[PATCH] platform: generic: renesas: rzfive: Configure the Local memory regions as part of root domain

Palmer Dabbelt palmer at dabbelt.com
Wed Jan 11 12:02:26 PST 2023 

On Wed, 11 Jan 2023 11:49:08 PST (-0800), prabhakar.csengg at gmail.com wrote:
> Hi Palmer,
>
> Just to give a brief, as there wasn't any way the ILM/DLM be disabled
> so the only thing we came across is the Physical Memory Protection
> Unit Configuration & Address Registers block on the Andes Core (and I
> believe all the RISC-V cores have it)
>
> The PMP Configuration Registers (pmpcfg0 and pmpcfg2 0x3A0 and 0x3A2)
> allow regions to be configured with permissions, hence this approach
> is being currently used to disallow any sort of access (M/S/U modes)
> to the local memory regions.
>
> Is there a better approach which I am not aware of?

Nothing I can think of, but I don't know a lot about the processor -- I 
hadn't even thought to check that the PMPs can trigger when the VA 
checks aren't ;)

> On Wed, Jan 11, 2023 at 7:18 PM Palmer Dabbelt <palmer at dabbelt.com> wrote:
>>
>> On Wed, 11 Jan 2023 02:15:11 PST (-0800), prabhakar.mahadev-lad.rj at bp.renesas.com wrote:
>> > Renesas RZ/Five RISC-V SoC has Instruction local memory and Data local
>> > memory (ILM & DLM) mapped between region 0x30000 - 0x4FFFF. When a
>> > virtual address falls within this range, the MMU doesn't trigger a page
>> > fault; it assumes the virtual address is a physical address which can
>> > cause undesired behaviours for statically linked applications/libraries.
>> >
>> > To avoid this, add the ILM/DLM memory regions to the root domain region
>> > of the PMPU with permissions set to 0x0 so that any access to these
>> > regions gets blocked.
>> >
>> > Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj at bp.renesas.com>
>> > ---
>> >  platform/generic/renesas/rzfive/rzfive.c | 18 ++++++++++++++++++
>> >  1 file changed, 18 insertions(+)
>> >
>> > diff --git a/platform/generic/renesas/rzfive/rzfive.c b/platform/generic/renesas/rzfive/rzfive.c
>> > index ca182e3..76f2d3a 100644
>> > --- a/platform/generic/renesas/rzfive/rzfive.c
>> > +++ b/platform/generic/renesas/rzfive/rzfive.c
>> > @@ -5,8 +5,25 @@
>> >   */
>> >
>> >  #include <platform_override.h>
>> > +#include <sbi/sbi_domain.h>
>>
>> I can't find sbi_domain, do you have pointer to whatever this depends
>> on?
>>
> https://github.com/riscv-software-src/opensbi/blob/master/docs/domain_support.md#root-domain
> https://github.com/riscv-software-src/opensbi/blob/master/include/sbi/sbi_domain.h#L236

Thanks, I hadn't been looking closely enough and thought this was Linux 
code... oops!

>> >  #include <sbi_utils/fdt/fdt_helper.h>
>> >
>> > +int renesas_rzfive_early_init(bool cold_boot, const struct fdt_match *match)
>> > +{
>> > +     /*
>> > +      * Renesas RZ/Five RISC-V SoC has Instruction local memory and
>> > +      * Data local memory (ILM & DLM) mapped between region 0x30000
>> > +      * to 0x4FFFF. When a virtual address falls within this range,
>> > +      * the MMU doesn't trigger a page fault; it assumes the virtual
>> > +      * address is a physical address which can cause undesired
>> > +      * behaviours for statically linked applications/libraries. To
>> > +      * avoid this, add the ILM/DLM memory regions to the root domain
>> > +      * region of the PMPU with permissions set to 0x0 so that any
>> > +      * access to these regions gets blocked.
>>
>> "blocked" means it traps with an invalid access exception?  If so we
>> just need to make sure that somehow gets plumbed back in to userspace.
>>
> Yes it traps with invalid exception something like below:
>
> [   30.269199] do_trap: 3 callbacks suppressed
> [   30.269223] security[160]: unhandled signal 11 code 0x2 at
> 0x00000000000105bc in security[10000+1000]
> [   30.282791] CPU: 0 PID: 160 Comm: security Not tainted
> 6.2.0-rc1-00124-g11313d81178f-dirty #286
> [   30.291498] Hardware name: Renesas SMARC EVK based on r9a07g043f01 (DT)
> [   30.298111] epc : 00000000000105bc ra : 000000000001076e sp :
> 0000003fc5c40a00
> [   30.305328]  gp : 0000000000012800 tp : 0000003f9265f200 t0 :
> 0000000000000844
> [   30.312543]  t1 : 0000003f92574f5a t2 : 00000000000124a0 s0 :
> 0000003fc5c40a30
> [   30.319757]  s1 : 00000000000107ee a0 : 0000000000000000 a1 :
> 0000003fc5c40bb8
> [   30.326972]  a2 : 0000003fc5c40bd0 a3 : 0000000000000000 a4 :
> 0000000000000000
> [   30.334186]  a5 : 0000000000030000 a6 : 0000003f92659d18 a7 :
> 0000000000000000
> [   30.341400]  s2 : 0000002ac4b1ef60 s3 : 0000003fb1cde918 s4 :
> 0000000000000000
> [   30.348615]  s5 : 0000002ac4b1ed90 s6 : 0000002ac4b1eac0 s7 :
> 0000002ac4b1eea0
> [   30.355829]  s8 : 0000002ac4b1eee0 s9 : 0000000000000000 s10:
> 0000002ac4adb584
> [   30.363043]  s11: 0000000000000000 t3 : 000000000001ff5a t4 :
> 0000000000000002
> [   30.370266]  t5 : 0000000000000002 t6 : 0000000000000040
> [   30.375579] status: 8000000200006020 badaddr: 0000000000030000
> cause: 0000000000000007
> [   30.393931] audit: type=1701 audit(1673013990.143:11):
> auid=4294967295 uid=0 gid=0 ses=4294967295 pid=160 comm="security"
> exe="/home/root/security" sig=11 res=1
> Segmentation fault
>
> Even statically compiled applications will now fail with signal trap 11.

Awesome!  That should go a long way towards making this thing actually 
usable.

>> > +      */
>> > +     return sbi_domain_root_add_memrange(0x30000, 0x20000, 0x1000, 0x0);
>>
>> Since I couldn't find the code, does this also hook into something
>> (maybe memblock?) to prevent allocating this region?  Nothing we can do
>> if userspace asks for the VAs specifically via mmap(), but we should at
>> least avoid allocating them when we can do so.
>>
> It just creates nodes on reserved-memory something like below:
>
> => fdt list /reserved-memory/mmode_resv0
> mmode_resv0 at 30000 {
>         reg = <0x00000000 0x00030000 0x00000000 0x00010000>;
> };
> => fdt list /reserved-memory/mmode_resv1
> mmode_resv1 at 40000 {
>         reg = <0x00000000 0x00040000 0x00000000 0x00010000>;
> };
>
> We could add a no-map property to hint the kernel to carveout the
> local memory regions maybe?
>
> As we have no use case for ILM/DLM in Linux even mmap() access will be
> blocked to this region with this patch.

Having the no-map seems reasonable to me.  If someone figures out a use 
case for these we can always do something to make it work later, but 
that'll keep userspace from ending up with these regions mapped.

>
> Cheers,
> Prabhakar

More information about the opensbi mailing list