Re: [PATCH v7 5/5] KVM: arm64: Support FFA_MSG_SEND_DIRECT_REQ2 in host handler

["Arve Hjønnevåg" <arve@android.com>]

On Fri, Jul 18, 2025 at 6:53 AM Will Deacon <will@kernel.org> wrote:
>
> On Tue, Jul 01, 2025 at 10:06:38PM +0000, Per Larsen via B4 Relay wrote:
> > From: Per Larsen <perlarsen@google.com>
> >
> > FF-A 1.2 adds the DIRECT_REQ2 messaging interface which is similar to
> > the existing FFA_MSG_SEND_DIRECT_{REQ,RESP} functions except that it
> > uses the SMC calling convention v1.2 which allows calls to use x4-x17 as
> > argument and return registers. Add support for FFA_MSG_SEND_DIRECT_REQ2
> > in the host ffa handler.
> >
> > Signed-off-by: Per Larsen <perlarsen@google.com>
> > ---
> >  arch/arm64/kvm/hyp/nvhe/ffa.c | 24 +++++++++++++++++++++++-
> >  include/linux/arm_ffa.h       |  2 ++
> >  2 files changed, 25 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
> > index 79d834120a3f3d26e17e9170c60012b60c6f5a5e..21225988a9365219ccfd69e8e599d7403b5cdf05 100644
> > --- a/arch/arm64/kvm/hyp/nvhe/ffa.c
> > +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
> > @@ -679,7 +679,6 @@ static bool ffa_call_supported(u64 func_id)
> >       case FFA_NOTIFICATION_GET:
> >       case FFA_NOTIFICATION_INFO_GET:
> >       /* Optional interfaces added in FF-A 1.2 */
> > -     case FFA_MSG_SEND_DIRECT_REQ2:          /* Optional per 7.5.1 */
>
> I think that's the only change needed. In fact, maybe just don't add it
> in the earlier patch?
>
> >       case FFA_MSG_SEND_DIRECT_RESP2:         /* Optional per 7.5.1 */
> >       case FFA_CONSOLE_LOG:                   /* Optional per 13.1: not in Table 13.1 */
> >       case FFA_PARTITION_INFO_GET_REGS:       /* Optional for virtual instances per 13.1 */
> > @@ -862,6 +861,22 @@ static void do_ffa_part_get(struct arm_smccc_1_2_regs *res,
> >       hyp_spin_unlock(&host_buffers.lock);
> >  }
> >
> > +static void do_ffa_direct_msg2(struct arm_smccc_1_2_regs *regs,
> > +                            struct kvm_cpu_context *ctxt,
> > +                            u64 vm_handle)
> > +{
> > +     DECLARE_REG(u32, endp, ctxt, 1);
> > +
> > +     struct arm_smccc_1_2_regs *args = (void *)&ctxt->regs.regs[0];
> > +
> > +     if (FIELD_GET(FFA_SRC_ENDPOINT_MASK, endp) != vm_handle) {
> > +             ffa_to_smccc_error(regs, FFA_RET_INVALID_PARAMETERS);
> > +             return;
> > +     }
>
> Why do we care about checking the src id? We don't check that for
> FFA_MSG_SEND_DIRECT_REQ and I don't think we need to care about it here
> either.
>
> Will

I think not checking the src id for FFA_MSG_SEND_DIRECT_REQ is a bug
that should be fixed as well. The receiver expects the hypervisor to
have validated this. If the src id is not validated here then the host
can impersonate other VMs or even the hypervisor itself. This bug
might be minor at the moment since other VMs can't send messages at
the moment, but it is still a bug that needs to be fixed at some
point.

-- 
Arve Hjønnevåg