On 13 Nov 2021, at 19:19, Jorge Pereira <jorge@ssrc.tii.ae> wrote:
> Ok, is there any rationale for not allowing the guest to directly invoke the secure world? This is a hardware feature supported by ARMv8, and I was wondering whether unnecessary traps would just bring more performance overhead. Is there any security concern?
The discussion hasn't really concluded on that yet, but the concern is that guest VMs are, in security terms, untrusted code that must be presumed malicious, so they cannot be granted uncontrolled access to arbitrary high-privilege code (just because that code tends to be vendor-provided does not mean it is of high quality or trustworthy). This means the general mechanism should be conservative.
We could think about exceptions, but that should only be done once we know there is an actual performance problem. Otherwise that would be a premature optimisation. So far it looks like those calls are infrequent and mostly needed at boot time.
Cheers,
Gerwin
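To make the "conservative mechanism" concrete, here is an added example (written for this page; it is not seL4 code, and the thread says the actual design is still undecided) of the policy a hypervisor's SMC trap handler would apply when a guest executes SMC. It decodes the function ID according to the SMC Calling Convention (Arm DEN 0028), emulates the handful of PSCI calls a guest legitimately needs (so a guest's CPU_ON brings up a vCPU rather than a physical core), forwards only allowlisted SiP/OEM calls to EL3, and denies everything else with the standard NOT_SUPPORTED result. The SiP function ID 0x82000010 in the allowlist is a hypothetical placeholder, not a real vendor call.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Function ID layout from the SMC Calling Convention (Arm DEN 0028):
 * bit 31 = fast call, bit 30 = SMC64, bits 29:24 = service range,
 * bits 15:0 = function number within the service. */
#define SMCCC_FAST_CALL        (1u << 31)
#define SMCCC_SERVICE(fid)     (((fid) >> 24) & 0x3fu)

/* Service ranges relevant here. */
#define SVC_SIP                0x02  /* silicon partner */
#define SVC_OEM                0x03
#define SVC_STD_SECURE         0x04  /* standard secure service: PSCI lives here */

/* Standard SMCCC result for a call the callee does not implement. */
#define SMCCC_RET_NOT_SUPPORTED ((int64_t)-1)

/* PSCI function IDs a hypervisor typically emulates on behalf of guests. */
#define PSCI_VERSION       0x84000000u
#define PSCI_CPU_OFF       0x84000002u
#define PSCI_CPU_ON_32     0x84000003u
#define PSCI_CPU_ON_64     0xC4000003u
#define PSCI_SYSTEM_OFF    0x84000008u
#define PSCI_SYSTEM_RESET  0x84000009u
#define PSCI_FEATURES      0x8400000Au

typedef enum { SMC_DENY = 0, SMC_EMULATE = 1, SMC_FORWARD = 2 } smc_verdict;

/* Guest register state saved at the trap; x0..x7 carry SMCCC args/results. */
typedef struct { uint64_t x[8]; } smc_regs;

/* Per-VM allowlist of SiP/OEM calls forwarded to EL3 unchanged.
 * 0x82000010 is a hypothetical ID constructed for this example. */
static const uint32_t forward_allow[] = { 0x82000010u };

static bool in_forward_allowlist(uint32_t fid)
{
    for (size_t i = 0; i < sizeof forward_allow / sizeof forward_allow[0]; i++)
        if (forward_allow[i] == fid)
            return true;
    return false;
}

/* Default-deny policy: only explicitly known function IDs get through. */
smc_verdict smc_policy(uint32_t fid)
{
    /* Yielding (non-fast) calls can be pre-empted mid-call in EL3 and
     * complicate state handling; a conservative hypervisor refuses them. */
    if (!(fid & SMCCC_FAST_CALL))
        return SMC_DENY;

    switch (SMCCC_SERVICE(fid)) {
    case SVC_STD_SECURE:
        switch (fid) {
        case PSCI_VERSION: case PSCI_CPU_OFF: case PSCI_CPU_ON_32:
        case PSCI_CPU_ON_64: case PSCI_SYSTEM_OFF: case PSCI_SYSTEM_RESET:
        case PSCI_FEATURES:
            return SMC_EMULATE;   /* acts on the VM, never the physical machine */
        default:
            return SMC_DENY;
        }
    case SVC_SIP:
    case SVC_OEM:
        return in_forward_allowlist(fid) ? SMC_FORWARD : SMC_DENY;
    default:
        return SMC_DENY;          /* unknown service range: refuse */
    }
}

/* Trap entry: returns the verdict and, on deny, writes the guest's result
 * register so the guest sees a well-formed NOT_SUPPORTED instead of a hang. */
smc_verdict handle_guest_smc(smc_regs *r)
{
    uint32_t fid = (uint32_t)r->x[0];
    smc_verdict v = smc_policy(fid);
    if (v == SMC_DENY)
        r->x[0] = (uint64_t)SMCCC_RET_NOT_SUPPORTED;
    return v;
}

int main(void)
{
    static const char *name[] = { "deny", "emulate", "forward" };
    uint32_t probes[] = { PSCI_CPU_ON_64, 0x82000010u, 0x82000011u, 0x02000010u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        smc_regs r = { .x = { probes[i] } };
        printf("fid 0x%08x -> %s\n", probes[i], name[handle_guest_smc(&r)]);
    }
    return 0;
}
```

The point of the structure is that every path not explicitly listed ends in SMC_DENY, and a denied call still returns a value the guest's firmware interface expects; widening the allowlist for a specific SiP call is a one-line change made only once a measured hotspot justifies it.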