized OS will continue to
>       read/write registers as today, and at software level, secure memory
>       is as non-secure memory, I mean at this end, it is physical DDR
>       memory. Of course hardware shall be able to read/write it, but this
>       is not software related, this is hardware concern. And even without
>       VM, we target to dedicate one virtual VPU to DRM, so one register
>       bank, to setup dedicated security rules for DRM.

What you wrote here is about as much as I heard about the new security model
coming in newer chips (this is not NXP specific). I think in order to push
forward designs and APIs, it would be logical to first present about these
mechanisms, how they work and how they affect drivers and user space. It's
not clear how this mechanism enforces usage of non-mappable to kernel mmu
memory.
Providing Open Source kernel and userland to demonstrate and use this feature
is also very helpful for reviewers and adopters, but also a requirement in
the drm tree.

regards,
Nicolas

>
> I'm on vacation until end of this week. I can setup a call next week to
> discuss this topic if more clarifications are needed.
>
> Regards.
>
> -----Original Message-----
> From: Olivier Masse
> Sent: Wednesday, August 17, 2022 4:52 PM
> To: nicolas@ndufresne.ca; Cyrille Fleury; brian.starkey@arm.com
> Cc: sumit.semwal@linaro.org; linux-kernel@vger.kernel.org; linaro-mm-sig@lists.linaro.org; christian.koenig@amd.com; linux-media@vger.kernel.org; nd@arm.com; Clément Faure; dri-devel@lists.freedesktop.org; benjamin.gaignard@collabora.com
> Subject: Re: [EXT] Re: [PATCH 1/3] dma-buf: heaps: add Linaro secure dmabuf heap support
>
> +Cyrille
>
> Hi Nicolas,
>
> On Wed., 2022-08-17 at 10:29 -0400, Nicolas Dufresne wrote:
> > Hi Folks,
> >
> > On Tuesday 16 August 2022 at 11:20 +0000, Olivier Masse wrote:
> > > Hi Brian,
> > >
> > > On Fri., 2022-08-12 at 17:39 +0100, Brian Starkey wrote:
> >
> > [...]
> >
> > > > Interesting, that's not how the devices I've worked on operated.
> > > >
> > > > Are you saying that you have to have a display controller driver
> > > > running in the TEE to display one of these buffers?
> > >
> > > In fact the display controller is managing 3 plans : UI, PiP and
> > > video.
> > > The video plan is protected in secure as you can see on slide 11:
> > >
> https://static.linaro.org/connect/san19/presentations/san19-107.pdf
> >
> > just wanted to highlight that all the WPE/GStreamer bit in this
> > presentation is based on NXP Vendor Media CODEC design, which rely on
> > their own i.MX VPU API. I don't see any effort to extend this to a
> > wider audience. It is not explaining how this can work with a mainline
> > kernel with v4l2 stateful or stateless drivers and generic
> > GStreamer/FFMPEG/Chromium support.
>
> Maybe Cyrille can explain what it is currently done at NXP level regarding
> the integration of v4l2 with NXP VPU.
>
> >
> > I'm raising this, since I'm worried that no one cares of solving that
> > high level problem from a generic point of view. In that context, any
> > additions to the mainline Linux kernel can only be flawed and will
> > only serve specific vendors and not the larger audience.
> >
> > Another aspect, is that this design might be bound to a specific (NXP?)
> > security design. I've learned recently that newer HW is going to use
> > multiple level of MMU (like virtual machines do) to protect the memory
> > rather than marking pages. Will all this work for that too?
>
> our fire-walling hardware is protecting memory behind the MMU and so rely
> on physical memory layout.
> this work is only relying on a reserved physical memory.
>
> Regards,
> Olivier
>
> >
> > regards,
> > Nicolas