From: "Eliot Courtney" <ecourtney@nvidia.com>
To: "Alexandre Courbot" <acourbot@nvidia.com>,
"Danilo Krummrich" <dakr@kernel.org>,
"John Hubbard" <jhubbard@nvidia.com>
Cc: "Timur Tabi" <ttabi@nvidia.com>,
"Alistair Popple" <apopple@nvidia.com>,
"Eliot Courtney" <ecourtney@nvidia.com>,
"Shashank Sharma" <shashanks@nvidia.com>,
"Zhi Wang" <zhiw@nvidia.com>, "David Airlie" <airlied@gmail.com>,
"Simona Vetter" <simona@ffwll.ch>,
"Bjorn Helgaas" <bhelgaas@google.com>,
"Miguel Ojeda" <ojeda@kernel.org>, "Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
nova-gpu@lists.linux.dev, LKML <linux-kernel@vger.kernel.org>,
"Boqun Feng" <boqun@kernel.org>
Subject: Re: [PATCH v13 7/9] gpu: nova-core: Hopper/Blackwell: add GSP lockdown release polling
Date: Wed, 03 Jun 2026 20:53:41 +0900 [thread overview]
Message-ID: <DIZE6PDLOCHP.ITQSKNYRZ7H1@nvidia.com> (raw)
In-Reply-To: <DIZC53CCKAUY.2L04G0C2WSVQZ@nvidia.com>
On Wed Jun 3, 2026 at 7:17 PM JST, Alexandre Courbot wrote:
> On Wed Jun 3, 2026 at 4:30 PM JST, Alexandre Courbot wrote:
>> From: John Hubbard <jhubbard@nvidia.com>
>>
>> On Hopper and Blackwell, FSP boots GSP with hardware lockdown enabled.
>> After FSP Chain of Trust completes, the driver must poll for lockdown
>> release before proceeding with GSP initialization. Add the register
>> bit and helper functions needed for this polling.
>>
>> Signed-off-by: John Hubbard <jhubbard@nvidia.com>
>> Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
>> ---
>> drivers/gpu/nova-core/falcon/gsp.rs | 6 +++
>> drivers/gpu/nova-core/fsp.rs | 6 +++
>> drivers/gpu/nova-core/gsp/hal/gh100.rs | 88 +++++++++++++++++++++++++++++++++-
>> drivers/gpu/nova-core/regs.rs | 2 +
>> 4 files changed, 100 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/gpu/nova-core/falcon/gsp.rs b/drivers/gpu/nova-core/falcon/gsp.rs
>> index df6d5a382c7a..136d6b24103f 100644
>> --- a/drivers/gpu/nova-core/falcon/gsp.rs
>> +++ b/drivers/gpu/nova-core/falcon/gsp.rs
>> @@ -57,4 +57,10 @@ pub(crate) fn check_reload_completed(&self, bar: &Bar0, timeout: Delta) -> Resul
>> )
>> .map(|_| true)
>> }
>> +
>> + /// Returns whether the RISC-V branch privilege lockdown bit is set.
>> + pub(crate) fn riscv_branch_privilege_lockdown(&self, bar: &Bar0) -> bool {
>> + bar.read(regs::NV_PFALCON_FALCON_HWCFG2::of::<Gsp>())
>> + .riscv_br_priv_lockdown()
>> + }
>> }
>> diff --git a/drivers/gpu/nova-core/fsp.rs b/drivers/gpu/nova-core/fsp.rs
>> index 883ac4f8b811..872898ffe0a3 100644
>> --- a/drivers/gpu/nova-core/fsp.rs
>> +++ b/drivers/gpu/nova-core/fsp.rs
>> @@ -184,6 +184,12 @@ pub(crate) fn new(
>> resume,
>> })
>> }
>> +
>> + /// DMA address of the FMC boot parameters, needed after boot for lockdown
>> + /// release polling.
>> + pub(crate) fn boot_params_dma_handle(&self) -> u64 {
>> + self.fmc_boot_params.dma_handle()
>> + }
>> }
>>
>> /// FSP interface for Hopper/Blackwell GPUs.
>> diff --git a/drivers/gpu/nova-core/gsp/hal/gh100.rs b/drivers/gpu/nova-core/gsp/hal/gh100.rs
>> index f41f3fea15ff..def41745a30f 100644
>> --- a/drivers/gpu/nova-core/gsp/hal/gh100.rs
>> +++ b/drivers/gpu/nova-core/gsp/hal/gh100.rs
>> @@ -5,7 +5,9 @@
>>
>> use kernel::{
>> device,
>> - dma::Coherent, //
>> + dma::Coherent,
>> + io::poll::read_poll_timeout,
>> + time::Delta, //
>> };
>>
>> use crate::{
>> @@ -33,6 +35,86 @@
>> },
>> };
>>
>> +/// GSP lockdown pattern written by firmware to mbox0 while RISC-V branch privilege
>> +/// lockdown is active. The low byte varies, the upper 24 bits are fixed.
>> +const GSP_LOCKDOWN_PATTERN: u32 = 0xbadf_4100;
>> +const GSP_LOCKDOWN_MASK: u32 = 0xffff_ff00;
nit: these constants can be moved into impl GspMbox or made local to
`is_locked_down`
>> +
>> +/// GSP falcon mailbox state, used to track lockdown release status.
>> +struct GspMbox {
>> + mbox0: u32,
>> + mbox1: u32,
>> +}
>> +
>> +impl GspMbox {
>> + /// Reads both mailboxes from the GSP falcon.
>> + fn read(gsp_falcon: &Falcon<GspEngine>, bar: &Bar0) -> Self {
>> + Self {
>> + mbox0: gsp_falcon.read_mailbox0(bar),
>> + mbox1: gsp_falcon.read_mailbox1(bar),
>> + }
>> + }
>> +
>> + /// Returns `true` if the lockdown pattern is present in `mbox0`.
>> + fn is_locked_down(&self) -> bool {
>> + (self.mbox0 & GSP_LOCKDOWN_MASK) == GSP_LOCKDOWN_PATTERN
>> + }
>> +
>> + /// Combines mailbox0 and mailbox1 into a 64-bit address.
>> + fn combined_addr(&self) -> u64 {
>> + (u64::from(self.mbox1) << 32) | u64::from(self.mbox0)
>> + }
>> +
>> + /// Returns `true` if GSP lockdown has been released.
>> + ///
>> + /// Checks the lockdown pattern, validates the boot params address,
>> + /// and verifies the `HWCFG2` lockdown bit is clear.
>> + fn lockdown_released(
>> + &self,
>> + gsp_falcon: &Falcon<GspEngine>,
>> + bar: &Bar0,
>> + fmc_boot_params_addr: u64,
>> + ) -> bool {
>> + if self.is_locked_down() {
>> + return false;
>> + }
>> +
>> + if self.mbox0 != 0 && self.combined_addr() != fmc_boot_params_addr {
>> + return true;
>> + }
>
> This looks like a bug - if the mailboxes still contain the boot
> parameters address, we will keep going and might return true on the next
> line, which the caller will interpret as an error. OpenRM does the
> opposite check and has an additional test for `mailbox0 != 0`, which we
> can translate into this logic:
>
> if self.mbox0 != 0 {
> return self.combined_addr() != fmc_boot_params_addr;
> }
>
> I'll fix it and add a few comments explaining what the code does as it
> can be a bit convoluted.
Yeah, I agree. I think the logic openrm uses is like:
1. wait until HWCFG2 != 0 && (HWCFG2 & 0xffffff00) != 0xbadf4100
2. wait until mbox0 == 0 || addr != fmc_boot_params_addr
3. wait until riscv_br_priv_lockdown == 0 || mbox0 != 0
So several things are different to openrm (not sure if they are wrong
though):
1. `is_locked_down` is checking the wrong register (should check HWCFG2
AFAICT). I think we should name this more like
'gsp_mailboxes_readable' or something, since IIUC it is meant to test
when it's valid to read mboxs.
2. other logic is wrong as you mentioned.
Maybe we could structure lockdown_released like this:
// can't read the mailboxes yet (even though we already did but the
// result is actually not valid so maybe this should be restructured)
if !gsp_mailboxes_readable {
return false;
}
// we can read the registers and we are still waiting for mbox0 to
// be zero
if mbox0 != 0 && addr == fmc_boot_params_addr {
return false;
}
// either lockdown is released or some error happened
return riscv_br_priv_lockdown == 0 || mbox0 != 0
I think your suggested change w.r.t. if self.mbox0 != 0; is also
correct. I think we should update the comment on the function and the
function name too to say it returns true on lockdown release OR an error
happened.
I don't know if there's a simpler logic that will work, just commenting
on how it compares to openrm.
next prev parent reply other threads:[~2026-06-03 11:53 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-03 7:30 [PATCH v13 0/9] gpu: nova-core: Hopper/Blackwell support Alexandre Courbot
2026-06-03 7:30 ` [PATCH v13 1/9] gpu: nova-core: Hopper/Blackwell: add FSP falcon EMEM operations Alexandre Courbot
2026-06-03 10:49 ` Eliot Courtney
2026-06-03 7:30 ` [PATCH v13 2/9] gpu: nova-core: Hopper/Blackwell: add FSP message infrastructure Alexandre Courbot
2026-06-03 10:50 ` Eliot Courtney
2026-06-03 7:30 ` [PATCH v13 3/9] gpu: nova-core: add MCTP/NVDM protocol types for firmware communication Alexandre Courbot
2026-06-03 7:30 ` [PATCH v13 4/9] gpu: nova-core: Hopper/Blackwell: add FSP send/receive messaging Alexandre Courbot
2026-06-03 10:57 ` Eliot Courtney
2026-06-03 7:30 ` [PATCH v13 5/9] gpu: nova-core: Hopper/Blackwell: select FSP Chain of Trust version Alexandre Courbot
2026-06-03 7:30 ` [PATCH v13 6/9] gpu: nova-core: Hopper/Blackwell: add FSP Chain of Trust boot Alexandre Courbot
2026-06-03 12:47 ` Eliot Courtney
2026-06-03 13:35 ` Alexandre Courbot
2026-06-03 7:30 ` [PATCH v13 7/9] gpu: nova-core: Hopper/Blackwell: add GSP lockdown release polling Alexandre Courbot
2026-06-03 10:17 ` Alexandre Courbot
2026-06-03 11:53 ` Eliot Courtney [this message]
2026-06-03 14:53 ` Alexandre Courbot
2026-06-03 7:30 ` [PATCH v13 8/9] gpu: nova-core: add non-sec2 unload path Alexandre Courbot
2026-06-03 7:30 ` [PATCH v13 9/9] gpu: nova-core: gsp: enable FSP boot path Alexandre Courbot
2026-06-03 11:04 ` Eliot Courtney
2026-06-03 15:04 ` [PATCH v13 0/9] gpu: nova-core: Hopper/Blackwell support Alexandre Courbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DIZE6PDLOCHP.ITQSKNYRZ7H1@nvidia.com \
--to=ecourtney@nvidia.com \
--cc=a.hindborg@kernel.org \
--cc=acourbot@nvidia.com \
--cc=airlied@gmail.com \
--cc=aliceryhl@google.com \
--cc=apopple@nvidia.com \
--cc=bhelgaas@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun@kernel.org \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=jhubbard@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lossin@kernel.org \
--cc=nova-gpu@lists.linux.dev \
--cc=ojeda@kernel.org \
--cc=shashanks@nvidia.com \
--cc=simona@ffwll.ch \
--cc=tmgross@umich.edu \
--cc=ttabi@nvidia.com \
--cc=zhiw@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.