subject:"\[Linaro\-acpi\] \[PATCH v5 18\/18\] Documentation\: ACPI for ARM64"

On Fri, Jan 09, 2015 at 10:55:51AM +, Arnd Bergmann wrote:
> On Friday 09 January 2015 10:33:07 Catalin Marinas wrote:
> > On Wed, Jan 07, 2015 at 07:48:48PM +, Arnd Bergmann wrote:
> 
> > > In other cases that's actually a good thing. One such example is the
> > > "Principles of ARM Memory Maps" document that tells hardware implementers
> > > to do a rather complex mapping "To support 36-bit x86 PAE compatible 
> > > operating
> > > systems, such as Linux." but makes life much harder in the process than
> > > any of the random mappings we have seen in the wild.
> > 
> > Unfortunately, with any significant amount of RAM (say 16GB), this
> > document becomes pretty useless. It basically forces you to have a very
> > sparse physical address map from 0 to over 40-bit. I wouldn't apply the
> > ARM memory maps doc to server systems.
> 
> Are you sure? I was under the impression that this document was targetted
> specifically at servers.

Ah, sorry for the confusion, I haven't read the latest (apparently from
2012) update which covers 44 and 48-bit memory maps.

The only downside is that for more than 32GB of RAM (up to 512GB) it
requires a 40-bit memory map. Given the sparseness, we can't use
3-levels of page table with 4KB pages which can only cover 39-bit.
Anyway, not a major issue.

-- 
Catalin
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-09 Thread Arnd Bergmann

On Friday 09 January 2015 10:33:07 Catalin Marinas wrote:
> On Wed, Jan 07, 2015 at 07:48:48PM +, Arnd Bergmann wrote:

> > In other cases that's actually a good thing. One such example is the
> > "Principles of ARM Memory Maps" document that tells hardware implementers
> > to do a rather complex mapping "To support 36-bit x86 PAE compatible 
> > operating
> > systems, such as Linux." but makes life much harder in the process than
> > any of the random mappings we have seen in the wild.
> 
> Unfortunately, with any significant amount of RAM (say 16GB), this
> document becomes pretty useless. It basically forces you to have a very
> sparse physical address map from 0 to over 40-bit. I wouldn't apply the
> ARM memory maps doc to server systems.

Are you sure? I was under the impression that this document was targetted
specifically at servers.

> >   It's also not just the CPU core, other components also get easily
> >   replaced, like a GICv3 that is not a strict superset of GICv2.
> 
> That's not a problem for Linux, we can describe them in DT or ACPI and
> have drivers. GICv3 has an optional GICv2 compatible mode, though
> vendors may decide not to implement it.

I'm aware that we can deal with it after we have the drivers. My point
was that we are unable to deal with this problem in general if we want
to run existing kernels on new hardware that contains e.g. a GICv4/5/6
that requires a new driver which has to first be written and then
backported into distro kernels.

Arnd
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wed, Jan 07, 2015 at 07:48:48PM +, Arnd Bergmann wrote:
> On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
> > I'm expecting to need new drivers for SoC IP blocks that are net new,
> > but generational differences between iterations of the same SoC should
> > be abstracted behind the firmware (and we are already seeing this with
> > at least one platform). Platform wise, it's nice to already see e.g.
> > mmconfig working to handle the specific ways a platform wires PCI.
> 
> Yes, the parts that are mandated by SBSA, like the way that PCI needs
> to be done are generally good. Unfortunately a lot of the hardware that
> I've seen has a rather lax interpretation of the spec, so just because
> something is mandated doesn't mean it's done that way ;-)
> 
> In other cases that's actually a good thing. One such example is the
> "Principles of ARM Memory Maps" document that tells hardware implementers
> to do a rather complex mapping "To support 36-bit x86 PAE compatible operating
> systems, such as Linux." but makes life much harder in the process than
> any of the random mappings we have seen in the wild.

Unfortunately, with any significant amount of RAM (say 16GB), this
document becomes pretty useless. It basically forces you to have a very
sparse physical address map from 0 to over 40-bit. I wouldn't apply the
ARM memory maps doc to server systems.

> * There is a general mindset about deprecating unwanted features
>   early. ARMv8 aarch32 bit mode removes support for older instructions
>   or makes them optional. Even the virtualization mode doesn't allow
>   to trap on architecture version specific differences, so you can't
>   completely emulate an older architecture level.
>   This is nice for implementers but not so much for users that rely
>   on old (mis-)features.

This mindset is (slowly) changing. There are, of course, instructions
like SWP that just can't always be implemented at the SoC level (not
necessarily CPU level; requiring bus locks) but others like CP15
barriers, I don't see why they should go away, it's just a decoder
problem.

>   It's also not just the CPU core, other components also get easily
>   replaced, like a GICv3 that is not a strict superset of GICv2.

That's not a problem for Linux, we can describe them in DT or ACPI and
have drivers. GICv3 has an optional GICv2 compatible mode, though
vendors may decide not to implement it.

-- 
Catalin
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Fri, Jan 09, 2015 at 10:55:51AM +, Arnd Bergmann wrote:
 On Friday 09 January 2015 10:33:07 Catalin Marinas wrote:
  On Wed, Jan 07, 2015 at 07:48:48PM +, Arnd Bergmann wrote:
 
   In other cases that's actually a good thing. One such example is the
   Principles of ARM Memory Maps document that tells hardware implementers
   to do a rather complex mapping To support 36-bit x86 PAE compatible 
   operating
   systems, such as Linux. but makes life much harder in the process than
   any of the random mappings we have seen in the wild.
  
  Unfortunately, with any significant amount of RAM (say 16GB), this
  document becomes pretty useless. It basically forces you to have a very
  sparse physical address map from 0 to over 40-bit. I wouldn't apply the
  ARM memory maps doc to server systems.
 
 Are you sure? I was under the impression that this document was targetted
 specifically at servers.

Ah, sorry for the confusion, I haven't read the latest (apparently from
2012) update which covers 44 and 48-bit memory maps.

The only downside is that for more than 32GB of RAM (up to 512GB) it
requires a 40-bit memory map. Given the sparseness, we can't use
3-levels of page table with 4KB pages which can only cover 39-bit.
Anyway, not a major issue.

-- 
Catalin
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-09 Thread Arnd Bergmann

On Friday 09 January 2015 10:33:07 Catalin Marinas wrote:
 On Wed, Jan 07, 2015 at 07:48:48PM +, Arnd Bergmann wrote:

  In other cases that's actually a good thing. One such example is the
  Principles of ARM Memory Maps document that tells hardware implementers
  to do a rather complex mapping To support 36-bit x86 PAE compatible 
  operating
  systems, such as Linux. but makes life much harder in the process than
  any of the random mappings we have seen in the wild.
 
 Unfortunately, with any significant amount of RAM (say 16GB), this
 document becomes pretty useless. It basically forces you to have a very
 sparse physical address map from 0 to over 40-bit. I wouldn't apply the
 ARM memory maps doc to server systems.

Are you sure? I was under the impression that this document was targetted
specifically at servers.

It's also not just the CPU core, other components also get easily
replaced, like a GICv3 that is not a strict superset of GICv2.
 
 That's not a problem for Linux, we can describe them in DT or ACPI and
 have drivers. GICv3 has an optional GICv2 compatible mode, though
 vendors may decide not to implement it.

I'm aware that we can deal with it after we have the drivers. My point
was that we are unable to deal with this problem in general if we want
to run existing kernels on new hardware that contains e.g. a GICv4/5/6
that requires a new driver which has to first be written and then
backported into distro kernels.

Arnd
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wed, Jan 07, 2015 at 07:48:48PM +, Arnd Bergmann wrote:
 On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
  I'm expecting to need new drivers for SoC IP blocks that are net new,
  but generational differences between iterations of the same SoC should
  be abstracted behind the firmware (and we are already seeing this with
  at least one platform). Platform wise, it's nice to already see e.g.
  mmconfig working to handle the specific ways a platform wires PCI.
 
 Yes, the parts that are mandated by SBSA, like the way that PCI needs
 to be done are generally good. Unfortunately a lot of the hardware that
 I've seen has a rather lax interpretation of the spec, so just because
 something is mandated doesn't mean it's done that way ;-)
 
 In other cases that's actually a good thing. One such example is the
 Principles of ARM Memory Maps document that tells hardware implementers
 to do a rather complex mapping To support 36-bit x86 PAE compatible operating
 systems, such as Linux. but makes life much harder in the process than
 any of the random mappings we have seen in the wild.

Unfortunately, with any significant amount of RAM (say 16GB), this
document becomes pretty useless. It basically forces you to have a very
sparse physical address map from 0 to over 40-bit. I wouldn't apply the
ARM memory maps doc to server systems.

 * There is a general mindset about deprecating unwanted features
   early. ARMv8 aarch32 bit mode removes support for older instructions
   or makes them optional. Even the virtualization mode doesn't allow
   to trap on architecture version specific differences, so you can't
   completely emulate an older architecture level.
   This is nice for implementers but not so much for users that rely
   on old (mis-)features.

This mindset is (slowly) changing. There are, of course, instructions
like SWP that just can't always be implemented at the SoC level (not
necessarily CPU level; requiring bus locks) but others like CP15
barriers, I don't see why they should go away, it's just a decoder
problem.

   It's also not just the CPU core, other components also get easily
   replaced, like a GICv3 that is not a strict superset of GICv2.

That's not a problem for Linux, we can describe them in DT or ACPI and
have drivers. GICv3 has an optional GICv2 compatible mode, though
vendors may decide not to implement it.

-- 
Catalin
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

RE: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-08 Thread Kangkang Shen

Security is a much big scale issue. The industry has all kind of solutions to 
deal with firmware security. In ARM system, the Firmware has been designed with 
higher privilege/security than OS. I will suggest we trust firmware security 
and focus on Linux itself.  

