Hi Jassi, > Subject: Re: [PATCH V6 1/2] dt-bindings: mailbox: add binding doc for the > ARM SMC/HVC mailbox > > On Tue, Sep 17, 2019 at 12:31 PM Andre Przywara > <andre.przywara@xxxxxxx> wrote: > > > > On Mon, 16 Sep 2019 09:44:37 +0000 > > Peng Fan <peng.fan@xxxxxxx> wrote: > > > > Hi, > > > > > From: Peng Fan <peng.fan@xxxxxxx> > > > > > > The ARM SMC/HVC mailbox binding describes a firmware interface to > > > trigger actions in software layers running in the EL2 or EL3 exception > levels. > > > The term "ARM" here relates to the SMC instruction as part of the > > > ARM instruction set, not as a standard endorsed by ARM Ltd. > > > > > > Signed-off-by: Peng Fan <peng.fan@xxxxxxx> > > > --- > > > .../devicetree/bindings/mailbox/arm-smc.yaml | 96 > ++++++++++++++++++++++ > > > 1 file changed, 96 insertions(+) > > > create mode 100644 > > > Documentation/devicetree/bindings/mailbox/arm-smc.yaml > > > > > > diff --git a/Documentation/devicetree/bindings/mailbox/arm-smc.yaml > > > b/Documentation/devicetree/bindings/mailbox/arm-smc.yaml > > > new file mode 100644 > > > index 000000000000..bf01bec035fc > > > --- /dev/null > > > +++ b/Documentation/devicetree/bindings/mailbox/arm-smc.yaml > > > @@ -0,0 +1,96 @@ > > > +# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause) %YAML 1.2 > > > +--- > > > +$id: > > > +https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fde > > > > +vicetree.org%2Fschemas%2Fmailbox%2Farm-smc.yaml%23&data=02% > 7C01 > > > > +%7Cpeng.fan%40nxp.com%7Cf8065d24dd474238baf008d73bf8dc7a%7C686 > ea1d3 > > > > +bc2b4c6fa92cd99c5c301635%7C0%7C1%7C637043812342903260&sd > ata=vC3 > > > > +S8hvYDxDhNbIQoC44hpO5bw1yYZdBwu%2B%2Fp8mV0hI%3D&reserv > ed=0 > > > +$schema: > > > +https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fde > > > > +vicetree.org%2Fmeta-schemas%2Fcore.yaml%23&data=02%7C01%7C > peng. > > > > +fan%40nxp.com%7Cf8065d24dd474238baf008d73bf8dc7a%7C686ea1d3bc2 > b4c6f > > > > +a92cd99c5c301635%7C0%7C1%7C637043812342903260&sdata=IDHd > vf1Mgw1 > > > +BR%2Bo4XJ%2BjQS%2Bx1pSBzADnW44B2hZLzKw%3D&reserved=0 > > > + > > > +title: ARM SMC Mailbox Interface > > > + > > > +maintainers: > > > + - Peng Fan <peng.fan@xxxxxxx> > > > + > > > +description: | > > > + This mailbox uses the ARM smc (secure monitor call) and hvc > > > +(hypervisor > > > > I think "or" instead of "and" is less confusing. > > > > > + call) instruction to trigger a mailbox-connected activity in > > > + firmware, executing on the very same core as the caller. The > > > + value of r0/w0/x0 the firmware returns after the smc call is > > > + delivered as a received message to the mailbox framework, so > > > + synchronous communication can be established. The exact meaning > > > + of the action the mailbox triggers as well as the return value is > > > + defined by their users and is not subject to this binding. > > > + > > > + One use case of this mailbox is the SCMI interface, which uses > > > + shared > > > > One example use case of this mailbox ... > > (to make it more obvious that it's not restricted to this) > > > > > + memory to transfer commands and parameters, and a mailbox to > > > + trigger a function call. This allows SoCs without a separate > > > + management processor (or when such a processor is not available > > > + or used) to use this standardized interface anyway. > > > + > > > + This binding describes no hardware, but establishes a firmware > interface. > > > + Upon receiving an SMC using one of the described SMC function > > > + identifiers, > > > > ... the described SMC function > > identifier, > > > > > + the firmware is expected to trigger some mailbox connected > functionality. > > > + The communication follows the ARM SMC calling convention. > > > + Firmware expects an SMC function identifier in r0 or w0. The > > > + supported identifiers are passed from consumers, > > > > identifier > > > > "passed from consumers": How? Where? > > But I want to repeat: We should not allow this. > > This is a binding