core: firewall: add dedicated firewall configuration APIs #6946
Conversation
Remove firewall checking APIs as the use case for checking a firewall controller for another entity seems unlikely.
Signed-off-by: Gatien Chevallier <[email protected]>
Add dt_driver_count_devices() to count the number of elements referring to a provider in a property.
Signed-off-by: Gatien Chevallier <[email protected]>
Add a firewall_conf structure to differentiate individual firewall queries from a firewall configuration that groups inseparable firewall queries. A firewall configuration is expected to be set as a whole and could group queries to different firewall controllers. As a firewall configuration is composed of one or more queries, the "[conf_name]-access-conf" property relies on the same cells as "access-controllers".
Signed-off-by: Gatien Chevallier <[email protected]>
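As an added illustration, not OP-TEE code, the C program below models what the commits above describe: a phandle-with-args property such as "access-controllers" or "[conf_name]-access-conf" is walked using each provider's own argument-cell count, the entries referring to one provider are counted (the role dt_driver_count_devices() plays), the entries are grouped into one configuration, and applying the configuration reports which query failed so that a partially loaded configuration is visible to the caller. The provider table, the property bytes, and all structure and function names (fw_provider, fw_conf, fw_parse_conf, fw_apply_conf and friends) are constructed for this example and are not the project's API. The point a reviewer cares about is that every cell read is bounds-checked against the property length before it happens, so a truncated or malformed property is rejected instead of read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FW_MAX_ARGS	4
#define FW_MAX_QUERIES	8

/* Hypothetical provider: a controller phandle and its #access-controller-cells */
struct fw_provider { uint32_t phandle; unsigned int cells; };

/* One firewall query: a controller plus its controller-specific argument cells */
struct fw_query { uint32_t phandle; uint32_t args[FW_MAX_ARGS]; unsigned int nargs; };

/* A firewall configuration: an inseparable set of queries, possibly to several controllers */
struct fw_conf { struct fw_query q[FW_MAX_QUERIES]; size_t count; };

/* Applies one query to its controller; non-zero means the controller refused it */
typedef int (*fw_set_fn)(const struct fw_query *q);

/* FDT property cells are big-endian 32-bit values */
static uint32_t cell_at(const uint8_t *prop, size_t idx)
{
	const uint8_t *c = prop + 4 * idx;

	return ((uint32_t)c[0] << 24) | ((uint32_t)c[1] << 16) |
	       ((uint32_t)c[2] << 8) | c[3];
}

static const struct fw_provider *find_provider(const struct fw_provider *tab,
					       size_t ntab, uint32_t phandle)
{
	for (size_t i = 0; i < ntab; i++)
		if (tab[i].phandle == phandle)
			return &tab[i];
	return NULL;
}

/*
 * Parse a phandle-with-args property into a configuration. Returns 0, or -1
 * when the property is malformed: length not a multiple of 4, unknown provider,
 * more argument cells than we store, an entry truncated by the property end,
 * or more entries than FW_MAX_QUERIES. No cell is read before its bound check.
 */
int fw_parse_conf(const uint8_t *prop, size_t len, const struct fw_provider *tab,
		  size_t ntab, struct fw_conf *out)
{
	size_t ncells = len / 4, idx = 0;

	out->count = 0;
	if (len % 4)
		return -1;
	while (idx < ncells) {
		const struct fw_provider *p = find_provider(tab, ntab, cell_at(prop, idx));
		struct fw_query *q = NULL;

		if (!p || p->cells > FW_MAX_ARGS || out->count == FW_MAX_QUERIES)
			return -1;
		if (ncells - idx < 1 + (size_t)p->cells)
			return -1;	/* entry would run past the property end */
		q = &out->q[out->count++];
		q->phandle = p->phandle;
		q->nargs = p->cells;
		for (unsigned int i = 0; i < p->cells; i++)
			q->args[i] = cell_at(prop, idx + 1 + i);
		idx += 1 + p->cells;
	}
	return 0;
}

/* Number of queries in a configuration that refer to one provider */
int fw_count_refs(const struct fw_conf *c, uint32_t phandle)
{
	int n = 0;

	for (size_t i = 0; i < c->count; i++)
		if (c->q[i].phandle == phandle)
			n++;
	return n;
}

/*
 * Apply every query. On failure returns -(index + 1) of the failing query so the
 * caller knows how much of the configuration was already loaded and can decide
 * whether to roll back, retry or abort.
 */
int fw_apply_conf(const struct fw_conf *c, fw_set_fn set)
{
	for (size_t i = 0; i < c->count; i++)
		if (set(&c->q[i]))
			return -(int)(i + 1);
	return 0;
}

/* Constructed sample: controller A (phandle 0x10, 2 cells), B (phandle 0x20, 1 cell) */
static const struct fw_provider sample_tab[] = { { 0x10, 2 }, { 0x20, 1 } };
#define CELL(x) 0, 0, 0, (x)
/* Encodes <&A 1 2>, <&B 7>, <&A 3 4> */
static const uint8_t sample_prop[] = {
	CELL(0x10), CELL(1), CELL(2), CELL(0x20), CELL(7), CELL(0x10), CELL(3), CELL(4),
};

/* Sample controller callback that refuses every query aimed at B */
static int reject_b(const struct fw_query *q) { return q->phandle == 0x20 ? -1 : 0; }

int demo_count(uint32_t phandle)
{
	struct fw_conf c;

	if (fw_parse_conf(sample_prop, sizeof(sample_prop), sample_tab, 2, &c))
		return -1;
	return fw_count_refs(&c, phandle);
}

int demo_truncated(void)	/* drop the last cell: final <&A 3 4> entry is incomplete */
{
	struct fw_conf c;

	return fw_parse_conf(sample_prop, sizeof(sample_prop) - 4, sample_tab, 2, &c);
}

int demo_apply(void)
{
	struct fw_conf c;

	if (fw_parse_conf(sample_prop, sizeof(sample_prop), sample_tab, 2, &c))
		return -1;
	return fw_apply_conf(&c, reject_b);
}

int main(void)
{
	printf("refs to A: %d, refs to B: %d\n", demo_count(0x10), demo_count(0x20));
	printf("truncated property: %d\n", demo_truncated());
	printf("apply with B rejecting: %d\n", demo_apply());
	return 0;
}
```

With the sample above, fw_count_refs() reports two references to A and one to B, the truncated property is rejected before any out-of-bounds read, and fw_apply_conf() returns -2 because the second query (index 1, aimed at B) failed after the first one had already been applied, which is exactly the partial-load situation the caller has to handle.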
Some nitpicking comments. Overall it looks OK to me.
return TEE_ERROR_DEFER_DRIVER_INIT; | ||
|
||
prv_cells = dt_driver_provider_cells(prv); | ||
*nb_element += 1; |
nitpicking: maybe (*nb_element)++
#include <trace.h> | ||
|
||
/* The firewall framework requires device tree support */ | ||
static_assert(IS_ENABLED(CFG_DT)); | ||
|
||
static TEE_Result firewall_get(struct dt_pargs *parg, void *data, | ||
struct firewall_query **out_fw) | ||
struct firewall_query *out_fw) |
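Review bot: changing the out parameter of firewall_get() from `struct firewall_query **out_fw` to `struct firewall_query *out_fw` moves ownership of the query storage to the caller, so every existing caller has to be updated to pass pre-allocated storage and nothing must free what it receives any more; this is an interface change to an existing function and should be stated in the commit log rather than folded silently into the configuration-API commit.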
Changes in firewall_get() / firewall_dt_get_by_index() deserve a specific commit IMHO.
As for the main change, since it modifies the existing firewall_set_configuration(), I think it should be stated in the commit log.
/* | ||
* In case of error, report it to the caller. Note that | ||
* the firewall configurations may be partially loaded. In such | ||
* case, it is the caller responsibility to decide what to do. |
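Review bot: the comment says the configuration "may be partially loaded" and leaves the decision to the caller, but the caller can only decide sensibly if the error path tells it how far loading got (for example which query index failed) or if the function rolls back what it applied; with a bare error code the caller cannot distinguish "nothing applied" from "all but the last applied", which matters for access-control state. Either document the exact guarantee here and in the firewall_set_configuration() description, or return enough information for the caller to act on it.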
This description should also be found in the firewall_set_configuration() inline description comment.
Keep alive (waiting for Linux feedback on the binding)
This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.
keep alive
This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.
Add a pattern property to allow a device to request an alternate access rights configuration to one or more firewall controllers. It allows run-time controller reconfiguration of access rights to an authorized entity, as used in OP-TEE OS [1].
Signed-off-by: Gatien Chevallier <[email protected]>
Link: OP-TEE/optee_os#6946 [1]
Add dedicated firewall device APIs for handling firewall configurations from the device tree. Firewall configurations are inseparable sets of one or more firewall queries.
These APIs are based on the ".*(?<=)-access-conf$" property. This property will be proposed in the Linux kernel.
While there, remove the check for foreign entities API as it seems unlikely it'll be used.
Edit: Link to kernel patch: https://lkml.org/lkml/2024/7/16/849