Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp5332234rdb; Wed, 13 Dec 2023 06:01:42 -0800 (PST) X-Google-Smtp-Source: AGHT+IFMtx0h9Qv+WSuA6bGWBru+NzCvgb0H45ULP2UEqoPZhUNyj6ZR9NX1SxVr9RoLry9zYZeU X-Received: by 2002:a05:6808:d51:b0:3b9:e897:a83 with SMTP id w17-20020a0568080d5100b003b9e8970a83mr7715999oik.3.1702476100732; Wed, 13 Dec 2023 06:01:40 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1702476100; cv=pass; d=google.com; s=arc-20160816; b=BivMxwsotxWmourwlvhTS4Vc/yanEPoWdeJw07Y+1JucIq5NaEEZqBYEuFktpYvmiq 668YlEvktz8WrFjOxxloOI2M8ffQnR2enEFkM/BrTL7a+U7g70SvmkuVlh/u1b7onSrh ihBeXE8b1x8eZewDEqFSAtjbWdEoRuQyzYLqq4LWvwfYJrqWnV51Pmqt8LNNp+ej09Fz sNMkahpTkPSK19V3PI+3dxpGjEOyLOyr5cRTRXPFqYq7In///7LGE7+4lm7di+dndV3e RePG+Dfs6DuloXsmqbidWssIzCr+REs+Ojor6jo+llpsbqFp8PsUXxb1I0OFmFDokVbS APsQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :in-reply-to:from:references:cc:to:content-language:subject :user-agent:date:message-id:dkim-signature; bh=959RlqaNHZFPTzWiCYmR8CRuOuvZOPyVf4+d9qW21eE=; fh=7dixJYYBElvn1C2iOFVCj2ASKPEtxrYPr/70SfyLSZk=; b=KItD4afwmz5QzKq95yY1EGwaWUZgZOulJ3bZLght29PCIAhg+kYXnOpt8ix6gRgAFb RChVmmKjjpGGYjqEc2litH+4PvKVNR7IWZh4HA5aiCkaYhDb9cZ/c9faY3dDbbYUz0fr jcYI/UtHuOzkgZFZ9I/iLAx7LOGUK7rkFI2TJEfx9/1HZ2FmUVelrxK1YQuOMOPW4TeB YM8vMwRH7LnwLPp62DDoLYyG2nlqS7xfR1DlKZ1tdgr2HqXG2FQBZpFWyi7s+ihag9S+ DVU80v/gNeUIexe9i6gVYG4s/acS5Re+zhbz0V0rleB+/g2rkKNQUExuZBt5I4mbr96h S52g== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@amd.com header.s=selector1 header.b=wOmtkwUX; arc=pass (i=1 spf=pass spfdomain=amd.com dkim=pass dkdomain=amd.com dmarc=pass fromdomain=amd.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amd.com Return-Path: Received: from morse.vger.email (morse.vger.email. [23.128.96.31]) by mx.google.com with ESMTPS id bc4-20020a056808170400b003b6fef0d830si3913695oib.318.2023.12.13.06.01.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Dec 2023 06:01:40 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31; Authentication-Results: mx.google.com; dkim=pass header.i=@amd.com header.s=selector1 header.b=wOmtkwUX; arc=pass (i=1 spf=pass spfdomain=amd.com dkim=pass dkdomain=amd.com dmarc=pass fromdomain=amd.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amd.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 625718217A5F; Wed, 13 Dec 2023 06:01:31 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235378AbjLMOBH (ORCPT + 99 others); Wed, 13 Dec 2023 09:01:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45154 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1441814AbjLMOAp (ORCPT ); Wed, 13 Dec 2023 09:00:45 -0500 Received: from NAM02-BN1-obe.outbound.protection.outlook.com (mail-bn1nam02on2045.outbound.protection.outlook.com [40.107.212.45]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D1571703; Wed, 13 Dec 2023 05:59:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Dpy0gpQczUwGj76PKeP+1ZXxp+pJ8ec5IwpFzNppjn0BZtejoe7qBwRy1Qb4g1SRL34I4xw8fjBCnk/JzEXuWYeOW3eBFk2JKz9udDYUarqN4EB22blJ9wdIyfh5OX5Qgy3mf3zICH7NSJ4LAZS9xrOL06G+9C5Vuy6dHYd5y7VqJrwlYu4t6PyagzCd7+Ph5LqZgy6L4QIQqHd8zIKwQ+xnO2/7/4JHA68TqNuc07w5PN3K5zqvVLH/XHSxRBnJR6zTciJpdrohu/+ai2p+5MTAWHiNZn5ugjF5ijPyl/BFoLHCFAysMIMamUa9kESqvEZZLxCaK/MEGUaP2uB55g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=959RlqaNHZFPTzWiCYmR8CRuOuvZOPyVf4+d9qW21eE=; b=GiV+MPBBmH179z5up7qBMNoDqo/tuAkpZBJBqr2SF7TKMXnR5wMTSP+aQH/Gu2iFq0dyIkakBTwjATGV8FEclsw/UiGWGJQpT0FgN6Kvx7fA/z759UQ+fHv5laSqgpElHlR/9z8yZnbJQ+AIZxUoBCRbXNaaOuhH4uZUaOokfQo8umTFjATxv7MAx4MIyX73X+sfe3SIxtFddt6Z6QZHvroCNx+35pOqB0E+IOa/rXmabLiDPu+ioK2bQiLAhCNHEqERpyy+wjAHdNeNSTEJbQtepHAdGrthpnxmVmcYIlY6K4aoL8gJCeI/DJ0SgjBiApsnfYho70YaiyP9hDmsIA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=959RlqaNHZFPTzWiCYmR8CRuOuvZOPyVf4+d9qW21eE=; b=wOmtkwUXQwR3hXS7L3NBVA8pFFFdlSdXlMpLaWaD75RxkD/x84xxVyXVRPtacF4Hs6gO9VeU4YhSRVIaF8Ei/McHAnf97hKiyirElD95EHQwTzj0uAUk8I2LwpeZ596Zb3Mh0d6QQUUt1AOp05WBF7U16YPy8EJXVhajgpr0LtA= Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amd.com; Received: from BN8PR12MB3587.namprd12.prod.outlook.com (2603:10b6:408:43::13) by PH0PR12MB5677.namprd12.prod.outlook.com (2603:10b6:510:14d::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7091.26; Wed, 13 Dec 2023 13:59:46 +0000 Received: from BN8PR12MB3587.namprd12.prod.outlook.com ([fe80::ca80:8f1c:c11:ded3]) by BN8PR12MB3587.namprd12.prod.outlook.com ([fe80::ca80:8f1c:c11:ded3%7]) with mapi id 15.20.7091.022; Wed, 13 Dec 2023 13:59:46 +0000 Message-ID: Date: Wed, 13 Dec 2023 14:59:28 +0100 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v3 0/7] dma-buf: heaps: Add secure heap Content-Language: en-US To: Joakim Bech , Pekka Paalanen Cc: Simon Ser , Yong Wu , Rob Herring , Sumit Semwal , christian.koenig@amd.com, Matthias Brugger , dri-devel@lists.freedesktop.org, John Stultz , Krzysztof Kozlowski , Jeffrey Kardatzke , Benjamin Gaignard , Vijayanand Jitta , Nicolas Dufresne , jianjiao.zeng@mediatek.com, linux-media@vger.kernel.org, devicetree@vger.kernel.org, Conor Dooley , linaro-mm-sig@lists.linaro.org, linux-mediatek@lists.infradead.org, tjmercier@google.com, linux-arm-kernel@lists.infradead.org, AngeloGioacchino Del Regno , kuohong.wang@mediatek.com, linux-kernel@vger.kernel.org References: <20231212024607.3681-1-yong.wu@mediatek.com> <20231213110517.6ce36aca@eldfell> <20231213101549.lioqfzjxcvmqxqu3@pop-os.localdomain> <20231213133825.0a329864@eldfell> <20231213132229.q3uxdhtdsxuzw3w6@pop-os.localdomain> From: =?UTF-8?Q?Christian_K=C3=B6nig?= In-Reply-To: <20231213132229.q3uxdhtdsxuzw3w6@pop-os.localdomain> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-ClientProxiedBy: FR3P281CA0182.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:a4::17) To BN8PR12MB3587.namprd12.prod.outlook.com (2603:10b6:408:43::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BN8PR12MB3587:EE_|PH0PR12MB5677:EE_ X-MS-Office365-Filtering-Correlation-Id: 19176b9f-e92d-4621-7f03-08dbfbe3c38c X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: KpIYws6ptnnE5G3HSmOjucw0l0+uVzoyzOBYUiWiWzzs0oLgk65snyrXbGCkvO7ugwZ+C9Qi/0vPETvzny8cZ42LwCe+cgAGtMF0uhzwLslY1bPWZIbE4t8yzjRBURbQaMZIfWDm3+uAAqgALqeARBf5xKnh8kG9wIu0LQrWOpkqOF0k5dAjQt30TjamAvr8MfOh3rdXpjGEctNHMMBDHvdCwuGgHIAbGDXXFH0Gzn+FDyuktnZkH0J9CmJK+3B18h0+pZ1Qm38FRM9rxMeywFsVbEzrEoJQMGfA1NFYkCg7af6YFoCWdWaZyrmpjbxzdDCYcqaa5HwfIG1dpzwImp2u9YNSlgrcz1ttmnh4YUq67cThaivtTRIBAHiMzbmbCwpBI2jSSMDvxwakYCj+NpYu61wIJX6bckBOXZnzmGGCh8U8rkndwjVby6TFHRmYYbDZELuBhj5WecKoAWwLLnrddIVk/rAfQ7zsXQcS+q0nbp4HDJM35JQU6gRLo5TlyQgUDATCtGDIQNBYCnjDYOkJg6N8cNJTp+zor4AjxMkVw5+gS0kGE7oKgE6s2PynZCE9phRTaXXw97cl1v6+m7CF3bopF5l9gP/95EZJ9ZUBm4TVNwsFCgcS43AKHFejgADvd68JlJ3f2m7ews0FzA== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BN8PR12MB3587.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(346002)(396003)(376002)(136003)(366004)(39860400002)(230922051799003)(186009)(451199024)(1800799012)(64100799003)(31686004)(66899024)(110136005)(66946007)(66476007)(38100700002)(31696002)(36756003)(86362001)(66556008)(26005)(83380400001)(6512007)(6506007)(2616005)(2906002)(7416002)(6486002)(54906003)(316002)(478600001)(6666004)(5660300002)(8936002)(8676002)(4326008)(41300700001)(45980500001)(43740500002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?VzZSSjJvWCtzMTVrSnh2Qnk2MmI3N1VYd0MxalF2VEx4M3ZmRGUwTTJJaGhB?= =?utf-8?B?aWEvZ0c1SkdjaVYwZ2dxQnI4VlpZRkU5RldvUms0MmVFZVJJWisxTC9LZFk5?= =?utf-8?B?R3ViS1NsbVVVeDlRUVZmSUJoU0VZWmNYRFJsNGgybG4xOEFMblE0R2xFT0Fk?= =?utf-8?B?TnlrYUNGdGh4SFZXcFFHMUM0eElmYWdTUXZVaXhCUk9nZHMyRU1SUCsraW02?= =?utf-8?B?dEJHY0xvTGhBM2NtRmFWK0hNb0NZU0hwekRFNHFTUU8vbm1XNVJmSXRpMmRI?= =?utf-8?B?RTZJUlF3RUp4THlJWWRhd1M3dHV3WWRvQitnNUJyV0NpTUFjZTdSam5Jcmo0?= =?utf-8?B?RDkxRy9RVERSRlIwc2twOFJjTG4vQXl5eXFpdTBpTW5UdnFEY0FvdEp2Yytm?= =?utf-8?B?YTVrYTlJL3ErR2NaUlJXVG02Y0pPUUI0Ym9FdVlaNDJUdGhRR2s1d1pEaUJL?= =?utf-8?B?RnNNUWRyQ0dKUmV2K2FlQ0lkbGpwSUl3QkI1WUlCK2cxQWZVVmkvdTUxV2VW?= =?utf-8?B?N3FLUmFYSTNDbW9QUXhnRHZ0bWNaQTE5UnhDK2FLSStIM0FCUzB5UHVGeHNB?= =?utf-8?B?YnFtc2lPTFdweWFwZXM3cFgzbWVKRit1ZmZLNTlKZU9LUXZyQnEyQlZhMUxy?= =?utf-8?B?R3oramQ0NG5QSE8wRldkeVMrODZ2YU00amdvREZOdmM3NzVDTG16VjhjckNL?= =?utf-8?B?dHBia0VpclR1c050YXhsUHVCQWFuSVNaSVl6c1dqRWFWVmpVdWc2cW02eFlK?= =?utf-8?B?UHEvUTFKcXN4d05Wb01SdnYrdkk0M0VyN1ZLTklTQXFMUUMzUDF2T2R0MWg4?= =?utf-8?B?Yi8rNmU1K1YyejRDTTdSVXRRL1lMSlJ1SzFrSFVRWXpsUnBIMHQ3VEcvVzdB?= =?utf-8?B?NlBiR3NFUTJrWFBHM0pwOC83WEYwSHk2MUxhLzRwelMrS2FqNVpRa3dNcGFk?= =?utf-8?B?MGZaS2JxSmV0clFWdkxXUWJTSzhOY05vMWpTZXdNOWlxaTJsVERBbEVIeWFU?= =?utf-8?B?M0VpMUdVaGpBbDgvbXQra09XSDgzY01MZFkzbXByRnVlVnBES3k5RHFYZzkx?= =?utf-8?B?UGpGRXlaUU1JRE1wNW9pbzcyZ0lTUVkweVdmYXhPR04xQmx6ZWNxdmthbCsw?= =?utf-8?B?QTNCeC84NE9aV3FGZ2ZldzhLdDFxYTFrT1ZYVVl5cDJyMlhGRE9rUHRNVjMy?= =?utf-8?B?L0pUYXdzb3B5MFBoRysySXdFamp6cTM0QU81eGxSQWI3TFRCWFpQb25qemNo?= =?utf-8?B?dmxpdUl0UVlEMVZlcDFFR0tDUU0wMmtXYjhBOGZ6SmRiLzVHa2lJTmIzTml2?= =?utf-8?B?eFhKeC9QOVNxM2lxcVkrdUQ2SWNzR2l3OFJxd2syc0JGUmticEp6Wk5rQjlX?= =?utf-8?B?SWR6cGF1Tll2b3JWRzhUTG12b3l0WUFmSkNEQXJwWjVnSGowemlkc0lhbnUr?= =?utf-8?B?Ymdwemh3WmRHTThSWm13WmRMcEovOXZab3FETysvUXRHNHRkSk4vQXl1YWdB?= =?utf-8?B?RVZZV25hQ3RsLzlTVHFZenBXcmd4N2J3R1dqa2w3ei9RbFF3Z1NtL29ZQTBM?= =?utf-8?B?Q05MTXViTXZ1Y1ZoSnp3RE5KNnJIQkdqb3ViKzZ4TkcrTWtweUlWSTdWZ1VP?= =?utf-8?B?dGhxRDB2d2lXK2t1Y2Irai9aM0JWb0pjNDA3cWN6Ui93YlF1OXZCQngyS2Vv?= =?utf-8?B?ZXNadVp5a0tsNDg1dVNxNVZsN016RFBkSDZJNDg3clgvbklIYlZhcEpIYlpI?= =?utf-8?B?L25CQ3FRU1NsYk1SZVpXQXJxdGdlZDZVWEJVTURvZ29RQ0ZtS3FiZlcwVm5I?= =?utf-8?B?NWZpaGVMVlZlVW9FRVVyZ0hGbXhhV0NGU2pUcVdnbzhJaU9XeExZMmFYK1lp?= =?utf-8?B?TlJ4V0NnbUgreEpOZzRQQjR6cytLQVJzWS84Qlc5N0pmMGp5bGQ3dm1aUUhM?= =?utf-8?B?M0lJdjdRTWtrWEx0TnMzNHdLMGhOYm5scTIyZ1lqTmtFcEs4aTdTbWM3RkV6?= =?utf-8?B?WWJ4OTZPRExaRE9mS0p0QmhSYVdQNFlGTWtVamMzdHhJUlFlUWRIbVBmR3g4?= =?utf-8?B?RnZXR1NoVUUwaDNFV1NrYTJMSkZ0WXZBaW5SZUZFd3NWZ3E2VlNCZFlGdmla?= =?utf-8?Q?hRm8=3D?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: 19176b9f-e92d-4621-7f03-08dbfbe3c38c X-MS-Exchange-CrossTenant-AuthSource: BN8PR12MB3587.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Dec 2023 13:59:46.1743 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: q/l27ZpzoJzCatgjft+ydWH2RcVITPsWcrpanm+tRHhAa7/4mFWAHoSS/r7Z7GSv X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR12MB5677 X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Wed, 13 Dec 2023 06:01:31 -0800 (PST) Am 13.12.23 um 14:22 schrieb Joakim Bech: > On Wed, Dec 13, 2023 at 01:38:25PM +0200, Pekka Paalanen wrote: >> On Wed, 13 Dec 2023 11:15:49 +0100 >> Joakim Bech wrote: >> >>> On Wed, Dec 13, 2023 at 11:05:17AM +0200, Pekka Paalanen wrote: >>>> On Tue, 12 Dec 2023 16:36:35 +0000 >>>> Simon Ser wrote: >>>> >>>>> Is there a chance to pick a better name than "secure" here? >>>>> >>>>> "Secure" is super overloaded, it's not clear at all what it means from >>>>> just the name. Something like "restricted" would be an improvement. >>>>> >>>> My thoughts exactly. Every time I see "secure" used for something that >>>> either gives you garbage, refuses to work, or crashes your whole machine >>>> *intentionally* when you try to do normal usual things to it in >>>> userspace (like use it for GL texturing, or try to use KMS writeback), I >>>> get an unscratchable itch. >>>> >>>> There is nothing "secure" from security perspective there for end users >>>> and developers. It's just inaccessible buffers. >>>> >>>> I've been biting my lip until now, thinking it's too late. >>>> >>> The characteristics we're looking for here is a buffer where the content >>> is inaccessible to the normal OS and user space, i.e., Non-secure EL0 to >>> EL2. I.e, the content of the buffer is meant to be used and accessible >>> primarily by the secure side and other devices that has been granted >> s/secure side/proprietary side/ >> > I'm using the nomenclature as written by Arm (other architectures have > other names for their secure execution states). AMDs GPUs call that "trusted" which is only minimal better than secure I think. > >> I presume nothing of the other side can ever be in any way open? >> > I'm sure there are lots of examples of things running on the secure side > that are open. The OP-TEE project where I'm a maintainer has been fully > open source since 2014, to give one example that I'm familiar with > myself. On AMDs GPUs you can actually write shaders which works with the trusted data and can read and write. What is prevented is that you copy the data outside of the trusted zone, e.g. to the CPU. When you do this you only get garbage. Only engines which have the proper decryption key can send out the data (for example) to a display device which has authenticated itself using HDCP. Just a few infos how this is done elsewhere. Cheers, Christian. > >> Maybe the other side is even less secure than the FOSS side... >> >>> access to it (for example decoders, display controllers if we're talking >>> about video use cases). However, since the use cases for this exercises >>> the whole stack, from non-secure user space (EL0) all the way to secure >>> user space (S-EL0), with various devices needing access to the buffer at >>> various times, it makes sense to let Linux manage the buffers, although >>> it still cannot access the content. That's the overall context. >> Yes, we know all this (except for the exact meaning of EL0 etc.). >> > Great! > >>> As for the name, it's always difficult to find a name suitable precisely >>> describing what it is. "Secure" is perhaps vague, but it might still a >>> good choice, if you carefully describe what secure means for this >>> particular heap (in the source code and the documentation for it). For >> Carefully describe, as in, re-define. >> >>> example, the definition of "secure" for a secure heap as here could mean >>> that buffer content is inaccessible to the host OS and user space >>> running in normal world (using Arm nomenclature). I wouldn't have any >>> problems with calling it secure if, as said it's defined what we mean by >>> saying so. But I'm all ears for other suggestions as well. >>> >>> Safe, protected, shielded, unreachable, isolated, inaccessible, >>> unaccessible, fortified, ... would any of these make more sense? >> "Restricted" sounds like a good compromise to me. The buffers' usage is >> severely restricted. >> > Yes, restricted isn't a bad choice. We would still need to describe what > we mean by saying it's restricted, i.e., what is it restricted from, > since I'd guess that "restricted" by itself also could be a bit open > ended for a lot of people. > >> It is the opposite of "safe", because accessing the contents the wrong >> way can return garbage or intentionally crash the whole system, >> depending on the hardware implementation. One example is attempting to >> put such a buffer on a KMS plane while the connector HDCP state is not >> high enough, or a writeback connector is connected to the CRTC. It is >> really fragile. (Do KMS drivers fail an atomic commit that would >> violate the heap rules? Somehow I doubt that, who'd even know what the >> rules are.) >> > I believe one of the goals with reviewing the patches is to highlight > issues like this and try to figure out how to avoid ending up in > situations like what you described by suggesting alternative solutions > and ideas. > >> It is protected/shielded/fortified from all the kernel and userspace, >> but a more familiar word to describe that is inaccessible. >> "Inaccessible buffer" per se OTOH sounds like a useless concept. >> >> It is not secure, because it does not involve security in any way. In >> fact, given it's so fragile, I'd classify it as mildly opposite of >> secure, as e.g. clients of a Wayland compositor can potentially DoS the >> compositor with it by simply sending such a dmabuf. Or DoS the whole >> system. >> > I hear what you are saying and DoS is a known problem and attack vector, > but regardless, we have use cases where we don't want to expose > information in the clear and where we also would like to have some > guarantees about correctness. That is where various secure elements and > more generally security is needed. > > So, it sounds like we have two things here, the first is the naming and > the meaning behind it. I'm pretty sure the people following and > contributing to this thread can agree on a name that makes sense. Would > you personally be OK with "restricted" as the name? It sounds like that. > > The other thing is the feature and functionality itself offered by this > patch series. My impression from reading your replies is that you think > this is the wrong approach. If my impression is correct, what would you > suggest as an alternative approach? > >> "Poisonous heap" would be fitting but politically inappropriate I >> guess. After all, "poison" is data that is not meant to be read by >> anything normal. >> >> >> Thanks, >> pq