core: firewall: add firewall framework #6837
Hi @GseoC,
Some comments below, mostly cosmetic. Thanks!
Updated with comments applied
7fe0a03 to 977993c
Updated with comments addressed. I also modified some of the comments a bit more. I can squash the commits on demand.
Some last comments. I'm fine with the proposed API. As for me, you can squash all fixup commits.
977993c to c9b153f
Updated with review commits squashed and comments applied
c9b153f to eff90e8
Updated with @etienne-lms's last suggestion
The API looks good to me. Last comment on trace messages. With that addressed,
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Add a generic firewall controller framework. The goal of this framework is to offer access control and configuration APIs, that are implemented in the firewall controllers drivers, to the firewall consumers. This framework requires an embedded device tree.

A firewall controller is an access controller [1]. It should register itself as a provider to the framework. Firewall controllers have the possibility to populate their bus according to defined firewall accesses defined in the "access-controllers" property in each of the device's node.

Any device that consumes one or more firewall should refer it/them in their "access-controllers" property. Arguments can be passed along with the phandle of the firewall controller(s).

Link: https://patchwork.kernel.org/project/linux-media/patch/20240105130404.301172-2-gatien.chevallier@foss.st.com/ [1]
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
eff90e8 to 3c172f9
Updated with last comments and review tag applied, thanks!
The need for such framework arises from the fact that there are multiple hardware firewalls implemented across multiple products. When it comes to firewalls, the purpose mostly stays the same: protect and filter hardware resources.
Add a firewall framework that offers:
- Firewall device consumers APIs to check, acquire accesses against firewall controllers and firewall reconfiguration as there are cases when a firewall configuration could be dynamic.
- Firewall controllers APIs to register/unregister to the framework and populate their bus.
This firewall framework relies on the access-controllers device tree binding that was acked in the Linux kernel and is present in the Linux-next branch.
How the arguments passed along with this property and how they're used by the controllers to filter the accesses or set configurations is platform-specific AND specific to the firewall controller. Meaning that all the filtering logic should be present in the firewall controller drivers. Firewall consumers do not have the knowledge on the controller and should rely on the device API.
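The consumer/controller split described above, sketched as an added example that is not code from this pull request or from OP-TEE: every name in it (`fw_query`, `fw_controller`, `fw_check_access`, the `demo_*` driver) is hypothetical, and the one-cell "peripheral ID" argument format is an assumption made for illustration.

```c
/* Added illustration with hypothetical names; not the framework's API. */
#include <stddef.h>
#include <stdint.h>

struct fw_controller;

/* What a consumer holds for one "access-controllers" entry */
struct fw_query {
	const struct fw_controller *ctrl;	/* resolved from the phandle */
	const uint32_t *args;			/* cells following the phandle */
	size_t arg_count;
};

/* Operations implemented by each firewall controller driver */
struct fw_controller {
	int (*check_access)(const struct fw_query *q);
	void *priv;				/* driver-private state */
};

/* Consumer-facing call: validate, then delegate; deny by default */
int fw_check_access(const struct fw_query *q)
{
	if (!q || !q->ctrl || !q->ctrl->check_access)
		return -1;
	return q->ctrl->check_access(q);
}

/* Demo driver (assumption): arg 0 is a peripheral ID, priv is a bitmap
 * of the IDs this execution context is allowed to access. */
static int demo_check_access(const struct fw_query *q)
{
	const uint32_t *allowed = q->ctrl->priv;

	if (!q->args || q->arg_count != 1 || q->args[0] >= 32)
		return -1;	/* malformed device tree arguments: refuse */
	return ((*allowed >> q->args[0]) & 1) ? 0 : -1;
}

static uint32_t demo_allowed_map = (1u << 3) | (1u << 7);	/* constructed */
static const struct fw_controller demo_ctrl = {
	.check_access = demo_check_access,
	.priv = &demo_allowed_map,
};

/* A consumer never inspects the argument: it only forwards it */
int demo_consumer_allowed(uint32_t periph_id)
{
	struct fw_query q = { &demo_ctrl, &periph_id, 1 };

	return fw_check_access(&q) == 0;
}
```

The argument cells stay opaque to the consumer, so a different controller can reinterpret them without any consumer change, and malformed arguments are refused in the driver rather than trusted.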