Re: [PATCH 2/2] KVM: arm64: Allow only the specified FF-A calls to be forwarded to TZ
From: Sebastian Ene
Date: Thu Mar 28 2024 - 09:59:12 EST
On Tue, Mar 26, 2024 at 01:42:26AM -0700, Oliver Upton wrote:
> On Mon, Mar 25, 2024 at 11:29:39AM +0000, Sebastian Ene wrote:
> > On Fri, Mar 22, 2024 at 07:07:52PM -0700, Oliver Upton wrote:
> > > On Fri, Mar 22, 2024 at 12:43:03PM +0000, Sebastian Ene wrote:
> > > > The previous logic used a deny list to filter the FF-A calls. Because of
> > > > this, some of the calls escaped the check and they were forwarded by
> > > > default to Trustzone. (eg. FFA_MSG_SEND_DIRECT_REQ was denied but the 64
> > > > bit version of the call was not).
> > > > Modify the logic to use an allowlist and allow only the calls specified in
> > > > the filter function to be proxied to TZ from the hypervisor.
> >
> > Hi Oliver,
> >
> > >
> > > I had discussed this with Will back when the feature was upstreamed and
> > > he said there's a lot of off-label calls that necessitate a denylist
> > > implementation. Has anything changed to give us confidence that we can
> > > be restrictive, at least on the FF-A range?
> > >
> >
> > I remember your proposal for having an allowlist instead. The current change makes
> > sense if we have https://lore.kernel.org/kvmarm/20240322124303.309423-1-sebastianene@xxxxxxxxxx/
> > which opens the window for more FF-A calls to be forwarded to TZ.
>
> Got it. Last time I didn't catch the level of abuse we expect to endure
> from vendors, but now it seems we will not support non-conforming calls
> that appear in standardized SMC ranges.
>
> Adding mention of this to the changelog might be a good idea then.
>
That's a good point. I didn't create a changelog for this but I should
add one and specify this.
> --
> Thanks,
> Oliver
Thanks,
Sebastian