[PATCH v4 0/7] KVM: arm64: Forward FFA_NOTIFICATION* calls to TrustZone

Vincent Donnefort vdonnefort at google.com
Tue Jun 23 04:24:44 PDT 2026


On Tue, Jun 16, 2026 at 03:41:42PM +0000, Sebastian Ene wrote:
> Remove the FFA_NOTIFICATION* calls from the blocklist used by the pKVM
> FF-A proxy. This restriction was preventing the use of asynchronous
> signaling mechanisms defined by the Arm FF-A specification to
> communicate with the secure services.
> While these calls are markes as optional, there is no reason why the
> hypervisor proxy would block them because:
> 
> 1. Host is the Sole Non-Secure Endpoint: The Host operates as the
>    only Non-Secure VM ID (VM ID 0) recognized by the Secure World.
>    Because all forwarded notifications are inherently attributed to
>    the Host by the SPMC, there is no risk of VM ID spoofing
>    originating from the Normal World.
> 
> 2. No Memory Pointers or Addresses: The FFA_NOTIFICATION_* ABIs
>    operate strictly via register-based parameters, passing only
>    VM IDs, VCPU IDs, flags, and bitmaps. Because these calls do
>    not contain memory addresses, offsets, or pointers, forwarding
>    them doesn't pose a risk of memory-based confused deputy attack
>    (e.g., tricking the SPMC into overwriting protected memory).
> 
> While the pKVM proxy behaves as a relayer, it doesn't currently have its
> own FF-A ID(only the host has the ID 0). The behavior of the setup
> flow is covered by the spec in the: '10.9 Notification support without
> a Hypervisor'.

For the whole series:

Reviewed-by: Vincent Donnefort <vdonnefort at google.com>

> 
> ---
> Changes in v4:
> - previous series(v3) had serious issues with the patch number and it
>   appeared like it used a mixed bag from v2 as well. Resend this to
>   restore the correct order of the patches.
> - fix strict check in ffa_check_unused_args_sbz and make it "<= 17"
> - check the receiver endpoint Id in
>   FFA_NOTIFICATION_BIND/FFA_NOTIFICATION_UNBIND instead of the sender
> - use hyp_smccc_1_2_smc all along 
> - check the receiver endpoit Id when doing FFA_NOTIFICATION_GET  
> 
> Changes in v3:
> - applied Will's suggestion to use the introduced method
>   ffa_check_unused_args_sbz for existing calls and added a new
> patch in the beggining of the series to do this.
> - merged the handling of
>   FFA_NOTIFICATION_BITMAP_CREATE/FFA_NOTIFICATION_BITMAP_DESTROY into
> one patch as Vincent suggested and create one handler for both.
> 
> Changes in v2:
> - enforce the MBZ/SBZ fields
> - split the calls into separate patches
> - rebase on 7.1-rc7
> 
> Link to v3:
> https://lore.kernel.org/all/20260616105417.2578670-1-sebastianene@google.com/
> Link to v2:
> https://lore.kernel.org/all/20260608165549.1479409-1-sebastianene@google.com/
> Link to v1:
> https://lore.kernel.org/all/20260501114447.2389222-2-sebastianene@google.com/
> 
> Sebastian Ene (7):
>   KVM: arm64: Enforce strict SBZ checks in the FF-A proxy
>   KVM: arm64: Forward FFA_NOTIFICATION_BITMAP calls to Trustzone
>   KVM: arm64: Support FFA_NOTIFICATION_BIND in host handler
>   KVM: arm64: Support FFA_NOTIFICATION_UNBIND in host handler
>   KVM: arm64: Support FFA_NOTIFICATION_SET in host handler
>   KVM: arm64: Support FFA_NOTIFICATION_GET in host handler
>   KVM: arm64: Support FFA_NOTIFICATION_INFO_GET in host handler
> 
>  arch/arm64/kvm/hyp/nvhe/ffa.c | 211 ++++++++++++++++++++++++++++++++--
>  1 file changed, 203 insertions(+), 8 deletions(-)
> 
> -- 
> 2.54.0.1136.gdb2ca164c4-goog
> 



More information about the linux-arm-kernel mailing list