Re: [PATCH 00/15] Add CMDQ secure driver for SVP

From: Jason-JH Lin (林睿祥)
Date: Thu Sep 21 2023 - 13:06:56 EST


Hi CK,

On Wed, 2023-09-20 at 03:08 +0000, CK Hu (胡俊光) wrote:
> Hi, Jason:
>
> On Tue, 2023-09-19 at 03:21 +0800, Jason-JH.Lin wrote:
> > For the Secure Video Path (SVP) feature, inculding the memory
> > stored
> > secure video content, the registers of display HW pipeline and the
> > HW configure operations are required to execute in the secure
> > world.
> >
> > So using a CMDQ secure driver to make all display HW registers
> > configuration secure DRAM access permision settings execute by GCE
> > secure thread in the secure world.
> >
> > We are landing this feature on mt8188 and mt8195 currently.
>
> I'm doubt that GCE could be secure enough. Hacker would try any way
> to
> hack TEE. If the interface is simple, it's easy to check in the
> interface entry. But GCE command has enormous combination, how to
> check
> it's not hacked? One example is that hacker could use
> cmdq_pkt_read_s()
> and cmdq_pkt_write_s() to do memory copy and send this packet to
> secure
> GCE. Could this memory copy touch secure memory? Or don't worry
> about
> this, once hacker find a way to break this, just find a way to fix
> it?

We have put a lot protection mechanism in the secure world to avoid the
secure video content reveal from our SoC.

The hackers may try to add some commands in to cmdq secure pkt, but
we'll check all the commands in secure world for every secure pkt and
find out the invalid one with whitelist registers checking, DAPC HW
protection for write instruction to DRAM with configuring WDMA, larb
secure protection for read secure DRAM from normal world, checking
read_s instructions for memory copy to an invalid DRAM addr,etc.

Maybe hackers would find the way to break the video playback, but they
can not find the way to steal the secure video content by adding a
commands into secure cmdq pkt.

Regards,
Jason-JH.Lin
>
> >
> > Jason-JH.Lin (15):
> > dt-bindings: mailbox: Add property for CMDQ secure driver
> > dt-bindings: gce: mt8195: Add CMDQ_SYNC_TOKEN_SECURE_THR_EOF
> > event
> > id
> > soc: mailbox: Add SPR definition for GCE
> > soc: mailbox: Add cmdq_pkt_logic_command to support math
> > operation
> > mailbox: mediatek: Add cmdq_pkt_write_s_reg_value to CMDQ driver
> > mailbox: mediatek: Add cmdq_mbox_stop to disable GCE thread
> > mailbox: mediatek: Add loop pkt flag and irq handling for loop
> > command
> > soc: mediatek: Add cmdq_pkt_finalize_loop to CMDQ driver
> > mailbox: mediatek: Add secure CMDQ driver support for CMDQ driver
> > mailbox: mediatek: Add CMDQ secure mailbox driver
> > soc: mediatek: Add cmdq_insert_backup_cookie before EOC for
> > secure
> > pkt
> > mailbox: mediatek: Add CMDQ driver support for mt8188
> > mailbox: mediatek: Add mt8188 support for CMDQ secure driver
> > mailbox: mediatek: Add mt8195 support for CMDQ secure driver
> > arm64: dts: mediatek: mt8195: Add CMDQ secure driver support for
> > gce0
> >
> > .../mailbox/mediatek,gce-mailbox.yaml | 30 +-
> > arch/arm64/boot/dts/mediatek/mt8195.dtsi | 2 +
> > drivers/mailbox/Makefile | 2 +-
> > drivers/mailbox/mtk-cmdq-mailbox.c | 67 +-
> > drivers/mailbox/mtk-cmdq-sec-mailbox.c | 1103
> > +++++++++++++++++
> > drivers/mailbox/mtk-cmdq-sec-tee.c | 202 +++
> > drivers/soc/mediatek/mtk-cmdq-helper.c | 81 ++
> > include/dt-bindings/gce/mt8195-gce.h | 6 +
> > include/linux/mailbox/mtk-cmdq-mailbox.h | 15 +
> > .../linux/mailbox/mtk-cmdq-sec-iwc-common.h | 293 +++++
> > include/linux/mailbox/mtk-cmdq-sec-mailbox.h | 83 ++
> > include/linux/mailbox/mtk-cmdq-sec-tee.h | 31 +
> > include/linux/soc/mediatek/mtk-cmdq.h | 65 +
> > 13 files changed, 1971 insertions(+), 9 deletions(-)
> > create mode 100644 drivers/mailbox/mtk-cmdq-sec-mailbox.c
> > create mode 100644 drivers/mailbox/mtk-cmdq-sec-tee.c
> > create mode 100644 include/linux/mailbox/mtk-cmdq-sec-iwc-common.h
> > create mode 100644 include/linux/mailbox/mtk-cmdq-sec-mailbox.h
> > create mode 100644 include/linux/mailbox/mtk-cmdq-sec-tee.h
> >