|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v6 09/10] tools/arm: tee: add "tee" option for xl.cfg
Julien Grall writes: > On 6/18/19 3:30 PM, Volodymyr Babchuk wrote: >> >> >> Julien Grall writes: >> >>> On 18/06/2019 12:19, Volodymyr Babchuk wrote: >>>> >>>> Hi Julien, >>> >>> Hi, >>> >>>> >>>> Julien Grall writes: >>>>>> + >>>>>> +=item B<optee> >>>>>> + >>>>>> +Allow a guest to use OP-TEE. Note that a virtualization-aware OP-TEE >>>>>> +is required for this. If this option is selected, guest will be able >>>>> >>>>> OOI, what happen if OP-TEE does not support virtualization. Will Xen >>>>> forbid to use it? >>>> Yes, Xen will get an error from OP-TEE during domain construction. This >>>> will lead to domain creation failure. >>> >>> This is a bit odd. It means we have no way to know in advance whether >>> OP-TEE will be able to create a client. >> Yes. There can be at least two reasons for this: >> 1. OP-TEE is built without virtualization support at all >> 2. OP-TEE have no resources for a new guest >> >>> In other word, when the >>> mediator is built in Xen, all existing setup with OP-TEE (and >>> no-virtualization) will fail. >> Right. If user provides DTB with 'optee' node, but OP-TEE is build without >> virtualization support, Dom0 will not be created. This can be fixed by >> adding new capability flag into OP-TEE, that tells Xen about >> virtualization support. For some reason I missed this when I implemented >> VM support in OP-TEE :( >> >>> My expectation is Xen should be able to know whether the mediator can be >>> used. >> I need to implement additional capability flag in the OP-TEE. This is >> not so hard, but it will be available only in the next release. For now, >> we can document this limitation somewhere. > > Is OP-TEE already released with virtualization? If not, when will it be? Yes, OP-TEE 3.5.0 was released on 26 April 2019 and it includes virtualization support. >> >>>> >>>>>> +to access to the real OP-TEE OS running on the host. Guest creation >>>>> >>>>> s/real// it is redundant with the rest of the sentence. However, it >>>>> does not really answer to the question regarding isolation. >>>> Your assumption is correct - OP-TEE provides isolation on its side. >>>> >>>>> >>>>>> +will fail if OP-TEE have no resources for a new guest. Number of >>>>>> supported >>>>>> +guests depends on OP-TEE configuration. >>>>> >>>>> How about the following description (correct me if my understanding is >>>>> wrong): >>>>> >>>>> "Allow a guest to access the host OP-TEE OS. Xen will mediate the >>>>> access to OP-TEE and the resource isolation will be provided directly >>>>> by OP-TEE. OP-TEE itself may limit the number of guests that can >>>>> concurrently use it. This requires a virtualization-aware OP-TEE for >>>>> this to work. >>>>> >>>>> This feature is a B<technology preview>." >>>> That's much better than my version. Thank you. >>>> >>>>> How can a user know whether OP-TEE supports virtualization? Is it >>>>> configurable at build? >>>> Yes, there is a special configuration option CFG_VIRTUALIZATION. This is >>>> covered in OP-TEE documentation at [1] >>>> >>>> [1] https://optee.readthedocs.io/architecture/virtualization.html >>> >>> Do we expect the link to be stable? If so, then I think a link in the >>> documentation would be useful. >> This is the official OP-TEE documentation. So, yes, it should be stable. >> I can put this link into the code somewhere. > > I would add the link in the xl documentation and also in the commit > message of patch #2. I can do the later on commit. It would be great. Thank you. -- Best regards,Volodymyr Babchuk _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |