mbox series

[RESEND,0/2] Common protected-clocks implementation

Message ID 20200903040015.5627-1-samuel@sholland.org (mailing list archive)
Headers show
Series Common protected-clocks implementation | expand

Message

Samuel Holland Sept. 3, 2020, 4 a.m. UTC
Stephen, Maxime,

You previously asked me to implement the protected-clocks property in a
driver-independent way:

https://www.spinics.net/lists/arm-kernel/msg753832.html

I provided an implementation 6 months ago, which I am resending now:

https://patchwork.kernel.org/patch/11398629/

Do you have any comments on it?

Thanks,
Samuel

Samuel Holland (2):
  clk: Implement protected-clocks for all OF clock providers
  Revert "clk: qcom: Support 'protected-clocks' property"

 drivers/clk/clk-conf.c    | 54 +++++++++++++++++++++++++++++++++++++++
 drivers/clk/clk.c         | 31 ++++++++++++++++++++++
 drivers/clk/clk.h         |  2 ++
 drivers/clk/qcom/common.c | 18 -------------
 4 files changed, 87 insertions(+), 18 deletions(-)

Comments

Rasmus Villemoes March 9, 2021, 8:03 a.m. UTC | #1
On 03/09/2020 06.00, Samuel Holland wrote:
> Stephen, Maxime,
> 
> You previously asked me to implement the protected-clocks property in a
> driver-independent way:
> 
> https://www.spinics.net/lists/arm-kernel/msg753832.html
> 
> I provided an implementation 6 months ago, which I am resending now:
> 
> https://patchwork.kernel.org/patch/11398629/
> 
> Do you have any comments on it?

I'm also interested [1] in getting something like this supported in a
generic fashion - i.e., being able to mark a clock as
protected/critical/whatnot by just adding an appropriate property in the
clock provider's DT node, but without modifying the driver to opt-in to
handling it.

Now, as to this implementation, the commit 48d7f160b1 which added the
common protected-clocks binding says

  For example, on some Qualcomm firmwares reading or writing certain clk
  registers causes the entire system to reboot,

so I'm not sure handling protected-clocks by translating it to
CLK_CRITICAL and thus calling prepare/enable on it is the right thing to
do - clks that behave like above are truly "hands off, kernel", so the
current driver-specific implementation of simply not registering those
clocks seems to be the right thing to do - or at least the clk framework
would need to be taught to not actually call any methods on such
protected clocks.

For my use case, either "hands off kernel" or "make sure this clock is
enabled" would work since the bootloader anyway enables the clock.

Rasmus

[1]
https://lore.kernel.org/lkml/20210226141411.2517368-1-linux@rasmusvillemoes.dk/
Maxime Ripard March 10, 2021, 8:56 a.m. UTC | #2
Hi,

On Tue, Mar 09, 2021 at 09:03:14AM +0100, Rasmus Villemoes wrote:
> On 03/09/2020 06.00, Samuel Holland wrote:
> > Stephen, Maxime,
> > 
> > You previously asked me to implement the protected-clocks property in a
> > driver-independent way:
> > 
> > https://www.spinics.net/lists/arm-kernel/msg753832.html
> > 
> > I provided an implementation 6 months ago, which I am resending now:
> > 
> > https://patchwork.kernel.org/patch/11398629/
> > 
> > Do you have any comments on it?
> 
> I'm also interested [1] in getting something like this supported in a
> generic fashion - i.e., being able to mark a clock as
> protected/critical/whatnot by just adding an appropriate property in the
> clock provider's DT node, but without modifying the driver to opt-in to
> handling it.
> 
> Now, as to this implementation, the commit 48d7f160b1 which added the
> common protected-clocks binding says
> 
>   For example, on some Qualcomm firmwares reading or writing certain clk
>   registers causes the entire system to reboot,
> 
> so I'm not sure handling protected-clocks by translating it to
> CLK_CRITICAL and thus calling prepare/enable on it is the right thing to
> do - clks that behave like above are truly "hands off, kernel", so the
> current driver-specific implementation of simply not registering those
> clocks seems to be the right thing to do - or at least the clk framework
> would need to be taught to not actually call any methods on such
> protected clocks.

The idea to use CLK_CRITICAL was also there to allow any clock to be
marked as protected, and not just the root ones. Indeed, by just
ignoring that clock, the parent clock could end up in a situation where
it doesn't have any (registered) child and thus would be disabled,
disabling the ignored clock as well. Reparenting could cause the same
issue.

Calling clk_prepare_enable just allows the kernel to track that it (and
thus its parent) should never be disabled, ever.

> For my use case, either "hands off kernel" or "make sure this clock is
> enabled" would work since the bootloader anyway enables the clock.

The current protected clocks semantics have been that the clock
shouldn't be disabled by the kernel, but "hands off kernel" clocks imply
a slightly different one. I would expect that the bootloader in this
case wouldn't expect any parent or rate (or phase, or any other
parameter really) change, while it might be ok for some other use cases
(like the one Samuel was trying to address for example).

And even if we wanted the kernel to behave that way (making sure there's
no way to change the rate, parents, phase, etc.), the kernel would have
to have knowledge of it to also propagate that restriction to the whole
chain of parents.

