From: Achin Gupta <achin.gupta@arm.com>
To: Will Deacon <will@kernel.org>
Cc: Rob Herring <robh@kernel.org>,
Sudeep Holla <Sudeep.Holla@arm.com>,
"devicetree@vger.kernel.org" <devicetree@vger.kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Marc Zyngier <maz@kernel.org>, nd <nd@arm.com>
Subject: Re: [RFC PATCH 1/3] dt-bindings: Add ARM PSA FF binding for non-secure VM partitions
Date: Mon, 15 Jun 2020 17:48:14 +0100 [thread overview]
Message-ID: <20200615164814.GG46361@C02TC1ARHF1T> (raw)
In-Reply-To: <20200615115549.GB2694@willie-the-truck>
On Mon, Jun 15, 2020 at 12:55:49PM +0100, Will Deacon wrote:
> On Mon, Jun 15, 2020 at 12:42:20PM +0100, Achin Gupta wrote:
> > On Mon, Jun 15, 2020 at 10:51:34AM +0100, Will Deacon wrote:
> > > On Mon, Jun 15, 2020 at 10:16:39AM +0100, Achin Gupta wrote:
> > > > Right! FFA_PARTITION_INFO_GET is meant to help the FF-A driver in the kernel to
> > > > determine partition properties. It assumes that EL2 SW has already read each
> > > > partition's manifest and will reply to this ABI.
> > > >
> > > > IIUC, with protected KVM, this information will have to be a part of the
> > > > manifest that the KVM host consumes.
> > >
> > > The host does not consume the manifest directly -- instead, the bootloader
> > > will use the manifest to populate these DT nodes. Again, these are *only*
> > > for non-secure virtual partitions which are to be managed by KVM.
> >
> > Yes. Understand and agree. Manifest is an overloaded term. I was using it to
> > describe the DT nodes that the host will consume.
>
> Hmm, I think that conflates two things though because only the partitions
> managed by KVM will have DT nodes.
Sure. I am realising the need to maintain the distinction :o)
>
> > > > Separate topic, protected KVM does not get dibs on the manifest and it relies on
> > > > the KVM host to specify the address ranges for each partition? Does this not
> > > > mean that the KVM host can control the physical address space each partition
> > > > sees. This seems contrary to the isolation guarantees that protected KVM must
> > > > provide?
> > >
> > > The host is trusted during early boot, and gives up this trust after
> > > initialising EL2 fully. So roughly speaking, we:
> > >
> > > * Boot at EL2 and install a shim
> > > * Drop down to EL2 and start the host kernel
> > > * Before some initialisation (DT parsing, SMP bringup, etc)
> > > * Init KVM by calling back up to EL2 to install the full hypervisor
> > >
> > > At that point, the EL1 host is no longer trusted and the last call
> > > effectively "locks it out" from EL2.
> >
> > Ok. Protected KVM (PKVM) must create S2 tables when asked to setup a partition
> > by the Host. My main concern is if PKVM must trust the Host to provide the
> > correct physical address space ranges for a partition?
>
> Yes, but that all happens as part of KVM initialisation: the host parses
> the DT nodes and memory reservations, and then passes this information
> up to EL2.
Ok. Good to know this.
>
> > I guess your point is this is not a problem since PKVM can lock the Host out of
> > those address ranges in any case?
>
> It has to do this, regardless of how they are probed. Once KVM has
> initialised, the host will have a stage-2 which limits it to the memory that
> it is allowed to access.
Agree.
>
> > It is a bit counter intuitive that the Host gets to see and potentially
> > manipulate information that was verified and extracted by the bootloader from
> > the partition's manifest. This hapens before PKVM sees the same
> > information. Can't put my finger on what could go wrong though. Depends upon the
> > threat model too!
>
> I think you're trying too hard to separate the host from the EL2 code during
> early boot. Don't forget -- this is all part of the same binary payload that
> is loaded and initially run at EL2. Having the host take care of early boot
> /significantly/ reduces the amount of code at EL2, which has a very
> clear security benefit.
Fair point!
cheers,
Achin
>
> Will
next prev parent reply other threads:[~2020-06-15 16:48 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-01 9:45 [RFC PATCH 0/3] firmware: Add support for PSA FF-A interface Sudeep Holla
2020-06-01 9:45 ` [RFC PATCH 1/3] dt-bindings: Add ARM PSA FF binding for non-secure VM partitions Sudeep Holla
2020-06-09 22:35 ` Rob Herring
2020-06-10 7:43 ` Will Deacon
2020-06-10 13:56 ` Rob Herring
2020-06-11 15:46 ` Achin Gupta
2020-06-11 17:12 ` Will Deacon
2020-06-15 9:16 ` Achin Gupta
2020-06-15 9:51 ` Will Deacon
2020-06-15 11:42 ` Achin Gupta
2020-06-15 11:55 ` Will Deacon
2020-06-15 16:48 ` Achin Gupta [this message]
2020-06-10 8:32 ` Sudeep Holla
2020-06-01 9:45 ` [RFC PATCH 2/3] firmware: Add support for PSA FF-A transport for " Sudeep Holla
2020-07-09 22:15 ` Arve Hjønnevåg
2020-06-01 9:45 ` [RFC PATCH 3/3] firmware: Add example PSA FF-A non-secure VM partition Sudeep Holla
2020-06-04 13:37 ` [RFC PATCH 0/3] firmware: Add support for PSA FF-A interface Will Deacon
2020-06-09 17:41 ` Sudeep Holla
2020-06-10 7:57 ` Will Deacon
2020-06-10 8:10 ` Sudeep Holla
2020-06-15 11:38 ` Jens Wiklander
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200615164814.GG46361@C02TC1ARHF1T \
--to=achin.gupta@arm.com \
--cc=Sudeep.Holla@arm.com \
--cc=devicetree@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=nd@arm.com \
--cc=robh@kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).