From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.1 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 004E9C47255 for ; Mon, 11 May 2020 10:27:21 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id C1F312082E for ; Mon, 11 May 2020 10:27:21 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=xen.org header.i=@xen.org header.b="3xgzBAkO" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C1F312082E Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=xen.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1jY5e8-0004X6-PN; Mon, 11 May 2020 10:26:52 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1jY5e7-0004X1-Sg for xen-devel@lists.xenproject.org; Mon, 11 May 2020 10:26:51 +0000 X-Inumbo-ID: ed4ef032-9371-11ea-9887-bc764e2007e4 Received: from mail.xenproject.org (unknown [104.130.215.37]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id ed4ef032-9371-11ea-9887-bc764e2007e4; Mon, 11 May 2020 10:26:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=GoavD/MUgf+PSwDniYE0pGVYwTzzjpu0yCLvKrwJIPM=; b=3xgzBAkOl6QCdU6GL3H0sdgjht W0wNbGQpmK7lOgAB9d0pULooLFtqPGe+GBIbwhl+ICacyIxrTVkL2foC7X2fn5fpIbqoW1LgPZoMN 1qK4qD6xH25nkYL/WAMRkcibTXaIY5HNow9vYOPexdr2RxBQZq0NmTwhQJNUqBne6XtQ=; Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1jY5e6-0003DG-Ga; Mon, 11 May 2020 10:26:50 +0000 Received: from [54.239.6.186] (helo=a483e7b01a66.ant.amazon.com) by xenbits.xenproject.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from ) id 1jY5e6-0000cZ-5E; Mon, 11 May 2020 10:26:50 +0000 Subject: Re: [PATCH] optee: immediately free buffers that are released by OP-TEE To: Andrew Cooper , Volodymyr Babchuk , "xen-devel@lists.xenproject.org" References: <20200506014246.3397490-1-volodymyr_babchuk@epam.com> <51b8c855-5e94-2829-a703-d43c84948120@xen.org> From: Julien Grall Message-ID: Date: Mon, 11 May 2020 11:26:48 +0100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 8bit X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: "tee-dev@lists.linaro.org" , Stefano Stabellini Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" Hi Andrew, On 11/05/2020 11:10, Andrew Cooper wrote: > On 11/05/2020 10:34, Julien Grall wrote: >> Hi Volodymyr, >> >> On 06/05/2020 02:44, Volodymyr Babchuk wrote: >>> Normal World can share buffer with OP-TEE for two reasons: >>> 1. Some client application wants to exchange data with TA >>> 2. OP-TEE asks for shared buffer for internal needs >>> >>> The second case was handle more strictly than necessary: >>> >>> 1. In RPC request OP-TEE asks for buffer >>> 2. NW allocates buffer and provides it via RPC response >>> 3. Xen pins pages and translates data >>> 4. Xen provides buffer to OP-TEE >>> 5. OP-TEE uses it >>> 6. OP-TEE sends request to free the buffer >>> 7. NW frees the buffer and sends the RPC response >>> 8. Xen unpins pages and forgets about the buffer >>> >>> The problem is that Xen should forget about buffer in between stages 6 >>> and 7. I.e. the right flow should be like this: >>> >>> 6. OP-TEE sends request to free the buffer >>> 7. Xen unpins pages and forgets about the buffer >>> 8. NW frees the buffer and sends the RPC response >>> >>> This is because OP-TEE internally frees the buffer before sending the >>> "free SHM buffer" request. So we have no reason to hold reference for >>> this buffer anymore. Moreover, in multiprocessor systems NW have time >>> to reuse buffer cookie for another buffer. Xen complained about this >>> and denied the new buffer registration. I have seen this issue while >>> running tests on iMX SoC. >>> >>> So, this patch basically corrects that behavior by freeing the buffer >>> earlier, when handling RPC return from OP-TEE. >>> >>> Signed-off-by: Volodymyr Babchuk >>> --- >>>   xen/arch/arm/tee/optee.c | 24 ++++++++++++++++++++---- >>>   1 file changed, 20 insertions(+), 4 deletions(-) >>> >>> diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c >>> index 6a035355db..af19fc31f8 100644 >>> --- a/xen/arch/arm/tee/optee.c >>> +++ b/xen/arch/arm/tee/optee.c >>> @@ -1099,6 +1099,26 @@ static int handle_rpc_return(struct >>> optee_domain *ctx, >>>           if ( shm_rpc->xen_arg->cmd == OPTEE_RPC_CMD_SHM_ALLOC ) >>>               call->rpc_buffer_type = >>> shm_rpc->xen_arg->params[0].u.value.a; >>>   +        /* >>> +         * OP-TEE signals that it frees the buffer that it requested >>> +         * before. This is the right for us to do the same. >>> +         */ >>> +        if ( shm_rpc->xen_arg->cmd == OPTEE_RPC_CMD_SHM_FREE ) >>> +        { >>> +            uint64_t cookie = shm_rpc->xen_arg->params[0].u.value.b; >>> + >>> +            free_optee_shm_buf(ctx, cookie); >>> + >>> +            /* >>> +             * This should never happen. We have a bug either in the >>> +             * OP-TEE or in the mediator. >>> +             */ >>> +            if ( call->rpc_data_cookie && call->rpc_data_cookie != >>> cookie ) >>> +                gprintk(XENLOG_ERR, >>> +                        "Saved RPC cookie does not corresponds to >>> OP-TEE's (%"PRIx64" != %"PRIx64")\n", >> >> s/corresponds/correspond/ >> >>> +                        call->rpc_data_cookie, cookie); >> >> IIUC, if you free the wrong SHM buffer then your guest is likely to be >> running incorrectly afterwards. So shouldn't we crash the guest to >> avoid further issue? > > No - crashing the guest prohibits testing of the interface, and/or the > guest realising it screwed up and dumping enough state to usefully debug > what is going on. The comment in the code suggests it is a bug in the OP-TEE/mediator: /* * This should never happen. We have a bug either in the * OP-TEE or in the mediator. */ So I am not sure why this would be the guest fault here. > > Furthermore, if userspace could trigger this path, we'd have to issue an > XSA. Why so? We don't issue XSAs for hypercalls issued through privcmd. While this is not hypercalls but close enough as this is using smc (Supervisor Mode Call) and hvc. Both are only accessible from kernel mode. > > Crashing the guest is almost never the right thing to do, and definitely > not appropriate for a bad parameter. AFAICT, the bad parameter is not from the guest but OP-TEE firmware (or mediator) itself. If OP-TEE/mediator is returning buggy value, then it may mean you break the isolation. So I don't think simply printing a message and continue is the right thing to do. Cheers, -- Julien Grall