> On 13 Nov 2021, at 19:19, Jorge Pereira
> Ok, is there any rationale for not allowing the guest to directly invoke the secure world?
> This is a hardware feature supported by ARMv8 and I was wondering whether unnecessary traps
> will just bring more performance overhead. Is there any security concern?
The discussion hasn't really concluded on that yet, but the concern is that guest
VMs in terms of security are untrusted code that must be presumed malicious, so
they cannot be granted uncontrolled access to arbitrary high-privilege code (just because
that code tends to be vendor-provided does not mean it is of high quality or trustworthy).
This means the general mechanism should be conservative.
We could think about exceptions, but that should only be done once we know there is an
actual performance problem. Otherwise that would be a premature optimisation. So far it
looks like those calls are infrequent and mostly needed at boot time.