August 2019 - TF-M - lists.trustedfirmware.org

Re: [TF-M] [RFC] Code restructure of core/spm

by Ken Liu (Arm Technology China)

Hi, The first patch for moving header files is ready at: https://review.trustedfirmware.org/c/trusted-firmware-m/+/1561 Comments are welcome. I had thought to push patches together but looks like it would block other patches for a while to show a neat merged list, so I would push them one by one. Will keep you update when incoming patches are ready. BR /Ken > -----Original Message----- > From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu > (Arm Technology China) via TF-M > Sent: Thursday, August 1, 2019 11:12 AM > To: tf-m(a)lists.trustedfirmware.org > Cc: nd <nd(a)arm.com> > Subject: [TF-M] [RFC] Code restructure of core/spm > > Hi, > > Several patches for code restructure is coming. Before I post the gerrit items, I > want to collect your feedback on this. These changes contain: > > - Move header files into dedicated directory for easy include, and clean the > included headers in sources; > - Change some files' name to let them make more sense. > - Move SPM related files into 'spm' folder instead of putting them in 'core'. > - Move some interface files into 'ns_callable' since they are interfaces. > - Remove 'ipc' folder after all files in it are well arranged. > > I will try to do these patches together so they can be merged together. > But before that I want to request for comments about this, feel free to reply in > this thread or comment on the task (add yourself if you are missing as > subscribers): > https://developer.trustedfirmware.org/T426 > > BR > > /Ken > > > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m

4 years, 8 months

1
0
0 0

Linker file changes for multi-core

by Christopher Brand

Please take a look at the patches I've put together to the linker files for multi-core. The fundamental issue that necessitates this change is that the ARMv6/v7 MPU is quite constrained in terms of configuration - the size has to be an exact power of 2, and the base address has to be aligned to the size. This means that we need to group data together in memory so that we can minimize the gaps that we have to introduce to meet the MPU* requirements. To that end, I've grouped all the privileged data together and grouped all the unprivileged data together, and introduced a new #define, S_DATA_UNPRIV_START, that (optionally, in multi-core only) allows the start address of the unprivileged secure data to be specified. This then enables configuring a single MPU region to cover all the unprivileged secure data. Note that only data sections are affected - code is left alone (mostly because the PSoC6 platform has so little Flash that we can't afford any padding at all). https://review.trustedfirmware.org/c/trusted-firmware-m/+/1731 groups the privileged data separate from the unprivileged https://review.trustedfirmware.org/c/trusted-firmware-m/+/1732 adds support for S_DATA_UNPRIV_START Thanks, Chris * In this email I've said "MPU". Technically it's the "SMPU (System Memory Protection Unit) on PSoC6, but that has the same limitations as the ARMv6 MPU. This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.

4 years, 8 months

1
0
0 0

Build system changes for dual core platforms

by Andrei Narkevitch

Hi, Please review the proposed build system changes. Intention of those is to lay groundwork for building TFM for dual core platforms (aka twincpu). The main problem of the existing build system is that it assumes that both tfm_s and tfm_ns run on the same core. In dual core systems secure and non-secure code runs on two independent cores. Each CPU core can be different in terms of architecture, configuration etc, and this adds the requirement of separating out secure and non-secure builds.. The patches basically do the following: * Introduce TFM_MULTI_CORE_TOPOLOGY, that distinguish single core and multicore builds. * Split secure and non-secure builds and build both in single building execution. https://review.trustedfirmware.org/c/trusted-firmware-m/+/1747 https://review.trustedfirmware.org/c/trusted-firmware-m/+/1748 https://review.trustedfirmware.org/c/trusted-firmware-m/+/1749 Thanks, Andrei This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.

4 years, 8 months

1
0
0 0

Re: [TF-M] tfm_core_irq_signals array

by Miklos Balint

Hi Thomas, The first variable in a tfm_core_irq_signal_data_t structure is a partition_id. ID 0 is reserved and cannot be a valid entry in this array so it could, in theory, be checked for terminating the loop. I would argue, however, that having a compile time constant loop count variable is better from a performance and optimization point of view. If loop count is const 0 an optimizing compiler can eliminate the loop altogether while if the iteration count depends on the value of an entry in the array, it would be more unlikely to eliminate the unused loop. The key metrics that TF-M is currently measured against are memory footprint and to a lesser degree latency, and having the extra element in the array and the extra iteration in the loop are both sub-optimal in this respect. I do understand the need, however, to keep the constructs standard C and eliminate deviations. Those can lead to build errors or worse: unexpected runtime behaviour with a simple change in a compiler version or similar, so having a clean, standard, predictable code is essential. So thank you for your effort and yes, until and unless we find a more optimal way to get around this problem, please do introduce the proposed change, taking into possible consideration my first comment on helping the compiler detect the unused code. Regards Miklos -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Thomas Törnblom via TF-M Sent: 14 August 2019 08:53 To: tf-m(a)lists.trustedfirmware.org Subject: [TF-M] tfm_core_irq_signals array Just back from vacation and I notice that a lot seems to have happened while I was away :) As you may know, I'm adding support for the IAR toolchain to tf-m, and this mostly involve cleaning up and eliminating non-standard C constructs that gcc and armclang seems to accept, but which our toolchain does not and is non-standard. One thing we don't accept is zero sized arrays, and I cleaned up a few instances before going on vacation and now I see that a new one has crept in, tfm_core_irq_signals. For the other instances I added a zero initialized element at the end of the array and instead of generating a "count" variable at compile time I used that trailing zero element as a limit while looping over the array. In those cases it was fairly easy and safe as there was at least one pointer element that was non-null for all elements except the last. In this case all members of the struct are scalars and I'm not sure if there is a value I can assign to any of the members that are guaranteed to never be legal and that I can test for. Or should I just use the changes below, where I add a dummy trailing element and adjust the tfm_core_irq_signals_count variable for this? --- /* Definitions of the signals of the IRQs */ const struct tfm_core_irq_signal_data_t tfm_core_irq_signals[] = { #ifdef TFM_PARTITION_TEST_CORE { TFM_IRQ_TEST_1_ID, SPM_CORE_IRQ_TEST_1_SIGNAL_TIMER_0_IRQ, TFM_TIMER0_IRQ, 64 }, #endif /* TFM_PARTITION_TEST_CORE */ {0, 0, 0, 0} }; const size_t tfm_core_irq_signals_count = (sizeof(tfm_core_irq_signals) / sizeof(*tfm_core_irq_signals)) - 1; --- /Thomas -- *Thomas Törnblom*, /Product Engineer/ IAR Systems AB Box 23051, Strandbodgatan 1 SE-750 23 Uppsala, SWEDEN Mobile: +46 76 180 17 80 Fax: +46 18 16 78 01 E-mail: thomas.tornblom(a)iar.com <mailto:thomas.tornblom@iar.com> Website: www.iar.com <http://www.iar.com> Twitter: www.twitter.com/iarsystems <http://www.twitter.com/iarsystems> -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

4 years, 8 months

1
0
0 0

tfm_core_irq_signals array

by Thomas Törnblom

Just back from vacation and I notice that a lot seems to have happened while I was away :) As you may know, I'm adding support for the IAR toolchain to tf-m, and this mostly involve cleaning up and eliminating non-standard C constructs that gcc and armclang seems to accept, but which our toolchain does not and is non-standard. One thing we don't accept is zero sized arrays, and I cleaned up a few instances before going on vacation and now I see that a new one has crept in, tfm_core_irq_signals. For the other instances I added a zero initialized element at the end of the array and instead of generating a "count" variable at compile time I used that trailing zero element as a limit while looping over the array. In those cases it was fairly easy and safe as there was at least one pointer element that was non-null for all elements except the last. In this case all members of the struct are scalars and I'm not sure if there is a value I can assign to any of the members that are guaranteed to never be legal and that I can test for. Or should I just use the changes below, where I add a dummy trailing element and adjust the tfm_core_irq_signals_count variable for this? --- /* Definitions of the signals of the IRQs */ const struct tfm_core_irq_signal_data_t tfm_core_irq_signals[] = { #ifdef TFM_PARTITION_TEST_CORE { TFM_IRQ_TEST_1_ID, SPM_CORE_IRQ_TEST_1_SIGNAL_TIMER_0_IRQ, TFM_TIMER0_IRQ, 64 }, #endif /* TFM_PARTITION_TEST_CORE */ {0, 0, 0, 0} }; const size_t tfm_core_irq_signals_count = (sizeof(tfm_core_irq_signals) / sizeof(*tfm_core_irq_signals)) - 1; --- /Thomas -- *Thomas Törnblom*, /Product Engineer/ IAR Systems AB Box 23051, Strandbodgatan 1 SE-750 23 Uppsala, SWEDEN Mobile: +46 76 180 17 80 Fax: +46 18 16 78 01 E-mail: thomas.tornblom(a)iar.com <mailto:thomas.tornblom@iar.com> Website: www.iar.com <http://www.iar.com> Twitter: www.twitter.com/iarsystems <http://www.twitter.com/iarsystems>

4 years, 8 months

1
0
0 0

Re: [TF-M] gcc linker script help

by Miklos Balint

Hi Chris, Please note that the master branch does support level 2 isolation, so the grouping of sections according to trust domains is already present both for gcc and armclang there. I suggest to refer to that implementation and work from that instead of re-doing it from scratch to avoid unnecessary bifurcation of linker scripts and scatter files for the two platform types. Isolation level 2 readiness was a non-trivial piece of work executed in Q2 so I'd hope that effort can be reused in the twincpu branch. Regards Miklos -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Christopher Brand via TF-M Sent: 07 August 2019 22:04 To: TF-M(a)lists.trustedfirmware.org Subject: [TF-M] gcc linker script help Hi, I'm working on supporting TFM_LVL 2 on the PSoC6 platform in the feature-twincpu branch. To that end, I want to group all the secure data that needs to be accessed by secure unprivileged code separate from the secure data that is privileged-only. I have a patch at https://review.trustedfirmware.org/c/trusted-firmware-m/+/1731 that moves sections around to make this practical and then a patch at https://review.trustedfirmware.org/c/trusted-firmware-m/+/1732 that fixes the start of the unprivileged secure data for the armclang linker. I've been trying to get the same result with the gcc linker, but so far it either hasn't done what I want or it's failed to link. If anyone more familiar with the gcc linker is able to help, I'd really appreciate it! And of course review comments are always welcome, too - I don't want this to break anything. Thanks, Chris This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message. -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

4 years, 8 months

2
1
0 0

gcc linker script help

by Christopher Brand

Hi, I'm working on supporting TFM_LVL 2 on the PSoC6 platform in the feature-twincpu branch. To that end, I want to group all the secure data that needs to be accessed by secure unprivileged code separate from the secure data that is privileged-only. I have a patch at https://review.trustedfirmware.org/c/trusted-firmware-m/+/1731 that moves sections around to make this practical and then a patch at https://review.trustedfirmware.org/c/trusted-firmware-m/+/1732 that fixes the start of the unprivileged secure data for the armclang linker. I've been trying to get the same result with the gcc linker, but so far it either hasn't done what I want or it's failed to link. If anyone more familiar with the gcc linker is able to help, I'd really appreciate it! And of course review comments are always welcome, too - I don't want this to break anything. Thanks, Chris This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.

4 years, 8 months

1
0
0 0

Debugger setup for MPS2+ AN521

by Kevin Townsend

tl;dr: unable to connect to MPS2+ AN521 with JLink and perform a soft reset to halt at NSPE init, and debug an init issue. Connect via SWD fails, connect via JTAG seems OK, but soft reset requests consistently fail, preventing meaningful debug/trace of the code. Looking for advice on known-good debug setup with GDB and Linux. Full explanation follows: I'm currently working on an application with the following setup: - TF-M (latest) running in the secure processing environment - Zephyr running in the NSPE - PSA FF APIs to communicate between PEs I've run into a HW problem with the UART peripheral that I need to debug, but using a J-Link has been problematic, and I was curious if anyone else has had any success with GDB or JLinkExe and the MPS2+. To debug, I currently do the following: - Copy a valid TF-M + Zephyr and BL2 image to the MPS2+ - Physically reset the MPS2+ (AN521) - Wait for the image to start up (based on serial output) - Connect the debugger - Attempt to reset I get the following output at connect (entering the 'connect' command at the J-Link prompt): NOTE: I've been unable to get SWD to work, and had to fall back to JTAG for the interface. ---------------------------------------- $ JLinkExe -device Cortex-M33 -if jtag -speed auto SEGGER J-Link Commander V6.44i (Compiled May 17 2019 17:38:03) DLL version V6.44i, compiled May 17 2019 17:37:52 Connecting to J-Link via USB...O.K. Firmware: J-Link V9 compiled May 17 2019 09:50:41 Hardware version: V9.10 S/N: 609100327 License(s): RDI, FlashBP, FlashDL, JFlash, GDB VTref=3.011V Device position in JTAG chain (IRPre,DRPre) <Default>: -1,-1 => Auto-detect JTAGConf>connect ERROR while parsing value for IRPre. Using default: -1. ERROR while parsing value for DRPre. Using default: -1. Device "CORTEX-M33" selected. Connecting to target via JTAG TotalIRLen = 4, IRPrint = 0x01 JTAG chain detection found 1 devices: #0 Id: 0x6BA00477, IRLen: 04, CoreSight JTAG-DP Scanning AP map to find all available APs AP[3]: Stopped AP scan as end of AP map has been reached AP[0]: APB-AP (IDR: 0x54770002) AP[1]: AHB-AP (IDR: 0x84770001) AP[2]: AHB-AP (IDR: 0x84770001) Iterating through AP map to find AHB-AP to use AP[0]: Skipped. Not an AHB-AP AP[1]: Core found AP[1]: AHB-AP ROM base: 0xF0008000 CPUID register: 0x410FD211. Implementer code: 0x41 (ARM) Found Cortex-M33 r0p1, Little endian. FPUnit: 8 code (BP) slots and 0 literal slots Security extension: implemented Secure debug: enabled CoreSight components: ROMTbl[0] @ F0008000 ROMTbl[0][0]: F0009000, CID: B105900D, PID: 000BB9A4 GPR ROMTbl[0][1]: E00FF000, CID: B105100D, PID: 000BB4C9 ROM Table ROMTbl[1] @ E00FF000 ROMTbl[1][0]: E000E000, CID: B105900D, PID: 000BBD21 Cortex-M33 ROMTbl[1][1]: E0001000, CID: B105900D, PID: 000BBD21 DWT ROMTbl[1][2]: E0002000, CID: B105900D, PID: 000BBD21 FPB ROMTbl[1][3]: E0000000, CID: B105900D, PID: 000BBD21 ITM ROMTbl[1][5]: E0041000, CID: B105900D, PID: 001BBD21 ETM ROMTbl[1][6]: E0042000, CID: B105900D, PID: 000BBD21 CTI Cortex-M33 identified. ---------------------------------------- But any attempt to perform a soft reset fails, which makes debugging the init code problematic: ---------------------------------------- J-Link>r 0 Reset delay: 0 ms Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit. Reset: Halt core after reset via DEMCR.VC_CORERESET. Reset: Reset device via AIRCR.SYSRESETREQ. Reset: CPU may have not been reset (DHCSR.S_RESET_ST never gets set). Reset: Using fallback: Reset pin. Reset: Halt core after reset via DEMCR.VC_CORERESET. Reset: Reset device via reset pin Reset: VC_CORERESET did not halt CPU. (Debug logic also reset by reset pin?). Reset: Reconnecting and manually halting CPU. AP map detection skipped. Manually configured AP map found. AP[0]: CUSTOM-AP (IDR: Not set) AP[1]: AHB-AP (IDR: Not set) AP[1]: Skipped. Invalid implementer code read from CPUIDVal[31:24] = 0x00 AP map detection skipped. Manually configured AP map found. AP[0]: CUSTOM-AP (IDR: Not set) AP[1]: AHB-AP (IDR: Not set) AP[1]: Skipped. Invalid implementer code read from CPUIDVal[31:24] = 0x00 ************************** WARNING: CPU could not be halted ************************** Reset: Core did not halt after reset, trying to disable WDT. Reset: Halt core after reset via DEMCR.VC_CORERESET. Reset: Reset device via reset pin Reset: VC_CORERESET did not halt CPU. (Debug logic also reset by reset pin?). Reset: Reconnecting and manually halting CPU. AP map detection skipped. Manually configured AP map found. AP[0]: CUSTOM-AP (IDR: Not set) AP[1]: AHB-AP (IDR: Not set) AP[1]: Skipped. Invalid implementer code read from CPUIDVal[31:24] = 0x00 AP map detection skipped. Manually configured AP map found. AP[0]: CUSTOM-AP (IDR: Not set) AP[1]: AHB-AP (IDR: Not set) AP[1]: Skipped. Invalid implementer code read from CPUIDVal[31:24] = 0x00 ************************** WARNING: CPU could not be halted ************************** ****** Error: Could not find core in Coresight setup ---------------------------------------- If anyone is using a J-Link or J-Trace and ideally GDB to do any meaningful debugging or tracing on the MPS2+ any suggestions on proper setup would be valuable, and I'm happy to document an eventual working config for inclusion in the project doc files. Barring that, an alternative GDB-based setup would be useful if someone has a known-good solution? Best regards, Kevin Townsend

4 years, 8 months

1
0
0 0

Re: [TF-M] Changes to CI for python dependencies

by Kevin Townsend

Hi Minos, Thanks for the detailed reply/explanation. This sounds similar to the CI setup for Zephyr where I test changes locally first. I'm happy to put together a change request for this, based on any feedback here (if it's deemed worth merging in, etc.): https://review.trustedfirmware.org/c/trusted-firmware-m/+/1695 Best regards, Kevin On Mon, 5 Aug 2019 at 15:34, Minos Galanakis via TF-M <tf-m(a)lists.trustedfirmware.org> wrote: > > The CI comprises of three modules. The Jenkins logic, the Python Scripts and the docker build slave. > > > The environment is provided by the docker build slave and provisioned into the pipeline flow when the venv is created for each stage: > > virtualenv -p python3 ${VENV_P3_NAME} --system-site-packages > > No requirements are installed at the Jenkins Stage, but if needed as an one-off (i.e. for staging purposes), the design supports it. > > > The case for installing Python requirements on the fly using requirements.txt > > > Extending requirements dynamically on the fly, can be quite a challenge due to the way Jenkins handles the absolute resolution of workspace directory on each step. In short Python’s virtual-environment stores the configuration paths in absolute format, while Jenkins is not guaranteed to give you the same reference to a working directory in consecutive calls in the pipeline. > > So if you create a venv at stage 1, which evaluates ~/ as /server/workspace/fubar-job/venv/.. and then attempt to call it in a following parallel step, the code may be located at /server/workspace/1/fubar-job/venv > > At this point you can either create the VENV in each stage, and reinstall the requirements, effectively wasting bandwidth or hack it by piping everything in SED before activating to ensure the path is resolved correctly. > > For that purposes the ci-scripts level requirements.txt will be deprecated in the next feature update. > > > How should a user access or modify the TF-M Build environment. > > > Environment will be established at the docker build stage. > > https://review.trustedfirmware.org/admin/repos/ci/dockerfiles > > And more specifically the requirements for Python3 in this file: > > https://git.trustedfirmware.org/ci/dockerfiles.git/tree/xenial-amd64-tf-m-b… > > After it has been updated and merged you should raise a ticket and request the image to get rebuilt, or if it is not very critical, wait for some other party change to trigger the build. > > The process requires creating local docker image, meant to test your changes but also allowing you to access the TF-M build environment as deployed on the CI. You can do that following the steps below: > > > # Get the docker image > > $ git clone https://review.trustedfirmware.org/ci/dockerfiles && cd dockerfiles/xenial-amd64-tf-m-build > > # Edit the entry point to convert it not to be a jenkins-slave > > $ vi Dockerfile > > # change ENTRYPOINT ["/usr/local/bin/jenkins-slave"] to ENTRYPOINT [/bin/bash"], save exit > > # Build the image > > $ docker build ./ > > # Find the image hash id > > $ docker image ls > > # Run an interactive bash shell, mounting a local directory as /opt/openci in instance (if required to share files) > > $ docker run -it --name tf-m-build-env -v /YOUR_CUSTOM_PATH:/opt/openci 10bcb173cd39 > > # You can relaunch that instance in the future by starting it again. > > $ docker start && docker -exec -it tf-m-build-env /bin/bash > > > > Please let me know if you need more clarity or guidance on how to handle modifications on the CI. > > > Regards, > > Minos Galanakis > > ________________________________ > From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Antonio De Angelis via TF-M <tf-m(a)lists.trustedfirmware.org> > Sent: 02 August 2019 14:57 > To: tf-m(a)lists.trustedfirmware.org <tf-m(a)lists.trustedfirmware.org> > Cc: nd <nd(a)arm.com> > Subject: Re: [TF-M] Changes to CI for python dependencies > > +Minos now > > -----Original Message----- > From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Antonio De Angelis via TF-M > Sent: 02 August 2019 14:47 > To: tf-m(a)lists.trustedfirmware.org > Subject: Re: [TF-M] Changes to CI for python dependencies > > Minos, could you have a look at this? > > Thanks, > Antonio > > -----Original Message----- > From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Kevin Townsend via TF-M > Sent: 02 August 2019 12:44 > To: Thomas Törnblom via TF-M <tf-m(a)lists.trustedfirmware.org> > Subject: [TF-M] Changes to CI for python dependencies > > In an effort to migrate to the more modern 'cryptography' module in imgtool.py (which mcuboot has already switched to upstream), I created a change request here: > https://review.trustedfirmware.org/c/trusted-firmware-m/+/1695 > > The change fails in CI, however, due to the missing cryptography module in the CI build environment: > https://ci.trustedfirmware.org/job/tf-m-build-test-review/1740/artifact/bui… > > This brings up the following issues: > > - How can/should changes be made to the CI build environment? > - Can the overall TF-M installation process be improved automating > Python module installation via a requirements.txt file? > > Adding a requirements.txt file means that file could be run when the CI environment starts a new test build, taking into account any dependency changes that are part of the change request (version updates, etc.). > > This would also have the positive side effect of users no longer having to scan through tfm_sw_requirement.rst to see what they don't have installed, or parse build failures for missing module names. > > I'm happy to make a new change request adding a requirements.txt file, and update the documentation accordingly, but t's not clear to me how to propose the required changes to the CI setup? > > Best regards, > Kevin Townsend > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m

4 years, 8 months

2
1
0 0

Re: [TF-M] independent device driver model working along side SPM

by Miklos Balint

Hi Manoj, Please elaborate on the problem you are seeing and the steps you want to take so we can consider if it's something TF-M is in the process of addressing or if it is out of scope. On first read I feel there's a contradiction: The point of having TF-M - or any secure "supervising entity" - in the system is that it has awareness of the goings-on in the system, understands the states of parallel contexts that are supported by the hardware, to control its security aspects. Having a device driver "not plugged in TF-M" would, on the face of it, defeat the purpose of TF-M as a management entity, and the device driver would need not only to handle its own threat vectors, but any potential collisions with TF-M's understanding and control of the system state, making it, in effect, part of the management entity. So rather than the driver being not plugged in, I guess what we need to work out is how TF-M can be extended to cover the type of use case you are working on, without compromising the holistic security model that TF-M implements - but there's no one-size-fits-all solution. Thanks and regards Miklos -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of R, Manoj via TF-M Sent: 05 July 2019 10:24 To: tf-m(a)lists.trustedfirmware.org Subject: [TF-M] independent device driver model working along side SPM Hi, Is there a design guideline available for device driver which is working on secure side alongside SPM. I do not want to plug my driver in TF-M due to latency considerations. Basically my plan is to introduce non secure callable veneers for calling the interfaces of the driver which I am introducing. Any thoughts on this will be helpful. Regards Manoj -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

4 years, 8 months

2
5
0 0

2024

2023

2022

2021

2020

2019

2018

TF-M August 2019