I am attempting to route FIQ timer interrupts using the ARM timers (not system timers) to EL3 in order to achieve introspection.  I am running TF-A (cross-compiled for AArch64/AArch32) on a Raspberry Pi 4B, which uses the Broadcom 2711 chipset.  I have written some code, but I am not an embedded software engineer – I’m an IoT pentester.  The ARM timers look like this:


RPI4_ARM_TIMER_LOAD           0x400
RPI4_ARM_TIMER_VALUE          0x404
…
RPI4_ARM_TIMER_FREE_COUNTER   0x420


System timers are:


RPI4_SYS_TIMER_CLO, RPI4_SYS_TIMER_CS, etc…


I have successfully implemented a Linux driver that allows me to dump kernel page tables and memory; however, I cannot see user page tables (even after running a CPU-intensive program).  I believe the only way to view user page tables is to have interrupts routed to EL3 – a Linux driver is not sufficient.  I have 3 UARTs attached with a debug log and screen setup.  From what I have read, the Raspberry Pi 4B uses GICv2.  TF-A supports EL3 routing when the build option GICV2_GO_FOR_EL3 is enabled, which I have done.


From what I have gathered, the FIQ interrupt has to be written in assembly.  So far, I have created a vector table, loaded the vector table, and masked and unmasked interrupts using daifclr, #3 and daifset, #3 instructions, using inline assembly.  The timer is initialized and handled using C functions.  I am using inline assembly because I am adding code to the TF-A base, and I have not discovered how to add .S files to the build without receiving make errors.  I will gladly share the code I have if it helps, but what I am really looking for is whether anyone believes I am on the right track or not.  Obviously, I am not implementing something correctly, since the interrupt is not being handled.  Thanks.


Thomas


Sent from Mail for Windows 10
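The following is an added, stand-alone example, not Thomas's code and not TF-A's; it shows the C side of what the post describes: programming the BCM2711 "ARM timer" block for a periodic interrupt and handling that interrupt from EL3. Only the LOAD (0x400), VALUE (0x404) and FREE_COUNTER (0x420) offsets appear in the post; the CONTROL, IRQ clear, RAW/MASKED status, RELOAD and PREDIV offsets and the control-register bits are taken from the BCM2835 ARM Peripherals datasheet (the 2711 block is the same SP804-derived design) and should be checked against that document. The handler uses the signature of TF-A's `interrupt_type_handler_t`, because BL31 already provides EL3 exception vectors and a registration API (`register_interrupt_type_handler(INTR_TYPE_EL3, ...)`, with group 0 routed to EL3 when `GICV2_G0_FOR_EL3` is set), so a hand-written vector table is not needed inside BL31; the registration call and the GIC acknowledge/EOI calls are named in comments only, since this example runs on a host against a RAM buffer standing in for the register block, and `fake_timer_base()` / `fake_timer_fire()` are constructed helpers for that purpose.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Offsets within the ARM timer block. LOAD, VALUE and FREE_COUNTER are the
 * ones quoted in the post; the rest are from the BCM2835 datasheet. */
#define ARM_TIMER_LOAD          0x400
#define ARM_TIMER_VALUE         0x404
#define ARM_TIMER_CONTROL       0x408
#define ARM_TIMER_IRQ_CLR       0x40C   /* any write acknowledges the timer */
#define ARM_TIMER_RAW_IRQ       0x410   /* bit 0: timer interrupt pending (raw) */
#define ARM_TIMER_MSK_IRQ       0x414   /* bit 0: pending AND enabled */
#define ARM_TIMER_RELOAD        0x418
#define ARM_TIMER_PREDIV        0x41C
#define ARM_TIMER_FREE_COUNTER  0x420

/* Control register bits (datasheet). */
#define CTRL_23BIT         (1u << 1)   /* 23-bit counter instead of 16-bit */
#define CTRL_PRESCALE_256  (2u << 2)   /* bits 3:2 = 10b -> clock / 256 */
#define CTRL_IRQ_EN        (1u << 5)   /* timer interrupt enabled */
#define CTRL_TIMER_EN      (1u << 7)   /* timer running */

/* MMIO helpers. On the board `base` is the (mapped) peripheral base; in this
 * example it points at a RAM buffer that stands in for the register block. */
static inline void mmio_write32(uintptr_t base, uint32_t off, uint32_t v)
{
    *(volatile uint32_t *)(base + off) = v;
}
static inline uint32_t mmio_read32(uintptr_t base, uint32_t off)
{
    return *(volatile uint32_t *)(base + off);
}

/* Program a periodic timer: stop it, drop any stale interrupt, set the
 * period, then enable counter + interrupt. Returns the control word written. */
uint32_t arm_timer_init(uintptr_t base, uint32_t period)
{
    mmio_write32(base, ARM_TIMER_CONTROL, 0);
    mmio_write32(base, ARM_TIMER_IRQ_CLR, 1);
    mmio_write32(base, ARM_TIMER_LOAD, period);
    mmio_write32(base, ARM_TIMER_RELOAD, period);
    uint32_t ctrl = CTRL_23BIT | CTRL_PRESCALE_256 | CTRL_IRQ_EN | CTRL_TIMER_EN;
    mmio_write32(base, ARM_TIMER_CONTROL, ctrl);
    return ctrl;
}

static volatile uint32_t el3_timer_ticks;   /* ticks seen from EL3 */
uint32_t arm_timer_ticks(void) { return el3_timer_ticks; }

/* Handler with the shape TF-A's BL31 framework calls (interrupt_type_handler_t).
 * In BL31 it would be registered once with
 *   register_interrupt_type_handler(INTR_TYPE_EL3, arm_timer_el3_handler, flags);
 * the framework acknowledges the interrupt at the GIC (plat_ic_acknowledge_interrupt)
 * before calling it; `cookie` carries the timer base here. The caller/handler must
 * still issue plat_ic_end_of_interrupt(id) on the board; omitted in this host model. */
void *arm_timer_el3_handler(uint32_t id, uint32_t flags, void *handle, void *cookie)
{
    (void)id; (void)flags;
    uintptr_t base = (uintptr_t)cookie;

    /* Check the masked status so a spurious or shared FIQ is not mis-counted. */
    if ((mmio_read32(base, ARM_TIMER_MSK_IRQ) & 1u) == 0)
        return handle;

    el3_timer_ticks++;                         /* introspection work goes here */
    mmio_write32(base, ARM_TIMER_IRQ_CLR, 1);  /* deassert the timer line before EOI */
    return handle;
}

/* --- constructed host-side stand-in for the register block (not hardware) --- */
static uint32_t fake_regs[(ARM_TIMER_FREE_COUNTER + 4) / 4];
uintptr_t fake_timer_base(void) { return (uintptr_t)fake_regs; }
void fake_timer_fire(uintptr_t base)          /* pretend the counter hit zero */
{
    mmio_write32(base, ARM_TIMER_RAW_IRQ, 1);
    mmio_write32(base, ARM_TIMER_MSK_IRQ, 1);
}

int main(void)
{
    uintptr_t base = fake_timer_base();
    printf("control = 0x%02x\n", arm_timer_init(base, 1000));
    fake_timer_fire(base);
    arm_timer_el3_handler(0, 0, NULL, (void *)base);
    printf("ticks = %u\n", arm_timer_ticks());
    return 0;
}
```

The RAM stand-in does not clear the masked-status bit on a write to IRQ_CLR the way hardware does, so anyone extending the model should reset it between simulated fires; on the board the order that matters is the one the handler keeps: verify the source, do the work, acknowledge at the timer, then EOI at the GIC.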