From: Marc Zyngier <maz@kernel.org>
To: Sebastian Ene <sebastianene@google.com>
Cc: catalin.marinas@arm.com, oupton@kernel.org, will@kernel.org,
joey.gouly@arm.com, korneld@google.com, kvmarm@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, android-kvm@google.com,
mrigendra.chaubey@gmail.com, perlarsen@google.com,
suzuki.poulose@arm.com, vdonnefort@google.com,
yuzenghui@huawei.com, Sudeep Holla <sudeep.holla@kernel.org>
Subject: Re: [PATCH] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone
Date: Thu, 07 May 2026 14:36:46 +0100 [thread overview]
Message-ID: <86se83xrwx.wl-maz@kernel.org> (raw)
In-Reply-To: <afxuDpecPCVA56cL@google.com>
On Thu, 07 May 2026 11:48:46 +0100,
Sebastian Ene <sebastianene@google.com> wrote:
>
> On Wed, May 06, 2026 at 05:29:22PM +0100, Marc Zyngier wrote:
>
> Hello Marc,
>
> > [+ Sudeep]
> >
> > On Fri, 01 May 2026 12:44:48 +0100,
> > Sebastian Ene <sebastianene@google.com> wrote:
> > >
> > > Remove the FFA_NOTIFICATION* calls from the blocklist used by the pKVM
> > > FF-A proxy. This restriction was preventing the use of asynchronous
> > > signaling mechanisms defined by the Arm FF-A specification to
> > > communicate with the secure services.
> > > While these calls are markes as optional, there is no reason why the
> > > hypervisor proxy would block them because:
> > >
> > > 1. Host is the Sole Non-Secure Endpoint: The Host operates as the
> > > only Non-Secure VM ID (VM ID 0) recognized by the Secure World.
> >
> > Where is this enforced?
> >
>
> There is no enforcement in place in the hypervisor since we don't proxy
> FF-A from guest VMs, there is only one non-secure user of this which is the host.
And again: what makes that VM ID 0? Why can't the host pick VM ID 32
and use that?
> > > Because all forwarded notifications are inherently attributed to
> > > the Host by the SPMC, there is no risk of VM ID spoofing
> > > originating from the Normal World.
> >
> > I don't understand: either the host is always using VM ID 0, and we
> > have ways to check and enforce this (how?), or the simple fact that
> > the request comes from NS is a guarantee that the SPMC will treat the
> > VM ID as 0.
> >
> > Which one is it?
>
> My understanding is that when the hypervisor doesn't handle the allocation of
> the non-secure IDs (through FFA_ID_GET), everything that comes from non-secure
> is treated as having the VM ID 0 by the SPMC.
This looks terribly fragile. I'd rather you *enforce* these things
rather than allowing any random stuff from the host and relying on
the EL3 firmware to get it right (odds are that it won't).
This also ties into this:
> > > diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c
> > > index 1af722771178..a82d0cd22a17 100644
> > > --- a/arch/arm64/kvm/hyp/nvhe/ffa.c
> > > +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c
> > > @@ -675,14 +675,6 @@ static bool ffa_call_supported(u64 func_id)
> > > case FFA_RXTX_MAP:
> > > case FFA_MEM_DONATE:
> > > case FFA_MEM_RETRIEVE_REQ:
> > > - /* Optional notification interfaces added in FF-A 1.1 */
> > > - case FFA_NOTIFICATION_BITMAP_CREATE:
> > > - case FFA_NOTIFICATION_BITMAP_DESTROY:
> > > - case FFA_NOTIFICATION_BIND:
> > > - case FFA_NOTIFICATION_UNBIND:
> > > - case FFA_NOTIFICATION_SET:
> > > - case FFA_NOTIFICATION_GET:
> > > - case FFA_NOTIFICATION_INFO_GET:
> > > /* Optional interfaces added in FF-A 1.2 */
> > > case FFA_MSG_SEND_DIRECT_REQ2: /* Optional per 7.5.1 */
> > > case FFA_MSG_SEND_DIRECT_RESP2: /* Optional per 7.5.1 */
> >
> > Shouldn't these be sanitised in a way? A bunch of registers are SBZ in
> > the spec, and I'd expect this to be enforced.
which still remains unanswered.
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2026-05-07 13:36 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260501114447.2389222-2-sebastianene@google.com>
2026-05-06 16:29 ` [PATCH] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone Marc Zyngier
2026-05-07 10:48 ` Sebastian Ene
2026-05-07 13:36 ` Marc Zyngier [this message]
2026-05-07 14:13 ` Sebastian Ene
2026-05-07 14:21 ` Marc Zyngier
2026-05-08 13:04 ` Sebastian Ene
2026-05-08 16:57 ` Sudeep Holla
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86se83xrwx.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=android-kvm@google.com \
--cc=catalin.marinas@arm.com \
--cc=joey.gouly@arm.com \
--cc=korneld@google.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mrigendra.chaubey@gmail.com \
--cc=oupton@kernel.org \
--cc=perlarsen@google.com \
--cc=sebastianene@google.com \
--cc=sudeep.holla@kernel.org \
--cc=suzuki.poulose@arm.com \
--cc=vdonnefort@google.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox