dt-bindings: mailbox: arm,mhu: Make secure interrupt optional

The secure interrupt is only useful to secure world, therefore for NS
users it shouldn't be required. Make it optional.

This fixes a warning on Arm Juno board:

mhu@2b1f0000: interrupts: [[0, 36, 4], [0, 35, 4]] is too short

Signed-off-by: Rob Herring <robh@kernel.org>
---
 Documentation/devicetree/bindings/mailbox/arm,mhu.yaml | 1 +
 1 file changed, 1 insertion(+)

On Thu, Jul 28, 2022 at 2:08 PM Rob Herring <robh@kernel.org> wrote:
>
> The secure interrupt is only useful to secure world, therefore for NS
> users it shouldn't be required. Make it optional.
>
> This fixes a warning on Arm Juno board:
>
> mhu@2b1f0000: interrupts: [[0, 36, 4], [0, 35, 4]] is too short
>
> Signed-off-by: Rob Herring <robh@kernel.org>
> ---
>  Documentation/devicetree/bindings/mailbox/arm,mhu.yaml | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml b/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml
> index bd49c201477d..d9a4f4a02d7c 100644
> --- a/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml
> +++ b/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml
> @@ -57,6 +57,7 @@ properties:
>      maxItems: 1
>
>    interrupts:
> +    minItems: 2
>      items:
>        - description: low-priority non-secure
>        - description: high-priority non-secure
>
Do we also want to specify that only the secure-irq is optional
because irqs are directly mapped onto channels in the driver, and only
omitting the secure (last) irq will work.

thanks



> --
> 2.34.1
>

On Thu, Jul 28, 2022 at 01:08:10PM -0600, Rob Herring wrote:
> The secure interrupt is only useful to secure world, therefore for NS
> users it shouldn't be required. Make it optional.
> 
> This fixes a warning on Arm Juno board:
> 
> mhu@2b1f0000: interrupts: [[0, 36, 4], [0, 35, 4]] is too short
>

Reviewed-by:  Sudeep Holla <sudeep.holla@arm.com>

On Thu, Jul 28, 2022 at 04:07:45PM -0500, Jassi Brar wrote:
> On Thu, Jul 28, 2022 at 3:17 PM Jassi Brar <jassisinghbrar@gmail.com> wrote:
> >
> > On Thu, Jul 28, 2022 at 2:08 PM Rob Herring <robh@kernel.org> wrote:
> > >
> > > The secure interrupt is only useful to secure world, therefore for NS
> > > users it shouldn't be required. Make it optional.
> > >
> > > This fixes a warning on Arm Juno board:
> > >
> > > mhu@2b1f0000: interrupts: [[0, 36, 4], [0, 35, 4]] is too short
> > >
> > > Signed-off-by: Rob Herring <robh@kernel.org>
> > > ---
> > >  Documentation/devicetree/bindings/mailbox/arm,mhu.yaml | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml b/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml
> > > index bd49c201477d..d9a4f4a02d7c 100644
> > > --- a/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml
> > > +++ b/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml
> > > @@ -57,6 +57,7 @@ properties:
> > >      maxItems: 1
> > >
> > >    interrupts:
> > > +    minItems: 2
> > >      items:
> > >        - description: low-priority non-secure
> > >        - description: high-priority non-secure
> > >
> > Do we also want to specify that only the secure-irq is optional
> > because irqs are directly mapped onto channels in the driver, and only
> > omitting the secure (last) irq will work.
> >
> I could learn why specifying secure irq isn't desirable?
> No non-secure client node would ask for that secure irq/channel, which
> will simply lay unused.
>

Did you mean would or wouldn't ?

Anyways I can insert a module that requests this channel and bring down
the system as accessing anything configure secure from non-secure side
on Juno results in system hang/error.

> The programming of the secure channel doesn't care if the mode is
> indeed secure. It all relies on providing accurate information in the
> device tree :- the controller provides secure and non-secure channels
> but only non-secure channels are _used_ in non-secure mode.
>

In general w.r.t the MHU IP may be yes. But if the secure side configures
it as secure only and claims the channel which is the case on Juno, any
attempt to access the same from non-secure side is fatal.

> index f6c55877fbd94..004b1566be74d 100644
> --- a/arch/arm64/boot/dts/arm/juno-base.dtsi
> +++ b/arch/arm64/boot/dts/arm/juno-base.dtsi
> @@ -26,7 +26,8 @@ mailbox: mhu@2b1f0000 {
>         compatible = "arm,mhu", "arm,primecell";
>         reg = <0x0 0x2b1f0000 0x0 0x1000>;
>         interrupts = <GIC_SPI 36 IRQ_TYPE_LEVEL_HIGH>,
> -                <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>;
> +                <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>,
> +                <GIC_SPI 37 IRQ_TYPE_LEVEL_HIGH>;
>         interrupt-names = "mhu_lpri_rx",
>                   "mhu_hpri_rx";
>         #mbox-cells = <1>;
> 
> If this works for you, I could submit a proper patch.
>

No this doesn't work IMO. Yes standalone everything looks fine, but you can
insert a module requesting this channel and bring down the system. So I am
not for this change.

On Fri, Jul 29, 2022 at 6:10 AM Sudeep Holla <sudeep.holla@arm.com> wrote:
> On Thu, Jul 28, 2022 at 04:07:45PM -0500, Jassi Brar wrote:

> > >
> > I could learn why specifying secure irq isn't desirable?
> > No non-secure client node would ask for that secure irq/channel, which
> > will simply lay unused.
>
> Did you mean would or wouldn't ?
>
I mean what's written.

> Anyways I can insert a module that requests this channel and bring down
> the system as accessing anything configure secure from non-secure side
> on Juno results in system hang/error.
>
Why go to those lengths? These are already simpler options available  ;-)
1)   while (1) ;      // preferably in some atomic context
2)   *((int *) 0) = 0;   // you might want to iterate over offset for
guaranteed results
3) Slightly more work, but you also have the opportunity to erase your
storage device


> > index f6c55877fbd94..004b1566be74d 100644
> > --- a/arch/arm64/boot/dts/arm/juno-base.dtsi
> > +++ b/arch/arm64/boot/dts/arm/juno-base.dtsi
> > @@ -26,7 +26,8 @@ mailbox: mhu@2b1f0000 {
> >         compatible = "arm,mhu", "arm,primecell";
> >         reg = <0x0 0x2b1f0000 0x0 0x1000>;
> >         interrupts = <GIC_SPI 36 IRQ_TYPE_LEVEL_HIGH>,
> > -                <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>;
> > +                <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>,
> > +                <GIC_SPI 37 IRQ_TYPE_LEVEL_HIGH>;
> >         interrupt-names = "mhu_lpri_rx",
> >                   "mhu_hpri_rx";
> >         #mbox-cells = <1>;
> >
> > If this works for you, I could submit a proper patch.
>
> No this doesn't work IMO.
>
If you _really_ tested and faced an error, please share it.

> Yes standalone everything looks fine, but you can
> insert a module requesting this channel and bring down the system.
>
If anyone other than a super-user is able to do that, then you have a
serious security problem at hand.
If you do that as a super-user, have fun.

cheers.

On Fri, Jul 29, 2022 at 5:10 AM Sudeep Holla <sudeep.holla@arm.com> wrote:
>
> On Thu, Jul 28, 2022 at 04:07:45PM -0500, Jassi Brar wrote:
> > On Thu, Jul 28, 2022 at 3:17 PM Jassi Brar <jassisinghbrar@gmail.com> wrote:
> > >
> > > On Thu, Jul 28, 2022 at 2:08 PM Rob Herring <robh@kernel.org> wrote:
> > > >
> > > > The secure interrupt is only useful to secure world, therefore for NS
> > > > users it shouldn't be required. Make it optional.
> > > >
> > > > This fixes a warning on Arm Juno board:
> > > >
> > > > mhu@2b1f0000: interrupts: [[0, 36, 4], [0, 35, 4]] is too short
> > > >
> > > > Signed-off-by: Rob Herring <robh@kernel.org>
> > > > ---
> > > >  Documentation/devicetree/bindings/mailbox/arm,mhu.yaml | 1 +
> > > >  1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml b/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml
> > > > index bd49c201477d..d9a4f4a02d7c 100644
> > > > --- a/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml
> > > > +++ b/Documentation/devicetree/bindings/mailbox/arm,mhu.yaml
> > > > @@ -57,6 +57,7 @@ properties:
> > > >      maxItems: 1
> > > >
> > > >    interrupts:
> > > > +    minItems: 2
> > > >      items:
> > > >        - description: low-priority non-secure
> > > >        - description: high-priority non-secure
> > > >
> > > Do we also want to specify that only the secure-irq is optional
> > > because irqs are directly mapped onto channels in the driver, and only
> > > omitting the secure (last) irq will work.
> > >
> > I could learn why specifying secure irq isn't desirable?
> > No non-secure client node would ask for that secure irq/channel, which
> > will simply lay unused.
> >
>
> Did you mean would or wouldn't ?
>
> Anyways I can insert a module that requests this channel and bring down
> the system as accessing anything configure secure from non-secure side
> on Juno results in system hang/error.
>
> > The programming of the secure channel doesn't care if the mode is
> > indeed secure. It all relies on providing accurate information in the
> > device tree :- the controller provides secure and non-secure channels
> > but only non-secure channels are _used_ in non-secure mode.
> >
>
> In general w.r.t the MHU IP may be yes. But if the secure side configures
> it as secure only and claims the channel which is the case on Juno, any
> attempt to access the same from non-secure side is fatal.
>
> > index f6c55877fbd94..004b1566be74d 100644
> > --- a/arch/arm64/boot/dts/arm/juno-base.dtsi
> > +++ b/arch/arm64/boot/dts/arm/juno-base.dtsi
> > @@ -26,7 +26,8 @@ mailbox: mhu@2b1f0000 {
> >         compatible = "arm,mhu", "arm,primecell";
> >         reg = <0x0 0x2b1f0000 0x0 0x1000>;
> >         interrupts = <GIC_SPI 36 IRQ_TYPE_LEVEL_HIGH>,
> > -                <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>;
> > +                <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>,
> > +                <GIC_SPI 37 IRQ_TYPE_LEVEL_HIGH>;
> >         interrupt-names = "mhu_lpri_rx",
> >                   "mhu_hpri_rx";

Missing name.

> >         #mbox-cells = <1>;
> >
> > If this works for you, I could submit a proper patch.
> >
>
> No this doesn't work IMO. Yes standalone everything looks fine, but you can
> insert a module requesting this channel and bring down the system. So I am
> not for this change.

Not having the interrupt listed in DT doesn't prevent that. Is this
security by obscurity?

I don't really care which way this is fixed though. I just want the
warning gone. We've all got better things to worry about. The DT not
having the interrupt has been that way for years (presumably) and the
kernel never needs the interrupt, so the schema should reflect
reality. On the flip side, considering it *can* be present already,
there's not really much argument for not having it.

Rob

On Fri, Jul 29, 2022 at 10:18:04AM -0500, Jassi Brar wrote:
> On Fri, Jul 29, 2022 at 6:10 AM Sudeep Holla <sudeep.holla@arm.com> wrote:
> > On Thu, Jul 28, 2022 at 04:07:45PM -0500, Jassi Brar wrote:
> 
> > > >
> > > I could learn why specifying secure irq isn't desirable?
> > > No non-secure client node would ask for that secure irq/channel, which
> > > will simply lay unused.
> >
> > Did you mean would or wouldn't ?
> >
> I mean what's written.
>

Sorry for asking to be explicit. How can one ensure that doesn't happen
if someone wants to exploit the secure side firmware. That is my concern
and I understand we must block any users of it in the device tree. But
that doesn't prevent people who can run any non-secure side software to
exploit the secure side.

> > Anyways I can insert a module that requests this channel and bring down
> > the system as accessing anything configure secure from non-secure side
> > on Juno results in system hang/error.
> >
> Why go to those lengths? These are already simpler options available  ;-)
> 1)   while (1) ;      // preferably in some atomic context
> 2)   *((int *) 0) = 0;   // you might want to iterate over offset for
> guaranteed results
> 3) Slightly more work, but you also have the opportunity to erase your
> storage device
>

I know these simple methods but can I hinder secure side services with
these ?

> > > index f6c55877fbd94..004b1566be74d 100644
> > > --- a/arch/arm64/boot/dts/arm/juno-base.dtsi
> > > +++ b/arch/arm64/boot/dts/arm/juno-base.dtsi
> > > @@ -26,7 +26,8 @@ mailbox: mhu@2b1f0000 {
> > >         compatible = "arm,mhu", "arm,primecell";
> > >         reg = <0x0 0x2b1f0000 0x0 0x1000>;
> > >         interrupts = <GIC_SPI 36 IRQ_TYPE_LEVEL_HIGH>,
> > > -                <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>;
> > > +                <GIC_SPI 35 IRQ_TYPE_LEVEL_HIGH>,
> > > +                <GIC_SPI 37 IRQ_TYPE_LEVEL_HIGH>;
> > >         interrupt-names = "mhu_lpri_rx",
> > >                   "mhu_hpri_rx";
> > >         #mbox-cells = <1>;
> > >
> > > If this works for you, I could submit a proper patch.
> >
> > No this doesn't work IMO.
> >
> If you _really_ tested and faced an error, please share it.
>

Yes, I did try. But as I hacked the DT to use it(or I can even hack the
kernel if DT is not so easily upgradable). The main point is as the secure
side uses this channel to communicate with SCP for some of the CPU idle
management which is enable by default in the kernel, by just sending the
command using the same secure channel from the Linux I can randomly
ensure the messages sent by secure side is mangled and CPU may either
fail to resume back from suspend or even fail to suspend.

The end result is I just see it just hangs in the non-secure side. While
you could argue it is expected that we should not have used the secure
channel, but I would go further and ask if that needs to be exposed as
there is no way to mark is as disabled or already in use by secure side.

But yes, I see you point as well. Not sure which is better.

> > Yes standalone everything looks fine, but you can
> > insert a module requesting this channel and bring down the system.
> >
> If anyone other than a super-user is able to do that, then you have a
> serious security problem at hand. If you do that as a super-user, have fun.
>

Yes I assuming super user itself. It may not help much to exploit on Juno
much, but will such a mechanism help to exploit and understand the secure
side communication from non-secure side was my general concern as we have
seen and heard of such exploits quite a lot these days. That is the only
reason I was suggesting to not expose any secure mailbox details to the
non-secure world. Juno is probably not a good example platform to make
my point.

I wish there was a way to tell non-secure side that it is disabled for it's
use as it is used by the secure side 🙁.

As Juno platform maintainer, I am not comfortable adding this in case other
platforms copy for it.

--
Regards,
Sudeep

On Fri, Jul 29, 2022 at 05:17:26PM -0600, Rob Herring wrote:
> On Fri, Jul 29, 2022 at 5:10 AM Sudeep Holla <sudeep.holla@arm.com> wrote:

[...]

> >
> > No this doesn't work IMO. Yes standalone everything looks fine, but you can
> > insert a module requesting this channel and bring down the system. So I am
> > not for this change.
>
> Not having the interrupt listed in DT doesn't prevent that. Is this
> security by obscurity?
>

I agree, as I mentioned in the other thread, if we had a way to mark that
channel as used elsewhere or disabled or unavailable, it would have been
great.

> I don't really care which way this is fixed though.

Understood.

> I just want the warning gone. We've all got better things to worry about.

Agreed.

> The DT not having the interrupt has been that way for years (presumably)
> and the kernel never needs the interrupt, so the schema should reflect
> reality.

I prefer this approach.

> On the flip side, considering it *can* be present already, there's not
> really much argument for not having it.
>

Can't disagree/argue that 😄.

--
Regards,
Sudeep

On Mon, 1 Aug 2022 at 05:23, Sudeep Holla <sudeep.holla@arm.com> wrote:
> On Fri, Jul 29, 2022 at 10:18:04AM -0500, Jassi Brar wrote:
>
> > > Anyways I can insert a module that requests this channel and bring down
> > > the system as accessing anything configure secure from non-secure side
> > > on Juno results in system hang/error.
> > >
> > Why go to those lengths? These are already simpler options available  ;-)
> > 1)   while (1) ;      // preferably in some atomic context
> > 2)   *((int *) 0) = 0;   // you might want to iterate over offset for
> > guaranteed results
> > 3) Slightly more work, but you also have the opportunity to erase your
> > storage device
>
> I know these simple methods but can I hinder secure side services with
> these ?
>
Ideally, no. And neither if we enumerate the secure-channel in dt and driver.

See, even if you remove support for the secure channel in the kernel,
a doped super-user could always insmod a module that attempts to
access the secure address space that you want to "hide".

cheers.

On Mon, Aug 01, 2022 at 08:57:52AM -0500, Jassi Brar wrote:
> On Mon, 1 Aug 2022 at 05:23, Sudeep Holla <sudeep.holla@arm.com> wrote:
> > On Fri, Jul 29, 2022 at 10:18:04AM -0500, Jassi Brar wrote:
> >
> > > > Anyways I can insert a module that requests this channel and bring down
> > > > the system as accessing anything configure secure from non-secure side
> > > > on Juno results in system hang/error.
> > > >
> > > Why go to those lengths? These are already simpler options available  ;-)
> > > 1)   while (1) ;      // preferably in some atomic context
> > > 2)   *((int *) 0) = 0;   // you might want to iterate over offset for
> > > guaranteed results
> > > 3) Slightly more work, but you also have the opportunity to erase your
> > > storage device
> >
> > I know these simple methods but can I hinder secure side services with
> > these ?
> >
> Ideally, no. And neither if we enumerate the secure-channel in dt and driver.
> 
> See, even if you remove support for the secure channel in the kernel,
> a doped super-user could always insmod a module that attempts to
> access the secure address space that you want to "hide".
>

True, generally they should have put this in a separate page/range so
TZ could program accordingly and prohibit any access 🙁.

--
Regards,
Sudeep