Enable dynamic SHM support

[lorc]

Hello.

There are last patches for dynamic SHM.

I'm not sure, if I did right thing, when created two patches with ABI changes, because 4e5d00d ("ABI change: add shared memory support") enables new capability and 30260ae ("ABI change: enable TMEM parameters with non-contiguous shm") extends it.

Probably I should squash those two patches into one, or create one additional patch for entry_fast.c, that enables OPTEE_SMC_SEC_CAP_DYNAMIC_SHM. What do you think?

[stuyoder]

Based on the mailing list discussion, we don't need both OPTEE_SMC_SEC_CAP_UNREGISTERED_SHM and OPTEE_SMC_SEC_CAP_DYNAMIC_SHM, right?

Jens had proposed changing the existing "UNREGISTERED_SHM" capability to this:

/*

• Secure world supports shared memory objects to represent
• physically non-contiguous memory and the commands
• "register/unregister shared memory object" for more efficient
• communication via physically non-contiguous memory.
  */
  #define OPTEE_SMC_SEC_CAP_NONCONTIG_SHM (1 << 1)

[lorc]

Hi, @stuyoder. I did exactly this. I decided not to touch existing OPTEE_SMC_SEC_CAP_UNREGISTERED_SHM. Instead I added new OPTEE_SMC_SEC_CAP_DYNAMIC_SHM. I think, that this name better describes this capability.

[etienne-lms]

Actually the UNREGISTERED_SHM relates the the so-called default shm (NSEC_SHM in the core). This shm is "negotiated" at core inits with nsec world (some SMCs allow to get/set the nsec_shm location, but core_mmu.c expects it from static config CFG_SHMEM_START/_SIZE). It happens to be physically contiguous and as a single memory chunk. That's its real attributes.

[stuyoder]

@etienne-lms, What do you mean with respect to "negotiated"? UNREGISTERED_SHM is unused as of now in both OP-TEE and Linux.

This is how the capabilities are defined today:

/* Secure world has reserved shared memory for normal world to use /
#define OPTEE_SMC_SEC_CAP_HAVE_RESERVED_SHM (1 << 0)
/ Secure world can communicate via previously unregistered shared memory */
#define OPTEE_SMC_SEC_CAP_UNREGISTERED_SHM (1 << 1)

It is HAVE_RESERVED_SHM that is referring to the physically contiguous static CFG_SHMEM_START/SIZE.

The question is what capabilities we need to refer to the new ability for OP-TEE to map arbitrary, non-contiguous physical addresses.

Do we need:
A). One capability that refers to the capability of OP-TEE to handle non-contiguous shared memory and the capability to handle the register/unregister core APIs?
or
B) . Two capabilities-- 1) one for the capability of OP-TEE to handle non-contiguous shared memory, and 2) one for the capability to handle the register/unregister core APIs.

Jens proposal on the mailing list was for option #A.

[stuyoder]

@lorc, what do the capabilities OPTEE_SMC_SEC_CAP_UNREGISTERED_SHM and OPTEE_SMC_SEC_CAP_DYNAMIC_SHM mean in your view? How are they different?

As I stated above, the first question is whether we need one capability or two capabilities. Once that is decided, we can decide what the best name is.

[jenswi-linaro]

I'd prefer only on capability as those two are so intertwined.

[lorc]

@stuyoder, I'm not using OPTEE_SMC_SEC_CAP_UNREGISTERED_SHM at all. I have leaved it as is. I use only OPTEE_SMC_SEC_CAP_DYNAMIC_SHM in my patch series.
I decided not to rename OPTEE_SMC_SEC_CAP_UNREGISTERED_SHM to OPTEE_SMC_SEC_CAP_DYNAMIC_SHM because that can add some confusion.
At this moment there are at least 30 free bits for capability flags, so I don't see why we need to reuse existing values.

[prime-zeng]

@lorc Do you have any plan to support user TA mapping for the dynamic SHM?

[jenswi-linaro]

Sorry I seem to have missed this. Here's my comments and then there's the comment by @stuyoder also.

[jenswi-linaro]

I would have formatted these two lines as:

        } else if (arg->params[0].attr == (OPTEE_MSG_ATTR_TYPE_TMEM_OUTPUT |
                                           OPTEE_MSG_ATTR_NONCONTIG)) {

but that's a matter of taste.

[jenswi-linaro]

These two lines are not relevant for a paged mobj so they should be moved into the if below.

[jenswi-linaro]

Align with ( on the line above.

[jenswi-linaro]

Align with ( on the line above.

[jenswi-linaro]

\n not needed.

[lorc]

Addressed comments.

@prime-zeng, I'm sorry. I didn't get what are you asking.
User TAs can use memory that was registered by CA, if this is what you asked.

[etienne-lms]

i need to review this again, seems but still unclear to me.

[etienne-lms]

typo /supporst/supports/
add empty line before comment.

[etienne-lms]

coudl you log on info level, it is not a error.

[etienne-lms]

s/unsecure/non secure/

[etienne-lms]

get_cmd_buffer() could handle both case. It would make tee_entry_std() more readable.

[lorc]

I prefer to leave it in current state. get_cmd_buffer() is responsible for buffers in MEM_AREA_NSEC_SHM which is already mapped in OP-TEE address space. map_cmd_buffer() maps buffers from MEM_AREA_RAM_NSEC. One task for one function.

As alternative I can create a third function that will choose to call get_cmd_buffer() or map_cmd_buffer().

[etienne-lms]

Actually the UNREGISTERED_SHM relates the the so-called default shm (NSEC_SHM in the core). This shm is "negotiated" at core inits with nsec world (some SMCs allow to get/set the nsec_shm location, but core_mmu.c expects it from static config CFG_SHMEM_START/_SIZE). It happens to be physically contiguous and as a single memory chunk. That's its real attributes.

[etienne-lms]

apology: could you add a space before the ? for consistency with below. (which could be rephrased some day).

[jforissier]

No space before ? in English...

[etienne-lms]

So we'll clean the other comments.

[lorc]

I added separate patch that does this.

[etienne-lms]

minor: useless parenthesis.

[etienne-lms]

@lorc Do you have any plan to support user TA mapping for the dynamic SHM?

@prime-zeng, I'm sorry. I didn't get what are you asking.
User TAs can use memory that was registered by CA, if this is what you asked.

I agree with @lorc. Since his work on the shm, the memref parameters of TA invocations are now handled through memory object mobj. These abstract to underlying memory when one operates on the referred memory (identification, mapping, address conversion, ...). The current implementation of the mapping of user TA memref parameters should be able to map the new mobj_reg_shm reference (registered, not physically contiguous) as well as the currently used mobj_shm reference (from the NSEC_SHM). Yet, let's see the tests, but it should get functional.

[etienne-lms]

I think we should reject noncontig attributes.
Non-contig reference are used only from register_[un]shm() std entries to register a reference related to the parameter type OPTEE_MSG_ATTR_RMEM_*.
Current function copy_in_params() is called from open/close_session() and and invoke_command(). It does not expect non-contig references, only value (with.. value), tmem (with its phys addr) and rmem (with its registered ref) types.

[jenswi-linaro]

You mean we should disable noncontig bufs as parameters to TA unless it's via already registered buffers? Why?
I think it could be useful for one-shot invokes etc.

[etienne-lms]

I think it could be useful for one-shot invokes etc.

You are right. It could be used.
So it would be allowed only for OPTEE_MSG_ATTR_TMEM_* types, as used in assign_mobj_to_param_mem().

But TEE Client API expects client to either use TEEC_AllocateSharedMemory() or TEE_RegisterSharedMemory(), do we really need to support here un-registered shm references ?

[jenswi-linaro]

There's the TEEC_MEMREF_TEMP_* also.

[prime-zeng]

@etienne-lms @lorc I mean to ask whether the User TAs can use the registered (not physically contiguous )memory. And i see the final User TAs mapping are created in the function set_pg_region ,but i think this functions can't deal with non-contiguous memory. Do i miss something?

[etienne-lms]

set_pg_region() ,but i think this functions can't deal with non-contiguous memory. Do i miss something?

As of current implementation, yes, the function set_pg_region() may not fully handle the non-contiguous references. But it is already based on a loop that maps page per page and relies on mobj_get_pa() to retrieve each page physical address. So I think it is a matter of debugging to insure non-contiguous memory references are properly handled, if not already supported.

[prime-zeng]

@etienne-lms i got it, thank you, so i think maybe the problem now is how to fix the set_pg_region() to support non-contiguous memory, and this is another issue.

[lorc]

@prime-zeng , actually, one of the changes makes set_pg_region() (at [1]) to support non-contiguous memory. I especially tested this case.

@etienne-lms, I have addressed your comments.

[1] https://github.com/OP-TEE/optee_os/pull/1631/files#diff-21c5a372f38c092a429fd2b7e8f71ef3R1060

[jenswi-linaro]

I'd like to run some tests with this, which driver and client branch did you use?
Also we need to be happy about especially the driver changes before we commit to this new ABI.

[lorc]

Hi @jenswi-linaro, you will need kernel patches from this PR: linaro-swg/linux#29
And client library patches from this PR: OP-TEE/optee_client#72

[jenswi-linaro]

This works very well. The ABI provided to normal world is flexible enough to handle all use cases and I'm pretty sure it will survive a review on the kernel mailing lists without incompatible changes.

I'd like to wrap this up and merge it as soon as possible. We should do the same for linaro-swg/linux#29 and OP-TEE/optee_client#72. When it comes to upstreaming the kernel changes I'd be grateful I you posted the patches @lorc, in order to drive the process on the kernel mailing lists.

[etienne-lms]

Some late minor comments.
Looks ok to me: Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

[etienne-lms]

minor: s/configured/defined/. This code does not really configure anything.
Same below.

[etienne-lms]

minor: s/belongs/Belongs/

[etienne-lms]

minor: s/belongs/Belongs/

[jenswi-linaro]

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

[jforissier]

@lorc could you please squash/rebase the patches and apply the Reviewed-by: tags?

Can this safely be merged without the linux and optee_client patches? I'm concerned by the "ABI change:" text. Assuming the changes are compatible, I'd suggest changing the subject of two commits as follows:

• "ABI change: add shared memory support" would become "core: add support for dynamic registration of shared memory"
• "ABI change: enable TMEM parameters with non-contiguous shm" would become "core: allow non-contiguous shared memory in temporary memory references"

Did I get this right?

[lorc]

Hello.

I have squashed, rebased and applied tags to this patch series.
But there is one new patch, that was born during kernel part rework: core: enable TMEM parameters with non-contiguous shm (eb3e932). I didn't applied tags to it, because it wasn't reviewed. I don't know what to do with it. Will you review it as a part of this series, or should I post it as a separate PR?

[jenswi-linaro]

You can add:
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
to "core: enable TMEM parameters with non-contiguous shm"

[lorc]

Thank you, @jenswi-linaro , I added your R-b tag and repushed patches.

[jforissier]

Sorry to bother, but I'm still not happy with the commit subject: "core: add shared memory support". OP-TEE already supports shared memory so it doesn't make sense. Say waht you are really adding.

Same goes with "core: enable TMEM parameters with non-contiguous shm". What is TMEM? This acronym appears absolutely nowhere, not even in that patch.

[etienne-lms]

• still late comments....

Commit " entry_std.c: comment fixes: "

• can you change 1st line to "core: fix comments in entry_std.c"

Comment of commit "entry_std: save parameters attributes into local memory"

• s/poses/pose/
• s/parameter attribute/parameter attributes/.

[etienne-lms]

Can you cross check that there is no issue when this cleanup from get_open_session_meta(). num_meta may not be inited ?

[lorc]

On my side, I feel ok with the feature being disable when platform doest not register nsec physical area(s).

Yeah, I thought about this. But, it does not eliminate unused code and also, strictly speaking, defined nsec region is not equal to enabled SHM. Yes, defined nsec memory region is prerequisite for dynamic SHM, but It can have other uses...

[jforissier]

@lorc I think your CFG_DBG_DISABLE_DYN_SHM_CAP approach is good enough. At least, it fit my testing needs and is not too intrusive.

@etienne-lms relying on register_nsec_ddr() is not strictly correct as said above, and is also not convenient because it cannot be controlled from the command line (test environment...).
So I think we should stick to the simple CFG_ approach in this PR, which has been discussed quite a lot already! And do further changes in a separate PR if needed.

That being said... for simplicity, I would recommend CFG_DYN_SHM_CAP ?= y and #if defined(CFG_DYN_SHM_CAP). That is, reverse the logic and drop the useless _DBG.
Note also: s/nevertheles/nevertheless/

With that, commit "build: disable..." is:
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

[etienne-lms]

Actually, the last change (introduces CFG_...) does not remove dynamic shm support from the optee kernel, it only drop the capability flag. Hence even disabled, the REE can still register and use dyn-shm. It is the expected behaviour?

[lorc]

Yep. I have pointed this in comments to config.mk:

 +# Note that you can disable this feature for debug purposes. OP-TEE will not
 +# report to Normal World that it support dynamic SHM. But, nevertheles it
 +# will accept dynamic SHM buffers.

[etienne-lms]

:) i should have read further. Well, so this is the expected behaviour.
Thanks.

[jforissier]

@etienne-lms yes and it's enough to exercise the usual shm pool on a platform that otherwise supports the dyn shm. make CFG_DYN_SHM_CAP=n, run xtest and you're done.

[lorc]

@jforissier I did as you asked. That was trivial change, so I did it in place, if you don't mind. Also I added your A-b

[jforissier]

@lorc thanks but you forgot to update the commit subject ;-)

[lorc]

@jforissier oops :) Should be fine now. I also elaborated commit message a bit.

[lorc]

Tested-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> (Rcar M3) with #1871
and with CFG_UNWIND=n (see #1872)

[jforissier]

Shippable fails due to checkpatch warnings that can easily be fixed.

[jenswi-linaro]

Together with #1874
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno with and without pager)

[lorc]

@jforissier, should I fix this one?

WARNING: line over 80 characters
#95: FILE: core/arch/arm/tee/entry_fast.c:112:
+		IMSG("No NS DDR defined for the platform. Disabling dynamic SHM");

Kernel coding style recommends leave long text constants as is even if they are longer than 80 characters to ease up grepping:

However, never break user-visible strings such as
printk messages, because that breaks the ability to grep for them.

[jforissier]

What about this (we want the message even when CFG_DYN_SHM_CAP is disabled):

        bool dshm_en = false;

#ifdef CFG_DYN_SHM_CAP
        dhsm_en = core_mmu_nsec_ddr_is_defined();
        if (dhsm_en)
                args->a1 |= OPTEE_SMC_SEC_CAP_DYNAMIC_SHM;
#endif
        IMSG("Dynamic shared memory is %sabled", dhsm_en ? "en" : "dis");

[lorc]

Okay, will do in this way.

[lorc]

Reworked tee_entry_exchange_capabilities() and also added new T-b tags.

[jforissier]

Thanks to all the contributors in this thread, @lorc good job! 👍
I'm merging this PR now.

[lorc]

Wow, I can't believe that it is done! Thank you to all of you guys for your support and help. I learned much while working on this feature.
BTW, I already tested it with Xen and it allowed me to call OP-TEE from Dom0 without dirty hacks in the hypervisor. I'm going to upstream needed patches to Xen, so Dom0<->OP-TEE interaction will be a standard feature.
Next big task is to add virtualization support in OP-TEE: tag sessions, shared memory, loaded TAs with virtual machine ID, check accesses and so on.

[etienne-lms]

congratulations @lorc (and all contribs) for this. took a while, thanks for your patience.