Hi Raghu,

Howdy! CIL…

On 4 Jun 2020, at 16:21, Raghu K via Hafnium hafnium@lists.trustedfirmware.org wrote:

Hi Achin,

Would you mind elaborating more on why the SPM needs to determine the security state and why it is important to do this without trusting the SP? When you say SPM, it sounds like you are talking about the SPMD running in EL3 for ex., that is not a part of the SPMC which perhaps runs as S-EL2 and the SPMD may need to know this to figure out how to map a particular physical page. Is that the use case you are thinking about?

So this is in the context of PSA FF-A Memory management ABIs. Also, I have the S-EL2 SPMC case in mind. SPMD in EL3 does not participate in memory management in this case when it comes to managing any architectural state i.e. translation tables, control regs etc

Say, a SP0 invokes FFA_MEM_SHARE to share a single page A with SP1. The SPMC would need to map page A in SP’s stage 2 tables. To do this, it would need to determine whether the IPA of page A belongs to the Secure or Non-secure IPA space. This is under the assumption that some memory ranges in SP0’s IPA space will be Non-secure.

IMO, this information can be determined in one of the following ways:

1. Perform PTW in SW to determine whether IPA is mapped in the tables referenced by VSTTBR_EL2 or VTTBR_EL2. I am assuming the SPMC maintains separate S2 translations for the Secure and NS address spaces.

2. Through an internal data structure which tracks the attributes of a memory region assigned to a guest.

3. SP0 specifies the security state of page A in FFA_MEM_SHARE. The spec does not cover this currently. However, the SPMC cannot trust that the SP0 is providing the right security state and must verify this independently anyways.

1 seems clunky. 2 is not done in upstream Hf. 3 does not really help.

I think I had misunderstood that a AT* instruction could be used. There do not seem to be any in the Arm ARM that only perform a IPA to PA i.e. a S2 translation.

So I am wondering what can be done to solve this problem assuming we agree that this is a problem in the first place.

Hth,

Cheers, Achin

Thanks Raghu

On 6/4/20 3:07 AM, Achin Gupta via Hafnium wrote:

...

Hi All,

I am thinking of a scenario where a SP shares Non-secure memory with one or more SPs or VMs. The NS memory region could have been donated to the SP by a VM earlier (far fetched but possible).

The question is how does the SPM determine the security state of the memory region being shared by the SP.

It is especially important that the SPM does this without trusting the SP.

I don't think it should rely on the AT* instructions. The SP could change the security state of the region in S1. AFAIK, there are no AT* instructions that only do S2 walks with a IPA as an input.

So is the only option to perform a walk in both the Secure and Non-secure S2 tables to determine where is the address mapped.

This seems a bit clunky. So wondering if I am missing anything and there is an easier way to do this.

What do you reckon?

cheers, Achin

-- Hafnium mailing list Hafnium@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/hafnium