mbox series

[0/3] STM32 Extended TrustZone Protection driver

Message ID 20180227140926.22996-1-benjamin.gaignard@st.com
Headers show
Series STM32 Extended TrustZone Protection driver | expand

Message

Benjamin Gaignard Feb. 27, 2018, 2:09 p.m. UTC
On early boot stages STM32MP1 platform is able to dedicate some hardware blocks
to a secure OS running in TrustZone.
We need to avoid using those hardware blocks on non-secure context (i.e. kernel)
because read/write access will all be discarded.

Extended TrustZone Protection driver register itself as listener of
BUS_NOTIFY_BIND_DRIVER and check, given the device address, if the hardware block
could be used in a Linux context. If not it returns NOTIFY_BAD to driver core
to stop driver probing.

NOTE: patches 2 and 3 should be applied only on
git://git.kernel.org/pub/scm/linux/kernel/git/atorgue/stm32.git stm32-next
but until this patch: https://lkml.org/lkml/2018/2/26/386
find it way to mailine KBuild will complain about them.

Benjamin Gaignard (3):
  driver core: check notifier_call_chain return value
  dt-bindings: stm32: Add bindings for Extended TrustZone Protection
  ARM: mach-stm32: Add Extended TrustZone Protection driver

 .../bindings/arm/stm32/st,stm32mp1-etzpc.txt       |  13 ++
 arch/arm/mach-stm32/Kconfig                        |   7 +
 arch/arm/mach-stm32/Makefile                       |   1 +
 arch/arm/mach-stm32/stm32-etzpc.c                  | 252 +++++++++++++++++++++
 drivers/base/dd.c                                  |   9 +-
 5 files changed, 279 insertions(+), 3 deletions(-)
 create mode 100644 Documentation/devicetree/bindings/arm/stm32/st,stm32mp1-etzpc.txt
 create mode 100644 arch/arm/mach-stm32/stm32-etzpc.c

-- 
2.15.0

--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Mark Rutland Feb. 27, 2018, 5:11 p.m. UTC | #1
On Tue, Feb 27, 2018 at 03:09:23PM +0100, Benjamin Gaignard wrote:
> On early boot stages STM32MP1 platform is able to dedicate some hardware blocks

> to a secure OS running in TrustZone.

> We need to avoid using those hardware blocks on non-secure context (i.e. kernel)

> because read/write access will all be discarded.

> 

> Extended TrustZone Protection driver register itself as listener of

> BUS_NOTIFY_BIND_DRIVER and check, given the device address, if the hardware block

> could be used in a Linux context. If not it returns NOTIFY_BAD to driver core

> to stop driver probing.


Huh?

If these devices are not usable from the non-secure side, why are they
not removed form the DT (or marked disabled)?

In other cases, where resources are carved out for the secure side (e.g.
DRAM carveouts), that's how we handle things.

Mark.

> 

> NOTE: patches 2 and 3 should be applied only on

> git://git.kernel.org/pub/scm/linux/kernel/git/atorgue/stm32.git stm32-next

> but until this patch: https://lkml.org/lkml/2018/2/26/386

> find it way to mailine KBuild will complain about them.

> 

> Benjamin Gaignard (3):

>   driver core: check notifier_call_chain return value

>   dt-bindings: stm32: Add bindings for Extended TrustZone Protection

>   ARM: mach-stm32: Add Extended TrustZone Protection driver

> 

>  .../bindings/arm/stm32/st,stm32mp1-etzpc.txt       |  13 ++

>  arch/arm/mach-stm32/Kconfig                        |   7 +

>  arch/arm/mach-stm32/Makefile                       |   1 +

>  arch/arm/mach-stm32/stm32-etzpc.c                  | 252 +++++++++++++++++++++

>  drivers/base/dd.c                                  |   9 +-

>  5 files changed, 279 insertions(+), 3 deletions(-)

>  create mode 100644 Documentation/devicetree/bindings/arm/stm32/st,stm32mp1-etzpc.txt

>  create mode 100644 arch/arm/mach-stm32/stm32-etzpc.c

> 

> -- 

> 2.15.0

> 

--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Benjamin Gaignard Feb. 27, 2018, 7:16 p.m. UTC | #2
2018-02-27 18:11 GMT+01:00 Mark Rutland <mark.rutland@arm.com>:
> On Tue, Feb 27, 2018 at 03:09:23PM +0100, Benjamin Gaignard wrote:

>> On early boot stages STM32MP1 platform is able to dedicate some hardware blocks

>> to a secure OS running in TrustZone.

>> We need to avoid using those hardware blocks on non-secure context (i.e. kernel)

>> because read/write access will all be discarded.

>>

>> Extended TrustZone Protection driver register itself as listener of

>> BUS_NOTIFY_BIND_DRIVER and check, given the device address, if the hardware block

>> could be used in a Linux context. If not it returns NOTIFY_BAD to driver core

>> to stop driver probing.

>

> Huh?

>

> If these devices are not usable from the non-secure side, why are they

> not removed form the DT (or marked disabled)?

>

> In other cases, where resources are carved out for the secure side (e.g.

> DRAM carveouts), that's how we handle things.

>


That true you can parse and disable a device a boot time but if DT doesn't
exactly reflect etzpc status bits we will in trouble when try to get access to
the device.
Changing the DT is a software protection while etzpc is an hardware protection
so we need to check it anyway.

Benjamin


> Mark.

>

>>

>> NOTE: patches 2 and 3 should be applied only on

>> git://git.kernel.org/pub/scm/linux/kernel/git/atorgue/stm32.git stm32-next

>> but until this patch: https://lkml.org/lkml/2018/2/26/386

>> find it way to mailine KBuild will complain about them.

>>

>> Benjamin Gaignard (3):

>>   driver core: check notifier_call_chain return value

>>   dt-bindings: stm32: Add bindings for Extended TrustZone Protection

>>   ARM: mach-stm32: Add Extended TrustZone Protection driver

>>

>>  .../bindings/arm/stm32/st,stm32mp1-etzpc.txt       |  13 ++

>>  arch/arm/mach-stm32/Kconfig                        |   7 +

>>  arch/arm/mach-stm32/Makefile                       |   1 +

>>  arch/arm/mach-stm32/stm32-etzpc.c                  | 252 +++++++++++++++++++++

>>  drivers/base/dd.c                                  |   9 +-

>>  5 files changed, 279 insertions(+), 3 deletions(-)

>>  create mode 100644 Documentation/devicetree/bindings/arm/stm32/st,stm32mp1-etzpc.txt

>>  create mode 100644 arch/arm/mach-stm32/stm32-etzpc.c

>>

>> --

>> 2.15.0

>>

--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Robin Murphy Feb. 27, 2018, 7:46 p.m. UTC | #3
On 27/02/18 19:16, Benjamin Gaignard wrote:
> 2018-02-27 18:11 GMT+01:00 Mark Rutland <mark.rutland@arm.com>:

>> On Tue, Feb 27, 2018 at 03:09:23PM +0100, Benjamin Gaignard wrote:

>>> On early boot stages STM32MP1 platform is able to dedicate some hardware blocks

>>> to a secure OS running in TrustZone.

>>> We need to avoid using those hardware blocks on non-secure context (i.e. kernel)

>>> because read/write access will all be discarded.

>>>

>>> Extended TrustZone Protection driver register itself as listener of

>>> BUS_NOTIFY_BIND_DRIVER and check, given the device address, if the hardware block

>>> could be used in a Linux context. If not it returns NOTIFY_BAD to driver core

>>> to stop driver probing.

>>

>> Huh?

>>

>> If these devices are not usable from the non-secure side, why are they

>> not removed form the DT (or marked disabled)?

>>

>> In other cases, where resources are carved out for the secure side (e.g.

>> DRAM carveouts), that's how we handle things.

>>

> 

> That true you can parse and disable a device a boot time but if DT doesn't

> exactly reflect etzpc status bits we will in trouble when try to get access to

> the device.


Well, yes. If the DT doesn't correctly represent the hardware, things 
will probably go wrong; that's hardly a novel concept, and it's 
certainly not unique to this particular SoC.

> Changing the DT is a software protection while etzpc is an hardware protection

> so we need to check it anyway.


There are several in-tree DT and code examples where devices are marked 
as disabled on certain boards/SoC variants/etc. because attempting to 
access them can abort/lock up/trigger a secure watchdog reset/etc. The 
only "special" thing in this particular situation is apparently that 
this device even allows its secure configuration to be probed from the 
non-secure side at all.

Implementing a boardfile so that you can "check" the DT makes very 
little sense to me; Linux is not a firmware validation suite.

Robin.
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Benjamin Gaignard Feb. 28, 2018, 7:53 a.m. UTC | #4
2018-02-27 20:46 GMT+01:00 Robin Murphy <robin.murphy@arm.com>:
> On 27/02/18 19:16, Benjamin Gaignard wrote:

>>

>> 2018-02-27 18:11 GMT+01:00 Mark Rutland <mark.rutland@arm.com>:

>>>

>>> On Tue, Feb 27, 2018 at 03:09:23PM +0100, Benjamin Gaignard wrote:

>>>>

>>>> On early boot stages STM32MP1 platform is able to dedicate some hardware

>>>> blocks

>>>> to a secure OS running in TrustZone.

>>>> We need to avoid using those hardware blocks on non-secure context (i.e.

>>>> kernel)

>>>> because read/write access will all be discarded.

>>>>

>>>> Extended TrustZone Protection driver register itself as listener of

>>>> BUS_NOTIFY_BIND_DRIVER and check, given the device address, if the

>>>> hardware block

>>>> could be used in a Linux context. If not it returns NOTIFY_BAD to driver

>>>> core

>>>> to stop driver probing.

>>>

>>>

>>> Huh?

>>>

>>> If these devices are not usable from the non-secure side, why are they

>>> not removed form the DT (or marked disabled)?

>>>

>>> In other cases, where resources are carved out for the secure side (e.g.

>>> DRAM carveouts), that's how we handle things.

>>>

>>

>> That true you can parse and disable a device a boot time but if DT doesn't

>> exactly reflect etzpc status bits we will in trouble when try to get

>> access to

>> the device.

>

>

> Well, yes. If the DT doesn't correctly represent the hardware, things will

> probably go wrong; that's hardly a novel concept, and it's certainly not

> unique to this particular SoC.

>

>> Changing the DT is a software protection while etzpc is an hardware

>> protection

>> so we need to check it anyway.

>

>

> There are several in-tree DT and code examples where devices are marked as

> disabled on certain boards/SoC variants/etc. because attempting to access

> them can abort/lock up/trigger a secure watchdog reset/etc. The only

> "special" thing in this particular situation is apparently that this device

> even allows its secure configuration to be probed from the non-secure side

> at all.

>

> Implementing a boardfile so that you can "check" the DT makes very little

> sense to me; Linux is not a firmware validation suite.


It is not about to "check" the DT but if Linux could get access to the hardware.
Hardware block assignment to secure or non-secure world could change at runtime
for example I2C block could be manage by secure OS for a trusted
application and when
it have finish "release" the it for Linux. I don't think that could be
done by changing DT.

I think that dhecking hardware blocks status bits before probe them is
also more robust than let
each driver discover at probe time that it hardware isn't responding.

Benjamin

>

> Robin.

--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Robin Murphy Feb. 28, 2018, 6:32 p.m. UTC | #5
On 28/02/18 17:53, Mark Rutland wrote:
[...]
>> It is not about to "check" the DT but if Linux could get access to the

>> hardware.  Hardware block assignment to secure or non-secure world

>> could change at runtime for example I2C block could be manage by

>> secure OS for a trusted application and when it have finish "release"

>> the it for Linux.

> 

> The driver does not do this today. It probe the HW once during early

> boot, then aborts driver probes. It provides no provision for dynamic

> assignment.

> 

> Is this something you plan to implement? How will the secure world

> notify the non-secure world of its intent to manage a device, or

> vice-versa?


Note that this is another thing which in general already happens - 
control of (and correspondingly, hardware access to) things like display 
engines and video decoders can get transferred between Linux (well, 
Android at least) and a trusted OS. You need communication and 
cooperation between the two sides via channels like tee-supplicant to 
make it usable, though, at which point the fact that this ETZPC provides 
non-secure-visible status unlike other TZASCs is rather superfluous - if 
the secure side could just blindly take ownership of the I2C block in 
response to some event, while the Linux I2C driver is in the middle of 
its own transfer, a status bit in a register somewhere else isn't going 
to be much help overall.

>> I don't think that could be done by changing DT.

>>

>> I think that dhecking hardware blocks status bits before probe them is

>> also more robust than let

>> each driver discover at probe time that it hardware isn't responding.

> 

> I don't follow. Robin and I suggest that gets encoded in the DT, which

> is *more* efficient than having each driver probe the DT, begin probing,

> then abort via the notifier.

> 

> This really seems like something that should be done *prior* to entering

> Linux.


Indeed; the DT by nature describes the initial state of the system at 
the point that Linux takes control, and thus it really *should* reflect 
whatever the current ETZPC configuration is. Note what DTSpec actually says:

     "disabled" 	

     Indicates that the device is not presently operational, but it might
     become operational in the future (for example, something is not
     plugged in, or switched off).

     Refer to the device binding for details on what disabled means for a
     given device.

The fact that the current behaviour of our OF platform code doesn't 
really respect that last point and makes it tricky to bring 
initially-unavailable devices to life later is a separate issue.

Robin.
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Greg Kroah-Hartman March 15, 2018, 5:10 p.m. UTC | #6
On Tue, Feb 27, 2018 at 03:09:24PM +0100, Benjamin Gaignard wrote:
> When being notified that a driver is about to be bind a listener

> could return NOTIFY_BAD.

> Check the return to be sure that the driver could be bind.

> 

> Signed-off-by: Benjamin Gaignard <benjamin.gaignard@st.com>

> ---

>  drivers/base/dd.c | 9 ++++++---

>  1 file changed, 6 insertions(+), 3 deletions(-)

> 

> diff --git a/drivers/base/dd.c b/drivers/base/dd.c

> index de6fd092bf2f..9275f2c0fed2 100644

> --- a/drivers/base/dd.c

> +++ b/drivers/base/dd.c

> @@ -304,9 +304,12 @@ static int driver_sysfs_add(struct device *dev)

>  {

>  	int ret;

>  

> -	if (dev->bus)

> -		blocking_notifier_call_chain(&dev->bus->p->bus_notifier,

> -					     BUS_NOTIFY_BIND_DRIVER, dev);

> +	if (dev->bus) {

> +		if (blocking_notifier_call_chain(&dev->bus->p->bus_notifier,

> +						 BUS_NOTIFY_BIND_DRIVER, dev) ==

> +						 NOTIFY_BAD)

> +			return -EINVAL;


checkpatch does not complain about this?

And what is going to break when we enable this, as we have never checked
this before?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html