Hello,
The next Technical Forum is planned on Thursday, March 19 at 7:00-8:00 UTC.
Please reply on this email with your proposals for agenda topics.
Best regards,
Anton Komlev
Hi,
TF-M version information is carried by manifest data, which is appended to the image in a post build step (at image signing):
* Image header: Contains image actual version: 1.0.0
* Image TLV (footer): Can contains a dependency TLV entry which refers to the dependent image by an ID and its minimum version.
Dependency verification:
* At boot time the bootloader checks whether the dependency would be satisfies after a software upgrade. If not then it deny the update.
* https://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/user_guide…
At runtime there is no API to get the image version or its capability.
Did I answer your question?
Tamas
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Reinhard Keil via TF-M
Sent: 09 March 2020 09:45
To: tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: [TF-M] Product Lifecycle Management: TF-M + Non-Secure Application
Hi,
How does TF-M consider Product Lifecycle Management (PLM)?
Assuming the following scenario where TF-M and Non-Secure Application are independently developed/updated in a deployed system:
* TF-M is delivered i.e. by a silicon vendor in a pre-configured variant and Non-Secure Application starts to use this configuration.
* During PLM there is a decision to update/upgrade/downgrade TF-M. The new image is pushed to deployed devices independent of Non_Secure application.
Questions that I have:
* Is there a way for the Non-Secure application to identify the functionality available in TF-M?
* How is it ensured that new TF-M versions are compatible with previous versions?
Reinhard
Abhishek,
A few days, I posted the reasons why MPC/PPC should not be used for level 3 isolation. Did you had a chance to read that?
MPC/PPC implement system wide isolation. IMHO, reprogramming it for level 3 isolation should be not considered as it creates various problems for the system designer.
You did also ask, how to ensure that security is actually enabled, basically if security has been initalized. The best approach would be to check if the SAU->CTRL is correctly set; if not the system should shut down.
Reinhard
Hi,
How does TF-M consider Product Lifecycle Management (PLM)?
Assuming the following scenario where TF-M and Non-Secure Application are independently developed/updated in a deployed system:
* TF-M is delivered i.e. by a silicon vendor in a pre-configured variant and Non-Secure Application starts to use this configuration.
* During PLM there is a decision to update/upgrade/downgrade TF-M. The new image is pushed to deployed devices independent of Non_Secure application.
Questions that I have:
* Is there a way for the Non-Secure application to identify the functionality available in TF-M?
* How is it ensured that new TF-M versions are compatible with previous versions?
Reinhard
We need to be cognizant of the target usage and user base. The vast majority of usage is v8m in which case the HAL can be simple and targeted for TrustZone. Based on what I have witnessed other than the changes required to support dual/multicore usage. Why not offer a HAL option for TrustZone and one for dual/multicore?
All the best!
Reed
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Abhishek Pandit via TF-M <tf-m(a)lists.trustedfirmware.org>
Reply-To: Abhishek Pandit <Abhishek.Pandit(a)arm.com>
Date: Friday, March 6, 2020 at 4:28 AM
To: "tf-m(a)lists.trustedfirmware.org" <tf-m(a)lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] TrustZone initialisation procedure
Hi,
I see this slight differently. The purpose of TF-M HAL is to abstract out specific HW dependencies from the SW framework for creating isolated secure partitions. As you can understand, various systems have differences in what components are utilized for isolation, but TF-M needs to implement a generic mechanism that works across multiple platforms. Therefore it’s important to consider what’s platform specific and what’s generic.
In that sense, SAU and other system components are specific to the underlying HW hence should be part of platform implementation. Of course, it is possible to implement a unified HAL for a family of devices, however I would still expect the hardware abstraction layer in TF-M to remain agnostic of how the HW implements/facilitates isolation of secure world.
I don’t disagree with the suggestion about enhancements but they seem platform specific to me so should be discussed in that context.
Thanks,
Abhishek
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu via TF-M
Sent: 04 March 2020 03:14
To: tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] TrustZone initialisation procedure
Hi Jonatan,
The enhancement of this TZ_SAU_Setup() sounds reasonable, and there are more background items to be considerate:
* The SPM need to re-configure the isolation hardware dynamically under isolation level 3 while SPM scheduling, and MPC/PPC is potentially included. So I am not sure what the ‘system isolation’ mean in your mail, if you want a static initialization for all isolation settings then it will not work for SPM at least for the isolation level 3 design. If it includes the minimal security (and fundamental) setting while system booting and there are other functions to update the isolation setting later, it is do-able.
* How does the parameter pass into this function? Because SPM needs to know the status of the existing isolation setting for some purposes (such as security checking), so there needs to be a way to let SPM know the isolation status.
So if we do the fundamental security setup in SystemInit(), the advantage is the protection is already enabled between SystemInit() exits and SPM_Init() (There are platform init process in this stage). The cons are SPM may not check the isolation status. And if we do isolation in SPM_Init(), the advantage is SPM can know the status and the cons are Platform Init is not restricted (It could access anywhere).
I would suggest not to propose the calling time strictly for this new enhanced API.
I know cypress uses customized protection initialization mechanism so any ideas?
BR
/Ken
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Jonatan Antoni via TF-M
Sent: Tuesday, March 3, 2020 11:09 PM
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Subject: [TF-M] TrustZone initialisation procedure
Hi all,
I am trying to align TrustZone initialisation procedure between TF-M and CMSIS.
In CMSIS the approach from the early v8-M days is to have a “partition.h” file providing “TZ_SAU_Setup()” function. This function is called during low level “SystemInit()” which runs as part of the pre-main (called from ResetHandler and before running C lib init).
In contrast TF-M calls “tfm_spm_hal_init_isolation_hw()” (which is similar to “TZ_SAU_Setup()” plus PPC/MPC configuration) during “tfm_core_init()” (which runs in secure “main()”).
The advantage of “TZ_SAU_Setup()” is that this function is available by standard for all TrustZone devices. The shortcoming is it doesn’t cover MPC/PPC configuration, yet. Ideally we can enhance CMSIS standard to offer a “TrustZone_Setup()” function (the name is still to be defined) that does all this. That would simplify the TF-M HAL to just one single function call that should be provided by each TrustZone-Device low level init code.
The final question is: When does this function need to be called? Are you aware of any reason why we should not configure the “system isolation” already during low level init (pre-main)? This could simplify TF-M code even more. In TF-M we could simply rely on a properly configured TrustZone isolation before running any TF-M code.
Cheers,
Jonatan Antoni
Senior Engineering Manager - CMSIS [Germany on Google Android 8.0] [United Kingdom on Google Android 8.0]
Arm Germany GmbH
Phone: +49 (0)89 262 029 618 | Fax: +49 (0)89 456 040-19
Email: jonatan.antoni(a)arm.com<mailto:jonatan.antoni@arm.com> | Visit: www.keil.com<http://www.keil.com > | Address: Bretonischer Ring 16, 85630 Grasbrunn, Germany
Sitz der Gesellschaft: Grasbrunn | Handelsregister: München (HRB 175362) | USt-IdNr.: DE 187925309
Geschäftsführer: Joachim Krech, Reinhard Keil
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi,
I see this slight differently. The purpose of TF-M HAL is to abstract out specific HW dependencies from the SW framework for creating isolated secure partitions. As you can understand, various systems have differences in what components are utilized for isolation, but TF-M needs to implement a generic mechanism that works across multiple platforms. Therefore it's important to consider what's platform specific and what's generic.
In that sense, SAU and other system components are specific to the underlying HW hence should be part of platform implementation. Of course, it is possible to implement a unified HAL for a family of devices, however I would still expect the hardware abstraction layer in TF-M to remain agnostic of how the HW implements/facilitates isolation of secure world.
I don't disagree with the suggestion about enhancements but they seem platform specific to me so should be discussed in that context.
Thanks,
Abhishek
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu via TF-M
Sent: 04 March 2020 03:14
To: tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] TrustZone initialisation procedure
Hi Jonatan,
The enhancement of this TZ_SAU_Setup() sounds reasonable, and there are more background items to be considerate:
* The SPM need to re-configure the isolation hardware dynamically under isolation level 3 while SPM scheduling, and MPC/PPC is potentially included. So I am not sure what the 'system isolation' mean in your mail, if you want a static initialization for all isolation settings then it will not work for SPM at least for the isolation level 3 design. If it includes the minimal security (and fundamental) setting while system booting and there are other functions to update the isolation setting later, it is do-able.
* How does the parameter pass into this function? Because SPM needs to know the status of the existing isolation setting for some purposes (such as security checking), so there needs to be a way to let SPM know the isolation status.
So if we do the fundamental security setup in SystemInit(), the advantage is the protection is already enabled between SystemInit() exits and SPM_Init() (There are platform init process in this stage). The cons are SPM may not check the isolation status. And if we do isolation in SPM_Init(), the advantage is SPM can know the status and the cons are Platform Init is not restricted (It could access anywhere).
I would suggest not to propose the calling time strictly for this new enhanced API.
I know cypress uses customized protection initialization mechanism so any ideas?
BR
/Ken
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Jonatan Antoni via TF-M
Sent: Tuesday, March 3, 2020 11:09 PM
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Subject: [TF-M] TrustZone initialisation procedure
Hi all,
I am trying to align TrustZone initialisation procedure between TF-M and CMSIS.
In CMSIS the approach from the early v8-M days is to have a "partition.h" file providing "TZ_SAU_Setup()" function. This function is called during low level "SystemInit()" which runs as part of the pre-main (called from ResetHandler and before running C lib init).
In contrast TF-M calls "tfm_spm_hal_init_isolation_hw()" (which is similar to "TZ_SAU_Setup()" plus PPC/MPC configuration) during "tfm_core_init()" (which runs in secure "main()").
The advantage of "TZ_SAU_Setup()" is that this function is available by standard for all TrustZone devices. The shortcoming is it doesn't cover MPC/PPC configuration, yet. Ideally we can enhance CMSIS standard to offer a "TrustZone_Setup()" function (the name is still to be defined) that does all this. That would simplify the TF-M HAL to just one single function call that should be provided by each TrustZone-Device low level init code.
The final question is: When does this function need to be called? Are you aware of any reason why we should not configure the "system isolation" already during low level init (pre-main)? This could simplify TF-M code even more. In TF-M we could simply rely on a properly configured TrustZone isolation before running any TF-M code.
Cheers,
Jonatan Antoni
Senior Engineering Manager - CMSIS [Germany on Google Android 8.0] [United Kingdom on Google Android 8.0]
Arm Germany GmbH
Phone: +49 (0)89 262 029 618 | Fax: +49 (0)89 456 040-19
Email: jonatan.antoni(a)arm.com<mailto:jonatan.antoni@arm.com> | Visit: www.keil.com<http://www.keil.com > | Address: Bretonischer Ring 16, 85630 Grasbrunn, Germany
Sitz der Gesellschaft: Grasbrunn | Handelsregister: München (HRB 175362) | USt-IdNr.: DE 187925309
Geschäftsführer: Joachim Krech, Reinhard Keil
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Alan,
It (8.3.5) is one of the cases can be dealt with, and now it is not detail defined yet. Can you describe what your practical purpose for S/NS interactive is so that we could collect feedbacks to check if the rules are applicable?
/Ken
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of DeMars, Alan via TF-M
Sent: Wednesday, March 4, 2020 10:51 PM
To: 'tf-m(a)lists.trustedfirmware.org' <tf-m(a)lists.trustedfirmware.org>
Subject: [TF-M] SPM_IDLE
Mention is made to "SPM_IDLE" in the Cooperative Scheduling Rules document:
https://ci.trustedfirmware.org/job/tf-m-build-test-nightly/lastSuccessfulBu…
I'm struggling to understand section 8.3.5 which references SPM_IDLE but doesn't really define it. Is there more info on this topic? It appears to be a proposed solution for allowing other NS threads to be scheduled while the current NS thread is waiting for an asynchronous event in the secure service it has called.
Alan
I have just pushed a simple one liner for
tools/tfm_parse_manifest_list.py, which keeps the generated #include
file names using unix style paths, even if the files were generated on
windows.
In the past I have manually fixed up the paths on the generated #include
lines in some of the files, but got bored and fixed the script instead.
https://review.trustedfirmware.org/c/trusted-firmware-m/+/3605
I also pushed a major (80 files) fix last night that cleans up most of
the warnings when building with the IAR toolkit, which for now has more
warnings enabled than ARMCLANG and GNUARM. This should make it easier to
enable "pedantic" mode with GNUARM as well.
https://review.trustedfirmware.org/c/trusted-firmware-m/+/3594
Thomas
--
*Thomas Törnblom*, /Product Engineer/
IAR Systems AB
Box 23051, Strandbodgatan 1
SE-750 23 Uppsala, SWEDEN
Mobile: +46 76 180 17 80 Fax: +46 18 16 78 01
E-mail: thomas.tornblom(a)iar.com <mailto:thomas.tornblom@iar.com>
Website: www.iar.com <http://www.iar.com>
Twitter: www.twitter.com/iarsystems <http://www.twitter.com/iarsystems>
Hi,
Today, I measured the call overhead on the function entry to TF-M is significant and will cause side effects for time deterministic MCU applications using the MDK debugger on STM32L5.
Compiler: AC6.14 -oz (optimized for image size)
TFM configuration: TFM_LVL=1, library mode, TFM_NS_CLIENT_IDENTIFICATION = OFF
--- Execution time measurement:
Function call of NS psa_open_key to corresponding secure function:
NS: dispatch -> S: tfm_crypto_open_key 2135 cycles
NS: dispatch -> S: psa_open_key 2536 cycles
NS: psa_open_key -> S: psa_open_key 2825 cycles (this is with RTOS mutex overhead)
tfm_core_sfn_request(const struct tfm_sfn_req_s *desc_ptr)
{
__ASM volatile(
"PUSH {r4-r12, lr} \n"
"SVC %[SVC_REQ] \n" <--- effectively disables interrupts for 1970 Cycles
"MOV r4, #0 \n"
On Musca (~48MHz) the overhead is 45us for a TF-M call.
--- Code Size overhead:
Each TFM function has the following flow:
tfm_ns_interface_dispatch (this is a central function)
#33 result = fn(arg0, arg1, arg2, arg3); -> calls each TF-M function with individual veneer
tfm_core_partition_request (which is again central function)
As function inlining is used, the each veneer requires 180 bytes.
In my system there are 4 ITS and 46 Crypto functions; with the net result of ~10K code for just the veneer entries.
Here are some suggestions:
* Using a central entry point to TF-M could save ~10KB; I suggest a table driven approach (could be generated from "manifest" information).
* In LVL1 isolation, why is it required to switch from NS: thread->S: handler->S: thread mode. Is it not possible to just call NS: thread-> S: thread?
* Disabling NS interrupts for 1970 cycles will be problematic for many time critical applications that are ISR driven; some is caused by parameter checking:
* current sequence: first check, then copied (which requires to disable interrupts); Better: First copy, then check could avoid ISR blocking.
I hope this helps to improve TFM.
Reinhard
