Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp2914509rwd; Mon, 29 May 2023 02:56:48 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5WYowbUftkK7nJJBrGQ9rjzttWyzRAuL91TsLsfjRq1ZOHaP6lgZ+nghmhJi8reHJybwmB X-Received: by 2002:a05:6a20:2594:b0:10b:e54f:1c00 with SMTP id k20-20020a056a20259400b0010be54f1c00mr8445878pzd.57.1685354207902; Mon, 29 May 2023 02:56:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685354207; cv=none; d=google.com; s=arc-20160816; b=y321rYYLDtXfUAY77Aex2+0fejVeapsKDeqFlqDeIbv+12lT1Uj6uF+x8UhFBkYbk7 8lhxLTyOdSlvsjUl/cA5jYV8G7WvKBISHDHGLZwXGSOKpABlFMHDSq7LHVLLCLuWlLZP 7sZOHi8Cd2bpxTarHZ9t1V/onC2RZvM7nMy1VRUeD+adfiXCCefkbU2YOwugmJY0+odR ROSUfOfqbPbbyA4T9Lfkzs1oL6QaIZJ0b9SHRvXhc/bVLOOOf5gZtnqRp+5VCpYQikLL weMNM0VD/AQIJiiWIQj+vYaaYw5S7XTXBJgm+lglohT8IrcIhJZnySzwRXzay5fhdaTS RSvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=LFbbd8vL2/0xpMiz4YHG2+mx1F2OjhCF3O93KZ3LWCA=; b=ZtDUnJpy0OD9piJqCcJfYk62coLlm/gKdGvRKd9L99rVAWcPnUbjZQjDFd3Kwb76+S 8YPnbFX8fLmVTb7r33J+0Rb728xwxBaUV91q7J7PIQtAurXIE8bYDoBSYysxdBX5syaE YhvEb8PjyHAYlOMqbbXwvQ0APEnnZKO038y1T5jDE2/j2AcOvnsQ2jTNPtrA1UFQHp7i Ehs7Oe/gTWqwW9bc/ylwHECjJzzrsqkZvVIhvNs+OA/2981qkjmk0TPEkLpvqIKEvgpw COThQGpQRNr6IQ4XHJAvvHrTF0q1CEFSUL7jXZUHKRRd0iS/Vwkdtogp9XymoQwWRnsg T3IQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=iVNG6Df4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 200-20020a6307d1000000b00520861f7c0csi7730304pgh.501.2023.05.29.02.56.34; Mon, 29 May 2023 02:56:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=iVNG6Df4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231705AbjE2JlD (ORCPT + 99 others); Mon, 29 May 2023 05:41:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42352 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231708AbjE2Jkv (ORCPT ); Mon, 29 May 2023 05:40:51 -0400 Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 72D4DD2 for ; Mon, 29 May 2023 02:40:27 -0700 (PDT) Received: by mail-wm1-x333.google.com with SMTP id 5b1f17b1804b1-3f6077660c6so19401635e9.0 for ; Mon, 29 May 2023 02:40:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1685353226; x=1687945226; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=LFbbd8vL2/0xpMiz4YHG2+mx1F2OjhCF3O93KZ3LWCA=; b=iVNG6Df4rmQejpEZn+Mx68vZiXf+V8jwtkmoIP8EmnW25fKyKs3FYbxjWlHPqLsc/r DT+uIRlf5KziejMk0PETlT0DOMleXSiq+8IhvpAL4G4CJHTvIpfxuJnrKruNmNTvF51e 0j7a6IRklJ6dNICOT1FrE/CMC5piTJG3TE133xjoB+oFsLn3SOmitBoMkzBcZ+kuihlY CTaq0VQ4qxDlKW1brE9Rc4iCzdoMrA94z6++F9B01SMu1xzvri/dQ6+x2X4oLfQ5fk2K zLbBfQWmuRbKTL7Qk4pnQMAFdkERY/v0vEsLwXLKYvA4ZXAa9m+Mc9zpSCYMmVMMcv+6 bHnQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685353226; x=1687945226; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LFbbd8vL2/0xpMiz4YHG2+mx1F2OjhCF3O93KZ3LWCA=; b=UBHZaieyLG7Tw4y0nVWsaVIyLS7Qjn4qxe5sb1lu/0xPL8LKpcQ7q45Jb7NaIzyd5r XmVzGS9fb0gyrlNl2k03XoquucaD/mfy+oiz3ihxnqsJeO1h/sPCKcNufe4Ds03mVJ+x UB2sbhhALpL0YyoQHp6updvvOCJqDZaGuQJuVeICF3aoLwi6O6EYBFz2duAP6s79TOY3 m6uUB4Qv4oNLYCoY79HUHGL3HYCFPJjAa4y3bfAFK6Js0s53wHVyhHDC/8p1dQvcmq6v vxKy9XNP8Cl6BCR0gZVaTSUXS72shT1xjb5CWV2Q7RMz732aaNuKKo8gby6JQXx2h/c0 ukbw== X-Gm-Message-State: AC+VfDzjvvo60zWK8f6yq3HRmKaB92gvLMTE1JBRlbcMEd7vUIre4KXo cUd5CcKWW3UiZPg74C42uH4pLbouF01oDkWi0bIB/rF/alvEfV/A X-Received: by 2002:a05:600c:22d7:b0:3f6:938:1001 with SMTP id 23-20020a05600c22d700b003f609381001mr10026004wmg.8.1685353225907; Mon, 29 May 2023 02:40:25 -0700 (PDT) MIME-Version: 1.0 References: <20230517143311.585080-1-sumit.garg@linaro.org> In-Reply-To: From: Jens Wiklander Date: Mon, 29 May 2023 11:40:15 +0200 Message-ID: Subject: Re: [PATCH v9 3/4] tee: optee: support tracking system threads To: Sumit Garg Cc: Etienne CARRIERE , "linux-kernel@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , "op-tee@lists.trustedfirmware.org" , "sudeep.holla@arm.com" , "cristian.marussi@arm.com" , "vincent.guittot@linaro.org" , Etienne CARRIERE - foss Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 29, 2023 at 9:11=E2=80=AFAM Sumit Garg = wrote: > > On Fri, 26 May 2023 at 01:05, Etienne CARRIERE = wrote: > > > > > > > De: Jens Wiklander > > > Envoy=C3=A9 : jeudi 25 mai 2023 17:20 > > > > > > Hi, > > > > > > On Thu, May 25, 2023 at 1:48=E2=80=AFPM Etienne CARRIERE > > > wrote:> > > > > > > > > > > > > > > De : Sumit Garg > > > > > Envoy=C3=A9 : mercredi 24 mai 2023 09:31 > > > > > > On Tue, 23 May 2023 at 12:41, Etienne Carriere > > > > > wrote: > > > > > > Hello Sumit, > > > > > > > > > > > > > > > > > > On Wed, 17 May 2023 at 16:33, Sumit Garg wrote: > > > > > > > > > > > > > > From: Etienne Carriere > > > > > > > > > > > > > > Adds support in the OP-TEE driver to keep track of reserved s= ystem > > > > > > > threads. The optee_cq_*() functions are updated to handle thi= s if > > > > > > > enabled. The SMC ABI part of the driver enables this tracking= , but the > > > > > > > FF-A ABI part does not. > > > > > > > > > > > > > > The logic allows atleast 1 OP-TEE thread can be reserved to T= EE system > > > > > > > sessions. For sake of simplicity, initialization of call queu= e > > > > > > > management is factorized into new helper function optee_cq_in= it(). > > > > > > > > > > > > > > Co-developed-by: Jens Wiklander > > > > > > > Signed-off-by: Jens Wiklander > > > > > > > Signed-off-by: Etienne Carriere > > > > > > > Co-developed-by: Sumit Garg > > > > > > > Signed-off-by: Sumit Garg > > > > > > > --- > > > > > > > > > > > > > > Disclaimer: Compile tested only > > > > > > > > > > > > > > Hi Etienne, > > > > > > > > > > > > > > Overall the idea we agreed upon was okay but the implementati= on looked > > > > > > > complex to me. So I thought it would be harder to explain tha= t via > > > > > > > review and I decided myself to give a try at simplification. = I would > > > > > > > like you to test it if this still addresses the SCMI deadlock= problem or > > > > > > > not. Also, feel free to include this in your patchset if all = goes fine > > > > > > > wrt testing. > > > > > > > > > > > > With these changes, there is no more a specific waiting list fo= r TEE > > > > > > system threads hence when a waiting queue can complete, we'll p= ick any > > > > > > TEE thread, not a TEE system thread first.. > > > > > > > > > > I had thought about this but I can't see any value in having a > > > > > separate wait queue for system threads. Here we only need to prov= ide > > > > > an extra privileged thread for system sessions (kernel clients) s= uch > > > > > that user-space doesn't contend for that thread. This prevents ke= rnel > > > > > client's starvation or deadlock like in the SCMI case. > > > > > > > > > > > Also, as stated in a below answer, these change unconditionally > > > > > > reserve a TEE thread for TEE system calls even if no TEE client > > > > > > reserved such. > > > > > > > > > > I don't think we should make thread reservations based on the pre= sence > > > > > of TEE clients. You never know how much user-space or kernel TEE > > > > > clients you are dealing with. And reserving a single privileged t= hread > > > > > unconditionally for system sessions shouldn't be much of a burden= for > > > > > memory constrained devices too. > > > > > > > > > > Also, this way we would enable every kernel TEE client to leverag= e > > > > > system sessions as it's very likely they wouldn't like to compete= with > > > > > user-space for thread availability. Two other kernel TEE clients = that > > > > > are on top of my head are HWRNG and Trusted Keys which can benefi= t > > > > > from this feature. > > > > > > > > Trusted Keys is an interesting use case. When OP-TEE accesses Trust= ed Keys, > > > > it may need to access the eMMC/RPMB using the Linux OS tee-supplica= nt > > > > whichj may repuire an eMMC clock or voltage regulator to be enable= d. > > > > If that clock or regulator is under an SCMI control, then we need 2 > > > > reserved TEE thread: one for invoking the Trusted Key TA and > > > > another for the SCMI request to reach the TEE will the Trusted Key > > > > TA invocation still consumes a thread. > > Trusked keys TA doesn't need access to secure storage (eMMC/RPMB). It > only requires a RNG and access to a key derived from HUK. Because it's always compiled as an early TA so no rollback protection is us= ed? > > > > > > > > Why would the Trusted Keys session need a system thread? To me, it > > > seems that the session could use the normal client priority. > > The system thread priority as per my patch is nothing but an extra > thread available in the thread pool for kernel clients as compared to > user-space clients. > > Trusted keys use-case was really motivated by: "every kernel TEE > client would like to avoid competing with user-space for thread > availability". However, HWRNG has a real case that user-space > shouldn't starve kernel RNG thread for OP-TEE thread availability. > > System thread can be useful for trusted keys in case the disk > encryption key is backed by a trusted key. With well-behaving TAs every TEE client will get its thread in due time. The system thread feature was originally intended as a way of avoiding a deadlock. So far we have otherwise assigned threads on a first-come first-served basis. If we now also need a way of giving priority to kernel clients for less critical reasons we may need to take a step back and redesign because reserving a thread for each kernel client doesn't scale. Thanks, Jens