From: Hans de Goede <hdegoede@redhat.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v2] ARM: bootm: Allow booting in secure mode on hyp capable systems
Date: Thu, 23 Oct 2014 11:37:19 +0200 [thread overview]
Message-ID: <5448CC4F.6060901@redhat.com> (raw)
In-Reply-To: <1414056656.19198.26.camel@hellion.org.uk>
Hi,
On 10/23/2014 11:30 AM, Ian Campbell wrote:
> On Thu, 2014-10-23 at 10:22 +0200, Hans de Goede wrote:
>> Hi Ian,
>>
>> On 10/22/2014 08:55 PM, Ian Campbell wrote:
>>> On Wed, 2014-10-22 at 15:45 +0200, Hans de Goede wrote:
>>>> if (!fake) {
>>>> #if defined(CONFIG_ARMV7_NONSEC) || defined(CONFIG_ARMV7_VIRT)
>>>> - armv7_init_nonsec();
>>>> - secure_ram_addr(_do_nonsec_entry)(kernel_entry,
>>>> - 0, machid, r2);
>>>> -#else
>>>> - kernel_entry(0, machid, r2);
>>>> + if (boot_nonsec()) {
>>>> + armv7_init_nonsec();
>>>> + secure_ram_addr(_do_nonsec_entry)(kernel_entry,
>>>> + 0, machid, r2);
>>>> + }
>>>> #endif
>>>> + kernel_entry(0, machid, r2);
>>>
>>> There's a subtle different here, which is that this final kernel_entry
>>> call used to be in the #else clause, and so emitted for the NONSEC ||
>>> VIRT case. So if the _do_nonsec_entry call were to fail (not currently
>>> possible) and return you'd end up trying again via the sec path.
>>>
>>> I'm not sure that's a bad thing, but it is a difference so it'd be good
>>> to know it was a deliberate choice (or not).
>>
>> I was under the assumption that do_nonsec_entry would never fail, and would
>> not return, which is why I wrote this code the way I wrote it.
>
> AFAICT in practice it can't fail today, but if it were somehow modified
> in the future to do so this would expose some slightly surprising
> behaviour.
>
>> I'm not sure
>> if retrying in secure mode meets the principle of least surprise, so I guess
>> the #if .. #endif block should probably get an "else" added before the #endif,
>> do you agree?
>
> Yes.
>
> BTW, if you put the #ifdef around boot_nonsec() instead and make the
> #else case #define boot_nonsec() (0) then does that end up looking
> cleaner here at the caller? Maybe that causes knockons with the
> prototypes for the unused functions in that case, in which case I doubt
> it is worth it.
The problem there is that do_nonsec_entry is not defined in that case, so
we really need an #ifdef there.
Regards,
Hans
prev parent reply other threads:[~2014-10-23 9:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-22 13:45 [U-Boot] [PATCH v2] ARM: bootm: Allow booting in secure mode on hyp capable systems Hans de Goede
2014-10-22 18:55 ` Ian Campbell
2014-10-23 8:22 ` Hans de Goede
2014-10-23 9:30 ` Ian Campbell
2014-10-23 9:37 ` Hans de Goede [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5448CC4F.6060901@redhat.com \
--to=hdegoede@redhat.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox