- TF-M - lists.trustedfirmware.org

by Kumar Gala

I’ve been curious if something like https://lgtm.com/ could be used to have checks for code guidelines. - k > On Nov 19, 2019, at 8:22 AM, Kevin Townsend via TF-M <tf-m(a)lists.trustedfirmware.org> wrote: > > Hi Tamas, > > Just to add to the conversation, something that the Zephyr project added to make > enforcing the coding guidelines easier was a config file for uncrustify. > > https://docs.zephyrproject.org/latest/contribute/index.html#uncrustify > > The Zephyr config file itself can be seen here: > https://github.com/zephyrproject-rtos/zephyr/blob/master/.uncrustify.cfg > > The advantage here is that most text editors can be configured to automatically > apply these rules and avoid common white space or other issues. > > I've generally found this very useful generating PRs and just ensuring > I didn't make > any obvious errors when I commit files or changes. > > Best regards, > Kevin > > > On Mon, 18 Nov 2019 at 17:31, Tamas Ban via TF-M > <tf-m(a)lists.trustedfirmware.org> wrote: >> >> Hi, >> >> I would like to open a conversation about TF-M coding guideline<https://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/coding_gui…>. I have these proposals: >> >> * Change the rule of the 80 character column width: >> * Max 80 characters length. >> * Column length is max 80 character in first place, but there are exceptions when length could be MAX 120 character: >> * Degrades code understandability: short, obscured variable names; awkward line breaks >> * Maximum 1% of the lines can exceed 80 charter length. >> * Might remove this rule, because in many cases we are not complaint with it. For example PSA Crypto API: >> >> o Order function parameters so that input params are before output params. >> >> o https://git.trustedfirmware.org/trusted-firmware-m.git/tree/interface/inclu… >> >> I'm interested in your opinions! Other rules also can be revisited! >> >> Tamas >> -- >> TF-M mailing list >> TF-M(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-m > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m

6 years

1
0
0 0

Re: [TF-M] Coding guideline

by Kevin Townsend

Hi Tamas, Just to add to the conversation, something that the Zephyr project added to make enforcing the coding guidelines easier was a config file for uncrustify. https://docs.zephyrproject.org/latest/contribute/index.html#uncrustify The Zephyr config file itself can be seen here: https://github.com/zephyrproject-rtos/zephyr/blob/master/.uncrustify.cfg The advantage here is that most text editors can be configured to automatically apply these rules and avoid common white space or other issues. I've generally found this very useful generating PRs and just ensuring I didn't make any obvious errors when I commit files or changes. Best regards, Kevin On Mon, 18 Nov 2019 at 17:31, Tamas Ban via TF-M <tf-m(a)lists.trustedfirmware.org> wrote: > > Hi, > > I would like to open a conversation about TF-M coding guideline<https://git.trustedfirmware.org/trusted-firmware-m.git/tree/docs/coding_gui…>. I have these proposals: > > * Change the rule of the 80 character column width: > * Max 80 characters length. > * Column length is max 80 character in first place, but there are exceptions when length could be MAX 120 character: > * Degrades code understandability: short, obscured variable names; awkward line breaks > * Maximum 1% of the lines can exceed 80 charter length. > * Might remove this rule, because in many cases we are not complaint with it. For example PSA Crypto API: > > o Order function parameters so that input params are before output params. > > o https://git.trustedfirmware.org/trusted-firmware-m.git/tree/interface/inclu… > > I'm interested in your opinions! Other rules also can be revisited! > > Tamas > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m

6 years

1
0
0 0

T398/T413, uploaded

by Thomas Törnblom

I have just uploaded the first of a set of changes to allow building TF-M with the IAR toolchain. https://review.trustedfirmware.org/c/trusted-firmware-m/+/2560 Please review. Thanks, Thomas -- *Thomas Törnblom*, /Product Engineer/ IAR Systems AB Box 23051, Strandbodgatan 1 SE-750 23 Uppsala, SWEDEN Mobile: +46 76 180 17 80 Fax: +46 18 16 78 01 E-mail: thomas.tornblom(a)iar.com <mailto:thomas.tornblom@iar.com> Website: www.iar.com <http://www.iar.com> Twitter: www.twitter.com/iarsystems <http://www.twitter.com/iarsystems>

