Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E9CC3C636CC for ; Wed, 15 Feb 2023 14:40:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229800AbjBOOkR (ORCPT ); Wed, 15 Feb 2023 09:40:17 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37892 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229824AbjBOOkJ (ORCPT ); Wed, 15 Feb 2023 09:40:09 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2FC0E392A4 for ; Wed, 15 Feb 2023 06:40:07 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 34B7461C32 for ; Wed, 15 Feb 2023 14:40:07 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9D7D3C43444; Wed, 15 Feb 2023 14:40:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1676472006; bh=WnQPbs4n1y1YaJMz86cqFKn9DIUxfburG9yYT2GXgMQ=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=ZGlDGKlyBCLn+xCU9PPiTvYbaCGGnGtjWXJMh1EBZvpHzmODVMSo1Zhr6kSkoDist fsotcA98jofBgdFPUN9HTjIclRkq3gI5JKYhHswzd9Mjo6ShrSgMNz0+xX6RSPYm+O kWDUWQQawc4xnHBxIQoRTOPnK1GLW/BOANJC1Oyyqd4z3Yi54FzhzE+4AZjNMoJqeC Ey2WV7v4nMj/vffHZKHl8Y2fd4vV+wmt9va12poOS6FBiK+AFxZB8M3U6hUuZeXFbd eYGFKUpDX1dPl0ycs3Vk1yd3p8LcrFikuU94uGLYWgdFCSvK1mcwfSdR9CSDR7LwVD q0jPbFzZyzlvw== Received: from sofa.misterjones.org ([185.219.108.64] helo=goblin-girl.misterjones.org) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1pSIx2-00AcCS-A6; Wed, 15 Feb 2023 14:40:04 +0000 Date: Wed, 15 Feb 2023 14:40:04 +0000 Message-ID: <86ttznxa9n.wl-maz@kernel.org> From: Marc Zyngier To: Sudeep Holla Cc: Florian Fainelli , linux-arm-kernel@lists.infradead.org, Thomas Gleixner , Oliver Upton , "open list:IRQCHIP DRIVERS" , Broadcom internal kernel review list Subject: Re: [PATCH 3/3] irqchip/gic-v3: Save and restore distributor and re-distributor In-Reply-To: <20230215121050.d57tnfh7wzpyqzti@bogus> References: <20230214233426.2994501-1-f.fainelli@gmail.com> <20230214233426.2994501-4-f.fainelli@gmail.com> <87o7pvz78z.wl-maz@kernel.org> <20230215121050.d57tnfh7wzpyqzti@bogus> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL-LB/10.8 EasyPG/1.0.0 Emacs/28.2 (aarch64-unknown-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: text/plain; charset=US-ASCII X-SA-Exim-Connect-IP: 185.219.108.64 X-SA-Exim-Rcpt-To: sudeep.holla@arm.com, f.fainelli@gmail.com, linux-arm-kernel@lists.infradead.org, tglx@linutronix.de, oliver.upton@linux.dev, linux-kernel@vger.kernel.org, bcm-kernel-feedback-list@broadcom.com X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 15 Feb 2023 12:10:50 +0000, Sudeep Holla wrote: > > On Wed, Feb 15, 2023 at 08:02:20AM +0000, Marc Zyngier wrote: > > On Tue, 14 Feb 2023 23:34:26 +0000, > > Florian Fainelli wrote: > > > > > > On platforms implementing Suspend to RAM where the GIC loses power, we > > > are not properly saving and restoring the GIC distributor and > > > re-distributor registers thus leading to the system resuming without any > > > functional interrupts. > > > > The real question is *why* we need any of this. On any decent system, > > this is the firmware's job. It was *never* the OS GIC driver's job > > the first place. > > > > Completely agreed on the points you have made here, no disagreement. > However I would like to iterate some of the arguments/concerns the > firmware teams I have interacted in the past have made around this. > And this is while ago(couple of years) and they may have different > views. I am repeating them as I think it may be still valid on some > systems so that we can make some suggestions if we have here. > > > Importantly, the OS cannot save the full state: a large part of it is > > only accessible via secure, and Linux doesn't run in secure mode. How > > do you restore the group configuration, for example? Oh wait, you > > don't even save it. > > > > Agreed, we can't manage secure side configurations. But one of the concern > was about the large memory footprint to save the larger non-secure GIC > context in the smaller secure memory. > > One of the suggestion at the time was to carve out a chunk of non-secure > memory and let the secure side use the same for context save and restore. > Not sure if this was tried out especially for the GIC. I may need to > chase that with the concerned teams. The main issue is that you still need secure memory to save the secure state, as leaving it in NS memory would be an interesting attack vector! Other than that, I see no issue with FW carving out the memory it needs to save/restore the NS state of the GIC. Note that this isn't only the (re-)distributor(s) PPI/SPI registers. The LPI setup must also be saved, and that includes all the ITS registers. I'm surprised the FW folks are, all of a sudden, discovering this requirements. It isn't like the GIC architecture is a novelty, and they have had ample time to review the spec... > > Thanks Florian for starting this thread and sorry that I couldn't recollect > lots of the information when we chatted in the private about this. Marc > response triggered all the memory back. > > > So unless you have a single security state system, this cannot > > work. And apart from VMs (which by the way do not need any of this), > > there is no GICv3-based system without EL3. If you know of one, please > > let me know. And if it existed, then all the save/restore should > > happen only when GICD_CTLR.DS==1. > > > > Yes, now I remember the discussion we had probably almost 9-10 years > back when I first added the CPU PM notifiers for GICv3. I am sure we > would have discussed this at-least couple of times after that. Yet I > just got carried away by the fact that GICv2 does the save/restore and > this should also be possible. Sorry for that. GICv2 is just as fsck'd. It is just that we pretend it works for the sake of 32bit that may run in secure mode. On a 64bit machine, or in a NS setup, it is doomed for the same reasons. There really isn't any substitute for secure firmware here. M. -- Without deviation from the norm, progress is not possible.