[PATCH v2 01/10] KVM: arm64: Block unsafe FF-A calls from the host
Oliver Upton
oliver.upton at linux.dev
Wed May 10 12:08:01 PDT 2023
Hi Will,
On Wed, Apr 19, 2023 at 01:20:42PM +0100, Will Deacon wrote:
[...]
> +/*
> + * Is a given FFA function supported, either by forwarding on directly
> + * or by handling at EL2?
> + */
> +static bool ffa_call_supported(u64 func_id)
> +{
> + switch (func_id) {
> + /* Unsupported memory management calls */
> + case FFA_FN64_MEM_RETRIEVE_REQ:
> + case FFA_MEM_RETRIEVE_RESP:
> + case FFA_MEM_RELINQUISH:
> + case FFA_MEM_OP_PAUSE:
> + case FFA_MEM_OP_RESUME:
> + case FFA_MEM_FRAG_RX:
> + case FFA_FN64_MEM_DONATE:
> + /* Indirect message passing via RX/TX buffers */
> + case FFA_MSG_SEND:
> + case FFA_MSG_POLL:
> + case FFA_MSG_WAIT:
> + /* 32-bit variants of 64-bit calls */
> + case FFA_MSG_SEND_DIRECT_REQ:
> + case FFA_MSG_SEND_DIRECT_RESP:
> + case FFA_RXTX_MAP:
> + case FFA_MEM_DONATE:
> + case FFA_MEM_RETRIEVE_REQ:
> + /* Don't advertise any features just yet */
> + case FFA_FEATURES:
> + return false;
> + }
> +
> + return true;
> +}
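Review bot: the fall-through `return true;` at the end of ffa_call_supported() makes this a denylist, so any function ID not enumerated in the switch, including IDs added by later FF-A revisions or vendor-specific ones, is reported as supported and forwarded to EL3. If that is the intended policy, the comment above the function should say why forwarding unknown IDs is acceptable for pKVM; otherwise consider inverting the switch so it returns true only for the IDs pKVM explicitly handles at EL2 or knowingly forwards, with `return false;` as the default.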
Apologies for rehashing something we discussed in v1...
Enforcing the pKVM policy as a denylist rather than an allowlist
deserves a bit more elaboration, at least in the form of a comment. I
understand that we must trust EL3 by construction, but it is fuzzy why
it gets extended to what EL1 might do with FF-A calls that are unknown
to pKVM.
Broadening the scope for a moment, is my understanding correct that
limiting 'unknown' SMCs from host EL1 is an explicit non-goal of pKVM's
security model? Assuming a well-intentioned EL3, I'm just a bit worried
about any vendor-specific junkware that could be used by a malicious
EL1.
--
Thanks,
Oliver
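The denylist-versus-allowlist question raised above, as an added example that is not part of the patch or of pKVM: the same filtering decision written both ways, with a probe for a function ID neither version has heard of. The enum values are assumed placeholders in the FF-A 0x8400_00xx style and FFA_HYPOTHETICAL_NEW_FN is an invented ID; none of the numbers are taken from the spec or the kernel.

```c
/*
 * Added illustration, not code from the quoted patch or from pKVM.
 * Shows how a denylist (as in the patch) and an allowlist treat an
 * FF-A function ID that neither list enumerates.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* Assumed placeholder IDs; not taken from the FF-A spec or the kernel. */
enum ffa_fn {
	FFA_FEATURES                 = 0x84000064,
	FFA_RXTX_MAP                 = 0x84000066,
	FFA_MSG_SEND_DIRECT_REQ      = 0x8400006F,
	FFA_MEM_SHARE                = 0x84000073,
	FFA_MEM_RETRIEVE_REQ         = 0x84000074,
	FFA_MEM_RECLAIM              = 0x84000077,
	FFA_FN64_RXTX_MAP            = 0xC4000066, /* assumed 64-bit variant */
	FFA_FN64_MSG_SEND_DIRECT_REQ = 0xC400006F, /* assumed 64-bit variant */
	FFA_FN64_MEM_SHARE           = 0xC4000073, /* assumed 64-bit variant */
};

/* Invented ID standing in for a call added after the filter was written. */
#define FFA_HYPOTHETICAL_NEW_FN 0x8400007Fu

/* Denylist, the shape used in the patch: unlisted IDs fall through to true. */
static bool ffa_call_supported_denylist(u64 func_id)
{
	switch (func_id) {
	case FFA_MEM_RETRIEVE_REQ:
	case FFA_MSG_SEND_DIRECT_REQ:
	case FFA_RXTX_MAP:
	case FFA_FEATURES:
		return false;
	}
	return true;
}

/* Allowlist: only IDs the proxy explicitly handles or forwards pass. */
static bool ffa_call_supported_allowlist(u64 func_id)
{
	switch (func_id) {
	case FFA_FN64_RXTX_MAP:
	case FFA_FN64_MSG_SEND_DIRECT_REQ:
	case FFA_MEM_SHARE:
	case FFA_FN64_MEM_SHARE:
	case FFA_MEM_RECLAIM:
		return true;
	}
	return false;
}

/*
 * Classify one function ID under both policies:
 *   0 = both block it
 *   1 = both forward it
 *   2 = only the denylist forwards it (an ID nobody reviewed)
 */
int ffa_policy_outcome(u64 func_id)
{
	bool via_denylist = ffa_call_supported_denylist(func_id);
	bool via_allowlist = ffa_call_supported_allowlist(func_id);

	if (via_denylist && via_allowlist)
		return 1;
	if (via_denylist && !via_allowlist)
		return 2;
	return 0;
}

int main(void)
{
	const u64 probes[] = {
		FFA_FEATURES, FFA_MEM_SHARE, FFA_MEM_RETRIEVE_REQ,
		FFA_HYPOTHETICAL_NEW_FN,
	};
	static const char *const names[] = {
		"both block", "both forward", "denylist only forwards",
	};
	for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("0x%08llx: %s\n", (unsigned long long)probes[i],
		       names[ffa_policy_outcome(probes[i])]);
	return 0;
}
```

The interesting row is the invented ID: the denylist forwards it to EL3 without anyone having decided that is safe, while the allowlist blocks it until someone adds it deliberately. That is the distinction the review comment is asking to be justified or documented.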