From: Julien Grall <julien.grall@arm.com>
To: Volodymyr Babchuk <volodymyr_babchuk@epam.com>,
	xen-devel@lists.xen.org,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	George Dunlap <George.Dunlap@eu.citrix.com>,
	Ian Jackson <ian.jackson@eu.citrix.com>,
	Jan Beulich <jbeulich@suse.com>,
	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Tim Deegan <tim@xen.org>, Wei Liu <wei.liu2@citrix.com>,
	Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [PATCH v1 6/6] xsm: add tee access policy support
Date: Thu, 23 Aug 2018 15:08:13 +0100
Message-ID: <8fc6c862-c9bc-933b-1e56-913af1792bd2@arm.com>
In-Reply-To: <6165364e-f6ed-01e9-5106-b731362e6d3a@epam.com>



On 08/23/2018 02:57 PM, Volodymyr Babchuk wrote:
> Hi Julien,

Hi Volodymyr,


> On 23.08.18 16:43, Julien Grall wrote:
> 
>>
>> I don't think we should use XSM to enforce the use of TEE. This is
>> contradictory to your next patch where you let the user configure
>> OP-TEE for a given guest.
>>
>> IMHO, XSM should only be used to restrict usage of calls in a fine
>> grain. For an overall control, that should go through a DOMCTL to tell
>> Xen to initialize OP-TEE for that domain.
> 
> Just to be sure. You are proposing to add flag "TEE_ENABLED" for a 
> domain and set it during domain construction, based on configuration, 
> right?

I am suggesting another field xen_arch_domainconfig to tell whether TEE 
needs to be enabled.

> 
> What did you mean by "fine grain"?

XSM is mostly used to decide whether a given hypercall can be used by a 
domain. Here you use it to tell whether the whole TEE can be used for a 
domain.

You probably don't need any XSM for your use case here as you want the 
guest to access, if enabled, all the OP-TEE calls.

Cheers,

-- 
Julien Grall
