RE: [RFC] firmware: arm_scmi: clock: add fixed clock attribute support
From: Peng Fan
Date: Tue Oct 10 2023 - 04:08:11 EST
> Subject: Re: [RFC] firmware: arm_scmi: clock: add fixed clock attribute
> support
>
> On Tue, Oct 10, 2023 at 10:29:11AM +0800, Peng Fan (OSS) wrote:
> > From: Peng Fan <peng.fan@xxxxxxx>
> >
> > There are clocks:
> > system critical, not allow linux to disable, change rate allow linux
> > to get rate, because some periphals will use the frequency to
> > configure periphals.
> >
> > So introduce an attribute to indicated FIXED clock
> >
>
> Hi,
>
> (CCed souvik.chakravarty@xxxxxxx)
>
> so AFAIU here you are describing a clock that really is NOT fixed in general, it
> is just that the Linux SCMI Agent cannot touch it, but other SCMI agents on
> the system CAN change it and so, on one side, you keep the ability for the
> Linux agent to read back the current rate with
> recalc_rate() and remove all the Clk frameworks callbacks needed to modify
> its state, am I right ?
Right.
>
> In this scenario, it is really the SCMI platform fw (server) that has to
> implement the checks and simply DENY the requests coming from an agent
> that is not supposed to touch that clock, while allowing the current rate to be
> retrieved.
Linux will try to enable, get rate, runtime disable the clock.
But the server does not allow enable/disable the clock, so the driver probe
will fail.
The SCMI server could bypass enable/disable and only allow get rate,
But this introduces heavy RPC, so just wanna whether it is ok to register
fixed clock and avoid RPC.
>
> JUNO/SCP is an example of how the CPUs clocks are visible to Linux BUT
> cannot be touched directly via Clock protocol by Linux since in the SCMI
> world you are supposed to use the Perf protocol instead to change the OPPs
> when you want to modify the performance level of the runnning CPU.
>
> This kind of server-side permissions checks, meant to filter access to resources
> based on the requesting agent, are part of the SCMI declared aim to push the
> responsibility of such controls out of the kernel into the platform fw in order
> to avoid attacks like CLOCK_SCREW by letting the SCMI firmware be the one
> and only final arbiter on the requests coming from the agents; you can ask
> teh server whatever you like as an agent but your request can be DENIED or
> silently ignored (in case of shared resources) at the will of the platform which
> has the final say and it is implemented in a physically distinct code-base.
>
> It seems to me that this patch and the possible associated SCMI specification
> change would give back the control to the Linux agent and could allow the
> implementation of an SCMI Server that does NOT perform any of these
> permission checks.
>
> So, IMO, while this change, on one side, could be certainly useful by removing
> a bunch of unused/uneeded callbacks from the CLK SCMI driver when a fixed
> clock is identified, it could open the door to a bad implementation like the
> one mentioned above which does NOT perform any agent-based permission
> check.
Thanks for detailed information, let me check whether our SCMI firmware
could do more on the permission side. But if RPC could be removed,
it could save some time.
Thanks,
Peng.
>
> Maybe Sudeep or Souvik think differently.
>
> Thanks,
> Cristian
>
>
> > Signed-off-by: Peng Fan <peng.fan@xxxxxxx>
> > ---
> > drivers/clk/clk-scmi.c | 6 ++++++
> > drivers/firmware/arm_scmi/clock.c | 5 ++++-
> > include/linux/scmi_protocol.h | 1 +
> > 3 files changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/clk/clk-scmi.c b/drivers/clk/clk-scmi.c index
> > 8cbe24789c24..a539a35bd45a 100644
> > --- a/drivers/clk/clk-scmi.c
> > +++ b/drivers/clk/clk-scmi.c
> > @@ -182,6 +182,10 @@ static const struct clk_ops scmi_clk_ops = {
> > .determine_rate = scmi_clk_determine_rate, };
> >
> > +static const struct clk_ops scmi_fixed_rate_clk_ops = {
> > + .recalc_rate = scmi_clk_recalc_rate, };
> > +
> > static const struct clk_ops scmi_atomic_clk_ops = {
> > .recalc_rate = scmi_clk_recalc_rate,
> > .round_rate = scmi_clk_round_rate,
> > @@ -293,6 +297,8 @@ static int scmi_clocks_probe(struct scmi_device
> *sdev)
> > if (is_atomic &&
> > sclk->info->enable_latency <= atomic_threshold)
> > scmi_ops = &scmi_atomic_clk_ops;
> > + else if (sclk->info->rate_fixed)
> > + scmi_ops = &scmi_fixed_rate_clk_ops;
> > else
> > scmi_ops = &scmi_clk_ops;
> >
> > diff --git a/drivers/firmware/arm_scmi/clock.c
> > b/drivers/firmware/arm_scmi/clock.c
> > index ddaef34cd88b..8c52db539e54 100644
> > --- a/drivers/firmware/arm_scmi/clock.c
> > +++ b/drivers/firmware/arm_scmi/clock.c
> > @@ -46,6 +46,7 @@ struct scmi_msg_resp_clock_attributes {
> > #define SUPPORTS_RATE_CHANGE_REQUESTED_NOTIF(x) ((x) &
> BIT(30))
> > #define SUPPORTS_EXTENDED_NAMES(x) ((x) & BIT(29))
> > #define SUPPORTS_PARENT_CLOCK(x) ((x) & BIT(28))
> > +#define SUPPORTS_FIXED_RATE_CLOCK(x) ((x) & BIT(27))
> > u8 name[SCMI_SHORT_NAME_MAX_SIZE];
> > __le32 clock_enable_latency;
> > };
> > @@ -326,7 +327,9 @@ static int scmi_clock_attributes_get(const struct
> scmi_protocol_handle *ph,
> > clk->rate_changed_notifications = true;
> > if (SUPPORTS_RATE_CHANGE_REQUESTED_NOTIF(attributes))
> > clk->rate_change_requested_notifications = true;
> > - if (SUPPORTS_PARENT_CLOCK(attributes))
> > + if (SUPPORTS_FIXED_RATE_CLOCK(attributes))
> > + clk->rate_fixed = true;
> > + else if (SUPPORTS_PARENT_CLOCK(attributes))
> > scmi_clock_possible_parents(ph, clk_id, clk);
> > }
> >
> > diff --git a/include/linux/scmi_protocol.h
> > b/include/linux/scmi_protocol.h index f2f05fb42d28..e068004c151a
> > 100644
> > --- a/include/linux/scmi_protocol.h
> > +++ b/include/linux/scmi_protocol.h
> > @@ -47,6 +47,7 @@ struct scmi_clock_info {
> > bool rate_discrete;
> > bool rate_changed_notifications;
> > bool rate_change_requested_notifications;
> > + bool rate_fixed;
> > union {
> > struct {
> > int num_rates;
> > --
> > 2.37.1
> >