From: Arnd Bergmann <arnd@arndb.de>
To: Joel Stanley <joel@jms.id.au>
Cc: Rob Herring <robh+dt@kernel.org>,
Andrew Jeffery <andrew@aj.id.au>, Arnd Bergmann <arnd@arndb.de>,
Ryan Chen <ryan_chen@aspeedtech.com>,
Paul Menzel <pmenzel@molgen.mpg.de>,
devicetree <devicetree@vger.kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
linux-aspeed <linux-aspeed@lists.ozlabs.org>
Subject: Re: [PATCH 3/3] ARM: aspeed: Add secure boot controller support
Date: Mon, 17 Jan 2022 15:51:15 +0100 [thread overview]
Message-ID: <CAK8P3a3MRf0aGt1drkgsuZyBbeoy+S7Ha18SBM01q+3f33oL+Q@mail.gmail.com> (raw)
In-Reply-To: <CACPK8XcSPiOoJZ4jyJySvCiW+EXxSVsxiEcK2eOZjGY9b1vrjA@mail.gmail.com>
On Tue, Jan 11, 2022 at 12:29 AM Joel Stanley <joel@jms.id.au> wrote:
> On Wed, 17 Nov 2021 at 03:51, Joel Stanley <joel@jms.id.au> wrote:
> >
> > This reads out the status of the secure boot controller and exposes it
> > in sysfs.
> >
> > An example on a AST2600A3 QEMU model:
> >
> > # grep . /sys/bus/soc/devices/soc0/*
> > /sys/bus/soc/devices/soc0/abr_image:0
> > /sys/bus/soc/devices/soc0/family:AST2600
> > /sys/bus/soc/devices/soc0/low_security_key:0
> > /sys/bus/soc/devices/soc0/machine:Rainier 2U
> > /sys/bus/soc/devices/soc0/otp_protected:0
> > /sys/bus/soc/devices/soc0/revision:A3
> > /sys/bus/soc/devices/soc0/secure_boot:1
> > /sys/bus/soc/devices/soc0/serial_number:888844441234abcd
> > /sys/bus/soc/devices/soc0/soc_id:05030303
> > /sys/bus/soc/devices/soc0/uart_boot:1
>
> Quoting from your response to my pull request:
>
> > - I actually want to avoid custom attributes on soc device instances as much
> > as possible. I have not looked in detail at what you add here, but the
> > number of custom attributes means we should discuss this properly.
>
> Can you explain the reasoning here?
>
> I am a bit surprised given we have this nice feature in struct
> soc_device_attribute:
>
> struct soc_device_attribute {
> ...
> const struct attribute_group *custom_attr_group;
> };
I have two main concerns:
- any attribute that makes sense across multiple SoC families should probably be
part of the standard set of attributes. Ideally this could fit
within the existing
attributes, but if you can make a reasonable case for adding further
ones, that
is fine as well. The standard attributes can then also be accessed from within
the kernel with soc_device_match(), rather than just being available
to user space.
- The attributes should all be used to identify the SoC, not a
particular part of
the SoC that is better represented as a separate device.
If you are adding five attributes at once, it's likely that these
don't all fit the
constraints, though I had not yet looked at the implementation.
From what I see in
+static ssize_t abr_image_show(struct device *dev, struct
device_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", !!(security_status & ABR_IMAGE_SOURCE));
+}
+
+static ssize_t low_security_key_show(struct device *dev, struct
device_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", !!(security_status & LOW_SEC_KEY));
+}
+
+static ssize_t otp_protected_show(struct device *dev, struct
device_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", !!(security_status & OTP_PROTECTED));
+}
+
+static ssize_t secure_boot_show(struct device *dev, struct
device_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", !!(security_status & SECURE_BOOT));
+}
+
+static ssize_t uart_boot_show(struct device *dev, struct
device_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", !(security_status & UART_BOOT));
+}
it appears that these are related to how the system was started, which doesn't
fit either of the requirements: the same information may be useful for
non-aspeed
systems, so it would be good to have it in a standardized interface rather than
vendor extensions, and it doesn't really identify the SoC but instead provides
information from a device that is inside of the SoC.
Maybe this could be turned into a generalized interface similar to soc_device
that exposes the boot status in sysfs? We have a couple of files that
determine e.g. whether the kernel was booted securely, and those could
all hook up here. It doesn't have to be anything complex, just a node under
/sys/firmware or /sys/power that has a couple of documented attributes
that can be filled by drivers.
Arnd
WARNING: multiple messages have this Message-ID (diff)
From: Arnd Bergmann <arnd@arndb.de>
To: Joel Stanley <joel@jms.id.au>
Cc: Rob Herring <robh+dt@kernel.org>,
Andrew Jeffery <andrew@aj.id.au>, Arnd Bergmann <arnd@arndb.de>,
Ryan Chen <ryan_chen@aspeedtech.com>,
Paul Menzel <pmenzel@molgen.mpg.de>,
devicetree <devicetree@vger.kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
linux-aspeed <linux-aspeed@lists.ozlabs.org>
Subject: Re: [PATCH 3/3] ARM: aspeed: Add secure boot controller support
Date: Mon, 17 Jan 2022 15:51:15 +0100 [thread overview]
Message-ID: <CAK8P3a3MRf0aGt1drkgsuZyBbeoy+S7Ha18SBM01q+3f33oL+Q@mail.gmail.com> (raw)
In-Reply-To: <CACPK8XcSPiOoJZ4jyJySvCiW+EXxSVsxiEcK2eOZjGY9b1vrjA@mail.gmail.com>
On Tue, Jan 11, 2022 at 12:29 AM Joel Stanley <joel@jms.id.au> wrote:
> On Wed, 17 Nov 2021 at 03:51, Joel Stanley <joel@jms.id.au> wrote:
> >
> > This reads out the status of the secure boot controller and exposes it
> > in sysfs.
> >
> > An example on a AST2600A3 QEMU model:
> >
> > # grep . /sys/bus/soc/devices/soc0/*
> > /sys/bus/soc/devices/soc0/abr_image:0
> > /sys/bus/soc/devices/soc0/family:AST2600
> > /sys/bus/soc/devices/soc0/low_security_key:0
> > /sys/bus/soc/devices/soc0/machine:Rainier 2U
> > /sys/bus/soc/devices/soc0/otp_protected:0
> > /sys/bus/soc/devices/soc0/revision:A3
> > /sys/bus/soc/devices/soc0/secure_boot:1
> > /sys/bus/soc/devices/soc0/serial_number:888844441234abcd
> > /sys/bus/soc/devices/soc0/soc_id:05030303
> > /sys/bus/soc/devices/soc0/uart_boot:1
>
> Quoting from your response to my pull request:
>
> > - I actually want to avoid custom attributes on soc device instances as much
> > as possible. I have not looked in detail at what you add here, but the
> > number of custom attributes means we should discuss this properly.
>
> Can you explain the reasoning here?
>
> I am a bit surprised given we have this nice feature in struct
> soc_device_attribute:
>
> struct soc_device_attribute {
> ...
> const struct attribute_group *custom_attr_group;
> };
I have two main concerns:
- any attribute that makes sense across multiple SoC families should probably be
part of the standard set of attributes. Ideally this could fit
within the existing
attributes, but if you can make a reasonable case for adding further
ones, that
is fine as well. The standard attributes can then also be accessed from within
the kernel with soc_device_match(), rather than just being available
to user space.
- The attributes should all be used to identify the SoC, not a
particular part of
the SoC that is better represented as a separate device.
If you are adding five attributes at once, it's likely that these
don't all fit the
constraints, though I had not yet looked at the implementation.
From what I see in
+static ssize_t abr_image_show(struct device *dev, struct
device_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", !!(security_status & ABR_IMAGE_SOURCE));
+}
+
+static ssize_t low_security_key_show(struct device *dev, struct
device_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", !!(security_status & LOW_SEC_KEY));
+}
+
+static ssize_t otp_protected_show(struct device *dev, struct
device_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", !!(security_status & OTP_PROTECTED));
+}
+
+static ssize_t secure_boot_show(struct device *dev, struct
device_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", !!(security_status & SECURE_BOOT));
+}
+
+static ssize_t uart_boot_show(struct device *dev, struct
device_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", !(security_status & UART_BOOT));
+}
it appears that these are related to how the system was started, which doesn't
fit either of the requirements: the same information may be useful for
non-aspeed
systems, so it would be good to have it in a standardized interface rather than
vendor extensions, and it doesn't really identify the SoC but instead provides
information from a device that is inside of the SoC.
Maybe this could be turned into a generalized interface similar to soc_device
that exposes the boot status in sysfs? We have a couple of files that
determine e.g. whether the kernel was booted securely, and those could
all hook up here. It doesn't have to be anything complex, just a node under
/sys/firmware or /sys/power that has a couple of documented attributes
that can be filled by drivers.
Arnd
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-01-17 14:51 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-17 3:51 [PATCH 0/3] ARM: aspeed: Secure Boot Controller support Joel Stanley
2021-11-17 3:51 ` Joel Stanley
2021-11-17 3:51 ` [PATCH 1/3] dt-bindings: aspeed: Add Secure Boot Controller bindings Joel Stanley
2021-11-17 3:51 ` Joel Stanley
2021-11-29 22:41 ` Rob Herring
2021-11-29 22:41 ` Rob Herring
2021-11-17 3:51 ` [PATCH 2/3] ARM: dts: aspeed: Add secure boot controller node Joel Stanley
2021-11-17 3:51 ` Joel Stanley
2021-11-17 3:51 ` [PATCH 3/3] ARM: aspeed: Add secure boot controller support Joel Stanley
2021-11-17 3:51 ` Joel Stanley
2021-11-25 8:38 ` kernel test robot
2021-11-25 8:38 ` kernel test robot
2021-11-25 8:38 ` kernel test robot
2022-01-10 23:29 ` Joel Stanley
2022-01-10 23:29 ` Joel Stanley
2022-01-17 14:51 ` Arnd Bergmann [this message]
2022-01-17 14:51 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAK8P3a3MRf0aGt1drkgsuZyBbeoy+S7Ha18SBM01q+3f33oL+Q@mail.gmail.com \
--to=arnd@arndb.de \
--cc=andrew@aj.id.au \
--cc=devicetree@vger.kernel.org \
--cc=joel@jms.id.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-aspeed@lists.ozlabs.org \
--cc=pmenzel@molgen.mpg.de \
--cc=robh+dt@kernel.org \
--cc=ryan_chen@aspeedtech.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.