core: dt: Make it possible to alter device mapping #5603
Conversation
|
This is split from PR #5350 as we could not re-open that. Also decided to split the commits to own PRs. |
core/kernel/dt.c
Outdated
| @@ -125,6 +125,39 @@ int dt_map_dev(const void *fdt, int offs, vaddr_t *base, size_t *size) | |||
| return 0; | |||
| } | |||
|
|
|||
| int dt_map_secure_dev(const void *fdt, int offs, vaddr_t *base, size_t *size) | |||
There was a problem hiding this comment.
This duplicates most of the code in dt_map_dev(). Would it be possible to refactor the two functions to use a common helper function or something?
There was a problem hiding this comment.
Maybe add a hint argument to dt_map_dev():
enum map_dev_directive { MAP_FROM_NODE_STATUS, MAP_SECURE, MAP_NON_SECURE };
There was a problem hiding this comment.
I can try the proposed method.
core/kernel/dt.c
Outdated
| return -1; | ||
| sz = _fdt_reg_size(fdt, offs); | ||
| if (sz == DT_INFO_INVALID_REG_SIZE) | ||
| return -1; |
There was a problem hiding this comment.
The err_code(-1) returned by different exception branches. Maybe inconvenient for debug.
But returning to -1 seems to be the norm in this file. :)
There was a problem hiding this comment.
Right. This is legacy and could move to TEE_Result return value.
There was a problem hiding this comment.
dt_map_dev() maps with ns=0 when secure-status = "okay" & status = "disabled". @vesajaaskelainen, you don't want to rely on this scheme? You need an API function that enforces the secure state?
core/kernel/dt.c
Outdated
| return -1; | ||
| sz = _fdt_reg_size(fdt, offs); | ||
| if (sz == DT_INFO_INVALID_REG_SIZE) | ||
| return -1; |
There was a problem hiding this comment.
Right. This is legacy and could move to TEE_Result return value.
The problem here is that the real device tree would be: Eg. part of the registers are accessible for Linux kernel drivers and full set is available for OP-TEE driver. If you do this the MMU mapping will be non-secure resulting non-secure access in FPGA side and we cannot access the TZ protected registers. |
|
Alternative for this function would be I suppose:
|
There was a problem hiding this comment.
invent new device tree keyword
I don't think it is the preferred way...
re-work logic when both statuses are enabled so that actual mapping is secure. But don't know what that would break.
That would be sowhat more consistent IMO. There are impacted drivers, we should get an Acked-by from them.
core/kernel/dt.c
Outdated
| @@ -125,6 +125,39 @@ int dt_map_dev(const void *fdt, int offs, vaddr_t *base, size_t *size) | |||
| return 0; | |||
| } | |||
|
|
|||
| int dt_map_secure_dev(const void *fdt, int offs, vaddr_t *base, size_t *size) | |||
There was a problem hiding this comment.
Maybe add a hint argument to dt_map_dev():
enum map_dev_directive { MAP_FROM_NODE_STATUS, MAP_SECURE, MAP_NON_SECURE };
vesajaaskelainen
force-pushed
the
map-device-as-secure
branch
from
996ad84
to
a951b4a
Compare
core/include/kernel/dt.h
Outdated
| * DT_MAP_NON_SECURE: Force mapping for device to be non-secure. | ||
| */ | ||
| enum dt_map_dev_directive { | ||
| DT_MAP_FROM_NODE_STATUS, |
There was a problem hiding this comment.
Was thinking should this be DT_MAP_AUTO or so.
There was a problem hiding this comment.
Yes, that's a good name.
There was a problem hiding this comment.
I wait a bit if there are other comments and then go with this (needs a change in quite a many places 😓)
There was a problem hiding this comment.
FWIW... DT_MAP_AUTO sounds good to me too
|
Now I have updated the PR based on comments. Please check it out if it matches your ideas. |
vesajaaskelainen
changed the title
|
Please change the prefix in the commit subject from kernel to core. |
OK |
vesajaaskelainen
force-pushed
the
map-device-as-secure
branch
from
a951b4a
to
3834a1b
Compare
vesajaaskelainen
changed the title
|
Updated the PR based on comments. |
|
|
vesajaaskelainen
force-pushed
the
map-device-as-secure
branch
from
3834a1b
to
1a927de
Compare
Thanks for the review! Applied tag. |
In case where IP core device is TrustZone aware and is used by both REE and TEE dt_map_dev() would normally cause non-secure mapping for the device. When selected registers in IP core are only accessible by TrustZone device needs to be mapped with MEM_AREA_IO_SEC to cause actual AXI memory access be made with AWPROT[1] and ARPROT[1] bits configured properly. This adds new argument for dt_map_dev() to enable forcing mapping to be secure or non-secure. Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
vesajaaskelainen
force-pushed
the
map-device-as-secure
branch
from
1a927de
to
dee2f84
Compare
Thanks for the review! Applied tags. |
|
About failed checks. These passed nicely on my github fork's actions. So some transient failure somewhere else? |
Possible. Or perhaps there is a race condition somewhere -- |
In case where IP core device is TrustZone aware and is used by both REE
and TEE dt_map_dev() would normally cause non-secure mapping for the
device.
When selected registers in IP core are only accessible by TrustZone device
needs to be mapped with MEM_AREA_IO_SEC to cause actual AXI memory access
be made with AWPROT[1] and ARPROT[1] bits configured properly.
This adds new argument for dt_map_dev() to enable forcing mapping to be
secure or non-secure.
Signed-off-by: Vesa Jääskeläinen vesa.jaaskelainen@vaisala.com