core: stm32_gpio: register firewall controllers for GPIO access rights #7102
Conversation
etienne-lms
force-pushed
the
stm32-gpio
branch
from
523c9ca
to
d049439
Compare
|
Rebased to fix merge conflicts. CI / Code Style checkpatch reports are all false positive: |
|
7 first patches (device tree):
|
|
Comments on the 7 first commits addressed. CI / Code style reports false positive (trace message impl. exceeding 80char/line + use BIT() in DT binding header file). CI / make check (QEMUv8, Clang) failed on optee_rust_examples_ext-1.0 build: |
core/drivers/stm32_gpio.c
Outdated
| @@ -753,7 +754,7 @@ static TEE_Result apply_rif_config(struct stm32_gpio_bank *bank) | |||
| panic(); | |||
|
|
|||
| for (i = 0; i < bank->ngpios; i++) { | |||
| if (!(BIT(i) & bank->rif_cfg->access_mask[0])) | |||
There was a problem hiding this comment.
Why is this removed? So that we allow reconfiguration of pins that we don't list in the DT RIF config at first place? It's not what we have at downstream
There was a problem hiding this comment.
Bits set in gpios_mask are also set in bank->rif_cfg->access_mask[0] (see caller functions) hence testing gpios_mask is enough IMHO. Maybe I should add an assertion at function entry?
assert(gpios_mask & bank->rif_cfg->access_mask[0] == gpios_mask);
| * Non RIF GPIO banks use TZPROT() bit mask (bits 0 to 15) | ||
| * and GPIO_STM32_NSEC bit flag in the DT bindings. | ||
| */ | ||
| gpios_mask = firewall->args[0] & GENMASK_32(15, 0); |
There was a problem hiding this comment.
In the non-RIF case, we allow multiple pin reconfiguration. We forbid that for RIF-capable banks. I think the function should have the same use, no?
There was a problem hiding this comment.
Do you mean that STM32MP1 DT bindings allow a single firewall config/query to confgure several GPIO pins whereas STM32 RIF DT bindings (STM32MP2 GPIO) require 1 config/query per GPIO pin?
If so, I intentionally made it that way to better conform with STM32 DT binding st,protreg that defines the default configuration of the GPIOs secure hardening. For STM32 RIF protected GPIOS, st,proret requires 1 DT 32bit cell per GPIO whereas in STM32MP1 protected GPIO, the DT binding allows to configure several GPIOs with a single 32bit DT cell.
There was a problem hiding this comment.
Yes this is what I meant. I think this should be mentionned in a comment somewhere
There was a problem hiding this comment.
Do you think the inline comment above (lines 1025/1026) is not enough?
| for (n = 0; n < pin_count; n++) { | ||
| struct stm32_gpio_bank *bank = stm32_gpio_get_bank(p[n].bank); | ||
|
|
||
| if (p[n].cfg.nsec == !pin_is_secure(bank, p[n].pin)) |
There was a problem hiding this comment.
I think:
if (pin_is_secure(bank, p[n].pin) && p[n].cfg.nsec)
continue;
is clearer
There was a problem hiding this comment.
There are 2 cases to consider:
if ((pin_is_secure(bank, p[n].pin) && !p[n].cfg.nsec) ||
(!pin_is_secure(bank, p[n].pin) && p[n].cfg.nsec))I though it would be simpler on a single line.
| @@ -113,19 +113,13 @@ static void register_secure_uart(struct stm32_uart_pdata *pd __maybe_unused) | |||
| { | |||
| #ifndef CFG_STM32MP25 | |||
| stm32mp_register_secure_periph_iomem(pd->base.pa); | |||
There was a problem hiding this comment.
looking at our static mapping, I don't think we need this as well, don't you agree?
There was a problem hiding this comment.
We don't, but let's address that is a specific series/P-R if you don't mind.
|
For commit ditto for following pinctrl commit For commits: For commit: |
core/drivers/stm32_gpio.c
Outdated
| @@ -753,7 +754,7 @@ static TEE_Result apply_rif_config(struct stm32_gpio_bank *bank) | |||
| panic(); | |||
|
|
|||
| for (i = 0; i < bank->ngpios; i++) { | |||
| if (!(BIT(i) & bank->rif_cfg->access_mask[0])) | |||
There was a problem hiding this comment.
Bits set in gpios_mask are also set in bank->rif_cfg->access_mask[0] (see caller functions) hence testing gpios_mask is enough IMHO. Maybe I should add an assertion at function entry?
assert(gpios_mask & bank->rif_cfg->access_mask[0] == gpios_mask);
| * Non RIF GPIO banks use TZPROT() bit mask (bits 0 to 15) | ||
| * and GPIO_STM32_NSEC bit flag in the DT bindings. | ||
| */ | ||
| gpios_mask = firewall->args[0] & GENMASK_32(15, 0); |
There was a problem hiding this comment.
Do you mean that STM32MP1 DT bindings allow a single firewall config/query to confgure several GPIO pins whereas STM32 RIF DT bindings (STM32MP2 GPIO) require 1 config/query per GPIO pin?
If so, I intentionally made it that way to better conform with STM32 DT binding st,protreg that defines the default configuration of the GPIOs secure hardening. For STM32 RIF protected GPIOS, st,proret requires 1 DT 32bit cell per GPIO whereas in STM32MP1 protected GPIO, the DT binding allows to configure several GPIOs with a single 32bit DT cell.
| for (n = 0; n < pin_count; n++) { | ||
| struct stm32_gpio_bank *bank = stm32_gpio_get_bank(p[n].bank); | ||
|
|
||
| if (p[n].cfg.nsec == !pin_is_secure(bank, p[n].pin)) |
There was a problem hiding this comment.
There are 2 cases to consider:
if ((pin_is_secure(bank, p[n].pin) && !p[n].cfg.nsec) ||
(!pin_is_secure(bank, p[n].pin) && p[n].cfg.nsec))I though it would be simpler on a single line.
| @@ -113,19 +113,13 @@ static void register_secure_uart(struct stm32_uart_pdata *pd __maybe_unused) | |||
| { | |||
| #ifndef CFG_STM32MP25 | |||
| stm32mp_register_secure_periph_iomem(pd->base.pa); | |||
There was a problem hiding this comment.
We don't, but let's address that is a specific series/P-R if you don't mind.
etienne-lms
force-pushed
the
stm32-gpio
branch
from
0feb9c2
to
c3886b1
Compare
|
Rebased |
etienne-lms
force-pushed
the
stm32-gpio
branch
from
a063d7d
to
31d7a49
Compare
|
@GseoC, may I squash the fixup commits and fix the commit messages as you suggested? |
Please do when addressing the comment above so that I can make another round, thanks! |
etienne-lms
force-pushed
the
stm32-gpio
branch
from
31d7a49
to
1cdf807
Compare
|
Fixup commits squashed and commits messages updated as per #7102 (comment) and #7102 (comment) review comments. |
Define STM32 GPIO DT bindings bit flags for GPIOs that are to be used in non-secure state. Signed-off-by: Etienne Carriere <[email protected]>
Define stm32 pinctrl DT bindings bit flags for pins that are expected to be used in non-secure state. Signed-off-by: Etienne Carriere <[email protected]>
Add property #access-controller-cells to GPIO banks that register to the firewall framework. Signed-off-by: Etienne Carriere <[email protected]>
On STM32MP15 based devices, UART2/3/4/5/6/7/8 cannot be secured. Explicitly state that in the pinctrl nodes. This change ease the use of a non-secure UART for OP-TEE output console on STM32MP15 based boards. Signed-off-by: Etienne Carriere <[email protected]>
Explicitly state that legacy pinctrl phandles i2c4_pins_a and i2c4_sleep_pins_a refer to non-secure I2C4 pin muxing on STM32MP15 based platforms. Define secure I2C4 bus pinctrl states for boards that use the I2C4 bus in secure state on STM32MP15 SoCs. Signed-off-by: Etienne Carriere <[email protected]>
Explicitly state that legacy pinctrl phandles usart4_pins_a refer to non-secure USART4 pin muxing, used in STM32MP13 based boards for OP-TEE console using a non-secure UART bus. Signed-off-by: Etienne Carriere <[email protected]>
Explicitly state that legacy pinctrl phandles usart2_pins_a refer to non-secure USART2 pin muxing, used in STM32MP23 and STM32MP25 based boards for OP-TEE console using a non-secure UART bus. Define secure USART2 bus pinctrl states for board that needs to use the USART2 bus in secure state. Signed-off-by: Etienne Carriere <[email protected]>
Check that a GPIO requested by a consumer is not already consumed by another device. Signed-off-by: Etienne Carriere <[email protected]>
Change apply_rif_config() to be able to call it for a subset of pins in a GPIO bank. Signed-off-by: Etienne Carriere <[email protected]>
Register secure aware STM32 GPIO banks to the firewall framework as a firewall controller to allow GPIO and pinctrl consumer devices to load alternate configurations for pins. Signed-off-by: Etienne Carriere <[email protected]>
STM32 GPIO driver now verifies that any GPIO consumed by OP-TEE can be accessed and has the expected secure hardening configuration. If a driver attempts to consume a GPIO that cannot be accessed by OP-TEE, core panics. Use newly added GPIO_STM32_NSEC bindings macro in STM32 GPIO driver DT bindings header file as hint on whether GPIO is expected secure or shared with non-secure world. When a GPIO is used with an inappropriate configuration state, STM32 GPIO driver panics or prints an info level message, depending on CFG_INSECURE. Signed-off-by: Etienne Carriere <[email protected]>
STM32 GPIO driver now verifies that any pinctrl consumed by OP-TEE can be accessed and has the expected secure hardening configuration. If a driver attempts to consume a pinctrl with pins that cannot be accessed by OP-TEE, core panics. Non-secure pins must have the STM32_PIN_NSEC bit set in the pin handler argument unless what the pin is expected to be secure. The driver returns an error when the expected secure state of a pin does not match its effective secure state, unless CFG_INSECURE is enabled in which case the driver only prints an info level trace message. Signed-off-by: Etienne Carriere <[email protected]>
Remove management of GPIO and pinctrl secure state since this is now handled from STM32 ETZPC driver based through the firewall framework. Signed-off-by: Etienne Carriere <[email protected]>
Remove use of stm32_pinctrl_set_secure_cfg() to set the secure state of the pins of a pinctrl state since this is now handled from STM32 GPIO driver based on the firewall framework. Signed-off-by: Etienne Carriere <[email protected]>
Remove use of stm32_pinctrl_set_secure_cfg() to set the secure state of the pins of a pinctrl state since this is now handled from STM32 GPIO driver based on the firewall framework. Signed-off-by: Etienne Carriere <[email protected]>
Remove use of shared_resources platform driver to manage the secure state of the pins of a pinctrl state since this is now managed using the firewall framework. Signed-off-by: Etienne Carriere <[email protected]>
…ctrl Remove use of shared_resources platform driver in STM32MP15 PMIC driver to manage the secure state of the pins of a pinctrl state since this is now managed using the firewall framework. Signed-off-by: Etienne Carriere <[email protected]>
…tate Remove stm32_gpio_set_secure_cfg() and stm32_pinctrl_set_secure_cfg() functions that are no more used since the GPIO and pins secure state is defined by the st,protreg registers already handled from get_pinctrl_from_fdt() and stm32_gpio_get_dt() callback functions. Signed-off-by: Etienne Carriere <[email protected]>
Remove the pin and GPIO secure state management from shared_resources platform driver since this is now managed using the firewall framework. Signed-off-by: Etienne Carriere <[email protected]>
etienne-lms
force-pushed
the
stm32-gpio
branch
from
1cdf807
to
ec60416
Compare
|
Rebased to solve merge conflicts. |
| id - STM32MP1_SHRES_GPIOZ(0), get_gpioz_nbpin()); | ||
| panic(); | ||
| } | ||
| panic("Deprecated registering of GPIOz resources"); |
There was a problem hiding this comment.
Could merge with PLL3 and specify only usage of deprecated shared resource
| @@ -113,19 +113,13 @@ static void register_secure_uart(struct stm32_uart_pdata *pd __maybe_unused) | |||
| { | |||
| #ifndef CFG_STM32MP25 | |||
| stm32mp_register_secure_periph_iomem(pd->base.pa); | |||
| /* Resource can be accessed if CID1 is statically allowed */ | ||
| accessible = true; | ||
| } else if (stm32_rif_semaphore_enabled_and_ok(cidcfgr, RIF_CID1)) { | ||
| /* We must acquire the semaphore to access the resource */ |
There was a problem hiding this comment.
We should add a stm32_rif_semaphore_is_available_or_taken() to check if the current CID has already taken the semaphore. This will avoid some issue when acquiring the semaphore (spurious IAC). Maybe we can do this in another P-R. (I can take care of that)
There was a problem hiding this comment.
To prevent such issues when acquiring an already taken semaphore, I think we should rather fix stm32_rif_acquire_semaphore():
TEE_Result stm32_rif_acquire_semaphore(vaddr_t addr, unsigned int nb_cid_supp)
{
uint32_t scid_mask = get_scid_mask(nb_cid_supp);
- /* Take the semaphore */
- io_setbits32(addr, _SEMCR_MUTEX);
+ /* Take the semaphore is not already taken */
+ if (stm32_rif_semaphore_is_available(addr))
+ io_setbits32(addr, _SEMCR_MUTEX);
/* Check that the Cortex-A has the semaphore */
if (stm32_rif_semaphore_is_available(addr) ||
((io_read32(addr) & scid_mask) >> _CIDCFGR_SCID_SHIFT) != RIF_CID1)
return TEE_ERROR_ACCESS_DENIED;
return TEE_SUCCESS;
}| } | ||
| } | ||
|
|
||
| if (!pin_is_accessible(bank, gpio->pin)) { |
There was a problem hiding this comment.
Kind of the same fight here. I think we should "acquire" the access when consuming the GPIO. That probably is here or in each of the exposed APIs:
.get_direction = stm32_gpio_get_direction,
.set_direction = stm32_gpio_set_direction,
.get_value = stm32_gpio_get_level,
.set_value = stm32_gpio_set_level,
but we also need to release the access when we put the GPIO in stm32_gpio_put_gpio().
We don't have a pinctrl release
There was a problem hiding this comment.
I would expect GPIOs consumed by OP-TEE are only owned by OP-TEE. We have no current plan on stm32mpX platforms to share GPIOs at runtime.
| * Non RIF GPIO banks use TZPROT() bit mask (bits 0 to 15) | ||
| * and GPIO_STM32_NSEC bit flag in the DT bindings. | ||
| */ | ||
| gpios_mask = firewall->args[0] & GENMASK_32(15, 0); |
There was a problem hiding this comment.
Yes this is what I meant. I think this should be mentionned in a comment somewhere
This P-R makes stm32mp platforms to OP-TEE secure DTB to manage STM32 GPIO access rights. It tried to nicely split changes but it now spreads on almost 20 commits.
"dt-bindings: gpio: stm32mp: flags for non-secure GPIOs"
"dt-bindings: pinctrl: stm32mp: flags for non-secure pins"
"dts: stm32: ..."
"drivers: stm32_gpio: check GPIO is not already consumed"
"drivers: stm32_gpio: factorize apply_rif_config()"
"drivers: stm32_gpio: register to firewall framework"
"drivers: stm32_gpio: check secure state of consumed GPIOs"
"drivers: stm32_gpio: check secure state of pinctrl states"
"drivers: stm32_xxx: remove use of xxx() ..."
"plat-stm32mp1: remove use of xxx() ..."