[PATCH 09/12] xen/arm: ffa: Fix SEND2 SP support gating

Tue, 03 Feb 2026 09:47:48 -0800 

Xen only maps a VM RX/TX buffer into the SPMC when firmware supports
FFA_RX_ACQUIRE. Without that mapping, the SPMC cannot access the VM TX
buffer to relay FFA_MSG_SEND2 to a secure partition.

Advertise FFA_MSG_SEND2 to guests only when VM-to-VM is enabled or when
the firmware supports both FFA_MSG_SEND2 and FFA_RX_ACQUIRE, and reject
SEND2 to a secure partition otherwise. Add comments to document the
mapping/ownership dependency.

Functional impact: SEND2 to a secure partition is reported as
NOT_SUPPORTED when FFA_RX_ACQUIRE is absent.

Signed-off-by: Bertrand Marquis <[email protected]>
---
 xen/arch/arm/tee/ffa.c     |  8 +++++++-
 xen/arch/arm/tee/ffa_msg.c | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/xen/arch/arm/tee/ffa.c b/xen/arch/arm/tee/ffa.c
index e9e020bb0cb3..a46c6e5e67f1 100644
--- a/xen/arch/arm/tee/ffa.c
+++ b/xen/arch/arm/tee/ffa.c
@@ -292,7 +292,13 @@ static void handle_features(struct cpu_user_regs *regs)
             ffa_set_regs_error(regs, FFA_RET_NOT_SUPPORTED);
         break;
     case FFA_MSG_SEND2:
-        if ( ffa_fw_supports_fid(a1) || IS_ENABLED(CONFIG_FFA_VM_TO_VM) )
+        /*
+         * Forwarding SEND2 to an SP requires the SPMC to see the VM TX buffer.
+         * We only map VM RX/TX into the SPMC when RX_ACQUIRE is supported.
+         */
+        if ( IS_ENABLED(CONFIG_FFA_VM_TO_VM) ||
+             (ffa_fw_supports_fid(FFA_MSG_SEND2) &&
+              ffa_fw_supports_fid(FFA_RX_ACQUIRE)) )
             ffa_set_regs_success(regs, 0, 0);
         else
             ffa_set_regs_error(regs, FFA_RET_NOT_SUPPORTED);
diff --git a/xen/arch/arm/tee/ffa_msg.c b/xen/arch/arm/tee/ffa_msg.c
index 10856fddcbc4..928f269f6c3a 100644
--- a/xen/arch/arm/tee/ffa_msg.c
+++ b/xen/arch/arm/tee/ffa_msg.c
@@ -274,6 +274,17 @@ int32_t ffa_handle_msg_send2(struct cpu_user_regs *regs)
             ret = FFA_RET_NOT_SUPPORTED;
             goto out;
         }
+        /*
+         * The SPMC needs access to the VM TX buffer to relay SEND2.
+         * We only map VM RX/TX into the SPMC when RX_ACQUIRE is supported.
+         */
+        if ( !ffa_fw_supports_fid(FFA_RX_ACQUIRE) )
+        {
+            ret = FFA_RET_NOT_SUPPORTED;
+            gdprintk(XENLOG_DEBUG,
+                     "ffa: msg_send2 to SP requires RX_ACQUIRE\n");
+            goto out;
+        }
 
         ret = ffa_simple_call(FFA_MSG_SEND2,
                               ((uint32_t)ffa_get_vm_id(src_d)) << 16, 0, 0, 0);
-- 
2.50.1 (Apple Git-155)

Reply via email to