From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
To: Tamas K Lengyel <tamas.k.lengyel@gmail.com>
Cc: "Edgar E. Iglesias" <edgar.iglesias@gmail.com>,
Julien Grall <julien.grall@arm.com>,
Stefano Stabellini <sstabellini@kernel.org>,
Xen-devel <xen-devel@lists.xen.org>
Subject: Re: [RFC v2 3/6] xen/arm: Allow platform_hvc to handle guest SMC calls
Date: Wed, 8 Feb 2017 09:31:55 +0100 [thread overview]
Message-ID: <20170208083154.GZ12995@toto> (raw)
In-Reply-To: <CABfawhmS94FmiHUx11pWEAbnwqwBvDGjM-91t6Uhkmvrm+XO4A@mail.gmail.com>
On Tue, Feb 07, 2017 at 05:24:03PM -0700, Tamas K Lengyel wrote:
> On Tue, Feb 7, 2017 at 1:51 PM, Julien Grall <julien.grall@arm.com> wrote:
>
> > Hi Tamas,
> >
> > On 07/02/2017 20:38, Tamas K Lengyel wrote:
> >
> >>
> >>
> >> On Tue, Feb 7, 2017 at 12:42 PM, Edgar E. Iglesias
> >> <edgar.iglesias@gmail.com <mailto:edgar.iglesias@gmail.com>> wrote:
> >>
> >> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com
> >> <mailto:edgar.iglesias@xilinx.com>>
> >>
> >> Allow platform_hvc to handle guest SMC calls (as well as
> >> HVC calls) in a platform specific way.
> >>
> >> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com
> >> <mailto:edgar.iglesias@xilinx.com>>
> >> ---
> >> xen/arch/arm/traps.c | 5 +++++
> >> 1 file changed, 5 insertions(+)
> >>
> >> diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
> >> index 33950d9..1bedc6e 100644
> >> --- a/xen/arch/arm/traps.c
> >> +++ b/xen/arch/arm/traps.c
> >> @@ -2623,6 +2623,11 @@ static void do_trap_smc(struct cpu_user_regs
> >> *regs, const union hsr hsr)
> >> if ( current->domain->arch.monitor.privileged_call_enabled )
> >> rc = monitor_smc();
> >>
> >>
> >> I think you should check that rc is still 0 at this point as the vCPU
> >> might already be paused and the event forwarded to a monitor subscriber.
> >>
> >
> > SMC are used to access the secure firmware (e.g power management) and will
> > be used by the guest to access the secure firmware. Today, the code is
> > expecting all event to be trapped by the monitor app and software emulated.
> > However, some SMCs may be needed to be forwarded to the secure firmware,
> > how do you expect it to work together?
> >
> > It is something I already brought up when SMC trap was added and it is
> > probably time to figure out what to do because this will not be the first
> > series bringing the problem. For instance if you want to do video decoding
> > or even payment on Android you may need to access the secure firmware for
> > cryptography. At the same time, you also want to be able to monitor your
> > guest.
> >
>
>
> Hi Julien,
> monitoring SMCs using the monitor system should be incompatible with Xen
> routing the SMCs elsewhere. Since the monitor system is disabled by default
> I think this should be fine for everyone and not get in the way of people
> accessing the firmware in other usecases or routing SMCs elsewhere as
> needed.
>
> As for applications that want to use SMC monitoring but also access the
> firmware, it can be accomplished by the monitor application on behalf of
> the VM. While this adds a detour, this detour is by design as it adds a
> layer between untrusted VMs and the TZ so that any potential exploit
> targeting the TZ would first have to go through the monitor application
> (see https://www.sec.in.tum.de/publications/publication/322 for more info
> on the idea).
I considered this approach a bit but it has several problems IMO.
These may not be unsolvable or even problems for monitoring but
they do introduce complexity into the solution.
1. Some SMC calls may depend on the core they are issued from.
If taking a detour to dom0, this becomes messy to guarantee.
2. Overall complexity increases very significantly and it becomes
quite hard to follow/review how these calls get handled.
In particular once you consider solving #1.
