Introduce a flag for restricted memory, meaning memory that is protected by
the TEE or a hypervisor and is therefore inaccessible to the kernel.
Currently we don't use sg_dma_unmark_restricted, thus this interface
has not been added.
Signed-off-by: Yong Wu <yong.wu@mediatek.com>
---
include/linux/scatterlist.h | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h
index 77df3d7b18a6..a6ad9018eca0 100644
--- a/include/linux/scatterlist.h
+++ b/include/linux/scatterlist.h
@@ -282,6 +282,7 @@ static inline void sg_unmark_end(struct scatterlist *sg)
#define SG_DMA_BUS_ADDRESS (1 << 0)
#define SG_DMA_SWIOTLB (1 << 1)
+#define SG_DMA_RESTRICTED (2 << 1)
/**
* sg_dma_is_bus_address - Return whether a given segment was marked
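Review bot: `SG_DMA_RESTRICTED` is added without a comment saying what the bit means or who is allowed to set it, which matters because a consumer will presumably use it to decide whether the CPU may touch the memory. A one-line comment beside the define would do, for example `/* memory is protected by the TEE or hypervisor; not accessible to the kernel */`. It should also say whether the bit is advisory only, since nothing visible in this patch enforces it.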
@@ -352,6 +353,31 @@ static inline void sg_dma_mark_swiotlb(struct scatterlist *sg)
sg->dma_flags |= SG_DMA_SWIOTLB;
}
+/**
+ * sg_dma_mark_restricted - Mark the scatterlist for restricted buffer.
+ * @sg: SG entry
+ *
+ * Description:
+ * Marks a a scatterlist for the restricted buffer that may be inaccessiable
+ * in kernel if it is protected.
+ */
+static inline void sg_dma_mark_restricted(struct scatterlist *sg)
+{
+ sg->dma_flags |= SG_DMA_RESTRICTED;
+}
+
+/**
+ * sg_dma_is_restricted - Return whether the scatterlist was marked as restricted
+ * buffer.
+ * @sg: SG entry
+ *
+ * Description:
+ * Returns true if the scatterlist was marked as restricted buffer.
+ */
+static inline bool sg_dma_is_restricted(struct scatterlist *sg)
+{
+ return sg->dma_flags & SG_DMA_RESTRICTED;
+}
#else
static inline bool sg_dma_is_bus_address(struct scatterlist *sg)
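Review bot: The kernel-doc for `sg_dma_mark_restricted()` says it marks "a scatterlist", but the body sets the bit only on the single entry passed in (`sg->dma_flags |= SG_DMA_RESTRICTED;`). A table with several entries therefore needs every entry marked, or `sg_dma_is_restricted()` on a later entry returns false for protected memory. I would reword the description to `Marks a single scatterlist entry as backing a restricted buffer; the caller must mark every entry of the table.`, which also fixes the "a a" and "inaccessiable" typos. Because no unmark helper is added, the doc should also say when the bit is cleared; if these entries can be reused, a stale flag would presumably carry over.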
@@ -372,6 +398,14 @@ static inline void sg_dma_mark_swiotlb(struct scatterlist *sg)
{
}
+static inline bool sg_dma_is_restricted(struct scatterlist *sg)
+{
+ return false;
+}
+
+static inline void sg_dma_mark_restrited(struct scatterlist *sg)
+{
+}
#endif /* CONFIG_NEED_SG_DMA_FLAGS */
/**
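Review bot: The stub in the `#else` branch is spelled `sg_dma_mark_restrited`, so with CONFIG_NEED_SG_DMA_FLAGS disabled there is no `sg_dma_mark_restricted()` at all and any caller fails to build; the line should read `static inline void sg_dma_mark_restricted(struct scatterlist *sg)`. Separately, the `sg_dma_is_restricted()` stub returns false unconditionally, so on such a configuration a consumer that picks its secure path from this helper would treat a protected buffer as ordinary memory. If the flag is meant to drive that decision, the feature should depend on or select CONFIG_NEED_SG_DMA_FLAGS rather than degrade silently. The `#else` block begins outside this hunk.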
--
2.25.1
Il 15/05/24 13:23, Yong Wu ha scritto: > Introduce a FLAG for the restricted memory which means the memory is > protected by TEE or hypervisor, then it's inaccessiable for kernel. > > Currently we don't use sg_dma_unmark_restricted, thus this interface > has not been added. > > Signed-off-by: Yong Wu <yong.wu@mediatek.com> > --- > include/linux/scatterlist.h | 34 ++++++++++++++++++++++++++++++++++ > 1 file changed, 34 insertions(+) > > diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h > index 77df3d7b18a6..a6ad9018eca0 100644 > --- a/include/linux/scatterlist.h > +++ b/include/linux/scatterlist.h > @@ -282,6 +282,7 @@ static inline void sg_unmark_end(struct scatterlist *sg) > > #define SG_DMA_BUS_ADDRESS (1 << 0) > #define SG_DMA_SWIOTLB (1 << 1) > +#define SG_DMA_RESTRICTED (2 << 1) I think you wanted to write (1 << 2) here :-) Cheers, Angelo > > /** > * sg_dma_is_bus_address - Return whether a given segment was marked > @@ -352,6 +353,31 @@ static inline void sg_dma_mark_swiotlb(struct scatterlist *sg) > sg->dma_flags |= SG_DMA_SWIOTLB; > } > > +/** > + * sg_dma_mark_restricted - Mark the scatterlist for restricted buffer. > + * @sg: SG entry > + * > + * Description: > + * Marks a a scatterlist for the restricted buffer that may be inaccessiable > + * in kernel if it is protected. > + */ > +static inline void sg_dma_mark_restricted(struct scatterlist *sg) > +{ > + sg->dma_flags |= SG_DMA_RESTRICTED; > +} > + > +/** > + * sg_dma_is_restricted - Return whether the scatterlist was marked as restricted > + * buffer. > + * @sg: SG entry > + * > + * Description: > + * Returns true if the scatterlist was marked as restricted buffer. > + */ > +static inline bool sg_dma_is_restricted(struct scatterlist *sg) > +{ > + return sg->dma_flags & SG_DMA_RESTRICTED; > +} > #else > > static inline bool sg_dma_is_bus_address(struct scatterlist *sg) 
> @@ -372,6 +398,14 @@ static inline void sg_dma_mark_swiotlb(struct scatterlist *sg) > { > } > > +static inline bool sg_dma_is_restricted(struct scatterlist *sg) > +{ > + return false; > +} > + > +static inline void sg_dma_mark_restrited(struct scatterlist *sg) > +{ > +} > #endif /* CONFIG_NEED_SG_DMA_FLAGS */ > > /**
On Thu, 2024-05-16 at 11:59 +0200, AngeloGioacchino Del Regno wrote: > Il 15/05/24 13:23, Yong Wu ha scritto: > > Introduce a FLAG for the restricted memory which means the memory > > is > > protected by TEE or hypervisor, then it's inaccessiable for kernel. > > > > Currently we don't use sg_dma_unmark_restricted, thus this > > interface > > has not been added. > > > > Signed-off-by: Yong Wu <yong.wu@mediatek.com> > > --- > > include/linux/scatterlist.h | 34 > > ++++++++++++++++++++++++++++++++++ > > 1 file changed, 34 insertions(+) > > > > diff --git a/include/linux/scatterlist.h > > b/include/linux/scatterlist.h > > index 77df3d7b18a6..a6ad9018eca0 100644 > > --- a/include/linux/scatterlist.h > > +++ b/include/linux/scatterlist.h > > @@ -282,6 +282,7 @@ static inline void sg_unmark_end(struct > > scatterlist *sg) > > > > #define SG_DMA_BUS_ADDRESS (1 << 0) > > #define SG_DMA_SWIOTLB (1 << 1) > > +#define SG_DMA_RESTRICTED (2 << 1) > > I think you wanted to write (1 << 2) here :-) Apparently, you are right:) Thanks. > > Cheers, > Angelo
Am 15.05.24 um 13:23 schrieb Yong Wu: > Introduce a FLAG for the restricted memory which means the memory is > protected by TEE or hypervisor, then it's inaccessiable for kernel. > > Currently we don't use sg_dma_unmark_restricted, thus this interface > has not been added. Why should that be part of the scatterlist? It doesn't seem to affect any of it's functionality. As far as I can see the scatterlist shouldn't be the transport of this kind of information. Regards, Christian. > > Signed-off-by: Yong Wu <yong.wu@mediatek.com> > --- > include/linux/scatterlist.h | 34 ++++++++++++++++++++++++++++++++++ > 1 file changed, 34 insertions(+) > > diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h > index 77df3d7b18a6..a6ad9018eca0 100644 > --- a/include/linux/scatterlist.h > +++ b/include/linux/scatterlist.h > @@ -282,6 +282,7 @@ static inline void sg_unmark_end(struct scatterlist *sg) > > #define SG_DMA_BUS_ADDRESS (1 << 0) > #define SG_DMA_SWIOTLB (1 << 1) > +#define SG_DMA_RESTRICTED (2 << 1) > > /** > * sg_dma_is_bus_address - Return whether a given segment was marked 
> @@ -352,6 +353,31 @@ static inline void sg_dma_mark_swiotlb(struct scatterlist *sg) > sg->dma_flags |= SG_DMA_SWIOTLB; > } > > +/** > + * sg_dma_mark_restricted - Mark the scatterlist for restricted buffer. > + * @sg: SG entry > + * > + * Description: > + * Marks a a scatterlist for the restricted buffer that may be inaccessiable > + * in kernel if it is protected. > + */ > +static inline void sg_dma_mark_restricted(struct scatterlist *sg) > +{ > + sg->dma_flags |= SG_DMA_RESTRICTED; > +} > + > +/** > + * sg_dma_is_restricted - Return whether the scatterlist was marked as restricted > + * buffer. > + * @sg: SG entry > + * > + * Description: > + * Returns true if the scatterlist was marked as restricted buffer. > + */ > +static inline bool sg_dma_is_restricted(struct scatterlist *sg) > +{ > + return sg->dma_flags & SG_DMA_RESTRICTED; > +} > #else > > static inline bool sg_dma_is_bus_address(struct scatterlist *sg) > @@ -372,6 +398,14 @@ static inline void sg_dma_mark_swiotlb(struct scatterlist *sg) > { > } > > +static inline bool sg_dma_is_restricted(struct scatterlist *sg) > +{ > + return false; > +} > + > +static inline void sg_dma_mark_restrited(struct scatterlist *sg) > +{ > +} > #endif /* CONFIG_NEED_SG_DMA_FLAGS */ > > /**
On Thu, 2024-05-16 at 10:17 +0200, Christian König wrote: > > External email : Please do not click links or open attachments until > you have verified the sender or the content. > Am 15.05.24 um 13:23 schrieb Yong Wu: > > Introduce a FLAG for the restricted memory which means the memory > is > > protected by TEE or hypervisor, then it's inaccessiable for kernel. > > > > Currently we don't use sg_dma_unmark_restricted, thus this > interface > > has not been added. > > Why should that be part of the scatterlist? It doesn't seem to > affect > any of it's functionality. > > As far as I can see the scatterlist shouldn't be the transport of > this > kind of information. Thanks for the review. I will remove this. In our user scenario, DRM will import these buffers and check if this is a restricted buffer. If yes, it will use secure GCE takes over. If this judgment is not suitable to be placed in scatterlist. I don't know if it is ok to limit this inside dma-buf. Adding such an interface: static bool dma_buf_is_restricted(struct dma_buf *dmabuf) { return !strncmp(dmabuf->exp_name, "restricted", 10); } Thanks. > > Regards, > Christian. > > > > > Signed-off-by: Yong Wu <yong.wu@mediatek.com> > > --- > > include/linux/scatterlist.h | 34 > ++++++++++++++++++++++++++++++++++ > > 1 file changed, 34 insertions(+) > > > > diff --git a/include/linux/scatterlist.h > b/include/linux/scatterlist.h > > index 77df3d7b18a6..a6ad9018eca0 100644 > > --- a/include/linux/scatterlist.h > > +++ b/include/linux/scatterlist.h > > @@ -282,6 +282,7 @@ static inline void sg_unmark_end(struct > scatterlist *sg) > > > > #define SG_DMA_BUS_ADDRESS(1 << 0) > > #define SG_DMA_SWIOTLB(1 << 1) > > +#define SG_DMA_RESTRICTED(2 << 1) > > > > /** > > * sg_dma_is_bus_address - Return whether a given segment was > marked 
> > @@ -352,6 +353,31 @@ static inline void sg_dma_mark_swiotlb(struct > scatterlist *sg) > > sg->dma_flags |= SG_DMA_SWIOTLB; > > } > > > > +/** > > + * sg_dma_mark_restricted - Mark the scatterlist for restricted > buffer. > > + * @sg:SG entry > > + * > > + * Description: > > + * Marks a a scatterlist for the restricted buffer that may be > inaccessiable > > + * in kernel if it is protected. > > + */ > > +static inline void sg_dma_mark_restricted(struct scatterlist *sg) > > +{ > > +sg->dma_flags |= SG_DMA_RESTRICTED; > > +} > > + > > +/** > > + * sg_dma_is_restricted - Return whether the scatterlist was > marked as restricted > > + * buffer. > > + * @sg:SG entry > > + * > > + * Description: > > + * Returns true if the scatterlist was marked as restricted > buffer. > > + */ > > +static inline bool sg_dma_is_restricted(struct scatterlist *sg) > > +{ > > +return sg->dma_flags & SG_DMA_RESTRICTED; > > +} > > #else > > > > static inline bool sg_dma_is_bus_address(struct scatterlist *sg) > > @@ -372,6 +398,14 @@ static inline void sg_dma_mark_swiotlb(struct > scatterlist *sg) > > { > > } > > > > +static inline bool sg_dma_is_restricted(struct scatterlist *sg) > > +{ > > +return false; > > +} > > + > > +static inline void sg_dma_mark_restrited(struct scatterlist *sg) > > +{ > > +} > > #endif/* CONFIG_NEED_SG_DMA_FLAGS */ > > > > /** > >
Am 20.05.24 um 09:58 schrieb Yong Wu (吴勇): > On Thu, 2024-05-16 at 10:17 +0200, Christian König wrote: >> >> External email : Please do not click links or open attachments until >> you have verified the sender or the content. >> Am 15.05.24 um 13:23 schrieb Yong Wu: >>> Introduce a FLAG for the restricted memory which means the memory >> is >>> protected by TEE or hypervisor, then it's inaccessiable for kernel. >>> >>> Currently we don't use sg_dma_unmark_restricted, thus this >> interface >>> has not been added. >> Why should that be part of the scatterlist? It doesn't seem to >> affect >> any of it's functionality. >> >> As far as I can see the scatterlist shouldn't be the transport of >> this >> kind of information. > Thanks for the review. I will remove this. > > In our user scenario, DRM will import these buffers and check if this > is a restricted buffer. If yes, it will use secure GCE takes over. > > If this judgment is not suitable to be placed in scatterlist. I don't > know if it is ok to limit this inside dma-buf. Adding such an > interface: > > static bool dma_buf_is_restricted(struct dma_buf *dmabuf) > { > return !strncmp(dmabuf->exp_name, "restricted", 10); > } No, usually stuff like that doesn't belong into DMA buf either. Question here really is who controls the security status of the memory backing the buffer? In other words who tells the exporter that it should allocate and fill a buffer with encrypted data? If that is userspace then that is part of the format information and it is also userspace who should tell the importer that it needs to work with encrypted data. The kernel is intentionally not involved in stuff like that. Regards, Christian. > > Thanks. > >> Regards, >> Christian. >> >>> Signed-off-by: Yong Wu <yong.wu@mediatek.com> >>> --- >>> include/linux/scatterlist.h | 34 >> ++++++++++++++++++++++++++++++++++ >>> 1 file changed, 34 insertions(+) 
>>> >>> diff --git a/include/linux/scatterlist.h >> b/include/linux/scatterlist.h >>> index 77df3d7b18a6..a6ad9018eca0 100644 >>> --- a/include/linux/scatterlist.h >>> +++ b/include/linux/scatterlist.h >>> @@ -282,6 +282,7 @@ static inline void sg_unmark_end(struct >> scatterlist *sg) >>> >>> #define SG_DMA_BUS_ADDRESS(1 << 0) >>> #define SG_DMA_SWIOTLB(1 << 1) >>> +#define SG_DMA_RESTRICTED(2 << 1) >>> >>> /** >>> * sg_dma_is_bus_address - Return whether a given segment was >> marked >>> @@ -352,6 +353,31 @@ static inline void sg_dma_mark_swiotlb(struct >> scatterlist *sg) >>> sg->dma_flags |= SG_DMA_SWIOTLB; >>> } >>> >>> +/** >>> + * sg_dma_mark_restricted - Mark the scatterlist for restricted >> buffer. >>> + * @sg:SG entry >>> + * >>> + * Description: >>> + * Marks a a scatterlist for the restricted buffer that may be >> inaccessiable >>> + * in kernel if it is protected. >>> + */ >>> +static inline void sg_dma_mark_restricted(struct scatterlist *sg) >>> +{ >>> +sg->dma_flags |= SG_DMA_RESTRICTED; >>> +} >>> + >>> +/** >>> + * sg_dma_is_restricted - Return whether the scatterlist was >> marked as restricted >>> + * buffer. >>> + * @sg:SG entry >>> + * >>> + * Description: >>> + * Returns true if the scatterlist was marked as restricted >> buffer. >>> + */ >>> +static inline bool sg_dma_is_restricted(struct scatterlist *sg) >>> +{ >>> +return sg->dma_flags & SG_DMA_RESTRICTED; >>> +} >>> #else >>> >>> static inline bool sg_dma_is_bus_address(struct scatterlist *sg) >>> @@ -372,6 +398,14 @@ static inline void sg_dma_mark_swiotlb(struct >> scatterlist *sg) >>> { >>> } >>> >>> +static inline bool sg_dma_is_restricted(struct scatterlist *sg) >>> +{ >>> +return false; >>> +} >>> + >>> +static inline void sg_dma_mark_restrited(struct scatterlist *sg) >>> +{ >>> +} >>> #endif/* CONFIG_NEED_SG_DMA_FLAGS */ >>> >>> /** >>
Hi Christian, On Tue, 2024-05-21 at 20:36 +0200, Christian König wrote: > Am 20.05.24 um 09:58 schrieb Yong Wu (吴勇): > > On Thu, 2024-05-16 at 10:17 +0200, Christian König wrote: > > > > > > External email : Please do not click links or open attachments > > > until > > > you have verified the sender or the content. > > > Am 15.05.24 um 13:23 schrieb Yong Wu: > > > > Introduce a FLAG for the restricted memory which means the > > > > memory > > > > > > is > > > > protected by TEE or hypervisor, then it's inaccessiable for > > > > kernel. > > > > > > > > Currently we don't use sg_dma_unmark_restricted, thus this > > > > > > interface > > > > has not been added. > > > > > > Why should that be part of the scatterlist? It doesn't seem to > > > affect > > > any of it's functionality. > > > > > > As far as I can see the scatterlist shouldn't be the transport of > > > this > > > kind of information. > > > > Thanks for the review. I will remove this. > > > > In our user scenario, DRM will import these buffers and check if > > this > > is a restricted buffer. If yes, it will use secure GCE takes over. > > > > If this judgment is not suitable to be placed in scatterlist. I > > don't > > know if it is ok to limit this inside dma-buf. Adding such an > > interface: > > > > static bool dma_buf_is_restricted(struct dma_buf *dmabuf) > > { > > return !strncmp(dmabuf->exp_name, "restricted", 10); > > } > > No, usually stuff like that doesn't belong into DMA buf either. > > Question here really is who controls the security status of the > memory > backing the buffer? > > In other words who tells the exporter that it should allocate and > fill a > buffer with encrypted data? > > If that is userspace then that is part of the format information and > it > is also userspace who should tell the importer that it needs to work > with encrypted data. > > The kernel is intentionally not involved in stuff like that. 
> Here is the expected protected content buffer flow in DRM: 1) userspace allocates a dma-buf FD from the "restricted_mtk_cma" by DMA_HEAP_IOCTL_ALLOC. 2) userspace imports that dma-buf into the device using prime for the drm_file. 3) userspace uses the already implemented driver import code for the special cases of protected content buffer. In the step 3), we need to verify the dma-buf is allocated from "restricted_mtk_cma", but there is no way to pass the secure flag or private data from userspace to the import interface in DRM driver. So I can only verify it like this now: struct drm_gem_object *mtk_gem_prime_import_sg_table(struct drm_device *dev, struct dma_buf_attachment *attach, struct sg_table *sg) { struct mtk_gem_obj *mtk_gem; /* check if the entries in the sg_table are contiguous */ if (drm_prime_get_contiguous_size(sg) < attach->dmabuf->size) { DRM_ERROR("sg_table is not contiguous"); return ERR_PTR(-EINVAL); } mtk_gem = mtk_gem_init(dev, attach->dmabuf->size); if (IS_ERR(mtk_gem)) return ERR_CAST(mtk_gem); + mtk_gem->secure = (!strncmp(attach->dmabuf->exp_name, "restricted", 10)); mtk_gem->dma_addr = sg_dma_address(sg->sgl); mtk_gem->size = attach->dmabuf->size; mtk_gem->sg = sg; return &mtk_gem->base; } I think I have the same problem as the ECC_FLAG mention in: https://lore.kernel.org/linux-media/20240515-dma-buf-ecc-heap-v1-0-54cbbd049511@kernel.org/ I think it would be better to have the user configurable private information in dma-buf, so all the drivers who have the same requirement can get their private information from dma-buf directly and no need to change or add the interface. What's your opinion in this point? Regards, Jason-JH.Lin > Regards, > Christian.