Received: by 2002:a05:7412:37c9:b0:e2:908c:2ebd with SMTP id jz9csp2563065rdb; Fri, 22 Sep 2023 02:13:01 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEvWyHJXTSQqakjxAT7exiASjBEm4APfRBLl4DlypF+ggovFY2bRMJ01kJIr3yeO9dRa841 X-Received: by 2002:a05:6a21:81a7:b0:11d:4c79:90ee with SMTP id pd39-20020a056a2181a700b0011d4c7990eemr7466726pzb.25.1695373981262; Fri, 22 Sep 2023 02:13:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695373981; cv=none; d=google.com; s=arc-20160816; b=lB5X2Je/z+jgM/lKEenPG5SW6lFa+rHhS71MOSf4q/zKj6CSIxrydTWh5AVBgYd+1m dW3Be2OvddVOi3AL55H2aDcD1Xo9h9Wz0npENTG7goOt6f97iycBQ8GbxQr+GHla+dgF 7D68wrCsPVcJHynKHvWes3C5P58SiEijKWNcddIYXVAkwn4KWJivwxReboo8njiRXN7f RcgBYjHhkUjFbe9TJ5t6+ndLSKdHl4+HbpGhLHAy0DAYGvquoKHfv3y8sD+gx/Th/g3o 5vrjz8R1sRkoYgngVh1KVr74Lc0l5YRrlR/sBiWFcMlouTyTrXqfBo9Em81T29U0A9+5 8VPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=kAxS5aneoDADNRZ7LRGA/GWsME2RGbrvGcmrwAd/oXE=; fh=tjOPaywA+Yw8Xd/vGN2ugb4d0a146SkXLsoskxO4Iso=; b=LNV1tuXdHRMSllWt1l1upGUjC9vyPI62Pz7jZYBriV6C21ZRjXo6HfYhia9fYqzYTb wFC2jQt4HG00AtMAY7N+dWOCdQHhd7ik+prI+rxLOHSd5maIAxcIaDXsmFzpmrNl4rzf M89tY7lYa0ynrEcwrDmpz2kLRktcdSxyUepjIQAISPq3n6Mvf82wDAmFJqR3BHQs+BJo DM0+O9bXw99xmljqyVduAcGYWl6rWyYXzXpVWNszUf7/LNP/omow0s2TPSqLpdht64Qs KcKQNW9equbmffBWBqQ/o7ngkB9/7h3hze+Zo/7m7mNNNUPx/TdUm1G4EjlPK5WOVviE cQzQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xs4all.nl Return-Path: Received: from fry.vger.email (fry.vger.email. [23.128.96.38]) by mx.google.com with ESMTPS id b7-20020a17090acc0700b002734f48cfd6si3476855pju.155.2023.09.22.02.13.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Sep 2023 02:13:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xs4all.nl Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id CC03680C77B5; Fri, 22 Sep 2023 01:44:29 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232784AbjIVIo2 (ORCPT + 99 others); Fri, 22 Sep 2023 04:44:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35954 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232764AbjIVIoV (ORCPT ); Fri, 22 Sep 2023 04:44:21 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E1C471A2; Fri, 22 Sep 2023 01:44:13 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 37A04C433C8; Fri, 22 Sep 2023 08:44:10 +0000 (UTC) Message-ID: <3e053387-4ba6-49bc-a59a-46854e0a7c26@xs4all.nl> Date: Fri, 22 Sep 2023 10:44:08 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH 12/14] media: medkatek: vcodec: set secure mode to decoder driver Content-Language: en-US, nl To: =?UTF-8?B?WXVuZmVpIERvbmcgKOiRo+S6kemjnik=?= , "jkardatzke@google.com" , "nicolas.dufresne@collabora.com" Cc: "linux-kernel@vger.kernel.org" , "linux-mediatek@lists.infradead.org" , "frkoenig@chromium.org" , "stevecho@chromium.org" , "wenst@chromium.org" , "nhebert@chromium.org" , "linux-media@vger.kernel.org" , "devicetree@vger.kernel.org" , "daniel@ffwll.ch" , Project_Global_Chrome_Upstream_Group , "benjamin.gaignard@collabora.com" , "hsinyi@chromium.org" , "linux-arm-kernel@lists.infradead.org" , "angelogioacchino.delregno@collabora.com" , "nfraprado@collabora.com" References: <20230911125936.10648-1-yunfei.dong@mediatek.com> <20230911125936.10648-13-yunfei.dong@mediatek.com> <1df3e79b84933dda0313d0d9719220dbc06c9022.camel@collabora.com> <5307203d79c0d90cc742a315bb161fa796b9960f.camel@mediatek.com> <00302ac675af858eb11d8398f100921af806bc30.camel@mediatek.com> From: Hans Verkuil In-Reply-To: <00302ac675af858eb11d8398f100921af806bc30.camel@mediatek.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Fri, 22 Sep 2023 01:44:29 -0700 (PDT) On 22/09/2023 05:28, Yunfei Dong (董云飞) wrote: > Hi Hans, > > Thanks for your help to give some good advice. > On Wed, 2023-09-20 at 09:20 +0200, Hans Verkuil wrote: >> >>>>>> In any case, using a control to switch to secure mode and using >> a control >>>>>> to convert a dmabuf fd to a secure handle seems a poor choice to >> me. >>>>>> >>>>>> I was wondering if it wouldn't be better to create a new >> V4L2_MEMORY_ type, >>>>>> e.g. V4L2_MEMORY_DMABUF_SECURE (or perhaps _DMABUF_OPTEE). That >> ensures that >>>>>> once you create buffers for the first time, the driver can >> switch into secure >>>>>> mode, and until all buffers are released again you know that the >> driver will >>>>>> stay in secure mode. >>>>> >>>>> Why do you think the control for setting secure mode is a poor >> choice? >>>>> There's various places in the driver code where functionality >> changes >>>>> based on being secure/non-secure mode, so this is very much a >> 'global' >>>>> setting for the driver. It could be inferred based off a new >> memory >>>>> type for the queues...which then sets that flag in the driver; >> but >>>>> that seems like it would be more fragile and would require >> checking >>>>> for incompatible output/capture memory types. I'm not against >> another >>>>> way of doing this; but didn't see why you think the proposed >> method is >>>>> a poor choice. >>>> >>>> I assume you are either decoding to secure memory all the time, or >> not >>>> at all. That's something you would want to select the moment you >> allocate >>>> the first buffer. Using the V4L2_MEMORY_ value would be the >> natural place >>>> for that. A control can typically be toggled at any time, and it >> makes >>>> no sense to do that for secure streaming. >>>> >>>> Related to that: if you pass a dmabuf fd you will need to check >> somewhere >>>> if the fd points to secure memory or not. You don't want to mix >> the two >>>> but you want to check that at VIDIOC_QBUF time. >>>> >>>> Note that the V4L2_MEMORY_ value is already checked in the v4l2 >> core, >>>> drivers do not need to do that. >>> >>> Just to clarify a bit, and make sure I understand this too. You are >> proposing to >>> introduce something like: >>> >>> V4L2_MEMORY_SECURE_DMABUF >>> >>> Which like V4L2_MEMORY_DMABUF is meant to import dmabuf, while >> telling the >>> driver that the memory is secure according to the definition of >> "secure" for the >>> platform its running on. >>> >>> This drivers also allocate secure SHM (a standard tee concept) and >> have internal >>> allocation for reconstruction buffer and some hw specific reference >> metadata. So >>> the idea would be that it would keep allocation using the dmabuf >> heap internal >>> APIs ? And decide which type of memory based on the memory type >> found in the >>> queue? >> >> Yes. Once you request the first buffer you basically tell the driver >> whether it >> will operate in secure or non-secure mode, and that stays that way >> until all >> buffers are freed. I think that makes sense. >> > > According to iommu's information, the dma operation for secure and non- > secure are the same, whether just need to add one memory type in v4l2 > framework the same as V4L2_MEMORY_DMABUF? The dma operation in > videobuf2-dma-contig.c can use the same functions. So if I pass a non-secure dma fd to the capture queue of the codec, who will check that it can't write the data to that fd? Since doing so would expose the video. Presumably at some point the tee code will prevent that? (I sincerely hope so!) Having a separate V4L2_MEMORY_DMABUF_SECURE type is to indicate to the driver that 1) it can expect secure dmabuf fds, 2) it can configure itself for that (that avoids using a control to toggle between normal and secure mode), and at VIDIOC_QBUF time it is easy for the V4L2 core to verify that the fd that is passed in is for secure memory. This means that mistakes by userspace are caught at QBUF time. Of course, this will not protect you (people can disable this check by recompiling the kernel), that still has to be done by the firmware, but it catches userspace errors early on. Also, while for this hardware the DMA operation is the same, that might not be the case for other hardware. Regards, Hans > > Best Regards, > Yunfei Dong >