From: Maxime Ripard
To: Nicolas Dufresne
Cc: Florent Tomasin, Vinod Koul, Rob Herring, Krzysztof Kozlowski, Conor Dooley, Boris Brezillon, Steven Price, Liviu Dudau, Maarten Lankhorst, Thomas Zimmermann, David Airlie, Simona Vetter, Sumit Semwal, Benjamin Gaignard, Brian Starkey, John Stultz, "T . J . Mercier", Christian König, Matthias Brugger, AngeloGioacchino Del Regno, Yong Wu, dmaengine@vger.kernel.org, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-media@vger.kernel.org, linaro-mm-sig@lists.linaro.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, nd@arm.com, Akash Goel
Subject: Re: [RFC PATCH 0/5] drm/panthor: Protected mode support for Mali CSF GPUs
Date: Wed, 5 Feb 2025 15:53:29 +0100
Message-ID: <20250205-robust-tall-parrot-69baf7@houat>

On Tue, Feb 04, 2025 at 01:22:58PM -0500, Nicolas Dufresne wrote:
> On Monday 03 February 2025 at 16:43 +0000, Florent Tomasin wrote:
> > Hi Maxime, Nicolas
> >
> > On 30/01/2025 17:47, Nicolas Dufresne wrote:
> > > On Thursday 30 January 2025 at 17:38 +0100, Maxime Ripard wrote:
> > > > Hi Nicolas,
> > > >
> > > > On Thu, Jan 30, 2025 at 10:59:56AM -0500, Nicolas Dufresne wrote:
> > > > > On Thursday 30 January 2025 at 14:46 +0100, Maxime Ripard wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I started to review it, but it's probably best to discuss it here.
> > > > > >
> > > > > > On Thu, Jan 30, 2025 at 01:08:56PM +0000, Florent Tomasin wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > This is a patch series covering the support for protected mode execution in
> > > > > > > Mali Panthor CSF kernel driver.
> > > > > > >
> > > > > > > The Mali CSF GPUs come with the support for protected mode execution at the
> > > > > > > HW level. This feature requires two main changes in the kernel driver:
> > > > > > >
> > > > > > > 1) Configure the GPU with a protected buffer. The system must provide a DMA
> > > > > > >    heap from which the driver can allocate a protected buffer.
> > > > > > >    It can be a carved-out memory or dynamically allocated protected memory region.
> > > > > > >    Some systems include a trusted FW which is in charge of the protected memory.
> > > > > > >    Since this problem is integration specific, the Mali Panthor CSF kernel
> > > > > > >    driver must import the protected memory from a device specific exporter.
> > > > > >
> > > > > > Why do you need a heap for it in the first place? My understanding of
> > > > > > your series is that you have a carved out memory region somewhere, and
> > > > > > you want to allocate from that carved out memory region your buffers.
> > > > > >
> > > > > > How is that any different from using a reserved-memory region, adding
> > > > > > the reserved-memory property to the GPU device and doing all your
> > > > > > allocation through the usual dma_alloc_* API?
> > > > >
> > > > > How do you then multiplex this region so it can be shared between
> > > > > GPU/Camera/Display/Codec drivers and also userspace?
> > > >
> > > > You could point all the devices to the same reserved memory region, and
> > > > they would all allocate from there, including for their userspace-facing
> > > > allocations.
> > >
> > > I get that using memory region is somewhat more of an HW description, and
> > > aligned with what a DT is supposed to describe. One of the challenges is that
> > > Mediatek heap proposal ends up calling into their TEE, meaning knowing the region
> > > is not that useful. You actually need the TEE APP guid and its IPC protocol. If
> > > we can tell drivers to use a heap instead, we can abstract that SoC specific
> > > complexity. I believe each allocated address has to be mapped to a zone, and
> > > that can only be done in the secure application. I can imagine similar needs
> > > when the protection is done using some sort of a VM / hypervisor.
> > >
> > > Nicolas
> > >
> >
> > The idea in this design is to abstract the heap management from the
> > Panthor kernel driver (which consumes a DMA buffer from it).
> >
> > In a system, an integrator would have implemented a secure heap driver,
> > and could be based on TEE or a carved-out memory with restricted access,
> > or else. This heap driver would be responsible for implementing the
> > logic to: allocate, free, refcount, etc.
> >
> > The heap would be retrieved by the Panthor kernel driver in order to
> > allocate protected memory to load the FW and allow the GPU to enter/exit
> > protected mode. This memory would not belong to a user space process.
> > The driver allocates it at the time of loading the FW and initialization
> > of the GPU HW. This is a device globally owned protected memory.
>
> This use case also applies well for codec. The Mediatek SCP firmware needs to be
> loaded with a restricted memory too, it's a very similar scenario, plus Mediatek
> chips often include a Mali. On top of that, V4L2 codecs (in general) do need to
> allocate internal scratch buffer for the IP to write to for things like motion
> vectors, reconstruction frames, entropy statistics, etc. The IP will only be
> able to write if the memory is restricted.

BTW, in such a case, do the scratch buffers need to be
protected/secure/whatever too, or would codecs be able to use any buffer
as a scratch buffer?

Maxime