From: Vincent Donnefort <vdonnefort@google.com>
To: Sebastian Ene <sebastianene@google.com>
Cc: catalin.marinas@arm.com, maz@kernel.org, oupton@kernel.org,
will@kernel.org, joey.gouly@arm.com, korneld@google.com,
kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, android-kvm@google.com,
mrigendra.chaubey@gmail.com, perlarsen@google.com,
suzuki.poulose@arm.com, yuzenghui@huawei.com
Subject: Re: [PATCH v2 0/7] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone
Date: Wed, 10 Jun 2026 10:26:59 +0100 [thread overview]
Message-ID: <aikt44sVnpL3_dYi@google.com> (raw)
In-Reply-To: <20260608165549.1479409-1-sebastianene@google.com>
On Mon, Jun 08, 2026 at 04:55:42PM +0000, Sebastian Ene wrote:
> Remove the FFA_NOTIFICATION* calls from the blocklist used by the pKVM
> FF-A proxy. This restriction was preventing the use of asynchronous
> signaling mechanisms defined by the Arm FF-A specification to
> communicate with the secure services.
> While these calls are markes as optional, there is no reason why the
> hypervisor proxy would block them because:
>
> 1. Host is the Sole Non-Secure Endpoint: The Host operates as the
> only Non-Secure VM ID (VM ID 0) recognized by the Secure World.
> Because all forwarded notifications are inherently attributed to
> the Host by the SPMC, there is no risk of VM ID spoofing
> originating from the Normal World.
>
> 2. No Memory Pointers or Addresses: The FFA_NOTIFICATION_* ABIs
> operate strictly via register-based parameters, passing only
> VM IDs, VCPU IDs, flags, and bitmaps. Because these calls do
> not contain memory addresses, offsets, or pointers, forwarding
> them doesn't pose a risk of memory-based confused deputy attack
> (e.g., tricking the SPMC into overwriting protected memory).
>
> While the pKVM proxy behaves as a relayer, it doesn't currently have its
> own FF-A ID(only the host has the ID 0). The behavior of the setup
> flow is covered by the spec in the: '10.9 Notification support without
> a Hypervisor'.
As it is only a relayer. Is it really important to check SBZ arguments and
fields on behalf of Trustzone? It doesn't feel it brings any security. If the
host passes broken arguments, I don't believe this puts pKVM at risk. Does it?
>
> ---
> Changes in v2:
> - enforce the MBZ/SBZ fields
> - split the calls into separate patches
> - rebase on 7.1-rc7
>
> Link to v1:
> https://lore.kernel.org/all/20260501114447.2389222-2-sebastianene@google.com/
>
> Sebastian Ene (7):
> KVM: arm64: Support FFA_NOTIFICATION_BITMAP_CREATE in host handler
> KVM: arm64: Support FFA_NOTIFICATION_BITMAP_DESTROY in host handler
> KVM: arm64: Support FFA_NOTIFICATION_BIND in host handler
> KVM: arm64: Support FFA_NOTIFICATION_UNBIND in host handler
> KVM: arm64: Support FFA_NOTIFICATION_SET in host handler
> KVM: arm64: Support FFA_NOTIFICATION_GET in host handler
> KVM: arm64: Support FFA_NOTIFICATION_INFO_GET in host handler
>
> arch/arm64/kvm/hyp/nvhe/ffa.c | 190 ++++++++++++++++++++++++++++++++--
> 1 file changed, 182 insertions(+), 8 deletions(-)
>
> --
> 2.54.0.1064.gd145956f57-goog
>
next prev parent reply other threads:[~2026-06-10 9:27 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 16:55 [PATCH v2 0/7] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone Sebastian Ene
2026-06-08 16:55 ` [PATCH v2 1/7] KVM: arm64: Support FFA_NOTIFICATION_BITMAP_CREATE in host handler Sebastian Ene
2026-06-10 8:51 ` Vincent Donnefort
2026-06-10 11:59 ` Vincent Donnefort
2026-06-08 16:55 ` [PATCH v2 2/7] KVM: arm64: Support FFA_NOTIFICATION_BITMAP_DESTROY " Sebastian Ene
2026-06-10 8:53 ` Vincent Donnefort
2026-06-08 16:55 ` [PATCH v2 3/7] KVM: arm64: Support FFA_NOTIFICATION_BIND " Sebastian Ene
2026-06-10 9:03 ` Vincent Donnefort
2026-06-08 16:55 ` [PATCH v2 4/7] KVM: arm64: Support FFA_NOTIFICATION_UNBIND " Sebastian Ene
2026-06-08 16:55 ` [PATCH v2 5/7] KVM: arm64: Support FFA_NOTIFICATION_SET " Sebastian Ene
2026-06-08 16:55 ` [PATCH v2 6/7] KVM: arm64: Support FFA_NOTIFICATION_GET " Sebastian Ene
2026-06-08 16:55 ` [PATCH v2 7/7] KVM: arm64: Support FFA_NOTIFICATION_INFO_GET " Sebastian Ene
2026-06-10 9:26 ` Vincent Donnefort [this message]
2026-06-10 10:15 ` [PATCH v2 0/7] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone Will Deacon
2026-06-10 12:15 ` Vincent Donnefort
2026-06-10 12:23 ` Will Deacon
2026-06-10 13:56 ` Vincent Donnefort
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aikt44sVnpL3_dYi@google.com \
--to=vdonnefort@google.com \
--cc=android-kvm@google.com \
--cc=catalin.marinas@arm.com \
--cc=joey.gouly@arm.com \
--cc=korneld@google.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=mrigendra.chaubey@gmail.com \
--cc=oupton@kernel.org \
--cc=perlarsen@google.com \
--cc=sebastianene@google.com \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox