Message ID | 20200128153806.7780-1-benjamin.gaignard@st.com |
---|---|
Headers | show |
Series | Introduce bus firewall controller framework | expand |
On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote: > The goal of this framework is to offer an interface for the > hardware blocks controlling bus accesses rights. > > Bus firewall controllers are typically used to control if a > hardware block can perform read or write operations on bus. So put this in the bus-specific code that controls the bus that these devices live on. Why put it in the driver core when this is only on one "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)? And really, this should just be a totally new bus type, right? And any devices on this bus should be changed to be on this new bus, and the drivers changed to support them, instead of trying to overload the platform bus with more stuff. thanks, greg k-h
On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: > Bus firewall framework aims to provide a kernel API to set the configuration > of the harware blocks in charge of busses access control. > > Framework architecture is inspirated by pinctrl framework: > - a default configuration could be applied before bind the driver. > If a configuration could not be applied the driver is not bind > to avoid doing accesses on prohibited regions. > - configurations could be apllied dynamically by drivers. > - device node provides the bus firewall configurations. > > An example of bus firewall controller is STM32 ETZPC hardware block > which got 3 possible configurations: > - trust: hardware blocks are only accessible by software running on trust > zone (i.e op-tee firmware). > - non-secure: hardware blocks are accessible by non-secure software (i.e. > linux kernel). > - coprocessor: hardware blocks are only accessible by the coprocessor. > Up to 94 hardware blocks of the soc could be managed by ETZPC. > /me confused. Is ETZPC accessible from the non-secure kernel space to begin with ? If so, is it allowed to configure hardware blocks as secure or trusted ? I am failing to understand the overall design of a system with ETZPC controller. > At least two other hardware blocks can take benefits of this: > - ARM TZC-400: http://infocenter.arm.com/help/topic/com.arm.doc.100325_0001_02_en/arm_corelink_tzc400_trustzone_address_space_controller_trm_100325_0001_02_en.pdf > which is able to manage up to 8 regions in address space. I strongly have to disagree with the above and NACK any patch trying to do so. AFAIK, no system designed has TZC with non-secure access. So we simply can't access this in the kernel and hence need no driver for the same. Please avoid adding above misleading information in future. -- Regards, Sudeep
On 1/28/20 4:52 PM, Greg KH wrote: > On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote: >> The goal of this framework is to offer an interface for the >> hardware blocks controlling bus accesses rights. >> >> Bus firewall controllers are typically used to control if a >> hardware block can perform read or write operations on bus. > So put this in the bus-specific code that controls the bus that these > devices live on. Why put it in the driver core when this is only on one > "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)? It is really similar to what pin controller does, configuring an hardware block given DT information. I could argue that firewalls are not bus themselves they only interact with it. Bus firewalls exist on other SoC, I hope some others could be added in this framework. ETZPC is only the first. > > And really, this should just be a totally new bus type, right? And any > devices on this bus should be changed to be on this new bus, and the > drivers changed to support them, instead of trying to overload the > platform bus with more stuff. I have tried to use the bus notifier to avoid to add this code at probe time but without success: https://lkml.org/lkml/2018/2/27/300 I have also tried to disable the nodes at runtime and Mark Rutland explain me why it was wrong. Benjamin > > thanks, > > greg k-h
On 1/28/20 5:36 PM, Sudeep Holla wrote: > On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >> Bus firewall framework aims to provide a kernel API to set the configuration >> of the harware blocks in charge of busses access control. >> >> Framework architecture is inspirated by pinctrl framework: >> - a default configuration could be applied before bind the driver. >> If a configuration could not be applied the driver is not bind >> to avoid doing accesses on prohibited regions. >> - configurations could be apllied dynamically by drivers. >> - device node provides the bus firewall configurations. >> >> An example of bus firewall controller is STM32 ETZPC hardware block >> which got 3 possible configurations: >> - trust: hardware blocks are only accessible by software running on trust >> zone (i.e op-tee firmware). >> - non-secure: hardware blocks are accessible by non-secure software (i.e. >> linux kernel). >> - coprocessor: hardware blocks are only accessible by the coprocessor. >> Up to 94 hardware blocks of the soc could be managed by ETZPC. >> > /me confused. Is ETZPC accessible from the non-secure kernel space to > begin with ? If so, is it allowed to configure hardware blocks as secure > or trusted ? I am failing to understand the overall design of a system > with ETZPC controller. Non-secure kernel could read the values set in ETZPC, if it doesn't match with what is required by the device node the driver won't be probed. Benjamin > >> At least two other hardware blocks can take benefits of this: >> - ARM TZC-400: http://infocenter.arm.com/help/topic/com.arm.doc.100325_0001_02_en/arm_corelink_tzc400_trustzone_address_space_controller_trm_100325_0001_02_en.pdf >> which is able to manage up to 8 regions in address space. > I strongly have to disagree with the above and NACK any patch trying > to do so. AFAIK, no system designed has TZC with non-secure access. > So we simply can't access this in the kernel and hence need no driver > for the same. Please avoid adding above misleading information in future. > > -- > Regards, > Sudeep >
On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote: > > On 1/28/20 4:52 PM, Greg KH wrote: > > On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote: > >> The goal of this framework is to offer an interface for the > >> hardware blocks controlling bus accesses rights. > >> > >> Bus firewall controllers are typically used to control if a > >> hardware block can perform read or write operations on bus. > > So put this in the bus-specific code that controls the bus that these > > devices live on. Why put it in the driver core when this is only on one > > "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)? > > It is really similar to what pin controller does, configuring an > hardware block given DT information. Great, then use that instead :) > I could argue that firewalls are not bus themselves they only interact > with it. They live on a bus, and do so in bus-specific ways, right? > Bus firewalls exist on other SoC, I hope some others could be added in > this framework. ETZPC is only the first. Then put it on the bus it lives on, and the bus that the drivers for that device are being controlled with. That sounds like the sane place to do so, right? > > And really, this should just be a totally new bus type, right? And any > > devices on this bus should be changed to be on this new bus, and the > > drivers changed to support them, instead of trying to overload the > > platform bus with more stuff. > > I have tried to use the bus notifier to avoid to add this code at probe > time but without success: > > https://lkml.org/lkml/2018/2/27/300 Almost 2 years ago? I can't remember something written 1 week ago... Yes, don't abuse the notifier chain. I hate that thing as it is. > I have also tried to disable the nodes at runtime and Mark Rutland > explain me why it was wrong. The bus controller should do this, right? Why not just do it there? thanks, greg k-h
On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote: > > On 1/28/20 5:36 PM, Sudeep Holla wrote: > > On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: > >> Bus firewall framework aims to provide a kernel API to set the configuration > >> of the harware blocks in charge of busses access control. > >> > >> Framework architecture is inspirated by pinctrl framework: > >> - a default configuration could be applied before bind the driver. > >> If a configuration could not be applied the driver is not bind > >> to avoid doing accesses on prohibited regions. > >> - configurations could be apllied dynamically by drivers. > >> - device node provides the bus firewall configurations. > >> > >> An example of bus firewall controller is STM32 ETZPC hardware block > >> which got 3 possible configurations: > >> - trust: hardware blocks are only accessible by software running on trust > >> zone (i.e op-tee firmware). > >> - non-secure: hardware blocks are accessible by non-secure software (i.e. > >> linux kernel). > >> - coprocessor: hardware blocks are only accessible by the coprocessor. > >> Up to 94 hardware blocks of the soc could be managed by ETZPC. > >> > > /me confused. Is ETZPC accessible from the non-secure kernel space to > > begin with ? If so, is it allowed to configure hardware blocks as secure > > or trusted ? I am failing to understand the overall design of a system > > with ETZPC controller. > > Non-secure kernel could read the values set in ETZPC, if it doesn't match > with what is required by the device node the driver won't be probed. > OK, but I was under the impression that it was made clear that Linux is not firmware validation suite. The firmware need to ensure all the devices that are not accessible in the Linux kernel are marked as disabled and this needs to happen before entering the kernel. So if this is what this patch series achieves, then there is no need for it. Please stop pursuing this any further or provide any other reasons(if any) to have it. Until you have other reasons, NACK for this series. Note you haven't cc-ed 2 people who has comments earlier[1][2] -- Regards, Sudeep [1] https://lkml.org/lkml/2018/2/27/512 [2] https://lkml.org/lkml/2018/2/27/598
On 1/28/20 6:17 PM, Sudeep Holla wrote: > On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote: >> On 1/28/20 5:36 PM, Sudeep Holla wrote: >>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >>>> Bus firewall framework aims to provide a kernel API to set the configuration >>>> of the harware blocks in charge of busses access control. >>>> >>>> Framework architecture is inspirated by pinctrl framework: >>>> - a default configuration could be applied before bind the driver. >>>> If a configuration could not be applied the driver is not bind >>>> to avoid doing accesses on prohibited regions. >>>> - configurations could be apllied dynamically by drivers. >>>> - device node provides the bus firewall configurations. >>>> >>>> An example of bus firewall controller is STM32 ETZPC hardware block >>>> which got 3 possible configurations: >>>> - trust: hardware blocks are only accessible by software running on trust >>>> zone (i.e op-tee firmware). >>>> - non-secure: hardware blocks are accessible by non-secure software (i.e. >>>> linux kernel). >>>> - coprocessor: hardware blocks are only accessible by the coprocessor. >>>> Up to 94 hardware blocks of the soc could be managed by ETZPC. >>>> >>> /me confused. Is ETZPC accessible from the non-secure kernel space to >>> begin with ? If so, is it allowed to configure hardware blocks as secure >>> or trusted ? I am failing to understand the overall design of a system >>> with ETZPC controller. >> Non-secure kernel could read the values set in ETZPC, if it doesn't match >> with what is required by the device node the driver won't be probed. >> > OK, but I was under the impression that it was made clear that Linux is > not firmware validation suite. The firmware need to ensure all the devices > that are not accessible in the Linux kernel are marked as disabled and > this needs to happen before entering the kernel. So if this is what this > patch series achieves, then there is no need for it. Please stop pursuing > this any further or provide any other reasons(if any) to have it. Until > you have other reasons, NACK for this series. No it doesn't disable the nodes. When the firmware disable a node before the kernel that means it change the DTB and that is a problem when you want to sign it. With my proposal the DTB remains the same. > > Note you haven't cc-ed 2 people who has comments earlier[1][2] I will cc them, thanks > -- > Regards, > Sudeep > > [1] https://lkml.org/lkml/2018/2/27/512 > [2] https://lkml.org/lkml/2018/2/27/598
On 1/28/20 5:57 PM, Greg KH wrote: > On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote: >> On 1/28/20 4:52 PM, Greg KH wrote: >>> On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote: >>>> The goal of this framework is to offer an interface for the >>>> hardware blocks controlling bus accesses rights. >>>> >>>> Bus firewall controllers are typically used to control if a >>>> hardware block can perform read or write operations on bus. >>> So put this in the bus-specific code that controls the bus that these >>> devices live on. Why put it in the driver core when this is only on one >>> "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)? >> It is really similar to what pin controller does, configuring an >> hardware block given DT information. > Great, then use that instead :) I think that Linus W. will complain if I do that :) > >> I could argue that firewalls are not bus themselves they only interact >> with it. > They live on a bus, and do so in bus-specific ways, right? > >> Bus firewalls exist on other SoC, I hope some others could be added in >> this framework. ETZPC is only the first. > Then put it on the bus it lives on, and the bus that the drivers for > that device are being controlled with. That sounds like the sane place > to do so, right? If that means that all drivers have to be modified it will be problematic because not all are specifics to the SoC. > >>> And really, this should just be a totally new bus type, right? And any >>> devices on this bus should be changed to be on this new bus, and the >>> drivers changed to support them, instead of trying to overload the >>> platform bus with more stuff. >> I have tried to use the bus notifier to avoid to add this code at probe >> time but without success: >> >> https://lkml.org/lkml/2018/2/27/300 > Almost 2 years ago? I can't remember something written 1 week ago... > > Yes, don't abuse the notifier chain. I hate that thing as it is. > >> I have also tried to disable the nodes at runtime and Mark Rutland >> explain me why it was wrong. > The bus controller should do this, right? Why not just do it there? The bus controller is a different hardware block. > > thanks, > > greg k-h
On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote: > > On 1/28/20 6:17 PM, Sudeep Holla wrote: >> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote: >>> On 1/28/20 5:36 PM, Sudeep Holla wrote: >>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >>>>> Bus firewall framework aims to provide a kernel API to set the configuration >>>>> of the harware blocks in charge of busses access control. >>>>> >>>>> Framework architecture is inspirated by pinctrl framework: >>>>> - a default configuration could be applied before bind the driver. >>>>> If a configuration could not be applied the driver is not bind >>>>> to avoid doing accesses on prohibited regions. >>>>> - configurations could be apllied dynamically by drivers. >>>>> - device node provides the bus firewall configurations. >>>>> >>>>> An example of bus firewall controller is STM32 ETZPC hardware block >>>>> which got 3 possible configurations: >>>>> - trust: hardware blocks are only accessible by software running on trust >>>>> zone (i.e op-tee firmware). >>>>> - non-secure: hardware blocks are accessible by non-secure software (i.e. >>>>> linux kernel). >>>>> - coprocessor: hardware blocks are only accessible by the coprocessor. >>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC. >>>>> >>>> /me confused. Is ETZPC accessible from the non-secure kernel space to >>>> begin with ? If so, is it allowed to configure hardware blocks as secure >>>> or trusted ? I am failing to understand the overall design of a system >>>> with ETZPC controller. >>> Non-secure kernel could read the values set in ETZPC, if it doesn't match >>> with what is required by the device node the driver won't be probed. >>> >> OK, but I was under the impression that it was made clear that Linux is >> not firmware validation suite. The firmware need to ensure all the devices >> that are not accessible in the Linux kernel are marked as disabled and >> this needs to happen before entering the kernel. So if this is what this >> patch series achieves, then there is no need for it. Please stop pursuing >> this any further or provide any other reasons(if any) to have it. Until >> you have other reasons, NACK for this series. > > No it doesn't disable the nodes. > > When the firmware disable a node before the kernel that means it change > > the DTB and that is a problem when you want to sign it. With my proposal > > the DTB remains the same. ??? :/ The DTB is used to pass the kernel command line, memory reservations, random seeds, and all manner of other things dynamically generated by firmware at boot-time. Apologies for being blunt but if "changing the DTB" is considered a problem then I can't help but think you're doing it wrong. Robin.
On Tue, Jan 28, 2020 at 08:29:45PM +0000, Benjamin GAIGNARD wrote: > > On 1/28/20 5:57 PM, Greg KH wrote: > > On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote: > >> On 1/28/20 4:52 PM, Greg KH wrote: > >>> On Tue, Jan 28, 2020 at 04:38:01PM +0100, Benjamin Gaignard wrote: > >>>> The goal of this framework is to offer an interface for the > >>>> hardware blocks controlling bus accesses rights. > >>>> > >>>> Bus firewall controllers are typically used to control if a > >>>> hardware block can perform read or write operations on bus. > >>> So put this in the bus-specific code that controls the bus that these > >>> devices live on. Why put it in the driver core when this is only on one > >>> "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)? > >> It is really similar to what pin controller does, configuring an > >> hardware block given DT information. > > Great, then use that instead :) > I think that Linus W. will complain if I do that :) > > > >> I could argue that firewalls are not bus themselves they only interact > >> with it. > > They live on a bus, and do so in bus-specific ways, right? > > > >> Bus firewalls exist on other SoC, I hope some others could be added in > >> this framework. ETZPC is only the first. > > Then put it on the bus it lives on, and the bus that the drivers for > > that device are being controlled with. That sounds like the sane place > > to do so, right? > > If that means that all drivers have to be modified it will be > problematic because not all > > are specifics to the SoC. That's fine, we have loads of drivers that work on different types of busses. Or, if this really is the "platform bus" then use that. (which is what I was hinting at all along but no one seems to realize that, should have been more obvious...) > >>> And really, this should just be a totally new bus type, right? And any > >>> devices on this bus should be changed to be on this new bus, and the > >>> drivers changed to support them, instead of trying to overload the > >>> platform bus with more stuff. > >> I have tried to use the bus notifier to avoid to add this code at probe > >> time but without success: > >> > >> https://lkml.org/lkml/2018/2/27/300 > > Almost 2 years ago? I can't remember something written 1 week ago... > > > > Yes, don't abuse the notifier chain. I hate that thing as it is. > > > >> I have also tried to disable the nodes at runtime and Mark Rutland > >> explain me why it was wrong. > > The bus controller should do this, right? Why not just do it there? > > The bus controller is a different hardware block. Of course it is, but it controls a bus, and there are devices on that bus, right? Don't circumvent things please. greg k-h
On Tue, Jan 28, 2020 at 9:30 PM Benjamin GAIGNARD <benjamin.gaignard@st.com> wrote: > On 1/28/20 5:57 PM, Greg KH wrote: > > On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote: > >> On 1/28/20 4:52 PM, Greg KH wrote: > >>> So put this in the bus-specific code that controls the bus that these > >>> devices live on. Why put it in the driver core when this is only on one > >>> "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)? > >> It is really similar to what pin controller does, configuring an > >> hardware block given DT information. > > Great, then use that instead :) > I think that Linus W. will complain if I do that :) So the similarity would be something like the way that pin control states are configured in the device tree and the pin control handles are taken before probe in drivers/base/pinctrl.c embedding a hook into dd.c. Not that it in any way controls any hardware even remotely similar to pin control. Pin control is an electronic thing, this firewalling is about bus access. IIUC this framework wants to discover at kernel boot time whether certain devices are accessible to it or not by inspecting the state of the firewalling hardware and then avoid probing those that are inaccessible. It needs the same deep hooks into dd.c to achieve this I believe. Yours, Linus Walleij
On Wed, Jan 29, 2020 at 10:42:39AM +0100, Linus Walleij wrote: > On Tue, Jan 28, 2020 at 9:30 PM Benjamin GAIGNARD > <benjamin.gaignard@st.com> wrote: > > On 1/28/20 5:57 PM, Greg KH wrote: > > > On Tue, Jan 28, 2020 at 04:41:29PM +0000, Benjamin GAIGNARD wrote: > > >> On 1/28/20 4:52 PM, Greg KH wrote: > > > >>> So put this in the bus-specific code that controls the bus that these > > >>> devices live on. Why put it in the driver core when this is only on one > > >>> "bus" (i.e. the catch-all-and-a-bag-of-chips platform bus)? > > > >> It is really similar to what pin controller does, configuring an > > >> hardware block given DT information. > > > > Great, then use that instead :) > > > I think that Linus W. will complain if I do that :) > > So the similarity would be something like the way that pin control > states are configured in the device tree and the pin control > handles are taken before probe in drivers/base/pinctrl.c embedding > a hook into dd.c. > > Not that it in any way controls any hardware even remotely > similar to pin control. Pin control is an electronic thing, > this firewalling is about bus access. > > IIUC this framework wants to discover at kernel boot time > whether certain devices are accessible to it or not by inspecting > the state of the firewalling hardware and then avoid probing > those that are inaccessible. > > It needs the same deep hooks into dd.c to achieve this > I believe. It just needs to be part of the bus logic for the specific bus that this "firewall" is on. Just like we do the same thing for USB or thunderbolt devices. Put this in the bus-specific code please. thanks, greg k-h
On Wed, Jan 29, 2020 at 10:52:40AM +0100, Greg KH wrote: > It just needs to be part of the bus logic for the specific bus that this > "firewall" is on. Just like we do the same thing for USB or thunderbolt > devices. Put this in the bus-specific code please. I'd expect that this is going to affect at least platform and AMBA buses.
On 1/28/20 11:06 PM, Robin Murphy wrote: > On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote: >> >> On 1/28/20 6:17 PM, Sudeep Holla wrote: >>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote: >>>> On 1/28/20 5:36 PM, Sudeep Holla wrote: >>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >>>>>> Bus firewall framework aims to provide a kernel API to set the >>>>>> configuration >>>>>> of the harware blocks in charge of busses access control. >>>>>> >>>>>> Framework architecture is inspirated by pinctrl framework: >>>>>> - a default configuration could be applied before bind the driver. >>>>>> If a configuration could not be applied the driver is not bind >>>>>> to avoid doing accesses on prohibited regions. >>>>>> - configurations could be apllied dynamically by drivers. >>>>>> - device node provides the bus firewall configurations. >>>>>> >>>>>> An example of bus firewall controller is STM32 ETZPC hardware block >>>>>> which got 3 possible configurations: >>>>>> - trust: hardware blocks are only accessible by software running >>>>>> on trust >>>>>> zone (i.e op-tee firmware). >>>>>> - non-secure: hardware blocks are accessible by non-secure >>>>>> software (i.e. >>>>>> linux kernel). >>>>>> - coprocessor: hardware blocks are only accessible by the >>>>>> coprocessor. >>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC. >>>>>> >>>>> /me confused. Is ETZPC accessible from the non-secure kernel space to >>>>> begin with ? If so, is it allowed to configure hardware blocks as >>>>> secure >>>>> or trusted ? I am failing to understand the overall design of a >>>>> system >>>>> with ETZPC controller. >>>> Non-secure kernel could read the values set in ETZPC, if it doesn't >>>> match >>>> with what is required by the device node the driver won't be probed. >>>> >>> OK, but I was under the impression that it was made clear that Linux is >>> not firmware validation suite. The firmware need to ensure all the >>> devices >>> that are not accessible in the Linux kernel are marked as disabled and >>> this needs to happen before entering the kernel. So if this is what >>> this >>> patch series achieves, then there is no need for it. Please stop >>> pursuing >>> this any further or provide any other reasons(if any) to have it. Until >>> you have other reasons, NACK for this series. >> >> No it doesn't disable the nodes. >> >> When the firmware disable a node before the kernel that means it change >> >> the DTB and that is a problem when you want to sign it. With my proposal >> >> the DTB remains the same. > > ??? > > :/ > > The DTB is used to pass the kernel command line, memory reservations, > random seeds, and all manner of other things dynamically generated by > firmware at boot-time. Apologies for being blunt but if "changing the > DTB" is considered a problem then I can't help but think you're doing > it wrong. Yes but I would like to limit the number of cases where a firmware has to change the DTB. With this proposal nodes remain the same and embedded the firewall configuration(s). Until now firewall configuration is "static", the firmware disable (or remove) the nodes not accessible from Linux. If Linux can rely on node's firewall information it could allow switch dynamically an hardware block from Linux to a coprocessor. For example Linux could manage the display pipe configuration and when going to suspend handover the display hardware block to a coprocessor in charge a refreshing only some pixels. Benjamin > > Robin.
On 1/29/20 12:17 PM, Mark Brown wrote: > On Wed, Jan 29, 2020 at 10:52:40AM +0100, Greg KH wrote: > >> It just needs to be part of the bus logic for the specific bus that this >> "firewall" is on. Just like we do the same thing for USB or thunderbolt >> devices. Put this in the bus-specific code please. > I'd expect that this is going to affect at least platform and AMBA > buses. Correct me if I'm wrong but creating a new type of bus would mean that all the drivers living on this bus must be changed to register themselves on this bus ? Or does a solution exist to let them live on the platform bus and call firewalled bus before been probed ? All the impacted drivers could work on the existing bus with or without the firewall so I don't want to break that. Benjamin
On Fri, Jan 31, 2020 at 08:37:27AM +0000, Benjamin GAIGNARD wrote: > > On 1/29/20 12:17 PM, Mark Brown wrote: > > On Wed, Jan 29, 2020 at 10:52:40AM +0100, Greg KH wrote: > > > >> It just needs to be part of the bus logic for the specific bus that this > >> "firewall" is on. Just like we do the same thing for USB or thunderbolt > >> devices. Put this in the bus-specific code please. > > I'd expect that this is going to affect at least platform and AMBA > > buses. > > Correct me if I'm wrong but creating a new type of bus would mean > that all the drivers living on this bus must be changed to register > themselves on this bus ? Yes. > Or does a solution exist to let them live on the platform bus and call > firewalled bus before been probed ? Why do people want to abuse the platform bus so much? If a device is on a bus that can have such a controller, then it is on a real bus, use it! > All the impacted drivers could work on the existing bus with or without > the firewall so I don't want to break break what? > > that. Odd line-break :) Just register the driver on both busses, no big deal. Stop abusing the platform bus code for things that it is not for. thanks, greg k-h
On 29/01/2020 1:40 pm, Benjamin GAIGNARD wrote: > > On 1/28/20 11:06 PM, Robin Murphy wrote: >> On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote: >>> >>> On 1/28/20 6:17 PM, Sudeep Holla wrote: >>>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote: >>>>> On 1/28/20 5:36 PM, Sudeep Holla wrote: >>>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >>>>>>> Bus firewall framework aims to provide a kernel API to set the >>>>>>> configuration >>>>>>> of the harware blocks in charge of busses access control. >>>>>>> >>>>>>> Framework architecture is inspirated by pinctrl framework: >>>>>>> - a default configuration could be applied before bind the driver. >>>>>>> If a configuration could not be applied the driver is not bind >>>>>>> to avoid doing accesses on prohibited regions. >>>>>>> - configurations could be apllied dynamically by drivers. >>>>>>> - device node provides the bus firewall configurations. >>>>>>> >>>>>>> An example of bus firewall controller is STM32 ETZPC hardware block >>>>>>> which got 3 possible configurations: >>>>>>> - trust: hardware blocks are only accessible by software running >>>>>>> on trust >>>>>>> zone (i.e op-tee firmware). >>>>>>> - non-secure: hardware blocks