| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250508-condor-of-angelic-pleasure-bfb5c4@sudeepholla> Date: Thu, 8 May 2025 17:07:22 +0100 From: Sudeep Holla <sudeep.holla@....com> To: Arve Hjønnevåg <arve@...roid.com> Cc: Marc Zyngier <maz@...nel.org>, Per Larsen <perl@...unant.com>, Sudeep Holla <sudeep.holla@....com>, armellel@...gle.com, catalin.marinas@....com, kernel-team@...roid.com, kvmarm@...ts.linux.dev, linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org, qperret@...gle.com, sebastianene@...gle.com, will@...nel.org, yuzenghui@...wei.com, Per Larsen <perlarsen@...gle.com> Subject: Re: [PATCH 1/3] KVM: arm64: Restrict FF-A host version renegotiation On Thu, May 08, 2025 at 08:45:01AM -0700, Arve Hjønnevåg wrote: > On Thu, May 8, 2025 at 2:27 AM Sudeep Holla <sudeep.holla@....com> wrote: > > > > (just adding some additional info not particularly impacting the $subject > > change implementation) > > > > On Thu, May 08, 2025 at 09:55:05AM +0100, Marc Zyngier wrote: > > > On Tue, 06 May 2025 10:29:41 +0100, > > > Per Larsen <perl@...unant.com> wrote: > > > > > > > > [...] > > > > > > Asssuming we drop this patch from the series and apply the rest, the > > > > hypervisor and host can negotiate FF-A 1.2. If the host then calls > > > > FFA_VERSION a second time to request FF-A 1.1, the hypervisor would > > > > return version 1.2 (without this patch). > > > > > > Why would it do that? Once a particular version has been negotiated, I > > > expect to be immutable. > > > > > > > Not suggesting that we need to support this, but it is technically possible > > today by loading FF-A as a module—first inserting and removing a module with > > v1.2 support, then loading one with v1.1 support. It can ever throw error > > as not supported to keep it simple. > > > > I'm not sure how what you are suggesting here is different from what > this patch does. This patch does not alter what versions the host can > negotiate. The hypervisor already disallows negotiating a different > version once has_version_negotiated is set, the return code just > doesn't always reflect this. If you try to load the 1.0 driver in the > host after unloading the 1.1 driver similar to what you describe > above, then this CL will let the 1.0 driver know that the hypervisor > does not support 1.0 (I use 1.1 to 1.0 as the example here since this > is an issue even without the next CL in this patch series that bumps > the hypervisor supported version to 1.2). Without this CL, the 1.0 > driver will now proceed making other ffa calls using 1.0 data > structures that the hypervisor will incorrectly interpret as 1.1 data > structures. > > With this CL, loading a 1.2 driver after the initial 1.1 driver will > work as it did before by returning version 1.1 to the 1.2 driver to > let it know that _it_ needs to downgrade to 1.1. if it wants to > proceed. Loading the 1.0 driver after 1.1 will now fail at the version > negotiation stage however. This will be clearer, and more correct, > than getting FFA_RET_INVALID_PARAMETERS return codes from other ffa > calls when passing valid 1.0 parameters to those calls. > Thanks for the detailed explanation. Sorry I didn't look at the change itself and I might have made assumptions as I just read | If the host then calls FFA_VERSION a second time to request FF-A 1.1, | the hypervisor would return version 1.2 (without this patch). So, my point was just that it is OK to even report it as NOT_SUPPORTED if FF-A proxy doesn't want to deal with all the compatibility for simplicity. -- Regards, Sudeep
Powered by blists - more mailing lists