Re: [PATCH] coresight: tmc-etr: Don't fail probe when non-secure access is disabled

From: Robin Murphy <robin.murphy@arm.com>
To: Yabin Cui <yabinc@google.com>, Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: Mike Leach <mike.leach@linaro.org>,
	James Clark <james.clark@arm.com>, Leo Yan <leo.yan@linaro.org>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	coresight@lists.linaro.org, linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] coresight: tmc-etr: Don't fail probe when non-secure access is disabled
Date: Thu, 31 Aug 2023 11:05:09 +0100	[thread overview]
Message-ID: <8d2eec52-a47e-f712-51fc-45f2414990e6@arm.com> (raw)
In-Reply-To: <CALJ9ZPODSc0R=B4yJb2QO3f+gmEaBHO7ZZQy3bNRp+jz3rnr9Q@mail.gmail.com>

On 2023-08-30 18:49, Yabin Cui wrote:
> Hi Suzuki,
> 
>> Are you not able to build the coresight drivers as modules and load
>> them after the device has been authenticated and NS access enabled ?
>> Running a trace session without NS access enabled on a normal device
>> would be asking for trouble in the "normal world".
> 
> Theoretically we can load coresight drivers after getting NS access.
> But in practice,
> it makes the userspace work more complex. The process will be as below:
> 1. Use device specific checks to know if we have NS access authorized.
>      Because we can't use the general coresight sysfs interface to read
> authstatus.
> 2. Load coresight driver modules.
> 3. Use ETM/ETR.
> 
> It needs to add device specific checks in Android AOSP code (which we
> don't prefer),
> and add an extra step to load driver modules. It's more complex no matter we do
> it in a daemon or want to use ETM/ETR manually.
> 
> If we can load the coresight drivers at boot time. The process is
> simplified as below:
> 1. Use the coresight sysfs interface to read authstatus. It works on
> all devices.
> 2. If authorized, use ETM/ETR.
> 
> The authorization used on Pixel devices can be granted/revoked while running.
> So not allowing loading coresight drivers doesn't help us. We always need to
> check authstatus each time before using ETM/ETR. And the check can be
> easily added in tools using ETM/ETR.

What, and "needing to connect to a server to verify identification after 
booting" isn't already a complex extra step? You have to do that, and 
you presumably have to trigger some firmware call to toggle DBGEN, so it 
doesn't seem obvious why you couldn't synchronise module loading to a 
point within that process. Heck, it doesn't even need to be a module 
load, you could simply trigger a manual re-probe of a built-in (or 
already-loaded) driver. If you can parse sysfs to find a specific path 
to a device's "authstatus" attribute at the point when you think it 
should be available, I'm sure you can just as easily construct the 
relevant string to write to the relevant "probe" attribute if it is not.

Really the big question here is why should upstream care about 
supporting some private product-specific internal workflow that is 
irrelevant to end users? Especially if doing so makes the end users' 
experience objectively worse, by making the driver look like it should 
work when in reality it won't.

Thanks,
Robin.

> 
> Thanks,
> Yabin
> 
> On Wed, Aug 30, 2023 at 1:52 AM Suzuki K Poulose <suzuki.poulose@arm.com> wrote:
>>
>> Hi Yabin
>>
>> On 29/08/2023 22:16, Yabin Cui wrote:
>>>> How can this be enabled ? Why not enable it before probing the ETR ?
>>> How can a user know if this has been done or not ?
>>>
>>> Pixel devices (like Pixel 6, 7) support enabling some debugging features
>>> (including granting non-secure access to ETM/ETR) even on devices with
>>> secure boot. It is only used internally and has strict requirements,
>>> needing to connect to a server to verify identification after booting.
>>> So it can't be established when probing ETR at device boot time.
>>
>> Are you not able to build the coresight drivers as modules and load
>> them after the device has been authenticated and NS access enabled ?
>> Running a trace session without NS access enabled on a normal device
>> would be asking for trouble in the "normal world".
>>
>> Suzuki
>>
>>>
>>>
>>> On Sun, Aug 27, 2023 at 2:37 PM Suzuki K Poulose <suzuki.poulose@arm.com> wrote:
>>>>
>>>> On 26/08/2023 00:39, Yabin Cui wrote:
>>>>> Because the non-secure access can be enabled later on some devices.
>>>>
>>>> How can this be enabled ? Why not enable it before probing the ETR ?
>>>> How can a user know if this has been done or not ? It is asking for
>>>> trouble to continue without this.
>>>>
>>>> Suzuki
>>>>
>>>>>
>>>>> Signed-off-by: Yabin Cui <yabinc@google.com>
>>>>> ---
>>>>>     drivers/hwtracing/coresight/coresight-tmc-core.c | 2 +-
>>>>>     1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/drivers/hwtracing/coresight/coresight-tmc-core.c b/drivers/hwtracing/coresight/coresight-tmc-core.c
>>>>> index c106d142e632..5ebfd12b627b 100644
>>>>> --- a/drivers/hwtracing/coresight/coresight-tmc-core.c
>>>>> +++ b/drivers/hwtracing/coresight/coresight-tmc-core.c
>>>>> @@ -370,7 +370,7 @@ static int tmc_etr_setup_caps(struct device *parent, u32 devid, void *dev_caps)
>>>>>         struct tmc_drvdata *drvdata = dev_get_drvdata(parent);
>>>>>
>>>>>         if (!tmc_etr_has_non_secure_access(drvdata))
>>>>> -             return -EACCES;
>>>>> +             dev_warn(parent, "TMC ETR doesn't have non-secure access\n");
>>>>>
>>>>>         /* Set the unadvertised capabilities */
>>>>>         tmc_etr_init_caps(drvdata, (u32)(unsigned long)dev_caps);
>>>>
>>
> 
> _______________________________________________
> linux-arm-kernel mailing list
> linux-arm-kernel@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel