2015-10-21 16:34 GMT+02:00 James Morris <jmorris(a)namei.org>:
> On Wed, 21 Oct 2015, Benjamin Gaignard wrote:
>
>>
>> The outcome of the previous RFC about how to do a secure data path was the need
>> of a secure memory allocator (https://lkml.org/lkml/2015/5/5/551)
>>
>
> Have you addressed all the questions raised by Alan here:
>
> https://lkml.org/lkml/2015/5/8/629
SMAF creates /dev/smaf where all allocations can be done, and it is the
owner of the dmabuf.
The secure module is called to check permissions before the CPU can
access the memory.
I hope this covers what Alan expected but I can't speak for him.
>
> Also, is there any application of this beyond DRM?
>
If you don't use the secure part you can consider that SMAF is a
central allocator with helpers to select
the best allocator for your hardware devices.
While SMAF doesn't rely on DRM concepts (crypto, CENC, keys etc...) we
can use it outside this context but obviously it has been first
designed for DRM use cases.
>
> - James
> --
> James Morris
> <jmorris(a)namei.org>
>
--
Benjamin Gaignard
Graphic Working Group
Linaro.org │ Open source software for ARM SoCs
Follow Linaro: Facebook | Twitter | Blog
2015-10-21 16:32 GMT+02:00 James Morris <jmorris(a)namei.org>:
> On Wed, 21 Oct 2015, Benjamin Gaignard wrote:
>
>> Secure Memory Allocation Framework goal is to be able
>> to allocate memory that can be securing.
>> There is so much ways to allocate and securing memory that SMAF
>> doesn't do it by itself but need help of additional modules.
>> To be sure to use the correct allocation method SMAF implement
>> deferred allocation (i.e. allocate memory when only really needed)
>>
>> Allocation modules (smaf-allocator.h):
>> SMAF could manage with multiple allocation modules at same time.
>> To select the good one SMAF call match() to be sure that a module
>> can allocate memory for a given list of devices. It is to the module
>> to check if the devices are compatible or not with it allocation
>> method.
>>
>> Securing module (smaf-secure.h):
>> The way of how securing memory it is done is platform specific.
>> Secure module is responsible of grant/revoke memory access.
>>
>
> This documentation is highly inadequate.
If you give hints I will try to complete it and make it acceptable.
>
> What does "allocate memory that can be securing" mean?
Maybe I could rephrase it like this:
"Secure Memory Allocation Framework goal is to be able to allocate
memory that the platform can secure."
I'm trying to be generic here because each could have its own method to
secure buffers.
>
>
> --
> James Morris
> <jmorris(a)namei.org>
>
--
Benjamin Gaignard
Graphic Working Group
Linaro.org │ Open source software for ARM SoCs
version 5 changes:
- rebased on kernel 4.3-rc6
- rework locking schema and make handle status use an atomic_t
- add a fake secure module to allow performing tests without trusted
environment
version 4 changes:
- rebased on kernel 4.3-rc3
- fix missing EXPORT_SYMBOL for smaf_create_handle()
version 3 changes:
- Remove ioctl for allocator selection; instead provide the name of
the targeted allocator with the allocation request.
Selecting the allocator from userland isn't the preferred way of working
but is needed when the first user of the buffer is a software component.
- Fix issues in case of error while creating smaf handle.
- Fix module license.
- Update libsmaf and tests to take care of the SMAF API evolution
https://git.linaro.org/people/benjamin.gaignard/libsmaf.git
version 2 changes:
- Add one ioctl to allow allocator selection from userspace.
This is required for the use case where the first user of
the buffer is a software IP which can't perform dma_buf attachment.
- Add name and ranking to allocator structure to be able to sort them.
- Create a tiny library to test SMAF:
https://git.linaro.org/people/benjamin.gaignard/libsmaf.git
- Fix one issue when trying to secure a buffer without a secure module registered

The outcome of the previous RFC about how to do a secure data path was the need
of a secure memory allocator (https://lkml.org/lkml/2015/5/5/551)

SMAF's goal is to provide a framework that allows allocating and securing
memory by using dma_buf. Each platform has its own way to perform those two
features so the SMAF design allows registering helper modules to perform them.

To be sure to select the best allocation method for devices SMAF implements
a deferred allocation mechanism: memory allocation is only done when the first
device effectively requires it.
Allocator modules have to implement a match() to let SMAF know if they are
compatible with the devices' needs.
This patch set provides an example of an allocator module which uses
dma_{alloc/free/mmap}_attrs() and checks if at least one device has
coherent_dma_mask set to DMA_BIT_MASK(32) in the match function.
I have named it smaf-cma.c like it is done for drm_gem_cma_helper.c even if
a better name could be found for this file.

Secure modules are responsible for granting and revoking devices' access rights
on the memory. The secure module is also called to check if the CPU can map memory into
kernel and user address spaces.
An example of a secure module implementation can be found here:
http://git.linaro.org/people/benjamin.gaignard/optee-sdp.git
This code isn't yet part of the patch set because it depends on generic TEE
which is still under discussion (https://lwn.net/Articles/644646/)

For the allocation part of the SMAF code I was inspired by Sumit Semwal's work on
the constraint-aware allocator.

Benjamin Gaignard (3):
create SMAF module
SMAF: add CMA allocator
SMAF: add fake secure module
drivers/Kconfig | 2 +
drivers/Makefile | 1 +
drivers/smaf/Kconfig | 17 +
drivers/smaf/Makefile | 3 +
drivers/smaf/smaf-cma.c | 200 +++++++++++
drivers/smaf/smaf-core.c | 753 +++++++++++++++++++++++++++++++++++++++++
drivers/smaf/smaf-fakesecure.c | 92 +++++
include/linux/smaf-allocator.h | 54 +++
include/linux/smaf-secure.h | 75 ++++
include/uapi/linux/smaf.h | 52 +++
10 files changed, 1249 insertions(+)
create mode 100644 drivers/smaf/Kconfig
create mode 100644 drivers/smaf/Makefile
create mode 100644 drivers/smaf/smaf-cma.c
create mode 100644 drivers/smaf/smaf-core.c
create mode 100644 drivers/smaf/smaf-fakesecure.c
create mode 100644 include/linux/smaf-allocator.h
create mode 100644 include/linux/smaf-secure.h
create mode 100644 include/uapi/linux/smaf.h
--
1.9.1
I have in mind a few use cases:
- the basic one, when a HW device needs contiguous memory.
- I have a device that could not cross some memory boundaries so I
need a specific allocator for it.
- when allocating memory for security some platforms have address
constraints or need to allocate memory in specific areas (most of the
time because of firewall limited capacities in terms of regions)
2015-10-06 4:07 GMT+02:00 Laura Abbott <labbott(a)redhat.com>:
> On 10/05/2015 03:11 AM, Benjamin Gaignard wrote:
>>
>> version 4 changes:
>> - rebased on kernel 4.3-rc3
>> - fix missing EXPORT_SYMBOL for smaf_create_handle()
>>
>> version 3 changes:
>> - Remove ioctl for allocator selection; instead provide the name of
>> the targeted allocator with the allocation request.
>> Selecting the allocator from userland isn't the preferred way of working
>> but is needed when the first user of the buffer is a software
>> component.
>> - Fix issues in case of error while creating smaf handle.
>> - Fix module license.
>> - Update libsmaf and tests to take care of the SMAF API evolution
>> https://git.linaro.org/people/benjamin.gaignard/libsmaf.git
>>
>> version 2 changes:
>> - Add one ioctl to allow allocator selection from userspace.
>> This is required for the use case where the first user of
>> the buffer is a software IP which can't perform dma_buf attachment.
>> - Add name and ranking to allocator structure to be able to sort them.
>> - Create a tiny library to test SMAF:
>> https://git.linaro.org/people/benjamin.gaignard/libsmaf.git
>> - Fix one issue when trying to secure a buffer without a secure module
>> registered
>>
>> The outcome of the previous RFC about how to do a secure data path was the need
>> of a secure memory allocator (https://lkml.org/lkml/2015/5/5/551)
>>
>> SMAF's goal is to provide a framework that allows allocating and securing
>> memory by using dma_buf. Each platform has its own way to perform those two
>> features so the SMAF design allows registering helper modules to perform them.
>>
>> To be sure to select the best allocation method for devices SMAF implements
>> a deferred allocation mechanism: memory allocation is only done when the first
>> device effectively requires it.
>> Allocator modules have to implement a match() to let SMAF know if they are
>> compatible with the devices' needs.
>> This patch set provides an example of an allocator module which uses
>> dma_{alloc/free/mmap}_attrs() and checks if at least one device has
>> coherent_dma_mask set to DMA_BIT_MASK(32) in the match function.
>> I have named it smaf-cma.c like it is done for drm_gem_cma_helper.c even if
>> a better name could be found for this file.
>>
>> Secure modules are responsible for granting and revoking devices' access rights
>> on the memory. The secure module is also called to check if the CPU can map memory into
>> kernel and user address spaces.
>> An example of a secure module implementation can be found here:
>> http://git.linaro.org/people/benjamin.gaignard/optee-sdp.git
>> This code isn't yet part of the patch set because it depends on generic TEE
>> which is still under discussion (https://lwn.net/Articles/644646/)
>>
>> For the allocation part of the SMAF code I was inspired by Sumit Semwal's work on
>> the constraint-aware allocator.
>>
>
> Overall I like the abstraction. Do you have a use case in mind right now for
> the best allocation method? Some of the classic examples (mmu vs. no mmu)
> are gradually becoming less relevant as the systems have evolved. I was
> discussing constraints with Sumit w.r.t. Ion at plumbers so I'm curious
> about your uses.
>
> Thanks,
> Laura
>
>
--
Benjamin Gaignard
Graphic Working Group
Linaro.org │ Open source software for ARM SoCs
version 4 changes:
- rebased on kernel 4.3-rc3
- fix missing EXPORT_SYMBOL for smaf_create_handle()
version 3 changes:
- Remove ioctl for allocator selection; instead provide the name of
the targeted allocator with the allocation request.
Selecting the allocator from userland isn't the preferred way of working
but is needed when the first user of the buffer is a software component.
- Fix issues in case of error while creating smaf handle.
- Fix module license.
- Update libsmaf and tests to take care of the SMAF API evolution
https://git.linaro.org/people/benjamin.gaignard/libsmaf.git
version 2 changes:
- Add one ioctl to allow allocator selection from userspace.
This is required for the use case where the first user of
the buffer is a software IP which can't perform dma_buf attachment.
- Add name and ranking to allocator structure to be able to sort them.
- Create a tiny library to test SMAF:
https://git.linaro.org/people/benjamin.gaignard/libsmaf.git
- Fix one issue when trying to secure a buffer without a secure module registered

The outcome of the previous RFC about how to do a secure data path was the need
of a secure memory allocator (https://lkml.org/lkml/2015/5/5/551)

SMAF's goal is to provide a framework that allows allocating and securing
memory by using dma_buf. Each platform has its own way to perform those two
features so the SMAF design allows registering helper modules to perform them.

To be sure to select the best allocation method for devices SMAF implements
a deferred allocation mechanism: memory allocation is only done when the first
device effectively requires it.
Allocator modules have to implement a match() to let SMAF know if they are
compatible with the devices' needs.
This patch set provides an example of an allocator module which uses
dma_{alloc/free/mmap}_attrs() and checks if at least one device has
coherent_dma_mask set to DMA_BIT_MASK(32) in the match function.
I have named it smaf-cma.c like it is done for drm_gem_cma_helper.c even if
a better name could be found for this file.

Secure modules are responsible for granting and revoking devices' access rights
on the memory. The secure module is also called to check if the CPU can map memory into
kernel and user address spaces.
An example of a secure module implementation can be found here:
http://git.linaro.org/people/benjamin.gaignard/optee-sdp.git
This code isn't yet part of the patch set because it depends on generic TEE
which is still under discussion (https://lwn.net/Articles/644646/)

For the allocation part of the SMAF code I was inspired by Sumit Semwal's work on
the constraint-aware allocator.

Benjamin Gaignard (2):
create SMAF module
SMAF: add CMA allocator
drivers/Kconfig | 2 +
drivers/Makefile | 1 +
drivers/smaf/Kconfig | 11 +
drivers/smaf/Makefile | 2 +
drivers/smaf/smaf-cma.c | 200 +++++++++++
drivers/smaf/smaf-core.c | 736 +++++++++++++++++++++++++++++++++++++++++
include/linux/smaf-allocator.h | 54 +++
include/linux/smaf-secure.h | 72 ++++
include/uapi/linux/smaf.h | 52 +++
9 files changed, 1130 insertions(+)
create mode 100644 drivers/smaf/Kconfig
create mode 100644 drivers/smaf/Makefile
create mode 100644 drivers/smaf/smaf-cma.c
create mode 100644 drivers/smaf/smaf-core.c
create mode 100644 include/linux/smaf-allocator.h
create mode 100644 include/linux/smaf-secure.h
create mode 100644 include/uapi/linux/smaf.h
--
1.9.1
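
The selection and gating logic described in the cover letters above, as an added userspace model in C; it is not code from the patch set. Every model_* name, the two sample allocators, the "higher ranking wins" rule, the direct by-name selection and the deny-when-no-module behaviour are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MASK32 0xffffffffULL /* numeric value of DMA_BIT_MASK(32) */
struct model_dev { uint64_t coherent_dma_mask; };
struct model_allocator {
    const char *name;
    int ranking; /* assumption: higher ranking is preferred */
    bool (*match)(const struct model_dev *devs, size_t n);
};
struct model_secure { bool (*allow_cpu)(void); }; /* stand-in secure module */
/* Check described for the CMA example: one device with a 32-bit coherent mask. */
static bool cma_match(const struct model_dev *d, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (d[i].coherent_dma_mask == MASK32)
            return true;
    return false;
}
/* Hypothetical low-ranked allocator: accepts any non-empty device list. */
static bool any_match(const struct model_dev *d, size_t n) { (void)d; return n > 0; }
static bool fake_allow(void) { return true; } /* always-grant test module */
static const struct model_secure fake_secure = { fake_allow };
static const struct model_allocator allocators[] = {
    { "model-cma", 10, cma_match }, { "model-any", 1, any_match },
};
/* Deferred selection at first device use. In this model a name supplied with
 * the request (software first user) selects that allocator directly. */
const char *model_select(const struct model_dev *devs, size_t n, const char *name)
{
    const struct model_allocator *best = NULL;
    for (size_t i = 0; i < sizeof(allocators) / sizeof(allocators[0]); i++) {
        const struct model_allocator *a = &allocators[i];
        if (name ? (strcmp(a->name, name) == 0)
                 : (a->match(devs, n) && (!best || a->ranking > best->ranking)))
            best = a;
    }
    return best ? best->name : NULL;
}
/* CPU mapping gate: a secured buffer maps only if a registered module grants it. */
bool model_cpu_map_allowed(bool secured, const struct model_secure *mod)
{
    return !secured || (mod && mod->allow_cpu && mod->allow_cpu());
}
int main(void)
{
    struct model_dev devs[] = { { UINT64_MAX }, { MASK32 } }; /* constructed */
    return strcmp(model_select(devs, 2, NULL), "model-cma") != 0
           || !model_cpu_map_allowed(true, &fake_secure);
}
```

An always-grant module like fake_allow() only exercises the call path; it says nothing about whether a real platform's grant/revoke is enforced.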