All of lore.kernel.org
 help / color / mirror / Atom feed
From: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
To: Julien Grall <julien.grall@arm.com>
Cc: "tee-dev@lists.linaro.org" <tee-dev@lists.linaro.org>,
	"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
	Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>,
	Ian Jackson <ian.jackson@eu.citrix.com>, Wei Liu <wl@xen.org>
Subject: Re: [Xen-devel] [PATCH v6 09/10] tools/arm: tee: add "tee" option for xl.cfg
Date: Tue, 18 Jun 2019 11:19:46 +0000	[thread overview]
Message-ID: <87v9x36sz1.fsf@epam.com> (raw)
In-Reply-To: <23dc2135-d9a2-2da1-f302-f53f84fd9cdb@arm.com>


Hi Julien,

Julien Grall writes:

> Hi Volodymyr,
>
> On 6/11/19 7:46 PM, Volodymyr Babchuk wrote:
>> This enumeration controls TEE type for a domain. Currently there is
>> two possible options: either 'none' or 'optee'.
>>
>> 'none' is the default value and it basically disables TEE support at
>> all.
>>
>> 'optee' enables access to the OP-TEE running on a host machine. This
>> requires special OP-TEE build with virtualization support enabled.
>>
>> Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
>>
>> ---
>>   All the patches to optee.c should be merged together. They were
>>   split to ease up review. But they depend heavily on each other.
>>
>>   Changes from v5:
>>    - Replaced "native" with "optee" in the commit description.
>>    - Updated and extended documentation based on Julien Grall's
>>      and Ian Jackson's suggestions.
>>
>>   Changes from v4:
>>    - "native" option was replaced with "optee"
>>    - "tee" property was moved from arch-specific section to the
>>       global one. Documentation moved inside "Devices" section.
>>
>>   Changes from v3:
>>    - tee_enabled renamed to tee_type. Currently two types are supported
>>      as described in the commit message
>>    - Add LIBXL_HAVE_BUILDINFO_ARCH_ARM_TEE definition
>>
>>   Changes from v2:
>>    - Use arch.tee_enabled instead of separate domctl
>> ---
>>   docs/man/xl.cfg.5.pod.in    | 21 +++++++++++++++++++++
>>   tools/libxl/libxl.h         |  5 +++++
>>   tools/libxl/libxl_arm.c     | 13 +++++++++++++
>>   tools/libxl/libxl_types.idl |  6 ++++++
>>   tools/xl/xl_parse.c         |  9 +++++++++
>>   5 files changed, 54 insertions(+)
>>
>> diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
>> index c99d40307e..e65ab6111f 100644
>> --- a/docs/man/xl.cfg.5.pod.in
>> +++ b/docs/man/xl.cfg.5.pod.in
>> @@ -1544,6 +1544,27 @@ Set maximum height for pointer device.
>>     =back
>>   +=item B<tee="STRING">
>> +
>> +B<Arm only.> Set TEE type for the guest. TEE is a Trusted Execution
>> +Environment -- separate secure OS found on some platforms. B<STRING> can be one of the:
>> +
>> +=over 4
>> +
>> +=item B<none>
>> +
>> +Disable TEE support at all. This is the default value.
> How about "Don't allow the guest to use TEE if present on the
> platform. This is the default value.".
I'm perfectly fine with this.

>> +
>> +=item B<optee>
>> +
>> +Allow a guest to use OP-TEE. Note that a virtualization-aware OP-TEE
>> +is required for this. If this option is selected, guest will be able
>
> OOI, what happen if OP-TEE does not support virtualization. Will Xen
> forbid to use it?
Yes, Xen will get an error from OP-TEE during domain construction. This
will lead to domain creation failure.

>> +to access to the real OP-TEE OS running on the host. Guest creation
>
> s/real// it is redundant with the rest of the sentence. However, it
> does not really answer to the question regarding isolation.
Your assumption is correct - OP-TEE provides isolation on its side.

