diff mbox

[v2] firmware: qcom: scm: Peripheral Authentication Service

Message ID 1436986686-18304-1-git-send-email-bjorn.andersson@sonymobile.com (mailing list archive)
State Deferred, archived
Delegated to: Andy Gross
Headers show

Commit Message

Bjorn Andersson July 15, 2015, 6:58 p.m. UTC
This adds the Peripheral Authentication Service (PAS) interface to the
Qualcomm SCM interface. The API is used to authenticate and boot a range
of external processors in various Qualcomm platforms.

Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
---

Changes since v1:
- Big endian compatibility

 drivers/firmware/qcom_scm-32.c | 93 ++++++++++++++++++++++++++++++++++++++++++
 drivers/firmware/qcom_scm.c    | 78 +++++++++++++++++++++++++++++++++++
 drivers/firmware/qcom_scm.h    | 12 ++++++
 include/linux/qcom_scm.h       |  6 +++
 4 files changed, 189 insertions(+)

Comments

Andy Gross July 15, 2015, 9:33 p.m. UTC | #1
On Wed, Jul 15, 2015 at 11:58:06AM -0700, Bjorn Andersson wrote:

<snip>

> +int __qcom_scm_pas_init_image(u32 peripheral, const void *metadata, size_t size)
> +{
> +	dma_addr_t mdata_phys;
> +	void *mdata_buf;
> +	__le32 scm_ret;
> +	int ret;
> +	struct pas_init_image_req {
> +		__le32 proc;
> +		__le32 image_addr;
> +	} request;
> +
> +	/*
> +	 * During the scm call memory protection will be enabled for the meta
> +	 * data blob, so make sure it's physically contiguous, 4K aligned and
> +	 * non-cachable to avoid XPU violations.
> +	 */
> +	mdata_buf = dma_alloc_coherent(NULL, size, &mdata_phys, GFP_KERNEL);

It'd be nice to send in the dev so we can attribute the allocation correctly.
For 64 bit, we actually have to do this because NULL is not allowed right now.

> +	if (!mdata_buf) {
> +		pr_err("Allocation of metadata buffer failed.\n");
> +		return -ENOMEM;
> +	}
> +	memcpy(mdata_buf, metadata, size);
> +
> +	request.proc = cpu_to_le32(peripheral);
> +	request.image_addr = cpu_to_le32(mdata_phys);
> +
> +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_INIT_IMAGE_CMD,
> +			    &request, sizeof(request),
> +			    &scm_ret, sizeof(scm_ret));
> +
> +	dma_free_coherent(NULL, size, mdata_buf, mdata_phys);
> +
> +	return ret ? : le32_to_cpu(scm_ret);
> +}
> +

Otherwise, looks good.  Let me know if you plan to modify for the device above.
If you want me to do it later, thats fine.  But it means API change.
Stephen Boyd July 15, 2015, 11:43 p.m. UTC | #2
On 07/15, Bjorn Andersson wrote:
> This adds the Peripheral Authentication Service (PAS) interface to the
> Qualcomm SCM interface. The API is used to authenticate and boot a range
> of external processors in various Qualcomm platforms.
> 
> Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
> ---
> 
> Changes since v1:
> - Big endian compatibility

Did you try out a big endian kernel?

> diff --git a/drivers/firmware/qcom_scm-32.c b/drivers/firmware/qcom_scm-32.c
> index 1bd6f9c34331..81d9c59f3ccc 100644
> --- a/drivers/firmware/qcom_scm-32.c
> +++ b/drivers/firmware/qcom_scm-32.c
> @@ -501,3 +502,95 @@ int __qcom_scm_hdcp_req(struct qcom_scm_hdcp_req *req, u32 req_cnt, u32 *resp)
>  	return qcom_scm_call(QCOM_SCM_SVC_HDCP, QCOM_SCM_CMD_HDCP,
>  		req, req_cnt * sizeof(*req), resp, sizeof(*resp));
>  }
> +
> +bool __qcom_scm_pas_supported(u32 peripheral)
> +{
> +	u32 ret_val;

I guess we don't have to care about __le32 here because it's just
a zero or non-zero value?

> +	int ret;
> +
> +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_IS_SUPPORTED_CMD,
> +			    &peripheral, sizeof(peripheral),

Peripheral needs cpu_to_le32() treatment.

> +			    &ret_val, sizeof(ret_val));
> +
> +	return ret ? false : !!ret_val;
> +}
> +
> +int __qcom_scm_pas_init_image(u32 peripheral, const void *metadata, size_t size)
> +{
> +	dma_addr_t mdata_phys;
> +	void *mdata_buf;
> +	__le32 scm_ret;
> +	int ret;
> +	struct pas_init_image_req {
> +		__le32 proc;
> +		__le32 image_addr;
> +	} request;
> +
> +	/*
> +	 * During the scm call memory protection will be enabled for the meta
> +	 * data blob, so make sure it's physically contiguous, 4K aligned and
> +	 * non-cachable to avoid XPU violations.
> +	 */
> +	mdata_buf = dma_alloc_coherent(NULL, size, &mdata_phys, GFP_KERNEL);

This should pass a device pointer instead of NULL here. Please
make struct device an argument of this function and pass
something there besides NULL in the calling driver. Or we should
make SCM into a platform device driver with a node in DT (named
firmware?). Then if we need to do anything special for DMA to the
firmware, etc. we have a struct device that can describe that.

Also, dma_alloc_coherent() doesn't do enough to prevent XPU
violations because memory returned from that function on ARM is
not guaranteed to be device memory and so we could speculatively
access the locked down metadata region. This is why we added the
strongly ordered mapping property and pass that to
dma_alloc_attrs in the downstream code so we can change the page
table attributes of the mapping to be device memory. Not doing
this can lead to random crashes when some read speculates on the
metadata and the secure world intercepts it and shuts the system
down.

I was going to say we could try to use the carveout/reserved
memory code but that doesn't look fool proof. From what I can
tell CMA doesn't use the same page table attributes for the
mapping that dma-coherent does, so if we use dma-coherent it will
use ioremap and work but if we use CMA it won't (at least it
looks like bufferable memory there). Can we add a way to request
memory doesn't allow speculatioan through the DMA APIs?

> +	if (!mdata_buf) {
> +		pr_err("Allocation of metadata buffer failed.\n");
> +		return -ENOMEM;
> +	}
> +	memcpy(mdata_buf, metadata, size);
> +
> +	request.proc = cpu_to_le32(peripheral);
> +	request.image_addr = cpu_to_le32(mdata_phys);
> +
> +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_INIT_IMAGE_CMD,
> +			    &request, sizeof(request),
> +			    &scm_ret, sizeof(scm_ret));
> +
> +	dma_free_coherent(NULL, size, mdata_buf, mdata_phys);
> +
> +	return ret ? : le32_to_cpu(scm_ret);
> +}
> +
> +int __qcom_scm_pas_mem_setup(u32 peripheral, phys_addr_t addr, phys_addr_t size)
> +{
> +	__le32 scm_ret;
> +	int ret;
> +	struct pas_init_image_req {

I thought this was going to be an unnamed structure?

	struct {
		__le32 proc;
		__le32 addr;
		__le32 len;
	} cmd;

> +		__le32 proc;
> +		__le32 addr;
> +		__le32 len;
> +	} request;
> +
> +	request.proc = cpu_to_le32(peripheral);
> +	request.addr = cpu_to_le32(addr);
> +	request.len = cpu_to_le32(size);
> +
> +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_MEM_SETUP_CMD,
> +			    &request, sizeof(request),
> +			    &scm_ret, sizeof(scm_ret));
> +
> +	return ret ? : le32_to_cpu(scm_ret);
> +}
> +
> +int __qcom_scm_pas_auth_and_reset(u32 peripheral)
> +{
> +	__le32 scm_ret;
> +	int ret;
> +
> +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_AUTH_AND_RESET_CMD,
> +			    &peripheral, sizeof(peripheral),

peripheral needs cpu_to_le32() treatment.

> +			    &scm_ret, sizeof(scm_ret));
> +
> +	return ret ? : le32_to_cpu(scm_ret);
> +}
> +
> +int __qcom_scm_pas_shutdown(u32 peripheral)
> +{
> +	__le32 scm_ret;
> +	int ret;
> +
> +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_SHUTDOWN_CMD,
> +			    &peripheral, sizeof(peripheral),

peripheral needs cpu_to_le32() treatment.

> +			    &scm_ret, sizeof(scm_ret));
> +
> +	return ret ? : le32_to_cpu(scm_ret);
> +}
Bjorn Andersson July 16, 2015, 12:35 a.m. UTC | #3
On Wed 15 Jul 16:43 PDT 2015, Stephen Boyd wrote:

> On 07/15, Bjorn Andersson wrote:
> > This adds the Peripheral Authentication Service (PAS) interface to the
> > Qualcomm SCM interface. The API is used to authenticate and boot a range
> > of external processors in various Qualcomm platforms.
> > 
> > Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
> > ---
> > 
> > Changes since v1:
> > - Big endian compatibility
> 
> Did you try out a big endian kernel?
> 

No, you're still the only one.

> > diff --git a/drivers/firmware/qcom_scm-32.c b/drivers/firmware/qcom_scm-32.c
> > index 1bd6f9c34331..81d9c59f3ccc 100644
> > --- a/drivers/firmware/qcom_scm-32.c
> > +++ b/drivers/firmware/qcom_scm-32.c
> > @@ -501,3 +502,95 @@ int __qcom_scm_hdcp_req(struct qcom_scm_hdcp_req *req, u32 req_cnt, u32 *resp)
> >  	return qcom_scm_call(QCOM_SCM_SVC_HDCP, QCOM_SCM_CMD_HDCP,
> >  		req, req_cnt * sizeof(*req), resp, sizeof(*resp));
> >  }
> > +
> > +bool __qcom_scm_pas_supported(u32 peripheral)
> > +{
> > +	u32 ret_val;
> 
> I guess we don't have to care about __le32 here because it's just
> a zero or non-zero value?
> 

Right, but could be fixed up for completeness.

> > +	int ret;
> > +
> > +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_IS_SUPPORTED_CMD,
> > +			    &peripheral, sizeof(peripheral),
> 
> Peripheral needs cpu_to_le32() treatment.
> 

Sorry, missed that one.

> > +			    &ret_val, sizeof(ret_val));
> > +
> > +	return ret ? false : !!ret_val;
> > +}
> > +
> > +int __qcom_scm_pas_init_image(u32 peripheral, const void *metadata, size_t size)
> > +{
> > +	dma_addr_t mdata_phys;
> > +	void *mdata_buf;
> > +	__le32 scm_ret;
> > +	int ret;
> > +	struct pas_init_image_req {
> > +		__le32 proc;
> > +		__le32 image_addr;
> > +	} request;
> > +
> > +	/*
> > +	 * During the scm call memory protection will be enabled for the meta
> > +	 * data blob, so make sure it's physically contiguous, 4K aligned and
> > +	 * non-cachable to avoid XPU violations.
> > +	 */
> > +	mdata_buf = dma_alloc_coherent(NULL, size, &mdata_phys, GFP_KERNEL);
> 
> This should pass a device pointer instead of NULL here. Please
> make struct device an argument of this function and pass
> something there besides NULL in the calling driver. Or we should
> make SCM into a platform device driver with a node in DT (named
> firmware?). Then if we need to do anything special for DMA to the
> firmware, etc. we have a struct device that can describe that.
> 

I think making scm into a platform driver seems very much overkill,
passing the callers device * sounds reasonable. My only concern would be
if associating this dma allocation with the client has any further
implications, but I'll have to read up a little bit on how that works.

> Also, dma_alloc_coherent() doesn't do enough to prevent XPU
> violations because memory returned from that function on ARM is
> not guaranteed to be device memory and so we could speculatively
> access the locked down metadata region. This is why we added the
> strongly ordered mapping property and pass that to
> dma_alloc_attrs in the downstream code so we can change the page
> table attributes of the mapping to be device memory. Not doing
> this can lead to random crashes when some read speculates on the
> metadata and the secure world intercepts it and shuts the system
> down.
> 

The code is taken verbatim from msm-3.4 and the comment is picked from
the git log, sorry to hear that this is not enough.

> I was going to say we could try to use the carveout/reserved
> memory code but that doesn't look fool proof. From what I can
> tell CMA doesn't use the same page table attributes for the
> mapping that dma-coherent does, so if we use dma-coherent it will
> use ioremap and work but if we use CMA it won't (at least it
> looks like bufferable memory there). Can we add a way to request
> memory doesn't allow speculatioan through the DMA APIs?
> 

I haven't looked enough at dma allocations, but this is what worries me
when using the clients dev pointer (I'm under the impression that these
choices follow the dev*).

> > +	if (!mdata_buf) {
> > +		pr_err("Allocation of metadata buffer failed.\n");
> > +		return -ENOMEM;
> > +	}
> > +	memcpy(mdata_buf, metadata, size);
> > +
> > +	request.proc = cpu_to_le32(peripheral);
> > +	request.image_addr = cpu_to_le32(mdata_phys);
> > +
> > +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_INIT_IMAGE_CMD,
> > +			    &request, sizeof(request),
> > +			    &scm_ret, sizeof(scm_ret));
> > +
> > +	dma_free_coherent(NULL, size, mdata_buf, mdata_phys);
> > +
> > +	return ret ? : le32_to_cpu(scm_ret);
> > +}
> > +
> > +int __qcom_scm_pas_mem_setup(u32 peripheral, phys_addr_t addr, phys_addr_t size)
> > +{
> > +	__le32 scm_ret;
> > +	int ret;
> > +	struct pas_init_image_req {
> 
> I thought this was going to be an unnamed structure?
> 
> 	struct {
> 		__le32 proc;
> 		__le32 addr;
> 		__le32 len;
> 	} cmd;
> 

It was, sorry about that.

> > +		__le32 proc;
> > +		__le32 addr;
> > +		__le32 len;
> > +	} request;
> > +
> > +	request.proc = cpu_to_le32(peripheral);
> > +	request.addr = cpu_to_le32(addr);
> > +	request.len = cpu_to_le32(size);
> > +
> > +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_MEM_SETUP_CMD,
> > +			    &request, sizeof(request),
> > +			    &scm_ret, sizeof(scm_ret));
> > +
> > +	return ret ? : le32_to_cpu(scm_ret);
> > +}
> > +
> > +int __qcom_scm_pas_auth_and_reset(u32 peripheral)
> > +{
> > +	__le32 scm_ret;
> > +	int ret;
> > +
> > +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_AUTH_AND_RESET_CMD,
> > +			    &peripheral, sizeof(peripheral),
> 
> peripheral needs cpu_to_le32() treatment.
> 

Sorry, missed these.

> > +			    &scm_ret, sizeof(scm_ret));
> > +
> > +	return ret ? : le32_to_cpu(scm_ret);
> > +}
> > +
> > +int __qcom_scm_pas_shutdown(u32 peripheral)
> > +{
> > +	__le32 scm_ret;
> > +	int ret;
> > +
> > +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_SHUTDOWN_CMD,
> > +			    &peripheral, sizeof(peripheral),
> 
> peripheral needs cpu_to_le32() treatment.
> 

Ditto

> > +			    &scm_ret, sizeof(scm_ret));
> > +
> > +	return ret ? : le32_to_cpu(scm_ret);
> > +}

Regards,
Bjorn
--
To unsubscribe from this list: send the line "unsubscribe linux-arm-msm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Bjorn Andersson July 16, 2015, 12:39 a.m. UTC | #4
On Wed 15 Jul 14:33 PDT 2015, Andy Gross wrote:

> On Wed, Jul 15, 2015 at 11:58:06AM -0700, Bjorn Andersson wrote:
> 
> <snip>
> 
> > +int __qcom_scm_pas_init_image(u32 peripheral, const void *metadata, size_t size)
> > +{
> > +	dma_addr_t mdata_phys;
> > +	void *mdata_buf;
> > +	__le32 scm_ret;
> > +	int ret;
> > +	struct pas_init_image_req {
> > +		__le32 proc;
> > +		__le32 image_addr;
> > +	} request;
> > +
> > +	/*
> > +	 * During the scm call memory protection will be enabled for the meta
> > +	 * data blob, so make sure it's physically contiguous, 4K aligned and
> > +	 * non-cachable to avoid XPU violations.
> > +	 */
> > +	mdata_buf = dma_alloc_coherent(NULL, size, &mdata_phys, GFP_KERNEL);
> 
> It'd be nice to send in the dev so we can attribute the allocation correctly.
> For 64 bit, we actually have to do this because NULL is not allowed right now.
> 

As per Stephen's answer I need to respin this anyways, but I think I
need to read up a little bit more on the implications of passing e.g.
the PIL dev* down here.

> > +	if (!mdata_buf) {
> > +		pr_err("Allocation of metadata buffer failed.\n");
> > +		return -ENOMEM;
> > +	}
> > +	memcpy(mdata_buf, metadata, size);
> > +
> > +	request.proc = cpu_to_le32(peripheral);
> > +	request.image_addr = cpu_to_le32(mdata_phys);
> > +
> > +	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_INIT_IMAGE_CMD,
> > +			    &request, sizeof(request),
> > +			    &scm_ret, sizeof(scm_ret));
> > +
> > +	dma_free_coherent(NULL, size, mdata_buf, mdata_phys);
> > +
> > +	return ret ? : le32_to_cpu(scm_ret);
> > +}
> > +
> 
> Otherwise, looks good.  Let me know if you plan to modify for the device above.
> If you want me to do it later, thats fine.  But it means API change.
> 

I'll respin this in a bit, need to read up a little bit more on the dma
allocation. But most likely I'll just move the allocation to the common
code, pass the physical address here and expect a dev* in the public
api.

Regards,
Bjorn
--
To unsubscribe from this list: send the line "unsubscribe linux-arm-msm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Stephen Boyd July 16, 2015, 12:55 a.m. UTC | #5
On 07/15/2015 05:35 PM, Bjorn Andersson wrote:
> On Wed 15 Jul 16:43 PDT 2015, Stephen Boyd wrote:
>
>> On 07/15, Bjorn Andersson wrote:
>>> This adds the Peripheral Authentication Service (PAS) interface to the
>>> Qualcomm SCM interface. The API is used to authenticate and boot a range
>>> of external processors in various Qualcomm platforms.
>>>
>>> Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
>>> ---
>>>
>>> Changes since v1:
>>> - Big endian compatibility
>> Did you try out a big endian kernel?
>>
> No, you're still the only one.

:)

>>> +			    &ret_val, sizeof(ret_val));
>>> +
>>> +	return ret ? false : !!ret_val;
>>> +}
>>> +
>>> +int __qcom_scm_pas_init_image(u32 peripheral, const void *metadata, size_t size)
>>> +{
>>> +	dma_addr_t mdata_phys;
>>> +	void *mdata_buf;
>>> +	__le32 scm_ret;
>>> +	int ret;
>>> +	struct pas_init_image_req {
>>> +		__le32 proc;
>>> +		__le32 image_addr;
>>> +	} request;
>>> +
>>> +	/*
>>> +	 * During the scm call memory protection will be enabled for the meta
>>> +	 * data blob, so make sure it's physically contiguous, 4K aligned and
>>> +	 * non-cachable to avoid XPU violations.
>>> +	 */
>>> +	mdata_buf = dma_alloc_coherent(NULL, size, &mdata_phys, GFP_KERNEL);
>> This should pass a device pointer instead of NULL here. Please
>> make struct device an argument of this function and pass
>> something there besides NULL in the calling driver. Or we should
>> make SCM into a platform device driver with a node in DT (named
>> firmware?). Then if we need to do anything special for DMA to the
>> firmware, etc. we have a struct device that can describe that.
>>
> I think making scm into a platform driver seems very much overkill,
> passing the callers device * sounds reasonable. My only concern would be
> if associating this dma allocation with the client has any further
> implications, but I'll have to read up a little bit on how that works.
>
>> Also, dma_alloc_coherent() doesn't do enough to prevent XPU
>> violations because memory returned from that function on ARM is
>> not guaranteed to be device memory and so we could speculatively
>> access the locked down metadata region. This is why we added the
>> strongly ordered mapping property and pass that to
>> dma_alloc_attrs in the downstream code so we can change the page
>> table attributes of the mapping to be device memory. Not doing
>> this can lead to random crashes when some read speculates on the
>> metadata and the secure world intercepts it and shuts the system
>> down.
>>
> The code is taken verbatim from msm-3.4 and the comment is picked from
> the git log, sorry to hear that this is not enough.

Please move up to msm-3.14 or msm-3.10. Try to find the newest stuff if 
it's code like this that isn't specific for a particular SoC. Otherwise 
we're going to miss random bug fixes that haven't trickled down to trees 
for chips that are two to three years old.

>
>> I was going to say we could try to use the carveout/reserved
>> memory code but that doesn't look fool proof. From what I can
>> tell CMA doesn't use the same page table attributes for the
>> mapping that dma-coherent does, so if we use dma-coherent it will
>> use ioremap and work but if we use CMA it won't (at least it
>> looks like bufferable memory there). Can we add a way to request
>> memory doesn't allow speculatioan through the DMA APIs?
>>
> I haven't looked enough at dma allocations, but this is what worries me
> when using the clients dev pointer (I'm under the impression that these
> choices follow the dev*).

Yes it does. If the device is cache coherent (e.g. the video processor 
may be cache coherent) or even if we want to have two different regions 
of memory carved out for the device then using the client's dev pointer 
won't work well.

I think for this sort of allocation it makes sense to make SCM into a 
platform driver/device so that we can assign the right attributes to a 
memory carveout associated with it. It will also help when we need to 
max out crypto clocks and bus bandwidth or other things that are 
strictly related to what the firmware needs and not the remote 
processor. The trouble is probe defer, so we may need to have some sort 
of get/put API that returns EPROBE_DEFER so that client drivers can 
figure out when they need to wait for SCM to be ready.
Bjorn Andersson July 16, 2015, 1:22 a.m. UTC | #6
On Wed 15 Jul 17:55 PDT 2015, Stephen Boyd wrote:

> On 07/15/2015 05:35 PM, Bjorn Andersson wrote:
> >On Wed 15 Jul 16:43 PDT 2015, Stephen Boyd wrote:
> >
> >>On 07/15, Bjorn Andersson wrote:
[..]
> >>Also, dma_alloc_coherent() doesn't do enough to prevent XPU
> >>violations because memory returned from that function on ARM is
> >>not guaranteed to be device memory and so we could speculatively
> >>access the locked down metadata region. This is why we added the
> >>strongly ordered mapping property and pass that to
> >>dma_alloc_attrs in the downstream code so we can change the page
> >>table attributes of the mapping to be device memory. Not doing
> >>this can lead to random crashes when some read speculates on the
> >>metadata and the secure world intercepts it and shuts the system
> >>down.
> >>
> >The code is taken verbatim from msm-3.4 and the comment is picked from
> >the git log, sorry to hear that this is not enough.
> 
> Please move up to msm-3.14 or msm-3.10. Try to find the newest stuff if it's
> code like this that isn't specific for a particular SoC. Otherwise we're
> going to miss random bug fixes that haven't trickled down to trees for chips
> that are two to three years old.
> 

Right, with the introduction of the 64 bit platforms this code was
altered to specify the strictly ordered attribute. I have to look at how
this should be done in mainline, as I'm moving this out to the common
code.

> >
> >>I was going to say we could try to use the carveout/reserved
> >>memory code but that doesn't look fool proof. From what I can
> >>tell CMA doesn't use the same page table attributes for the
> >>mapping that dma-coherent does, so if we use dma-coherent it will
> >>use ioremap and work but if we use CMA it won't (at least it
> >>looks like bufferable memory there). Can we add a way to request
> >>memory doesn't allow speculatioan through the DMA APIs?
> >>
> >I haven't looked enough at dma allocations, but this is what worries me
> >when using the clients dev pointer (I'm under the impression that these
> >choices follow the dev*).
> 
> Yes it does. If the device is cache coherent (e.g. the video processor may
> be cache coherent) or even if we want to have two different regions of
> memory carved out for the device then using the client's dev pointer won't
> work well.
> 

I would like to allocate the peripheral memory in PIL from CMA, if so I
guess we have this issue ;)

> I think for this sort of allocation it makes sense to make SCM into a
> platform driver/device so that we can assign the right attributes to a
> memory carveout associated with it. It will also help when we need to max
> out crypto clocks and bus bandwidth or other things that are strictly
> related to what the firmware needs and not the remote processor. The trouble
> is probe defer, so we may need to have some sort of get/put API that returns
> EPROBE_DEFER so that client drivers can figure out when they need to wait
> for SCM to be ready.
> 

Right, it would definitely clarify the ownership and handling of the
crypto clocks.

Regards,
Bjorn
--
To unsubscribe from this list: send the line "unsubscribe linux-arm-msm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/firmware/qcom_scm-32.c b/drivers/firmware/qcom_scm-32.c
index 1bd6f9c34331..81d9c59f3ccc 100644
--- a/drivers/firmware/qcom_scm-32.c
+++ b/drivers/firmware/qcom_scm-32.c
@@ -23,6 +23,7 @@ 
 #include <linux/errno.h>
 #include <linux/err.h>
 #include <linux/qcom_scm.h>
+#include <linux/dma-mapping.h>
 
 #include <asm/outercache.h>
 #include <asm/cacheflush.h>
@@ -501,3 +502,95 @@  int __qcom_scm_hdcp_req(struct qcom_scm_hdcp_req *req, u32 req_cnt, u32 *resp)
 	return qcom_scm_call(QCOM_SCM_SVC_HDCP, QCOM_SCM_CMD_HDCP,
 		req, req_cnt * sizeof(*req), resp, sizeof(*resp));
 }
+
+bool __qcom_scm_pas_supported(u32 peripheral)
+{
+	u32 ret_val;
+	int ret;
+
+	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_IS_SUPPORTED_CMD,
+			    &peripheral, sizeof(peripheral),
+			    &ret_val, sizeof(ret_val));
+
+	return ret ? false : !!ret_val;
+}
+
+int __qcom_scm_pas_init_image(u32 peripheral, const void *metadata, size_t size)
+{
+	dma_addr_t mdata_phys;
+	void *mdata_buf;
+	__le32 scm_ret;
+	int ret;
+	struct pas_init_image_req {
+		__le32 proc;
+		__le32 image_addr;
+	} request;
+
+	/*
+	 * During the scm call memory protection will be enabled for the meta
+	 * data blob, so make sure it's physically contiguous, 4K aligned and
+	 * non-cachable to avoid XPU violations.
+	 */
+	mdata_buf = dma_alloc_coherent(NULL, size, &mdata_phys, GFP_KERNEL);
+	if (!mdata_buf) {
+		pr_err("Allocation of metadata buffer failed.\n");
+		return -ENOMEM;
+	}
+	memcpy(mdata_buf, metadata, size);
+
+	request.proc = cpu_to_le32(peripheral);
+	request.image_addr = cpu_to_le32(mdata_phys);
+
+	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_INIT_IMAGE_CMD,
+			    &request, sizeof(request),
+			    &scm_ret, sizeof(scm_ret));
+
+	dma_free_coherent(NULL, size, mdata_buf, mdata_phys);
+
+	return ret ? : le32_to_cpu(scm_ret);
+}
+
+int __qcom_scm_pas_mem_setup(u32 peripheral, phys_addr_t addr, phys_addr_t size)
+{
+	__le32 scm_ret;
+	int ret;
+	struct pas_init_image_req {
+		__le32 proc;
+		__le32 addr;
+		__le32 len;
+	} request;
+
+	request.proc = cpu_to_le32(peripheral);
+	request.addr = cpu_to_le32(addr);
+	request.len = cpu_to_le32(size);
+
+	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_MEM_SETUP_CMD,
+			    &request, sizeof(request),
+			    &scm_ret, sizeof(scm_ret));
+
+	return ret ? : le32_to_cpu(scm_ret);
+}
+
+int __qcom_scm_pas_auth_and_reset(u32 peripheral)
+{
+	__le32 scm_ret;
+	int ret;
+
+	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_AUTH_AND_RESET_CMD,
+			    &peripheral, sizeof(peripheral),
+			    &scm_ret, sizeof(scm_ret));
+
+	return ret ? : le32_to_cpu(scm_ret);
+}
+
+int __qcom_scm_pas_shutdown(u32 peripheral)
+{
+	__le32 scm_ret;
+	int ret;
+
+	ret = qcom_scm_call(QCOM_SCM_SVC_PIL, QCOM_SCM_PAS_SHUTDOWN_CMD,
+			    &peripheral, sizeof(peripheral),
+			    &scm_ret, sizeof(scm_ret));
+
+	return ret ? : le32_to_cpu(scm_ret);
+}
diff --git a/drivers/firmware/qcom_scm.c b/drivers/firmware/qcom_scm.c
index 45c008d68891..ee7150d93b29 100644
--- a/drivers/firmware/qcom_scm.c
+++ b/drivers/firmware/qcom_scm.c
@@ -94,3 +94,81 @@  int qcom_scm_hdcp_req(struct qcom_scm_hdcp_req *req, u32 req_cnt, u32 *resp)
 	return __qcom_scm_hdcp_req(req, req_cnt, resp);
 }
 EXPORT_SYMBOL(qcom_scm_hdcp_req);
+
+/**
+ * qcom_scm_pas_supported() - Check if the peripheral authentication service is
+ *			      available for the given peripherial
+ * @peripheral:	peripheral id
+ *
+ * Returns true if PAS is supported for this peripheral, otherwise false.
+ */
+bool qcom_scm_pas_supported(u32 peripheral)
+{
+	int ret;
+
+	ret = __qcom_scm_is_call_available(QCOM_SCM_SVC_PIL,
+					   QCOM_SCM_PAS_IS_SUPPORTED_CMD);
+	if (ret <= 0)
+		return false;
+
+	return __qcom_scm_pas_supported(peripheral);
+}
+EXPORT_SYMBOL(qcom_scm_pas_supported);
+
+/**
+ * qcom_scm_pas_init_image() - Initialize peripheral authentication service
+ *			       state machine for a given peripheral, using the
+ *			       metadata
+ * @peripheral: peripheral id
+ * @metadata:	pointer to memory containing ELF header, program header table
+ *		and optional blob of data used for authenticating the metadata
+ *		and the rest of the firmware
+ * @size:	size of the metadata
+ *
+ * Returns 0 on success.
+ */
+int qcom_scm_pas_init_image(u32 peripheral, const void *metadata, size_t size)
+{
+	return __qcom_scm_pas_init_image(peripheral, metadata, size);
+}
+EXPORT_SYMBOL(qcom_scm_pas_init_image);
+
+/**
+ * qcom_scm_pas_mem_setup() - Prepare the memory related to a given peripheral
+ *			      for firmware loading
+ * @peripheral:	peripheral id
+ * @addr:	start address of memory area to prepare
+ * @size:	size of the memory area to prepare
+ *
+ * Returns 0 on success.
+ */
+int qcom_scm_pas_mem_setup(u32 peripheral, phys_addr_t addr, phys_addr_t size)
+{
+	return __qcom_scm_pas_mem_setup(peripheral, addr, size);
+}
+EXPORT_SYMBOL(qcom_scm_pas_mem_setup);
+
+/**
+ * qcom_scm_pas_auth_and_reset() - Authenticate the given peripheral firmware
+ *				   and reset the remote processor
+ * @peripheral:	peripheral id
+ *
+ * Return 0 on success.
+ */
+int qcom_scm_pas_auth_and_reset(u32 peripheral)
+{
+	return __qcom_scm_pas_auth_and_reset(peripheral);
+}
+EXPORT_SYMBOL(qcom_scm_pas_auth_and_reset);
+
+/**
+ * qcom_scm_pas_shutdown() - Shut down the remote processor
+ * @peripheral: peripheral id
+ *
+ * Returns 0 on success.
+ */
+int qcom_scm_pas_shutdown(u32 peripheral)
+{
+	return __qcom_scm_pas_shutdown(peripheral);
+}
+EXPORT_SYMBOL(qcom_scm_pas_shutdown);
diff --git a/drivers/firmware/qcom_scm.h b/drivers/firmware/qcom_scm.h
index 2cce75c08b99..c0700590193a 100644
--- a/drivers/firmware/qcom_scm.h
+++ b/drivers/firmware/qcom_scm.h
@@ -36,6 +36,18 @@  extern int __qcom_scm_is_call_available(u32 svc_id, u32 cmd_id);
 extern int __qcom_scm_hdcp_req(struct qcom_scm_hdcp_req *req, u32 req_cnt,
 		u32 *resp);
 
+#define QCOM_SCM_SVC_PIL		0x2
+#define QCOM_SCM_PAS_INIT_IMAGE_CMD	0x1
+#define QCOM_SCM_PAS_MEM_SETUP_CMD	0x2
+#define QCOM_SCM_PAS_AUTH_AND_RESET_CMD	0x5
+#define QCOM_SCM_PAS_SHUTDOWN_CMD	0x6
+#define QCOM_SCM_PAS_IS_SUPPORTED_CMD	0x7
+extern bool __qcom_scm_pas_supported(u32 peripheral);
+extern int  __qcom_scm_pas_init_image(u32 peripheral, const void *metadata, size_t size);
+extern int  __qcom_scm_pas_mem_setup(u32 peripheral, phys_addr_t addr, phys_addr_t size);
+extern int  __qcom_scm_pas_auth_and_reset(u32 peripheral);
+extern int  __qcom_scm_pas_shutdown(u32 peripheral);
+
 /* common error codes */
 #define QCOM_SCM_ENOMEM		-5
 #define QCOM_SCM_EOPNOTSUPP	-4
diff --git a/include/linux/qcom_scm.h b/include/linux/qcom_scm.h
index 6e7d5ec65838..46d41e44d432 100644
--- a/include/linux/qcom_scm.h
+++ b/include/linux/qcom_scm.h
@@ -27,6 +27,12 @@  extern bool qcom_scm_hdcp_available(void);
 extern int qcom_scm_hdcp_req(struct qcom_scm_hdcp_req *req, u32 req_cnt,
 		u32 *resp);
 
+extern bool qcom_scm_pas_supported(u32 peripheral);
+extern int qcom_scm_pas_init_image(u32 peripheral, const void *metadata, size_t size);
+extern int qcom_scm_pas_mem_setup(u32 peripheral, phys_addr_t addr, phys_addr_t size);
+extern int qcom_scm_pas_auth_and_reset(u32 peripheral);
+extern int qcom_scm_pas_shutdown(u32 peripheral);
+
 #define QCOM_SCM_CPU_PWR_DOWN_L2_ON	0x0
 #define QCOM_SCM_CPU_PWR_DOWN_L2_OFF	0x1