Xen project Mailing List

Re: [PATCH v2 06/10] xen/arm: ffa: Use bit 15 convention for SPs

To: Jens Wiklander <jens.wiklander@xxxxxxxxxx>

From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>

Date: Thu, 24 Oct 2024 07:56:21 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=arm.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none

Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=JnqOQXUyg5uSf4gYTBlGLyNmtlBemF3lVNNNgo8RtPk=; b=ne2V6zXf/YOH6VA1M+tRO0G6Wcmw9JhSUPtsjjC5rdAmc7pJe8mtuTVrIOYmPBEJyUNuo+PbXWNUTOrMUUYGyeA/yWD3D6Bwjg/UVMCVlgvT7F2mrWonYmFa34RaWmyStpFWa/WzWSF/4wf6No45ba3s/GvtQr0lD0BJgMPy/VQD/aQh8h21Jx1ttXNz980FDwAI1Sc5j3jEixdvc9viwq8PArvv+lF5mU5ccAAlBbp4BDJF2VtY+cLLzxnXNddg0eFuzuWKanv93i38cNOQnyb6SZJgUbYxeg1cw6+sL0Ez/lXijdqv91tGDcKcaoafKK73JMLcBXkXegT5w9OtIw==

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=JnqOQXUyg5uSf4gYTBlGLyNmtlBemF3lVNNNgo8RtPk=; b=DIrqZR/B0+WoPK1k51G0IsnqzUsqNjp33UCxtYcXhG3b3hA/q7ZhruHyu5oklHiXWVxuXlJw9BowHcjNbHcWQ2dWp+Dw1mYSj7vhvbg/AQLHaD6qr42GjJUOKkuz65dVumGQpq+pkk/yp9YVjVmvaH4cnrpTzX9sx1FaZNrSyEKHtUjYEGfJlIdS3pHvcKKl+BDurddj5UcrmVAXggQnS1fBS51clNHvayd31UaZtK96w6R/bo0Ioja0g2qFbxIDIi5KKLkLFbHZiZoapinltFVwnf+3ydL8ylSz0eBIimVh+ve5QpXiQ/Y8JZfqTtuj1/00vlBE/4CDIhX1SYunuA==

Arc-seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=NE89wSw/8/kSFcL8bH0oH/1UAC5/RVzoF7ss0iEHiO3xZ38F/jCXILlr7wVA33D/v5rWYbDjfc1JmaBgusLI99OFub3xIV7uMbryuDAL4ZBjmGvXnxaN8yDUSbW+acyRvGIkFMSMf7eBqAXHcNUud8+eK6EsESZ2gHk259Biyi50V6xzIaa5v8YxPM70Kg87bJoe5dPsoouR/D2DHbhEyn/CZ+DhcqovGkBOwDqllwyJkbDJYKxZjLSYmOZG2cS37tbsrr+FVlrtKzO4H9/ZvNZTmH81F/Y4hbKVpYdLu8FcL4q/dDuoGxSZJP8P/z7oBkMnpozN9ts5ZGmSe0qgHg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=aQSOGVmO4xkz/MA+8bXRKhyzT4HuB5EzCA35UfUzq5pqaCVnige21U1lTR2jSRPLilfJHvbwqBGl8SpvUvpbZAWkUzpX3kXIomwU/jUbCT+7QKZrkUOjmiLziWxUyiJt0DWOL/K+lElwGCUuDjRRzjMSCfiJETu/TpSanoQMkLs6bVvG3DPYFYQT4LfKhbTNBld9LjVAuhGlSjuueJ8XR1/ztoD8EJI25iP9M1N1F/Ar5Bctt6ZFvd451CrOupmZIcMY13BXs+0quCPhA9pTpOOTlTlzo6T5xjvNrUemnXay53sNbe0l0k9G01GXcms7juMk+zSpVgj+QY/uGQxr9g==

Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;

Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>

Delivery-date: Thu, 24 Oct 2024 07:56:55 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Nodisclaimer: true

Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;

Thread-index: AQHbH6X4Kzq6WyYLgEicHYTh9yXtYLKUXBIAgAE5AgA=

Thread-topic: [PATCH v2 06/10] xen/arm: ffa: Use bit 15 convention for SPs

Hi Jens, > On 23 Oct 2024, at 15:15, Jens Wiklander <jens.wiklander@xxxxxxxxxx> wrote: > > Hi Bertrand, > > On Wed, Oct 16, 2024 at 10:32 AM Bertrand Marquis > <bertrand.marquis@xxxxxxx> wrote: >> >> Make use and required to have bit 15 convention respected by secure >> world (having bit 15 of IDs set for secure endpoints and non-set for >> non-secure ones). >> If any secure partition has an ID with bit 15 not set, it will not be >> possible to contact or detect them. >> Print an error log during probe for each secure endpoint detected with >> bit 15 not set. >> >> We are switching to this convention because Xen is currently not using >> VMIDs with bit 15 set so we are sure that no VM will have it set (this >> is ensured by BUILD_BUG_ON in case this becomes false in the future). >> It is allowing to easily distinguish between secure and non-secure >> endpoints, preventing the need to store a list of secure endpoint IDs in >> Xen. >> >> Signed-off-by: Bertrand Marquis <bertrand.marquis@xxxxxxx> >> --- >> Changes in v2: >> - rebase >> --- >> xen/arch/arm/tee/ffa.c | 22 +++++++++++--- >> xen/arch/arm/tee/ffa_partinfo.c | 54 +++++++++++++++++++++++++-------- >> xen/arch/arm/tee/ffa_private.h | 7 +++++ >> xen/arch/arm/tee/ffa_shm.c | 12 +++++++- >> 4 files changed, 77 insertions(+), 18 deletions(-) >> >> diff --git a/xen/arch/arm/tee/ffa.c b/xen/arch/arm/tee/ffa.c >> index 4b55e8b48f01..a292003ca9fe 100644 >> --- a/xen/arch/arm/tee/ffa.c >> +++ b/xen/arch/arm/tee/ffa.c >> @@ -195,6 +195,14 @@ static void handle_msg_send_direct_req(struct >> cpu_user_regs *regs, uint32_t fid) >> goto out; >> } >> >> + /* we do not support direct messages to VMs */ >> + if ( !FFA_ID_IS_SECURE(src_dst & GENMASK(15,0)) ) >> + { >> + resp.a0 = FFA_ERROR; >> + resp.a2 = FFA_RET_NOT_SUPPORTED; >> + goto out; >> + } >> + >> arg.a1 = src_dst; >> arg.a2 = get_user_reg(regs, 2) & mask; >> arg.a3 = get_user_reg(regs, 3) & mask; >> @@ -391,11 +399,15 @@ static int ffa_domain_init(struct domain *d) >> >> if ( !ffa_fw_version ) >> return -ENODEV; >> - /* >> - * We can't use that last possible domain ID or ffa_get_vm_id() would >> - * cause an overflow. >> - */ >> - if ( d->domain_id >= UINT16_MAX) >> + /* >> + * We are using the domain_id + 1 as the FF-A ID for VMs as FF-A ID 0 is >> + * reserved for the hypervisor and we only support secure endpoints >> using >> + * FF-A IDs with BIT 15 set to 1 so make sure those are not used by Xen. >> + */ >> + BUILD_BUG_ON(DOMID_FIRST_RESERVED >= UINT16_MAX); >> + BUILD_BUG_ON((DOMID_MASK & BIT(15, U)) != 0); >> + >> + if ( d->domain_id >= DOMID_FIRST_RESERVED ) >> return -ERANGE; >> >> ctx = xzalloc(struct ffa_ctx); >> diff --git a/xen/arch/arm/tee/ffa_partinfo.c >> b/xen/arch/arm/tee/ffa_partinfo.c >> index 75a073d090e0..3cf801523296 100644 >> --- a/xen/arch/arm/tee/ffa_partinfo.c >> +++ b/xen/arch/arm/tee/ffa_partinfo.c >> @@ -169,14 +169,26 @@ void ffa_handle_partition_info_get(struct >> cpu_user_regs *regs) >> >> if ( ffa_sp_count > 0 ) >> { >> - uint32_t n; >> + uint32_t n, real_num = ffa_sp_count; > > Nit: how about n_limit instead of real_num? Sure i will change that in v3. > >> void *src_buf = ffa_rx; >> >> /* copy the secure partitions info */ >> - for ( n = 0; n < ffa_sp_count; n++ ) >> + for ( n = 0; n < real_num; n++ ) >> { >> - memcpy(dst_buf, src_buf, dst_size); >> - dst_buf += dst_size; >> + struct ffa_partition_info_1_1 *fpi = src_buf; >> + >> + /* filter out SP not following bit 15 convention if any */ >> + if ( FFA_ID_IS_SECURE(fpi->id) ) >> + { >> + memcpy(dst_buf, src_buf, dst_size); >> + dst_buf += dst_size; >> + } >> + else >> + { >> + printk(XENLOG_INFO "ffa: sp id 0x%04x skipped, bit 15 is >> 0\n", >> + fpi->id); > > We have already logged this in init_subscribers() below. Is there a > risk of flooding the logs with this? You are right, having it printed once is enough. I will remove this LOG. Cheers Bertrand > > Cheers, > Jens > >> + ffa_sp_count--; >> + } >> src_buf += src_size; >> } >> } >> @@ -276,10 +288,25 @@ static bool init_subscribers(uint16_t count, uint32_t >> fpi_size) >> { >> fpi = ffa_rx + n * fpi_size; >> >> - if ( fpi->partition_properties & FFA_PART_PROP_NOTIF_CREATED ) >> - subscr_vm_created_count++; >> - if ( fpi->partition_properties & FFA_PART_PROP_NOTIF_DESTROYED ) >> - subscr_vm_destroyed_count++; >> + /* >> + * We need to have secure partitions using bit 15 set convention for >> + * secure partition IDs. >> + * Inform the user with a log and discard giving created or destroy >> + * event to those IDs. >> + */ >> + if ( !FFA_ID_IS_SECURE(fpi->id) ) >> + { >> + printk(XENLOG_ERR "ffa: Firmware is not using bit 15 convention >> for IDs !!\n" >> + "ffa: Secure partition with id 0x%04x cannot >> be used\n", >> + fpi->id); >> + } >> + else >> + { >> + if ( fpi->partition_properties & FFA_PART_PROP_NOTIF_CREATED ) >> + subscr_vm_created_count++; >> + if ( fpi->partition_properties & FFA_PART_PROP_NOTIF_DESTROYED ) >> + subscr_vm_destroyed_count++; >> + } >> } >> >> if ( subscr_vm_created_count ) >> @@ -299,10 +326,13 @@ static bool init_subscribers(uint16_t count, uint32_t >> fpi_size) >> { >> fpi = ffa_rx + n * fpi_size; >> >> - if ( fpi->partition_properties & FFA_PART_PROP_NOTIF_CREATED ) >> - subscr_vm_created[c_pos++] = fpi->id; >> - if ( fpi->partition_properties & FFA_PART_PROP_NOTIF_DESTROYED ) >> - subscr_vm_destroyed[d_pos++] = fpi->id; >> + if ( FFA_ID_IS_SECURE(fpi->id) ) >> + { >> + if ( fpi->partition_properties & FFA_PART_PROP_NOTIF_CREATED ) >> + subscr_vm_created[c_pos++] = fpi->id; >> + if ( fpi->partition_properties & FFA_PART_PROP_NOTIF_DESTROYED ) >> + subscr_vm_destroyed[d_pos++] = fpi->id; >> + } >> } >> >> return true; >> diff --git a/xen/arch/arm/tee/ffa_private.h b/xen/arch/arm/tee/ffa_private.h >> index e5bc73f9039e..afe69b43dbef 100644 >> --- a/xen/arch/arm/tee/ffa_private.h >> +++ b/xen/arch/arm/tee/ffa_private.h >> @@ -108,6 +108,13 @@ >> */ >> #define FFA_CTX_TEARDOWN_DELAY SECONDS(1) >> >> +/* >> + * We rely on the convention suggested but not mandated by the FF-A >> + * specification that secure world endpoint identifiers have the bit 15 >> + * set and normal world have it set to 0. >> + */ >> +#define FFA_ID_IS_SECURE(id) ((id) & BIT(15, U)) >> + >> /* FF-A-1.1-REL0 section 10.9.2 Memory region handle, page 167 */ >> #define FFA_HANDLE_HYP_FLAG BIT(63, ULL) >> #define FFA_HANDLE_INVALID 0xffffffffffffffffULL >> diff --git a/xen/arch/arm/tee/ffa_shm.c b/xen/arch/arm/tee/ffa_shm.c >> index efa5b67db8e1..29675f9ba3f7 100644 >> --- a/xen/arch/arm/tee/ffa_shm.c >> +++ b/xen/arch/arm/tee/ffa_shm.c >> @@ -469,6 +469,7 @@ void ffa_handle_mem_share(struct cpu_user_regs *regs) >> int ret = FFA_RET_DENIED; >> uint32_t range_count; >> uint32_t region_offs; >> + uint16_t dst_id; >> >> if ( !ffa_fw_supports_fid(FFA_MEM_SHARE_64) ) >> { >> @@ -537,6 +538,15 @@ void ffa_handle_mem_share(struct cpu_user_regs *regs) >> goto out_unlock; >> >> mem_access = ctx->tx + trans.mem_access_offs; >> + >> + dst_id = ACCESS_ONCE(mem_access->access_perm.endpoint_id); >> + if ( !FFA_ID_IS_SECURE(dst_id) ) >> + { >> + /* we do not support sharing with VMs */ >> + ret = FFA_RET_NOT_SUPPORTED; >> + goto out_unlock; >> + } >> + >> if ( ACCESS_ONCE(mem_access->access_perm.perm) != FFA_MEM_ACC_RW ) >> { >> ret = FFA_RET_NOT_SUPPORTED; >> @@ -567,7 +577,7 @@ void ffa_handle_mem_share(struct cpu_user_regs *regs) >> goto out_unlock; >> } >> shm->sender_id = trans.sender_id; >> - shm->ep_id = ACCESS_ONCE(mem_access->access_perm.endpoint_id); >> + shm->ep_id = dst_id; >> >> /* >> * Check that the Composite memory region descriptor fits. >> -- >> 2.47.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.