diff mbox

[v5,18/18] Documentation: ACPI for ARM64

Message ID 1413553034-20956-19-git-send-email-hanjun.guo@linaro.org (mailing list archive)
State New, archived
Headers show

Commit Message

Hanjun Guo Oct. 17, 2014, 1:37 p.m. UTC
From: Graeme Gregory <graeme.gregory@linaro.org>

Add documentation for the guidelines of how to use ACPI
on ARM64.

Signed-off-by: Graeme Gregory <graeme.gregory@linaro.org>
Signed-off-by: Al Stone <al.stone@linaro.org>
Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
---
 Documentation/arm64/arm-acpi.txt |  323 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 323 insertions(+)
 create mode 100644 Documentation/arm64/arm-acpi.txt

Comments

Suravee Suthikulpanit Dec. 18, 2014, 8:01 p.m. UTC | #1
On 10/17/2014 8:37 AM, Hanjun Guo wrote:

> From: Graeme Gregory <graeme.gregory@linaro.org>
>
> Add documentation for the guidelines of how to use ACPI
> on ARM64.
>
> Signed-off-by: Graeme Gregory <graeme.gregory@linaro.org>
> Signed-off-by: Al Stone <al.stone@linaro.org>
> Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
> ---
>   Documentation/arm64/arm-acpi.txt |  323
> ++++++++++++++++++++++++++++++++++++++
>   1 file changed, 323 insertions(+)
>   create mode 100644 Documentation/arm64/arm-acpi.txt
>[...]

AMD has reviewed this document, and currently implements ACPI table in 
the firmware for AMD Seattle platform based on the documentation 
published here:

http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2012/10/Seattle_ACPI_Guide.pdf

Reviewed-by: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>

Thank you,

Suravee
Timur Tabi Dec. 18, 2014, 8:04 p.m. UTC | #2
On Fri, Oct 17, 2014 at 8:37 AM, Hanjun Guo <hanjun.guo@linaro.org> wrote:

> If acpi=force is used, the kernel
> +will ONLY use device configuration information contained in the ACPI tables.

Based on this statement, ...

> +In order for the kernel to load and use ACPI tables, the UEFI implementation
> +MUST set the ACPI_20_TABLE_GUID to point to the RSDP table (the table with
> +the ACPI signature "RSD PTR ").  If this pointer is incorrect and acpi=force
> +is used, the kernel will disable ACPI and try to use DT to boot.

wouldn't it be more correct to say "If this pointer is incorrect OR
acpi=force is used"?

> +Forum provides a mechanism for registering such bindings [URL TBD by ASWG]

Did you intend to replace the text in []?

> +so that they may be used on any operating system supporting ACPI.  Device
> +properties that have not been registered with the UEFI Forum should not be
> +used.

Blech.  I guess it's necessary, but the information needs to be documented here.

> +Drivers should look for device properties in the _DSD object ONLY; the _DSD
> +object is described in the ACPI specification section 6.2.5, but more
> +specifically, use the _DSD Device Properties UUID:
> +
> +   -- UUID: daffd814-6eba-4d8c-8a91-bc9bbf4aa301
> +
> +   -- http://www.uefi.org/sites/default/files/resources/_DSD-device-properties-UUID.pdf)

Extra ) here.

> +The kernel has an interface for looking up device properties in a manner
> +independent of whether DT or ACPI is being used and that interface should
> +be used; it can eliminate some duplication of code paths in driver probing
> +functions and discourage divergence between DT bindings and ACPI device
> +properties.

How about a pointer to the documentation for this method?

> +Such code in _PS? methods will of course be very platform specific.  But,

I would use _PSx instead of _PS? here.

> +this allows the driver to abstract out the interface for operating the device
> +and avoid having to read special non-standard values from ACPI tables. Further,
> +abstracting the use of these resources allows the hardware to change over time
> +without requiring updates to the driver.
> +
> +
> +Clocks
> +------
> +ACPI makes the assumption that clocks are initialized by the firmware --
> +UEFI, in this case -- to some working value before control is handed over
> +to the kernel.  This has implications for devices such as UARTs, or SoC
> +driven LCD displays, for example.

SOC-driven should be hyphenated.

> +When the kernel boots, the clock is assumed to be set to reasonable

to A reasonable

> +working value.  If for some reason the frequency needs to change -- e.g.,
> +throttling for power management -- the device driver should expect that
> +process to be abstracted out into some ACPI method that can be invoked
> +(please see the ACPI specification for further recommendations on standard
> +methods to be expected).  If is not, there is no direct way for ACPI to

If IT is not

> +control the clocks.
> +
> +
> +Driver Recommendations
> +----------------------
> +DO NOT remove any DT handling when adding ACPI support for a driver.  The
> +same device may be used on many different systems.
> +
> +DO try to structure the driver so that it is data driven.  That is, set up

data-driven
Hanjun Guo Dec. 19, 2014, 1:04 p.m. UTC | #3
On 2014?12?19? 04:01, Suravee Suthikulanit wrote:
> On 10/17/2014 8:37 AM, Hanjun Guo wrote:
>
>> From: Graeme Gregory <graeme.gregory@linaro.org>
>>
>> Add documentation for the guidelines of how to use ACPI
>> on ARM64.
>>
>> Signed-off-by: Graeme Gregory <graeme.gregory@linaro.org>
>> Signed-off-by: Al Stone <al.stone@linaro.org>
>> Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
>> ---
>>   Documentation/arm64/arm-acpi.txt |  323
>> ++++++++++++++++++++++++++++++++++++++
>>   1 file changed, 323 insertions(+)
>>   create mode 100644 Documentation/arm64/arm-acpi.txt
>> [...]
>
> AMD has reviewed this document, and currently implements ACPI table in
> the firmware for AMD Seattle platform based on the documentation
> published here:
>
> http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2012/10/Seattle_ACPI_Guide.pdf
>
>
> Reviewed-by: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>

Thank you very much, Suravee.

Hanjun
Hanjun Guo Dec. 19, 2014, 1:53 p.m. UTC | #4
Hi Timur,

On 2014?12?19? 04:04, Timur Tabi wrote:
> On Fri, Oct 17, 2014 at 8:37 AM, Hanjun Guo <hanjun.guo@linaro.org> wrote:
>
>> If acpi=force is used, the kernel
>> +will ONLY use device configuration information contained in the ACPI tables.
>
> Based on this statement, ...
>
>> +In order for the kernel to load and use ACPI tables, the UEFI implementation
>> +MUST set the ACPI_20_TABLE_GUID to point to the RSDP table (the table with
>> +the ACPI signature "RSD PTR ").  If this pointer is incorrect and acpi=force
>> +is used, the kernel will disable ACPI and try to use DT to boot.
>
> wouldn't it be more correct to say "If this pointer is incorrect OR
> acpi=force is used"?

Good catch, some inconsistency here. Actually it means if the pointer to
RSDP is incorrect, the ACPI code will catch that error, then ACPI will
be disabled and tries to boot with DT even if acpi=force is passed, I
think that makes sense.

I will fix the inconsistency anyway in next version.

>
>> +Forum provides a mechanism for registering such bindings [URL TBD by ASWG]
>
> Did you intend to replace the text in []?

Yes, it is TBD by ASWG, and we already agreed that the bindings will be
reviewed by ASWG which proposed by Al. the URL will be ready when next
version of ACPI spec is released.

>
>> +so that they may be used on any operating system supporting ACPI.  Device
>> +properties that have not been registered with the UEFI Forum should not be
>> +used.
>
> Blech.  I guess it's necessary, but the information needs to be documented here.
>
>> +Drivers should look for device properties in the _DSD object ONLY; the _DSD
>> +object is described in the ACPI specification section 6.2.5, but more
>> +specifically, use the _DSD Device Properties UUID:
>> +
>> +   -- UUID: daffd814-6eba-4d8c-8a91-bc9bbf4aa301
>> +
>> +   -- http://www.uefi.org/sites/default/files/resources/_DSD-device-properties-UUID.pdf)
>
> Extra ) here.

Good catch :)

>
>> +The kernel has an interface for looking up device properties in a manner
>> +independent of whether DT or ACPI is being used and that interface should
>> +be used; it can eliminate some duplication of code paths in driver probing
>> +functions and discourage divergence between DT bindings and ACPI device
>> +properties.
>
> How about a pointer to the documentation for this method?

This is a patch set posted by Rafael and goes into 3.19:
https://lkml.org/lkml/2014/10/21/762

No documentation as far as I know.

>
>> +Such code in _PS? methods will of course be very platform specific.  But,
>
> I would use _PSx instead of _PS? here.

I will update it.

>
>> +this allows the driver to abstract out the interface for operating the device
>> +and avoid having to read special non-standard values from ACPI tables. Further,
>> +abstracting the use of these resources allows the hardware to change over time
>> +without requiring updates to the driver.
>> +
>> +
>> +Clocks
>> +------
>> +ACPI makes the assumption that clocks are initialized by the firmware --
>> +UEFI, in this case -- to some working value before control is handed over
>> +to the kernel.  This has implications for devices such as UARTs, or SoC
>> +driven LCD displays, for example.
>
> SOC-driven should be hyphenated.
>
>> +When the kernel boots, the clock is assumed to be set to reasonable
>
> to A reasonable
>
>> +working value.  If for some reason the frequency needs to change -- e.g.,
>> +throttling for power management -- the device driver should expect that
>> +process to be abstracted out into some ACPI method that can be invoked
>> +(please see the ACPI specification for further recommendations on standard
>> +methods to be expected).  If is not, there is no direct way for ACPI to
>
> If IT is not
>
>> +control the clocks.
>> +
>> +
>> +Driver Recommendations
>> +----------------------
>> +DO NOT remove any DT handling when adding ACPI support for a driver.  The
>> +same device may be used on many different systems.
>> +
>> +DO try to structure the driver so that it is data driven.  That is, set up
>
> data-driven

I will update them.

Thanks a lot for your review!

Hanjun
Catalin Marinas Dec. 24, 2014, 5:18 p.m. UTC | #5
Hi,

Some thoughts before the end of the year. I won't be able to follow up
until around 5th of January though.

On Fri, Oct 17, 2014 at 02:37:14PM +0100, Hanjun Guo wrote:
> --- /dev/null
> +++ b/Documentation/arm64/arm-acpi.txt
> @@ -0,0 +1,323 @@
> +ACPI on ARMv8 Servers
> +---------------------
> +ACPI can be used for ARMv8 general purpose servers designed to follow
> +the ARM SBSA (Server Base System Architecture) specification, currently
> +available to those with an ARM login at http://silver.arm.com.

You should mention SBBR (Server Base Boot Requirements) here as well.
The arm-acpi.txt is complementary to arm-acpi.txt and longer term we
should aim to move parts of the Linux document into the more OS-agonstic
SBBR.

> +The ARMv8 kernel implements the reduced hardware model of ACPI version
> +5.1 and its corresponding errata.

I would say 5.1 or later to avoid updating this document every time we
get a new ACPI release.

> +If an ARMv8 system does not meet the requirements of the SBSA, or cannot
> +be described using the mechanisms defined in the required ACPI specifications,
> +then it is likely that Device Tree (DT) is more suitable than ACPI for the
> +hardware.

Based on some private discussions, I think we could drop some of the
references to DT in this document. It should specify the requirements
for ACPI support and, if not met, the alternative SoC support is
automatically DT for Linux. That's just to make it easier to move parts
of this doc into SBBR.

> +Relationship with Device Tree
> +-----------------------------

This section is fine, Linux specific and it will stay in this document.

> +ACPI support in drivers and subsystems for ARMv8 should never be mutually
> +exclusive with DT support at compile time.
> +
> +At boot time the kernel will only use one description method depending on
> +parameters passed from the bootloader (including kernel bootargs).
> +
> +Regardless of whether DT or ACPI is used, the kernel must always be capable
> +of booting with either scheme (in kernels with both schemes enabled at compile
> +time).
> +
> +When booting using ACPI tables, the /chosen node in DT will still be parsed
> +to extract the kernel command line and initrd path.  No other section of the
> +DT will be used.

I don't think this paragraph is needed. That's a kernel detail when how
the EFI_STUB passes the information to the rest of the kernel. We
mandate UEFI booting for ACPI support, so I wouldn't expect an
ACPI-aware U-Boot.

> +Booting using ACPI tables
> +-------------------------
> +The only defined method for passing ACPI tables to the kernel on ARMv8
> +is via the UEFI system configuration table.
> +
> +Processing of ACPI tables may be disabled by passing acpi=off on the kernel
> +command line; this is the default behavior.  If acpi=force is used, the kernel
> +will ONLY use device configuration information contained in the ACPI tables.

See my comments to Al around the defaults. I think if only ACPI tables
are present, we shouldn't panic the kernel if acpi=force is missing but
continue with ACPI. If both DT and ACPI tables are present, DT will be
the default. You could say "this is the default behaviour if both ACPI
and DT tables are present".

> +Device Enumeration
> +------------------
> +Device descriptions in ACPI should use standard recognized ACPI interfaces.
> +These can contain less information than is typically provided via a Device

s/can/may/ ? Not sure, it just sounds better to me (not a native English
speaker).

> +Tree description for the same device.  This is also one of the reasons that
> +ACPI can be useful -- the driver takes into account that it may have less
> +detailed information about the device and uses sensible defaults instead.
> +If done properly in the driver, the hardware can change and improve over
> +time without the driver having to change at all.
> +
> +Clocks provide an excellent example.  In DT, clocks need to be specified
> +and the drivers need to take them into account.  In ACPI, the assumption
> +is that UEFI will leave the device in a reasonable default state, including
> +any clock settings.  If for some reason the driver needs to change a clock
> +value, this can be done in an ACPI method; all the driver needs to do is
> +invoke the method and not concern itself with what the method needs to do
> +to change the clock.  Changing the hardware can then take place over time
> +by changing what the ACPI method does, and not the driver.
> +
> +ACPI drivers should only look at one specific ASL object -- the _DSD object
> +-- for device driver parameters (known in DT as "bindings", or "Device
> +Properties" in ACPI).  Not all DT bindings will be recognized. 

This last sentence kind of implies that many of the DT bindings will be
recognised. While it is useful to have some commonalities, I think this
gives the wrong message that _DSD is a copy of DT. We should avoid this.

> The UEFI
> +Forum provides a mechanism for registering such bindings [URL TBD by ASWG]

s/bindings/properties/ if we talk in the ACPI context.

> +so that they may be used on any operating system supporting ACPI.  Device
> +properties that have not been registered with the UEFI Forum should not be
> +used.

More about this further down.

> +Drivers should look for device properties in the _DSD object ONLY; the _DSD
> +object is described in the ACPI specification section 6.2.5, but more
> +specifically, use the _DSD Device Properties UUID:
> +
> +   -- UUID: daffd814-6eba-4d8c-8a91-bc9bbf4aa301
> +
> +   -- http://www.uefi.org/sites/default/files/resources/_DSD-device-properties-UUID.pdf)
> +
> +The kernel has an interface for looking up device properties in a manner
> +independent of whether DT or ACPI is being used and that interface should
> +be used;

I haven't followed the _DSD kernel support but does it provide a common
API to be shared with DT? I'm not entirely convinced it's a good idea.

> it can eliminate some duplication of code paths in driver probing
> +functions and discourage divergence between DT bindings and ACPI device
> +properties.

Given the current different mechanism of reviewing/approving bindings
between DT and ACPI (kernel community vs UEFI forum), I don't see how we
encourage convergence (unless we state that _DSD are Linux-only, Windows
should use a different mechanism like .inf files).

> +ACPI tables are described with a formal language called ASL, the ACPI
> +Source Language (section 19 of the specification).  This means that there
> +are always multiple ways to describe the same thing -- including device
> +properties.  For example, device properties could use an ASL construct
> +that looks like this: Name(KEY0, "value0").  An ACPI device driver would
> +then retrieve the value of the property by evaluating the KEY0 object.
> +However, using Name() this way has multiple problems: (1) ACPI limits
> +names ("KEY0") to four characters unlike DT; (2) there is no industry
> +wide registry that maintains a list of names, minimzing re-use; (3)
> +there is also no registry for the definition of property values ("value0"),
> +again making re-use difficult; and (4) how does one maintain backward
> +compatibility as new hardware comes out?  The _DSD method was created
> +to solve precisely these sorts of problems; Linux drivers should ALWAYS
> +use the _DSD method for device properties and nothing else.
> +
> +The _DSM object (ACPI Section 9.14.1) could also be used for conveying
> +device properties to a driver.  Linux drivers should only expect it to
> +be used if _DSD cannot represent the data required, and there is no way
> +to create a new UUID for the _DSD object.  Note that there is even less
> +regulation of the use of _DSM than there is of _DSD.  Drivers that depend
> +on the contents of _DSM objects will be more difficult to maintain over
> +time because of this.
> +
> +The _DSD object is a very flexible mechanism in ACPI, as are the registered
> +Device Properties.  This flexibility allows _DSD to cover more than just the
> +generic server case and care should be taken in device drivers not to expect
> +it to replicate highly specific embedded behaviour from DT.

While this is all good, we need to be more specific on what "embedded
behaviour" means. Maybe not for this document but the UEFI approval
process for new properties doesn't give any hint on what is and is not
sane (and I already disagree with some of the examples on uefi.org).

> +Both DT bindings and ACPI device properties for device drivers have review
> +processes.  Use them.  And, before creating new device properties, check to
> +be sure that they have not been defined before and either registered in the
> +Linux kernel documentation or the UEFI Forum.  If the device drivers supports
> +ACPI and DT, please make sure the device properties are consistent in both
> +places.

In the interest of progress, I think we need to *temporarily* ban the
use of _DSD on ARM platforms aimed at ACPI and state it clearly in this
document. Once we are happy with the UEFI forum review process, we'll
adjust the document accordingly.

My problems with _DSD:

a) no clear guidance on what a good property means, whether it covers
   just device specific information or it may include Linux behaviour
   (like "linux,default-trigger", I don't think it should)
b) the Linux kernel community does not seem to be involved in the UEFI
   forum _DSD review process. This means that we'll be faced with
   patches against drivers to support UEFI-published _DSD properties.
   I want to avoid such arguments, rejecting kernel code is too late
   after _DSD properties have been published

The alternative to _DSD would be to program the hardware to some sane
state. For example, I'm sure a MAC address can be written by firmware to
some register and the driver can read and store it locally (I'm not even
sure why we need MAC address in ACPI tables, this is not really a
property of the hardware but a configuration that could be done in
firmware).

> +Clocks
> +------
> +ACPI makes the assumption that clocks are initialized by the firmware --
> +UEFI, in this case -- to some working value before control is handed over
> +to the kernel.  This has implications for devices such as UARTs, or SoC
> +driven LCD displays, for example.
> +
> +When the kernel boots, the clock is assumed to be set to reasonable
> +working value.  If for some reason the frequency needs to change -- e.g.,
> +throttling for power management -- the device driver should expect that
> +process to be abstracted out into some ACPI method that can be invoked
> +(please see the ACPI specification for further recommendations on standard
> +methods to be expected).  If is not, there is no direct way for ACPI to
> +control the clocks.

I would emphasize that there is no way for _Linux_ to directly control the
clocks on an ACPI-enabled platform.

> +ASWG
> +----
> +The following areas are not yet fully defined for ARM in the 5.1 version
> +of the ACPI specification and are expected to be worked through in the
> +UEFI ACPI Specification Working Group (ASWG):
> +
> +   -- ACPI based CPU topology
> +   -- ACPI based Power management
> +   -- CPU idle control based on PSCI
> +   -- CPU performance control (CPPC)
> +   -- ACPI based SMMU
> +   -- ITS support for GIC in MADT

In addition to the above and _DSD requirements/banning, I would also add
some clear statements around:

_OSC: only global/published capabilities are allowed. For
device-specific _OSC we need a process or maybe we can ban them entirely
and rely on _DSD once we clarify the process.

_OSI: firmware must not check for certain _OSI strings. Here I'm not
sure what we would have to do for ARM Linux. Reporting "Windows" does
not make any sense but not reporting anything can, as Matthew Garrett
pointed out, can be interpreted by firmware as "Linux". In addition to
any statements in this document, I suggest you patch
drivers/acpi/acpica/utosi.c accordingly, maybe report "Linux" for ARM
and print a kernel warning so that we notice earlier.

ACPI_OS_NAME: this is globally defined as "Microsoft Windows NT". It
doesn't make much sense in the ARM context. Could we change it to
"Linux" when CONFIG_ARM64?

Compatibility with older kernels: ACPI firmware must work, even though
not fully optimal, with the earliest kernel version implementing the
targeted ACPI spec. There may be a need for new drivers but otherwise
adding things like CPU power management should not break older kernel
versions. In addition, the ACPI firmware must also work with the latest
kernel version.


I strongly consider that we need to be very strict with the Linux ACPI
firmware and hardware requirements to avoid the need for supporting
non-standard implementations as much as possible. This is, however, a
live document, so we can relax it as we see fit (e.g. _DSD process
clarified).

In the meantime, Merry Christmas ;). I'll follow up in January.
Jon Masters Dec. 24, 2014, 7:33 p.m. UTC | #6
Hi Catalin,

Good feedback. In particular, though we have only one example of _DSD (network parameters because the hardware might be reset post boot and some of it is not sophisticated enough to preserve programmed MAC and parameters such as PHy type that will require reloading, both because drivers might be reprobed or because we might reboot or kexec) it is reasonable not to pull support for that into upstream on a short term basis while some of the process is codified. Generally with _DSD I know nobody is implementing anything else in the medium term and have ensured the vendors concerned have had private conversations to ensure existing _DSD entries in DSDTs out there conform to those proposed and are all self consistent (and are supported in certain other kernels so far). But for now that can suffice until the process is codified to a level everyone is comfortable with - certainly we would not expect growth there in the short term and would absolutely not expect DT entries to be arbi
 trarily carried over.

Also, I agree with the sentiments around codifying into the SBBR. Upstream kernel docs should pertain to Linux, but ideally non OS specifics will live in the SBBR. As one of the original coauthors of the SBBR I know our intention is to grow that document into a more complete platform doc. With that in mind, I will be donating Red Hat's commercial hardware requirements (shared with vendors in separate discussions) as input into that process in 2015.

Jon.
Mark Brown Dec. 26, 2014, 1:23 p.m. UTC | #7
On Wed, Dec 24, 2014 at 05:18:15PM +0000, Catalin Marinas wrote:
> On Fri, Oct 17, 2014 at 02:37:14PM +0100, Hanjun Guo wrote:

> > +ACPI drivers should only look at one specific ASL object -- the _DSD object
> > +-- for device driver parameters (known in DT as "bindings", or "Device
> > +Properties" in ACPI).  Not all DT bindings will be recognized. 

> This last sentence kind of implies that many of the DT bindings will be
> recognised. While it is useful to have some commonalities, I think this
> gives the wrong message that _DSD is a copy of DT. We should avoid this.

> > +so that they may be used on any operating system supporting ACPI.  Device
> > +properties that have not been registered with the UEFI Forum should not be
> > +used.

> More about this further down.

Indeed...

> > +Drivers should look for device properties in the _DSD object ONLY; the _DSD
> > +object is described in the ACPI specification section 6.2.5, but more
> > +specifically, use the _DSD Device Properties UUID:

> > +   -- UUID: daffd814-6eba-4d8c-8a91-bc9bbf4aa301

> > +   -- http://www.uefi.org/sites/default/files/resources/_DSD-device-properties-UUID.pdf)

> > +The kernel has an interface for looking up device properties in a manner
> > +independent of whether DT or ACPI is being used and that interface should
> > +be used;

> I haven't followed the _DSD kernel support but does it provide a common
> API to be shared with DT? I'm not entirely convinced it's a good idea.

Yes, it does.  I'm not entirely convinced about that either but it
really meets the goals of some of the users.  Right now I'm seeing
several user communities:

 - x86 server
 - x86 laptop
 - x86 embedded 
 - ARM server

The _DSD/DT abstraction API is intended to meet the needs of the x86
embedded community, they are really only interested in Linux and just
want to be able to pick up Linux drivers that have been developed with
DT in mind and use them with the minimum fuss.  They are, to a good
approximation, not really interested in UEFI and ACPI per se.

> > it can eliminate some duplication of code paths in driver probing
> > +functions and discourage divergence between DT bindings and ACPI device
> > +properties.

> Given the current different mechanism of reviewing/approving bindings
> between DT and ACPI (kernel community vs UEFI forum), I don't see how we

Right now there is no real way of reviewing and approving bindings for
_DSD.

> encourage convergence (unless we state that _DSD are Linux-only, Windows
> should use a different mechanism like .inf files).

No, I don't think we want to encourage that.  It's what's happening
right now for the x86 laptop case and it's making things miserable for
people working with audio, what we end up with on the Linux side is
needing to have per-machine quirk tables which means that Linux has
little chance of working out of the box with unknown hardware.  It's bad
for users and not a lot of fun for developers.  What you're saying is
fine for the x86 embedded people but as soon as we want to run both
Windows and Linux on the same system we want to try to make sure that
the firmware itself describes the hardware.

Note also that there are already some non-_DSD ways of passing platform
data to ACPI devices (you can read at least integer properties easily)
so it's not just _DSD we have to consider here.

> > +The _DSD object is a very flexible mechanism in ACPI, as are the registered
> > +Device Properties.  This flexibility allows _DSD to cover more than just the
> > +generic server case and care should be taken in device drivers not to expect
> > +it to replicate highly specific embedded behaviour from DT.

> While this is all good, we need to be more specific on what "embedded
> behaviour" means. Maybe not for this document but the UEFI approval
> process for new properties doesn't give any hint on what is and is not
> sane (and I already disagree with some of the examples on uefi.org).

Right, though we also don't want the UEFI approval process to set down
standards that are too heavily tied to a specific view for ARM servers
since ARM servers are not the only users.

> My problems with _DSD:

> a) no clear guidance on what a good property means, whether it covers
>    just device specific information or it may include Linux behaviour
>    (like "linux,default-trigger", I don't think it should)

Right, though some people are going to want to do that.

> b) the Linux kernel community does not seem to be involved in the UEFI
>    forum _DSD review process. This means that we'll be faced with
>    patches against drivers to support UEFI-published _DSD properties.
>    I want to avoid such arguments, rejecting kernel code is too late
>    after _DSD properties have been published

I've been very concerned about this and chasing it up myself.  As far as
I have been able to tell there essentially is no UEFI forum _DSD review
process at this point, the brief bits that are there are essentially
placeholders rather than actual practical things which people expect to
be viable long term and were placed there in the interests of getting
the actual stuff that goes into the tables approved.  There was some
indication that there was an intention to have some discussion early
next year about doing it properly.

It'd certainly be good to get wider involvement from the kernel
community in that discussion, right now I'm a bit concerned that the
standardisation isn't going to be terribly effective in reaching
everyone it needs to or relevant to them.

Personally I'm mainly interested in making sure we can ideally
facilitate conversation with the Windows driver people and at worst can
set good practice standards for them which make life easier for Linux
when followed even if there's a degree of reverse engineerinng involved.

> The alternative to _DSD would be to program the hardware to some sane
> state. For example, I'm sure a MAC address can be written by firmware to
> some register and the driver can read and store it locally (I'm not even
> sure why we need MAC address in ACPI tables, this is not really a
> property of the hardware but a configuration that could be done in
> firmware).

On the other hand something like a MAC address is a useful placeholder
for discussion since there's no real debate about the technical aspects
of representing it allowing everyone to focus on the process.

> > +ASWG
> > +----
> > +The following areas are not yet fully defined for ARM in the 5.1 version
> > +of the ACPI specification and are expected to be worked through in the
> > +UEFI ACPI Specification Working Group (ASWG):

> > +   -- ACPI based CPU topology
> > +   -- ACPI based Power management
> > +   -- CPU idle control based on PSCI
> > +   -- CPU performance control (CPPC)
> > +   -- ACPI based SMMU
> > +   -- ITS support for GIC in MADT

> In addition to the above and _DSD requirements/banning, I would also add
> some clear statements around:

I'd not go that far with _DSD, I am unhappy with the current state of
the world but I'm not sure how relevant the process is going to be and
that anything more than a very strong disrecommendation is going to make
sense.

> Compatibility with older kernels: ACPI firmware must work, even though
> not fully optimal, with the earliest kernel version implementing the
> targeted ACPI spec. There may be a need for new drivers but otherwise
> adding things like CPU power management should not break older kernel
> versions. In addition, the ACPI firmware must also work with the latest
> kernel version.

The backwards compatibility thing sounds a bit strongly worded - I think
that's something the customers would probably sort out anyway to the
extent it's important.  It's obviously good to recommend that people
keep as much backwards compatibility as they can since if nothing else
it makes it easier for people to use their hardware but it doesn't seem
unreasonable to decide that supporting older kernels (or more to the
point older distro releases) isn't that interesting for whatever reason.

> I strongly consider that we need to be very strict with the Linux ACPI
> firmware and hardware requirements to avoid the need for supporting
> non-standard implementations as much as possible. This is, however, a
> live document, so we can relax it as we see fit (e.g. _DSD process
> clarified).

To the extent that it is specific to ARM server that should be fine,
however when it comes to actually enforcing standards for how the kernel
behaves then that's a different story - there are other communities with
different goals and interests.  This in turn means that there will be
things that actually practically work and that have become an ABI for
another community.  Once that happens I'm not sure it's constructive to
try to enforce not using them on ARM, and if people manage to ship
systems we care about it's game over anyway.

I don't know that it's reasonable to expect people to enforce this from
the kernel side - with my subsystem maintainer hat on I really don't
know that I care if some ACPI thing is being done for the benefit of an
ARM server or if it's being done for the benefit of an x86 embedded box
and I'm actually interested.
Hanjun Guo Dec. 30, 2014, 11:23 a.m. UTC | #8
Hi,

On 2014?12?25? 01:18, Catalin Marinas wrote:
> Hi,
>
> Some thoughts before the end of the year. I won't be able to follow up
> until around 5th of January though.
>
> On Fri, Oct 17, 2014 at 02:37:14PM +0100, Hanjun Guo wrote:
>> --- /dev/null
>> +++ b/Documentation/arm64/arm-acpi.txt
>> @@ -0,0 +1,323 @@
>> +ACPI on ARMv8 Servers
>> +---------------------
>> +ACPI can be used for ARMv8 general purpose servers designed to follow
>> +the ARM SBSA (Server Base System Architecture) specification, currently
>> +available to those with an ARM login at http://silver.arm.com.
>
> You should mention SBBR (Server Base Boot Requirements) here as well.
> The arm-acpi.txt is complementary to arm-acpi.txt and longer term we
> should aim to move parts of the Linux document into the more OS-agonstic
> SBBR.

ok, I will update the doc. and I agree that moving parts of this doc
into SBBR, actually part of the content is coming from SBBR, especially
section "Booting using ACPI tables" (not include the command line part).
please refer to section 4.2 ACPI Tables in SBBR.

>
>> +The ARMv8 kernel implements the reduced hardware model of ACPI version
>> +5.1 and its corresponding errata.
>
> I would say 5.1 or later to avoid updating this document every time we
> get a new ACPI release.

sure, will update it.

>
>> +If an ARMv8 system does not meet the requirements of the SBSA, or cannot
>> +be described using the mechanisms defined in the required ACPI specifications,
>> +then it is likely that Device Tree (DT) is more suitable than ACPI for the
>> +hardware.
>
> Based on some private discussions, I think we could drop some of the
> references to DT in this document. It should specify the requirements
> for ACPI support and, if not met, the alternative SoC support is
> automatically DT for Linux. That's just to make it easier to move parts
> of this doc into SBBR.
>
>> +Relationship with Device Tree
>> +-----------------------------
>
> This section is fine, Linux specific and it will stay in this document.
>
>> +ACPI support in drivers and subsystems for ARMv8 should never be mutually
>> +exclusive with DT support at compile time.
>> +
>> +At boot time the kernel will only use one description method depending on
>> +parameters passed from the bootloader (including kernel bootargs).
>> +
>> +Regardless of whether DT or ACPI is used, the kernel must always be capable
>> +of booting with either scheme (in kernels with both schemes enabled at compile
>> +time).
>> +
>> +When booting using ACPI tables, the /chosen node in DT will still be parsed
>> +to extract the kernel command line and initrd path.  No other section of the
>> +DT will be used.
>
> I don't think this paragraph is needed. That's a kernel detail when how
> the EFI_STUB passes the information to the rest of the kernel. We
> mandate UEFI booting for ACPI support, so I wouldn't expect an
> ACPI-aware U-Boot.

Agree, we can boot kernel ok without passing the dtb to kernel
in the command line if ACPI presents.

>
>> +Booting using ACPI tables
>> +-------------------------
>> +The only defined method for passing ACPI tables to the kernel on ARMv8
>> +is via the UEFI system configuration table.
>> +
>> +Processing of ACPI tables may be disabled by passing acpi=off on the kernel
>> +command line; this is the default behavior.  If acpi=force is used, the kernel
>> +will ONLY use device configuration information contained in the ACPI tables.
>
> See my comments to Al around the defaults. I think if only ACPI tables
> are present, we shouldn't panic the kernel if acpi=force is missing but
> continue with ACPI.

I think we need another patch to implement it, for this patch set,kernel
will panic if no dtb and acpi=off. since passing no DT tables to OS but
acpi=force is missing is a corner case, we can do a follow up patch to
fix that, does it make sense?

> If both DT and ACPI tables are present, DT will be
> the default. You could say "this is the default behaviour if both ACPI
> and DT tables are present".
>
>> +Device Enumeration
>> +------------------
>> +Device descriptions in ACPI should use standard recognized ACPI interfaces.
>> +These can contain less information than is typically provided via a Device
>
> s/can/may/ ? Not sure, it just sounds better to me (not a native English
> speaker).
>
>> +Tree description for the same device.  This is also one of the reasons that
>> +ACPI can be useful -- the driver takes into account that it may have less
>> +detailed information about the device and uses sensible defaults instead.
>> +If done properly in the driver, the hardware can change and improve over
>> +time without the driver having to change at all.
>> +
>> +Clocks provide an excellent example.  In DT, clocks need to be specified
>> +and the drivers need to take them into account.  In ACPI, the assumption
>> +is that UEFI will leave the device in a reasonable default state, including
>> +any clock settings.  If for some reason the driver needs to change a clock
>> +value, this can be done in an ACPI method; all the driver needs to do is
>> +invoke the method and not concern itself with what the method needs to do
>> +to change the clock.  Changing the hardware can then take place over time
>> +by changing what the ACPI method does, and not the driver.
>> +
>> +ACPI drivers should only look at one specific ASL object -- the _DSD object
>> +-- for device driver parameters (known in DT as "bindings", or "Device
>> +Properties" in ACPI).  Not all DT bindings will be recognized.
>
> This last sentence kind of implies that many of the DT bindings will be
> recognised. While it is useful to have some commonalities, I think this
> gives the wrong message that _DSD is a copy of DT. We should avoid this.
>
>> The UEFI
>> +Forum provides a mechanism for registering such bindings [URL TBD by ASWG]
>
> s/bindings/properties/ if we talk in the ACPI context.
>
>> +so that they may be used on any operating system supporting ACPI.  Device
>> +properties that have not been registered with the UEFI Forum should not be
>> +used.
>
> More about this further down.
>
>> +Drivers should look for device properties in the _DSD object ONLY; the _DSD
>> +object is described in the ACPI specification section 6.2.5, but more
>> +specifically, use the _DSD Device Properties UUID:
>> +
>> +   -- UUID: daffd814-6eba-4d8c-8a91-bc9bbf4aa301
>> +
>> +   -- http://www.uefi.org/sites/default/files/resources/_DSD-device-properties-UUID.pdf)
>> +
>> +The kernel has an interface for looking up device properties in a manner
>> +independent of whether DT or ACPI is being used and that interface should
>> +be used;
>
> I haven't followed the _DSD kernel support but does it provide a common
> API to be shared with DT? I'm not entirely convinced it's a good idea.
>
>> it can eliminate some duplication of code paths in driver probing
>> +functions and discourage divergence between DT bindings and ACPI device
>> +properties.
>
> Given the current different mechanism of reviewing/approving bindings
> between DT and ACPI (kernel community vs UEFI forum), I don't see how we
> encourage convergence (unless we state that _DSD are Linux-only, Windows
> should use a different mechanism like .inf files).
>
>> +ACPI tables are described with a formal language called ASL, the ACPI
>> +Source Language (section 19 of the specification).  This means that there
>> +are always multiple ways to describe the same thing -- including device
>> +properties.  For example, device properties could use an ASL construct
>> +that looks like this: Name(KEY0, "value0").  An ACPI device driver would
>> +then retrieve the value of the property by evaluating the KEY0 object.
>> +However, using Name() this way has multiple problems: (1) ACPI limits
>> +names ("KEY0") to four characters unlike DT; (2) there is no industry
>> +wide registry that maintains a list of names, minimzing re-use; (3)
>> +there is also no registry for the definition of property values ("value0"),
>> +again making re-use difficult; and (4) how does one maintain backward
>> +compatibility as new hardware comes out?  The _DSD method was created
>> +to solve precisely these sorts of problems; Linux drivers should ALWAYS
>> +use the _DSD method for device properties and nothing else.
>> +
>> +The _DSM object (ACPI Section 9.14.1) could also be used for conveying
>> +device properties to a driver.  Linux drivers should only expect it to
>> +be used if _DSD cannot represent the data required, and there is no way
>> +to create a new UUID for the _DSD object.  Note that there is even less
>> +regulation of the use of _DSM than there is of _DSD.  Drivers that depend
>> +on the contents of _DSM objects will be more difficult to maintain over
>> +time because of this.
>> +
>> +The _DSD object is a very flexible mechanism in ACPI, as are the registered
>> +Device Properties.  This flexibility allows _DSD to cover more than just the
>> +generic server case and care should be taken in device drivers not to expect
>> +it to replicate highly specific embedded behaviour from DT.
>
> While this is all good, we need to be more specific on what "embedded
> behaviour" means. Maybe not for this document but the UEFI approval
> process for new properties doesn't give any hint on what is and is not
> sane (and I already disagree with some of the examples on uefi.org).
>
>> +Both DT bindings and ACPI device properties for device drivers have review
>> +processes.  Use them.  And, before creating new device properties, check to
>> +be sure that they have not been defined before and either registered in the
>> +Linux kernel documentation or the UEFI Forum.  If the device drivers supports
>> +ACPI and DT, please make sure the device properties are consistent in both
>> +places.
>
> In the interest of progress, I think we need to *temporarily* ban the
> use of _DSD on ARM platforms aimed at ACPI and state it clearly in this
> document. Once we are happy with the UEFI forum review process, we'll
> adjust the document accordingly.
>
> My problems with _DSD:
>
> a) no clear guidance on what a good property means, whether it covers
>     just device specific information or it may include Linux behaviour
>     (like "linux,default-trigger", I don't think it should)
> b) the Linux kernel community does not seem to be involved in the UEFI
>     forum _DSD review process. This means that we'll be faced with
>     patches against drivers to support UEFI-published _DSD properties.
>     I want to avoid such arguments, rejecting kernel code is too late
>     after _DSD properties have been published
>
> The alternative to _DSD would be to program the hardware to some sane
> state. For example, I'm sure a MAC address can be written by firmware to
> some register and the driver can read and store it locally (I'm not even
> sure why we need MAC address in ACPI tables, this is not really a
> property of the hardware but a configuration that could be done in
> firmware).
>
>> +Clocks
>> +------
>> +ACPI makes the assumption that clocks are initialized by the firmware --
>> +UEFI, in this case -- to some working value before control is handed over
>> +to the kernel.  This has implications for devices such as UARTs, or SoC
>> +driven LCD displays, for example.
>> +
>> +When the kernel boots, the clock is assumed to be set to reasonable
>> +working value.  If for some reason the frequency needs to change -- e.g.,
>> +throttling for power management -- the device driver should expect that
>> +process to be abstracted out into some ACPI method that can be invoked
>> +(please see the ACPI specification for further recommendations on standard
>> +methods to be expected).  If is not, there is no direct way for ACPI to
>> +control the clocks.
>
> I would emphasize that there is no way for _Linux_ to directly control the
> clocks on an ACPI-enabled platform.
>
>> +ASWG
>> +----
>> +The following areas are not yet fully defined for ARM in the 5.1 version
>> +of the ACPI specification and are expected to be worked through in the
>> +UEFI ACPI Specification Working Group (ASWG):
>> +
>> +   -- ACPI based CPU topology
>> +   -- ACPI based Power management
>> +   -- CPU idle control based on PSCI
>> +   -- CPU performance control (CPPC)
>> +   -- ACPI based SMMU
>> +   -- ITS support for GIC in MADT
>
> In addition to the above and _DSD requirements/banning, I would also add
> some clear statements around:
>
> _OSC: only global/published capabilities are allowed. For
> device-specific _OSC we need a process or maybe we can ban them entirely
> and rely on _DSD once we clarify the process.
>
> _OSI: firmware must not check for certain _OSI strings. Here I'm not
> sure what we would have to do for ARM Linux. Reporting "Windows" does
> not make any sense but not reporting anything can, as Matthew Garrett
> pointed out, can be interpreted by firmware as "Linux". In addition to
> any statements in this document, I suggest you patch
> drivers/acpi/acpica/utosi.c accordingly, maybe report "Linux" for ARM
> and print a kernel warning so that we notice earlier.
>
> ACPI_OS_NAME: this is globally defined as "Microsoft Windows NT". It
> doesn't make much sense in the ARM context. Could we change it to
> "Linux" when CONFIG_ARM64?
>
> Compatibility with older kernels: ACPI firmware must work, even though
> not fully optimal, with the earliest kernel version implementing the
> targeted ACPI spec. There may be a need for new drivers but otherwise
> adding things like CPU power management should not break older kernel
> versions. In addition, the ACPI firmware must also work with the latest
> kernel version.
>
>
> I strongly consider that we need to be very strict with the Linux ACPI
> firmware and hardware requirements to avoid the need for supporting
> non-standard implementations as much as possible. This is, however, a
> live document, so we can relax it as we see fit (e.g. _DSD process
> clarified).
>
> In the meantime, Merry Christmas ;). I'll follow up in January.

I will send another version of patches based on 3.19-rc2, and I will
address some comments in that patch set, we can continue our discussion
here about doc for ACPI on ARM64.

Thanks
Hanjun
Ashwin Chaugule Dec. 30, 2014, 8:13 p.m. UTC | #9
Hi Hanjun,

Overall the document looks good to us. Some minor clarifications below.

> ---------- Forwarded message ----------
> From: Graeme Gregory <graeme.gregory@linaro.org>
>
> Add documentation for the guidelines of how to use ACPI
> on ARM64.
>
> Signed-off-by: Graeme Gregory <graeme.gregory@linaro.org>
> Signed-off-by: Al Stone <al.stone@linaro.org>
> Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
> ---
>  Documentation/arm64/arm-acpi.txt |  323
> ++++++++++++++++++++++++++++++++++++++
>  1 file changed, 323 insertions(+)
>  create mode 100644 Documentation/arm64/arm-acpi.txt
>

[..]

> +Relationship with Device Tree
> +-----------------------------

[..]

> +When booting using ACPI tables, the /chosen node in DT will still be
> parsed
> +to extract the kernel command line and initrd path.  No other section of
> the
> +DT will be used.

Is this still true?


> +Programmable Power Control Resources
> +------------------------------------
> +Programmable power control resources include such resources as
> voltage/current
> +providers (regulators) and clock sources.
> +
> +The kernel assumes that power control of these resources is represented
> with
> +Power Resource Objects (ACPI section 7.1).  The ACPI core will then
> handle
> +correctly enabling and disabling resources as they are needed.  In order
> to
> +get that to work, ACPI assumes each device has defined D-states and that
> these
> +can be controlled through the optional ACPI methods _PS0, _PS1, _PS2, and
> _PS3;
> +in ACPI, _PS0 is the method to invoke to turn a device full on, and _PS3
> is for
> +turning a device full off.
> +
> +The kernel ACPI code will also assume that the _PS? methods follow the
> normal
> +ACPI rules for such methods:
> +
> +   -- If either _PS0 or _PS3 is implemented, then the other method must
> also
> +      be implemented.
> +
> +   -- If a device requires usage or setup of a power resource when on,
> the ASL
> +      should organize that it is allocated/enabled using the _PS0 method.
> +
> +   -- Resources allocated or enabled in the _PS0 method should be
> disabled
> +      or de-allocated in the _PS3 method.
> +
> +   -- Firmware will leave the resources in a reasonable state before
> handing
> +      over control to the kernel.
> +

We found this section could be improved a bit by explicitly calling out
the options for handling device PM. Platform vendor has two choices.
Resources can be managed in _PSx routine which gets called on entry to Dx.
 Or they can be declared separately as power resources with their own _ON
and _OFF methods.  They are then tied back to D-states for a particular
device via _PRx which specifies which power resources a device needs to be
on while in Dx.  Kernel then tracks number of devices using a power
resource and calls _ON/_OFF as needed.

> +Such code in _PS? methods will of course be very platform specific.  But,
> +this allows the driver to abstract out the interface for operating the
> device
> +and avoid having to read special non-standard values from ACPI tables.
> Further,
> +abstracting the use of these resources allows the hardware to change over
> time
> +without requiring updates to the driver.
> +

I think its been mentioned in the past and you planned to add it here: we
should explicitly state that with ACPI, the kernel clock/vreg framework
are not expected to be used at all.

> +
> +Clocks
> +------
> +ACPI makes the assumption that clocks are initialized by the firmware --
> +UEFI, in this case -- to some working value before control is handed over
> +to the kernel.  This has implications for devices such as UARTs, or SoC
> +driven LCD displays, for example.
> +
> +When the kernel boots, the clock is assumed to be set to reasonable
> +working value.  If for some reason the frequency needs to change -- e.g.,
> +throttling for power management -- the device driver should expect that
> +process to be abstracted out into some ACPI method that can be invoked

Exception to this is CPU clocks where CPPC provides a much richer
interface than just blindly invoking some method.

> +(please see the ACPI specification for further recommendations on
> standard
> +methods to be expected).  If is not, there is no direct way for ACPI to
> +control the clocks.
> +
> +

[..]

> +ASWG
> +----
> +The following areas are not yet fully defined for ARM in the 5.1 version
> +of the ACPI specification and are expected to be worked through in the
> +UEFI ACPI Specification Working Group (ASWG):
> +
> +   -- ACPI based CPU topology
> +   -- ACPI based Power management

Should clarify this to idle management rather than generic power management.

> +   -- CPU idle control based on PSCI
> +   -- CPU performance control (CPPC)

There is no ongoing work on CPPC. Additional enhancements may be explored
in the future, but spec is viable as is.

Regards,
Ashwin

--
Qualcomm Innovation Center, Inc
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

--
Hanjun Guo Dec. 31, 2014, 8:34 a.m. UTC | #10
On 2014?12?31? 04:13, ashwinc@codeaurora.org wrote:
> Hi Hanjun,
>
> Overall the document looks good to us. Some minor clarifications below.
>
>> ---------- Forwarded message ----------
>> From: Graeme Gregory <graeme.gregory@linaro.org>
>>
>> Add documentation for the guidelines of how to use ACPI
>> on ARM64.
>>
>> Signed-off-by: Graeme Gregory <graeme.gregory@linaro.org>
>> Signed-off-by: Al Stone <al.stone@linaro.org>
>> Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
>> ---
>>   Documentation/arm64/arm-acpi.txt |  323
>> ++++++++++++++++++++++++++++++++++++++
>>   1 file changed, 323 insertions(+)
>>   create mode 100644 Documentation/arm64/arm-acpi.txt
>>
>
> [..]
>
>> +Relationship with Device Tree
>> +-----------------------------
>
> [..]
>
>> +When booting using ACPI tables, the /chosen node in DT will still be
>> parsed
>> +to extract the kernel command line and initrd path.  No other section of
>> the
>> +DT will be used.
>
> Is this still true?

No, we can booting the ACPI system in EFI stub without dtb. Catalin
also pointed out this issue, I will remove this paragraph.

>
>
>> +Programmable Power Control Resources
>> +------------------------------------
>> +Programmable power control resources include such resources as
>> voltage/current
>> +providers (regulators) and clock sources.
>> +
>> +The kernel assumes that power control of these resources is represented
>> with
>> +Power Resource Objects (ACPI section 7.1).  The ACPI core will then
>> handle
>> +correctly enabling and disabling resources as they are needed.  In order
>> to
>> +get that to work, ACPI assumes each device has defined D-states and that
>> these
>> +can be controlled through the optional ACPI methods _PS0, _PS1, _PS2, and
>> _PS3;
>> +in ACPI, _PS0 is the method to invoke to turn a device full on, and _PS3
>> is for
>> +turning a device full off.
>> +
>> +The kernel ACPI code will also assume that the _PS? methods follow the
>> normal
>> +ACPI rules for such methods:
>> +
>> +   -- If either _PS0 or _PS3 is implemented, then the other method must
>> also
>> +      be implemented.
>> +
>> +   -- If a device requires usage or setup of a power resource when on,
>> the ASL
>> +      should organize that it is allocated/enabled using the _PS0 method.
>> +
>> +   -- Resources allocated or enabled in the _PS0 method should be
>> disabled
>> +      or de-allocated in the _PS3 method.
>> +
>> +   -- Firmware will leave the resources in a reasonable state before
>> handing
>> +      over control to the kernel.
>> +
>
> We found this section could be improved a bit by explicitly calling out
> the options for handling device PM. Platform vendor has two choices.
> Resources can be managed in _PSx routine which gets called on entry to Dx.
>   Or they can be declared separately as power resources with their own _ON
> and _OFF methods.  They are then tied back to D-states for a particular
> device via _PRx which specifies which power resources a device needs to be
> on while in Dx.  Kernel then tracks number of devices using a power
> resource and calls _ON/_OFF as needed.

Good point, this exactly what ACPI spec says, we need to update this
paragraph a little bit.

>
>> +Such code in _PS? methods will of course be very platform specific.  But,
>> +this allows the driver to abstract out the interface for operating the
>> device
>> +and avoid having to read special non-standard values from ACPI tables.
>> Further,
>> +abstracting the use of these resources allows the hardware to change over
>> time
>> +without requiring updates to the driver.
>> +
>
> I think its been mentioned in the past and you planned to add it here: we
> should explicitly state that with ACPI, the kernel clock/vreg framework
> are not expected to be used at all.
>
>> +
>> +Clocks
>> +------
>> +ACPI makes the assumption that clocks are initialized by the firmware --
>> +UEFI, in this case -- to some working value before control is handed over
>> +to the kernel.  This has implications for devices such as UARTs, or SoC
>> +driven LCD displays, for example.
>> +
>> +When the kernel boots, the clock is assumed to be set to reasonable
>> +working value.  If for some reason the frequency needs to change -- e.g.,
>> +throttling for power management -- the device driver should expect that
>> +process to be abstracted out into some ACPI method that can be invoked
>
> Exception to this is CPU clocks where CPPC provides a much richer
> interface than just blindly invoking some method.
>
>> +(please see the ACPI specification for further recommendations on
>> standard
>> +methods to be expected).  If is not, there is no direct way for ACPI to
>> +control the clocks.
>> +
>> +
>
> [..]
>
>> +ASWG
>> +----
>> +The following areas are not yet fully defined for ARM in the 5.1 version
>> +of the ACPI specification and are expected to be worked through in the
>> +UEFI ACPI Specification Working Group (ASWG):
>> +
>> +   -- ACPI based CPU topology
>> +   -- ACPI based Power management
>
> Should clarify this to idle management rather than generic power management.

and I think it is CPU idle specific here, right?

>
>> +   -- CPU idle control based on PSCI
>> +   -- CPU performance control (CPPC)
>
> There is no ongoing work on CPPC. Additional enhancements may be explored
> in the future, but spec is viable as is.

will remove it.

Thanks for reviewing it!

Hanjun
Ashwin Chaugule Dec. 31, 2014, 3:08 p.m. UTC | #11
On 31 December 2014 at 03:34, Hanjun Guo <hanjun.guo@linaro.org> wrote:
> On 2014å¹´12æ??31æ?¥ 04:13, ashwinc@codeaurora.org wrote:
>> Hi Hanjun,
>>> +ASWG
>>> +----
>>> +The following areas are not yet fully defined for ARM in the 5.1
>>> version
>>> +of the ACPI specification and are expected to be worked through in the
>>> +UEFI ACPI Specification Working Group (ASWG):
>>> +
>>> +   -- ACPI based CPU topology
>>> +   -- ACPI based Power management
>>
>> Should clarify this to idle management rather than generic power
>> management.
>
> and I think it is CPU idle specific here, right?
>

Right.

Thanks,
Ashwin

--
Qualcomm Innovation Center, Inc
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

--
Graeme Gregory Jan. 1, 2015, 8:04 p.m. UTC | #12
On Wed, Dec 31, 2014 at 04:34:46PM +0800, Hanjun Guo wrote:
> On 2014?12?31? 04:13, ashwinc@codeaurora.org wrote:
> >Hi Hanjun,
> >
> >Overall the document looks good to us. Some minor clarifications below.
> >
> >>---------- Forwarded message ----------
> >>From: Graeme Gregory <graeme.gregory@linaro.org>
> >>
> >>Add documentation for the guidelines of how to use ACPI
> >>on ARM64.
> >>
> >>Signed-off-by: Graeme Gregory <graeme.gregory@linaro.org>
> >>Signed-off-by: Al Stone <al.stone@linaro.org>
> >>Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
> >>---
> >>  Documentation/arm64/arm-acpi.txt |  323
> >>++++++++++++++++++++++++++++++++++++++
> >>  1 file changed, 323 insertions(+)
> >>  create mode 100644 Documentation/arm64/arm-acpi.txt
> >>
> >
> >[..]
> >
> >>+Relationship with Device Tree
> >>+-----------------------------
> >
> >[..]
> >
> >>+When booting using ACPI tables, the /chosen node in DT will still be
> >>parsed
> >>+to extract the kernel command line and initrd path.  No other section of
> >>the
> >>+DT will be used.
> >
> >Is this still true?
> 
> No, we can booting the ACPI system in EFI stub without dtb. Catalin
> also pointed out this issue, I will remove this paragraph.
> 

The paragraph is still correct, the /chosen node is always present even
if nothing else is.

Graeme
Hanjun Guo Jan. 2, 2015, 9:28 a.m. UTC | #13
Hi Graeme,

On 2015?01?02? 04:04, Graeme Gregory wrote:
> On Wed, Dec 31, 2014 at 04:34:46PM +0800, Hanjun Guo wrote:
>> On 2014?12?31? 04:13, ashwinc@codeaurora.org wrote:
>>> Hi Hanjun,
>>>
>>> Overall the document looks good to us. Some minor clarifications below.
>>>
>>>> ---------- Forwarded message ----------
>>>> From: Graeme Gregory <graeme.gregory@linaro.org>
>>>>
>>>> Add documentation for the guidelines of how to use ACPI
>>>> on ARM64.
>>>>
>>>> Signed-off-by: Graeme Gregory <graeme.gregory@linaro.org>
>>>> Signed-off-by: Al Stone <al.stone@linaro.org>
>>>> Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
>>>> ---
>>>>   Documentation/arm64/arm-acpi.txt |  323
>>>> ++++++++++++++++++++++++++++++++++++++
>>>>   1 file changed, 323 insertions(+)
>>>>   create mode 100644 Documentation/arm64/arm-acpi.txt
>>>>
>>>
>>> [..]
>>>
>>>> +Relationship with Device Tree
>>>> +-----------------------------
>>>
>>> [..]
>>>
>>>> +When booting using ACPI tables, the /chosen node in DT will still be
>>>> parsed
>>>> +to extract the kernel command line and initrd path.  No other section of
>>>> the
>>>> +DT will be used.
>>>
>>> Is this still true?
>>
>> No, we can booting the ACPI system in EFI stub without dtb. Catalin
>> also pointed out this issue, I will remove this paragraph.
>>
>
> The paragraph is still correct, the /chosen node is always present even
> if nothing else is.

Sorry for the confusing, I mean no dtb needed for the command line if
ACPI tables are available.

efi will create a empty dtb if no dtb found, and add the cmd line into
the new created dtb, I'm just wondering, can we remove the limitation
for passing the cmd line in /chosen node in the future?

Thanks
Hanjun
Catalin Marinas Jan. 2, 2015, 4:47 p.m. UTC | #14
On 2 Jan 2015, at 09:28, Hanjun Guo <hanjun.guo@linaro.org> wrote:
>>> On 2015?01?02? 04:04, Graeme Gregory wrote:
>>>> On Wed, Dec 31, 2014 at 04:34:46PM +0800, Hanjun Guo wrote:
>>>> On 2014?12?31? 04:13, ashwinc@codeaurora.org wrote:
>>>> Hi Hanjun,
>>>> 
>>>> Overall the document looks good to us. Some minor clarifications below.
>>>> 
>>>>> ---------- Forwarded message ----------
>>>>> From: Graeme Gregory <graeme.gregory@linaro.org>
>>>>> 
>>>>> Add documentation for the guidelines of how to use ACPI
>>>>> on ARM64.
>>>>> 
>>>>> Signed-off-by: Graeme Gregory <graeme.gregory@linaro.org>
>>>>> Signed-off-by: Al Stone <al.stone@linaro.org>
>>>>> Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
>>>>> ---
>>>>> Documentation/arm64/arm-acpi.txt |  323
>>>>> ++++++++++++++++++++++++++++++++++++++
>>>>> 1 file changed, 323 insertions(+)
>>>>> create mode 100644 Documentation/arm64/arm-acpi.txt
>>>> 
>>>> [..]
>>>> 
>>>>> +Relationship with Device Tree
>>>>> +-----------------------------
>>>> 
>>>> [..]
>>>> 
>>>>> +When booting using ACPI tables, the /chosen node in DT will still be
>>>>> parsed
>>>>> +to extract the kernel command line and initrd path.  No other section of
>>>>> the
>>>>> +DT will be used.
>>>> 
>>>> Is this still true?
>>> 
>>> No, we can booting the ACPI system in EFI stub without dtb. Catalin
>>> also pointed out this issue, I will remove this paragraph.
>> 
>> The paragraph is still correct, the /chosen node is always present even
>> if nothing else is.
> 
> Sorry for the confusing, I mean no dtb needed for the command line if
> ACPI tables are available.
> 
> efi will create a empty dtb if no dtb found, and add the cmd line into
> the new created dtb, I'm just wondering, can we remove the limitation
> for passing the cmd line in /chosen node in the future?

My point is that on an ACPI based system, we don't really care how EFI_STUB passes
the command line to the rest of the kernel. Since UEFI doesn't need to know about
such detail and since ACPI is only supported with EFI_STUB, we don't need to mention
the chosen node in this document. 

At some point we may even change the way EFI_STUB passes the command line to the 
kernel but this is still irrelevant to ACPI. 

Catalin
Hanjun Guo Jan. 4, 2015, 9:39 a.m. UTC | #15
On 2014?12?25? 01:18, Catalin Marinas wrote:
[...]
>
> In addition to the above and _DSD requirements/banning, I would also add
> some clear statements around:
>
> _OSC: only global/published capabilities are allowed. For
> device-specific _OSC we need a process or maybe we can ban them entirely
> and rely on _DSD once we clarify the process.
>
> _OSI: firmware must not check for certain _OSI strings. Here I'm not
> sure what we would have to do for ARM Linux. Reporting "Windows" does
> not make any sense but not reporting anything can, as Matthew Garrett
> pointed out, can be interpreted by firmware as "Linux". In addition to
> any statements in this document, I suggest you patch
> drivers/acpi/acpica/utosi.c accordingly, maybe report "Linux" for ARM
> and print a kernel warning so that we notice earlier.
>
> ACPI_OS_NAME: this is globally defined as "Microsoft Windows NT". It
> doesn't make much sense in the ARM context. Could we change it to
> "Linux" when CONFIG_ARM64?

We will work on this both on ASWG and linux ACPI driver side, as Dong
and Charles pointed out, _OSI things can be solved in ACPI spec, when
that is done, we can modify the kernel driver to fix the problems above.

>
> Compatibility with older kernels: ACPI firmware must work, even though
> not fully optimal, with the earliest kernel version implementing the
> targeted ACPI spec. There may be a need for new drivers but otherwise
> adding things like CPU power management should not break older kernel
> versions. In addition, the ACPI firmware must also work with the latest
> kernel version.

It should be, and I think that's why we need ACPI (or DT) here :)

Thanks
Hanjun
Catalin Marinas Jan. 5, 2015, 11:05 a.m. UTC | #16
On Sun, Jan 04, 2015 at 09:39:24AM +0000, Hanjun Guo wrote:
> On 2014?12?25? 01:18, Catalin Marinas wrote:
> [...]
> >
> > In addition to the above and _DSD requirements/banning, I would also add
> > some clear statements around:
> >
> > _OSC: only global/published capabilities are allowed. For
> > device-specific _OSC we need a process or maybe we can ban them entirely
> > and rely on _DSD once we clarify the process.
> >
> > _OSI: firmware must not check for certain _OSI strings. Here I'm not
> > sure what we would have to do for ARM Linux. Reporting "Windows" does
> > not make any sense but not reporting anything can, as Matthew Garrett
> > pointed out, can be interpreted by firmware as "Linux". In addition to
> > any statements in this document, I suggest you patch
> > drivers/acpi/acpica/utosi.c accordingly, maybe report "Linux" for ARM
> > and print a kernel warning so that we notice earlier.
> >
> > ACPI_OS_NAME: this is globally defined as "Microsoft Windows NT". It
> > doesn't make much sense in the ARM context. Could we change it to
> > "Linux" when CONFIG_ARM64?
> 
> We will work on this both on ASWG and linux ACPI driver side, as Dong
> and Charles pointed out, _OSI things can be solved in ACPI spec, when
> that is done, we can modify the kernel driver to fix the problems above.

Which driver?

What about ACPI_OS_NAME? Would you suggest it is fine to report
"Microsoft Windows NT" on an ARM system? That _OS_ not _OSI.
Catalin Marinas Jan. 5, 2015, 1:13 p.m. UTC | #17
On Tue, Dec 30, 2014 at 11:23:14AM +0000, Hanjun Guo wrote:
> On 2014?12?25? 01:18, Catalin Marinas wrote:
> > On Fri, Oct 17, 2014 at 02:37:14PM +0100, Hanjun Guo wrote:
> >> +Booting using ACPI tables
> >> +-------------------------
> >> +The only defined method for passing ACPI tables to the kernel on ARMv8
> >> +is via the UEFI system configuration table.
> >> +
> >> +Processing of ACPI tables may be disabled by passing acpi=off on the kernel
> >> +command line; this is the default behavior.  If acpi=force is used, the kernel
> >> +will ONLY use device configuration information contained in the ACPI tables.
> >
> > See my comments to Al around the defaults. I think if only ACPI tables
> > are present, we shouldn't panic the kernel if acpi=force is missing but
> > continue with ACPI.
> 
> I think we need another patch to implement it, for this patch set,kernel
> will panic if no dtb and acpi=off.

If no dtb and acpi=off on the kernel command line, I agree that the
kernel should panic as it doesn't have any way to get the platform
description.

> since passing no DT tables to OS but
> acpi=force is missing is a corner case, we can do a follow up patch to
> fix that, does it make sense?

Not entirely. Why would no dtb and no acpi=force be a corner case? I
thought this should be the default when only ACPI tables are passed, no
need for an additional acpi=force argument.
Arnd Bergmann Jan. 5, 2015, 8:16 p.m. UTC | #18
On Monday 05 January 2015 13:13:02 Catalin Marinas wrote:
> 
> > since passing no DT tables to OS but
> > acpi=force is missing is a corner case, we can do a follow up patch to
> > fix that, does it make sense?
> 
> Not entirely. Why would no dtb and no acpi=force be a corner case? I
> thought this should be the default when only ACPI tables are passed, no
> need for an additional acpi=force argument.

We don't really support the case of only ACPI tables for now. The expectation
is that you always have working DT support, at least for the next few years
as ACPI features are ramping up, and without acpi=force it should not try
to use ACPI at all.

	Arnd
Catalin Marinas Jan. 6, 2015, 11:20 a.m. UTC | #19
On Mon, Jan 05, 2015 at 08:16:30PM +0000, Arnd Bergmann wrote:
> On Monday 05 January 2015 13:13:02 Catalin Marinas wrote:
> > > since passing no DT tables to OS but
> > > acpi=force is missing is a corner case, we can do a follow up patch to
> > > fix that, does it make sense?
> > 
> > Not entirely. Why would no dtb and no acpi=force be a corner case? I
> > thought this should be the default when only ACPI tables are passed, no
> > need for an additional acpi=force argument.
> 
> We don't really support the case of only ACPI tables for now. The expectation
> is that you always have working DT support, at least for the next few years
> as ACPI features are ramping up, and without acpi=force it should not try
> to use ACPI at all.

So if both DT and ACPI are present, just use DT unless acpi=force is
passed. So far I think we agree but what I want to avoid is always
mandating acpi=force even when the DT tables are missing (in the long
run).

Now, what's preventing a vendor firmware from providing only ACPI
tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
that both DT and ACPI are supported, or at least that dts files are
merged in the kernel first?
Graeme Gregory Jan. 6, 2015, 1:51 p.m. UTC | #20
On 6 January 2015 at 11:20, Catalin Marinas <catalin.marinas@arm.com> wrote:
> On Mon, Jan 05, 2015 at 08:16:30PM +0000, Arnd Bergmann wrote:
>> On Monday 05 January 2015 13:13:02 Catalin Marinas wrote:
>> > > since passing no DT tables to OS but
>> > > acpi=force is missing is a corner case, we can do a follow up patch to
>> > > fix that, does it make sense?
>> >
>> > Not entirely. Why would no dtb and no acpi=force be a corner case? I
>> > thought this should be the default when only ACPI tables are passed, no
>> > need for an additional acpi=force argument.
>>
>> We don't really support the case of only ACPI tables for now. The expectation
>> is that you always have working DT support, at least for the next few years
>> as ACPI features are ramping up, and without acpi=force it should not try
>> to use ACPI at all.
>
> So if both DT and ACPI are present, just use DT unless acpi=force is
> passed. So far I think we agree but what I want to avoid is always
> mandating acpi=force even when the DT tables are missing (in the long
> run).
>
> Now, what's preventing a vendor firmware from providing only ACPI
> tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
> that both DT and ACPI are supported, or at least that dts files are
> merged in the kernel first?
>
How do we tell the difference between a DT passed purely for booting purposes
ie a skeleton DT. And one which actually has hardware description as this needs
to be done before unpacking the DT.

Graeme
Arnd Bergmann Jan. 6, 2015, 1:59 p.m. UTC | #21
On Tuesday 06 January 2015 11:20:01 Catalin Marinas wrote:
> On Mon, Jan 05, 2015 at 08:16:30PM +0000, Arnd Bergmann wrote:
> > On Monday 05 January 2015 13:13:02 Catalin Marinas wrote:
> > > > since passing no DT tables to OS but
> > > > acpi=force is missing is a corner case, we can do a follow up patch to
> > > > fix that, does it make sense?
> > > 
> > > Not entirely. Why would no dtb and no acpi=force be a corner case? I
> > > thought this should be the default when only ACPI tables are passed, no
> > > need for an additional acpi=force argument.
> > 
> > We don't really support the case of only ACPI tables for now. The expectation
> > is that you always have working DT support, at least for the next few years
> > as ACPI features are ramping up, and without acpi=force it should not try
> > to use ACPI at all.
> 
> So if both DT and ACPI are present, just use DT unless acpi=force is
> passed. So far I think we agree but what I want to avoid is always
> mandating acpi=force even when the DT tables are missing (in the long
> run).
> 
> Now, what's preventing a vendor firmware from providing only ACPI
> tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
> that both DT and ACPI are supported, or at least that dts files are
> merged in the kernel first?

We have no way of enforcing what a board vendor ships, so if they want
to have ACPI-only machines for MS Windows, they just won't work by
default on Linux. Once ACPI support is mature enough, we can also
have a whitelist or a different default for using it automatically
when no DT is present.

For drivers merged upstream, I would insist that every driver merged
for an ARM64 platform has a documented DT binding that is used in the
driver.

	Arnd
Catalin Marinas Jan. 6, 2015, 2:03 p.m. UTC | #22
On Tue, Jan 06, 2015 at 01:51:27PM +0000, G Gregory wrote:
> On 6 January 2015 at 11:20, Catalin Marinas <catalin.marinas@arm.com> wrote:
> > On Mon, Jan 05, 2015 at 08:16:30PM +0000, Arnd Bergmann wrote:
> >> On Monday 05 January 2015 13:13:02 Catalin Marinas wrote:
> >> > > since passing no DT tables to OS but
> >> > > acpi=force is missing is a corner case, we can do a follow up patch to
> >> > > fix that, does it make sense?
> >> >
> >> > Not entirely. Why would no dtb and no acpi=force be a corner case? I
> >> > thought this should be the default when only ACPI tables are passed, no
> >> > need for an additional acpi=force argument.
> >>
> >> We don't really support the case of only ACPI tables for now. The expectation
> >> is that you always have working DT support, at least for the next few years
> >> as ACPI features are ramping up, and without acpi=force it should not try
> >> to use ACPI at all.
> >
> > So if both DT and ACPI are present, just use DT unless acpi=force is
> > passed. So far I think we agree but what I want to avoid is always
> > mandating acpi=force even when the DT tables are missing (in the long
> > run).
> >
> > Now, what's preventing a vendor firmware from providing only ACPI
> > tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
> > that both DT and ACPI are supported, or at least that dts files are
> > merged in the kernel first?
>
> How do we tell the difference between a DT passed purely for booting purposes
> ie a skeleton DT. And one which actually has hardware description as this needs
> to be done before unpacking the DT.

You do the check in EFI_STUB (part of the kernel). An ACPI-only firmware
should never pass a DT to the kernel, not even for booting purposes
(EFI_STUB builds one on the fly to pass parameters to the kernel but
that's purely an internal kernel decision).

There are other ways as well, but if we decide to enforce this, I think
EFI_STUB is the best option.
Catalin Marinas Jan. 6, 2015, 2:11 p.m. UTC | #23
On Tue, Jan 06, 2015 at 01:59:27PM +0000, Arnd Bergmann wrote:
> On Tuesday 06 January 2015 11:20:01 Catalin Marinas wrote:
> > On Mon, Jan 05, 2015 at 08:16:30PM +0000, Arnd Bergmann wrote:
> > > On Monday 05 January 2015 13:13:02 Catalin Marinas wrote:
> > > > > since passing no DT tables to OS but
> > > > > acpi=force is missing is a corner case, we can do a follow up patch to
> > > > > fix that, does it make sense?
> > > > 
> > > > Not entirely. Why would no dtb and no acpi=force be a corner case? I
> > > > thought this should be the default when only ACPI tables are passed, no
> > > > need for an additional acpi=force argument.
> > > 
> > > We don't really support the case of only ACPI tables for now. The expectation
> > > is that you always have working DT support, at least for the next few years
> > > as ACPI features are ramping up, and without acpi=force it should not try
> > > to use ACPI at all.
> > 
> > So if both DT and ACPI are present, just use DT unless acpi=force is
> > passed. So far I think we agree but what I want to avoid is always
> > mandating acpi=force even when the DT tables are missing (in the long
> > run).
> > 
> > Now, what's preventing a vendor firmware from providing only ACPI
> > tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
> > that both DT and ACPI are supported, or at least that dts files are
> > merged in the kernel first?
> 
> We have no way of enforcing what a board vendor ships, so if they want
> to have ACPI-only machines for MS Windows, they just won't work by
> default on Linux.

What do you mean by "won't work by default on Linux"? Assuming no
additional drivers are needed (i.e. a few devices mentioned in SBSA and
the rest on a PCIe bus, using existing drivers without further
modifications), do you still want mainline to fail to boot on such
ACPI-only systems?

> Once ACPI support is mature enough, we can also have a whitelist or a
> different default for using it automatically when no DT is present.

Having a white-list requires some for of SoC identification. Does ACPI
provide such thing (like "model" or "compatible" strings in the top DT
node)?

> For drivers merged upstream, I would insist that every driver merged
> for an ARM64 platform has a documented DT binding that is used in the
> driver.

That's fine by me. I just hope that for hardware aimed at ACPI we won't
need many non-PCIe drivers.
Jon Masters Jan. 6, 2015, 4:24 p.m. UTC | #24
On 01/06/2015 06:20 AM, Catalin Marinas wrote:

> Now, what's preventing a vendor firmware from providing only ACPI
> tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
> that both DT and ACPI are supported, or at least that dts files are
> merged in the kernel first?

I know of some (server) firmware that will only provide ACPI in the
medium term, so this is coming.

Jon.
Arnd Bergmann Jan. 6, 2015, 7:21 p.m. UTC | #25
On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
> On 01/06/2015 06:20 AM, Catalin Marinas wrote:
> 
> > Now, what's preventing a vendor firmware from providing only ACPI
> > tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
> > that both DT and ACPI are supported, or at least that dts files are
> > merged in the kernel first?
> 
> I know of some (server) firmware that will only provide ACPI in the
> medium term, so this is coming.

Medium term is fine, as long as they are not expecting their hardware
to be supported by Linux before ACPI support is stable enough for
general consumption. I have no idea how long that will take, but my
guess is that we shouldn't plan on supporting ACPI-only platforms in
Linux for the next couple of years and just demand that all drivers
have DT support to let users add a valid DTB that can describe the
hardware.

That should always be possible using something like grub2 as an
intermediate that boots using the UEFI interfaces and loads the
kernel and DT from disk.

	Arnd
Arnd Bergmann Jan. 6, 2015, 7:30 p.m. UTC | #26
On Tuesday 06 January 2015 14:11:33 Catalin Marinas wrote:
> On Tue, Jan 06, 2015 at 01:59:27PM +0000, Arnd Bergmann wrote:
> > On Tuesday 06 January 2015 11:20:01 Catalin Marinas wrote:
> > > On Mon, Jan 05, 2015 at 08:16:30PM +0000, Arnd Bergmann wrote:
> > > > On Monday 05 January 2015 13:13:02 Catalin Marinas wrote:
> > > > > > since passing no DT tables to OS but
> > > > > > acpi=force is missing is a corner case, we can do a follow up patch to
> > > > > > fix that, does it make sense?
> > > > > 
> > > > > Not entirely. Why would no dtb and no acpi=force be a corner case? I
> > > > > thought this should be the default when only ACPI tables are passed, no
> > > > > need for an additional acpi=force argument.
> > > > 
> > > > We don't really support the case of only ACPI tables for now. The expectation
> > > > is that you always have working DT support, at least for the next few years
> > > > as ACPI features are ramping up, and without acpi=force it should not try
> > > > to use ACPI at all.
> > > 
> > > So if both DT and ACPI are present, just use DT unless acpi=force is
> > > passed. So far I think we agree but what I want to avoid is always
> > > mandating acpi=force even when the DT tables are missing (in the long
> > > run).
> > > 
> > > Now, what's preventing a vendor firmware from providing only ACPI
> > > tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
> > > that both DT and ACPI are supported, or at least that dts files are
> > > merged in the kernel first?
> > 
> > We have no way of enforcing what a board vendor ships, so if they want
> > to have ACPI-only machines for MS Windows, they just won't work by
> > default on Linux.
> 
> What do you mean by "won't work by default on Linux"? Assuming no
> additional drivers are needed (i.e. a few devices mentioned in SBSA and
> the rest on a PCIe bus, using existing drivers without further
> modifications), do you still want mainline to fail to boot on such
> ACPI-only systems?

I mean it won't work without acpi=force on the command line.

> > Once ACPI support is mature enough, we can also have a whitelist or a
> > different default for using it automatically when no DT is present.
> 
> Having a white-list requires some for of SoC identification. Does ACPI
> provide such thing (like "model" or "compatible" strings in the top DT
> node)?

This is independent of the SoC: All SoCs we support have DT drivers, so
machines like this would be board whose vendor doesn't care about Linux,
but happens to use a SoC that we support. What we would need here is
a whitelist of boards.

> > For drivers merged upstream, I would insist that every driver merged
> > for an ARM64 platform has a documented DT binding that is used in the
> > driver.
> 
> That's fine by me. I just hope that for hardware aimed at ACPI we won't
> need many non-PCIe drivers.

Yes, that is a reasonable assumption. Looking at the AMD patches that
were posted already, there are however a few devices that are not on
the PCI bus:

- pl011 uart
- pl022 spi
- pl061 gpio
- pl330 dma
- designware i2c
- custom 10gbit ethernet
- probably some I forgot

Most of these will likely just not be needed on servers (pl330) or
handled by AML (spi, i2c, gpio) transparently without needing a
driver, but we do need to support the ethernet port and the uart.
I expect that other SoCs come with different ethernet implementations
that are also not discoverable through PCI.

	Arnd
Jon Masters Jan. 6, 2015, 10:06 p.m. UTC | #27
Hi Arnd,

Happy New Year!

On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
> On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
>> On 01/06/2015 06:20 AM, Catalin Marinas wrote:
>>
>>> Now, what's preventing a vendor firmware from providing only ACPI
>>> tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
>>> that both DT and ACPI are supported, or at least that dts files are
>>> merged in the kernel first?
>>
>> I know of some (server) firmware that will only provide ACPI in the
>> medium term, so this is coming.
> 
> Medium term is fine, as long as they are not expecting their hardware
> to be supported by Linux before ACPI support is stable enough for
> general consumption.

To be clear, I think that's reasonable for upstream. I may love ACPI,
but vendors can always ship kernels with a config supporting ACPI only
platforms in the interim period if they have a commercial justification
and that doesn't have to be supported in terms of the upstream default.

But, perhaps there's a way to have it both ways, you could consider also
a CONFIG_EXPERT option that would allow you to build a kernel with ACPI
only support in the medium term. That way, if someone is running a
vendor kernel, but wants to track upstream development more closely,
they can do so on such hardware by enabling the expert config bit.

> I have no idea how long that will take, but my
> guess is that we shouldn't plan on supporting ACPI-only platforms in
> Linux for the next couple of years and just demand that all drivers
> have DT support to let users add a valid DTB that can describe the
> hardware.

I'm not opposed. It was particularly useful in the early days of ACPI to
be able to boot our internal systems (which now all default to ACPI on
by default) with acpi=off when there were glitches that needed to be
isolated to whether they were ACPI related. One reason I was very keen
for a DT UUID in UEFI early on was so that there was a clean way to
specify both sets of tables on a UEFI platform. Keeping them in sync is
not something we can rely on in the longer term, but during bringup
timeframe I suspect you'll continue to see many platforms with both sets
of tables. This is especially true for early silicon that might be
supporting both embedded and server environments - hence a platform that
appears to be a server might have a DT posted upstream anyway if such a
platform is also being used for unrelated embedded work.

> That should always be possible using something like grub2 as an
> intermediate that boots using the UEFI interfaces and loads the
> kernel and DT from disk.

This is another reason (but it's up to you, I understand your position)
why it may not be a huge problem if there are ACPI only systems, since
the "devicetree" directive in GRUB2 configs is always possible.

Jon.
Jon Masters Jan. 7, 2015, 4:55 a.m. UTC | #28
On 01/06/2015 05:06 PM, Jon Masters wrote:
> Hi Arnd,
> 
> Happy New Year!
> 
> On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
>> On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
>>> On 01/06/2015 06:20 AM, Catalin Marinas wrote:
>>>
>>>> Now, what's preventing a vendor firmware from providing only ACPI
>>>> tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
>>>> that both DT and ACPI are supported, or at least that dts files are
>>>> merged in the kernel first?
>>>
>>> I know of some (server) firmware that will only provide ACPI in the
>>> medium term, so this is coming.
>>
>> Medium term is fine, as long as they are not expecting their hardware
>> to be supported by Linux before ACPI support is stable enough for
>> general consumption.
> 
> To be clear, I think that's reasonable for upstream. I may love ACPI,
> but vendors can always ship kernels with a config supporting ACPI only
> platforms in the interim period if they have a commercial justification
> and that doesn't have to be supported in terms of the upstream default.
> 
> But, perhaps there's a way to have it both ways, you could consider also
> a CONFIG_EXPERT option that would allow you to build a kernel with ACPI
> only support in the medium term. That way, if someone is running a
> vendor kernel, but wants to track upstream development more closely,
> they can do so on such hardware by enabling the expert config bit.

Clarification: I'm suggesting that in the medium term the dependency
upon CONFIG_EXPERT either goes away or is replaced with requiring ACPI
and DTB in the non "expert" case and requiring "expert" selected to
allow a kernel that will boot with ACPI only. But only a suggestion.

Jon.
Arnd Bergmann Jan. 7, 2015, 10:36 a.m. UTC | #29
On Tuesday 06 January 2015 23:55:58 Jon Masters wrote:
> On 01/06/2015 05:06 PM, Jon Masters wrote:
> > Hi Arnd,
> > 
> > Happy New Year!
> > 
> > On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
> >> On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
> >>> On 01/06/2015 06:20 AM, Catalin Marinas wrote:
> >>>
> >>>> Now, what's preventing a vendor firmware from providing only ACPI
> >>>> tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
> >>>> that both DT and ACPI are supported, or at least that dts files are
> >>>> merged in the kernel first?
> >>>
> >>> I know of some (server) firmware that will only provide ACPI in the
> >>> medium term, so this is coming.
> >>
> >> Medium term is fine, as long as they are not expecting their hardware
> >> to be supported by Linux before ACPI support is stable enough for
> >> general consumption.
> > 
> > To be clear, I think that's reasonable for upstream. I may love ACPI,
> > but vendors can always ship kernels with a config supporting ACPI only
> > platforms in the interim period if they have a commercial justification
> > and that doesn't have to be supported in terms of the upstream default.

I would hope that none of the ACPI-only machines are meant to run Linux
as a primary operating system, that would be very sad.

Vendors that are interested in Linux support should instead work on getting
their hardware supported upstream so they don't need a private kernel to
match their private firmware.

> > But, perhaps there's a way to have it both ways, you could consider also
> > a CONFIG_EXPERT option that would allow you to build a kernel with ACPI
> > only support in the medium term. That way, if someone is running a
> > vendor kernel, but wants to track upstream development more closely,
> > they can do so on such hardware by enabling the expert config bit.

I don't see how this helps. The main point of requiring users to add
the option is to ensure that everyone understands the support is
experimental and not guaranteed to work across firmware releases or
kernel versions, until we have stopped making incompatible changes.

If someone is tracking the upstream kernel, they should know that they
have to get working DT support in first, and test both ways with the
same kernel anyway.

> Clarification: I'm suggesting that in the medium term the dependency
> upon CONFIG_EXPERT either goes away or is replaced with requiring ACPI
> and DTB in the non "expert" case

Sure, no debate on that.

> and requiring "expert" selected to allow a kernel that will boot with
> ACPI only. But only a suggestion.

This is a separate issue. I personally think we shouldn't bother with
this, as such a configuration would just break a lot of assumptions
we make today and removes hardware support, but it's something we
can discuss after we get to the point of having ACPI enabled by default.

	Arnd
Catalin Marinas Jan. 7, 2015, 11:50 a.m. UTC | #30
On Wed, Jan 07, 2015 at 10:36:13AM +0000, Arnd Bergmann wrote:
> On Tuesday 06 January 2015 23:55:58 Jon Masters wrote:
> > On 01/06/2015 05:06 PM, Jon Masters wrote:
> > > On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
> > >> On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
> > >>> On 01/06/2015 06:20 AM, Catalin Marinas wrote:
> > >>>
> > >>>> Now, what's preventing a vendor firmware from providing only ACPI
> > >>>> tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
> > >>>> that both DT and ACPI are supported, or at least that dts files are
> > >>>> merged in the kernel first?
> > >>>
> > >>> I know of some (server) firmware that will only provide ACPI in the
> > >>> medium term, so this is coming.
> > >>
> > >> Medium term is fine, as long as they are not expecting their hardware
> > >> to be supported by Linux before ACPI support is stable enough for
> > >> general consumption.
> > > 
> > > To be clear, I think that's reasonable for upstream. I may love ACPI,
> > > but vendors can always ship kernels with a config supporting ACPI only
> > > platforms in the interim period if they have a commercial justification
> > > and that doesn't have to be supported in terms of the upstream default.
> 
> I would hope that none of the ACPI-only machines are meant to run Linux
> as a primary operating system, that would be very sad.

I keep hearing different stories around this. I think this goes back to
the last point on Al's to-do list, the reason _why_ vendors need ACPI.
As you mentioned some time ago, I would also like to see a summary of
such reasons included in the cover letter for the arm64 ACPI patches. In
the meantime, we can assume that DT is required.

From what I gathered so far, the main reason for _some_ vendors is not
support for "other" OS but actually features that ACPI has and DT
doesn't (like AML; I deliberately ignore statements like "industry
standard"). _If_ such reasons are sound, maybe they have a case for
ACPI-only machines targeted primarily at Linux.

In theory, it may be beneficial to the kernel maintainers as such
ACPI-only machine would potentially require less kernel driver code
compared to DT. For example, no need for pin control, clocks or voltage
regulator drivers as they are handled in AML. Of course, the counter
argument is that it's harder to debug when problems appear but I would
expect on such ACPI-only machines that the hardware vendor is very
active on solving them (I'm more thinking for machines that sit in some
data centre and are actively maintained rather than some board I keep in
my house; for the latter, I definitely prefer DT and full control).

> Vendors that are interested in Linux support should instead work on getting
> their hardware supported upstream so they don't need a private kernel to
> match their private firmware.

I agree, irrespective of whether they target ACPI longer term or not.

As I said yesterday, at some point in the future, ACPI-only SoC support
may not require any new kernel code, just usual PCIe drivers that may
already be there. If we ever get to that stage (it's not a kernel
problem, it's more about SoC standardisation), vendors would be able to
run mainline kernels without additional driver code with a few SoC
differences handled by AML (e.g. clocks). At that point, I don't see any
incentive for them to upstream additional driver code (e.g. clocks) just
to support a DT-only kernel. We are probably still a long way, nothing
to worry about just yet ;).
Arnd Bergmann Jan. 7, 2015, 1:06 p.m. UTC | #31
On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> On Wed, Jan 07, 2015 at 10:36:13AM +0000, Arnd Bergmann wrote:
> > On Tuesday 06 January 2015 23:55:58 Jon Masters wrote:
> > > On 01/06/2015 05:06 PM, Jon Masters wrote:
> > > > On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
> > > >> On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
> > > >>> On 01/06/2015 06:20 AM, Catalin Marinas wrote:
> > > >>>
> > > >>>> Now, what's preventing a vendor firmware from providing only ACPI
> > > >>>> tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
> > > >>>> that both DT and ACPI are supported, or at least that dts files are
> > > >>>> merged in the kernel first?
> > > >>>
> > > >>> I know of some (server) firmware that will only provide ACPI in the
> > > >>> medium term, so this is coming.
> > > >>
> > > >> Medium term is fine, as long as they are not expecting their hardware
> > > >> to be supported by Linux before ACPI support is stable enough for
> > > >> general consumption.
> > > > 
> > > > To be clear, I think that's reasonable for upstream. I may love ACPI,
> > > > but vendors can always ship kernels with a config supporting ACPI only
> > > > platforms in the interim period if they have a commercial justification
> > > > and that doesn't have to be supported in terms of the upstream default.
> > 
> > I would hope that none of the ACPI-only machines are meant to run Linux
> > as a primary operating system, that would be very sad.
> 
> I keep hearing different stories around this. I think this goes back to
> the last point on Al's to-do list, the reason _why_ vendors need ACPI.
> As you mentioned some time ago, I would also like to see a summary of
> such reasons included in the cover letter for the arm64 ACPI patches. In
> the meantime, we can assume that DT is required.

Right, if we can finish the discussion about the reason for having ACPI,
we can skip a lot of pointless back-and-forth on the other issues.

> From what I gathered so far, the main reason for _some_ vendors is not
> support for "other" OS but actually features that ACPI has and DT
> doesn't (like AML; I deliberately ignore statements like "industry
> standard"). _If_ such reasons are sound, maybe they have a case for
> ACPI-only machines targeted primarily at Linux.

What I got from the replies from HP, Huawei and from earlier discussions
with Jon is that they all hope to get to the point of relying on AML
alone to bridge the differences between SoC families. However, I don't
see that happening with the limited hardware compatibility that the
existing SBSA provides:

> In theory, it may be beneficial to the kernel maintainers as such
> ACPI-only machine would potentially require less kernel driver code
> compared to DT. For example, no need for pin control, clocks or voltage
> regulator drivers as they are handled in AML. Of course, the counter
> argument is that it's harder to debug when problems appear but I would
> expect on such ACPI-only machines that the hardware vendor is very
> active on solving them (I'm more thinking for machines that sit in some
> data centre and are actively maintained rather than some board I keep in
> my house; for the latter, I definitely prefer DT and full control).

The main problem here is that can AML only cover part of the problem:
it can talk to a clock controller e.g. over I2C, SPI, GPIO, UART
or IPMI, but you still need a device driver in the kernel to talk to
those, and SBSA doesn't mandate a specific implementation so you can
expect every other SoC that is coming out to have a different one.

Similarly, SBSA is rather vague about some peripherals it mandates,
and if a new SoC has a slightly different AHCI variation, there is
nothing you can do about it in AML.

x86 gets around this problem by having an extreme level of hardware
backwards compatibility, so you don't even need AML for this and
can generally boot a (almost) full-featured Linux kernel with
acpi=off on the command line.

> > Vendors that are interested in Linux support should instead work on getting
> > their hardware supported upstream so they don't need a private kernel to
> > match their private firmware.
> 
> I agree, irrespective of whether they target ACPI longer term or not.
> 
> As I said yesterday, at some point in the future, ACPI-only SoC support
> may not require any new kernel code, just usual PCIe drivers that may
> already be there. If we ever get to that stage (it's not a kernel
> problem, it's more about SoC standardisation), vendors would be able to
> run mainline kernels without additional driver code with a few SoC
> differences handled by AML (e.g. clocks). At that point, I don't see any
> incentive for them to upstream additional driver code (e.g. clocks) just
> to support a DT-only kernel. We are probably still a long way, nothing
> to worry about just yet ;).

Agreed on all points, yes.

	Arnd
Mark Brown Jan. 7, 2015, 5:27 p.m. UTC | #32
On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:

> > From what I gathered so far, the main reason for _some_ vendors is not
> > support for "other" OS but actually features that ACPI has and DT
> > doesn't (like AML; I deliberately ignore statements like "industry
> > standard"). _If_ such reasons are sound, maybe they have a case for
> > ACPI-only machines targeted primarily at Linux.

> What I got from the replies from HP, Huawei and from earlier discussions
> with Jon is that they all hope to get to the point of relying on AML
> alone to bridge the differences between SoC families. However, I don't
> see that happening with the limited hardware compatibility that the
> existing SBSA provides:

I tend to agree with you that it's an overreach to think that this is
going to completely abstract away the differences between SoCs from
different vendors without substantial further standardization work.
However it does seem reasonable to expect that features like AML are
going to be more successful in handling board differences and
incremental revisions of SoCs - things like interactions with system
power controllers for example.  That seems like a useful win in and of
itself, and one that's worth supporting.

> The main problem here is that can AML only cover part of the problem:
> it can talk to a clock controller e.g. over I2C, SPI, GPIO, UART
> or IPMI, but you still need a device driver in the kernel to talk to
> those, and SBSA doesn't mandate a specific implementation so you can
> expect every other SoC that is coming out to have a different one.

> Similarly, SBSA is rather vague about some peripherals it mandates,
> and if a new SoC has a slightly different AHCI variation, there is
> nothing you can do about it in AML.

> x86 gets around this problem by having an extreme level of hardware
> backwards compatibility, so you don't even need AML for this and
> can generally boot a (almost) full-featured Linux kernel with
> acpi=off on the command line.

That level of hardware compatibility does partly come from the need to
run existing software.  I'd expect that similar effects will start to
come into play with ARMv8 ACPI systems if they become successful; people
will do things like ensure compatibility with common IPs that have
existing Linux drivers that distros tend to include as standard.
Jon Masters Jan. 7, 2015, 5:44 p.m. UTC | #33
On 01/07/2015 12:27 PM, Mark Brown wrote:
> On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
>> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> 
>>> From what I gathered so far, the main reason for _some_ vendors is not
>>> support for "other" OS but actually features that ACPI has and DT
>>> doesn't (like AML; I deliberately ignore statements like "industry
>>> standard"). _If_ such reasons are sound, maybe they have a case for
>>> ACPI-only machines targeted primarily at Linux.
> 
>> What I got from the replies from HP, Huawei and from earlier discussions
>> with Jon is that they all hope to get to the point of relying on AML
>> alone to bridge the differences between SoC families.

I'm expecting to need new drivers for SoC IP blocks that are net new,
but generational differences between iterations of the same SoC should
be abstracted behind the firmware (and we are already seeing this with
at least one platform). Platform wise, it's nice to already see e.g.
mmconfig working to handle the specific ways a platform wires PCI.

> I tend to agree with you that it's an overreach to think that this is
> going to completely abstract away the differences between SoCs from
> different vendors without substantial further standardization work.

(which we plan to do - I intend ultimately for us to have an answer to
the Windows Hardware Qualification guides for ARM server systems)

> However it does seem reasonable to expect that features like AML are
> going to be more successful in handling board differences and
> incremental revisions of SoCs - things like interactions with system
> power controllers for example.  That seems like a useful win in and of
> itself, and one that's worth supporting.

Indeed.

>> The main problem here is that can AML only cover part of the problem:
>> it can talk to a clock controller e.g. over I2C, SPI, GPIO, UART
>> or IPMI, but you still need a device driver in the kernel to talk to
>> those, and SBSA doesn't mandate a specific implementation so you can
>> expect every other SoC that is coming out to have a different one.
> 
>> Similarly, SBSA is rather vague about some peripherals it mandates,
>> and if a new SoC has a slightly different AHCI variation, there is
>> nothing you can do about it in AML.
> 
>> x86 gets around this problem by having an extreme level of hardware
>> backwards compatibility, so you don't even need AML for this and
>> can generally boot a (almost) full-featured Linux kernel with
>> acpi=off on the command line.
> 
> That level of hardware compatibility does partly come from the need to
> run existing software.  I'd expect that similar effects will start to
> come into play with ARMv8 ACPI systems if they become successful; people
> will do things like ensure compatibility with common IPs that have
> existing Linux drivers that distros tend to include as standard.

Agreed.

Jon.
Jason Cooper Jan. 7, 2015, 6:41 p.m. UTC | #34
On Wed, Jan 07, 2015 at 05:27:41PM +0000, Mark Brown wrote:
> On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
> > On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> 
> > > From what I gathered so far, the main reason for _some_ vendors is not
> > > support for "other" OS but actually features that ACPI has and DT
> > > doesn't (like AML; I deliberately ignore statements like "industry
> > > standard"). _If_ such reasons are sound, maybe they have a case for
> > > ACPI-only machines targeted primarily at Linux.
> 
> > What I got from the replies from HP, Huawei and from earlier discussions
> > with Jon is that they all hope to get to the point of relying on AML
> > alone to bridge the differences between SoC families. However, I don't
> > see that happening with the limited hardware compatibility that the
> > existing SBSA provides:
> 
> I tend to agree with you that it's an overreach to think that this is
> going to completely abstract away the differences between SoCs from
> different vendors without substantial further standardization work.
> However it does seem reasonable to expect that features like AML are
> going to be more successful in handling board differences and
> incremental revisions of SoCs - things like interactions with system
> power controllers for example.  That seems like a useful win in and of
> itself, and one that's worth supporting.

This piqued my interest, so I did a little research and found the
following to describe AML (second para under "What does this mean?")

  http://community.arm.com/groups/processors/blog/2014/05/01/let-s-talk-acpi-for-servers

iiuc, AML are basically drivers for some low-level functions provided as
binary blobs via the ACPI tables.  How does this work in a trusted boot
scenario?  Can the ACPI tables, and these binary blobs with it, be
updated from userspace?  If so, is there an authentication mechanism
(including for non-secure boot scenarios)?

One of the reasons I've really enjoyed working with ARM platforms and DT
is the absence of this type of 'feature'.  I honestly don't care whether
the kernel gets the board configuration info from DT or ACPI or FOO, as
long as we can avoid the security mistakes of the past:

  http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

"""
... The ANT developers have a clear preference for planting their
malicious code in so-called BIOS, software located on a computer's
motherboard that is the first thing to load when a computer is turned
on.

This has a number of valuable advantages: an infected PC or server
appears to be functioning normally, so the infection remains invisible
to virus protection and other security programs. And even if the hard
drive of an infected computer has been completely erased and a new
operating system is installed, the ANT malware can continue to function
and ensures that new spyware can once again be loaded onto what is
presumed to be a clean computer. ...
"""

I'm not advocating "throw out AML and ACPI with it!", rather I'd like to
see a serious, open, discussion about the security implications of a
convenience feature such as AML.

And wrt the kernel, we should ensure we can always provide a fallback
for users who prefer not to trust the binary blobs.  Which shouldn't be
too difficult as we aren't dependent on AML or similar atm.

thx,

Jason.
Arnd Bergmann Jan. 7, 2015, 7:48 p.m. UTC | #35
On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
> On 01/07/2015 12:27 PM, Mark Brown wrote:
> > On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
> >> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> > 
> >>> From what I gathered so far, the main reason for _some_ vendors is not
> >>> support for "other" OS but actually features that ACPI has and DT
> >>> doesn't (like AML; I deliberately ignore statements like "industry
> >>> standard"). _If_ such reasons are sound, maybe they have a case for
> >>> ACPI-only machines targeted primarily at Linux.
> > 
> >> What I got from the replies from HP, Huawei and from earlier discussions
> >> with Jon is that they all hope to get to the point of relying on AML
> >> alone to bridge the differences between SoC families.
> 
> I'm expecting to need new drivers for SoC IP blocks that are net new,
> but generational differences between iterations of the same SoC should
> be abstracted behind the firmware (and we are already seeing this with
> at least one platform). Platform wise, it's nice to already see e.g.
> mmconfig working to handle the specific ways a platform wires PCI.

Yes, the parts that are mandated by SBSA, like the way that PCI needs
to be done are generally good. Unfortunately a lot of the hardware that
I've seen has a rather lax interpretation of the spec, so just because
something is mandated doesn't mean it's done that way ;-)

In other cases that's actually a good thing. One such example is the
"Principles of ARM Memory Maps" document that tells hardware implementers
to do a rather complex mapping "To support 36-bit x86 PAE compatible operating
systems, such as Linux." but makes life much harder in the process than
any of the random mappings we have seen in the wild.

> > I tend to agree with you that it's an overreach to think that this is
> > going to completely abstract away the differences between SoCs from
> > different vendors without substantial further standardization work.
> 
> (which we plan to do - I intend ultimately for us to have an answer to
> the Windows Hardware Qualification guides for ARM server systems)

Ok, good.

> >> The main problem here is that can AML only cover part of the problem:
> >> it can talk to a clock controller e.g. over I2C, SPI, GPIO, UART
> >> or IPMI, but you still need a device driver in the kernel to talk to
> >> those, and SBSA doesn't mandate a specific implementation so you can
> >> expect every other SoC that is coming out to have a different one.
> > 
> >> Similarly, SBSA is rather vague about some peripherals it mandates,
> >> and if a new SoC has a slightly different AHCI variation, there is
> >> nothing you can do about it in AML.
> > 
> >> x86 gets around this problem by having an extreme level of hardware
> >> backwards compatibility, so you don't even need AML for this and
> >> can generally boot a (almost) full-featured Linux kernel with
> >> acpi=off on the command line.
> > 
> > That level of hardware compatibility does partly come from the need to
> > run existing software.  I'd expect that similar effects will start to
> > come into play with ARMv8 ACPI systems if they become successful; people
> > will do things like ensure compatibility with common IPs that have
> > existing Linux drivers that distros tend to include as standard.
> 
> Agreed.

There are two problems I see in trying to do the same thing on ARM:

* we don't have a single vendor that makes de-facto standards that
  everyone else has to copy in the way that the few remaining x86
  vendors copy everything that Intel does. In fact, we prefer to
  have a large number of independent vendors.

* There is a general mindset about deprecating unwanted features
  early. ARMv8 aarch32 bit mode removes support for older instructions
  or makes them optional. Even the virtualization mode doesn't allow
  to trap on architecture version specific differences, so you can't
  completely emulate an older architecture level.
  This is nice for implementers but not so much for users that rely
  on old (mis-)features. It's also not just the CPU core, other
  components also get easily replaced, like a GICv3 that is not
  a strict superset of GICv2.

	Arnd
Jon Masters Jan. 7, 2015, 7:58 p.m. UTC | #36
On 01/07/2015 01:41 PM, Jason Cooper wrote:
> On Wed, Jan 07, 2015 at 05:27:41PM +0000, Mark Brown wrote:
>> On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
>>> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
>>
>>>> From what I gathered so far, the main reason for _some_ vendors is not
>>>> support for "other" OS but actually features that ACPI has and DT
>>>> doesn't (like AML; I deliberately ignore statements like "industry
>>>> standard"). _If_ such reasons are sound, maybe they have a case for
>>>> ACPI-only machines targeted primarily at Linux.
>>
>>> What I got from the replies from HP, Huawei and from earlier discussions
>>> with Jon is that they all hope to get to the point of relying on AML
>>> alone to bridge the differences between SoC families. However, I don't
>>> see that happening with the limited hardware compatibility that the
>>> existing SBSA provides:
>>
>> I tend to agree with you that it's an overreach to think that this is
>> going to completely abstract away the differences between SoCs from
>> different vendors without substantial further standardization work.
>> However it does seem reasonable to expect that features like AML are
>> going to be more successful in handling board differences and
>> incremental revisions of SoCs - things like interactions with system
>> power controllers for example.  That seems like a useful win in and of
>> itself, and one that's worth supporting.
> 
> This piqued my interest, so I did a little research and found the
> following to describe AML (second para under "What does this mean?")
> 
>   http://community.arm.com/groups/processors/blog/2014/05/01/let-s-talk-acpi-for-servers
> 
> iiuc, AML are basically drivers for some low-level functions provided as
> binary blobs via the ACPI tables.

AML isn't a "driver" per se. Think of it as providing a couple of
methods for doing things like turning on a device, where the interpreted
code might cause e.g. a memory address to be written with a value that
causes a side effect (e.g. talking with a system configuration
co-processor hidden inside the SoC the adjusts the clocking, enables
power, configures PHY parameters, etc.). Most of the "AML" that you see
on servers is actually just informational, or methods that return data
describing the hardware installed.

> How does this work in a trusted boot scenario?

No different than on x86.

> Can the ACPI tables, and these binary blobs with it, be updated from userspace?

Tables are baked into the firmware and are updated as a result of normal
firmware updates (which already has a defined process). There are
secondary tables that can augment things like the primary DSDT but those
are also provided by the platform. There are only two ways the "OS"
might provide a DSDT, but only including here for pedantry:

1). If you compile a kernel specially with an embedded DSDT within the
image itself (nobody does this one any more AFAIK).

2). If you attach a special update test DSDT into your initramfs in a
particular way, in which case I believe secure boot already is disabled.

But these are all developer/debug things, not intended for users running
in a secure boot environment.

> If so, is there an authentication mechanism (including for non-secure boot scenarios)?

It's no different than scenarios on x86, which are well covered.

> One of the reasons I've really enjoyed working with ARM platforms and DT
> is the absence of this type of 'feature'.  I honestly don't care whether
> the kernel gets the board configuration info from DT or ACPI or FOO, as
> long as we can avoid the security mistakes of the past:
> 
>   http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

ACPI is not the great satan. I'm aware certain others in the community
have written missinformed blog posts and G+ rants equating ACPI with SMI
and even with various other system firmware. I can't force someone to
become informed on a topic, especially if it's politically useful to
them to hate on ACPI and use the security paranoia handwavy argument.

> I'm not advocating "throw out AML and ACPI with it!", rather I'd like to
> see a serious, open, discussion about the security implications of a
> convenience feature such as AML.

AML is in (almost) every server you're using today. What you want to be
worried about is hidden firmware, especially what might be running
inside a Trusted environment or inside an SMI context, or the radio
firmware on your phone that the NSA have backdoored. Once we've solved
every other issue, we can come back to whether the extremely limited
capabilities of AML are what the evil bad guys are using to infiltrate
our minds and make us think that we all want to use ACPI.

Jon.
Jon Masters Jan. 7, 2015, 8:05 p.m. UTC | #37
On 01/07/2015 02:58 PM, Jon Masters wrote:
> On 01/07/2015 01:41 PM, Jason Cooper wrote:

>> One of the reasons I've really enjoyed working with ARM platforms and DT
>> is the absence of this type of 'feature'.  I honestly don't care whether
>> the kernel gets the board configuration info from DT or ACPI or FOO, as
>> long as we can avoid the security mistakes of the past:
>>
>>   http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
> 
> ACPI is not the great satan. I'm aware certain others in the community
> have written missinformed blog posts and G+ rants equating ACPI with SMI
> and even with various other system firmware. I can't force someone to
> become informed on a topic, especially if it's politically useful to
> them to hate on ACPI and use the security paranoia handwavy argument.

To clarify, and this is not directed at you Jason, it is politically
useful to some who have written rants those business models are built
upon being paid to enable platforms. For those folks, standardized
platforms which allow a common OS approach are seen as threatening.

In the previous rants (which were really instigated as a result of the
above) ACPI was equated with SMM (System Management Mode), which is a
bit like the Secure/Trusted world on AArch64 in which you might run
another "Trusted" OS. These are the places where you want to watch out
to malware of the kind cited in your link, not in ACPI tables.

Jon.
Mark Brown Jan. 7, 2015, 8:05 p.m. UTC | #38
On Wed, Jan 07, 2015 at 08:48:48PM +0100, Arnd Bergmann wrote:
> On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
> > On 01/07/2015 12:27 PM, Mark Brown wrote:

> > > That level of hardware compatibility does partly come from the need to
> > > run existing software.  I'd expect that similar effects will start to
> > > come into play with ARMv8 ACPI systems if they become successful; people
> > > will do things like ensure compatibility with common IPs that have
> > > existing Linux drivers that distros tend to include as standard.

> > Agreed.

> There are two problems I see in trying to do the same thing on ARM:

> * we don't have a single vendor that makes de-facto standards that
>   everyone else has to copy in the way that the few remaining x86
>   vendors copy everything that Intel does. In fact, we prefer to
>   have a large number of independent vendors.

Right, I'd guess that (modulo any standards being defined and becoming
successful) it'll more be a case of vendors keeping compatibility with
their own stuff.  We *are* seeing greater reliance on off the shelf IPs
for more boring things like DMA and basic bus controllers but there's
plenty of other areas that still affect servers.

> * There is a general mindset about deprecating unwanted features
>   early. ARMv8 aarch32 bit mode removes support for older instructions
>   or makes them optional. Even the virtualization mode doesn't allow
>   to trap on architecture version specific differences, so you can't
>   completely emulate an older architecture level.
>   This is nice for implementers but not so much for users that rely
>   on old (mis-)features. It's also not just the CPU core, other
>   components also get easily replaced, like a GICv3 that is not
>   a strict superset of GICv2.

This is indeed worrying, though hopefully the fact that we're already
seeing negative impacts in the app ecosystem for Android will have
focused some minds - once you're talking about full system images it
gets even more fun.
Jon Masters Jan. 7, 2015, 8:14 p.m. UTC | #39
On 01/07/2015 03:05 PM, Mark Brown wrote:
> On Wed, Jan 07, 2015 at 08:48:48PM +0100, Arnd Bergmann wrote:
>> On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
>>> On 01/07/2015 12:27 PM, Mark Brown wrote:
> 
>>>> That level of hardware compatibility does partly come from the need to
>>>> run existing software.  I'd expect that similar effects will start to
>>>> come into play with ARMv8 ACPI systems if they become successful; people
>>>> will do things like ensure compatibility with common IPs that have
>>>> existing Linux drivers that distros tend to include as standard.
> 
>>> Agreed.
> 
>> There are two problems I see in trying to do the same thing on ARM:
> 
>> * we don't have a single vendor that makes de-facto standards that
>>   everyone else has to copy in the way that the few remaining x86
>>   vendors copy everything that Intel does. In fact, we prefer to
>>   have a large number of independent vendors.
> 
> Right, I'd guess that (modulo any standards being defined and becoming
> successful) it'll more be a case of vendors keeping compatibility with
> their own stuff.  We *are* seeing greater reliance on off the shelf IPs
> for more boring things like DMA and basic bus controllers but there's
> plenty of other areas that still affect servers.

I expect to see a greater level of standardization. SBBR is the
beginning, but it is far from the end. There will be a lot more as the
vendors come together and agree on common platform components. I've
spent a lot of time over the past few years with a large number of
vendors going over lots of these issues in lieu of more of a Windows
Hardware Qualification style guide. I intend to have one this year that
captures what Red Hat think an ARM server looks like, and to circulate
that among the broader ecosystem of vendors to feed into SBBR++.

>> * There is a general mindset about deprecating unwanted features
>>   early. ARMv8 aarch32 bit mode removes support for older instructions
>>   or makes them optional. Even the virtualization mode doesn't allow
>>   to trap on architecture version specific differences, so you can't
>>   completely emulate an older architecture level.
>>   This is nice for implementers but not so much for users that rely
>>   on old (mis-)features. It's also not just the CPU core, other
>>   components also get easily replaced, like a GICv3 that is not
>>   a strict superset of GICv2.
> 
> This is indeed worrying, though hopefully the fact that we're already
> seeing negative impacts in the app ecosystem for Android will have
> focused some minds - once you're talking about full system images it
> gets even more fun.

GICv2/3 was something a bunch of us discussed years ago. At the time we
debated whether there was a need to compel the superset option. It was
deemed early enough not to be a critical issue. But there have already
been other cases where we've pushed to ensure backward compatibility for
all time. And there will be more of those as the ecosystem develops out
into a world of existing Operating System images and apps that need to
run on these emerging platforms. Deprecating instructions and
formalizing other behaviors is an area where it's ephemeral - what made
sense in the past might not make sense in the future, and ARM know that.
Their architecture team features some of the smartest minds.

(on architecture revisions, Red Hat has stated in the past that we only
care about AArch64, not even running 32-bit code on 64-bit processors,
which is one reason I have pushed for some silicon designs not to
implement the 32-bit compatibility when it comes to servers)

Jon.
Jason Cooper Jan. 7, 2015, 9:40 p.m. UTC | #40
On Wed, Jan 07, 2015 at 02:58:42PM -0500, Jon Masters wrote:
> On 01/07/2015 01:41 PM, Jason Cooper wrote:
> > On Wed, Jan 07, 2015 at 05:27:41PM +0000, Mark Brown wrote:
> >> On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
> >>> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> >>
> >>>> From what I gathered so far, the main reason for _some_ vendors is not
> >>>> support for "other" OS but actually features that ACPI has and DT
> >>>> doesn't (like AML; I deliberately ignore statements like "industry
> >>>> standard"). _If_ such reasons are sound, maybe they have a case for
> >>>> ACPI-only machines targeted primarily at Linux.
> >>
> >>> What I got from the replies from HP, Huawei and from earlier discussions
> >>> with Jon is that they all hope to get to the point of relying on AML
> >>> alone to bridge the differences between SoC families. However, I don't
> >>> see that happening with the limited hardware compatibility that the
> >>> existing SBSA provides:
> >>
> >> I tend to agree with you that it's an overreach to think that this is
> >> going to completely abstract away the differences between SoCs from
> >> different vendors without substantial further standardization work.
> >> However it does seem reasonable to expect that features like AML are
> >> going to be more successful in handling board differences and
> >> incremental revisions of SoCs - things like interactions with system
> >> power controllers for example.  That seems like a useful win in and of
> >> itself, and one that's worth supporting.
> > 
> > This piqued my interest, so I did a little research and found the
> > following to describe AML (second para under "What does this mean?")
> > 
> >   http://community.arm.com/groups/processors/blog/2014/05/01/let-s-talk-acpi-for-servers
> > 
> > iiuc, AML are basically drivers for some low-level functions provided as
> > binary blobs via the ACPI tables.
> 
> AML isn't a "driver" per se. Think of it as providing a couple of
> methods for doing things like turning on a device, where the interpreted
> code might cause e.g. a memory address to be written with a value that
> causes a side effect (e.g. talking with a system configuration
> co-processor hidden inside the SoC the adjusts the clocking, enables
> power, configures PHY parameters, etc.). Most of the "AML" that you see
> on servers is actually just informational, or methods that return data
> describing the hardware installed.

So, similar in scope to an irqchip driver?  Because that's what I was
thinking when I said "driver", not alsa or drm...  Thanks for great
description.

> > How does this work in a trusted boot scenario?
> 
> No different than on x86.

Suprisingly, I don't do much with x86 development-wise.  The x86 boxes
are just tools to me.  So I'm not very familiar with the intricacies
there.  Do you have a pointer to ACPI update security
standards/protocols?

> > Can the ACPI tables, and these binary blobs with it, be updated from userspace?
> 
> Tables are baked into the firmware and are updated as a result of normal
> firmware updates (which already has a defined process). There are
> secondary tables that can augment things like the primary DSDT but those
> are also provided by the platform. There are only two ways the "OS"
> might provide a DSDT, but only including here for pedantry:
> 
> 1). If you compile a kernel specially with an embedded DSDT within the
> image itself (nobody does this one any more AFAIK).
> 
> 2). If you attach a special update test DSDT into your initramfs in a
> particular way, in which case I believe secure boot already is disabled.
> 
> But these are all developer/debug things, not intended for users running
> in a secure boot environment.

Right, I'm more concerned about the update process being the vector to
inject bad code.

> > If so, is there an authentication mechanism (including for non-secure boot scenarios)?
> 
> It's no different than scenarios on x86, which are well covered.
> 
> > One of the reasons I've really enjoyed working with ARM platforms and DT
> > is the absence of this type of 'feature'.  I honestly don't care whether
> > the kernel gets the board configuration info from DT or ACPI or FOO, as
> > long as we can avoid the security mistakes of the past:
> > 
> >   http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
> 
> ACPI is not the great satan.

Relax, I'm not saying, nor implying that. :)  I *am* saying that
upgradeable executable code not loaded from traditional OS storage
(harddisk, flash) is a valid security concern.

> I'm aware certain others in the community have written missinformed
> blog posts and G+ rants equating ACPI with SMI and even with various
> other system firmware.

You're in luck, I don't blog or do social media. :-P

> I can't force someone to become informed on a topic, especially if
> it's politically useful to them to hate on ACPI and use the security
> paranoia handwavy argument.

I'm not sure where you got that from.  I said very specifically, since
trimmed, that I don't care where the board configuration data comes
from, DT, ACPI, or FOO.

If ACPI works, is stable, and integrates with the community, I'd use it.
Right now, DT is the closest to that goal, so it's what I prefer.

> > I'm not advocating "throw out AML and ACPI with it!", rather I'd like to
> > see a serious, open, discussion about the security implications of a
> > convenience feature such as AML.
> 
> AML is in (almost) every server you're using today.

"It's already everywhere" is not a valid reason to dismiss a security
discussion.  It's *not* on ARM today, so AML on ARM is a significant
change to ecosystem.  I'd hope I'm not the only person who was taking
advantage of fewer firmware hiding spots that ARM provides. :)

> What you want to be worried about is hidden firmware, especially what
> might be running inside a Trusted environment or inside an SMI
> context, or the radio firmware on your phone that the NSA have
> backdoored.

These are all valid security concerns, but this thread was about
ACPI/AML on ARM, so I didn't mention them.  Just because there are three
other holes doesn't mean we should throw up our hands and not address the
one in front of us.

> Once we've solved every other issue, we can come back to whether the
> extremely limited capabilities of AML are what the evil bad guys are
> using to infiltrate our minds and make us think that we all want to
> use ACPI.

Umm, wow.  I was not implying that a malicious piece of code would call
AML in a bad way to do something nefarious.  I *am* concerned about a
malicious update to the ACPI tables hooking an innocent AML call so that
*any* malicious code could be run at boot time, or suspend/resume,
shutdown, etc.

Sorry to have plucked a nerve, but I am sincerely interested in having a
*rational* discussion about how this changes the ARM ecosystem.  fwiw,
if I didn't think this was going to hit mainline, I wouldn't've bothered
bringing it up. ;-)

thx,

Jason.
Jon Masters Jan. 7, 2015, 10:10 p.m. UTC | #41
Jason,

Will followup more later...was being a little sarcastic before...no raw nerve ;) but sarcasm translates badly so apologies. Will send a better reply when back online :) Good points!

Jon.
Jason Cooper Jan. 7, 2015, 10:59 p.m. UTC | #42
On Wed, Jan 07, 2015 at 03:05:14PM -0500, Jon Masters wrote:
> On 01/07/2015 02:58 PM, Jon Masters wrote:
> > On 01/07/2015 01:41 PM, Jason Cooper wrote:
> 
> >> One of the reasons I've really enjoyed working with ARM platforms and DT
> >> is the absence of this type of 'feature'.  I honestly don't care whether
> >> the kernel gets the board configuration info from DT or ACPI or FOO, as
> >> long as we can avoid the security mistakes of the past:
> >>
> >>   http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
> > 
> > ACPI is not the great satan. I'm aware certain others in the community
> > have written missinformed blog posts and G+ rants equating ACPI with SMI
> > and even with various other system firmware. I can't force someone to
> > become informed on a topic, especially if it's politically useful to
> > them to hate on ACPI and use the security paranoia handwavy argument.
> 
> To clarify, and this is not directed at you Jason, it is politically
> useful to some who have written rants those business models are built
> upon being paid to enable platforms. For those folks, standardized
> platforms which allow a common OS approach are seen as threatening.

Ahh, thanks for clarifying.

> In the previous rants (which were really instigated as a result of the
> above) ACPI was equated with SMM (System Management Mode), which is a
> bit like the Secure/Trusted world on AArch64 in which you might run
> another "Trusted" OS. These are the places where you want to watch out
> to malware of the kind cited in your link, not in ACPI tables.

fwiw, I *am* concerned about those spaces.  It seems we agree on their
vulnerability to attack (plus being meaty targets).

To more concisely state my other reply to you, wrt to AML, I'm primarily
concerned about a malicious update to the ACPI tables.  The ACPI tables
in the update would be otherwise normal, except for the AML blob that
contains some extra code.  The malicious payload.  Then, a routine call
into an AML (for pinctrl, say) executes the malicious code.

The plausibility and preventability of that style of attack is what I'm
hoping to nail down with this discussion.

thx,

Jason.
Arnd Bergmann Jan. 8, 2015, 11:26 a.m. UTC | #43
On Wednesday 07 January 2015 17:59:04 Jason Cooper wrote:
> On Wed, Jan 07, 2015 at 03:05:14PM -0500, Jon Masters wrote:
> > On 01/07/2015 02:58 PM, Jon Masters wrote:
> > > On 01/07/2015 01:41 PM, Jason Cooper wrote:
> > 
> > >> One of the reasons I've really enjoyed working with ARM platforms and DT
> > >> is the absence of this type of 'feature'.  I honestly don't care whether
> > >> the kernel gets the board configuration info from DT or ACPI or FOO, as
> > >> long as we can avoid the security mistakes of the past:
> > >>
> > >>   http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
> > > 
> > > ACPI is not the great satan. I'm aware certain others in the community
> > > have written missinformed blog posts and G+ rants equating ACPI with SMI
> > > and even with various other system firmware. I can't force someone to
> > > become informed on a topic, especially if it's politically useful to
> > > them to hate on ACPI and use the security paranoia handwavy argument.
> > 
> > To clarify, and this is not directed at you Jason, it is politically
> > useful to some who have written rants those business models are built
> > upon being paid to enable platforms. For those folks, standardized
> > platforms which allow a common OS approach are seen as threatening.
> 
> Ahh, thanks for clarifying.
> 
> > In the previous rants (which were really instigated as a result of the
> > above) ACPI was equated with SMM (System Management Mode), which is a
> > bit like the Secure/Trusted world on AArch64 in which you might run
> > another "Trusted" OS. These are the places where you want to watch out
> > to malware of the kind cited in your link, not in ACPI tables.
> 
> fwiw, I *am* concerned about those spaces.  It seems we agree on their
> vulnerability to attack (plus being meaty targets).
> 
> To more concisely state my other reply to you, wrt to AML, I'm primarily
> concerned about a malicious update to the ACPI tables.  The ACPI tables
> in the update would be otherwise normal, except for the AML blob that
> contains some extra code.  The malicious payload.  Then, a routine call
> into an AML (for pinctrl, say) executes the malicious code.
> 
> The plausibility and preventability of that style of attack is what I'm
> hoping to nail down with this discussion.

If you want to run hidden code through the firmware, then doing an attack
on Intel SMM or ARM TrustZone would be much harder to detect and as easy
to get in, as long as you have the ability to flash arbitrary firmware.
I think this has been shown to happen in the wild. That code could
go and manipulate the running kernel image to do something else.

Running code inside of the AML interpreter is fairly limited for the
purpose of an attack [*], but there might be bugs in the interpreter that
allow arbitrary code execution from malicious firmware. I think this
case would be similar to constructing a malicious DT blob that exploits
a bug in the DT parser for arbitrary code execution. The AML interpreter
is a relatively large chunk of code, but it's self-contained. In
comparison, the DT parser is much smaller, but has the additional
(theoretical) problem of potential buffer overflows in any drivers that
use it incorrectly (e.g. format string attacks on string properties).
Another difference is that the AML code is intended to not be
user-upgradable without a full firmware upgrade, while a DT blob is
meant to be easily replaced if necessary without flashing the firmware,
using the same permissions you need for updating the OS.

I'm deliberately not trying to draw conclusions regarding whether AML
is more or less secure than DT, but the above is my understanding of
the fundamental differences.

	Arnd

[*] I would assume you can get AML code to write to arbitrary physical
memory locations without much effort, but it has rather limited arithmetical
capabilities which makes it hard to know where to write to.
Kangkang Shen Jan. 8, 2015, 7:59 p.m. UTC | #44
Security is a much big scale issue. The industry has all kind of solutions to deal with firmware security. In ARM system, the Firmware has been designed with higher privilege/security than OS. I will suggest we trust firmware security and focus on Linux itself.  

-----Original Message-----
From: linaro-acpi-bounces@lists.linaro.org [mailto:linaro-acpi-bounces@lists.linaro.org] On Behalf Of Arnd Bergmann
Sent: Thursday, January 08, 2015 3:27 AM
To: Jason Cooper
Cc: Rob Herring; Daniel Lezcano; Robert Richter; linaro-acpi@lists.linaro.org; Marc Zyngier; Jon Masters; Randy Dunlap; Liviu Dudau; Robert Moore; Will Deacon; linux-kernel@vger.kernel.org; linux-acpi@vger.kernel.org; Mark Brown; Rafael J. Wysocki; Lv Zheng; Catalin Marinas; Bjorn Helgaas; linux-arm-kernel@lists.infradead.org; Olof Johansson
Subject: Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wednesday 07 January 2015 17:59:04 Jason Cooper wrote:
> On Wed, Jan 07, 2015 at 03:05:14PM -0500, Jon Masters wrote:
> > On 01/07/2015 02:58 PM, Jon Masters wrote:
> > > On 01/07/2015 01:41 PM, Jason Cooper wrote:
> > 
> > >> One of the reasons I've really enjoyed working with ARM platforms 
> > >> and DT is the absence of this type of 'feature'.  I honestly 
> > >> don't care whether the kernel gets the board configuration info 
> > >> from DT or ACPI or FOO, as long as we can avoid the security mistakes of the past:
> > >>
> > >>   
> > >> http://www.spiegel.de/international/world/catalog-reveals-nsa-has
> > >> -back-doors-for-numerous-devices-a-940994.html
> > > 
> > > ACPI is not the great satan. I'm aware certain others in the 
> > > community have written missinformed blog posts and G+ rants 
> > > equating ACPI with SMI and even with various other system 
> > > firmware. I can't force someone to become informed on a topic, 
> > > especially if it's politically useful to them to hate on ACPI and use the security paranoia handwavy argument.
> > 
> > To clarify, and this is not directed at you Jason, it is politically 
> > useful to some who have written rants those business models are 
> > built upon being paid to enable platforms. For those folks, 
> > standardized platforms which allow a common OS approach are seen as threatening.
> 
> Ahh, thanks for clarifying.
> 
> > In the previous rants (which were really instigated as a result of 
> > the
> > above) ACPI was equated with SMM (System Management Mode), which is 
> > a bit like the Secure/Trusted world on AArch64 in which you might 
> > run another "Trusted" OS. These are the places where you want to 
> > watch out to malware of the kind cited in your link, not in ACPI tables.
> 
> fwiw, I *am* concerned about those spaces.  It seems we agree on their 
> vulnerability to attack (plus being meaty targets).
> 
> To more concisely state my other reply to you, wrt to AML, I'm 
> primarily concerned about a malicious update to the ACPI tables.  The 
> ACPI tables in the update would be otherwise normal, except for the 
> AML blob that contains some extra code.  The malicious payload.  Then, 
> a routine call into an AML (for pinctrl, say) executes the malicious code.
> 
> The plausibility and preventability of that style of attack is what 
> I'm hoping to nail down with this discussion.

If you want to run hidden code through the firmware, then doing an attack on Intel SMM or ARM TrustZone would be much harder to detect and as easy to get in, as long as you have the ability to flash arbitrary firmware.
I think this has been shown to happen in the wild. That code could go and manipulate the running kernel image to do something else.

Running code inside of the AML interpreter is fairly limited for the purpose of an attack [*], but there might be bugs in the interpreter that allow arbitrary code execution from malicious firmware. I think this case would be similar to constructing a malicious DT blob that exploits a bug in the DT parser for arbitrary code execution. The AML interpreter is a relatively large chunk of code, but it's self-contained. In comparison, the DT parser is much smaller, but has the additional
(theoretical) problem of potential buffer overflows in any drivers that use it incorrectly (e.g. format string attacks on string properties).
Another difference is that the AML code is intended to not be user-upgradable without a full firmware upgrade, while a DT blob is meant to be easily replaced if necessary without flashing the firmware, using the same permissions you need for updating the OS.

I'm deliberately not trying to draw conclusions regarding whether AML is more or less secure than DT, but the above is my understanding of the fundamental differences.

	Arnd

[*] I would assume you can get AML code to write to arbitrary physical memory locations without much effort, but it has rather limited arithmetical capabilities which makes it hard to know where to write to.
Catalin Marinas Jan. 9, 2015, 10:33 a.m. UTC | #45
On Wed, Jan 07, 2015 at 07:48:48PM +0000, Arnd Bergmann wrote:
> On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
> > I'm expecting to need new drivers for SoC IP blocks that are net new,
> > but generational differences between iterations of the same SoC should
> > be abstracted behind the firmware (and we are already seeing this with
> > at least one platform). Platform wise, it's nice to already see e.g.
> > mmconfig working to handle the specific ways a platform wires PCI.
> 
> Yes, the parts that are mandated by SBSA, like the way that PCI needs
> to be done are generally good. Unfortunately a lot of the hardware that
> I've seen has a rather lax interpretation of the spec, so just because
> something is mandated doesn't mean it's done that way ;-)
> 
> In other cases that's actually a good thing. One such example is the
> "Principles of ARM Memory Maps" document that tells hardware implementers
> to do a rather complex mapping "To support 36-bit x86 PAE compatible operating
> systems, such as Linux." but makes life much harder in the process than
> any of the random mappings we have seen in the wild.

Unfortunately, with any significant amount of RAM (say 16GB), this
document becomes pretty useless. It basically forces you to have a very
sparse physical address map from 0 to over 40-bit. I wouldn't apply the
ARM memory maps doc to server systems.

> * There is a general mindset about deprecating unwanted features
>   early. ARMv8 aarch32 bit mode removes support for older instructions
>   or makes them optional. Even the virtualization mode doesn't allow
>   to trap on architecture version specific differences, so you can't
>   completely emulate an older architecture level.
>   This is nice for implementers but not so much for users that rely
>   on old (mis-)features.

This mindset is (slowly) changing. There are, of course, instructions
like SWP that just can't always be implemented at the SoC level (not
necessarily CPU level; requiring bus locks) but others like CP15
barriers, I don't see why they should go away, it's just a decoder
problem.

>   It's also not just the CPU core, other components also get easily
>   replaced, like a GICv3 that is not a strict superset of GICv2.

That's not a problem for Linux, we can describe them in DT or ACPI and
have drivers. GICv3 has an optional GICv2 compatible mode, though
vendors may decide not to implement it.
Arnd Bergmann Jan. 9, 2015, 10:55 a.m. UTC | #46
On Friday 09 January 2015 10:33:07 Catalin Marinas wrote:
> On Wed, Jan 07, 2015 at 07:48:48PM +0000, Arnd Bergmann wrote:

> > In other cases that's actually a good thing. One such example is the
> > "Principles of ARM Memory Maps" document that tells hardware implementers
> > to do a rather complex mapping "To support 36-bit x86 PAE compatible operating
> > systems, such as Linux." but makes life much harder in the process than
> > any of the random mappings we have seen in the wild.
> 
> Unfortunately, with any significant amount of RAM (say 16GB), this
> document becomes pretty useless. It basically forces you to have a very
> sparse physical address map from 0 to over 40-bit. I wouldn't apply the
> ARM memory maps doc to server systems.

Are you sure? I was under the impression that this document was targetted
specifically at servers.

> >   It's also not just the CPU core, other components also get easily
> >   replaced, like a GICv3 that is not a strict superset of GICv2.
> 
> That's not a problem for Linux, we can describe them in DT or ACPI and
> have drivers. GICv3 has an optional GICv2 compatible mode, though
> vendors may decide not to implement it.

I'm aware that we can deal with it after we have the drivers. My point
was that we are unable to deal with this problem in general if we want
to run existing kernels on new hardware that contains e.g. a GICv4/5/6
that requires a new driver which has to first be written and then
backported into distro kernels.

	Arnd
Catalin Marinas Jan. 9, 2015, 3:13 p.m. UTC | #47
On Fri, Jan 09, 2015 at 10:55:51AM +0000, Arnd Bergmann wrote:
> On Friday 09 January 2015 10:33:07 Catalin Marinas wrote:
> > On Wed, Jan 07, 2015 at 07:48:48PM +0000, Arnd Bergmann wrote:
> 
> > > In other cases that's actually a good thing. One such example is the
> > > "Principles of ARM Memory Maps" document that tells hardware implementers
> > > to do a rather complex mapping "To support 36-bit x86 PAE compatible operating
> > > systems, such as Linux." but makes life much harder in the process than
> > > any of the random mappings we have seen in the wild.
> > 
> > Unfortunately, with any significant amount of RAM (say 16GB), this
> > document becomes pretty useless. It basically forces you to have a very
> > sparse physical address map from 0 to over 40-bit. I wouldn't apply the
> > ARM memory maps doc to server systems.
> 
> Are you sure? I was under the impression that this document was targetted
> specifically at servers.

Ah, sorry for the confusion, I haven't read the latest (apparently from
2012) update which covers 44 and 48-bit memory maps.

The only downside is that for more than 32GB of RAM (up to 512GB) it
requires a 40-bit memory map. Given the sparseness, we can't use
3-levels of page table with 4KB pages which can only cover 39-bit.
Anyway, not a major issue.
Grant Likely Jan. 15, 2015, 2:10 p.m. UTC | #48
On Tue, Jan 6, 2015 at 1:59 PM, Arnd Bergmann <arnd@arndb.de> wrote:
> On Tuesday 06 January 2015 11:20:01 Catalin Marinas wrote:
>> On Mon, Jan 05, 2015 at 08:16:30PM +0000, Arnd Bergmann wrote:
>> > On Monday 05 January 2015 13:13:02 Catalin Marinas wrote:
>> > > > since passing no DT tables to OS but
>> > > > acpi=force is missing is a corner case, we can do a follow up patch to
>> > > > fix that, does it make sense?
>> > >
>> > > Not entirely. Why would no dtb and no acpi=force be a corner case? I
>> > > thought this should be the default when only ACPI tables are passed, no
>> > > need for an additional acpi=force argument.
>> >
>> > We don't really support the case of only ACPI tables for now. The expectation
>> > is that you always have working DT support, at least for the next few years
>> > as ACPI features are ramping up, and without acpi=force it should not try
>> > to use ACPI at all.
>>
>> So if both DT and ACPI are present, just use DT unless acpi=force is
>> passed. So far I think we agree but what I want to avoid is always
>> mandating acpi=force even when the DT tables are missing (in the long
>> run).
>>
>> Now, what's preventing a vendor firmware from providing only ACPI
>> tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
>> that both DT and ACPI are supported, or at least that dts files are
>> merged in the kernel first?
>
> We have no way of enforcing what a board vendor ships, so if they want
> to have ACPI-only machines for MS Windows, they just won't work by
> default on Linux. Once ACPI support is mature enough, we can also
> have a whitelist or a different default for using it automatically
> when no DT is present.
>
> For drivers merged upstream, I would insist that every driver merged
> for an ARM64 platform has a documented DT binding that is used in the
> driver.

That's a dumb rule. It will result in untested DT code paths being
thrown into drivers just too meet the rules rather than on whether or
not they will actually be used. It's fine to allow driver authors to
only implement the ACPI code path if that is what they are working
with. We can *always* add a DT path to the driver when it is needed.

As you say, wecannot insist that vendors implement DT as well as ACPI.
The most we can do is offer the recommendation that DT works now, but
ACPI is immature for ARM. If they choose to do ACPI only, that is
absolutely fine and they do so with the understanding that it will
take time to stabilize to the point that we're comfortable
guaranteeing support in mainline. However, that doesn't even remotely
block getting each of their drivers merged as they become ready.

g.
Jon Masters Jan. 15, 2015, 3:51 p.m. UTC | #49
On 01/15/2015 09:10 AM, Grant Likely wrote:
> On Tue, Jan 6, 2015 at 1:59 PM, Arnd Bergmann <arnd@arndb.de> wrote:
>> On Tuesday 06 January 2015 11:20:01 Catalin Marinas wrote:
>>> On Mon, Jan 05, 2015 at 08:16:30PM +0000, Arnd Bergmann wrote:
>>>> On Monday 05 January 2015 13:13:02 Catalin Marinas wrote:
>>>>>> since passing no DT tables to OS but
>>>>>> acpi=force is missing is a corner case, we can do a follow up patch to
>>>>>> fix that, does it make sense?
>>>>>
>>>>> Not entirely. Why would no dtb and no acpi=force be a corner case? I
>>>>> thought this should be the default when only ACPI tables are passed, no
>>>>> need for an additional acpi=force argument.
>>>>
>>>> We don't really support the case of only ACPI tables for now. The expectation
>>>> is that you always have working DT support, at least for the next few years
>>>> as ACPI features are ramping up, and without acpi=force it should not try
>>>> to use ACPI at all.
>>>
>>> So if both DT and ACPI are present, just use DT unless acpi=force is
>>> passed. So far I think we agree but what I want to avoid is always
>>> mandating acpi=force even when the DT tables are missing (in the long
>>> run).
>>>
>>> Now, what's preventing a vendor firmware from providing only ACPI
>>> tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
>>> that both DT and ACPI are supported, or at least that dts files are
>>> merged in the kernel first?
>>
>> We have no way of enforcing what a board vendor ships, so if they want
>> to have ACPI-only machines for MS Windows, they just won't work by
>> default on Linux. Once ACPI support is mature enough, we can also
>> have a whitelist or a different default for using it automatically
>> when no DT is present.
>>
>> For drivers merged upstream, I would insist that every driver merged
>> for an ARM64 platform has a documented DT binding that is used in the
>> driver.
> 
> That's a dumb rule. It will result in untested DT code paths being
> thrown into drivers just too meet the rules rather than on whether or
> not they will actually be used. It's fine to allow driver authors to
> only implement the ACPI code path if that is what they are working
> with. We can *always* add a DT path to the driver when it is needed.

It gets worse. There *will* be large numbers of ACPI only ARM servers
landing over the coming year. Not only would DT code be untested, but
insisting on keeping e.g. a DSDT and DT in sync is never going to work
anyway. Already we have early stage servers that contain a DT used for
bringup that is subsequently not being updated as often as the ACPI
tables (those systems are now booting exclusively in labs with ACPI).
Eventually, I am going to push for the DT data to be removed from these
systems rather than have out of date unmaintained DT data in firmware.

Jon.
Arnd Bergmann Jan. 15, 2015, 4:52 p.m. UTC | #50
On Thursday 15 January 2015 10:51:58 Jon Masters wrote:
> On 01/15/2015 09:10 AM, Grant Likely wrote:
> > On Tue, Jan 6, 2015 at 1:59 PM, Arnd Bergmann <arnd@arndb.de> wrote:
> >> For drivers merged upstream, I would insist that every driver merged
> >> for an ARM64 platform has a documented DT binding that is used in the
> >> driver.
> > 
> > That's a dumb rule. It will result in untested DT code paths being
> > thrown into drivers just too meet the rules rather than on whether or
> > not they will actually be used. It's fine to allow driver authors to
> > only implement the ACPI code path if that is what they are working
> > with. We can *always* add a DT path to the driver when it is needed.
> 
> It gets worse. There *will* be large numbers of ACPI only ARM servers
> landing over the coming year. Not only would DT code be untested, but
> insisting on keeping e.g. a DSDT and DT in sync is never going to work
> anyway. Already we have early stage servers that contain a DT used for
> bringup that is subsequently not being updated as often as the ACPI
> tables (those systems are now booting exclusively in labs with ACPI).
> Eventually, I am going to push for the DT data to be removed from these
> systems rather than have out of date unmaintained DT data in firmware.

We will of course be able to relax the rule once ACPI has stabilized on
ARM64. At the moment, we haven't even agreed on how to represent basic
devices, so things are in flux and there is no way for a BIOS writer
to ship an image that we will guarantee to support in the long run.

At some point after we are reasonably sure we are able to keep supporting
all existing systems that are working with that kernel, we can take
support for new systems without having DT by default, and also support
booting those without acpi=force, which is related to this question.

	Arnd
al.stone@linaro.org Jan. 15, 2015, 5:22 p.m. UTC | #51
On 01/15/2015 09:52 AM, Arnd Bergmann wrote:
> On Thursday 15 January 2015 10:51:58 Jon Masters wrote:
>> On 01/15/2015 09:10 AM, Grant Likely wrote:
>>> On Tue, Jan 6, 2015 at 1:59 PM, Arnd Bergmann <arnd@arndb.de> wrote:
>>>> For drivers merged upstream, I would insist that every driver merged
>>>> for an ARM64 platform has a documented DT binding that is used in the
>>>> driver.
>>>
>>> That's a dumb rule. It will result in untested DT code paths being
>>> thrown into drivers just too meet the rules rather than on whether or
>>> not they will actually be used. It's fine to allow driver authors to
>>> only implement the ACPI code path if that is what they are working
>>> with. We can *always* add a DT path to the driver when it is needed.
>>
>> It gets worse. There *will* be large numbers of ACPI only ARM servers
>> landing over the coming year. Not only would DT code be untested, but
>> insisting on keeping e.g. a DSDT and DT in sync is never going to work
>> anyway. Already we have early stage servers that contain a DT used for
>> bringup that is subsequently not being updated as often as the ACPI
>> tables (those systems are now booting exclusively in labs with ACPI).
>> Eventually, I am going to push for the DT data to be removed from these
>> systems rather than have out of date unmaintained DT data in firmware.
> 
> We will of course be able to relax the rule once ACPI has stabilized on
> ARM64. At the moment, we haven't even agreed on how to represent basic
> devices, so things are in flux and there is no way for a BIOS writer
> to ship an image that we will guarantee to support in the long run.
> 
> At some point after we are reasonably sure we are able to keep supporting
> all existing systems that are working with that kernel, we can take
> support for new systems without having DT by default, and also support
> booting those without acpi=force, which is related to this question.
> 
> 	Arnd
> 

Can I restate the position as I hear it, then?  I want to make sure
I'm understanding what's being said.

What I'm reading seems to say: if an ARMv8 vendor wants Linux support
in the upstream kernel, regardless of whether or not it is a mobile or
server product, they must submit DT-based patches until such time as
ACPI on arm64 is deemed "mature."  Do I have that correct?

That implies to me that if I want to build an ACPI-only product, there
is no way to predict when or if I can get Linux support.  And, that if
I do want Linux support, and need ACPI for my end-users, I have to
maintain both sets of firmware for some unknown time into the future.
Is that what was meant?

I'm not really trying to judge the position right this second, but I
am trying to make sure I understand it.  English is not really the most
precise of languages and I would prefer not to misinterpret.
Mark Brown Jan. 15, 2015, 6 p.m. UTC | #52
On Thu, Jan 15, 2015 at 05:52:31PM +0100, Arnd Bergmann wrote:
> On Thursday 15 January 2015 10:51:58 Jon Masters wrote:

> > It gets worse. There *will* be large numbers of ACPI only ARM servers
> > landing over the coming year. Not only would DT code be untested, but
> > insisting on keeping e.g. a DSDT and DT in sync is never going to work
> > anyway. Already we have early stage servers that contain a DT used for
> > bringup that is subsequently not being updated as often as the ACPI
> > tables (those systems are now booting exclusively in labs with ACPI).
> > Eventually, I am going to push for the DT data to be removed from these
> > systems rather than have out of date unmaintained DT data in firmware.

> We will of course be able to relax the rule once ACPI has stabilized on
> ARM64. At the moment, we haven't even agreed on how to represent basic
> devices, so things are in flux and there is no way for a BIOS writer
> to ship an image that we will guarantee to support in the long run.

> At some point after we are reasonably sure we are able to keep supporting
> all existing systems that are working with that kernel, we can take
> support for new systems without having DT by default, and also support
> booting those without acpi=force, which is related to this question.

Speaking with my subsystem maintainer hat on (admittedly not subsystems
affected too much by ARM servers so take this with a pinch of salt) this
just sounds like it's making more work for me - it means having to force
people to write DT code and bindings which I'm then going to have to
review and none of us really care about.  Realistically I'm just going
to take the code if a lack of a DT binding is the only option, I suspect
others will be similar.
Arnd Bergmann Jan. 16, 2015, 4:35 p.m. UTC | #53
On Thursday 15 January 2015 10:22:47 Al Stone wrote:
> 
> Can I restate the position as I hear it, then?  I want to make sure
> I'm understanding what's being said.
> 
> What I'm reading seems to say: if an ARMv8 vendor wants Linux support
> in the upstream kernel, regardless of whether or not it is a mobile or
> server product, they must submit DT-based patches until such time as
> ACPI on arm64 is deemed "mature."  Do I have that correct?

I was specifically referring to SoC specific device drivers here.
It's a bit unclear what a 'vendor' is in this context, but I'd hope
that as long as we have basic support for a SoC, other people can
build DT blobs for these machines and have them run Linux out of
the box.

> That implies to me that if I want to build an ACPI-only product, there
> is no way to predict when or if I can get Linux support.  And, that if
> I do want Linux support, and need ACPI for my end-users, I have to
> maintain both sets of firmware for some unknown time into the future.
> Is that what was meant?

The firmware is normally not written by the people that do the SoC,
and we have very little control over what someone puts in their
firmware. Shipping an ACPI-only firmware would still work, but has
the danger of breaking if we ever have to make incompatible changes
to the way we interpret the ACPI tables and we have to support users
that can't upgrade their firmware.

Hopefully we can quickly get to the point where we don't have to
make incompatible changes, but I don't think that is realistic
from the day we first merge ACPI support.

	Arnd
diff mbox

Patch

diff --git a/Documentation/arm64/arm-acpi.txt b/Documentation/arm64/arm-acpi.txt
new file mode 100644
index 0000000..17cf96d
--- /dev/null
+++ b/Documentation/arm64/arm-acpi.txt
@@ -0,0 +1,323 @@ 
+ACPI on ARMv8 Servers
+---------------------
+ACPI can be used for ARMv8 general purpose servers designed to follow
+the ARM SBSA (Server Base System Architecture) specification, currently 
+available to those with an ARM login at http://silver.arm.com.
+
+The ARMv8 kernel implements the reduced hardware model of ACPI version
+5.1 and its corresponding errata.  Links to the specification and all
+external documents it refers to are managed by the UEFI Forum.  The
+specification is available at http://www.uefi.org/specifications and
+external documents can be found via http://www.uefi.org/acpi.
+
+If an ARMv8 system does not meet the requirements of the SBSA, or cannot
+be described using the mechanisms defined in the required ACPI specifications,
+then it is likely that Device Tree (DT) is more suitable than ACPI for the
+hardware.
+
+
+Relationship with Device Tree
+-----------------------------
+ACPI support in drivers and subsystems for ARMv8 should never be mutually
+exclusive with DT support at compile time.
+
+At boot time the kernel will only use one description method depending on
+parameters passed from the bootloader (including kernel bootargs).
+
+Regardless of whether DT or ACPI is used, the kernel must always be capable
+of booting with either scheme (in kernels with both schemes enabled at compile
+time).
+
+When booting using ACPI tables, the /chosen node in DT will still be parsed
+to extract the kernel command line and initrd path.  No other section of the
+DT will be used.
+
+
+Booting using ACPI tables
+-------------------------
+The only defined method for passing ACPI tables to the kernel on ARMv8
+is via the UEFI system configuration table.
+
+Processing of ACPI tables may be disabled by passing acpi=off on the kernel
+command line; this is the default behavior.  If acpi=force is used, the kernel
+will ONLY use device configuration information contained in the ACPI tables.
+
+In order for the kernel to load and use ACPI tables, the UEFI implementation
+MUST set the ACPI_20_TABLE_GUID to point to the RSDP table (the table with
+the ACPI signature "RSD PTR ").  If this pointer is incorrect and acpi=force
+is used, the kernel will disable ACPI and try to use DT to boot.
+
+If the pointer to the RSDP table is correct, the table will be mapped into
+the kernel by the ACPI core, using the address provided by UEFI.
+
+The ACPI core will then locate and map in all other ACPI tables provided by
+using the addresses in the RSDP table to find the XSDT (eXtended System 
+Description Table).  The XSDT in turn provides the addresses to all other
+ACPI tables provided by the system firmware; the ACPI core will then traverse
+this table and map in the tables listed.
+
+The ACPI core will ignore any provided RSDT (Root System Description Table).
+RSDTs have been deprecated and are ignored on arm64 since they only allow 
+for 32-bit addresses.
+
+Further, the ACPI core will only use the 64-bit address fields in the FADT
+(Fixed ACPI Description Table).  Any 32-bit address fields in the FADT will
+be ignored on arm64.
+
+Hardware reduced mode (see Section 4.1 of the ACPI 5.1 specification) will
+be enforced by the ACPI core on arm64.  Doing so allows the ACPI core to
+run less complex code since it no longer has to provide support for legacy
+hardware from other architectures.
+
+For the ACPI core to operate properly, and in turn provide the information
+the kernel needs to configure devices, it expects to find the following
+tables (all section numbers refer to the ACPI 5.1 specfication):
+
+    -- RSDP (Root System Description Pointer), section 5.2.5
+
+    -- XSDT (eXtended System Description Table), section 5.2.8
+
+    -- FACS (Firmware ACPI Control Structure), section 5.2.10
+
+    -- FADT (Fixed ACPI Description Table), section 5.2.9
+
+    -- DSDT (Differentiated System Description Table), section
+       5.2.11.1
+
+    -- MADT (Multiple APIC Description Table), section 5.2.12
+
+    -- GTDT (Generic Timer Description Table), section 5.2.24
+
+    -- If PCI is supported, the MCFG (Memory mapped ConFiGuration
+       Table), section 5.2.6, specifically Table 5-31.
+
+If the above tables are not all present, the kernel may or may not be
+able to boot properly since it may not be able to configure all of the
+devices available.
+
+
+ACPI Detection
+--------------
+Drivers should determine their probe() type by checking for a null
+value for ACPI_HANDLE, or checking .of_node, or other information in
+the device structure.  This is detailed further in the "Driver 
+Recommendations" section.
+
+In non-driver code, if the presence of ACPI needs to be detected at
+runtime, then check the value of acpi_disabled. If CONFIG_ACPI is not
+set, acpi_disabled will always be 1.
+
+
+Device Enumeration
+------------------
+Device descriptions in ACPI should use standard recognized ACPI interfaces.
+These can contain less information than is typically provided via a Device
+Tree description for the same device.  This is also one of the reasons that
+ACPI can be useful -- the driver takes into account that it may have less
+detailed information about the device and uses sensible defaults instead.
+If done properly in the driver, the hardware can change and improve over
+time without the driver having to change at all.
+
+Clocks provide an excellent example.  In DT, clocks need to be specified
+and the drivers need to take them into account.  In ACPI, the assumption
+is that UEFI will leave the device in a reasonable default state, including
+any clock settings.  If for some reason the driver needs to change a clock
+value, this can be done in an ACPI method; all the driver needs to do is
+invoke the method and not concern itself with what the method needs to do
+to change the clock.  Changing the hardware can then take place over time
+by changing what the ACPI method does, and not the driver.
+
+ACPI drivers should only look at one specific ASL object -- the _DSD object
+-- for device driver parameters (known in DT as "bindings", or "Device 
+Properties" in ACPI).  Not all DT bindings will be recognized.  The UEFI
+Forum provides a mechanism for registering such bindings [URL TBD by ASWG]
+so that they may be used on any operating system supporting ACPI.  Device
+properties that have not been registered with the UEFI Forum should not be
+used.
+
+Drivers should look for device properties in the _DSD object ONLY; the _DSD
+object is described in the ACPI specification section 6.2.5, but more
+specifically, use the _DSD Device Properties UUID:
+
+   -- UUID: daffd814-6eba-4d8c-8a91-bc9bbf4aa301
+   
+   -- http://www.uefi.org/sites/default/files/resources/_DSD-device-properties-UUID.pdf)
+
+The kernel has an interface for looking up device properties in a manner 
+independent of whether DT or ACPI is being used and that interface should
+be used; it can eliminate some duplication of code paths in driver probing
+functions and discourage divergence between DT bindings and ACPI device
+properties.
+
+ACPI tables are described with a formal language called ASL, the ACPI
+Source Language (section 19 of the specification).  This means that there
+are always multiple ways to describe the same thing -- including device
+properties.  For example, device properties could use an ASL construct
+that looks like this: Name(KEY0, "value0").  An ACPI device driver would
+then retrieve the value of the property by evaluating the KEY0 object.
+However, using Name() this way has multiple problems: (1) ACPI limits
+names ("KEY0") to four characters unlike DT; (2) there is no industry
+wide registry that maintains a list of names, minimzing re-use; (3)
+there is also no registry for the definition of property values ("value0"),
+again making re-use difficult; and (4) how does one maintain backward
+compatibility as new hardware comes out?  The _DSD method was created
+to solve precisely these sorts of problems; Linux drivers should ALWAYS
+use the _DSD method for device properties and nothing else.
+
+The _DSM object (ACPI Section 9.14.1) could also be used for conveying
+device properties to a driver.  Linux drivers should only expect it to
+be used if _DSD cannot represent the data required, and there is no way
+to create a new UUID for the _DSD object.  Note that there is even less
+regulation of the use of _DSM than there is of _DSD.  Drivers that depend
+on the contents of _DSM objects will be more difficult to maintain over
+time because of this.
+
+The _DSD object is a very flexible mechanism in ACPI, as are the registered
+Device Properties.  This flexibility allows _DSD to cover more than just the
+generic server case and care should be taken in device drivers not to expect
+it to replicate highly specific embedded behaviour from DT.
+
+Both DT bindings and ACPI device properties for device drivers have review
+processes.  Use them.  And, before creating new device properties, check to
+be sure that they have not been defined before and either registered in the
+Linux kernel documentation or the UEFI Forum.  If the device drivers supports
+ACPI and DT, please make sure the device properties are consistent in both
+places.
+
+
+Programmable Power Control Resources
+------------------------------------
+Programmable power control resources include such resources as voltage/current
+providers (regulators) and clock sources.
+
+The kernel assumes that power control of these resources is represented with
+Power Resource Objects (ACPI section 7.1).  The ACPI core will then handle
+correctly enabling and disabling resources as they are needed.  In order to
+get that to work, ACPI assumes each device has defined D-states and that these
+can be controlled through the optional ACPI methods _PS0, _PS1, _PS2, and _PS3;
+in ACPI, _PS0 is the method to invoke to turn a device full on, and _PS3 is for
+turning a device full off.
+
+The kernel ACPI code will also assume that the _PS? methods follow the normal
+ACPI rules for such methods:
+
+   -- If either _PS0 or _PS3 is implemented, then the other method must also
+      be implemented.
+
+   -- If a device requires usage or setup of a power resource when on, the ASL
+      should organize that it is allocated/enabled using the _PS0 method.
+
+   -- Resources allocated or enabled in the _PS0 method should be disabled
+      or de-allocated in the _PS3 method.
+
+   -- Firmware will leave the resources in a reasonable state before handing
+      over control to the kernel.
+
+Such code in _PS? methods will of course be very platform specific.  But,
+this allows the driver to abstract out the interface for operating the device
+and avoid having to read special non-standard values from ACPI tables. Further,
+abstracting the use of these resources allows the hardware to change over time
+without requiring updates to the driver.
+
+
+Clocks
+------
+ACPI makes the assumption that clocks are initialized by the firmware -- 
+UEFI, in this case -- to some working value before control is handed over
+to the kernel.  This has implications for devices such as UARTs, or SoC
+driven LCD displays, for example.
+
+When the kernel boots, the clock is assumed to be set to reasonable
+working value.  If for some reason the frequency needs to change -- e.g.,
+throttling for power management -- the device driver should expect that 
+process to be abstracted out into some ACPI method that can be invoked 
+(please see the ACPI specification for further recommendations on standard
+methods to be expected).  If is not, there is no direct way for ACPI to
+control the clocks.
+
+
+Driver Recommendations
+----------------------
+DO NOT remove any DT handling when adding ACPI support for a driver.  The
+same device may be used on many different systems.
+
+DO try to structure the driver so that it is data driven.  That is, set up
+a struct containing internal per-device state based on defaults and whatever
+else must be discovered by the driver probe function.  Then, have the rest
+of the driver operate off of the contents of that struct.  Doing so should
+allow most divergence between ACPI and DT functionality to be kept local to
+the probe function instead of being scattered throughout the driver.  For
+example:
+
+static int device_probe_dt(struct platform_device *pdev)
+{
+	/* DT specific functionality */
+	...
+}
+
+static int device_probe_acpi(struct platform_device *pdev)
+{
+	/* ACPI specific functionality */
+	...
+}
+
+static int device_probe(stuct platform_device *pdev)
+{
+	...
+	struct device_node node = pdev->dev.of_node;
+	...
+
+	if (node)
+		ret = device_probe_dt(pdev);
+	else if (ACPI_HANDLE(&pdev->dev))
+		ret = device_probe_acpi(pdev);
+	else
+		/* other initialization */
+		...
+	/* Continue with any generic probe operations */
+	...
+}
+
+DO keep the MODULE_DEVICE_TABLE entries together in the driver to make it
+clear the different names the driver is probed for, both from DT and from
+ACPI:
+
+static struct of_device_id virtio_mmio_match[] = {
+        { .compatible = "virtio,mmio", },
+        { }
+};
+MODULE_DEVICE_TABLE(of, virtio_mmio_match);
+
+static const struct acpi_device_id virtio_mmio_acpi_match[] = {
+        { "LNRO0005", },
+        { }
+};
+MODULE_DEVICE_TABLE(acpi, virtio_mmio_acpi_match);
+
+
+ASWG
+----
+The following areas are not yet fully defined for ARM in the 5.1 version
+of the ACPI specification and are expected to be worked through in the 
+UEFI ACPI Specification Working Group (ASWG):
+
+   -- ACPI based CPU topology
+   -- ACPI based Power management
+   -- CPU idle control based on PSCI
+   -- CPU performance control (CPPC)
+   -- ACPI based SMMU
+   -- ITS support for GIC in MADT
+
+Participation in this group is open to all UEFI members.  Please see
+http://www.uefi.org/workinggroup for details on group membership.
+
+It is the intent of the ARMv8 ACPI kernel code to follow the ACPI specification
+as closely as possible, and to only implement functionality that complies with
+the released standards from UEFI ASWG.  As a practical matter, there will be
+vendors that provide bad ACPI tables or violate the standards in some way.
+If this is because of errors, quirks and fixups may be necessary, but will
+be avoided if possible.  If there are features missing from ACPI that preclude
+it from being used on a platform, ECRs (Engineering Change Requests) should be
+submitted to ASWG and go through the normal approval process; for those that
+are not UEFI members, many other members of the Linux community are and would
+likely be willing to assist in submitting ECRs.