[RFC 0/2] of: Add whitelist

[RFC 0/2] of: Add whitelist

[Alan Tull]

Here's a proposal for a whitelist to lock down the dynamic device tree.

For an overlay to be accepted, all of its targets are required to be
on a target node whitelist.

Currently the only way I have to get on the whitelist is calling a
function to add a node.  That works for fpga regions, but I think
other uses will need a way of having adding specific nodes from the
base device tree, such as by adding a property like 'allow-overlay;'
or 'allow-overlay = "okay";' If that is acceptable, I could use some
advice on where that particular code should go.

Alan

Alan Tull (2):
  of: overlay: add whitelist
  fpga: of region: add of-fpga-region to whitelist

 drivers/fpga/of-fpga-region.c |  9 ++++++
 drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
 include/linux/of.h            | 12 +++++++
 3 files changed, 94 insertions(+)

-- 
2.7.4

--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[RFC 1/2] of: overlay: add whitelist

[Alan Tull]

Add simple whitelist.  When an overlay is submitted, if any target in
the overlay is not in the whitelist, the overlay is rejected.  Drivers
that support dynamic configuration can register their device node with:

  int of_add_whitelist_node(struct device_node *np)

and remove themselves with:

  void of_remove_whitelist_node(struct device_node *np)

Signed-off-by: Alan Tull <atull@kernel.org>
---
 drivers/of/overlay.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/of.h   | 12 +++++++++
 2 files changed, 85 insertions(+)

diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
index c150abb..5f952a1 100644
--- a/drivers/of/overlay.c
+++ b/drivers/of/overlay.c
@@ -21,6 +21,7 @@
 #include <linux/slab.h>
 #include <linux/err.h>
 #include <linux/idr.h>
+#include <linux/spinlock.h>
 
 #include "of_private.h"
 
@@ -646,6 +647,74 @@ static void free_overlay_changeset(struct overlay_changeset *ovcs)
 	kfree(ovcs);
 }
 
+/* lock for adding/removing device nodes to the whitelist */
+static spinlock_t whitelist_lock;
+
+static struct list_head whitelist_list = LIST_HEAD_INIT(whitelist_list);
+
+struct dt_overlay_whitelist {
+	struct device_node *np;
+	struct list_head node;
+};
+
+int of_add_whitelist_node(struct device_node *np)
+{
+	unsigned long flags;
+	struct dt_overlay_whitelist *wln;
+
+	wln = kzalloc(sizeof(*wln), GFP_KERNEL);
+	if (!wln)
+		return -ENOMEM;
+
+	wln->np = np;
+
+	spin_lock_irqsave(&whitelist_lock, flags);
+	list_add(&wln->node, &whitelist_list);
+	spin_unlock_irqrestore(&whitelist_lock, flags);
+
+	return 0;
+}
+EXPORT_SYMBOL_GPL(of_add_whitelist_node);
+
+void of_remove_whitelist_node(struct device_node *np)
+{
+	struct dt_overlay_whitelist *wln;
+	unsigned long flags;
+
+	list_for_each_entry(wln, &whitelist_list, node) {
+		if (np == wln->np) {
+			spin_lock_irqsave(&whitelist_lock, flags);
+			list_del(&wln->node);
+			spin_unlock_irqrestore(&whitelist_lock, flags);
+			kfree(wln);
+			return;
+		}
+	}
+}
+EXPORT_SYMBOL_GPL(of_remove_whitelist_node);
+
+static int of_check_whitelist(struct overlay_changeset *ovcs)
+{
+	struct dt_overlay_whitelist *wln;
+	struct device_node *target;
+	int i;
+
+	for (i = 0; i < ovcs->count; i++) {
+		target = ovcs->fragments[i].target;
+		if (!of_node_cmp(target->name, "__symbols__"))
+			continue;
+
+		list_for_each_entry(wln, &whitelist_list, node)
+			if (target == wln->np)
+				break;
+
+		if (target != wln->np)
+			return -ENODEV;
+	}
+
+	return 0;
+}
+
 /**
  * of_overlay_apply() - Create and apply an overlay changeset
  * @tree:	Expanded overlay device tree
@@ -717,6 +786,10 @@ int of_overlay_apply(struct device_node *tree, int *ovcs_id)
 	if (ret)
 		goto err_free_overlay_changeset;
 
+	ret = of_check_whitelist(ovcs);
+	if (ret)
+		goto err_free_overlay_changeset;
+
 	ret = overlay_notify(ovcs, OF_OVERLAY_PRE_APPLY);
 	if (ret) {
 		pr_err("overlay changeset pre-apply notify error %d\n", ret);
diff --git a/include/linux/of.h b/include/linux/of.h
index d3dea1d..5bf652a1 100644
--- a/include/linux/of.h
+++ b/include/linux/of.h
@@ -1364,6 +1364,9 @@ int of_overlay_remove_all(void);
 int of_overlay_notifier_register(struct notifier_block *nb);
 int of_overlay_notifier_unregister(struct notifier_block *nb);
 
+int of_add_whitelist_node(struct device_node *np);
+void of_remove_whitelist_node(struct device_node *np);
+
 #else
 
 static inline int of_overlay_apply(struct device_node *tree, int *ovcs_id)
@@ -1391,6 +1394,15 @@ static inline int of_overlay_notifier_unregister(struct notifier_block *nb)
 	return 0;
 }
 
+static inline int of_add_whitelist_node(struct device_node *np)
+{
+	return 0;
+}
+
+static inline void of_remove_whitelist_node(struct device_node *np)
+{
+}
+
 #endif
 
 #endif /* _LINUX_OF_H */
-- 
2.7.4

Re: [RFC 1/2] of: overlay: add whitelist

[Rob Herring]

On Mon, Nov 27, 2017 at 02:58:03PM -0600, Alan Tull wrote:
> Add simple whitelist.  When an overlay is submitted, if any target in
> the overlay is not in the whitelist, the overlay is rejected.  Drivers
> that support dynamic configuration can register their device node with:
> 
>   int of_add_whitelist_node(struct device_node *np)
> 
> and remove themselves with:
> 
>   void of_remove_whitelist_node(struct device_node *np)

I think these should be named for what they do, not how it is 
implemented.

> 
> Signed-off-by: Alan Tull <atull@kernel.org>
> ---
>  drivers/of/overlay.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>  include/linux/of.h   | 12 +++++++++
>  2 files changed, 85 insertions(+)
> 
> diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
> index c150abb..5f952a1 100644
> --- a/drivers/of/overlay.c
> +++ b/drivers/of/overlay.c
> @@ -21,6 +21,7 @@
>  #include <linux/slab.h>
>  #include <linux/err.h>
>  #include <linux/idr.h>
> +#include <linux/spinlock.h>
>  
>  #include "of_private.h"
>  
> @@ -646,6 +647,74 @@ static void free_overlay_changeset(struct overlay_changeset *ovcs)
>  	kfree(ovcs);
>  }
>  
> +/* lock for adding/removing device nodes to the whitelist */
> +static spinlock_t whitelist_lock;
> +
> +static struct list_head whitelist_list = LIST_HEAD_INIT(whitelist_list);
> +
> +struct dt_overlay_whitelist {
> +	struct device_node *np;
> +	struct list_head node;
> +};

Can't we just add a flags bit in device_node.flags? That would be much 
simpler.

> +
> +int of_add_whitelist_node(struct device_node *np)
> +{
> +	unsigned long flags;
> +	struct dt_overlay_whitelist *wln;
> +
> +	wln = kzalloc(sizeof(*wln), GFP_KERNEL);
> +	if (!wln)
> +		return -ENOMEM;
> +
> +	wln->np = np;
> +
> +	spin_lock_irqsave(&whitelist_lock, flags);
> +	list_add(&wln->node, &whitelist_list);
> +	spin_unlock_irqrestore(&whitelist_lock, flags);
> +
> +	return 0;
> +}
> +EXPORT_SYMBOL_GPL(of_add_whitelist_node);
> +
> +void of_remove_whitelist_node(struct device_node *np)
> +{
> +	struct dt_overlay_whitelist *wln;
> +	unsigned long flags;
> +
> +	list_for_each_entry(wln, &whitelist_list, node) {
> +		if (np == wln->np) {
> +			spin_lock_irqsave(&whitelist_lock, flags);
> +			list_del(&wln->node);
> +			spin_unlock_irqrestore(&whitelist_lock, flags);
> +			kfree(wln);
> +			return;
> +		}
> +	}
> +}
> +EXPORT_SYMBOL_GPL(of_remove_whitelist_node);
> +
> +static int of_check_whitelist(struct overlay_changeset *ovcs)
> +{
> +	struct dt_overlay_whitelist *wln;
> +	struct device_node *target;
> +	int i;
> +
> +	for (i = 0; i < ovcs->count; i++) {
> +		target = ovcs->fragments[i].target;
> +		if (!of_node_cmp(target->name, "__symbols__"))
> +			continue;
> +
> +		list_for_each_entry(wln, &whitelist_list, node)
> +			if (target == wln->np)
> +				break;
> +
> +		if (target != wln->np)
> +			return -ENODEV;
> +	}
> +
> +	return 0;
> +}
> +
>  /**
>   * of_overlay_apply() - Create and apply an overlay changeset
>   * @tree:	Expanded overlay device tree
> @@ -717,6 +786,10 @@ int of_overlay_apply(struct device_node *tree, int *ovcs_id)
>  	if (ret)
>  		goto err_free_overlay_changeset;
>  
> +	ret = of_check_whitelist(ovcs);
> +	if (ret)
> +		goto err_free_overlay_changeset;

This will break you until the next patch and breaks any other users. I 
think this is now just the unittest as tilcdc overlay is getting 
removed.

You have to make this chunk the last patch in the series.

Rob

Re: [RFC 1/2] of: overlay: add whitelist

[Alan Tull]

On Tue, Nov 28, 2017 at 9:15 AM, Rob Herring <robh-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> On Mon, Nov 27, 2017 at 02:58:03PM -0600, Alan Tull wrote:
>> Add simple whitelist.  When an overlay is submitted, if any target in
>> the overlay is not in the whitelist, the overlay is rejected.  Drivers
>> that support dynamic configuration can register their device node with:
>>
>>   int of_add_whitelist_node(struct device_node *np)
>>
>> and remove themselves with:
>>
>>   void of_remove_whitelist_node(struct device_node *np)
>
> I think these should be named for what they do, not how it is
> implemented.

Sure, such as of_node_overlay_enable and of_node_overlay_disable?

>
>>
>> Signed-off-by: Alan Tull <atull-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
>> ---
>>  drivers/of/overlay.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>>  include/linux/of.h   | 12 +++++++++
>>  2 files changed, 85 insertions(+)
>>
>> diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
>> index c150abb..5f952a1 100644
>> --- a/drivers/of/overlay.c
>> +++ b/drivers/of/overlay.c
>> @@ -21,6 +21,7 @@
>>  #include <linux/slab.h>
>>  #include <linux/err.h>
>>  #include <linux/idr.h>
>> +#include <linux/spinlock.h>
>>
>>  #include "of_private.h"
>>
>> @@ -646,6 +647,74 @@ static void free_overlay_changeset(struct overlay_changeset *ovcs)
>>       kfree(ovcs);
>>  }
>>
>> +/* lock for adding/removing device nodes to the whitelist */
>> +static spinlock_t whitelist_lock;
>> +
>> +static struct list_head whitelist_list = LIST_HEAD_INIT(whitelist_list);
>> +
>> +struct dt_overlay_whitelist {
>> +     struct device_node *np;
>> +     struct list_head node;
>> +};
>
> Can't we just add a flags bit in device_node.flags? That would be much
> simpler.

Yes, much simpler.  Such as:

#define OF_OVERLAY_ENABLED     5 /* allow DT overlay targeting this node */

>
>> +
>> +int of_add_whitelist_node(struct device_node *np)
>> +{
>> +     unsigned long flags;
>> +     struct dt_overlay_whitelist *wln;
>> +
>> +     wln = kzalloc(sizeof(*wln), GFP_KERNEL);
>> +     if (!wln)
>> +             return -ENOMEM;
>> +
>> +     wln->np = np;
>> +
>> +     spin_lock_irqsave(&whitelist_lock, flags);
>> +     list_add(&wln->node, &whitelist_list);
>> +     spin_unlock_irqrestore(&whitelist_lock, flags);
>> +
>> +     return 0;
>> +}
>> +EXPORT_SYMBOL_GPL(of_add_whitelist_node);
>> +
>> +void of_remove_whitelist_node(struct device_node *np)
>> +{
>> +     struct dt_overlay_whitelist *wln;
>> +     unsigned long flags;
>> +
>> +     list_for_each_entry(wln, &whitelist_list, node) {
>> +             if (np == wln->np) {
>> +                     spin_lock_irqsave(&whitelist_lock, flags);
>> +                     list_del(&wln->node);
>> +                     spin_unlock_irqrestore(&whitelist_lock, flags);
>> +                     kfree(wln);
>> +                     return;
>> +             }
>> +     }
>> +}
>> +EXPORT_SYMBOL_GPL(of_remove_whitelist_node);
>> +
>> +static int of_check_whitelist(struct overlay_changeset *ovcs)
>> +{
>> +     struct dt_overlay_whitelist *wln;
>> +     struct device_node *target;
>> +     int i;
>> +
>> +     for (i = 0; i < ovcs->count; i++) {
>> +             target = ovcs->fragments[i].target;
>> +             if (!of_node_cmp(target->name, "__symbols__"))
>> +                     continue;
>> +
>> +             list_for_each_entry(wln, &whitelist_list, node)
>> +                     if (target == wln->np)
>> +                             break;
>> +
>> +             if (target != wln->np)
>> +                     return -ENODEV;
>> +     }
>> +
>> +     return 0;
>> +}
>> +
>>  /**
>>   * of_overlay_apply() - Create and apply an overlay changeset
>>   * @tree:    Expanded overlay device tree
>> @@ -717,6 +786,10 @@ int of_overlay_apply(struct device_node *tree, int *ovcs_id)
>>       if (ret)
>>               goto err_free_overlay_changeset;
>>
>> +     ret = of_check_whitelist(ovcs);
>> +     if (ret)
>> +             goto err_free_overlay_changeset;
>
> This will break you until the next patch and breaks any other users. I
> think this is now just the unittest as tilcdc overlay is getting
> removed.
>
> You have to make this chunk the last patch in the series.

I'd rather squash the two patches.  In either case, the contents of
second patch are dependent on stuff in char-misc-testing today, so it
won't be able to apply yet on linux-next or anywhere else.

Thanks
Alan

>
> Rob
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 1/2] of: overlay: add whitelist

[Frank Rowand]

On 11/28/17 14:26, Alan Tull wrote:
> On Tue, Nov 28, 2017 at 9:15 AM, Rob Herring <robh@kernel.org> wrote:
>> On Mon, Nov 27, 2017 at 02:58:03PM -0600, Alan Tull wrote:
>>> Add simple whitelist.  When an overlay is submitted, if any target in
>>> the overlay is not in the whitelist, the overlay is rejected.  Drivers
>>> that support dynamic configuration can register their device node with:
>>>
>>>   int of_add_whitelist_node(struct device_node *np)
>>>
>>> and remove themselves with:
>>>
>>>   void of_remove_whitelist_node(struct device_node *np)
>>
>> I think these should be named for what they do, not how it is
>> implemented.
> 
> Sure, such as of_node_overlay_enable and of_node_overlay_disable?
of_allow_overlay_on_node(), of_disallow_overlay_on_node()?


> 
>>
>>>
>>> Signed-off-by: Alan Tull <atull@kernel.org>
>>> ---
>>>  drivers/of/overlay.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>  include/linux/of.h   | 12 +++++++++
>>>  2 files changed, 85 insertions(+)
>>>
>>> diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
>>> index c150abb..5f952a1 100644
>>> --- a/drivers/of/overlay.c
>>> +++ b/drivers/of/overlay.c
>>> @@ -21,6 +21,7 @@
>>>  #include <linux/slab.h>
>>>  #include <linux/err.h>
>>>  #include <linux/idr.h>
>>> +#include <linux/spinlock.h>
>>>
>>>  #include "of_private.h"
>>>
>>> @@ -646,6 +647,74 @@ static void free_overlay_changeset(struct overlay_changeset *ovcs)
>>>       kfree(ovcs);
>>>  }
>>>
>>> +/* lock for adding/removing device nodes to the whitelist */
>>> +static spinlock_t whitelist_lock;
>>> +
>>> +static struct list_head whitelist_list = LIST_HEAD_INIT(whitelist_list);
>>> +
>>> +struct dt_overlay_whitelist {
>>> +     struct device_node *np;
>>> +     struct list_head node;
>>> +};
>>
>> Can't we just add a flags bit in device_node.flags? That would be much
>> simpler.
> 
> Yes, much simpler.  Such as:
> 
> #define OF_OVERLAY_ENABLED     5 /* allow DT overlay targeting this node */
> 
>>
>>> +
>>> +int of_add_whitelist_node(struct device_node *np)
>>> +{
>>> +     unsigned long flags;
>>> +     struct dt_overlay_whitelist *wln;
>>> +
>>> +     wln = kzalloc(sizeof(*wln), GFP_KERNEL);
>>> +     if (!wln)
>>> +             return -ENOMEM;
>>> +
>>> +     wln->np = np;
>>> +
>>> +     spin_lock_irqsave(&whitelist_lock, flags);
>>> +     list_add(&wln->node, &whitelist_list);
>>> +     spin_unlock_irqrestore(&whitelist_lock, flags);
>>> +
>>> +     return 0;
>>> +}
>>> +EXPORT_SYMBOL_GPL(of_add_whitelist_node);
>>> +
>>> +void of_remove_whitelist_node(struct device_node *np)
>>> +{
>>> +     struct dt_overlay_whitelist *wln;
>>> +     unsigned long flags;
>>> +
>>> +     list_for_each_entry(wln, &whitelist_list, node) {
>>> +             if (np == wln->np) {
>>> +                     spin_lock_irqsave(&whitelist_lock, flags);
>>> +                     list_del(&wln->node);
>>> +                     spin_unlock_irqrestore(&whitelist_lock, flags);
>>> +                     kfree(wln);
>>> +                     return;
>>> +             }
>>> +     }
>>> +}
>>> +EXPORT_SYMBOL_GPL(of_remove_whitelist_node);
>>> +
>>> +static int of_check_whitelist(struct overlay_changeset *ovcs)
>>> +{
>>> +     struct dt_overlay_whitelist *wln;
>>> +     struct device_node *target;
>>> +     int i;
>>> +
>>> +     for (i = 0; i < ovcs->count; i++) {
>>> +             target = ovcs->fragments[i].target;
>>> +             if (!of_node_cmp(target->name, "__symbols__"))
>>> +                     continue;
>>> +
>>> +             list_for_each_entry(wln, &whitelist_list, node)
>>> +                     if (target == wln->np)
>>> +                             break;
>>> +
>>> +             if (target != wln->np)
>>> +                     return -ENODEV;
>>> +     }
>>> +
>>> +     return 0;
>>> +}
>>> +
>>>  /**
>>>   * of_overlay_apply() - Create and apply an overlay changeset
>>>   * @tree:    Expanded overlay device tree
>>> @@ -717,6 +786,10 @@ int of_overlay_apply(struct device_node *tree, int *ovcs_id)
>>>       if (ret)
>>>               goto err_free_overlay_changeset;
>>>
>>> +     ret = of_check_whitelist(ovcs);
>>> +     if (ret)
>>> +             goto err_free_overlay_changeset;
>>
>> This will break you until the next patch and breaks any other users. I
>> think this is now just the unittest as tilcdc overlay is getting
>> removed.
>>
>> You have to make this chunk the last patch in the series.
> 
> I'd rather squash the two patches.  In either case, the contents of
> second patch are dependent on stuff in char-misc-testing today, so it
> won't be able to apply yet on linux-next or anywhere else.
> 
> Thanks
> Alan
> 
>>
>> Rob
> 

[RFC 2/2] fpga: of region: add of-fpga-region to whitelist

[Alan Tull]

During each FPGA region's probe, add to whitelist.  Remove
during driver remove.

Signed-off-by: Alan Tull <atull@kernel.org>
---
 drivers/fpga/of-fpga-region.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/fpga/of-fpga-region.c b/drivers/fpga/of-fpga-region.c
index 7dfaa95..abb57a9 100644
--- a/drivers/fpga/of-fpga-region.c
+++ b/drivers/fpga/of-fpga-region.c
@@ -435,6 +435,10 @@ static int of_fpga_region_probe(struct platform_device *pdev)
 	/* Specify how to get bridges for this type of region. */
 	region->get_bridges = of_fpga_region_get_bridges;
 
+	ret = of_add_whitelist_node(np);
+	if (ret)
+		goto eprobe_wl_err;
+
 	ret = fpga_region_register(region);
 	if (ret)
 		goto eprobe_mgr_put;
@@ -447,6 +451,8 @@ static int of_fpga_region_probe(struct platform_device *pdev)
 	return 0;
 
 eprobe_mgr_put:
+	of_remove_whitelist_node(np);
+eprobe_wl_err:
 	fpga_mgr_put(mgr);
 	return ret;
 }
@@ -454,7 +460,10 @@ static int of_fpga_region_probe(struct platform_device *pdev)
 static int of_fpga_region_remove(struct platform_device *pdev)
 {
 	struct fpga_region *region = platform_get_drvdata(pdev);
+	struct device *dev = &pdev->dev;
+	struct device_node *np = dev->of_node;
 
+	of_remove_whitelist_node(np);
 	fpga_region_unregister(region);
 	fpga_mgr_put(region->mgr);
 
-- 
2.7.4

Re: [RFC 0/2] of: Add whitelist

[Frank Rowand]

On 11/27/17 15:58, Alan Tull wrote:
> Here's a proposal for a whitelist to lock down the dynamic device tree.
> 
> For an overlay to be accepted, all of its targets are required to be
> on a target node whitelist.
> 
> Currently the only way I have to get on the whitelist is calling a
> function to add a node.  That works for fpga regions, but I think
> other uses will need a way of having adding specific nodes from the
> base device tree, such as by adding a property like 'allow-overlay;'
> or 'allow-overlay = "okay";' If that is acceptable, I could use some
> advice on where that particular code should go.
> 
> Alan
> 
> Alan Tull (2):
>   of: overlay: add whitelist
>   fpga: of region: add of-fpga-region to whitelist
> 
>  drivers/fpga/of-fpga-region.c |  9 ++++++
>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>  include/linux/of.h            | 12 +++++++
>  3 files changed, 94 insertions(+)
> 

The plan was to use connectors to restrict where an overlay could be applied.
I would prefer not to have multiple methods for accomplishing the same thing
unless there is a compelling reason to do so.

-Frnank

Re: [RFC 0/2] of: Add whitelist

[Rob Herring]

On Wed, Nov 29, 2017 at 3:20 AM, Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 11/27/17 15:58, Alan Tull wrote:
>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>
>> For an overlay to be accepted, all of its targets are required to be
>> on a target node whitelist.
>>
>> Currently the only way I have to get on the whitelist is calling a
>> function to add a node.  That works for fpga regions, but I think
>> other uses will need a way of having adding specific nodes from the
>> base device tree, such as by adding a property like 'allow-overlay;'
>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>> advice on where that particular code should go.
>>
>> Alan
>>
>> Alan Tull (2):
>>   of: overlay: add whitelist
>>   fpga: of region: add of-fpga-region to whitelist
>>
>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>  include/linux/of.h            | 12 +++++++
>>  3 files changed, 94 insertions(+)
>>
>
> The plan was to use connectors to restrict where an overlay could be applied.
> I would prefer not to have multiple methods for accomplishing the same thing
> unless there is a compelling reason to do so.

Connector nodes need a mechanism to enable themselves, too. I don't
think connector nodes are going to solve every usecase.

Rob
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 0/2] of: Add whitelist

[Alan Tull]

On Wed, Nov 29, 2017 at 7:31 AM, Rob Herring <robh+dt-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> On Wed, Nov 29, 2017 at 3:20 AM, Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> On 11/27/17 15:58, Alan Tull wrote:
>>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>>
>>> For an overlay to be accepted, all of its targets are required to be
>>> on a target node whitelist.
>>>
>>> Currently the only way I have to get on the whitelist is calling a
>>> function to add a node.  That works for fpga regions, but I think
>>> other uses will need a way of having adding specific nodes from the
>>> base device tree, such as by adding a property like 'allow-overlay;'
>>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>>> advice on where that particular code should go.
>>>
>>> Alan
>>>
>>> Alan Tull (2):
>>>   of: overlay: add whitelist
>>>   fpga: of region: add of-fpga-region to whitelist
>>>
>>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>>  include/linux/of.h            | 12 +++++++
>>>  3 files changed, 94 insertions(+)
>>>
>>
>> The plan was to use connectors to restrict where an overlay could be applied.
>> I would prefer not to have multiple methods for accomplishing the same thing
>> unless there is a compelling reason to do so.
>
> Connector nodes need a mechanism to enable themselves, too. I don't
> think connector nodes are going to solve every usecase.
>
> Rob

The two methods I'm suggesting are intended to handle different cases.
  There will exist some drivers that by their nature will want every
instance to be enabled for overlays, such as fpga regions.  The other
case is where drivers could support overlays but that's not the
widespread use for them.  So no need to enable every instance of that
driver for overlays.  In that case the DT property provides some
granularity, only enabling overlays for specific instances of that
driver, leaving the rest of the DT locked down.

If we only want one method, I would choose having the DT property only
and not exporting the functions.  Users would have to add the property
for every FPGA region but that's not really painful.  This would have
the benefit of still keeping the DT locked down unless someone
specifically wanted to enable some regions for overlays for their
particular use.

Alan
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 0/2] of: Add whitelist

[Frank Rowand]

On 11/29/17 11:11, Alan Tull wrote:
> On Wed, Nov 29, 2017 at 7:31 AM, Rob Herring <robh+dt-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
>> On Wed, Nov 29, 2017 at 3:20 AM, Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>> On 11/27/17 15:58, Alan Tull wrote:
>>>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>>>
>>>> For an overlay to be accepted, all of its targets are required to be
>>>> on a target node whitelist.
>>>>
>>>> Currently the only way I have to get on the whitelist is calling a
>>>> function to add a node.  That works for fpga regions, but I think
>>>> other uses will need a way of having adding specific nodes from the
>>>> base device tree, such as by adding a property like 'allow-overlay;'
>>>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>>>> advice on where that particular code should go.
>>>>
>>>> Alan
>>>>
>>>> Alan Tull (2):
>>>>   of: overlay: add whitelist
>>>>   fpga: of region: add of-fpga-region to whitelist
>>>>
>>>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>>>  include/linux/of.h            | 12 +++++++
>>>>  3 files changed, 94 insertions(+)
>>>>
>>>
>>> The plan was to use connectors to restrict where an overlay could be applied.
>>> I would prefer not to have multiple methods for accomplishing the same thing
>>> unless there is a compelling reason to do so.
>>
>> Connector nodes need a mechanism to enable themselves, too. I don't
>> think connector nodes are going to solve every usecase.
>>
>> Rob
> 
> The two methods I'm suggesting are intended to handle different cases.
>   There will exist some drivers that by their nature will want every
> instance to be enabled for overlays, such as fpga regions.  The other
> case is where drivers could support overlays but that's not the
> widespread use for them.  So no need to enable every instance of that
> driver for overlays.

I understand what the paragraph, to this point, means.  But I had to
read it several times to understand it because the way the concept is
phrased clashed with my mental model.

The device node is not an instance of a driver, which is why I was
getting confused.  (Yes, I do understand that the paragraph is talking
about multiple device nodes that are bound to the same driver, but
my mental model is tied to the device node, not to the driver.)

If each of the device nodes in question is a connector, then each of
the nodes will bind to a connector driver, based on the value of the
compatible property.  (This is of course a theoretical assumption on
my part since the connectors are not yet implemented.)

If the connector node is an fpga, or an fpga region (I may be getting
my terminology wrong here - please correct as needed) then an fpga
overlay could be applied to the node.

If I understand what you are saying, there will be some fpga connector
nodes for which the usage at a given moment might be programmed to
function in a manner that will not be described by an overlay, but
at a different moment in time may be programmed in a way that needs
to be described by an overlay.  So there may be some times that it
is valid to apply an overlay to the connector node and times that
it is not valid to apply an overlay to the connector node.

Is my understanding correct, or am I still confused?

-Frank

> In that case the DT property provides some
> granularity, only enabling overlays for specific instances of that
> driver, leaving the rest of the DT locked down.> 
> If we only want one method, I would choose having the DT property only
> and not exporting the functions.  Users would have to add the property
> for every FPGA region but that's not really painful.  This would have
> the benefit of still keeping the DT locked down unless someone
> specifically wanted to enable some regions for overlays for their
> particular use.
> 
> Alan
> 

--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 0/2] of: Add whitelist

[Alan Tull]

On Thu, Nov 30, 2017 at 6:46 AM, Frank Rowand <frowand.list@gmail.com> wrote:
> On 11/29/17 11:11, Alan Tull wrote:
>> On Wed, Nov 29, 2017 at 7:31 AM, Rob Herring <robh+dt@kernel.org> wrote:
>>> On Wed, Nov 29, 2017 at 3:20 AM, Frank Rowand <frowand.list@gmail.com> wrote:
>>>> On 11/27/17 15:58, Alan Tull wrote:
>>>>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>>>>
>>>>> For an overlay to be accepted, all of its targets are required to be
>>>>> on a target node whitelist.
>>>>>
>>>>> Currently the only way I have to get on the whitelist is calling a
>>>>> function to add a node.  That works for fpga regions, but I think
>>>>> other uses will need a way of having adding specific nodes from the
>>>>> base device tree, such as by adding a property like 'allow-overlay;'
>>>>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>>>>> advice on where that particular code should go.
>>>>>
>>>>> Alan
>>>>>
>>>>> Alan Tull (2):
>>>>>   of: overlay: add whitelist
>>>>>   fpga: of region: add of-fpga-region to whitelist
>>>>>
>>>>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>>>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>>>>  include/linux/of.h            | 12 +++++++
>>>>>  3 files changed, 94 insertions(+)
>>>>>
>>>>
>>>> The plan was to use connectors to restrict where an overlay could be applied.
>>>> I would prefer not to have multiple methods for accomplishing the same thing
>>>> unless there is a compelling reason to do so.
>>>
>>> Connector nodes need a mechanism to enable themselves, too. I don't
>>> think connector nodes are going to solve every usecase.
>>>
>>> Rob
>>
>> The two methods I'm suggesting are intended to handle different cases.
>>   There will exist some drivers that by their nature will want every
>> instance to be enabled for overlays, such as fpga regions.  The other
>> case is where drivers could support overlays but that's not the
>> widespread use for them.  So no need to enable every instance of that
>> driver for overlays.
>
> I understand what the paragraph, to this point, means.  But I had to
> read it several times to understand it because the way the concept is
> phrased clashed with my mental model.

Hi Frank,

I see where my explanation is confusing things.  I was talking about
two methods for marking a node as being a valid target for an overlay
(use a function or add a DT property).  I'll drop the idea of using a
DT property to enable a node for overlays and only focus on my
proposal of a function to enable nodes.

>
> The device node is not an instance of a driver, which is why I was
> getting confused.  (Yes, I do understand that the paragraph is talking
> about multiple device nodes that are bound to the same driver, but
> my mental model is tied to the device node, not to the driver.)
>
> If each of the device nodes in question is a connector, then each of
> the nodes will bind to a connector driver, based on the value of the
> compatible property.  (This is of course a theoretical assumption on
> my part since the connectors are not yet implemented.)
>
> If the connector node is an fpga, or an fpga region (I may be getting
> my terminology wrong here - please correct as needed) then an fpga
> overlay could be applied to the node.

We're still pre-connector currently, but yes I want to mark FPGA
regions as being valid targets.  Then I can use Pantelis' configfs
interface to apply overlays while leaving the rest of the DT locked
down.  That's the FPGA use of this patch in the pre-connector era of
things.

>
> If I understand what you are saying, there will be some fpga connector
> nodes for which the usage at a given moment might be programmed to
> function in a manner that will not be described by an overlay, but
> at a different moment in time may be programmed in a way that needs
> to be described by an overlay.  So there may be some times that it
> is valid to apply an overlay to the connector node and times that
> it is not valid to apply an overlay to the connector node.

I think connectors would likely always be valid targets (but I could
be wrong) and other nodes would not be valid targets.  The DT needs a
way to mark some nodes as valid targets, currently it doesn't have a
way of doing that.  Every connector driver's probe could use this code
to mark itself as a valid target.

>
> Is my understanding correct, or am I still confused?

Hope that helps, sorry for the muddled explanation earlier.

Alan

>
> -Frank
>
>> In that case the DT property provides some
>> granularity, only enabling overlays for specific instances of that
>> driver, leaving the rest of the DT locked down.>
>> If we only want one method, I would choose having the DT property only
>> and not exporting the functions.  Users would have to add the property
>> for every FPGA region but that's not really painful.  This would have
>> the benefit of still keeping the DT locked down unless someone
>> specifically wanted to enable some regions for overlays for their
>> particular use.
>>
>> Alan
>>
>

Re: [RFC 0/2] of: Add whitelist

[Frank Rowand]

On 12/05/17 11:33, Alan Tull wrote:
> On Thu, Nov 30, 2017 at 6:46 AM, Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> On 11/29/17 11:11, Alan Tull wrote:
>>> On Wed, Nov 29, 2017 at 7:31 AM, Rob Herring <robh+dt-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
>>>> On Wed, Nov 29, 2017 at 3:20 AM, Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>>>> On 11/27/17 15:58, Alan Tull wrote:
>>>>>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>>>>>
>>>>>> For an overlay to be accepted, all of its targets are required to be
>>>>>> on a target node whitelist.
>>>>>>
>>>>>> Currently the only way I have to get on the whitelist is calling a
>>>>>> function to add a node.  That works for fpga regions, but I think
>>>>>> other uses will need a way of having adding specific nodes from the
>>>>>> base device tree, such as by adding a property like 'allow-overlay;'
>>>>>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>>>>>> advice on where that particular code should go.
>>>>>>
>>>>>> Alan
>>>>>>
>>>>>> Alan Tull (2):
>>>>>>   of: overlay: add whitelist
>>>>>>   fpga: of region: add of-fpga-region to whitelist
>>>>>>
>>>>>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>>>>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>>>>>  include/linux/of.h            | 12 +++++++
>>>>>>  3 files changed, 94 insertions(+)
>>>>>>
>>>>>
>>>>> The plan was to use connectors to restrict where an overlay could be applied.
>>>>> I would prefer not to have multiple methods for accomplishing the same thing
>>>>> unless there is a compelling reason to do so.
>>>>
>>>> Connector nodes need a mechanism to enable themselves, too. I don't
>>>> think connector nodes are going to solve every usecase.
>>>>
>>>> Rob
>>>
>>> The two methods I'm suggesting are intended to handle different cases.
>>>   There will exist some drivers that by their nature will want every
>>> instance to be enabled for overlays, such as fpga regions.  The other
>>> case is where drivers could support overlays but that's not the
>>> widespread use for them.  So no need to enable every instance of that
>>> driver for overlays.
>>
>> I understand what the paragraph, to this point, means.  But I had to
>> read it several times to understand it because the way the concept is
>> phrased clashed with my mental model.
> 
> Hi Frank,
> 
> I see where my explanation is confusing things.  I was talking about
> two methods for marking a node as being a valid target for an overlay
> (use a function or add a DT property).  I'll drop the idea of using a
> DT property to enable a node for overlays and only focus on my
> proposal of a function to enable nodes.
> 
>>
>> The device node is not an instance of a driver, which is why I was
>> getting confused.  (Yes, I do understand that the paragraph is talking
>> about multiple device nodes that are bound to the same driver, but
>> my mental model is tied to the device node, not to the driver.)
>>
>> If each of the device nodes in question is a connector, then each of
>> the nodes will bind to a connector driver, based on the value of the
>> compatible property.  (This is of course a theoretical assumption on
>> my part since the connectors are not yet implemented.)
>>
>> If the connector node is an fpga, or an fpga region (I may be getting
>> my terminology wrong here - please correct as needed) then an fpga
>> overlay could be applied to the node.
> 
> We're still pre-connector currently, but yes I want to mark FPGA
> regions as being valid targets.  Then I can use Pantelis' configfs
> interface to apply overlays while leaving the rest of the DT locked
> down.  That's the FPGA use of this patch in the pre-connector era of
> things.
> 
>>
>> If I understand what you are saying, there will be some fpga connector
>> nodes for which the usage at a given moment might be programmed to
>> function in a manner that will not be described by an overlay, but
>> at a different moment in time may be programmed in a way that needs
>> to be described by an overlay.  So there may be some times that it
>> is valid to apply an overlay to the connector node and times that
>> it is not valid to apply an overlay to the connector node.
> 
> I think connectors would likely always be valid targets (but I could
> be wrong) and other nodes would not be valid targets.  The DT needs a
> way to mark some nodes as valid targets, currently it doesn't have a
> way of doing that.  Every connector driver's probe could use this code
> to mark itself as a valid target.
> 
>>
>> Is my understanding correct, or am I still confused?
> 
> Hope that helps, sorry for the muddled explanation earlier.

No need to be sorry, I always value what you have to say, and usually
become more educated from reading what you write.

We still seem to be talking at cross purposes.  It seems that the model
that you are describing is driver centric.  My model is node centric.

Once we figure out what the connector implementation and architecture
are, it might be the case that each connector node has a driver bound
to it, and that driver is able to tell the devicetree core code that
the node that it is bound to is a valid place to apply an overlay.

But I currently think that the core infrastructure code is what
should recognize that a connector node is a valid place to apply
an overlay.  It _might_ even be the case the the connector
architecture does not result in a driver being bound to the
connector node.

I would really prefer to get the connector architecture (and
maybe also the implementation) before deciding how to handle
the question of how to determine what nodes overlays can be
appplied to.


> 
> Alan
> 
>>
>> -Frank
>>
>>> In that case the DT property provides some
>>> granularity, only enabling overlays for specific instances of that
>>> driver, leaving the rest of the DT locked down.>
>>> If we only want one method, I would choose having the DT property only
>>> and not exporting the functions.  Users would have to add the property
>>> for every FPGA region but that's not really painful.  This would have
>>> the benefit of still keeping the DT locked down unless someone
>>> specifically wanted to enable some regions for overlays for their
>>> particular use.
>>>
>>> Alan
>>>
>>
> 

--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 0/2] of: Add whitelist

[Alan Tull]

On Wed, Dec 6, 2017 at 5:56 AM, Frank Rowand <frowand.list@gmail.com> wrote:
> On 12/05/17 11:33, Alan Tull wrote:
>> On Thu, Nov 30, 2017 at 6:46 AM, Frank Rowand <frowand.list@gmail.com> wrote:
>>> On 11/29/17 11:11, Alan Tull wrote:
>>>> On Wed, Nov 29, 2017 at 7:31 AM, Rob Herring <robh+dt@kernel.org> wrote:
>>>>> On Wed, Nov 29, 2017 at 3:20 AM, Frank Rowand <frowand.list@gmail.com> wrote:
>>>>>> On 11/27/17 15:58, Alan Tull wrote:
>>>>>>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>>>>>>
>>>>>>> For an overlay to be accepted, all of its targets are required to be
>>>>>>> on a target node whitelist.
>>>>>>>
>>>>>>> Currently the only way I have to get on the whitelist is calling a
>>>>>>> function to add a node.  That works for fpga regions, but I think
>>>>>>> other uses will need a way of having adding specific nodes from the
>>>>>>> base device tree, such as by adding a property like 'allow-overlay;'
>>>>>>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>>>>>>> advice on where that particular code should go.
>>>>>>>
>>>>>>> Alan
>>>>>>>
>>>>>>> Alan Tull (2):
>>>>>>>   of: overlay: add whitelist
>>>>>>>   fpga: of region: add of-fpga-region to whitelist
>>>>>>>
>>>>>>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>>>>>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>>>>>>  include/linux/of.h            | 12 +++++++
>>>>>>>  3 files changed, 94 insertions(+)
>>>>>>>
>>>>>>
>>>>>> The plan was to use connectors to restrict where an overlay could be applied.
>>>>>> I would prefer not to have multiple methods for accomplishing the same thing
>>>>>> unless there is a compelling reason to do so.
>>>>>
>>>>> Connector nodes need a mechanism to enable themselves, too. I don't
>>>>> think connector nodes are going to solve every usecase.
>>>>>
>>>>> Rob
>>>>
>>>> The two methods I'm suggesting are intended to handle different cases.
>>>>   There will exist some drivers that by their nature will want every
>>>> instance to be enabled for overlays, such as fpga regions.  The other
>>>> case is where drivers could support overlays but that's not the
>>>> widespread use for them.  So no need to enable every instance of that
>>>> driver for overlays.
>>>
>>> I understand what the paragraph, to this point, means.  But I had to
>>> read it several times to understand it because the way the concept is
>>> phrased clashed with my mental model.
>>
>> Hi Frank,
>>
>> I see where my explanation is confusing things.  I was talking about
>> two methods for marking a node as being a valid target for an overlay
>> (use a function or add a DT property).  I'll drop the idea of using a
>> DT property to enable a node for overlays and only focus on my
>> proposal of a function to enable nodes.
>>
>>>
>>> The device node is not an instance of a driver, which is why I was
>>> getting confused.  (Yes, I do understand that the paragraph is talking
>>> about multiple device nodes that are bound to the same driver, but
>>> my mental model is tied to the device node, not to the driver.)
>>>
>>> If each of the device nodes in question is a connector, then each of
>>> the nodes will bind to a connector driver, based on the value of the
>>> compatible property.  (This is of course a theoretical assumption on
>>> my part since the connectors are not yet implemented.)
>>>
>>> If the connector node is an fpga, or an fpga region (I may be getting
>>> my terminology wrong here - please correct as needed) then an fpga
>>> overlay could be applied to the node.
>>
>> We're still pre-connector currently, but yes I want to mark FPGA
>> regions as being valid targets.  Then I can use Pantelis' configfs
>> interface to apply overlays while leaving the rest of the DT locked
>> down.  That's the FPGA use of this patch in the pre-connector era of
>> things.
>>
>>>
>>> If I understand what you are saying, there will be some fpga connector
>>> nodes for which the usage at a given moment might be programmed to
>>> function in a manner that will not be described by an overlay, but
>>> at a different moment in time may be programmed in a way that needs
>>> to be described by an overlay.  So there may be some times that it
>>> is valid to apply an overlay to the connector node and times that
>>> it is not valid to apply an overlay to the connector node.
>>
>> I think connectors would likely always be valid targets (but I could
>> be wrong) and other nodes would not be valid targets.  The DT needs a
>> way to mark some nodes as valid targets, currently it doesn't have a
>> way of doing that.  Every connector driver's probe could use this code
>> to mark itself as a valid target.
>>
>>>
>>> Is my understanding correct, or am I still confused?
>>
>> Hope that helps, sorry for the muddled explanation earlier.
>
> No need to be sorry, I always value what you have to say, and usually
> become more educated from reading what you write.
>
> We still seem to be talking at cross purposes.  It seems that the model
> that you are describing is driver centric.  My model is node centric.
>
> Once we figure out what the connector implementation and architecture
> are, it might be the case that each connector node has a driver bound
> to it, and that driver is able to tell the devicetree core code that
> the node that it is bound to is a valid place to apply an overlay.
>
> But I currently think that the core infrastructure code is what
> should recognize that a connector node is a valid place to apply
> an overlay.  It _might_ even be the case the the connector
> architecture does not result in a driver being bound to the
> connector node.
>
> I would really prefer to get the connector architecture (and
> maybe also the implementation) before deciding how to handle
> the question of how to determine what nodes overlays can be
> appplied to.

Hi Frank,

I understand that you would want to wait until it is clear how
connectors will be implemented.  So this method may work for
connectors or may not depending on how that all pans out.   Thanks for
the discussion!

Alan

>
>
>>
>> Alan
>>
>>>
>>> -Frank
>>>
>>>> In that case the DT property provides some
>>>> granularity, only enabling overlays for specific instances of that
>>>> driver, leaving the rest of the DT locked down.>
>>>> If we only want one method, I would choose having the DT property only
>>>> and not exporting the functions.  Users would have to add the property
>>>> for every FPGA region but that's not really painful.  This would have
>>>> the benefit of still keeping the DT locked down unless someone
>>>> specifically wanted to enable some regions for overlays for their
>>>> particular use.
>>>>
>>>> Alan
>>>>
>>>
>>
>

Re: [RFC 0/2] of: Add whitelist

[Frank Rowand]

On 11/29/17 08:31, Rob Herring wrote:
> On Wed, Nov 29, 2017 at 3:20 AM, Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> On 11/27/17 15:58, Alan Tull wrote:
>>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>>
>>> For an overlay to be accepted, all of its targets are required to be
>>> on a target node whitelist.
>>>
>>> Currently the only way I have to get on the whitelist is calling a
>>> function to add a node.  That works for fpga regions, but I think
>>> other uses will need a way of having adding specific nodes from the
>>> base device tree, such as by adding a property like 'allow-overlay;'
>>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>>> advice on where that particular code should go.
>>>
>>> Alan
>>>
>>> Alan Tull (2):
>>>   of: overlay: add whitelist
>>>   fpga: of region: add of-fpga-region to whitelist
>>>
>>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>>  include/linux/of.h            | 12 +++++++
>>>  3 files changed, 94 insertions(+)
>>>
>>
>> The plan was to use connectors to restrict where an overlay could be applied.
>> I would prefer not to have multiple methods for accomplishing the same thing
>> unless there is a compelling reason to do so.
> 
> Connector nodes need a mechanism to enable themselves, too. I don't
> think connector nodes are going to solve every usecase.
> 
> Rob
> 

The overlay code related to connectors does not exist yet, so my comment
is going to be theoretical.

I would expect the overlay code to check that the target of the overlay
fragment is a connector node, so there is no need to explicitly "enable"
applying an overlay to a connector node.

-Frank
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 0/2] of: Add whitelist

[Alan Tull]

On Thu, Nov 30, 2017 at 6:18 AM, Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 11/29/17 08:31, Rob Herring wrote:
>> On Wed, Nov 29, 2017 at 3:20 AM, Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>> On 11/27/17 15:58, Alan Tull wrote:
>>>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>>>
>>>> For an overlay to be accepted, all of its targets are required to be
>>>> on a target node whitelist.
>>>>
>>>> Currently the only way I have to get on the whitelist is calling a
>>>> function to add a node.  That works for fpga regions, but I think
>>>> other uses will need a way of having adding specific nodes from the
>>>> base device tree, such as by adding a property like 'allow-overlay;'
>>>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>>>> advice on where that particular code should go.
>>>>
>>>> Alan
>>>>
>>>> Alan Tull (2):
>>>>   of: overlay: add whitelist
>>>>   fpga: of region: add of-fpga-region to whitelist
>>>>
>>>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>>>  include/linux/of.h            | 12 +++++++
>>>>  3 files changed, 94 insertions(+)
>>>>
>>>
>>> The plan was to use connectors to restrict where an overlay could be applied.
>>> I would prefer not to have multiple methods for accomplishing the same thing
>>> unless there is a compelling reason to do so.
>>
>> Connector nodes need a mechanism to enable themselves, too. I don't
>> think connector nodes are going to solve every usecase.
>>
>> Rob
>>
>
> The overlay code related to connectors does not exist yet, so my comment
> is going to be theoretical.
>
> I would expect the overlay code to check that the target of the overlay
> fragment is a connector node, so there is no need to explicitly "enable"
> applying an overlay to a connector node.

This will depend on how connectors are implemented.  My proposal in v1
is that device nodes can have a flag bit.  If its not set, then an
overlay that contains fragments that target that node can't be
applied.  There's probably other ways a connector node could be marked
as different from other nodes, but a flag bit seems simple.  The
advantage to this scheme is that it gives me something I can use while
connectors don't exist yet and it will still will be useful later for
the implementation of connectors (giving connector drivers a way of
marking their device nodes as valid targets).

>
> -Frank
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 0/2] of: Add whitelist

[Frank Rowand]

On 12/05/17 11:55, Alan Tull wrote:
> On Thu, Nov 30, 2017 at 6:18 AM, Frank Rowand <frowand.list@gmail.com> wrote:
>> On 11/29/17 08:31, Rob Herring wrote:
>>> On Wed, Nov 29, 2017 at 3:20 AM, Frank Rowand <frowand.list@gmail.com> wrote:
>>>> On 11/27/17 15:58, Alan Tull wrote:
>>>>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>>>>
>>>>> For an overlay to be accepted, all of its targets are required to be
>>>>> on a target node whitelist.
>>>>>
>>>>> Currently the only way I have to get on the whitelist is calling a
>>>>> function to add a node.  That works for fpga regions, but I think
>>>>> other uses will need a way of having adding specific nodes from the
>>>>> base device tree, such as by adding a property like 'allow-overlay;'
>>>>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>>>>> advice on where that particular code should go.
>>>>>
>>>>> Alan
>>>>>
>>>>> Alan Tull (2):
>>>>>   of: overlay: add whitelist
>>>>>   fpga: of region: add of-fpga-region to whitelist
>>>>>
>>>>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>>>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>>>>  include/linux/of.h            | 12 +++++++
>>>>>  3 files changed, 94 insertions(+)
>>>>>
>>>>
>>>> The plan was to use connectors to restrict where an overlay could be applied.
>>>> I would prefer not to have multiple methods for accomplishing the same thing
>>>> unless there is a compelling reason to do so.
>>>
>>> Connector nodes need a mechanism to enable themselves, too. I don't
>>> think connector nodes are going to solve every usecase.
>>>
>>> Rob
>>>
>>
>> The overlay code related to connectors does not exist yet, so my comment
>> is going to be theoretical.
>>
>> I would expect the overlay code to check that the target of the overlay
>> fragment is a connector node, so there is no need to explicitly "enable"
>> applying an overlay to a connector node.
> 
> This will depend on how connectors are implemented.  My proposal in v1
> is that device nodes can have a flag bit.  If its not set, then an
> overlay that contains fragments that target that node can't be
> applied.  There's probably other ways a connector node could be marked
> as different from other nodes, but a flag bit seems simple.  The
> advantage to this scheme is that it gives me something I can use while
> connectors don't exist yet and it will still will be useful later for
> the implementation of connectors (giving connector drivers a way of
> marking their device nodes as valid targets).

I think it is premature to add this code to the kernel when we don't
have an agreed upon architecture for what we are trying to achieve.


> 
>>
>> -Frank
> 

Re: [RFC 0/2] of: Add whitelist

[Frank Rowand]

On 11/29/17 04:20, Frank Rowand wrote:
> On 11/27/17 15:58, Alan Tull wrote:
>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>
>> For an overlay to be accepted, all of its targets are required to be
>> on a target node whitelist.
>>
>> Currently the only way I have to get on the whitelist is calling a
>> function to add a node.  That works for fpga regions, but I think
>> other uses will need a way of having adding specific nodes from the
>> base device tree, such as by adding a property like 'allow-overlay;'
>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>> advice on where that particular code should go.
>>
>> Alan
>>
>> Alan Tull (2):
>>   of: overlay: add whitelist
>>   fpga: of region: add of-fpga-region to whitelist
>>
>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>  include/linux/of.h            | 12 +++++++
>>  3 files changed, 94 insertions(+)
>>
> 
> The plan was to use connectors to restrict where an overlay could be applied.
> I would prefer not to have multiple methods for accomplishing the same thing
> unless there is a compelling reason to do so.

Going back one level in my thinking, I don't think that having a driver mark
a node as a location where an overlay fragment can be applied is serving a
useful purpose.  Any driver, including any driver loaded as a module,
could mark a node as ok.  I don't see how this is providing any meaningful
restriction on where an overlay fragment can be applied.

-Frank
--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC 0/2] of: Add whitelist

[Frank Rowand]

On 11/29/17 04:20, Frank Rowand wrote:
> On 11/27/17 15:58, Alan Tull wrote:
>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>
>> For an overlay to be accepted, all of its targets are required to be
>> on a target node whitelist.
>>
>> Currently the only way I have to get on the whitelist is calling a
>> function to add a node.  That works for fpga regions, but I think
>> other uses will need a way of having adding specific nodes from the
>> base device tree, such as by adding a property like 'allow-overlay;'
>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>> advice on where that particular code should go.
>>
>> Alan
>>
>> Alan Tull (2):
>>   of: overlay: add whitelist
>>   fpga: of region: add of-fpga-region to whitelist
>>
>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>  include/linux/of.h            | 12 +++++++
>>  3 files changed, 94 insertions(+)
>>
> 
> The plan was to use connectors to restrict where an overlay could be applied.
> I would prefer not to have multiple methods for accomplishing the same thing
> unless there is a compelling reason to do so.

Going back one level in my thinking, I don't think that having a driver mark
a node as a location where an overlay fragment can be applied is serving a
useful purpose.  Any driver, including any driver loaded as a module,
could mark a node as ok.  I don't see how this is providing any meaningful
restriction on where an overlay fragment can be applied.

-Frank

Re: [RFC 0/2] of: Add whitelist

[Rob Herring]

On Wed, Nov 29, 2017 at 4:47 PM, Frank Rowand <frowand.list@gmail.com> wrote:
> On 11/29/17 04:20, Frank Rowand wrote:
>> On 11/27/17 15:58, Alan Tull wrote:
>>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>>
>>> For an overlay to be accepted, all of its targets are required to be
>>> on a target node whitelist.
>>>
>>> Currently the only way I have to get on the whitelist is calling a
>>> function to add a node.  That works for fpga regions, but I think
>>> other uses will need a way of having adding specific nodes from the
>>> base device tree, such as by adding a property like 'allow-overlay;'
>>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>>> advice on where that particular code should go.
>>>
>>> Alan
>>>
>>> Alan Tull (2):
>>>   of: overlay: add whitelist
>>>   fpga: of region: add of-fpga-region to whitelist
>>>
>>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>>  include/linux/of.h            | 12 +++++++
>>>  3 files changed, 94 insertions(+)
>>>
>>
>> The plan was to use connectors to restrict where an overlay could be applied.
>> I would prefer not to have multiple methods for accomplishing the same thing
>> unless there is a compelling reason to do so.
>
> Going back one level in my thinking, I don't think that having a driver mark
> a node as a location where an overlay fragment can be applied is serving a
> useful purpose.  Any driver, including any driver loaded as a module,
> could mark a node as ok.  I don't see how this is providing any meaningful
> restriction on where an overlay fragment can be applied.

It serves to separate the setting of which nodes overlays can be
applied to and the mechanism to apply them (checking permissions). The
former can't be centralized and the latter can be. For example,
something in the kernel enables overlays on a node or nodes, then the
overlay is applied with configfs interface and no board specific code
involved.

My concern is not whether any kernel component can enable applying of
overlays, but userspace. If it is a kernel component, then it is
explicit. And an OOT kernel module doesn't count because there's no
ABI guarantee there.

I agree that this patch series alone is not all that useful with only
in kernel users. It is only really interesting when we have a
userspace interface. However, an implementation with a flag bit is so
little code, I'm fine taking it now and not having to update all in
kernel users when adding a userspace interface.

Rob

Re: [RFC 0/2] of: Add whitelist

[Frank Rowand]

On 11/30/17 09:39, Rob Herring wrote:
> On Wed, Nov 29, 2017 at 4:47 PM, Frank Rowand <frowand.list-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> On 11/29/17 04:20, Frank Rowand wrote:
>>> On 11/27/17 15:58, Alan Tull wrote:
>>>> Here's a proposal for a whitelist to lock down the dynamic device tree.
>>>>
>>>> For an overlay to be accepted, all of its targets are required to be
>>>> on a target node whitelist.
>>>>
>>>> Currently the only way I have to get on the whitelist is calling a
>>>> function to add a node.  That works for fpga regions, but I think
>>>> other uses will need a way of having adding specific nodes from the
>>>> base device tree, such as by adding a property like 'allow-overlay;'
>>>> or 'allow-overlay = "okay";' If that is acceptable, I could use some
>>>> advice on where that particular code should go.
>>>>
>>>> Alan
>>>>
>>>> Alan Tull (2):
>>>>   of: overlay: add whitelist
>>>>   fpga: of region: add of-fpga-region to whitelist
>>>>
>>>>  drivers/fpga/of-fpga-region.c |  9 ++++++
>>>>  drivers/of/overlay.c          | 73 +++++++++++++++++++++++++++++++++++++++++++
>>>>  include/linux/of.h            | 12 +++++++
>>>>  3 files changed, 94 insertions(+)
>>>>
>>>
>>> The plan was to use connectors to restrict where an overlay could be applied.
>>> I would prefer not to have multiple methods for accomplishing the same thing
>>> unless there is a compelling reason to do so.
>>
>> Going back one level in my thinking, I don't think that having a driver mark
>> a node as a location where an overlay fragment can be applied is serving a
>> useful purpose.  Any driver, including any driver loaded as a module,
>> could mark a node as ok.  I don't see how this is providing any meaningful
>> restriction on where an overlay fragment can be applied.
> 
> It serves to separate the setting of which nodes overlays can be
> applied to and the mechanism to apply them (checking permissions). The
> former can't be centralized

My expectation is that determining which nodes overlays can be applied
to can and _should_ be centralized, at least to begin with.  If we
loosen the restrictions on valid overlay application nodes then we
_might_ find that we have to provide additional non-centralized permission
granting.

I think that the core devicetree code is the place (for initial implementation)
that determining which nodes an overlay can be applied to.  My expectation
is that it will be implicitly obvious to the core devicetree code which
nodes are connector nodes.  Given that there have been several different
proposals for connector implementation, my expectation may be completely
wrong.  So I am sure I will revisit my expectations the actual
implementation of connectors arrives.

Since the architecture and implementation of connectors is still so
uncertain, I think it is premature to accept the changes proposed in
the patch set, and the next patch set that has been proposed in
response to the conversation in this thread.


> and the latter can be. For example,
> something in the kernel enables overlays on a node or nodes, then the
> overlay is applied with configfs interface and no board specific code
> involved.

I agree that the permission checking should not need to involve board
specific code.


> My concern is not whether any kernel component can enable applying of
> overlays, but userspace. If it is a kernel component, then it is
> explicit. And an OOT kernel module doesn't count because there's no
> ABI guarantee there.
> 
> I agree that this patch series alone is not all that useful with only
> in kernel users. It is only really interesting when we have a
> userspace interface. However, an implementation with a flag bit is so
> little code, I'm fine taking it now and not having to update all in
> kernel users when adding a userspace interface.

I think the concept of an API called by a driver, instead of the
devicetree core code determining which nodes an overlay can be
applied to is premature, since there is no direct need for it,
and given that it is little code it can easily be added when it
is needed, and we better understand how it will be used.

> 
> Rob
> 

--
To unsubscribe from this list: send the line "unsubscribe devicetree" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html