[v1] xen/arm: ffa: Harden notifications and enable VM-to-VM delivery

[PATCH 0/6] xen/arm: ffa: Harden notifications and enable VM-to-VM delivery

Bertrand Marquis posted 6 patches 2 weeks ago

Diff against v2
Download series mbox

Patches applied successfully (tree, apply log)
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/cover.1776266307.git.bertrand.marquis@arm.com

There is a newer version of this series

xen/arch/arm/tee/ffa.c         |  24 +-
xen/arch/arm/tee/ffa_notif.c   | 407 +++++++++++++++++++++++++++------
xen/arch/arm/tee/ffa_private.h |  29 ++-
3 files changed, 385 insertions(+), 75 deletions(-)

Expand all Fold all

[PATCH 0/6] xen/arm: ffa: Harden notifications and enable VM-to-VM delivery

Posted by Bertrand Marquis 2 weeks ago

This series hardens FF-A notification handling in the Arm FF-A mediator
and completes local delivery for non-secure VM-to-VM notifications.

Hardening and state handling (Patches 1-4):
1) Fix notification pending interrupt delivery when vcpu0 is offline by
   reusing a common global NPI injection helper.
2) Replace the single hypervisor notification boolean with a protected
   HYP bitmap and keep bitmap lifecycle tied to the cached endpoint ID.
3) Tighten notification parameter validation so malformed BIND, UNBIND,
   GET, and SET requests are rejected consistently before reaching
   cached state or the SPMC.
4) Preserve the secure pending indication until secure notifications are
   retrieved, protect the secure pending latch with notif_lock,
   serialize SPMC INFO_GET polling, and keep INFO_GET return width
   consistent with the caller.

Local VM notification delivery (Patches 5-6):
1) Track non-secure VM notification bindings locally, promote pending
   state to a per-bit bitmap, and validate BIND/UNBIND requests
   against that state.
2) Deliver non-secure VM-to-VM notifications locally, track whether a
   local NPI is already armed, and only advertise notification support
   when firmware capabilities or CONFIG_FFA_VM_TO_VM actually provide
   it.

Backward compatibility: v1.0/v1.1 guests remain compatible. Valid
guest-visible notification behavior is preserved; the series only
tightens malformed-request handling and enables local non-secure
VM-to-VM delivery when CONFIG_FFA_VM_TO_VM is enabled.

Gitlab branch with patches:
https://gitlab.com/xen-project/people/bmarquis/xen-ffa/-/tree/vm-notif/v1?ref_type=heads
CI pass result:
https://gitlab.com/xen-project/people/bmarquis/xen-ffa/-/pipelines/2460589353

Bertrand Marquis (6):
  xen/arm: ffa: Fix NPI injection when vcpu0 is offline
  xen/arm: ffa: Track hypervisor notifications in a bitmap
  xen/arm: ffa: Tighten notification parameter validation
  xen/arm: ffa: Preserve secure notification state when polling SPMC
  xen/arm: ffa: Track VM notification bindings locally
  xen/arm: ffa: Deliver VM-to-VM notifications locally

 xen/arch/arm/tee/ffa.c         |  24 +-
 xen/arch/arm/tee/ffa_notif.c   | 407 +++++++++++++++++++++++++++------
 xen/arch/arm/tee/ffa_private.h |  29 ++-
 3 files changed, 385 insertions(+), 75 deletions(-)

-- 
2.53.0