[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Tee-dev] TEE with XEN


  • To: Julien Grall <julien@xxxxxxx>
  • From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
  • Date: Fri, 19 Jun 2020 08:45:46 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=p8NAY2KUazQ/5vajcMbELbyEbERL6Tt41EYXFTZPD/A=; b=aOWPFYWQtbKNTbLxXA88dv2cJO5B06E1Z+ldsyGOoKAegTMSzWDGH+a/D9Ym0UxF1u9mgQKdJ8FsUCtOk0Ch33feWR0Hzin/qQklELD2582SJx31d4VhVKM3/nxrF9YN7Z4EGVIDHwQDwSywcYyzXNM6JsJTqKf3gAo2JNO7QfGc6Q2G5qeM63trQshQdR/XePoKZgAfNTKiZmp1gkvpk5K6/ixJKMoD5oWLijzDewL14tnCrLEaw0/WA2Wg9KuZxfm6uSaz82p8eyS87gpDxx+XDc7my4S+u4aVE3CBpXmY68yR/PyKf4w3g02umGWaxT7XIMUksqcwJCMSY1bCMw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UJgt2zU2wMTvI97b9VAk8zTcxWiZTzzx7iIxutQhUs2LBCiLHng2NdPXUgcOrQOIo7iHnSGuyCGpIRo3+7QsleA7ytCJCfaVVBRMVe6gEXRyjZ9R4Ht03qOM7azGqzDxPhXxEhoNTSnKDNZtGVDVjzQpSTylx7AGqP01ne9NkRh/Ttyz+h9kA1oNICI3UuKUQxnmM3jVzyBKhqiQV3hYsl940EJvY8klwR6oA/qMi2NLFrKEM0GHfHPngJR6iXFKmdJA19QAXTi8Ca4kBYd2ORXYGYM+2/X1FoAR0GWamnd0TOac6ys/mDD+yEzqwb1BKPceG5Ul//ugpzTOnVcUQA==
  • Authentication-results-original: xen.org; dkim=none (message not signed) header.d=none;xen.org; dmarc=none action=none header.from=arm.com;
  • Cc: Peng Fan <peng.fan@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Andrushchenko <Oleksandr_Andrushchenko@xxxxxxxx>, Volodymyr Babchuk <vlad.babchuk@xxxxxxxxx>, "tee-dev@xxxxxxxxxxxxxxxx" <tee-dev@xxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, nd <nd@xxxxxxx>, Jens Wiklander <jens.wiklander@xxxxxxxxxx>, Stefano Babic <sbabic@xxxxxxx>
  • Delivery-date: Fri, 19 Jun 2020 08:46:00 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: xen.org; dkim=none (message not signed) header.d=none;xen.org; dmarc=none action=none header.from=arm.com;
  • Thread-index: AdZCuN8SyGfGPx9hRva/eeajiUtqpQAw/zsAAIeJWwAAHsEHgA==
  • Thread-topic: [Tee-dev] TEE with XEN

Hi,

> On 18 Jun 2020, at 19:05, Julien Grall <julien@xxxxxxx> wrote:
> 
> +Bertrand and Stefano
> 
> On 16/06/2020 02:24, Volodymyr Babchuk wrote:
>> Hi Peng,
>> On Mon, 15 Jun 2020 at 05:07, Peng Fan <peng.fan@xxxxxxx> wrote:
>>> 
>>> Hi All,
>>> 
>>> While enabling trusty os with xen, I took same approach as OP-TEE,
>>> with OP-TEE running in secure world. But I am also thinking this might
>>> introduce potential issue is that secure world OS communicate with DomU.
>>> If there are some misbehavior in secure world OS, it might let XEN
>>> hypervisor not work proper.
>>> 
>>> In my setup, trusty os sometimes panic in secure world, xen will not able
>>> to control the panic core anymore.
> 
> May I ask in which case Trusty is panicking?

In any case, optee should protect itself against this and it should be 
considered that optee is more priviledged then Xen.
So if optee is crashing we cannot expect that Xen can recover or fix it.

I would more consider this as a bug that optee needs to be robust against.

> 
>>> 
>>> So I am thinking whether we need to emulating secure world in a XEN VM
>>> which is the VM running DomU. Just like what ACRN did to run trusty
>>> os.
>> Well, it depends on whom you are trusting more. Both XEN and TEE are minimal
>> OS implementations with aim at security. I'm speaking about generic TEE OS, 
>> not
>> about particular OS like OP-TEE or Trusty. Problem is that, if TEE is
>> running inside
>> VM, it will be susceptible to a hypervisor misbehaviour. You need to 
>> understand
>> that Xen and privileged domain (dom0, mostly) can access memory of any guest.
>> At least, in default configuration. There are means to harden this
>> setup. But anyways,
>> Xen can't be stopped from reading TEE's secrets.
> 
> IIRC, we discussed this approach for OP-TEE in the past. There was other 
> potential pitfalls with it. For instance, you wouldn't be able to directly 
> access any secure device from that guest (it is running in non-secure world).
> 
> There are also issues in term of latency as you may have the following model:
> 
> domU -> Xen -> domU TEE -> (Xen -> host TEE -> Xen -> domU TEE) -> Xen -> 
> domU.
> 
> The bit in () is if you require to call the host TEE.
> 
> One possibility would be to use Secure-EL2 for your Trusty OS. But I don't 
> know whether your platform supports it.
> 
> Depending on whether you can modify Trusty OS, alternative would be to make 
> itvirtualization aware as OP-TEE did. The core would need to be resilient and 
> the panic only affect a given client.

I do not have right a clear idea of what is the status of optee and xen but in 
theory I would see 2 possible ways to handle this:
- without optee modification, something in a guest (Dom0 or an other 
priviledged one) needs to have access to optee and emulate optee access for 
others.
- with optee modifications, optee needs to have a concept of client and Xen 
would need to passthrough optee requests but being responsible of adding a 
“client” identifier. Maybe also informing Optee when a new client is 
created/removed.

The second scenario could then be somehow splitted in the previous one from 
Julien if some parts would need to be emulated somewhere in some kind of 
combination of the 2 models.

In any case i would always consider that anything running on optee (or in 
general in the secure world) is more trusted then Xen.

Regards
Bertrand


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.