| Message ID | 20221116170335.2341003-1-qperret@google.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | KVM: arm64: FF-A proxy for pKVM | expand |
On Wed, 16 Nov 2022 17:03:23 +0000, Quentin Perret wrote: > pKVM's primary goal is to protect guest pages from a compromised host by > enforcing access control restrictions using stage-2 page-tables. Sadly, > this cannot prevent TrustZone from accessing non-secure memory, and a > compromised host could, for example, perform a 'confused deputy' attack > by asking TrustZone to use pages that have been donated to protected > guests. This would effectively allow the host to have TrustZone > exfiltrate guest secrets on its behalf, hence breaking the isolation > that pKVM intends to provide. > > [...] Applied first two cleanups to arm64 (for-next/ffa), thanks! [01/12] firmware: arm_ffa: Move constants to header file https://git.kernel.org/arm64/c/229d58e31678 [02/12] firmware: arm_ffa: Move comment before the field it is documenting https://git.kernel.org/arm64/c/c8e320b00a2a Cheers,
Hi all, pKVM's primary goal is to protect guest pages from a compromised host by enforcing access control restrictions using stage-2 page-tables. Sadly, this cannot prevent TrustZone from accessing non-secure memory, and a compromised host could, for example, perform a 'confused deputy' attack by asking TrustZone to use pages that have been donated to protected guests. This would effectively allow the host to have TrustZone exfiltrate guest secrets on its behalf, hence breaking the isolation that pKVM intends to provide. This series addresses this problem by providing pKVM with the ability to monitor SMCs following the Arm FF-A protocol. FF-A provides (among other things) a set of memory management APIs allowing the Normal World to share, donate or lend pages with Secure. By monitoring these SMCs, pKVM can ensure that the pages that are shared, lent or donated to Secure by the host kernel are only pages that it owns. It should be noted that the robustness of this approach relies on having all Secure Software on the device use the FF-A protocol for memory management transactions with the normal world, and not use vendor-specific SMCs that pKVM is unable to parse. This is an important software requirement to integrate pKVM correctly on a device. For the record, this work is tractable in real world scenarios -- it was done for the Pixel 7 and Pixel 7 Pro devices, both of which launched recently with pKVM enabled. This series introduces support for monitoring FF-A SMCs in the form of a minimal proxy running in the EL2 hypervisor. This proxy aims to be entirely 'transparent' to both the host kernel and TrustZone when the system behaves correctly (the host is not compromised). The FF-A proxy intercepts the SMCs coming from the host, and verifies that the pages involved in the memory transition can be shared/lent/donated legally before forwarding the SMC to Secure. The proxy also tracks which pages have been made accessible to TrustZone at any point in time using software bits in the stage-2 page-table of the host, to ensure they can't be subsequently donated to guests. The patch series is divided as follows: - patches 01-02 refactor existing FF-A header to allow code re-use; - patches 03-07 provide the initial infrastructure at EL2 to handle FF-A SMCs; - patches 08-12 use the previously introduced infrastructure to intercept the main memory management operations to share, reclaim and lend memory to/with Secure, and implement the core of the memory tracking logic. Since this series depends on Will's recent pKVM series [1], it is based on today's kvmarm/next: eb8be68e907e ("Merge branch kvm-arm64/misc-6.2 into kvmarm-master/next") A branch with all the goodies applied can also be found here: https://android-kvm.googlesource.com/linux qperret/ffa-proxy Feedback welcome! Cheers, Quentin [1] https://lore.kernel.org/kvm/20221110190259.26861-1-will@kernel.org/ Fuad Tabba (1): KVM: arm64: Handle FFA_FEATURES call from the host Quentin Perret (1): ANDROID: KVM: arm64: pkvm: Add support for fragmented FF-A descriptors Will Deacon (10): firmware: arm_ffa: Move constants to header file firmware: arm_ffa: Move comment before the field it is documenting KVM: arm64: Block unsafe FF-A calls from the host KVM: arm64: Probe FF-A version and host/hyp partition ID during init KVM: arm64: Allocate pages for hypervisor FF-A mailboxes KVM: arm64: Handle FFA_RXTX_MAP and FFA_RXTX_UNMAP calls from the host KVM: arm64: Add FF-A helpers to share/unshare memory with secure world KVM: arm64: Handle FFA_MEM_SHARE calls from the host KVM: arm64: Handle FFA_MEM_RECLAIM calls from the host KVM: arm64: Handle FFA_MEM_LEND calls from the host arch/arm64/include/asm/kvm_host.h | 1 + arch/arm64/include/asm/kvm_pkvm.h | 21 + arch/arm64/kvm/arm.c | 1 + arch/arm64/kvm/hyp/include/nvhe/ffa.h | 17 + arch/arm64/kvm/hyp/include/nvhe/mem_protect.h | 3 + arch/arm64/kvm/hyp/nvhe/Makefile | 2 +- arch/arm64/kvm/hyp/nvhe/ffa.c | 741 ++++++++++++++++++ arch/arm64/kvm/hyp/nvhe/hyp-main.c | 3 + arch/arm64/kvm/hyp/nvhe/mem_protect.c | 68 ++ arch/arm64/kvm/hyp/nvhe/setup.c | 11 + arch/arm64/kvm/pkvm.c | 1 + drivers/firmware/arm_ffa/driver.c | 101 +-- include/linux/arm_ffa.h | 93 ++- 13 files changed, 970 insertions(+), 93 deletions(-) create mode 100644 arch/arm64/kvm/hyp/include/nvhe/ffa.h create mode 100644 arch/arm64/kvm/hyp/nvhe/ffa.c