-Original Message-
From: linaro-acpi-boun...@lists.linaro.org 
[mailto:linaro-acpi-boun...@lists.linaro.org] On Behalf Of Arnd Bergmann
Sent: Thursday, January 08, 2015 3:27 AM
To: Jason Cooper
Cc: Rob Herring; Daniel Lezcano; Robert Richter; linaro-a...@lists.linaro.org; 
Marc Zyngier; Jon Masters; Randy Dunlap; Liviu Dudau; Robert Moore; Will 
Deacon; linux-kernel@vger.kernel.org; linux-a...@vger.kernel.org; Mark Brown; 
Rafael J. Wysocki; Lv Zheng; Catalin Marinas; Bjorn Helgaas; 
linux-arm-ker...@lists.infradead.org; Olof Johansson
Subject: Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wednesday 07 January 2015 17:59:04 Jason Cooper wrote:
> On Wed, Jan 07, 2015 at 03:05:14PM -0500, Jon Masters wrote:
> > On 01/07/2015 02:58 PM, Jon Masters wrote:
> > > On 01/07/2015 01:41 PM, Jason Cooper wrote:
> > 
> > >> One of the reasons I've really enjoyed working with ARM platforms 
> > >> and DT is the absence of this type of 'feature'.  I honestly 
> > >> don't care whether the kernel gets the board configuration info 
> > >> from DT or ACPI or FOO, as long as we can avoid the security mistakes of 
> > >> the past:
> > >>
> > >>   
> > >> http://www.spiegel.de/international/world/catalog-reveals-nsa-has
> > >> -back-doors-for-numerous-devices-a-940994.html
> > > 
> > > ACPI is not the great satan. I'm aware certain others in the 
> > > community have written missinformed blog posts and G+ rants 
> > > equating ACPI with SMI and even with various other system 
> > > firmware. I can't force someone to become informed on a topic, 
> > > especially if it's politically useful to them to hate on ACPI and use the 
> > > security paranoia handwavy argument.
> > 
> > To clarify, and this is not directed at you Jason, it is politically 
> > useful to some who have written rants those business models are 
> > built upon being paid to enable platforms. For those folks, 
> > standardized platforms which allow a common OS approach are seen as 
> > threatening.
> 
> Ahh, thanks for clarifying.
> 
> > In the previous rants (which were really instigated as a result of 
> > the
> > above) ACPI was equated with SMM (System Management Mode), which is 
> > a bit like the Secure/Trusted world on AArch64 in which you might 
> > run another "Trusted" OS. These are the places where you want to 
> > watch out to malware of the kind cited in your link, not in ACPI tables.
> 
> fwiw, I *am* concerned about those spaces.  It seems we agree on their 
> vulnerability to attack (plus being meaty targets).
> 
> To more concisely state my other reply to you, wrt to AML, I'm 
> primarily concerned about a malicious update to the ACPI tables.  The 
> ACPI tables in the update would be otherwise normal, except for the 
> AML blob that contains some extra code.  The malicious payload.  Then, 
> a routine call into an AML (for pinctrl, say) executes the malicious code.
> 
> The plausibility and preventability of that style of attack is what 
> I'm hoping to nail down with this discussion.

If you want to run hidden code through the firmware, then doing an attack on 
Intel SMM or ARM TrustZone would be much harder to detect and as easy to get 
in, as long as you have the ability to flash arbitrary firmware.
I think this has been shown to happen in the wild. That code could go and 
manipulate the running kernel image to do something else.

Running code inside of the AML interpreter is fairly limited for the purpose of 
an attack [*], but there might be bugs in the interpreter that allow arbitrary 
code execution from malicious firmware. I think this case would be similar to 
constructing a malicious DT blob that exploits a bug in the DT parser for 
arbitrary code execution. The AML interpreter is a relatively large chunk of 
code, but it's self-contained. In comparison, the DT parser is much smaller, 
but has the additional
(theoretical) problem of potential buffer overflows in any drivers that use it 
incorrectly (e.g. format string attacks on string properties).
Another difference is that the AML code is intended to not be user-upgradable 
without a full firmware upgrade, while a DT blob is meant to be easily replaced 
if necessary without flashing the firmware, using the same permissions you need 
for updating the OS.

I'm deliberately not trying to draw conclusions regarding whether AM

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-08 Thread Arnd Bergmann

On Wednesday 07 January 2015 17:59:04 Jason Cooper wrote:
> On Wed, Jan 07, 2015 at 03:05:14PM -0500, Jon Masters wrote:
> > On 01/07/2015 02:58 PM, Jon Masters wrote:
> > > On 01/07/2015 01:41 PM, Jason Cooper wrote:
> > 
> > >> One of the reasons I've really enjoyed working with ARM platforms and DT
> > >> is the absence of this type of 'feature'.  I honestly don't care whether
> > >> the kernel gets the board configuration info from DT or ACPI or FOO, as
> > >> long as we can avoid the security mistakes of the past:
> > >>
> > >>   
> > >> http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
> > > 
> > > ACPI is not the great satan. I'm aware certain others in the community
> > > have written missinformed blog posts and G+ rants equating ACPI with SMI
> > > and even with various other system firmware. I can't force someone to
> > > become informed on a topic, especially if it's politically useful to
> > > them to hate on ACPI and use the security paranoia handwavy argument.
> > 
> > To clarify, and this is not directed at you Jason, it is politically
> > useful to some who have written rants those business models are built
> > upon being paid to enable platforms. For those folks, standardized
> > platforms which allow a common OS approach are seen as threatening.
> 
> Ahh, thanks for clarifying.
> 
> > In the previous rants (which were really instigated as a result of the
> > above) ACPI was equated with SMM (System Management Mode), which is a
> > bit like the Secure/Trusted world on AArch64 in which you might run
> > another "Trusted" OS. These are the places where you want to watch out
> > to malware of the kind cited in your link, not in ACPI tables.
> 
> fwiw, I *am* concerned about those spaces.  It seems we agree on their
> vulnerability to attack (plus being meaty targets).
> 
> To more concisely state my other reply to you, wrt to AML, I'm primarily
> concerned about a malicious update to the ACPI tables.  The ACPI tables
> in the update would be otherwise normal, except for the AML blob that
> contains some extra code.  The malicious payload.  Then, a routine call
> into an AML (for pinctrl, say) executes the malicious code.
> 
> The plausibility and preventability of that style of attack is what I'm
> hoping to nail down with this discussion.

If you want to run hidden code through the firmware, then doing an attack
on Intel SMM or ARM TrustZone would be much harder to detect and as easy
to get in, as long as you have the ability to flash arbitrary firmware.
I think this has been shown to happen in the wild. That code could
go and manipulate the running kernel image to do something else.

Running code inside of the AML interpreter is fairly limited for the
purpose of an attack [*], but there might be bugs in the interpreter that
allow arbitrary code execution from malicious firmware. I think this
case would be similar to constructing a malicious DT blob that exploits
a bug in the DT parser for arbitrary code execution. The AML interpreter
is a relatively large chunk of code, but it's self-contained. In
comparison, the DT parser is much smaller, but has the additional
(theoretical) problem of potential buffer overflows in any drivers that
use it incorrectly (e.g. format string attacks on string properties).
Another difference is that the AML code is intended to not be
user-upgradable without a full firmware upgrade, while a DT blob is
meant to be easily replaced if necessary without flashing the firmware,
using the same permissions you need for updating the OS.

I'm deliberately not trying to draw conclusions regarding whether AML
is more or less secure than DT, but the above is my understanding of
the fundamental differences.

Arnd

[*] I would assume you can get AML code to write to arbitrary physical
memory locations without much effort, but it has rather limited arithmetical
capabilities which makes it hard to know where to write to.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-08 Thread Arnd Bergmann

On Wednesday 07 January 2015 17:59:04 Jason Cooper wrote:
On Wed, Jan 07, 2015 at 03:05:14PM -0500, Jon Masters wrote:
On 01/07/2015 02:58 PM, Jon Masters wrote:
On 01/07/2015 01:41 PM, Jason Cooper wrote:

One of the reasons I've really enjoyed working with ARM platforms and DT
is the absence of this type of 'feature'. I honestly don't care whether
the kernel gets the board configuration info from DT or ACPI or FOO, as
long as we can avoid the security mistakes of the past:

http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

ACPI is not the great satan. I'm aware certain others in the community
have written missinformed blog posts and G+ rants equating ACPI with SMI
and even with various other system firmware. I can't force someone to
become informed on a topic, especially if it's politically useful to
them to hate on ACPI and use the security paranoia handwavy argument.

To clarify, and this is not directed at you Jason, it is politically
useful to some who have written rants those business models are built
upon being paid to enable platforms. For those folks, standardized
platforms which allow a common OS approach are seen as threatening.

Ahh, thanks for clarifying.

In the previous rants (which were really instigated as a result of the
above) ACPI was equated with SMM (System Management Mode), which is a
bit like the Secure/Trusted world on AArch64 in which you might run
another Trusted OS. These are the places where you want to watch out
to malware of the kind cited in your link, not in ACPI tables.

fwiw, I *am* concerned about those spaces. It seems we agree on their
vulnerability to attack (plus being meaty targets).

To more concisely state my other reply to you, wrt to AML, I'm primarily
concerned about a malicious update to the ACPI tables. The ACPI tables
in the update would be otherwise normal, except for the AML blob that
contains some extra code. The malicious payload. Then, a routine call
into an AML (for pinctrl, say) executes the malicious code.

The plausibility and preventability of that style of attack is what I'm
hoping to nail down with this discussion.

If you want to run hidden code through the firmware, then doing an attack
on Intel SMM or ARM TrustZone would be much harder to detect and as easy
to get in, as long as you have the ability to flash arbitrary firmware.
I think this has been shown to happen in the wild. That code could
go and manipulate the running kernel image to do something else.

Running code inside of the AML interpreter is fairly limited for the
purpose of an attack [*], but there might be bugs in the interpreter that
allow arbitrary code execution from malicious firmware. I think this
case would be similar to constructing a malicious DT blob that exploits
a bug in the DT parser for arbitrary code execution. The AML interpreter
is a relatively large chunk of code, but it's self-contained. In
comparison, the DT parser is much smaller, but has the additional
(theoretical) problem of potential buffer overflows in any drivers that
use it incorrectly (e.g. format string attacks on string properties).
Another difference is that the AML code is intended to not be
user-upgradable without a full firmware upgrade, while a DT blob is
meant to be easily replaced if necessary without flashing the firmware,
using the same permissions you need for updating the OS.

I'm deliberately not trying to draw conclusions regarding whether AML
is more or less secure than DT, but the above is my understanding of
the fundamental differences.

Arnd

[*] I would assume you can get AML code to write to arbitrary physical
memory locations without much effort, but it has rather limited arithmetical
capabilities which makes it hard to know where to write to.
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

RE: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-08 Thread Kangkang Shen

Security is a much big scale issue. The industry has all kind of solutions to 
deal with firmware security. In ARM system, the Firmware has been designed with 
higher privilege/security than OS. I will suggest we trust firmware security 
and focus on Linux itself.  

-Original Message-
From: linaro-acpi-boun...@lists.linaro.org 
[mailto:linaro-acpi-boun...@lists.linaro.org] On Behalf Of Arnd Bergmann
Sent: Thursday, January 08, 2015 3:27 AM
To: Jason Cooper
Cc: Rob Herring; Daniel Lezcano; Robert Richter; linaro-a...@lists.linaro.org; 
Marc Zyngier; Jon Masters; Randy Dunlap; Liviu Dudau; Robert Moore; Will 
Deacon; linux-kernel@vger.kernel.org; linux-a...@vger.kernel.org; Mark Brown; 
Rafael J. Wysocki; Lv Zheng; Catalin Marinas; Bjorn Helgaas; 
linux-arm-ker...@lists.infradead.org; Olof Johansson
Subject: Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wednesday 07 January 2015 17:59:04 Jason Cooper wrote:
 On Wed, Jan 07, 2015 at 03:05:14PM -0500, Jon Masters wrote:
  On 01/07/2015 02:58 PM, Jon Masters wrote:
   On 01/07/2015 01:41 PM, Jason Cooper wrote:

   One of the reasons I've really enjoyed working with ARM platforms 
   and DT is the absence of this type of 'feature'.  I honestly 
   don't care whether the kernel gets the board configuration info 
   from DT or ACPI or FOO, as long as we can avoid the security mistakes of 
   the past:

   http://www.spiegel.de/international/world/catalog-reveals-nsa-has
   -back-doors-for-numerous-devices-a-940994.html

   ACPI is not the great satan. I'm aware certain others in the 
   community have written missinformed blog posts and G+ rants 
   equating ACPI with SMI and even with various other system 
   firmware. I can't force someone to become informed on a topic, 
   especially if it's politically useful to them to hate on ACPI and use the 
   security paranoia handwavy argument.

  To clarify, and this is not directed at you Jason, it is politically 
  useful to some who have written rants those business models are 
  built upon being paid to enable platforms. For those folks, 
  standardized platforms which allow a common OS approach are seen as 
  threatening.

 Ahh, thanks for clarifying.

  In the previous rants (which were really instigated as a result of 
  the
  above) ACPI was equated with SMM (System Management Mode), which is 
  a bit like the Secure/Trusted world on AArch64 in which you might 
  run another Trusted OS. These are the places where you want to 
  watch out to malware of the kind cited in your link, not in ACPI tables.

 fwiw, I *am* concerned about those spaces.  It seems we agree on their 
 vulnerability to attack (plus being meaty targets).

 To more concisely state my other reply to you, wrt to AML, I'm 
 primarily concerned about a malicious update to the ACPI tables.  The 
 ACPI tables in the update would be otherwise normal, except for the 
 AML blob that contains some extra code.  The malicious payload.  Then, 
 a routine call into an AML (for pinctrl, say) executes the malicious code.

 The plausibility and preventability of that style of attack is what 
 I'm hoping to nail down with this discussion.

If you want to run hidden code through the firmware, then doing an attack on 
Intel SMM or ARM TrustZone would be much harder to detect and as easy to get 
in, as long as you have the ability to flash arbitrary firmware.
I think this has been shown to happen in the wild. That code could go and 
manipulate the running kernel image to do something else.

Running code inside of the AML interpreter is fairly limited for the purpose of 
an attack [*], but there might be bugs in the interpreter that allow arbitrary 
code execution from malicious firmware. I think this case would be similar to 
constructing a malicious DT blob that exploits a bug in the DT parser for 
arbitrary code execution. The AML interpreter is a relatively large chunk of 
code, but it's self-contained. In comparison, the DT parser is much smaller, 
but has the additional
(theoretical) problem of potential buffer overflows in any drivers that use it 
incorrectly (e.g. format string attacks on string properties).
Another difference is that the AML code is intended to not be user-upgradable 
without a full firmware upgrade, while a DT blob is meant to be easily replaced 
if necessary without flashing the firmware, using the same permissions you need 
for updating the OS.

I'm deliberately not trying to draw conclusions regarding whether AML is more 
or less secure than DT, but the above is my understanding of the fundamental 
differences.

Arnd

[*] I would assume you can get AML code to write to arbitrary physical memory 
locations without much effort, but it has rather limited arithmetical 
capabilities which makes it hard to know where to write to.

___
Linaro-acpi mailing list
linaro-a...@lists.linaro.org
http://lists.linaro.org/mailman/listinfo/linaro

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wed, Jan 07, 2015 at 03:05:14PM -0500, Jon Masters wrote:
> On 01/07/2015 02:58 PM, Jon Masters wrote:
> > On 01/07/2015 01:41 PM, Jason Cooper wrote:
> 
> >> One of the reasons I've really enjoyed working with ARM platforms and DT
> >> is the absence of this type of 'feature'.  I honestly don't care whether
> >> the kernel gets the board configuration info from DT or ACPI or FOO, as
> >> long as we can avoid the security mistakes of the past:
> >>
> >>   
> >> http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
> > 
> > ACPI is not the great satan. I'm aware certain others in the community
> > have written missinformed blog posts and G+ rants equating ACPI with SMI
> > and even with various other system firmware. I can't force someone to
> > become informed on a topic, especially if it's politically useful to
> > them to hate on ACPI and use the security paranoia handwavy argument.
> 
> To clarify, and this is not directed at you Jason, it is politically
> useful to some who have written rants those business models are built
> upon being paid to enable platforms. For those folks, standardized
> platforms which allow a common OS approach are seen as threatening.

Ahh, thanks for clarifying.

> In the previous rants (which were really instigated as a result of the
> above) ACPI was equated with SMM (System Management Mode), which is a
> bit like the Secure/Trusted world on AArch64 in which you might run
> another "Trusted" OS. These are the places where you want to watch out
> to malware of the kind cited in your link, not in ACPI tables.

fwiw, I *am* concerned about those spaces.  It seems we agree on their
vulnerability to attack (plus being meaty targets).

To more concisely state my other reply to you, wrt to AML, I'm primarily
concerned about a malicious update to the ACPI tables.  The ACPI tables
in the update would be otherwise normal, except for the AML blob that
contains some extra code.  The malicious payload.  Then, a routine call
into an AML (for pinctrl, say) executes the malicious code.

The plausibility and preventability of that style of attack is what I'm
hoping to nail down with this discussion.

thx,

Jason.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

Jason,

Will followup more later...was being a little sarcastic before...no raw nerve 
;) but sarcasm translates badly so apologies. Will send a better reply when 
back online :) Good points!

Jon.

-- 
Computer Architect | Sent from my #ARM Powered Mobile Device

On Jan 7, 2015 4:41 PM, Jason Cooper  wrote:
>
> On Wed, Jan 07, 2015 at 02:58:42PM -0500, Jon Masters wrote: 
> > On 01/07/2015 01:41 PM, Jason Cooper wrote: 
On Wed, Jan 07, 2015 at 02:58:42PM -0500, Jon Masters wrote:
> On 01/07/2015 01:41 PM, Jason Cooper wrote:
> > On Wed, Jan 07, 2015 at 05:27:41PM +, Mark Brown wrote:
> >> On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
> >>> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> >>
>  From what I gathered so far, the main reason for _some_ vendors is not
>  support for "other" OS but actually features that ACPI has and DT
>  doesn't (like AML; I deliberately ignore statements like "industry
>  standard"). _If_ such reasons are sound, maybe they have a case for
>  ACPI-only machines targeted primarily at Linux.
> >>
> >>> What I got from the replies from HP, Huawei and from earlier discussions
> >>> with Jon is that they all hope to get to the point of relying on AML
> >>> alone to bridge the differences between SoC families. However, I don't
> >>> see that happening with the limited hardware compatibility that the
> >>> existing SBSA provides:
> >>
> >> I tend to agree with you that it's an overreach to think that this is
> >> going to completely abstract away the differences between SoCs from
> >> different vendors without substantial further standardization work.
> >> However it does seem reasonable to expect that features like AML are
> >> going to be more successful in handling board differences and
> >> incremental revisions of SoCs - things like interactions with system
> >> power controllers for example.  That seems like a useful win in and of
> >> itself, and one that's worth supporting.
> > 
> > This piqued my interest, so I did a little research and found the
> > following to describe AML (second para under "What does this mean?")
> > 
> >   
> > http://community.arm.com/groups/processors/blog/2014/05/01/let-s-talk-acpi-for-servers
> > 
> > iiuc, AML are basically drivers for some low-level functions provided as
> > binary blobs via the ACPI tables.
> 
> AML isn't a "driver" per se. Think of it as providing a couple of
> methods for doing things like turning on a device, where the interpreted
> code might cause e.g. a memory address to be written with a value that
> causes a side effect (e.g. talking with a system configuration
> co-processor hidden inside the SoC the adjusts the clocking, enables
> power, configures PHY parameters, etc.). Most of the "AML" that you see
> on servers is actually just informational, or methods that return data
> describing the hardware installed.

So, similar in scope to an irqchip driver?  Because that's what I was
thinking when I said "driver", not alsa or drm...  Thanks for great
description.

> > How does this work in a trusted boot scenario?
> 
> No different than on x86.

Suprisingly, I don't do much with x86 development-wise.  The x86 boxes
are just tools to me.  So I'm not very familiar with the intricacies
there.  Do you have a pointer to ACPI update security
standards/protocols?

> > Can the ACPI tables, and these binary blobs with it, be updated from 
> > userspace?
> 
> Tables are baked into the firmware and are updated as a result of normal
> firmware updates (which already has a defined process). There are
> secondary tables that can augment things like the primary DSDT but those
> are also provided by the platform. There are only two ways the "OS"
> might provide a DSDT, but only including here for pedantry:
> 
> 1). If you compile a kernel specially with an embedded DSDT within the
> image itself (nobody does this one any more AFAIK).
> 
> 2). If you attach a special update test DSDT into your initramfs in a
> particular way, in which case I believe secure boot already is disabled.
> 
> But these are all developer/debug things, not intended for users running
> in a secure boot environment.

Right, I'm more concerned about the update process being the vector to
inject bad code.

> > If so, is there an authentication mechanism (including for non-secure boot 
> > scenarios)?
> 
> It's no different than scenarios on x86, which are well covered.
> 
> > One of the reasons I've really enjoyed working with ARM platforms and DT
> > is the absence of this type of 'feature'.  I honestly don't care whether
> > the kernel gets the board configuration info from DT or ACPI or FOO, as
> > long as we can avoid the security mistakes of the past:
> > 
> >   
> > http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
> 
> ACPI is not the great satan.

Relax, I'm not saying, nor implying that. :)  I *am* saying that
upgradeable executable code not

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wed, Jan 07, 2015 at 02:58:42PM -0500, Jon Masters wrote:
> On 01/07/2015 01:41 PM, Jason Cooper wrote:
> > On Wed, Jan 07, 2015 at 05:27:41PM +, Mark Brown wrote:
> >> On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
> >>> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> >>
>  From what I gathered so far, the main reason for _some_ vendors is not
>  support for "other" OS but actually features that ACPI has and DT
>  doesn't (like AML; I deliberately ignore statements like "industry
>  standard"). _If_ such reasons are sound, maybe they have a case for
>  ACPI-only machines targeted primarily at Linux.
> >>
> >>> What I got from the replies from HP, Huawei and from earlier discussions
> >>> with Jon is that they all hope to get to the point of relying on AML
> >>> alone to bridge the differences between SoC families. However, I don't
> >>> see that happening with the limited hardware compatibility that the
> >>> existing SBSA provides:
> >>
> >> I tend to agree with you that it's an overreach to think that this is
> >> going to completely abstract away the differences between SoCs from
> >> different vendors without substantial further standardization work.
> >> However it does seem reasonable to expect that features like AML are
> >> going to be more successful in handling board differences and
> >> incremental revisions of SoCs - things like interactions with system
> >> power controllers for example.  That seems like a useful win in and of
> >> itself, and one that's worth supporting.
> > 
> > This piqued my interest, so I did a little research and found the
> > following to describe AML (second para under "What does this mean?")
> > 
> >   
> > http://community.arm.com/groups/processors/blog/2014/05/01/let-s-talk-acpi-for-servers
> > 
> > iiuc, AML are basically drivers for some low-level functions provided as
> > binary blobs via the ACPI tables.
> 
> AML isn't a "driver" per se. Think of it as providing a couple of
> methods for doing things like turning on a device, where the interpreted
> code might cause e.g. a memory address to be written with a value that
> causes a side effect (e.g. talking with a system configuration
> co-processor hidden inside the SoC the adjusts the clocking, enables
> power, configures PHY parameters, etc.). Most of the "AML" that you see
> on servers is actually just informational, or methods that return data
> describing the hardware installed.

