Re: [PATCH v3 6/7] docs: gpio: Add GPIO Aggregator/Repeater documentation
From: Geert Uytterhoeven <geert@linux-m68k.org>
Date: 2020-01-06 08:07:08
Also in:
linux-doc, linux-gpio, linux-renesas-soc, lkml, qemu-devel
Hi Linus, On Sat, Jan 4, 2020 at 1:21 AM Linus Walleij [off-list ref] wrote:
On Thu, Dec 12, 2019 at 3:48 PM Geert Uytterhoeven [off-list ref] wrote:quoted
On Thu, Dec 12, 2019 at 3:42 PM Linus Walleij [off-list ref] wrote:quoted
On Wed, Nov 27, 2019 at 9:43 AM Geert Uytterhoeven [off-list ref] wrote:quoted
+The GPIO Aggregator allows access control for individual GPIOs, by aggregating +them into a new gpio_chip, which can be assigned to a group or user using +standard UNIX file ownership and permissions. Furthermore, this simplifies and +hardens exporting GPIOs to a virtual machine, as the VM can just grab the full +GPIO controller, and no longer needs to care about which GPIOs to grab and +which not, reducing the attack surface. + +Aggregated GPIO controllers are instantiated and destroyed by writing to +write-only attribute files in sysfs.I suppose virtual machines will have a lengthy config file where they specify which GPIO lines to pick and use for their GPIO aggregator, and that will all be fine, the VM starts and the aggregator is there and we can start executing. I would perhaps point out a weakness as with all sysfs and with the current gpio sysfs: if a process creates an aggregator device, and then that process crashes, what happens when you try to restart the process and run e.g. your VM again? Time for a hard reboot? Or should we add some design guidelines for these machines so that they can cleanly tear down aggregators previously created by the crashed VM?No, the VM does not create the aggregator. The idea is for the user to create one or more aggregators, set up permissions on /dev/gpiochipX, and launch the VM, passing the aggregated /dev/gpiochipX as parameters. If the VM crashes, just launch it again. Destroying the aggregators is a manual and independent process, after the VM has exited.I'm thinking about someone making some industrial application for some control of a machinery say a robotic arm. And do make sure this VM is only controlling these GPIOs related to this robotic arm, they create a GPIO aggregator. And we care about cases like that since we provide this security argument. Surely that machine will be rebooted. Surely they don't have a printed paper with all the commands lying at the console, and asking whoever powers it back on to manually type it all in again. That feels a bit 1981. So they will have a script for this I suppose. Possibly in some initscript so it is set up on boot. And this script echos stuff all over the place to set up the aggregator. Is this the use case you're thinking of?
Exactly. And they can configure that by echoing the GPIO specifiers to /sys/bus/platform/drivers/gpio-aggregator/new_device. If their system has DT, another option is to describe the device in DT, and add its compatible value to gpio_aggregator_dt_ids[], cfr. the frobnicator example.
I just like to have the whole picture here.
Sure. If anything is still unclear, please let me know!
Thanks!
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds