[Xen-devel] [PATCH v7 0/5] TEE mediator (and OP-TEE) support in XEN

[Xen-devel] [PATCH v7 0/5] TEE mediator (and OP-TEE) support in XEN

[Volodymyr Babchuk]

Hello community,

Please find new version of OP-TEE patch series. This is the kind of
follow-up for the previous version, as most of the patches of the
previous version were commited.

This series includes leftovers of the prev. version and three new patches.
One of the new patches adds a way to detect if OP-TEE were build
with virtualization support and two others bear cosmetic changes to
Kconfig files.

This patches also can  be pulled from [4]

==
Changes in v7:
 - 8 of 10 patches were commited
 - New patch "xen/arm: tee: place OP-TEE Kconfig option right after TEE"
   places options in menuconfig in more natural way
 - New patch "xen/arm: optee: check if OP-TEE is virtualization-aware"
   ensues that OP-TEE is virtualization-aware
 - New patch "xen/arm: optee: document OPTEE option in tee/Kconfig"
   add short description of OP-TEE mediator
 - Documentation in "tools/arm: tee: add "tee" option for xl.cfg"
   was updated

===
Changes in v6:
 - Series rebased to staging branch instead of master one.
 - OP-TEE protocol headers was taken from OP-TEE tree instead of
   Linux one
 - Added acked-by tags
 - Fixed (and tested) issue when XEN would not boot if it is build
   with CONFIG_TEE=n

====
Changes in v5:
 - Substantial rework of OP-TEE mediator. Now it tries to return meaningful
   error codes back to the guest.
 - OP-TEE mediator does not use struct cpu_user_regs as a storage for
   parameters and return values when calling OP-TEE. This makes it
   compatbile with requirement from SMCCC.
 - tee=native option replaced with tee=optee
 - Authorship and s-o-b tag reset to my EPAM mail address

====
Changes in v4:
 - Patch "arm: add tee_enabled flag to xen_arch_domainconfig" was
   squashed into "xen/arm: add generic TEE mediator framework"
 - I implemented more elaborate error repoting to a guest. Now guest
   will get meaningful error codes instead of generic
   ARM_SMCCC_ERR_UNKNOWN_FUNCTION.

====
Changes in v3:
 - Use domain flags insted of domctl interface to enable optee for guests
 - Remove patch "libxc: add xc_dom_tee_enable(...) function" because
   of previous change
 - Mediator now stores own context in arch part of struct domain, so
   I removed patch "optee: add domain contexts"

====
Changes in v2:

This is v2 of patch series for OP-TEE mediator support in XEN. Changes from v1:

 - Added domctl interface, so now xl decides what domain should work with TEE
 - Removed XSM support due to change described above
 - Patch with OP-TEE mediator was splited to 7 separate patches
 - Removed patch with call_smccc() function. Now this series depend on
   Julien Grall's series "xen/arm: SMCCC fixup and improvement" [3]

=====
v1:

This is follow for patch series [1]. There was lots of discussions
for that series and I tried to address all of them in this new patchset.

Currently, I had a working solution for OP-TEE virtualization and it is being
upstreamed right now ([2]). So, I think it is a good time to introduce support
in XEN as well.

This series include generic TEE mediator framework and full-scale OP-TEE mediator
which is working with mentioned chages in OP-TEE. So, multiple domains can
work simultaneously with OP-TEE.

I added XSM support, so now it is possible to control which domains can work
with TEEs. Also I changed way how TEE discovery is done. Now  it is very
generic and should support any platform.

