From: Robin Murphy <robin.murphy@arm.com> To: Benjamin Gaignard <benjamin.gaignard@linaro.org>, Mark Rutland <mark.rutland@arm.com> Cc: devicetree@vger.kernel.org, Alexandre Torgue <alexandre.torgue@st.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, Rob Herring <robh+dt@kernel.org>, Maxime Coquelin <mcoquelin.stm32@gmail.com>, Linux ARM <linux-arm-kernel@lists.infradead.org>, Benjamin Gaignard <benjamin.gaignard@st.com> Subject: Re: [PATCH 0/3] STM32 Extended TrustZone Protection driver Date: Tue, 27 Feb 2018 19:46:29 +0000 [thread overview] Message-ID: <11c3ceb2-8b8d-de59-a0be-0777a42f63a7@arm.com> (raw) In-Reply-To: <CA+M3ks6qV_pGdE6mr3n7TiY9VhbqEkrdH6tN=8e-A=oa4UbDHw@mail.gmail.com> On 27/02/18 19:16, Benjamin Gaignard wrote: > 2018-02-27 18:11 GMT+01:00 Mark Rutland <mark.rutland@arm.com>: >> On Tue, Feb 27, 2018 at 03:09:23PM +0100, Benjamin Gaignard wrote: >>> On early boot stages STM32MP1 platform is able to dedicate some hardware blocks >>> to a secure OS running in TrustZone. >>> We need to avoid using those hardware blocks on non-secure context (i.e. kernel) >>> because read/write access will all be discarded. >>> >>> Extended TrustZone Protection driver register itself as listener of >>> BUS_NOTIFY_BIND_DRIVER and check, given the device address, if the hardware block >>> could be used in a Linux context. If not it returns NOTIFY_BAD to driver core >>> to stop driver probing. >> >> Huh? >> >> If these devices are not usable from the non-secure side, why are they >> not removed form the DT (or marked disabled)? >> >> In other cases, where resources are carved out for the secure side (e.g. >> DRAM carveouts), that's how we handle things. >> > > That true you can parse and disable a device a boot time but if DT doesn't > exactly reflect etzpc status bits we will in trouble when try to get access to > the device. Well, yes. If the DT doesn't correctly represent the hardware, things will probably go wrong; that's hardly a novel concept, and it's certainly not unique to this particular SoC. > Changing the DT is a software protection while etzpc is an hardware protection > so we need to check it anyway. There are several in-tree DT and code examples where devices are marked as disabled on certain boards/SoC variants/etc. because attempting to access them can abort/lock up/trigger a secure watchdog reset/etc. The only "special" thing in this particular situation is apparently that this device even allows its secure configuration to be probed from the non-secure side at all. Implementing a boardfile so that you can "check" the DT makes very little sense to me; Linux is not a firmware validation suite. Robin.
WARNING: multiple messages have this Message-ID (diff)
From: robin.murphy@arm.com (Robin Murphy) To: linux-arm-kernel@lists.infradead.org Subject: [PATCH 0/3] STM32 Extended TrustZone Protection driver Date: Tue, 27 Feb 2018 19:46:29 +0000 [thread overview] Message-ID: <11c3ceb2-8b8d-de59-a0be-0777a42f63a7@arm.com> (raw) In-Reply-To: <CA+M3ks6qV_pGdE6mr3n7TiY9VhbqEkrdH6tN=8e-A=oa4UbDHw@mail.gmail.com> On 27/02/18 19:16, Benjamin Gaignard wrote: > 2018-02-27 18:11 GMT+01:00 Mark Rutland <mark.rutland@arm.com>: >> On Tue, Feb 27, 2018 at 03:09:23PM +0100, Benjamin Gaignard wrote: >>> On early boot stages STM32MP1 platform is able to dedicate some hardware blocks >>> to a secure OS running in TrustZone. >>> We need to avoid using those hardware blocks on non-secure context (i.e. kernel) >>> because read/write access will all be discarded. >>> >>> Extended TrustZone Protection driver register itself as listener of >>> BUS_NOTIFY_BIND_DRIVER and check, given the device address, if the hardware block >>> could be used in a Linux context. If not it returns NOTIFY_BAD to driver core >>> to stop driver probing. >> >> Huh? >> >> If these devices are not usable from the non-secure side, why are they >> not removed form the DT (or marked disabled)? >> >> In other cases, where resources are carved out for the secure side (e.g. >> DRAM carveouts), that's how we handle things. >> > > That true you can parse and disable a device a boot time but if DT doesn't > exactly reflect etzpc status bits we will in trouble when try to get access to > the device. Well, yes. If the DT doesn't correctly represent the hardware, things will probably go wrong; that's hardly a novel concept, and it's certainly not unique to this particular SoC. > Changing the DT is a software protection while etzpc is an hardware protection > so we need to check it anyway. There are several in-tree DT and code examples where devices are marked as disabled on certain boards/SoC variants/etc. because attempting to access them can abort/lock up/trigger a secure watchdog reset/etc. The only "special" thing in this particular situation is apparently that this device even allows its secure configuration to be probed from the non-secure side at all. Implementing a boardfile so that you can "check" the DT makes very little sense to me; Linux is not a firmware validation suite. Robin.
next prev parent reply other threads:[~2018-02-27 19:46 UTC|newest] Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-02-27 14:09 [PATCH 0/3] STM32 Extended TrustZone Protection driver Benjamin Gaignard 2018-02-27 14:09 ` Benjamin Gaignard 2018-02-27 14:09 ` [PATCH 1/3] driver core: check notifier_call_chain return value Benjamin Gaignard 2018-02-27 14:09 ` Benjamin Gaignard 2018-03-15 17:10 ` Greg KH 2018-03-15 17:10 ` Greg KH 2018-03-16 8:53 ` Benjamin Gaignard 2018-03-16 8:53 ` Benjamin Gaignard 2018-02-27 14:09 ` [PATCH 2/3] dt-bindings: stm32: Add bindings for Extended TrustZone Protection Benjamin Gaignard 2018-02-27 14:09 ` Benjamin Gaignard 2018-02-27 14:09 ` [PATCH 3/3] ARM: mach-stm32: Add Extended TrustZone Protection driver Benjamin Gaignard 2018-02-27 14:09 ` Benjamin Gaignard 2018-02-27 17:14 ` Mark Rutland 2018-02-27 17:14 ` Mark Rutland 2018-02-27 19:23 ` Benjamin Gaignard 2018-02-27 19:23 ` Benjamin Gaignard 2018-02-27 17:11 ` [PATCH 0/3] STM32 " Mark Rutland 2018-02-27 17:11 ` Mark Rutland 2018-02-27 19:16 ` Benjamin Gaignard 2018-02-27 19:16 ` Benjamin Gaignard 2018-02-27 19:46 ` Robin Murphy [this message] 2018-02-27 19:46 ` Robin Murphy 2018-02-28 7:53 ` Benjamin Gaignard 2018-02-28 7:53 ` Benjamin Gaignard 2018-02-28 17:53 ` Mark Rutland 2018-02-28 17:53 ` Mark Rutland 2018-02-28 18:32 ` Robin Murphy 2018-02-28 18:32 ` Robin Murphy
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=11c3ceb2-8b8d-de59-a0be-0777a42f63a7@arm.com \ --to=robin.murphy@arm.com \ --cc=alexandre.torgue@st.com \ --cc=benjamin.gaignard@linaro.org \ --cc=benjamin.gaignard@st.com \ --cc=devicetree@vger.kernel.org \ --cc=gregkh@linuxfoundation.org \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=mark.rutland@arm.com \ --cc=mcoquelin.stm32@gmail.com \ --cc=robh+dt@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.