[PATCH 2/2] KVM: arm64: Allow only the specified FF-A calls to be forwarded to TZ
Oliver Upton
oliver.upton at linux.dev
Fri Mar 22 19:07:52 PDT 2024
On Fri, Mar 22, 2024 at 12:43:03PM +0000, Sebastian Ene wrote:
> The previous logic used a deny list to filter the FF-A calls. Because of
> this, some of the calls escaped the check and they were forwarded by
> default to Trustzone. (eg. FFA_MSG_SEND_DIRECT_REQ was denied but the 64
> bit version of the call was not).
> Modify the logic to use an allowlist and allow only the calls specified in
> the filter function to be proxied to TZ from the hypervisor.
I had discussed this with Will back when the feature was upstreamed and
he said there's a lot of off-label calls that necessitate a denylist
implementation. Has anything changed to give us confidence that we can
be restrictive, at least on the FF-A range?
--
Thanks,
Oliver
More information about the linux-arm-kernel
mailing list