[1] https://lists.xenproject.org/archives/html/xen-devel/2017-10/msg01451.html
[2] https://github.com/OP-TEE/optee_os/pull/2370
[3] https://lists.xenproject.org/archives/html/xen-devel/2018-08/msg02138.html
[4] https://github.com/lorc/xen/tree/optee_v7

Volodymyr Babchuk (5):
  tools/arm: tee: add "tee" option for xl.cfg
  tools/arm: optee: create optee firmware node in DT if tee=optee
  xen/arm: tee: place OP-TEE Kconfig option right after TEE
  xen/arm: optee: check if OP-TEE is virtualization-aware
  xen/arm: optee: document OPTEE option in tee/Kconfig

 docs/man/xl.cfg.5.pod.in    | 29 +++++++++++++++++++++++++
 tools/libxl/libxl.h         |  5 +++++
 tools/libxl/libxl_arm.c     | 42 +++++++++++++++++++++++++++++++++++++
 tools/libxl/libxl_types.idl |  6 ++++++
 tools/xl/xl_parse.c         |  9 ++++++++
 xen/arch/arm/Kconfig        |  4 ++--
 xen/arch/arm/tee/Kconfig    |  5 +++++
 xen/arch/arm/tee/optee.c    | 10 +++++++++
 8 files changed, 108 insertions(+), 2 deletions(-)

-- 
2.21.0

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] [PATCH v7 1/5] tools/arm: tee: add "tee" option for xl.cfg

[Volodymyr Babchuk]

This enumeration controls TEE type for a domain. Currently there is
two possible options: either 'none' or 'optee'.

'none' is the default value and it basically disables TEE support at
all.

'optee' enables access to the OP-TEE running on a host machine. This
requires special OP-TEE build with virtualization support enabled.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>

---

 Changes from v6:
  - Updated documentation according to Julien Grall's suggestions,
    add link to OP-TEE documentation

 Changes from v5:
  - Replaced "native" with "optee" in the commit description.
  - Updated and extended documentation based on Julien Grall's
    and Ian Jackson's suggestions.

 Changes from v4:
  - "native" option was replaced with "optee"
  - "tee" property was moved from arch-specific section to the
     global one. Documentation moved inside "Devices" section.

 Changes from v3:
  - tee_enabled renamed to tee_type. Currently two types are supported
    as described in the commit message
  - Add LIBXL_HAVE_BUILDINFO_ARCH_ARM_TEE definition

 Changes from v2:
  - Use arch.tee_enabled instead of separate domctl
---
 docs/man/xl.cfg.5.pod.in    | 29 +++++++++++++++++++++++++++++
 tools/libxl/libxl.h         |  5 +++++
 tools/libxl/libxl_arm.c     | 13 +++++++++++++
 tools/libxl/libxl_types.idl |  6 ++++++
 tools/xl/xl_parse.c         |  9 +++++++++
 5 files changed, 62 insertions(+)

diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
index c99d40307e..e71b3b411d 100644
--- a/docs/man/xl.cfg.5.pod.in
+++ b/docs/man/xl.cfg.5.pod.in
@@ -1544,6 +1544,35 @@ Set maximum height for pointer device.
 
 =back
 
+=item B<tee="STRING">
+
+B<Arm only.> Set TEE type for the guest. TEE is a Trusted Execution
+Environment -- separate secure OS found on some platforms. B<STRING> can be one of the:
+
+=over 4
+
+=item B<none>
+
+"Don't allow the guest to use TEE if present on the platform. This is
+the default value.
+
+=item B<optee>
+
+Allow a guest to access the host OP-TEE OS. Xen will mediate the
+access to OP-TEE and the resource isolation will be provided directly
+by OP-TEE. OP-TEE itself may limit the number of guests that can
+concurrently use it. This requires a virtualization-aware OP-TEE for
+this to work.
+
+You can refer to
+L<OP-TEE documentation|https://optee.readthedocs.io/architecture/virtualization.html>
+for more information about how to enable and configure virtualization support
+in OP-TEE.
+
+This feature is a B<technology preview>.
+
+=back
+
 =back
 
 =head2 Paravirtualised (PV) Guest Specific Options
diff --git a/tools/libxl/libxl.h b/tools/libxl/libxl.h
index 9bacfb97f0..1fe6ea2bd8 100644
--- a/tools/libxl/libxl.h
+++ b/tools/libxl/libxl.h
@@ -273,6 +273,11 @@
  */
 #define LIBXL_HAVE_BUILDINFO_ARM_GIC_VERSION 1
 
+/*
+ * libxl_domain_build_info has the arch_arm.tee field.
+ */
+#define LIBXL_HAVE_BUILDINFO_ARCH_ARM_TEE 1
+
 /*
  * LIBXL_HAVE_SOFT_RESET indicates that libxl supports performing
  * 'soft reset' for domains and there is 'soft_reset' shutdown reason
diff --git a/tools/libxl/libxl_arm.c b/tools/libxl/libxl_arm.c
index 141e159043..6b72c00960 100644
--- a/tools/libxl/libxl_arm.c
+++ b/tools/libxl/libxl_arm.c
@@ -89,6 +89,19 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc,
         return ERROR_FAIL;
     }
 
+    switch (d_config->b_info.tee) {
+    case LIBXL_TEE_TYPE_NONE:
+        config->arch.tee_type = XEN_DOMCTL_CONFIG_TEE_NONE;
+        break;
+    case LIBXL_TEE_TYPE_OPTEE:
+        config->arch.tee_type = XEN_DOMCTL_CONFIG_TEE_OPTEE;
+        break;
+    default:
+        LOG(ERROR, "Unknown TEE type %d",
+            d_config->b_info.tee);
+        return ERROR_FAIL;
+    }
+
     return 0;
 }
 
diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
index b61399ce36..fa5ee65463 100644
--- a/tools/libxl/libxl_types.idl
+++ b/tools/libxl/libxl_types.idl
@@ -460,6 +460,11 @@ libxl_gic_version = Enumeration("gic_version", [
     (0x30, "v3")
     ], init_val = "LIBXL_GIC_VERSION_DEFAULT")
 
+libxl_tee_type = Enumeration("tee_type", [
+    (0, "none"),
+    (1, "optee")
+    ], init_val = "LIBXL_TEE_TYPE_NONE")
+
 libxl_rdm_reserve = Struct("rdm_reserve", [
     ("strategy",    libxl_rdm_reserve_strategy),
     ("policy",      libxl_rdm_reserve_policy),
@@ -537,6 +542,7 @@ libxl_domain_build_info = Struct("domain_build_info",[
     ("nested_hvm",       libxl_defbool),
     ("apic",             libxl_defbool),
     ("dm_restrict",      libxl_defbool),
+    ("tee",              libxl_tee_type),
     ("u", KeyedUnion(None, libxl_domain_type, "type",
                 [("hvm", Struct(None, [("firmware",         string),
                                        ("bios",             libxl_bios_type),
diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c
index e105bda2bb..0604374ef3 100644
--- a/tools/xl/xl_parse.c
+++ b/tools/xl/xl_parse.c
@@ -2691,6 +2691,15 @@ skip_usbdev:
         }
     }
 
+    if (!xlu_cfg_get_string (config, "tee", &buf, 1)) {
+        e = libxl_tee_type_from_string(buf, &b_info->tee);
+        if (e) {
+            fprintf(stderr,
+                    "Unknown tee \"%s\" specified\n", buf);
+            exit(-ERROR_FAIL);
+        }
+    }
+
     parse_vkb_list(config, d_config);
 
     xlu_cfg_destroy(config);
-- 
2.21.0

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH v7 1/5] tools/arm: tee: add "tee" option for xl.cfg

[Volodymyr Babchuk]

Hello Ian,

Do you have a couple of minutes to check this and the following patches?

> This enumeration controls TEE type for a domain. Currently there is
> two possible options: either 'none' or 'optee'.
>
> 'none' is the default value and it basically disables TEE support at
> all.
>
> 'optee' enables access to the OP-TEE running on a host machine. This
> requires special OP-TEE build with virtualization support enabled.
>
> Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
>
> ---
>
>  Changes from v6:
>   - Updated documentation according to Julien Grall's suggestions,
>     add link to OP-TEE documentation
>
>  Changes from v5:
>   - Replaced "native" with "optee" in the commit description.
>   - Updated and extended documentation based on Julien Grall's
>     and Ian Jackson's suggestions.
>
>  Changes from v4:
>   - "native" option was replaced with "optee"
>   - "tee" property was moved from arch-specific section to the
>      global one. Documentation moved inside "Devices" section.
>
>  Changes from v3:
>   - tee_enabled renamed to tee_type. Currently two types are supported
>     as described in the commit message
>   - Add LIBXL_HAVE_BUILDINFO_ARCH_ARM_TEE definition
>
>  Changes from v2:
>   - Use arch.tee_enabled instead of separate domctl
> ---
>  docs/man/xl.cfg.5.pod.in    | 29 +++++++++++++++++++++++++++++
>  tools/libxl/libxl.h         |  5 +++++
>  tools/libxl/libxl_arm.c     | 13 +++++++++++++
>  tools/libxl/libxl_types.idl |  6 ++++++
>  tools/xl/xl_parse.c         |  9 +++++++++
>  5 files changed, 62 insertions(+)
>
> diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
> index c99d40307e..e71b3b411d 100644
> --- a/docs/man/xl.cfg.5.pod.in
> +++ b/docs/man/xl.cfg.5.pod.in
> @@ -1544,6 +1544,35 @@ Set maximum height for pointer device.
>  
>  =back
>  
> +=item B<tee="STRING">
> +
> +B<Arm only.> Set TEE type for the guest. TEE is a Trusted Execution
> +Environment -- separate secure OS found on some platforms. B<STRING> can be one of the:
> +
> +=over 4
> +
> +=item B<none>
> +
> +"Don't allow the guest to use TEE if present on the platform. This is
> +the default value.
> +
> +=item B<optee>
> +
> +Allow a guest to access the host OP-TEE OS. Xen will mediate the
> +access to OP-TEE and the resource isolation will be provided directly
> +by OP-TEE. OP-TEE itself may limit the number of guests that can
> +concurrently use it. This requires a virtualization-aware OP-TEE for
> +this to work.
> +
> +You can refer to
> +L<OP-TEE documentation|https://optee.readthedocs.io/architecture/virtualization.html>
> +for more information about how to enable and configure virtualization support
> +in OP-TEE.
> +
> +This feature is a B<technology preview>.
> +
> +=back
> +
>  =back
>  
>  =head2 Paravirtualised (PV) Guest Specific Options
> diff --git a/tools/libxl/libxl.h b/tools/libxl/libxl.h
> index 9bacfb97f0..1fe6ea2bd8 100644
> --- a/tools/libxl/libxl.h
> +++ b/tools/libxl/libxl.h
> @@ -273,6 +273,11 @@
>   */
>  #define LIBXL_HAVE_BUILDINFO_ARM_GIC_VERSION 1
>  
> +/*
> + * libxl_domain_build_info has the arch_arm.tee field.
> + */
> +#define LIBXL_HAVE_BUILDINFO_ARCH_ARM_TEE 1
> +
>  /*
>   * LIBXL_HAVE_SOFT_RESET indicates that libxl supports performing
>   * 'soft reset' for domains and there is 'soft_reset' shutdown reason
> diff --git a/tools/libxl/libxl_arm.c b/tools/libxl/libxl_arm.c
> index 141e159043..6b72c00960 100644
> --- a/tools/libxl/libxl_arm.c
> +++ b/tools/libxl/libxl_arm.c
> @@ -89,6 +89,19 @@ int libxl__arch_domain_prepare_config(libxl__gc *gc,
>          return ERROR_FAIL;
>      }
>  
> +    switch (d_config->b_info.tee) {
> +    case LIBXL_TEE_TYPE_NONE:
> +        config->arch.tee_type = XEN_DOMCTL_CONFIG_TEE_NONE;
> +        break;
> +    case LIBXL_TEE_TYPE_OPTEE:
> +        config->arch.tee_type = XEN_DOMCTL_CONFIG_TEE_OPTEE;
> +        break;
> +    default:
> +        LOG(ERROR, "Unknown TEE type %d",
> +            d_config->b_info.tee);
> +        return ERROR_FAIL;
> +    }
> +
>      return 0;
>  }
>  
> diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
> index b61399ce36..fa5ee65463 100644
> --- a/tools/libxl/libxl_types.idl
> +++ b/tools/libxl/libxl_types.idl
> @@ -460,6 +460,11 @@ libxl_gic_version = Enumeration("gic_version", [
>      (0x30, "v3")
>      ], init_val = "LIBXL_GIC_VERSION_DEFAULT")
>  
> +libxl_tee_type = Enumeration("tee_type", [
> +    (0, "none"),
> +    (1, "optee")
> +    ], init_val = "LIBXL_TEE_TYPE_NONE")
> +
>  libxl_rdm_reserve = Struct("rdm_reserve", [
>      ("strategy",    libxl_rdm_reserve_strategy),
>      ("policy",      libxl_rdm_reserve_policy),
> @@ -537,6 +542,7 @@ libxl_domain_build_info = Struct("domain_build_info",[
>      ("nested_hvm",       libxl_defbool),
>      ("apic",             libxl_defbool),
>      ("dm_restrict",      libxl_defbool),
> +    ("tee",              libxl_tee_type),
>      ("u", KeyedUnion(None, libxl_domain_type, "type",
>                  [("hvm", Struct(None, [("firmware",         string),
>                                         ("bios",             libxl_bios_type),
> diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c
> index e105bda2bb..0604374ef3 100644
> --- a/tools/xl/xl_parse.c
> +++ b/tools/xl/xl_parse.c
> @@ -2691,6 +2691,15 @@ skip_usbdev:
>          }
>      }
>  
> +    if (!xlu_cfg_get_string (config, "tee", &buf, 1)) {
> +        e = libxl_tee_type_from_string(buf, &b_info->tee);
> +        if (e) {
> +            fprintf(stderr,
> +                    "Unknown tee \"%s\" specified\n", buf);
> +            exit(-ERROR_FAIL);
> +        }
> +    }
> +
>      parse_vkb_list(config, d_config);
>  
>      xlu_cfg_destroy(config);


-- 
Volodymyr Babchuk at EPAM
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH v7 1/5] tools/arm: tee: add "tee" option for xl.cfg

[Ian Jackson]

Volodymyr Babchuk writes ("[PATCH v7 1/5] tools/arm: tee: add "tee" option for xl.cfg"):
> This enumeration controls TEE type for a domain. Currently there is
> two possible options: either 'none' or 'optee'.
> 
> 'none' is the default value and it basically disables TEE support at
> all.
> 
> 'optee' enables access to the OP-TEE running on a host machine. This
> requires special OP-TEE build with virtualization support enabled.

Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] [PATCH v7 2/5] tools/arm: optee: create optee firmware node in DT if tee=optee

[Volodymyr Babchuk]

If TEE support is enabled with "tee=optee" option in xl.cfg,
then we need to inform guest about available TEE, by creating
corresponding node in the guest's device tree.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

---
 This patch depends on patches to optee.c.

 Changes from v4:
  - "native" option replaced with "optee"

 Changes from v3:
  - "smc" method replaced with "hvc"
  - Coding style fixes
---
 tools/libxl/libxl_arm.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/tools/libxl/libxl_arm.c b/tools/libxl/libxl_arm.c
index 6b72c00960..bf31b9b3ca 100644
--- a/tools/libxl/libxl_arm.c
+++ b/tools/libxl/libxl_arm.c
@@ -420,6 +420,32 @@ static int make_psci_node(libxl__gc *gc, void *fdt)
     return 0;
 }
 
+static int make_optee_node(libxl__gc *gc, void *fdt)
+{
+    int res;
+    LOG(DEBUG, "Creating OP-TEE node in dtb");
+
+    res = fdt_begin_node(fdt, "firmware");
+    if (res) return res;
+
+    res = fdt_begin_node(fdt, "optee");
+    if (res) return res;
+
+    res = fdt_property_compat(gc, fdt, 1, "linaro,optee-tz");
+    if (res) return res;
+
+    res = fdt_property_string(fdt, "method", "hvc");
+    if (res) return res;
+
+    res = fdt_end_node(fdt);
+    if (res) return res;
+
+    res = fdt_end_node(fdt);
+    if (res) return res;
+
+    return 0;
+}
+
 static int make_memory_nodes(libxl__gc *gc, void *fdt,
                              const struct xc_dom_image *dom)
 {
@@ -933,6 +959,9 @@ next_resize:
         if (info->arch_arm.vuart == LIBXL_VUART_TYPE_SBSA_UART)
             FDT( make_vpl011_uart_node(gc, fdt, ainfo, dom) );
 
+        if (info->tee == LIBXL_TEE_TYPE_OPTEE)
+            FDT( make_optee_node(gc, fdt) );
+
         if (pfdt)
             FDT( copy_partial_fdt(gc, fdt, pfdt) );
 
-- 
2.21.0

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] [PATCH v7 3/5] xen/arm: tee: place OP-TEE Kconfig option right after TEE

[Volodymyr Babchuk]

It is nicer, when options for particular TEE mediators (currently,
OP-TEE only) are following generic "Enable TEE mediators support"
option in the menuconfig:

 [*] Enable TEE mediators support
 [ ]   Enable OP-TEE mediator

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
---
 xen/arch/arm/Kconfig | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
index 04d399ffbf..c2db2a6953 100644
--- a/xen/arch/arm/Kconfig
+++ b/xen/arch/arm/Kconfig
@@ -113,6 +113,8 @@ config TEE
 	  This option enables generic TEE mediators support. It allows guests
 	  to access real TEE via one of TEE mediators implemented in XEN.
 
+source "arch/arm/tee/Kconfig"
+
 endmenu
 
 menu "ARM errata workaround via the alternative framework"
@@ -238,5 +240,3 @@ source "arch/arm/platforms/Kconfig"
 source "common/Kconfig"
 
 source "drivers/Kconfig"
-
-source "arch/arm/tee/Kconfig"
-- 
2.21.0

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH v7 3/5] xen/arm: tee: place OP-TEE Kconfig option right after TEE

[Julien Grall]

Hi Volodymyr,

On 6/19/19 6:54 PM, Volodymyr Babchuk wrote:
> It is nicer, when options for particular TEE mediators (currently,
> OP-TEE only) are following generic "Enable TEE mediators support"
> option in the menuconfig:
> 
>   [*] Enable TEE mediators support
>   [ ]   Enable OP-TEE mediator
> 
> Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>

Reviewed-by: Julien Grall <julien.grall@arm.com>

Cheers,

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] [PATCH v7 4/5] xen/arm: optee: check if OP-TEE is virtualization-aware

[Volodymyr Babchuk]

This is workaround for OP-TEE 3.5. This is the first OP-TEE release
which supports virtualization, but there is no way to tell if
OP-TEE was built with that support enabled. We can probe for it
by calling SMC that is available only when OP-TEE is built with
virtualization support.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
---
 xen/arch/arm/tee/optee.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c
index 28d34360fc..14381d6b2d 100644
--- a/xen/arch/arm/tee/optee.c
+++ b/xen/arch/arm/tee/optee.c
@@ -172,6 +172,16 @@ static bool optee_probe(void)
         return false;
     }
 
+    /*
+     * Workaround: OP-TEE 3.5 have no way to tell if it is build with
+     * virtualization support. But we can probe for OPTEE_SMC_VM_DESTROYED
+     * call. It will return OPTEE_SMC_RETURN_UNKNOWN_FUNCTION if
+     * OP-TEE have no virtualization support enabled.
+     */
+    arm_smccc_smc(OPTEE_SMC_VM_DESTROYED, 0, 0, 0, 0, 0, 0, 0, &resp);
+    if ( resp.a0 == OPTEE_SMC_RETURN_UNKNOWN_FUNCTION )
+        return false;
+
     return true;
 }
 
-- 
2.21.0

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH v7 4/5] xen/arm: optee: check if OP-TEE is virtualization-aware

[Julien Grall]

Hi Volodymyr,

On 6/19/19 6:54 PM, Volodymyr Babchuk wrote:
> This is workaround for OP-TEE 3.5. This is the first OP-TEE release
> which supports virtualization, but there is no way to tell if
> OP-TEE was built with that support enabled. We can probe for it
> by calling SMC that is available only when OP-TEE is built with
> virtualization support.
> 
> Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>

Acked-by: Julien Grall <julien.grall@arm.com>

Cheers,

> ---
>   xen/arch/arm/tee/optee.c | 10 ++++++++++
>   1 file changed, 10 insertions(+)
> 
> diff --git a/xen/arch/arm/tee/optee.c b/xen/arch/arm/tee/optee.c
> index 28d34360fc..14381d6b2d 100644
> --- a/xen/arch/arm/tee/optee.c
> +++ b/xen/arch/arm/tee/optee.c
> @@ -172,6 +172,16 @@ static bool optee_probe(void)
>           return false;
>       }
>   
> +    /*
> +     * Workaround: OP-TEE 3.5 have no way to tell if it is build with
> +     * virtualization support. But we can probe for OPTEE_SMC_VM_DESTROYED
> +     * call. It will return OPTEE_SMC_RETURN_UNKNOWN_FUNCTION if
> +     * OP-TEE have no virtualization support enabled.
> +     */
> +    arm_smccc_smc(OPTEE_SMC_VM_DESTROYED, 0, 0, 0, 0, 0, 0, 0, &resp);
> +    if ( resp.a0 == OPTEE_SMC_RETURN_UNKNOWN_FUNCTION )
> +        return false;
> +
>       return true;
>   }
>   
> 

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] [PATCH v7 5/5] xen/arm: optee: document OPTEE option in tee/Kconfig

[Volodymyr Babchuk]

Add basic information about the OP-TEE mediator and note about
dependency on virtualization-aware OP-TEE.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
---
 xen/arch/arm/tee/Kconfig | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/xen/arch/arm/tee/Kconfig b/xen/arch/arm/tee/Kconfig
index 5b829db2e9..b4b6aa2610 100644
--- a/xen/arch/arm/tee/Kconfig
+++ b/xen/arch/arm/tee/Kconfig
@@ -2,3 +2,8 @@ config OPTEE
 	bool "Enable OP-TEE mediator"
 	default n
 	depends on TEE
+	help
+	  Enable experimental OP-TEE mediator. It allows guests to access
+	  OP-TEE running on your platform. This requires virtualization-enabled
+	  OP-TEE present. You can learn more about virtualization for OP-TEE
+	  at https://optee.readthedocs.io/architecture/virtualization.html
-- 
2.21.0

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH v7 5/5] xen/arm: optee: document OPTEE option in tee/Kconfig

[Julien Grall]

Hi Volodymyr,

On 6/19/19 6:54 PM, Volodymyr Babchuk wrote:
> Add basic information about the OP-TEE mediator and note about
> dependency on virtualization-aware OP-TEE.
> 
> Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>

Acked-by: Julien Grall <julien.grall@arm.com>

Cheers,

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH v7 0/5] TEE mediator (and OP-TEE) support in XEN

[Julien Grall]

Hi,

On 19/06/2019 18:53, Volodymyr Babchuk wrote:
> Volodymyr Babchuk (5):
>    tools/arm: tee: add "tee" option for xl.cfg
>    tools/arm: optee: create optee firmware node in DT if tee=optee
>    xen/arm: tee: place OP-TEE Kconfig option right after TEE
>    xen/arm: optee: check if OP-TEE is virtualization-aware
>    xen/arm: optee: document OPTEE option in tee/Kconfig

This series is now fully committed. Thank you for the contribution!

Cheers,

> 
>   docs/man/xl.cfg.5.pod.in    | 29 +++++++++++++++++++++++++
>   tools/libxl/libxl.h         |  5 +++++
>   tools/libxl/libxl_arm.c     | 42 +++++++++++++++++++++++++++++++++++++
>   tools/libxl/libxl_types.idl |  6 ++++++
>   tools/xl/xl_parse.c         |  9 ++++++++
>   xen/arch/arm/Kconfig        |  4 ++--
>   xen/arch/arm/tee/Kconfig    |  5 +++++
>   xen/arch/arm/tee/optee.c    | 10 +++++++++
>   8 files changed, 108 insertions(+), 2 deletions(-)
> 

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel