RE: [PATCH v2 5/5] soc: imx8: Add the SC SECVIO driver
> Subject: Re: [PATCH v2 5/5] soc: imx8: Add the SC SECVIO driver
>
> On Sun, Oct 18, 2020 at 05:21:28AM +, Aisheng Dong wrote:
> > Not sure if EDAC could be a better place.
> > e.g.
> > drivers/edac/sifive_edac.c
>
> I don't see how this functionality has anything to do with EDAC.

Yes, this has nothing related with EDAC

> > If not, maybe we can put in 'soc' first.
>
> Or drivers/misc/

I think drivers/soc/imx should be ok.

Regards,
Peng.

> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
Re: [PATCH v2 5/5] soc: imx8: Add the SC SECVIO driver
On Sun, Oct 18, 2020 at 05:21:28AM +, Aisheng Dong wrote:
> Not sure if EDAC could be a better place.
> e.g.
> drivers/edac/sifive_edac.c

I don't see how this functionality has anything to do with EDAC.

> If not, maybe we can put in 'soc' first.

Or drivers/misc/

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette
RE: [PATCH v2 5/5] soc: imx8: Add the SC SECVIO driver
> From: Shawn Guo > Sent: Wednesday, August 19, 2020 9:32 PM > > > > The SNVS is a hardware component in the imx8 SoC. One of its function > > is to detect hardware attacks, in which case it creates a SECurity > > VIOlation. > > > > This patch adds the support for the reception of these secvio and > > report it to the audit framework. > > > > It also gives the possibility to perform custom processing when a > > secvio is detected. > > > > Signed-off-by: Franck LENORMAND > > Reported-by: kernel test robot > > --- > > drivers/soc/imx/Kconfig | 10 + > > drivers/soc/imx/Makefile| 1 + > > drivers/soc/imx/secvio/Kconfig | 10 + > > drivers/soc/imx/secvio/Makefile | 3 + > > drivers/soc/imx/secvio/imx-secvio-audit.c | 39 ++ > > drivers/soc/imx/secvio/imx-secvio-debugfs.c | 379 > > drivers/soc/imx/secvio/imx-secvio-sc-int.h | 84 +++ > > drivers/soc/imx/secvio/imx-secvio-sc.c | 858 > > > include/soc/imx/imx-secvio-sc.h | 177 ++ > > 9 files changed, 1561 insertions(+) > > create mode 100644 drivers/soc/imx/secvio/Kconfig create mode 100644 > > drivers/soc/imx/secvio/Makefile create mode 100644 > > drivers/soc/imx/secvio/imx-secvio-audit.c > > create mode 100644 drivers/soc/imx/secvio/imx-secvio-debugfs.c > > create mode 100644 drivers/soc/imx/secvio/imx-secvio-sc-int.h > > create mode 100644 drivers/soc/imx/secvio/imx-secvio-sc.c > > create mode 100644 include/soc/imx/imx-secvio-sc.h > > Hi Arnd, > > Do we have any subsystem to accommodate this driver? Or 'soc' is just the > right place for it? > Not sure if EDAC could be a better place. e.g. drivers/edac/sifive_edac.c If not, maybe we can put in 'soc' first. Regards Aisheng > Shawn > > > > > diff --git a/drivers/soc/imx/Kconfig b/drivers/soc/imx/Kconfig index > > a9370f4..6c1bc78 100644 > > --- a/drivers/soc/imx/Kconfig > > +++ b/drivers/soc/imx/Kconfig 
> > @@ -19,4 +19,14 @@ config SOC_IMX8M > > support, it will provide the SoC info like SoC family, > > ID and revision etc. > > > > +config SECVIO_SC > > +tristate "NXP SC secvio support" > > +depends on IMX_SCU > > +help > > + If you say yes here you get support for the NXP SNVS security > > + violation module. It includes the possibility to read > > information > > + related to security violations and tampers. It also gives the > > + possibility to register user callbacks when a security violation > > + occurs. > > + > > endmenu > > diff --git a/drivers/soc/imx/Makefile b/drivers/soc/imx/Makefile index > > 078dc91..c91a499 100644 > > --- a/drivers/soc/imx/Makefile > > +++ b/drivers/soc/imx/Makefile > > @@ -5,3 +5,4 @@ endif > > obj-$(CONFIG_HAVE_IMX_GPC) += gpc.o > > obj-$(CONFIG_IMX_GPCV2_PM_DOMAINS) += gpcv2.o > > obj-$(CONFIG_SOC_IMX8M) += soc-imx8m.o > > +obj-${CONFIG_SECVIO_SC} += secvio/ > > diff --git a/drivers/soc/imx/secvio/Kconfig > > b/drivers/soc/imx/secvio/Kconfig new file mode 100644 index > > 000..dcfaea5 > > --- /dev/null > > +++ b/drivers/soc/imx/secvio/Kconfig > > @@ -0,0 +1,10 @@ > > +config SECVIO_SC > > +tristate "NXP SC secvio support" > > +depends on IMX_SCU > > +help > > + If you say yes here you get support for the NXP SNVS security > > + violation module. It includes the possibility to read > > information > > + related to security violations and tampers. It also gives the > > + possibility to register user callbacks when a security violation > > + occurs. > > + > > diff --git a/drivers/soc/imx/secvio/Makefile > > b/drivers/soc/imx/secvio/Makefile new file mode 100644 index > > 000..d5a89ba > > --- /dev/null > > +++ b/drivers/soc/imx/secvio/Makefile > > @@ -0,0 +1,3 @@ > > +obj-y += imx-secvio-sc.o > > +obj-$(CONFIG_DEBUG_FS) += imx-secvio-debugfs.o > > +obj-$(CONFIG_AUDIT) += imx-secvio-audit.o 
> > diff --git a/drivers/soc/imx/secvio/imx-secvio-audit.c > > b/drivers/soc/imx/secvio/imx-secvio-audit.c > > new file mode 100644 > > index 000..dc96e16 > > --- /dev/null > > +++ b/drivers/soc/imx/secvio/imx-secvio-audit.c > > @@ -0,0 +1,39 @@ > > +// SPDX-License-Identifier: GPL-2.0+ > > +/* > > + * Copyright 2019-2020 NXP > > + */ > > + > > +#include > > + > > +#include > > + > > +/** > > + * report_to_audit_notify() - Report secvio and tamper status to > > +audit FW > > + * > > + * This function can be chained in a notifier list > > + * > > + * @nb: notifier block > > + * @status: error code > > + * @notif_info: Pointer on secvio_sc_notifier_info structure > > + * > > + * Return: > > + * 0 - OK > > + * < 0 - error. > > + */ > > +int report_to_audit_notify(struct notifier_block *nb, unsigned long status, > > + void *notif_info) > > +{ > > + struct audit_buffer *ab; > > + struct secvio_sc_notifier_info *info = notif_info; > > + >
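Review bot: `config SECVIO_SC` is defined twice with identical prompt, dependency and help text, once in the drivers/soc/imx/Kconfig hunk and again in the new drivers/soc/imx/secvio/Kconfig, and none of the quoted hunks adds a `source` line for the new file. Keep a single definition: either drop the block added to drivers/soc/imx/Kconfig and add `source "drivers/soc/imx/secvio/Kconfig"` in its place, or drop the new secvio/Kconfig file. The diffstat's 10 added lines for drivers/soc/imx/Kconfig match the config block alone, so as posted the second file appears to be dead.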
RE: [PATCH v2 5/5] soc: imx8: Add the SC SECVIO driver
Regards,
Franck LENORMAND, STEC Engineer

-Original Message-
From: Shawn Guo
Sent: Wednesday, August 19, 2020 3:32 PM
To: Franck Lenormand (OSS); Arnd Bergmann
Cc: s.ha...@pengutronix.de; feste...@gmail.com; ker...@pengutronix.de; linux-kernel@vger.kernel.org; linux-arm-ker...@lists.infradead.org; dl-linux-imx; Aisheng Dong; Abel Vesa; Anson Huang; li...@rempel-privat.de; Leonard Crestez; Daniel Baluta; Joakim Zhang; Peng Fan
Subject: Re: [PATCH v2 5/5] soc: imx8: Add the SC SECVIO driver

On Tue, Jul 21, 2020 at 05:20:35PM +0200, franck.lenorm...@oss.nxp.com wrote:
> From: Franck LENORMAND
>
> The SNVS is a hardware component in the imx8 SoC. One of its function
> is to detect hardware attacks, in which case it creates a SECurity
> VIOlation.
>
> This patch adds the support for the reception of these secvio and
> report it to the audit framework.
>
> It also gives the possibility to perform custom processing when a
> secvio is detected.
> > Signed-off-by: Franck LENORMAND > Reported-by: kernel test robot > --- > drivers/soc/imx/Kconfig | 10 + > drivers/soc/imx/Makefile| 1 + > drivers/soc/imx/secvio/Kconfig | 10 + > drivers/soc/imx/secvio/Makefile | 3 + > drivers/soc/imx/secvio/imx-secvio-audit.c | 39 ++ > drivers/soc/imx/secvio/imx-secvio-debugfs.c | 379 > drivers/soc/imx/secvio/imx-secvio-sc-int.h | 84 +++ > drivers/soc/imx/secvio/imx-secvio-sc.c | 858 > > include/soc/imx/imx-secvio-sc.h | 177 ++ > 9 files changed, 1561 insertions(+) > create mode 100644 drivers/soc/imx/secvio/Kconfig create mode 100644 > drivers/soc/imx/secvio/Makefile create mode 100644 > drivers/soc/imx/secvio/imx-secvio-audit.c > create mode 100644 drivers/soc/imx/secvio/imx-secvio-debugfs.c > create mode 100644 drivers/soc/imx/secvio/imx-secvio-sc-int.h > create mode 100644 drivers/soc/imx/secvio/imx-secvio-sc.c > create mode 100644 include/soc/imx/imx-secvio-sc.h Hi Arnd, Do we have any subsystem to accommodate this driver? Or 'soc' is just the right place for it? [FL:] I was not able to find other devices which detects hardware intrusions so it seemed to be the best place for the driver. Shawn > > diff --git a/drivers/soc/imx/Kconfig b/drivers/soc/imx/Kconfig index > a9370f4..6c1bc78 100644 > --- a/drivers/soc/imx/Kconfig > +++ b/drivers/soc/imx/Kconfig > @@ -19,4 +19,14 @@ config SOC_IMX8M > support, it will provide the SoC info like SoC family, > ID and revision etc. > > +config SECVIO_SC > +tristate "NXP SC secvio support" > +depends on IMX_SCU > +help > + If you say yes here you get support for the NXP SNVS security > + violation module. It includes the possibility to read information > + related to security violations and tampers. It also gives the > + possibility to register user callbacks when a security violation > + occurs. > + > endmenu > diff --git a/drivers/soc/imx/Makefile b/drivers/soc/imx/Makefile index > 078dc91..c91a499 100644 > --- a/drivers/soc/imx/Makefile > +++ b/drivers/soc/imx/Makefile 
> @@ -5,3 +5,4 @@ endif > obj-$(CONFIG_HAVE_IMX_GPC) += gpc.o > obj-$(CONFIG_IMX_GPCV2_PM_DOMAINS) += gpcv2.o > obj-$(CONFIG_SOC_IMX8M) += soc-imx8m.o > +obj-${CONFIG_SECVIO_SC} += secvio/ > diff --git a/drivers/soc/imx/secvio/Kconfig > b/drivers/soc/imx/secvio/Kconfig new file mode 100644 index > 000..dcfaea5 > --- /dev/null > +++ b/drivers/soc/imx/secvio/Kconfig > @@ -0,0 +1,10 @@ > +config SECVIO_SC > +tristate "NXP SC secvio support" > +depends on IMX_SCU > +help > + If you say yes here you get support for the NXP SNVS security > + violation module. It includes the possibility to read information > + related to security violations and tampers. It also gives the > + possibility to register user callbacks when a security violation > + occurs. > + > diff --git a/drivers/soc/imx/secvio/Makefile > b/drivers/soc/imx/secvio/Makefile new file mode 100644 index > 000..d5a89ba > --- /dev/null > +++ b/drivers/soc/imx/secvio/Makefile > @@ -0,0 +1,3 @@ > +obj-y += imx-secvio-sc.o > +obj-$(CONFIG_DEBUG_FS) += imx-secvio-debugfs.o > +obj-$(CONFIG_AUDIT) += imx-secvio-audit.o > diff --git a/drivers/soc/imx/secvio/imx-secvio-audit.c > b/drivers/soc/imx/secvio/imx-secvio-audit.c > new file mode 100644 > index 000..dc96e16 > --- /dev/null > +++ b/drivers/soc/imx/secvio/imx-secvio-audit.c > @@ -0,0 +1,39 @@ > +// SPDX-License-Identifier: GPL-2.0+
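Review bot: In the new drivers/soc/imx/secvio/Makefile, `obj-y += imx-secvio-sc.o` does not follow the `tristate` declared for SECVIO_SC, so choosing `m` will not yield a module from this object, and the debugfs and audit objects are keyed only on the global CONFIG_DEBUG_FS and CONFIG_AUDIT options. Use `obj-$(CONFIG_SECVIO_SC)` for the driver and make the debugfs and audit files conditional parts of that same composite object, or change the Kconfig entry to `bool` if a module build is not intended. In the drivers/soc/imx/Makefile hunk, `obj-${CONFIG_SECVIO_SC}` should use `$(...)` like the three lines above it.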
Re: [PATCH v2 5/5] soc: imx8: Add the SC SECVIO driver
On Tue, Jul 21, 2020 at 05:20:35PM +0200, franck.lenorm...@oss.nxp.com wrote: > From: Franck LENORMAND > > The SNVS is a hardware component in the imx8 SoC. One of its > function is to detect hardware attacks, in which case it creates > a SECurity VIOlation. > > This patch adds the support for the reception of these secvio and > report it to the audit framework. > > It also gives the possibility to perform custom processing when a > secvio is detected. > > Signed-off-by: Franck LENORMAND > Reported-by: kernel test robot > --- > drivers/soc/imx/Kconfig | 10 + > drivers/soc/imx/Makefile| 1 + > drivers/soc/imx/secvio/Kconfig | 10 + > drivers/soc/imx/secvio/Makefile | 3 + > drivers/soc/imx/secvio/imx-secvio-audit.c | 39 ++ > drivers/soc/imx/secvio/imx-secvio-debugfs.c | 379 > drivers/soc/imx/secvio/imx-secvio-sc-int.h | 84 +++ > drivers/soc/imx/secvio/imx-secvio-sc.c | 858 > > include/soc/imx/imx-secvio-sc.h | 177 ++ > 9 files changed, 1561 insertions(+) > create mode 100644 drivers/soc/imx/secvio/Kconfig > create mode 100644 drivers/soc/imx/secvio/Makefile > create mode 100644 drivers/soc/imx/secvio/imx-secvio-audit.c > create mode 100644 drivers/soc/imx/secvio/imx-secvio-debugfs.c > create mode 100644 drivers/soc/imx/secvio/imx-secvio-sc-int.h > create mode 100644 drivers/soc/imx/secvio/imx-secvio-sc.c > create mode 100644 include/soc/imx/imx-secvio-sc.h Hi Arnd, Do we have any subsystem to accommodate this driver? Or 'soc' is just the right place for it? Shawn > > diff --git a/drivers/soc/imx/Kconfig b/drivers/soc/imx/Kconfig > index a9370f4..6c1bc78 100644 > --- a/drivers/soc/imx/Kconfig > +++ b/drivers/soc/imx/Kconfig 
> @@ -19,4 +19,14 @@ config SOC_IMX8M > support, it will provide the SoC info like SoC family, > ID and revision etc. > > +config SECVIO_SC > +tristate "NXP SC secvio support" > +depends on IMX_SCU > +help > + If you say yes here you get support for the NXP SNVS security > + violation module. It includes the possibility to read information > + related to security violations and tampers. It also gives the > + possibility to register user callbacks when a security violation > + occurs. > + > endmenu > diff --git a/drivers/soc/imx/Makefile b/drivers/soc/imx/Makefile > index 078dc91..c91a499 100644 > --- a/drivers/soc/imx/Makefile > +++ b/drivers/soc/imx/Makefile > @@ -5,3 +5,4 @@ endif > obj-$(CONFIG_HAVE_IMX_GPC) += gpc.o > obj-$(CONFIG_IMX_GPCV2_PM_DOMAINS) += gpcv2.o > obj-$(CONFIG_SOC_IMX8M) += soc-imx8m.o > +obj-${CONFIG_SECVIO_SC} += secvio/ > diff --git a/drivers/soc/imx/secvio/Kconfig b/drivers/soc/imx/secvio/Kconfig > new file mode 100644 > index 000..dcfaea5 > --- /dev/null > +++ b/drivers/soc/imx/secvio/Kconfig > @@ -0,0 +1,10 @@ > +config SECVIO_SC > +tristate "NXP SC secvio support" > +depends on IMX_SCU > +help > + If you say yes here you get support for the NXP SNVS security > + violation module. It includes the possibility to read information > + related to security violations and tampers. It also gives the > + possibility to register user callbacks when a security violation > + occurs. > + > diff --git a/drivers/soc/imx/secvio/Makefile b/drivers/soc/imx/secvio/Makefile > new file mode 100644 > index 000..d5a89ba > --- /dev/null > +++ b/drivers/soc/imx/secvio/Makefile > @@ -0,0 +1,3 @@ > +obj-y += imx-secvio-sc.o > +obj-$(CONFIG_DEBUG_FS) += imx-secvio-debugfs.o > +obj-$(CONFIG_AUDIT) += imx-secvio-audit.o > diff --git a/drivers/soc/imx/secvio/imx-secvio-audit.c > b/drivers/soc/imx/secvio/imx-secvio-audit.c > new file mode 100644 > index 000..dc96e16 > --- /dev/null > +++ b/drivers/soc/imx/secvio/imx-secvio-audit.c 
> @@ -0,0 +1,39 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/* > + * Copyright 2019-2020 NXP > + */ > + > +#include > + > +#include > + > +/** > + * report_to_audit_notify() - Report secvio and tamper status to audit FW > + * > + * This function can be chained in a notifier list > + * > + * @nb: notifier block > + * @status: error code > + * @notif_info: Pointer on secvio_sc_notifier_info structure > + * > + * Return: > + * 0 - OK > + * < 0 - error. > + */ > +int report_to_audit_notify(struct notifier_block *nb, unsigned long status, > +void *notif_info) > +{ > + struct audit_buffer *ab; > + struct secvio_sc_notifier_info *info = notif_info; > + > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_INTEGRITY_RULE); > + if (!ab) > + return -ENOMEM; > + > + audit_log_format(ab, " hpsvs=0x%.08x lps=0x%.08x lptds=0x%.08x", > + info->hpsvs, info->lps, info->lptds); > + audit_log_task_info(ab); > + audit_log_end(ab); > + > +
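Review bot: `return -ENOMEM` on the `!ab` path of report_to_audit_notify() hands an errno back from a function the kernel-doc says "can be chained in a notifier list". Notifier callbacks are expected to return NOTIFY_* codes, and a negative value has the NOTIFY_STOP_MASK bit set, so a failed audit buffer allocation would also keep every later callback in the chain from seeing the security violation. Return `notifier_from_errno(-ENOMEM)` only if stopping the chain is intended, otherwise NOTIFY_DONE, and update the "Return:" section to match. Two smaller points in the same function: `@status` is documented as "error code" but is not used in the lines shown, and `GFP_KERNEL` means this callback may sleep, which the comment should state as a requirement on the chain it is registered with.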