- TF-M - lists.trustedfirmware.org

TF-M psa crypto test do not set the algorithms in psa_key_attributes_t

by Swarowsky, Markus

Hello, I was adding sanity checks to the psa_crypto_driver_wrappers to validate bits/type and policy->alg of the given psa_key_attributes_t attributes for the psa_generate_key, psa_import_key, and psa_copy_key calls. To check it the given combination is within the psa specification. In the PSA crypto spec it says: The key permitted-algorithm policy is required for keys that will be used for a cryptographic operation, see Permitted algorithms<https://armmbed.github.io/mbed-crypto/html/api/keys/policy.html#permitted-a…>. [https://armmbed.github.io/mbed-crypto/html/api/keys/management.html?highlig…] Which is most likely the case for all key types except of PSA_KEY_TYPE_RAW_DATA But after adding the sanity checks the TF-M crypto tests(test_c*_testing_* and TFM_S/NS_CRYPTO_TEST_10*) failed. I took a look at these tests, it turned out that they don't set the algorithm flag for the key attributes. My question now is, is the algorithm flag skipped on purpose or just missed during the test case creation as It should be set according to the psa crypto spec? Thanks for the help and the feedback Markus Swarowsky | R & D Engineer M +47 404 66 922 | Trondheim, Norway nordicsemi.com<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nordic…> | devzone.nordicsemi.com<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdevzone.n…> Facebook<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.faceb…> | LinkedIn<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linke…> | Twitter<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.c…> | YouTube<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtu…> | Instagram<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.insta…> [Nordic_logo_signature]<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nordic…>

3 years

2
5
0 0

TF-M Open CI Unstable

by Xinyu Zhang

Hi, TF-M Open CI is unstable for the time being because of the ArmClang license issue in Jenkins. Sorry for any inconvenience! I'll let you know once it is back to normal. Thanks, Xinyu

3 years

1
1
0 0

[RFC]Moving faults handlers to dedicated file

by Kevin Peng

Dear platform owners, I'm moving faults handlers to dedicated files from spm_hal.c as this file should be for Library Model only. https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/16858 Please check your platforms respectively. Plan to merge it on next Monday. Best Regards, Kevin

3 years

1
0
0 0

Level 3 Isolation improvements

by Bohdan.Hunko＠infineon.com

Hi everyone, I have several questions related to L3 isolation in TFM. First of all, FFM specifies that: * In L3 PSA RoT partitions does not need to be isolated from SPM (and vice versa) * PSA RoT partitions does not need to be isolated from each other * PSA RoT partitions and SPM must be isolated from APP RoT partitions * APP RoT partitions must be isolated from each other This picture from TFM docs<https://tf-m-user-guide.trustedfirmware.org/docs/technical_references/desig…> seem to illustrate statements above. Currently platforms with L3 support (e.g. an521) follow the rules stated above. They achieve this by executing PSA RoT partitions and SPM in privileged mode, and APP RoT partitions in unprivileged mode. Partition boundaries are only updated when switching to APP RoT partition. From description of tfm_hal_activate_boundary (see code here<https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/secure_fw/…>) and this an521 code<https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/e…> seems like platform can determine whether partition will be executed in privileged or unprivileged mode. So my questions are: 1. For improved isolation in L3 does it make sense to: * isolate SPM from PSA RoT partitions * isolate PSA RoT partitions from each other (like APP RoT partitions are isolated) 1. If question 1 make sense then can platform achieve this improved isolation with current code base? From this an521 code<https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/e…> it seems like platform may set all partitions to be executed in unprivileged mode and dynamically switch boundaries between them (between both PSA and APP RoT partitions). SPM will remain in privileged mode. It seems like this approach is possible with minor changes to SPM. For example this code will need<https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/secure_fw/…> to be changed to call tfm_hal_activate_boundary regardless of partition privilege level. Are there any other changes needed to make this approach work? Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

3 years

2
5
0 0

Enable stack protection in the regression tests

by Swarowsky, Markus

Hey, While trying to debug a crash in the TF-M regression tests, I noticed that the msplim_ns register is set to 0x0, leaving the non-secure application without any stack to protection, sadly I wasn't able to figure out how to enable the stack protection, which would be nice as we suspect that a stack overflow could cause the crash. Therefore, I would be interested if it possible to enable stack protection for the non-secure application of the TF-M regression tests and if so, how? Thanks for the help Markus Swarowsky | R & D Engineer M +47 404 66 922 | Trondheim, Norway nordicsemi.com<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nordic…> | devzone.nordicsemi.com<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdevzone.n…> Facebook<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.faceb…> | LinkedIn<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linke…> | Twitter<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.c…> | YouTube<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtu…> | Instagram<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.insta…> [Nordic_logo_signature]<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nordic…>

3 years

5
4
0 0

Partition assets attributes

by Bohdan.Hunko＠infineon.com

Hi everyone, I have several questions related to partition assets attributes. FFM specifies 2 types of assets (mmio_regions): * Named MMIO region * Numbered MMIO region FFM does not really specify the use cases for these 2 different types. I expect that Named region is only used for peripherals and numbered region is only used for memory regions. Am I right here? If no, then what the use cases for these 2 types are and what is currently supported in TFM? Also I see that in tools/templates/partition_load_info.template lines 221-224 ASSET_ATTR_NUMBERED_MMIO or ASSET_ATTR_NAMED_MMIO are assigned for assets from manifest files depending on their type, but tools/templates/partition_load_info.template#187<https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/tools/temp…> does not assign any of these attributes for "PART_REGION_ADDR(PT_{{manifest.name}}_PRIVATE, _DATA_START$$Base)" at isolation level 3. Is this some a bug or I am missing some knowledge on this mmio_regions stuff? Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

3 years, 1 month

2
3
0 0

TF-M Library model deprecation proposal

by Anton Komlev

Hello, Following tech forum today and the presentation on August 18 (to be published asap), I propose to deprecate TF-M library model as an obsolete and replace it with SFN model as a successor. PSA compliant SFN and IPC, defined in FF_M will then be the 2 supported models in TF-M going forward. Please share your thoughts and concerns on the proposal. Having no objections, we will depreciate the Library model after October 1 and it will be removed in TF-M v1.7.0 Thanks, and best regards, Anton

3 years, 1 month

1
1
0 0

Template implementations used in production

by Bøe, Sebastian

Hi, we wish to avoid the pitfalls of "doing your own security", and at the same time not use dummy/template code that is not meant for production. May I ask if it is still accurate what the docs say here about the template folder, namely that nothing in the template folder should be used in production without being ported first? This directory contains platform-independent dummy implementations of the interfaces in platform/include. These implementations can be built directly for initial testing of a platform port, or used as a basic template for a real implementation for a particular target. They must not be used in production systems. $ ls platform/ext/common/template/ attest_hal.c flash_otp_nv_counters_backend.c otp_flash.c tfm_initial_attest_pub_key.c crypto_keys.c flash_otp_nv_counters_backend.h tfm_fih_rng.c tfm_rotpk.c crypto_nv_seed.c nv_counters.c tfm_initial_attestation_key.pem tfm_symmetric_iak.key

3 years, 1 month

2
1
0 0

SFN non-secure interface sources

by Andersson, Joakim

Hi. I was testing the SFN model on the TF-M 1.6 release and I am confused about which API source files should be used for the non-secure application. The documentation here is lacking, so I am going by what we do in the build scripts of TF-M and tf-m-tests. The non-secure source files that are exported and included in the nonsecure API library are tfm_<partition>_ipc_api.c. This strikes me as odd, to use the IPC source files for the SFN model. If this is correct the naming is misleading. From the code the selection is done based on PSA_API definition. Based on this if this is the correct source files to use then I would think this should either be documented or renamed to something that better reflect the use, perhaps tfm_<partition>_psa_api.c? In the documentation there is a lot of room for improvements, the existence of tfm_<partition>_secure_api.c could lead to confusion since it is not always well described. tfm_attestation_integration_guide.rst: System integrators might need to port these interfaces to a custom secure partition manager implementation (SPM). Implementations in TF-M project can be found here: - ``interface/src/tfm_initial_attestation_func_api.c``: non-secure interface implementation for library model - ``interface/src/tfm_initial_attestation_ipc_api.c``: non-secure interface implementation for IPC model - ``secure_fw/partitions/initial_attestation/tfm_attestation_secure_api.c``: secure interface implementation Here it is not clear to me what "secure interface implementation" means, it could be interpreted as the SFN API. tfm_crypto_integration_guide.rst: - ``tfm_crypto_secure_api.c`` : This module implements the PSA Crypto API client interface exposed to the Secure Processing Environment Here it is clearer that tfm_<partition>_secure_api.c is the interface to the SPE. However the documented NSPE interface source file does not even exist, and does not explain the IPC / FUNC difference: | NSPE client API interface | This module exports the client API of PSA Crypto to the NSPE | ``./interface/src/tfm_crypto_api.c`` tfm_fwu_service.rst: | NSPE client API interface | This module exports the client API of PSA Firmware Update to | ``./interface/src/tfm_firmware_update_func_api.c`` | | | the NSPE(i.e. to the applications). | ``./interface/src/tfm_firmware_update_ipc_api.c`` | Here it is mentioned the two possible source files, but it is not specified when to use which source file. Generally: Between all the services this is not consistently listed, for example the tfm_its_service.rst file does not have the table of source files. If there is a general description of the non-secure interface sources, I couldn't find it. -Joakim AnderSSON

3 years, 1 month

2
1
0 0

Failure mode of protected storage with faulty NV counters?

by Jeremy Herbert

Hi, I am not too familiar with TF-M, so please forgive me if this is a silly question. The protected storage APIs appear to require the use of on-die flash to store a non-volatile counter that is used for rollback protection. This is severely limiting in terms of the number of writes, because basically you get as many writes as the endurance of the flash on the MCU (for example, the nordic cortex M33 devices have a rated write endurance of 10k cycles per page, and I don't think there is any wear levelling in TF-M). For example, assuming that a device was configured to write to the protected storage on boot, one could pretty easily exhaust this flash in a few hours by continuously power cycling it. Even if the 10k writes is a very conservative rating, it seems pretty likely that the counter flash will fail before UINT32_MAX. My question is: what happens to the security and functionality of the protected storage if the internal NV flash write fails silently? I don't know much about the semiconductor physics at play here, but presumably it could fail to make the counter a constant number, or fail to a random number. I had a quick look but there don't appear to be any checks in the code to ensure that a value was actually written correctly to the NV counters flash in case of silent corruption - it seems to just assume that any error would be detectable by some return code from the flash write driver. I was looking for some check like: if (value_to_write != value_read_back) return FLASH_WORN_OUT_ERROR; But I wasn't able to find it. So assuming it isn't actually there, if the counter fails to a constant (which is not UINT32_MAX) then presumably the rollback protection would be broken for all writes after that point (and maybe some before depending on the constant). If it fails to a random number, then it would be broken in a more "random" way - ie it would randomly work/not work depending on the value of the counter, until all UINT32_MAX numbers are randomly selected as the counter value. Also, given that typical AEAD ciphers like AES-GCM typically fail catastrophically with nonce reuse and the protected storage is indeed AEAD (though I can't quite work out yet which cipher is used), if these non-volatile counters are used to generate a nonce then potentially the encryption of the device could be broken just by rebooting the device until the flash is worn out, and then the nonce will be reused if the flash fails to a constant value. Could someone please help me clear up if my understanding here is correct? As is, I am struggling a bit to understand how to use the protected storage API in a secure way with this constraint, because if an attacker has any way to repeatedly cause a flash write it is basically game over. Any help would be greatly appreciated. Thanks, Jeremy

3 years, 1 month

4
15
0 0

Re: [TF-M] Supporting encryption with ITS

by Sherry Zhang

Hi George, The ITS without encryption is not a compromised RoT. In the PSA Secure Storage API spec, the PSA Internal Trust Storage aims at providing a place for devices to store their most intimate secrets. Also “””””””””””””””””””” 1. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from read and modification by attackers with physical access to the device. 2. The storage underlying the PSA Internal Trusted Storage Service MUST be protected from direct read or write access from software partitions outside of the PSA Root of Trust (PRoT). “””””””””””””””””””” So, for internal trusted storage service, it requires the underlying storage itself should provide being read or write protection. The storage area should be a “trusted” area. Does the storage area on your device meet this requirement? Is the memory physically isolated? If not, I wonder why not uses the Protected Storage service instead? For the design of adding encryption in ITS, in the PS partition, the `iv` and the encrypted object data are stored with the object file while the tag of each object is stored with the object table file. So, if encrypt the PS object in the ITS file system, how the PS partition get the `tag` of each object? After a rough thought, I think probably a standalone encryption for ITS is more reasonable. As this is a relatively “big topic”, would you like to hold a discussion on the TF-M Tech forum if it is not limited by confidential information? The next Tech forum will be hold on this Thursday 3:00 PM UTC time. Regards, Sherry Zhang From: Vasilakis, Georgios <georgios.vasilakis(a)nordicsemi.no<mailto:georgios.vasilakis@nordicsemi.no>> Sent: Friday, September 24, 2021 8:52 PM To: Sherry Zhang <Sherry.Zhang2(a)arm.com<mailto:Sherry.Zhang2@arm.com>>; tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> Cc: nd <nd(a)arm.com<mailto:nd@arm.com>> Subject: Re: [TF-M] Supporting encryption with ITS Hello Sherry, Thank you for your input! 1. Our threat model is more concerned about attacks which can happen very early in the boot process, I think. A completely compromised RoT is not in our threat model. 2. I see that, ITS is supposed to store small objects. The storage overhead of adding encryption will be probably bigger than 20 bytes I think but the intention is to have this only as a configuration, not as the default option. 3. Agreed, a HAL API should be used for this. Do you have any opinion on the design of it? Do you think that it adds value to do try to use a common design for the object handling of both PS and ITS or is it better to have it as a standalone thing for the ITS. Regards, George ________________________________ From: Sherry Zhang <Sherry.Zhang2(a)arm.com<mailto:Sherry.Zhang2@arm.com>> Sent: Friday, September 24, 2021 11:58 AM To: Vasilakis, Georgios <georgios.vasilakis(a)nordicsemi.no<mailto:georgios.vasilakis@nordicsemi.no>>; tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>> Cc: nd <nd(a)arm.com<mailto:nd@arm.com>> Subject: RE: [TF-M] Supporting encryption with ITS Hi George, Some comments from my side: 1. Internal trusted storage is part of the Root of Trust domain. If ITS storage device is attacked, then the code flash where the PSA Rot SP locates may also be attacked. Does the thread model of your system require the encryption in ITS? 2. The ITS service is intended to be used to interface to a small piece of storage. Encryption would increase the context for each ITS file. For example, similarly to PS object context, the `IV` which is used in encryption as well as the generated `tag` should be added into each file context. They total together can be about more than 20 bytes. 3. If the encryption is mandatory/ necessary required by the thread model of your system, as discussed, the PSA crypto service should not be called to avoid the circular. I think a HAL API for encryption may be created in ITS for platform implementation defined encryption/decryption. Regards, Sherry Zhang From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Vasilakis, Georgios via TF-M Sent: Thursday, September 23, 2021 10:47 PM To: Gyorgy Szing <Gyorgy.Szing(a)arm.com<mailto:Gyorgy.Szing@arm.com>>; Fabian Schmidt <fabian.schmidt(a)nxp.com<mailto:fabian.schmidt@nxp.com>> Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>; tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> Subject: Re: [TF-M] Supporting encryption with ITS Hey Gyorgy, These are very valuable comments! I am aware of the circular dependency issue because the PSA apis are using the ITS as a storage backend. This, as you said, can be circumvented by using a software crypto library or an implementation specific API. So, for the encryption a flexible API can be used which can allow externals to use their own function calls. Regarding the key storage, this is what I had in mind as well, using derived keys from the HUK. So that we don't need to store anything but the crypto metadata. Adding another layer of storage will raise more issues, I think. ________________________________ From: Gyorgy Szing <Gyorgy.Szing(a)arm.com<mailto:Gyorgy.Szing@arm.com>> Sent: Thursday, September 23, 2021 4:30 PM To: Fabian Schmidt <fabian.schmidt(a)nxp.com<mailto:fabian.schmidt@nxp.com>>; Vasilakis, Georgios <georgios.vasilakis(a)nordicsemi.no<mailto:georgios.vasilakis@nordicsemi.no>> Cc: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>; nd <nd(a)arm.com<mailto:nd@arm.com>> Subject: RE: [TF-M] Supporting encryption with ITS Hi, AFAIK the main reason for ITS not using encryption is the problem of circular dependency. ITS is used by crypto SP for key storage, so how will crypto fetch the key from ITS to decrypt ITS? You could use a software crypto implementation (another mbed-tls instance) in ITS, but where would you safely store the keys? If you have a two layer ITS, one for only storing the keys for the second instance, and a second, encrypted one, then you end up with something like ITS and PS. You may not need a full blown on-chip FLASH device for ITS. If you have a HUK available, you can derive the same SP specific keys from that at each boot, and store these in RAM backed ITS. You won’t be able to store other keys in ITS in a persistent way of course, but for that you can use PS. Well, something along these lines. Perhaps the TF-M team could help better if you could share some details on why your customer would need encrypted ITS. (A PSA for Cortex-A (TS) maintainer chiming in to a “not his business” discussion here 😉 ) /George From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Fabian Schmidt via TF-M Sent: September 23, 2021 15:51 To: Vasilakis, Georgios <georgios.vasilakis(a)nordicsemi.no<mailto:georgios.vasilakis@nordicsemi.no>> Cc: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> Subject: Re: [TF-M] Supporting encryption with ITS Hi George, I’m wondering if that would add value. To my understanding, ITS was never designed to be encrypted because of the way it’s supposed to be set up. (It’s Internal Trusted Storage.) I believe best practice is to place it in a “trusted” location, one that is ideally only accessible from Secure world, and also ideally on-die. If you then restrict outside access to the internal flash (JTAG, flash programmer ports,…), you’re pretty golden, in that no unauthorized party should be able to read from or write to the ITS.* Let me know if I misunderstand anything about ITS or TrustZone, but that’s my view. Maybe I’m painting an idealized picture. Greetings, Fabian Schmidt * at least short of a sophisticated physical attack or finding some loophole in TrustZone… From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Vasilakis, Georgios via TF-M Sent: Donnerstag, 23. September 2021 15:28 To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> Subject: [EXT] [TF-M] Supporting encryption with ITS Caution: EXT Email Hey all, Lately the requirement for an encrypted ITS solution is being asked from our customers and I would like to have a discussion here on how we can design this in a reasonable way. The first thought that came to my mind was to add the functionality to the ITS flash-fs layer. This layer contains file metadata in the its_file_meta_t structure and it should be possible to expand this to include additional crypto metadata (conditionally). This seems to be the less invasive change to me, even though it will introduce some increased memory usage since supporting encryption will mean that we cannot read the data in chunks anymore, we will have to use static buffers. At the same time, I looked at the PS partition since I knew that it has support for encryption. I believe that some core concepts of both solutions have similarities even though the code is quite different. For example, a file in ITS is similar to an object in PS and the (linear) list of file metadata in ITS is similar to the concept of the object table in PS. So, I think that it should be possible to design some generic-enough APIs that we can use for both the ITS and PS. Even though this will require some major refactoring in both partitions, it will decrease the code of these services which will probably decrease maintenance later. What are your thoughts on this? Regards, George

3 years, 1 month

6
16
0 0

Re: Status of RSS platform?

by Maulik Patel

Hi Chris, RSS build requires new runtime Measured Boot Service. This service partition is not yet part of PSA specification and hence it resides in the tf-m-extras repository. (https://git.trustedfirmware.org/TF-M/tf-m-extras.git/) For out of tree partition build, if you map the tf-m-extras repo and provideTFM_EXTRA_MANIFEST_LIST_FILES =<path_to_measured_boot_manifest_list.yaml> and TFM_EXTRA_PARTITION_PATHS=<path_to_measured_boot_partition> (example as below), then it should fix build issue. -DTFM_EXTRA_MANIFEST_LIST_FILES=../../tf-m-extras/partitions/measured_boot/measured_boot_manifest_list.yaml -DTFM_EXTRA_PARTITION_PATHS=../../tf-m-extras/partitions/measured_boot If the error persists, could you please send me the build options you are using and I'll look into this further. Best Regards, Maulik ________________________________ From: tf-m-request(a)lists.trustedfirmware.org <tf-m-request(a)lists.trustedfirmware.org> Sent: Wednesday, September 7, 2022 1:00 AM To: tf-m(a)lists.trustedfirmware.org <tf-m(a)lists.trustedfirmware.org> Subject: TF-M Digest, Vol 47, Issue 7 Send TF-M mailing list submissions to tf-m(a)lists.trustedfirmware.org To subscribe or unsubscribe via email, send a message with subject or body 'help' to tf-m-request(a)lists.trustedfirmware.org You can reach the person managing the list at tf-m-owner(a)lists.trustedfirmware.org When replying, please edit your Subject line so it is more specific than "Re: Contents of TF-M digest..." Today's Topics: 1. Status of RSS platform? (Chris.Brand(a)infineon.com) ---------------------------------------------------------------------- Message: 1 Date: Tue, 6 Sep 2022 21:48:05 +0000 From: <Chris.Brand(a)infineon.com> Subject: [TF-M] Status of RSS platform? To: <tf-m(a)lists.trustedfirmware.org> Message-ID: <2441d128df93483abc1da39c38e89885(a)infineon.com> Content-Type: multipart/alternative; boundary="_000_2441d128df93483abc1da39c38e89885infineoncom_" Hi, I'm wondering what the status of the RSS platform is. I tried to build it from the current HEAD of master and also from a few earlier commits, and cannot get it to build (I get an error about TFM_MEASURED_BOOT_SID being undeclared in some of the generated code). I was curious about the implementation of tfm_hal_get_mem_security_attr(), tfm_hal_get_secure_access_attr() and tfm_hal_get_ns_access_attr() on an ARMv8 multi-core platform, but there doesn't currently seem to be an implementation of those HAL functions. Thanks, Chris Brand Cypress Semiconductor (Canada), Inc. An Infineon Technologies Company Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand(a)infineon.com<mailto:Chris.Brand@infineon.com> International Place 13700 V6V 2X8 Richmond Canada www.infineon.com<www.cypress.com<http://www.cypress.com>> www.cypress.com<http://www.cypress.com> Discoveries<http://www.infineon.com/discoveries> Facebook<http://www.facebook.com/infineon> Twitter<http://www.twitter.com/Infineon> LinkedIn<http://www.linkedin.com/company/infineon-technologies> Part of your life. Part of tomorrow. NOTICE: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material of Infineon Technologies AG and its affiliated entities which is for the exclusive use of the individual designated above as the recipient. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact immediately the sender by returning e-mail and delete the material from any computer. If you are not the specified recipient, you are hereby notified that all disclosure, reproduction, distribution or action taken on the basis of this message is prohibited.

3 years, 1 month

3
3
0 0

TF-M configurability

by Anton Komlev

Hello, Recently we discussed the movement of relevant options into C header files as a potential configuration improvement. By this mail thread, I would like to provoke discussion on what else we are lacking in TF-M configurability and thoughts to make it better. Please share your ideas to review them in the upcoming tech forum. Thanks, Anton

3 years, 1 month

2
2
0 0

Status of RSS platform?

by Chris.Brand＠infineon.com

Hi, I'm wondering what the status of the RSS platform is. I tried to build it from the current HEAD of master and also from a few earlier commits, and cannot get it to build (I get an error about TFM_MEASURED_BOOT_SID being undeclared in some of the generated code). I was curious about the implementation of tfm_hal_get_mem_security_attr(), tfm_hal_get_secure_access_attr() and tfm_hal_get_ns_access_attr() on an ARMv8 multi-core platform, but there doesn't currently seem to be an implementation of those HAL functions. Thanks, Chris Brand Cypress Semiconductor (Canada), Inc. An Infineon Technologies Company Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand(a)infineon.com<mailto:Chris.Brand@infineon.com> International Place 13700 V6V 2X8 Richmond Canada www.infineon.com<www.cypress.com> www.cypress.com<http://www.cypress.com> Discoveries<http://www.infineon.com/discoveries> Facebook<http://www.facebook.com/infineon> Twitter<http://www.twitter.com/Infineon> LinkedIn<http://www.linkedin.com/company/infineon-technologies> Part of your life. Part of tomorrow. NOTICE: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material of Infineon Technologies AG and its affiliated entities which is for the exclusive use of the individual designated above as the recipient. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact immediately the sender by returning e-mail and delete the material from any computer. If you are not the specified recipient, you are hereby notified that all disclosure, reproduction, distribution or action taken on the basis of this message is prohibited.

3 years, 1 month

2
1
0 0

Reproducible test builds

by Bøe, Sebastian

Hello, when building TF-M you get the same result no matter what computer you build from assuming all the tooling is the same version. The builds are reproducible in other words. But when building TF-M together with the tests, e.g. by building the regression test suite you will get a different binary depending on where in the filesystem the tf-m-tests repository has been installed. This is because the TEST_FAIL macro uses the gcc macro _FILE_ which injects the absolute paths of source files into strings in the binary. This is a big problem for people using CI systems as a different sized binary can affect race conditions, flash region usage overflows, etc.. I think we should make builds reproducible by default, possibly with a configuration for adding absolute paths into the binary for those that prefer so. I would like to write a patch to this affect, but would prefer to get some feedback now so I don't have to re-write it in review. The simplest solution is to remove __FILE__ from the TEST_FAIL macro,but this would remove useful information and may also fail in the future if someone else uses __FILE__. The more common way of solving this problem is to add a flag to the compiler that instructs it to replace any occurrences of the absolute path with something else during macro expansion. For instance replace "C:/repos/tf-m-tests/source_file.c" with "TFM_TESTS/source_file.c". For gcc the flag is -fmacro-prefix-map=<old_string>=<new_string>. I don't know what the flag is for the other supported compilers or if they support it at all. Would it be OK to only support reproducible builds for the compilers that support an equivalent of macro-prefix-map?

3 years, 1 month

2
4
0 0

What do you think using configuration headers in TF-M ?

by Anton Komlev

Hello, TF-M has many options to configure. All of them are declared as a CMake variables and many of them translated to compiler definitions later. Since the idea of TF-M configuration via config header file(s) was warmly received on the last tech forum I would like to check with community opinion on such hypothetical move: Configure TF-M via definitions in header files while leave CMake for a building control only. Please share your thoughts, opinions and the possible dependencies. Thanks, Anton

3 years, 1 month

6
9
0 0

[RFC] Fault Injection Hardening (FIH) re-enablement on AN521 are ready for review

by Ken Liu

Hello, The FIH functionality reference implementation on AN521 was there before, and then get turned off last year because it increases the effort of updating the HAL interface. Now the HAL interface update is done, this functionality is re-enabled on AN521, based on the updated HAL. The patches are pushed for your review: https://review.trustedfirmware.org/q/topic:%22FIH_AN521_RE%22+(status:open%… The mechanism is mainly the same as the previous implementation, The document is under modifying to reflect the re-enablement changes but still can be read to recall the general concept: https://tf-m-user-guide.trustedfirmware.org/technical_references/design_doc… Please leave your comments in the patches or do overall discussions in this mail thread. Thanks! /Ken

3 years, 1 month

1
0
0 0

AN524 Flash_Driver issue consult

by jidong.mei＠armchina.com

Hi All : I'm developing Flash Driver for TF-M AN524 demo , and trobuled by some code logic . It's that : For , AN524 , PS storage Area is redirect to BRAM , so PS area related read and write can be done using memcpy without Flash driver being implementened . see : platform/ext/target/arm/mps3/an524/cmsis_driver/Driver_Flash.c /* Redirecting PS storage to BRAM */ if (addr >= FLASH_REDIRECT_BASE && addr <= FLASH_REDIRECT_LIMIT) { start_addr = FLASH_REDIRECT_DEST + (addr - FLASH_REDIRECT_BASE); /* PS Flash is emulated over BRAM. use memcpy function. */ memcpy((void *)start_addr, data, cnt); } else { /* Flash driver for QSPI is not ready */ return ARM_DRIVER_ERROR_UNSUPPORTED; } My question is : What the purpose of "else" branch above ? After I implement QSPI driver , in "if" branch , I remove redirect operation , and use Flash Write APIs to replace memcpy func. Then , shoud "else" branch be removed? Or , should I put Flash write driver in "else" branch , and keep "if" branch the same with origion? Best regards, Jidong Mei

3 years, 2 months

2
2
0 0

CMSIS in TF-M

by Chris.Brand＠infineon.com

TF-M includes platform/ext/cmsis, which is CMSIS v5.9.0 with some TF-M-specific changes. Looking at the history for that directory, it seems that we periodically update it and have to re-apply the TF-M-specific changes (which looks to be the naming of the stack and the copy table size). I'm wondering whether there's a plan to either push the TF-M changes into upstream CMSIS or to change TF-M so that they're not needed? It would be nice to just pull CMSIS from upstream like we do with other external libraries... Chris Brand Cypress Semiconductor (Canada), Inc. An Infineon Technologies Company Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand(a)infineon.com<mailto:Chris.Brand@infineon.com> International Place 13700 V6V 2X8 Richmond Canada www.infineon.com<www.cypress.com> www.cypress.com<http://www.cypress.com> Discoveries<http://www.infineon.com/discoveries> Facebook<http://www.facebook.com/infineon> Twitter<http://www.twitter.com/Infineon> LinkedIn<http://www.linkedin.com/company/infineon-technologies> Part of your life. Part of tomorrow. NOTICE: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material of Infineon Technologies AG and its affiliated entities which is for the exclusive use of the individual designated above as the recipient. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact immediately the sender by returning e-mail and delete the material from any computer. If you are not the specified recipient, you are hereby notified that all disclosure, reproduction, distribution or action taken on the basis of this message is prohibited.

3 years, 2 months

2
1
0 0

ITS/PS improvements

by Roman.Mazurak＠infineon.com

Hello all, I made a patch (https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/16214) that reorganize interaction between ITS partition, ITS file system and ITS flash driver. 1. ITS flash driver interface is decoupled from ITS file system. 2. ITS flash driver interface isn't dependent on upper layers like ITS FS or ITS. 3. ITS flash driver emulated in RAM (its_flash_ram) can be used without CMSIS flash driver even in production environment if needed. 4. Target can provide own implementation of ITS flash driver without implementing CMSIS flash driver. Which can be more flexible or simple in some cases. 5. Allocation of ITS flash driver instance by ITS partition is not dependent on lower layers like CMSIS driver. ITS partition uses abstract flash driver interface to bind ITS file system and driver instance. This changes gives following benefits. 1. Vendors can provide ITS flash driver without need to create an intermediate CMSIS flash driver. 2. It's possible to implement ITS encryption by adding a new ITS flash driver that performs encryption and uses existing drivers (NOR, NAND, RAM, platform specific) as the storage backend. 3. It's possible to use ITS file system + ITS encryption driver (b) for Protected Storage directly without additional context switching during access to PS file system handled by ITS partition. I think it should improve performance of PS. 4. Use ITS file system directly in application specific custom partitions by allocating ITS file system context and ITS flash driver. Best regards, Roman.

3 years, 2 months

1
0
0 0

Service vs Partition wording in manifest files

by Bohdan.Hunko＠infineon.com

Hi everyone, From what I see manifest lists (e.g. tools/tfm_manifest_list.yaml) describe partitions, but "name" field there (which is a description of the partition) uses "Service" word, for example: "name": "Protected Storage Service", Shouldn't this be "name": "Protected Storage Partition" ? Why do TFM uses Service when describing the Partition? Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

3 years, 2 months

3
12
0 0

TF-M Tech Forum minutes / upcoming Tech Forums calendar

by Don Harbin

Hi All, A gentle reminder that past TF-M Tech Forum minutes/recordings including the last one from August 4th can be found *here <https://www.trustedfirmware.org/meetings/tf-m-technical-forum/>* . Also, the public calendar that includes upcoming TF-M tech forums can be found *here* <https://www.trustedfirmware.org/meetings/>. Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

3 years, 2 months

1
0
0 0

Request about local test with IAR compiler

by Jianliang Shen

Hi, I made a patch<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/16106> to change CMSIS-RTOS RTX library attribute for ARMv8-M Mainline platforms in TF-M, the reference is CMSIS-RTOS2<https://www.keil.com/pack/doc/CMSIS/RTOS2/html/pDirectory_Files.html#libFil…>. As CI doesn't cover IAR compiler, I'm very grateful if someone who is convenient can help me build and run it with IAR toolchain locally. Best Regards Jianliang Shen

3 years, 2 months

1
0
0 0

Proposal for coding standard update: Increase chars per line 80-> 128.

by Anton Komlev

Hi, TF-M coding standard<https://tf-m-user-guide.trustedfirmware.org/contributing/coding_guide.html> mandates up to 80 characters per line. This looks a bit too restrictive nowadays with no punch cards or text terminals. I propose to increase this limit to 120 or 140 characters. Personally like 128. Are there any thoughts or objections against it? Thanks, Anton

3 years, 2 months

6
7
0 0

Example Partition Updates

by Kevin Peng

Hi all, Please be noted that the TF-M example Secure Partition has been moved from the tf-m-tools repo to the tf-m-extras<https://git.trustedfirmware.org/TF-M/tf-m-extras.git/tree/examples/example_…> repo. It has also been aligned with the latest TF-M. The documentations are improved as well. It could be a good reference for Secure Partition developer starters. Best Regards, Kevin

3 years, 2 months

2
2
0 0

Documentation improvements

by Anton Komlev

Hello, The project documentation will never be ideal and we are continuing improving it. Let me ask you for reply to this email with the pain points you have experienced or suggestions for improvements to be considered in this phase. Your direct contribution with docs articles will be much appreciated too. For example: TF-M debugging technics and experience would be very helpful. Thank you in advance, Anton

3 years, 2 months

3
3
0 0

TF-M CI build failures in master

by Andersson, Joakim

It looks like the TF-M CI has build failures in the master branch. The build log for tf-m-build-and-test has a lot of build errors: https://ci.trustedfirmware.org/blue/organizations/jenkins/tf-m-build-and-te… The following message is printed: [2022-08-01T11:14:49.204Z] Exception: Invalid "conditional" attribute: "TEST_NS_CORE" for TFM Core Test Service. Please set to one of ['on', 'true', 'enabled'] or ['off', 'false', 'disabled', ''], case-insensitive. [2022-08-01T11:14:49.204Z] CMake Error at tools/CMakeLists.txt:158 (message): [2022-08-01T11:14:49.204Z] File generation failed The top commit on master looks like a likely candidate for this problem: commit 56979ee5579dbb90bbf598af4c252259e5f20777 (tfm/master) Author: Kevin Peng kevin.peng(a)arm.com<mailto:kevin.peng@arm.com> Date: Thu May 12 12:11:31 2022 +0800 Tools: Pass build configurations through header file This patch adds a new configuration header file argument for the manifest tool. For example, this PR is triggering the issue: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/16110 Joakim Andersson | Senior R&D Engineer Trondheim, Norway nordicsemi.com<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nordic…> | devzone.nordicsemi.com<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdevzone.n…> Facebook<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.faceb…> | LinkedIn<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linke…> | Twitter<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.c…> | YouTube<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtu…> | Instagram<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.insta…> [Nordic_logo_signature]<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nordic…>

3 years, 3 months

3
3
0 0

[RFC]Decoupling manifest tool with build system

by Kevin Peng

[Thread res-used, title renamed] Hi all, This is now happening - fully support non-CMake use of the manifest tool. Here is the patch: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15756 With this patch, the manifest tool takes build configurations from a config header file instead of replying on the build system. Please check the details in the patch. Any comments are welcome. Best Regards, Kevin -----Original Message----- From: Andrej Butok <andrey.butok(a)nxp.com> Sent: Thursday, May 12, 2022 2:49 PM To: Kevin Peng <Kevin.Peng(a)arm.com>; Raef Coles <Raef.Coles(a)arm.com> Cc: tf-m(a)lists.trustedfirmware.org Subject: RE: Any usage of environment variables in manifest lists > If there are strong requirements on supporting the non-cmake usecase Yes, it is 😉 -----Original Message----- From: Kevin Peng via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: Thursday, May 12, 2022 5:46 AM To: Kevin Peng <Kevin.Peng(a)arm.com>; Raef Coles <Raef.Coles(a)arm.com>; tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: [TF-M] Re: Any usage of environment variables in manifest lists Well, I think I figured out a way to decouple them. If there are strong requirements on supporting the non-cmake usecase, I can try to work it out. Best Regards, Kevin -----Original Message----- From: Kevin Peng via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: Thursday, May 12, 2022 10:09 AM To: Raef Coles <Raef.Coles(a)arm.com>; tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: [TF-M] Re: Any usage of environment variables in manifest lists Yes. The manifest tool is now fully replying on CMake (it has been, since I introduced the conditional parsing of manifests around half a year ago). It needs to be aware of the build configurations. Best Regards, Kevin -----Original Message----- From: Raef Coles <Raef.Coles(a)arm.com> Sent: Wednesday, May 11, 2022 7:15 PM To: tf-m(a)lists.trustedfirmware.org; Kevin Peng <Kevin.Peng(a)arm.com> Cc: nd <nd(a)arm.com> Subject: Re: Any usage of environment variables in manifest lists Hey Kevin Does this mean that cmake will be required to generate the headers/etc from the manifests? I believe in the past we deliberately supported the non-cmake usecase, as some people were building TF-M in alternate ways. Raef ________________________________________ From: Kevin Peng via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: 11 May 2022 09:24 To: tf-m(a)lists.trustedfirmware.org Cc: nd Subject: [TF-M] Any usage of environment variables in manifest lists Hi, Is there anyone using environment variables for the "manifest" attribute in out-of-tree manifest lists? I'm asking because I'm working to support configurable stack_size for Secure Partitions<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tr…>. In the patch the support of environment variables in manifest lists is removed<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tr…>. Because I have to call the CMake command configure_file to replace the stack_size symbols (CMake variables<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tr…> surrounded with "@") with their values. While configure_file does not recognize environment variables. If you do have environment variables in manifest list, there is an alternative: Replace the env. variables with CMake variables surrounded with "@" and set the value of the CMake variables in either config files or command line inputs. Best Regards, Kevin -- TF-M mailing list -- tf-m(a)lists.trustedfirmware.org To unsubscribe send an email to tf-m-leave(a)lists.trustedfirmware.org -- TF-M mailing list -- tf-m(a)lists.trustedfirmware.org To unsubscribe send an email to tf-m-leave(a)lists.trustedfirmware.org

3 years, 3 months

1
1
0 0

Intended use of psa_reset_key_attributes()

by S Krishnan, Archanaa

Hi, What was the intended usage of psa_reset_key_attribute(*attributes) which requires a PSA call from non-secure side to reset the client attributes? I am curious because the attributes to be reset comes from the non-secure memory, not directly associated with ITS/PS. The current IPC setup performs a PSA call to tfm_crypto_rest_key_attributes()(https://git.trustedfirmware.org/TF-M/trust… This function creates a copy of client key attribute in a secure key attribute structure. The secure key attribute is reset (set to 0) and then copied back to the client key attribute before returning to non-secure code. At first glance, this seems like a roundabout way to zeorise client side attributes. Regards, Archanaa

3 years, 3 months

2
3
0 0

FW: [Tf-openci-triage] [Maintenance] - ci.staging.trustedfirmware.org down time 2022-07-22

by Xinyu Zhang

Hi All, FYI. Open CI will be down from 2022 07-22 18:00 UTC to 2022-07-22 22:00 UTC for Jenkins upgrade. Please let us know if there is any problem. Thanks Xinyu -----Original Message----- From: Kelley Spoon via Tf-openci-triage <tf-openci-triage(a)lists.trustedfirmware.org> Sent: Thursday, July 21, 2022 10:14 PM To: tf-openci(a)lists.trustedfirmware.org; tf-openci-triage(a)lists.trustedfirmware.org Subject: [Tf-openci-triage] [Maintenance] - ci.staging.trustedfirmware.org down time 2022-07-22 Hello All, The server will be offline to start a maintenance window on 2022-07-22 at 20:00 UTC. Jenkins will be put into "Shutdown Mode" at 2022-07-22 18:00 UTC to stop accepting new jobs and allow executing tasks to complete. This downtime is required to add a plugin to Jenkins to support new functionality required for a service being developed. The version of Jenkins and the plugins currently being run will not be changing. Emails will be sent prior to and following the upgrade to provide status reports. Start: 2022 07-22 18:00 UTC End: 2022-07-22 22:00 UTC Regards, -- Kelley Spoon <kelley.spoon(a)linaro.org> -- Tf-openci-triage mailing list -- tf-openci-triage(a)lists.trustedfirmware.org To unsubscribe send an email to tf-openci-triage-leave(a)lists.trustedfirmware.org

3 years, 3 months

1
0
0 0

ns_agent flag

by Chris.Brand＠infineon.com

In https://lists.trustedfirmware.org/archives/list/tf-m@lists.trustedfirmware.… Ken mentions the need for a special flag in the manifest to indicate a non-secure agent partition. The code change is fairly easy, I think, but the manifest file format is specified by PSA, and presumably would also need to change. How do we go about doing that? Thanks, Chris Brand Cypress Semiconductor (Canada), Inc. An Infineon Technologies Company Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand(a)infineon.com<mailto:Chris.Brand@infineon.com> International Place 13700 V6V 2X8 Richmond Canada www.infineon.com<www.cypress.com> www.cypress.com<http://www.cypress.com> Discoveries<http://www.infineon.com/discoveries> Facebook<http://www.facebook.com/infineon> Twitter<http://www.twitter.com/Infineon> LinkedIn<http://www.linkedin.com/company/infineon-technologies> Part of your life. Part of tomorrow. NOTICE: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material of Infineon Technologies AG and its affiliated entities which is for the exclusive use of the individual designated above as the recipient. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact immediately the sender by returning e-mail and delete the material from any computer. If you are not the specified recipient, you are hereby notified that all disclosure, reproduction, distribution or action taken on the basis of this message is prohibited.

3 years, 3 months

2
1
0 0

Last call for comments on patch 15362

by Chris.Brand＠infineon.com

Hi, We'd like to merge https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15362 which makes a small modification to all platform configs (TFM_CONFIG_USE_TRUSTZONE and TFM_MULTI_CORE_TOPOLOGY lose their default values and must be specified for every platform). Chris Brand Cypress Semiconductor (Canada), Inc. An Infineon Technologies Company Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand(a)infineon.com<mailto:Chris.Brand@infineon.com> International Place 13700 V6V 2X8 Richmond Canada www.infineon.com<www.cypress.com> www.cypress.com<http://www.cypress.com> Discoveries<http://www.infineon.com/discoveries> Facebook<http://www.facebook.com/infineon> Twitter<http://www.twitter.com/Infineon> LinkedIn<http://www.linkedin.com/company/infineon-technologies> Part of your life. Part of tomorrow. NOTICE: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material of Infineon Technologies AG and its affiliated entities which is for the exclusive use of the individual designated above as the recipient. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact immediately the sender by returning e-mail and delete the material from any computer. If you are not the specified recipient, you are hereby notified that all disclosure, reproduction, distribution or action taken on the basis of this message is prohibited.

3 years, 3 months

1
0
0 0

Re: [TF-A] Re: Rebooting LTS discussion

by Varun Wadekar

Hi Everyone, We presented a proposal at the Tech Forum yesterday to take the LTS idea forward. The recording link and password are provided below. This effort is important for the project, and we don't want to rush into something that is not useful. With holidays and other engagements, we want to provide more time to digest the information and provide feedback. We will schedule another Tech forum discussion in September to hear feedback/concerns/questions. See you soon! -Varun Recording: https://linaro-org.zoom.us/rec/share/wYFz4jQvpLZntYSamyjc5-n_bGNcx_RFm-amEd… Passcode: NUx82^W= From: Joanna Farley <Joanna.Farley(a)arm.com> Sent: Wednesday, 22 June 2022 3:05 PM To: Varun Wadekar <vwadekar(a)nvidia.com>; Okash Khawaja <okash(a)google.com> Cc: Matteo Carlini <Matteo.Carlini(a)arm.com>; tf-a(a)lists.trustedfirmware.org Subject: Re: [TF-A] Re: Rebooting LTS discussion External email: Use caution opening links or attachments Hi Everyone, I learnt today that our peer project (TF-M) are having a similar LTS discussion and have their own LTS Tech forum session tomorrow. Its an 8am BST(GMT+1) meeting start but I'm told the LTS discussion is mid agenda so expect the discussion on that to start around 8:30am. I'm told it's an information gathering session rather than a proposal session. Anyway the Zoom id of the call is below. These are recorded like TF-A sessions and will be uploaded to their Techforum page. Joanna This event has been changed with this note: "Extending end date" TF-M Tech forum When Changed: Every 4 weeks from 12am to 1am on Thursday Mountain Standard Time - Phoenix Where https://linaro-org.zoom.us/j/92535794925?pwd=TTl0cmo4R2hTNm8wcHo1M3ZKdjlnUT…<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flinaro-or…> (map<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.googl…>) Calendar anton.komlev(a)arm.com<mailto:anton.komlev@arm.com> Who * Don Harbin - creator * tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> * anton.komlev(a)arm.com<mailto:anton.komlev@arm.com> * leonardo.sandoval(a)linaro.org<mailto:leonardo.sandoval@linaro.org> * abdelmalek.omar1(a)gmail.com<mailto:abdelmalek.omar1@gmail.com> more details ><https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcalendar.…> About TF-M Tech forum: This is an open forum for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC. Feel free to forward it to colleagues. Details of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.googl…> ====Zoom==== Topic: TF-M Tech forum - Asia Time Zone Friendly Time: Nov 12, 2020 07:00 AM Greenwich Mean Time Every 4 weeks on Thu, until Mar 4, 2021, 5 occurrence(s) Nov 12, 2020 07:00 AM Dec 10, 2020 07:00 AM Jan 7, 2021 07:00 AM Feb 4, 2021 07:00 AM Mar 4, 2021 07:00 AM Please download and import the following iCalendar (.ics) files to your calendar system. Weekly: https://linaro-org.zoom.us/meeting/tJYodOyvpz8jGNEc_1ykVap8Zg6oTLqZZSeJ/ics…<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.googl…> Join Zoom Meeting https://linaro-org.zoom.us/j/92535794925?pwd=TTl0cmo4R2hTNm8wcHo1M3ZKdjlnUT…<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.googl…> Meeting ID: 925 3579 4925 Passcode: 414410 One tap mobile +12532158782,,92535794925# US (Tacoma) +13462487799,,92535794925# US (Houston) Dial by your location +1 253 215 8782 US (Tacoma) +1 346 248 7799 US (Houston) +1 669 900 9128 US (San Jose) +1 301 715 8592 US (Germantown) +1 312 626 6799 US (Chicago) +1 646 558 8656 US (New York) 888 788 0099 US Toll-free 877 853 5247 US Toll-free Meeting ID: 925 3579 4925 Find your local number: https://linaro-org.zoom.us/u/aesS64I7GW<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.googl…> Going (anton.komlev(a)arm.com<mailto:anton.komlev@arm.com>)? All events in this series: Yes<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcalendar.…> - Maybe<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcalendar.…> - No<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcalendar.…> more options ><https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcalendar.…> Invitation from Google Calendar<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcalendar.…> You are receiving this courtesy email at the account anton.komlev(a)arm.com<mailto:anton.komlev@arm.com> because you are an attendee of this event. To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://calendar.google.com/calendar/<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcalendar.…> and control your notification settings for your entire calendar. Forwarding this invitation could allow any recipient to send a response to the organizer and be added to the guest list, or invite others regardless of their own invitation status, or to modify your RSVP. Learn More<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.g…>. From: Joanna Farley <Joanna.Farley(a)arm.com<mailto:Joanna.Farley@arm.com>> Date: Tuesday, 21 June 2022 at 18:11 To: Varun Wadekar <vwadekar(a)nvidia.com<mailto:vwadekar@nvidia.com>>, Okash Khawaja <okash(a)google.com<mailto:okash@google.com>> Cc: Matteo Carlini <Matteo.Carlini(a)arm.com<mailto:Matteo.Carlini@arm.com>>, tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Subject: Re: [TF-A] Re: Rebooting LTS discussion Thanks Varun and Okash. I'll update Jul 14th invite and add LTS as the discussion area. From: Varun Wadekar <vwadekar(a)nvidia.com<mailto:vwadekar@nvidia.com>> Date: Tuesday, 21 June 2022 at 17:24 To: Joanna Farley <Joanna.Farley(a)arm.com<mailto:Joanna.Farley@arm.com>>, Okash Khawaja <okash(a)google.com<mailto:okash@google.com>> Cc: Matteo Carlini <Matteo.Carlini(a)arm.com<mailto:Matteo.Carlini@arm.com>>, tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Subject: RE: [TF-A] Re: Rebooting LTS discussion Hi Joanna, Thanks for the update. Okash and I would be ready by July 14. We will prepare the slides for the session. -Varun From: Joanna Farley <Joanna.Farley(a)arm.com<mailto:Joanna.Farley@arm.com>> Sent: Tuesday, 21 June 2022 5:07 PM To: Okash Khawaja <okash(a)google.com<mailto:okash@google.com>>; Varun Wadekar <vwadekar(a)nvidia.com<mailto:vwadekar@nvidia.com>> Cc: Matteo Carlini <Matteo.Carlini(a)arm.com<mailto:Matteo.Carlini@arm.com>>; tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> Subject: Re: [TF-A] Re: Rebooting LTS discussion External email: Use caution opening links or attachments Okash, Varun, Any thoughts when you want to do a LTS TechForum session. 30th June is now taken and the next scheduled one after that is 14th July. We could try and do a special one on 7th July if that's better. I'm reliant on you guys to jointly prepare and present a LTS TF-A Tech forum session Joanna From: Joanna Farley via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Date: Monday, 6 June 2022 at 13:47 To: Okash Khawaja <okash(a)google.com<mailto:okash@google.com>> Cc: Matteo Carlini <Matteo.Carlini(a)arm.com<mailto:Matteo.Carlini@arm.com>>, tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Subject: [TF-A] Re: Rebooting LTS discussion Hi Okash, The next session after next week is Thursday 30th June at 4pm BST. This is also available with nothing currently scheduled. Joanna From: Okash Khawaja <okash(a)google.com<mailto:okash@google.com>> Date: Monday, 6 June 2022 at 13:34 To: Joanna Farley <Joanna.Farley(a)arm.com<mailto:Joanna.Farley@arm.com>> Cc: Varun Wadekar <vwadekar(a)nvidia.com<mailto:vwadekar@nvidia.com>>, Matteo Carlini <Matteo.Carlini(a)arm.com<mailto:Matteo.Carlini@arm.com>>, tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Subject: Re: [TF-A] Re: Rebooting LTS discussion Hi Joanna and Varun, Sounds good to me. I will be out of country during next week. After that should be fine. Thanks, Okash On Mon, Jun 6, 2022 at 12:13 PM Joanna Farley <Joanna.Farley(a)arm.com<mailto:Joanna.Farley@arm.com>> wrote: Varun, Okash, I believe the two of you have some interest in the LTS topic. Would the two of you be willing to jointly prepare and present a TF-A Tech forum session? The next available session is Thursday 16th June at 4pm BST. I'm sure there are many definitions of what a LTS release branch is in terms of purpose, content, duration etc. I would expect many platform providers are doing this downstream today and I could imagine there may be variations. Some degree of consensus on how this is managed and resourced would be needed I believe between multiple platform providers who would want to consume this. It would be good to see issues raised for discussion. I'm happy to host if the two of you and any other platform providers interested can prepare a TF-A session to present to the broader TF-A community. Thanks Joanna From: Varun Wadekar via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Date: Tuesday, 31 May 2022 at 15:23 To: Matteo Carlini <Matteo.Carlini(a)arm.com<mailto:Matteo.Carlini@arm.com>>, Okash Khawaja <okash(a)google.com<mailto:okash@google.com>>, tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> Subject: [TF-A] Re: Rebooting LTS discussion Hi Matteo/Okash, Thanks for re-starting the discussion. We (NVIDIA) are still interested in the idea and would like to discuss the next steps. I like the idea of a hotfix release, although would propose back-porting fixes to more tags. A targeted tech forum or another mechanism works for me. I would like to discuss the scope of the activity and the engagement model. -Varun -----Original Message----- From: Matteo Carlini <Matteo.Carlini(a)arm.com<mailto:Matteo.Carlini@arm.com>> Sent: Tuesday, 17 May 2022 3:39 PM To: Okash Khawaja <okash(a)google.com<mailto:okash@google.com>>; tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> Cc: Varun Wadekar <vwadekar(a)nvidia.com<mailto:vwadekar@nvidia.com>>; raghu.ncstate(a)icloud.com<mailto:raghu.ncstate@icloud.com> Subject: RE: [TF-A] Rebooting LTS discussion External email: Use caution opening links or attachments Hi Okash, Thanks for rebooting the conversation. Out of the brainstorming from 1.5 yrs ago, we had this page published with an initial RFC proposal for LTSs: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper…<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeveloper…> Worth mentioning that, in the meanwhile, the TF-M project has introduced the concept of Hotfix releases (which is a very lightweight process for backporting critical bug fix/security fixes only to the last available tagged release): https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftf-m-user…<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftf-m-user…> I'm curious to hear others' opinion and interest (@Varun, @Raghu ?) to possibly revive this topic in either in a Tech Forum or at a project TSC/Board level. Thanks Matteo -- TF-A mailing list -- tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> To unsubscribe send an email to tf-a-leave(a)lists.trustedfirmware.org<mailto:tf-a-leave@lists.trustedfirmware.org>

3 years, 3 months

2
1
0 0

Partition priority questions

by Bohdan.Hunko＠infineon.com

Hi everyone, TFM manifest files allow to specify priority for the partition. FFM 1.0 and FFM 1.1 specify that there are 3 possible values for this field: Low, NORMAL, HIGH. This field is used in several template files to generate needed for SPM information. From what I see there are several problems with current implementation: 1. In secure_fw/spm/cmsis_func/tfm_spm_db_func.inc.template priority field is used to generate .partition_priority filed of spm_partition_static_data_t structure. It uses TFM_PRIORITY() macro to convert priority to numeric value. The problem is that this field is actually never used, instead all priority checking is done using .flags field of partition_{{manifest.name|lower}}_load_info_t structure (tools/templates/partition_load_info.template file). 2. .flags field uses PARTITION_PRI_ macro to convert priority to numeric value. Possible values for TFM_PRIORITY() are: LOW, NORMAL, HIGH, but PARTITION_PRI_ macro has: LOWES, LOW, NORMAL, HIGH, HIGHEST priorities. More over priorities with same names for these 2 macros have different numeric values (e.g. PARTITION_PRI_LOW is 0x7F while TFM_PRIORITY_LOW is 0xFF) 3. Scatter files does not account for HIGHEST priority (see code here<https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/e…>). This is a problem for all toolchains including both common scatter files (L1 and L2) and scatter files templates for L3 So I have several questions on this topic: 1. Are LOWEST and HIGHEST priorities system reserved? Because for now they cant be used in manifest files as TFM_PRIORITY() does not have support them. 2. Should TFM_PRIORITY() macro and .partition_priority filed of spm_partition_static_data_t structure be removed? This will mean that if LOWEST and HIGHEST priorities are system reserved then validation of value for "priority" manifest field should be added to tfm_parse_manifest_list.py 3. Should scatter files be fixed to account for HIGHEST priority? 4. secure_fw/partitions/ns_agent_tz/load_info_ns_agent_tz.c for NS agent TZ specifies (PARTITION_PRI_LOWEST - 1) for a .flags filed. Higher priority numeric values is lower real priority, which means that TZ NS agent partition priority is between LOW and LOWEST priority. This seems like a hack to me, maybe we should introduce One more named priority? 5. In secure_fw/partitions/CMakeLists.txt idle partition is included when IPC backend is used. Idle partition is used to retrigger scheduling before going into WFI state (just to be sure that higher priority partitions were executed and there is not pending request). I can see how this partition is useful for MULTICORE case, to have kind of sleep state. But for TZ case TZ ns agent is always RUNNABLE and have higher priority that IDLE partition so it does not look like IDLE partition will ever be scheduled in TZ case. In such case condition in this Cmake file should be changed from "if (CONFIG_TFM_SPM_BACKEND_IPC)" to "if (TFM_PARTITION_NS_AGENT_MAILBOX)" Am I wrong somewhere? Sorry, I know that is a lot of questions, but this scheduling stuff is really hard to wrap a head around. Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

3 years, 3 months

2
2
0 0

PSA arch test problem

by Bohdan.Hunko＠infineon.com

Hi, Lately I have been working with PSA arch tests and found few issues with them: 1. PSA arch tests build on Windows fails. I am using the following command: cmake -S . -B build_gcc_psoc64 -G"Unix Makefiles" -DTFM_PLATFORM=cypress/psoc64 -DTEST_PSA_API=INITIAL_ATTESTATION This is true for all the compilers and build types. I have also tried building Musca B1 and the results are the same. Is this expected behavior? Are PSA arch test meant to be built on windows? 2. I have tried building PSA arch tests with IAR on both Linux and Windows and it does not work. From quick investigation it looks like IAR is not supported. Am I right? And if so the is there a plan to support PSA arch tests for IAR compiler? Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

3 years, 3 months

6
15
0 0

Proposal for Musca-B1 SE deprecation

by Anton Komlev

Hello, We would like to propose removing the Musca-B1 Secure Enclave platform configuration* in TF-M. This solution was developed to demonstrate the PSA Configuration to support the TF-M Secure Services on Secure Enclave providing Secure Services to the Host processor running non-secure application. Musca-B1 SE was the foundation of the Corstone-1000** solution, which provides a secure enclave implementation that is also PSA L2 Ready Certified. Please reply if there are any concerns deprecating and removing the Musca-B1 SE configuration from TF-M . Process for deprecation and removal of platforms can be found here https://tf-m-user-guide.trustedfirmware.org/platform/ext/platform_deprecati… * https://tf-m-user-guide.trustedfirmware.org/platform/ext/target/arm/musca_b… ** https://tf-m-user-guide.trustedfirmware.org/platform/ext/target/arm/corston… Thanks, Anton

3 years, 3 months

1
1
0 0

Manifest files questions

by Bohdan.Hunko＠infineon.com

Hi everyone, I have several questions related to manifest files in TFM: 1. Currently TFM dos not support dynamic memory allocation, so heap_size manifest field is a bit special. Presence of heap_size field for library model will generate error in tfm_spm_db_func.inc.template but when TFM_PSA_API is ON heap_size is used in partition_load_info.template which will silently set .heap_size struct field to 0 without generation of any error. As dynamic memory allocation is not supported I think error should be generated in both files. Also I think that error should only be generated if heap_size filed is present and is not "0" (if it is not present or is 0 then no error should be generated because it is compliant with "no dynamic memory rule") 2. Manifest files support numbered mmio regions for partitions. Example "mmio_regions": [ { "base": "MY_CUSTOM_REGION_BASE", "size": "MY_CUSTOM_REGION_SIZE", "permission": "READ-WRITE" } ] The questions is why doesn't TFM use this field for ITS and PS areas instead of handling them manually? Can this be reworked to use mmio regions? If so then is this work planned and when approximately it will be done? Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

3 years, 3 months

2
1
0 0

Library fetching improvements

by Bohdan.Hunko＠infineon.com

Hi, Recently I have been adding some new libraries to my TFM project and what I always end up doing is: go to some existing file which fetches the library, copy code from there, paste it to my file, change few links, versions and names. It is a bit annoying to copy-paste that code each time, also it is hard to maintain (if pattern for fetching libraries changes) and also copy pasting might lead to some code not being updated. My proposal is to have a function that can be used to fetch a library. This way it will be easier to add new libraries and this change will make code cleaner. Please let me know your thoughts on this proposal. Regards Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

3 years, 3 months

5
8
0 0

Automatically copy RAM_VECTORS when using ARMClang and IAR

by Bohdan.Hunko＠infineon.com

Hi, When poking around some startup files I have found interesting place related to RAM_VECTORS support CMSIS have __PROGRAM_START macro which is different for each compiler. For GCC it uses __cmsis_start, for ARMClang - __main and for IAR - __iar_program_start Basically each of the functions should copy several sections (.TFM_DATA for example) from FLASH to RAM and zero out some parts of RAM (for .TFM_BSS for example) In current implementation GCC __cmsis_start function also copies the vector table from FLASH to SRAM (if RAM_VECTORS are enabled) But ARMClang and IAR equivalents of that function (__main, __iar_program_start) does not seem to take care of copying vector table, so platforms startup should do that I wonder if there is a way to change linker script in a way which will make copying of vector table automatic (by compiler dependent function). This will make platform startups a bit cleaner and will allow platform to just use __PROGRAM_START macro without any additional code to copy vector table. From what I see IAR has "initialize by copy" syntaxis so I think it may be used to tell IAR to automatically copy vector table. It is a bit more tricky with ARMClang as I have not found a way to do that there. I am not a big expert in ARMClang and IAR so maybe someone may help me here, give some directions or confirm that currently there is no way to make this idea work. Basically the intention is to simplify platform startup code and offload common operations to compiler specific platform independent functions. Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

3 years, 3 months

2
5
0 0

FW: [Tf-openci] [Maintenance] - ci.trustedfirmware.org down time 2022-07-08

by Xinyu Zhang

Hi All, FYI. Open CI will be down from 2022-07-07 23:00 UTC to 2022-07-08 03:00 UTC for Jenkins upgrade. Please let us know if there is any problem. Thanks Xinyu -----Original Message----- From: Kelley Spoon via Tf-openci <tf-openci(a)lists.trustedfirmware.org> Sent: Wednesday, July 6, 2022 2:02 PM To: tf-openci(a)lists.trustedfirmware.org; tf-openci-triage(a)lists.trustedfirmware.org Subject: [Tf-openci] [Maintenance] - ci.trustedfirmware.org down time 2022-07-08 Hello All, The server will be offline to start a maintenance window on 2022-07-08 at 01:00 UTC. Jenkins will be put into "Shutdown Mode" at 2022-07-07 23:00 UTC to stop accepting new jobs and allow executing tasks to complete. This downtime is required to execute an upgrade to Jenkins 2.332.3. The upgrade will address several security advisories for Jenkins core and its plugins and will also bring the server to feature parity with staging. Emails will be sent prior to and following the upgrade to provide status reports. Start: 2022 07-08 01:00 UTC End: 2022-07-08 03:00 UTC Regards, -- Kelley Spoon <kelley.spoon(a)linaro.org> -- Tf-openci mailing list -- tf-openci(a)lists.trustedfirmware.org To unsubscribe send an email to tf-openci-leave(a)lists.trustedfirmware.org

3 years, 3 months

1
0
0 0

Ask for review on TF-M memory check interface update patch

by Summer Qin

Hi, I have sorted out memory check functions and done some refinement. As it covers all the platforms, may I ask for a review on these patches<https://review.trustedfirmware.org/q/topic:%22memory-check-interface-update…>? I would like to merge it by 30th of this month if possible. Thanks so much! Best Regards, Summer

3 years, 4 months

1
0
0 0

PS partition dependencies

by Chris.Brand＠infineon.com

I'm experimenting with a build with the SFN backend, and I've hit an error. cmake -S . -B build_musca_sse200_GNUARM_Release -DTFM_PLATFORM=arm/musca_b1/sse_200 -DCONFIG_TFM_SPM_BACKEND=SFN -DTFM_PARTITION_PLATFORM=OFF -DTFM_PARTITION_FIRMWARE_UPDATE=OFF -DPS_ROLLBACK_PROTECTION=OFF cmake --build build_musca_sse200_GNUARM_Release results in .../build_musca_sse200_GNUARM_Release/generated/secure_fw/partitions/protected_storage/auto_generated/load_info_tfm_protected_storage.c:85:9: error: 'TFM_SP_PLATFORM_NV_COUNTER_SID' undeclared here (not in a function); did you mean 'TFM_SP_NON_SECURE_ID'? TFM_SP_PLATFORM_NV_COUNTER_SID, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TFM_SP_NON_SECURE_ID Config/check_config.cmake line 93 is tfm_invalid_config((TFM_PARTITION_PROTECTED_STORAGE AND PS_ROLLBACK_PROTECTION) AND NOT TFM_PARTITION_PLATFORM) but secure_fw/partitions/protected_storage/tfm_protected_storage.yaml lists TFM_SP_PLATFORM_NV_COUNTER as a dependency unconditionally. The easy fix is to change check_config.cmake to have the PS partition unconditionally require the platform partition, but it seems that the intent is that it should still be possible to enable PS without rollback protection. Chris Brand Cypress Semiconductor (Canada), Inc. An Infineon Technologies Company Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand(a)infineon.com<mailto:Chris.Brand@infineon.com> International Place 13700 V6V 2X8 Richmond Canada www.infineon.com<www.cypress.com> www.cypress.com<http://www.cypress.com> Discoveries<http://www.infineon.com/discoveries> Facebook<http://www.facebook.com/infineon> Twitter<http://www.twitter.com/Infineon> LinkedIn<http://www.linkedin.com/company/infineon-technologies> Part of your life. Part of tomorrow. NOTICE: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material of Infineon Technologies AG and its affiliated entities which is for the exclusive use of the individual designated above as the recipient. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact immediately the sender by returning e-mail and delete the material from any computer. If you are not the specified recipient, you are hereby notified that all disclosure, reproduction, distribution or action taken on the basis of this message is prohibited.

3 years, 4 months

2
1
0 0

Ask for review on TF-M patch

by Sherry Zhang

Hi, I have created a patch<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15313/> which removes the unnecessary heap(including the RAM memory reserved for heap and the heap related symbols). As it covers all the platforms and compilers, may I ask for a review on this patch<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15313/>? This patch saves about 680 bytes Flash while 4200 bytes RAM. I would like to merge it by 29th this month if possible. Thanks so much! Regards, Sherry Zhang

3 years, 4 months

1
0
0 0

Technical Forum call - June 23 - agenda

by Anton Komlev

Hello, the agenda for the forum tomorrow, June 23, 7:00-8:00 UTC 1. Proposal of External Trusted Secure Storage by Poppy Wu 2. Long Time Support (LTS) in TF-M project: the needs, cadence, scope. Open discussion. 3. AOB Link to the forum: https://linaro-org.zoom.us/j/92535794925?pwd=TTl0cmo4R2hTNm8wcHo1M3ZKdjlnUT… Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Thanks, Anton

3 years, 4 months

1
0
0 0

Technical Forum call - June 23

by Anton Komlev

Hello, The next Technical Forum is planned on Thursday, June 23, 7:00-8:00 UTC (East time zone). Please reply on this email with your proposals for agenda topics. Link to the forum: https://linaro-org.zoom.us/j/92535794925?pwd=TTl0cmo4R2hTNm8wcHo1M3ZKdjlnUT… Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

3 years, 4 months

1
1
0 0

Re: Technical Forum call - June 23

by Edward Yang

Hi Anton, I'd like to give a presentation about the proposal of External Trusted Secure Storage, and the presentation will take about 30 minutes, thanks. Best Regards, Poppy Wu 吴偏偏 Macronix Microelectronics (Suzhou) Co.,Ltd 旺宏微电子（苏州）有限公司 http://www.mxic.com.cn Anton Komlev via TF-M <tf-m(a)lists.trustedfirmware.org> 2022/06/15 20:31 Please respond to Anton Komlev <Anton.Komlev(a)arm.com> To "tf-m(a)lists.trustedfirmware.org" <tf-m(a)lists.trustedfirmware.org> cc nd <nd(a)arm.com> Subject [TF-M] Technical Forum call - June 23 Hello, The next Technical Forum is planned on Thursday, June 23, 7:00-8:00 UTC (East time zone). Please reply on this email with your proposals for agenda topics. Link to the forum: https://linaro-org.zoom.us/j/92535794925?pwd=TTl0cmo4R2hTNm8wcHo1M3ZKdjlnUT… Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton -- TF-M mailing list -- tf-m(a)lists.trustedfirmware.org To unsubscribe send an email to tf-m-leave(a)lists.trustedfirmware.org ============================================================================ CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as it attachments from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================

3 years, 4 months

1
0
0 0

Migrate to Mbed TLS PSA configuration scheme

by Summer Qin

Hi, TF-M is going to migrate to Mbed TLS PSA configuration scheme which is recommended by Mbed TLS. With this new feature, TF-M is able to: * more conveniently to align and check TF-M Crypto feature setting against Mbed TLS configuration. * enable the HW crypto accelerator to use PSA drivers and get rid of Mbed TLS software implementation. Therefore, it can decrease the Crypto SW code size for HW accelerator. After migrating to Mbed TLS PSA configuration scheme, TF-M ROM size will save about 6.5kB. The general mbedtls-psa-configuration<https://review.trustedfirmware.org/q/topic:%22mbedtls-psa-configuration%22+…> patches are going to be merged soon. While the HW crypto patch is still under platform owner review until this Friday. It is welcome that if you have any comments and suggestions : ) Best Regards, Summer

3 years, 4 months

1
0
0 0

Refining TF-M contribution processes

by David Hu

Hi all, I'm refining TF-M contribution processes. Hope it can better support you to contribute to TF-M community. Currently I focus on the following two repos: * Tf-m-extras: specify the tf-m-extras additional requirements. Enable contributor to specify the maintainers. Patch link<https://review.trustedfirmware.org/c/TF-M/tf-m-extras/+/15430>. * Trusted firmware-m: simplify the contribution process a bit to align with current development practices. Make it as a general process reference for other TF-M repos. Patch link<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15472>. Can I ask your to take a look at those changes to the processes? Please let us know if any step can be optimized/clarified further. Any feedback is welcome. Best regards, Hu Ziji

3 years, 4 months

1
0
0 0

TF-M documentation integration

by Anton Komlev

Hello, TF-M documentation reflects the documents in the main TF-M repository (https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/docs) only. There are 5 other repos (tests, tools, extras, CI) with corresponded docs being good to be linked to the main. Looking for ideas / advice on the best way to do that. The main problem is that Sphinx (the documentation tool) renders files under its configuration directory only, ignoring everything outside of it so reference to external repos is not an easy task. I see several solutions: 1. The main doc points to external files (*.rst) as an external link without rendering it. Like this<https://git.trustedfirmware.org/TF-M/tf-m-tools.git/tree/depend-trace-tool/…>. <-- Simplest way. 2. Create Sphinx doc for each repository, store rendered output in a temporal storage and link the main to generated HTML files. 3. Use intersphinx<https://www.sphinx-doc.org/en/master/usage/extensions/intersphinx.html> to link across repositories. Again, need rendered docs in each repo and additional preparation. 4. Anything else? Any thoughts or experience to share? Thanks in advance, Anton

3 years, 4 months

2
3
0 0

Technical Forum call - June 9

by Anton Komlev

Hi, The next Technical Forum is planned on Thursday, June 9, 15:00-16:00 UTC (West time zone). Please reply on this email with your proposals for agenda topics. Link to the forum: https://linaro-org.zoom.us/j/95570795742?pwd=N21YWHJpUjZyS3Fzd0tkOG9hanpidz… Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

3 years, 4 months

1
1
0 0

Mis-use of tfm_spm_partition_set_state()

by Chris.Brand＠infineon.com

Looking at the declaration and body of this function, the first parameter is clearly a partition index (index into g_spm_partition_db.partitions[]), and all the call sites in secure_fw/spm/cmsis_func/spm_func.c use it that way. The three call sites in secure_fw/spm/cmsis_func/main.c, though, all pass a PID instead. This happens to work because g_spm_partition_db.partitions[0].static_data->partition_id == 0 and g_spm_partition_db.partitions[1].static_data->partition_id == 1. I don't see anything that guarantees that that will always be true, though. There is a static function get_partition_id() in secure_fw/spm/cmsis_func/spm_func.c that maps from PID to partition index - should that be exported and called to address this? Thanks, Chris Brand .

3 years, 4 months

2
2
0 0

Mailbox agent redesign

by Chris.Brand＠infineon.com

Hi, Reading https://tf-m-user-guide.trustedfirmware.org/technical_references/design_doc… it mentions the plan to move ns_agent_mailbox to have "a positive valued Partition ID in the manifest" and it also states that "A standard Secure Partition gets errors when calling the Extended API". Given that it will not possible to use the PID to identify the ns_agent_mailbox, how will the Extended API functions know whether the caller is a standard Secure Partition or not? There was a patch https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15142 that introduced a flag to identify the ns_agent_tz partition - would this be similar? Also, is there a plan for which release this functionality is expected to appear? Thanks, Chris Brand

3 years, 4 months

2
1
0 0

Usage of TFM_SYSTEM_FP cmake variable

by Bohdan.Hunko＠infineon.com

Hi everyone, I have noticed that GCC toolchain uses CONFIG_TFM_FP to determine FP setting while IAR and Clang use TFM_SYSTEM_FP cmake variable. I was not able to find any docs on this variable, and also there is no assignment of this variable in TFM source code (only read operation from this variable). Is this intendent behavior? Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

3 years, 4 months

2
4
0 0

psa_connect() return invalid connect handle error

by Edward Yang

Hi experts, We are developing a demo based on TF-M framework, and we also developed an application RoT partition SP1 and a PSA RoT partition SP2. The secure partition SP1 needs calling a SP2's service during SP1's init(), when the SP1_init() calls a SP2 service, as the SP2 partition hasn't been inited, the SP2_init() executes before handling requestS from SP1. But the returned connect handle is an invalid handle, return PSA_ERROR_GENERIC_ERROR. I am wondering why an invalid connect handle is returned? Any hints? Best Regards, Poppy Wu 吴偏偏 Macronix Microelectronics (Suzhou) Co.,Ltd 旺宏微电子（苏州）有限公司 http://www.mxic.com.cn ============================================================================ CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as its attachment(s) from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================

3 years, 4 months

2
1
0 0

Non-secure use of NMI

by Andersson, Joakim

Hi. I was looking into a failing test-case in the Zephyr project for the NMI not being processed when using TF-M. The issue is that SCB.AIRCR.BFHFNMINS bit is not set, so the non-secure write to SCB.ICSR.NMIPENDSET is ignored. Is this a decision that was explicitly made for the TF-M configuration to not allow the non-secure application to use the NMI handler? I could not find anything in the TF-M documentation mentioning the NMI. Are there security concerns related to the NMI? Joakim Andersson | Senior R&D Engineer Trondheim, Norway nordicsemi.com<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nordic…> | devzone.nordicsemi.com<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdevzone.n…> Facebook<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.faceb…> | LinkedIn<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linke…> | Twitter<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.c…> | YouTube<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtu…> | Instagram<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.insta…> [Nordic_logo_signature]<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nordic…>

3 years, 5 months

2
1
0 0

Technical Forum call - May 26

by Anton Komlev

Hi, The next Technical Forum is planned on Thursday, May 26, 7:00-8:00 UTC (East time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

3 years, 5 months

1
1
0 0

tfm_arch_is_priv() is not available for v8arch

by Bohdan.Hunko＠infineon.com

Hi everyone, While looking through TFM code I have noticed that tfm_arch_is_priv() is defined for v6 and v7 in secure_fw/spm/cmsis_psa/arch/tfm_arch_v6m_v7m.h but not defined for v8. Also tfm_arch_v6m_v7m.h is located in secure_fw/spm/cmsis_psa/arch/ folder, while tfm_arch_v8m.h is located in secure_fw/spm/include/. I think that tfm_arch_is_priv() should also be defined for v8 and also tfm_arch_v6m_v7m.h should be moved to secure_fw/spm/include/. If file will be moved then we can clean up some target_include_directories() which used secure_fw/spm/cmsis_psa/arch/ folder. Any thoughts on this? Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

3 years, 5 months

2
1
0 0

Re: Enable SPI interrupt in secure partition

by Edward Yang

Hi Kevin, Thanks for your instruction. We're developing an application RoT partition which access a sensor via an SPI interface(Based on RA6M4_EK development board). After commands have been transferred to the sensor, an SPI_TX_INTERRUPT should be triggered, then calls spi_tx_isr(). Now let's put aside binding secure interrupts to each secure partition, just talk about how to enable SPI interrupts in secure world simply. Here is my implementation: 1.Configure this SPI peripheral as secure peripheral. 2.Assign SPI tx and rx interrupts to secure state by setting NVIC->ITNS register. 3.Enable SPI tx and rx interrupts by seeting NVIC->ISER register. But during debug, I found that spi0_tx_isr() (The ISRs are also placed under this application RoT partition's folder) has never been triggered. Is there anything that I miss? Best Regards, Poppy Wu 吴偏偏 Macronix Microelectronics (Suzhou) Co.,Ltd 旺宏微电子（苏州）有限公司 http://www.mxic.com.cn Kevin Peng via TF-M <tf-m(a)lists.trustedfirmware.org> 2022/05/17 09:45 Please respond to Kevin Peng <Kevin.Peng(a)arm.com> To Edward Yang <EdwardYang(a)mxic.com.cn>, "tf-m(a)lists.trustedfirmware.org" <tf-m(a)lists.trustedfirmware.org> cc Subject [TF-M] Re: Enable SPI interrupt in secure partition Hi Poppy, First-Level Interrupt Handling (FLIH) should be recommended in your use case as you have latency requirements. Here is an example: https://git.trustedfirmware.org/TF-M/tf-m-tests.git/tree/test/secure_fw/sui… You’ll firstly need to add an “irq” item in the manifest and “handling ” it with “FLIH”: https://git.trustedfirmware.org/TF-M/tf-m-tests.git/tree/test/secure_fw/sui… And also add the “mmio_regions” item with the associated device (SPI) to give access permissions to the Secure Partition. The IRQ handling should be in the Secure Partition: https://git.trustedfirmware.org/TF-M/tf-m-tests.git/tree/test/secure_fw/sui… Note that, no PSA APIs are allowed in the handling. Best Regards, Kevin From: Edward Yang via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: Monday, May 16, 2022 5:38 PM To: tf-m(a)lists.trustedfirmware.org Subject: [TF-M] Enable SPI interrupt in secure partition Hi experts, Recently we're developing a demo based on TF-M, this demo involves using SPI module to drive a sensor by sending commands in a secure partition. And we need to enable SPI receive and send interrupt in this secure partition and the latency shall be as small as possible. I am wondering how to implement this secure interrupts. Is there any example code or instrucstions? Thanks. Best Regards, Poppy Wu 吴偏偏 Macronix Microelectronics (Suzhou) Co.,Ltd 旺宏微电子（苏州）有限公司 http://www.mxic.com.cn CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as its attachment(s) from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================-- TF-M mailing list -- tf-m(a)lists.trustedfirmware.org To unsubscribe send an email to tf-m-leave(a)lists.trustedfirmware.org ============================================================================ CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as it attachments from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================

3 years, 5 months

2
1
0 0

Enable SPI interrupt in secure partition

by Edward Yang

Hi experts, Recently we're developing a demo based on TF-M, this demo involves using SPI module to drive a sensor by sending commands in a secure partition. And we need to enable SPI receive and send interrupt in this secure partition and the latency shall be as small as possible. I am wondering how to implement this secure interrupts. Is there any example code or instrucstions? Thanks. Best Regards, Poppy Wu 吴偏偏 Macronix Microelectronics (Suzhou) Co.,Ltd 旺宏微电子（苏州）有限公司 http://www.mxic.com.cn ============================================================================ CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as its attachment(s) from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================

3 years, 5 months

2
1
0 0

'memset/memcpy/mem*' API usage in secure firmware

by Ken Liu

Hi TF-Mers, There are several versions of mem* API set in the system. At the very beginning, the whole secure firmware was put in the library model, and it is expected to be self-contained -- at least at the source level as the first step. Hence a 'tfm_mem*' API set is created for secure firmware usage. The same reason for involving 'spm_mem*' in the PSA compliance model. When we designed HAL for SPM, we noticed that SPM HAL actually run in the same domain as SPM, hence we encouraged developers to use 'spm_mem*' in SPM HAL. This brings a bit of difficulty, especially when the platform sources are shared for multiple targets, while other targets do not have 'spm_mem*' API. As 'mem*' is actually common enough (as they are fundamental API of libc), hence redefine the name is applicable only a system is highly self-contained. In our case, using 'mem*' API can bring much convenience. Hence I am thinking to let sources other than SPM use 'mem*' API, they are platform, partitions and runtime libraries. For SPM sources (under secure_fw/spm), a source-level 'spm_mem*' is kept, to keep the possibility to make SPM itself really self-contained. Now it is only source-level because 'spm_mem*' is actually forwarded to 'mem*'. I am creating a patch to change this, and want to know your opinion. Thanks. /Ken

3 years, 5 months

1
0
0 0

Any usage of environment variables in manifest lists

by Kevin Peng

Hi, Is there anyone using environment variables for the "manifest" attribute in out-of-tree manifest lists? I'm asking because I'm working to support configurable stack_size for Secure Partitions<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15155>. In the patch the support of environment variables in manifest lists is removed<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15155/1/tool…>. Because I have to call the CMake command configure_file to replace the stack_size symbols (CMake variables<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15155/1/secu…> surrounded with "@") with their values. While configure_file does not recognize environment variables. If you do have environment variables in manifest list, there is an alternative: Replace the env. variables with CMake variables surrounded with "@" and set the value of the CMake variables in either config files or command line inputs. Best Regards, Kevin

3 years, 5 months

3
5
0 0

Re: Technical Forum call - May 12 Cancelled

by David Hu

Hi all, I'd like to cancel tech form in May 12 due to empty agenda. Best regards, Hu Ziji From: David Hu via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: Thursday, May 5, 2022 2:11 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: [TF-M] Technical Forum call - May 12 Hi, (On behalf of Anton) The next Technical Forum is planned on Thursday, May 12, 15:00-16:00 UTC (West time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Hu Ziji

3 years, 5 months

1
0
0 0

Attestation token new spec

by Tamas Ban

Hi, the initial attestation token implementation is aligned with this specification: https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-05 This spec is still evolving and there is a newer version which changes the key values of the claims in the token: https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-09.html#tab…<https://www.ietf.org/archive/id/draft-tschofenig-rats-psa-token-09.html%23t…> This can cause combability issues between token issuer (device) and token verifier (some remote verification service). This is an ABI change between token issuer and consumer. The breaking effect would be manifest in unaccepted IAT tokens by the verifier. On-device side I see these options to make the transition: - A build-time option could be introduced which determines which range of key numbers to use. The default value would be the new range. To not let new users pick up the old values accidentally. Existing users can notice the incompatibility issue during the integration test and adjust their build command accordingly. However, the old range would be announced as deprecated in the next TF-M release, then will be removed in the next release after. - Immediate switch over to the new range, without supporting the old range anymore. On the verification service side, an SW update can handle the transition and might be accepting both ranges for a while. I assume the verification service can be updated more easily than remote devices therefore better to handle the compatibility issue there. - Keeping the support for both ranges for the long term and letting users choose by build time. Please share your thoughts on: - Are you aware that the attestation service is used in deployed devices where this transition can cause incompatibility? - From the above list which option would you vote to support the transition? Best regards, Tamas Ban

3 years, 5 months

1
0
0 0

Under-layer runtime functions in assembly

by Ken Liu

Hi, In one of the past tech forums, we claimed that we don't encourage contribution in common logic in assembly, and one of the patches was abandoned because of this. That patch is designed to improve the memset/memcpy performance. We override these APIs in general because we want the code can be auditable. Then we provided implementations in C, but it shows these implementation does not provide good performance. We want to apply the toolchain provided versions, and looks GNU tool provides the straightest 'byte-copy' version. And armclang involves unnecessary variants which increase the code size a little (not big). Hence we provide a version with 'tiny' optimization in assembly and mark this patch an exception to the review guidelines, as these under-layer functions won't get changed frequently. We are also seeking an ideal way to apply toolchain versions. The patch is here for your review: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/13735 Thanks. /Ken

3 years, 5 months

1
0
0 0

Supporting encryption with ITS

by Vasilakis, Georgios

Hello all, I wanted to let you know that I made the PR which adds encryption on ITS files using the methodology that we discussed before. The encryption is happening in a transparent way for the user, and I tried to avoid major changes in the ITS filesystem. Please add yourself as a reviewer and provide feedback if you think that this is an interesting use case for you. https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/15096 Regards, Georgios Vasilakis

3 years, 5 months

1
0
0 0

Technical Forum call - May 12

by David Hu

Hi, (On behalf of Anton) The next Technical Forum is planned on Thursday, May 12, 15:00-16:00 UTC (West time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Hu Ziji

3 years, 5 months

1
0
0 0

TF-M v1.6.0 release

by Anton Komlev

Hello, I am pleased to announce the new v1.6.0 released of TF-M project. New major features are: * MCUboot updated to v1.9.0. * Mbed TLS updated to v3.1.0 (Support all required PSA Crypto APIs). * Enabled Secure Function (SFN) Model Partition compliance in IPC backend. * Interrupt support (both SLIH/FLIH) for the SFN backend. * MM-IOVEC Support for the SFN backend. * The following Secure Partitions are converted to SFN model: * Protected Storage * Internal Trusted Storage * Initial Attestation * FF-M v1.1 SFN Model supported in Profile Small. * HAL Separation of Library Model and IPC/SFN backend. * FP support for Armv8.1-M Mainline for IPC backend. * Simplified build output message and configurable output. * Halting instead of rebooting on panic in debug build type. * Automated testing of MCUboot BL2. * A new driver interface for the CC-312 runtime library as specified in the PSA Unified Driver spec [1]_. * Added reference bootloader stage 1 (BL1) bootloader for certain platforms. * A new CC312 ROM library for the BL1. * Updated documentation structure. The changes tagged by TF-Mv1.6.0 and located in the release/v1.6.x<https://review.trustedfirmware.org/q/project:TF-M%252Ftrusted-firmware-m+br…> branch at the moment. In short, they will be integrated with the main branch and be available from there. Thanks everyone for contribution, review and support this milestone. Anton

3 years, 6 months

1
0
0 0

Technical Forum call - April 28

by Anton Komlev

Hi, The next Technical Forum is planned on Thursday, April 28, 7:00-8:00 UTC (East time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

3 years, 6 months

1
1
0 0

Asking for review of external trusted secure storage partition implementation code

by Edward Yang

Hi everyone, We have discussed the design proposal of supporting secure Flash in tf-m framework via this mailing list before,now the implementation code of this external trusted secure storage partition has been uploaded to tf-m-extras repo for review： https://review.trustedfirmware.org/c/TF-M/tf-m-extras/+/14953 And the binary component of this patch has also been uploaded to tf-binaries repo： https://review.trustedfirmware.org/c/tf-binaries/+/14954 For easy understanding please refer to this document first: https://review.trustedfirmware.org/c/TF-M/tf-m-extras/+/14953/1/partitions/… Looking forward to your comments and suggestions. Best Regards, Poppy Wu 吴偏偏 Macronix Microelectronics (Suzhou) Co.,Ltd 旺宏微电子（苏州）有限公司 http://www.mxic.com.cn ============================================================================ CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as it attachments from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================

3 years, 6 months

1
0
0 0

Start of TF-M v1.6.0 release process

by Anton Komlev

Hello, The branch release/1.6.x<https://git.trustedfirmware.org/TF-M%2Ftrusted-firmware-m.git/log/?h=refs%2…> has been created, indicating the project feature's freeze and beginning the release process. Expecting to place RC1 tag asap, after successful run of the basic tests. Let me remind that the code is not frozen, and development can be continued on the main branch. Thanks, Anton

3 years, 6 months

1
4
0 0

TF-M Open CI Back to Normal

by Xinyu Zhang

Hi All, TF-M Open CI is back to normal now. Please feel free to use it. Thanks, Xinyu From: Xinyu Zhang via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: Monday, April 18, 2022 12:06 PM To: TF-M mailing list <tf-m(a)lists.trustedfirmware.org> Subject: [TF-M] TF-M Open CI Down Hi All, Sorry to inform you that TF-M Open CI is down for the time being because of Jenkins upgrade. I'll let you know once it is back to normal. Apologize for any inconvenience! Thanks, Xinyu

3 years, 6 months

1
0
0 0

TF-M Open CI Down

by Xinyu Zhang

Hi All, Sorry to inform you that TF-M Open CI is down for the time being because of Jenkins upgrade. I'll let you know once it is back to normal. Apologize for any inconvenience! Thanks, Xinyu

3 years, 6 months

1
0
0 0

Technical Forum call - April 14 is CANCELLED

by Anton Komlev

Hi, The forum is cancelled because of the empty agenda and the assumption that many of us in the west time zone will have a long weekend this week. Thanks, Anton From: Anton Komlev via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: Wednesday, April 6, 2022 12:43 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: [TF-M] Technical Forum call - April 14 Hi, The next Technical Forum is planned on Thursday, April 14, 15:00-16:00 UTC (West time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

3 years, 6 months

1
0
0 0

TF-M Isolation 3

by Doka.Dokanov-Dobrovolskyi＠infineon.com

Hello! My name is Oleg. I'm working on TF-M Isolation Level 3 testing and I need to develop test cases list for it. Could you be so kind to provide me the test cases list? May be you know where I can find it by myself? Also I have test cases list for Isolation Leve 2. Am I right that it can be reused for Isolation Level 3 with some changes? I will be very appreciate for any help. Thank you so much, Oleg Dokanov

3 years, 6 months

2
1
0 0

Technical Forum call - April 14

by Anton Komlev

Hi, The next Technical Forum is planned on Thursday, April 14, 15:00-16:00 UTC (West time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

3 years, 6 months

2
2
0 0

Mbed TLS GitHub migration

by Dave Rodgman

Hi all, Please be advised that the Mbed TLS GitHub migration is complete. The new home for Mbed TLS is: https://github.com/Mbed-TLS We recommend updating your project, checkouts, etc to point at the new repository, but it's not urgent as everything will continue to work for some time via automatic redirection. Also please note that our project boards, which we use for planning upcoming work via epics, and tracking current activity, have moved. They are now available here: Epics board: https://github.com/orgs/Mbed-TLS/projects/1 Current activity: https://github.com/orgs/Mbed-TLS/projects/2 Thanks Dave Rodgman On 22/03/2022, 14:52, "Dave Rodgman via Mbed-tls-announce" <mbed-tls-announce(a)lists.trustedfirmware.org> wrote: Hi all, Please note that in the next couple of weeks, we will migrate Mbed TLS to a new GitHub organisation. Your existing scripts, links etc for accessing Mbed TLS on GitHub should not be affected. This will change the url from https://github.com/ARMmbed/mbedtls to https://github.com/Mbed-TLS/mbedtls . GitHub will redirect any accesses to the old URL for the foreseeable future, but we would recommend updating your links once the migration is complete. All of the Mbed TLS repositories will migrate to this new organisation, i.e.: mbedtls mbedtls-docs mbedtls-test Thanks Dave Rodgman -- Mbed-tls-announce mailing list -- mbed-tls-announce(a)lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-announce-leave(a)lists.trustedfirmware.org

3 years, 7 months

1
0
0 0

Technical Forum call - March 31

by Anton Komlev

Hi, The next Technical Forum is planned on Thursday, March 31, 7:00-8:00 UTC (East time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

3 years, 7 months

3
3
0 0

TF-M on GitHub opinions collection

by Anton Komlev

Hello, Quite some time ago there was a proposal to move TF-M into GitHub. The main motivation is: more convenient review process, the Wiki for knowledge sharing and issue tracking facility. This idea had been discussed multiple times in TSC. The following options were considered: 1. Hybrid: Add TF-M on GitHub with 2 ways synchronization between GitHub and existing Git/Gerrit 2. GitHub only: Move to GitHub completely and drop Gerrit. 3. Mirror: Create a read-only mirror on GitHub. TF-M review process stays in Gerrit but Wiki and issue tracking are on GitHub. 4. Nothing: Stay on Gerrit as good enough solution. The options are ordered by complexity and cost each has pros and cons. The Mirror option (3) seeing as the best compromise and practically affordable in a short time. Please share your opinion and comments on the topic with any dependencies or specific requirements to be considered. Thanks, Anton

3 years, 7 months

8
17
0 0

TF-M Profile Small supports SFN model

by David Hu

Hi all, I'd like to ask for your help to review the patch which enables SFN model in TF-M Profile Small. SFN model is defined in FF-M v1.1 spec. With this patch, Profile Small still enables Library model by default and users can select SFN model instead via build command. Patch: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/14500 TF-M Profile Small document update: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/14501 Any comment or suggestion is welcome. Best regards, Hu Ziji

3 years, 7 months

1
0
0 0

TrustedFirmware Code of Conduct

by Don Harbin

Hi All, Please find the link to the TrustedFirmware Community Code of Conduct here: https://developer.trustedfirmware.org/w/collaboration/community_guidelines/… Trusted Firmware has a very diverse and global developer community. It is important that we adhere to the code of conduct in all our interactions. For some of you all this may be new and for others just a gentle reminder. In either case, if you have any questions, please feel free to reach out to me directly. And thanks to you all for your contributions to the TrustedFirmware community! Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

3 years, 7 months

1
0
0 0

Technical Forum call - March 17

by Arnold Gabriel Benedict

Hi, I would like to present our study on RPC Test Framework for TF-M along with a demo in our next technical forum on 17th March. Thanks, Arnold

3 years, 7 months

2
1
0 0

Secure Partition interrupt signal processing

by Andersson, Joakim

Hi. I've been working on making an example on how an application can use the secure interrupts in a secure partition in TF-M. During this I've encountered an issue where the secure partition will not be scheduled to process the secure interrupt signal in certain conditions. I've compared it to the current SLIH and FLIH test cases to my observed behaviour and I could see that they did not have this problem. I've created a test-case that triggers the problem [0]. In the mailing list I can see that this was actually discussed recently [1] The summary is that secure partitions will not be scheduled to process a secure interrupt signal when the interrupt is interrupting the NSPE. I could not find that this was documented anyway, but maybe I have overlooked. In any case I find this behaviour very unexpected and I would like to know if this is indeed a design decision and the behaviour has to be this way? If I wanted to do some processing in the secure partition context it would now mean that I have to get the NSPE to trigger this through a secure partition call. This seems like a limitation to me . I'd like to know what would be the issue with scheduling the partition once it now has the signal asserted. I've done a quick test with scheduling the partition at this point with [2] and this now works as I expect it to. I'd be happy to follow up with submitting a change to schedule the partition as done in [2] if that is an acceptable solution. [0] https://github.com/joerchan/tf-m-tests/commit/d9f0a3a7653b594d0fa797d9e0bca… [1] https://lists.trustedfirmware.org/archives/list/tf-m@lists.trustedfirmware.… [2] https://github.com/joerchan/sdk-trusted-firmware-m/commit/e5512c6e8b2bad95c…

3 years, 7 months

2
1
0 0

MCUboot upgraded to v1.9.0 in TF-M

by Sherry Zhang

Hi, Just a reminder that the MCUboot version has been upgraded to v1.9.0<https://github.com/mcu-tools/mcuboot/releases/tag/v1.9.0> in TF-M. If you are using the local MCUboot repo, then you need to update it to that version to avoid build error. Regards, Sherry Zhang

3 years, 7 months

1
0
0 0

Technical Forum call - March 17

by Anton Komlev

Hi, The next Technical Forum is planned on Thursday, March 17, 15:00-16:00 UTC (West time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

3 years, 7 months

1
0
0 0

The new design proposal guideline now take effect

by David Hu

Hi all, The new and simplified TF-M design proposal guideline is approved: https://tf-m-user-guide.trustedfirmware.org/docs/contributing/tfm_design_pr…. Please feel free to submit your topics to mailing list or tech forum! Formal design documents are NOT required anymore. Best regards, Hu Ziji

3 years, 7 months

1
0
0 0

TF-M release v1.6,0 date change to April 28

by Anton Komlev

Hello, TF-M release v1.6.0 will be shifted from April 15 to April 28. The main reason is Easter holiday and expected lack of availability from community and platform owners around that date. Feature freeze will be moved to April 6th when the release branch will be created. Please update your plans accordingly. Please let me know if this change make difficulty for you and better date is possible. Thanks, Anton

3 years, 7 months

1
0
0 0

Simplify TFM_PLATFORM in build system

by Jianliang Shen

Hi all, I want to simplify the flag TFM_PLATFORM in build system. TF-M now already supports two different ways to choose specific platform, for example AN521: - Absolute path: '<tf-m path>/platform/ext/target/arm/mps2/an521' - Relative path: 'arm/mps2/an21' Recently I have uploaded a [tf-m patch]<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/14260> to support platform name: - Platform name: 'an521' I think it will be more convenient for developers to use: - Users don't need to remember and type the absolute or relative path, only target platform name is enough. - If the structure of certain platform is changed, the default build command of TFM_PLATFORM is same. I'd be very grateful if you can give any suggestion or enhancement for me. Thanks. Best Regards Jianliang Shen

3 years, 7 months

1
0
0 0

TF-M design documents about spm

by zhilei.wang

Dear All, I view the tf-m source code for the first time, and many of the code details can not be make clear. So .., where may I find the design documents of spm, for example: trusted-firmware-m-TF-Mv1.5.0\secure_fw\spm\cmsis_func and cmsis_psa software modules. Best Regards Wang Zhilei | Software Beken Corporation ---------------------------------------------------------------------------- ---------------------------------------------------------

3 years, 8 months

3
2
0 0

Technical Forum call - March 3

by Anton Komlev

Hi, The next Technical Forum is planned on Thursday, March 3, 7:00-8:00 UTC (Asian time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

3 years, 8 months

2
2
0 0

TF-M covertly results and configs to align our coverity environment to TF-M project CI

by Kostiantyn.Tkachov＠infineon.com

Hi colleagues! Could we get a list of MISRA/CERT-C violations that were found by tf-m Coverity CI, as example from https://ci.trustedfirmware.org/job/tf-m-coverity/lastSuccessfulBuild/ Also (if it possible), could you provide Coverity configs to help align this tool setup on our side to CI and to check all changes before any pool requests? Best regards, Kostiantyn Tkachov Cypress Semiconductor Ukraine Firmware Security

3 years, 8 months

2
1
0 0

Problem compiling Trusted Firmware M in Linux for PSOC64

by AntonioJavier.CabreraGutierrez＠infineon.com

Hello, I am writing to you asking help because we are having problems when I try to compile the Trusted Firmware M from source code. I downloaded the code from the official repository: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git I moved to the last TAG: TF-Mv1.5.0 I am following this tutorial for PSOC64 platform https://tf-m-user-guide.trustedfirmware.org/platform/ext/target/cypress/pso… When I execute the first cmake command indicating the platform and the toolchain everything works well: cmake -DTFM_PLATFORM=cypress/psoc64 -DTFM_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake .. The problems appears when I build the code using the second cmake command: cmake --build cmake_build -- -j I got this output [cid:image003.jpg@01D82A77.95B43640] /home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c: In function 't_cose_crypto_pub_key_verify': /home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c:145:5: error: conversion to non-scalar type requested 145 | verification_key_psa = (psa_key_handle_t)verification_key.k.key_handle; | ^~~~~~~~~~~~~~~~~~~~ /home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c: In function 't_cose_crypto_pub_key_sign': /home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c:194:5: error: conversion to non-scalar type requested 194 | signing_key_psa = (psa_key_handle_t)signing_key.k.key_handle; | ^~~~~~~~~~~~~~~ /home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c: In function 't_cose_crypto_sig_size': /home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c:245:5: error: conversion to non-scalar type requested 245 | signing_key_psa = (psa_key_handle_t)signing_key.k.key_handle; | ^~~~~~~~~~~~~~~ secure_fw/partitions/internal_trusted_storage/CMakeFiles/tfm_psa_rot_partition_its.dir/build.make:425: recipe for target 'secure_fw/partitions/internal_trusted_storage/CMakeFiles/tfm_psa_rot_partition_its.dir/__/__/__/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.o' failed make[2]: *** [secure_fw/partitions/internal_trusted_storage/CMakeFiles/tfm_psa_rot_partition_its.dir/__/__/__/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.o] Error 1 make[2]: *** Waiting for unfinished jobs.... CMakeFiles/Makefile2:1347: recipe for target 'secure_fw/partitions/internal_trusted_storage/CMakeFiles/tfm_psa_rot_partition_its.dir/all' failed make[1]: *** [secure_fw/partitions/internal_trusted_storage/CMakeFiles/tfm_psa_rot_partition_its.dir/all] Error 2 Makefile:135: recipe for target 'all' failed make: *** [all] Error 2 There are the version of the software that are using: arm-none-eabi-gcc (GNU Arm Embedded Toolchain 10.3-2021.10) 10.3.1 20210824 (release) cmake version 3.23.0-rc2 It seems strange to me that there are compilation errors in the source code, that's why I am writing this mail, in case there is a bug in the code. Best regards. Antonio Javier Cabrera Gutierrez Infineon Technologies AG PhD Candidate R&D Engineer IFAG BEX RDE RDF ISS Office: +49 89 234 36403 Mobile: +49 151 181 34322 AntonioJavier.CabreraGutierrez(a)infineon.com<mailto:AntonioJavier.CabreraGutierrez@infineon.com> Am Campeon 1-15 85579 Neubiberg Germany www.infineon.com<http://www.infineon.com> Discoveries<http://www.infineon.com/discoveries> Facebook<http://www.facebook.com/infineon> Twitter<http://www.twitter.com/Infineon> LinkedIn<http://www.linkedin.com/company/infineon-technologies> Part of your life. Part of tomorrow. Infineon Technologies AG Chairman of the Supervisory Board: Dr. Wolfgang Eder Management Board: Dr. Reinhard Ploss (CEO), Dr. Helmut Gassel, Jochen Hanebeck, Dr. Sven Schneider Registered Office: Neubiberg Commercial Register: München HRB 126492 This e-mail and any attachments are confidential. They are intended solely for the attention and use of the named addressee(s). If you are not the named addressee(s) you must not use, disclose, retain or reproduce all or any part of the information contained in this e-mail or any attachments. Any unauthorized use or disclosure may be unlawful. If you have received this e-mail by mistake, please inform the sender immediately and delete it and all copies from your system and destroy any hard copies of it.

3 years, 8 months

3
2
0 0

Locking of PRIS bit in AIRCR register

by JAYLES Romain

Hi all, We are currently testing the tfm-m implementation on a STMicroelectronic chip: stm32u5 board. This stm32u5 has a special register: SYSCFG_CSLOCKR (see https://www.st.com/resource/en/reference_manual/rm0456-stm32u575585-armbase…). This register allows to lock the PRIS bit of the AIRCR register from further modification. The issue here is that, in the ST implementation, thanks to this SYSCFG_CSLOCKR, the PRIS bit of the AIRCR is locked at boot (Reset_Handler in file startup_stm32u5xx_s.c). Resulting in the function tfm_arch_set_secure_exception_priorities() not being able to set the PRIS bit of the AIRCR. This situation lead to big issues at runtime as interrupt priority of NSPE are able to pre-empt interrupt of SPE. Disabling the locking of PRIS bit solve our problem but currently we don't see a clean way to integrate chip specific security features (something like callback/tfm_hal_ ) after the function tfm_arch_set_secure_exception_priorities() has been called. What would be the best way to fix the current issue which could also arise on other platform ? Regards, Romain

3 years, 8 months

3
4
0 0

Please review a new design proposal guideline

by David Hu

Hi all, As part of the documentation improvements, a new design proposal guideline [1] is proposed to replace and simplify the current process. The basic idea is to encourage developers to share their design via mailing list and tech forum, without a well-formatted design document. If developers prefer a document for a new feature, please provide an integration guide/user manual instead. Please check the details in the patch below. [1] https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/14104 The rendered html version: https://ci-builds.trustedfirmware.org/static-files/KTOoRMhB4VsgNQFkdMgWZcZG… Best regards, Hu Ziji

3 years, 8 months

1
0
0 0

Issues with psa_wait() when waiting for interrupts and IPC function calls.

by Martin Gunnarsson

Hello, I am trying to write an Application RoT for a research project I am a part of. I have run into an issue that I have been unable to solve independently. My problem is the unexpected behavior of psa_wait() when using signal masks. I have two signals, TFM_TIMER1_IRQ_SIGNAL and TFM_SECURE_FUNCTION_SIGNAL. The TIMER1_IRQ signal is triggered by an FLIH interrupt handler that returns TFM_FLIH_SIGNAL. The interrupt is triggered every 1 second by TIMER1. The TFM_SECURE_FUNCTION_SIGNAL is triggered by a periodic function call from the NSPE (a Zephyr thread) and is called every 10 seconds. Observed result: If PSA_WAIT_ANY is used as a signal mask, the TIMER0_IRQ_SIGNAL will only be received when TFM_SECURE_FUNCTION_SIGNAL is received, ergo, every 10 s. Thus any stage 2 handling of an interrupt would be missed. If TFM_TIMER1_IRQ_SIGNAL is used as a signal mask, the signal will be received every 1 s as expected. The TFM_SECURE_FUNCTION_SIGNAL will never be received, as can be expected in the NSPEtoo. I have tried a "hybrid approach" where I call psa_wait(TFM_TIMER1_IRQ_SIGNAL, PSA_BLOCK) /* handle signals .... */ and then psa_wait(TFM_SECURE_FUNCTION_SIGNAL, PSA_POLL). The stage 2 IRS is called, and the secure function is also called. But not with the regularity that I would like. Am I missing something obvious? I have read the Secure Interrupt Integration Guide and carefully studied the SLIH and FLIH test services for the TF-M regression tests. Have I forgotten to reset a signal somewhere? Does the interrupt not preempt the NSPE? I would be immensely grateful for any or all responses. If you need more information, please let me know. Best wishes, Martin Gunnarsson PhD Student RISE Research Institutes of Sweden & Lund University Complete code of my Application RoT: #include <stdbool.h> #include <stdint.h> #include <stddef.h> #include "tfm_api.h" #include "tfm_secure_api.h" #include "psa/service.h" #include "tfm_sp_log.h" #include "psa_manifest/pid.h" #include "psa_manifest/tfm_secure_partition.h" #include <hal/nrf_gpio.h> #include <hal/nrf_timer.h> #include <helpers/nrfx_reset_reason.h> #include <nrf_board.h> #include <region_defs.h> #define TIMER_RELOAD_VALUE (1*1024*1024) static volatile uint32_t interrupt_ctr = 0; static volatile uint32_t function_ctr = 0; static void timer_init(NRF_TIMER_Type * TIMER) { nrf_timer_mode_set(TIMER, NRF_TIMER_MODE_TIMER); nrf_timer_bit_width_set(TIMER, NRF_TIMER_BIT_WIDTH_32); nrf_timer_frequency_set(TIMER, NRF_TIMER_FREQ_1MHz); nrf_timer_cc_set(TIMER, NRF_TIMER_CC_CHANNEL0, TIMER_RELOAD_VALUE); /* Clear the timer once event is generated. */ nrf_timer_shorts_enable(TIMER, NRF_TIMER_SHORT_COMPARE0_CLEAR_MASK); } static void timer_stop(NRF_TIMER_Type * TIMER) { nrf_timer_task_trigger(TIMER, NRF_TIMER_TASK_STOP); nrf_timer_int_disable(TIMER, NRF_TIMER_INT_COMPARE0_MASK); nrf_timer_event_clear(TIMER, NRF_TIMER_EVENT_COMPARE0); } static void timer_start(NRF_TIMER_Type * TIMER) { timer_stop(TIMER); nrf_timer_task_trigger(TIMER, NRF_TIMER_TASK_CLEAR); nrf_timer_int_enable(TIMER, NRF_TIMER_INT_COMPARE0_MASK); nrf_timer_task_trigger(TIMER, NRF_TIMER_TASK_START); } static void timer_event_clear(NRF_TIMER_Type *TIMER) { nrf_timer_event_clear(TIMER, NRF_TIMER_EVENT_COMPARE0); } void tfm_secure_controller_secure_timer_start(void) { timer_init(NRF_TIMER1); timer_start(NRF_TIMER1); } void tfm_secure_controller_secure_timer_clear_intr(void) { timer_event_clear(NRF_TIMER1); } psa_flih_result_t tfm_timer1_irq_flih(void) { tfm_secure_controller_secure_timer_clear_intr(); interrupt_ctr++; return PSA_FLIH_SIGNAL; } static psa_status_t tfm_sp_secure_function_ipc(psa_msg_t *msg) { function_ctr++; LOG_INFFMT("Secure function called %u times, interrupt ctr: %u\n", function_ctr, interrupt_ctr ); return PSA_SUCCESS; } void tfm_sp_secure_function(psa_msg_t *msg) { psa_status_t status; status = tfm_sp_secure_function_ipc(msg); psa_reply(msg->handle, status); } void tfm_sp_entry(void) { LOG_INFFMT("Secure Partition: Init\n"); tfm_secure_controller_secure_timer_start(); psa_irq_enable(TFM_TIMER1_IRQ_SIGNAL); psa_signal_t signals = 0; uint32_t ctr = 0; while (1) { signals = psa_wait(TFM_TIMER1_IRQ_SIGNAL, PSA_BLOCK); if ( (signals & TFM_TIMER1_IRQ_SIGNAL) == TFM_TIMER1_IRQ_SIGNAL) { ctr++; LOG_INFFMT("FLIH stage 2 %u\n", interrupt_ctr); psa_reset_signal(TFM_TIMER1_IRQ_SIGNAL); } if ( ctr % 10 == 0 ) { signals = psa_wait(PSA_WAIT_ANY, PSA_POLL); if ( (signals & TFM_SECURE_FUNCTION_SIGNAL) == TFM_SECURE_FUNCTION_SIGNAL) { psa_msg_t msg; psa_get(signals, &msg); tfm_sp_secure_function(&msg); } } } }

3 years, 8 months

2
8
0 0

New API tfm_hal_system_halt()

by Bøe, Sebastian

Hi, in the effort to ease debugging by supporting a choice between halting and rebooting we are introducing a new HAL API: void tfm_hal_system_halt(void) which by default (weak) does: __disable_irq(); while(1) { __WFE(); } CPUs cannot halt. But they can sleep until they are awoken in a loop, which is pretty close. tfm_hal_system_halt() is, when configured so, used by tfm_core_panic() which is why we disable irqs to stop all threads of execution, not just the thread that is executing. Currently it is proposed that tfm_core_panic() halts when TFM_HALT_ON_CORE_PANIC is ON and otherwise reboots. TFM_HALT_ON_CORE_PANIC is default ON if and only if Debug mode is enabled. Any feedback to these changes are welcome, and if any platform needs to halt in a different manner then a contribution would be welcome as well. https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/13839

3 years, 8 months

1
0
0 0

TF-M regression test refinements

by Jianliang Shen

Hi, all I'd like to share two new refinements in TF-M test repo to you. l The struct variable test_result_t has been removed from the definition of struct variable test_t. It is unnecessary to set an initial value of test result for each case. With this change, the binary size will be reduced. Please see [test patch]<https://review.trustedfirmware.org/c/TF-M/tf-m-tests/+/13822/4> for more details. l The flag TEST_SKIPPED has been added into enum variable test_status_t, works with TEST_PASSED and TEST_FAILED. TEST_SKIPPED indicates that the test case is skipped in runtime when the test environment is unavailable. Please ee [test patch]<https://review.trustedfirmware.org/c/TF-M/tf-m-tests/+/13826/5> for more details. Hope these two changes can help your work in the future. Please let me know if anything can be improved. Thanks! Best Regards Jianliang Shen

3 years, 8 months

1
0
0 0

FF PSA API overhead

by Bøe, Sebastian

Hi, the performance improvement presentation[0] reports a FF PSA API overhead of 20 000 CPU cycles for the psa_call. Which is 300 us for a 64MHz CPU. This is quite a lot of instructions and I am concerned about whether real world embedded application's will have time to call these secure services. I'm interested in isolation level 2. I understand that it is not possible to have isolation level 2 with library mode. But what about SFN mode, could that eventually support isolation level 2? If not, what is the current status of optimizing the service call overhead for IPC. Is it considered to be as optimized as it can be or is there still hope for optimizing further? [0] https://www.trustedfirmware.org/docs/tf-m_forum_20211209-TF-M_Performance-I…

3 years, 8 months

2
1
0 0

Technical Forum call - Feb 17

by Anton Komlev

Hi, The next Technical Forum is planned on Thursday, February 17, 15:00-16:00 UTC (US time zone). Please reply on this email with your proposals for agenda topics. Recording and slides of previous meetings are here: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Best regards, Anton

3 years, 8 months

2
2
0 0

[FYI] Tiny update in level 3 ld/sct files

by Ken Liu

Hi, We got a tiny update merged in level 3 ld/sct files to support partition runtime: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/13925 Platforms with level 3 support please have a test and report issue here if spotted. We have internally tested MPS2 and MUSCA_B1. Thanks. /Ken

3 years, 8 months

1
0
0 0

halting or rebooting on faults

by Bøe, Sebastian

Hi, it seems we could try to be more consistent with fault handling. The current default behaviour is: Error code returned from an SPE function? Reboot. MemFault/HardFault/SecureFault in the SPE? Halt. Null-pointer dereference from the NSPE? (results in a secure fault for cortex-m) Halt. Should we perhaps consistently halt or consistently reboot for these three cases and allow this to be configurable? It is not clear to me why an error returned from a function results in a reboot, whereas a Hardfault does not. They both indicate a fault in the SPE. At the very least the behaviour should be configurable, which this PR is a step towards: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/13839

3 years, 8 months

5
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

TF-M