>
>> +will fail if OP-TEE have no resources for a new guest. Number of supported
>> +guests depends on OP-TEE configuration.
>
> How about the following description (correct me if my understanding is
> wrong):
>
> "Allow a guest to access the host OP-TEE OS. Xen will mediate the
> access to OP-TEE and the resource isolation will be provided directly
> by OP-TEE. OP-TEE itself may limit the number of guests that can
> concurrently use it. This requires a virtualization-aware OP-TEE for
> this to work.
>
> This feature is a B<technology preview>."
That's much better than my version. Thank you.

> How can a user know whether OP-TEE supports virtualization? Is it
> configurable at build?
Yes, there is a special configuration option CFG_VIRTUALIZATION. This is
covered in OP-TEE documentation at [1]

[1] https://optee.readthedocs.io/architecture/virtualization.html

-- 
Best regards,Volodymyr Babchuk
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

  reply	other threads:[~2019-06-18 11:20 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-11 18:46 [Xen-devel] [PATCH v6 00/10] TEE mediator (and OP-TEE) support in XEN Volodymyr Babchuk
2019-06-11 18:46 ` [Xen-devel] [PATCH v6 01/10] xen/arm: add generic TEE mediator framework Volodymyr Babchuk
2019-06-17 16:11   ` Stefano Stabellini
2019-06-11 18:46 ` [Xen-devel] [PATCH v6 02/10] xen/arm: optee: add OP-TEE header files Volodymyr Babchuk
2019-06-15 18:39   ` Julien Grall
2019-06-17 15:24     ` Julien Grall
2019-06-17 16:28       ` Stefano Stabellini
2019-06-17 16:34         ` Julien Grall
2019-06-17 17:28           ` Stefano Stabellini
2019-06-19  8:20             ` Lars Kurth
2019-06-19 10:26               ` Julien Grall
2019-06-11 18:46 ` [Xen-devel] [PATCH v6 03/10] xen/arm: optee: add OP-TEE mediator skeleton Volodymyr Babchuk
2019-06-19 11:01   ` Julien Grall
2019-06-19 11:03     ` Julien Grall
2019-06-19 15:44       ` Volodymyr Babchuk
2019-06-11 18:46 ` [Xen-devel] [PATCH v6 04/10] xen/arm: optee: add fast calls handling Volodymyr Babchuk
2019-06-11 18:46 ` [Xen-devel] [PATCH v6 05/10] xen/arm: optee: add std call handling Volodymyr Babchuk
2019-06-11 18:46 ` [Xen-devel] [PATCH v6 06/10] xen/arm: optee: add support for RPC SHM buffers Volodymyr Babchuk
2019-06-11 18:46 ` [Xen-devel] [PATCH v6 07/10] xen/arm: optee: add support for arbitrary shared memory Volodymyr Babchuk
2019-06-11 18:46 ` [Xen-devel] [PATCH v6 08/10] xen/arm: optee: add support for RPC commands Volodymyr Babchuk
2019-06-11 18:46 ` [Xen-devel] [PATCH v6 09/10] tools/arm: tee: add "tee" option for xl.cfg Volodymyr Babchuk
2019-06-15 19:10   ` Julien Grall
2019-06-18 11:19     ` Volodymyr Babchuk [this message]
2019-06-18 12:49       ` Julien Grall
2019-06-18 14:30         ` Volodymyr Babchuk
2019-06-18 15:19           ` Julien Grall
2019-06-18 15:23             ` Volodymyr Babchuk
2019-06-19 10:30               ` Julien Grall
2019-06-11 18:46 ` [Xen-devel] [PATCH v6 10/10] tools/arm: optee: create optee firmware node in DT if tee=optee Volodymyr Babchuk
2019-06-19 11:08 ` [Xen-devel] [PATCH v6 00/10] TEE mediator (and OP-TEE) support in XEN Julien Grall

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87v9x36sz1.fsf@epam.com \
    --to=volodymyr_babchuk@epam.com \
    --cc=ian.jackson@eu.citrix.com \
    --cc=julien.grall@arm.com \
    --cc=tee-dev@lists.linaro.org \
    --cc=wl@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.