Hi all,
I have pushed for review patches to enable persistent keys in the TF-M Crypto service. With these changes, persistent keys will be stored by Mbed Crypto using the ITS APIs exposed by TF-M.
The reviews are here:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/3252 (implementation)
https://review.trustedfirmware.org/c/trusted-firmware-m/+/3253 (tests)
Currently, merging of these patches is blocked as they depend on Mbed Crypto 2.0 (or greater), which adds support for the latest ITS 1.0.0 APIs exposed by TF-M. Integrating Mbed Crypto 2.0 with TF-M is a work in progress.
If anyone wants to test these patches in the meantime, it is possible to cherry pick the patch in the Mbed Crypto repo that adds support for ITS 1.0.0. With the Mbed Crypto repo checked-out at the "mbedcrypto-1.1.0" tag, do a "git cherry-pick bda5a2111" to cherry pick the relevant patch.
Kind regards,
Jamie
Hi,
TF-M Profile 1 initiative addressing TF-M footprint reduction to make TF-M usable on more constrained MCUs. As part of this activity attestation service is planned to be refactored as follows:
* Static token creation: Not use QCBOR and T_COSE libraries to token creation
* HMAC based token authentication: Rely only on symmetric crypto algorithms
These changes are optional, the current functionality (dynamic token creation + ECDSA based authentication) remains available and default setting in higher profiles (3).
A design proposal was created, feel free to review & comment:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/3344
BR,
Tamas
The IAR port of TF-M is mostly done and all regression tests runs OK,
with the exception of some of the QCBOR tests.
I've analyzed the issue to be the NaN tests to not follow the Arm
run-time ABI.
The issue is with doubles where some of the tested NaN:s only have set
bits in the lower 32 bits of the mantissa.
>From
https://developer.arm.com/docs/ihi0043/e/run-time-abi-for-the-arm-architect…
---
If NaNs are supported, it is only required to recognize, process, and
convert those values with at least one bit set in the 20 most
significant bits of the mantissa. Remaining bits should be zero and can
be ignored. When a quiet NaN of one precision is converted to a quiet of
the other precision, the most significant 20 bits of the mantissa must
be preserved. Consequently:
* A NaN can be recognized by processing the most significant or only
word of the representation. The least significant word of a double
can be ignored (it should be zero).
* Each ABI-complying value has a single-precision representation, and
a corresponding double-precision representation in which the least
significant word is zero.
* Each ABI-complying NaN value is converted between single- and
double-precision in the same way that Arm VFP VCVT instructions
convert the values.
---
The IAR toolchain only checks the upper 32 bits for NaN / INF and the
double precision NaN tests misinterprets some of the hand crafted NaN:s
as INF.
How should TF-M handle this?
Thomas
--
*Thomas Törnblom*, /Product Engineer/
IAR Systems AB
Box 23051, Strandbodgatan 1
SE-750 23 Uppsala, SWEDEN
Mobile: +46 76 180 17 80 Fax: +46 18 16 78 01
E-mail: thomas.tornblom(a)iar.com <mailto:thomas.tornblom@iar.com>
Website: www.iar.com <http://www.iar.com>
Twitter: www.twitter.com/iarsystems <http://www.twitter.com/iarsystems>
In CMSIS we are using a Test Framework that offers the flexibility to:
1. output to classic printf, but redirecting is on just a single place.
2. Record test output to memory (for devices that have not printf facility)
3. Output the test results in XML for nice formatting using browsers (we use this for filing test reports).
We have used this framework on various projects, across 4 different compilers, on many different targets (simulation, FPGA without UART, etc.).
The framework is for example here https://github.com/ARM-software/CMSIS-Driver_Validation/tree/master/Source. But we used it also for various other projects.
If there is interest, we could do some work to explain it better and make it scalable to TF-M.
Hi Robert,
I see two topics mixing together in this discussion:
1. Project configuration methods/strategy
2. Tooling for that
The CMSIS-Zone addresses both of the items somehow. Believe it would be beneficial if you could summaries the thoughts and bring this important topic for discussion on the upcoming Open Technical forum on Feb 6. This would be a good opportunity to present CMSIS-Zone and get a feedback from the community.
The best,
Anton
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Gyorgy Szing via TF-M
Sent: 03 February 2020 09:50
To: Robert Rostohar <Robert.Rostohar(a)arm.com>; tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] Exporting flash_layout.h and region_defs.h
Hi Robert,
“It is a standalone utility that can be used also from command-line. “
The homepage says this is the command to run it “headless”:
eclipsec.exe -noSplash -consoleLog –launcher.suppressErrors -application com.arm.cmsis.zone.ui.headlessgen -azone FILENME.azone -ftl FTL_DIR -ftl_gen FTL_GEN_DIR
For me this means you still need Eclipse to be installed on your PC to run it and thus this is still and IDE extension just it has support being run headless.
There might be ways to run it without Eclipse, but this does not seem to be officially supported. This means there is expected to be sparse information on how-to-do this, no, or limited support. There is a risk in using this tool to generate extra work (need to work out what environment it needs, need to document it, need to test it to ensure proper operation, need to support issues with the environment, etc…).
This is not really helping us for now, hopefully this changes in the future.
/George
From: Robert Rostohar <Robert.Rostohar(a)arm.com<mailto:Robert.Rostohar@arm.com>>
Sent: 03 February 2020 09:27
To: Gyorgy Szing <Gyorgy.Szing(a)arm.com<mailto:Gyorgy.Szing@arm.com>>; tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: RE: Exporting flash_layout.h and region_defs.h
Hi Gyorgy,
Yes, the memory map needs to be communicated to non-secure world and the existing headers are not the best way.
CMSIS-Zone is one possible tool that could help here and make it user friendly. It provides memory partitioning and also assignment of peripherals to secure or non-secure world.
It is a standalone utility that can be used also from command-line.
Best regards,
Robert
From: Gyorgy Szing <Gyorgy.Szing(a)arm.com<mailto:Gyorgy.Szing@arm.com>>
Sent: Monday 3 February 2020 09:05
To: Robert Rostohar <Robert.Rostohar(a)arm.com<mailto:Robert.Rostohar@arm.com>>; tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: RE: Exporting flash_layout.h and region_defs.h
Hi,
Looking at the big picture, the secure side is owning the memory map, so it seems to be inevitable to communicate this information to the non-secure world. There are many ways to do this, ranging from capturing the info in documentation to providing configuration to high-level memory layout definition tools. The build system could support multiple options, but the first implementation shall focus on portability.
Having a set of header files, which (as the tf-m build system already shows) make the needed information available for both the C program, the linker and the build system, seems to be a good fit to me. It might not be the most user friendly, but is highly accessible.
What those header files actually do contain is a different question. Sor security reasons it may be a good idea to remove all information not needed by the NS world. Luckily CMake has the needed features to solve this issue.
And when we are at the topic, we need to provide a solution for defining available peripherals to as the secure vs non-secure peripheral availability is also controlled by the secure-side.
There seems to be room for a tool independent of tf-m to help standardizing the format this information can be captured in, to help portability of this information and to enhance user-experience. Unfortunately CMSIS-Zone (as per this page https://arm-software.github.io/CMSIS_5/Zone/html/zTInstall.html ) is an IDE extension and thus it is hardly applicable in a command-line focused build environment.
/George
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Robert Rostohar via TF-M
Sent: 03 February 2020 08:15
To: TF-M(a)lists.trustedfirmware.org<mailto:TF-M@lists.trustedfirmware.org>
Subject: Re: [TF-M] Exporting flash_layout.h and region_defs.h
Hi,
I don’t believe this is the right approach.
TF-M currently includes a non-secure side application (integration test) which is built together with the secure side. This is also reflected in “flash_layout.h” and “region_defs.h” which mixes defines for the secure and non-secure side.
While this might be convenient within TF-M current build setup for the platforms that are supported, it causes issues in real applications and when trying to make this scalable across a large number of platforms. We have seen those issues already while working on providing TF-M as a CMSIS-Pack.
There should be a clean separation of files between the secure and non-secure side.
The mentioned header files should not be imposed to the non-secure side.
Typically non-secure software will have a device specific linker script which will only need to know limited information from the memory layout (non-secure code and data location). Also the secure side might be prebuilt and the non-secure side developed and built separately.
One possible solution is to use a CMSIS-Zone to partition the memory layout on a global level and then splitting it to sub-systems for secure and non-secure and exporting only relevant information for each side. This approach will be used also with TF-M CMSIS-Pack which should be available soon.
Best regards,
Robert
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Devaraj Ranganna via TF-M
Sent: Friday 31 January 2020 17:09
To: TF-M(a)lists.trustedfirmware.org<mailto:TF-M@lists.trustedfirmware.org>
Subject: [TF-M] Exporting flash_layout.h and region_defs.h
Hi,
The headers `flash_layout.h` and `region_defs.h` as the name suggests defines layout of flash and how different regions are organised in flash and ram respectively. These headers define the location of Bootloader if any, secure and non-secure firmware in flash and these defines are used in the linker scripts. As far as I can tell, these headers will be used by NS RTOS without any modifications, I can confirm that, this is the case in Mbed OS.
Since these headers are usually imported into NS RTOS without any modifications, I propose that we export these headers as part of the build.
Thanks,
Dev
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi George
The headless mode is functional identical to a command-line mode. I agree that the command line is not self-explaining in the moment, but this can be improved over time.
CMSIS-Zone is a tool that is specifically designed for Cortex-M security and MPU configuration. It is fully supported by Arm and part of our CMSIS open source activities.
CMSIS-Zone
* Supports all Cortex-M23/M33 devices that are on the market public today and extending this support is easy to achieve with an *.rzone file
* The *.rzone approach will be part of our IP configuration activities that is under Socrates.
* The template engine gives you flexibility for generating many different files, source, header, linker scripts etc.
* The tool has both GUI interface and command line mode
* All XML files are fully documented and explained
* It generates static setup which reduces the run-time overhead and the memory footprint. Both is critical for TF-M
* While it requires Eclipse framework, this is not different form other tools (i.e. Phyton requires Phyton framework).
So, I somewhat cannot understand your argument.
Thanks
Reinhard
Hi,
Looking at the big picture, the secure side is owning the memory map, so it seems to be inevitable to communicate this information to the non-secure world. There are many ways to do this, ranging from capturing the info in documentation to providing configuration to high-level memory layout definition tools. The build system could support multiple options, but the first implementation shall focus on portability.
Having a set of header files, which (as the tf-m build system already shows) make the needed information available for both the C program, the linker and the build system, seems to be a good fit to me. It might not be the most user friendly, but is highly accessible.
What those header files actually do contain is a different question. Sor security reasons it may be a good idea to remove all information not needed by the NS world. Luckily CMake has the needed features to solve this issue.
And when we are at the topic, we need to provide a solution for defining available peripherals to as the secure vs non-secure peripheral availability is also controlled by the secure-side.
There seems to be room for a tool independent of tf-m to help standardizing the format this information can be captured in, to help portability of this information and to enhance user-experience. Unfortunately CMSIS-Zone (as per this page https://arm-software.github.io/CMSIS_5/Zone/html/zTInstall.html ) is an IDE extension and thus it is hardly applicable in a command-line focused build environment.
/George
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Robert Rostohar via TF-M
Sent: 03 February 2020 08:15
To: TF-M(a)lists.trustedfirmware.org
Subject: Re: [TF-M] Exporting flash_layout.h and region_defs.h
Hi,
I don’t believe this is the right approach.
TF-M currently includes a non-secure side application (integration test) which is built together with the secure side. This is also reflected in “flash_layout.h” and “region_defs.h” which mixes defines for the secure and non-secure side.
While this might be convenient within TF-M current build setup for the platforms that are supported, it causes issues in real applications and when trying to make this scalable across a large number of platforms. We have seen those issues already while working on providing TF-M as a CMSIS-Pack.
There should be a clean separation of files between the secure and non-secure side.
The mentioned header files should not be imposed to the non-secure side.
Typically non-secure software will have a device specific linker script which will only need to know limited information from the memory layout (non-secure code and data location). Also the secure side might be prebuilt and the non-secure side developed and built separately.
One possible solution is to use a CMSIS-Zone to partition the memory layout on a global level and then splitting it to sub-systems for secure and non-secure and exporting only relevant information for each side. This approach will be used also with TF-M CMSIS-Pack which should be available soon.
Best regards,
Robert
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Devaraj Ranganna via TF-M
Sent: Friday 31 January 2020 17:09
To: TF-M(a)lists.trustedfirmware.org<mailto:TF-M@lists.trustedfirmware.org>
Subject: [TF-M] Exporting flash_layout.h and region_defs.h
Hi,
The headers `flash_layout.h` and `region_defs.h` as the name suggests defines layout of flash and how different regions are organised in flash and ram respectively. These headers define the location of Bootloader if any, secure and non-secure firmware in flash and these defines are used in the linker scripts. As far as I can tell, these headers will be used by NS RTOS without any modifications, I can confirm that, this is the case in Mbed OS.
Since these headers are usually imported into NS RTOS without any modifications, I propose that we export these headers as part of the build.
Thanks,
Dev
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi,
I don’t believe this is the right approach.
TF-M currently includes a non-secure side application (integration test) which is built together with the secure side. This is also reflected in “flash_layout.h” and “region_defs.h” which mixes defines for the secure and non-secure side.
While this might be convenient within TF-M current build setup for the platforms that are supported, it causes issues in real applications and when trying to make this scalable across a large number of platforms. We have seen those issues already while working on providing TF-M as a CMSIS-Pack.
There should be a clean separation of files between the secure and non-secure side.
The mentioned header files should not be imposed to the non-secure side.
Typically non-secure software will have a device specific linker script which will only need to know limited information from the memory layout (non-secure code and data location). Also the secure side might be prebuilt and the non-secure side developed and built separately.
One possible solution is to use a CMSIS-Zone to partition the memory layout on a global level and then splitting it to sub-systems for secure and non-secure and exporting only relevant information for each side. This approach will be used also with TF-M CMSIS-Pack which should be available soon.
Best regards,
Robert
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Devaraj Ranganna via TF-M
Sent: Friday 31 January 2020 17:09
To: TF-M(a)lists.trustedfirmware.org
Subject: [TF-M] Exporting flash_layout.h and region_defs.h
Hi,
The headers `flash_layout.h` and `region_defs.h` as the name suggests defines layout of flash and how different regions are organised in flash and ram respectively. These headers define the location of Bootloader if any, secure and non-secure firmware in flash and these defines are used in the linker scripts. As far as I can tell, these headers will be used by NS RTOS without any modifications, I can confirm that, this is the case in Mbed OS.
Since these headers are usually imported into NS RTOS without any modifications, I propose that we export these headers as part of the build.
Thanks,
Dev
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi,
Why the title is ‘linker issue’ since it is discussing about the printf things?
/Ken
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Devaraj Ranganna via TF-M
Sent: Friday, January 31, 2020 9:57 PM
To: TF-M(a)lists.trustedfirmware.org
Subject: [TF-M] TF-M NS regression tests - linker issue
Hi,
The TF-M NS regression tests were portable enough to run in a rich OS environment. After replacing printf with tfm_log_printf, the TF-M regression tests are now no longer portable enough to run in an OS environment. Many OSes already have a way to print, usually via a printf function, and the TF-M regression tests probably should use this.
It's important that TF-M regression tests remain portable and capable of running in an OS environment so that system integrators can be confident that TF-M is working as intended post-integration.
I’ve already created a ticket for this https://developer.trustedfirmware.org/T664
Response from Ken in the ticket:
Hi Jamie,
The background for this changing is, the ARMCLANG printf involves \_\_stdout' into the image and this conflicts with some CMSIS functionalities. (CMSIS team reported that __stdout would affect the mutex init in ARMCLANG). That is the reason why I skipped the default printf.
I think for an RTOS, the toolchain provided printf sometimes come with unknown symbols and causes unexpected behaviour, as the discussion in list/channel, most people are trying to avoid toolchain printf and use some lightweight output.
And for the test, it should use wrapped TEST_LOG(), instead of calling printf itself, since some RTOS do not provide a std 'printf' function.
Is there any discussion thread about this issue?
Thanks
Thanks,
Dev
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi Chris,
Approved and merged, based on the two +1 reviews.
Kind regards,
Jamie
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Christopher Brand via TF-M
Sent: 31 January 2020 17:11
To: tf-m(a)lists.trustedfirmware.org
Subject: [TF-M] Compilation failure
https://review.trustedfirmware.org/c/trusted-firmware-m/+/3243 fixes a compilation error for the armclang build of the PSoc64 platform. The error was introduced by commit e3c75a4955e665e78d55b22f07db73d31a6bf101 (https://review.trustedfirmware.org/c/trusted-firmware-m/+/3031/10 ) which was merged 21st January.
It would be really nice to have this breakage last less than two weeks, so is there somebody around who can approve it?
Thanks,
Chris
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