So, similar in scope to an irqchip driver?  Because that's what I was
thinking when I said "driver", not alsa or drm...  Thanks for great
description.

> > How does this work in a trusted boot scenario?
> 
> No different than on x86.

Suprisingly, I don't do much with x86 development-wise.  The x86 boxes
are just tools to me.  So I'm not very familiar with the intricacies
there.  Do you have a pointer to ACPI update security
standards/protocols?

> > Can the ACPI tables, and these binary blobs with it, be updated from 
> > userspace?
> 
> Tables are baked into the firmware and are updated as a result of normal
> firmware updates (which already has a defined process). There are
> secondary tables that can augment things like the primary DSDT but those
> are also provided by the platform. There are only two ways the "OS"
> might provide a DSDT, but only including here for pedantry:
> 
> 1). If you compile a kernel specially with an embedded DSDT within the
> image itself (nobody does this one any more AFAIK).
> 
> 2). If you attach a special update test DSDT into your initramfs in a
> particular way, in which case I believe secure boot already is disabled.
> 
> But these are all developer/debug things, not intended for users running
> in a secure boot environment.

Right, I'm more concerned about the update process being the vector to
inject bad code.

> > If so, is there an authentication mechanism (including for non-secure boot 
> > scenarios)?
> 
> It's no different than scenarios on x86, which are well covered.
> 
> > One of the reasons I've really enjoyed working with ARM platforms and DT
> > is the absence of this type of 'feature'.  I honestly don't care whether
> > the kernel gets the board configuration info from DT or ACPI or FOO, as
> > long as we can avoid the security mistakes of the past:
> > 
> >   
> > http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
> 
> ACPI is not the great satan.

Relax, I'm not saying, nor implying that. :)  I *am* saying that
upgradeable executable code not loaded from traditional OS storage
(harddisk, flash) is a valid security concern.

> I'm aware certain others in the community have written missinformed
> blog posts and G+ rants equating ACPI with SMI and even with various
> other system firmware.

You're in luck, I don't blog or do social media. :-P

> I can't force someone to become informed on a topic, especially if
> it's politically useful to them to hate on ACPI and

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On 01/07/2015 03:05 PM, Mark Brown wrote:
> On Wed, Jan 07, 2015 at 08:48:48PM +0100, Arnd Bergmann wrote:
>> On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
>>> On 01/07/2015 12:27 PM, Mark Brown wrote:
> 
 That level of hardware compatibility does partly come from the need to
 run existing software.  I'd expect that similar effects will start to
 come into play with ARMv8 ACPI systems if they become successful; people
 will do things like ensure compatibility with common IPs that have
 existing Linux drivers that distros tend to include as standard.
> 
>>> Agreed.
> 
>> There are two problems I see in trying to do the same thing on ARM:
> 
>> * we don't have a single vendor that makes de-facto standards that
>>   everyone else has to copy in the way that the few remaining x86
>>   vendors copy everything that Intel does. In fact, we prefer to
>>   have a large number of independent vendors.
> 
> Right, I'd guess that (modulo any standards being defined and becoming
> successful) it'll more be a case of vendors keeping compatibility with
> their own stuff.  We *are* seeing greater reliance on off the shelf IPs
> for more boring things like DMA and basic bus controllers but there's
> plenty of other areas that still affect servers.

I expect to see a greater level of standardization. SBBR is the
beginning, but it is far from the end. There will be a lot more as the
vendors come together and agree on common platform components. I've
spent a lot of time over the past few years with a large number of
vendors going over lots of these issues in lieu of more of a Windows
Hardware Qualification style guide. I intend to have one this year that
captures what Red Hat think an ARM server looks like, and to circulate
that among the broader ecosystem of vendors to feed into SBBR++.

>> * There is a general mindset about deprecating unwanted features
>>   early. ARMv8 aarch32 bit mode removes support for older instructions
>>   or makes them optional. Even the virtualization mode doesn't allow
>>   to trap on architecture version specific differences, so you can't
>>   completely emulate an older architecture level.
>>   This is nice for implementers but not so much for users that rely
>>   on old (mis-)features. It's also not just the CPU core, other
>>   components also get easily replaced, like a GICv3 that is not
>>   a strict superset of GICv2.
> 
> This is indeed worrying, though hopefully the fact that we're already
> seeing negative impacts in the app ecosystem for Android will have
> focused some minds - once you're talking about full system images it
> gets even more fun.

GICv2/3 was something a bunch of us discussed years ago. At the time we
debated whether there was a need to compel the superset option. It was
deemed early enough not to be a critical issue. But there have already
been other cases where we've pushed to ensure backward compatibility for
all time. And there will be more of those as the ecosystem develops out
into a world of existing Operating System images and apps that need to
run on these emerging platforms. Deprecating instructions and
formalizing other behaviors is an area where it's ephemeral - what made
sense in the past might not make sense in the future, and ARM know that.
Their architecture team features some of the smartest minds.

(on architecture revisions, Red Hat has stated in the past that we only
care about AArch64, not even running 32-bit code on 64-bit processors,
which is one reason I have pushed for some silicon designs not to
implement the 32-bit compatibility when it comes to servers)

Jon.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On 01/07/2015 02:58 PM, Jon Masters wrote:
> On 01/07/2015 01:41 PM, Jason Cooper wrote:

>> One of the reasons I've really enjoyed working with ARM platforms and DT
>> is the absence of this type of 'feature'.  I honestly don't care whether
>> the kernel gets the board configuration info from DT or ACPI or FOO, as
>> long as we can avoid the security mistakes of the past:
>>
>>   
>> http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
> 
> ACPI is not the great satan. I'm aware certain others in the community
> have written missinformed blog posts and G+ rants equating ACPI with SMI
> and even with various other system firmware. I can't force someone to
> become informed on a topic, especially if it's politically useful to
> them to hate on ACPI and use the security paranoia handwavy argument.

To clarify, and this is not directed at you Jason, it is politically
useful to some who have written rants those business models are built
upon being paid to enable platforms. For those folks, standardized
platforms which allow a common OS approach are seen as threatening.

In the previous rants (which were really instigated as a result of the
above) ACPI was equated with SMM (System Management Mode), which is a
bit like the Secure/Trusted world on AArch64 in which you might run
another "Trusted" OS. These are the places where you want to watch out
to malware of the kind cited in your link, not in ACPI tables.

Jon.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-07 Thread Mark Brown

On Wed, Jan 07, 2015 at 08:48:48PM +0100, Arnd Bergmann wrote:
> On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
> > On 01/07/2015 12:27 PM, Mark Brown wrote:

> > > That level of hardware compatibility does partly come from the need to
> > > run existing software.  I'd expect that similar effects will start to
> > > come into play with ARMv8 ACPI systems if they become successful; people
> > > will do things like ensure compatibility with common IPs that have
> > > existing Linux drivers that distros tend to include as standard.

> > Agreed.

> There are two problems I see in trying to do the same thing on ARM:

> * we don't have a single vendor that makes de-facto standards that
>   everyone else has to copy in the way that the few remaining x86
>   vendors copy everything that Intel does. In fact, we prefer to
>   have a large number of independent vendors.

Right, I'd guess that (modulo any standards being defined and becoming
successful) it'll more be a case of vendors keeping compatibility with
their own stuff.  We *are* seeing greater reliance on off the shelf IPs
for more boring things like DMA and basic bus controllers but there's
plenty of other areas that still affect servers.

> * There is a general mindset about deprecating unwanted features
>   early. ARMv8 aarch32 bit mode removes support for older instructions
>   or makes them optional. Even the virtualization mode doesn't allow
>   to trap on architecture version specific differences, so you can't
>   completely emulate an older architecture level.
>   This is nice for implementers but not so much for users that rely
>   on old (mis-)features. It's also not just the CPU core, other
>   components also get easily replaced, like a GICv3 that is not
>   a strict superset of GICv2.

This is indeed worrying, though hopefully the fact that we're already
seeing negative impacts in the app ecosystem for Android will have
focused some minds - once you're talking about full system images it
gets even more fun.


signature.asc
Description: Digital signature

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On 01/07/2015 01:41 PM, Jason Cooper wrote:
> On Wed, Jan 07, 2015 at 05:27:41PM +, Mark Brown wrote:
>> On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
>>> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
>>
 From what I gathered so far, the main reason for _some_ vendors is not
 support for "other" OS but actually features that ACPI has and DT
 doesn't (like AML; I deliberately ignore statements like "industry
 standard"). _If_ such reasons are sound, maybe they have a case for
 ACPI-only machines targeted primarily at Linux.
>>
>>> What I got from the replies from HP, Huawei and from earlier discussions
>>> with Jon is that they all hope to get to the point of relying on AML
>>> alone to bridge the differences between SoC families. However, I don't
>>> see that happening with the limited hardware compatibility that the
>>> existing SBSA provides:
>>
>> I tend to agree with you that it's an overreach to think that this is
>> going to completely abstract away the differences between SoCs from
>> different vendors without substantial further standardization work.
>> However it does seem reasonable to expect that features like AML are
>> going to be more successful in handling board differences and
>> incremental revisions of SoCs - things like interactions with system
>> power controllers for example.  That seems like a useful win in and of
>> itself, and one that's worth supporting.
> 
> This piqued my interest, so I did a little research and found the
> following to describe AML (second para under "What does this mean?")
> 
>   
> http://community.arm.com/groups/processors/blog/2014/05/01/let-s-talk-acpi-for-servers
> 
> iiuc, AML are basically drivers for some low-level functions provided as
> binary blobs via the ACPI tables.

AML isn't a "driver" per se. Think of it as providing a couple of
methods for doing things like turning on a device, where the interpreted
code might cause e.g. a memory address to be written with a value that
causes a side effect (e.g. talking with a system configuration
co-processor hidden inside the SoC the adjusts the clocking, enables
power, configures PHY parameters, etc.). Most of the "AML" that you see
on servers is actually just informational, or methods that return data
describing the hardware installed.

> How does this work in a trusted boot scenario?

No different than on x86.

> Can the ACPI tables, and these binary blobs with it, be updated from 
> userspace?

Tables are baked into the firmware and are updated as a result of normal
firmware updates (which already has a defined process). There are
secondary tables that can augment things like the primary DSDT but those
are also provided by the platform. There are only two ways the "OS"
might provide a DSDT, but only including here for pedantry:

1). If you compile a kernel specially with an embedded DSDT within the
image itself (nobody does this one any more AFAIK).

2). If you attach a special update test DSDT into your initramfs in a
particular way, in which case I believe secure boot already is disabled.

But these are all developer/debug things, not intended for users running
in a secure boot environment.

> If so, is there an authentication mechanism (including for non-secure boot 
> scenarios)?

It's no different than scenarios on x86, which are well covered.

> One of the reasons I've really enjoyed working with ARM platforms and DT
> is the absence of this type of 'feature'.  I honestly don't care whether
> the kernel gets the board configuration info from DT or ACPI or FOO, as
> long as we can avoid the security mistakes of the past:
> 
>   
> http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

ACPI is not the great satan. I'm aware certain others in the community
have written missinformed blog posts and G+ rants equating ACPI with SMI
and even with various other system firmware. I can't force someone to
become informed on a topic, especially if it's politically useful to
them to hate on ACPI and use the security paranoia handwavy argument.

> I'm not advocating "throw out AML and ACPI with it!", rather I'd like to
> see a serious, open, discussion about the security implications of a
> convenience feature such as AML.

AML is in (almost) every server you're using today. What you want to be
worried about is hidden firmware, especially what might be running
inside a Trusted environment or inside an SMI context, or the radio
firmware on your phone that the NSA have backdoored. Once we've solved
every other issue, we can come back to whether the extremely limited
capabilities of AML are what the evil bad guys are using to infiltrate
our minds and make us think that we all want to use ACPI.

Jon.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
> On 01/07/2015 12:27 PM, Mark Brown wrote:
> > On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
> >> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> > 
> >>> From what I gathered so far, the main reason for _some_ vendors is not
> >>> support for "other" OS but actually features that ACPI has and DT
> >>> doesn't (like AML; I deliberately ignore statements like "industry
> >>> standard"). _If_ such reasons are sound, maybe they have a case for
> >>> ACPI-only machines targeted primarily at Linux.
> > 
> >> What I got from the replies from HP, Huawei and from earlier discussions
> >> with Jon is that they all hope to get to the point of relying on AML
> >> alone to bridge the differences between SoC families.
> 
> I'm expecting to need new drivers for SoC IP blocks that are net new,
> but generational differences between iterations of the same SoC should
> be abstracted behind the firmware (and we are already seeing this with
> at least one platform). Platform wise, it's nice to already see e.g.
> mmconfig working to handle the specific ways a platform wires PCI.

Yes, the parts that are mandated by SBSA, like the way that PCI needs
to be done are generally good. Unfortunately a lot of the hardware that
I've seen has a rather lax interpretation of the spec, so just because
something is mandated doesn't mean it's done that way ;-)

In other cases that's actually a good thing. One such example is the
"Principles of ARM Memory Maps" document that tells hardware implementers
to do a rather complex mapping "To support 36-bit x86 PAE compatible operating
systems, such as Linux." but makes life much harder in the process than
any of the random mappings we have seen in the wild.

> > I tend to agree with you that it's an overreach to think that this is
> > going to completely abstract away the differences between SoCs from
> > different vendors without substantial further standardization work.
> 
> (which we plan to do - I intend ultimately for us to have an answer to
> the Windows Hardware Qualification guides for ARM server systems)

Ok, good.

> >> The main problem here is that can AML only cover part of the problem:
> >> it can talk to a clock controller e.g. over I2C, SPI, GPIO, UART
> >> or IPMI, but you still need a device driver in the kernel to talk to
> >> those, and SBSA doesn't mandate a specific implementation so you can
> >> expect every other SoC that is coming out to have a different one.
> > 
> >> Similarly, SBSA is rather vague about some peripherals it mandates,
> >> and if a new SoC has a slightly different AHCI variation, there is
> >> nothing you can do about it in AML.
> > 
> >> x86 gets around this problem by having an extreme level of hardware
> >> backwards compatibility, so you don't even need AML for this and
> >> can generally boot a (almost) full-featured Linux kernel with
> >> acpi=off on the command line.
> > 
> > That level of hardware compatibility does partly come from the need to
> > run existing software.  I'd expect that similar effects will start to
> > come into play with ARMv8 ACPI systems if they become successful; people
> > will do things like ensure compatibility with common IPs that have
> > existing Linux drivers that distros tend to include as standard.
> 
> Agreed.

There are two problems I see in trying to do the same thing on ARM:

* we don't have a single vendor that makes de-facto standards that
  everyone else has to copy in the way that the few remaining x86
  vendors copy everything that Intel does. In fact, we prefer to
  have a large number of independent vendors.

* There is a general mindset about deprecating unwanted features
  early. ARMv8 aarch32 bit mode removes support for older instructions
  or makes them optional. Even the virtualization mode doesn't allow
  to trap on architecture version specific differences, so you can't
  completely emulate an older architecture level.
  This is nice for implementers but not so much for users that rely
  on old (mis-)features. It's also not just the CPU core, other
  components also get easily replaced, like a GICv3 that is not
  a strict superset of GICv2.

Arnd
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wed, Jan 07, 2015 at 05:27:41PM +, Mark Brown wrote:
> On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
> > On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> 
> > > From what I gathered so far, the main reason for _some_ vendors is not
> > > support for "other" OS but actually features that ACPI has and DT
> > > doesn't (like AML; I deliberately ignore statements like "industry
> > > standard"). _If_ such reasons are sound, maybe they have a case for
> > > ACPI-only machines targeted primarily at Linux.
> 
> > What I got from the replies from HP, Huawei and from earlier discussions
> > with Jon is that they all hope to get to the point of relying on AML
> > alone to bridge the differences between SoC families. However, I don't
> > see that happening with the limited hardware compatibility that the
> > existing SBSA provides:
> 
> I tend to agree with you that it's an overreach to think that this is
> going to completely abstract away the differences between SoCs from
> different vendors without substantial further standardization work.
> However it does seem reasonable to expect that features like AML are
> going to be more successful in handling board differences and
> incremental revisions of SoCs - things like interactions with system
> power controllers for example.  That seems like a useful win in and of
> itself, and one that's worth supporting.

This piqued my interest, so I did a little research and found the
following to describe AML (second para under "What does this mean?")

http://community.arm.com/groups/processors/blog/2014/05/01/let-s-talk-acpi-for-servers

iiuc, AML are basically drivers for some low-level functions provided as
binary blobs via the ACPI tables.  How does this work in a trusted boot
scenario?  Can the ACPI tables, and these binary blobs with it, be
updated from userspace?  If so, is there an authentication mechanism
(including for non-secure boot scenarios)?

One of the reasons I've really enjoyed working with ARM platforms and DT
is the absence of this type of 'feature'.  I honestly don't care whether
the kernel gets the board configuration info from DT or ACPI or FOO, as
long as we can avoid the security mistakes of the past:

http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

"""
... The ANT developers have a clear preference for planting their
malicious code in so-called BIOS, software located on a computer's
motherboard that is the first thing to load when a computer is turned
on.

This has a number of valuable advantages: an infected PC or server
appears to be functioning normally, so the infection remains invisible
to virus protection and other security programs. And even if the hard
drive of an infected computer has been completely erased and a new
operating system is installed, the ANT malware can continue to function
and ensures that new spyware can once again be loaded onto what is
presumed to be a clean computer. ...
"""

I'm not advocating "throw out AML and ACPI with it!", rather I'd like to
see a serious, open, discussion about the security implications of a
convenience feature such as AML.

And wrt the kernel, we should ensure we can always provide a fallback
for users who prefer not to trust the binary blobs.  Which shouldn't be
too difficult as we aren't dependent on AML or similar atm.

thx,

Jason.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On 01/07/2015 12:27 PM, Mark Brown wrote:
> On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
>> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> 
>>> From what I gathered so far, the main reason for _some_ vendors is not
>>> support for "other" OS but actually features that ACPI has and DT
>>> doesn't (like AML; I deliberately ignore statements like "industry
>>> standard"). _If_ such reasons are sound, maybe they have a case for
>>> ACPI-only machines targeted primarily at Linux.
> 
>> What I got from the replies from HP, Huawei and from earlier discussions
>> with Jon is that they all hope to get to the point of relying on AML
>> alone to bridge the differences between SoC families.

I'm expecting to need new drivers for SoC IP blocks that are net new,
but generational differences between iterations of the same SoC should
be abstracted behind the firmware (and we are already seeing this with
at least one platform). Platform wise, it's nice to already see e.g.
mmconfig working to handle the specific ways a platform wires PCI.

> I tend to agree with you that it's an overreach to think that this is
> going to completely abstract away the differences between SoCs from
> different vendors without substantial further standardization work.

(which we plan to do - I intend ultimately for us to have an answer to
the Windows Hardware Qualification guides for ARM server systems)

> However it does seem reasonable to expect that features like AML are
> going to be more successful in handling board differences and
> incremental revisions of SoCs - things like interactions with system
> power controllers for example.  That seems like a useful win in and of
> itself, and one that's worth supporting.

Indeed.

>> The main problem here is that can AML only cover part of the problem:
>> it can talk to a clock controller e.g. over I2C, SPI, GPIO, UART
>> or IPMI, but you still need a device driver in the kernel to talk to
>> those, and SBSA doesn't mandate a specific implementation so you can
>> expect every other SoC that is coming out to have a different one.
> 
>> Similarly, SBSA is rather vague about some peripherals it mandates,
>> and if a new SoC has a slightly different AHCI variation, there is
>> nothing you can do about it in AML.
> 
>> x86 gets around this problem by having an extreme level of hardware
>> backwards compatibility, so you don't even need AML for this and
>> can generally boot a (almost) full-featured Linux kernel with
>> acpi=off on the command line.
> 
> That level of hardware compatibility does partly come from the need to
> run existing software.  I'd expect that similar effects will start to
> come into play with ARMv8 ACPI systems if they become successful; people
> will do things like ensure compatibility with common IPs that have
> existing Linux drivers that distros tend to include as standard.

Agreed.

Jon.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-07 Thread Mark Brown

On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
> On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:

> > From what I gathered so far, the main reason for _some_ vendors is not
> > support for "other" OS but actually features that ACPI has and DT
> > doesn't (like AML; I deliberately ignore statements like "industry
> > standard"). _If_ such reasons are sound, maybe they have a case for
> > ACPI-only machines targeted primarily at Linux.

> What I got from the replies from HP, Huawei and from earlier discussions
> with Jon is that they all hope to get to the point of relying on AML
> alone to bridge the differences between SoC families. However, I don't
> see that happening with the limited hardware compatibility that the
> existing SBSA provides:

I tend to agree with you that it's an overreach to think that this is
going to completely abstract away the differences between SoCs from
different vendors without substantial further standardization work.
However it does seem reasonable to expect that features like AML are
going to be more successful in handling board differences and
incremental revisions of SoCs - things like interactions with system
power controllers for example.  That seems like a useful win in and of
itself, and one that's worth supporting.

> The main problem here is that can AML only cover part of the problem:
> it can talk to a clock controller e.g. over I2C, SPI, GPIO, UART
> or IPMI, but you still need a device driver in the kernel to talk to
> those, and SBSA doesn't mandate a specific implementation so you can
> expect every other SoC that is coming out to have a different one.

> Similarly, SBSA is rather vague about some peripherals it mandates,
> and if a new SoC has a slightly different AHCI variation, there is
> nothing you can do about it in AML.

> x86 gets around this problem by having an extreme level of hardware
> backwards compatibility, so you don't even need AML for this and
> can generally boot a (almost) full-featured Linux kernel with
> acpi=off on the command line.

That level of hardware compatibility does partly come from the need to
run existing software.  I'd expect that similar effects will start to
come into play with ARMv8 ACPI systems if they become successful; people
will do things like ensure compatibility with common IPs that have
existing Linux drivers that distros tend to include as standard.

signature.asc
Description: Digital signature

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
> On Wed, Jan 07, 2015 at 10:36:13AM +, Arnd Bergmann wrote:
> > On Tuesday 06 January 2015 23:55:58 Jon Masters wrote:
> > > On 01/06/2015 05:06 PM, Jon Masters wrote:
> > > > On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
> > > >> On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
> > > >>> On 01/06/2015 06:20 AM, Catalin Marinas wrote:
> > > >>>
> > >  Now, what's preventing a vendor firmware from providing only ACPI
> > >  tables? Do we enforce it in some way (arm-acpi.txt, kernel warning 
> > >  etc.)
> > >  that both DT and ACPI are supported, or at least that dts files are
> > >  merged in the kernel first?
> > > >>>
> > > >>> I know of some (server) firmware that will only provide ACPI in the
> > > >>> medium term, so this is coming.
> > > >>
> > > >> Medium term is fine, as long as they are not expecting their hardware
> > > >> to be supported by Linux before ACPI support is stable enough for
> > > >> general consumption.
> > > > 
> > > > To be clear, I think that's reasonable for upstream. I may love ACPI,
> > > > but vendors can always ship kernels with a config supporting ACPI only
> > > > platforms in the interim period if they have a commercial justification
> > > > and that doesn't have to be supported in terms of the upstream default.
> > 
> > I would hope that none of the ACPI-only machines are meant to run Linux
> > as a primary operating system, that would be very sad.
> 
> I keep hearing different stories around this. I think this goes back to
> the last point on Al's to-do list, the reason _why_ vendors need ACPI.
> As you mentioned some time ago, I would also like to see a summary of
> such reasons included in the cover letter for the arm64 ACPI patches. In
> the meantime, we can assume that DT is required.

Right, if we can finish the discussion about the reason for having ACPI,
we can skip a lot of pointless back-and-forth on the other issues.

> From what I gathered so far, the main reason for _some_ vendors is not
> support for "other" OS but actually features that ACPI has and DT
> doesn't (like AML; I deliberately ignore statements like "industry
> standard"). _If_ such reasons are sound, maybe they have a case for
> ACPI-only machines targeted primarily at Linux.

What I got from the replies from HP, Huawei and from earlier discussions
with Jon is that they all hope to get to the point of relying on AML
alone to bridge the differences between SoC families. However, I don't
see that happening with the limited hardware compatibility that the
existing SBSA provides:

> In theory, it may be beneficial to the kernel maintainers as such
> ACPI-only machine would potentially require less kernel driver code
> compared to DT. For example, no need for pin control, clocks or voltage
> regulator drivers as they are handled in AML. Of course, the counter
> argument is that it's harder to debug when problems appear but I would
> expect on such ACPI-only machines that the hardware vendor is very
> active on solving them (I'm more thinking for machines that sit in some
> data centre and are actively maintained rather than some board I keep in
> my house; for the latter, I definitely prefer DT and full control).

The main problem here is that can AML only cover part of the problem:
it can talk to a clock controller e.g. over I2C, SPI, GPIO, UART
or IPMI, but you still need a device driver in the kernel to talk to
those, and SBSA doesn't mandate a specific implementation so you can
expect every other SoC that is coming out to have a different one.

Similarly, SBSA is rather vague about some peripherals it mandates,
and if a new SoC has a slightly different AHCI variation, there is
nothing you can do about it in AML.

x86 gets around this problem by having an extreme level of hardware
backwards compatibility, so you don't even need AML for this and
can generally boot a (almost) full-featured Linux kernel with
acpi=off on the command line.

> > Vendors that are interested in Linux support should instead work on getting
> > their hardware supported upstream so they don't need a private kernel to
> > match their private firmware.
> 
> I agree, irrespective of whether they target ACPI longer term or not.
> 
> As I said yesterday, at some point in the future, ACPI-only SoC support
> may not require any new kernel code, just usual PCIe drivers that may
> already be there. If we ever get to that stage (it's not a kernel
> problem, it's more about SoC standardisation), vendors would be able to
> run mainline kernels without additional driver code with a few SoC
> differences handled by AML (e.g. clocks). At that point, I don't see any
> incentive for them to upstream additional driver code (e.g. clocks) just
> to support a DT-only kernel. We are probably still a long way, nothing
> to worry about just yet ;).

Agreed on all points, yes.

Arnd
--
To unsubscribe from this list: send the line "unsubscribe

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-07 Thread Catalin Marinas

On Wed, Jan 07, 2015 at 10:36:13AM +, Arnd Bergmann wrote:
> On Tuesday 06 January 2015 23:55:58 Jon Masters wrote:
> > On 01/06/2015 05:06 PM, Jon Masters wrote:
> > > On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
> > >> On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
> > >>> On 01/06/2015 06:20 AM, Catalin Marinas wrote:
> > >>>
> >  Now, what's preventing a vendor firmware from providing only ACPI
> >  tables? Do we enforce it in some way (arm-acpi.txt, kernel warning 
> >  etc.)
> >  that both DT and ACPI are supported, or at least that dts files are
> >  merged in the kernel first?
> > >>>
> > >>> I know of some (server) firmware that will only provide ACPI in the
> > >>> medium term, so this is coming.
> > >>
> > >> Medium term is fine, as long as they are not expecting their hardware
> > >> to be supported by Linux before ACPI support is stable enough for
> > >> general consumption.
> > > 
> > > To be clear, I think that's reasonable for upstream. I may love ACPI,
> > > but vendors can always ship kernels with a config supporting ACPI only
> > > platforms in the interim period if they have a commercial justification
> > > and that doesn't have to be supported in terms of the upstream default.
> 
> I would hope that none of the ACPI-only machines are meant to run Linux
> as a primary operating system, that would be very sad.

I keep hearing different stories around this. I think this goes back to
the last point on Al's to-do list, the reason _why_ vendors need ACPI.
As you mentioned some time ago, I would also like to see a summary of
such reasons included in the cover letter for the arm64 ACPI patches. In
the meantime, we can assume that DT is required.

>From what I gathered so far, the main reason for _some_ vendors is not
support for "other" OS but actually features that ACPI has and DT
doesn't (like AML; I deliberately ignore statements like "industry
standard"). _If_ such reasons are sound, maybe they have a case for
ACPI-only machines targeted primarily at Linux.

In theory, it may be beneficial to the kernel maintainers as such
ACPI-only machine would potentially require less kernel driver code
compared to DT. For example, no need for pin control, clocks or voltage
regulator drivers as they are handled in AML. Of course, the counter
argument is that it's harder to debug when problems appear but I would
expect on such ACPI-only machines that the hardware vendor is very
active on solving them (I'm more thinking for machines that sit in some
data centre and are actively maintained rather than some board I keep in
my house; for the latter, I definitely prefer DT and full control).

> Vendors that are interested in Linux support should instead work on getting
> their hardware supported upstream so they don't need a private kernel to
> match their private firmware.

I agree, irrespective of whether they target ACPI longer term or not.

As I said yesterday, at some point in the future, ACPI-only SoC support
may not require any new kernel code, just usual PCIe drivers that may
already be there. If we ever get to that stage (it's not a kernel
problem, it's more about SoC standardisation), vendors would be able to
run mainline kernels without additional driver code with a few SoC
differences handled by AML (e.g. clocks). At that point, I don't see any
incentive for them to upstream additional driver code (e.g. clocks) just
to support a DT-only kernel. We are probably still a long way, nothing
to worry about just yet ;).

-- 
Catalin
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Tuesday 06 January 2015 23:55:58 Jon Masters wrote:
> On 01/06/2015 05:06 PM, Jon Masters wrote:
> > Hi Arnd,
> > 
> > Happy New Year!
> > 
> > On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
> >> On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
> >>> On 01/06/2015 06:20 AM, Catalin Marinas wrote:
> >>>
>  Now, what's preventing a vendor firmware from providing only ACPI
>  tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
>  that both DT and ACPI are supported, or at least that dts files are
>  merged in the kernel first?
> >>>
> >>> I know of some (server) firmware that will only provide ACPI in the
> >>> medium term, so this is coming.
> >>
> >> Medium term is fine, as long as they are not expecting their hardware
> >> to be supported by Linux before ACPI support is stable enough for
> >> general consumption.
> > 
> > To be clear, I think that's reasonable for upstream. I may love ACPI,
> > but vendors can always ship kernels with a config supporting ACPI only
> > platforms in the interim period if they have a commercial justification
> > and that doesn't have to be supported in terms of the upstream default.

I would hope that none of the ACPI-only machines are meant to run Linux
as a primary operating system, that would be very sad.

Vendors that are interested in Linux support should instead work on getting
their hardware supported upstream so they don't need a private kernel to
match their private firmware.

> > But, perhaps there's a way to have it both ways, you could consider also
> > a CONFIG_EXPERT option that would allow you to build a kernel with ACPI
> > only support in the medium term. That way, if someone is running a
> > vendor kernel, but wants to track upstream development more closely,
> > they can do so on such hardware by enabling the expert config bit.

I don't see how this helps. The main point of requiring users to add
the option is to ensure that everyone understands the support is
experimental and not guaranteed to work across firmware releases or
kernel versions, until we have stopped making incompatible changes.

If someone is tracking the upstream kernel, they should know that they
have to get working DT support in first, and test both ways with the
same kernel anyway.

> Clarification: I'm suggesting that in the medium term the dependency
> upon CONFIG_EXPERT either goes away or is replaced with requiring ACPI
> and DTB in the non "expert" case

Sure, no debate on that.

> and requiring "expert" selected to allow a kernel that will boot with
> ACPI only. But only a suggestion.

This is a separate issue. I personally think we shouldn't bother with
this, as such a configuration would just break a lot of assumptions
we make today and removes hardware support, but it's something we
can discuss after we get to the point of having ACPI enabled by default.

Arnd
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Tuesday 06 January 2015 23:55:58 Jon Masters wrote:
 On 01/06/2015 05:06 PM, Jon Masters wrote:
  Hi Arnd,
  
  Happy New Year!
  
  On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
  On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
  On 01/06/2015 06:20 AM, Catalin Marinas wrote:
 
  Now, what's preventing a vendor firmware from providing only ACPI
  tables? Do we enforce it in some way (arm-acpi.txt, kernel warning etc.)
  that both DT and ACPI are supported, or at least that dts files are
  merged in the kernel first?
 
  I know of some (server) firmware that will only provide ACPI in the
  medium term, so this is coming.
 
  Medium term is fine, as long as they are not expecting their hardware
  to be supported by Linux before ACPI support is stable enough for
  general consumption.
  
  To be clear, I think that's reasonable for upstream. I may love ACPI,
  but vendors can always ship kernels with a config supporting ACPI only
  platforms in the interim period if they have a commercial justification
  and that doesn't have to be supported in terms of the upstream default.

I would hope that none of the ACPI-only machines are meant to run Linux
as a primary operating system, that would be very sad.

Vendors that are interested in Linux support should instead work on getting
their hardware supported upstream so they don't need a private kernel to
match their private firmware.

  But, perhaps there's a way to have it both ways, you could consider also
  a CONFIG_EXPERT option that would allow you to build a kernel with ACPI
  only support in the medium term. That way, if someone is running a
  vendor kernel, but wants to track upstream development more closely,
  they can do so on such hardware by enabling the expert config bit.

I don't see how this helps. The main point of requiring users to add
the option is to ensure that everyone understands the support is
experimental and not guaranteed to work across firmware releases or
kernel versions, until we have stopped making incompatible changes.

If someone is tracking the upstream kernel, they should know that they
have to get working DT support in first, and test both ways with the
same kernel anyway.

 Clarification: I'm suggesting that in the medium term the dependency
 upon CONFIG_EXPERT either goes away or is replaced with requiring ACPI
 and DTB in the non expert case

Sure, no debate on that.

 and requiring expert selected to allow a kernel that will boot with
 ACPI only. But only a suggestion.

This is a separate issue. I personally think we shouldn't bother with
this, as such a configuration would just break a lot of assumptions
we make today and removes hardware support, but it's something we
can discuss after we get to the point of having ACPI enabled by default.

Arnd
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-07 Thread Catalin Marinas

On Wed, Jan 07, 2015 at 10:36:13AM +, Arnd Bergmann wrote:
 On Tuesday 06 January 2015 23:55:58 Jon Masters wrote:
  On 01/06/2015 05:06 PM, Jon Masters wrote:
   On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
   On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
   On 01/06/2015 06:20 AM, Catalin Marinas wrote:
  
   Now, what's preventing a vendor firmware from providing only ACPI
   tables? Do we enforce it in some way (arm-acpi.txt, kernel warning 
   etc.)
   that both DT and ACPI are supported, or at least that dts files are
   merged in the kernel first?
  
   I know of some (server) firmware that will only provide ACPI in the
   medium term, so this is coming.
  
   Medium term is fine, as long as they are not expecting their hardware
   to be supported by Linux before ACPI support is stable enough for
   general consumption.
   
   To be clear, I think that's reasonable for upstream. I may love ACPI,
   but vendors can always ship kernels with a config supporting ACPI only
   platforms in the interim period if they have a commercial justification
   and that doesn't have to be supported in terms of the upstream default.
 
 I would hope that none of the ACPI-only machines are meant to run Linux
 as a primary operating system, that would be very sad.

I keep hearing different stories around this. I think this goes back to
the last point on Al's to-do list, the reason _why_ vendors need ACPI.
As you mentioned some time ago, I would also like to see a summary of
such reasons included in the cover letter for the arm64 ACPI patches. In
the meantime, we can assume that DT is required.

From what I gathered so far, the main reason for _some_ vendors is not
support for other OS but actually features that ACPI has and DT
doesn't (like AML; I deliberately ignore statements like industry
standard). _If_ such reasons are sound, maybe they have a case for
ACPI-only machines targeted primarily at Linux.

In theory, it may be beneficial to the kernel maintainers as such
ACPI-only machine would potentially require less kernel driver code
compared to DT. For example, no need for pin control, clocks or voltage
regulator drivers as they are handled in AML. Of course, the counter
argument is that it's harder to debug when problems appear but I would
expect on such ACPI-only machines that the hardware vendor is very
active on solving them (I'm more thinking for machines that sit in some
data centre and are actively maintained rather than some board I keep in
my house; for the latter, I definitely prefer DT and full control).

 Vendors that are interested in Linux support should instead work on getting
 their hardware supported upstream so they don't need a private kernel to
 match their private firmware.

I agree, irrespective of whether they target ACPI longer term or not.

As I said yesterday, at some point in the future, ACPI-only SoC support
may not require any new kernel code, just usual PCIe drivers that may
already be there. If we ever get to that stage (it's not a kernel
problem, it's more about SoC standardisation), vendors would be able to
run mainline kernels without additional driver code with a few SoC
differences handled by AML (e.g. clocks). At that point, I don't see any
incentive for them to upstream additional driver code (e.g. clocks) just
to support a DT-only kernel. We are probably still a long way, nothing
to worry about just yet ;).

-- 
Catalin
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
 On Wed, Jan 07, 2015 at 10:36:13AM +, Arnd Bergmann wrote:
  On Tuesday 06 January 2015 23:55:58 Jon Masters wrote:
   On 01/06/2015 05:06 PM, Jon Masters wrote:
On 01/06/2015 02:21 PM, Arnd Bergmann wrote:
On Tuesday 06 January 2015 11:24:43 Jon Masters wrote:
On 01/06/2015 06:20 AM, Catalin Marinas wrote:
   
Now, what's preventing a vendor firmware from providing only ACPI
tables? Do we enforce it in some way (arm-acpi.txt, kernel warning 
etc.)
that both DT and ACPI are supported, or at least that dts files are
merged in the kernel first?
   
I know of some (server) firmware that will only provide ACPI in the
medium term, so this is coming.
   
Medium term is fine, as long as they are not expecting their hardware
to be supported by Linux before ACPI support is stable enough for
general consumption.

To be clear, I think that's reasonable for upstream. I may love ACPI,
but vendors can always ship kernels with a config supporting ACPI only
platforms in the interim period if they have a commercial justification
and that doesn't have to be supported in terms of the upstream default.
  
  I would hope that none of the ACPI-only machines are meant to run Linux
  as a primary operating system, that would be very sad.
 
 I keep hearing different stories around this. I think this goes back to
 the last point on Al's to-do list, the reason _why_ vendors need ACPI.
 As you mentioned some time ago, I would also like to see a summary of
 such reasons included in the cover letter for the arm64 ACPI patches. In
 the meantime, we can assume that DT is required.

Right, if we can finish the discussion about the reason for having ACPI,
we can skip a lot of pointless back-and-forth on the other issues.

 From what I gathered so far, the main reason for _some_ vendors is not
 support for other OS but actually features that ACPI has and DT
 doesn't (like AML; I deliberately ignore statements like industry
 standard). _If_ such reasons are sound, maybe they have a case for
 ACPI-only machines targeted primarily at Linux.

What I got from the replies from HP, Huawei and from earlier discussions
with Jon is that they all hope to get to the point of relying on AML
alone to bridge the differences between SoC families. However, I don't
see that happening with the limited hardware compatibility that the
existing SBSA provides:

 In theory, it may be beneficial to the kernel maintainers as such
 ACPI-only machine would potentially require less kernel driver code
 compared to DT. For example, no need for pin control, clocks or voltage
 regulator drivers as they are handled in AML. Of course, the counter
 argument is that it's harder to debug when problems appear but I would
 expect on such ACPI-only machines that the hardware vendor is very
 active on solving them (I'm more thinking for machines that sit in some
 data centre and are actively maintained rather than some board I keep in
 my house; for the latter, I definitely prefer DT and full control).

The main problem here is that can AML only cover part of the problem:
it can talk to a clock controller e.g. over I2C, SPI, GPIO, UART
or IPMI, but you still need a device driver in the kernel to talk to
those, and SBSA doesn't mandate a specific implementation so you can
expect every other SoC that is coming out to have a different one.

Similarly, SBSA is rather vague about some peripherals it mandates,
and if a new SoC has a slightly different AHCI variation, there is
nothing you can do about it in AML.

x86 gets around this problem by having an extreme level of hardware
backwards compatibility, so you don't even need AML for this and
can generally boot a (almost) full-featured Linux kernel with
acpi=off on the command line.

  Vendors that are interested in Linux support should instead work on getting
  their hardware supported upstream so they don't need a private kernel to
  match their private firmware.
 
 I agree, irrespective of whether they target ACPI longer term or not.
 
 As I said yesterday, at some point in the future, ACPI-only SoC support
 may not require any new kernel code, just usual PCIe drivers that may
 already be there. If we ever get to that stage (it's not a kernel
 problem, it's more about SoC standardisation), vendors would be able to
 run mainline kernels without additional driver code with a few SoC
 differences handled by AML (e.g. clocks). At that point, I don't see any
 incentive for them to upstream additional driver code (e.g. clocks) just
 to support a DT-only kernel. We are probably still a long way, nothing
 to worry about just yet ;).

Agreed on all points, yes.

Arnd
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wed, Jan 07, 2015 at 03:05:14PM -0500, Jon Masters wrote:
On 01/07/2015 02:58 PM, Jon Masters wrote:
On 01/07/2015 01:41 PM, Jason Cooper wrote:

http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

Ahh, thanks for clarifying.

fwiw, I *am* concerned about those spaces. It seems we agree on their
vulnerability to attack (plus being meaty targets).

The plausibility and preventability of that style of attack is what I'm
hoping to nail down with this discussion.

thx,

Jason.
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
 On 01/07/2015 12:27 PM, Mark Brown wrote:
  On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
  On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:
  
  From what I gathered so far, the main reason for _some_ vendors is not
  support for other OS but actually features that ACPI has and DT
  doesn't (like AML; I deliberately ignore statements like industry
  standard). _If_ such reasons are sound, maybe they have a case for
  ACPI-only machines targeted primarily at Linux.
  
  What I got from the replies from HP, Huawei and from earlier discussions
  with Jon is that they all hope to get to the point of relying on AML
  alone to bridge the differences between SoC families.
 
 I'm expecting to need new drivers for SoC IP blocks that are net new,
 but generational differences between iterations of the same SoC should
 be abstracted behind the firmware (and we are already seeing this with
 at least one platform). Platform wise, it's nice to already see e.g.
 mmconfig working to handle the specific ways a platform wires PCI.

Yes, the parts that are mandated by SBSA, like the way that PCI needs
to be done are generally good. Unfortunately a lot of the hardware that
I've seen has a rather lax interpretation of the spec, so just because
something is mandated doesn't mean it's done that way ;-)

In other cases that's actually a good thing. One such example is the
Principles of ARM Memory Maps document that tells hardware implementers
to do a rather complex mapping To support 36-bit x86 PAE compatible operating
systems, such as Linux. but makes life much harder in the process than
any of the random mappings we have seen in the wild.

  I tend to agree with you that it's an overreach to think that this is
  going to completely abstract away the differences between SoCs from
  different vendors without substantial further standardization work.
 
 (which we plan to do - I intend ultimately for us to have an answer to
 the Windows Hardware Qualification guides for ARM server systems)

Ok, good.

  The main problem here is that can AML only cover part of the problem:
  it can talk to a clock controller e.g. over I2C, SPI, GPIO, UART
  or IPMI, but you still need a device driver in the kernel to talk to
  those, and SBSA doesn't mandate a specific implementation so you can
  expect every other SoC that is coming out to have a different one.
  
  Similarly, SBSA is rather vague about some peripherals it mandates,
  and if a new SoC has a slightly different AHCI variation, there is
  nothing you can do about it in AML.
  
  x86 gets around this problem by having an extreme level of hardware
  backwards compatibility, so you don't even need AML for this and
  can generally boot a (almost) full-featured Linux kernel with
  acpi=off on the command line.
  
  That level of hardware compatibility does partly come from the need to
  run existing software.  I'd expect that similar effects will start to
  come into play with ARMv8 ACPI systems if they become successful; people
  will do things like ensure compatibility with common IPs that have
  existing Linux drivers that distros tend to include as standard.
 
 Agreed.

There are two problems I see in trying to do the same thing on ARM:

* we don't have a single vendor that makes de-facto standards that
  everyone else has to copy in the way that the few remaining x86
  vendors copy everything that Intel does. In fact, we prefer to
  have a large number of independent vendors.

* There is a general mindset about deprecating unwanted features
  early. ARMv8 aarch32 bit mode removes support for older instructions
  or makes them optional. Even the virtualization mode doesn't allow
  to trap on architecture version specific differences, so you can't
  completely emulate an older architecture level.
  This is nice for implementers but not so much for users that rely
  on old (mis-)features. It's also not just the CPU core, other
  components also get easily replaced, like a GICv3 that is not
  a strict superset of GICv2.

Arnd
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On 01/07/2015 02:58 PM, Jon Masters wrote:
On 01/07/2015 01:41 PM, Jason Cooper wrote:

http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

Jon.

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On 01/07/2015 03:05 PM, Mark Brown wrote:
 On Wed, Jan 07, 2015 at 08:48:48PM +0100, Arnd Bergmann wrote:
 On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
 On 01/07/2015 12:27 PM, Mark Brown wrote:
 
 That level of hardware compatibility does partly come from the need to
 run existing software.  I'd expect that similar effects will start to
 come into play with ARMv8 ACPI systems if they become successful; people
 will do things like ensure compatibility with common IPs that have
 existing Linux drivers that distros tend to include as standard.
 
 Agreed.
 
 There are two problems I see in trying to do the same thing on ARM:
 
 * we don't have a single vendor that makes de-facto standards that
   everyone else has to copy in the way that the few remaining x86
   vendors copy everything that Intel does. In fact, we prefer to
   have a large number of independent vendors.
 
 Right, I'd guess that (modulo any standards being defined and becoming
 successful) it'll more be a case of vendors keeping compatibility with
 their own stuff.  We *are* seeing greater reliance on off the shelf IPs
 for more boring things like DMA and basic bus controllers but there's
 plenty of other areas that still affect servers.

I expect to see a greater level of standardization. SBBR is the
beginning, but it is far from the end. There will be a lot more as the
vendors come together and agree on common platform components. I've
spent a lot of time over the past few years with a large number of
vendors going over lots of these issues in lieu of more of a Windows
Hardware Qualification style guide. I intend to have one this year that
captures what Red Hat think an ARM server looks like, and to circulate
that among the broader ecosystem of vendors to feed into SBBR++.

 * There is a general mindset about deprecating unwanted features
   early. ARMv8 aarch32 bit mode removes support for older instructions
   or makes them optional. Even the virtualization mode doesn't allow
   to trap on architecture version specific differences, so you can't
   completely emulate an older architecture level.
   This is nice for implementers but not so much for users that rely
   on old (mis-)features. It's also not just the CPU core, other
   components also get easily replaced, like a GICv3 that is not
   a strict superset of GICv2.
 
 This is indeed worrying, though hopefully the fact that we're already
 seeing negative impacts in the app ecosystem for Android will have
 focused some minds - once you're talking about full system images it
 gets even more fun.

GICv2/3 was something a bunch of us discussed years ago. At the time we
debated whether there was a need to compel the superset option. It was
deemed early enough not to be a critical issue. But there have already
been other cases where we've pushed to ensure backward compatibility for
all time. And there will be more of those as the ecosystem develops out
into a world of existing Operating System images and apps that need to
run on these emerging platforms. Deprecating instructions and
formalizing other behaviors is an area where it's ephemeral - what made
sense in the past might not make sense in the future, and ARM know that.
Their architecture team features some of the smartest minds.

(on architecture revisions, Red Hat has stated in the past that we only
care about AArch64, not even running 32-bit code on 64-bit processors,
which is one reason I have pushed for some silicon designs not to
implement the 32-bit compatibility when it comes to servers)

Jon.

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

2015-01-07 Thread Mark Brown

On Wed, Jan 07, 2015 at 08:48:48PM +0100, Arnd Bergmann wrote:
 On Wednesday 07 January 2015 12:44:56 Jon Masters wrote:
  On 01/07/2015 12:27 PM, Mark Brown wrote:

   That level of hardware compatibility does partly come from the need to
   run existing software.  I'd expect that similar effects will start to
   come into play with ARMv8 ACPI systems if they become successful; people
   will do things like ensure compatibility with common IPs that have
   existing Linux drivers that distros tend to include as standard.

  Agreed.

 There are two problems I see in trying to do the same thing on ARM:

 * we don't have a single vendor that makes de-facto standards that
   everyone else has to copy in the way that the few remaining x86
   vendors copy everything that Intel does. In fact, we prefer to
   have a large number of independent vendors.

Right, I'd guess that (modulo any standards being defined and becoming
successful) it'll more be a case of vendors keeping compatibility with
their own stuff.  We *are* seeing greater reliance on off the shelf IPs
for more boring things like DMA and basic bus controllers but there's
plenty of other areas that still affect servers.

 * There is a general mindset about deprecating unwanted features
   early. ARMv8 aarch32 bit mode removes support for older instructions
   or makes them optional. Even the virtualization mode doesn't allow
   to trap on architecture version specific differences, so you can't
   completely emulate an older architecture level.
   This is nice for implementers but not so much for users that rely
   on old (mis-)features. It's also not just the CPU core, other
   components also get easily replaced, like a GICv3 that is not
   a strict superset of GICv2.

This is indeed worrying, though hopefully the fact that we're already
seeing negative impacts in the app ecosystem for Android will have
focused some minds - once you're talking about full system images it
gets even more fun.


signature.asc
Description: Digital signature

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

On 01/07/2015 01:41 PM, Jason Cooper wrote:
On Wed, Jan 07, 2015 at 05:27:41PM +, Mark Brown wrote:
On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:

From what I gathered so far, the main reason for _some_ vendors is not
support for other OS but actually features that ACPI has and DT
doesn't (like AML; I deliberately ignore statements like industry
standard). _If_ such reasons are sound, maybe they have a case for
ACPI-only machines targeted primarily at Linux.

What I got from the replies from HP, Huawei and from earlier discussions
with Jon is that they all hope to get to the point of relying on AML
alone to bridge the differences between SoC families. However, I don't
see that happening with the limited hardware compatibility that the
existing SBSA provides:

I tend to agree with you that it's an overreach to think that this is
going to completely abstract away the differences between SoCs from
different vendors without substantial further standardization work.
However it does seem reasonable to expect that features like AML are
going to be more successful in handling board differences and
incremental revisions of SoCs - things like interactions with system
power controllers for example. That seems like a useful win in and of
itself, and one that's worth supporting.

This piqued my interest, so I did a little research and found the
following to describe AML (second para under What does this mean?)

http://community.arm.com/groups/processors/blog/2014/05/01/let-s-talk-acpi-for-servers

iiuc, AML are basically drivers for some low-level functions provided as
binary blobs via the ACPI tables.

AML isn't a driver per se. Think of it as providing a couple of
methods for doing things like turning on a device, where the interpreted
code might cause e.g. a memory address to be written with a value that
causes a side effect (e.g. talking with a system configuration
co-processor hidden inside the SoC the adjusts the clocking, enables
power, configures PHY parameters, etc.). Most of the AML that you see
on servers is actually just informational, or methods that return data
describing the hardware installed.

How does this work in a trusted boot scenario?

No different than on x86.

Can the ACPI tables, and these binary blobs with it, be updated from
userspace?

Tables are baked into the firmware and are updated as a result of normal
firmware updates (which already has a defined process). There are
secondary tables that can augment things like the primary DSDT but those
are also provided by the platform. There are only two ways the OS
might provide a DSDT, but only including here for pedantry:

1). If you compile a kernel specially with an embedded DSDT within the
image itself (nobody does this one any more AFAIK).

2). If you attach a special update test DSDT into your initramfs in a
particular way, in which case I believe secure boot already is disabled.

But these are all developer/debug things, not intended for users running
in a secure boot environment.

If so, is there an authentication mechanism (including for non-secure boot
scenarios)?

It's no different than scenarios on x86, which are well covered.

http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

I'm not advocating throw out AML and ACPI with it!, rather I'd like to
see a serious, open, discussion about the security implications of a
convenience feature such as AML.

AML is in (almost) every server you're using today. What you want to be
worried about is hidden firmware, especially what might be running
inside a Trusted environment or inside an SMI context, or the radio
firmware on your phone that the NSA have backdoored. Once we've solved
every other issue, we can come back to whether the extremely limited
capabilities of AML are what the evil bad guys are using to infiltrate
our minds and make us think that we all want to use ACPI.

Jon.

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64

Jason,

Will followup more later...was being a little sarcastic before...no raw nerve
;) but sarcasm translates badly so apologies. Will send a better reply when
back online :) Good points!

Jon.

--
Computer Architect | Sent from my #ARM Powered Mobile Device

On Jan 7, 2015 4:41 PM, Jason Cooper ja...@lakedaemon.net wrote:

On Wed, Jan 07, 2015 at 02:58:42PM -0500, Jon Masters wrote:
On 01/07/2015 01:41 PM, Jason Cooper wrote:
On Wed, Jan 07, 2015 at 02:58:42PM -0500, Jon Masters wrote:
On 01/07/2015 01:41 PM, Jason Cooper wrote:
On Wed, Jan 07, 2015 at 05:27:41PM +, Mark Brown wrote:
On Wed, Jan 07, 2015 at 02:06:28PM +0100, Arnd Bergmann wrote:
On Wednesday 07 January 2015 11:50:39 Catalin Marinas wrote:

This piqued my interest, so I did a little research and found the
following to describe AML (second para under What does this mean?)

http://community.arm.com/groups/processors/blog/2014/05/01/let-s-talk-acpi-for-servers

iiuc, AML are basically drivers for some low-level functions provided as
binary blobs via the ACPI tables.

So, similar in scope to an irqchip driver? Because that's what I was
thinking when I said driver, not alsa or drm... Thanks for great
description.

How does this work in a trusted boot scenario?

No different than on x86.

Suprisingly, I don't do much with x86 development-wise. The x86 boxes
are just tools to me. So I'm not very familiar with the intricacies
there. Do you have a pointer to ACPI update security
standards/protocols?

Can the ACPI tables, and these binary blobs with it, be updated from
userspace?

1). If you compile a kernel specially with an embedded DSDT within the
image itself (nobody does this one any more AFAIK).

2). If you attach a special update test DSDT into your initramfs in a
particular way, in which case I believe secure boot already is disabled.

But these are all developer/debug things, not intended for users running
in a secure boot environment.

Right, I'm more concerned about the update process being the vector to
inject bad code.

If so, is there an authentication mechanism (including for non-secure boot
scenarios)?

It's no different than scenarios on x86, which are well covered.

http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

ACPI is not the great satan.

Relax, I'm not saying, nor implying that. :) I *am* saying that
upgradeable executable code not loaded from traditional OS storage
(harddisk, flash) is a valid security concern.

I'm aware certain others in the community have written missinformed
blog

Re: [Linaro-acpi] [PATCH v5 18/18] Documentation: ACPI for ARM64