All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jens Wiklander <jens.wiklander@linaro.org>
To: Marc Zyngier <maz@kernel.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Linux ARM <linux-arm-kernel@lists.infradead.org>,
	OP-TEE TrustedFirmware <op-tee@lists.trustedfirmware.org>,
	Devicetree List <devicetree@vger.kernel.org>,
	Linux Doc Mailing List <linux-doc@vger.kernel.org>,
	Jerome Forissier <jerome@forissier.org>,
	Etienne Carriere <etienne.carriere@linaro.org>,
	Sumit Garg <sumit.garg@linaro.org>,
	Vincent Guittot <vincent.guittot@linaro.org>,
	Rob Herring <robh+dt@kernel.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Ard Biesheuvel <ardb@kernel.org>
Subject: Re: [PATCH v3 1/6] docs: staging/tee.rst: add a section on OP-TEE notifications
Date: Tue, 27 Jul 2021 09:46:39 +0200	[thread overview]
Message-ID: <CAHUa44EhP5NCH6S27+Af8ePxAup9nJnrwGr_nMRUFumXOTh7uQ@mail.gmail.com> (raw)
In-Reply-To: <87zgud1giz.wl-maz@kernel.org>

On Fri, Jul 23, 2021 at 12:16 PM Marc Zyngier <maz@kernel.org> wrote:
>
> On Fri, 23 Jul 2021 10:44:17 +0100,
> Jens Wiklander <jens.wiklander@linaro.org> wrote:
> >
> > Adds a section on notifications used by OP-TEE, synchronous and
> > asynchronous.
> >
> > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > ---
> >  Documentation/staging/tee.rst | 27 +++++++++++++++++++++++++++
> >  1 file changed, 27 insertions(+)
> >
> > diff --git a/Documentation/staging/tee.rst b/Documentation/staging/tee.rst
> > index 4d4b5f889603..37bdd097336f 100644
> > --- a/Documentation/staging/tee.rst
> > +++ b/Documentation/staging/tee.rst
> > @@ -184,6 +184,33 @@ order to support device enumeration. In other words, OP-TEE driver invokes this
> >  application to retrieve a list of Trusted Applications which can be registered
> >  as devices on the TEE bus.
> >
> > +OP-TEE notifications
> > +--------------------
> > +
> > +There are two kinds of notifications that secure world can use to make
> > +normal world aware of some event.
> > +
> > +1. Synchronous notifications delivered with ``OPTEE_RPC_CMD_NOTIFICATION``
> > +   using the ``OPTEE_RPC_NOTIFICATION_SEND`` parameter.
> > +2. Asynchronous notifications delivered with a combination of a non-secure
> > +   interrupt and a fast call from the non-secure interrupt handler.
> > +
> > +Synchronous notifications are limited by depending on RPC for delivery,
> > +this is only usable when secure world is entered with a yielding call via
> > +``OPTEE_SMC_CALL_WITH_ARG``. This excludes such notifications from secure
> > +world interrupt handlers.
> > +
> > +An asynchronous notification is delivered via a non-secure interrupt to an
> > +interrupt handler registered in the OP-TEE driver. The actual notification
> > +value are retrieved with the fast call ``OPTEE_SMC_GET_ASYNC_NOTIF_VALUE``.
> > +
> > +One notification value ``OPTEE_SMC_ASYNC_NOTIF_VALUE_DO_BOTTOM_HALF`` has a
> > +special meaning. When this value is received it means that normal world is
> > +supposed to make a yielding call ``OPTEE_MSG_CMD_DO_BOTTOM_HALF``. This
> > +call is done from the thread assisting the interrupt handler. This is a
> > +building block for OP-TEE OS in secure world to implement the top half and
> > +bottom half style of device drivers.
> > +
>
> What I find missing here is a description of the trigger for this
> interrupt, and how it influences the way the kernel drivers interacts
> with the secure side:
>
> - if it is edge triggered, this is 'fire and forget'. The interrupt
>   will be consumed by the kernel handler, and whether it eventually
>   calls into the secure side has no impact on the interrupt flow.
>
> - if it is level triggered, then the interrupt may be asserted until
>   the kernel calls into the secure side, which may then drop the line
>   level if no other requests are pending.
>
> These are evidently two very different flows, and you need to pick a
> side. Note that not all interrupt controllers support both signalling
> modes, so you are likely to leave something behind. Or you can try and
> support both flows, but that may make the driver slightly more
> complex.
>
> Either way, this needs specifying, here and in the DT binding.

In the example I'm using a level triggered interrupt which is
triggered by writing to GICD_ISPENDR by secure world. Reading of
GICC_IAR should clear the interrupt, the GICv2 reference manual is
quite clear on that. So, if I understand it correctly, it will for
this purpose work in the same way as an edge triggered interrupt. If
this wouldn't be the case in some configuration and the interrupt must
be cleared by some other action that would be a job for the receiver
of OPTEE_SMC_GET_ASYNC_NOTIF_VALUE, that is, a secure world problem.
The normal world flow should be the same.

Now that we describe the interrupt configuration in device tree it
must use something that mirrors the secure world expectations. I don't
see a point in restricting what's allowed as long it doesn't need code
changes in the kernel too. Does this make any sense?

If I just expand a bit above explaining that the interrupt handler
must call OPTEE_SMC_GET_ASYNC_NOTIF_VALUE as part of clearing the
interrupt even if it might be cleared anyway in some configurations.
Would that make it more clear, good enough even :-) ?

Thanks,
Jens

WARNING: multiple messages have this Message-ID
From: Jens Wiklander <jens.wiklander@linaro.org>
To: Marc Zyngier <maz@kernel.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	 Linux ARM <linux-arm-kernel@lists.infradead.org>,
	 OP-TEE TrustedFirmware <op-tee@lists.trustedfirmware.org>,
	 Devicetree List <devicetree@vger.kernel.org>,
	 Linux Doc Mailing List <linux-doc@vger.kernel.org>,
	Jerome Forissier <jerome@forissier.org>,
	 Etienne Carriere <etienne.carriere@linaro.org>,
	Sumit Garg <sumit.garg@linaro.org>,
	 Vincent Guittot <vincent.guittot@linaro.org>,
	Rob Herring <robh+dt@kernel.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Ard Biesheuvel <ardb@kernel.org>
Subject: Re: [PATCH v3 1/6] docs: staging/tee.rst: add a section on OP-TEE notifications
Date: Tue, 27 Jul 2021 09:46:39 +0200	[thread overview]
Message-ID: <CAHUa44EhP5NCH6S27+Af8ePxAup9nJnrwGr_nMRUFumXOTh7uQ@mail.gmail.com> (raw)
In-Reply-To: <87zgud1giz.wl-maz@kernel.org>

On Fri, Jul 23, 2021 at 12:16 PM Marc Zyngier <maz@kernel.org> wrote:
>
> On Fri, 23 Jul 2021 10:44:17 +0100,
> Jens Wiklander <jens.wiklander@linaro.org> wrote:
> >
> > Adds a section on notifications used by OP-TEE, synchronous and
> > asynchronous.
> >
> > Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
> > ---
> >  Documentation/staging/tee.rst | 27 +++++++++++++++++++++++++++
> >  1 file changed, 27 insertions(+)
> >
> > diff --git a/Documentation/staging/tee.rst b/Documentation/staging/tee.rst
> > index 4d4b5f889603..37bdd097336f 100644
> > --- a/Documentation/staging/tee.rst
> > +++ b/Documentation/staging/tee.rst
> > @@ -184,6 +184,33 @@ order to support device enumeration. In other words, OP-TEE driver invokes this
> >  application to retrieve a list of Trusted Applications which can be registered
> >  as devices on the TEE bus.
> >
> > +OP-TEE notifications
> > +--------------------
> > +
> > +There are two kinds of notifications that secure world can use to make
> > +normal world aware of some event.
> > +
> > +1. Synchronous notifications delivered with ``OPTEE_RPC_CMD_NOTIFICATION``
> > +   using the ``OPTEE_RPC_NOTIFICATION_SEND`` parameter.
> > +2. Asynchronous notifications delivered with a combination of a non-secure
> > +   interrupt and a fast call from the non-secure interrupt handler.
> > +
> > +Synchronous notifications are limited by depending on RPC for delivery,
> > +this is only usable when secure world is entered with a yielding call via
> > +``OPTEE_SMC_CALL_WITH_ARG``. This excludes such notifications from secure
> > +world interrupt handlers.
> > +
> > +An asynchronous notification is delivered via a non-secure interrupt to an
> > +interrupt handler registered in the OP-TEE driver. The actual notification
> > +value are retrieved with the fast call ``OPTEE_SMC_GET_ASYNC_NOTIF_VALUE``.
> > +
> > +One notification value ``OPTEE_SMC_ASYNC_NOTIF_VALUE_DO_BOTTOM_HALF`` has a
> > +special meaning. When this value is received it means that normal world is
> > +supposed to make a yielding call ``OPTEE_MSG_CMD_DO_BOTTOM_HALF``. This
> > +call is done from the thread assisting the interrupt handler. This is a
> > +building block for OP-TEE OS in secure world to implement the top half and
> > +bottom half style of device drivers.
> > +
>
> What I find missing here is a description of the trigger for this
> interrupt, and how it influences the way the kernel drivers interacts
> with the secure side:
>
> - if it is edge triggered, this is 'fire and forget'. The interrupt
>   will be consumed by the kernel handler, and whether it eventually
>   calls into the secure side has no impact on the interrupt flow.
>
> - if it is level triggered, then the interrupt may be asserted until
>   the kernel calls into the secure side, which may then drop the line
>   level if no other requests are pending.
>
> These are evidently two very different flows, and you need to pick a
> side. Note that not all interrupt controllers support both signalling
> modes, so you are likely to leave something behind. Or you can try and
> support both flows, but that may make the driver slightly more
> complex.
>
> Either way, this needs specifying, here and in the DT binding.

In the example I'm using a level triggered interrupt which is
triggered by writing to GICD_ISPENDR by secure world. Reading of
GICC_IAR should clear the interrupt, the GICv2 reference manual is
quite clear on that. So, if I understand it correctly, it will for
this purpose work in the same way as an edge triggered interrupt. If
this wouldn't be the case in some configuration and the interrupt must
be cleared by some other action that would be a job for the receiver
of OPTEE_SMC_GET_ASYNC_NOTIF_VALUE, that is, a secure world problem.
The normal world flow should be the same.

Now that we describe the interrupt configuration in device tree it
must use something that mirrors the secure world expectations. I don't
see a point in restricting what's allowed as long it doesn't need code
changes in the kernel too. Does this make any sense?

If I just expand a bit above explaining that the interrupt handler
must call OPTEE_SMC_GET_ASYNC_NOTIF_VALUE as part of clearing the
interrupt even if it might be cleared anyway in some configurations.
Would that make it more clear, good enough even :-) ?

Thanks,
Jens

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

  reply	other threads:[~2021-07-27  7:46 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-23  9:44 [PATCH v3 0/6] Asynchronous notifications from secure world Jens Wiklander
2021-07-23  9:44 ` Jens Wiklander
2021-07-23  9:44 ` [PATCH v3 1/6] docs: staging/tee.rst: add a section on OP-TEE notifications Jens Wiklander
2021-07-23  9:44   ` Jens Wiklander
2021-07-23 10:16   ` Marc Zyngier
2021-07-23 10:16     ` Marc Zyngier
2021-07-27  7:46     ` Jens Wiklander [this message]
2021-07-27  7:46       ` Jens Wiklander
2021-07-27  8:32       ` Marc Zyngier
2021-07-27  8:32         ` Marc Zyngier
2021-07-27 14:57         ` Jens Wiklander
2021-07-27 14:57           ` Jens Wiklander
2021-08-04 14:39           ` Marc Zyngier
2021-08-04 14:39             ` Marc Zyngier
2021-07-23  9:44 ` [PATCH v3 2/6] dt-bindings: arm: optee: add interrupt property Jens Wiklander
2021-07-23  9:44   ` Jens Wiklander
2021-07-23  9:44 ` [PATCH v3 3/6] tee: fix put order in teedev_close_context() Jens Wiklander
2021-07-23  9:44   ` Jens Wiklander
2021-07-23  9:44 ` [PATCH v3 4/6] tee: add tee_dev_open_helper() primitive Jens Wiklander
2021-07-23  9:44   ` Jens Wiklander
2021-07-23  9:44 ` [PATCH v3 5/6] optee: separate notification functions Jens Wiklander
2021-07-23  9:44   ` Jens Wiklander
2021-07-23  9:44 ` [PATCH v3 6/6] optee: add asynchronous notifications Jens Wiklander
2021-07-23  9:44   ` Jens Wiklander

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHUa44EhP5NCH6S27+Af8ePxAup9nJnrwGr_nMRUFumXOTh7uQ@mail.gmail.com \
    --to=jens.wiklander@linaro.org \
    --cc=ardb@kernel.org \
    --cc=corbet@lwn.net \
    --cc=devicetree@vger.kernel.org \
    --cc=etienne.carriere@linaro.org \
    --cc=jerome@forissier.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maz@kernel.org \
    --cc=op-tee@lists.trustedfirmware.org \
    --cc=robh+dt@kernel.org \
    --cc=sumit.garg@linaro.org \
    --cc=vincent.guittot@linaro.org \
    --subject='Re: [PATCH v3 1/6] docs: staging/tee.rst: add a section on OP-TEE notifications' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.