Maxim
Samuel Holland March 10, 2021, 2:12 p.m. UTC | #3
On 3/10/21 2:56 AM, Maxime Ripard wrote:
> Hi,
> 
> On Tue, Mar 09, 2021 at 09:03:14AM +0100, Rasmus Villemoes wrote:
>> On 03/09/2020 06.00, Samuel Holland wrote:
>>> Stephen, Maxime,
>>>
>>> You previously asked me to implement the protected-clocks property in a
>>> driver-independent way:
>>>
>>> https://www.spinics.net/lists/arm-kernel/msg753832.html
>>>
>>> I provided an implementation 6 months ago, which I am resending now:
>>>
>>> https://patchwork.kernel.org/patch/11398629/
>>>
>>> Do you have any comments on it?
>>
>> I'm also interested [1] in getting something like this supported in a
>> generic fashion - i.e., being able to mark a clock as
>> protected/critical/whatnot by just adding an appropriate property in the
>> clock provider's DT node, but without modifying the driver to opt-in to
>> handling it.
>>
>> Now, as to this implementation, the commit 48d7f160b1 which added the
>> common protected-clocks binding says
>>
>>   For example, on some Qualcomm firmwares reading or writing certain clk
>>   registers causes the entire system to reboot,
>>
>> so I'm not sure handling protected-clocks by translating it to
>> CLK_CRITICAL and thus calling prepare/enable on it is the right thing to
>> do - clks that behave like above are truly "hands off, kernel", so the
>> current driver-specific implementation of simply not registering those
>> clocks seems to be the right thing to do - or at least the clk framework
>> would need to be taught to not actually call any methods on such
>> protected clocks.
> 
> The idea to use CLK_CRITICAL was also there to allow any clock to be
> marked as protected, and not just the root ones. Indeed, by just
> ignoring that clock, the parent clock could end up in a situation where
> it doesn't have any (registered) child and thus would be disabled,
> disabling the ignored clock as well. Reparenting could cause the same
> issue.
> 
> Calling clk_prepare_enable just allows the kernel to track that it (and
> thus its parent) should never be disabled, ever.
> 
>> For my use case, either "hands off kernel" or "make sure this clock is
>> enabled" would work since the bootloader anyway enables the clock.
> 
> The current protected clocks semantics have been that the clock
> shouldn't be disabled by the kernel, but "hands off kernel" clocks imply
> a slightly different one. I would expect that the bootloader in this
> case wouldn't expect any parent or rate (or phase, or any other
> parameter really) change, while it might be ok for some other use cases
> (like the one Samuel was trying to address for example).

Right. In my scenario, the clock is needed for MMIO access to a low-speed
peripheral. I don't care what the clock rate is as long as it keeps running.

When writing the patch, I initially protected the rate as well, but that had the
unintended effect of protecting the rate of every ancestor clock. Maybe you need
rate protection for a "hands off, kernel" type of clock? If so, ignoring the
clock at probe time does not work, because the kernel does not know to protect
its parent rate.

So it sounds like the Qualcomm case is less about "don't touch the clock output"
as it is "don't touch the clock control registers".

> And even if we wanted the kernel to behave that way (making sure there's
> no way to change the rate, parents, phase, etc.), the kernel would have
> to have knowledge of it to also propagate that restriction to the whole
> chain of parents.

Yes, you can set additional flags in __clk_protect() to achieve that:
CLK_SET_RATE_GATE, CLK_SET_PARENT_GATE. This is a bit of a trick; it relies on
CLK_IS_CRITICAL preventing the clock from ever being gated.

Cheers,
Samuel
Bjorn Andersson March 10, 2021, 8:13 p.m. UTC | #4
On Tue 09 Mar 02:03 CST 2021, Rasmus Villemoes wrote:

> On 03/09/2020 06.00, Samuel Holland wrote:
> > Stephen, Maxime,
> > 
> > You previously asked me to implement the protected-clocks property in a
> > driver-independent way:
> > 
> > https://www.spinics.net/lists/arm-kernel/msg753832.html
> > 
> > I provided an implementation 6 months ago, which I am resending now:
> > 
> > https://patchwork.kernel.org/patch/11398629/
> > 
> > Do you have any comments on it?
> 
> I'm also interested [1] in getting something like this supported in a
> generic fashion - i.e., being able to mark a clock as
> protected/critical/whatnot by just adding an appropriate property in the
> clock provider's DT node, but without modifying the driver to opt-in to
> handling it.
> 
> Now, as to this implementation, the commit 48d7f160b1 which added the
> common protected-clocks binding says
> 
>   For example, on some Qualcomm firmwares reading or writing certain clk
>   registers causes the entire system to reboot,
> 
> so I'm not sure handling protected-clocks by translating it to
> CLK_CRITICAL and thus calling prepare/enable on it is the right thing to
> do - clks that behave like above are truly "hands off, kernel", so the
> current driver-specific implementation of simply not registering those
> clocks seems to be the right thing to do - or at least the clk framework
> would need to be taught to not actually call any methods on such
> protected clocks.
> 

I can confirm that this is the case. Marking the clocks as critical does
not prevent the kernel from touching these registers so the boards where
this is used doesn't boot with the two patches applied.

> For my use case, either "hands off kernel" or "make sure this clock is
> enabled" would work since the bootloader anyway enables the clock.
> 

Our use case is that depending on firmware these platform might handle
some specific clocks in firmware or in the kernel, and in the prior case
security permissions are set up such that these registers are off limit
for the kernel.

Regards,
Bjorn

> Rasmus
> 
> [1]
> https://lore.kernel.org/lkml/20210226141411.2517368-1-linux@rasmusvillemoes.dk/
>