Hello,
In the configuration makefile mk/config.mk there are following lines:
# Enable support for detected undefined behavior in C
# Uses a lot of memory, can't be enabled by default
CFG_CORE_SANITIZE_UNDEFINED ?= n
I've read the sources of the conditionally compiled ubsan.c and, IIUC,
how UBSAN is working (mostly by adding simple checks), I don't understand,
why UBSAN is marked as using a lot of memory.
Is this comment still valid?
Thank you.
Hi,
Cc the OP-TEE mailing list, as I sense this might be more of an OP-TEE (/ OPTEED) design question than TF-A generic.
I agree with Manish/Achin the best way to eliminate the return by NS interrupt while OP-TEE kernel runs handling a PSCI request is to mask interrupts globally in the GIC e.g. from within opteed_system_reset?
Additional questions:
On https://github.com/ARM-software/arm-trusted-firmware/blob/master/lib/psci/p…
The PSCI layer calls into OP-TEE SPD and then resumes OP-TEE to handle the PSCI call in a platform defined manner.
As suggested here https://github.com/ARM-software/arm-trusted-firmware/blob/master/services/s… , it looks this invocation is not supposed to return into TF-A?
Did you redefine the weak psci_system_reset function within OP-TEE for your platform?
Is this function designed to end up in a loop and never returns to TF-A?
As a side question, is this an issue that the TF-A's PSCI platform hook is possibly never called https://github.com/ARM-software/arm-trusted-firmware/blob/master/lib/psci/p… ?
Regards,
Olivier.
________________________________
From: Neely, Brian via TF-A <tf-a(a)lists.trustedfirmware.org>
Sent: 13 November 2023 19:01
To: Manish Pandey2 <Manish.Pandey2(a)arm.com>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; Ethridge, Caleb <Caleb.Ethridge(a)analog.com>
Subject: [TF-A] Re: Handling of normal world interrupts with BL31 PSCI handler
Hi Manish,
Just following up on your comment below. Are you planning to provide guidance as to which PSCI calls should have NS interrupts masked? Are these changes that should go in the mainline TF-A repo, or do you believe they are specific to our use case?
Thanks,
Brian
From: Manish Pandey2 via TF-A <tf-a(a)lists.trustedfirmware.org>
Sent: Friday, November 10, 2023 11:31 AM
To: tf-a(a)lists.trustedfirmware.org; Ethridge, Caleb <Caleb.Ethridge(a)analog.com>
Subject: [TF-A] Re: Handling of normal world interrupts with BL31 PSCI handler
[External]
Hi Caleb,
The quick answer to your query is to mask the NS interrupts in BL31 (option a), You should not remove the callback to OPTEE as it may need to do its own state maintained before system RESET.
There are other scenarios in PSCI (e.g. CPU power down) path which need to consider disabling NS interrupts before invoking Secure world hooks, will provide further analysis on those later.
Thanks
Manish Pandey
________________________________
From: Caleb Ethridge via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>>
Sent: 10 November 2023 15:12
To: tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>>
Subject: [TF-A] Handling of normal world interrupts with BL31 PSCI handler
Hello,
If normal world interrupts are received while invoking TF-A's PSCI reset handler, we have observed that the reset can be aborted.
In TF-A's PSCI reset handler, a call out to OP-TEE is made before performing the platform-specific reset:
https://github.com/ARM-software/arm-trusted-firmware/blob/master/lib/psci/p…<https://urldefense.com/v3/__https:/github.com/ARM-software/arm-trusted-firm…>
https://github.com/ARM-software/arm-trusted-firmware/blob/master/services/s…<https://urldefense.com/v3/__https:/github.com/ARM-software/arm-trusted-firm…>
When OP-TEE is entered, it is possible to receive foreign (normal world) interrupts, which invokes the procedure described here: https://optee.readthedocs.io/en/3.16.0/architecture/core.html#deliver-non-s…<https://urldefense.com/v3/__https:/optee.readthedocs.io/en/3.16.0/architect…>
When the SMC call is aborted as described above, this results in the reboot failing. Linux does not retry the PSCI reset (https://github.com/torvalds/linux/blob/master/drivers/firmware/psci/psci.c#…<https://urldefense.com/v3/__https:/github.com/torvalds/linux/blob/master/dr…>). This makes sense because it is not expecting the SMC call to fail (it expected to make an uninterruptable SMC call into the secure monitor, not a call into OP-TEE).
If OP-TEE itself is setup to handle PSCI reset calls, it also handles them in (uninterruptable) SMC context:
https://github.com/OP-TEE/optee_os/blob/master/core/arch/arm/sm/psci.c#L140<https://urldefense.com/v3/__https:/github.com/OP-TEE/optee_os/blob/master/c…>
https://github.com/OP-TEE/optee_os/blob/master/core/arch/arm/sm/sm_a32.S#L96<https://urldefense.com/v3/__https:/github.com/OP-TEE/optee_os/blob/master/c…>
Based on this, we see two possible solutions:
a) Masking the non-secure interrupts in BL31 while we are doing a reset
b) Removing the call to OPTEE in the reset handler so that we never leave the SMC context
Which option do you suggest? Or are we missing an important detail here?
Thanks,
Caleb
--
TF-A mailing list -- tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>
To unsubscribe send an email to tf-a-leave(a)lists.trustedfirmware.org<mailto:tf-a-leave@lists.trustedfirmware.org>
Hi,
Tomorrow, Tuesday, January 25 it's time for another LOC monthly meeting. For
time and connection details see the calendar at
https://www.trustedfirmware.org/meetings/
- OP-TEE 4.1.0 has been released
- There's an ongoing effort to move tee-supplicant processing into the
kernel to avoid user space dependency during boot
Any other topics?
Thanks,
Jens
I am currently offline-signing Trusted Applications and and I have realized that there are no stripped.elf files for the above TAs. Why is that and how can I offline-sign them?
This series proposes the implementation of a remoteproc tee driver to
communicate with a TEE trusted application responsible for authenticating and
loading the remoteproc firmware image in an Arm secure context.
1) Principle:
The remoteproc tee driver provides services to communicate with the OP-TEE
trusted application running on the Trusted Execution Context (TEE).
The trusted application in TEE manages the remote processor lifecycle:
- authenticating and loading firmware images,
- isolating and securing the remote processor memories,
- supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33),
- managing the start and stop of the firmware by the TEE.
2) Format of the signed image:
Refer to:
https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc…
3) OP-TEE trusted application API:
Refer to:
https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem…
4) OP-TEE signature script
Refer to:
https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py
Example of usage:
sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem
5) Impact on User space Application
No sysfs impact.the user only needs to provide the signed firmware image
instead of the ELF image.
For more information about the implementation, a presentation is available here
(note that the format of the signed image has evolved between the presentation
and the integration in OP-TEE).
https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds
Arnaud Pouliquen (4):
remoteproc: Add TEE support
dt-bindings: remoteproc: add compatibility for TEE support
remoteproc: stm32: create sub-functions to request shutdown and
release
remoteproc: stm32: Add support of an OP-TEE TA to load the firmware
.../bindings/remoteproc/st,stm32-rproc.yaml | 53 ++-
drivers/remoteproc/Kconfig | 10 +
drivers/remoteproc/Makefile | 1 +
drivers/remoteproc/stm32_rproc.c | 233 +++++++++--
drivers/remoteproc/tee_remoteproc.c | 393 ++++++++++++++++++
include/linux/tee_remoteproc.h | 99 +++++
6 files changed, 742 insertions(+), 47 deletions(-)
create mode 100644 drivers/remoteproc/tee_remoteproc.c
create mode 100644 include/linux/tee_remoteproc.h
--
2.25.1
I have recently commited some changes to the OP-TEE docs regarding the offline signing of TAs. I have now revisited my work after the holidays and the signing process is now failing with
ERROR:sign_encrypt.py:Verification failed, ignoring given signature.
although I am sure not to have changed anything. There is no TA being producd anymore. I am currently not sure if I made a mistake and did not see this, although I think I should have realized that no TAs are produced successfully.
I am currently a bit pressed for time and was hoping that someone could assist me with the signing process. In the previous version there was a header prepended to the file that is to be signed
echo "0000: 3031300D 06096086 48016503 04020105 000420" | \
xxd -c 19 -r > /tmp/sighdr
cat /tmp/sighdr $(base64 --decode digestfile) > /tmp/hashtosign
This script did not work and I omitted it. Can someone tell me why this was needed in the first place or how I could fix this step?
I tried fixing the step as follows
echo "0000: 3031300D 06096086 48016503 04020105 000420" | \
xxd -c 19 -r > /tmp/sighdr
base64 --decode digestfile > /tmp/digestfile
cat /tmp/sighdr /tmp/digestfile > /tmp/hashtosign
but the pkcs11-tool then complains that the signature is too long.
Any help appreciated!
---
Jan
[BCC all OP-TEE maintainers]
Hi OP-TEE maintainers & contributors,
OP-TEE v4.1.0 is scheduled to be released on 2024-01-19. So, now is
a good time to start testing the master branch on the various platforms
and report/fix any bugs.
The GitHub pull request for collecting Tested-by tags or any other
comments is https://github.com/OP-TEE/optee_os/pull/6574.
As usual, we will create a release candidate tag one week before the
release date for final testing.
In addition to that you can find some additional information related to
releases here: https://optee.readthedocs.io/en/latest/general/releases.html
Thanks,
Jens