riscv-non-isa / riscv-ap-tee

This repo holds the work area and revisions of the non-ISA specification created by the RISC-V AP-TEE TG. This specification defines the programming interfaces (ABI) to support the Confidential VM Extension (CoVE) confidential computing architecture for RISC-V application-processor platforms.
https://jira.riscv.org/browse/RVG-76
Creative Commons Attribution 4.0 International

[Qualcomm feedback] Chapter 5.1.4: Clarify caching behavior #57

Closed rsahita closed 6 months ago

rsahita commented 7 months ago

Reference: link

During confidential memory conversion or reclamation, the HW TCB and SW TCB (TSM) must enforce via memory-management fences that stale data is not accessible to the TVM (or the hosting OS/VMM). During confidential memory assignment to a TVM (or during conversion of confidential memory to shared), the TCB must enforce that stale translations may not be held to memory yielded by a TVM (and used by the host for another TVM or VM or the host). These properties are implemented by the TSM in conjunction with the HW (e.g. MTT cache invalidations) via the proposed COVH interface.

Why does stale data only concern cached data or cached translations? How about stale data that is in actual memory? Should there be a requirement dictating scrubbing of private data pre-conversion?

rsahita commented 7 months ago

(was answered in the PDF): If the TVM is shut down, the TSM does the scrubbing; if the TVM is converting memory from confidential to non-confidential, then it's the TVM's responsibility to scrub it (per sbi_covg_share_memory_region).

rsahita commented 6 months ago

Closing as addressed in PR #70 cc @ozkoyuncu