[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Xen-devel] [RFC v2 3/6] xen/arm: Allow platform_hvc to handle guest SMC calls
On Wed, Feb 8, 2017 at 9:58 AM, Julien Grall <julien.grall@xxxxxxx> wrote:
It is not intended to work with just any TrustZone. In the proposed system the TZ is specifically designed to minimize the codebase that is running at that privilege level. We mostly envisioned critical integrity and security checks to be in the TZ while all "normal" TZ applications would be delegated to VMs - still protected from the untrusted guest, but a potential exploit would just land the attacker in another VM rather then the TZ. At the moment it is just an experimental setup, so I don't expect it to be a drop-in solution for off-the-shelf phones in the near future.
I don't see an issue with the monitor application modifying register values on a trapped SMC. The issue I have is if the SMC is still forwarded to the firmware by Xen afterwards. In the usecase I described the firmware should under no situation be accessible from an untrusted guest directly.
Just modifying registers would not really accomplish filtering. We could introduce a vm_event response flag so the monitor application would be able to tell Xen whether it's OK to forward the SMC to the firmware or not. That is an option, even if I don't have a usecase for it.
_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
Lists.xenproject.org is hosted with RackSpace, monitoring our