Received: by 2002:ab2:60d1:0:b0:1f7:5705:b850 with SMTP id i17csp1827704lqm; Fri, 3 May 2024 07:39:57 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXlP+IxqE2UjxaKjfGqU1ZOjIBMkCk005SvEmbtj0hv+hwdUvXKfCnyhqYD2TpikUbh4u4FL220WD/tjLJYeu09lOG6bYUa9e4lyXl3YA== X-Google-Smtp-Source: AGHT+IEGsctFegxrPPKR3uaPOu0O8GuSZX51fIwiiB8ijMYVHCj8B5DdYmsO2tKOeKb2yQ+YZCZ/ X-Received: by 2002:a05:6a00:398d:b0:6f3:ea67:48c3 with SMTP id fi13-20020a056a00398d00b006f3ea6748c3mr3236546pfb.0.1714747196815; Fri, 03 May 2024 07:39:56 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714747196; cv=pass; d=google.com; s=arc-20160816; b=svFNfLc4gXIcILVZQg7iA8bIspZRgYIpC4S4HyklUW1bfIufkkuX1PXIg4rkC77snA Vc52EyzCyTrrdoa7dPRmoCr5SF6UPovSWh2llS2HKhPjBnnwP68nWXBwGwMUIQFLz+ob fKKpBfeXkRcIkGnFNaB4IGEjqO0VMobaVp4dCM/MIVxDGJo73UcmDxU/CPbDsijmjY4R F7RBK/N12Nvy6q582Wup1md9zDLQ4lTuyB4TCZGIcOd420wgs74woNsgo7qvAXMAYJW3 +Rp6e0RIuwcWfNHMhFufJ/R/B3NQzbivSmzO8KyBXvIi76BSGF4qSGIcd3LGUtrSFQEm 5SLw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :message-id:subject:cc:to:from:date:dkim-signature; bh=m5RxsVSA1iUt7Q90M0n+6muijdo6vcaLcsOIn83UVTg=; fh=I8HrMqQTkKl9bWVciC319zbIizBOqxvOhpad7KqKv4s=; b=D4sxiWCpT48trTnkx6RhX91uO60YLep8umqFKJOP4u6jAlgkZ5ba2XDtH50zLryyx0 NNcZy3lUnmhjtYqrC1XCmANjdr8WC2ajaKvZ2tafmFMhOryLkWYZJtTdcEfujAyr+6mM tWnglU+x/PgVVnsmlMpZczCP0PZZGWcTUjNs+2FmGwiqzrEFUcnitDXVuDA2Zx+4hvx2 Tw9ptFc3wkzkLlCWivap9oLEQO3xSH0ADjXmlUZE27ZXfbggM04b4yYpsqWbWlQmPo5C aAxEZCptnmyTzRazkwSzepBw2cnFPfZJieUBC5zNV7ZYLgwvQzVpWyJCdQz9hqhmGPFp mvsg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=MHtpp8aW; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-167781-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-167781-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id j62-20020a638041000000b0061dc9000e84si1035634pgd.683.2024.05.03.07.39.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 May 2024 07:39:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-167781-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=MHtpp8aW; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-167781-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-167781-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 1AD7CB209E8 for ; Fri, 3 May 2024 14:39:52 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 3329F9445; Fri, 3 May 2024 14:39:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="MHtpp8aW" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 54574168DA; Fri, 3 May 2024 14:39:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714747185; cv=none; b=EQCW2vshsQozWu+8o/UgIOoy6rreBHmXjUYbcHM9VzcLp8GfMQTs8hbBg4q0t026xkIuIK5dEvAaj6eAAzQGNnjPURooQRtalt/i58YKUj/T4lz8SUs5Cp7ijJPcVdr7HzNsKw4HWHbR8oH+LVHRHMjGJWhGv3EAs0g0yMz/kxs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714747185; c=relaxed/simple; bh=crmrWVWqDYe1RC0chX9UhqYvAe5bPNAEZ5pSMdrlJns=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=hkxCxxP5r2guGV1LlVYVWcSAtuGbTUo3uNpQhLOtkaQx1PsjU2xhrcOVxBrJV8Yc+WsP5mOCRE6QHj2fn1FO/v+zHJ9ltafXnh76D4NdBiHePQm+wDo98e+BqQpAkz0Tfkjoz51SIWyeqvTkNjCadNRGvjrjt2JMHMZ5FHr+plI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=MHtpp8aW; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id B3749C116B1; Fri, 3 May 2024 14:39:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1714747184; bh=crmrWVWqDYe1RC0chX9UhqYvAe5bPNAEZ5pSMdrlJns=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=MHtpp8aWu7z/uZkDA0XYRKCvCDCh/qTV7J2O/xkkETrfYkh52o+P+K/RseqapzLgc DWOKCly+UKNxtd7Mmj7heEFRdTtA5wU9wm5CkkgLBPqxDvWsb9JYPXy2qDuuFoGIJ5 95yJ3K14GQjNr7ZCylufH7pSWVczsZsBhysKK0RbOq0ip7eBRYwQe7ukOXyTBtfPnH GHD1qntB/Ou6DhQ9fdRRrVReVDeCCsxrBd3A1DtuxkjKmKheVij2HIelnuOyNzR3mx zRU9VKhA1pnoCAF9NTdEiwMRnIqHEej041B3uRpQQx27vDRuYcdFUWdmvXqd0ViAEL PQSdd30xUJ7DA== Date: Fri, 3 May 2024 15:39:38 +0100 From: Will Deacon To: Sebastian Ene Cc: catalin.marinas@arm.com, james.morse@arm.com, jean-philippe@linaro.org, maz@kernel.org, oliver.upton@linux.dev, qperret@google.com, qwandor@google.com, sudeep.holla@arm.com, suzuki.poulose@arm.com, tabba@google.com, yuzenghui@huawei.com, lpieralisi@kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, kernel-team@android.com Subject: Re: [PATCH 1/4] KVM: arm64: Trap FFA_VERSION host call in pKVM Message-ID: <20240503143937.GA18656@willie-the-truck> References: <20240418163025.1193763-2-sebastianene@google.com> <20240418163025.1193763-3-sebastianene@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240418163025.1193763-3-sebastianene@google.com> User-Agent: Mutt/1.10.1 (2018-07-13) Hi Seb, On Thu, Apr 18, 2024 at 04:30:23PM +0000, Sebastian Ene wrote: > The pKVM hypervisor initializes with FF-A version 1.0. Keep the > supported version inside the host structure and prevent the host > drivers from overwriting the FF-A version with an increased version. > Without trapping the call, the host drivers can negotiate a higher > version number with TEE which can result in a different memory layout > described during the memory sharing calls. > > Signed-off-by: Sebastian Ene > --- > arch/arm64/kvm/hyp/nvhe/ffa.c | 43 ++++++++++++++++++++++++++++++++--- > 1 file changed, 40 insertions(+), 3 deletions(-) > > diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c > index 320f2eaa14a9..023712e8beeb 100644 > --- a/arch/arm64/kvm/hyp/nvhe/ffa.c > +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c > @@ -58,6 +58,7 @@ struct kvm_ffa_buffers { > hyp_spinlock_t lock; > void *tx; > void *rx; > + u32 ffa_version; > }; Why should this be part of 'struct kvm_ffa_buffers'? The host, proxy and Secure side will end up using the same version, so a simple global variable would suffice, no? > /* > @@ -640,6 +641,39 @@ static bool do_ffa_features(struct arm_smccc_res *res, > return true; > } > > +static void do_ffa_version(struct arm_smccc_res *res, > + struct kvm_cpu_context *ctxt) > +{ > + DECLARE_REG(u32, ffa_req_version, ctxt, 1); > + u32 current_version; > + > + hyp_spin_lock(&host_buffers.lock); Why do you need to take the lock for this? > + current_version = host_buffers.ffa_version; > + if (FFA_MAJOR_VERSION(ffa_req_version) != FFA_MAJOR_VERSION(current_version)) { > + res->a0 = FFA_RET_NOT_SUPPORTED; > + goto unlock; > + } We won't have probed the proxy if the Secure side doesn't support 1.x so I think you should just do: if (FFA_MAJOR_VERSION(ffa_req_version) != 1) ... > + /* > + * If the client driver tries to downgrade the version, we need to ask > + * first if TEE supports it. > + */ > + if (FFA_MINOR_VERSION(ffa_req_version) < FFA_MINOR_VERSION(current_version)) { Similarly here, I don't think 'current_version' is what we should expose. Rather, we should be returning the highest version that the proxy supports in the host, which is 1.0 at this point in the patch series. > + arm_smccc_1_1_smc(FFA_VERSION, ffa_req_version, 0, > + 0, 0, 0, 0, 0, > + res); Hmm, I'm struggling to see how this is supposed to work per the spec. The FF-A spec says: | ... negotiation of the version must happen before an invocation of | any other FF-A ABI. and: | Once the caller invokes any FF-A ABI other than FFA_VERSION, the | version negotiation phase is complete. | | Once an FF-A version has been negotiated between a caller and a | callee, the version may not be changed for the lifetime of the | calling component. The callee must treat the negotiated version as | the only supported version for any subsequent interactions with the | caller. So by the time we get here, we've already settled on our version with the Secure side and the host cannot downgrade. That's a bit rubbish if you ask me, but I think it means we'll have to defer some of the proxy initialisation until the host calls FFA_VERSION, at which point we'll need to negotiate a common version between the host, the proxy and Secure. Once we've done that, our FFA_VERSION handler will just return that negotiated version. Will