[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH v8 02/22] xen/arm: tee: add a primitive FF-A mediator

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
  • Date: Thu, 4 May 2023 13:14:33 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=roH7IhSKNfhABtOeE1XmF3YdKI+Xv0DCyrgQ3HF6/MI=; b=UKvX6WVAagqDjeve7zt9i2EiLSdxUGZZo1AkM1623gIqzIIaSX8qz0pN35qWZwtVLaCFnubkTbDtAkWe0vU4dTm1GsHyuHVH9f0rBSAtZZMBCYPo7eKGHCdpX9JRHZZrlHr0wPS97x7AO58lNP/BDRTpSFFZJmqaGq2znr6FchCcIEB9qiUoP9PoUBozVqX+t9hKfyEB6210HW+nWZNTUO+9AINekwzlwyN+CGkNv1INloiHDnGWSNgzIcZl/+akbm8PozzuMAesZsWN23YFFkh1kptAqW0wockSoPbLYvu1gvsFrAk2Ywoik6yPF2G0Sh2QY6dpWuSWCVDUBussfw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EaUfYwiJc684TKhFtkWq6kGX71yD7YzPA5Nhi31uCuB5BuphFSD699gmbSebSW5Feag90DJEY8HvKd+jPnC8AWSLypruVVp0D20S2fpAW2DJ/Tme2TMNKu6lvOFHuhjPueKf/lNaM2YENq2lkW2xdMKIPoMv2B4tIg64Shp8RY4WL2JSUXKwJyoJg3PlG8NRxUfr42YLOjggrrnbOgT1pKif2LP8UiBrhuf2PE4DeFjsCVWut0SQgYwjl0OqAqAoKAWdm6basN0lNFolbgIDosGz9p7RxOrfgtu0TiZbbd/Af0N0uv8J4D0d/Z7LHxHf7Otz/AJ1ujV3oT02QxpHOg==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: Julien Grall <julien@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Marc Bonnici <Marc.Bonnici@xxxxxxx>, Achin Gupta <Achin.Gupta@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Jens Wiklander <jens.wiklander@xxxxxxxxxx>
  • Delivery-date: Thu, 04 May 2023 13:15:08 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Thread-index: AQHZbdfHy/Y46nL9n0ej3opYe7XQ5q8pKpqAgAAQ9oCAAUdZgIAftheA
  • Thread-topic: [XEN PATCH v8 02/22] xen/arm: tee: add a primitive FF-A mediator
Hi Andrew,

> On 14 Apr 2023, at 10:58, Jens Wiklander <jens.wiklander@xxxxxxxxxx> wrote:
> 
> Hi,
> 
> On Thu, Apr 13, 2023 at 3:27 PM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> 
> wrote:
>> 
>> On 13/04/2023 1:26 pm, Julien Grall wrote:
>>>> +static int ffa_domain_init(struct domain *d)
>>>> +{
>>>> +    struct ffa_ctx *ctx;
>>>> +
>>>> +    if ( !ffa_version )
>>>> +        return -ENODEV;
>>>> +
>>>> +    ctx = xzalloc(struct ffa_ctx);
>>>> +    if ( !ctx )
>>>> +        return -ENOMEM;
>>>> +
>>>> +    d->arch.tee = ctx;
>>>> +
>>>> +    return 0;
>>>> +}
>>>> +
>>>> +/* This function is supposed to undo what ffa_domain_init() has done */
>>> 
>>> I think there is a problem in the TEE framework. The callback
>>> .relinquish_resources() will not be called if domain_create() failed.
>>> So this will result to a memory leak.
>>> 
>>> We also can't call .relinquish_resources() on early domain creation
>>> failure because relinquishing resources can take time and therefore
>>> needs to be preemptible.
>>> 
>>> So I think we need to introduce a new callback domain_free() that will
>>> be called arch_domain_destroy(). Is this something you can look at?
>> 
>> 
>> Cleanup of an early domain creation failure, however you do it, is at
>> most "the same amount of time again".  It cannot (absent of development
>> errors) take the same indefinite time periods of time that a full
>> domain_destroy() can.
>> 
>> The error path in domain_create() explicitly does call domain_teardown()
>> so we can (eventually) purge these duplicate cleanup paths.  There are
>> far too many easy errors to be made which occur from having split
>> cleanup, and we have had to issue XSAs in the past to address some of
>> them.  (Hence the effort to try and specifically change things, and
>> remove the ability to introduce the errors in the first place.)
>> 
>> 
>> Right now, it is specifically awkward to do this nicely because
>> domain_teardown() doesn't call into a suitable arch hook.
>> 
>> IMO the best option here is extend domain_teardown() with an
>> arch_domain_teardown() state/hook, and wire in the TEE cleanup path into
>> this too.
>> 
>> Anything else is explicitly adding to technical debt that I (or someone
>> else) is going to have to revert further down the line.
>> 
>> If you want, I am happy to prototype the arch_domain_teardown() bit of
>> the fix, but I will have to defer wiring in the TEE part to someone
>> capable of testing it.
> 
> You're more than welcome to prototype the fix, I can test it and add
> it to the next version of the patch set when we're happy with the
> result.


Could you tell us if you are still happy to work on the prototype for
arch_domain_teardown and when you would be able to give a first prototype ?

Regards
Bertrand

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.