are accessible by non-secure >>>>>>> software (i.e. >>>>>>> linux kernel). >>>>>>> - coprocessor: hardware blocks are only accessible by the >>>>>>> coprocessor. >>>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC. >>>>>>> >>>>>> /me confused. Is ETZPC accessible from the non-secure kernel space to >>>>>> begin with ? If so, is it allowed to configure hardware blocks as >>>>>> secure >>>>>> or trusted ? I am failing to understand the overall design of a >>>>>> system >>>>>> with ETZPC controller. >>>>> Non-secure kernel could read the values set in ETZPC, if it doesn't >>>>> match >>>>> with what is required by the device node the driver won't be probed. >>>>> >>>> OK, but I was under the impression that it was made clear that Linux is >>>> not firmware validation suite. The firmware need to ensure all the >>>> devices >>>> that are not accessible in the Linux kernel are marked as disabled and >>>> this needs to happen before entering the kernel. So if this is what >>>> this >>>> patch series achieves, then there is no need for it. Please stop >>>> pursuing >>>> this any further or provide any other reasons(if any) to have it. Until >>>> you have other reasons, NACK for this series. >>> >>> No it doesn't disable the nodes. >>> >>> When the firmware disable a node before the kernel that means it change >>> >>> the DTB and that is a problem when you want to sign it. With my proposal >>> >>> the DTB remains the same. >> >> ??? >> >> :/ >> >> The DTB is used to pass the kernel command line, memory reservations, >> random seeds, and all manner of other things dynamically generated by >> firmware at boot-time. Apologies for being blunt but if "changing the >> DTB" is considered a problem then I can't help but think you're doing >> it wrong. > > Yes but I would like to limit the number of cases where a firmware has > to change the DTB. Sure, but unless you can limit that number to strictly zero, then presumably the firmware must have the general capability to verify, modify, and re-sign a DTB. At that point having it also tweak the status of nodes that it wants for itself doesn't seem like a particularly big ask. > With this proposal nodes remain the same and embedded the firewall > configuration(s). > > Until now firewall configuration is "static", the firmware disable (or > remove) the nodes not accessible from Linux. > > If Linux can rely on node's firewall information it could allow switch > dynamically an hardware block from Linux to a coprocessor. > > For example Linux could manage the display pipe configuration and when > going to suspend handover the display hardware block to a coprocessor in > charge a refreshing only some pixels. And like I'm sure I said before, the interface between Linux and the Secure environment to ultimately achieve that will almost certainly make inspecting a passive status bit in a register redundant anyway. In the interest of being productive, though, there is another way of looking at this. If we drop the pretence that it's in any way generic or ever going to be relevant beyond certain configurations of certain STMicro SoCs, then in plain terms it's just some block of MMIO registers that have *something* to do with various other devices. At that point, the answer is just to treat it as a syscon and make the relevant drivers for those SoCs aware of it. I'm most familiar with the "General Register File" on Rockchip SoCs as a prime example of "bunch of registers that relate to the integration of various IP blocks", which manages to be supported just fine without invasive hooks in the driver core. Robin.
On 1/28/20 12:06 PM, Benjamin GAIGNARD wrote: > > On 1/28/20 6:17 PM, Sudeep Holla wrote: >> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote: >>> On 1/28/20 5:36 PM, Sudeep Holla wrote: >>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >>>>> Bus firewall framework aims to provide a kernel API to set the configuration >>>>> of the harware blocks in charge of busses access control. >>>>> >>>>> Framework architecture is inspirated by pinctrl framework: >>>>> - a default configuration could be applied before bind the driver. >>>>> If a configuration could not be applied the driver is not bind >>>>> to avoid doing accesses on prohibited regions. >>>>> - configurations could be apllied dynamically by drivers. >>>>> - device node provides the bus firewall configurations. >>>>> >>>>> An example of bus firewall controller is STM32 ETZPC hardware block >>>>> which got 3 possible configurations: >>>>> - trust: hardware blocks are only accessible by software running on trust >>>>> zone (i.e op-tee firmware). >>>>> - non-secure: hardware blocks are accessible by non-secure software (i.e. >>>>> linux kernel). >>>>> - coprocessor: hardware blocks are only accessible by the coprocessor. >>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC. >>>>> >>>> /me confused. Is ETZPC accessible from the non-secure kernel space to >>>> begin with ? If so, is it allowed to configure hardware blocks as secure >>>> or trusted ? I am failing to understand the overall design of a system >>>> with ETZPC controller. >>> Non-secure kernel could read the values set in ETZPC, if it doesn't match >>> with what is required by the device node the driver won't be probed. >>> >> OK, but I was under the impression that it was made clear that Linux is >> not firmware validation suite. The firmware need to ensure all the devices >> that are not accessible in the Linux kernel are marked as disabled and >> this needs to happen before entering the kernel. So if this is what this >> patch series achieves, then there is no need for it. Please stop pursuing >> this any further or provide any other reasons(if any) to have it. Until >> you have other reasons, NACK for this series. > > No it doesn't disable the nodes. > > When the firmware disable a node before the kernel that means it change > > the DTB and that is a problem when you want to sign it. With my proposal > > the DTB remains the same. Could you use an overlay then which is the result of the firewalling results by your firewall block, which is smaller than the main SoC/board DTB and can be easily audited not to accidentally enable blocks, but only disable them by adding/changing the respective "status" property. Worst case, your driver probes, has been firewalled and this is not reflected in the DTB, you get a bus error, or a hang, or however it gets implemented. Like Robin and Sudeep here, I do not understand why the kernel should have any business in this, let alone allowing blocks to change owners, that sounds contrary to the purpose of a firewall being controlled under an untrusted entity (Linux).
On 1/29/20 5:40 AM, Benjamin GAIGNARD wrote: > > On 1/28/20 11:06 PM, Robin Murphy wrote: >> On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote: >>> >>> On 1/28/20 6:17 PM, Sudeep Holla wrote: >>>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote: >>>>> On 1/28/20 5:36 PM, Sudeep Holla wrote: >>>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >>>>>>> Bus firewall framework aims to provide a kernel API to set the >>>>>>> configuration >>>>>>> of the harware blocks in charge of busses access control. >>>>>>> >>>>>>> Framework architecture is inspirated by pinctrl framework: >>>>>>> - a default configuration could be applied before bind the driver. >>>>>>> If a configuration could not be applied the driver is not bind >>>>>>> to avoid doing accesses on prohibited regions. >>>>>>> - configurations could be apllied dynamically by drivers. >>>>>>> - device node provides the bus firewall configurations. >>>>>>> >>>>>>> An example of bus firewall controller is STM32 ETZPC hardware block >>>>>>> which got 3 possible configurations: >>>>>>> - trust: hardware blocks are only accessible by software running >>>>>>> on trust >>>>>>> zone (i.e op-tee firmware). >>>>>>> - non-secure: hardware blocks are accessible by non-secure >>>>>>> software (i.e. >>>>>>> linux kernel). >>>>>>> - coprocessor: hardware blocks are only accessible by the >>>>>>> coprocessor. >>>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC. >>>>>>> >>>>>> /me confused. Is ETZPC accessible from the non-secure kernel space to >>>>>> begin with ? If so, is it allowed to configure hardware blocks as >>>>>> secure >>>>>> or trusted ? I am failing to understand the overall design of a >>>>>> system >>>>>> with ETZPC controller. >>>>> Non-secure kernel could read the values set in ETZPC, if it doesn't >>>>> match >>>>> with what is required by the device node the driver won't be probed. >>>>> >>>> OK, but I was under the impression that it was made clear that Linux is >>>> not firmware validation suite. The firmware need to ensure all the >>>> devices >>>> that are not accessible in the Linux kernel are marked as disabled and >>>> this needs to happen before entering the kernel. So if this is what >>>> this >>>> patch series achieves, then there is no need for it. Please stop >>>> pursuing >>>> this any further or provide any other reasons(if any) to have it. Until >>>> you have other reasons, NACK for this series. >>> >>> No it doesn't disable the nodes. >>> >>> When the firmware disable a node before the kernel that means it change >>> >>> the DTB and that is a problem when you want to sign it. With my proposal >>> >>> the DTB remains the same. >> >> ??? >> >> :/ >> >> The DTB is used to pass the kernel command line, memory reservations, >> random seeds, and all manner of other things dynamically generated by >> firmware at boot-time. Apologies for being blunt but if "changing the >> DTB" is considered a problem then I can't help but think you're doing >> it wrong. > > Yes but I would like to limit the number of cases where a firmware has > to change the DTB. > > With this proposal nodes remain the same and embedded the firewall > configuration(s). > > Until now firewall configuration is "static", the firmware disable (or > remove) the nodes not accessible from Linux. > > If Linux can rely on node's firewall information it could allow switch > dynamically an hardware block from Linux to a coprocessor. > > For example Linux could manage the display pipe configuration and when > going to suspend handover the display hardware block to a coprocessor in > charge a refreshing only some pixels. OK, let's continue that example, would not it make sense then to just steal the peripheral away from Linux by ensuring that Linux is no longer running and the only thing that you need to make sure of is that either you restore the HW in the exact same that you stole it from, or that Linux is capable of refreshing its state against what the HW state was left in? If you have a set of display pipeline drivers, on your way to suspend, you can define a protocol with the co-processor so as to signal an ownership change, and the co-processor can take control from there. In your example, it sounds like the firewall could be meant to detect uncoordinated concurrent accesses to the same HW block between different SW/FW entities. If that is the case, this is most likely a bug and you can probably just get away with doing reporting instead of an entirely new subsystem?
On Fri, Jan 31, 2020 at 12:48:33PM -0800, Florian Fainelli wrote: > Like Robin and Sudeep here, I do not understand why the kernel should > have any business in this, let alone allowing blocks to change owners, > that sounds contrary to the purpose of a firewall being controlled under > an untrusted entity (Linux). Can we rely on there being a more trusted level of software than Linux on a system? It wasn't standard to have anything on 32 bit Arm systems as far as I remember so you could end up with some IP blocks intended to support TrustZone sitting idle.
On 1/31/20 7:25 PM, Robin Murphy wrote: > On 29/01/2020 1:40 pm, Benjamin GAIGNARD wrote: >> >> On 1/28/20 11:06 PM, Robin Murphy wrote: >>> On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote: >>>> >>>> On 1/28/20 6:17 PM, Sudeep Holla wrote: >>>>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote: >>>>>> On 1/28/20 5:36 PM, Sudeep Holla wrote: >>>>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >>>>>>>> Bus firewall framework aims to provide a kernel API to set the >>>>>>>> configuration >>>>>>>> of the harware blocks in charge of busses access control. >>>>>>>> >>>>>>>> Framework architecture is inspirated by pinctrl framework: >>>>>>>> - a default configuration could be applied before bind the driver. >>>>>>>> If a configuration could not be applied the driver is not >>>>>>>> bind >>>>>>>> to avoid doing accesses on prohibited regions. >>>>>>>> - configurations could be apllied dynamically by drivers. >>>>>>>> - device node provides the bus firewall configurations. >>>>>>>> >>>>>>>> An example of bus firewall controller is STM32 ETZPC hardware >>>>>>>> block >>>>>>>> which got 3 possible configurations: >>>>>>>> - trust: hardware blocks are only accessible by software running >>>>>>>> on trust >>>>>>>> zone (i.e op-tee firmware). >>>>>>>> - non-secure: hardware blocks are accessible by non-secure >>>>>>>> software (i.e. >>>>>>>> linux kernel). >>>>>>>> - coprocessor: hardware blocks are only accessible by the >>>>>>>> coprocessor. >>>>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC. >>>>>>>> >>>>>>> /me confused. Is ETZPC accessible from the non-secure kernel >>>>>>> space to >>>>>>> begin with ? If so, is it allowed to configure hardware blocks as >>>>>>> secure >>>>>>> or trusted ? I am failing to understand the overall design of a >>>>>>> system >>>>>>> with ETZPC controller. >>>>>> Non-secure kernel could read the values set in ETZPC, if it doesn't >>>>>> match >>>>>> with what is required by the device node the driver won't be probed. >>>>>> >>>>> OK, but I was under the impression that it was made clear that >>>>> Linux is >>>>> not firmware validation suite. The firmware need to ensure all the >>>>> devices >>>>> that are not accessible in the Linux kernel are marked as disabled >>>>> and >>>>> this needs to happen before entering the kernel. So if this is what >>>>> this >>>>> patch series achieves, then there is no need for it. Please stop >>>>> pursuing >>>>> this any further or provide any other reasons(if any) to have it. >>>>> Until >>>>> you have other reasons, NACK for this series. >>>> >>>> No it doesn't disable the nodes. >>>> >>>> When the firmware disable a node before the kernel that means it >>>> change >>>> >>>> the DTB and that is a problem when you want to sign it. With my >>>> proposal >>>> >>>> the DTB remains the same. >>> >>> ??? >>> >>> :/ >>> >>> The DTB is used to pass the kernel command line, memory reservations, >>> random seeds, and all manner of other things dynamically generated by >>> firmware at boot-time. Apologies for being blunt but if "changing the >>> DTB" is considered a problem then I can't help but think you're doing >>> it wrong. >> >> Yes but I would like to limit the number of cases where a firmware has >> to change the DTB. > > Sure, but unless you can limit that number to strictly zero, then > presumably the firmware must have the general capability to verify, > modify, and re-sign a DTB. At that point having it also tweak the > status of nodes that it wants for itself doesn't seem like a > particularly big ask. > >> With this proposal nodes remain the same and embedded the firewall >> configuration(s). >> >> Until now firewall configuration is "static", the firmware disable (or >> remove) the nodes not accessible from Linux. >> >> If Linux can rely on node's firewall information it could allow switch >> dynamically an hardware block from Linux to a coprocessor. >> >> For example Linux could manage the display pipe configuration and when >> going to suspend handover the display hardware block to a coprocessor in >> charge a refreshing only some pixels. > > And like I'm sure I said before, the interface between Linux and the > Secure environment to ultimately achieve that will almost certainly > make inspecting a passive status bit in a register redundant anyway. It is not only about secure and non secure hardware blocks split but also about the split with the coprocessor. The goal is to describe, in the device tree, these possible configurations to be able to use them dynamically rather than having a static configuration. It could also help to detect misconfiguration between the firewall and the DT nodes. > > In the interest of being productive, though, there is another way of > looking at this. If we drop the pretence that it's in any way generic > or ever going to be relevant beyond certain configurations of certain > STMicro SoCs, then in plain terms it's just some block of MMIO > registers that have *something* to do with various other devices. At > that point, the answer is just to treat it as a syscon and make the > relevant drivers for those SoCs aware of it. I'm most familiar with > the "General Register File" on Rockchip SoCs as a prime example of > "bunch of registers that relate to the integration of various IP > blocks", which manages to be supported just fine without invasive > hooks in the driver core. I had thought to use syscon but there is some problems with that way: if the firewall hardware change the way it encode the information you have change all it customers. That would mean add in each driver a test to detect the firewall version and act accordingly. That doesn't sound reasonable to me so I decide to create an interface to abstract the firewall to avoid this problem. I could reuse this interface in the ~40 impacted drivers (not all dedicated to STMicro SoCs) but adding it in the driver core as a generic service was making more sens for me. Note that I have take care of using a compilation flag to not impact the others architectures. Benjamin > > Robin.
On 1/31/20 9:51 PM, Florian Fainelli wrote: > On 1/29/20 5:40 AM, Benjamin GAIGNARD wrote: >> On 1/28/20 11:06 PM, Robin Murphy wrote: >>> On 2020-01-28 8:06 pm, Benjamin GAIGNARD wrote: >>>> On 1/28/20 6:17 PM, Sudeep Holla wrote: >>>>> On Tue, Jan 28, 2020 at 04:46:41PM +0000, Benjamin GAIGNARD wrote: >>>>>> On 1/28/20 5:36 PM, Sudeep Holla wrote: >>>>>>> On Tue, Jan 28, 2020 at 04:37:59PM +0100, Benjamin Gaignard wrote: >>>>>>>> Bus firewall framework aims to provide a kernel API to set the >>>>>>>> configuration >>>>>>>> of the harware blocks in charge of busses access control. >>>>>>>> >>>>>>>> Framework architecture is inspirated by pinctrl framework: >>>>>>>> - a default configuration could be applied before bind the driver. >>>>>>>> If a configuration could not be applied the driver is not bind >>>>>>>> to avoid doing accesses on prohibited regions. >>>>>>>> - configurations could be apllied dynamically by drivers. >>>>>>>> - device node provides the bus firewall configurations. >>>>>>>> >>>>>>>> An example of bus firewall controller is STM32 ETZPC hardware block >>>>>>>> which got 3 possible configurations: >>>>>>>> - trust: hardware blocks are only accessible by software running >>>>>>>> on trust >>>>>>>> zone (i.e op-tee firmware). >>>>>>>> - non-secure: hardware blocks are accessible by non-secure >>>>>>>> software (i.e. >>>>>>>> linux kernel). >>>>>>>> - coprocessor: hardware blocks are only accessible by the >>>>>>>> coprocessor. >>>>>>>> Up to 94 hardware blocks of the soc could be managed by ETZPC. >>>>>>>> >>>>>>> /me confused. Is ETZPC accessible from the non-secure kernel space to >>>>>>> begin with ? If so, is it allowed to configure hardware blocks as >>>>>>> secure >>>>>>> or trusted ? I am failing to understand the overall design of a >>>>>>> system >>>>>>> with ETZPC controller. >>>>>> Non-secure kernel could read the values set in ETZPC, if it doesn't >>>>>> match >>>>>> with what is required by the device node the driver won't be probed. >>>>>> >>>>> OK, but I was under the impression that it was made clear that Linux is >>>>> not firmware validation suite. The firmware need to ensure all the >>>>> devices >>>>> that are not accessible in the Linux kernel are marked as disabled and >>>>> this needs to happen before entering the kernel. So if this is what >>>>> this >>>>> patch series achieves, then there is no need for it. Please stop >>>>> pursuing >>>>> this any further or provide any other reasons(if any) to have it. Until >>>>> you have other reasons, NACK for this series. >>>> No it doesn't disable the nodes. >>>> >>>> When the firmware disable a node before the kernel that means it change >>>> >>>> the DTB and that is a problem when you want to sign it. With my proposal >>>> >>>> the DTB remains the same. >>> ??? >>> >>> :/ >>> >>> The DTB is used to pass the kernel command line, memory reservations, >>> random seeds, and all manner of other things dynamically generated by >>> firmware at boot-time. Apologies for being blunt but if "changing the >>> DTB" is considered a problem then I can't help but think you're doing >>> it wrong. >> Yes but I would like to limit the number of cases where a firmware has >> to change the DTB. >> >> With this proposal nodes remain the same and embedded the firewall >> configuration(s). >> >> Until now firewall configuration is "static", the firmware disable (or >> remove) the nodes not accessible from Linux. >> >> If Linux can rely on node's firewall information it could allow switch >> dynamically an hardware block from Linux to a coprocessor. >> >> For example Linux could manage the display pipe configuration and when >> going to suspend handover the display hardware block to a coprocessor in >> charge a refreshing only some pixels. > OK, let's continue that example, would not it make sense then to just > steal the peripheral away from Linux by ensuring that Linux is no longer > running and the only thing that you need to make sure of is that either > you restore the HW in the exact same that you stole it from, or that > Linux is capable of refreshing its state against what the HW state was > left in? > > If you have a set of display pipeline drivers, on your way to suspend, > you can define a protocol with the co-processor so as to signal an > ownership change, and the co-processor can take control from there. To handover a hardware block to the co-processor we need to inform it and change the firewall configuration. My proposal only aim to cover this last point by describing in the device tree the possible configuration. The example I had mind is how the pinctrl framework is working with it states so doing something like changing firewall configuration and then inform the co-processor in suspend function. > > In your example, it sounds like the firewall could be meant to detect > uncoordinated concurrent accesses to the same HW block between different > SW/FW entities. If that is the case, this is most likely a bug and you > can probably just get away with doing reporting instead of an entirely > new subsystem? Prohibited accesses, most of the time, generate an abort on the bus so your platform just crash and yes it is a bug. This new subsystem won't change that, it only allow to describe and dynamically set a configuration for DT information rather doing that for type of firewall. Benjamin
On Fri, Jan 31, 2020 at 10:06 AM Greg KH <gregkh@linuxfoundation.org> wrote: > Why do people want to abuse the platform bus so much? If a device is on > a bus that can have such a controller, then it is on a real bus, use it! I'm not saying it is a good thing, but the reason why it is (ab)used so much can be found in: drivers/of/platform.c TL;DR: struct platform_device is the Device McDeviceFace and platform bus the Bus McBusFace used by the device tree parser since it is slightly to completely unaware of what devices it is actually spawning. And everything and its dog is using device tree in the embedded world. (A quick glance in drivers/acpi gives me the impression that ACPI is doing the very same thing but I am not a domain expert there so I am not really sure.) Whenever a device is created from a device tree it gets spawned on either the platform bus or the amba bus. In 99 cases out of 100 it is going to be a platform_device. In most device trees all devices ultimately spawn from the device tree and the root of absolutely everything including irq chips on the SoC, timers, PCI hosts and USB root hubs and whatnot is a platform device, because that is how the core device tree parser has chosen to spawn off devices. This generic code goes back to commit eca3930163ba8884060ce9d9ff5ef0d9b7c7b00f "of: Merge of_platform_bus_type with platform_bus_type" where the device tree-specific bus was replaced by the platform bus. This code was then moved down to drivers/of and used in multiple architectures. Grant's patch makes perfect sense because at the time some devices were created using board files (thus platform_device) and others using device tree and having two different probe paths and driver files for this reason alone was not reasonable. The same reasoning will apply to ACPI vs device tree drivers. What we *could* have done was to handle special devices special, like happened for AMBA PrimeCells. Mea Culpa, I suppose I am one of the guilty. Supporting new bus types for root devices in systems described in device tree would requiring patching drivers/of/platform.c and people are afraid of that because the code there is pretty complex. Instead platform_device is (ab)used to carry stuff over from the device tree to respective subsystem. In some cases the struct platform_device from device tree is discarded after use, it is just left dangling in memory with no other purpose than to serve as .parent for whatever device on whatever bus we were really creating. For some devices such as root irq_chips they serve no purpose whatsoever, they are just created and sitting around never to be probed, because the code instantiating them parse the device tree directly. For the devices that actually probe to drive a piece of silicon, arguably a different type of device on a different bus should be created, such as (I am making this up) struct soc_device on soc_bus. (Incidentally soc_bus exists, but its current use case is not for this.) I don't really see any better option for Benjamin or anyone else though? The reason why it is used so much should at least be clarified now I think. Yours, Linus Walleij
On Fri, Feb 14, 2020 at 05:05:07PM +0100, Linus Walleij wrote: > On Fri, Jan 31, 2020 at 10:06 AM Greg KH <gregkh@linuxfoundation.org> wrote: > > > Why do people want to abuse the platform bus so much? If a device is on > > a bus that can have such a controller, then it is on a real bus, use it! > > I'm not saying it is a good thing, but the reason why it is (ab)used so > much can be found in: > drivers/of/platform.c > > TL;DR: struct platform_device is the Device McDeviceFace and > platform bus the Bus McBusFace used by the device tree parser since > it is slightly to completely unaware of what devices it is actually > spawning. <snip> Yeah, great explaination, and I understand. DT stuff really is ok to be on a platform bus, as that's what almost all of them are. But, when you try to start messing around with things like this "firewall" says it is doing, it's then obvious that this really isn't a DT like thing, but rather you do have a bus involved with a controller so that should be used instead. Or just filter away the DT stuff so that the kernel never even sees those devices, which might just be simplest :) thanks, greg k-h
On 2/14/20 10:40 PM, Greg KH wrote: > On Fri, Feb 14, 2020 at 05:05:07PM +0100, Linus Walleij wrote: >> On Fri, Jan 31, 2020 at 10:06 AM Greg KH <gregkh@linuxfoundation.org> wrote: >> >>> Why do people want to abuse the platform bus so much? If a device is on >>> a bus that can have such a controller, then it is on a real bus, use it! >> I'm not saying it is a good thing, but the reason why it is (ab)used so >> much can be found in: >> drivers/of/platform.c >> >> TL;DR: struct platform_device is the Device McDeviceFace and >> platform bus the Bus McBusFace used by the device tree parser since >> it is slightly to completely unaware of what devices it is actually >> spawning. > <snip> > > Yeah, great explaination, and I understand. DT stuff really is ok to be > on a platform bus, as that's what almost all of them are. > > But, when you try to start messing around with things like this > "firewall" says it is doing, it's then obvious that this really isn't a > DT like thing, but rather you do have a bus involved with a controller > so that should be used instead. Ok but how put in place a new bus while keeping the devices on platform bus to avoid changing all the drivers ? > > Or just filter away the DT stuff so that the kernel never even sees > those devices, which might just be simplest :) yes but we lost the possibility to change the firewall configuration at run time. I do expect to be able to describe in the DT firewall configuration and to use them at run time. That could allow, for example, to handover a HW block to the coprocessor when the main core is going to be suspended to save power. Benjamin > > thanks, > > greg k-h
On Sat, Feb 15, 2020 at 12:41:07PM +0000, Benjamin GAIGNARD wrote: > > On 2/14/20 10:40 PM, Greg KH wrote: > > On Fri, Feb 14, 2020 at 05:05:07PM +0100, Linus Walleij wrote: > >> On Fri, Jan 31, 2020 at 10:06 AM Greg KH <gregkh@linuxfoundation.org> wrote: > >> > >>> Why do people want to abuse the platform bus so much? If a device is on > >>> a bus that can have such a controller, then it is on a real bus, use it! > >> I'm not saying it is a good thing, but the reason why it is (ab)used so > >> much can be found in: > >> drivers/of/platform.c > >> > >> TL;DR: struct platform_device is the Device McDeviceFace and > >> platform bus the Bus McBusFace used by the device tree parser since > >> it is slightly to completely unaware of what devices it is actually > >> spawning. > > <snip> > > > > Yeah, great explaination, and I understand. DT stuff really is ok to be > > on a platform bus, as that's what almost all of them are. > > > > But, when you try to start messing around with things like this > > "firewall" says it is doing, it's then obvious that this really isn't a > > DT like thing, but rather you do have a bus involved with a controller > > so that should be used instead. > > Ok but how put in place a new bus while keeping the devices on platform > bus to avoid changing all the drivers ? You don't, you put them all on your real bus, as that is what you now have. > > Or just filter away the DT stuff so that the kernel never even sees > > those devices, which might just be simplest :) > > yes but we lost the possibility to change the firewall configuration at > run time. I do expect to be able to describe in the DT firewall configuration > and to use them at run time. That could allow, for example, to handover > a HW block to the coprocessor when the main core is going to be suspended > to save power. Then use a real bus :) thanks, greg k-h