[PATCH 0/3] misc: sram: Introduce protect-exec region type

[PATCH 0/3] misc: sram: Introduce protect-exec region type

[Dave Gerlach]

Hi,
There are several instances when one would want to execute out of on-chip
SRAM, such as PM code on ARM platforms, so once again revisiting this
series to allow that in a generic manner. Seems that having a solution for
allowing SRAM to be mapped as executable will help clean up PM code on several
ARM platforms that are using ARM internal __arm_ioremap_exec API
and also open the door for PM support on new platforms like TI AM335x and
AM437x.

Previously a generic solution was attempted by introducing a memremap
executable API and then calling this from the generic sram driver here [1].
Russell King brought up the point that we should not just be mapping
memory as both writable and executable for security reasons which led to
the solution proposed in this series. 

The generic SRAM driver already has a concept of "partitions" which can be
defined and flagged in the device tree, so this series introduces a new flag,
protect-exec, which indicates the region of SRAM that has been blocked out in
the DT is protected and executable. It will share the same capabilities of the
already present sram "pool" which will allow allocation through the use of the
genalloc framework but also be protected through the use of an "sram_exec_copy"
helper function to handle the copying of data to the space and also the page
attributes. In this context protected means the memory is managed such that
it is *either* writeable and non-executable or read-only and executable through
manipulation of the page attributes.

Unforunately, unlike the previously proposed solution, this is not a drop in
replacement for __arm_ioremap_exec, A large side effect of allocating
executable SRAM as this series does is that it will require rework for some
SRAM code as a lot of the assembly code I have seen makes use of PC relative
memory locations at the end of the code for local variables. This will no
longer be possible if we must maintain the read-only executable status of
the memory. If that's required then SRAM code will need to use pointers to
a separately allocated region of sram that is just a normal writable pool.

As mentioned in previous series I still see several platforms (at-91,
imx6, socfpga, omap3) that could make use of this although some rework may
be required unlike with the last solution, and it will be needed for the
forthcoming TI am335x and am437x PM code as portions of PM code are
moving in to drivers. An example of this in use can be seen at [2] in the 
drivers/memory/ti-emif-sram.c and drivers/soc/ti/pm33xx.c files.

Regards,
Dave

[1] http://www.spinics.net/lists/linux-omap/msg132728.html
[2] https://github.com/dgerlach/linux-pm/tree/upstream/v4.10/sram-exec-copy-pm

Dave Gerlach (3):
  misc: sram: Split sram data structures into local header
  misc: sram: Introduce support code for protect-exec sram type
  misc: sram: Integrate protect-exec reserved sram area type

 Documentation/devicetree/bindings/sram/sram.txt |   6 ++
 drivers/misc/Kconfig                            |   4 +
 drivers/misc/Makefile                           |   1 +
 drivers/misc/sram-exec.c                        | 105 ++++++++++++++++++++++++
 drivers/misc/sram.c                             |  51 +++++-------
 drivers/misc/sram.h                             |  58 +++++++++++++
 include/linux/sram.h                            |  27 ++++++
 7 files changed, 222 insertions(+), 30 deletions(-)
 create mode 100644 drivers/misc/sram-exec.c
 create mode 100644 drivers/misc/sram.h
 create mode 100644 include/linux/sram.h

-- 
2.11.0

[PATCH 0/3] misc: sram: Introduce protect-exec region type

[Dave Gerlach]

Hi,
There are several instances when one would want to execute out of on-chip
SRAM, such as PM code on ARM platforms, so once again revisiting this
series to allow that in a generic manner. Seems that having a solution for
allowing SRAM to be mapped as executable will help clean up PM code on several
ARM platforms that are using ARM internal __arm_ioremap_exec API
and also open the door for PM support on new platforms like TI AM335x and
AM437x.

Previously a generic solution was attempted by introducing a memremap
executable API and then calling this from the generic sram driver here [1].
Russell King brought up the point that we should not just be mapping
memory as both writable and executable for security reasons which led to
the solution proposed in this series. 

The generic SRAM driver already has a concept of "partitions" which can be
defined and flagged in the device tree, so this series introduces a new flag,
protect-exec, which indicates the region of SRAM that has been blocked out in
the DT is protected and executable. It will share the same capabilities of the
already present sram "pool" which will allow allocation through the use of the
genalloc framework but also be protected through the use of an "sram_exec_copy"
helper function to handle the copying of data to the space and also the page
attributes. In this context protected means the memory is managed such that
it is *either* writeable and non-executable or read-only and executable through
manipulation of the page attributes.

Unforunately, unlike the previously proposed solution, this is not a drop in
replacement for __arm_ioremap_exec, A large side effect of allocating
executable SRAM as this series does is that it will require rework for some
SRAM code as a lot of the assembly code I have seen makes use of PC relative
memory locations at the end of the code for local variables. This will no
longer be possible if we must maintain the read-only executable status of
the memory. If that's required then SRAM code will need to use pointers to
a separately allocated region of sram that is just a normal writable pool.

As mentioned in previous series I still see several platforms (at-91,
imx6, socfpga, omap3) that could make use of this although some rework may
be required unlike with the last solution, and it will be needed for the
forthcoming TI am335x and am437x PM code as portions of PM code are
moving in to drivers. An example of this in use can be seen at [2] in the 
drivers/memory/ti-emif-sram.c and drivers/soc/ti/pm33xx.c files.

Regards,
Dave

[1] http://www.spinics.net/lists/linux-omap/msg132728.html
[2] https://github.com/dgerlach/linux-pm/tree/upstream/v4.10/sram-exec-copy-pm

Dave Gerlach (3):
  misc: sram: Split sram data structures into local header
  misc: sram: Introduce support code for protect-exec sram type
  misc: sram: Integrate protect-exec reserved sram area type

 Documentation/devicetree/bindings/sram/sram.txt |   6 ++
 drivers/misc/Kconfig                            |   4 +
 drivers/misc/Makefile                           |   1 +
 drivers/misc/sram-exec.c                        | 105 ++++++++++++++++++++++++
 drivers/misc/sram.c                             |  51 +++++-------
 drivers/misc/sram.h                             |  58 +++++++++++++
 include/linux/sram.h                            |  27 ++++++
 7 files changed, 222 insertions(+), 30 deletions(-)
 create mode 100644 drivers/misc/sram-exec.c
 create mode 100644 drivers/misc/sram.h
 create mode 100644 include/linux/sram.h

-- 
2.11.0

[PATCH 0/3] misc: sram: Introduce protect-exec region type

[Dave Gerlach]

Hi,
There are several instances when one would want to execute out of on-chip
SRAM, such as PM code on ARM platforms, so once again revisiting this
series to allow that in a generic manner. Seems that having a solution for
allowing SRAM to be mapped as executable will help clean up PM code on several
ARM platforms that are using ARM internal __arm_ioremap_exec API
and also open the door for PM support on new platforms like TI AM335x and
AM437x.

Previously a generic solution was attempted by introducing a memremap
executable API and then calling this from the generic sram driver here [1].
Russell King brought up the point that we should not just be mapping
memory as both writable and executable for security reasons which led to
the solution proposed in this series. 

The generic SRAM driver already has a concept of "partitions" which can be
defined and flagged in the device tree, so this series introduces a new flag,
protect-exec, which indicates the region of SRAM that has been blocked out in
the DT is protected and executable. It will share the same capabilities of the
already present sram "pool" which will allow allocation through the use of the
genalloc framework but also be protected through the use of an "sram_exec_copy"
helper function to handle the copying of data to the space and also the page
attributes. In this context protected means the memory is managed such that
it is *either* writeable and non-executable or read-only and executable through
manipulation of the page attributes.

Unforunately, unlike the previously proposed solution, this is not a drop in
replacement for __arm_ioremap_exec, A large side effect of allocating
executable SRAM as this series does is that it will require rework for some
SRAM code as a lot of the assembly code I have seen makes use of PC relative
memory locations at the end of the code for local variables. This will no
longer be possible if we must maintain the read-only executable status of
the memory. If that's required then SRAM code will need to use pointers to
a separately allocated region of sram that is just a normal writable pool.

