Hi Joakim,
On 4/2/20 10:18 AM, Joakim Bech via TF-A wrote:
> Hi Sandrine,
>
> On Wed, Apr 01, 2020 at 11:46:20AM +0200, Sandrine Bailleux wrote:
>> Hi Joakim,
>>
>> On 4/1/20 10:08 AM, Joakim Bech via TSC wrote:
>>> How that works in practice is that all OP-TEE maintainers are adding
>>> their "Tested-by" (see example [2]) tag for the platform they maintain
>>> when we're doing a release. If there are platforms with no "Tested-by"
>>> tag, then they simply end up with the "last known version".
>>
>> I think that's a very good idea!
>>
> The "Tested-by" part for OP-TEE releases has been working pretty good,
> not sure how scalable it is the long run though. To give some more
> info regarding the "last known version", we even at one point had some
> stop-light for that. I.e. if a maintainer missed testing a release once,
> then it became "orange". If missed twice, then it became "red" and we
> showed last know supported version. But we dropped that idea a short
> while after introducing it.
May I know why you dropped the idea? Was it too much maintenance? If
that's the reason I guess again this could be addressed with some
automation work (generating the stop-light status from the commit
message info).
>>> However, to keep that up-to-date, it requires some discipline from the
>>> people maintaining such a table ... something that we in the OP-TEE
>>> project haven't been very good at :)
>>
>> Can't this be automated, such that it doesn't need to be manually kept
>> up-to-date? I imagine we could have some tools generating the platform
>> support table out of such a commit message.
>>
> Indeed it could, it's just a matter of doing some scripting if one
> doesn't want to do it manually. I already have Python scripts pulling
> all tags from GitHub pull requests. But there are of course several
> other ways how one could pull that kind of information.
Regards,
Sandrine
Hi Erik,
On 4/1/20 9:24 PM, Shreve, Erik via TF-A wrote:
> Sandrine,
>
> To clarify on functionality vs. support. I listed out a support life cycle consisting of the following states:
> Fully Supported
> Orphan
> Out of Date
> Deprecated
> These states are intended to have nothing to do with functionality, but only the support offered for the functionality that currently exists for a platform.
>
> I think I may have confused things when I listed "Functional Support" as the heading to represent "Functionality."
> I'm proposing that the supported "Functionality" should be documented in a standard way (within a project) for every platform.
>
> I do agree this could be burdensome to keep up with. But that is why I suggested that the project's feature list be versioned. The platform's supported feature list document would reference the version of the project feature list used. Platform maintainers then don' t have to continuously update the document. But it will be clear how long it has been since they did update and thus what information may be missing. Versioning the feature list document is also why I mentioned that the project version number may want to adopt a version number scheme where feature changes are represented by a certain part of the version number. For example Semantic Versioning 2.0.0: https://semver.org/. Hope that clarifies the intent? For implementation of this I'm imagining each project could create a supported_feature_list.rst file and each platform would copy that file into their platform doc folder and fill it in. I'm not saying that approach would be required at tf.org level, just sharing to further illustrate.
>
> That said, perhaps the implementation details for a project would not warrant such a document per platform? My primary concern around this is misuse/misconfiguration. If a platform doesn't support a feature or configuration it may not be obvious to a user unless an error is generated at build or run-time.
OK, I think I get the idea now, thanks for the explanations. This looks
reasonable to me. The idea of keeping a project's feature list being
mirrored and filled in per platform sounds like something we would want
to enforce at the tf.org level IMO.
At the same time, this could also be handled at the build system level
as you pointed out, or more precisely by the configuration manager. I am
thinking about the Linux kernel, where support for a particular feature
is handled (and documented) through the KConfig system. This might be a
more scalable approach. And it doesn't prevent us from also
auto-generating some feature list out of the Kconfig files for making
this information more accessible to users.
> My secondary concern is being able to consistently track tickets/bugs with features. Thus, I'm recommending that the features on that list be used with the ticket/issue system by feature name. This would allow users to find all bugs for Feature X on Platform Y in Project Z.
> Related to that, when I mentioned "tags." I wasn't thinking of Git tags, but "labels" in the ticket/issue tracking system(s). Different systems work differently for labeling/categorizing issues, but the goal is to provide a consistent way (per project) to find issues related to a feature on a platform.
>
> If requiring a feature list it is too much at the tf.org level then I'll be satisfied to push for that kind of documentation in the projects or platforms I'm involved in if/as appropriate.
Yes, good point, I think it would be desirable to be able to tie tickets
to some specific platform/feature/version. And I think it makes sense to
unify this across tf.org projects.
> Regarding the other conversational tidbits:
>
> Thanks for pointing out that the original proposal does say "builds all configurations supported by this platform" under "Fully Supported." I can see the intention here now. Substituting "features" for "configurations" would broaden the meaning a bit.
OK, I will change the wording, thanks for the suggestion.
> You said: "I am starting to think that we need a list of items to be defined per project."
> Yes, this sounds like a great idea.
>
> My original mention of wanting a "stronger standard put forth for platform documentation" was a response to seeing "Limited Support" in the original proposal allowing documentation to fall out of date.
>
>
> Hope that clarifies some of my thoughts. If not, I'm happy to continue the discussion. Thanks again for taking feedback!
>
> Erik Shreve, PSEM
> Software Security Engineer & Architect (CMCU Platform Development)
>
> -----Original Message-----
> From: Sandrine Bailleux [mailto:sandrine.bailleux@arm.com]
> Sent: Wednesday, April 01, 2020 4:18 AM
> To: Shreve, Erik; tf-a; tf-m(a)lists.trustedfirmware.org; tsc(a)lists.trustedfirmware.org; op-tee(a)linaro.org
> Cc: nd(a)arm.com
> Subject: Re: [EXTERNAL] [TF-M] Project Maintenance Proposal for tf.org Projects
>
> Hello Erik,
>
> Thanks for the feedback.
>
> On 3/26/20 3:37 PM, Shreve, Erik wrote:
>> Sandrine,
>>
>> Really glad to see this being pulled together. A couple of areas of feedback around the Platform Support Life Cycle.
>>
>> As previously mentioned there are two orthogonal concerns captured in the current life cycle: Support and Functionality.
>> I'd like to see these split out.
>
> Yes, you are the second person to mention that and I agree with you
> both. Unless someone disagrees, I intend to update the proposal and
> separate these 2 concepts in the next version of the document.
>
>> For functionality, chip vendors may not have a business case for supporting all features on a given platform but they may provide full support for the features they have chosen to include.
>> A simple example would be supporting PSA FF Isolation Level 1 only due to lack of HW isolation support needed to achieve Isolation Level 2 or greater.
>
> I completely agree. It would not make sense to support all features on
> all platforms just for the sake of completeness. Each platform ought to
> implement what is relevant in its case.
>
> That's what the current proposal tried to convey: a fully supported
> platform must "build all configurations *supported by this platform*"
> and "All *supported* configurations are tested in the CI". The key word
> here is supported and that would be defined by the platform itself. But
> I can see that maybe this wasn't clear enough. Your proposal below makes
> that a lot clearer.
>
>> Also, I'd like to see a stronger standard put forth for platform documentation. If a platform is "supported," I believe the documentation should be complete and accurate. A lack of complete and clear documentation leaves open a wide door for misuse/misconfiguration which could result in a vulnerable system.
>
> Fair point.
>
> But is it something we should include in this proposal or should we push
> it to a separate document setting expectations for the project's
> documentation, which the current general proposal could refer to (as in,
> "the platform should provide quality documentation up to the project's
> criteria defined in document XXX')?
>
> This is definitely an important topic but I am wary of keeping the
> tf.org proposal concise and focused at this point. I am worried that if
> we put too much stuff in it discussions will diverge too much and we
> might never reach an agreement.
>
> The same applies to testing standards for example, we could detail that
> in the proposal or simply leave it to projects to define it separately.
>
>> Here is a more concrete proposal:
>>
>> Functional Support:
>> Each project shall provide a standard feature or functionality list.
>> Each platform shall include in its documentation a copy of this list with the supported functionality marked as supported.
>> The platform documentation may reference a ticket if support is planned but not yet present.
>> The platform documentation shall explicitly state if a feature or function has no plans for support.
>
> Regarding the last item, this would require all platform maintainers to
> update their documentation every time a new feature is added to the
> project's global list of features. This seems too much of a constraint
> and unnecessary maintenance burden to me.
>
> I think a better, more lightweight alternative might be to let platform
> maintainers list what's supported and if some feature is not listed, it
> implies that it is not supported. This does not prevent platform
> maintainers from indicating their future plans of supporting a feature
> if they want to.
>
>> The feature/functionality list shall be versioned, with the version tied to the release version(s) of the project.
>> In this way, it will be clear if a platform was last officially updated for version X but the project is currently at version Y > X.
>
> I can see that Joakim Bech proposed something similar, with more details
> about how this was implemented for OP-TEE.
>
>> Note: projects will need to adopt (if they have not already) a version scheme that distinguishes between feature updates and bug fixes.
>
> Sorry I didn't get this, could you please elaborate?
>
>> Each project and platform shall use tags or similar functionality on tickets to associate tickets to features/functionality and platforms.
>> If the names of tags can't match the name of the feature or platform exactly then a mapping shall be provided in the appropriate document(s).
>
> If there's no appropriate tag in some cases, I guess we could always use
> a git SHA1 of a specific commit.
>
>> Life Cycle State
>>
>> Fully Supported
>> There is (at least) one active code owner for this platform.
>> All supported features build and either all tests pass or failures are associated with tracked known issues.
>> Other (not associated to a test) Known Issues are tracked
>> Documentation is up to date
>>
>> Note: Projects should document standards on how "active" code ownership is measured and
>> further document standards on how code owners are warned about impending life cycle state changes.
>
> Yes, good point, that is currently undefined in the proposal but I agree
> that it needs defining per project. I will add an item in the last
> section of the document.
>
> I am starting to think that we need a list of items to be defined per
> project. This list would complement the general tf.org proposal. Things
> like code owners/maintainers activity, code review timelines, and so on.
>
>>
>> Orphan
>> There is no active code owner
>> All supported features build and either all tests pass or failures are associated with tracked known issues.
>> Other (not associated to a test) Known Issues may not have been maintained (as there is no active code owner)
>> Documentation status is unclear since there is no active code owner.
>> There has been no change to the feature/functionality list in the project since the platform was last "Fully Supported"
>
> I am confused, you said earlier that you would like to see the concepts
> of support and functionality split out, but here you're listing 'orphan'
> as one of the possible states... Did I miss your point?
>
>> Out of date
>> Same as orphan, but either:
>> there have been changes to the feature/functionality list, or
>> there are failing tests without tracked tickets, or
>> there are known documentation issues.
>>
>> Deprecated
>> Same as Out of Date, but the build is broken. Platform may be removed from the project codebase in the future.
>>
>> Erik Shreve, PSEM
>> Software Security Engineer & Architect (CMCU Platform Development)
Hi all,
I am proposing some patches to move away from using fixed NS region numbers defined by TF-M core, to having platform-defined SAU region numbering. The motivation for the change is to give platforms more flexibility when configuring the isolation hardware, and in particular, to make it possible to use tools like CMSIS-Zone to generate the isolation hardware configuration.
There are a couple of patches:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/3484 -- Removes the memory permission check API from TF-M, which was the only user of the fixed region numbers. This API is no longer required because the SPM does all necessary memory permission checks before control reaches the secure partition. The patch removes uses of this API from the Attestation service, the platform service and the tests.
https://review.trustedfirmware.org/c/trusted-firmware-m/+/3485 -- Removes the fixed region numbers and refactors all platforms to no longer use them.
Reviews appreciated.
Kind regards,
Jamie
Finally it will be fixed.
It was confusing for new people,
Thank you ;)
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Kevin Peng via TF-M
Sent: Friday, April 3, 2020 8:04 AM
To: 'tf-m(a)lists.trustedfirmware.org' <tf-m(a)lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com>
Subject: [TF-M] Renaming SST to PS
Hi,
Please be aware that there is a ongoing change<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tr…> to rename the SST (Secure STorage) service to PS (Protected Storage).
This is to align with the PSA Storage API spec. The SST service is the implementation of the PSA Protected Storage service.
The change renames lots of files, API names, build configurations etc...
Lots of impacts are expected. Please do get prepared.
Another notice after merging the change will be sent too.
And, comments are always welcomed.
Best Regards,
Kevin
Hi,
Please be aware that there is a ongoing change<https://review.trustedfirmware.org/c/trusted-firmware-m/+/3597> to rename the SST (Secure STorage) service to PS (Protected Storage).
This is to align with the PSA Storage API spec. The SST service is the implementation of the PSA Protected Storage service.
The change renames lots of files, API names, build configurations etc...
Lots of impacts are expected. Please do get prepared.
Another notice after merging the change will be sent too.
And, comments are always welcomed.
Best Regards,
Kevin
Hi,
Perfect timing! Please check this change:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/3592
There is no reason, the above change fix it.
BR,
Tamas
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Cindy Chaumont via TF-M
Sent: 02 April 2020 20:01
To: tf-m(a)lists.trustedfirmware.org
Subject: [TF-M] mcmse option to compile non secure image
Hello,
I have been working for a few weeks with the Trusted Firmware M software and I was wondering a question to which I cannot find an answer.
