| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMP5XgcCg+kB7tPwSYUcjfZqR_734cGEs_KX4st9SQOVLBV-Yw@mail.gmail.com> Date: Thu, 8 May 2025 08:45:01 -0700 From: Arve Hjønnevåg <arve@...roid.com> To: Sudeep Holla <sudeep.holla@....com> Cc: Marc Zyngier <maz@...nel.org>, Per Larsen <perl@...unant.com>, armellel@...gle.com, catalin.marinas@....com, kernel-team@...roid.com, kvmarm@...ts.linux.dev, linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org, qperret@...gle.com, sebastianene@...gle.com, will@...nel.org, yuzenghui@...wei.com, Per Larsen <perlarsen@...gle.com> Subject: Re: [PATCH 1/3] KVM: arm64: Restrict FF-A host version renegotiation On Thu, May 8, 2025 at 2:27 AM Sudeep Holla <sudeep.holla@....com> wrote: > > (just adding some additional info not particularly impacting the $subject > change implementation) > > On Thu, May 08, 2025 at 09:55:05AM +0100, Marc Zyngier wrote: > > On Tue, 06 May 2025 10:29:41 +0100, > > Per Larsen <perl@...unant.com> wrote: > > > > > [...] > > > > Asssuming we drop this patch from the series and apply the rest, the > > > hypervisor and host can negotiate FF-A 1.2. If the host then calls > > > FFA_VERSION a second time to request FF-A 1.1, the hypervisor would > > > return version 1.2 (without this patch). > > > > Why would it do that? Once a particular version has been negotiated, I > > expect to be immutable. > > > > Not suggesting that we need to support this, but it is technically possible > today by loading FF-A as a module—first inserting and removing a module with > v1.2 support, then loading one with v1.1 support. It can ever throw error > as not supported to keep it simple. > I'm not sure how what you are suggesting here is different from what this patch does. This patch does not alter what versions the host can negotiate. The hypervisor already disallows negotiating a different version once has_version_negotiated is set, the return code just doesn't always reflect this. If you try to load the 1.0 driver in the host after unloading the 1.1 driver similar to what you describe above, then this CL will let the 1.0 driver know that the hypervisor does not support 1.0 (I use 1.1 to 1.0 as the example here since this is an issue even without the next CL in this patch series that bumps the hypervisor supported version to 1.2). Without this CL, the 1.0 driver will now proceed making other ffa calls using 1.0 data structures that the hypervisor will incorrectly interpret as 1.1 data structures. With this CL, loading a 1.2 driver after the initial 1.1 driver will work as it did before by returning version 1.1 to the 1.2 driver to let it know that _it_ needs to downgrade to 1.1. if it wants to proceed. Loading the 1.0 driver after 1.1 will now fail at the version negotiation stage however. This will be clearer, and more correct, than getting FFA_RET_INVALID_PARAMETERS return codes from other ffa calls when passing valid 1.0 parameters to those calls. -- Arve Hjønnevåg
Powered by blists - more mailing lists