Date: Mon, 29 Jun 2026 09:35:51 +0000
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.55.0.rc0.799.gd6f94ed593-goog
Message-ID:
 <20260629093558.2425257-1-sebastianene@google.com>
Subject: [PATCH v7 0/7] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone
From: Sebastian Ene
To: catalin.marinas@arm.com, maz@kernel.org, oupton@kernel.org,
 will@kernel.org
Cc: joey.gouly@arm.com, korneld@google.com, kvmarm@lists.linux.dev,
 linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 android-kvm@google.com, mrigendra.chaubey@gmail.com, perlarsen@google.com,
 sebastianene@google.com, suzuki.poulose@arm.com, vdonnefort@google.com,
 yuzenghui@huawei.com
Content-Type: text/plain; charset="UTF-8"

Remove the FFA_NOTIFICATION* calls from the blocklist used by the pKVM
FF-A proxy. This restriction was preventing the use of asynchronous
signaling mechanisms defined by the Arm FF-A specification to
communicate with the secure services.

While these calls are marked as optional, there is no reason why the
hypervisor proxy would block them because:

1. Host is the Sole Non-Secure Endpoint: The Host operates as the only
   Non-Secure VM ID (VM ID 0) recognized by the Secure World. Because
   all forwarded notifications are inherently attributed to the Host by
   the SPMC, there is no risk of VM ID spoofing originating from the
   Normal World.

2. No Memory Pointers or Addresses: The FFA_NOTIFICATION_* ABIs operate
   strictly via register-based parameters, passing only VM IDs, VCPU
   IDs, flags, and bitmaps. Because these calls do not contain memory
   addresses, offsets, or pointers, forwarding them doesn't pose a risk
   of memory-based confused deputy attack (e.g., tricking the SPMC into
   overwriting protected memory).

While the pKVM proxy behaves as a relayer, it doesn't currently have its
own FF-A ID (only the host has the ID 0). The behavior of the setup flow
is covered by the spec in '10.9 Notification support without a
Hypervisor'.
---
Changes in v7:
- rebased on 7.2-rc1
- collected the Ack from Will
- check for major version as well when doing the SBZ/MBZ enforcement

Changes in v6:
- applied Will's feedback and re-ordered the patch series so that we
  apply the MBZ enforcement at the end of the series
- update ffa_check_unused_args_sbz so that we take into account the FF-A
  version because the spec changed the list of unused parameter
  registers for 64-bit SMCs from v1.1 to v1.2

Changes in v5:
- handle 32-bit smc variants correctly when doing the MBZ enforcement
- add check for FFA_FEATURES
- handle missing FFA_FN64_NOTIFICATION_INFO_GET
- collected the Review tags from Vincent, thank you

Changes in v4:
- previous series (v3) had serious issues with the patch number and it
  appeared like it used a mixed bag from v2 as well. Resend this to
  restore the correct order of the patches.
- fix strict check in ffa_check_unused_args_sbz and make it "<= 17"
- check the receiver endpoint Id in
  FFA_NOTIFICATION_BIND/FFA_NOTIFICATION_UNBIND instead of the sender
- use hyp_smccc_1_2_smc all along
- check the receiver endpoint Id when doing FFA_NOTIFICATION_GET

Changes in v3:
- applied Will's suggestion to use the introduced method
  ffa_check_unused_args_sbz for existing calls and added a new patch in
  the beginning of the series to do this.
- merged the handling of
  FFA_NOTIFICATION_BITMAP_CREATE/FFA_NOTIFICATION_BITMAP_DESTROY into
  one patch as Vincent suggested and create one handler for both.

Changes in v2:
- enforce the MBZ/SBZ fields
- split the calls into separate patches
- rebase on 7.1-rc7

Link to v5: https://lore.kernel.org/all/20260623115354.632361-1-sebastianene@google.com/
Link to v4: https://lore.kernel.org/all/20260616154149.2763214-1-sebastianene@google.com/
Link to v3: https://lore.kernel.org/all/20260616105417.2578670-1-sebastianene@google.com/
Link to v2: https://lore.kernel.org/all/20260608165549.1479409-1-sebastianene@google.com/
Link to v1: https://lore.kernel.org/all/20260501114447.2389222-2-sebastianene@google.com/

Sebastian Ene (7):
  KVM: arm64: Forward FFA_NOTIFICATION_BITMAP calls to Trustzone
  KVM: arm64: Support FFA_NOTIFICATION_BIND in host handler
  KVM: arm64: Support FFA_NOTIFICATION_UNBIND in host handler
  KVM: arm64: Support FFA_NOTIFICATION_SET in host handler
  KVM: arm64: Support FFA_NOTIFICATION_GET in host handler
  KVM: arm64: Support FFA_NOTIFICATION_INFO_GET in host handler
  KVM: arm64: Enforce strict SBZ checks in the FF-A proxy

 arch/arm64/kvm/hyp/nvhe/ffa.c | 220 ++++++++++++++++++++++++++++++++--
 1 file changed, 212 insertions(+), 8 deletions(-)

-- 
2.55.0.rc0.799.gd6f94ed593-goog
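
Added example, not part of the original message and not code from this series: a C sketch of the two checks the cover letter and changelog describe for a forwarded FFA_NOTIFICATION_BIND, namely that the receiver endpoint is the host (ID 0) and that unused registers are zero. The struct, the function names, the BIND register layout and the rule that the register window ends at x7 or x17 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HOST_FFA_ID       0u            /* host VM ID, as stated in the cover letter */
#define SAMPLE_BIND_SMC32 0x8400007FULL /* FFA_NOTIFICATION_BIND, 32-bit convention */

struct smc_regs { uint64_t x[18]; };    /* hypothetical snapshot of x0..x17 */

/* SMCCC: bit 30 of the function ID selects the 64-bit calling convention. */
static bool is_smc64(uint64_t func_id) { return (func_id >> 30) & 1; }

/* Assumption: only 64-bit calls under FF-A v1.2 or later use x8..x17,
 * so every other call has a register window that ends at x7. */
static int last_arg_reg(uint64_t func_id, unsigned major, unsigned minor)
{
    bool v1_2_plus = major > 1 || (major == 1 && minor >= 2);
    return (is_smc64(func_id) && v1_2_plus) ? 17 : 7;
}

/* True when every register from first_unused to the end of the window is 0. */
static bool unused_args_are_zero(const struct smc_regs *r, int first_unused,
                                 unsigned major, unsigned minor)
{
    int last = last_arg_reg(r->x[0], major, minor);
    for (int i = first_unused; i <= last; i++)
        if (r->x[i])
            return false;
    return true;
}

/* Assumed BIND layout: w1[31:16] sender, w1[15:0] receiver, w2 flags,
 * w3/w4 bitmap halves, w5..w7 unused. The host is the receiver. */
static bool host_bind_allowed(const struct smc_regs *r, unsigned major, unsigned minor)
{
    if ((r->x[1] & 0xffff) != HOST_FFA_ID)
        return false;               /* binding on behalf of another endpoint */
    return unused_args_are_zero(r, 5, major, minor);
}

int main(void)
{
    /* Constructed call: sender 0x8001, receiver 0 (host), notification bit 0. */
    struct smc_regs ok = { .x = { SAMPLE_BIND_SMC32, 0x80010000, 0, 1 } };
    struct smc_regs bad = ok;
    bad.x[6] = 0x1234;              /* stray value in an unused register */
    printf("clean=%d stray=%d\n", host_bind_allowed(&ok, 1, 2),
           host_bind_allowed(&bad, 1, 2));
    return 0;
}
```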