Re: [PATCH] arm64: dts: qcom: sdm845-mtp: Relocate remoteproc firmware

From: Jeffrey Hugo
Date: Wed Mar 25 2020 - 17:54:40 EST


On Wed, Mar 25, 2020 at 3:13 PM Arnd Bergmann <arnd@xxxxxxxx> wrote:
>
> On Mon, Mar 2, 2020 at 3:09 AM Bjorn Andersson
> <bjorn.andersson@xxxxxxxxxx> wrote:
> >
> > Update the firmware-name of the remoteproc nodes to mimic the firmware
> > structure on other 845 devices.
> >
> > Signed-off-by: Bjorn Andersson <bjorn.andersson@xxxxxxxxxx>
> > ---
> > arch/arm64/boot/dts/qcom/sdm845-mtp.dts | 7 +++++++
> > 1 file changed, 7 insertions(+)
>
> Hi Bjorn,
>
> Sorry for the late reply, I only came across this one while going
> through the pull requests
> that we had failed to pick up earlier.
>
> I really dislike the idea of hardcoding a firmware name in the
> devicetree, we had long
> discussions about this a few years ago and basically concluded that the firmware
> name needs to be generated by the driver after identifying the hardware itself.
>
> The problem is that the firmware generally needs to match both the device driver
> and the hardware, so when there is a firmware update that changes the behavior
> (intentionally or not) in a way the driver needs to know about, then
> the driver should
> be able to request a particular firmware file based on information
> that the owner
> of the dtb may not have.

Interesting, this intersects some work I plan on doing.

What level information did this discussion assume that the device
driver had? Do you have a reference to the discussion handy?

Please correct me if I am wrong, but this seems to assume that for
device X, there is one firmware at a specific version that the driver
is then knowledgeable about, and the driver can query the device
hardware in some way to determine what is appropriate. It seems like
this assumption is believed to hold true, no matter what system X is
included in.

I think we have the problem where likely impossible that the driver
will know what firmware is valid.

Qualcomm, for better or worse, has a signing process for their images.
This establishes a root a trust which is enforced by hardware. For
example, the Modem subsystem (the part of the SoC that talks to cell
towers and such) will not run an image which is not properly signed.
The valid signature is burned into the chip.

"Surely there is one signed image for a particular modem on a specific SoC?"
Sadly, no. The OEM is allowed to provide their own key. This may be
a key which is specific to the device (Ie the Brand XYZ Model 123
phone). Therefore, that device will only run the firmware that
contains that OEM's signature, even if the actual code happens to be
identical to what every other OEM has.

For some SoCs which go into multiple products, there seem to be
several OEMs which are willing to allow the firmware to be included in
the linux-firmware project. Therefore, it is likely that there will
be multiple copies of the Modem image for the 845 SoC (for example) in
/lib/firmware. In this case, it seems like your recommendation is
that the driver should somehow detect that it is running on device 123
and not device 456, and therefore be able to request the device 123
specific firmware.

I don't know how the device driver is supposed to make that
determination, and its my opinion that the driver shouldn't be. Other
than the need to have the correct firmware, which is tied to the
specific device, I'm not aware of an instance where a driver cares
about anything more than the hardware revision of the block it drives.