[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [RFC v2 3/6] xen/arm: Allow platform_hvc to handle guest SMC calls

Hi Tamas,

On 02/09/2017 06:11 PM, Tamas K Lengyel wrote:
On Wed, Feb 8, 2017 at 5:08 PM, Julien Grall <julien.grall@xxxxxxx> wrote:
On 08/02/2017 23:28, Tamas K Lengyel wrote:
On Wed, Feb 8, 2017 at 3:04 PM, Julien Grall <julien.grall@xxxxxxx> wrote:
You haven't understood my point. Xen is currently emulating PSCI call for
the guest to allow powering up and down the CPUs and other stuff. If you
decide to trap all the SMCs, you would have to handle them.

Sure, it's more work on the monitor side, but other then that, what's
the problem?

Because you will have to introduce hypercalls to get all the necessary information from Xen that will not be available from outside.

Given that SMC has been designed to target different services (PSCI, Trusted OS...) it would be normal to have monitor app only monitoring a certain set of SMC call. You cannot deny a such use case as it would avoid an monitor app to handle every single call that would be consumed by XEN but not forwarded to the secure firmware.

And yes it is emulation as you don't seem to be willing passing those SMC to
the firmware or even back to Xen. If we expect a VM to emulate a trusted
firmware, then you have a security problem. Some hardware may be only
accessible through the secure world and I doubt some trusted app vendor will
be willing to move cryptography stuff in non secure world. I would highly
recommend to skim through the OP-TEE thread, it will provide you some
insights of the constraints.

The firmware is not hardware, it's just a piece of code that has been
baked into the board in some manner. Emulation in my book is doing in
software what hardware is supposed to do. I don't expect all vendors
to be happy to move their proprietary whatever to a VM. Again, this is
an experimental setup with no real world applications at the moment.
As for certain hardware being only accessible from the TZ, in that
case the monitor application would have to call into the firmware. My
setup doesn't prohibit using the TZ, it just prohibits it being
accessible from untrusted guests directly.

To be honest, I am not here to criticize your project or else. I am just trying to explain you there are other potential use cases and we should not ignore them.

I am also not expecting none of the person involved in the thread to write the code now. However, it is always good to have a full view and get a direction how it should go.


Julien Grall

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.