[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v1 6/6] xsm: add tee access policy support

To: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, xen-devel@xxxxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
From: Julien Grall <julien.grall@xxxxxxx>
Date: Thu, 23 Aug 2018 15:08:13 +0100
Delivery-date: Thu, 23 Aug 2018 14:08:26 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>



On 08/23/2018 02:57 PM, Volodymyr Babchuk wrote:

Hi Julien,


Hi Volodymyr,

On 23.08.18 16:43, Julien Grall wrote:
I don't think we should use XSM to enforce the use of TEE. Thiscontradictory to your next patch where you let the user configureOP-TEE for a given guest.
IHMO, XSM should only be used to restrict usage of calls in a finegrain. For an overall control, that should be go through a DOMCTL tellXen to initialize OP-TEE for that domain.
Just to be sure. You are proposing to add flag "TEE_ENABLED" for adomain and set it during domain construction, based on configuration,right?

I am suggesting another field xen_arch_domainconfig to tell whether TEEneeds to be enabled.


What did you mean by "fine grain"?

XSM is mostly used to decided whether a given hypercall can be used by adomain. Here you use it to tell whether the whole TEE can be used for adomain.

You probably don't need any XSM for your use case here as you want theguest to access, if enabled, all the OP-TEE calls.


Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [PATCH v1 0/6] TEE mediator (and OP-TEE) support in XEN
  - From: Volodymyr Babchuk
- [Xen-devel] [PATCH v1 6/6] xsm: add tee access policy support
  - From: Volodymyr Babchuk
- Re: [Xen-devel] [PATCH v1 6/6] xsm: add tee access policy support
  - From: Julien Grall
- Re: [Xen-devel] [PATCH v1 6/6] xsm: add tee access policy support
  - From: Volodymyr Babchuk

Prev by Date: Re: [Xen-devel] [PATCH] xen/gntdev: fix up blockable calls to mn_invl_range_start
Next by Date: Re: [Xen-devel] [PATCH v2] qemu-trad: stop using the default IOREQ server
Previous by thread: Re: [Xen-devel] [PATCH v1 6/6] xsm: add tee access policy support
Next by thread: [Xen-devel] [PATCH 0/2] tools/libxl: Switch Arm guest type to PVH
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.