This concerns CMSE, I thought the -mcmse option should only be used to compile secure images (http://www.keil.com/support/man/docs/armclang_ref/armclang_ref_pge144464730…). However, it seems to me that the non secure image of TF-M is also compiled with the -mcmse option. Is there a reason for this?
Thank you in advance for the answer,
Best regards,
Cindy Chaumont
(Intern in embedded computing at Witekio)
Hello,
I have been working for a few weeks with the Trusted Firmware M software and I was wondering a question to which I cannot find an answer.
This concerns CMSE, I thought the -mcmse option should only be used to compile secure images (http://www.keil.com/support/man/docs/armclang_ref/armclang_ref_pge144464730…). However, it seems to me that the non secure image of TF-M is also compiled with the -mcmse option. Is there a reason for this?
Thank you in advance for the answer,
Best regards,
Cindy Chaumont
(Intern in embedded computing at Witekio)
Is pre-emption while in secure mode supported? If so, NS RTOS may have to be modified to handle switching from a thread who's PC and SP are in secure domain.
How would a secure service thread block while waiting for a security-protected hardware process to finish (ie what is the secure driver model)?
Alan
From: TF-M [mailto:tf-m-bounces@lists.trustedfirmware.org] On Behalf Of Reinhard Keil via TF-M
Sent: Thursday, April 2, 2020 5:49 AM
To: tf-m(a)lists.trustedfirmware.org
Cc: nd
Subject: [EXTERNAL] [TF-M] Multi-threaded single-scheduler model proposal
Hi Erik,
Really great to see your involvement. Let me share my view on a TF-M execution model for constrained single core v8-M with TrustZone using Secure Function Call (aka library) mode:
On secure side: single thread execution only. Not stack swapping. NS to S calls are blocking until secure execution completes.
On non-secure side: RTOS with threaded execution. Entry to secure side protected with Mutex.
This structure is explain on page 27 of https://github.com/ARM-software/CMSIS_5/blob/develop/CMSIS_Review_Meeting_2…
IMHO, there are various benefits:
* Overall less complexity, no need of tz_context, any RTOS would work, less memory overhead (i.e. single stack at secure side)
* No impact to time deterministic execution on the NS side unless two threads call secure services
* Conflict of mulitple threads calling secure services could be minimized with RTOS that offers priority inversion
Are there any obvious problems with the above model?
Thanks
Reinhard Keil - Sr. Director Embedded Tools, Arm
P.S. maybe you read also https://lists.trustedfirmware.org/pipermail/tf-m/2020-March/000805.html
IMHO we need to simplify the NS to S call entry to speed-up the overall system
Hi,
Looks like another non-secure thread with higher priority could not access secure service since the secure context belongs to previous ongoing non-secure thread and tz_context is not proposed?
/Ken
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Reinhard Keil via TF-M
Sent: Thursday, April 2, 2020 9:52 PM
To: DeMars, Alan <ademars(a)ti.com>; tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] Multi-threaded single-scheduler model proposal
Alan,
"I was afraid that this was the proposal. No lower priority NS threads can run while waiting for the secure interrupt. Only higher priority threads that are initiated by a NS interrupt can run."
You are correct, scheduling of lower priority NS threads would be not possible. This is definitely a shortcoming of the solution.
May I ask: how long does a hardware crypto operation take? What time could be used for low priority NS thread execution?
Reinhard
Hi Erik,
Really great to see your involvement. Let me share my view on a TF-M execution model for constrained single core v8-M with TrustZone using Secure Function Call (aka library) mode:
On secure side: single thread execution only. Not stack swapping. NS to S calls are blocking until secure execution completes.
On non-secure side: RTOS with threaded execution. Entry to secure side protected with Mutex.
This structure is explain on page 27 of https://github.com/ARM-software/CMSIS_5/blob/develop/CMSIS_Review_Meeting_2…
IMHO, there are various benefits:
* Overall less complexity, no need of tz_context, any RTOS would work, less memory overhead (i.e. single stack at secure side)
* No impact to time deterministic execution on the NS side unless two threads call secure services
* Conflict of mulitple threads calling secure services could be minimized with RTOS that offers priority inversion
Are there any obvious problems with the above model?
Thanks
Reinhard Keil - Sr. Director Embedded Tools, Arm
P.S. maybe you read also https://lists.trustedfirmware.org/pipermail/tf-m/2020-March/000805.html
IMHO we need to simplify the NS to S call entry to speed-up the overall system