Hi,
I recently uploaded the patch (https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/33536) to add qti platform support for qcs615. The patch is fully isolated and doesn't touch any common code and doesn't get included in any other platform compilation.
On enabling basic CI, I see some failures which are unrelated to my patch.
I wonder what the next step should be. If somebody can help me, it will be greatly appreciated.
Thanks
Amarinder
Hi,
As a follow up to the Firmware-A v2.12 release [1], we are pleased to share the shrinkwrap tool [2]
configurations have been updated to consume latest firmware/upstream ingredients using following tags:
TF-A: v2.12.0
TF-a-tests: v2.12.0
Hafnium: v2.12.0
TF-RMM: tf-rmm-v0.6.0
CCA EDK2: 3223_arm_cca_rmm_v1.0_rel0_v3
linux: cca-full/v5+v7
kvmtool: cca/v3
An additional merge request is in queue for kvm-unit-tests update to cca/rmm-v1.0-rel0 tag.
Shrinkwrap is a convenient tool for building a fully integrated Arm CCA SW stack running on
the Base AEM FVP platform. In particular this is the tool of choice for RMM development to
reproduce a 3 or 4 worlds RME based environment.
Regards,
Olivier.
[1] https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.…
[2] https://shrinkwrap.docs.arm.com/en/latest/
Hi Max,
> Can we say this presentation (2022) is there and ready to use?
Yes, there are multiple measured boot and attestation schemes are implemented in TF-A and Trusted Services. What to use is depends on your use case and your system capability:
- A class core only
- A+M system where the M core is in a secure enclave
> By the way, you mentioned that attestation is not handled in TF-a (EL3), but the below EL3 handler handles it (RMM_ATTEST_GET_PLAT_TOKEN). Does it just send the request to the "Trusted Service" you were referencing?
No, they are different.
The available options/schemes:
* -If you have a single A class core and you want something similar to psa_initial_attest_get_token() then read this:
https://trusted-services.readthedocs.io/en/latest/services/attest-service-d…
Here the token is created by a secure service running in SEL0/1. EL3 only responsible for making the world switch (S<->NS). This is callable from Linux user space, with the libs and kernel driver pointed out by George.
* What you mentioned above (RMM_ATTEST_GET_PLAT_TOKEN) is basically the CCA attestation scheme, where there are two halves tokens. It is targeting the RME capable systems which otherwise have A+M cores. One half of the token is produced by the M class secure enclave(HES) the other half by the RMM running in REL2 on the A core. There is a hash link between the half tokens.
Please elaborate your use case then I can help more!
Regards,
Tamas
From: Gyorgy Szing <Gyorgy.Szing(a)arm.com>
Sent: Monday, December 2, 2024 11:43 AM
To: Max Adam <maxadamcamb(a)gmail.com>; Tamas Ban <Tamas.Ban(a)arm.com>
Subject: Re: [TF-A] Interaction with TF-a from NS World
Hi,
"By the way, you mentioned that attestation is not handled in TF-a (EL3),"
Sorry, my bad. Since you mentioned PSA I got the impression you are after PSA Initial Attestation, and that is out of scope for TF-A.
Tamas: Can you please respond to the RMM related attestation question?
/George
On 2024-12-02, 11:38, "Max Adam" <maxadamcamb(a)gmail.com<mailto:maxadamcamb@gmail.com>> wrote:
Hi Gyorgy,
Thank you for the detailed comment. It is really helpful, especially this link seems good to chase: https://git.yoctoproject.org/meta-arm/about/documentation/trusted-services.…
Basically, I was following this link from @Tamas.ban@arm.com<mailto:Tamas.ban@arm.com>; "CCA attestation and measured both"
https://www.trustedfirmware.org/docs/Attestation_and_Measured_Boot.pdf
Can we say this presentation (2022) is there and ready to use?
By the way, you mentioned that attestation is not handled in TF-a (EL3), but the below EL3 handler handles it (RMM_ATTEST_GET_PLAT_TOKEN). Does it just send the request to the "Trusted Service" you were referencing?
Error! Filename not specified.
Gyorgy Szing <Gyorgy.Szing(a)arm.com<mailto:Gyorgy.Szing@arm.com>>, 2 Ara 2024 Pzt, 09:29 tarihinde şunu yazdı:
Hi Max,
Please check this picture [1]. It shows the exception levels on an aarch64 platforms, and typical components executing at each exception level.
TF-A is a Secure Monitor implementation. It is the most privileged component, and its main goal is to route calls between the NWd and SWd. Each call to SWd must go through this component. E.g. if an "aarch64 App" wishes to use a service provided by a Trusted Service, a call has to be made into EL1 (e.g. Linux Kernel), then if a Hypervisor is present to EL2, then to the Monitor at EL3 (TF-A), then to optional S-EL2 (e.g. Hafnium), S-EL1 (e.g. OP_TEE) and finally to S-EL0.
TF-A does not implement the PSA APIs.
OP-TEE is a Trusted OS, and a reference implementation of the Global Platforms standards [2]. PSA is not part of GP, and AFAIK there is no TA implementing PSA APIs.
The PSA reference implementation for Cortex-A is developed in the Trusted Services project. The project implements all services required for PSA certification (Crypto, ITS, PS, Attestation) plus a few non-psa ones like Firmware Update Service or UEFI Variable service. We developed a Linux kernel driver called tstee (up-stream since v6.10) , and two shared libraries which can be used by linux user-space applications to access the services. Libts implements service discovery and the TS RPC components, and "libtspsa" carries easy to use PSA client implementations (basically the C PSA API).
Trusted Services follows the Firmware Framework for A-Profile standard (FF-A) which defines a protocol to be used between exception levels and a runtime model. PSA services are deployed to S-EL0 Secure Partitions and need a Secure Partition Manager implementation executing at a higher exception levels. The reference SPMD implementation is part of the TF-A project, the S-EL2 reference SPMC is Hafnium [5], and the S-EL1 reference implementation is OP-TEE SPMC [6]. (Only one SPMC implementation can be present on a system.)
A major difference between the Cortex-M and the Cortex-A ecosystem is the level of diversity. While a Cortex-M stack is typically implemented using components from one or maximum a few stakeholders, a Cortex-A stack is built from components owned by a vast set of owners. As a result, integration of a Cortex-A software stack is much more complex. There are multiple integration systems targeting the problem like Buildroot and Yocto. Trusted Services supports two integration systems currently. The OP-TEE integration system, which is a gnumake and Buildroot based solution (see [7]) and Yocto where the meta-arm layer [8] hosts TS recipes. Please find some TS specific meta-arm documentation here: [9]
For more help and information, about PSA on Cortex-A and TS feel free to drop an email to the TS mailing list [10], and/or to me.
/George
1: https://documentation-service.arm.com/static/63a065c41d698c4dc521cb1b
2: https://globalplatform.org/about-globalplatform/
3: https://trusted-services.readthedocs.io/en/stable/overview/index.html
4: https://developer.arm.com/architectures/Firmware%20Framework%20for%20A-Prof…
5: https://hafnium.readthedocs.io/en/latest/secure-partition-manager/index.html
6: https://optee.readthedocs.io/en/latest/architecture/spmc.html
7: https://github.com/OP-TEE/build
8: https://git.yoctoproject.org/meta-arm
9: https://git.yoctoproject.org/meta-arm/about/documentation/trusted-services.…
10: https://lists.trustedfirmware.org/mailman3/lists/trusted-services.lists.tru…
On 2024-12-01, 21:14, "Max Adam via TF-A" <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> wrote:
Hello All,
I am coming from the TF-m domain, and now I am struggling with TF-a as I am not a Linux expert.
I am just looking for the interactions with TF-a, such as getting psa attestation token etc.
How can I find example these interactions from NS World (Linux) or lower privilege Secure World Executions such as OP-TEE or OP-TEE TAs?
I suppose there shall be drivers and APIs provided by TF-a?
Thanks
Max
Hello All,
I am coming from the TF-m domain, and now I am struggling with TF-a as I am
not a Linux expert.
I am just looking for the interactions with TF-a, such as getting psa
attestation token etc.
How can I find example these interactions from NS World (Linux) or lower
privilege Secure World Executions such as OP-TEE or OP-TEE TAs?
I suppose there shall be drivers and APIs provided by TF-a?
Thanks
Max
Hi Everyone,
In order to facilitate development for Device Assignment tests for RME-DA, we have added MbedTLS repo as a submodule dependency to tf-a-tests. The merge commit can be found here : https://review.trustedfirmware.org/plugins/gitiles/TF-A/tf-a-tests/+/3e72cd…
The patch is done in such a way that existing build of TF-A-Tests or Test run is not affected due to the additional dependency. Only tests which depend on MbedTLS will be affected in that they will either be skipped or fail at runtime due to the missing dependency. Also, the change allows to use the config `MBEDTLS_DIR` to point to a MbedTLS directory outside the tf-a-tests source tree. This aligns with the TF-A mechanism for MbedTLS dependancy in case the submodule mechanism is not preferred.
We expect existing CI and testing infrastructure to be unaffected by this change. Please let us know if you have any comments.
Best Regards
Soby Mathew
This event has been canceled.
TF-A Tech Forum
Thursday Nov 28, 2024 ⋅ 5pm – 6pm
Central European Time - Paris
We run an open technical forum call for anyone to participate and it is not
restricted to Trusted Firmware project members. It will operate under the
guidance of the TF TSC. Feel free to forward this invite to colleagues.
Invites are via the TF-A mailing list and also published on the Trusted
Firmware website. Details are here:
https://www.trustedfirmware.org/meetings/tf-a-technical-forum/Trusted
Firmware is inviting you to a scheduled Zoom meeting.Join Zoom
Meetinghttps://linaro-org.zoom.us/my/trustedfirmware?pwd=VktXcm5MNUUyVVM4R0k3ZUtvdU84QT09
One tap mobile+16465588656,,9159704974# US (New
York)+16699009128,,9159704974# US (San Jose)Dial by your location +1
646 558 8656 US (New York) +1 669 900 9128 US (San Jose) 877
853 5247 US Toll-free 888 788 0099 US Toll-freeMeeting ID: 915 970
4974Find your local number: https://zoom.us/u/ad27hc6t7h
Guests
tf-a(a)lists.trustedfirmware.org
~~//~~
Invitation from Google Calendar: https://calendar.google.com/calendar/
You are receiving this email because you are an attendee on the event. To
stop receiving future updates for this event, decline this event.
Forwarding this invitation could allow any recipient to send a response to
the organizer, be added to the guest list, invite others regardless of
their own invitation status, or modify your RSVP.
Learn more https://support.google.com/calendar/answer/37135#forwarding