Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
ichrin
/
kernel_samsung_msm8974
Pridať medzi pozorované 1
Hviezda 0
Fork 0
Súbory Issues 0 Pull requesty 0 Wiki
Strom: af8e0b9326
Branche Tagy
kernel_samsu...
/
Documentation
/
arm
/
msm
/
pil.txt

pil.txt 10 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268 
  1. Introduction
    2. 

  2. ============
    3. 

  3. 

  4. The PIL (Peripheral Image Loader) driver loads peripheral images into memory
    5. 

  5. and interfaces with the Peripheral Authentication Service (PAS) to
    6. 

  6. authenticate and reset peripherals embedded in the SoC.
    7. 

  7. 

  8. The PAS could either be running under secure mode in the application
    9. 

  9. processor (secure boot support) or be running as a non-secure kernel driver
    10. 

  10. (non-secure boot support).
    11. 

  11. 

  12. The PIL driver also does housekeeping to handle cases where more than one
    13. 

  13. client driver is using the same peripheral.
    14. 

  14. 

  15. Some examples of peripherals are modem, DSP and sensors.
    16. 

  16. 

  17. Hardware description
    18. 

  18. ====================
    19. 

  19. 

  20. The memory used by the peripherals for code and data storage will be
    21. 

  21. accessible as normal memory to the application processor.
    22. 

  22. 

  23. The non-secure code (Linux kernel) will have read/write permissions to the
    24. 

  24. peripheral memory by default.
    25. 

  25. 

  26. The PAS will have access to a MPU (memory protection unit) that can lock away
    27. 

  27. the pages of memory from the Linux kernel. It will also have access to
    28. 

  28. registers that can reset each peripheral.
    29. 

  29. 

  30. Software description
    31. 

  31. ====================
    32. 

  32. 

  33. The PAS provides the following three APIs:
    34. 

  34. 

  35. * Init image - Takes as input the peripheral id and firmware metadata and
    36. 

  36.   returns a status indicating the authenticity of the firmware metadata.  The
    37. 

  37.   firmware metadata consists of a standard ELF32 header followed by a program
    38. 

  38.   header table and an optional blob of data used to authenticate the metadata
    39. 

  39.   and the rest of the firmware.
    40. 

  40. 

  41. * Verify segment - Takes as input the firmware segment id and the length of
    42. 

  42.   the segment. Authenticates whatever amount (specified by the "length"
    43. 

  43.   parameter) of the firmware segment that has been loaded and removes
    44. 

  44.   non-secure mode read/write permissions for the pages belonging to the
    45. 

  45.   firmware segment. Allows multiple calls for the same firmware segment to
    46. 

  46.   allow partial loading and authentication.
    47. 

  47. 

  48. * Auth and Reset - Verifies all the necessary firmware segments have been
    49. 

  49.   loaded and authenticated and then resets the peripheral.
    50. 

  50. 

  51. The user space is expected to provide the firmware metadata and firmware
    52. 

  52. segments as separate files on persistent storage. See "Interface" section for
    53. 

  53. further details.
    54. 

  54. 

  55. The PIL driver will use the request_firmware API provided by the Linux kernel
    56. 

  56. to read the firmware and firmware metadata from persistent storage.
    57. 

  57. 

  58. When a client driver requests for a peripheral to be enabled, the PIL driver
    59. 

  59. increments the reference count for that peripheral, loads the firmware
    60. 

  60. metadata and calls the PAS Init Image API that initializes the authentication
    61. 

  61. state machine using the firmware metadata.
    62. 

  62. 

  63. If the initialization succeeds, the PIL driver loads the appropriate firmware
    64. 

  64. segments into their respective memory locations and call the PAS Verify
    65. 

  65. segment API on each of the loaded segments to authenticate and lock it.
    66. 

  66. 

  67. After all the firmware segments have been successfully loaded and
    68. 

  68. authenticated, the PAS Auth and Reset API is called to reset the peripheral
    69. 

  69. and initiate its boot sequence.
    70. 

  70. 

  71. A peripheral enable request to the PIL driver will block until it succeeds
    72. 

  72. (or fails) to initiate the peripheral boot sequence but will NOT block until
    73. 

  73. the peripheral is ready. It is not possible to block until a peripheral is
    74. 

  74. ready since the semantics of "ready" is subjective to the caller.
    75. 

  75. 

  76. The PIL driver will maintain a reference count for each of the peripherals.
    77. 

  77. So, if a peripheral is already under use and another client driver requests
    78. 

  78. for the peripheral to be enabled, the PIL driver will immediately return a
    79. 

  79. value to indicate success.
    80. 

  80. 

  81. When all the client drivers of a particular peripheral no longer need the
    82. 

  82. peripheral and the reference count reaches zero, the PIL driver can cleanly
    83. 

  83. shut down the peripheral. Since a lot of drivers in their current state can't
    84. 

  84. handle a peripheral restart, the PIL driver will never let the reference
    85. 

  85. count go back to zero.
    86. 

  86. 

  87. All information about a peripheral, like firmware filenames, peripheral ID
    88. 

  88. passed to PAS, etc, will be hard coded in the PIL driver.
    89. 

  89. 

  90. All the PIL APIs will execute in the context of the caller. This includes
    91. 

  91. calls from the PIL driver to the PAS driver. The PAS driver might decide to
    92. 

  92. switch into secure mode from a separate workqueue or in the same context as
    93. 

  93. the caller, but that shouldn't have any implications for the PIL API callers
    94. 

  94. since all the PIL APIs are blocking calls.
    95. 

  95. 

  96. Dependencies:
    97. 

  97. -------------
    98. 

  98. * Firmware class (CONFIG_FW_LOADER) for using the request_firmware API to
    99. 

  99.   load firmware from persistent storage.
    100. 

  100. * PAS to authenticate firmware and bring a peripheral out of reset.
    101. 

  101. 

  102. Error cases:
    103. 

  103. ------------
    104. 

  104. The PIL driver could fail to enable a peripheral for several reasons like not
    105. 

  105. having enough memory to load firmware and metadata, being unable to
    106. 

  106. communicate with the PAS, the PAS returning with an error, etc. For all
    107. 

  107. possible error cases, the PIL driver does not perform any retries and returns
    108. 

  108. an appropriate error code. The client drivers should always check for success
    109. 

  109. before trying to access the peripheral.
    110. 

  110. 

  111. Design
    112. 

  112. ======
    113. 

  113. 

  114. Design goals:
    115. 

  115. -------------
    116. 

  116. * The PIL driver must be agnostic to the actual format and method used to
    117. 

  117.   authenticate the firmware.
    118. 

  118. * Allow for future expansion to support demand loading of parts of firmware
    119. 

  119.   for each peripheral.
    120. 

  120. * Move most of the work into the preprocessing/building stage of the firmware.
    121. 

  121. * Provide an API to the client drivers that absolves them from having to know
    122. 

  122.   the structure or names of the firmware in persistent storage.
    123. 

  123. * Handle multiple client drivers wanting to enable the same peripheral.
    124. 

  124. 

  125. 

  126. Design reasons:
    127. 

  127. ---------------
    128. 

  128. The user space is expected to provide the firmware metadata and segments as
    129. 

  129. separate files for the following reasons:
    130. 

  130. * Don't need to load the whole ELF file if the authentication info is
    131. 

  131.   invalid.
    132. 

  132. * Works better during low memory conditions since the amount of memory used
    133. 

  133.   at any given instant when loading one segment at a time is smaller than
    134. 

  134.   loading the whole ELF file.
    135. 

  135. * Since an ELF segment in memory can be much bigger than on file, having a
    136. 

  136.   flat binary would waste a lot of space due to zero-fills.
    137. 

  137. * Allows for future enhancements to the loading procedure.
    138. 

  138. 

  139. Design tradeoffs:
    140. 

  140. -----------------
    141. 

  141. * With appropriate changes to the request_firmware API, the firmware blobs
    142. 

  142.   could be directly loaded into the right memory location. But due to the
    143. 

  143.   additional work and community approval that would be needed for modifying
    144. 

  144.   the request_firmware API, we load the firmware blobs into kernel memory and
    145. 

  145.   then copy them into the appropriate locations.
    146. 

  146. 

  147. Alternate designs:
    148. 

  148. ------------------
    149. 

  149. One of the alternate designs that were considered required the firmware to be
    150. 

  150. a flat binary. Although this design would simplify the PIL driver, it would
    151. 

  151. result in the waste of a lot of persistent storage space (due to large
    152. 

  152. zero-fills), prevent demand loading of segments in the future and use a lot
    153. 

  153. more memory while loading the firmware.
    154. 

  154. 

  155. Software layering:
    156. 

  156. ------------------
    157. 

  157. The peripheral authentication, reset and shutdown implementation is factored
    158. 

  158. away into a Peripheral Authentication Service driver to allow the PIL driver
    159. 

  159. to be agnostic of secure vs. non-secure boot and the mechanisms needed for
    160. 

  160. communicating with any code that might be running in secure mode.
    161. 

  161. 

  162. Power Management
    163. 

  163. ================
    164. 

  164. 

  165. Some of the peripherals might support being turned off when not in use.
    166. 

  166. Support for this might be disabled in the initial implementation of the PIL
    167. 

  167. driver since many of the existing drivers can not handle peripheral restart.
    168. 

  168. 

  169. SMP/multi-core
    170. 

  170. ==============
    171. 

  171. 

  172. Will use mutexes to protected data that might be shared (reference count,
    173. 

  173. etc).
    174. 

  174. 

  175. Security
    176. 

  176. ========
    177. 

  177. 

  178. The PIL driver must validate the physical memory addresses specified in the
    179. 

  179. ELF and program header table before loading firmware segments to make sure
    180. 

  180. it's not overwriting any memory used by the kernel and possibly PMEM regions
    181. 

  181. (if it can be done without being an ugly hack). The PIL driver might need to
    182. 

  182. maintain a white list or black list of physical memory address ranges to
    183. 

  183. perform the address validation.
    184. 

  184. 

  185. Performance
    186. 

  186. ===========
    187. 

  187. 

  188. As mentioned in the design section, the loading of firmware segments is not
    189. 

  189. optimal and has room for improvement.
    190. 

  190. 

  191. Interface
    192. 

  192. =========
    193. 

  193. 

  194. In kernel APIs:
    195. 

  195. void * pil_get(char *peripheral_name)
    196. 

  196. 	- Enables (if not already enabled) a peripheral and returns a handle
    197. 

  197. 	  that can be used to disable the peripheral at a later time. If
    198. 

  198. 	  peripheral can't be enabled successfully, then returns an error
    199. 

  199. 	  (use IS_ERR) indicating the reason.
    200. 

  200. 

  201. void pil_put(void *peripheral_handle)
    202. 

  202. 	- Inform PIL that this client no longer needs the peripheral to be
    203. 

  203. 	  active. Does not necessarily mean that the peripheral would be
    204. 

  204. 	  disabled or powered off.
    205. 

  205. 

  206. 

  207. User space APIs:
    208. 

  208. All firmware must be located in the path that is expected by the hotplug (or
    209. 

  209. compatible) daemon. A hotplug (or compatible) daemon should be running and be
    210. 

  210. able to handle events from the kernel requesting for a firmware file.
    211. 

  211. 

  212. The basename of the firmware files will depend on the peripheral. For a given
    213. 

  213. peripheral, the metadata filename should end with a ".mdt" and the firmware
    214. 

  214. segment files should end with ".bXX" where XX denotes the index of the
    215. 

  215. firmware segment starting from 0.
    216. 

  216. 

  217. Android hotplug compatible daemon expects the firmware files to be under
    218. 

  218. /etc/firmware.
    219. 

  219. 

  220. Driver parameters
    221. 

  221. =================
    222. 

  222. 

  223. No module or kernel command line parameters supported.
    224. 

  224. 

  225. Config options
    226. 

  226. ==============
    227. 

  227. 

  228. This driver is enabled using the MSM_PIL kernel config option and will
    229. 

  229. depend on the CONFIG_FW_LOADER being available.
    230. 

  230. 

  231. Dependencies
    232. 

  232. ============
    233. 

  233. 

  234. Depends on firmware class module for the request_firmware API.
    235. 

  235. 

  236. Interacts with the PAS to authenticate the firmware and to initiate the boot
    237. 

  237. sequence of a peripheral.
    238. 

  238. 

  239. Doesn't communicate with other processors since the secure code, if any, will
    240. 

  240. be running on the application processor cores.
    241. 

  241. 

  242. User space utilities
    243. 

  243. ====================
    244. 

  244. 

  245. None.
    246. 

  246. 

  247. Other
    248. 

  248. =====
    249. 

  249. 

  250. The firmware_class driver might be changed in the future to directly load the
    251. 

  251. firmware into memory locations provided by the caller of request_firmware().
    252. 

  252. 

  253. Known issues
    254. 

  254. ============
    255. 

  255. 

  256. Since support for cleanly shutting down peripherals is yet to be added, the
    257. 

  257. reference count of peripherals will never be allowed to go to zero once it
    258. 

  258. becomes non-zero.
    259. 

  259. 

  260. To do
    261. 

  261. =====
    262. 

  262. 

  263. * Add support for turning off peripherals when they are not in use.
    264. 

  264. * Modify request_firmware() to directly copy firmware blobs into the
    265. 

  265.   appropriate memory locations.
    266. 

  266. * Add support for demand loading of firmware segments.
    267. 

  267. * Add support for forced peripheral restarts.
    268. 

  268.