As mentioned in previous series I still see several platforms (at-91,
imx6, socfpga, omap3) that could make use of this although some rework may
be required unlike with the last solution, and it will be needed for the
forthcoming TI am335x and am437x PM code as portions of PM code are
moving in to drivers. An example of this in use can be seen at [2] in the 
drivers/memory/ti-emif-sram.c and drivers/soc/ti/pm33xx.c files.

Regards,
Dave

[1] http://www.spinics.net/lists/linux-omap/msg132728.html
[2] https://github.com/dgerlach/linux-pm/tree/upstream/v4.10/sram-exec-copy-pm

Dave Gerlach (3):
  misc: sram: Split sram data structures into local header
  misc: sram: Introduce support code for protect-exec sram type
  misc: sram: Integrate protect-exec reserved sram area type

 Documentation/devicetree/bindings/sram/sram.txt |   6 ++
 drivers/misc/Kconfig                            |   4 +
 drivers/misc/Makefile                           |   1 +
 drivers/misc/sram-exec.c                        | 105 ++++++++++++++++++++++++
 drivers/misc/sram.c                             |  51 +++++-------
 drivers/misc/sram.h                             |  58 +++++++++++++
 include/linux/sram.h                            |  27 ++++++
 7 files changed, 222 insertions(+), 30 deletions(-)
 create mode 100644 drivers/misc/sram-exec.c
 create mode 100644 drivers/misc/sram.h
 create mode 100644 include/linux/sram.h

-- 
2.11.0

[PATCH 1/3] misc: sram: Split sram data structures into local header

[Dave Gerlach]

In preparation of a coming file split of the sram driver, move the
common data structures into a local header file that can be shared
between files related to the sram driver.

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
---
 drivers/misc/sram.c | 30 ++----------------------------
 drivers/misc/sram.h | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 28 deletions(-)
 create mode 100644 drivers/misc/sram.h

diff --git a/drivers/misc/sram.c b/drivers/misc/sram.c
index b33ab8ce47ab..4ef5affd03d7 100644
--- a/drivers/misc/sram.c
+++ b/drivers/misc/sram.c
@@ -31,35 +31,9 @@
 #include <linux/mfd/syscon.h>
 #include <soc/at91/atmel-secumod.h>
 
-#define SRAM_GRANULARITY	32
-
-struct sram_partition {
-	void __iomem *base;
-
-	struct gen_pool *pool;
-	struct bin_attribute battr;
-	struct mutex lock;
-};
-
-struct sram_dev {
-	struct device *dev;
-	void __iomem *virt_base;
-
-	struct gen_pool *pool;
-	struct clk *clk;
+#include "sram.h"
 
-	struct sram_partition *partition;
-	u32 partitions;
-};
-
-struct sram_reserve {
-	struct list_head list;
-	u32 start;
-	u32 size;
-	bool export;
-	bool pool;
-	const char *label;
-};
+#define SRAM_GRANULARITY	32
 
 static ssize_t sram_read(struct file *filp, struct kobject *kobj,
 			 struct bin_attribute *attr,
diff --git a/drivers/misc/sram.h b/drivers/misc/sram.h
new file mode 100644
index 000000000000..52501a84468c
--- /dev/null
+++ b/drivers/misc/sram.h
@@ -0,0 +1,39 @@
+/*
+ * Defines for the SRAM driver
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef __SRAM_H
+#define __SRAM_H
+
+struct sram_partition {
+	void __iomem *base;
+
+	struct gen_pool *pool;
+	struct bin_attribute battr;
+	struct mutex lock;
+	struct list_head list;
+};
+
+struct sram_dev {
+	struct device *dev;
+	void __iomem *virt_base;
+
+	struct gen_pool *pool;
+	struct clk *clk;
+
+	struct sram_partition *partition;
+	u32 partitions;
+};
+
+struct sram_reserve {
+	struct list_head list;
+	u32 start;
+	u32 size;
+	bool export;
+	bool pool;
+	const char *label;
+};
+#endif /* __SRAM_H */
-- 
2.11.0

[PATCH 1/3] misc: sram: Split sram data structures into local header

[Dave Gerlach]

In preparation of a coming file split of the sram driver, move the
common data structures into a local header file that can be shared
between files related to the sram driver.

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
---
 drivers/misc/sram.c | 30 ++----------------------------
 drivers/misc/sram.h | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 28 deletions(-)
 create mode 100644 drivers/misc/sram.h

diff --git a/drivers/misc/sram.c b/drivers/misc/sram.c
index b33ab8ce47ab..4ef5affd03d7 100644
--- a/drivers/misc/sram.c
+++ b/drivers/misc/sram.c
@@ -31,35 +31,9 @@
 #include <linux/mfd/syscon.h>
 #include <soc/at91/atmel-secumod.h>
 
-#define SRAM_GRANULARITY	32
-
-struct sram_partition {
-	void __iomem *base;
-
-	struct gen_pool *pool;
-	struct bin_attribute battr;
-	struct mutex lock;
-};
-
-struct sram_dev {
-	struct device *dev;
-	void __iomem *virt_base;
-
-	struct gen_pool *pool;
-	struct clk *clk;
+#include "sram.h"
 
-	struct sram_partition *partition;
-	u32 partitions;
-};
-
-struct sram_reserve {
-	struct list_head list;
-	u32 start;
-	u32 size;
-	bool export;
-	bool pool;
-	const char *label;
-};
+#define SRAM_GRANULARITY	32
 
 static ssize_t sram_read(struct file *filp, struct kobject *kobj,
 			 struct bin_attribute *attr,
diff --git a/drivers/misc/sram.h b/drivers/misc/sram.h
new file mode 100644
index 000000000000..52501a84468c
--- /dev/null
+++ b/drivers/misc/sram.h
@@ -0,0 +1,39 @@
+/*
+ * Defines for the SRAM driver
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef __SRAM_H
+#define __SRAM_H
+
+struct sram_partition {
+	void __iomem *base;
+
+	struct gen_pool *pool;
+	struct bin_attribute battr;
+	struct mutex lock;
+	struct list_head list;
+};
+
+struct sram_dev {
+	struct device *dev;
+	void __iomem *virt_base;
+
+	struct gen_pool *pool;
+	struct clk *clk;
+
+	struct sram_partition *partition;
+	u32 partitions;
+};
+
+struct sram_reserve {
+	struct list_head list;
+	u32 start;
+	u32 size;
+	bool export;
+	bool pool;
+	const char *label;
+};
+#endif /* __SRAM_H */
-- 
2.11.0

[PATCH 1/3] misc: sram: Split sram data structures into local header

[Dave Gerlach]

In preparation of a coming file split of the sram driver, move the
common data structures into a local header file that can be shared
between files related to the sram driver.

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
---
 drivers/misc/sram.c | 30 ++----------------------------
 drivers/misc/sram.h | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 28 deletions(-)
 create mode 100644 drivers/misc/sram.h

diff --git a/drivers/misc/sram.c b/drivers/misc/sram.c
index b33ab8ce47ab..4ef5affd03d7 100644
--- a/drivers/misc/sram.c
+++ b/drivers/misc/sram.c
@@ -31,35 +31,9 @@
 #include <linux/mfd/syscon.h>
 #include <soc/at91/atmel-secumod.h>
 
-#define SRAM_GRANULARITY	32
-
-struct sram_partition {
-	void __iomem *base;
-
-	struct gen_pool *pool;
-	struct bin_attribute battr;
-	struct mutex lock;
-};
-
-struct sram_dev {
-	struct device *dev;
-	void __iomem *virt_base;
-
-	struct gen_pool *pool;
-	struct clk *clk;
+#include "sram.h"
 
-	struct sram_partition *partition;
-	u32 partitions;
-};
-
-struct sram_reserve {
-	struct list_head list;
-	u32 start;
-	u32 size;
-	bool export;
-	bool pool;
-	const char *label;
-};
+#define SRAM_GRANULARITY	32
 
 static ssize_t sram_read(struct file *filp, struct kobject *kobj,
 			 struct bin_attribute *attr,
diff --git a/drivers/misc/sram.h b/drivers/misc/sram.h
new file mode 100644
index 000000000000..52501a84468c
--- /dev/null
+++ b/drivers/misc/sram.h
@@ -0,0 +1,39 @@
+/*
+ * Defines for the SRAM driver
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef __SRAM_H
+#define __SRAM_H
+
+struct sram_partition {
+	void __iomem *base;
+
+	struct gen_pool *pool;
+	struct bin_attribute battr;
+	struct mutex lock;
+	struct list_head list;
+};
+
+struct sram_dev {
+	struct device *dev;
+	void __iomem *virt_base;
+
+	struct gen_pool *pool;
+	struct clk *clk;
+
+	struct sram_partition *partition;
+	u32 partitions;
+};
+
+struct sram_reserve {
+	struct list_head list;
+	u32 start;
+	u32 size;
+	bool export;
+	bool pool;
+	const char *label;
+};
+#endif /* __SRAM_H */
-- 
2.11.0

[PATCH 2/3] misc: sram: Introduce support code for protect-exec sram type

[Dave Gerlach]

Some platforms, like many ARM SoCs, require the ability to run code from
on-chip memory like SRAM for tasks like reconfiguring the SDRAM
controller or entering low-power sleep modes. In order to do this we
must be able to allocate memory that the code can be copied to but then
change the mapping to be read-only and executable so that no memory is
both writable and executable at the same time to avoid opening any
unneccesary security holes.

By using the existing "pool" partition type that the SRAM driver allows
we can create a memory space that will already be exposed by the
genalloc framework to allow for allocating memory but we must extend
this to meet the executable requirements. By making use of various
set_memory_* APIs we can change the attributes of pages to make them
writable for code upload but then read-only and executable when we want
to actually run code.  Because SRAM is a shared resource we need a
centralized manager of these set memory calls. Because the SRAM driver
itself is responsible for allocating the memory we can introduce a
sram_copy_exec API for the driver that works like memcpy but also
manages the page attributes and locking to allow multiple users of the
same SRAM space to all copy their code over independent of other each
before starting execution.

It is maintained in a separate file from the core SRAM driver to allow
it to be selectively built depending on whether or not a platform has
the appropriate set_memory_* APIs. A future patch will integrate it with
the core SRAM driver.

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
---
 drivers/misc/sram-exec.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++
 drivers/misc/sram.h      |  18 ++++++++
 include/linux/sram.h     |  27 ++++++++++++
 3 files changed, 150 insertions(+)
 create mode 100644 drivers/misc/sram-exec.c
 create mode 100644 include/linux/sram.h

diff --git a/drivers/misc/sram-exec.c b/drivers/misc/sram-exec.c
new file mode 100644
index 000000000000..ac522417c462
--- /dev/null
+++ b/drivers/misc/sram-exec.c
@@ -0,0 +1,105 @@
+/*
+ * SRAM protect-exec region helper functions
+ *
+ * Copyright (C) 2017 Texas Instruments Incorporated - http://www.ti.com/
+ *	Dave Gerlach
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed "as is" WITHOUT ANY WARRANTY of any
+ * kind, whether express or implied; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include <linux/device.h>
+#include <linux/genalloc.h>
+#include <linux/sram.h>
+
+#include <asm/cacheflush.h>
+
+#include "sram.h"
+
+static DEFINE_MUTEX(exec_pool_list_mutex);
+static LIST_HEAD(exec_pool_list);
+
+int sram_check_protect_exec(struct sram_dev *sram, struct sram_reserve *block,
+			    struct sram_partition *part)
+{
+	unsigned long base = (unsigned long)part->base;
+	unsigned long end = base + block->size;
+
+	if (!PAGE_ALIGNED(base) || !PAGE_ALIGNED(end)) {
+		dev_err(sram->dev,
+			"SRAM pool marked with 'protect-exec' is not page aligned and will not be created.\n");
+		return -ENOMEM;
+	}
+
+	return 0;
+}
+
+int sram_add_protect_exec(struct sram_partition *part)
+{
+	mutex_lock(&exec_pool_list_mutex);
+	list_add_tail(&part->list, &exec_pool_list);
+	mutex_unlock(&exec_pool_list_mutex);
+
+	return 0;
+}
+
+/**
+ * sram_exec_copy - copy data to a protected executable region of sram
+ *
+ * @pool: struct gen_pool retrieved that is part of this sram
+ * @dst: Destination address for the copy, that must be inside pool
+ * @src: Source address for the data to copy
+ * @size: Size of copy to perform, which starting from dst, must reside in pool
+ *
+ * This helper function allows sram driver to act as central control location
+ * of 'protect-exec' pools which are normal sram pools but are always set
+ * read-only and executable except when copying data to them, at which point
+ * they are set to read-write non-executable, to make sure no memory is
+ * writeable and executable at the same time. This region must be page-aligned
+ * and is checked during probe, otherwise page attribute manipulation would
+ * not be possible.
+ */
+int sram_exec_copy(struct gen_pool *pool, void *dst, void *src,
+		   size_t size)
+{
+	struct sram_partition *part = NULL, *p;
+	unsigned long base;
+	int pages;
+
+	mutex_lock(&exec_pool_list_mutex);
+	list_for_each_entry(p, &exec_pool_list, list) {
+		if (p->pool == pool)
+			part = p;
+	}
+	mutex_unlock(&exec_pool_list_mutex);
+
+	if (!part)
+		return -EINVAL;
+
+	if (!addr_in_gen_pool(pool, (unsigned long)dst, size))
+		return -EINVAL;
+
+	base = (unsigned long)part->base;
+	pages = PAGE_ALIGN(size) / PAGE_SIZE;
+
+	mutex_lock(&part->lock);
+
+	set_memory_nx((unsigned long)base, pages);
+	set_memory_rw((unsigned long)base, pages);
+
+	memcpy(dst, src, size);
+
+	set_memory_ro((unsigned long)base, pages);
+	set_memory_x((unsigned long)base, pages);
+
+	mutex_unlock(&part->lock);
+
+	return 0;
+}
+EXPORT_SYMBOL_GPL(sram_exec_copy);
diff --git a/drivers/misc/sram.h b/drivers/misc/sram.h
index 52501a84468c..b268cd3f55bb 100644
--- a/drivers/misc/sram.h
+++ b/drivers/misc/sram.h
@@ -36,4 +36,22 @@ struct sram_reserve {
 	bool pool;
 	const char *label;
 };
+
+#ifdef CONFIG_SRAM_EXEC
+int sram_check_protect_exec(struct sram_dev *sram, struct sram_reserve *block,
+			    struct sram_partition *part);
+int sram_add_protect_exec(struct sram_partition *part);
+#else
+static inline int sram_check_protect_exec(struct sram_dev *sram,
+					  struct sram_reserve *block,
+					  struct sram_partition *part)
+{
+	return -ENODEV;
+}
+
+static inline int sram_add_protect_exec(struct sram_partition *part)
+{
+	return -ENODEV;
+}
+#endif /* CONFIG_SRAM_EXEC */
 #endif /* __SRAM_H */
diff --git a/include/linux/sram.h b/include/linux/sram.h
new file mode 100644
index 000000000000..c97dcbe8ce25
--- /dev/null
+++ b/include/linux/sram.h
@@ -0,0 +1,27 @@
+/*
+ * Generic SRAM Driver Interface
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation version 2.
+ *
+ * This program is distributed "as is" WITHOUT ANY WARRANTY of any
+ * kind, whether express or implied; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+#ifndef __LINUX_SRAM_H__
+#define __LINUX_SRAM_H__
+
+struct gen_pool;
+
+#ifdef CONFIG_SRAM_EXEC
+int sram_exec_copy(struct gen_pool *pool, void *dst, void *src, size_t size);
+#else
+static inline int sram_exec_copy(struct gen_pool *pool, void *dst, void *src,
+				 size_t size)
+{
+	return -ENODEV;
+}
+#endif /* CONFIG_SRAM_EXEC */
+#endif /* __LINUX_SRAM_H__ */
-- 
2.11.0

[PATCH 2/3] misc: sram: Introduce support code for protect-exec sram type

[Dave Gerlach]

Some platforms, like many ARM SoCs, require the ability to run code from
on-chip memory like SRAM for tasks like reconfiguring the SDRAM
controller or entering low-power sleep modes. In order to do this we
must be able to allocate memory that the code can be copied to but then
change the mapping to be read-only and executable so that no memory is
both writable and executable at the same time to avoid opening any
unneccesary security holes.

By using the existing "pool" partition type that the SRAM driver allows
we can create a memory space that will already be exposed by the
genalloc framework to allow for allocating memory but we must extend
this to meet the executable requirements. By making use of various
set_memory_* APIs we can change the attributes of pages to make them
writable for code upload but then read-only and executable when we want
to actually run code.  Because SRAM is a shared resource we need a
centralized manager of these set memory calls. Because the SRAM driver
itself is responsible for allocating the memory we can introduce a
sram_copy_exec API for the driver that works like memcpy but also
manages the page attributes and locking to allow multiple users of the
same SRAM space to all copy their code over independent of other each
before starting execution.

It is maintained in a separate file from the core SRAM driver to allow
it to be selectively built depending on whether or not a platform has
the appropriate set_memory_* APIs. A future patch will integrate it with
the core SRAM driver.

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
---
 drivers/misc/sram-exec.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++
 drivers/misc/sram.h      |  18 ++++++++
 include/linux/sram.h     |  27 ++++++++++++
 3 files changed, 150 insertions(+)
 create mode 100644 drivers/misc/sram-exec.c
 create mode 100644 include/linux/sram.h

diff --git a/drivers/misc/sram-exec.c b/drivers/misc/sram-exec.c
new file mode 100644
index 000000000000..ac522417c462
--- /dev/null
+++ b/drivers/misc/sram-exec.c
@@ -0,0 +1,105 @@
+/*
+ * SRAM protect-exec region helper functions
+ *
+ * Copyright (C) 2017 Texas Instruments Incorporated - http://www.ti.com/
+ *	Dave Gerlach
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed "as is" WITHOUT ANY WARRANTY of any
+ * kind, whether express or implied; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include <linux/device.h>
+#include <linux/genalloc.h>
+#include <linux/sram.h>
+
+#include <asm/cacheflush.h>
+
+#include "sram.h"
+
+static DEFINE_MUTEX(exec_pool_list_mutex);
+static LIST_HEAD(exec_pool_list);
+
+int sram_check_protect_exec(struct sram_dev *sram, struct sram_reserve *block,
+			    struct sram_partition *part)
+{
+	unsigned long base = (unsigned long)part->base;
+	unsigned long end = base + block->size;
+
+	if (!PAGE_ALIGNED(base) || !PAGE_ALIGNED(end)) {
+		dev_err(sram->dev,
+			"SRAM pool marked with 'protect-exec' is not page aligned and will not be created.\n");
+		return -ENOMEM;
+	}
+
+	return 0;
+}
+
+int sram_add_protect_exec(struct sram_partition *part)
+{
+	mutex_lock(&exec_pool_list_mutex);
+	list_add_tail(&part->list, &exec_pool_list);
+	mutex_unlock(&exec_pool_list_mutex);
+
+	return 0;
+}
+
+/**
+ * sram_exec_copy - copy data to a protected executable region of sram
+ *
+ * @pool: struct gen_pool retrieved that is part of this sram
+ * @dst: Destination address for the copy, that must be inside pool
+ * @src: Source address for the data to copy
+ * @size: Size of copy to perform, which starting from dst, must reside in pool
+ *
+ * This helper function allows sram driver to act as central control location
+ * of 'protect-exec' pools which are normal sram pools but are always set
+ * read-only and executable except when copying data to them, at which point
+ * they are set to read-write non-executable, to make sure no memory is
+ * writeable and executable at the same time. This region must be page-aligned
+ * and is checked during probe, otherwise page attribute manipulation would
+ * not be possible.
+ */
+int sram_exec_copy(struct gen_pool *pool, void *dst, void *src,
+		   size_t size)
+{
+	struct sram_partition *part = NULL, *p;
+	unsigned long base;
+	int pages;
+
+	mutex_lock(&exec_pool_list_mutex);
+	list_for_each_entry(p, &exec_pool_list, list) {
+		if (p->pool == pool)
+			part = p;
+	}
+	mutex_unlock(&exec_pool_list_mutex);
+
+	if (!part)
+		return -EINVAL;
+
+	if (!addr_in_gen_pool(pool, (unsigned long)dst, size))
+		return -EINVAL;
+
+	base = (unsigned long)part->base;
+	pages = PAGE_ALIGN(size) / PAGE_SIZE;
+
+	mutex_lock(&part->lock);
+
+	set_memory_nx((unsigned long)base, pages);
+	set_memory_rw((unsigned long)base, pages);
+
+	memcpy(dst, src, size);
+
+	set_memory_ro((unsigned long)base, pages);
+	set_memory_x((unsigned long)base, pages);
+
+	mutex_unlock(&part->lock);
+
+	return 0;
+}
+EXPORT_SYMBOL_GPL(sram_exec_copy);
diff --git a/drivers/misc/sram.h b/drivers/misc/sram.h
index 52501a84468c..b268cd3f55bb 100644
--- a/drivers/misc/sram.h
+++ b/drivers/misc/sram.h
@@ -36,4 +36,22 @@ struct sram_reserve {
 	bool pool;
 	const char *label;
 };
+
+#ifdef CONFIG_SRAM_EXEC
+int sram_check_protect_exec(struct sram_dev *sram, struct sram_reserve *block,
+			    struct sram_partition *part);
+int sram_add_protect_exec(struct sram_partition *part);
+#else
+static inline int sram_check_protect_exec(struct sram_dev *sram,
+					  struct sram_reserve *block,
+					  struct sram_partition *part)
+{
+	return -ENODEV;
+}
+
+static inline int sram_add_protect_exec(struct sram_partition *part)
+{
+	return -ENODEV;
+}
+#endif /* CONFIG_SRAM_EXEC */
 #endif /* __SRAM_H */
diff --git a/include/linux/sram.h b/include/linux/sram.h
new file mode 100644
index 000000000000..c97dcbe8ce25
--- /dev/null
+++ b/include/linux/sram.h
@@ -0,0 +1,27 @@
+/*
+ * Generic SRAM Driver Interface
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation version 2.
+ *
+ * This program is distributed "as is" WITHOUT ANY WARRANTY of any
+ * kind, whether express or implied; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+#ifndef __LINUX_SRAM_H__
+#define __LINUX_SRAM_H__
+
+struct gen_pool;
+
+#ifdef CONFIG_SRAM_EXEC
+int sram_exec_copy(struct gen_pool *pool, void *dst, void *src, size_t size);
+#else
+static inline int sram_exec_copy(struct gen_pool *pool, void *dst, void *src,
+				 size_t size)
+{
+	return -ENODEV;
+}
+#endif /* CONFIG_SRAM_EXEC */
+#endif /* __LINUX_SRAM_H__ */
-- 
2.11.0

[PATCH 2/3] misc: sram: Introduce support code for protect-exec sram type

[Dave Gerlach]

Some platforms, like many ARM SoCs, require the ability to run code from
on-chip memory like SRAM for tasks like reconfiguring the SDRAM
controller or entering low-power sleep modes. In order to do this we
must be able to allocate memory that the code can be copied to but then
change the mapping to be read-only and executable so that no memory is
both writable and executable at the same time to avoid opening any
unneccesary security holes.

By using the existing "pool" partition type that the SRAM driver allows
we can create a memory space that will already be exposed by the
genalloc framework to allow for allocating memory but we must extend
this to meet the executable requirements. By making use of various
set_memory_* APIs we can change the attributes of pages to make them
writable for code upload but then read-only and executable when we want
to actually run code.  Because SRAM is a shared resource we need a
centralized manager of these set memory calls. Because the SRAM driver
itself is responsible for allocating the memory we can introduce a
sram_copy_exec API for the driver that works like memcpy but also
manages the page attributes and locking to allow multiple users of the
same SRAM space to all copy their code over independent of other each
before starting execution.

It is maintained in a separate file from the core SRAM driver to allow
it to be selectively built depending on whether or not a platform has
the appropriate set_memory_* APIs. A future patch will integrate it with
the core SRAM driver.

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
---
 drivers/misc/sram-exec.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++
 drivers/misc/sram.h      |  18 ++++++++
 include/linux/sram.h     |  27 ++++++++++++
 3 files changed, 150 insertions(+)
 create mode 100644 drivers/misc/sram-exec.c
 create mode 100644 include/linux/sram.h

diff --git a/drivers/misc/sram-exec.c b/drivers/misc/sram-exec.c
new file mode 100644
index 000000000000..ac522417c462
--- /dev/null
+++ b/drivers/misc/sram-exec.c
@@ -0,0 +1,105 @@
+/*
+ * SRAM protect-exec region helper functions
+ *
+ * Copyright (C) 2017 Texas Instruments Incorporated - http://www.ti.com/
+ *	Dave Gerlach
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed "as is" WITHOUT ANY WARRANTY of any
+ * kind, whether express or implied; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include <linux/device.h>
+#include <linux/genalloc.h>
+#include <linux/sram.h>
+
+#include <asm/cacheflush.h>
+
+#include "sram.h"
+
+static DEFINE_MUTEX(exec_pool_list_mutex);
+static LIST_HEAD(exec_pool_list);
+
+int sram_check_protect_exec(struct sram_dev *sram, struct sram_reserve *block,
+			    struct sram_partition *part)
+{
+	unsigned long base = (unsigned long)part->base;
+	unsigned long end = base + block->size;
+
+	if (!PAGE_ALIGNED(base) || !PAGE_ALIGNED(end)) {
+		dev_err(sram->dev,
+			"SRAM pool marked with 'protect-exec' is not page aligned and will not be created.\n");
+		return -ENOMEM;
+	}
+
+	return 0;
+}
+
+int sram_add_protect_exec(struct sram_partition *part)
+{
+	mutex_lock(&exec_pool_list_mutex);
+	list_add_tail(&part->list, &exec_pool_list);
+	mutex_unlock(&exec_pool_list_mutex);
+
+	return 0;
+}
+
+/**
+ * sram_exec_copy - copy data to a protected executable region of sram
+ *
+ * @pool: struct gen_pool retrieved that is part of this sram
+ * @dst: Destination address for the copy, that must be inside pool
+ * @src: Source address for the data to copy
+ * @size: Size of copy to perform, which starting from dst, must reside in pool
+ *
+ * This helper function allows sram driver to act as central control location
+ * of 'protect-exec' pools which are normal sram pools but are always set
+ * read-only and executable except when copying data to them, at which point
+ * they are set to read-write non-executable, to make sure no memory is
+ * writeable and executable at the same time. This region must be page-aligned
+ * and is checked during probe, otherwise page attribute manipulation would
+ * not be possible.
+ */
+int sram_exec_copy(struct gen_pool *pool, void *dst, void *src,
+		   size_t size)
+{
+	struct sram_partition *part = NULL, *p;
+	unsigned long base;
+	int pages;
+
+	mutex_lock(&exec_pool_list_mutex);
+	list_for_each_entry(p, &exec_pool_list, list) {
+		if (p->pool == pool)
+			part = p;
+	}
+	mutex_unlock(&exec_pool_list_mutex);
+
+	if (!part)
+		return -EINVAL;
+
+	if (!addr_in_gen_pool(pool, (unsigned long)dst, size))
+		return -EINVAL;
+
+	base = (unsigned long)part->base;
+	pages = PAGE_ALIGN(size) / PAGE_SIZE;
+
+	mutex_lock(&part->lock);
+
+	set_memory_nx((unsigned long)base, pages);
+	set_memory_rw((unsigned long)base, pages);
+
+	memcpy(dst, src, size);
+
+	set_memory_ro((unsigned long)base, pages);
+	set_memory_x((unsigned long)base, pages);
+
+	mutex_unlock(&part->lock);
+
+	return 0;
+}
+EXPORT_SYMBOL_GPL(sram_exec_copy);
diff --git a/drivers/misc/sram.h b/drivers/misc/sram.h
index 52501a84468c..b268cd3f55bb 100644
--- a/drivers/misc/sram.h
+++ b/drivers/misc/sram.h
@@ -36,4 +36,22 @@ struct sram_reserve {
 	bool pool;
 	const char *label;
 };
+
+#ifdef CONFIG_SRAM_EXEC
+int sram_check_protect_exec(struct sram_dev *sram, struct sram_reserve *block,
+			    struct sram_partition *part);
+int sram_add_protect_exec(struct sram_partition *part);
+#else
+static inline int sram_check_protect_exec(struct sram_dev *sram,
+					  struct sram_reserve *block,
+					  struct sram_partition *part)
+{
+	return -ENODEV;
+}
+
+static inline int sram_add_protect_exec(struct sram_partition *part)
+{
+	return -ENODEV;
+}
+#endif /* CONFIG_SRAM_EXEC */
 #endif /* __SRAM_H */
diff --git a/include/linux/sram.h b/include/linux/sram.h
new file mode 100644
index 000000000000..c97dcbe8ce25
--- /dev/null
+++ b/include/linux/sram.h
@@ -0,0 +1,27 @@
+/*
+ * Generic SRAM Driver Interface
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation version 2.
+ *
+ * This program is distributed "as is" WITHOUT ANY WARRANTY of any
+ * kind, whether express or implied; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+#ifndef __LINUX_SRAM_H__
+#define __LINUX_SRAM_H__
+
+struct gen_pool;
+
+#ifdef CONFIG_SRAM_EXEC
+int sram_exec_copy(struct gen_pool *pool, void *dst, void *src, size_t size);
+#else
+static inline int sram_exec_copy(struct gen_pool *pool, void *dst, void *src,
+				 size_t size)
+{
+	return -ENODEV;
+}
+#endif /* CONFIG_SRAM_EXEC */
+#endif /* __LINUX_SRAM_H__ */
-- 
2.11.0

[PATCH 3/3] misc: sram: Integrate protect-exec reserved sram area type

[Dave Gerlach]

Introduce a new "protect-exec" reserved sram area type which is
makes use of the the existing functionality provided for the "pool"
sram region type for use with the genalloc framework and with the
added requirement that it be maintained as read-only and executable
while allowing for an arbitrary number of drivers to share the space.

This introduces a common way to maintain a region of sram as read-only
and executable and also introduces a helper function, sram_exec_copy,
which allows for copying data to this protected region while maintaining
locking to avoid conflicts between multiple users of the same space. A
region of memory that is marked with the "protect-exec" flag in the
device tree also has the requirement of providing a page aligned block
of memory so that the page attribute manipulation does not affect
surrounding regions.

Also, selectively enable this only for builds that support set_memory_*
calls, for now just ARM, through the use of Kconfig.

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
---
 Documentation/devicetree/bindings/sram/sram.txt |  6 ++++++
 drivers/misc/Kconfig                            |  4 ++++
 drivers/misc/Makefile                           |  1 +
 drivers/misc/sram.c                             | 21 +++++++++++++++++++--
 drivers/misc/sram.h                             |  1 +
 5 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/Documentation/devicetree/bindings/sram/sram.txt b/Documentation/devicetree/bindings/sram/sram.txt
index 068c2c03c38f..267da4410aef 100644
--- a/Documentation/devicetree/bindings/sram/sram.txt
+++ b/Documentation/devicetree/bindings/sram/sram.txt
@@ -42,6 +42,12 @@ Optional properties in the area nodes:
          and in use by another device or devices
 - export : indicates that the reserved SRAM area may be accessed outside
            of the kernel, e.g. by bootloader or userspace
+- protect-exec : Same as 'pool' above but with the additional
+		 constraint that code wil be run from the region and
+		 that the memory is maintained as read-only, executable
+		 during code execution. NOTE: This region must be page
+		 aligned on start and end in order to properly allow
+		 manipulation of the page attributes.
 - label : the name for the reserved partition, if omitted, the label
           is taken from the node name excluding the unit address.
 
diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
index 64971baf11fa..0444a8f9b094 100644
--- a/drivers/misc/Kconfig
+++ b/drivers/misc/Kconfig
@@ -474,11 +474,15 @@ config SRAM
 	bool "Generic on-chip SRAM driver"
 	depends on HAS_IOMEM
 	select GENERIC_ALLOCATOR
+	select SRAM_EXEC if ARM
 	help
 	  This driver allows you to declare a memory region to be managed by
 	  the genalloc API. It is supposed to be used for small on-chip SRAM
 	  areas found on many SoCs.
 
+config SRAM_EXEC
+	bool
+
 config VEXPRESS_SYSCFG
 	bool "Versatile Express System Configuration driver"
 	depends on VEXPRESS_CONFIG
diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
index 31983366090a..7a3ea89339b4 100644
--- a/drivers/misc/Makefile
+++ b/drivers/misc/Makefile
@@ -47,6 +47,7 @@ obj-$(CONFIG_INTEL_MEI)		+= mei/
 obj-$(CONFIG_VMWARE_VMCI)	+= vmw_vmci/
 obj-$(CONFIG_LATTICE_ECP3_CONFIG)	+= lattice-ecp3-config.o
 obj-$(CONFIG_SRAM)		+= sram.o
+obj-$(CONFIG_SRAM_EXEC)		+= sram-exec.o
 obj-y				+= mic/
 obj-$(CONFIG_GENWQE)		+= genwqe/
 obj-$(CONFIG_ECHO)		+= echo/
diff --git a/drivers/misc/sram.c b/drivers/misc/sram.c
index 4ef5affd03d7..15792970edf6 100644
--- a/drivers/misc/sram.c
+++ b/drivers/misc/sram.c
@@ -122,6 +122,18 @@ static int sram_add_partition(struct sram_dev *sram, struct sram_reserve *block,
 		if (ret)
 			return ret;
 	}
+	if (block->protect_exec) {
+		ret = sram_check_protect_exec(sram, block, part);
+		if (ret)
+			return ret;
+
+		ret = sram_add_pool(sram, block, start, part);
+		if (ret)
+			return ret;
+
+		sram_add_protect_exec(part);
+	}
+
 	sram->partitions++;
 
 	return 0;
@@ -207,7 +219,11 @@ static int sram_reserve_regions(struct sram_dev *sram, struct resource *res)
 		if (of_find_property(child, "pool", NULL))
 			block->pool = true;
 
-		if ((block->export || block->pool) && block->size) {
+		if (of_find_property(child, "protect-exec", NULL))
+			block->protect_exec = true;
+
+		if ((block->export || block->pool || block->protect_exec) &&
+		    block->size) {
 			exports++;
 
 			label = NULL;
@@ -267,7 +283,8 @@ static int sram_reserve_regions(struct sram_dev *sram, struct resource *res)
 			goto err_chunks;
 		}
 
-		if ((block->export || block->pool) && block->size) {
+		if ((block->export || block->pool || block->protect_exec) &&
+		    block->size) {
 			ret = sram_add_partition(sram, block,
 						 res->start + block->start);
 			if (ret) {
diff --git a/drivers/misc/sram.h b/drivers/misc/sram.h
index b268cd3f55bb..c181ce4c8fca 100644
--- a/drivers/misc/sram.h
+++ b/drivers/misc/sram.h
@@ -34,6 +34,7 @@ struct sram_reserve {
 	u32 size;
 	bool export;
 	bool pool;
+	bool protect_exec;
 	const char *label;
 };
 
-- 
2.11.0

[PATCH 3/3] misc: sram: Integrate protect-exec reserved sram area type

[Dave Gerlach]

Introduce a new "protect-exec" reserved sram area type which is
makes use of the the existing functionality provided for the "pool"
sram region type for use with the genalloc framework and with the
added requirement that it be maintained as read-only and executable
while allowing for an arbitrary number of drivers to share the space.

This introduces a common way to maintain a region of sram as read-only
and executable and also introduces a helper function, sram_exec_copy,
which allows for copying data to this protected region while maintaining
locking to avoid conflicts between multiple users of the same space. A
region of memory that is marked with the "protect-exec" flag in the
device tree also has the requirement of providing a page aligned block
of memory so that the page attribute manipulation does not affect
surrounding regions.

Also, selectively enable this only for builds that support set_memory_*
calls, for now just ARM, through the use of Kconfig.

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
---
 Documentation/devicetree/bindings/sram/sram.txt |  6 ++++++
 drivers/misc/Kconfig                            |  4 ++++
 drivers/misc/Makefile                           |  1 +
 drivers/misc/sram.c                             | 21 +++++++++++++++++++--
 drivers/misc/sram.h                             |  1 +
 5 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/Documentation/devicetree/bindings/sram/sram.txt b/Documentation/devicetree/bindings/sram/sram.txt
index 068c2c03c38f..267da4410aef 100644
--- a/Documentation/devicetree/bindings/sram/sram.txt
+++ b/Documentation/devicetree/bindings/sram/sram.txt
@@ -42,6 +42,12 @@ Optional properties in the area nodes:
          and in use by another device or devices
 - export : indicates that the reserved SRAM area may be accessed outside
            of the kernel, e.g. by bootloader or userspace
+- protect-exec : Same as 'pool' above but with the additional
+		 constraint that code wil be run from the region and
+		 that the memory is maintained as read-only, executable
+		 during code execution. NOTE: This region must be page
+		 aligned on start and end in order to properly allow
+		 manipulation of the page attributes.
 - label : the name for the reserved partition, if omitted, the label
           is taken from the node name excluding the unit address.
 
diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
index 64971baf11fa..0444a8f9b094 100644
--- a/drivers/misc/Kconfig
+++ b/drivers/misc/Kconfig
@@ -474,11 +474,15 @@ config SRAM
 	bool "Generic on-chip SRAM driver"
 	depends on HAS_IOMEM
 	select GENERIC_ALLOCATOR
+	select SRAM_EXEC if ARM
 	help
 	  This driver allows you to declare a memory region to be managed by
 	  the genalloc API. It is supposed to be used for small on-chip SRAM
 	  areas found on many SoCs.
 
+config SRAM_EXEC
+	bool
+
 config VEXPRESS_SYSCFG
 	bool "Versatile Express System Configuration driver"
 	depends on VEXPRESS_CONFIG
diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
index 31983366090a..7a3ea89339b4 100644
--- a/drivers/misc/Makefile
+++ b/drivers/misc/Makefile
@@ -47,6 +47,7 @@ obj-$(CONFIG_INTEL_MEI)		+= mei/
 obj-$(CONFIG_VMWARE_VMCI)	+= vmw_vmci/
 obj-$(CONFIG_LATTICE_ECP3_CONFIG)	+= lattice-ecp3-config.o
 obj-$(CONFIG_SRAM)		+= sram.o
+obj-$(CONFIG_SRAM_EXEC)		+= sram-exec.o
 obj-y				+= mic/
 obj-$(CONFIG_GENWQE)		+= genwqe/
 obj-$(CONFIG_ECHO)		+= echo/
diff --git a/drivers/misc/sram.c b/drivers/misc/sram.c
index 4ef5affd03d7..15792970edf6 100644
--- a/drivers/misc/sram.c
+++ b/drivers/misc/sram.c
@@ -122,6 +122,18 @@ static int sram_add_partition(struct sram_dev *sram, struct sram_reserve *block,
 		if (ret)
 			return ret;
 	}
+	if (block->protect_exec) {
+		ret = sram_check_protect_exec(sram, block, part);
+		if (ret)
+			return ret;
+
+		ret = sram_add_pool(sram, block, start, part);
+		if (ret)
+			return ret;
+
+		sram_add_protect_exec(part);
+	}
+
 	sram->partitions++;
 
 	return 0;
@@ -207,7 +219,11 @@ static int sram_reserve_regions(struct sram_dev *sram, struct resource *res)
 		if (of_find_property(child, "pool", NULL))
 			block->pool = true;
 
-		if ((block->export || block->pool) && block->size) {
+		if (of_find_property(child, "protect-exec", NULL))
+			block->protect_exec = true;
+
+		if ((block->export || block->pool || block->protect_exec) &&
+		    block->size) {
 			exports++;
 
 			label = NULL;
@@ -267,7 +283,8 @@ static int sram_reserve_regions(struct sram_dev *sram, struct resource *res)
 			goto err_chunks;
 		}
 
-		if ((block->export || block->pool) && block->size) {
+		if ((block->export || block->pool || block->protect_exec) &&
+		    block->size) {
 			ret = sram_add_partition(sram, block,
 						 res->start + block->start);
 			if (ret) {
diff --git a/drivers/misc/sram.h b/drivers/misc/sram.h
index b268cd3f55bb..c181ce4c8fca 100644
--- a/drivers/misc/sram.h
+++ b/drivers/misc/sram.h
@@ -34,6 +34,7 @@ struct sram_reserve {
 	u32 size;
 	bool export;
 	bool pool;
+	bool protect_exec;
 	const char *label;
 };
 
-- 
2.11.0

[PATCH 3/3] misc: sram: Integrate protect-exec reserved sram area type

[Dave Gerlach]

Introduce a new "protect-exec" reserved sram area type which is
makes use of the the existing functionality provided for the "pool"
sram region type for use with the genalloc framework and with the
added requirement that it be maintained as read-only and executable
while allowing for an arbitrary number of drivers to share the space.

This introduces a common way to maintain a region of sram as read-only
and executable and also introduces a helper function, sram_exec_copy,
which allows for copying data to this protected region while maintaining
locking to avoid conflicts between multiple users of the same space. A
region of memory that is marked with the "protect-exec" flag in the
device tree also has the requirement of providing a page aligned block
of memory so that the page attribute manipulation does not affect
surrounding regions.

Also, selectively enable this only for builds that support set_memory_*
calls, for now just ARM, through the use of Kconfig.

Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
---
 Documentation/devicetree/bindings/sram/sram.txt |  6 ++++++
 drivers/misc/Kconfig                            |  4 ++++
 drivers/misc/Makefile                           |  1 +
 drivers/misc/sram.c                             | 21 +++++++++++++++++++--
 drivers/misc/sram.h                             |  1 +
 5 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/Documentation/devicetree/bindings/sram/sram.txt b/Documentation/devicetree/bindings/sram/sram.txt
index 068c2c03c38f..267da4410aef 100644
--- a/Documentation/devicetree/bindings/sram/sram.txt
+++ b/Documentation/devicetree/bindings/sram/sram.txt
@@ -42,6 +42,12 @@ Optional properties in the area nodes:
          and in use by another device or devices
 - export : indicates that the reserved SRAM area may be accessed outside
            of the kernel, e.g. by bootloader or userspace
+- protect-exec : Same as 'pool' above but with the additional
+		 constraint that code wil be run from the region and
+		 that the memory is maintained as read-only, executable
+		 during code execution. NOTE: This region must be page
+		 aligned on start and end in order to properly allow
+		 manipulation of the page attributes.
 - label : the name for the reserved partition, if omitted, the label
           is taken from the node name excluding the unit address.
 
diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
index 64971baf11fa..0444a8f9b094 100644
--- a/drivers/misc/Kconfig
+++ b/drivers/misc/Kconfig
@@ -474,11 +474,15 @@ config SRAM
 	bool "Generic on-chip SRAM driver"
 	depends on HAS_IOMEM
 	select GENERIC_ALLOCATOR
+	select SRAM_EXEC if ARM
 	help
 	  This driver allows you to declare a memory region to be managed by
 	  the genalloc API. It is supposed to be used for small on-chip SRAM
 	  areas found on many SoCs.
 
+config SRAM_EXEC
+	bool
+
 config VEXPRESS_SYSCFG
 	bool "Versatile Express System Configuration driver"
 	depends on VEXPRESS_CONFIG
diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
index 31983366090a..7a3ea89339b4 100644
--- a/drivers/misc/Makefile
+++ b/drivers/misc/Makefile
@@ -47,6 +47,7 @@ obj-$(CONFIG_INTEL_MEI)		+= mei/
 obj-$(CONFIG_VMWARE_VMCI)	+= vmw_vmci/
 obj-$(CONFIG_LATTICE_ECP3_CONFIG)	+= lattice-ecp3-config.o
 obj-$(CONFIG_SRAM)		+= sram.o
+obj-$(CONFIG_SRAM_EXEC)		+= sram-exec.o
 obj-y				+= mic/
 obj-$(CONFIG_GENWQE)		+= genwqe/
 obj-$(CONFIG_ECHO)		+= echo/
diff --git a/drivers/misc/sram.c b/drivers/misc/sram.c
index 4ef5affd03d7..15792970edf6 100644
--- a/drivers/misc/sram.c
+++ b/drivers/misc/sram.c
@@ -122,6 +122,18 @@ static int sram_add_partition(struct sram_dev *sram, struct sram_reserve *block,
 		if (ret)
 			return ret;
 	}
+	if (block->protect_exec) {
+		ret = sram_check_protect_exec(sram, block, part);
+		if (ret)
+			return ret;
+
+		ret = sram_add_pool(sram, block, start, part);
+		if (ret)
+			return ret;
+
+		sram_add_protect_exec(part);
+	}
+
 	sram->partitions++;
 
 	return 0;
@@ -207,7 +219,11 @@ static int sram_reserve_regions(struct sram_dev *sram, struct resource *res)
 		if (of_find_property(child, "pool", NULL))
 			block->pool = true;
 
-		if ((block->export || block->pool) && block->size) {
+		if (of_find_property(child, "protect-exec", NULL))
+			block->protect_exec = true;
+
+		if ((block->export || block->pool || block->protect_exec) &&
+		    block->size) {
 			exports++;
 
 			label = NULL;
@@ -267,7 +283,8 @@ static int sram_reserve_regions(struct sram_dev *sram, struct resource *res)
 			goto err_chunks;
 		}
 
-		if ((block->export || block->pool) && block->size) {
+		if ((block->export || block->pool || block->protect_exec) &&
+		    block->size) {
 			ret = sram_add_partition(sram, block,
 						 res->start + block->start);
 			if (ret) {
diff --git a/drivers/misc/sram.h b/drivers/misc/sram.h
index b268cd3f55bb..c181ce4c8fca 100644
--- a/drivers/misc/sram.h
+++ b/drivers/misc/sram.h
@@ -34,6 +34,7 @@ struct sram_reserve {
 	u32 size;
 	bool export;
 	bool pool;
+	bool protect_exec;
 	const char *label;
 };
 
-- 
2.11.0

Re: [PATCH 0/3] misc: sram: Introduce protect-exec region type

[Tony Lindgren]

* Dave Gerlach <d-gerlach@ti.com> [170112 12:54]:
> Hi,
> There are several instances when one would want to execute out of on-chip
> SRAM, such as PM code on ARM platforms, so once again revisiting this
> series to allow that in a generic manner. Seems that having a solution for
> allowing SRAM to be mapped as executable will help clean up PM code on several
> ARM platforms that are using ARM internal __arm_ioremap_exec API
> and also open the door for PM support on new platforms like TI AM335x and
> AM437x.
> 
> Previously a generic solution was attempted by introducing a memremap
> executable API and then calling this from the generic sram driver here [1].
> Russell King brought up the point that we should not just be mapping
> memory as both writable and executable for security reasons which led to
> the solution proposed in this series. 
> 
> The generic SRAM driver already has a concept of "partitions" which can be
> defined and flagged in the device tree, so this series introduces a new flag,
> protect-exec, which indicates the region of SRAM that has been blocked out in
> the DT is protected and executable. It will share the same capabilities of the
> already present sram "pool" which will allow allocation through the use of the
> genalloc framework but also be protected through the use of an "sram_exec_copy"
> helper function to handle the copying of data to the space and also the page
> attributes. In this context protected means the memory is managed such that
> it is *either* writeable and non-executable or read-only and executable through
> manipulation of the page attributes.
> 
> Unforunately, unlike the previously proposed solution, this is not a drop in
> replacement for __arm_ioremap_exec, A large side effect of allocating
> executable SRAM as this series does is that it will require rework for some
> SRAM code as a lot of the assembly code I have seen makes use of PC relative
> memory locations at the end of the code for local variables. This will no
> longer be possible if we must maintain the read-only executable status of
> the memory. If that's required then SRAM code will need to use pointers to
> a separately allocated region of sram that is just a normal writable pool.
> 
> As mentioned in previous series I still see several platforms (at-91,
> imx6, socfpga, omap3) that could make use of this although some rework may
> be required unlike with the last solution, and it will be needed for the
> forthcoming TI am335x and am437x PM code as portions of PM code are
> moving in to drivers. An example of this in use can be seen at [2] in the 
> drivers/memory/ti-emif-sram.c and drivers/soc/ti/pm33xx.c files.

Looks good to me:

Acked-by: Tony Lindgren <tony@atomide.com>

> [1] http://www.spinics.net/lists/linux-omap/msg132728.html
> [2] https://github.com/dgerlach/linux-pm/tree/upstream/v4.10/sram-exec-copy-pm
> 
> Dave Gerlach (3):
>   misc: sram: Split sram data structures into local header
>   misc: sram: Introduce support code for protect-exec sram type
>   misc: sram: Integrate protect-exec reserved sram area type
> 
>  Documentation/devicetree/bindings/sram/sram.txt |   6 ++
>  drivers/misc/Kconfig                            |   4 +
>  drivers/misc/Makefile                           |   1 +
>  drivers/misc/sram-exec.c                        | 105 ++++++++++++++++++++++++
>  drivers/misc/sram.c                             |  51 +++++-------
>  drivers/misc/sram.h                             |  58 +++++++++++++
>  include/linux/sram.h                            |  27 ++++++
>  7 files changed, 222 insertions(+), 30 deletions(-)
>  create mode 100644 drivers/misc/sram-exec.c
>  create mode 100644 drivers/misc/sram.h
>  create mode 100644 include/linux/sram.h

Re: [PATCH 0/3] misc: sram: Introduce protect-exec region type

[Tony Lindgren]

* Dave Gerlach <d-gerlach@ti.com> [170112 12:54]:
> Hi,
> There are several instances when one would want to execute out of on-chip
> SRAM, such as PM code on ARM platforms, so once again revisiting this
> series to allow that in a generic manner. Seems that having a solution for
> allowing SRAM to be mapped as executable will help clean up PM code on several
> ARM platforms that are using ARM internal __arm_ioremap_exec API
> and also open the door for PM support on new platforms like TI AM335x and
> AM437x.
> 
> Previously a generic solution was attempted by introducing a memremap
> executable API and then calling this from the generic sram driver here [1].
> Russell King brought up the point that we should not just be mapping
> memory as both writable and executable for security reasons which led to
> the solution proposed in this series. 
> 
> The generic SRAM driver already has a concept of "partitions" which can be
> defined and flagged in the device tree, so this series introduces a new flag,
> protect-exec, which indicates the region of SRAM that has been blocked out in
> the DT is protected and executable. It will share the same capabilities of the
> already present sram "pool" which will allow allocation through the use of the
> genalloc framework but also be protected through the use of an "sram_exec_copy"
> helper function to handle the copying of data to the space and also the page
> attributes. In this context protected means the memory is managed such that
> it is *either* writeable and non-executable or read-only and executable through
> manipulation of the page attributes.
> 
> Unforunately, unlike the previously proposed solution, this is not a drop in
> replacement for __arm_ioremap_exec, A large side effect of allocating
> executable SRAM as this series does is that it will require rework for some
> SRAM code as a lot of the assembly code I have seen makes use of PC relative
> memory locations at the end of the code for local variables. This will no
> longer be possible if we must maintain the read-only executable status of
> the memory. If that's required then SRAM code will need to use pointers to
> a separately allocated region of sram that is just a normal writable pool.
> 
> As mentioned in previous series I still see several platforms (at-91,
> imx6, socfpga, omap3) that could make use of this although some rework may
> be required unlike with the last solution, and it will be needed for the
> forthcoming TI am335x and am437x PM code as portions of PM code are
> moving in to drivers. An example of this in use can be seen at [2] in the 
> drivers/memory/ti-emif-sram.c and drivers/soc/ti/pm33xx.c files.

Looks good to me:

Acked-by: Tony Lindgren <tony@atomide.com>

> [1] http://www.spinics.net/lists/linux-omap/msg132728.html
> [2] https://github.com/dgerlach/linux-pm/tree/upstream/v4.10/sram-exec-copy-pm
> 
> Dave Gerlach (3):
>   misc: sram: Split sram data structures into local header
>   misc: sram: Introduce support code for protect-exec sram type
>   misc: sram: Integrate protect-exec reserved sram area type
> 
>  Documentation/devicetree/bindings/sram/sram.txt |   6 ++
>  drivers/misc/Kconfig                            |   4 +
>  drivers/misc/Makefile                           |   1 +
>  drivers/misc/sram-exec.c                        | 105 ++++++++++++++++++++++++
>  drivers/misc/sram.c                             |  51 +++++-------
>  drivers/misc/sram.h                             |  58 +++++++++++++
>  include/linux/sram.h                            |  27 ++++++
>  7 files changed, 222 insertions(+), 30 deletions(-)
>  create mode 100644 drivers/misc/sram-exec.c
>  create mode 100644 drivers/misc/sram.h
>  create mode 100644 include/linux/sram.h

[PATCH 0/3] misc: sram: Introduce protect-exec region type

[Tony Lindgren]

* Dave Gerlach <d-gerlach@ti.com> [170112 12:54]:
> Hi,
> There are several instances when one would want to execute out of on-chip
> SRAM, such as PM code on ARM platforms, so once again revisiting this
> series to allow that in a generic manner. Seems that having a solution for
> allowing SRAM to be mapped as executable will help clean up PM code on several
> ARM platforms that are using ARM internal __arm_ioremap_exec API
> and also open the door for PM support on new platforms like TI AM335x and
> AM437x.
> 
> Previously a generic solution was attempted by introducing a memremap
> executable API and then calling this from the generic sram driver here [1].
> Russell King brought up the point that we should not just be mapping
> memory as both writable and executable for security reasons which led to
> the solution proposed in this series. 
> 
> The generic SRAM driver already has a concept of "partitions" which can be
> defined and flagged in the device tree, so this series introduces a new flag,
> protect-exec, which indicates the region of SRAM that has been blocked out in
> the DT is protected and executable. It will share the same capabilities of the
> already present sram "pool" which will allow allocation through the use of the
> genalloc framework but also be protected through the use of an "sram_exec_copy"
> helper function to handle the copying of data to the space and also the page
> attributes. In this context protected means the memory is managed such that
> it is *either* writeable and non-executable or read-only and executable through
> manipulation of the page attributes.
> 
> Unforunately, unlike the previously proposed solution, this is not a drop in
> replacement for __arm_ioremap_exec, A large side effect of allocating
> executable SRAM as this series does is that it will require rework for some
> SRAM code as a lot of the assembly code I have seen makes use of PC relative
> memory locations at the end of the code for local variables. This will no
> longer be possible if we must maintain the read-only executable status of
> the memory. If that's required then SRAM code will need to use pointers to
> a separately allocated region of sram that is just a normal writable pool.
> 
> As mentioned in previous series I still see several platforms (at-91,
> imx6, socfpga, omap3) that could make use of this although some rework may
> be required unlike with the last solution, and it will be needed for the
> forthcoming TI am335x and am437x PM code as portions of PM code are
> moving in to drivers. An example of this in use can be seen at [2] in the 
> drivers/memory/ti-emif-sram.c and drivers/soc/ti/pm33xx.c files.

Looks good to me:

Acked-by: Tony Lindgren <tony@atomide.com>

> [1] http://www.spinics.net/lists/linux-omap/msg132728.html
> [2] https://github.com/dgerlach/linux-pm/tree/upstream/v4.10/sram-exec-copy-pm
> 
> Dave Gerlach (3):
>   misc: sram: Split sram data structures into local header
>   misc: sram: Introduce support code for protect-exec sram type
>   misc: sram: Integrate protect-exec reserved sram area type
> 
>  Documentation/devicetree/bindings/sram/sram.txt |   6 ++
>  drivers/misc/Kconfig                            |   4 +
>  drivers/misc/Makefile                           |   1 +
>  drivers/misc/sram-exec.c                        | 105 ++++++++++++++++++++++++
>  drivers/misc/sram.c                             |  51 +++++-------
>  drivers/misc/sram.h                             |  58 +++++++++++++
>  include/linux/sram.h                            |  27 ++++++
>  7 files changed, 222 insertions(+), 30 deletions(-)
>  create mode 100644 drivers/misc/sram-exec.c
>  create mode 100644 drivers/misc/sram.h
>  create mode 100644 include/linux/sram.h