Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1606908ybt; Mon, 15 Jun 2020 05:00:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxiHgfg841KotivqJ+lQTAYN9SywtNYKaYuvHKeYuLaH9q2Oe7jrbneaANLezXCJOTg6rgq X-Received: by 2002:a50:98c1:: with SMTP id j59mr24191738edb.120.1592222405082; Mon, 15 Jun 2020 05:00:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592222405; cv=none; d=google.com; s=arc-20160816; b=rW517dbAJMqZMHwsLXI8uiIJ6KPsldbeYCMaS28u543H8czS2I7Dw4Kkv64/MYbD+0 /S4asOjTwy5VqhttE7iKCNavP2LRsQ2VXeGZUDB/J0HgM3cu8dag0/uTw1nn7kdkHmiq bpS3kDP5Ri5qhuCx30wmGloEzvdG4mYtBPs8nHBs4NHk54Dkd0/EA7ZByxGiT0eWHiQv nXVL6pmmhtDpFVsaDs0FTqNA5Sx9rx8MfVJ41s2k+nh9crCLl+EsN19fAtttZzFBAwmh 9D6/Ebr1cdtaNnuTR0tta9QDe08FwK5BXykzR+r5Q77YrURIrTpAC69VdRDN4fyZpWUj rL8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=K+X0YsFQmcL6lRFjAwwc91lyB/ffvO5GBymr/Ozadao=; b=ZLc4hd6MQdZj53n+W+j5bSTQgnSEqExOzhwqcsIAPfZ3aNDPWdXFzj/1i/0G0onNcS yCxL1pOdEy3irNinw8sKB5i1aiHPRkftGWi1F1AC5Qv36qlLLYXe8UnY3n1qchrsc+f2 eFNaUP7XBeEr8pkdz1zJzZ+/IVV5zxAUz5/4aIbX51QALVnKp+Lf5xOsgLN2oDv99oWf p8DWzIIELkQBfy36qRpgJf2PKnylWuOQ6JfyozAaTMFju05p4KmYszPJx96++Sn2xlsV pF4WCoujnUj5e8FAeyrlyXNZMxX7wm8uuvnjhgnZd2vkbZnmen0WCi578rUxUMF8yW/r wtDw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=qvzQqPQA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dn18si9783105ejc.321.2020.06.15.04.59.42; Mon, 15 Jun 2020 05:00:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=qvzQqPQA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729763AbgFOLz4 (ORCPT + 99 others); Mon, 15 Jun 2020 07:55:56 -0400 Received: from mail.kernel.org ([198.145.29.99]:58256 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729630AbgFOLzz (ORCPT ); Mon, 15 Jun 2020 07:55:55 -0400 Received: from willie-the-truck (236.31.169.217.in-addr.arpa [217.169.31.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 10F7F20707; Mon, 15 Jun 2020 11:55:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1592222154; bh=AO7AE4H28zPxTT7UHp3OpiQhDU8PH5d+mG1D/8R7SwA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=qvzQqPQA3BQ1OLRePjsqrdXDVTmCHirBImXPywATw+TELdMrEIE9m+qbuGqLkMtSI awSxXXgOxwAKHGYVeID31HizncxE8uNnVDdmjVGRdfvDS9FpPav4KTqnzQRK3W2Rbr ufdyXiqS8JkFdaMr+FFK+/vlwf9rTPYhSHlM5AhU= Date: Mon, 15 Jun 2020 12:55:49 +0100 From: Will Deacon To: Achin Gupta Cc: Rob Herring , Sudeep Holla , "devicetree@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , "linux-kernel@vger.kernel.org" , Marc Zyngier , nd Subject: Re: [RFC PATCH 1/3] dt-bindings: Add ARM PSA FF binding for non-secure VM partitions Message-ID: <20200615115549.GB2694@willie-the-truck> References: <20200601094512.50509-1-sudeep.holla@arm.com> <20200601094512.50509-2-sudeep.holla@arm.com> <20200609223551.GA1620273@bogus> <20200610074346.GB15939@willie-the-truck> <5B3F18A4-5DA4-411E-9E26-7D25DEE3D414@arm.com> <20200611171222.GB7725@willie-the-truck> <20200615091639.GD46361@C02TC1ARHF1T> <20200615095133.GA2477@willie-the-truck> <20200615114220.GE46361@C02TC1ARHF1T> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200615114220.GE46361@C02TC1ARHF1T> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 15, 2020 at 12:42:20PM +0100, Achin Gupta wrote: > On Mon, Jun 15, 2020 at 10:51:34AM +0100, Will Deacon wrote: > > On Mon, Jun 15, 2020 at 10:16:39AM +0100, Achin Gupta wrote: > > > Right! FFA_PARTITION_INFO_GET is meant to help the FF-A driver in the kernel to > > > determine partition properties. It assumes that EL2 SW has already read each > > > partition's manifest and will reply to this ABI. > > > > > > IIUC, with protected KVM, this information will have to be a part of the > > > manifest that the KVM host consumes. > > > > The host does not consume the manifest directly -- instead, the bootloader > > will use the manifest to populate these DT nodes. Again, these are *only* > > for non-secure virtual partitions which are to be managed by KVM. > > Yes. Understand and agree. Manifest is an overloaded term. I was using it to > describe the DT nodes that the host will consume. Hmm, I think that conflates two things though because only the partitions managed by KVM will have DT nodes. > > > Separate topic, protected KVM does not get dibs on the manifest and it relies on > > > the KVM host to specify the address ranges for each partition? Does this not > > > mean that the KVM host can control the physical address space each partition > > > sees. This seems contrary to the isolation guarantees that protected KVM must > > > provide? > > > > The host is trusted during early boot, and gives up this trust after > > initialising EL2 fully. So roughly speaking, we: > > > > * Boot at EL2 and install a shim > > * Drop down to EL2 and start the host kernel > > * Before some initialisation (DT parsing, SMP bringup, etc) > > * Init KVM by calling back up to EL2 to install the full hypervisor > > > > At that point, the EL1 host is no longer trusted and the last call > > effectively "locks it out" from EL2. > > Ok. Protected KVM (PKVM) must create S2 tables when asked to setup a partition > by the Host. My main concern is if PKVM must trust the Host to provide the > correct physical address space ranges for a partition? Yes, but that all happens as part of KVM initialisation: the host parses the DT nodes and memory reservations, and then passes this information up to EL2. > I guess your point is this is not a problem since PKVM can lock the Host out of > those address ranges in any case? It has to do this, regardless of how they are probed. Once KVM has initialised, the host will have a stage-2 which limits it to the memory that it is allowed to access. > It is a bit counter intuitive that the Host gets to see and potentially > manipulate information that was verified and extracted by the bootloader from > the partition's manifest. This hapens before PKVM sees the same > information. Can't put my finger on what could go wrong though. Depends upon the > threat model too! I think you're trying too hard to separate the host from the EL2 code during early boot. Don't forget -- this is all part of the same binary payload that is loaded and initially run at EL2. Having the host take care of early boot /significantly/ reduces the amount of code at EL2, which has a very clear security benefit. Will