[PATCH] MIPS: Add support for partial kernel mode on Xburst CPUs

[PATCH] MIPS: Add support for partial kernel mode on Xburst CPUs

[Paul Cercueil]

Support partial kernel mode of Xburst CPUs found in Ingenic SoCs.
Partial kernel mode means the userspace applications have access to
the TCSM0 banks of the VPU, and can execute cache instructions.

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
---
 arch/mips/Kconfig                | 7 +++++++
 arch/mips/include/asm/mipsregs.h | 1 +
 arch/mips/kernel/cpu-probe.c     | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index ac9ed08a7fff..02831908d676 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -2986,6 +2986,13 @@ config MIPS_O32_FP64_SUPPORT
 
 	  If unsure, say N.
 
+config MIPS_XBURST_PARTIAL_KERNEL_MODE
+	bool "Partial kernel mode for Xburst CPUs" if MACH_INGENIC
+	help
+	  Support partial kernel mode of Xburst CPUs found in Ingenic SoCs.
+	  Partial kernel mode means the userspace applications have access to
+	  the TCSM0 banks of the VPU, and can execute cache instructions.
+
 config USE_OF
 	bool
 	select OF
diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h
index 1e6966e8527e..01e0fcb1d4c2 100644
--- a/arch/mips/include/asm/mipsregs.h
+++ b/arch/mips/include/asm/mipsregs.h
@@ -2813,6 +2813,7 @@ __BUILD_SET_C0(status)
 __BUILD_SET_C0(cause)
 __BUILD_SET_C0(config)
 __BUILD_SET_C0(config5)
+__BUILD_SET_C0(config7)
 __BUILD_SET_C0(intcontrol)
 __BUILD_SET_C0(intctl)
 __BUILD_SET_C0(srsmap)
diff --git a/arch/mips/kernel/cpu-probe.c b/arch/mips/kernel/cpu-probe.c
index a9c82338396a..fd275f37cb7c 100644
--- a/arch/mips/kernel/cpu-probe.c
+++ b/arch/mips/kernel/cpu-probe.c
@@ -1985,6 +1985,10 @@ static inline void cpu_probe_ingenic(struct cpuinfo_mips *c, unsigned int cpu)
 	 */
 	if ((c->processor_id & PRID_COMP_MASK) == PRID_COMP_INGENIC_D0)
 		c->isa_level &= ~MIPS_CPU_ISA_M32R2;
+
+	/* config7 bit 6 controls the "partial kernel mode" */
+	if (IS_ENABLED(CONFIG_MIPS_XBURST_PARTIAL_KERNEL_MODE))
+		set_c0_config7(BIT(6));
 }
 
 static inline void cpu_probe_netlogic(struct cpuinfo_mips *c, int cpu)
-- 
2.21.0.593.g511ec345e18

Re: [PATCH] MIPS: Add support for partial kernel mode on Xburst CPUs

[Paul Burton]

Hi Paul,

On Wed, Jul 24, 2019 at 07:46:54PM -0400, Paul Cercueil wrote:
> Support partial kernel mode of Xburst CPUs found in Ingenic SoCs.
> Partial kernel mode means the userspace applications have access to
> the TCSM0 banks of the VPU,

So far so (reasonably) good :)

> and can execute cache instructions.

Aaaah! Scary!

Does this allow *all* cache instructions? If so that's a big security &
stability hole - if userland can invalidate kernel data or data from
other programs then it can create all sorts of chaos.

Also do you know which Ingenic SoCs this is available on? I see it
documented in the JZ4780 Programming Manual, but Config7 bit 6 is shown
as reserved in my copy of the XBurst1 CPU Core Programming Manual.

I notice the JZ4780 documentation says it allows access "including TCSM,
CACHE instructions" which is scary too since it doesn't say that's *all*
it allows access to. Though just cache instructions by themselves are
enough to be game over for any notion of security as mentioned above.

What is it you want to do with this? I'm wondering if we could achieve
your goal is in a safer way.

Thanks,
    Paul

Re: [PATCH] MIPS: Add support for partial kernel mode on Xburst CPUs

[Paul Cercueil]

Le jeu. 25 juil. 2019 à 12:59, Paul Burton <paul.burton@mips.com> a 
écrit :
> Hi Paul,
> 
> On Wed, Jul 24, 2019 at 07:46:54PM -0400, Paul Cercueil wrote:
>>  Support partial kernel mode of Xburst CPUs found in Ingenic SoCs.
>>  Partial kernel mode means the userspace applications have access to
>>  the TCSM0 banks of the VPU,
> 
> So far so (reasonably) good :)
> 
>>  and can execute cache instructions.
> 
> Aaaah! Scary!
> 
> Does this allow *all* cache instructions? If so that's a big security 
> &
> stability hole - if userland can invalidate kernel data or data from
> other programs then it can create all sorts of chaos.

It looked a bit fishy to me as well, but I couldn't point a finger to
the exact problem. I don't exactly know what it allows and what it
doesn't.

> Also do you know which Ingenic SoCs this is available on? I see it
> documented in the JZ4780 Programming Manual, but Config7 bit 6 is 
> shown
> as reserved in my copy of the XBurst1 CPU Core Programming Manual.

I have no idea. I assume all SoCs with a VPU. I know the JZ4770 has it.

> I notice the JZ4780 documentation says it allows access "including 
> TCSM,
> CACHE instructions" which is scary too since it doesn't say that's 
> *all*
> it allows access to. Though just cache instructions by themselves are
> enough to be game over for any notion of security as mentioned above.
> 
> What is it you want to do with this? I'm wondering if we could achieve
> your goal is in a safer way.

The plan was to be able to communicate with the firmware running on the
VPU without going through expensive context switches all the time.

I guess we could mmap() the TCSM memories, but we'd need to bypass the
data cache (is there a flag for that?).

> Thanks,
>     Paul