for a mailbox controller driver, not a generic firmware > backdoor. > > > Exactly. The mailbox controller here is the SMC/HVC instruction, which > needs 9 arguments to work. The fact that the fist argument is always going to > be same on a platform is just the way we use this instruction. > > > We should be as strict as possible to avoid any security issues. > > > Any example of such a security issue? > > > The firmware certainly knows the function ID it implements. The firmware > controls the DT. So it is straight-forward to put the ID into the DT. The > firmware could even do this at boot time, dynamically, before passing on the > DT to the non-secure world (bootloader or kernel). > > > > What would be the use case of this functionality? > > > At least for flexibility and consistency. > > > > or listed in the the arm,func-ids > > > > arm,func-id > > > > > + properties as described below. The firmware can return one value > > > + in > > > > property > > > > > + the first SMC result register, it is expected to be an error > > > + value, which shall be propagated to the mailbox client. > > > + > > > + Any core which supports the SMC or HVC instruction can be used, > > > + as long as a firmware component running in EL3 or EL2 is handling > these calls. > > > + > > > +properties: > > > + compatible: > > > + oneOf: > > > + - description: > > > + For implementations using ARM SMC instruction. > > > + const: arm,smc-mbox > > > + > > > + - description: > > > + For implementations using ARM HVC instruction. > > > + const: arm,hvc-mbox > > > > I am not particularly happy with this, but well ... > > > > > + > > > + "#mbox-cells": > > > + const: 1 > > > > Why is this "1"? What is this number used for? It used to be the channel ID, > but since you are describing a single channel controller only, this should be 0 > now. > > > Yes. I overlooked it and actually queued the patch for pull request. In Documentation/devicetree/bindings/mailbox/mailbox.txt #mbox-cells: Must be at least 1. So I use 1 here, 0 not work. Because of_mbox_index_xlate expect at least 1 here. So I need modify Documentation/devicetree/bindings/mailbox/mailbox.txt and add xlate for smc mailbox? Thanks, Peng. > But I think the bindings should not carry a 'fix' patch later. Also I realise this > revision of binding hasn't been reviewed by Rob. Maybe I should drop the > patch for now. > > > > + > > > + arm,func-id: > > > + description: | > > > + An 32-bit value specifying the function ID used by the mailbox. > > > > A single 32-bit value ... > > > > > + The function ID follow the ARM SMC calling convention standard > [1]. > > > > follows > > > > > + $ref: /schemas/types.yaml#/definitions/uint32 > > > + > > > +required: > > > + - compatible > > > + - "#mbox-cells" > > > + > > > +examples: > > > + - | > > > + sram@93f000 { > > > + compatible = "mmio-sram"; > > > + reg = <0x0 0x93f000 0x0 0x1000>; > > > + #address-cells = <1>; > > > + #size-cells = <1>; > > > + ranges = <0x0 0x93f000 0x1000>; > > > + > > > + cpu_scp_lpri: scp-shmem@0 { > > > + compatible = "arm,scmi-shmem"; > > > + reg = <0x0 0x200>; > > > + }; > > > + }; > > > + > > > + smc_tx_mbox: tx_mbox { > > > + #mbox-cells = <1>; > > > > As mentioned above, should be 0. > > > > > + compatible = "arm,smc-mbox"; > > > + /* optional */ > > > > First: having "optional" in a specific example is not helpful, just confusing. > > Second: It is actually *not* optional in this case, as there is no other way of > propagating the function ID. The SCMI driver as the mailbox client has > certainly no clue about this. > > I think I said this previously: Relying on the mailbox client to pass the > function ID sounds broken, as this is a property of the mailbox controller driver. > The mailbox client does not care about this mailbox communication detail, it > just wants to trigger the mailbox. > > > Again, the mailbox controller here is the SMC/HVC _instruction_, which > doesn't care what value the first argument carry. > > Cheers!
