From: Stephen Boyd <swboyd@chromium.org>
To: Stephan Gerhold <stephan@gerhold.net>,
	Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
Cc: Caleb Connolly <caleb.connolly@linaro.org>,
	Konrad Dybcio <konrad.dybcio@linaro.org>,
	 Bjorn Andersson <andersson@kernel.org>,
	 "linux-arm-msm@vger.kernel.org" <linux-arm-msm@vger.kernel.org>,
	 "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Douglas Anderson <dianders@chromium.org>,
	 Rob Clark <robdclark@gmail.com>, Nikita Travkin <nikita@trvn.ru>
Subject: Re: [PATCH] soc: qcom: cmd-db: map shared memory as WT, not WB
Date: Thu, 11 Apr 2024 01:41:14 -0700
Message-ID: <CAE-0n52CkvS4ir15E-dXamsPuLhEt+_v7d2J3uQqGz3d+xz8Yg@mail.gmail.com>
In-Reply-To: <ZheY-S5VY2AZD7V-@gerhold.net>

Quoting Stephan Gerhold (2024-04-11 01:02:01)
> On Wed, Apr 10, 2024 at 10:12:37PM +0000, Volodymyr Babchuk wrote:
> > Stephan Gerhold <stephan@gerhold.net> writes:
> > > On Wed, Mar 27, 2024 at 11:29:09PM +0000, Caleb Connolly wrote:
> > >> On 27/03/2024 21:06, Konrad Dybcio wrote:
> > >> > On 27.03.2024 10:04 PM, Volodymyr Babchuk wrote:
> > >> >> Konrad Dybcio <konrad.dybcio@linaro.org> writes:
> > >> >>> On 27.03.2024 9:09 PM, Volodymyr Babchuk wrote:
> > >> >>>> It appears that hardware does not like cacheable accesses to this
> > >> >>>> region. Trying to access this shared memory region as Normal Memory
> > >> >>>> leads to secure interrupt which causes an endless loop somewhere in
> > >> >>>> Trust Zone.
> > >> >>>>
> > >> >>>> The only reason it is working right now is because Qualcomm Hypervisor
> > >> >>>> maps the same region as Non-Cacheable memory in Stage 2 translation
> > >> >>>> tables. The issue manifests if we want to use another hypervisor (like
> > >> >>>> Xen or KVM), which does not know anything about those specific
> > >> >>>> mappings. This patch fixes the issue by mapping the shared memory as
> > >> >>>> Write-Through. This removes dependency on correct mappings in Stage 2
> > >> >>>> tables.
> > >> >>>>
> > >> >>>> I tested this on SA8155P with Xen.
> > >> >>>>
> > >> >>>> Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
> > >> >>>> ---
> > >> >>>
> > >> >>> Interesting..
> > >> >>>
> > >> >>> +Doug, Rob have you ever seen this on Chrome? (FYI, Volodymyr, chromebooks
> > >> >>> ship with no qcom hypervisor)

ChromeOS boots the kernel at EL2 on sc7180. But more importantly we
don't enable whichever xPU it is that you're running into.

> > >> >>
> > >> >> Well, maybe I was wrong when I called this thing "hypervisor". All I know
> > >> >> is that it sits in hyp.mbn partition and all it does is set up EL2
> > >> >> before switching to EL1 and running UEFI.
> > >> >>
> > >> >> In my experiments I replaced contents of hyp.mbn with U-Boot, which gave
> > >> >> me access to EL2 and I was able to boot Xen and then Linux as Dom0.
> > >> >
> > >> > Yeah we're talking about the same thing. I was just curious whether
> > >> > the Chrome folks have heard of it, or whether they have any changes/
> > >> > workarounds for it.
> > >>
> > >> Does Linux ever write to this region? Given that the Chromebooks don't
> > >> seem to have issues with this (we have a bunch of them in pmOS and I'd
> > >> be very very surprised if this was an issue there which nobody had tried
> > >> upstreaming before) I'd guess the significant difference here is between
> > >> booting Linux in EL2 (as Chromebooks do?) vs with Xen.
> > >>
> > >
> > > FWIW: This old patch series from Stephen Boyd is closely related:
> > > https://lore.kernel.org/linux-arm-msm/20190910160903.65694-1-swboyd@chromium.org/
> > >
> > >> The main use case I have is to map the command-db memory region on
> > >> Qualcomm devices with a read-only mapping. It's already a const marked
> > >> pointer and the API returns const pointers as well, so this series
> > >> makes sure that even stray writes can't modify the memory.
> > >
> > > Stephen, what was the end result of that patch series? Mapping the
> > > cmd-db read-only sounds cleaner than trying to be lucky with the right
> > > set of cache flags.
> > >
> >
> > I checked the series, but I am afraid that I have no capacity to finish
> > this. Will it be okay to move forward with my patch? I understand that
> > this is not the best solution, but it is simple and it works. If this is
> > fine, I'll send v2 with all comments addressed.
> >
>
> My current understanding is that the important property here is to have
> a non-cacheable mapping, which is the case for both MEMREMAP_WT and
> MEMREMAP_WC, but not MEMREMAP_WB. Unfortunately, the MEMREMAP_RO option
> Stephen introduced is also a cacheable mapping, which still seems to
> trigger the issue in some cases. I'm not sure why a cache writeback
> still happens when the mapping is read-only and nobody writes anything.

Qualcomm knows for certain. It's not a cache writeback per my
recollection. I recall the problem always being that it's a speculative
access to xPU protected memory. If there's a cacheable mapping in the
non-secure page tables then it may be loaded at the bus with the
non-secure bit set (NS). Once the xPU sees that it reboots the system.

It used to be that we could never map secure memory regions in the
kernel. I suspect with EL2 the story changes slightly. The hypervisor is
the one mapping cmd-db at stage2, so any speculative access goes on the
bus as EL2 tagged, and thus "approved" by the xPU. Then if the
hypervisor sees EL1 (secure or non-secure) access cmd-db, it traps and
makes sure it can actually access that address. If not, the hypervisor
"panics" and reboots. Either way, EL1 can have a cacheable mapping and
EL2 can make sure the secrets are safe, while the cache never goes out
to the bus as anything besides EL2.

>
> You can also test it if you want. For a quick test,
>
> -       cmd_db_header = memremap(rmem->base, rmem->size, MEMREMAP_WB);
> +       cmd_db_header = ioremap_prot(rmem->base, rmem->size, _PAGE_KERNEL_RO);
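Review bot: on the `+` line, ioremap_prot() returns a `void __iomem *`, while the memremap() call it replaces returns a plain `void *`, so assigning the result to the same cmd_db_header variable silently drops the __iomem annotation, and any teardown that still calls memunmap() no longer matches the mapping call. That is acceptable for the quick test described here, but a change meant for merging should either pair the mapping with iounmap() and I/O accessors or stay on memremap() with a suitable flag.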
>
> should be (largely) equivalent to MEMREMAP_RO with Stephen's patch
> series. I asked Nikita to test this on SC7180 and it still seems to
> cause the crash.
>
> It seems to work only with a read-only non-cacheable mapping, e.g. with
>
> +       cmd_db_header = ioremap_prot(rmem->base, rmem->size,
>                                      ((PROT_NORMAL_NC & ~PTE_WRITE) | PTE_RDONLY));
>
> The lines I just suggested for testing are highly architecture-specific
> though so not usable for a proper patch. If MEMREMAP_RO does not solve
> the real problem here then the work to make a usable read-only mapping
> would go beyond just finishing Stephen's patch series, since one would
> need to introduce some kind of MEMREMAP_RO_NC flag that creates a
> read-only non-cacheable mapping.
>
> It is definitely easier to just change the driver to use the existing
> MEMREMAP_WC. Given the crash you found, the hardware/firmware seems to
> have a built-in write protection on most platforms anyway. :D
>

How is Xen mapping this protected memory region? It sounds like maybe
that should be mapped differently. Also, how is EL2 accessible on this
device?
