
Re: [Xen-devel] Does Xen ARM utilize Trustzone somehow?



Yes, that's correct. Xen needs to run in hypervisor mode, unavailable in
secure mode.
However if the trustzone firmware exports some functionalities via SMC
calls, it is possible to use them from Xen or Dom0.

One way to do that would be allowing only the hypervisor to make SMC
calls and then "proxy" any calls via Xen that Dom0 (or other guests)
need to make.
This way you can check in Xen what you want to allow the guest to
call. Also multiple guests, not just dom0, can access those services.

Sorry for the late reply, but I was on holiday.

On Mon, 23 Dec 2013, karim.allah.ahmed@xxxxxxxxx wrote:
> Hi Andrei,
> 
> I think Xen ARM doesn't utilize Trustzone and you can't run Dom0 in secure
> mode. In a trustzone environment that supports virtualization, the
> hypervisor as well as all its guests will be running in the non-secure mode.
> 
> "The virtualization features accessible only at PL2 are implemented only in
> Non-secure state. Secure state has only two privilege levels, PL0 and PL1."
> ~ ARMv7 TRM.
> Things like VTTBR aren't banked and are only available in non-secure. This
> register is currently used for MMU virtualization for guests.
> 
> 
> 
> 
> On Mon, Dec 23, 2013 at 12:01 PM, Andrei Zakharov <z-andrew@xxxxxxxxx> wrote:
>       Hi,
> 
>       Does Xen ARM utilize Trustzone somehow? Can Dom0 be in Trustzone?
>       On http://wiki.xenproject.org/wiki/Xen_ARM_with_Virtualization_Extensions/Arndale
>       I read 'The bootloader provided with the Arndale does not let Xen boot
>       in hypervisor mode, so we will use the u-boot provided by Linaro.'
>       Confusing moment...
> 
>       Thanks.
>       Andrei.
> 
>       _______________________________________________
>       Xen-devel mailing list
>       Xen-devel@xxxxxxxxxxxxx
>       http://lists.xen.org/xen-devel
> 
> 
> 
> 
> --
> Karim Allah Ahmed.
> 
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

