Xen project Mailing List

Re: [PATCH v1 3/5] xen/arm: platforms: Add NXP S32CC platform code

To: Andrei Cherechesu <andrei.cherechesu@xxxxxxxxxxx>

From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>

Date: Thu, 12 Sep 2024 06:46:14 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=arm.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none

Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cGFUlgp5aeB02UooOTDR1oOsQaKtMODKc3eycQxhWao=; b=TskfqZwzOZtDadsrHLuNv1+g+YbKb8sZ//Q1PkMutH9gNxc0ZBKnJT20YshpIKArVtAmTDdKQiFEKe/UFLc5NkDJ5dJ2M9xVZOYr9AQ8dkyFrHCkONBgaxC4QQobb9KUCID3EQ6QAOiByuPw340lhy6x/tcdH2HTcvlV3LaLiuhHlKcz4FLSZXmmowImOzvKPZ/sDZ6xYWXcaxOKV9R0V+aqF3x/4NjrNizJPTtTKnP7hPxoU5+T3FuguNeb+kFAreiX36k178Qi/5RtSU2y4YgWODTO4URVli1tYW1Kr7CLVu6GcgRYNez+VW5kLFIpIIS3hxU+fJpXQU9vbybToQ==

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cGFUlgp5aeB02UooOTDR1oOsQaKtMODKc3eycQxhWao=; b=LI5ey0mYQGef2aeDbDieSaN//i2ZTfRirOW85N3Y7nWRkxCFmidKy1EVcmuXO1ljJrGQTyrxk2CKRoVgihr9Uy3Q0Lt8cyvnxLAom2aCyQbnrg7w1Lvmp9DP/QlxFOEPBS+vjDXQc2vSCHnTNScRSnnPL6eo8a5xJuwrpmhCSKZQaZnOR3hVAM0y84tnAQIDswp64ptj6KdYPUwghTBuFQKjTpwmfByCcCBxbkmDCePO5t80XQI1SU1DUROtqHry/5J8MK5VoOK4Vq+fPrnvAlsAVfjMPmnoyHYbkP3nCmGb6RwT4131hWHfpx9EPlGt0otRyGlDLjqst4CinavJyg==

Arc-seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=NisGigYWN4DP3Dt/466eP79go8Gy6Sresa936kwoCxNrwSKskTics/ZuLuBb0R1mHYl2BQdM94kh6CtMqxhFO2LxXTlHhb64XzBKvohWj117G7bUezml3vvIirZ9jRHJHn584UIhuUTQGhEZj2IX+25We5s1kGGF9ah5Wmd6XDGStx1tXACJOgIToVNZKgMJu9zxvnf2Wc5x2QHXVrijD7noEtsRL20dVFspvpzN/oPtp4a0WMVRBEZQ2FL2AQFWDFUhHwAfd2V3QRX0JpRlgU/ulObkPVq1uh82P8QTVdb9enuzRAPzNLoE2r26KPYRD94npUdyjw/qtywdXHOjzQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ggGibXEVrAujEzS1ZC9GwGazpOeZ7AMn8fFKrdCAz+xnVJzyQ3qo1UEr0wQg0r0dcb2dWEpFSUJEi48tSMkvVzmwNuNbb5f9gUM+K3S9igbtmyySOtopUV6FnWi/hwhcNEK6mFqyqtimEvrq2hIeb5o2Gf2e89Teu4RP2MNIkn2T+bGFcTguWl5NwOGakI8saM1yi0FJGsE3CJTe/sGgJ9UqA7QqbZFQOh/dpMJCt5Pga6BWVaFhgRNJEWYlBgQl/NRcgxEBolFxfxkZbpoQIVCk1ODZiB2sRKQfgWnxRLIRjxloOgvm4qUTt4uoAAT7DJAvSNPz/FDGtEAAcd0ZPw==

Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "S32@xxxxxxx" <S32@xxxxxxx>, Andrei Cherechesu <andrei.cherechesu@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

Delivery-date: Thu, 12 Sep 2024 06:47:51 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Nodisclaimer: true

Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;

Thread-index: AQHbA46dlEAxnG1h+0mUvBXT+IC3wbJRlCCAgAB5N4CAAQgmgIAAokSA

Thread-topic: [PATCH v1 3/5] xen/arm: platforms: Add NXP S32CC platform code

Hi Andrei, > On 11 Sep 2024, at 23:05, Andrei Cherechesu <andrei.cherechesu@xxxxxxxxxxx> > wrote: > > Hi Julien, Stefano, > On 11/09/2024 08:19, Stefano Stabellini wrote: >> On Tue, 10 Sep 2024, Julien Grall wrote: >> >>> Hi, >>> >>> On 10/09/2024 15:34, Andrei Cherechesu (OSS) wrote: >>> >>>> From: Andrei Cherechesu <andrei.cherechesu@xxxxxxx> >>>> >>>> Added support for NXP S32CC platforms (S32G2, S32G3, S32R45), >>>> which need SCMI over SMC calls forwarded to the firmware >>>> running at EL3 (TF-A). Linux relies on the SCMI Platform >>>> for system services such as clocking, reset, etc. >>>> >>> Is it SMCI as in the Arm spec? If so, this should not be platform specific. > Yes, it is SCMI as defined by Arm. I agree it shouldn't be platform specific. >> >>> >>> Furthermore, I was under the impression that we can't blindly forward >>> everything from a domain to the firmware. While it might be okayish for >>> dom0, >>> you also seem to give access to all the domains on the system is it >>> intended? > In our case, only Dom0 has access to the SCMI mailbox. Hence, the other > unprivileged domains are not aware of SCMI and do not make any SCMI requests > to FW. >> >>> >>> Anyway, there is a series on the ML to add a mediator for SCMI in Xen (see >>> [1]). I think it would be preferable to focus on getting it merged as it >>> would >>> >>> benefit everyone and increase the security posture (we could restrict >>> access). > I also asked a few months ago on the ML in a virtio related thread if there > are any updates regarding > SCMI awareness for Xen and guests, then Stefano CCed Bertrand, but he did not > comment [0]. > I'm curious why the SCMI mediator patch series did not progress. > [0] > https://lore.kernel.org/xen-devel/alpine.DEB.2.22.394.2401111627360.3675@ubuntu-linux-20-04-desktop/ Sorry it seems i missed that one. There are several initiatives ongoing to investigate the global problem of clock handling and more specifically SCMI "sharing". The SCMI protocol contains some features to have virtual channels and the question is how to make a transport that is hypervisor agnostic to prevent to require the hypervisors to have to "decode" SCMI messages. Virtio-scmi is not really used for clock management per say at the moment and more specifically I do not think it is a good solution to manage clocks of non virtio devices. In Soafee and in Linaro people are looking at using FF-A as a tansport for SCMI. The idea would be that the hypervisor is configuring the virtual SCMI channels using FF-A as a transport and then VMs are using FF-A to communicate with an SCMI server (probably sitting in secure world, at least as a proxy). This is an investigation for now. Requiring Xen to act as a mediator is also a solution but might require a lot of platform specific code which i think we should prevent. For now having a solution in Xen where SCMI calls through SMC are only allowed by Dom0 is the only short term solution I think. Cheers Bertrand >> >> Hi Andrei, Julien, >> >> SCMI is very flexible and can be configured in a number of ways. In >> general, Julien has a point that typically forwarding to firmware all >> SCMI requests from Xen domains is not the desired behavior. >> >> An an example, imagine the case where device1 is assigned to domain1 and >> device2 is assigned to domain2. Now imagine that they both share a >> clock. Domain1 and domain2 could fight over the clock frequency settings >> using SCMI to change it, without being aware of each other activities. >> It is likely that the system would malfunction. > I completely agree and we are aware of the possible resource contention. > Another (simpler?) scenario where access control is needed, besides the one > you described, is when Domain1 would directly try to perform some requests > for some resources that affect Device2 (owned by Domain2). If Domain1 knows > the clock IDs used by Device2, for example, without any access control it > could perform a SCMI clock request affecting Device2's clocks, which should > be out of his control. >> >> If this kind of situations can happen on NXP S32CC platforms, then this >> patch might not be a good idea. As Julien suggested, you might want to >> have a look at Oleksii's approach. We could probably allow Dom0 to make >> all SCMI calls. If you think that is OK, you need to add a >> (is_hardware_domain(d)) check. >> On the other hand, if your SCMI server implementation has a way to >> prevent possible harmful activities from happening, or maybe all clocks >> are fixed-clocks so there are actually no SCMI operations to control the >> clocks, then it could be possible that this patch might be fine. I admit >> it is unlikely because there is a number of ways SCMI could be used by >> one domain to hurt another domain. >> >> Can you please give us a brief overview on how SCMI is expected to work >> on NXP S32CC? > Well, we normally rely on most SCMI protocols to access system-level > resources from agents: Base, Power Domain, System Power, Performance Domain, > Clock, Reset Domain. Linux jumps to EL3 via SMC carrying an SCMI message, and > FW running at EL3 decides how to handle it. Basically, Linux cannot directly > control most system-level resources. > > With Xen, we currently don't allow unprivileged Domains to do SCMI requests. > The SMCs are of course trapped at EL2 and that's why we enabled forwarding to > EL3 without any access control, knowing it shouldn't break anything, and to > let everything function as normal. In some passthrough scenarios the > unprivileged domains rely on settings already made by firmware (for clocks, > pins, etc) that their assigned devices require, and in DT we replace them > with e.g. fixed-clock for clocks. > > An "is_hardware_domain(d)" check should be enough for the moment to harden > the code, but I agree that this should not be something platform-specific in > the future, and the handling must be done in a generic way. > So I would proceed with this approach for this patch series, if that's ok for > you, and I will also take a look at Oleksii's approach. > > Regards, > Andrei C > > > >

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.