[PATCH 00/14] drm/amdgpu: introduce secure buffer object support (trusted memory zone)

Koenig, Christian Christian.Koenig at amd.com
Wed Sep 11 12:11:41 UTC 2019


Patches #1-#4, #8, #9 are Reviewed-by: Christian König <christian.koenig at amd.com>

Patches #10, #11 are Acked-by: Christian König <christian.koenig at amd.com>

Patch #7 and the resulting workaround in patch #13 are a clear NAK.
The ttm_mem_reg can't be used like this to get back to the ttm_bo object.

Going to reply separately on patch #14 regarding this.

Regards,
Christian.

On 11.09.19 at 13:50, Huang, Ray wrote:
> Hi all,
>
> This series of patches introduces a feature to support secure buffer objects.
> The Trusted Memory Zone (TMZ) is a method to protect the contents being written
> to and read from memory. We use the TMZ hardware memory protection scheme to
> implement the secure buffer object support.
>
> TMZ is a page-level protection in which hardware detects the TMZ bit in the
> page table entry to set the current page as encrypted. With this hardware
> feature, we design a BO-level protection in the kernel driver to provide a new flag
> AMDGPU_GEM_CREATE_ENCRYPTED to the gem create ioctl to libdrm for secure buffer
> allocation. We also provide AMDGPU_CTX_ALLOC_FLAGS_SECURE to indicate whether the
> context is trusted or not. If the BO is secure, then the data is encrypted, and only
> the trusted IP blocks such as gfx, sdma, vcn are able to decrypt it. The CPU, as an
> untrusted IP, is unable to read the secure buffer.
>
> We will submit the new secure context interface later for libdrm, and create a
> new test suite to verify the security feature in the libdrm unit tests.
>
> Suite id = 11: Name 'Security Tests status: ENABLED'
> Test id 1: Name: 'allocate secure buffer test status: ENABLED'
> Test id 2: Name: 'graphics command submission under secure context status: ENABLED'
>
> Thanks,
> Ray
>
> Alex Deucher (4):
>    drm/amdgpu: add UAPI for creating encrypted buffers
>    drm/amdgpu: add UAPI for creating secure contexts (v2)
>    drm/amdgpu: define the TMZ bit for the PTE
>    drm/amdgpu: set TMZ bits in PTEs for secure bo (v2)
>
> Huang Rui (10):
>    drm/amdgpu: add tmz feature parameter (v2)
>    drm/amdgpu: add amdgpu_tmz data structure
>    drm/amdgpu: add function to check tmz capability (v4)
>    drm/ttm: add helper to get buffer object with ttm_mem_reg
>    drm/amdgpu: revise the function to allocate secure context (v2)
>    drm/amdgpu: add tmz bit in frame control packet
>    drm/amdgpu: expand the emit tmz interface with trusted flag
>    drm/amdgpu: expand the context control interface with trust flag
>    drm/amdgpu: set trusted mode while the job is under secure context
>      (v2)
>    drm/amdgpu: modify the method to use mem under buffer object for
>      amdgpu_ttm_tt_pte_flags
>
>   drivers/gpu/drm/amd/amdgpu/Makefile        |  2 +-
>   drivers/gpu/drm/amd/amdgpu/amdgpu.h        |  7 ++++-
>   drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c     |  1 +
>   drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c    | 19 +++++++++---
>   drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.h    |  1 +
>   drivers/gpu/drm/amd/amdgpu/amdgpu_device.c |  3 ++
>   drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c    | 11 +++++++
>   drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c    | 12 +++++++-
>   drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c     |  4 +--
>   drivers/gpu/drm/amd/amdgpu/amdgpu_job.h    |  2 ++
>   drivers/gpu/drm/amd/amdgpu/amdgpu_object.h | 10 ++++++
>   drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h   |  9 +++---
>   drivers/gpu/drm/amd/amdgpu/amdgpu_tmz.c    | 49 ++++++++++++++++++++++++++++++
>   drivers/gpu/drm/amd/amdgpu/amdgpu_tmz.h    | 39 ++++++++++++++++++++++++
>   drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c    | 23 +++++++++-----
>   drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h     |  3 ++
>   drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c     | 20 +++++++++---
>   drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c      |  3 +-
>   drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c      |  3 +-
>   drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c      |  3 +-
>   drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c      | 16 +++++++---
>   drivers/gpu/drm/amd/amdgpu/nvd.h           |  1 +
>   drivers/gpu/drm/amd/amdgpu/soc15d.h        |  1 +
>   include/drm/ttm/ttm_bo_driver.h            | 13 ++++++++
>   include/uapi/drm/amdgpu_drm.h              |  9 +++++-
>   25 files changed, 230 insertions(+), 34 deletions(-)
>   create mode 100644 drivers/gpu/drm/amd/amdgpu/amdgpu_tmz.c
>   create mode 100644 drivers/gpu/drm/amd/amdgpu/amdgpu_tmz.h
>


