[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Tee-dev] TEE with XEN

  • To: Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
  • Date: Fri, 19 Jun 2020 08:49:47 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MHuUM1caB3fKi1KJ4cB2DVD7ajRsxVL/D26k4TX4KkE=; b=hgZaTJUiOgkZO0y3i4vMiLNvyzrk6zcMThnL5pECsJCrAVRu1ld6q86/e6sZg3P8qBzPUXpX4tCgZEq2QF1MdFLll3nDHJ4uw4zeCP7/TGEPNZd0DXtai13eD9zN0ZX1dJPWAIJ6RM0wniGT4253LP483Y93CdykA4NNN7F19WkQRfLnMv+bewE08qMLKJgVBsjIDCQyQvk4mKa0CdXWzuxlwlHAVB44AlwTg2s4+y68JoKujg3WT92z7UsWYHpmccAkVjizFc6a3w2gC1GX2AOoJ0bdZdgtfIFr+Jhx9z/5jT8YGIsJRlIhm7hMNDMJCVDfbDaI4JpK+ElRQ9OXpg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JgvFZLRJ0hWo36N6UkfOlnIP+RMjnR5dz7pVkCkqVjkJz4Y/vD0YJv8kacDe+PA/N5QKV0stKybT9KD2KSidxi0YHMi2wbu7g8bWjV4zmSqUXJ9L4yhvENEZ5yMhTHljH6ID3VsMz3HZmamemz2fHCqdws7g9Zihhou+eTcSA3DawVA8srWAk1SnDwAZNLFA6b2Bk3EUe1Ik9m2sHqUAw9JHZs9wW3d9j8H+2pq0r8Nv91CRxkO7YzAJIz1FOJH91xkZxZOUx3s+864sLW6ql6BAyvvESYA1EGNBdkdfgiVlhUQM1OOqqmY1F4aZVK5/x027QDZdmv43Gr4vAegMdA==
  • Authentication-results-original: kernel.org; dkim=none (message not signed) header.d=none;kernel.org; dmarc=none action=none header.from=arm.com;
  • Cc: Peng Fan <peng.fan@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Oleksandr Andrushchenko <Oleksandr_Andrushchenko@xxxxxxxx>, Volodymyr Babchuk <vlad.babchuk@xxxxxxxxx>, "tee-dev@xxxxxxxxxxxxxxxx" <tee-dev@xxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, nd <nd@xxxxxxx>, Jens Wiklander <jens.wiklander@xxxxxxxxxx>, Stefano Babic <sbabic@xxxxxxx>
  • Delivery-date: Fri, 19 Jun 2020 08:50:01 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: kernel.org; dkim=none (message not signed) header.d=none;kernel.org; dmarc=none action=none header.from=arm.com;
  • Thread-index: AdZCuN8SyGfGPx9hRva/eeajiUtqpQAw/zsAAIeJWwAACMx1AAAWGKGA
  • Thread-topic: [Tee-dev] TEE with XEN

> On 18 Jun 2020, at 23:17, Stefano Stabellini <sstabellini@xxxxxxxxxx> wrote:
> 
> On Thu, 18 Jun 2020, Julien Grall wrote:
>> +Bertrand and Stefano
> 
> Thanks for CC'ing me
> 
> 
>> On 16/06/2020 02:24, Volodymyr Babchuk wrote:
>>> Hi Peng,
>>> 
>>> On Mon, 15 Jun 2020 at 05:07, Peng Fan <peng.fan@xxxxxxx> wrote:
>>>> 
>>>> Hi All,
>>>> 
>>>> While enabling trusty os with xen, I took same approach as OP-TEE,
>>>> with OP-TEE running in secure world. But I am also thinking this might
>>>> introduce potential issue is that secure world OS communicate with DomU.
>>>> If there are some misbehavior in secure world OS, it might let XEN
>>>> hypervisor not work proper.
>>>> 
>>>> In my setup, trusty os sometimes panic in secure world, xen will not able
>>>> to control the panic core anymore.
>> 
>> May I ask in which case Trusty is panicking?
>> 
>>>> 
>>>> So I am thinking whether we need to emulating secure world in a XEN VM
>>>> which is the VM running DomU. Just like what ACRN did to run trusty
>>>> os.
>>> 
>>> Well, it depends on whom you are trusting more. Both XEN and TEE are minimal
>>> OS implementations with aim at security. I'm speaking about generic TEE OS,
>>> not
>>> about particular OS like OP-TEE or Trusty. Problem is that, if TEE is
>>> running inside
>>> VM, it will be susceptible to a hypervisor misbehaviour. You need to
>>> understand
>>> that Xen and privileged domain (dom0, mostly) can access memory of any
>>> guest.
>>> At least, in default configuration. There are means to harden this
>>> setup. But anyways,
>>> Xen can't be stopped from reading TEE's secrets.
>> 
>> IIRC, we discussed this approach for OP-TEE in the past. There was other
>> potential pitfalls with it. For instance, you wouldn't be able to directly
>> access any secure device from that guest (it is running in non-secure world).
> 
> Given that Secure World has access to Normal World but not vice versa,
> it is more natural to run Trusty in one of the Secure execution levels.
> The expectation is that Trusty has higher privilege, thus it is more
> "trusted" than anything running in Normal World, including Xen.
> 
> Of course no client should be able to crash Trusty, so the reality
> sometimes can be very different from the theory :-)
> 
> If I were you, I would consider running the TEE "inside" the VM only if
> the service that the TEE provides is strongly coupled with the VM and
> doesn't actually need a high level of privilege to function (i.e.
> doesn't access secure devices or at least not often.)
> 

I could see some scenarios where this would make sense if you trust one VM more 
then an other.
But this falls into a model of “virtualizing” optee using a VM where from the 
system point of view any usage of this VM from the functionality could not be 
more trusted then Xen And the VM providing the service.

> 
>> Depending on whether you can modify Trusty OS, alternative would be to make
>> itvirtualization aware as OP-TEE did. The core would need to be resilient and
>> the panic only affect a given client.
> 
> This would most probably be the best compromise.

Agree.

Bertrand

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.