- TF-M - lists.trustedfirmware.org

Re: [TF-M] Adding Cypress PSoC64 platform support

by David Hu (Arm Technology China)

Hi all, After several rounds of review, I'd like to merge Cypress PSoC 64 support on master branch this Tuesday. If you have more comments or opinions, please share them before Tuesday. Thank you. Best regards, Hu Ziji -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Christopher Brand via TF-M Sent: Saturday, December 7, 2019 4:13 AM To: tf-m(a)lists.trustedfirmware.org Subject: [TF-M] Adding Cypress PSoC64 platform support Hi, I recently pushed patches to add support for a platform based on Cypress' PSoC64 SoC to gerrit. Given that this is the first non-Arm platform to be posted, it seems worth drawing attention to. Comments very much appreciated. I do anticipate a few small updates to the patchset, even in the absence of comments. In particular, there are some documentation improvements to come. There are four patches in total, ending with https://review.trustedfirmware.org/c/trusted-firmware-m/+/2728 https://review.trustedfirmware.org/c/trusted-firmware-m/+/2725/1 adds files to the platform/ext/cmsis directory, and so will affect/be affected by https://review.trustedfirmware.org/c/trusted-firmware-m/+/2578 Thanks, Chris This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message. -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 11 months

1
0
0 0

Re: [TF-M] Please review the patch set to extract duplicated template files from platforms

by David Hu (Arm Technology China)

Hi all, I'd like to merge the patch set https://review.trustedfirmware.org/q/topic:%22template_plat_files%22+(statu… soon if no further comments. Please share your comments before this Tuesday. Best regards, Hu Ziji -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of David Hu (Arm Technology China) via TF-M Sent: Thursday, December 12, 2019 11:57 AM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: [TF-M] Please review the patch set to extract duplicated template files from platforms Hi all, I submit a patch set to extract the duplicated identical template files dummy_xxx.c from targets and put them under platform/ext/common/template folder. The purpose is to collect a common template of booting/attestation example for platforms and each platform doesn't need to keep a copy under its folder anymore. Since it is a general change related to all platforms using template files, I'd like to ask for review here. Any comments would be appreciated. Please check the patch details in https://review.trustedfirmware.org/q/topic:%22template_plat_files%22+(statu… The background is described in https://developer.trustedfirmware.org/T539. Best regards, Hu Ziji -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 11 months

1
0
0 0

Re: [TF-M] Simplify RTOS / TF-M interface (single thread execution)

by David Wang (Arm Technology China)

The current RTOS integration with TZ API support is to make it generic. You can use "empty" implementation for these API if you don't use multiple secure context (SFC or IPC model) and have no multiple NS client IDs requirements. Besides that, the users can leverage TZ API for some other purposes, e.g. policy control for which NS task can access which secure partitions and etc. But that's quite use case specific. Just FYI. Regards, David Wang ARM Electronic Technology (Shanghai) Co., Ltd Phone: +86-21-6154 9142 (ext. 59142) ________________________________ From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Reinhard Keil via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: 13 December 2019 19:41 To: tf-m(a)lists.trustedfirmware.org <tf-m(a)lists.trustedfirmware.org> Subject: Re: [TF-M] Simplify RTOS / TF-M interface (single thread execution) Ken, thanks for all your swift answers. Sorry, I need to check on this part of the answer again: * What happens worst case when an RTOS does not implement TZ RTOS Context Management? Ken.L: If there is no locking protection in NS and multiple ns calling would panic. TZ RTOS Context Management does not prevent from that. Correct. So the only feature that is enabled with TZ RTOS Context Management is 'client ID identification' for Protected Storage (and potentially other services). Reinhard IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 11 months

1
0
0 0

Re: [TF-M] Create another branch for feature development

by Gyorgy Szing

Hi, Hi, I agree, the CI shall not dictate how we use the version control system. It shall adapt. Regarding your suggestions, I think the main problem is we are mixing stuff, this time quality with version control. Before we make decisions we shall understand where we are. The current quality policy is that we only make releases for communication purposes. To give a clean interface for tf-m users and to allow planning their work. Releases allow them to execute their tf-m integration process less frequently. Only for each release or specific releases and not for each commit. The current quality policy identifies a single quality level only, and says any patch we publish is "golden quality", it matches the highest quality standard we can achieve (with sane constraints). Also to make our life easy we decided to use the master branch to hold these patches. At the same time we use the master branch for development. Any change we make is made against master. This means each pull request and thus each review targets master. For review purposes the best is to have a chain of small modifications, otherwise the review content becomes too large to follow. The TF-A "branching strategy" tries to address this issue by introducing an integration branch used for development. This allows master to be more release specific. I suggest to take the following approach (details to be discussed): - introduce more quality levels i.e.: - none: content of a topic branch, or content pushed to review. - bronze: content passed code review and patch specific testing. - silver: content passed a more though daily testing. - gold: a release. A pack of source-code, feature state document (release notes), reviewed documentation (user manual, reference manual), test evidence, documentation of test efforts to allow repeatability. The version control system can be used to store content, and to provide identification info (i.e. tagging), but most likely the release will need other kind of storage to be used (i.e. documentation). - platina: reaching extra quality level trough passing PSA or some FUSA qualification. Or we may simply use extra release for this. Naming the quality levels allows us to have a cleaner definition of what can be expected at a specific level (set of quality measures, i.e. static analysis, code review, test configuration). It would also allow us cleaner communication and to find how we use the version system for quality purposes. I also expect this discussion to help defining how the version system is used for development purposes. The current state works ok, but is a sort of naturally grown. We might have reached the point when more pragmatic approach may be needed. /George -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Minos Galanakis via TF-M Sent: 13 December 2019 12:23 To: Edison Ai (Arm Technology China) via TF-M <tf-m(a)lists.trustedfirmware.org>; Soby Mathew <Soby.Mathew(a)arm.com> Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] Create another branch for feature development Hi all. My personal comments on this. I would like to point out that the CI is a tool, not the core project. I do not believe we should be changing our development strategy based on what the tool is doing. We should instead adjust the tool to fit our requirements. * No patches should be/ are merged to master when CI fails. If master breaks it should most commonly be because of something we are not testing for. Using an integration branch would not change that. * As a developer I find it more convoluted to work with projects who use different integration strategies. The most common assumption in open source projects is that you have a master branch which is the bleeding edge, but can contain untested bugs, and the release immutable git tags for versioning. Using branch merges as versioning is a design for the pull request model which is not quite compatible with Gerrit. * Most of the CI downtime has nothing to do with the merge strategy, they are more of a chicken and the egg philosophical problem. If your patch or branch introduced a change which affects the tests outputs, how will you test it if the CI expects the old output? An integration branch would not solve the merge freeze periods, would just affect a different branch from master. * I believe feature branches are quite useful, since changes to master do not disrupt the development flow of a big change, and even though they will require some maintenance to re-sync before the final patch , it will be handled by an engineer who knows the feature, and full understands the regression vectors. If I were to suggest some changes for stability purposes, I would start smaller: * Update documentation to instruct users to check out from release tags, warning then that master is constantly changing. * Adjust the CI to detect an Allow-CI flag from every branch. That way developers can test any patch from any feature branch. The logic for that is already present in the code, but requires Gerrit to be configured accordingly. * Add an undo process. This would be the only case for an integration branch. All patches are merged to a temporary branch, after confirming they have passed testing individually. On the once per day nightly test, the group of different patches, will be tested against an extensive job, in models and hardware, and only if successful it will fast forward master to that state. Regards Minos ________________________________ From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Edison Ai (Arm Technology China) via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: 13 December 2019 08:55 To: Soby Mathew <Soby.Mathew(a)arm.com>; 'tf-m(a)lists.trustedfirmware.org' <tf-m(a)lists.trustedfirmware.org> Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] Create another branch for feature development Hi Soby, Thanks for your detail description. > Integration is a temporary merge branch to merge several patches and run the CI against. Usually once CI passes, the master will be fast forwarded to integration within a day. > This helps us to test integration of patches and detect any failure before master is updated. This means the master will pass CI at any given merge point. I think it's a good method like this so that we can double confirm the "master" branch is stable. And this also can fix one case even the CI can work normally: one patch is ready to merge, and it is not based on the latest HEAD, but there is no conflict. We can merge the patch directly and let gerrit do rebase by itself. But we cannot confirm the CI test can pass. Any comment for this from others? For multiple feature branches, I think we can stop to discuss about it now until we have some strong demands for it. It is indeed a big change for us now. Thanks, Edison -----Original Message----- From: Soby Mathew <Soby.Mathew(a)arm.com> Sent: Friday, December 13, 2019 5:14 AM To: Edison Ai (Arm Technology China) <Edison.Ai(a)arm.com>; 'tf-m(a)lists.trustedfirmware.org' <tf-m(a)lists.trustedfirmware.org> Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] Create another branch for feature development On 11/12/2019 09:05, Edison Ai (Arm Technology China) via TF-M wrote: > Hi Gyorgy, > > Thanks to point it out. I agree with you that it will be better if we can align these two projects in this. I had a quick check the branches from TF-A: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/. > There are three branches in TF-A: > - "integration" branch, should be used for new features. > - "master" branch, which is behind of "integration" branch. But I am nor sure what is the strategy to update it. Hi Edison, Integration is a temporary merge branch to merge several patches and run the CI against. Usually once CI passes, the master will be fast forwarded to integration within a day. This helps us to test integration of patches and detect any failure before master is updated. This means the master will pass CI at any given merge point. > - "topics/epic_beta0_spmd", I thinks it should like a feature branch for big feature. > @Soby Mathew Could you help to share more information about it? Thanks very much. We usually do not have feature branches in TF-A. The topics/epic_beta0_spmd is a prototyping branch where we wanted to share code with collaborators outside TF-A. The patches on this branch are not visible in gerrit review and no patches in gerrit review will be merged to this branch. Once the prototyping is complete, then patches on this branch will be reworked and pushed to gerrit review and finally get merged to integration and this branch will be deleted. Our experience have been, long running development branches are generally a maintenance overhead. Merging these development branches before a release may also be risky as some of the changes may have unknown interactions and may become difficult to resolve. The "topic" in gerrit review is effectively a branch. For example, this review: https://review.trustedfirmware.org/#/q/topic:od/debugfs+(status:open+OR+sta… is a set of patches on topic "od/debugfs" and can be treated as development branch. This branch is alive as long as patches are not merged. We need to understand the motivations for the change. Broken CI is an argument but development branches will only exacerbate that problem since we don't know the stability of each of those branches. Also merge conflict will not reduce due to development branches. Its just delaying the merge conflict to a later point. There may be other reasons, but generally it is better to merge sensible patches (+2ed) within a feature even before the feature is complete as it will reduce merge conflicts (we have to ensure testing/build coverage for the patch). These are my thoughts on this. Best Regards Soby Mathew -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 12 months

1
0
0 0

Re: [TF-M] Simplify RTOS / TF-M interface (single thread execution)

by Reinhard Keil

Ken, thanks for all your swift answers. Sorry, I need to check on this part of the answer again: * What happens worst case when an RTOS does not implement TZ RTOS Context Management? Ken.L: If there is no locking protection in NS and multiple ns calling would panic. TZ RTOS Context Management does not prevent from that. Correct. So the only feature that is enabled with TZ RTOS Context Management is 'client ID identification' for Protected Storage (and potentially other services). Reinhard IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

5 years, 12 months

1
0
0 0

Re: [TF-M] Create another branch for feature development

by Minos Galanakis

Hi all. My personal comments on this. I would like to point out that the CI is a tool, not the core project. I do not believe we should be changing our development strategy based on what the tool is doing. We should instead adjust the tool to fit our requirements. * No patches should be/ are merged to master when CI fails. If master breaks it should most commonly be because of something we are not testing for. Using an integration branch would not change that. * As a developer I find it more convoluted to work with projects who use different integration strategies. The most common assumption in open source projects is that you have a master branch which is the bleeding edge, but can contain untested bugs, and the release immutable git tags for versioning. Using branch merges as versioning is a design for the pull request model which is not quite compatible with Gerrit. * Most of the CI downtime has nothing to do with the merge strategy, they are more of a chicken and the egg philosophical problem. If your patch or branch introduced a change which affects the tests outputs, how will you test it if the CI expects the old output? An integration branch would not solve the merge freeze periods, would just affect a different branch from master. * I believe feature branches are quite useful, since changes to master do not disrupt the development flow of a big change, and even though they will require some maintenance to re-sync before the final patch , it will be handled by an engineer who knows the feature, and full understands the regression vectors. If I were to suggest some changes for stability purposes, I would start smaller: * Update documentation to instruct users to check out from release tags, warning then that master is constantly changing. * Adjust the CI to detect an Allow-CI flag from every branch. That way developers can test any patch from any feature branch. The logic for that is already present in the code, but requires Gerrit to be configured accordingly. * Add an undo process. This would be the only case for an integration branch. All patches are merged to a temporary branch, after confirming they have passed testing individually. On the once per day nightly test, the group of different patches, will be tested against an extensive job, in models and hardware, and only if successful it will fast forward master to that state. Regards Minos ________________________________ From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Edison Ai (Arm Technology China) via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: 13 December 2019 08:55 To: Soby Mathew <Soby.Mathew(a)arm.com>; 'tf-m(a)lists.trustedfirmware.org' <tf-m(a)lists.trustedfirmware.org> Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] Create another branch for feature development Hi Soby, Thanks for your detail description. > Integration is a temporary merge branch to merge several patches and run the CI against. Usually once CI passes, the master will be fast forwarded to integration within a day. > This helps us to test integration of patches and detect any failure before master is updated. This means the master will pass CI at any given merge point. I think it's a good method like this so that we can double confirm the "master" branch is stable. And this also can fix one case even the CI can work normally: one patch is ready to merge, and it is not based on the latest HEAD, but there is no conflict. We can merge the patch directly and let gerrit do rebase by itself. But we cannot confirm the CI test can pass. Any comment for this from others? For multiple feature branches, I think we can stop to discuss about it now until we have some strong demands for it. It is indeed a big change for us now. Thanks, Edison -----Original Message----- From: Soby Mathew <Soby.Mathew(a)arm.com> Sent: Friday, December 13, 2019 5:14 AM To: Edison Ai (Arm Technology China) <Edison.Ai(a)arm.com>; 'tf-m(a)lists.trustedfirmware.org' <tf-m(a)lists.trustedfirmware.org> Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] Create another branch for feature development On 11/12/2019 09:05, Edison Ai (Arm Technology China) via TF-M wrote: > Hi Gyorgy, > > Thanks to point it out. I agree with you that it will be better if we can align these two projects in this. I had a quick check the branches from TF-A: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/. > There are three branches in TF-A: > - "integration" branch, should be used for new features. > - "master" branch, which is behind of "integration" branch. But I am nor sure what is the strategy to update it. Hi Edison, Integration is a temporary merge branch to merge several patches and run the CI against. Usually once CI passes, the master will be fast forwarded to integration within a day. This helps us to test integration of patches and detect any failure before master is updated. This means the master will pass CI at any given merge point. > - "topics/epic_beta0_spmd", I thinks it should like a feature branch for big feature. > @Soby Mathew Could you help to share more information about it? Thanks very much. We usually do not have feature branches in TF-A. The topics/epic_beta0_spmd is a prototyping branch where we wanted to share code with collaborators outside TF-A. The patches on this branch are not visible in gerrit review and no patches in gerrit review will be merged to this branch. Once the prototyping is complete, then patches on this branch will be reworked and pushed to gerrit review and finally get merged to integration and this branch will be deleted. Our experience have been, long running development branches are generally a maintenance overhead. Merging these development branches before a release may also be risky as some of the changes may have unknown interactions and may become difficult to resolve. The "topic" in gerrit review is effectively a branch. For example, this review: https://review.trustedfirmware.org/#/q/topic:od/debugfs+(status:open+OR+sta… is a set of patches on topic "od/debugfs" and can be treated as development branch. This branch is alive as long as patches are not merged. We need to understand the motivations for the change. Broken CI is an argument but development branches will only exacerbate that problem since we don't know the stability of each of those branches. Also merge conflict will not reduce due to development branches. Its just delaying the merge conflict to a later point. There may be other reasons, but generally it is better to merge sensible patches (+2ed) within a feature even before the feature is complete as it will reduce merge conflicts (we have to ensure testing/build coverage for the patch). These are my thoughts on this. Best Regards Soby Mathew -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 12 months

1
0
0 0

Re: [TF-M] Simplify RTOS / TF-M interface (single thread execution)

by Reinhard Keil

Ken, Thanks for your reply. Let me summarize what I have understood: TF-M SFC mode: * Allows only one thread at the time to call secure services. * When secure services are called recursively (multiple threads) TF-M goes into 'panic' state. This should not happen with proper mutex locks. * TZ RTOS Context Management interface is only required when "Client Oriented Policy" is used. I have updated the diagram to reflect what I have understood. Obviously the SVC would be only executed when the call into "secure" is from Thread mode. Is my understanding correct? (diagram is also under: https://developer.trustedfirmware.org/T615) - I just realized that you made a similar picture). [cid:image003.jpg@01D5B197.BE352670] The initial question can be then refined to: * TZ RTOS Context management is only needed when "Client Oriented Policy" is used. * When and why is "Client Oriented Policy" a requirement on v8-M systems? * Is there a way to disable ""Client Oriented Policy" in the current TF-M Core? * This applies for both the TF-M firmware itself and the related test suite. * What happens worst case when an RTOS does not implement TZ RTOS Context Management? Reinhard _______________________________________________________________________________ Reinhard Keil | Phone: +49 89 456040-13 | Email: reinhard.keil(a)arm.com<mailto:reinhard.keil@arm.com> | www.keil.com<http://www.keil.com> ARM Germany GmbH | Bretonischer Ring 16 | D-85630 Grasbrunn,Germany Sitz der Gesellschaft: Grasbrunn | Handelsregister: München (HRB 175362) Geschäftsführer: Andrew Smith, Joachim Krech, Reinhard Keil IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

5 years, 12 months

2
1
0 0

Re: [TF-M] Secure storage and Internal trusted storage code logic check

by Edison Ai (Arm Technology China)

Hi Matt, Thanks for your quick patch. Hi All, The patch link is here: https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/2792/. Please help to review it if you are interested. Thanks, Edison -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of lg via TF-M Sent: Thursday, December 12, 2019 4:42 PM To: tf-m(a)lists.trustedfirmware.org Subject: Re: [TF-M] Secure storage and Internal trusted storage code logic check Hi Edison, Thanks for your quick reply. I will try to upstream a patch later. Thanks, Matt At 2019-12-12 11:15:51, "Edison Ai \\(Arm Technology China\\) via TF-M" <tf-m(a)lists.trustedfirmware.org> wrote: >Hi Matt, > >Thanks very much for your mail. It looks like it is indeed a problem here. >Can you upstream a patch to help to fix them directly? > >Thanks, >Edison > >-----Original Message----- >From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of lg via TF-M >Sent: Thursday, December 12, 2019 9:43 AM >To: tf-m(a)lists.trustedfirmware.org >Subject: [TF-M] Secure storage and Internal trusted storage code logic check > >Hi TFM Secure storage & Internal trusted storage experts, > > > It seems there are code logic errors in both files sst_flash_fs_mblock.c and its_flash_fs_mblock.c. > There are following codes in function its_flash_fs_mblock_reset_metablock in its_flash_fs_mblock.c: > > > for (i = ITS_INIT_DBLOCK_START; i < ITS_NUM_DEDICATED_DBLOCKS; i++) { > /* If a flash error is detected, the code erases the rest > * of the blocks anyway to remove all data stored in them. > */ > err |= its_flash_erase_block(i); > } > This loop starts from ITS_INIT_DBLOCK_START and ends to ITS_NUM_DEDICATED_DBLOCKS. > If there are four ITS blocks including meta blocks and data blocks in all, that means ITS_INIT_DBLOCK_START > is 3 and ITS_NUM_DEDICATED_DBLOCKS is 1. But the above loop can not erase the data block any way. > Should it be the following logic? > > > for (i = 0; i < ITS_NUM_DEDICATED_DBLOCKS; i++) { > /* If a flash error is detected, the code erases the rest > * of the blocks anyway to remove all data stored in them. > */ > err |= its_flash_erase_block(i+ITS_INIT_DBLOCK_START); > } > It is the same logic in function sst_flash_fs_mblock_reset_metablock in file sst_flash_fs_mblock.c. > > > Please help to check. > > >Thanks. >Matt. > >-- >TF-M mailing list >TF-M(a)lists.trustedfirmware.org >https://lists.trustedfirmware.org/mailman/listinfo/tf-m >-- >TF-M mailing list >TF-M(a)lists.trustedfirmware.org >https://lists.trustedfirmware.org/mailman/listinfo/tf-m -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 12 months

1
0
0 0

Re: [TF-M] Create another branch for feature development

by Soby Mathew

On 11/12/2019 09:05, Edison Ai (Arm Technology China) via TF-M wrote: > Hi Gyorgy, > > Thanks to point it out. I agree with you that it will be better if we can align these two projects in this. I had a quick check the branches from TF-A: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/. > There are three branches in TF-A: > - "integration" branch, should be used for new features. > - "master" branch, which is behind of "integration" branch. But I am nor sure what is the strategy to update it. Hi Edison, Integration is a temporary merge branch to merge several patches and run the CI against. Usually once CI passes, the master will be fast forwarded to integration within a day. This helps us to test integration of patches and detect any failure before master is updated. This means the master will pass CI at any given merge point. > - "topics/epic_beta0_spmd", I thinks it should like a feature branch for big feature. > @Soby Mathew Could you help to share more information about it? Thanks very much. We usually do not have feature branches in TF-A. The topics/epic_beta0_spmd is a prototyping branch where we wanted to share code with collaborators outside TF-A. The patches on this branch are not visible in gerrit review and no patches in gerrit review will be merged to this branch. Once the prototyping is complete, then patches on this branch will be reworked and pushed to gerrit review and finally get merged to integration and this branch will be deleted. Our experience have been, long running development branches are generally a maintenance overhead. Merging these development branches before a release may also be risky as some of the changes may have unknown interactions and may become difficult to resolve. The "topic" in gerrit review is effectively a branch. For example, this review: https://review.trustedfirmware.org/#/q/topic:od/debugfs+(status:open+OR+sta… is a set of patches on topic "od/debugfs" and can be treated as development branch. This branch is alive as long as patches are not merged. We need to understand the motivations for the change. Broken CI is an argument but development branches will only exacerbate that problem since we don't know the stability of each of those branches. Also merge conflict will not reduce due to development branches. Its just delaying the merge conflict to a later point. There may be other reasons, but generally it is better to merge sensible patches (+2ed) within a feature even before the feature is complete as it will reduce merge conflicts (we have to ensure testing/build coverage for the patch). These are my thoughts on this. Best Regards Soby Mathew

5 years, 12 months

2
1
0 0

Re: [TF-M] Simplify RTOS / TF-M interface (single thread execution)

by Ken Liu (Arm Technology China)

Hi Reinhard, Guess this diagram for a long time ago design since the latest version there is no need for NS SVC. (Check diagram attached in the ticket). I think the existing library model implementation is almost the one you described, just some points: - We use a secure SVC in SPM for sanitization input/output buffers. - We do secure partition maintenance in SPM (forward call, maintain state). The TZ API implementation under SFC is for the purpose that some services have bound the client with policies so they need to know which client is calling. It can be skipped if there is no such client-orient policy. And one thing to mention, even we propose to use locks in RTOS for locking the interface, there would be a chance that some RTOS has a limitation on these lock APIs, or someone just acts as an attacker who skips the necessary locking operations, then we need to provide some detection in the secure side as countermeasures, and this part needs to be documented to remind users that, please make sure there is only one ongoing secure call or a panic is generated. Then it would be RTOS' choice to decide if they want to avoid this panic by locking. /Ken -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Reinhard Keil via TF-M Sent: Thursday, December 12, 2019 11:22 PM To: tf-m(a)lists.trustedfirmware.org Subject: Re: [TF-M] Simplify RTOS / TF-M interface (single thread execution) As the picture got lost, I did create also https://developer.trustedfirmware.org/T615 This contains the picture Reinhard IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 12 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

TF-M