From: Vincent Donnefort <vdonnefort@google.com>
To: Sebastian Ene <sebastianene@google.com>
Cc: catalin.marinas@arm.com, maz@kernel.org, oupton@kernel.org,
will@kernel.org, joey.gouly@arm.com, korneld@google.com,
kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, android-kvm@google.com,
mrigendra.chaubey@gmail.com, perlarsen@google.com,
suzuki.poulose@arm.com, yuzenghui@huawei.com
Subject: Re: [PATCH v2 0/7] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone
Date: Wed, 10 Jun 2026 10:26:59 +0100 [thread overview]
Message-ID: <aikt44sVnpL3_dYi@google.com> (raw)
In-Reply-To: <20260608165549.1479409-1-sebastianene@google.com>
On Mon, Jun 08, 2026 at 04:55:42PM +0000, Sebastian Ene wrote:
> Remove the FFA_NOTIFICATION* calls from the blocklist used by the pKVM
> FF-A proxy. This restriction was preventing the use of asynchronous
> signaling mechanisms defined by the Arm FF-A specification to
> communicate with the secure services.
> While these calls are markes as optional, there is no reason why the
> hypervisor proxy would block them because:
>
> 1. Host is the Sole Non-Secure Endpoint: The Host operates as the
> only Non-Secure VM ID (VM ID 0) recognized by the Secure World.
> Because all forwarded notifications are inherently attributed to
> the Host by the SPMC, there is no risk of VM ID spoofing
> originating from the Normal World.
>
> 2. No Memory Pointers or Addresses: The FFA_NOTIFICATION_* ABIs
> operate strictly via register-based parameters, passing only
> VM IDs, VCPU IDs, flags, and bitmaps. Because these calls do
> not contain memory addresses, offsets, or pointers, forwarding
> them doesn't pose a risk of memory-based confused deputy attack
> (e.g., tricking the SPMC into overwriting protected memory).
>
> While the pKVM proxy behaves as a relayer, it doesn't currently have its
> own FF-A ID(only the host has the ID 0). The behavior of the setup
> flow is covered by the spec in the: '10.9 Notification support without
> a Hypervisor'.
As it is only a relayer. Is it really important to check SBZ arguments and
fields on behalf of Trustzone? It doesn't feel it brings any security. If the
host passes broken arguments, I don't believe this puts pKVM at risk. Does it?
>
> ---
> Changes in v2:
> - enforce the MBZ/SBZ fields
> - split the calls into separate patches
> - rebase on 7.1-rc7
>
> Link to v1:
> https://lore.kernel.org/all/20260501114447.2389222-2-sebastianene@google.com/
>
> Sebastian Ene (7):
> KVM: arm64: Support FFA_NOTIFICATION_BITMAP_CREATE in host handler
> KVM: arm64: Support FFA_NOTIFICATION_BITMAP_DESTROY in host handler
> KVM: arm64: Support FFA_NOTIFICATION_BIND in host handler
> KVM: arm64: Support FFA_NOTIFICATION_UNBIND in host handler
> KVM: arm64: Support FFA_NOTIFICATION_SET in host handler
> KVM: arm64: Support FFA_NOTIFICATION_GET in host handler
> KVM: arm64: Support FFA_NOTIFICATION_INFO_GET in host handler
>
> arch/arm64/kvm/hyp/nvhe/ffa.c | 190 ++++++++++++++++++++++++++++++++--
> 1 file changed, 182 insertions(+), 8 deletions(-)
>
> --
> 2.54.0.1064.gd145956f57-goog
>
next prev parent reply other threads:[~2026-06-10 9:27 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 16:55 [PATCH v2 0/7] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone Sebastian Ene
2026-06-08 16:55 ` [PATCH v2 1/7] KVM: arm64: Support FFA_NOTIFICATION_BITMAP_CREATE in host handler Sebastian Ene
2026-06-10 8:51 ` Vincent Donnefort
2026-06-10 11:59 ` Vincent Donnefort
2026-06-08 16:55 ` [PATCH v2 2/7] KVM: arm64: Support FFA_NOTIFICATION_BITMAP_DESTROY " Sebastian Ene
2026-06-10 8:53 ` Vincent Donnefort
2026-06-08 16:55 ` [PATCH v2 3/7] KVM: arm64: Support FFA_NOTIFICATION_BIND " Sebastian Ene
2026-06-10 9:03 ` Vincent Donnefort
2026-06-08 16:55 ` [PATCH v2 4/7] KVM: arm64: Support FFA_NOTIFICATION_UNBIND " Sebastian Ene
2026-06-08 16:55 ` [PATCH v2 5/7] KVM: arm64: Support FFA_NOTIFICATION_SET " Sebastian Ene
2026-06-08 16:55 ` [PATCH v2 6/7] KVM: arm64: Support FFA_NOTIFICATION_GET " Sebastian Ene
2026-06-08 16:55 ` [PATCH v2 7/7] KVM: arm64: Support FFA_NOTIFICATION_INFO_GET " Sebastian Ene
2026-06-10 9:26 ` Vincent Donnefort [this message]
2026-06-10 10:15 ` [PATCH v2 0/7] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone Will Deacon
2026-06-10 12:15 ` Vincent Donnefort
2026-06-10 12:23 ` Will Deacon
2026-06-10 13:56 ` Vincent Donnefort
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aikt44sVnpL3_dYi@google.com \
--to=vdonnefort@google.com \
--cc=android-kvm@google.com \
--cc=catalin.marinas@arm.com \
--cc=joey.gouly@arm.com \
--cc=korneld@google.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=mrigendra.chaubey@gmail.com \
--cc=oupton@kernel.org \
--cc=perlarsen@google.com \
--cc=sebastianene@google.com \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.