[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 10/10] xen/arm: ffa: Add indirect message support

  • To: Jens Wiklander <jens.wiklander@xxxxxxxxxx>
  • From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
  • Date: Thu, 24 Oct 2024 10:05:22 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=arm.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rzVcn8qpvldPKrdGQcDtdcF9/RxDkXjuqpbYCo6Eikc=; b=p04O0mXmCptWv6PMyOcpF0ZcCmRDhmwAKAQxtina0sy9CB6tdG3Du6gOsZS6FAGXTYfoO5UFfBEhbb5hTbl1UWzuZqNT+Afo/ywk5HHDzmA0fHqW38ZLg4jEZV3b1HJ9K0xzKcQ5bNuQef1bCpc3Az/0o+P4xE6mpDNy+8qR7qtcjL8+YLvapy9qOrrVYX8pf6WEljp+VrVKy1lgsguAZ3msC+poqzT6HFxWwlrCzUXvwci67zIER+J8JpW3i6V1BchkJPnvuZ31UcCxQ0f/iC5rz12laFHN3/5fXnF8+Xq8C3n6b4kHUnFFhokZ7S08vTqkzlA81i+6ca6ia95EUw==
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rzVcn8qpvldPKrdGQcDtdcF9/RxDkXjuqpbYCo6Eikc=; b=mbk2GzL6s424WC1WBLbHfCT1FOCC5h2pw3VQpQhnOf45C4BvIZnc/Fa6WwjAeSSswNeWCSP6wabuvu1c78fYh42ZWwOmZbrvM//lzPO0di8evPJiSoc6CfnM4dze8w4FLPK7r8QZ4Z+qNs+VgfYjHERBkN7XU5eBsBJ93HLwFror9KMcjldpzL1aecJmczr4yvak/FjKL6Mb8fJ/4sJVAX553BWjqn3N5p1DSfhYtdgpul3SPe4vDxIGfYyDli35jDceQPy5R+evDKBsERKryySHpJ3SaVSGdigEDAXtjX8YhD4RVQ+T3hh0QXzC5QrFOkCULh39tl8xwuJwaVt4FQ==
  • Arc-seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=DADGkOHPSOC14fMMGc8KKsDMSfR1xb/QSq6mpItS9RczDPTLtckF/rUZhJ/TUFcUMXm9iP0PXhMm/IX/a3VnMdRJ9Xo0RjPgU8q/fE7saL/Y7kNqenbyM5CnpDKq2DA/Ry5+kTXfrAiP6iqe1uvejKfOBr/a5J5CtWa63P9xgKatJ/dvgzElGAUB+lh2CoHuQlKPz8CDrgPC3tiI2CmiR0O6sZI28E0tedFufEqgAr+8zFEUhnzQVJke4UtY5NDXBmlTWxDWHwuAQIkRjjHNu+N9YdeG+tvDFB70rwt92auvx8VToB6bKzf7IGe4FKY8vGYox0GTmiWIGNq7+HX04Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=P+DpsuQCDA2rMfOargvvJALHBBseszsye+Wqu8mOWQL+9YydU/tl+pNE/f42LlkKmuQoIH0vV0At1eoktR4gUckgQNjdxk7baM+QrPsxZPZqzYnRTeh5Z/4SEVcKusEVJK0MVTyT0+svu7BD42F+PB+ABKOLIyGnd0pkwrqZhdaA7ay/U7RNmynztGmk8VCHOJg+7AnT4EP84uwFMa6FBfksPMkilZAVSZ+KmH/9GyY8Sr6998dThMpWKiAjcSH1r+KLjDO14BgjdunhOXnusOLmE0+shJwyFMaOhGawrjicrugPVCqu4NqmWmbWu/uA6znZoTa5W0dK8wKDhXtMLQ==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
  • Delivery-date: Thu, 24 Oct 2024 10:07:27 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Thread-index: AQHbH6X9IBo7HgFtxUejZCumPUt4kbKVpD+AgAAU4gA=
  • Thread-topic: [PATCH v2 10/10] xen/arm: ffa: Add indirect message support
Hi Jens,

> On 24 Oct 2024, at 10:50, Jens Wiklander <jens.wiklander@xxxxxxxxxx> wrote:
> 
> Hi Bertrand,
> 
> On Wed, Oct 16, 2024 at 10:32 AM Bertrand Marquis
> <bertrand.marquis@xxxxxxx> wrote:
>> 
>> Add support for FFA_MSG_SEND2 to send indirect messages from a VM to a
>> secure partition.
>> 
>> Signed-off-by: Bertrand Marquis <bertrand.marquis@xxxxxxx>
>> ---
>> Changes in v2:
>> - rebase
>> ---
>> xen/arch/arm/tee/ffa.c         |  5 ++++
>> xen/arch/arm/tee/ffa_msg.c     | 49 ++++++++++++++++++++++++++++++++++
>> xen/arch/arm/tee/ffa_private.h |  1 +
>> 3 files changed, 55 insertions(+)
>> 
>> diff --git a/xen/arch/arm/tee/ffa.c b/xen/arch/arm/tee/ffa.c
>> index 3a9525aa4598..21d41b452dc9 100644
>> --- a/xen/arch/arm/tee/ffa.c
>> +++ b/xen/arch/arm/tee/ffa.c
>> @@ -101,6 +101,7 @@ static const struct ffa_fw_abi ffa_fw_abi_needed[] = {
>>     FW_ABI(FFA_MEM_RECLAIM),
>>     FW_ABI(FFA_MSG_SEND_DIRECT_REQ_32),
>>     FW_ABI(FFA_MSG_SEND_DIRECT_REQ_64),
>> +    FW_ABI(FFA_MSG_SEND2),
>> };
>> 
>> /*
>> @@ -195,6 +196,7 @@ static void handle_features(struct cpu_user_regs *regs)
>>     case FFA_PARTITION_INFO_GET:
>>     case FFA_MSG_SEND_DIRECT_REQ_32:
>>     case FFA_MSG_SEND_DIRECT_REQ_64:
>> +    case FFA_MSG_SEND2:
>>         ffa_set_regs_success(regs, 0, 0);
>>         break;
>>     case FFA_MEM_SHARE_64:
>> @@ -275,6 +277,9 @@ static bool ffa_handle_call(struct cpu_user_regs *regs)
>>     case FFA_MSG_SEND_DIRECT_REQ_64:
>>         ffa_handle_msg_send_direct_req(regs, fid);
>>         return true;
>> +    case FFA_MSG_SEND2:
>> +        e = ffa_handle_msg_send2(regs);
>> +        break;
>>     case FFA_MEM_SHARE_32:
>>     case FFA_MEM_SHARE_64:
>>         ffa_handle_mem_share(regs);
>> diff --git a/xen/arch/arm/tee/ffa_msg.c b/xen/arch/arm/tee/ffa_msg.c
>> index ae263e54890e..335f246ba657 100644
>> --- a/xen/arch/arm/tee/ffa_msg.c
>> +++ b/xen/arch/arm/tee/ffa_msg.c
>> @@ -12,6 +12,15 @@
>> 
>> #include "ffa_private.h"
>> 
>> +/* Encoding of partition message in RX/TX buffer */
>> +struct ffa_part_msg_rxtx {
>> +    uint32_t flags;
>> +    uint32_t reserved;
>> +    uint32_t msg_offset;
>> +    uint32_t send_recv_id;
>> +    uint32_t msg_size;
>> +};
>> +
>> void ffa_handle_msg_send_direct_req(struct cpu_user_regs *regs, uint32_t fid)
>> {
>>     struct arm_smccc_1_2_regs arg = { .a0 = fid, };
>> @@ -78,3 +87,43 @@ out:
>>                  resp.a4 & mask, resp.a5 & mask, resp.a6 & mask,
>>                  resp.a7 & mask);
>> }
>> +
>> +int32_t ffa_handle_msg_send2(struct cpu_user_regs *regs)
>> +{
>> +    struct domain *src_d = current->domain;
>> +    struct ffa_ctx *src_ctx = src_d->arch.tee;
>> +    const struct ffa_part_msg_rxtx *src_msg;
>> +    uint16_t dst_id, src_id;
>> +    int32_t ret;
>> +
>> +    if ( !ffa_fw_supports_fid(FFA_MSG_SEND2) )
>> +        return FFA_RET_NOT_SUPPORTED;
>> +
>> +    if ( !spin_trylock(&src_ctx->tx_lock) )
>> +        return FFA_RET_BUSY;
>> +
>> +    src_msg = src_ctx->tx;
>> +    src_id = src_msg->send_recv_id >> 16;
>> +    dst_id = src_msg->send_recv_id & GENMASK(15,0);
>> +
>> +    if ( src_id != ffa_get_vm_id(src_d) || !FFA_ID_IS_SECURE(dst_id) )
>> +    {
>> +        ret = FFA_RET_INVALID_PARAMETERS;
>> +        goto out_unlock_tx;
>> +    }
>> +
>> +    /* check source message fits in buffer */
>> +    if ( src_ctx->page_count * FFA_PAGE_SIZE <
>> +         src_msg->msg_offset + src_msg->msg_size ||
>> +         src_msg->msg_offset < sizeof(struct ffa_part_msg_rxtx) )
>> +    {
>> +        ret = FFA_RET_INVALID_PARAMETERS;
>> +        goto out_unlock_tx;
>> +    }
> 
> The guest can change src_mst at any moment with another CPU so these
> tests are only sanity checks. The SPMC will also have to lock and do
> the same tests again. So the tests here will only in the best case (in
> case the guest is misbehaving) save us from entering the SPMC only to
> get an error back. The lock makes sense since we could have concurrent
> calls to FFA_MEM_SHARE. How about removing the tests?

I think we should still prevent to forward invalid requests to the SPMC as
much as we can to prevent a malicious guest from stilling CPU cycles by
doing invalid calls to the secure world.

I could put a comment in there saying that this is just protection but to be
fare the SPMC in secure will have the same issues: this can be changed
at any time by the caller on another core.

> 
>> +
>> +    ret = ffa_simple_call(FFA_MSG_SEND2, ((uint32_t)src_id) << 16, 0, 0, 0);
> 
> I'd rather use ffa_get_vm_id(src_d) instead of src_id.

src_id is a local variable and was checked to be equal to  ffa_get_vm_id(src_d)
upper so those 2 values are the same.
Why would you rather recall ffa_get_vm_id here ?

Cheers
Bertrand

> 
> Cheers,
> Jens
> 
>> +
>> +out_unlock_tx:
>> +    spin_unlock(&src_ctx->tx_lock);
>> +    return ret;
>> +}
>> diff --git a/xen/arch/arm/tee/ffa_private.h b/xen/arch/arm/tee/ffa_private.h
>> index 973ee55be09b..d441c0ca5598 100644
>> --- a/xen/arch/arm/tee/ffa_private.h
>> +++ b/xen/arch/arm/tee/ffa_private.h
>> @@ -359,6 +359,7 @@ void ffa_handle_notification_get(struct cpu_user_regs 
>> *regs);
>> int ffa_handle_notification_set(struct cpu_user_regs *regs);
>> 
>> void ffa_handle_msg_send_direct_req(struct cpu_user_regs *regs, uint32_t 
>> fid);
>> +int32_t ffa_handle_msg_send2(struct cpu_user_regs *regs);
>> 
>> static inline uint16_t ffa_get_vm_id(const struct domain *d)
>> {
>> --
>> 2.47.0

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.