From: Benjamin Gaignard <benjamin.gaignard@linaro.org>
To: Robin Murphy <robin.murphy@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>,
devicetree@vger.kernel.org,
Alexandre Torgue <alexandre.torgue@st.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Rob Herring <robh+dt@kernel.org>,
Maxime Coquelin <mcoquelin.stm32@gmail.com>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Benjamin Gaignard <benjamin.gaignard@st.com>
Subject: Re: [PATCH 0/3] STM32 Extended TrustZone Protection driver
Date: Wed, 28 Feb 2018 08:53:28 +0100 [thread overview]
Message-ID: <CA+M3ks5qR++8Vwwk8=5Oh6DBdT9NF3ysqfjayq4Gze-oke8Ayg@mail.gmail.com> (raw)
In-Reply-To: <11c3ceb2-8b8d-de59-a0be-0777a42f63a7@arm.com>
2018-02-27 20:46 GMT+01:00 Robin Murphy <robin.murphy@arm.com>:
> On 27/02/18 19:16, Benjamin Gaignard wrote:
>>
>> 2018-02-27 18:11 GMT+01:00 Mark Rutland <mark.rutland@arm.com>:
>>>
>>> On Tue, Feb 27, 2018 at 03:09:23PM +0100, Benjamin Gaignard wrote:
>>>>
>>>> On early boot stages STM32MP1 platform is able to dedicate some hardware
>>>> blocks
>>>> to a secure OS running in TrustZone.
>>>> We need to avoid using those hardware blocks on non-secure context (i.e.
>>>> kernel)
>>>> because read/write access will all be discarded.
>>>>
>>>> Extended TrustZone Protection driver register itself as listener of
>>>> BUS_NOTIFY_BIND_DRIVER and check, given the device address, if the
>>>> hardware block
>>>> could be used in a Linux context. If not it returns NOTIFY_BAD to driver
>>>> core
>>>> to stop driver probing.
>>>
>>>
>>> Huh?
>>>
>>> If these devices are not usable from the non-secure side, why are they
>>> not removed form the DT (or marked disabled)?
>>>
>>> In other cases, where resources are carved out for the secure side (e.g.
>>> DRAM carveouts), that's how we handle things.
>>>
>>
>> That true you can parse and disable a device a boot time but if DT doesn't
>> exactly reflect etzpc status bits we will in trouble when try to get
>> access to
>> the device.
>
>
> Well, yes. If the DT doesn't correctly represent the hardware, things will
> probably go wrong; that's hardly a novel concept, and it's certainly not
> unique to this particular SoC.
>
>> Changing the DT is a software protection while etzpc is an hardware
>> protection
>> so we need to check it anyway.
>
>
> There are several in-tree DT and code examples where devices are marked as
> disabled on certain boards/SoC variants/etc. because attempting to access
> them can abort/lock up/trigger a secure watchdog reset/etc. The only
> "special" thing in this particular situation is apparently that this device
> even allows its secure configuration to be probed from the non-secure side
> at all.
>
> Implementing a boardfile so that you can "check" the DT makes very little
> sense to me; Linux is not a firmware validation suite.
It is not about to "check" the DT but if Linux could get access to the hardware.
Hardware block assignment to secure or non-secure world could change at runtime
for example I2C block could be manage by secure OS for a trusted
application and when
it have finish "release" the it for Linux. I don't think that could be
done by changing DT.
I think that dhecking hardware blocks status bits before probe them is
also more robust than let
each driver discover at probe time that it hardware isn't responding.
Benjamin
>
> Robin.
next prev parent reply other threads:[~2018-02-28 7:53 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-27 14:09 [PATCH 0/3] STM32 Extended TrustZone Protection driver Benjamin Gaignard
2018-02-27 14:09 ` [PATCH 1/3] driver core: check notifier_call_chain return value Benjamin Gaignard
2018-03-15 17:10 ` Greg KH
2018-03-16 8:53 ` Benjamin Gaignard
2018-02-27 14:09 ` [PATCH 2/3] dt-bindings: stm32: Add bindings for Extended TrustZone Protection Benjamin Gaignard
2018-02-27 14:09 ` [PATCH 3/3] ARM: mach-stm32: Add Extended TrustZone Protection driver Benjamin Gaignard
2018-02-27 17:14 ` Mark Rutland
2018-02-27 19:23 ` Benjamin Gaignard
2018-02-27 17:11 ` [PATCH 0/3] STM32 " Mark Rutland
2018-02-27 19:16 ` Benjamin Gaignard
2018-02-27 19:46 ` Robin Murphy
2018-02-28 7:53 ` Benjamin Gaignard [this message]
2018-02-28 17:53 ` Mark Rutland
2018-02-28 18:32 ` Robin Murphy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+M3ks5qR++8Vwwk8=5Oh6DBdT9NF3ysqfjayq4Gze-oke8Ayg@mail.gmail.com' \
--to=benjamin.gaignard@linaro.org \
--cc=alexandre.torgue@st.com \
--cc=benjamin.gaignard@st.com \
--cc=devicetree@vger.kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mcoquelin.stm32@gmail.com \
--cc=robh+dt@kernel.org \
--cc=robin.murphy@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).