[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v1 4/6] optee: add OP-TEE mediator

To: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>, xen-devel@xxxxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Jens Wiklander <jens.wiklander@xxxxxxxxxx>
From: Julien Grall <julien.grall@xxxxxxx>
Date: Thu, 23 Aug 2018 16:28:27 +0100
Cc: tee-dev@xxxxxxxxxxxxxxxx
Delivery-date: Thu, 23 Aug 2018 15:28:44 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>



On 08/23/2018 03:27 PM, Volodymyr Babchuk wrote:

Hi,

Hi,

On 22.08.18 20:28, Julien Grall wrote:
Hi,
Please only CC relevant people to the patches. This could be doneeasily using the new script add_maintainers.pl.
Oh, I'm sorry. I used get_maintainers.pl.
On 22/08/18 15:11, Volodymyr Babchuk wrote:
Add OP-TEE mediator, so guests can access OP-TEE services.

OP-TEE mediator support address translation for DomUs.
It tracks execution of STD calls, correctly handles memory-related RPC
requests, tracks buffer allocated for RPCs.

With this patch OP-TEE sucessfully passes own tests, while client is
running in DomU.

Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>
---

  Changes from "RFC":
  - Removed special case for Dom0/HwDOM
  - No more support for plain OP-TEE (only OP-TEE with virtualization
    config enabled is supported)
  - Multiple domains is now supported
  - Pages that are shared between OP-TEE and domain are now pinned
  - Renamed CONFIG_ARM_OPTEE to CONFIG_OPTEE
  - Command buffers from domain are now shadowed by XEN
  - Mediator now filters out unknown capabilities and requests
  - call contexts, shared memory object now stored per-domain

  xen/arch/arm/tee/Kconfig            |   4 +
  xen/arch/arm/tee/Makefile           |   1 +
xen/arch/arm/tee/optee.c | 972++++++++++++++++++++++++++++++++++++
This patch is far to big to get a proper review with understanding ofthe code. Can you split it in smaller ones with appropriate commitmessage?
Yes, it is a quite big. But this is a complete feature. I can't removeanything from it, because it will not work.I can split it into series of patches, that will add various pieces ofcode... But this will lead to patches with not-working code until thefinal one. Is this okay?

This is a new feature so it does not matter if it does not work untilthe end. Although, ideally, this should not break the rest of features.

What I want to avoid is a 900 lines complex patch with very little tounderstand what is done.

From a quick look at it, I would like to understand how the memoryallocated in Xen is bounded for a given guest? Same question for thetime.
I store references to allocated pages in per-domain context. But theyare not accounted as a domain memory. This pages are needed by XEN toconceal real PAs from guest. I'm not sure it they should be accounted asa memory allocated by domain.

Xen heap can be quite limited. As the memory can stay around for a longtime, would it be possible for a guest to exhaust that pool?


And what about a time? Did you mean time accounting?

Xen only supports voluntary preemption. This means that long lastingoperation in Xen may block other vCPUs to run.

Call such p2m_lookup are not cheap to use as it requires to walk thepage-table is software. From a look at the code, the number of call willbe bound by guest-controlled parameter.

I can't see anything in the hypervisor sanitizing those values, so theguest can control how long the call will take and also the memory"reserved" in the hypervisor even if OP-TEE fails afterwards.

I am interested in a normal case but also in the case where someonemalicious is using that API. How much damage can it do to the hypervisor?
Every standard (long-lasting) call requires small amount of memory tostore context. Every shared buffer requires enough memory to storereferences to shared pages.OP-TEE has limited resources, so it will not allow you to create, say,100 calls and couple of GBs of shared memory. I expect that it willlimit caller in memory overuse.


Do you mean per Client instance? Or for OP-TEE in general?

In any case, Xen memory allocation is always done before OP-TEE iscalled. So there is still a window where the domain book-keep a bigchunk of memory that will be release at the end of the call.

Apart from that I can't imagine how malicious user can damage thehypervisor.

See above. I think they are a lot of room for a guest to attack Xen.Most likely you want to limit the number of call done in parallel andalso the shared memory mapped around.


Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [PATCH v1 0/6] TEE mediator (and OP-TEE) support in XEN
  - From: Volodymyr Babchuk
- [Xen-devel] [PATCH v1 4/6] optee: add OP-TEE mediator
  - From: Volodymyr Babchuk
- Re: [Xen-devel] [PATCH v1 4/6] optee: add OP-TEE mediator
  - From: Julien Grall
- Re: [Xen-devel] [PATCH v1 4/6] optee: add OP-TEE mediator
  - From: Volodymyr Babchuk

Prev by Date: Re: [Xen-devel] [PATCH v1 1/6] arm: add SMC wrapper that is compatible with SMCCC
Next by Date: Re: [Xen-devel] [PATCH v1 1/6] arm: add SMC wrapper that is compatible with SMCCC
Previous by thread: Re: [Xen-devel] [PATCH v1 4/6] optee: add OP-TEE mediator
Next by thread: [Xen-devel] [PATCH v1 5/6] libxl: create DTS node for OP-TEE if it is enabled
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.