core: stm32_gpio: register firewall controllers for GPIO access rights #7102
523c9ca to d049439
Rebased to fix merge conflicts. CI / Code Style checkpatch reports are all false positive:
7 first patches (device tree):
Comments on the 7 first commits addressed. CI / Code style reports false positive (trace message impl. exceeding 80char/line + use BIT() in DT binding header file). CI / make check (QEMUv8, Clang) failed on optee_rust_examples_ext-1.0 build:
For commit ditto for following pinctrl commit For commits: For commit:
Review comments addressed or answered.
I'll rebase the series to resolve some rebase conflicts.
0feb9c2 to c3886b1
Rebased
a063d7d to 31d7a49
@GseoC, may I squash the fixup commits and fix the commit messages as you suggested?
Please do when addressing the comment above so that I can make another round, thanks!
31d7a49 to 1cdf807
Fixup commits squashed and commit messages updated as per #7102 (comment) and #7102 (comment) review comments.
1cdf807 to ec60416
Rebased to solve merge conflicts.
id - STM32MP1_SHRES_GPIOZ(0), get_gpioz_nbpin()); | ||
panic(); | ||
} | ||
panic("Deprecated registering of GPIOz resources"); |
s/GPIOz/GPIOZ
Could merge with PLL3 and specify only usage of deprecated shared resource
core/drivers/stm32_gpio.c
Outdated
/* Resource can be accessed if CID1 is statically allowed */ | ||
accessible = true; | ||
} else if (stm32_rif_semaphore_enabled_and_ok(cidcfgr, RIF_CID1)) { | ||
/* We must acquire the semaphore to access the resource */ |
We should add a stm32_rif_semaphore_is_available_or_taken() to check if the current CID has already taken the semaphore. This will avoid some issue when acquiring the semaphore (spurious IAC). Maybe we can do this in another P-R. (I can take care of that)
To prevent such issues when acquiring an already taken semaphore, I think we should rather fix stm32_rif_acquire_semaphore():
TEE_Result stm32_rif_acquire_semaphore(vaddr_t addr, unsigned int nb_cid_supp)
{
uint32_t scid_mask = get_scid_mask(nb_cid_supp);
- /* Take the semaphore */
- io_setbits32(addr, _SEMCR_MUTEX);
+ /* Take the semaphore is not already taken */
+ if (stm32_rif_semaphore_is_available(addr))
+ io_setbits32(addr, _SEMCR_MUTEX);
/* Check that the Cortex-A has the semaphore */
if (stm32_rif_semaphore_is_available(addr) ||
((io_read32(addr) & scid_mask) >> _CIDCFGR_SCID_SHIFT) != RIF_CID1)
return TEE_ERROR_ACCESS_DENIED;
return TEE_SUCCESS;
}
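Review bot: the comment on the added line reads "Take the semaphore is not already taken" and should read "if not already taken". The guard itself is a separate read followed by io_setbits32(), so it narrows but does not close the window in which the write lands on a semaphore another CID has just taken; the ownership test that follows still returns TEE_ERROR_ACCESS_DENIED in that case, and the comment should say the guard is there to skip the write when the semaphore is already held, not to make the acquisition atomic.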
I've removed the acquisition of the semaphore here in pin_is_accessible() and added it in stm32_pinctrl_conf_apply() and stm32_gpio_get_dt(). See the appended fixup commit.
68cc90a to a68be58
Comments addressed.
Commit : Commit Commit:
Can you squash the commits so that I can do one last round please?
Sorry, nitpicking a bit, but STM32MP15 flavors have GPIO banks that do not have "firewall" capabilities, hence the "that area" wording I've used. Thanks for the other comments, I'll address them.
a68be58 to 6b8f610
3 comments remaining, otherwise I'm happy with this P-R.
Comments addressed.
Define STM32 GPIO DT bindings bit flags for GPIOs that are to be used in non-secure state. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Define stm32 pinctrl DT bindings bit flags for pins that are expected to be used in non-secure state. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Add property #access-controller-cells to GPIO banks that register to the firewall framework. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
On STM32MP15 based devices, UART2/3/4/5/6/7/8 cannot be secured. Explicitly state that in the pinctrl nodes. This change eases the use of a non-secure UART for OP-TEE output console on STM32MP15 based boards. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Explicitly state that legacy pinctrl phandles i2c4_pins_a and i2c4_sleep_pins_a refer to non-secure I2C4 pin muxing on STM32MP15 based platforms. Define secure I2C4 bus pinctrl states for boards that use the I2C4 bus in secure state on STM32MP15 SoCs. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Explicitly state that legacy pinctrl phandles usart4_pins_a refer to non-secure USART4 pin muxing, used in STM32MP13 based boards for OP-TEE console using a non-secure UART bus. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Explicitly state that legacy pinctrl phandles usart2_pins_a refer to non-secure USART2 pin muxing, used in STM32MP23 and STM32MP25 based boards for OP-TEE console using a non-secure UART bus. Define secure USART2 bus pinctrl states for boards that need to use the USART2 bus in secure state. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Check that a GPIO requested by a consumer is not already consumed by another device. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Change apply_rif_config() to be able to call it for a subset of pins in a GPIO bank. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Register secure aware STM32 GPIO banks to the firewall framework as a firewall controller to allow GPIO and pinctrl consumer devices to load alternate configurations for pins. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Release RIF semaphore taken at GPIO bank initialization and acquire them only when the GPIO or pinctrl is used or when a firewall configuration is requested. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
STM32 GPIO driver now verifies that any GPIO consumed by OP-TEE can be accessed and has the expected secure hardening configuration. If a driver attempts to consume a GPIO that cannot be accessed by OP-TEE, core panics. When a GPIO is used with an inappropriate secure configuration state, STM32 GPIO driver panics or prints an info level message, depending on CFG_INSECURE. This change is based on the recently added GPIO_STM32_NSEC bindings macro in STM32 GPIO driver DT bindings header file that is a hint on whether a consumed GPIO is expected secure or shared with non-secure world. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Make STM32 GPIO driver verify that all pins of applied pinctrl states can be accessed and have the expected secure hardening configuration when used. Non-secure pins must have the STM32_PIN_NSEC bit set in the pin handler argument unless what the pin is expected to be secure. The driver returns an error when the expected secure state of a pin does not match its effective secure state or it cannot be accessed, unless CFG_INSECURE is enabled in which case the driver only prints an info level trace message. If a driver attempts to consume a pinctrl with pins that do not exist, core panics. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Remove management of GPIO and pinctrl secure state since this is now handled from STM32 ETZPC driver based through the firewall framework. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Remove use of stm32_pinctrl_set_secure_cfg() to set the secure state of the pins of a pinctrl state since this is now handled from STM32 GPIO driver based on the firewall framework. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Remove use of stm32_pinctrl_set_secure_cfg() to set the secure state of the pins of a pinctrl state since this is now handled from STM32 GPIO driver based on the firewall framework. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Remove use of shared_resources platform driver to manage the secure state of the pins of a pinctrl state since this is now managed using the firewall framework. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
…ctrl Remove use of shared_resources platform driver in STM32MP15 PMIC driver to manage the secure state of the pins of a pinctrl state since this is now managed using the firewall framework. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
…tate Remove stm32_gpio_set_secure_cfg() and stm32_pinctrl_set_secure_cfg() functions that are no longer used since the STM32 GPIO and pins secure configurations are managed only through the firewall framework facilities. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
Remove the pin and GPIO secure state management from shared_resources platform driver since this is now managed using the firewall framework. Signed-off-by: Etienne Carriere <[email protected]> Reviewed-by: Gatien Chevallier <[email protected]>
314b668 to b2a5f61
Fixup commits squashed and review tag applied. CI checkpatch will report the same false positive warnings stated in #7102 (comment).
This P-R makes stm32mp platforms to OP-TEE secure DTB to manage STM32 GPIO access rights. It tried to nicely split changes but it now spreads on almost 20 commits.
"dt-bindings: gpio: stm32mp: flags for non-secure GPIOs"
"dt-bindings: pinctrl: stm32mp: flags for non-secure pins"
"dts: stm32: ..."
"drivers: stm32_gpio: check GPIO is not already consumed"
"drivers: stm32_gpio: factorize apply_rif_config()"
"drivers: stm32_gpio: register to firewall framework"
"drivers: stm32_gpio: check secure state of consumed GPIOs"
"drivers: stm32_gpio: check secure state of pinctrl states"
"drivers: stm32_xxx: remove use of xxx() ..."
"plat-stm32mp1: remove use of xxx() ..."
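The two "check secure state" commits above describe different failure handling for GPIO and pinctrl consumers. The following is an added example, not code from this P-R or from OP-TEE, that models those rules as a single decision function; all type and function names are hypothetical, and the handling of a missing pin for a GPIO consumer is an assumption since the commit message only states it for pinctrl.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names: this models the commit messages, not the OP-TEE sources */
enum consumer { CONSUMER_GPIO, CONSUMER_PINCTRL };
enum outcome { PIN_OK, PIN_INFO_TRACE, PIN_ERROR, PIN_PANIC };

struct pin_state {
	bool exists;     /* pin is present in the bank */
	bool accessible; /* OP-TEE may access the pin */
	bool secure;     /* effective secure hardening state */
};

/*
 * expect_nsec stands for the GPIO_STM32_NSEC / STM32_PIN_NSEC hint from the
 * DT, cfg_insecure for CFG_INSECURE.
 */
enum outcome check_pin(enum consumer who, bool expect_nsec,
		       const struct pin_state *pin, bool cfg_insecure)
{
	/* A pin flagged non-secure must not be secure, and the reverse */
	bool mismatch = pin->secure == expect_nsec;

	/* Missing pin: panic for pinctrl (commit message), assumed for GPIO */
	if (!pin->exists)
		return PIN_PANIC;

	if (who == CONSUMER_GPIO) {
		/* An inaccessible GPIO panics whatever CFG_INSECURE is */
		if (!pin->accessible)
			return PIN_PANIC;
		if (mismatch)
			return cfg_insecure ? PIN_INFO_TRACE : PIN_PANIC;
		return PIN_OK;
	}

	/* pinctrl: both failures are errors, downgraded by CFG_INSECURE */
	if (!pin->accessible || mismatch)
		return cfg_insecure ? PIN_INFO_TRACE : PIN_ERROR;
	return PIN_OK;
}

int main(void)
{
	/* Constructed sample: a secure pin requested with the non-secure flag */
	struct pin_state pin = { .exists = true, .accessible = true, .secure = true };

	printf("gpio=%d pinctrl=%d\n", check_pin(CONSUMER_GPIO, true, &pin, false),
	       check_pin(CONSUMER_PINCTRL, true, &pin, false));
	return 0;
}
```

Read this way, CFG_INSECURE downgrades an inaccessible pinctrl pin to a trace message but still panics on an inaccessible GPIO.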