Xen project Mailing List

Re: [XEN PATCH v8 02/22] xen/arm: tee: add a primitive FF-A mediator

To: Julien Grall <julien@xxxxxxx>, Jens Wiklander <jens.wiklander@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Thu, 13 Apr 2023 14:26:59 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=r0MfYP8Wrn/gvQc3A35Iu17mJutW0KFbhur4W7xAmNM=; b=MFYoaOr44U5Tv+WUjELtd3dPFqpEm+n8qQHTymMZwZdz5y2xFibSG2evltvFv7UhmnlHAj+Oi1fKd0mhsVK2H7BN3YCxDrVU4NMcOvQlDddT+i6ssVCigxwa/GABQNnkZAbewb/d1TGdPblwrpDgfs0drwDLsa3gc68M6NT8TMYP9If4ikpgb1qw26gv6Hfriwo6VkJFq5qnoDVYUbSHJu9yhztWbeUWYKSVCMqt7PVmgLj/tXdy0XRv0pCjJEVugGcZIdUfb0ALIc6uAUEul/KHzthrZdjxdK7BUiI1v2uugqBzJd62/bR2xOXH0aiBhjuG+VivXoInwCu2sT0i8g==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QO6Th7zRZ0WB+3rGUrGuuNyAAHYVJEkq9dwKT3jO7oRF2yazjnozjrW/j8+bC+3A/4KM2xTJmugDViFjEQSah+gKhkkA9dkfMh+crHuxbr+fZuj4/kS0egO5eLZMPRpolKdjXy9nqe9lRWwBeYJJLKlxACWamhPPvY4NTbYI1NvEOA2zNrolecIBCnXRCIBU99qogvpxuIz/eL+hEj/2emB+K3xUZub/R+Futc2j61clxx3vIh+95OeGWJixI8Z6xL2IjoyPYl8yydXXtm5ikLYvDfywz4ZSScrmAF0pgOrtKd7R3+MFFiVvkUXGZ30gScc6awQRPOlt5uWP3EXisQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Bertrand.Marquis@xxxxxxx, Marc Bonnici <marc.bonnici@xxxxxxx>, Achin Gupta <achin.gupta@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

Delivery-date: Thu, 13 Apr 2023 13:27:30 +0000

Ironport-data: A9a23:vxB5BqsS+zR+cMMd6AaLjVNTSufnVP5fMUV32f8akzHdYApBsoF/q tZmKWmEM/eLa2L9eNonYd+yoEJV6pTVnNBiTQRtr3hhEH5H+JbJXdiXEBz9bniYRiHhoOCLz O1FM4Wdc5pkJpP4jk3wWlQ0hSAkjclkfpKlVKiffHg3HVQ+IMsYoUoLs/YjhYJ1isSODQqIu Nfjy+XSI1bg0DNvWo4uw/vrRChH4bKj6Vv0gnRkPaoQ5AOHzCFPZH4iDfrZw0XQE9E88tGSH 44v/JnhlkvF8hEkDM+Sk7qTWiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JFAatjsB2bnsgZ9 Tl4ncfYpTHFnEH7sL91vxFwS0mSNEDdkVPNCSDXXce7lyUqf5ZwqhnH4Y5f0YAwo45K7W9yG fMwERIVdAqq3uGNwLPiYLlXwcZ8EO62I9ZK0p1g5Wmx4fcOZ7nmGv2PwOACmTA6i4ZJAOrUY NcfZXx3dhPcbhZTO1ARTpUjgOOvgXq5eDpdwL6XjfNvvy6Pk0osjf60aIq9lt+iHK25mm6xo G7c8nu/KRYdLNGFkhKO8262h/+JliT+MG4XPOTgqqc00AfJnwT/DjUKUluLjMW1inehUo5wA GAV9CUfk4cboRnDot7VGkfQTGS/lhwBX9tdFcUq5QfLzbDbiy6bC24fCCFAa9gvssM7XxQu1 1mAhdSvAiZg2JWFRHTY+rqKoDeaPSkOMXREdSICVREC4dTovMc0lB2nZvxuCrKvh9v5XxT52 SmXrTMWjq8Wy8UM0s2T+FndiHSmoZ7PTwU0zgzNWySu6QYRTIeuZ42ur1fG9epJBI+DSx+Ku 31ss9OF8OkEAJWJlSqMaOYABrek47CCKjK0qWBoG54t5jG84UmJdIpb4Cx9DEpxO8NCcjjsC HI/oitU7Z5XeX61N6l+ZtvpD9xwlPCwU9P4SvrTc9xCJIBrcxOK9z1vYkjW2H3xlE8rkuc0P pLznduQMEv2wJ9PlFKeL9rxG5d3rszi7Qs/nazG8ik=

Ironport-hdrordr: A9a23:znOweqjue/whnwXg5HKdHYKPvHBQX1B13DAbv31ZSRFFG/FwyP rCoB1L73XJYWgqM03IwerwQ5VpQRvnhP1ICPoqTM2ftWjdySOVxeRZgbcKrAeQfBEWmtQ96U 4kSdkHNDSSNykwsS+Z2njfLz9I+rDun86VbKXlvg5QpGpRGsNdBnJCe2Km+zpNNWx77PQCdK a0145inX6NaH4XZsO0Cj0uRO7YveDGk5rgfFovGwMnwBPmt0Lk1JfKVzyjmjsOWTJGxrkvtU LflRbi26mlu/anjjfBym7o6YhMkteJ8KoOOCXMsLlbFtzfsHfoWG1TYczDgNnzmpDt1L8eqq iDn/7nBbUw15qeRBDxnfKn4Xic7N9n0Q6f9bbfuwqonSWxfkNEN+NRwY1eaRfX8EwmoZV117 9KxXuQs95NAQrHhzmV3am+a/hGrDvAnZMZq59ms1VPFY8FLLNBp40W+01YVJ8GASLh8YgiVO 1jFtvV6vpaeU6TKymxhBgn/PW8GnAoWhuWSEkLvcKYlzBQgXBi1kMdgMgShG0J+p4xQ4RNo+ 7ELqNrnrdTSdJ+V9MKOM4RBc+sTmDdSxPFN2yfZVzhCaEcInrI74X65b0kjdvaCqDgDKFC66 gpfGkoxVLaIXied/Fm9Kc7gyzwfA==

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 13/04/2023 1:26 pm, Julien Grall wrote: >> +static int ffa_domain_init(struct domain *d) >> +{ >> + struct ffa_ctx *ctx; >> + >> + if ( !ffa_version ) >> + return -ENODEV; >> + >> + ctx = xzalloc(struct ffa_ctx); >> + if ( !ctx ) >> + return -ENOMEM; >> + >> + d->arch.tee = ctx; >> + >> + return 0; >> +} >> + >> +/* This function is supposed to undo what ffa_domain_init() has done */ > > I think there is a problem in the TEE framework. The callback > .relinquish_resources() will not be called if domain_create() failed. > So this will result to a memory leak. > > We also can't call .relinquish_resources() on early domain creation > failure because relinquishing resources can take time and therefore > needs to be preemptible. > > So I think we need to introduce a new callback domain_free() that will > be called arch_domain_destroy(). Is this something you can look at? Cleanup of an early domain creation failure, however you do it, is at most "the same amount of time again". It cannot (absent of development errors) take the same indefinite time periods of time that a full domain_destroy() can. The error path in domain_create() explicitly does call domain_teardown() so we can (eventually) purge these duplicate cleanup paths. There are far too many easy errors to be made which occur from having split cleanup, and we have had to issue XSAs in the past to address some of them. (Hence the effort to try and specifically change things, and remove the ability to introduce the errors in the first place.) Right now, it is specifically awkward to do this nicely because domain_teardown() doesn't call into a suitable arch hook. IMO the best option here is extend domain_teardown() with an arch_domain_teardown() state/hook, and wire in the TEE cleanup path into this too. Anything else is explicitly adding to technical debt that I (or someone else) is going to have to revert further down the line. If you want, I am happy to prototype the arch_domain_teardown() bit of the fix, but I will have to defer wiring in the TEE part to someone capable of testing it. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.