Alexandre Courbot
2016-Feb-15 08:40 UTC
[Nouveau] [PREVIEW] GM200/GM204 signed firmware for Nouveau
Hi everyone, I know, it's about f**king time and I apologize for the time it took us to finally put this together. m(__)m I have pushed two git branches which enable GM200 and GM204 (GM206 to follow soon) owners to finally load NVIDIA-provided signed firmware and start GR: - https://github.com/Gnurou/linux-firmware/tree/secboot contains the signed firmware for GM200 and GM204 (they are mostly the same). For each chip, "gr" contains the signed firmware for GR, and "acr" the signed firmware loader. ACR stands for Access Controlled Regions and is a secure firmware that runs on the PMU and is responsible for setting up a write-protected (WPR) region in VRAM where the other signed firmware can be verified and loaded without anyone tampering it. The ACR itself is also signed and verified by the hardware. More details on the signed firmware loading process can be found at ftp://download.nvidia.com/open-gpu-doc/Falcon-Security/1/Falcon-Security.html . This ACR binary is currently custom-built for Nouveau and allows to only load GR. This means that other falcons which require signed firmware (like PMU) cannot be used as of now. Our goal is to eventually have Nouveau use the same firmware as our own driver (RM), but this will take some more work. One of the obstacles being that since RM embeds the firmware, both can safely evolve in lockstep, while in the context of Nouveau we must make sure older kernels remain supported forever and either avoid incompatible changes or manage different firmware versions. - https://github.com/Gnurou/nouveau/tree/secboot is a Nouveau branch capable of loading the signed firmware. The patches are mostly in good shape and I hope that they will be merged once we iron out the last details about the firmware format, hopefully in time for 4.6. I still have issues with suspend/resume (module unload/reload works fine though) but hope to sort this out soon. To test this, checkout my linux-firmware secboot branch and copy it to /lib/firmware, then build Nouveau from the secboot branch of my repo and load it. If your console switches to nouveaufb and you don't see Nouveau complaining about ACR boot failing, congratulations! GR is now ready to work. You won't go much further though unless you can add support for Maxwell 2 into Mesa - but the changes for basic support are rather modest, and hopefully this pre-release will be enough to enable patches to land in Mesa. An official submit to linux-firmware will happen once we agree on the final firmware format and the kernel code is good to go. For now, please consider these branches as work-in-progress and do not distribute them or embed them anywhere to avoid compatiblity issues. Also update both together I as will heavily rebase in the next few days. So while we have still some work ahead, this at least unlocks a very unpleasant situation for everyone, and we will take further steps to keep improving it. Please test, hack Mesa, and comment on the kernel code so that we can get all this in time for 4.6! :) Cheers, Alex.
Ben Skeggs
2016-Feb-15 09:59 UTC
[Nouveau] [PREVIEW] GM200/GM204 signed firmware for Nouveau
On 15 Feb 2016 18:40, "Alexandre Courbot" <acourbot at nvidia.com> wrote:> > Hi everyone, > > I know, it's about f**king time and I apologize for the time it took usto finally put this together. m(__)m> > I have pushed two git branches which enable GM200 and GM204 (GM206 tofollow soon) owners to finally load NVIDIA-provided signed firmware and start GR:> > - https://github.com/Gnurou/linux-firmware/tree/secboot contains thesigned firmware for GM200 and GM204 (they are mostly the same). For each chip, "gr" contains the signed firmware for GR, and "acr" the signed firmware loader. ACR stands for Access Controlled Regions and is a secure firmware that runs on the PMU and is responsible for setting up a write-protected (WPR) region in VRAM where the other signed firmware can be verified and loaded without anyone tampering it. The ACR itself is also signed and verified by the hardware. More details on the signed firmware loading process can be found at ftp://download.nvidia.com/open-gpu-doc/Falcon-Security/1/Falcon-Security.html .> > This ACR binary is currently custom-built for Nouveau and allows to onlyload GR. This means that other falcons which require signed firmware (like PMU) cannot be used as of now. Our goal is to eventually have Nouveau use the same firmware as our own driver (RM), but this will take some more work. One of the obstacles being that since RM embeds the firmware, both can safely evolve in lockstep, while in the context of Nouveau we must make sure older kernels remain supported forever and either avoid incompatible changes or manage different firmware versions.> > - https://github.com/Gnurou/nouveau/tree/secboot is a Nouveau branchcapable of loading the signed firmware. The patches are mostly in good shape and I hope that they will be merged once we iron out the last details about the firmware format, hopefully in time for 4.6. I still have issues with suspend/resume (module unload/reload works fine though) but hope to sort this out soon.> > To test this, checkout my linux-firmware secboot branch and copy it to/lib/firmware, then build Nouveau from the secboot branch of my repo and load it. If your console switches to nouveaufb and you don't see Nouveau complaining about ACR boot failing, congratulations! GR is now ready to work. You won't go much further though unless you can add support for Maxwell 2 into Mesa - but the changes for basic support are rather modest, and hopefully this pre-release will be enough to enable patches to land in Mesa.> > An official submit to linux-firmware will happen once we agree on thefinal firmware format and the kernel code is good to go. For now, please consider these branches as work-in-progress and do not distribute them or embed them anywhere to avoid compatiblity issues. Also update both together I as will heavily rebase in the next few days.> > So while we have still some work ahead, this at least unlocks a veryunpleasant situation for everyone, and we will take further steps to keep improving it.> > Please test, hack Mesa, and comment on the kernel code so that we can getall this in time for 4.6! :) Thanks for this Alex! I'll attempt to post the Mesa patches tomorrow to get the ball rolling :) Ben.> > Cheers, > Alex. > _______________________________________________ > Nouveau mailing list > Nouveau at lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/nouveau-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.freedesktop.org/archives/nouveau/attachments/20160215/e37917a3/attachment.html>
Reasonably Related Threads
- [PATCH 0/8] Secure Boot refactoring
- [PATCH v3 00/11] nouveau: add secure boot support for dGPU and Tegra
- NVIDIA signed firmware release format
- [PATCH v4 0/33] Secure Boot refactoring / signed PMU firmware support for GM20B
- [PATCH v2 00/14] Secure Boot refactoring