mbox series

[v8,0/3] Add support for secure regions in NAND

Message ID 20210323073930.89754-1-manivannan.sadhasivam@linaro.org
Headers show
Series Add support for secure regions in NAND | expand

Message

Manivannan Sadhasivam March 23, 2021, 7:39 a.m. UTC
On a typical end product, a vendor may choose to secure some regions in
the NAND memory which are supposed to stay intact between FW upgrades.
The access to those regions will be blocked by a secure element like
Trustzone. So the normal world software like Linux kernel should not
touch these regions (including reading).

So this series adds a property for declaring such secure regions in DT
so that the driver can skip touching them. While at it, the Qcom NANDc
DT binding is also converted to YAML format.

Thanks,
Mani

Changes in v8:

* Reworked the secure region check logic based on input from Boris
* Removed the check where unnecessary in rawnand core.

Changes in v7:

* Made "size" u64 and fixed a warning reported by Kernel test bot

Changes in v6:

* Made use of "size" of the regions for comparision
* Used "secure" instead of "sec"
* Fixed the sizeof parameter in of_get_nand_secure_regions()

Changes in v5:

* Switched to "uint64-matrix" as suggested by Rob
* Moved the whole logic from qcom driver to nand core as suggested by Boris

Changes in v4:

* Used "uint32-matrix" instead of "uint32-array" as per Rob's review.
* Collected Rob's review tag for binding conversion patch

Changes in v3:

* Removed the nand prefix from DT property and moved the property parsing
  logic before nand_scan() in driver.

Changes in v2:

* Moved the secure-regions property to generic NAND binding as a NAND
  chip property and renamed it as "nand-secure-regions".

Manivannan Sadhasivam (3):
  dt-bindings: mtd: Convert Qcom NANDc binding to YAML
  dt-bindings: mtd: Add a property to declare secure regions in NAND
    chips
  mtd: rawnand: Add support for secure regions in NAND memory

 .../bindings/mtd/nand-controller.yaml         |   7 +
 .../devicetree/bindings/mtd/qcom,nandc.yaml   | 196 ++++++++++++++++++
 .../devicetree/bindings/mtd/qcom_nandc.txt    | 142 -------------
 drivers/mtd/nand/raw/nand_base.c              | 105 ++++++++++
 include/linux/mtd/rawnand.h                   |  14 ++
 5 files changed, 322 insertions(+), 142 deletions(-)
 create mode 100644 Documentation/devicetree/bindings/mtd/qcom,nandc.yaml
 delete mode 100644 Documentation/devicetree/bindings/mtd/qcom_nandc.txt

-- 
2.25.1


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

Comments

Miquel Raynal March 23, 2021, 4:57 p.m. UTC | #1
Hi Manivannan,

Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> wrote on Tue,
23 Mar 2021 13:09:30 +0530:

> On a typical end product, a vendor may choose to secure some regions in
> the NAND memory which are supposed to stay intact between FW upgrades.
> The access to those regions will be blocked by a secure element like
> Trustzone. So the normal world software like Linux kernel should not
> touch these regions (including reading).
> 
> The regions are declared using a NAND chip DT property,
> "secure-regions". So let's make use of this property in the raw NAND
> core and skip access to the secure regions present in a system.
> 
> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
> ---
>  drivers/mtd/nand/raw/nand_base.c | 105 +++++++++++++++++++++++++++++++
>  include/linux/mtd/rawnand.h      |  14 +++++
>  2 files changed, 119 insertions(+)
> 
> diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
> index c33fa1b1847f..2a990219f498 100644
> --- a/drivers/mtd/nand/raw/nand_base.c
> +++ b/drivers/mtd/nand/raw/nand_base.c
> @@ -278,11 +278,46 @@ static int nand_block_bad(struct nand_chip *chip, loff_t ofs)
>  	return 0;
>  }
>  
> +/**
> + * nand_check_secure_region() - Check if the region is secured
> + * @chip: NAND chip object
> + * @offset: Offset of the region to check
> + * @size: Size of the region to check
> + *
> + * Checks if the region is secured by comparing the offset and size with the
> + * list of secure regions obtained from DT. Returns -EIO if the region is
> + * secured else 0.
> + */
> +static int nand_check_secure_region(struct nand_chip *chip, loff_t offset, u64 size)

I think I would prefer a boolean return value here, with a rename:

static bool nand_region_is_secured() or
nand_region_is_accessible/reachable/whatever()

then something lik:

	if (nand_region_is_secured())
		return -EIO;

> +{
> +	int i;
> +
> +	/* Skip touching the secure regions if present */
> +	for (i = 0; i < chip->nr_secure_regions; i++) {
> +		const struct nand_secure_region *region = &chip->secure_regions[i];
> +
> +		if (offset + size < region->offset ||
> +		    offset >= region->offset + region->size)

I think as-is the condition does not work.

Let's assume we want to check the region { .offset = 1, size = 1 } and
the region { .offset = 2, size = 1 } is reserved. This is:

		if ((1 + 1 < 2) /* false */ ||
		    (1 >= 2 + 1) /* false */)
			continue;
		return -EIO; /* EIO is returned while the area is valid
		*/

> +			continue;
> +

Perhaps a dev_dbg() entry here would make sense.

> +		return -EIO;
> +	}
> +
> +	return 0;
> +}
> +

[...]

> +static int of_get_nand_secure_regions(struct nand_chip *chip)
> +{
> +	struct device_node *dn = nand_get_flash_node(chip);
> +	struct property *prop;
> +	int length, nr_elem, i, j;
> +
> +	prop = of_find_property(dn, "secure-regions", &length);
> +	if (prop) {

I generally prefer the below logic:

	if (!prop)
		return 0;

Then you earn an indentation level.

> +		nr_elem = length / sizeof(u64);

of_property_count_elems_of_size() ?

> +		chip->nr_secure_regions = nr_elem / 2;
> +
> +		chip->secure_regions = kcalloc(nr_elem, sizeof(*chip->secure_regions), GFP_KERNEL);

IIRC ->secure_regions is a structure with lengths and offset, so you
don't want to allocate nr_elem but nr_secure_regions number of
items here.

> +		if (!chip->secure_regions)
> +			return -ENOMEM;
> +
> +		for (i = 0, j = 0; i < chip->nr_secure_regions; i++, j += 2) {
> +			of_property_read_u64_index(dn, "secure-regions", j,
> +						   &chip->secure_regions[i].offset);
> +			of_property_read_u64_index(dn, "secure-regions", j + 1,
> +						   &chip->secure_regions[i].size);
> +		}
> +	}
> +
> +	return 0;
> +}
> +
>  static int rawnand_dt_init(struct nand_chip *chip)
>  {
>  	struct nand_device *nand = mtd_to_nanddev(nand_to_mtd(chip));
>  	struct device_node *dn = nand_get_flash_node(chip);
> +	int ret;
>  
>  	if (!dn)
>  		return 0;
> @@ -5015,6 +5107,16 @@ static int rawnand_dt_init(struct nand_chip *chip)
>  	of_get_nand_ecc_user_config(nand);
>  	of_get_nand_ecc_legacy_user_config(chip);
>  
> +	/*
> +	 * Look for secure regions in the NAND chip. These regions are supposed
> +	 * to be protected by a secure element like Trustzone. So the read/write
> +	 * accesses to these regions will be blocked in the runtime by this
> +	 * driver.
> +	 */
> +	ret = of_get_nand_secure_regions(chip);
> +	if (!ret)
> +		return ret;

I think we can do this initialization pretty much when we want in the
init process as long as it is done before the BBT parsing logic.

Here, besides the fact the memory will not be freed from
rawnand_dt_init()'s caller if something goes wrong, we are at a point
where nand_cleanup will not be called. nand_cleanup() will only be
called if the controller driver encounters an error *after* a
successful nand_scan().

We could perhaps move this call to nand_scan() which would simply solve
the situation. We don't need it in rawnand_dt_init() as this won't be
rawnand specific anyway...

> +
>  	/*
>  	 * If neither the user nor the NAND controller have
> requested a specific
>  	 * ECC engine type, we will default to
> NAND_ECC_ENGINE_TYPE_ON_HOST. @@ -6068,6 +6170,9 @@ void
> nand_cleanup(struct nand_chip *chip) /* Free manufacturer priv data.
> */ nand_manufacturer_cleanup(chip);
>  
> +	/* Free secure regions data */
> +	kfree(chip->secure_regions);
> +
>  	/* Free controller specific allocations after chip
> identification */ nand_detach(chip);
>  
> diff --git a/include/linux/mtd/rawnand.h b/include/linux/mtd/rawnand.h
> index 6b3240e44310..17ddc900a1dc 100644
> --- a/include/linux/mtd/rawnand.h
> +++ b/include/linux/mtd/rawnand.h
> @@ -1036,6 +1036,16 @@ struct nand_manufacturer {
>  	void *priv;
>  };
>  
> +/**
> + * struct nand_secure_region - NAND secure region structure
> + * @offset: Offset of the start of the secure region
> + * @size: Size of the secure region
> + */
> +struct nand_secure_region {
> +	u64 offset;
> +	u64 size;
> +};
> +
>  /**
>   * struct nand_chip - NAND Private Flash Chip Data
>   * @base: Inherit from the generic NAND device
> @@ -1086,6 +1096,8 @@ struct nand_manufacturer {
>   *          NAND Controller drivers should not modify this value,
> but they're
>   *          allowed to read it.
>   * @read_retries: The number of read retry modes supported
> + * @secure_regions: Structure containing the secure regions info
> + * @nr_secure_regions: Number of secure regions
>   * @controller: The hardware controller	structure which is
> shared among multiple
>   *              independent devices
>   * @ecc: The ECC controller structure
> @@ -1135,6 +1147,8 @@ struct nand_chip {
>  	unsigned int suspended : 1;
>  	int cur_cs;
>  	int read_retries;
> +	struct nand_secure_region *secure_regions;
> +	u8 nr_secure_regions;
>  
>  	/* Externals */
>  	struct nand_controller *controller;

Thanks,
Miquèl
Rob Herring (Arm) March 23, 2021, 10:29 p.m. UTC | #2
On Tue, 23 Mar 2021 13:09:29 +0530, Manivannan Sadhasivam wrote:
> On a typical end product, a vendor may choose to secure some regions in

> the NAND memory which are supposed to stay intact between FW upgrades.

> The access to those regions will be blocked by a secure element like

> Trustzone. So the normal world software like Linux kernel should not

> touch these regions (including reading).

> 

> So let's add a property for declaring such secure regions so that the

> drivers can skip touching them.

> 

> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

> ---

>  Documentation/devicetree/bindings/mtd/nand-controller.yaml | 7 +++++++

>  1 file changed, 7 insertions(+)

> 


Reviewed-by: Rob Herring <robh@kernel.org>


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
Boris Brezillon April 1, 2021, 3:50 p.m. UTC | #3
On Thu, 1 Apr 2021 15:48:12 +0530
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> wrote:

>  static int nand_isbad_bbm(struct nand_chip *chip, loff_t ofs)

>  {

> +       struct mtd_info *mtd = nand_to_mtd(chip);

> +       int last_page = ((mtd->erasesize - mtd->writesize) >>

> +                        chip->page_shift) & chip->pagemask;

>         int ret;

>  

>         if (chip->options & NAND_NO_BBM_QUIRK)

>                 return 0;

>  

>         /* Check if the region is secured */

> -       ret = nand_check_secure_region(chip, ofs, 0);

> +       ret = nand_check_secure_region(chip, ofs, last_page);


or just:

	ret = nand_check_secure_region(chip, ofs, mtd->erasesize);


>         if (ret)

>                 return ret;

> 

> > 		*/

> > 


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/