From: Pierrick Bouvier <pierrick.bouvier@linaro.org>
To: Tao Tang <tangtao1634@phytium.com.cn>,
eric.auger@redhat.com, Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-devel@nongnu.org, qemu-arm@nongnu.org,
"Chen Baozi" <chenbaozi@phytium.com.cn>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Jean-Philippe Brucker" <jean-philippe@linaro.org>,
"Mostafa Saleh" <smostafa@google.com>
Subject: Re: [RFC v3 18/21] hw/arm/smmuv3: Harden security checks in MMIO handlers
Date: Fri, 5 Dec 2025 09:23:19 -0800 [thread overview]
Message-ID: <52accf06-e75e-4649-a97b-45fa7e08459f@linaro.org> (raw)
In-Reply-To: <ab0edbd5-9556-424a-83ab-452801d617a8@phytium.com.cn>
On 12/5/25 2:36 AM, Tao Tang wrote:
> Hi Eric,
>
> On 2025/12/4 22:59, Eric Auger wrote:
>>
>> On 10/12/25 5:14 PM, Tao Tang wrote:
>>> This patch hardens the security validation within the main MMIO
>>> dispatcher functions (smmu_read_mmio and smmu_write_mmio).
>>>
>>> First, accesses to the secure register space are now correctly gated by
>>> whether the SECURE_IMPL feature is enabled in the model. This prevents
>>> guest software from accessing the secure programming interface when it is
>>> disabled, though some registers are exempt from this check as per the
>>> architecture.
>>>
>>> Second, the check for the input stream's security is made more robust.
>>> It now validates not only the legacy MemTxAttrs.secure bit, but also
>>> the .space field. This brings the SMMU's handling of security spaces
>>> into full alignment with the PE.
>>>
>>> Signed-off-by: Tao Tang <tangtao1634@phytium.com.cn>
>>> ---
>>> hw/arm/smmuv3.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++
>>> 1 file changed, 64 insertions(+)
>>>
>>> diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
>>> index 4ac7a2f3c7..c9c742c80b 100644
>>> --- a/hw/arm/smmuv3.c
>>> +++ b/hw/arm/smmuv3.c
>>> @@ -1458,6 +1458,12 @@ static bool smmu_eventq_irq_cfg_writable(SMMUv3State *s, SMMUSecSID sec_sid)
>>> return smmu_irq_ctl_evtq_irqen_disabled(s, sec_sid);
>>> }
>>>
>>> +/* Check if the SMMU hardware itself implements secure state features */
>>> +static inline bool smmu_hw_secure_implemented(SMMUv3State *s)
>>> +{
>>> + return FIELD_EX32(s->bank[SMMU_SEC_SID_S].idr[1], S_IDR1, SECURE_IMPL);
>>> +}
>>> +
>>> static int smmuv3_cmdq_consume(SMMUv3State *s, SMMUSecSID sec_sid)
>>> {
>>> SMMUState *bs = ARM_SMMU(s);
>>> @@ -1712,6 +1718,55 @@ static int smmuv3_cmdq_consume(SMMUv3State *s, SMMUSecSID sec_sid)
>>> return 0;
>>> }
>>>
>>> +/*
>>> + * Check if a register is exempt from the secure implementation check.
>>> + *
>>> + * The SMMU architecture specifies that certain secure registers, such as
>>> + * the secure Event Queue IRQ configuration registers, must be accessible
>>> + * even if the full secure hardware is not implemented. This function
>>> + * identifies those registers.
>>> + *
>>> + * Returns true if the register is exempt, false otherwise.
>>> + */
>>> +static bool is_secure_impl_exempt_reg(hwaddr offset)
>>> +{
>>> + switch (offset) {
>>> + case A_S_EVENTQ_IRQ_CFG0:
>>> + case A_S_EVENTQ_IRQ_CFG1:
>>> + case A_S_EVENTQ_IRQ_CFG2:
>>> + return true;
>>> + default:
>>> + return false;
>>> + }
>>> +}
>>> +
>>> +/* Helper function for Secure register access validation */
>> I think we shall improve the doc commennt for the function. I understand
>> @offset is a secure register offset and the function returns whether the
>> access to the secure register is possible. This requires a) the access
>> to be secure and in general secure state support exccet for few regs?
>>> +static bool smmu_check_secure_access(SMMUv3State *s, MemTxAttrs attrs,
>>> + hwaddr offset, bool is_read)
>>> +{ /* Check if the access is secure */
>>> + if (!(attrs.space == ARMSS_Secure ||
>>> + attrs.secure == 1)) {
>>> + qemu_log_mask(LOG_GUEST_ERROR,
>>> + "%s: Non-secure %s attempt at offset 0x%" PRIx64 " (%s)\n",
>>> + __func__, is_read ? "read" : "write", offset,
>>> + is_read ? "RAZ" : "WI");
>>> + return false;
>>> + }
>>> +
>>> + /*
>>> + * Check if the secure state is implemented. Some registers are exempted
>>> + * from this check.
>>> + */
>>> + if (!is_secure_impl_exempt_reg(offset) && !smmu_hw_secure_implemented(s)) {
>>> + qemu_log_mask(LOG_GUEST_ERROR,
>>> + "%s: Secure %s attempt at offset 0x%" PRIx64 ". But Secure state "
>>> + "is not implemented (RES0)\n",
>>> + __func__, is_read ? "read" : "write", offset);
>>> + return false;
>>> + }
>>> + return true;
>>> +}
>>> +
>>> static MemTxResult smmu_writell(SMMUv3State *s, hwaddr offset,
>>> uint64_t data, MemTxAttrs attrs,
>>> SMMUSecSID reg_sec_sid)
>>> @@ -2058,6 +2113,10 @@ static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
>>> * statement to handle those specific security states.
>>> */
>>> if (offset >= SMMU_SECURE_REG_START) {
>>> + if (!smmu_check_secure_access(s, attrs, offset, false)) {
>>> + trace_smmuv3_write_mmio(offset, data, size, MEMTX_OK);
>>> + return MEMTX_OK;
>> so the access to @offset is not permitted and we return MEMTX_OK? I am
>> confused
>>> + }
>>> reg_sec_sid = SMMU_SEC_SID_S;
>>> }
>>>
>>> @@ -2248,6 +2307,11 @@ static MemTxResult smmu_read_mmio(void *opaque, hwaddr offset, uint64_t *data,
>>> offset &= ~0x10000;
>>> SMMUSecSID reg_sec_sid = SMMU_SEC_SID_NS;
>>> if (offset >= SMMU_SECURE_REG_START) {
>>> + if (!smmu_check_secure_access(s, attrs, offset, true)) {
>>> + *data = 0;
>>> + trace_smmuv3_read_mmio(offset, *data, size, MEMTX_OK);
>>> + return MEMTX_OK;
>> same here?
>>> + }
>>> reg_sec_sid = SMMU_SEC_SID_S;
>>> }
>>>
>> Thanks
>>
>> Eric
>
>
> Thanks for the review and for calling out the confusion around this helper.
>
>
> The function `smmu_check_secure_access` and `return MEMTX_OK` statement
> after smmu_check_secure_access returned false is trying to follow the
> SECURE_IMPL rules from the architecture spec:
>
> ARM IHI 0070 G.b , 6.2 Register overview
>
> - When SMMU_S_IDR1.SECURE_IMPL == 1, SMMU_S_* registers are RAZ/WI to
> Non-secure access. See section 3.11 Reset, Enable and initialization
> regarding Non-secure access to SMMU_S_INIT. All other registers are
> accessible to both Secure and Non-secure accesses.
> - When SMMU_S_IDR1.SECURE_IMPL == 0, SMMU_S_* registers are RES0.
>
May be worth to add a comment quoting the spec, we have been two people
to ask the same thing. It definitely looks like a mistake when reading
for the first time.
>
> So the MEMTX_OK in the MMIO handlers is deliberate: we are acknowledging
> the bus transaction while applying the architectural RAZ/WI/RES0
> semantics at the register level, rather than modelling a bus abort. Also
> there was another discussion about this issue [1] in V1 series.
>
> [1]
> https://lore.kernel.org/qemu-devel/a5154459-a632-42b0-b599-d5dff85b5dd2@phytium.com.cn/
>
>
> I'll add these needed details and parameters introduction as comment
> in `smmu_check_secure_access` and `return MEMTX_OK`. How do you think
> about it?
>
>
> Thanks again for the feedback,
>
> Tao
>
next prev parent reply other threads:[~2025-12-05 17:23 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-12 15:06 [RFC v3 00/21] hw/arm/smmuv3: Add initial support for Secure State Tao Tang
2025-10-12 15:06 ` [RFC v3 01/21] hw/arm/smmuv3: Fix incorrect reserved mask for SMMU CR0 register Tao Tang
2025-10-12 15:06 ` [RFC v3 02/21] hw/arm/smmuv3: Correct SMMUEN field name in CR0 Tao Tang
2025-10-12 15:06 ` [RFC v3 03/21] hw/arm/smmuv3: Introduce secure registers Tao Tang
2025-11-21 12:47 ` Eric Auger
2025-10-12 15:06 ` [RFC v3 04/21] refactor: Move ARMSecuritySpace to a common header Tao Tang
2025-11-21 12:49 ` Eric Auger
2025-10-12 15:06 ` [RFC v3 05/21] hw/arm/smmuv3: Introduce banked registers for SMMUv3 state Tao Tang
2025-11-21 13:02 ` Eric Auger
2025-11-23 9:28 ` [RESEND RFC " Tao Tang
2025-10-12 15:06 ` [RFC v3 06/21] hw/arm/smmuv3: Thread SEC_SID through helper APIs Tao Tang
2025-11-21 13:13 ` Eric Auger
2025-10-12 15:06 ` [RFC v3 07/21] hw/arm/smmuv3: Track SEC_SID in configs and events Tao Tang
2025-12-02 11:05 ` Eric Auger
2025-10-12 15:06 ` [RFC v3 08/21] hw/arm/smmuv3: Add separate address space for secure SMMU accesses Tao Tang
2025-12-02 13:53 ` Eric Auger
2025-12-03 13:50 ` Tao Tang
2025-12-11 22:12 ` Pierrick Bouvier
2025-12-11 22:19 ` Pierrick Bouvier
2025-10-12 15:06 ` [RFC v3 09/21] hw/arm/smmuv3: Plumb transaction attributes into config helpers Tao Tang
2025-12-02 14:03 ` Eric Auger
2025-12-03 14:03 ` Tao Tang
2025-10-12 15:06 ` [RFC v3 10/21] hw/arm/smmu-common: Key configuration cache on SMMUDevice and SEC_SID Tao Tang
2025-12-02 14:18 ` Eric Auger
2025-10-12 15:06 ` [RFC v3 11/21] hw/arm/smmuv3: Decode security attributes from descriptors Tao Tang
2025-12-02 15:19 ` Eric Auger
2025-12-03 14:30 ` Tao Tang
2025-10-12 15:12 ` [RFC v3 12/21] hw/arm/smmu-common: Implement secure state handling in ptw Tao Tang
2025-12-02 15:53 ` Eric Auger
2025-12-03 15:10 ` Tao Tang
2025-10-12 15:12 ` [RFC v3 13/21] hw/arm/smmuv3: Tag IOTLB cache keys with SEC_SID Tao Tang
2025-12-02 16:08 ` Eric Auger
2025-12-03 15:28 ` Tao Tang
2025-10-12 15:13 ` [RFC v3 14/21] hw/arm/smmuv3: Add access checks for MMIO registers Tao Tang
2025-12-02 16:31 ` Eric Auger
2025-12-03 15:32 ` Tao Tang
2025-10-12 15:13 ` [RFC v3 15/21] hw/arm/smmuv3: Determine register bank from MMIO offset Tao Tang
2025-10-14 23:31 ` Pierrick Bouvier
2025-12-04 14:21 ` Eric Auger
2025-12-05 6:31 ` Tao Tang
2025-10-12 15:13 ` [RFC v3 16/21] hw/arm/smmuv3: Implement SMMU_S_INIT register Tao Tang
2025-12-04 14:33 ` Eric Auger
2025-12-05 8:23 ` Tao Tang
2025-10-12 15:14 ` [RFC v3 17/21] hw/arm/smmuv3: Pass security state to command queue and IRQ logic Tao Tang
2025-12-04 14:46 ` Eric Auger
2025-12-05 9:42 ` Tao Tang
2025-10-12 15:14 ` [RFC v3 18/21] hw/arm/smmuv3: Harden security checks in MMIO handlers Tao Tang
2025-12-04 14:59 ` Eric Auger
2025-12-05 10:36 ` Tao Tang
2025-12-05 17:23 ` Pierrick Bouvier [this message]
2025-10-12 15:15 ` [RFC v3 19/21] hw/arm/smmuv3: Use iommu_index to represent the security context Tao Tang
2025-10-15 0:02 ` Pierrick Bouvier
2025-10-16 6:37 ` Tao Tang
2025-10-16 7:04 ` Pierrick Bouvier
2025-10-20 8:44 ` Tao Tang
2025-10-20 22:55 ` Pierrick Bouvier
2025-10-21 3:51 ` Tao Tang
2025-10-22 21:23 ` Pierrick Bouvier
2025-10-23 9:02 ` Tao Tang
2025-12-04 15:05 ` Eric Auger
2025-12-05 10:54 ` Tao Tang
2025-10-12 15:15 ` [RFC v3 20/21] hw/arm/smmuv3: Initialize the secure register bank Tao Tang
2025-12-02 16:36 ` Eric Auger
2025-12-03 15:48 ` Tao Tang
2025-10-12 15:16 ` [RFC v3 21/21] hw/arm/smmuv3: Add secure migration and enable secure state Tao Tang
2025-12-02 16:39 ` Eric Auger
2025-12-03 15:54 ` Tao Tang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52accf06-e75e-4649-a97b-45fa7e08459f@linaro.org \
--to=pierrick.bouvier@linaro.org \
--cc=chenbaozi@phytium.com.cn \
--cc=eric.auger@redhat.com \
--cc=jean-philippe@linaro.org \
--cc=peter.maydell@linaro.org \
--cc=philmd@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=smostafa@google.com \
--cc=tangtao1634@phytium.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).