mbox series

[00/12] KVM: arm64: FF-A proxy for pKVM

Message ID 20221116170335.2341003-1-qperret@google.com (mailing list archive)
Headers show
Series KVM: arm64: FF-A proxy for pKVM | expand

Message

Quentin Perret Nov. 16, 2022, 5:03 p.m. UTC
Hi all,

pKVM's primary goal is to protect guest pages from a compromised host by
enforcing access control restrictions using stage-2 page-tables. Sadly,
this cannot prevent TrustZone from accessing non-secure memory, and a
compromised host could, for example, perform a 'confused deputy' attack
by asking TrustZone to use pages that have been donated to protected
guests. This would effectively allow the host to have TrustZone
exfiltrate guest secrets on its behalf, hence breaking the isolation
that pKVM intends to provide.

This series addresses this problem by providing pKVM with the ability to
monitor SMCs following the Arm FF-A protocol. FF-A provides (among other
things) a set of memory management APIs allowing the Normal World to
share, donate or lend pages with Secure. By monitoring these SMCs, pKVM
can ensure that the pages that are shared, lent or donated to Secure by
the host kernel are only pages that it owns.

It should be noted that the robustness of this approach relies on having
all Secure Software on the device use the FF-A protocol for memory
management transactions with the normal world, and not use
vendor-specific SMCs that pKVM is unable to parse. This is an important
software requirement to integrate pKVM correctly on a device. For the
record, this work is tractable in real world scenarios -- it was done
for the Pixel 7 and Pixel 7 Pro devices, both of which launched recently
with pKVM enabled.

This series introduces support for monitoring FF-A SMCs in the form of a
minimal proxy running in the EL2 hypervisor. This proxy aims to be
entirely 'transparent' to both the host kernel and TrustZone when the
system behaves correctly (the host is not compromised). The FF-A proxy
intercepts the SMCs coming from the host, and verifies that the pages
involved in the memory transition can be shared/lent/donated legally
before forwarding the SMC to Secure. The proxy also tracks which pages
have been made accessible to TrustZone at any point in time using
software bits in the stage-2 page-table of the host, to ensure they
can't be subsequently donated to guests.

The patch series is divided as follows:

 - patches 01-02 refactor existing FF-A header to allow code re-use;

 - patches 03-07 provide the initial infrastructure at EL2 to handle
   FF-A SMCs;

 - patches 08-12 use the previously introduced infrastructure to
   intercept the main memory management operations to share, reclaim and
   lend memory to/with Secure, and implement the core of the memory
   tracking logic.

Since this series depends on Will's recent pKVM series [1], it is based
on today's kvmarm/next:

    eb8be68e907e ("Merge branch kvm-arm64/misc-6.2 into kvmarm-master/next")

A branch with all the goodies applied can also be found here:

    https://android-kvm.googlesource.com/linux qperret/ffa-proxy

Feedback welcome!

Cheers,
Quentin

[1] https://lore.kernel.org/kvm/20221110190259.26861-1-will@kernel.org/

Fuad Tabba (1):
  KVM: arm64: Handle FFA_FEATURES call from the host

Quentin Perret (1):
  ANDROID: KVM: arm64: pkvm: Add support for fragmented FF-A descriptors

Will Deacon (10):
  firmware: arm_ffa: Move constants to header file
  firmware: arm_ffa: Move comment before the field it is documenting
  KVM: arm64: Block unsafe FF-A calls from the host
  KVM: arm64: Probe FF-A version and host/hyp partition ID during init
  KVM: arm64: Allocate pages for hypervisor FF-A mailboxes
  KVM: arm64: Handle FFA_RXTX_MAP and FFA_RXTX_UNMAP calls from the host
  KVM: arm64: Add FF-A helpers to share/unshare memory with secure world
  KVM: arm64: Handle FFA_MEM_SHARE calls from the host
  KVM: arm64: Handle FFA_MEM_RECLAIM calls from the host
  KVM: arm64: Handle FFA_MEM_LEND calls from the host

 arch/arm64/include/asm/kvm_host.h             |   1 +
 arch/arm64/include/asm/kvm_pkvm.h             |  21 +
 arch/arm64/kvm/arm.c                          |   1 +
 arch/arm64/kvm/hyp/include/nvhe/ffa.h         |  17 +
 arch/arm64/kvm/hyp/include/nvhe/mem_protect.h |   3 +
 arch/arm64/kvm/hyp/nvhe/Makefile              |   2 +-
 arch/arm64/kvm/hyp/nvhe/ffa.c                 | 741 ++++++++++++++++++
 arch/arm64/kvm/hyp/nvhe/hyp-main.c            |   3 +
 arch/arm64/kvm/hyp/nvhe/mem_protect.c         |  68 ++
 arch/arm64/kvm/hyp/nvhe/setup.c               |  11 +
 arch/arm64/kvm/pkvm.c                         |   1 +
 drivers/firmware/arm_ffa/driver.c             | 101 +--
 include/linux/arm_ffa.h                       |  93 ++-
 13 files changed, 970 insertions(+), 93 deletions(-)
 create mode 100644 arch/arm64/kvm/hyp/include/nvhe/ffa.h
 create mode 100644 arch/arm64/kvm/hyp/nvhe/ffa.c

Comments

Will Deacon Dec. 2, 2022, 11:17 a.m. UTC | #1
On Wed, 16 Nov 2022 17:03:23 +0000, Quentin Perret wrote:
> pKVM's primary goal is to protect guest pages from a compromised host by
> enforcing access control restrictions using stage-2 page-tables. Sadly,
> this cannot prevent TrustZone from accessing non-secure memory, and a
> compromised host could, for example, perform a 'confused deputy' attack
> by asking TrustZone to use pages that have been donated to protected
> guests. This would effectively allow the host to have TrustZone
> exfiltrate guest secrets on its behalf, hence breaking the isolation
> that pKVM intends to provide.
> 
> [...]

Applied first two cleanups to arm64 (for-next/ffa), thanks!

[01/12] firmware: arm_ffa: Move constants to header file
        https://git.kernel.org/arm64/c/229d58e31678
[02/12] firmware: arm_ffa: Move comment before the field it is documenting
        https://git.kernel.org/arm64/c/c8e320b00a2a

Cheers,