public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
@ 2020-06-23 17:57 Ard Biesheuvel
  2020-06-23 20:41 ` Laszlo Ersek
  0 siblings, 1 reply; 14+ messages in thread
From: Ard Biesheuvel @ 2020-06-23 17:57 UTC (permalink / raw)
  To: devel; +Cc: lersek, philmd, Ard Biesheuvel

Our UEFI guest firmware takes ownership of the emulated NOR flash in
order to support the variable runtime services, and it does not expect
the OS to interfere with the underlying storage directly. So disable
the NOR flash DT nodes as we discover them, in a way similar to how we
disable the PL031 RTC in the device tree when we attach our RTC runtime
driver to it.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
---
 ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
index 9b1d1184bdd3..c676039785be 100644
--- a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
+++ b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
@@ -86,6 +86,18 @@ NorFlashPlatformGetDevices (
       mNorFlashDevices[Num].BlockSize         = QEMU_NOR_BLOCK_SIZE;
       Num++;
     }
+
+    //
+    // UEFI takes ownership of the NOR flash, and exposes its functionality
+    // through the UEFI Runtime Services GetVariable, SetVariable, etc. This
+    // means we need to disable it in the device tree to prevent the OS from
+    // attaching its device driver as well.
+    //
+    Status = FdtClient->SetNodeProperty (FdtClient, Node, "status",
+                          "disabled", sizeof ("disabled"));
+    if (EFI_ERROR (Status)) {
+        DEBUG ((EFI_D_WARN, "Failed to set NOR flash status to 'disabled'\n"));
+    }
   }
 
   *NorFlashDescriptions = mNorFlashDevices;
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* Re: [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-23 17:57 [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery Ard Biesheuvel
@ 2020-06-23 20:41 ` Laszlo Ersek
  2020-06-24  7:19   ` Ard Biesheuvel
  0 siblings, 1 reply; 14+ messages in thread
From: Laszlo Ersek @ 2020-06-23 20:41 UTC (permalink / raw)
  To: Ard Biesheuvel, devel; +Cc: philmd

On 06/23/20 19:57, Ard Biesheuvel wrote:
> Our UEFI guest firmware takes ownership of the emulated NOR flash in
> order to support the variable runtime services, and it does not expect
> the OS to interfere with the underlying storage directly. So disable
> the NOR flash DT nodes as we discover them, in a way similar to how we
> disable the PL031 RTC in the device tree when we attach our RTC runtime
> driver to it.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
> ---
>  ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>
> diff --git a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
> index 9b1d1184bdd3..c676039785be 100644
> --- a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
> +++ b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
> @@ -86,6 +86,18 @@ NorFlashPlatformGetDevices (
>        mNorFlashDevices[Num].BlockSize         = QEMU_NOR_BLOCK_SIZE;
>        Num++;
>      }
> +
> +    //
> +    // UEFI takes ownership of the NOR flash, and exposes its functionality
> +    // through the UEFI Runtime Services GetVariable, SetVariable, etc. This
> +    // means we need to disable it in the device tree to prevent the OS from
> +    // attaching its device driver as well.
> +    //
> +    Status = FdtClient->SetNodeProperty (FdtClient, Node, "status",
> +                          "disabled", sizeof ("disabled"));
> +    if (EFI_ERROR (Status)) {
> +        DEBUG ((EFI_D_WARN, "Failed to set NOR flash status to 'disabled'\n"));
> +    }
>    }
>
>    *NorFlashDescriptions = mNorFlashDevices;
>

Higher up we have (in the inner loop):

>       //
>       // Disregard any flash devices that overlap with the primary FV.
>       // The firmware is not updatable from inside the guest anyway.
>       //
>       if ((PcdGet64 (PcdFvBaseAddress) + PcdGet32 (PcdFvSize) > Base) &&
>           (Base + Size) > PcdGet64 (PcdFvBaseAddress)) {
>         continue;
>       }

(1) If we never append any (Base, Size) "reg" pair to "mNorFlashDevices"
for a particular cfi-flash node, should we still "own" that node?

How about something like (on top of your patch):

> diff --git a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
> index c676039785be..d063d69580e5 100644
> --- a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
> +++ b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
> @@ -42,6 +42,7 @@ NorFlashPlatformGetDevices (
>    UINT32                      Num;
>    UINT64                      Base;
>    UINT64                      Size;
> +  BOOLEAN                     FirmwareOwned;
>
>    Status = gBS->LocateProtocol (&gFdtClientProtocolGuid, NULL,
>                    (VOID **)&FdtClient);
> @@ -64,6 +65,7 @@ NorFlashPlatformGetDevices (
>
>      ASSERT ((PropSize % (4 * sizeof (UINT32))) == 0);
>
> +    FirmwareOwned = FALSE;
>      while (PropSize >= (4 * sizeof (UINT32)) && Num < MAX_FLASH_BANKS) {
>        Base = SwapBytes64 (ReadUnaligned64 ((VOID *)&Reg[0]));
>        Size = SwapBytes64 (ReadUnaligned64 ((VOID *)&Reg[2]));
> @@ -80,6 +82,7 @@ NorFlashPlatformGetDevices (
>          continue;
>        }
>
> +      FirmwareOwned = TRUE;
>        mNorFlashDevices[Num].DeviceBaseAddress = (UINTN)Base;
>        mNorFlashDevices[Num].RegionBaseAddress = (UINTN)Base;
>        mNorFlashDevices[Num].Size              = (UINTN)Size;
> @@ -87,6 +90,10 @@ NorFlashPlatformGetDevices (
>        Num++;
>      }
>
> +    if (!FirmwareOwned) {
> +      continue;
> +    }
> +
>      //
>      // UEFI takes ownership of the NOR flash, and exposes its functionality
>      // through the UEFI Runtime Services GetVariable, SetVariable, etc. This


(2) If this makes no difference in practice, then I'm fine with the
patch as posted, too:

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

Just wanted to raise the question.


(3) Hm... if we *deliberately* want to prevent the OS from attaching its
flash driver to the "code" flash chip too, then the logic is good as
posted, of course; but in that case, should the comment perhaps be more
generic than "UEFI Runtime Services GetVariable, SetVariable"? Because
then we "disable" flash nodes in the DT for two reasons: (a) varstore,
(b) fw executable.

If this is the case, then with a comment / commit message update:

Reviewed-by: Laszlo Ersek <lersek@redhat.com>


(4) Is there a particular guest kernel commit that exposes the issue? Or
maybe a CONFIG knob? Can we mention whichever applies, in the commit
message?

Thanks!
Laszlo


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-23 20:41 ` Laszlo Ersek
@ 2020-06-24  7:19   ` Ard Biesheuvel
  2020-06-24  9:00     ` Laszlo Ersek
  2020-06-24 11:20     ` [edk2-devel] " Laszlo Ersek
  0 siblings, 2 replies; 14+ messages in thread
From: Ard Biesheuvel @ 2020-06-24  7:19 UTC (permalink / raw)
  To: Laszlo Ersek, devel; +Cc: philmd

On 6/23/20 10:41 PM, Laszlo Ersek wrote:
> On 06/23/20 19:57, Ard Biesheuvel wrote:
>> Our UEFI guest firmware takes ownership of the emulated NOR flash in
>> order to support the variable runtime services, and it does not expect
>> the OS to interfere with the underlying storage directly. So disable
>> the NOR flash DT nodes as we discover them, in a way similar to how we
>> disable the PL031 RTC in the device tree when we attach our RTC runtime
>> driver to it.
>>
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
>> ---
>>   ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c | 12 ++++++++++++
>>   1 file changed, 12 insertions(+)
>>
>> diff --git a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>> index 9b1d1184bdd3..c676039785be 100644
>> --- a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>> +++ b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>> @@ -86,6 +86,18 @@ NorFlashPlatformGetDevices (
>>         mNorFlashDevices[Num].BlockSize         = QEMU_NOR_BLOCK_SIZE;
>>         Num++;
>>       }
>> +
>> +    //
>> +    // UEFI takes ownership of the NOR flash, and exposes its functionality
>> +    // through the UEFI Runtime Services GetVariable, SetVariable, etc. This
>> +    // means we need to disable it in the device tree to prevent the OS from
>> +    // attaching its device driver as well.
>> +    //
>> +    Status = FdtClient->SetNodeProperty (FdtClient, Node, "status",
>> +                          "disabled", sizeof ("disabled"));
>> +    if (EFI_ERROR (Status)) {
>> +        DEBUG ((EFI_D_WARN, "Failed to set NOR flash status to 'disabled'\n"));
>> +    }
>>     }
>>
>>     *NorFlashDescriptions = mNorFlashDevices;
>>
> 
> Higher up we have (in the inner loop):
> 
>>        //
>>        // Disregard any flash devices that overlap with the primary FV.
>>        // The firmware is not updatable from inside the guest anyway.
>>        //
>>        if ((PcdGet64 (PcdFvBaseAddress) + PcdGet32 (PcdFvSize) > Base) &&
>>            (Base + Size) > PcdGet64 (PcdFvBaseAddress)) {
>>          continue;
>>        }
> 
> (1) If we never append any (Base, Size) "reg" pair to "mNorFlashDevices"
> for a particular cfi-flash node, should we still "own" that node?
> 

It depends. In practice, we will always have two, of which one needs to 
be protected, and the other one is often backed in readonly mode, and so 
all the guest can do is read or execute from it.

So we might expose the FW one, as it would not interfere with the 
variable runtime services, but it is not that useful imo.

> How about something like (on top of your patch):
> 
>> diff --git a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>> index c676039785be..d063d69580e5 100644
>> --- a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>> +++ b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>> @@ -42,6 +42,7 @@ NorFlashPlatformGetDevices (
>>     UINT32                      Num;
>>     UINT64                      Base;
>>     UINT64                      Size;
>> +  BOOLEAN                     FirmwareOwned;
>>
>>     Status = gBS->LocateProtocol (&gFdtClientProtocolGuid, NULL,
>>                     (VOID **)&FdtClient);
>> @@ -64,6 +65,7 @@ NorFlashPlatformGetDevices (
>>
>>       ASSERT ((PropSize % (4 * sizeof (UINT32))) == 0);
>>
>> +    FirmwareOwned = FALSE;
>>       while (PropSize >= (4 * sizeof (UINT32)) && Num < MAX_FLASH_BANKS) {
>>         Base = SwapBytes64 (ReadUnaligned64 ((VOID *)&Reg[0]));
>>         Size = SwapBytes64 (ReadUnaligned64 ((VOID *)&Reg[2]));
>> @@ -80,6 +82,7 @@ NorFlashPlatformGetDevices (
>>           continue;
>>         }
>>
>> +      FirmwareOwned = TRUE;
>>         mNorFlashDevices[Num].DeviceBaseAddress = (UINTN)Base;
>>         mNorFlashDevices[Num].RegionBaseAddress = (UINTN)Base;
>>         mNorFlashDevices[Num].Size              = (UINTN)Size;
>> @@ -87,6 +90,10 @@ NorFlashPlatformGetDevices (
>>         Num++;
>>       }
>>
>> +    if (!FirmwareOwned) {
>> +      continue;
>> +    }
>> +
>>       //
>>       // UEFI takes ownership of the NOR flash, and exposes its functionality
>>       // through the UEFI Runtime Services GetVariable, SetVariable, etc. This
> 
> 
> (2) If this makes no difference in practice, then I'm fine with the
> patch as posted, too:
> 
> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> 

Thanks

> Just wanted to raise the question.
> 
> 
> (3) Hm... if we *deliberately* want to prevent the OS from attaching its
> flash driver to the "code" flash chip too, then the logic is good as
> posted, of course; but in that case, should the comment perhaps be more
> generic than "UEFI Runtime Services GetVariable, SetVariable"? Because
> then we "disable" flash nodes in the DT for two reasons: (a) varstore,
> (b) fw executable.
> 
> If this is the case, then with a comment / commit message update:
> 
> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> 
> 
> (4) Is there a particular guest kernel commit that exposes the issue? Or
> maybe a CONFIG knob? Can we mention whichever applies, in the commit
> message?
> 

The arm64 defconfig was recently updated with MTD support, and so the 
flash banks are now claimed by the CFI flash driver. I saw the same on 
32-bit ARM today, and I am not sure if it is a change there or whether 
it was always like that (for multi_v7_defconfig) but there is no good 
reason to keep supporting this.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24  7:19   ` Ard Biesheuvel
@ 2020-06-24  9:00     ` Laszlo Ersek
  2020-06-24  9:35       ` Philippe Mathieu-Daudé
  2020-06-24 11:20     ` [edk2-devel] " Laszlo Ersek
  1 sibling, 1 reply; 14+ messages in thread
From: Laszlo Ersek @ 2020-06-24  9:00 UTC (permalink / raw)
  To: Ard Biesheuvel, devel; +Cc: philmd

On 06/24/20 09:19, Ard Biesheuvel wrote:
> On 6/23/20 10:41 PM, Laszlo Ersek wrote:
>> On 06/23/20 19:57, Ard Biesheuvel wrote:
>>> Our UEFI guest firmware takes ownership of the emulated NOR flash in
>>> order to support the variable runtime services, and it does not expect
>>> the OS to interfere with the underlying storage directly. So disable
>>> the NOR flash DT nodes as we discover them, in a way similar to how we
>>> disable the PL031 RTC in the device tree when we attach our RTC runtime
>>> driver to it.
>>>
>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
>>> ---
>>>   ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c | 12 ++++++++++++
>>>   1 file changed, 12 insertions(+)
>>>
>>> diff --git a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>> b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>> index 9b1d1184bdd3..c676039785be 100644
>>> --- a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>> +++ b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>> @@ -86,6 +86,18 @@ NorFlashPlatformGetDevices (
>>>         mNorFlashDevices[Num].BlockSize         = QEMU_NOR_BLOCK_SIZE;
>>>         Num++;
>>>       }
>>> +
>>> +    //
>>> +    // UEFI takes ownership of the NOR flash, and exposes its
>>> functionality
>>> +    // through the UEFI Runtime Services GetVariable, SetVariable,
>>> etc. This
>>> +    // means we need to disable it in the device tree to prevent the
>>> OS from
>>> +    // attaching its device driver as well.
>>> +    //
>>> +    Status = FdtClient->SetNodeProperty (FdtClient, Node, "status",
>>> +                          "disabled", sizeof ("disabled"));
>>> +    if (EFI_ERROR (Status)) {
>>> +        DEBUG ((EFI_D_WARN, "Failed to set NOR flash status to
>>> 'disabled'\n"));
>>> +    }
>>>     }
>>>
>>>     *NorFlashDescriptions = mNorFlashDevices;
>>>
>>
>> Higher up we have (in the inner loop):
>>
>>>        //
>>>        // Disregard any flash devices that overlap with the primary FV.
>>>        // The firmware is not updatable from inside the guest anyway.
>>>        //
>>>        if ((PcdGet64 (PcdFvBaseAddress) + PcdGet32 (PcdFvSize) >
>>> Base) &&
>>>            (Base + Size) > PcdGet64 (PcdFvBaseAddress)) {
>>>          continue;
>>>        }
>>
>> (1) If we never append any (Base, Size) "reg" pair to "mNorFlashDevices"
>> for a particular cfi-flash node, should we still "own" that node?
>>
> 
> It depends. In practice, we will always have two, of which one needs to
> be protected, and the other one is often backed in readonly mode, and so
> all the guest can do is read or execute from it.
> 
> So we might expose the FW one, as it would not interfere with the
> variable runtime services, but it is not that useful imo.
> 
>> How about something like (on top of your patch):
>>
>>> diff --git a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>> b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>> index c676039785be..d063d69580e5 100644
>>> --- a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>> +++ b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>> @@ -42,6 +42,7 @@ NorFlashPlatformGetDevices (
>>>     UINT32                      Num;
>>>     UINT64                      Base;
>>>     UINT64                      Size;
>>> +  BOOLEAN                     FirmwareOwned;
>>>
>>>     Status = gBS->LocateProtocol (&gFdtClientProtocolGuid, NULL,
>>>                     (VOID **)&FdtClient);
>>> @@ -64,6 +65,7 @@ NorFlashPlatformGetDevices (
>>>
>>>       ASSERT ((PropSize % (4 * sizeof (UINT32))) == 0);
>>>
>>> +    FirmwareOwned = FALSE;
>>>       while (PropSize >= (4 * sizeof (UINT32)) && Num <
>>> MAX_FLASH_BANKS) {
>>>         Base = SwapBytes64 (ReadUnaligned64 ((VOID *)&Reg[0]));
>>>         Size = SwapBytes64 (ReadUnaligned64 ((VOID *)&Reg[2]));
>>> @@ -80,6 +82,7 @@ NorFlashPlatformGetDevices (
>>>           continue;
>>>         }
>>>
>>> +      FirmwareOwned = TRUE;
>>>         mNorFlashDevices[Num].DeviceBaseAddress = (UINTN)Base;
>>>         mNorFlashDevices[Num].RegionBaseAddress = (UINTN)Base;
>>>         mNorFlashDevices[Num].Size              = (UINTN)Size;
>>> @@ -87,6 +90,10 @@ NorFlashPlatformGetDevices (
>>>         Num++;
>>>       }
>>>
>>> +    if (!FirmwareOwned) {
>>> +      continue;
>>> +    }
>>> +
>>>       //
>>>       // UEFI takes ownership of the NOR flash, and exposes its
>>> functionality
>>>       // through the UEFI Runtime Services GetVariable, SetVariable,
>>> etc. This
>>
>>
>> (2) If this makes no difference in practice, then I'm fine with the
>> patch as posted, too:
>>
>> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
>>
> 
> Thanks
> 
>> Just wanted to raise the question.
>>
>>
>> (3) Hm... if we *deliberately* want to prevent the OS from attaching its
>> flash driver to the "code" flash chip too, then the logic is good as
>> posted, of course; but in that case, should the comment perhaps be more
>> generic than "UEFI Runtime Services GetVariable, SetVariable"? Because
>> then we "disable" flash nodes in the DT for two reasons: (a) varstore,
>> (b) fw executable.
>>
>> If this is the case, then with a comment / commit message update:
>>
>> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
>>
>>
>> (4) Is there a particular guest kernel commit that exposes the issue? Or
>> maybe a CONFIG knob? Can we mention whichever applies, in the commit
>> message?
>>
> 
> The arm64 defconfig was recently updated with MTD support, and so the
> flash banks are now claimed by the CFI flash driver.

That seems to suggest commit ce693fc2a877 ("arm64: defconfig: Enable
flash device drivers for QorIQ boards", 2020-03-16).

> I saw the same on
> 32-bit ARM today, and I am not sure if it is a change there or whether
> it was always like that (for multi_v7_defconfig)

Seems to come from commit 5f068190cc10 ("ARM: multi_v7_defconfig: Enable
support for CFI NOR FLASH", 2019-04-03) -- also quite recent.

> but there is no good reason to keep supporting this.

I agree -- I'm asking because backporting your edk2 patch to downstreams
could depend on the presence of these kernel commits in the guests those
downstreams support. So mentioning the kernel commits can help
downstreams evaluate the edk2 backport.

Thanks!
Laszlo


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24  9:00     ` Laszlo Ersek
@ 2020-06-24  9:35       ` Philippe Mathieu-Daudé
  0 siblings, 0 replies; 14+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-24  9:35 UTC (permalink / raw)
  To: Laszlo Ersek, Ard Biesheuvel, devel

On 6/24/20 11:00 AM, Laszlo Ersek wrote:
> On 06/24/20 09:19, Ard Biesheuvel wrote:
>> On 6/23/20 10:41 PM, Laszlo Ersek wrote:
>>> On 06/23/20 19:57, Ard Biesheuvel wrote:
>>>> Our UEFI guest firmware takes ownership of the emulated NOR flash in
>>>> order to support the variable runtime services, and it does not expect
>>>> the OS to interfere with the underlying storage directly. So disable
>>>> the NOR flash DT nodes as we discover them, in a way similar to how we
>>>> disable the PL031 RTC in the device tree when we attach our RTC runtime
>>>> driver to it.
>>>>
>>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
>>>> ---
>>>>   ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c | 12 ++++++++++++
>>>>   1 file changed, 12 insertions(+)
>>>>
>>>> diff --git a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>>> b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>>> index 9b1d1184bdd3..c676039785be 100644
>>>> --- a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>>> +++ b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>>> @@ -86,6 +86,18 @@ NorFlashPlatformGetDevices (
>>>>         mNorFlashDevices[Num].BlockSize         = QEMU_NOR_BLOCK_SIZE;
>>>>         Num++;
>>>>       }
>>>> +
>>>> +    //
>>>> +    // UEFI takes ownership of the NOR flash, and exposes its
>>>> functionality
>>>> +    // through the UEFI Runtime Services GetVariable, SetVariable,
>>>> etc. This
>>>> +    // means we need to disable it in the device tree to prevent the
>>>> OS from
>>>> +    // attaching its device driver as well.
>>>> +    //
>>>> +    Status = FdtClient->SetNodeProperty (FdtClient, Node, "status",
>>>> +                          "disabled", sizeof ("disabled"));
>>>> +    if (EFI_ERROR (Status)) {
>>>> +        DEBUG ((EFI_D_WARN, "Failed to set NOR flash status to
>>>> 'disabled'\n"));
>>>> +    }
>>>>     }
>>>>
>>>>     *NorFlashDescriptions = mNorFlashDevices;
>>>>
>>>
>>> Higher up we have (in the inner loop):
>>>
>>>>        //
>>>>        // Disregard any flash devices that overlap with the primary FV.
>>>>        // The firmware is not updatable from inside the guest anyway.
>>>>        //
>>>>        if ((PcdGet64 (PcdFvBaseAddress) + PcdGet32 (PcdFvSize) >
>>>> Base) &&
>>>>            (Base + Size) > PcdGet64 (PcdFvBaseAddress)) {
>>>>          continue;
>>>>        }
>>>
>>> (1) If we never append any (Base, Size) "reg" pair to "mNorFlashDevices"
>>> for a particular cfi-flash node, should we still "own" that node?
>>>
>>
>> It depends. In practice, we will always have two, of which one needs to
>> be protected, and the other one is often backed in readonly mode, and so
>> all the guest can do is read or execute from it.
>>
>> So we might expose the FW one, as it would not interfere with the
>> variable runtime services, but it is not that useful imo.
>>
>>> How about something like (on top of your patch):
>>>
>>>> diff --git a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>>> b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>>> index c676039785be..d063d69580e5 100644
>>>> --- a/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>>> +++ b/ArmVirtPkg/Library/NorFlashQemuLib/NorFlashQemuLib.c
>>>> @@ -42,6 +42,7 @@ NorFlashPlatformGetDevices (
>>>>     UINT32                      Num;
>>>>     UINT64                      Base;
>>>>     UINT64                      Size;
>>>> +  BOOLEAN                     FirmwareOwned;
>>>>
>>>>     Status = gBS->LocateProtocol (&gFdtClientProtocolGuid, NULL,
>>>>                     (VOID **)&FdtClient);
>>>> @@ -64,6 +65,7 @@ NorFlashPlatformGetDevices (
>>>>
>>>>       ASSERT ((PropSize % (4 * sizeof (UINT32))) == 0);
>>>>
>>>> +    FirmwareOwned = FALSE;
>>>>       while (PropSize >= (4 * sizeof (UINT32)) && Num <
>>>> MAX_FLASH_BANKS) {
>>>>         Base = SwapBytes64 (ReadUnaligned64 ((VOID *)&Reg[0]));
>>>>         Size = SwapBytes64 (ReadUnaligned64 ((VOID *)&Reg[2]));
>>>> @@ -80,6 +82,7 @@ NorFlashPlatformGetDevices (
>>>>           continue;
>>>>         }
>>>>
>>>> +      FirmwareOwned = TRUE;
>>>>         mNorFlashDevices[Num].DeviceBaseAddress = (UINTN)Base;
>>>>         mNorFlashDevices[Num].RegionBaseAddress = (UINTN)Base;
>>>>         mNorFlashDevices[Num].Size              = (UINTN)Size;
>>>> @@ -87,6 +90,10 @@ NorFlashPlatformGetDevices (
>>>>         Num++;
>>>>       }
>>>>
>>>> +    if (!FirmwareOwned) {
>>>> +      continue;
>>>> +    }
>>>> +
>>>>       //
>>>>       // UEFI takes ownership of the NOR flash, and exposes its
>>>> functionality
>>>>       // through the UEFI Runtime Services GetVariable, SetVariable,
>>>> etc. This
>>>
>>>
>>> (2) If this makes no difference in practice, then I'm fine with the
>>> patch as posted, too:
>>>
>>> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
>>>
>>
>> Thanks
>>
>>> Just wanted to raise the question.
>>>
>>>
>>> (3) Hm... if we *deliberately* want to prevent the OS from attaching its
>>> flash driver to the "code" flash chip too, then the logic is good as
>>> posted, of course; but in that case, should the comment perhaps be more
>>> generic than "UEFI Runtime Services GetVariable, SetVariable"? Because
>>> then we "disable" flash nodes in the DT for two reasons: (a) varstore,
>>> (b) fw executable.
>>>
>>> If this is the case, then with a comment / commit message update:
>>>
>>> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
>>>
>>>
>>> (4) Is there a particular guest kernel commit that exposes the issue? Or
>>> maybe a CONFIG knob? Can we mention whichever applies, in the commit
>>> message?
>>>
>>
>> The arm64 defconfig was recently updated with MTD support, and so the
>> flash banks are now claimed by the CFI flash driver.
> 
> That seems to suggest commit ce693fc2a877 ("arm64: defconfig: Enable
> flash device drivers for QorIQ boards", 2020-03-16).
> 
>> I saw the same on
>> 32-bit ARM today, and I am not sure if it is a change there or whether
>> it was always like that (for multi_v7_defconfig)
> 
> Seems to come from commit 5f068190cc10 ("ARM: multi_v7_defconfig: Enable
> support for CFI NOR FLASH", 2019-04-03) -- also quite recent.
> 
>> but there is no good reason to keep supporting this.

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

> 
> I agree -- I'm asking because backporting your edk2 patch to downstreams
> could depend on the presence of these kernel commits in the guests those
> downstreams support. So mentioning the kernel commits can help
> downstreams evaluate the edk2 backport.
> 
> Thanks!
> Laszlo
> 


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [edk2-devel] [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24  7:19   ` Ard Biesheuvel
  2020-06-24  9:00     ` Laszlo Ersek
@ 2020-06-24 11:20     ` Laszlo Ersek
  2020-06-24 11:43       ` Ard Biesheuvel
  1 sibling, 1 reply; 14+ messages in thread
From: Laszlo Ersek @ 2020-06-24 11:20 UTC (permalink / raw)
  To: ard.biesheuvel; +Cc: devel, Philippe Mathieu-Daudé, Drew Jones, Eric Auger

(CC Drew, Eric)

On 06/24/20 09:19, Ard Biesheuvel wrote:

> The arm64 defconfig was recently updated with MTD support, and so the
> flash banks are now claimed by the CFI flash driver. I saw the same on
> 32-bit ARM today, and I am not sure if it is a change there or whether
> it was always like that (for multi_v7_defconfig) but there is no good
> reason to keep supporting this.

Can the same (problematic) kernel driver binding occur via the ACPI
DSDT?

In this fw patch we hide the flash chip(s) from the guest kernel via
Device Tree only.

There isn't much I guess we can (or should) do about ACPI in the
firmware, but it would still be a conflict between the fw driver and the
kernel driver -- we might have to address that in QEMU (hide the pflash
in the ACPI generator when UEFI is used as guest firmware).

IIRC, in QEMU, we use "arm_boot_info.firmware_loaded", from
<include/hw/arm/boot.h>, to represent UEFI:

>     /* Boot firmware has been loaded, typically at address 0, with -bios or
>      * -pflash. It also implies that fw_cfg_find() will succeed.
>      */
>     bool firmware_loaded;

And we already seem to have this exact kind of distinction in QEMU; see
for example "hw/arm/virt.c":

>     if (has_ged && aarch64 && firmware_loaded && virt_is_acpi_enabled(vms)) {
>         vms->acpi_dev = create_acpi_ged(vms);
>     } else {
>         create_gpio(vms);
>     }

coming from commit cff51ac978c4 ("hw/arm/virt: Enable device memory
cold/hot plug with ACPI boot", 2019-10-05).

And (same file):

>         if (!vms->bootinfo.firmware_loaded || !virt_is_acpi_enabled(vms)) {
>             return HOTPLUG_HANDLER(machine);
>         }

coming from commit 70e89132c9e6 ("hw/arm/virt: Add the virtio-iommu
device tree mappings", 2020-02-27).

... Ah, I think I've found it [hw/arm/virt-acpi-build.c]:

> /* DSDT */
> static void
> build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
> {
>     Aml *scope, *dsdt;
>     MachineState *ms = MACHINE(vms);
>     const MemMapEntry *memmap = vms->memmap;
>     const int *irqmap = vms->irqmap;
>
>     dsdt = init_aml_allocator();
>     /* Reserve space for header */
>     acpi_data_push(dsdt->buf, sizeof(AcpiTableHeader));
>
>     /* When booting the VM with UEFI, UEFI takes ownership of the RTC hardware.
>      * While UEFI can use libfdt to disable the RTC device node in the DTB that
>      * it passes to the OS, it cannot modify AML. Therefore, we won't generate
>      * the RTC ACPI device at all when using UEFI.
>      */
>     scope = aml_scope("\\_SB");
>     acpi_dsdt_add_cpus(scope, vms->smp_cpus);
>     acpi_dsdt_add_uart(scope, &memmap[VIRT_UART],
>                        (irqmap[VIRT_UART] + ARM_SPI_BASE));
>     acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);

The ACPI generator already takes the RTC into account; see QEMU commit
67736a25f865 ("ARM: virt: Don't generate RTC ACPI device when using
UEFI", 2016-01-15).

Should we do the same for the acpi_dsdt_add_flash() call, now?

(This also suggests that my consideration of "firmware_loaded" above is
irrelevant, if we end up modifying the build_dsdt() function -- on
AARCH64, ACPI is only defined in UEFI terms (namely, as a UEFI system
config table), so in this function, the presence of UEFI can be assumed
"yes".)

Thanks!
Laszlo


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [edk2-devel] [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24 11:20     ` [edk2-devel] " Laszlo Ersek
@ 2020-06-24 11:43       ` Ard Biesheuvel
  2020-06-24 13:02         ` Philippe Mathieu-Daudé
  0 siblings, 1 reply; 14+ messages in thread
From: Ard Biesheuvel @ 2020-06-24 11:43 UTC (permalink / raw)
  To: devel, lersek; +Cc: Philippe Mathieu-Daudé, Drew Jones, Eric Auger

On 6/24/20 1:20 PM, Laszlo Ersek via groups.io wrote:
> (CC Drew, Eric)
> 
> On 06/24/20 09:19, Ard Biesheuvel wrote:
> 
>> The arm64 defconfig was recently updated with MTD support, and so the
>> flash banks are now claimed by the CFI flash driver. I saw the same on
>> 32-bit ARM today, and I am not sure if it is a change there or whether
>> it was always like that (for multi_v7_defconfig) but there is no good
>> reason to keep supporting this.
> 
> Can the same (problematic) kernel driver binding occur via the ACPI
> DSDT?
> 
> In this fw patch we hide the flash chip(s) from the guest kernel via
> Device Tree only.
> 
> There isn't much I guess we can (or should) do about ACPI in the
> firmware, but it would still be a conflict between the fw driver and the
> kernel driver -- we might have to address that in QEMU (hide the pflash
> in the ACPI generator when UEFI is used as guest firmware).
> 
> IIRC, in QEMU, we use "arm_boot_info.firmware_loaded", from
> <include/hw/arm/boot.h>, to represent UEFI:
> 
>>      /* Boot firmware has been loaded, typically at address 0, with -bios or
>>       * -pflash. It also implies that fw_cfg_find() will succeed.
>>       */
>>      bool firmware_loaded;
> 
> And we already seem to have this exact kind of distinction in QEMU; see
> for example "hw/arm/virt.c":
> 
>>      if (has_ged && aarch64 && firmware_loaded && virt_is_acpi_enabled(vms)) {
>>          vms->acpi_dev = create_acpi_ged(vms);
>>      } else {
>>          create_gpio(vms);
>>      }
> 
> coming from commit cff51ac978c4 ("hw/arm/virt: Enable device memory
> cold/hot plug with ACPI boot", 2019-10-05).
> 
> And (same file):
> 
>>          if (!vms->bootinfo.firmware_loaded || !virt_is_acpi_enabled(vms)) {
>>              return HOTPLUG_HANDLER(machine);
>>          }
> 
> coming from commit 70e89132c9e6 ("hw/arm/virt: Add the virtio-iommu
> device tree mappings", 2020-02-27).
> 
> ... Ah, I think I've found it [hw/arm/virt-acpi-build.c]:
> 
>> /* DSDT */
>> static void
>> build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
>> {
>>      Aml *scope, *dsdt;
>>      MachineState *ms = MACHINE(vms);
>>      const MemMapEntry *memmap = vms->memmap;
>>      const int *irqmap = vms->irqmap;
>>
>>      dsdt = init_aml_allocator();
>>      /* Reserve space for header */
>>      acpi_data_push(dsdt->buf, sizeof(AcpiTableHeader));
>>
>>      /* When booting the VM with UEFI, UEFI takes ownership of the RTC hardware.
>>       * While UEFI can use libfdt to disable the RTC device node in the DTB that
>>       * it passes to the OS, it cannot modify AML. Therefore, we won't generate
>>       * the RTC ACPI device at all when using UEFI.
>>       */
>>      scope = aml_scope("\\_SB");
>>      acpi_dsdt_add_cpus(scope, vms->smp_cpus);
>>      acpi_dsdt_add_uart(scope, &memmap[VIRT_UART],
>>                         (irqmap[VIRT_UART] + ARM_SPI_BASE));
>>      acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);
> 
> The ACPI generator already takes the RTC into account; see QEMU commit
> 67736a25f865 ("ARM: virt: Don't generate RTC ACPI device when using
> UEFI", 2016-01-15).
> 
> Should we do the same for the acpi_dsdt_add_flash() call, now?
> 
> (This also suggests that my consideration of "firmware_loaded" above is
> irrelevant, if we end up modifying the build_dsdt() function -- on
> AARCH64, ACPI is only defined in UEFI terms (namely, as a UEFI system
> config table), so in this function, the presence of UEFI can be assumed
> "yes".)
> 

I wasn't aware that we even expose the flash in the DSDT. In any case, 
no driver exists in Linux today that claims the LNRO0015 _HID, and so I 
agree we should simply remove it entirely.

However, I am no longer able to contribute to QEMU, so I was hoping you 
or Phil could take the action?

Thanks,
Ard.




^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [edk2-devel] [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24 11:43       ` Ard Biesheuvel
@ 2020-06-24 13:02         ` Philippe Mathieu-Daudé
  2020-06-24 13:41           ` Andrew Jones
  0 siblings, 1 reply; 14+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-24 13:02 UTC (permalink / raw)
  To: Ard Biesheuvel, devel, lersek; +Cc: Drew Jones, Eric Auger

On 6/24/20 1:43 PM, Ard Biesheuvel wrote:
> On 6/24/20 1:20 PM, Laszlo Ersek via groups.io wrote:
>> (CC Drew, Eric)
>>
>> On 06/24/20 09:19, Ard Biesheuvel wrote:
>>
>>> The arm64 defconfig was recently updated with MTD support, and so the
>>> flash banks are now claimed by the CFI flash driver. I saw the same on
>>> 32-bit ARM today, and I am not sure if it is a change there or whether
>>> it was always like that (for multi_v7_defconfig) but there is no good
>>> reason to keep supporting this.
>>
>> Can the same (problematic) kernel driver binding occur via the ACPI
>> DSDT?
>>
>> In this fw patch we hide the flash chip(s) from the guest kernel via
>> Device Tree only.
>>
>> There isn't much I guess we can (or should) do about ACPI in the
>> firmware, but it would still be a conflict between the fw driver and the
>> kernel driver -- we might have to address that in QEMU (hide the pflash
>> in the ACPI generator when UEFI is used as guest firmware).
>>
>> IIRC, in QEMU, we use "arm_boot_info.firmware_loaded", from
>> <include/hw/arm/boot.h>, to represent UEFI:
>>
>>>      /* Boot firmware has been loaded, typically at address 0, with
>>> -bios or
>>>       * -pflash. It also implies that fw_cfg_find() will succeed.
>>>       */
>>>      bool firmware_loaded;
>>
>> And we already seem to have this exact kind of distinction in QEMU; see
>> for example "hw/arm/virt.c":
>>
>>>      if (has_ged && aarch64 && firmware_loaded &&
>>> virt_is_acpi_enabled(vms)) {
>>>          vms->acpi_dev = create_acpi_ged(vms);
>>>      } else {
>>>          create_gpio(vms);
>>>      }
>>
>> coming from commit cff51ac978c4 ("hw/arm/virt: Enable device memory
>> cold/hot plug with ACPI boot", 2019-10-05).
>>
>> And (same file):
>>
>>>          if (!vms->bootinfo.firmware_loaded ||
>>> !virt_is_acpi_enabled(vms)) {
>>>              return HOTPLUG_HANDLER(machine);
>>>          }
>>
>> coming from commit 70e89132c9e6 ("hw/arm/virt: Add the virtio-iommu
>> device tree mappings", 2020-02-27).
>>
>> ... Ah, I think I've found it [hw/arm/virt-acpi-build.c]:
>>
>>> /* DSDT */
>>> static void
>>> build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState
>>> *vms)
>>> {
>>>      Aml *scope, *dsdt;
>>>      MachineState *ms = MACHINE(vms);
>>>      const MemMapEntry *memmap = vms->memmap;
>>>      const int *irqmap = vms->irqmap;
>>>
>>>      dsdt = init_aml_allocator();
>>>      /* Reserve space for header */
>>>      acpi_data_push(dsdt->buf, sizeof(AcpiTableHeader));
>>>
>>>      /* When booting the VM with UEFI, UEFI takes ownership of the
>>> RTC hardware.
>>>       * While UEFI can use libfdt to disable the RTC device node in
>>> the DTB that
>>>       * it passes to the OS, it cannot modify AML. Therefore, we
>>> won't generate
>>>       * the RTC ACPI device at all when using UEFI.
>>>       */
>>>      scope = aml_scope("\\_SB");
>>>      acpi_dsdt_add_cpus(scope, vms->smp_cpus);
>>>      acpi_dsdt_add_uart(scope, &memmap[VIRT_UART],
>>>                         (irqmap[VIRT_UART] + ARM_SPI_BASE));
>>>      acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);
>>
>> The ACPI generator already takes the RTC into account; see QEMU commit
>> 67736a25f865 ("ARM: virt: Don't generate RTC ACPI device when using
>> UEFI", 2016-01-15).
>>
>> Should we do the same for the acpi_dsdt_add_flash() call, now?
>>
>> (This also suggests that my consideration of "firmware_loaded" above is
>> irrelevant, if we end up modifying the build_dsdt() function -- on
>> AARCH64, ACPI is only defined in UEFI terms (namely, as a UEFI system
>> config table), so in this function, the presence of UEFI can be assumed
>> "yes".)
>>
> 
> I wasn't aware that we even expose the flash in the DSDT. In any case,
> no driver exists in Linux today that claims the LNRO0015 _HID, and so I
> agree we should simply remove it entirely.
> 
> However, I am no longer able to contribute to QEMU, so I was hoping you
> or Phil could take the action?

I try to stay as far as possible from ACPI, but here it seems
fair I assign myself to this (except if Drew/Eric prefer to
do it, of course!).

> 
> Thanks,
> Ard.
> 
> 
> 


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [edk2-devel] [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24 13:02         ` Philippe Mathieu-Daudé
@ 2020-06-24 13:41           ` Andrew Jones
  2020-06-24 13:45             ` Philippe Mathieu-Daudé
  2020-06-24 13:48             ` Ard Biesheuvel
  0 siblings, 2 replies; 14+ messages in thread
From: Andrew Jones @ 2020-06-24 13:41 UTC (permalink / raw)
  To: Philippe Mathieu-Daudé; +Cc: Ard Biesheuvel, devel, lersek, Eric Auger

On Wed, Jun 24, 2020 at 03:02:49PM +0200, Philippe Mathieu-Daudé wrote:
> On 6/24/20 1:43 PM, Ard Biesheuvel wrote:
> > On 6/24/20 1:20 PM, Laszlo Ersek via groups.io wrote:
> >> (CC Drew, Eric)
> >>
> >> On 06/24/20 09:19, Ard Biesheuvel wrote:
> >>
> >>> The arm64 defconfig was recently updated with MTD support, and so the
> >>> flash banks are now claimed by the CFI flash driver. I saw the same on
> >>> 32-bit ARM today, and I am not sure if it is a change there or whether
> >>> it was always like that (for multi_v7_defconfig) but there is no good
> >>> reason to keep supporting this.
> >>
> >> Can the same (problematic) kernel driver binding occur via the ACPI
> >> DSDT?
> >>
> >> In this fw patch we hide the flash chip(s) from the guest kernel via
> >> Device Tree only.
> >>
> >> There isn't much I guess we can (or should) do about ACPI in the
> >> firmware, but it would still be a conflict between the fw driver and the
> >> kernel driver -- we might have to address that in QEMU (hide the pflash
> >> in the ACPI generator when UEFI is used as guest firmware).
> >>
> >> IIRC, in QEMU, we use "arm_boot_info.firmware_loaded", from
> >> <include/hw/arm/boot.h>, to represent UEFI:
> >>
> >>>      /* Boot firmware has been loaded, typically at address 0, with
> >>> -bios or
> >>>       * -pflash. It also implies that fw_cfg_find() will succeed.
> >>>       */
> >>>      bool firmware_loaded;
> >>
> >> And we already seem to have this exact kind of distinction in QEMU; see
> >> for example "hw/arm/virt.c":
> >>
> >>>      if (has_ged && aarch64 && firmware_loaded &&
> >>> virt_is_acpi_enabled(vms)) {
> >>>          vms->acpi_dev = create_acpi_ged(vms);
> >>>      } else {
> >>>          create_gpio(vms);
> >>>      }
> >>
> >> coming from commit cff51ac978c4 ("hw/arm/virt: Enable device memory
> >> cold/hot plug with ACPI boot", 2019-10-05).
> >>
> >> And (same file):
> >>
> >>>          if (!vms->bootinfo.firmware_loaded ||
> >>> !virt_is_acpi_enabled(vms)) {
> >>>              return HOTPLUG_HANDLER(machine);
> >>>          }
> >>
> >> coming from commit 70e89132c9e6 ("hw/arm/virt: Add the virtio-iommu
> >> device tree mappings", 2020-02-27).
> >>
> >> ... Ah, I think I've found it [hw/arm/virt-acpi-build.c]:
> >>
> >>> /* DSDT */
> >>> static void
> >>> build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState
> >>> *vms)
> >>> {
> >>>      Aml *scope, *dsdt;
> >>>      MachineState *ms = MACHINE(vms);
> >>>      const MemMapEntry *memmap = vms->memmap;
> >>>      const int *irqmap = vms->irqmap;
> >>>
> >>>      dsdt = init_aml_allocator();
> >>>      /* Reserve space for header */
> >>>      acpi_data_push(dsdt->buf, sizeof(AcpiTableHeader));
> >>>
> >>>      /* When booting the VM with UEFI, UEFI takes ownership of the
> >>> RTC hardware.
> >>>       * While UEFI can use libfdt to disable the RTC device node in
> >>> the DTB that
> >>>       * it passes to the OS, it cannot modify AML. Therefore, we
> >>> won't generate
> >>>       * the RTC ACPI device at all when using UEFI.
> >>>       */
> >>>      scope = aml_scope("\\_SB");
> >>>      acpi_dsdt_add_cpus(scope, vms->smp_cpus);
> >>>      acpi_dsdt_add_uart(scope, &memmap[VIRT_UART],
> >>>                         (irqmap[VIRT_UART] + ARM_SPI_BASE));
> >>>      acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);
> >>
> >> The ACPI generator already takes the RTC into account; see QEMU commit
> >> 67736a25f865 ("ARM: virt: Don't generate RTC ACPI device when using
> >> UEFI", 2016-01-15).
> >>
> >> Should we do the same for the acpi_dsdt_add_flash() call, now?
> >>
> >> (This also suggests that my consideration of "firmware_loaded" above is
> >> irrelevant, if we end up modifying the build_dsdt() function -- on
> >> AARCH64, ACPI is only defined in UEFI terms (namely, as a UEFI system
> >> config table), so in this function, the presence of UEFI can be assumed
> >> "yes".)
> >>
> > 
> > I wasn't aware that we even expose the flash in the DSDT. In any case,
> > no driver exists in Linux today that claims the LNRO0015 _HID, and so I
> > agree we should simply remove it entirely.
> > 
> > However, I am no longer able to contribute to QEMU, so I was hoping you
> > or Phil could take the action?
> 
> I try to stay as far as possible from ACPI, but here it seems
> fair I assign myself to this (except if Drew/Eric prefer to
> do it, of course!).

I don't mind doing it. IIUC, all we need to do is remove the flash device
from the DSDT to "hide" it from the guest. Of course we'll need some
compat code too in order to only do this for machine types 5.1 and later,
and that means that running guest kernels which want to bind the flash on
5.0 and older machine types will still have the problem.

Also, it seems a bit odd to hide hardware from the guest OS. Wouldn't it
be better to somehow flag that the hardare may be in use by firmware,
and therefore is only safe to use if runtime services are not used? I'm
not sure ACPI supports that for table entries like these, but maybe some
_STA value indicates something like it. I'll take a look at the spec.

Thanks,
drew


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [edk2-devel] [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24 13:41           ` Andrew Jones
@ 2020-06-24 13:45             ` Philippe Mathieu-Daudé
  2020-06-24 13:48             ` Ard Biesheuvel
  1 sibling, 0 replies; 14+ messages in thread
From: Philippe Mathieu-Daudé @ 2020-06-24 13:45 UTC (permalink / raw)
  To: Andrew Jones
  Cc: Ard Biesheuvel, edk2-devel-groups-io, Laszlo Ersek, Eric Auger

On Wed, Jun 24, 2020 at 3:42 PM Andrew Jones <drjones@redhat.com> wrote:
> On Wed, Jun 24, 2020 at 03:02:49PM +0200, Philippe Mathieu-Daudé wrote:
> > On 6/24/20 1:43 PM, Ard Biesheuvel wrote:
> > > On 6/24/20 1:20 PM, Laszlo Ersek via groups.io wrote:
> > >> (CC Drew, Eric)
> > >>
> > >> On 06/24/20 09:19, Ard Biesheuvel wrote:
> > >>
> > >>> The arm64 defconfig was recently updated with MTD support, and so the
> > >>> flash banks are now claimed by the CFI flash driver. I saw the same on
> > >>> 32-bit ARM today, and I am not sure if it is a change there or whether
> > >>> it was always like that (for multi_v7_defconfig) but there is no good
> > >>> reason to keep supporting this.
> > >>
> > >> Can the same (problematic) kernel driver binding occur via the ACPI
> > >> DSDT?
> > >>
> > >> In this fw patch we hide the flash chip(s) from the guest kernel via
> > >> Device Tree only.
> > >>
> > >> There isn't much I guess we can (or should) do about ACPI in the
> > >> firmware, but it would still be a conflict between the fw driver and the
> > >> kernel driver -- we might have to address that in QEMU (hide the pflash
> > >> in the ACPI generator when UEFI is used as guest firmware).
> > >>
> > >> IIRC, in QEMU, we use "arm_boot_info.firmware_loaded", from
> > >> <include/hw/arm/boot.h>, to represent UEFI:
> > >>
> > >>>      /* Boot firmware has been loaded, typically at address 0, with
> > >>> -bios or
> > >>>       * -pflash. It also implies that fw_cfg_find() will succeed.
> > >>>       */
> > >>>      bool firmware_loaded;
> > >>
> > >> And we already seem to have this exact kind of distinction in QEMU; see
> > >> for example "hw/arm/virt.c":
> > >>
> > >>>      if (has_ged && aarch64 && firmware_loaded &&
> > >>> virt_is_acpi_enabled(vms)) {
> > >>>          vms->acpi_dev = create_acpi_ged(vms);
> > >>>      } else {
> > >>>          create_gpio(vms);
> > >>>      }
> > >>
> > >> coming from commit cff51ac978c4 ("hw/arm/virt: Enable device memory
> > >> cold/hot plug with ACPI boot", 2019-10-05).
> > >>
> > >> And (same file):
> > >>
> > >>>          if (!vms->bootinfo.firmware_loaded ||
> > >>> !virt_is_acpi_enabled(vms)) {
> > >>>              return HOTPLUG_HANDLER(machine);
> > >>>          }
> > >>
> > >> coming from commit 70e89132c9e6 ("hw/arm/virt: Add the virtio-iommu
> > >> device tree mappings", 2020-02-27).
> > >>
> > >> ... Ah, I think I've found it [hw/arm/virt-acpi-build.c]:
> > >>
> > >>> /* DSDT */
> > >>> static void
> > >>> build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState
> > >>> *vms)
> > >>> {
> > >>>      Aml *scope, *dsdt;
> > >>>      MachineState *ms = MACHINE(vms);
> > >>>      const MemMapEntry *memmap = vms->memmap;
> > >>>      const int *irqmap = vms->irqmap;
> > >>>
> > >>>      dsdt = init_aml_allocator();
> > >>>      /* Reserve space for header */
> > >>>      acpi_data_push(dsdt->buf, sizeof(AcpiTableHeader));
> > >>>
> > >>>      /* When booting the VM with UEFI, UEFI takes ownership of the
> > >>> RTC hardware.
> > >>>       * While UEFI can use libfdt to disable the RTC device node in
> > >>> the DTB that
> > >>>       * it passes to the OS, it cannot modify AML. Therefore, we
> > >>> won't generate
> > >>>       * the RTC ACPI device at all when using UEFI.
> > >>>       */
> > >>>      scope = aml_scope("\\_SB");
> > >>>      acpi_dsdt_add_cpus(scope, vms->smp_cpus);
> > >>>      acpi_dsdt_add_uart(scope, &memmap[VIRT_UART],
> > >>>                         (irqmap[VIRT_UART] + ARM_SPI_BASE));
> > >>>      acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);
> > >>
> > >> The ACPI generator already takes the RTC into account; see QEMU commit
> > >> 67736a25f865 ("ARM: virt: Don't generate RTC ACPI device when using
> > >> UEFI", 2016-01-15).
> > >>
> > >> Should we do the same for the acpi_dsdt_add_flash() call, now?
> > >>
> > >> (This also suggests that my consideration of "firmware_loaded" above is
> > >> irrelevant, if we end up modifying the build_dsdt() function -- on
> > >> AARCH64, ACPI is only defined in UEFI terms (namely, as a UEFI system
> > >> config table), so in this function, the presence of UEFI can be assumed
> > >> "yes".)
> > >>
> > >
> > > I wasn't aware that we even expose the flash in the DSDT. In any case,
> > > no driver exists in Linux today that claims the LNRO0015 _HID, and so I
> > > agree we should simply remove it entirely.
> > >
> > > However, I am no longer able to contribute to QEMU, so I was hoping you
> > > or Phil could take the action?
> >
> > I try to stay as far as possible from ACPI, but here it seems
> > fair I assign myself to this (except if Drew/Eric prefer to
> > do it, of course!).
>
> I don't mind doing it. IIUC, all we need to do is remove the flash device
> from the DSDT to "hide" it from the guest. Of course we'll need some
> compat code too in order to only do this for machine types 5.1 and later,
> and that means that running guest kernels which want to bind the flash on
> 5.0 and older machine types will still have the problem.
>
> Also, it seems a bit odd to hide hardware from the guest OS. Wouldn't it
> be better to somehow flag that the hardare may be in use by firmware,
> and therefore is only safe to use if runtime services are not used? I'm
> not sure ACPI supports that for table entries like these, but maybe some
> _STA value indicates something like it. I'll take a look at the spec.

Thank you! You'll certainly send a clearer/better patch than me on this topic :)


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [edk2-devel] [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24 13:41           ` Andrew Jones
  2020-06-24 13:45             ` Philippe Mathieu-Daudé
@ 2020-06-24 13:48             ` Ard Biesheuvel
  2020-06-24 14:37               ` Andrew Jones
  1 sibling, 1 reply; 14+ messages in thread
From: Ard Biesheuvel @ 2020-06-24 13:48 UTC (permalink / raw)
  To: Andrew Jones, Philippe Mathieu-Daudé; +Cc: devel, lersek, Eric Auger

On 6/24/20 3:41 PM, Andrew Jones wrote:
> On Wed, Jun 24, 2020 at 03:02:49PM +0200, Philippe Mathieu-Daudé wrote:
>> On 6/24/20 1:43 PM, Ard Biesheuvel wrote:
...
>>> I wasn't aware that we even expose the flash in the DSDT. In any case,
>>> no driver exists in Linux today that claims the LNRO0015 _HID, and so I
>>> agree we should simply remove it entirely.
>>>
>>> However, I am no longer able to contribute to QEMU, so I was hoping you
>>> or Phil could take the action?
>>
>> I try to stay as far as possible from ACPI, but here it seems
>> fair I assign myself to this (except if Drew/Eric prefer to
>> do it, of course!).
> 
> I don't mind doing it. IIUC, all we need to do is remove the flash device
> from the DSDT to "hide" it from the guest. Of course we'll need some
> compat code too in order to only do this for machine types 5.1 and later,
> and that means that running guest kernels which want to bind the flash on
> 5.0 and older machine types will still have the problem.
> 

Do you think that is really necessary? LNRO0015 never had a driver in 
Linux to begin with, and I doubt other ACPI capable arm64 OSes would be 
any different.

> Also, it seems a bit odd to hide hardware from the guest OS. Wouldn't it
> be better to somehow flag that the hardare may be in use by firmware,
> and therefore is only safe to use if runtime services are not used? I'm
> not sure ACPI supports that for table entries like these, but maybe some
> _STA value indicates something like it. I'll take a look at the spec.
> 

We could do either, but a _STA indicating that the device is not present 
or not ready amounts to the same afaik. Ultimately, the OS could still 
access the physical range if it wanted to (e.g., via /dev/mem), so not 
exposing it in the first place seems more robust to me.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [edk2-devel] [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24 13:48             ` Ard Biesheuvel
@ 2020-06-24 14:37               ` Andrew Jones
  2020-06-24 18:43                 ` Laszlo Ersek
  0 siblings, 1 reply; 14+ messages in thread
From: Andrew Jones @ 2020-06-24 14:37 UTC (permalink / raw)
  To: Ard Biesheuvel; +Cc: Philippe Mathieu-Daudé, devel, lersek, Eric Auger

On Wed, Jun 24, 2020 at 03:48:46PM +0200, Ard Biesheuvel wrote:
> On 6/24/20 3:41 PM, Andrew Jones wrote:
> > On Wed, Jun 24, 2020 at 03:02:49PM +0200, Philippe Mathieu-Daudé wrote:
> > > On 6/24/20 1:43 PM, Ard Biesheuvel wrote:
> ...
> > > > I wasn't aware that we even expose the flash in the DSDT. In any case,
> > > > no driver exists in Linux today that claims the LNRO0015 _HID, and so I
> > > > agree we should simply remove it entirely.
> > > > 
> > > > However, I am no longer able to contribute to QEMU, so I was hoping you
> > > > or Phil could take the action?
> > > 
> > > I try to stay as far as possible from ACPI, but here it seems
> > > fair I assign myself to this (except if Drew/Eric prefer to
> > > do it, of course!).
> > 
> > I don't mind doing it. IIUC, all we need to do is remove the flash device
> > from the DSDT to "hide" it from the guest. Of course we'll need some
> > compat code too in order to only do this for machine types 5.1 and later,
> > and that means that running guest kernels which want to bind the flash on
> > 5.0 and older machine types will still have the problem.
> > 
> 
> Do you think that is really necessary? LNRO0015 never had a driver in Linux
> to begin with, and I doubt other ACPI capable arm64 OSes would be any
> different.

I'd rather not add/remove hardware in older machine types. While it's
unlikely anybody would notice, we can't be sure that there's nothing
out there which would break.

> 
> > Also, it seems a bit odd to hide hardware from the guest OS. Wouldn't it
> > be better to somehow flag that the hardare may be in use by firmware,
> > and therefore is only safe to use if runtime services are not used? I'm
> > not sure ACPI supports that for table entries like these, but maybe some
> > _STA value indicates something like it. I'll take a look at the spec.
> > 
> 
> We could do either, but a _STA indicating that the device is not present or
> not ready amounts to the same afaik. Ultimately, the OS could still access
> the physical range if it wanted to (e.g., via /dev/mem), so not exposing it
> in the first place seems more robust to me.
> 

If there's no _STA state that says the device is here and works, but it's
not available, then I agree removing it is the same. And, thinking about
it some more, this flash device is really only for our host-controlled
firmware. Since we don't give the guest any control over the firmware,
then the device the firmware lives on should probably not even exist as
far as the guest is concerned.

Thanks,
drew


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [edk2-devel] [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24 14:37               ` Andrew Jones
@ 2020-06-24 18:43                 ` Laszlo Ersek
  2020-06-24 18:46                   ` Laszlo Ersek
  0 siblings, 1 reply; 14+ messages in thread
From: Laszlo Ersek @ 2020-06-24 18:43 UTC (permalink / raw)
  To: Andrew Jones, Ard Biesheuvel
  Cc: Philippe Mathieu-Daudé, devel, Eric Auger

On 06/24/20 16:37, Andrew Jones wrote:
> On Wed, Jun 24, 2020 at 03:48:46PM +0200, Ard Biesheuvel wrote:
>> On 6/24/20 3:41 PM, Andrew Jones wrote:
>>> On Wed, Jun 24, 2020 at 03:02:49PM +0200, Philippe Mathieu-Daudé wrote:
>>>> On 6/24/20 1:43 PM, Ard Biesheuvel wrote:
>> ...
>>>>> I wasn't aware that we even expose the flash in the DSDT. In any case,
>>>>> no driver exists in Linux today that claims the LNRO0015 _HID, and so I
>>>>> agree we should simply remove it entirely.
>>>>>
>>>>> However, I am no longer able to contribute to QEMU, so I was hoping you
>>>>> or Phil could take the action?
>>>>
>>>> I try to stay as far as possible from ACPI, but here it seems
>>>> fair I assign myself to this (except if Drew/Eric prefer to
>>>> do it, of course!).
>>>
>>> I don't mind doing it. IIUC, all we need to do is remove the flash device
>>> from the DSDT to "hide" it from the guest. Of course we'll need some
>>> compat code too in order to only do this for machine types 5.1 and later,
>>> and that means that running guest kernels which want to bind the flash on
>>> 5.0 and older machine types will still have the problem.
>>>
>>
>> Do you think that is really necessary? LNRO0015 never had a driver in Linux
>> to begin with, and I doubt other ACPI capable arm64 OSes would be any
>> different.
> 
> I'd rather not add/remove hardware in older machine types. While it's
> unlikely anybody would notice, we can't be sure that there's nothing
> out there which would break.

I agree.

>>
>>> Also, it seems a bit odd to hide hardware from the guest OS. Wouldn't it
>>> be better to somehow flag that the hardare may be in use by firmware,
>>> and therefore is only safe to use if runtime services are not used? I'm
>>> not sure ACPI supports that for table entries like these, but maybe some
>>> _STA value indicates something like it. I'll take a look at the spec.
>>>
>>
>> We could do either, but a _STA indicating that the device is not present or
>> not ready amounts to the same afaik. Ultimately, the OS could still access
>> the physical range if it wanted to (e.g., via /dev/mem), so not exposing it
>> in the first place seems more robust to me.
>>
> 
> If there's no _STA state that says the device is here and works, but it's
> not available, then I agree removing it is the same. And, thinking about
> it some more, this flash device is really only for our host-controlled
> firmware. Since we don't give the guest any control over the firmware,
> then the device the firmware lives on should probably not even exist as
> far as the guest is concerned.

I think it's safest to remove the object from the DSDT; at least x86
Windows used to be really picky about _STA in Device Manager. Best to
avoid yellow triangles (or whatever) there (assuming Device Manager is a
thing on aarch64 Windows -- I don't know).

Drew, when you remove the flash addition function call, please replace
it with a comment that's similar to the one we have about the RTC. That
way, we can run "git blame" on the comment. (Pure deletions tend to
impede "git blame", as no code lines remain on which git-blame could
report a "latest commit".)

Thank you very much!
Laszlo


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [edk2-devel] [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery
  2020-06-24 18:43                 ` Laszlo Ersek
@ 2020-06-24 18:46                   ` Laszlo Ersek
  0 siblings, 0 replies; 14+ messages in thread
From: Laszlo Ersek @ 2020-06-24 18:46 UTC (permalink / raw)
  To: Andrew Jones, Ard Biesheuvel
  Cc: Philippe Mathieu-Daudé, devel, Eric Auger

On 06/24/20 20:43, Laszlo Ersek wrote:
> On 06/24/20 16:37, Andrew Jones wrote:
>> On Wed, Jun 24, 2020 at 03:48:46PM +0200, Ard Biesheuvel wrote:
>>> On 6/24/20 3:41 PM, Andrew Jones wrote:
>>>> On Wed, Jun 24, 2020 at 03:02:49PM +0200, Philippe Mathieu-Daudé wrote:
>>>>> On 6/24/20 1:43 PM, Ard Biesheuvel wrote:
>>> ...
>>>>>> I wasn't aware that we even expose the flash in the DSDT. In any case,
>>>>>> no driver exists in Linux today that claims the LNRO0015 _HID, and so I
>>>>>> agree we should simply remove it entirely.
>>>>>>
>>>>>> However, I am no longer able to contribute to QEMU, so I was hoping you
>>>>>> or Phil could take the action?
>>>>>
>>>>> I try to stay as far as possible from ACPI, but here it seems
>>>>> fair I assign myself to this (except if Drew/Eric prefer to
>>>>> do it, of course!).
>>>>
>>>> I don't mind doing it. IIUC, all we need to do is remove the flash device
>>>> from the DSDT to "hide" it from the guest. Of course we'll need some
>>>> compat code too in order to only do this for machine types 5.1 and later,
>>>> and that means that running guest kernels which want to bind the flash on
>>>> 5.0 and older machine types will still have the problem.
>>>>
>>>
>>> Do you think that is really necessary? LNRO0015 never had a driver in Linux
>>> to begin with, and I doubt other ACPI capable arm64 OSes would be any
>>> different.
>>
>> I'd rather not add/remove hardware in older machine types. While it's
>> unlikely anybody would notice, we can't be sure that there's nothing
>> out there which would break.
> 
> I agree.
> 
>>>
>>>> Also, it seems a bit odd to hide hardware from the guest OS. Wouldn't it
>>>> be better to somehow flag that the hardare may be in use by firmware,
>>>> and therefore is only safe to use if runtime services are not used? I'm
>>>> not sure ACPI supports that for table entries like these, but maybe some
>>>> _STA value indicates something like it. I'll take a look at the spec.
>>>>
>>>
>>> We could do either, but a _STA indicating that the device is not present or
>>> not ready amounts to the same afaik. Ultimately, the OS could still access
>>> the physical range if it wanted to (e.g., via /dev/mem), so not exposing it
>>> in the first place seems more robust to me.
>>>
>>
>> If there's no _STA state that says the device is here and works, but it's
>> not available, then I agree removing it is the same. And, thinking about
>> it some more, this flash device is really only for our host-controlled
>> firmware. Since we don't give the guest any control over the firmware,
>> then the device the firmware lives on should probably not even exist as
>> far as the guest is concerned.
> 
> I think it's safest to remove the object from the DSDT; at least x86
> Windows used to be really picky about _STA in Device Manager. Best to
> avoid yellow triangles (or whatever) there (assuming Device Manager is a
> thing on aarch64 Windows -- I don't know).
> 
> Drew, when you remove the flash addition function call, please replace
> it with a comment that's similar to the one we have about the RTC. That
> way, we can run "git blame" on the comment. (Pure deletions tend to
> impede "git blame", as no code lines remain on which git-blame could
> report a "latest commit".)

oops, sorry, dumb request -- this isn't going to be a pure removal; the
flash addition will remain, it will only be made conditional on a new
machine type property. So there's going to be *something* to run
git-blame on. Apologies for my mistake.

Laszlo


^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2020-06-24 18:46 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-06-23 17:57 [PATCH] ArmVirtPkg/NorFlashQemuLib: disable NOR flash DT nodes upon discovery Ard Biesheuvel
2020-06-23 20:41 ` Laszlo Ersek
2020-06-24  7:19   ` Ard Biesheuvel
2020-06-24  9:00     ` Laszlo Ersek
2020-06-24  9:35       ` Philippe Mathieu-Daudé
2020-06-24 11:20     ` [edk2-devel] " Laszlo Ersek
2020-06-24 11:43       ` Ard Biesheuvel
2020-06-24 13:02         ` Philippe Mathieu-Daudé
2020-06-24 13:41           ` Andrew Jones
2020-06-24 13:45             ` Philippe Mathieu-Daudé
2020-06-24 13:48             ` Ard Biesheuvel
2020-06-24 14:37               ` Andrew Jones
2020-06-24 18:43                 ` Laszlo Ersek
2020-06-24 18:46                   ` Laszlo Ersek

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox