[PREVIEW] GM200/GM204 signed firmware for Nouveau

[PREVIEW] GM200/GM204 signed firmware for Nouveau

[Alexandre Courbot]

Hi everyone,

I know, it's about f**king time and I apologize for the time it took us 
to finally put this together. m(__)m

I have pushed two git branches which enable GM200 and GM204 (GM206 to 
follow soon) owners to finally load NVIDIA-provided signed firmware and 
start GR:

- https://github.com/Gnurou/linux-firmware/tree/secboot contains the 
signed firmware for GM200 and GM204 (they are mostly the same). For each 
chip, "gr" contains the signed firmware for GR, and "acr" the signed 
firmware loader. ACR stands for Access Controlled Regions and is a 
secure firmware that runs on the PMU and is responsible for setting up a 
write-protected (WPR) region in VRAM where the other signed firmware can 
be verified and loaded without anyone tampering it. The ACR itself is 
also signed and verified by the hardware. More details on the signed 
firmware loading process can be found at 
ftp://download.nvidia.com/open-gpu-doc/Falcon-Security/1/Falcon-Security.html 
.

This ACR binary is currently custom-built for Nouveau and allows to only 
load GR. This means that other falcons which require signed firmware 
(like PMU) cannot be used as of now. Our goal is to eventually have 
Nouveau use the same firmware as our own driver (RM), but this will take 
some more work. One of the obstacles being that since RM embeds the 
firmware, both can safely evolve in lockstep, while in the context of 
Nouveau we must make sure older kernels remain supported forever and 
either avoid incompatible changes or manage different firmware versions.

- https://github.com/Gnurou/nouveau/tree/secboot is a Nouveau branch 
capable of loading the signed firmware. The patches are mostly in good 
shape and I hope that they will be merged once we iron out the last 
details about the firmware format, hopefully in time for 4.6. I still 
have issues with suspend/resume (module unload/reload works fine though) 
but hope to sort this out soon.

To test this, checkout my linux-firmware secboot branch and copy it to 
/lib/firmware, then build Nouveau from the secboot branch of my repo and 
load it. If your console switches to nouveaufb and you don't see Nouveau 
complaining about ACR boot failing, congratulations! GR is now ready to 
work. You won't go much further though unless you can add support for 
Maxwell 2 into Mesa - but the changes for basic support are rather 
modest, and hopefully this pre-release will be enough to enable patches 
to land in Mesa.

An official submit to linux-firmware will happen once we agree on the 
final firmware format and the kernel code is good to go. For now, please 
consider these branches as work-in-progress and do not distribute them 
or embed them anywhere to avoid compatiblity issues. Also update both 
together I as will heavily rebase in the next few days.

So while we have still some work ahead, this at least unlocks a very 
unpleasant situation for everyone, and we will take further steps to 
keep improving it.

Please test, hack Mesa, and comment on the kernel code so that we can 
get all this in time for 4.6! :)

Cheers,
Alex.
_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

Re: [Nouveau] [PREVIEW] GM200/GM204 signed firmware for Nouveau

[Ben Skeggs]

[-- Attachment #1.1: Type: text/plain, Size: 3416 bytes --]

On 15 Feb 2016 18:40, "Alexandre Courbot" <acourbot@nvidia.com> wrote:
>
> Hi everyone,
>
> I know, it's about f**king time and I apologize for the time it took us
to finally put this together. m(__)m
>
> I have pushed two git branches which enable GM200 and GM204 (GM206 to
follow soon) owners to finally load NVIDIA-provided signed firmware and
start GR:
>
> - https://github.com/Gnurou/linux-firmware/tree/secboot contains the
signed firmware for GM200 and GM204 (they are mostly the same). For each
chip, "gr" contains the signed firmware for GR, and "acr" the signed
firmware loader. ACR stands for Access Controlled Regions and is a secure
firmware that runs on the PMU and is responsible for setting up a
write-protected (WPR) region in VRAM where the other signed firmware can be
verified and loaded without anyone tampering it. The ACR itself is also
signed and verified by the hardware. More details on the signed firmware
loading process can be found at
ftp://download.nvidia.com/open-gpu-doc/Falcon-Security/1/Falcon-Security.html
.
>
> This ACR binary is currently custom-built for Nouveau and allows to only
load GR. This means that other falcons which require signed firmware (like
PMU) cannot be used as of now. Our goal is to eventually have Nouveau use
the same firmware as our own driver (RM), but this will take some more
work. One of the obstacles being that since RM embeds the firmware, both
can safely evolve in lockstep, while in the context of Nouveau we must make
sure older kernels remain supported forever and either avoid incompatible
changes or manage different firmware versions.
>
> - https://github.com/Gnurou/nouveau/tree/secboot is a Nouveau branch
capable of loading the signed firmware. The patches are mostly in good
shape and I hope that they will be merged once we iron out the last details
about the firmware format, hopefully in time for 4.6. I still have issues
with suspend/resume (module unload/reload works fine though) but hope to
sort this out soon.
>
> To test this, checkout my linux-firmware secboot branch and copy it to
/lib/firmware, then build Nouveau from the secboot branch of my repo and
load it. If your console switches to nouveaufb and you don't see Nouveau
complaining about ACR boot failing, congratulations! GR is now ready to
work. You won't go much further though unless you can add support for
Maxwell 2 into Mesa - but the changes for basic support are rather modest,
and hopefully this pre-release will be enough to enable patches to land in
Mesa.
>
> An official submit to linux-firmware will happen once we agree on the
final firmware format and the kernel code is good to go. For now, please
consider these branches as work-in-progress and do not distribute them or
embed them anywhere to avoid compatiblity issues. Also update both together
I as will heavily rebase in the next few days.
>
> So while we have still some work ahead, this at least unlocks a very
unpleasant situation for everyone, and we will take further steps to keep
improving it.
>
> Please test, hack Mesa, and comment on the kernel code so that we can get
all this in time for 4.6! :)
Thanks for this Alex!

I'll attempt to post the Mesa patches tomorrow to get the ball rolling :)

Ben.

>
> Cheers,
> Alex.
> _______________________________________________
> Nouveau mailing list
> Nouveau@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/nouveau

[-- Attachment #1.2: Type: text/html, Size: 4144 bytes --]

[-- Attachment #2: Type: text/plain, Size: 160 bytes --]

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel