On 2017-11-21 16:01, Lucian Raul Silistru wrote:
> Hi everyone,
> 
> Recently we've been running into an issue with the fact that Jailhouse sets 
> up HCR.TSC=1 (exception to EL2 if SMC is called from non-secure EL1).
> In Xilinx kernels, Linux makes use of SMC calls for talking to the PMU (in the 
> zynqmp power management driver).

Yeah, just like UEFI firmware exists that exports interfaces this way.
Unfortunate because all that is non-standard and often not even
analyzable proprietary code.

> 
> In one of our use cases, interrogating a CAN interface on the board triggers 
> a PM event and therefore at least one SMC call which ends up crashing the 
> root cell.
> 
> Is this setup (HCR.TSC=1) intended to stay? I can see the risks here (and 
> read something about the intentions in another thread here) but the PM driver 
> seems to be quite useful to have running nowadays.
> While for us the exception only comes up for a random CAN ioctl, what about 
> other PM actions?
> 
> For now we can disable CAN or PM.
> How would one go about handling SMC call forwarding from the exception 
> context - I understand this happens already for ARM.
> I'm not sure there's an easy way to get a list of SMC function ids to maybe 
> add to the cell configuration.

As noted above, the problem is in the unpredictable nature of these
APIs. You need to analyze each service and identify if it is safe to
export to a potentially untrusted cell. If not, you have to install
filters on top to ensure that only safe parameters are forwarded. For
that reason, we can never safely allow direct access to SMC.

You can enable it, though, for testing or hacking purposes. But we will
continue to need interception and then likely also special parameter
forwarding in order to handle PSCI in the hypervisor (rather than
calling for the real service).

Regarding power management, that is in fact a complex beast in itself,
irrespective of the driver architecture (Linux-hosted or
firmware-based). Often, PM controls can have system-wide effects and
will therefore require intervention and moderation of the hypervisor.
There is no generic answer to this yet. I hope hardware vendors will
improve partitioning support also for power management interfaces.
Currently, software filters need to be thrown at this problem, often
SoC-specific ones.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux

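An added illustration of the per-service filtering described in the reply above (example code, not Jailhouse's own): a trapped SMC is classified by its SMCCC function ID, PSCI is kept for the hypervisor to emulate, and only SiP calls matching a per-cell allow list with bounded arguments are forwarded. The SMCCC bit layout follows the Arm SMC Calling Convention; the rule table, the SiP function number 0x0c and the argument range are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* SMCCC function-ID layout (Arm SMC Calling Convention). */
#define SMCCC_FAST_CALL         (1u << 31)
#define SMCCC_OWNER_SHIFT       24
#define SMCCC_OWNER_MASK        0x3fu
#define SMCCC_FUNC_MASK         0xffffu
#define SMCCC_OWNER_SIP         2   /* SoC vendor services, e.g. platform PM */
#define SMCCC_OWNER_STANDARD    4   /* standard secure services: PSCI lives here */
#define SMCCC_RET_NOT_SUPPORTED ((int64_t)-1)  /* what a denied call returns in x0 */

enum smc_action { SMC_DENY, SMC_EMULATE, SMC_FORWARD };

/* Hypothetical per-cell allow list entry: one SiP function number plus the
 * range permitted for its first argument (e.g. a device or PM node id). */
struct sip_rule { uint16_t func; uint64_t arg0_min, arg0_max; };

struct cell_smc_policy {
    const struct sip_rule *rules;
    size_t nr_rules;
};

/* Decide what the hypervisor does with an SMC trapped via HCR.TSC=1. */
enum smc_action smc_filter(const struct cell_smc_policy *pol,
                           uint32_t fid, uint64_t arg0)
{
    uint32_t owner = (fid >> SMCCC_OWNER_SHIFT) & SMCCC_OWNER_MASK;
    uint32_t func = fid & SMCCC_FUNC_MASK;

    /* Only fast calls are considered; yielding calls are never forwarded. */
    if (!(fid & SMCCC_FAST_CALL))
        return SMC_DENY;
    /* PSCI (CPU_ON/OFF, SYSTEM_RESET, ...) has system-wide effect, so the
     * hypervisor handles it itself instead of calling the real service. */
    if (owner == SMCCC_OWNER_STANDARD)
        return SMC_EMULATE;
    /* SiP calls are forwarded only if function and argument match a rule. */
    if (owner == SMCCC_OWNER_SIP)
        for (size_t i = 0; i < pol->nr_rules; i++)
            if (pol->rules[i].func == func &&
                arg0 >= pol->rules[i].arg0_min && arg0 <= pol->rules[i].arg0_max)
                return SMC_FORWARD;
    return SMC_DENY;  /* caller places SMCCC_RET_NOT_SUPPORTED in x0 */
}

/* Constructed example policy: allow SiP function 0x0c for node ids 0..7 only. */
static const struct sip_rule example_rules[] = { { 0x0c, 0, 7 } };
const struct cell_smc_policy example_policy = { example_rules, 1 };
```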