Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp973404rwb; Wed, 16 Nov 2022 10:05:37 -0800 (PST) X-Google-Smtp-Source: AA0mqf5i3XUj/AxC82ca/pquE4XqD6aY4Zib/KK6gxi5O19ve4Ru27y7OJVdHdl7jqXA8ZDWUdWV X-Received: by 2002:a17:906:52c6:b0:7ae:c2c:e55a with SMTP id w6-20020a17090652c600b007ae0c2ce55amr18322660ejn.214.1668621937491; Wed, 16 Nov 2022 10:05:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668621937; cv=none; d=google.com; s=arc-20160816; b=eqmzCLrv9UT2v6erX/F2HXkss3WkcFtKT7Dpop8AbEHcNsgOeI0BYCI3upoU8EIm8/ oU5FPHstJAttnH+w0HlyyE1zG8S2j+CRyNTP2UftQkFRoY7aUSOv/F+ga1B2jdEQ8+18 bWWReshxn1p6mJMuD0zWtzGA8RVjLvlHGDPgRXau1KlurXrEnE8DChhCZTRoE7tz34eO 71Yjb4PrGOTvZ41XW8VJ8YgAWBtlQqiT39nDji97XeBuq40Nl1wfEn8JRfDRPr/zM/14 7GKAHOFtrzY+2zulkwJFGSEJULTR90+lWMZakxF2TyqP24bMWYt5AfCECR0SdVIIGRls ECtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:dkim-signature:date; bh=XmW9WCvz+s/qLEawf6fSBFXtTILAUrT47yXR3/eJuXA=; b=jfp6h+TzXOQkkN+ea3a1DNSzrRBBBxhiA1hA+xXSpxJh9Y3r0DTbyC+7Bt73iNmzsq MtmabqggeJf2NPb1NZhujGTeVPIdjyjBxhKd/WyyhdOHXJCghnKZvtrUJhKdQd4+s43h pcE71bdE7pWUz+I1g29a/Es/h4N7aprqH3lLwKHRkii/wejlUb3tBtePtR16c6sJSJk3 XOx6HHerJF8UZ5GBeCLeMQK4+mpfueE1hCU5hL8S4N96C0s8z1x5G+muNZhVz/J/irBs dPqApBl4AId3rrvCWeS6GdUWG7Ng/iLO1tIo35DGLVJ0NZgvrIsW13j37lrAI+71YofC hc1g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=gHOya6+i; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id gj21-20020a170906e11500b0078dd22dd569si11709395ejb.121.2022.11.16.10.05.15; Wed, 16 Nov 2022 10:05:37 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=gHOya6+i; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232197AbiKPRsx (ORCPT + 90 others); Wed, 16 Nov 2022 12:48:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32878 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238755AbiKPRss (ORCPT ); Wed, 16 Nov 2022 12:48:48 -0500 Received: from out2.migadu.com (out2.migadu.com [188.165.223.204]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0F1F9654C for ; Wed, 16 Nov 2022 09:48:48 -0800 (PST) Date: Wed, 16 Nov 2022 17:48:42 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1668620926; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=XmW9WCvz+s/qLEawf6fSBFXtTILAUrT47yXR3/eJuXA=; b=gHOya6+ikm8w73hzuv3v8gYs1nwKsVXAiDPYeHh25rYtsls8WnfmYPtLeNtJZoyISRHBLT ovYBecRu4QtPVPemAsppXx0Z0S/INA9VcgBZ5hzHUeeWV5EHNPl0dwzYNtsJmLU7qTKEeo S+Uoppf66b4Pw0ULuegq2accZeXeKQk= X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Oliver Upton To: Quentin Perret Cc: Marc Zyngier , James Morse , Alexandru Elisei , Suzuki K Poulose , Catalin Marinas , Will Deacon , Sudeep Holla , Andrew Walbran , linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, kernel-team@android.com Subject: Re: [PATCH 03/12] KVM: arm64: Block unsafe FF-A calls from the host Message-ID: References: <20221116170335.2341003-1-qperret@google.com> <20221116170335.2341003-4-qperret@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20221116170335.2341003-4-qperret@google.com> X-Migadu-Flow: FLOW_OUT X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Sorry, hit send a bit too early. Reviewing the patch itself: On Wed, Nov 16, 2022 at 05:03:26PM +0000, Quentin Perret wrote: [...] > +static bool ffa_call_unsupported(u64 func_id) > +{ > + switch (func_id) { > + /* Unsupported memory management calls */ > + case FFA_FN64_MEM_RETRIEVE_REQ: > + case FFA_MEM_RETRIEVE_RESP: > + case FFA_MEM_RELINQUISH: > + case FFA_MEM_OP_PAUSE: > + case FFA_MEM_OP_RESUME: > + case FFA_MEM_FRAG_RX: > + case FFA_FN64_MEM_DONATE: > + /* Indirect message passing via RX/TX buffers */ > + case FFA_MSG_SEND: > + case FFA_MSG_POLL: > + case FFA_MSG_WAIT: > + /* 32-bit variants of 64-bit calls */ > + case FFA_MSG_SEND_DIRECT_REQ: > + case FFA_MSG_SEND_DIRECT_RESP: > + case FFA_RXTX_MAP: > + case FFA_MEM_DONATE: > + case FFA_MEM_RETRIEVE_REQ: > + return true; > + } > + > + return false; > +} Wouldn't an allowlist behave better in this case? While unlikely, you wouldn't want EL3 implementing some FFA_BACKDOOR_PVM SMC that falls outside of the denylist and is passed through. > +bool kvm_host_ffa_handler(struct kvm_cpu_context *host_ctxt) > +{ > + DECLARE_REG(u64, func_id, host_ctxt, 0); > + struct arm_smccc_res res; > + > + if (!is_ffa_call(func_id)) > + return false; > + > + switch (func_id) { > + /* Memory management */ > + case FFA_FN64_RXTX_MAP: > + case FFA_RXTX_UNMAP: > + case FFA_MEM_SHARE: > + case FFA_FN64_MEM_SHARE: > + case FFA_MEM_LEND: > + case FFA_FN64_MEM_LEND: > + case FFA_MEM_RECLAIM: > + case FFA_MEM_FRAG_TX: > + break; > + } What is the purpose of this switch? > + > + if (!ffa_call_unsupported(func_id)) > + return false; /* Pass through */ Another (tiny) benefit of implementing an allowlist is that it avoids the use of double-negative logic like this. -- Thanks, Oliver