diff mbox series

[V3,4/8] remoteproc: qcom: add hexagon based WCSS secure PIL driver

Message ID 20250107101647.2087358-5-quic_gokulsri@quicinc.com (mailing list archive)
State New
Headers show
Series Add new driver for WCSS secure PIL loading | expand

Commit Message

Gokul Sriram P Jan. 7, 2025, 10:16 a.m. UTC
From: Vignesh Viswanathan <quic_viswanat@quicinc.com>

Add support to bring up hexagon based WCSS secure PIL remoteproc.
IPQ5332, IPQ9574 supports secure PIL remoteproc.

Signed-off-by: Vignesh Viswanathan <quic_viswanat@quicinc.com>
Signed-off-by: Manikanta Mylavarapu <quic_mmanikan@quicinc.com>
Signed-off-by: Gokul Sriram Palanisamy <quic_gokulsri@quicinc.com>
---
 drivers/remoteproc/Kconfig              |  22 ++
 drivers/remoteproc/Makefile             |   1 +
 drivers/remoteproc/qcom_q6v5_wcss_sec.c | 406 ++++++++++++++++++++++++
 3 files changed, 429 insertions(+)
 create mode 100644 drivers/remoteproc/qcom_q6v5_wcss_sec.c

Comments

Bjorn Andersson Jan. 8, 2025, 4:09 a.m. UTC | #1
On Tue, Jan 07, 2025 at 03:46:43PM +0530, Gokul Sriram Palanisamy wrote:
> From: Vignesh Viswanathan <quic_viswanat@quicinc.com>
> 
> Add support to bring up hexagon based WCSS secure PIL remoteproc.
> IPQ5332, IPQ9574 supports secure PIL remoteproc.

I'd love for this to be extended with a short description of what the
WCSS secure subsystem is, the reason for a new drivers etc. Following
the style of
https://docs.kernel.org/process/submitting-patches.html#describe-your-changes

> 
> Signed-off-by: Vignesh Viswanathan <quic_viswanat@quicinc.com>
> Signed-off-by: Manikanta Mylavarapu <quic_mmanikan@quicinc.com>
> Signed-off-by: Gokul Sriram Palanisamy <quic_gokulsri@quicinc.com>
> ---
>  drivers/remoteproc/Kconfig              |  22 ++
>  drivers/remoteproc/Makefile             |   1 +
>  drivers/remoteproc/qcom_q6v5_wcss_sec.c | 406 ++++++++++++++++++++++++
>  3 files changed, 429 insertions(+)
>  create mode 100644 drivers/remoteproc/qcom_q6v5_wcss_sec.c
> 
> diff --git a/drivers/remoteproc/Kconfig b/drivers/remoteproc/Kconfig
> index 83962a114dc9..c4e94b15c538 100644
> --- a/drivers/remoteproc/Kconfig
> +++ b/drivers/remoteproc/Kconfig
> @@ -255,6 +255,28 @@ config QCOM_Q6V5_WCSS
>  	  Hexagon V5 based WCSS remote processors on e.g. IPQ8074.  This is
>  	  a non-TrustZone wireless subsystem.
>  
> +config QCOM_Q6V5_WCSS_SEC
> +	tristate "Qualcomm Hexagon based WCSS Secure Peripheral Image Loader"
> +	depends on OF && ARCH_QCOM
> +	depends on QCOM_SMEM
> +	depends on RPMSG_QCOM_SMD || RPMSG_QCOM_SMD=n
> +	depends on RPMSG_QCOM_GLINK_SMEM || RPMSG_QCOM_GLINK_SMEM=n
> +	depends on QCOM_SYSMON || QCOM_SYSMON=n
> +	depends on RPMSG_QCOM_GLINK || RPMSG_QCOM_GLINK=n
> +	depends on QCOM_AOSS_QMP || QCOM_AOSS_QMP=n

Please review these depends, did you inherit a few too many?

> +	select QCOM_MDT_LOADER
> +	select QCOM_PIL_INFO
> +	select QCOM_Q6V5_COMMON
> +	select QCOM_RPROC_COMMON
> +	select QCOM_SCM
> +	help
> +	  Say y here to support the Qualcomm Secure Peripheral Image Loader
> +	  for the Hexagon based remote processors on e.g. IPQ5332.
> +
> +	  This is TrustZone wireless subsystem. The firmware is
> +	  verified and booted with the help of the Peripheral Authentication
> +	  System (PAS) in TrustZone.
> +
>  config QCOM_SYSMON
>  	tristate "Qualcomm sysmon driver"
>  	depends on RPMSG
> diff --git a/drivers/remoteproc/Makefile b/drivers/remoteproc/Makefile
> index 5ff4e2fee4ab..d4971b672812 100644
> --- a/drivers/remoteproc/Makefile
> +++ b/drivers/remoteproc/Makefile
> @@ -28,6 +28,7 @@ obj-$(CONFIG_QCOM_Q6V5_ADSP)		+= qcom_q6v5_adsp.o
>  obj-$(CONFIG_QCOM_Q6V5_MSS)		+= qcom_q6v5_mss.o
>  obj-$(CONFIG_QCOM_Q6V5_PAS)		+= qcom_q6v5_pas.o
>  obj-$(CONFIG_QCOM_Q6V5_WCSS)		+= qcom_q6v5_wcss.o
> +obj-$(CONFIG_QCOM_Q6V5_WCSS_SEC)	+= qcom_q6v5_wcss_sec.o
>  obj-$(CONFIG_QCOM_SYSMON)		+= qcom_sysmon.o
>  obj-$(CONFIG_QCOM_WCNSS_PIL)		+= qcom_wcnss_pil.o
>  qcom_wcnss_pil-y			+= qcom_wcnss.o
> diff --git a/drivers/remoteproc/qcom_q6v5_wcss_sec.c b/drivers/remoteproc/qcom_q6v5_wcss_sec.c
> new file mode 100644
> index 000000000000..ef4e893e37c7
> --- /dev/null
> +++ b/drivers/remoteproc/qcom_q6v5_wcss_sec.c
> @@ -0,0 +1,406 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) 2016-2018 Linaro Ltd.
> + * Copyright (C) 2014 Sony Mobile Communications AB
> + * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
> + * Copyright (c) 2024-2025 Qualcomm Innovation Center, Inc. All rights reserved.
> + */
> +#include <linux/clk.h>
> +#include <linux/delay.h>

Please check that all these includes are required.

> +#include <linux/firmware/qcom/qcom_scm.h>
> +#include <linux/interrupt.h>
> +#include <linux/io.h>
> +#include <linux/iopoll.h>
> +#include <linux/kernel.h>
> +#include <linux/module.h>
> +#include <linux/of_address.h>
> +#include <linux/of_device.h>
> +#include <linux/of_reserved_mem.h>
> +#include <linux/platform_device.h>
> +#include <linux/reset.h>
> +#include <linux/soc/qcom/mdt_loader.h>
> +#include <linux/soc/qcom/smem.h>
> +#include <linux/soc/qcom/smem_state.h>
> +#include <linux/mailbox_client.h>
> +#include <linux/mailbox/tmelcom-qmp.h>

This will require mailbox maintainer to first accept the tmelcom mailbox
driver, and share a immutable branch with me (or we have to wait until
this include file trickles in).

Please ensure that mailbox maintainer is aware of this request.

> +#include "qcom_common.h"
> +#include "qcom_q6v5.h"
> +
> +#include "qcom_pil_info.h"
> +#include "remoteproc_internal.h"
> +
> +#define WCSS_CRASH_REASON		421
> +
> +#define WCSS_PAS_ID			0x6
> +#define MPD_WCSS_PAS_ID			0xD

I like lowercase hex digits.

> +
> +struct wcss_sec {
> +	struct device *dev;
> +	struct qcom_rproc_glink glink_subdev;
> +	struct qcom_rproc_ssr ssr_subdev;
> +	struct qcom_q6v5 q6;
> +	phys_addr_t mem_phys;
> +	phys_addr_t mem_reloc;
> +	void *mem_region;
> +	size_t mem_size;
> +	const struct wcss_data *desc;

Assigned but never used.

> +	const char *fw_name;

Assigned but never used.

> +
> +	struct clk *sleep_clk;

Assigned but never used.

> +
> +	struct mbox_client mbox_client;
> +	struct mbox_chan *mbox_chan;
> +	void *metadata;
> +	size_t metadata_len;
> +};
> +
> +struct wcss_data {
> +	u32 pasid;
> +	const struct rproc_ops *ops;
> +	bool auto_boot;
> +	bool tmelcom;
> +};
> +
> +static int wcss_sec_start(struct rproc *rproc)
> +{
> +	struct wcss_sec *wcss = rproc->priv;
> +	struct device *dev = wcss->dev;
> +	const struct wcss_data *desc = of_device_get_match_data(dev);

Please avoid "parsing" DT in runtime.

> +	struct tmel_sec_auth tsa;
> +	struct tmel_qmp_msg tqm;
> +	int ret;
> +
> +	qcom_q6v5_prepare(&wcss->q6);

It would be sensible to check the return value here.

> +
> +	tsa.data = wcss->metadata;

This looks broken.

wcss->metadata is assigned in wcss_sec_load() only if tmelcom, and in
that code path wcss_sec_load() invokes kfree() on the pointer.

So, as far as I can tell, you're either going to pass NULL here or a
pointer to a freed (and perhaps overwritten) buffer.

> +	tsa.size = wcss->metadata_len;
> +	tsa.pas_id = desc->pasid;
> +	tqm.msg = &tsa;
> +	tqm.msg_id = TMEL_MSG_UID_SECBOOT_SEC_AUTH;
> +
> +	if (desc->tmelcom) {

As I point out below, mbox_chan should probably only be assigned when
desc->tmelcom == true, so you wouldn't even need any additional state,
just check if mbox_chan is valid here.

> +		mbox_send_message(wcss->mbox_chan, (void *)&tqm);

This does return errors as well, perhaps worth checking that as well?

> +	} else {
> +		ret = qcom_scm_pas_auth_and_reset(desc->pasid);

Please confirm that you're not required to keep the metadata buffer
passed to PAS init_image during qcom_mdt_load() alive until this point -
as is required by all modern SDMs.

> +		if (ret) {
> +			dev_err(dev, "wcss_reset failed\n");
> +			return ret;
> +		}
> +	}
> +
> +	ret = qcom_q6v5_wait_for_start(&wcss->q6, 5 * HZ);
> +	if (ret == -ETIMEDOUT)
> +		dev_err(dev, "start timed out\n");

Don't you need to qcom_scm_pas_shutdown() here to have QHEEBSP release
the memory back to you?

> +
> +	return ret;
> +}
> +
> +static int wcss_sec_stop(struct rproc *rproc)
> +{
> +	struct wcss_sec *wcss = rproc->priv;
> +	struct device *dev = wcss->dev;
> +	const struct wcss_data *desc = of_device_get_match_data(dev);
> +	struct tmel_sec_auth tsa;
> +	struct tmel_qmp_msg tqm;
> +	int ret;
> +
> +	tsa.pas_id = desc->pasid;

tsa is passing a couple of random values over your mbox. Please
zero-initialize these.

Why is this filled in outside desc->tmelcom, when that's the only place
it's used?

> +	tqm.msg = &tsa;
> +	tqm.msg_id = TMEL_MSG_UID_SECBOOT_SS_TEAR_DOWN;
> +
> +	if (desc->tmelcom) {
> +		mbox_send_message(wcss->mbox_chan, (void *)&tqm);
> +	} else {
> +		ret = qcom_scm_pas_shutdown(desc->pasid);
> +		if (ret) {
> +			dev_err(dev, "not able to shutdown\n");
> +			return ret;
> +		}
> +	}
> +
> +	qcom_q6v5_unprepare(&wcss->q6);
> +
> +	return 0;
> +}
> +
> +static void *wcss_sec_da_to_va(struct rproc *rproc, u64 da, size_t len,
> +			       bool *is_iomem)
> +{
> +	struct wcss_sec *wcss = rproc->priv;
> +	int offset;
> +
> +	offset = da - wcss->mem_reloc;
> +	if (offset < 0 || offset + len > wcss->mem_size)
> +		return NULL;
> +
> +	return wcss->mem_region + offset;
> +}
> +
> +static int wcss_sec_load(struct rproc *rproc, const struct firmware *fw)
> +{
> +	struct wcss_sec *wcss = rproc->priv;
> +	struct device *dev = wcss->dev;
> +	const struct wcss_data *desc = of_device_get_match_data(dev);
> +	int ret;
> +
> +	if (desc->tmelcom) {
> +		wcss->metadata = qcom_mdt_read_metadata(fw, &wcss->metadata_len,
> +							rproc->firmware, wcss->dev);
> +		if (IS_ERR(wcss->metadata)) {
> +			ret = PTR_ERR(wcss->metadata);
> +			dev_err(wcss->dev, "error %d reading firmware %s metadata\n",
> +				ret, rproc->firmware);
> +			return ret;
> +		}
> +
> +		ret = qcom_mdt_load_no_init(wcss->dev, fw, rproc->firmware, desc->pasid,
> +					    wcss->mem_region, wcss->mem_phys, wcss->mem_size,
> +					    &wcss->mem_reloc);
> +		kfree(wcss->metadata);
> +	} else {
> +		ret = qcom_mdt_load(dev, fw, rproc->firmware, desc->pasid, wcss->mem_region,
> +				    wcss->mem_phys, wcss->mem_size, &wcss->mem_reloc);
> +	}
> +
> +	if (ret)
> +		return ret;
> +
> +	qcom_pil_info_store("wcss", wcss->mem_phys, wcss->mem_size);
> +
> +	return ret;

ret can't be anything but 0 here, so better just write that.

> +}
> +
> +static unsigned long wcss_sec_panic(struct rproc *rproc)
> +{
> +	struct wcss_sec *wcss = rproc->priv;
> +
> +	return qcom_q6v5_panic(&wcss->q6);
> +}
> +
> +static void wcss_sec_copy_segment(struct rproc *rproc,
> +				  struct rproc_dump_segment *segment,
> +				  void *dest, size_t offset, size_t size)
> +{
> +	struct wcss_sec *wcss = rproc->priv;
> +	struct device *dev = wcss->dev;
> +	void *ptr;
> +
> +	ptr = ioremap_wc(segment->da, segment->size);
> +	if (!ptr) {
> +		dev_err(dev, "Failed to ioremap segment %pad size %zx\n",

Make that %#zx to ensure that the base 16 size is prefixed with 0x

> +			&segment->da, segment->size);
> +		return;
> +	}
> +
> +	if (size <= segment->size - offset)

I'd prefer if the expression in the check and access are on the same
form. I.e. test offset + size vs segement->size

> +		memcpy(dest, ptr + offset, size);
> +	else
> +		dev_err(dev, "Copy size greater than segment size. Skipping\n");
> +	iounmap(ptr);
> +}
> +
> +static int wcss_sec_dump_segments(struct rproc *rproc,
> +				  const struct firmware *fw)
> +{
> +	struct device *dev = rproc->dev.parent;
> +	struct reserved_mem *rmem = NULL;
> +	struct device_node *node;
> +	int num_segs, index = 0;
> +	int ret;
> +
> +	/* Parse through additional reserved memory regions for the rproc

Leave first line in multiline comment blank, as the docs says.

> +	 * and add them to the coredump segments
> +	 */
> +	num_segs = of_count_phandle_with_args(dev->of_node,
> +					      "memory-region", NULL);
> +	while (index < num_segs) {

You're zero-initializing index above, checking index here and explicitly
increment it at the bottom of the loop. Why isn't this written as a for
loop?

> +		node = of_parse_phandle(dev->of_node,
> +					"memory-region", index);
> +		if (!node)
> +			return -EINVAL;
> +
> +		rmem = of_reserved_mem_lookup(node);
> +		of_node_put(node);
> +		if (!rmem) {
> +			dev_err(dev, "unable to acquire memory-region index %d num_segs %d\n",
> +				index, num_segs);
> +			return -EINVAL;
> +		}
> +
> +		dev_dbg(dev, "Adding segment 0x%pa size 0x%pa",
> +			&rmem->base, &rmem->size);
> +		ret = rproc_coredump_add_custom_segment(rproc,
> +							rmem->base,
> +							rmem->size,
> +							wcss_sec_copy_segment,
> +							NULL);
> +		if (ret)
> +			return ret;
> +
> +		index++;
> +	}
> +
> +	return 0;
> +}
> +
> +static const struct rproc_ops wcss_sec_ops = {
> +	.start = wcss_sec_start,
> +	.stop = wcss_sec_stop,
> +	.da_to_va = wcss_sec_da_to_va,
> +	.load = wcss_sec_load,
> +	.get_boot_addr = rproc_elf_get_boot_addr,
> +	.panic = wcss_sec_panic,
> +	.parse_fw = wcss_sec_dump_segments,
> +};
> +
> +static int wcss_sec_alloc_memory_region(struct wcss_sec *wcss)
> +{
> +	struct reserved_mem *rmem = NULL;
> +	struct device_node *node;
> +	struct device *dev = wcss->dev;
> +
> +	node = of_parse_phandle(dev->of_node, "memory-region", 0);
> +	if (!node) {
> +		dev_err(dev, "can't find phandle memory-region\n");
> +		return -EINVAL;
> +	}
> +
> +	rmem = of_reserved_mem_lookup(node);
> +	of_node_put(node);
> +
> +	if (!rmem) {
> +		dev_err(dev, "unable to acquire memory-region\n");
> +		return -EINVAL;
> +	}
> +
> +	wcss->mem_phys = rmem->base;
> +	wcss->mem_reloc = rmem->base;
> +	wcss->mem_size = rmem->size;
> +	wcss->mem_region = devm_ioremap_wc(dev, wcss->mem_phys, wcss->mem_size);
> +	if (!wcss->mem_region) {
> +		dev_err(dev, "unable to map memory region: %pa+%pa\n",
> +			&rmem->base, &rmem->size);
> +		return -ENOMEM;
> +	}
> +
> +	return 0;
> +}
> +
> +static int wcss_sec_probe(struct platform_device *pdev)
> +{
> +	struct wcss_sec *wcss;
> +	struct rproc *rproc;
> +	const char *fw_name = NULL;
> +	const struct wcss_data *desc = of_device_get_match_data(&pdev->dev);
> +	int ret;
> +
> +	if (!desc)
> +		return -EINVAL;

It shouldn't be possible to get here with desc == NULL, so let the
person have an oops with a callstack to aid debugging. (I.e. remove the
check)

> +
> +	ret = of_property_read_string(pdev->dev.of_node, "firmware-name",
> +				      &fw_name);
> +	if (ret < 0)
> +		return ret;
> +
> +	rproc = devm_rproc_alloc(&pdev->dev, pdev->name, desc->ops, fw_name,
> +				 sizeof(*wcss));

Not sure how your system composition looks like, but please consider
something like b64b1266d619 ("remoteproc: qcom: pas: Make remoteproc
name human friendly"), to avoid the human-unfriendly pdev->name. (Only
if possible)

> +	if (!rproc) {
> +		dev_err(&pdev->dev, "failed to allocate rproc\n");
> +		return -ENOMEM;
> +	}
> +
> +	wcss = rproc->priv;
> +	wcss->dev = &pdev->dev;
> +	wcss->desc = desc;
> +	wcss->fw_name = fw_name;
> +
> +	ret = wcss_sec_alloc_memory_region(wcss);
> +	if (ret)
> +		return ret;
> +
> +	wcss->sleep_clk = devm_clk_get_optional_enabled(&pdev->dev, "sleep");
> +	if (IS_ERR(wcss->sleep_clk))
> +		return dev_err_probe(&pdev->dev, PTR_ERR(wcss->sleep_clk),
> +				     "Failed to get sleep clock\n");
> +
> +	ret = qcom_q6v5_init(&wcss->q6, pdev, rproc,
> +			     WCSS_CRASH_REASON, NULL, NULL);
> +	if (ret)
> +		return ret;
> +
> +	qcom_add_glink_subdev(rproc, &wcss->glink_subdev, "q6wcss");
> +	qcom_add_ssr_subdev(rproc, &wcss->ssr_subdev, pdev->name);
> +
> +	rproc->auto_boot = desc->auto_boot;
> +	rproc->dump_conf = RPROC_COREDUMP_INLINE;
> +	rproc_coredump_set_elf_info(rproc, ELFCLASS32, EM_NONE);
> +
> +	ret = devm_rproc_add(&pdev->dev, rproc);

In the event of auto_boot, I believe it should be possible to enter
wcss_sec_load() et al from this point onwards. So, it seems reasonable
to acquire mbox_chan prior to registering the remoteproc.

> +	if (ret)
> +		return ret;
> +
> +	platform_set_drvdata(pdev, rproc);
> +
> +	wcss->mbox_client.dev = wcss->dev;
> +	wcss->mbox_client.knows_txdone = true;
> +	wcss->mbox_client.tx_block = true;
> +	wcss->mbox_chan = mbox_request_channel(&wcss->mbox_client, 0);

"mboxes" is optional in binding, but seems to be required here, but then
mbox_chan is only accessed when tmelcom is true.

Should mbox_request_channel() be made conditional on tmelcom?

> +	if (IS_ERR(wcss->mbox_chan)) {
> +		dev_err(wcss->dev, "mbox chan for IPC is missing\n");
> +		return PTR_ERR(wcss->mbox_chan);
> +	}
> +
> +	return 0;

qcom_q6v5_pas.c was recently updated to clean up various things on
error, please do the same here.

> +}
> +
> +static void wcss_sec_remove(struct platform_device *pdev)
> +{
> +	struct rproc *rproc = platform_get_drvdata(pdev);
> +	struct wcss_sec *wcss = rproc->priv;
> +
> +	qcom_q6v5_deinit(&wcss->q6);
> +	qcom_remove_glink_subdev(rproc, &wcss->glink_subdev);
> +	qcom_remove_ssr_subdev(rproc, &wcss->ssr_subdev);

mbox_chan?

> +}
> +
> +static const struct wcss_data wcss_sec_ipq5332_res_init = {
> +	.pasid = MPD_WCSS_PAS_ID,
> +	.auto_boot = true,
> +	.ops = &wcss_sec_ops,

Please avoid unnecessary flexibility (i.e. ops is always wcss_sec_ops).

> +	.tmelcom = false,
> +};
> +
> +static const struct wcss_data wcss_sec_ipq9574_res_init = {
> +	.pasid = WCSS_PAS_ID,
> +	.auto_boot = true,
> +	.ops = &wcss_sec_ops,
> +	.tmelcom = false,
> +};
> +
> +static const struct wcss_data wcss_sec_ipq5424_res_init = {
> +	.pasid = MPD_WCSS_PAS_ID,
> +	.auto_boot = true,
> +	.ops = &wcss_sec_ops,
> +	.tmelcom = true,
> +};
> +
> +static const struct of_device_id wcss_sec_of_match[] = {
> +	{ .compatible = "qcom,ipq5332-wcss-sec-pil", .data = &wcss_sec_ipq5332_res_init },
> +	{ .compatible = "qcom,ipq9574-wcss-sec-pil", .data = &wcss_sec_ipq9574_res_init },
> +	{ .compatible = "qcom,ipq5424-wcss-sec-pil", .data = &wcss_sec_ipq5424_res_init },

Please sort alphabetically.

> +	{ },
> +};
> +MODULE_DEVICE_TABLE(of, wcss_sec_of_match);
> +

Regards,
Bjorn

> +static struct platform_driver wcss_sec_driver = {
> +	.probe = wcss_sec_probe,
> +	.remove = wcss_sec_remove,
> +	.driver = {
> +		.name = "qcom-wcss-secure-pil",
> +		.of_match_table = wcss_sec_of_match,
> +	},
> +};
> +module_platform_driver(wcss_sec_driver);
> +
> +MODULE_DESCRIPTION("Hexagon WCSS Secure Peripheral Image Loader");
> +MODULE_LICENSE("GPL");
> -- 
> 2.34.1
>
Sricharan Ramabadhran Jan. 8, 2025, 6:29 a.m. UTC | #2
[..]

>> +#include <linux/firmware/qcom/qcom_scm.h>
>> +#include <linux/interrupt.h>
>> +#include <linux/io.h>
>> +#include <linux/iopoll.h>
>> +#include <linux/kernel.h>
>> +#include <linux/module.h>
>> +#include <linux/of_address.h>
>> +#include <linux/of_device.h>
>> +#include <linux/of_reserved_mem.h>
>> +#include <linux/platform_device.h>
>> +#include <linux/reset.h>
>> +#include <linux/soc/qcom/mdt_loader.h>
>> +#include <linux/soc/qcom/smem.h>
>> +#include <linux/soc/qcom/smem_state.h>
>> +#include <linux/mailbox_client.h>
>> +#include <linux/mailbox/tmelcom-qmp.h>
> 
> This will require mailbox maintainer to first accept the tmelcom mailbox
> driver, and share a immutable branch with me (or we have to wait until
> this include file trickles in).
> 
> Please ensure that mailbox maintainer is aware of this request.

Hi Bjorn,
  The plan is, in the next spin of TMEL[V3], tmel driver will take care
  of routing the request to either SCM(or)TMEL, so that client drivers
  like rproc/crypto etc which requires those secure services can be
  abstract (ie) just do a mbox_send_message with a SCM cmd id. That way
  for adding any future secure services in client drivers, nothing
  extra needs to be done and this will avoid this header dependency
  as well. Is that approach fine ?

Regards,
Sricharan
Sricharan Ramabadhran Jan. 8, 2025, 6:42 a.m. UTC | #3
On 1/8/2025 11:59 AM, Sricharan Ramabadhran wrote:
> [..]
> 
>>> +#include <linux/firmware/qcom/qcom_scm.h>
>>> +#include <linux/interrupt.h>
>>> +#include <linux/io.h>
>>> +#include <linux/iopoll.h>
>>> +#include <linux/kernel.h>
>>> +#include <linux/module.h>
>>> +#include <linux/of_address.h>
>>> +#include <linux/of_device.h>
>>> +#include <linux/of_reserved_mem.h>
>>> +#include <linux/platform_device.h>
>>> +#include <linux/reset.h>
>>> +#include <linux/soc/qcom/mdt_loader.h>
>>> +#include <linux/soc/qcom/smem.h>
>>> +#include <linux/soc/qcom/smem_state.h>
>>> +#include <linux/mailbox_client.h>
>>> +#include <linux/mailbox/tmelcom-qmp.h>
>>
>> This will require mailbox maintainer to first accept the tmelcom mailbox
>> driver, and share a immutable branch with me (or we have to wait until
>> this include file trickles in).
>>
>> Please ensure that mailbox maintainer is aware of this request.
> 
> Hi Bjorn,
>   The plan is, in the next spin of TMEL[V3], tmel driver will take care
>   of routing the request to either SCM(or)TMEL, so that client drivers
>   like rproc/crypto etc which requires those secure services can be
>   abstract (ie) just do a mbox_send_message with a SCM cmd id. That way
>   for adding any future secure services in client drivers, nothing
>   extra needs to be done and this will avoid this header dependency
>   as well. Is that approach fine ?

Ok, with more thought, i guess this approach will not work. Will stick
to what you are suggesting, just use mbox->chan available in client
itself to take the decision.

Regards,
  Sricharan
Gokul Sriram P Jan. 9, 2025, 12:18 p.m. UTC | #4
On 1/8/2025 9:39 AM, Bjorn Andersson wrote:
> On Tue, Jan 07, 2025 at 03:46:43PM +0530, Gokul Sriram Palanisamy wrote:
>> From: Vignesh Viswanathan <quic_viswanat@quicinc.com>
>>
>> Add support to bring up hexagon based WCSS secure PIL remoteproc.
>> IPQ5332, IPQ9574 supports secure PIL remoteproc.
> 
> I'd love for this to be extended with a short description of what the
> WCSS secure subsystem is, the reason for a new drivers etc. Following
> the style of
> https://docs.kernel.org/process/submitting-patches.html#describe-your-changes
> 

Sure. Bjorn. Will add it here.

>>
>> Signed-off-by: Vignesh Viswanathan <quic_viswanat@quicinc.com>
>> Signed-off-by: Manikanta Mylavarapu <quic_mmanikan@quicinc.com>
>> Signed-off-by: Gokul Sriram Palanisamy <quic_gokulsri@quicinc.com>
>> ---
>>  drivers/remoteproc/Kconfig              |  22 ++
>>  drivers/remoteproc/Makefile             |   1 +
>>  drivers/remoteproc/qcom_q6v5_wcss_sec.c | 406 ++++++++++++++++++++++++
>>  3 files changed, 429 insertions(+)
>>  create mode 100644 drivers/remoteproc/qcom_q6v5_wcss_sec.c
>>
>> diff --git a/drivers/remoteproc/Kconfig b/drivers/remoteproc/Kconfig
>> index 83962a114dc9..c4e94b15c538 100644
>> --- a/drivers/remoteproc/Kconfig
>> +++ b/drivers/remoteproc/Kconfig
>> @@ -255,6 +255,28 @@ config QCOM_Q6V5_WCSS
>>  	  Hexagon V5 based WCSS remote processors on e.g. IPQ8074.  This is
>>  	  a non-TrustZone wireless subsystem.
>>  
>> +config QCOM_Q6V5_WCSS_SEC
>> +	tristate "Qualcomm Hexagon based WCSS Secure Peripheral Image Loader"
>> +	depends on OF && ARCH_QCOM
>> +	depends on QCOM_SMEM
>> +	depends on RPMSG_QCOM_SMD || RPMSG_QCOM_SMD=n
>> +	depends on RPMSG_QCOM_GLINK_SMEM || RPMSG_QCOM_GLINK_SMEM=n
>> +	depends on QCOM_SYSMON || QCOM_SYSMON=n
>> +	depends on RPMSG_QCOM_GLINK || RPMSG_QCOM_GLINK=n
>> +	depends on QCOM_AOSS_QMP || QCOM_AOSS_QMP=n
> 
> Please review these depends, did you inherit a few too many?

sure. Will address.

> 
>> +	select QCOM_MDT_LOADER
>> +	select QCOM_PIL_INFO
>> +	select QCOM_Q6V5_COMMON
>> +	select QCOM_RPROC_COMMON
>> +	select QCOM_SCM
>> +	help
>> +	  Say y here to support the Qualcomm Secure Peripheral Image Loader
>> +	  for the Hexagon based remote processors on e.g. IPQ5332.
>> +
>> +	  This is TrustZone wireless subsystem. The firmware is
>> +	  verified and booted with the help of the Peripheral Authentication
>> +	  System (PAS) in TrustZone.
>> +
>>  config QCOM_SYSMON
>>  	tristate "Qualcomm sysmon driver"
>>  	depends on RPMSG
>> diff --git a/drivers/remoteproc/Makefile b/drivers/remoteproc/Makefile
>> index 5ff4e2fee4ab..d4971b672812 100644
>> --- a/drivers/remoteproc/Makefile
>> +++ b/drivers/remoteproc/Makefile
>> @@ -28,6 +28,7 @@ obj-$(CONFIG_QCOM_Q6V5_ADSP)		+= qcom_q6v5_adsp.o
>>  obj-$(CONFIG_QCOM_Q6V5_MSS)		+= qcom_q6v5_mss.o
>>  obj-$(CONFIG_QCOM_Q6V5_PAS)		+= qcom_q6v5_pas.o
>>  obj-$(CONFIG_QCOM_Q6V5_WCSS)		+= qcom_q6v5_wcss.o
>> +obj-$(CONFIG_QCOM_Q6V5_WCSS_SEC)	+= qcom_q6v5_wcss_sec.o
>>  obj-$(CONFIG_QCOM_SYSMON)		+= qcom_sysmon.o
>>  obj-$(CONFIG_QCOM_WCNSS_PIL)		+= qcom_wcnss_pil.o
>>  qcom_wcnss_pil-y			+= qcom_wcnss.o
>> diff --git a/drivers/remoteproc/qcom_q6v5_wcss_sec.c b/drivers/remoteproc/qcom_q6v5_wcss_sec.c
>> new file mode 100644
>> index 000000000000..ef4e893e37c7
>> --- /dev/null
>> +++ b/drivers/remoteproc/qcom_q6v5_wcss_sec.c
>> @@ -0,0 +1,406 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/*
>> + * Copyright (C) 2016-2018 Linaro Ltd.
>> + * Copyright (C) 2014 Sony Mobile Communications AB
>> + * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
>> + * Copyright (c) 2024-2025 Qualcomm Innovation Center, Inc. All rights reserved.
>> + */
>> +#include <linux/clk.h>
>> +#include <linux/delay.h>
> 
> Please check that all these includes are required.
> 

sure. will address.

>> +#include <linux/firmware/qcom/qcom_scm.h>
>> +#include <linux/interrupt.h>
>> +#include <linux/io.h>
>> +#include <linux/iopoll.h>
>> +#include <linux/kernel.h>
>> +#include <linux/module.h>
>> +#include <linux/of_address.h>
>> +#include <linux/of_device.h>
>> +#include <linux/of_reserved_mem.h>
>> +#include <linux/platform_device.h>
>> +#include <linux/reset.h>
>> +#include <linux/soc/qcom/mdt_loader.h>
>> +#include <linux/soc/qcom/smem.h>
>> +#include <linux/soc/qcom/smem_state.h>
>> +#include <linux/mailbox_client.h>
>> +#include <linux/mailbox/tmelcom-qmp.h>
> 
> This will require mailbox maintainer to first accept the tmelcom mailbox
> driver, and share a immutable branch with me (or we have to wait until
> this include file trickles in).
> 
> Please ensure that mailbox maintainer is aware of this request.
> 

understood.

>> +#include "qcom_common.h"
>> +#include "qcom_q6v5.h"
>> +

sure.

>> +#include "qcom_pil_info.h"
>> +#include "remoteproc_internal.h"
>> +
>> +#define WCSS_CRASH_REASON		421
>> +
>> +#define WCSS_PAS_ID			0x6
>> +#define MPD_WCSS_PAS_ID			0xD
> 
> I like lowercase hex digits.
> 
>> +
>> +struct wcss_sec {
>> +	struct device *dev;
>> +	struct qcom_rproc_glink glink_subdev;
>> +	struct qcom_rproc_ssr ssr_subdev;
>> +	struct qcom_q6v5 q6;
>> +	phys_addr_t mem_phys;
>> +	phys_addr_t mem_reloc;
>> +	void *mem_region;
>> +	size_t mem_size;
>> +	const struct wcss_data *desc;
> 
> Assigned but never used.
> 
>> +	const char *fw_name;
> 
> Assigned but never used.
> 
>> +
>> +	struct clk *sleep_clk;
> 
> Assigned but never used.
> 

will remove. Thanks

>> +
>> +	struct mbox_client mbox_client;
>> +	struct mbox_chan *mbox_chan;
>> +	void *metadata;
>> +	size_t metadata_len;
>> +};
>> +
>> +struct wcss_data {
>> +	u32 pasid;
>> +	const struct rproc_ops *ops;
>> +	bool auto_boot;
>> +	bool tmelcom;
>> +};
>> +
>> +static int wcss_sec_start(struct rproc *rproc)
>> +{
>> +	struct wcss_sec *wcss = rproc->priv;
>> +	struct device *dev = wcss->dev;
>> +	const struct wcss_data *desc = of_device_get_match_data(dev);
> 
> Please avoid "parsing" DT in runtime.

I didn't underatand this.

> 
>> +	struct tmel_sec_auth tsa;
>> +	struct tmel_qmp_msg tqm;
>> +	int ret;
>> +
>> +	qcom_q6v5_prepare(&wcss->q6);
> 
> It would be sensible to check the return value here.
> 

sure. Will address.

>> +
>> +	tsa.data = wcss->metadata;
> 
> This looks broken.
> 
> wcss->metadata is assigned in wcss_sec_load() only if tmelcom, and in
> that code path wcss_sec_load() invokes kfree() on the pointer.
> 
> So, as far as I can tell, you're either going to pass NULL here or a
> pointer to a freed (and perhaps overwritten) buffer.
> 

got it. will fix.

>> +	tsa.size = wcss->metadata_len;
>> +	tsa.pas_id = desc->pasid;
>> +	tqm.msg = &tsa;
>> +	tqm.msg_id = TMEL_MSG_UID_SECBOOT_SEC_AUTH;
>> +
>> +	if (desc->tmelcom) {
> 
> As I point out below, mbox_chan should probably only be assigned when
> desc->tmelcom == true, so you wouldn't even need any additional state,
> just check if mbox_chan is valid here.
> 
>> +		mbox_send_message(wcss->mbox_chan, (void *)&tqm);
> 
> This does return errors as well, perhaps worth checking that as well?
> 
>> +	} else {
>> +		ret = qcom_scm_pas_auth_and_reset(desc->pasid);
> 
> Please confirm that you're not required to keep the metadata buffer
> passed to PAS init_image during qcom_mdt_load() alive until this point -
> as is required by all modern SDMs.
> 

will address.

>> +		if (ret) {
>> +			dev_err(dev, "wcss_reset failed\n");
>> +			return ret;
>> +		}
>> +	}
>> +
>> +	ret = qcom_q6v5_wait_for_start(&wcss->q6, 5 * HZ);
>> +	if (ret == -ETIMEDOUT)
>> +		dev_err(dev, "start timed out\n");
> 
> Don't you need to qcom_scm_pas_shutdown() here to have QHEEBSP release
> the memory back to you?
> 

yes. Will need. Will fix.

>> +
>> +	return ret;
>> +}
>> +
>> +static int wcss_sec_stop(struct rproc *rproc)
>> +{
>> +	struct wcss_sec *wcss = rproc->priv;
>> +	struct device *dev = wcss->dev;
>> +	const struct wcss_data *desc = of_device_get_match_data(dev);
>> +	struct tmel_sec_auth tsa;
>> +	struct tmel_qmp_msg tqm;
>> +	int ret;
>> +
>> +	tsa.pas_id = desc->pasid;
> 
> tsa is passing a couple of random values over your mbox. Please
> zero-initialize these.
> 
> Why is this filled in outside desc->tmelcom, when that's the only place
> it's used?
> 

will address.

>> +	tqm.msg = &tsa;
>> +	tqm.msg_id = TMEL_MSG_UID_SECBOOT_SS_TEAR_DOWN;
>> +
>> +	if (desc->tmelcom) {
>> +		mbox_send_message(wcss->mbox_chan, (void *)&tqm);
>> +	} else {
>> +		ret = qcom_scm_pas_shutdown(desc->pasid);
>> +		if (ret) {
>> +			dev_err(dev, "not able to shutdown\n");
>> +			return ret;
>> +		}
>> +	}
>> +
>> +	qcom_q6v5_unprepare(&wcss->q6);
>> +
>> +	return 0;
>> +}
>> +
>> +static void *wcss_sec_da_to_va(struct rproc *rproc, u64 da, size_t len,
>> +			       bool *is_iomem)
>> +{
>> +	struct wcss_sec *wcss = rproc->priv;
>> +	int offset;
>> +
>> +	offset = da - wcss->mem_reloc;
>> +	if (offset < 0 || offset + len > wcss->mem_size)
>> +		return NULL;
>> +
>> +	return wcss->mem_region + offset;
>> +}
>> +
>> +static int wcss_sec_load(struct rproc *rproc, const struct firmware *fw)
>> +{
>> +	struct wcss_sec *wcss = rproc->priv;
>> +	struct device *dev = wcss->dev;
>> +	const struct wcss_data *desc = of_device_get_match_data(dev);
>> +	int ret;
>> +
>> +	if (desc->tmelcom) {
>> +		wcss->metadata = qcom_mdt_read_metadata(fw, &wcss->metadata_len,
>> +							rproc->firmware, wcss->dev);
>> +		if (IS_ERR(wcss->metadata)) {
>> +			ret = PTR_ERR(wcss->metadata);
>> +			dev_err(wcss->dev, "error %d reading firmware %s metadata\n",
>> +				ret, rproc->firmware);
>> +			return ret;
>> +		}
>> +
>> +		ret = qcom_mdt_load_no_init(wcss->dev, fw, rproc->firmware, desc->pasid,
>> +					    wcss->mem_region, wcss->mem_phys, wcss->mem_size,
>> +					    &wcss->mem_reloc);
>> +		kfree(wcss->metadata);
>> +	} else {
>> +		ret = qcom_mdt_load(dev, fw, rproc->firmware, desc->pasid, wcss->mem_region,
>> +				    wcss->mem_phys, wcss->mem_size, &wcss->mem_reloc);
>> +	}
>> +
>> +	if (ret)
>> +		return ret;
>> +
>> +	qcom_pil_info_store("wcss", wcss->mem_phys, wcss->mem_size);
>> +
>> +	return ret;
> 
> ret can't be anything but 0 here, so better just write that.
> 

right. Will fix.

>> +}
>> +
>> +static unsigned long wcss_sec_panic(struct rproc *rproc)
>> +{
>> +	struct wcss_sec *wcss = rproc->priv;
>> +
>> +	return qcom_q6v5_panic(&wcss->q6);
>> +}
>> +
>> +static void wcss_sec_copy_segment(struct rproc *rproc,
>> +				  struct rproc_dump_segment *segment,
>> +				  void *dest, size_t offset, size_t size)
>> +{
>> +	struct wcss_sec *wcss = rproc->priv;
>> +	struct device *dev = wcss->dev;
>> +	void *ptr;
>> +
>> +	ptr = ioremap_wc(segment->da, segment->size);
>> +	if (!ptr) {
>> +		dev_err(dev, "Failed to ioremap segment %pad size %zx\n",
> 
> Make that %#zx to ensure that the base 16 size is prefixed with 0x
> 

will do.

>> +			&segment->da, segment->size);
>> +		return;
>> +	}
>> +
>> +	if (size <= segment->size - offset)
> 
> I'd prefer if the expression in the check and access are on the same
> form. I.e. test offset + size vs segement->size

oh, sure. got it.

> 
>> +		memcpy(dest, ptr + offset, size);
>> +	else
>> +		dev_err(dev, "Copy size greater than segment size. Skipping\n");
>> +	iounmap(ptr);
>> +}
>> +
>> +static int wcss_sec_dump_segments(struct rproc *rproc,
>> +				  const struct firmware *fw)
>> +{
>> +	struct device *dev = rproc->dev.parent;
>> +	struct reserved_mem *rmem = NULL;
>> +	struct device_node *node;
>> +	int num_segs, index = 0;
>> +	int ret;
>> +
>> +	/* Parse through additional reserved memory regions for the rproc
> 
> Leave first line in multiline comment blank, as the docs says.
> 

Got it.

>> +	 * and add them to the coredump segments
>> +	 */
>> +	num_segs = of_count_phandle_with_args(dev->of_node,
>> +					      "memory-region", NULL);
>> +	while (index < num_segs) {
> 
> You're zero-initializing index above, checking index here and explicitly
> increment it at the bottom of the loop. Why isn't this written as a for
> loop?

Right. for loop looks appropriate. Will fix.

> 
>> +		node = of_parse_phandle(dev->of_node,
>> +					"memory-region", index);
>> +		if (!node)
>> +			return -EINVAL;
>> +
>> +		rmem = of_reserved_mem_lookup(node);
>> +		of_node_put(node);
>> +		if (!rmem) {
>> +			dev_err(dev, "unable to acquire memory-region index %d num_segs %d\n",
>> +				index, num_segs);
>> +			return -EINVAL;
>> +		}
>> +
>> +		dev_dbg(dev, "Adding segment 0x%pa size 0x%pa",
>> +			&rmem->base, &rmem->size);
>> +		ret = rproc_coredump_add_custom_segment(rproc,
>> +							rmem->base,
>> +							rmem->size,
>> +							wcss_sec_copy_segment,
>> +							NULL);
>> +		if (ret)
>> +			return ret;
>> +
>> +		index++;
>> +	}
>> +
>> +	return 0;
>> +}
>> +
>> +static const struct rproc_ops wcss_sec_ops = {
>> +	.start = wcss_sec_start,
>> +	.stop = wcss_sec_stop,
>> +	.da_to_va = wcss_sec_da_to_va,
>> +	.load = wcss_sec_load,
>> +	.get_boot_addr = rproc_elf_get_boot_addr,
>> +	.panic = wcss_sec_panic,
>> +	.parse_fw = wcss_sec_dump_segments,
>> +};
>> +
>> +static int wcss_sec_alloc_memory_region(struct wcss_sec *wcss)
>> +{
>> +	struct reserved_mem *rmem = NULL;
>> +	struct device_node *node;
>> +	struct device *dev = wcss->dev;
>> +
>> +	node = of_parse_phandle(dev->of_node, "memory-region", 0);
>> +	if (!node) {
>> +		dev_err(dev, "can't find phandle memory-region\n");
>> +		return -EINVAL;
>> +	}
>> +
>> +	rmem = of_reserved_mem_lookup(node);
>> +	of_node_put(node);
>> +
>> +	if (!rmem) {
>> +		dev_err(dev, "unable to acquire memory-region\n");
>> +		return -EINVAL;
>> +	}
>> +
>> +	wcss->mem_phys = rmem->base;
>> +	wcss->mem_reloc = rmem->base;
>> +	wcss->mem_size = rmem->size;
>> +	wcss->mem_region = devm_ioremap_wc(dev, wcss->mem_phys, wcss->mem_size);
>> +	if (!wcss->mem_region) {
>> +		dev_err(dev, "unable to map memory region: %pa+%pa\n",
>> +			&rmem->base, &rmem->size);
>> +		return -ENOMEM;
>> +	}
>> +
>> +	return 0;
>> +}
>> +
>> +static int wcss_sec_probe(struct platform_device *pdev)
>> +{
>> +	struct wcss_sec *wcss;
>> +	struct rproc *rproc;
>> +	const char *fw_name = NULL;
>> +	const struct wcss_data *desc = of_device_get_match_data(&pdev->dev);
>> +	int ret;
>> +
>> +	if (!desc)
>> +		return -EINVAL;
> 
> It shouldn't be possible to get here with desc == NULL, so let the
> person have an oops with a callstack to aid debugging. (I.e. remove the
> check)
> 

ok, will do.

>> +
>> +	ret = of_property_read_string(pdev->dev.of_node, "firmware-name",
>> +				      &fw_name);
>> +	if (ret < 0)
>> +		return ret;
>> +
>> +	rproc = devm_rproc_alloc(&pdev->dev, pdev->name, desc->ops, fw_name,
>> +				 sizeof(*wcss));
> 
> Not sure how your system composition looks like, but please consider
> something like b64b1266d619 ("remoteproc: qcom: pas: Make remoteproc
> name human friendly"), to avoid the human-unfriendly pdev->name. (Only
> if possible)
> 

sure. will check.

>> +	if (!rproc) {
>> +		dev_err(&pdev->dev, "failed to allocate rproc\n");
>> +		return -ENOMEM;
>> +	}
>> +
>> +	wcss = rproc->priv;
>> +	wcss->dev = &pdev->dev;
>> +	wcss->desc = desc;
>> +	wcss->fw_name = fw_name;
>> +
>> +	ret = wcss_sec_alloc_memory_region(wcss);
>> +	if (ret)
>> +		return ret;
>> +
>> +	wcss->sleep_clk = devm_clk_get_optional_enabled(&pdev->dev, "sleep");
>> +	if (IS_ERR(wcss->sleep_clk))
>> +		return dev_err_probe(&pdev->dev, PTR_ERR(wcss->sleep_clk),
>> +				     "Failed to get sleep clock\n");
>> +
>> +	ret = qcom_q6v5_init(&wcss->q6, pdev, rproc,
>> +			     WCSS_CRASH_REASON, NULL, NULL);
>> +	if (ret)
>> +		return ret;
>> +
>> +	qcom_add_glink_subdev(rproc, &wcss->glink_subdev, "q6wcss");
>> +	qcom_add_ssr_subdev(rproc, &wcss->ssr_subdev, pdev->name);
>> +
>> +	rproc->auto_boot = desc->auto_boot;
>> +	rproc->dump_conf = RPROC_COREDUMP_INLINE;
>> +	rproc_coredump_set_elf_info(rproc, ELFCLASS32, EM_NONE);
>> +
>> +	ret = devm_rproc_add(&pdev->dev, rproc);
> 
> In the event of auto_boot, I believe it should be possible to enter
> wcss_sec_load() et al from this point onwards. So, it seems reasonable
> to acquire mbox_chan prior to registering the remoteproc.
> 

ok. sure. will move mbox request channel to the beginning  of probe.

>> +	if (ret)
>> +		return ret;
>> +
>> +	platform_set_drvdata(pdev, rproc);
>> +
>> +	wcss->mbox_client.dev = wcss->dev;
>> +	wcss->mbox_client.knows_txdone = true;
>> +	wcss->mbox_client.tx_block = true;
>> +	wcss->mbox_chan = mbox_request_channel(&wcss->mbox_client, 0);
> 
> "mboxes" is optional in binding, but seems to be required here, but then
> mbox_chan is only accessed when tmelcom is true.
> 
> Should mbox_request_channel() be made conditional on tmelcom?

Yeah, infact, as you suggested in the beginning, will make tmelcom
based on mbox chan availability. So that way, if mbox chan registered,
then client uses mbox_send else scm_send. So will remove the below
return on error for mbox_chan since its optional.

> 
>> +	if (IS_ERR(wcss->mbox_chan)) {
>> +		dev_err(wcss->dev, "mbox chan for IPC is missing\n");
>> +		return PTR_ERR(wcss->mbox_chan);
>> +	}
>> +
>> +	return 0;
> 
> qcom_q6v5_pas.c was recently updated to clean up various things on
> error, please do the same here.
> 
ok, will do.

>> +}
>> +
>> +static void wcss_sec_remove(struct platform_device *pdev)
>> +{
>> +	struct rproc *rproc = platform_get_drvdata(pdev);
>> +	struct wcss_sec *wcss = rproc->priv;
>> +
>> +	qcom_q6v5_deinit(&wcss->q6);
>> +	qcom_remove_glink_subdev(rproc, &wcss->glink_subdev);
>> +	qcom_remove_ssr_subdev(rproc, &wcss->ssr_subdev);
> 
> mbox_chan?
> 
yes, will add.

>> +}
>> +
>> +static const struct wcss_data wcss_sec_ipq5332_res_init = {
>> +	.pasid = MPD_WCSS_PAS_ID,
>> +	.auto_boot = true,
>> +	.ops = &wcss_sec_ops,
> 
> Please avoid unnecessary flexibility (i.e. ops is always wcss_sec_ops).
> 
>> +	.tmelcom = false,
>> +};
>> +
>> +static const struct wcss_data wcss_sec_ipq9574_res_init = {
>> +	.pasid = WCSS_PAS_ID,
>> +	.auto_boot = true,
>> +	.ops = &wcss_sec_ops,
>> +	.tmelcom = false,
>> +};
>> +
>> +static const struct wcss_data wcss_sec_ipq5424_res_init = {
>> +	.pasid = MPD_WCSS_PAS_ID,
>> +	.auto_boot = true,
>> +	.ops = &wcss_sec_ops,
>> +	.tmelcom = true,
>> +};
>> +
>> +static const struct of_device_id wcss_sec_of_match[] = {
>> +	{ .compatible = "qcom,ipq5332-wcss-sec-pil", .data = &wcss_sec_ipq5332_res_init },
>> +	{ .compatible = "qcom,ipq9574-wcss-sec-pil", .data = &wcss_sec_ipq9574_res_init },
>> +	{ .compatible = "qcom,ipq5424-wcss-sec-pil", .data = &wcss_sec_ipq5424_res_init },
> 
> Please sort alphabetically.
> 
ok, will do.

Thanks,
Gokul

>> +	{ },
>> +};
>> +MODULE_DEVICE_TABLE(of, wcss_sec_of_match);
>> +
> 
> Regards,
> Bjorn
> 
>> +static struct platform_driver wcss_sec_driver = {
>> +	.probe = wcss_sec_probe,
>> +	.remove = wcss_sec_remove,
>> +	.driver = {
>> +		.name = "qcom-wcss-secure-pil",
>> +		.of_match_table = wcss_sec_of_match,
>> +	},
>> +};
>> +module_platform_driver(wcss_sec_driver);
>> +
>> +MODULE_DESCRIPTION("Hexagon WCSS Secure Peripheral Image Loader");
>> +MODULE_LICENSE("GPL");
>> -- 
>> 2.34.1
>>
Kathiravan Thirumoorthy Jan. 11, 2025, 1:46 p.m. UTC | #5
>>> +static int wcss_sec_start(struct rproc *rproc)
>>> +{
>>> +	struct wcss_sec *wcss = rproc->priv;
>>> +	struct device *dev = wcss->dev;
>>> +	const struct wcss_data *desc = of_device_get_match_data(dev);
>>
>> Please avoid "parsing" DT in runtime.
> 
> I didn't underatand this.
> 

IIUC, you should handle this in probe (one time) rather than for every 
wcss_sec_start() call. In probe, you are already fetching this data. So 
you can re-use the wcss->desc instead of parsing it again.
diff mbox series

Patch

diff --git a/drivers/remoteproc/Kconfig b/drivers/remoteproc/Kconfig
index 83962a114dc9..c4e94b15c538 100644
--- a/drivers/remoteproc/Kconfig
+++ b/drivers/remoteproc/Kconfig
@@ -255,6 +255,28 @@  config QCOM_Q6V5_WCSS
 	  Hexagon V5 based WCSS remote processors on e.g. IPQ8074.  This is
 	  a non-TrustZone wireless subsystem.
 
+config QCOM_Q6V5_WCSS_SEC
+	tristate "Qualcomm Hexagon based WCSS Secure Peripheral Image Loader"
+	depends on OF && ARCH_QCOM
+	depends on QCOM_SMEM
+	depends on RPMSG_QCOM_SMD || RPMSG_QCOM_SMD=n
+	depends on RPMSG_QCOM_GLINK_SMEM || RPMSG_QCOM_GLINK_SMEM=n
+	depends on QCOM_SYSMON || QCOM_SYSMON=n
+	depends on RPMSG_QCOM_GLINK || RPMSG_QCOM_GLINK=n
+	depends on QCOM_AOSS_QMP || QCOM_AOSS_QMP=n
+	select QCOM_MDT_LOADER
+	select QCOM_PIL_INFO
+	select QCOM_Q6V5_COMMON
+	select QCOM_RPROC_COMMON
+	select QCOM_SCM
+	help
+	  Say y here to support the Qualcomm Secure Peripheral Image Loader
+	  for the Hexagon based remote processors on e.g. IPQ5332.
+
+	  This is TrustZone wireless subsystem. The firmware is
+	  verified and booted with the help of the Peripheral Authentication
+	  System (PAS) in TrustZone.
+
 config QCOM_SYSMON
 	tristate "Qualcomm sysmon driver"
 	depends on RPMSG
diff --git a/drivers/remoteproc/Makefile b/drivers/remoteproc/Makefile
index 5ff4e2fee4ab..d4971b672812 100644
--- a/drivers/remoteproc/Makefile
+++ b/drivers/remoteproc/Makefile
@@ -28,6 +28,7 @@  obj-$(CONFIG_QCOM_Q6V5_ADSP)		+= qcom_q6v5_adsp.o
 obj-$(CONFIG_QCOM_Q6V5_MSS)		+= qcom_q6v5_mss.o
 obj-$(CONFIG_QCOM_Q6V5_PAS)		+= qcom_q6v5_pas.o
 obj-$(CONFIG_QCOM_Q6V5_WCSS)		+= qcom_q6v5_wcss.o
+obj-$(CONFIG_QCOM_Q6V5_WCSS_SEC)	+= qcom_q6v5_wcss_sec.o
 obj-$(CONFIG_QCOM_SYSMON)		+= qcom_sysmon.o
 obj-$(CONFIG_QCOM_WCNSS_PIL)		+= qcom_wcnss_pil.o
 qcom_wcnss_pil-y			+= qcom_wcnss.o
diff --git a/drivers/remoteproc/qcom_q6v5_wcss_sec.c b/drivers/remoteproc/qcom_q6v5_wcss_sec.c
new file mode 100644
index 000000000000..ef4e893e37c7
--- /dev/null
+++ b/drivers/remoteproc/qcom_q6v5_wcss_sec.c
@@ -0,0 +1,406 @@ 
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2016-2018 Linaro Ltd.
+ * Copyright (C) 2014 Sony Mobile Communications AB
+ * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2024-2025 Qualcomm Innovation Center, Inc. All rights reserved.
+ */
+#include <linux/clk.h>
+#include <linux/delay.h>
+#include <linux/firmware/qcom/qcom_scm.h>
+#include <linux/interrupt.h>
+#include <linux/io.h>
+#include <linux/iopoll.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/of_address.h>
+#include <linux/of_device.h>
+#include <linux/of_reserved_mem.h>
+#include <linux/platform_device.h>
+#include <linux/reset.h>
+#include <linux/soc/qcom/mdt_loader.h>
+#include <linux/soc/qcom/smem.h>
+#include <linux/soc/qcom/smem_state.h>
+#include <linux/mailbox_client.h>
+#include <linux/mailbox/tmelcom-qmp.h>
+#include "qcom_common.h"
+#include "qcom_q6v5.h"
+
+#include "qcom_pil_info.h"
+#include "remoteproc_internal.h"
+
+#define WCSS_CRASH_REASON		421
+
+#define WCSS_PAS_ID			0x6
+#define MPD_WCSS_PAS_ID			0xD
+
+struct wcss_sec {
+	struct device *dev;
+	struct qcom_rproc_glink glink_subdev;
+	struct qcom_rproc_ssr ssr_subdev;
+	struct qcom_q6v5 q6;
+	phys_addr_t mem_phys;
+	phys_addr_t mem_reloc;
+	void *mem_region;
+	size_t mem_size;
+	const struct wcss_data *desc;
+	const char *fw_name;
+
+	struct clk *sleep_clk;
+
+	struct mbox_client mbox_client;
+	struct mbox_chan *mbox_chan;
+	void *metadata;
+	size_t metadata_len;
+};
+
+struct wcss_data {
+	u32 pasid;
+	const struct rproc_ops *ops;
+	bool auto_boot;
+	bool tmelcom;
+};
+
+static int wcss_sec_start(struct rproc *rproc)
+{
+	struct wcss_sec *wcss = rproc->priv;
+	struct device *dev = wcss->dev;
+	const struct wcss_data *desc = of_device_get_match_data(dev);
+	struct tmel_sec_auth tsa;
+	struct tmel_qmp_msg tqm;
+	int ret;
+
+	qcom_q6v5_prepare(&wcss->q6);
+
+	tsa.data = wcss->metadata;
+	tsa.size = wcss->metadata_len;
+	tsa.pas_id = desc->pasid;
+	tqm.msg = &tsa;
+	tqm.msg_id = TMEL_MSG_UID_SECBOOT_SEC_AUTH;
+
+	if (desc->tmelcom) {
+		mbox_send_message(wcss->mbox_chan, (void *)&tqm);
+	} else {
+		ret = qcom_scm_pas_auth_and_reset(desc->pasid);
+		if (ret) {
+			dev_err(dev, "wcss_reset failed\n");
+			return ret;
+		}
+	}
+
+	ret = qcom_q6v5_wait_for_start(&wcss->q6, 5 * HZ);
+	if (ret == -ETIMEDOUT)
+		dev_err(dev, "start timed out\n");
+
+	return ret;
+}
+
+static int wcss_sec_stop(struct rproc *rproc)
+{
+	struct wcss_sec *wcss = rproc->priv;
+	struct device *dev = wcss->dev;
+	const struct wcss_data *desc = of_device_get_match_data(dev);
+	struct tmel_sec_auth tsa;
+	struct tmel_qmp_msg tqm;
+	int ret;
+
+	tsa.pas_id = desc->pasid;
+	tqm.msg = &tsa;
+	tqm.msg_id = TMEL_MSG_UID_SECBOOT_SS_TEAR_DOWN;
+
+	if (desc->tmelcom) {
+		mbox_send_message(wcss->mbox_chan, (void *)&tqm);
+	} else {
+		ret = qcom_scm_pas_shutdown(desc->pasid);
+		if (ret) {
+			dev_err(dev, "not able to shutdown\n");
+			return ret;
+		}
+	}
+
+	qcom_q6v5_unprepare(&wcss->q6);
+
+	return 0;
+}
+
+static void *wcss_sec_da_to_va(struct rproc *rproc, u64 da, size_t len,
+			       bool *is_iomem)
+{
+	struct wcss_sec *wcss = rproc->priv;
+	int offset;
+
+	offset = da - wcss->mem_reloc;
+	if (offset < 0 || offset + len > wcss->mem_size)
+		return NULL;
+
+	return wcss->mem_region + offset;
+}
+
+static int wcss_sec_load(struct rproc *rproc, const struct firmware *fw)
+{
+	struct wcss_sec *wcss = rproc->priv;
+	struct device *dev = wcss->dev;
+	const struct wcss_data *desc = of_device_get_match_data(dev);
+	int ret;
+
+	if (desc->tmelcom) {
+		wcss->metadata = qcom_mdt_read_metadata(fw, &wcss->metadata_len,
+							rproc->firmware, wcss->dev);
+		if (IS_ERR(wcss->metadata)) {
+			ret = PTR_ERR(wcss->metadata);
+			dev_err(wcss->dev, "error %d reading firmware %s metadata\n",
+				ret, rproc->firmware);
+			return ret;
+		}
+
+		ret = qcom_mdt_load_no_init(wcss->dev, fw, rproc->firmware, desc->pasid,
+					    wcss->mem_region, wcss->mem_phys, wcss->mem_size,
+					    &wcss->mem_reloc);
+		kfree(wcss->metadata);
+	} else {
+		ret = qcom_mdt_load(dev, fw, rproc->firmware, desc->pasid, wcss->mem_region,
+				    wcss->mem_phys, wcss->mem_size, &wcss->mem_reloc);
+	}
+
+	if (ret)
+		return ret;
+
+	qcom_pil_info_store("wcss", wcss->mem_phys, wcss->mem_size);
+
+	return ret;
+}
+
+static unsigned long wcss_sec_panic(struct rproc *rproc)
+{
+	struct wcss_sec *wcss = rproc->priv;
+
+	return qcom_q6v5_panic(&wcss->q6);
+}
+
+static void wcss_sec_copy_segment(struct rproc *rproc,
+				  struct rproc_dump_segment *segment,
+				  void *dest, size_t offset, size_t size)
+{
+	struct wcss_sec *wcss = rproc->priv;
+	struct device *dev = wcss->dev;
+	void *ptr;
+
+	ptr = ioremap_wc(segment->da, segment->size);
+	if (!ptr) {
+		dev_err(dev, "Failed to ioremap segment %pad size %zx\n",
+			&segment->da, segment->size);
+		return;
+	}
+
+	if (size <= segment->size - offset)
+		memcpy(dest, ptr + offset, size);
+	else
+		dev_err(dev, "Copy size greater than segment size. Skipping\n");
+	iounmap(ptr);
+}
+
+static int wcss_sec_dump_segments(struct rproc *rproc,
+				  const struct firmware *fw)
+{
+	struct device *dev = rproc->dev.parent;
+	struct reserved_mem *rmem = NULL;
+	struct device_node *node;
+	int num_segs, index = 0;
+	int ret;
+
+	/* Parse through additional reserved memory regions for the rproc
+	 * and add them to the coredump segments
+	 */
+	num_segs = of_count_phandle_with_args(dev->of_node,
+					      "memory-region", NULL);
+	while (index < num_segs) {
+		node = of_parse_phandle(dev->of_node,
+					"memory-region", index);
+		if (!node)
+			return -EINVAL;
+
+		rmem = of_reserved_mem_lookup(node);
+		of_node_put(node);
+		if (!rmem) {
+			dev_err(dev, "unable to acquire memory-region index %d num_segs %d\n",
+				index, num_segs);
+			return -EINVAL;
+		}
+
+		dev_dbg(dev, "Adding segment 0x%pa size 0x%pa",
+			&rmem->base, &rmem->size);
+		ret = rproc_coredump_add_custom_segment(rproc,
+							rmem->base,
+							rmem->size,
+							wcss_sec_copy_segment,
+							NULL);
+		if (ret)
+			return ret;
+
+		index++;
+	}
+
+	return 0;
+}
+
+static const struct rproc_ops wcss_sec_ops = {
+	.start = wcss_sec_start,
+	.stop = wcss_sec_stop,
+	.da_to_va = wcss_sec_da_to_va,
+	.load = wcss_sec_load,
+	.get_boot_addr = rproc_elf_get_boot_addr,
+	.panic = wcss_sec_panic,
+	.parse_fw = wcss_sec_dump_segments,
+};
+
+static int wcss_sec_alloc_memory_region(struct wcss_sec *wcss)
+{
+	struct reserved_mem *rmem = NULL;
+	struct device_node *node;
+	struct device *dev = wcss->dev;
+
+	node = of_parse_phandle(dev->of_node, "memory-region", 0);
+	if (!node) {
+		dev_err(dev, "can't find phandle memory-region\n");
+		return -EINVAL;
+	}
+
+	rmem = of_reserved_mem_lookup(node);
+	of_node_put(node);
+
+	if (!rmem) {
+		dev_err(dev, "unable to acquire memory-region\n");
+		return -EINVAL;
+	}
+
+	wcss->mem_phys = rmem->base;
+	wcss->mem_reloc = rmem->base;
+	wcss->mem_size = rmem->size;
+	wcss->mem_region = devm_ioremap_wc(dev, wcss->mem_phys, wcss->mem_size);
+	if (!wcss->mem_region) {
+		dev_err(dev, "unable to map memory region: %pa+%pa\n",
+			&rmem->base, &rmem->size);
+		return -ENOMEM;
+	}
+
+	return 0;
+}
+
+static int wcss_sec_probe(struct platform_device *pdev)
+{
+	struct wcss_sec *wcss;
+	struct rproc *rproc;
+	const char *fw_name = NULL;
+	const struct wcss_data *desc = of_device_get_match_data(&pdev->dev);
+	int ret;
+
+	if (!desc)
+		return -EINVAL;
+
+	ret = of_property_read_string(pdev->dev.of_node, "firmware-name",
+				      &fw_name);
+	if (ret < 0)
+		return ret;
+
+	rproc = devm_rproc_alloc(&pdev->dev, pdev->name, desc->ops, fw_name,
+				 sizeof(*wcss));
+	if (!rproc) {
+		dev_err(&pdev->dev, "failed to allocate rproc\n");
+		return -ENOMEM;
+	}
+
+	wcss = rproc->priv;
+	wcss->dev = &pdev->dev;
+	wcss->desc = desc;
+	wcss->fw_name = fw_name;
+
+	ret = wcss_sec_alloc_memory_region(wcss);
+	if (ret)
+		return ret;
+
+	wcss->sleep_clk = devm_clk_get_optional_enabled(&pdev->dev, "sleep");
+	if (IS_ERR(wcss->sleep_clk))
+		return dev_err_probe(&pdev->dev, PTR_ERR(wcss->sleep_clk),
+				     "Failed to get sleep clock\n");
+
+	ret = qcom_q6v5_init(&wcss->q6, pdev, rproc,
+			     WCSS_CRASH_REASON, NULL, NULL);
+	if (ret)
+		return ret;
+
+	qcom_add_glink_subdev(rproc, &wcss->glink_subdev, "q6wcss");
+	qcom_add_ssr_subdev(rproc, &wcss->ssr_subdev, pdev->name);
+
+	rproc->auto_boot = desc->auto_boot;
+	rproc->dump_conf = RPROC_COREDUMP_INLINE;
+	rproc_coredump_set_elf_info(rproc, ELFCLASS32, EM_NONE);
+
+	ret = devm_rproc_add(&pdev->dev, rproc);
+	if (ret)
+		return ret;
+
+	platform_set_drvdata(pdev, rproc);
+
+	wcss->mbox_client.dev = wcss->dev;
+	wcss->mbox_client.knows_txdone = true;
+	wcss->mbox_client.tx_block = true;
+	wcss->mbox_chan = mbox_request_channel(&wcss->mbox_client, 0);
+	if (IS_ERR(wcss->mbox_chan)) {
+		dev_err(wcss->dev, "mbox chan for IPC is missing\n");
+		return PTR_ERR(wcss->mbox_chan);
+	}
+
+	return 0;
+}
+
+static void wcss_sec_remove(struct platform_device *pdev)
+{
+	struct rproc *rproc = platform_get_drvdata(pdev);
+	struct wcss_sec *wcss = rproc->priv;
+
+	qcom_q6v5_deinit(&wcss->q6);
+	qcom_remove_glink_subdev(rproc, &wcss->glink_subdev);
+	qcom_remove_ssr_subdev(rproc, &wcss->ssr_subdev);
+}
+
+static const struct wcss_data wcss_sec_ipq5332_res_init = {
+	.pasid = MPD_WCSS_PAS_ID,
+	.auto_boot = true,
+	.ops = &wcss_sec_ops,
+	.tmelcom = false,
+};
+
+static const struct wcss_data wcss_sec_ipq9574_res_init = {
+	.pasid = WCSS_PAS_ID,
+	.auto_boot = true,
+	.ops = &wcss_sec_ops,
+	.tmelcom = false,
+};
+
+static const struct wcss_data wcss_sec_ipq5424_res_init = {
+	.pasid = MPD_WCSS_PAS_ID,
+	.auto_boot = true,
+	.ops = &wcss_sec_ops,
+	.tmelcom = true,
+};
+
+static const struct of_device_id wcss_sec_of_match[] = {
+	{ .compatible = "qcom,ipq5332-wcss-sec-pil", .data = &wcss_sec_ipq5332_res_init },
+	{ .compatible = "qcom,ipq9574-wcss-sec-pil", .data = &wcss_sec_ipq9574_res_init },
+	{ .compatible = "qcom,ipq5424-wcss-sec-pil", .data = &wcss_sec_ipq5424_res_init },
+	{ },
+};
+MODULE_DEVICE_TABLE(of, wcss_sec_of_match);
+
+static struct platform_driver wcss_sec_driver = {
+	.probe = wcss_sec_probe,
+	.remove = wcss_sec_remove,
+	.driver = {
+		.name = "qcom-wcss-secure-pil",
+		.of_match_table = wcss_sec_of_match,
+	},
+};
+module_platform_driver(wcss_sec_driver);
+
+MODULE_DESCRIPTION("Hexagon WCSS Secure Peripheral Image Loader");
+MODULE_LICENSE("GPL");