3. There are certain calls that perhaps not even dom0 should have
direct access to. This means that Xen may need to filter some of
them anyway.
Some examples may be:
SMC calls:
* To directly turn off or suspend cores
* To turn off DDR or RAMs that Xen is using
* To a solution specific Trusted OS pinned to a specific core
* For PSCI
* Etc
I would prefer if we could find a way for monitoring to play nicely
with Xen implementing the SMC mediators.
Perhaps we could allow calls that Xen consumes to be monitored/inspected
but not modified. Or there might be other ways.
Best regards,
Edgar
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-02-08 8:31 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-07 19:41 [RFC v2 0/6] zynqmp: Add forwarding of platform specific firmware calls Edgar E. Iglesias
2017-02-07 19:42 ` [RFC v2 1/6] xen/arm: traps: Reorder early overwrite of FID Edgar E. Iglesias
2017-02-13 22:06 ` Stefano Stabellini
2017-02-07 19:42 ` [RFC v2 2/6] xen/arm: Introduce platform_hvc Edgar E. Iglesias
2017-02-13 22:08 ` Stefano Stabellini
2017-07-31 21:30 ` Edgar E. Iglesias
2017-02-07 19:42 ` [RFC v2 3/6] xen/arm: Allow platform_hvc to handle guest SMC calls Edgar E. Iglesias
2017-02-07 20:38 ` Tamas K Lengyel
2017-02-07 20:51 ` Julien Grall
2017-02-08 0:24 ` Tamas K Lengyel
2017-02-08 8:31 ` Edgar E. Iglesias [this message]
2017-02-08 16:40 ` Tamas K Lengyel
2017-02-08 16:58 ` Julien Grall
2017-02-08 17:21 ` Tamas K Lengyel
2017-02-08 17:29 ` Edgar E. Iglesias
2017-02-08 19:40 ` Edgar E. Iglesias
2017-02-08 20:15 ` Tamas K Lengyel
2017-02-08 22:04 ` Julien Grall
2017-02-08 23:28 ` Tamas K Lengyel
2017-02-09 0:08 ` Julien Grall
2017-02-09 1:20 ` Stefano Stabellini
2017-02-09 9:12 ` Edgar E. Iglesias
2017-02-09 9:27 ` Edgar E. Iglesias
2017-02-09 18:22 ` Stefano Stabellini
2017-02-09 18:25 ` Tamas K Lengyel
2017-02-09 18:43 ` Stefano Stabellini
2017-02-09 19:32 ` Tamas K Lengyel
2017-07-31 22:23 ` Edgar E. Iglesias
2017-08-01 10:37 ` Julien Grall
2017-08-01 11:40 ` Edgar E. Iglesias
2017-02-09 16:46 ` Volodymyr Babchuk
2017-02-09 18:11 ` Tamas K Lengyel
2017-02-09 18:39 ` Julien Grall
2017-02-09 19:42 ` Tamas K Lengyel
2017-02-09 20:01 ` Edgar E. Iglesias
2017-02-09 20:36 ` Tamas K Lengyel
2017-02-09 14:46 ` Edgar E. Iglesias
2017-02-07 19:42 ` [RFC v2 4/6] xen/arm: Introduce call_smcc64 Edgar E. Iglesias
2017-02-13 22:11 ` Stefano Stabellini
2017-02-07 19:42 ` [RFC v2 5/6] xen/arm: zynqmp: Forward plaform specific firmware calls Edgar E. Iglesias
2017-02-14 0:02 ` Stefano Stabellini
2017-02-17 18:47 ` Julien Grall
2017-02-07 19:42 ` [RFC v2 6/6] xen/arm: zynqmp: Remove blacklist of ZynqMP's PM node Edgar E. Iglesias
2017-02-14 0:03 ` Stefano Stabellini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170208083154.GZ12995@toto \
--to=edgar.iglesias@xilinx.com \
--cc=edgar.iglesias@gmail.com \
--cc=julien.grall@arm.com \
--cc=sstabellini@kernel.org \
--cc=tamas.k.lengyel@gmail.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.