- TF-M - lists.trustedfirmware.org

Re: [TF-M] Simplify RTOS / TF-M interface (single thread execution)

by Gyorgy Szing

Hi, Sorry the image did not got trough. One way to share the image could be to create a ticket here https://developer.trustedfirmware.org/maniphest/ where the image can be uploaded. /George -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Reinhard Keil via TF-M Sent: 12 December 2019 13:13 To: tf-m(a)lists.trustedfirmware.org Cc: Bruno Mendes <Bruno.Mendes(a)arm.com> Subject: [TF-M] Simplify RTOS / TF-M interface (single thread execution) When using TF-M on v8-M with Secure Function Call SFC (aka Library) mode, the entry to the secure side is protected by a Mutex. Thus only one thread at the time is calling a secure service. The picture below should therefore represent the execution flow (Level 1 isolation). [cid:image003.jpg@01D5B0ED.DEEA6A60] Under this assumption there is no need to implement TZ_context management in the RTOS (https://arm-software.github.io/CMSIS_5/Core/html/using_TrustZone_pg.html#RT…). Any RTOS could be used, provided that the Mutex capability is sufficient. Moreover this design should create a really simple secure side: * Only one stack is needed on the secure side for Thread mode execution * No multi-threading issues that need to be resolved (i.e. with access of hardware crypto accelerators) The drawback of course is that only one task at a time can use a secure service. However an RTOS with priority inversion will ensure that the Secure service is executed as fast as possible, once a scheduling conflict arises. I would like to gather feedback on that approach. Let me know what you think. Reinhard IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 4 months

2
1
0 0

Simplify RTOS / TF-M interface (single thread execution)

by Reinhard Keil

When using TF-M on v8-M with Secure Function Call SFC (aka Library) mode, the entry to the secure side is protected by a Mutex. Thus only one thread at the time is calling a secure service. The picture below should therefore represent the execution flow (Level 1 isolation). [cid:image003.jpg@01D5B0ED.DEEA6A60] Under this assumption there is no need to implement TZ_context management in the RTOS (https://arm-software.github.io/CMSIS_5/Core/html/using_TrustZone_pg.html#RT…). Any RTOS could be used, provided that the Mutex capability is sufficient. Moreover this design should create a really simple secure side: * Only one stack is needed on the secure side for Thread mode execution * No multi-threading issues that need to be resolved (i.e. with access of hardware crypto accelerators) The drawback of course is that only one task at a time can use a secure service. However an RTOS with priority inversion will ensure that the Secure service is executed as fast as possible, once a scheduling conflict arises. I would like to gather feedback on that approach. Let me know what you think. Reinhard IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

5 years, 4 months

1
0
0 0

Re: [TF-M] [EXTERNAL] Secure Interrupt handling - RE: TF-M technical Forum slides and recording

by DeMars, Alan

Ken, Task scheduling (context switching) in our RTOS is always performed in thread mode, even when asynchronous pre-emption occurs resulting from an ISR readying a higher priority task. All kernel-managed interrupts are routed to a common interrupt dispatcher that, just prior to returning from an interrupt, will invoke the task scheduler when it determines that there are no more interrupts pending and there is scheduling work to do. In that case, an artificial interrupt context is created so that thread mode can be "returned to" from handler mode. The task scheduler is then invoked in thread mode from the stack of the pre-empted task. Regarding secure interrupts, our use cases only employ secure interrupts as a consequence of a psa_call() initiating a process that completes when an interrupt goes off sometime later. Rather than spin-waiting for the interrupt-completion signal, or parking in a WFI, we simply return from the psa_call() with a special return code indicating that the process has started and that the calling thread will be notified of completion by the secure callback mechanism I described at the conference in Lyon. The calling thread then pends on a semaphore. When the secure interrupt goes off later on, a dedicated non-secure interrupt is triggered that ultimately ends up posting the semaphore that the NS thread is pended on. Upon returning from the pend, the NS thread then re-enters the SP (using psa_call()) to complete the transaction. Alan -----Original Message----- From: TF-M [mailto:tf-m-bounces@lists.trustedfirmware.org] On Behalf Of Ken Liu (Arm Technology China) via TF-M Sent: Tuesday, December 10, 2019 8:04 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd Subject: [EXTERNAL] [TF-M] Secure Interrupt handling - RE: TF-M technical Forum slides and recording Thank Bill for updating this. I want to use this thread to follow up on the topic 'secure interrupt' given in the 1st tech forum. That is a prologue of the scheduler and interrupt designs. And I do see there are some use cases that I did not focus on, so I want to collect more user scenarios first, and then try to enhance the drafting design (will be published after I updated it base on your inputs). About the secure interrupt usage: - A secure interrupt would be introduced by a secure service call in general; is there any scenarios that there would be an interval secure interrupt since secure service want to do something? For example, a secure timer triggers to let secure service has the chance to do things in the background (not for an ongoing secure call from NSPE) after a period of time? And the question about the system Alan mentioned, just want to confirm if it is a pure thread mode scheduling system? How does the system handle interrupts? Thanks. -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Bill Fletcher via TF-M Sent: Monday, December 9, 2019 7:57 PM To: TF-M mailing list <tf-m(a)lists.trustedfirmware.org> Subject: [TF-M] TF-M technical Forum slides and recording Hi all, I've posted links to the (updated) slide deck and a recording of the call on the meetings page of the Trusted Firmware website: https://www.trustedfirmware.org/meetings/tf-m-technical-forum/ Regards Bill -- [image: Linaro] <http://www.linaro.org/> *Bill Fletcher* | *Field Engineering* T: +44 7833 498336 <+44+7833+498336> bill.fletcher(a)linaro.org | Skype: billfletcher2020 -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 4 months

2
1
0 0

Re: [TF-M] Secure storage and Internal trusted storage code logic check

by lg

Hi Edison, Thanks for your quick reply. I will try to upstream a patch later. Thanks, Matt At 2019-12-12 11:15:51, "Edison Ai \\(Arm Technology China\\) via TF-M" <tf-m(a)lists.trustedfirmware.org> wrote: >Hi Matt, > >Thanks very much for your mail. It looks like it is indeed a problem here. >Can you upstream a patch to help to fix them directly? > >Thanks, >Edison > >-----Original Message----- >From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of lg via TF-M >Sent: Thursday, December 12, 2019 9:43 AM >To: tf-m(a)lists.trustedfirmware.org >Subject: [TF-M] Secure storage and Internal trusted storage code logic check > >Hi TFM Secure storage & Internal trusted storage experts, > > > It seems there are code logic errors in both files sst_flash_fs_mblock.c and its_flash_fs_mblock.c. > There are following codes in function its_flash_fs_mblock_reset_metablock in its_flash_fs_mblock.c: > > > for (i = ITS_INIT_DBLOCK_START; i < ITS_NUM_DEDICATED_DBLOCKS; i++) { > /* If a flash error is detected, the code erases the rest > * of the blocks anyway to remove all data stored in them. > */ > err |= its_flash_erase_block(i); > } > This loop starts from ITS_INIT_DBLOCK_START and ends to ITS_NUM_DEDICATED_DBLOCKS. > If there are four ITS blocks including meta blocks and data blocks in all, that means ITS_INIT_DBLOCK_START > is 3 and ITS_NUM_DEDICATED_DBLOCKS is 1. But the above loop can not erase the data block any way. > Should it be the following logic? > > > for (i = 0; i < ITS_NUM_DEDICATED_DBLOCKS; i++) { > /* If a flash error is detected, the code erases the rest > * of the blocks anyway to remove all data stored in them. > */ > err |= its_flash_erase_block(i+ITS_INIT_DBLOCK_START); > } > It is the same logic in function sst_flash_fs_mblock_reset_metablock in file sst_flash_fs_mblock.c. > > > Please help to check. > > >Thanks. >Matt. > >-- >TF-M mailing list >TF-M(a)lists.trustedfirmware.org >https://lists.trustedfirmware.org/mailman/listinfo/tf-m >-- >TF-M mailing list >TF-M(a)lists.trustedfirmware.org >https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 4 months

1
0
0 0

Please review the patch set to extract duplicated template files from platforms

by David Hu (Arm Technology China)

Hi all, I submit a patch set to extract the duplicated identical template files dummy_xxx.c from targets and put them under platform/ext/common/template folder. The purpose is to collect a common template of booting/attestation example for platforms and each platform doesn't need to keep a copy under its folder anymore. Since it is a general change related to all platforms using template files, I'd like to ask for review here. Any comments would be appreciated. Please check the patch details in https://review.trustedfirmware.org/q/topic:%22template_plat_files%22+(statu… The background is described in https://developer.trustedfirmware.org/T539. Best regards, Hu Ziji

5 years, 4 months

1
0
0 0

Re: [TF-M] Secure storage and Internal trusted storage code logic check

by Edison Ai (Arm Technology China)

Hi Matt, Thanks very much for your mail. It looks like it is indeed a problem here. Can you upstream a patch to help to fix them directly? Thanks, Edison -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of lg via TF-M Sent: Thursday, December 12, 2019 9:43 AM To: tf-m(a)lists.trustedfirmware.org Subject: [TF-M] Secure storage and Internal trusted storage code logic check Hi TFM Secure storage & Internal trusted storage experts, It seems there are code logic errors in both files sst_flash_fs_mblock.c and its_flash_fs_mblock.c. There are following codes in function its_flash_fs_mblock_reset_metablock in its_flash_fs_mblock.c: for (i = ITS_INIT_DBLOCK_START; i < ITS_NUM_DEDICATED_DBLOCKS; i++) { /* If a flash error is detected, the code erases the rest * of the blocks anyway to remove all data stored in them. */ err |= its_flash_erase_block(i); } This loop starts from ITS_INIT_DBLOCK_START and ends to ITS_NUM_DEDICATED_DBLOCKS. If there are four ITS blocks including meta blocks and data blocks in all, that means ITS_INIT_DBLOCK_START is 3 and ITS_NUM_DEDICATED_DBLOCKS is 1. But the above loop can not erase the data block any way. Should it be the following logic? for (i = 0; i < ITS_NUM_DEDICATED_DBLOCKS; i++) { /* If a flash error is detected, the code erases the rest * of the blocks anyway to remove all data stored in them. */ err |= its_flash_erase_block(i+ITS_INIT_DBLOCK_START); } It is the same logic in function sst_flash_fs_mblock_reset_metablock in file sst_flash_fs_mblock.c. Please help to check. Thanks. Matt. -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 4 months

1
0
0 0

Secure storage and Internal trusted storage code logic check

by lg

Hi TFM Secure storage & Internal trusted storage experts, It seems there are code logic errors in both files sst_flash_fs_mblock.c and its_flash_fs_mblock.c. There are following codes in function its_flash_fs_mblock_reset_metablock in its_flash_fs_mblock.c: for (i = ITS_INIT_DBLOCK_START; i < ITS_NUM_DEDICATED_DBLOCKS; i++) { /* If a flash error is detected, the code erases the rest * of the blocks anyway to remove all data stored in them. */ err |= its_flash_erase_block(i); } This loop starts from ITS_INIT_DBLOCK_START and ends to ITS_NUM_DEDICATED_DBLOCKS. If there are four ITS blocks including meta blocks and data blocks in all, that means ITS_INIT_DBLOCK_START is 3 and ITS_NUM_DEDICATED_DBLOCKS is 1. But the above loop can not erase the data block any way. Should it be the following logic? for (i = 0; i < ITS_NUM_DEDICATED_DBLOCKS; i++) { /* If a flash error is detected, the code erases the rest * of the blocks anyway to remove all data stored in them. */ err |= its_flash_erase_block(i+ITS_INIT_DBLOCK_START); } It is the same logic in function sst_flash_fs_mblock_reset_metablock in file sst_flash_fs_mblock.c. Please help to check. Thanks. Matt.

5 years, 4 months

1
0
0 0

Re: [TF-M] IAR libc behavior?

by Ken Liu (Arm Technology China)

Thanks Thomas. Let me try that link. /Ken -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Thomas Törnblom via TF-M Sent: Wednesday, December 11, 2019 9:13 PM To: tf-m(a)lists.trustedfirmware.org Subject: Re: [TF-M] IAR libc behavior? Hi Ken, There should be no difference from GNUARM or ARMCLANG in this respect. Should not need any special switches. If you wish to try out our tools, you can download a trial version until we have arranged for a permanent solution, see: https://www.iar.com/iar-embedded-workbench/#!?architecture=Arm Cheers, Thomas Den 2019-12-11 kl. 11:05, skrev Ken Liu (Arm Technology China) via TF-M: > Hi Thomas, > > I have a question about IAR compiler since we verify default GNUARM and ARMCLANG in the existing sources. > If we are trying to implementing some internal version of libc APIs like 'memcmp', would IAR link with this implemented version first, or it just report a link error of duplicated symbol? Any switches do we need to assign to support this? > > Thanks. > > /Ken -- *Thomas Törnblom*, /Product Engineer/ IAR Systems AB Box 23051, Strandbodgatan 1 SE-750 23 Uppsala, SWEDEN Mobile: +46 76 180 17 80 Fax: +46 18 16 78 01 E-mail: thomas.tornblom(a)iar.com <mailto:thomas.tornblom@iar.com> Website: www.iar.com <http://www.iar.com> Twitter: www.twitter.com/iarsystems <http://www.twitter.com/iarsystems> -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 4 months

1
0
0 0

Re: [TF-M] IAR libc behavior?

by Thomas Törnblom

Hi Ken, There should be no difference from GNUARM or ARMCLANG in this respect. Should not need any special switches. If you wish to try out our tools, you can download a trial version until we have arranged for a permanent solution, see: https://www.iar.com/iar-embedded-workbench/#!?architecture=Arm Cheers, Thomas Den 2019-12-11 kl. 11:05, skrev Ken Liu (Arm Technology China) via TF-M: > Hi Thomas, > > I have a question about IAR compiler since we verify default GNUARM and ARMCLANG in the existing sources. > If we are trying to implementing some internal version of libc APIs like 'memcmp', would IAR link with this implemented version first, or it just report a link error of duplicated symbol? Any switches do we need to assign to support this? > > Thanks. > > /Ken -- *Thomas Törnblom*, /Product Engineer/ IAR Systems AB Box 23051, Strandbodgatan 1 SE-750 23 Uppsala, SWEDEN Mobile: +46 76 180 17 80 Fax: +46 18 16 78 01 E-mail: thomas.tornblom(a)iar.com <mailto:thomas.tornblom@iar.com> Website: www.iar.com <http://www.iar.com> Twitter: www.twitter.com/iarsystems <http://www.twitter.com/iarsystems>

5 years, 4 months

1
0
0 0

IAR libc behavior?

by Ken Liu (Arm Technology China)

Hi Thomas, I have a question about IAR compiler since we verify default GNUARM and ARMCLANG in the existing sources. If we are trying to implementing some internal version of libc APIs like 'memcmp', would IAR link with this implemented version first, or it just report a link error of duplicated symbol? Any switches do we need to assign to support this? Thanks. /Ken

5 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

TF-M