6 years

1
0
0 0

Re: [TF-M] [EXTERNAL] RE: secure interrupt handlng in IPC mode

by DeMars, Alan

I don't know that the SPE needs to be restored to its IDLE state prior to a thread pre-empting NS interrupt occurring. I just assumed that these 2 rules required it: a. All of the SPE interrupts must have higher priority than NSPE interrupts d. A NSPE interrupt is not allowed to preempt SPE ISR (I assumed that this rule applies to the SP while it is processing the ISR as well). Alan -----Original Message----- From: TF-M [mailto:tf-m-bounces@lists.trustedfirmware.org] On Behalf Of Edison Ai (Arm Technology China) via TF-M Sent: Thursday, November 14, 2019 12:58 AM To: tf-m(a)lists.trustedfirmware.org Cc: nd Subject: Re: [TF-M] [EXTERNAL] RE: secure interrupt handlng in IPC mode Hi Alan, I have one question, why the SPE needs restored to its IDLE state prior to a thread pre-empting NS interrupt occurring? About a secure interrupt is configured with a lower priority than pendsv, I do not think it is a good idea. The pendsv is used to trigger the scheduler to switch thread. The normal interrupt process should like this: Interrupt happen -> jump into related ISR -> do necessary process such as mask interrupt status, send even or signal to related SP. -> set pendsv to trigger scheduler -> jump out ISR -> scheduler to decide which thread to run. In these sequences, if there are many interrupts happen at the same time, and high priority interrupt will interrupt low priority interrupt. Each ISR will trigger pendsv. But only one pendsv hander function needs to be processed. If we set the pendsv with high priority. Each interrupt will trigger pendsv and the pendsv handler will be processed every time. It will be more complex and spend more CPU time. Sorry that I do not know what is your detail scenario, and it will be more clear and helpful if you can provide more information. Thanks, Edison -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu (Arm Technology China) via TF-M Sent: Thursday, November 14, 2019 3:12 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] [EXTERNAL] RE: secure interrupt handlng in IPC mode Hi Alan, I have created the cooperative scheduling doc link here for comment: https://review.trustedfirmware.org/c/trusted-firmware-m/+/2466 BR /Ken -----Original Message----- From: DeMars, Alan <ademars(a)ti.com> Sent: Thursday, November 14, 2019 10:44 AM To: Mate Toth-Pal <Mate.Toth-Pal(a)arm.com> Cc: tf-m(a)lists.trustedfirmware.org; nd <nd(a)arm.com>; Ken Liu (Arm Technology China) <Ken.Liu(a)arm.com> Subject: Re: [EXTERNAL] RE: secure interrupt handlng in IPC mode Mate, Apart from the surprising behavior actually working to my benefit, my concern is the implications of violating the Cooperative Scheduling Rules I quoted below. The normal behavior (ie the SP running in thread mode with no exception priority when servicing a secure interrupt) seems to violate those rules. Is this a problem for the scheduler? Alan > On Nov 13, 2019, at 5:08 AM, Mate Toth-Pal <Mate.Toth-Pal(a)arm.com> wrote: > > Hi Alan, > > That's a quite difficult question I think. > > At first look, it seems a to be a valid thinking that a secure partition that is handling an IRQ signal should be considered as an SPE ISR. > > However implementing this seems to be a nontrivial task. > > The code in the secure partitions is organised into a single thread, that executes a while loop, calls 'psa_wait()' in every iteration, and acts on the signals returned by it. > > The phenomenon we observed with your setup was the following: > 1. When the Handler mode interrupt handler, that had lower priority than the PendSV reenabled interrupts after setting the signal, was interrupted by the PendSV handler. > 2. PendSV handler scheduled the partition with the interrupt signal set, and did an exception return to thread mode. > 3. The code of the Secure partition thread started executing, in Thread mode, but with the priority of the interrupt from the first point, as that interrupt handler was interrupted before it could do exception return to acknowledge the handling of the interrupt in the NVIC. > 4. After the partition thread code called psa_wait again, the scheduler restored the context of the interrupt handler from the first point, that handler did an exception return, and everything is 'back to normal' > > Now, if I understand properly, your proposal is to make the conditions in point 3. to be mandatory for any scheduler implementation. > > To make this happen in TF-M, all the secure interrupts should have lower priority than the PendSV handler. This is necessary so that the above detailed behaviour is valid for all the interrupts. > > The problem with this is that the SPM has no control over which signal the code of the secure partition is going to execute. So in the current design a secure partition might decide to handle a service call signal (if there is any) instead of an IRQ signal, and that would be against our intention. We might be able to modify psa_wait to return only IRQ signals if there is any active, but that would be a violation of the PSA FF spec. > > Regards, > Mate > > From: DeMars, Alan <ademars(a)ti.com> > Sent: 12 November 2019 17:47 > To: Mate Toth-Pal <Mate.Toth-Pal(a)arm.com> > Cc: Ken Liu (Arm Technology China) <Ken.Liu(a)arm.com> > Subject: RE: secure interrupt handlng in IPC mode > > You can CC the tf-m mailing list. > > From: Mate Toth-Pal [mailto:Mate.Toth-Pal@arm.com] > Sent: Tuesday, November 12, 2019 8:02 AM > To: DeMars, Alan > Cc: Ken Liu (Arm Technology China) > Subject: [EXTERNAL] RE: secure interrupt handlng in IPC mode > > Hi Alan > > Would it be OK to you if I cc the TF-M mailing list in my answer? > > Or if you would prefer that, I can move the 'Cooperative Scheduling Rules' document to the TF-M source (in the docs folder), and you can create a patch for it in gerrit. > > Thanks, > Mate > > > From: DeMars, Alan <mailto:ademars@ti.com> > Sent: 11 November 2019 21:05 > To: Mate Toth-Pal <mailto:Mate.Toth-Pal@arm.com> > Cc: Ken Liu (Arm Technology China) <mailto:Ken.Liu@arm.com> > Subject: secure interrupt handlng in IPC mode > > Hi Mate! > > I've been doing some thinking about the unexpected behavior we saw when a secure interrupt is configured with a lower priority than pendsv. > > I think the below statements in the Cooperative Scheduling Rules discussion: > > a. All of the SPE interrupts must have higher priority than NSPE > interrupts d. A NSPE interrupt is not allowed to preempt SPE ISR must > extend to the priority level of the SP as it services the interrupt while in thread mode. > > Otherwise the problem that these rules are meant to avoid can arise: the SPE is not completely restored to its IDLE state prior to a thread pre-empting NS interrupt occurring. > > So, rather than the behavior we witnessed being unexpected, I think it may have to be enforced. > > Is this correct thinking? > > Alan > > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

6 years

2
1
0 0

Re: [TF-M] Commonly accepted default documentation layout

by Christopher Brand

I think you're right that we need some rules like this, and the list below looks reasonable to me. The list should probably be a document in its own right... Chris > -----Original Message----- > From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Minos > Galanakis via TF-M > Sent: Thursday, November 14, 2019 3:14 AM > To: tf-m(a)lists.trustedfirmware.org > Cc: nd <nd(a)arm.com> > Subject: [TF-M] Commonly accepted default documentation layout > > Hi > > With our documentation growing, and more people contributing to it, it is > quite essential to start a discussion on some basic commonly accepted rules > about the format of choice. > > Restructured text allows you to achieve similar looking results using multiple > approaches, but this makes it harder for tools like Sphinx to render properly, > since the rendering template can be applied on per project basis, not on a > per file basis. > I took the liberty of investigating the existing documentation, and mostly > looking for top level headers which can be done by using either > > > > #################### > > This is a top-level header > > #################### > > # Reference docs: > # design_documents/tfm_its_service.rst > # design_documents/secure_boot_hw_key_integration.rst > > # Reference docs: > # user_guides/tfm_secure_boot.rst > # user_guides/tfm_user_guide.rst > > > > > > or > > > ==================== > This is a top level header > ==================== > > # Reference docs: > # design_documents/tfm_its_service.rst > # design_documents/secure_boot_hw_key_integration.rst > > > > > Since we are looking for the path of least resistance, I would like to propose > that we follow the format the majority of document uses.This is the format > used in > `user_guides/tfm_user_guide.rst<https://git.trustedfirmware.org/trusted- > firmware-m.git/plain/docs/user_guides/tfm_user_guide.rst>` . > > When writing a document and coming across a requirement that has not > been defined yet, we should be aiming for compliance with official Python > guidelines<https://devguide.python.org/documenting/#style-guide> which > is the most commonly used notation. > > The following rules should be considered: > > > 1. H1 document title headers should be expressed by # with over-line (rows > on top and bottom) of the text > 2. Only ONE H1 header should allowed per document, ideally placed on top > of the page. > 3. H2 headers should be expressed by * with over-line > 4. H2 header's text should be UNIQUE in per document basis > 5. H3 headers should be expressed by a row of '=' > 6. H4 headers should be expressed by a row of '-' > 7. H3 and H4 headers have no limitation about naming. They can have > similar names on the same document, if they have different parents. > 8. H5 headers should be expressed by a row of '^' > 9. H5 headers will be rendered in document body but not in menus on the > navigation bar. > 10. Do not go deeper than 5 level of heading > 11. When writing guide, which are expected to be able to be readable by > command line tools, it would be best practice to add long complicated tables, > and UML diagrams in the bottom of the page and using internal > references(auto-label). See the current version of the > `/user_guides/tfm_sw_requirement.rst<https://git.trustedfirmware.org/tru > sted-firmware-m.git/plain/docs/user_guides/tfm_sw_requirement.rst>` > and the proposed patch<https://review.trustedfirmware.org/c/trusted- > firmware-m/+/2456> > > Please let me know if you have any questions/objection or proposals or new > rules you would like to be considered. > > > Thanks, > Minos > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.

6 years

1
0
0 0

New platform in TF-M: Musca-S1

by Mate Toth-Pal

Hi All, TF-M support for a new platform Musca-S1 is on review: https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/2452/ We are planning to merge the patch this week. Comments are welcome on the review. Regards, Mate

6 years

1
0
0 0

Commonly accepted default documentation layout

by Minos Galanakis

Hi With our documentation growing, and more people contributing to it, it is quite essential to start a discussion on some basic commonly accepted rules about the format of choice. Restructured text allows you to achieve similar looking results using multiple approaches, but this makes it harder for tools like Sphinx to render properly, since the rendering template can be applied on per project basis, not on a per file basis. I took the liberty of investigating the existing documentation, and mostly looking for top level headers which can be done by using either #################### This is a top-level header #################### # Reference docs: # design_documents/tfm_its_service.rst # design_documents/secure_boot_hw_key_integration.rst # Reference docs: # user_guides/tfm_secure_boot.rst # user_guides/tfm_user_guide.rst or ==================== This is a top level header ==================== # Reference docs: # design_documents/tfm_its_service.rst # design_documents/secure_boot_hw_key_integration.rst Since we are looking for the path of least resistance, I would like to propose that we follow the format the majority of document uses.This is the format used in `user_guides/tfm_user_guide.rst<https://git.trustedfirmware.org/trusted-firmware-m.git/plain/docs/user_guid…>` . When writing a document and coming across a requirement that has not been defined yet, we should be aiming for compliance with official Python guidelines<https://devguide.python.org/documenting/#style-guide> which is the most commonly used notation. The following rules should be considered: 1. H1 document title headers should be expressed by # with over-line (rows on top and bottom) of the text 2. Only ONE H1 header should allowed per document, ideally placed on top of the page. 3. H2 headers should be expressed by * with over-line 4. H2 header's text should be UNIQUE in per document basis 5. H3 headers should be expressed by a row of '=' 6. H4 headers should be expressed by a row of '-' 7. H3 and H4 headers have no limitation about naming. They can have similar names on the same document, if they have different parents. 8. H5 headers should be expressed by a row of '^' 9. H5 headers will be rendered in document body but not in menus on the navigation bar. 10. Do not go deeper than 5 level of heading 11. When writing guide, which are expected to be able to be readable by command line tools, it would be best practice to add long complicated tables, and UML diagrams in the bottom of the page and using internal references(auto-label). See the current version of the `/user_guides/tfm_sw_requirement.rst<https://git.trustedfirmware.org/trusted-firmware-m.git/plain/docs/user_guid…>` and the proposed patch<https://review.trustedfirmware.org/c/trusted-firmware-m/+/2456> Please let me know if you have any questions/objection or proposals or new rules you would like to be considered. Thanks, Minos

6 years

1
0
0 0

The svcall switch-case vs function table

by Ken Liu (Arm Technology China)

Hi, I am trying to look at into the svcall logics and found if we keep using the switch/case would make it hard to abstract this logic for different configurations. Thinking to move this static defined svc codes into an array-based function table. The pros are, the svc code set for different configurations is configurable, we don't need any #ifdef inside the svc numbers but rely on the configuration provided svc headers, and these headers are used inside configuration logic. And the overall svcall logic does not need to know the exact number definition but just do a f[num].func() call. The cons... I think the only thing is table may be out of date and cause a potential problem? or some function has only <4 parameter but we have to define a f(a0,a1,a2,a3) type function and fill extra parameter as zeros? This won't improve the execution efficiency if the svc numbers are continuous since compiler uses 'TBB' to create a mapping table while processing switch/case, so we can skip this point while talking pros. Welcome to comment or propose patches for this. Thanks. /Ken

6 years

1
0
0 0

Re: [TF-M] [EXTERNAL] RE: secure interrupt handlng in IPC mode

by Edison Ai (Arm Technology China)

Hi Alan, I have one question, why the SPE needs restored to its IDLE state prior to a thread pre-empting NS interrupt occurring? About a secure interrupt is configured with a lower priority than pendsv, I do not think it is a good idea. The pendsv is used to trigger the scheduler to switch thread. The normal interrupt process should like this: Interrupt happen -> jump into related ISR -> do necessary process such as mask interrupt status, send even or signal to related SP. -> set pendsv to trigger scheduler -> jump out ISR -> scheduler to decide which thread to run. In these sequences, if there are many interrupts happen at the same time, and high priority interrupt will interrupt low priority interrupt. Each ISR will trigger pendsv. But only one pendsv hander function needs to be processed. If we set the pendsv with high priority. Each interrupt will trigger pendsv and the pendsv handler will be processed every time. It will be more complex and spend more CPU time. Sorry that I do not know what is your detail scenario, and it will be more clear and helpful if you can provide more information. Thanks, Edison -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu (Arm Technology China) via TF-M Sent: Thursday, November 14, 2019 3:12 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] [EXTERNAL] RE: secure interrupt handlng in IPC mode Hi Alan, I have created the cooperative scheduling doc link here for comment: https://review.trustedfirmware.org/c/trusted-firmware-m/+/2466 BR /Ken -----Original Message----- From: DeMars, Alan <ademars(a)ti.com> Sent: Thursday, November 14, 2019 10:44 AM To: Mate Toth-Pal <Mate.Toth-Pal(a)arm.com> Cc: tf-m(a)lists.trustedfirmware.org; nd <nd(a)arm.com>; Ken Liu (Arm Technology China) <Ken.Liu(a)arm.com> Subject: Re: [EXTERNAL] RE: secure interrupt handlng in IPC mode Mate, Apart from the surprising behavior actually working to my benefit, my concern is the implications of violating the Cooperative Scheduling Rules I quoted below. The normal behavior (ie the SP running in thread mode with no exception priority when servicing a secure interrupt) seems to violate those rules. Is this a problem for the scheduler? Alan > On Nov 13, 2019, at 5:08 AM, Mate Toth-Pal <Mate.Toth-Pal(a)arm.com> wrote: > > Hi Alan, > > That's a quite difficult question I think. > > At first look, it seems a to be a valid thinking that a secure partition that is handling an IRQ signal should be considered as an SPE ISR. > > However implementing this seems to be a nontrivial task. > > The code in the secure partitions is organised into a single thread, that executes a while loop, calls 'psa_wait()' in every iteration, and acts on the signals returned by it. > > The phenomenon we observed with your setup was the following: > 1. When the Handler mode interrupt handler, that had lower priority than the PendSV reenabled interrupts after setting the signal, was interrupted by the PendSV handler. > 2. PendSV handler scheduled the partition with the interrupt signal set, and did an exception return to thread mode. > 3. The code of the Secure partition thread started executing, in Thread mode, but with the priority of the interrupt from the first point, as that interrupt handler was interrupted before it could do exception return to acknowledge the handling of the interrupt in the NVIC. > 4. After the partition thread code called psa_wait again, the scheduler restored the context of the interrupt handler from the first point, that handler did an exception return, and everything is 'back to normal' > > Now, if I understand properly, your proposal is to make the conditions in point 3. to be mandatory for any scheduler implementation. > > To make this happen in TF-M, all the secure interrupts should have lower priority than the PendSV handler. This is necessary so that the above detailed behaviour is valid for all the interrupts. > > The problem with this is that the SPM has no control over which signal the code of the secure partition is going to execute. So in the current design a secure partition might decide to handle a service call signal (if there is any) instead of an IRQ signal, and that would be against our intention. We might be able to modify psa_wait to return only IRQ signals if there is any active, but that would be a violation of the PSA FF spec. > > Regards, > Mate > > From: DeMars, Alan <ademars(a)ti.com> > Sent: 12 November 2019 17:47 > To: Mate Toth-Pal <Mate.Toth-Pal(a)arm.com> > Cc: Ken Liu (Arm Technology China) <Ken.Liu(a)arm.com> > Subject: RE: secure interrupt handlng in IPC mode > > You can CC the tf-m mailing list. > > From: Mate Toth-Pal [mailto:Mate.Toth-Pal@arm.com] > Sent: Tuesday, November 12, 2019 8:02 AM > To: DeMars, Alan > Cc: Ken Liu (Arm Technology China) > Subject: [EXTERNAL] RE: secure interrupt handlng in IPC mode > > Hi Alan > > Would it be OK to you if I cc the TF-M mailing list in my answer? > > Or if you would prefer that, I can move the 'Cooperative Scheduling Rules' document to the TF-M source (in the docs folder), and you can create a patch for it in gerrit. > > Thanks, > Mate > > > From: DeMars, Alan <mailto:ademars@ti.com> > Sent: 11 November 2019 21:05 > To: Mate Toth-Pal <mailto:Mate.Toth-Pal@arm.com> > Cc: Ken Liu (Arm Technology China) <mailto:Ken.Liu@arm.com> > Subject: secure interrupt handlng in IPC mode > > Hi Mate! > > I've been doing some thinking about the unexpected behavior we saw when a secure interrupt is configured with a lower priority than pendsv. > > I think the below statements in the Cooperative Scheduling Rules discussion: > > a. All of the SPE interrupts must have higher priority than NSPE > interrupts d. A NSPE interrupt is not allowed to preempt SPE ISR must > extend to the priority level of the SP as it services the interrupt while in thread mode. > > Otherwise the problem that these rules are meant to avoid can arise: the SPE is not completely restored to its IDLE state prior to a thread pre-empting NS interrupt occurring. > > So, rather than the behavior we witnessed being unexpected, I think it may have to be enforced. > > Is this correct thinking? > > Alan > > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

6 years

1
0
0 0

Re: [TF-M] secure interrupt handlng in IPC mode

by Mate Toth-Pal

Hi Alan, That's a quite difficult question I think. At first look, it seems a to be a valid thinking that a secure partition that is handling an IRQ signal should be considered as an SPE ISR. However implementing this seems to be a nontrivial task. The code in the secure partitions is organised into a single thread, that executes a while loop, calls 'psa_wait()' in every iteration, and acts on the signals returned by it. The phenomenon we observed with your setup was the following: 1. When the Handler mode interrupt handler, that had lower priority than the PendSV reenabled interrupts after setting the signal, was interrupted by the PendSV handler. 2. PendSV handler scheduled the partition with the interrupt signal set, and did an exception return to thread mode. 3. The code of the Secure partition thread started executing, in Thread mode, but with the priority of the interrupt from the first point, as that interrupt handler was interrupted before it could do exception return to acknowledge the handling of the interrupt in the NVIC. 4. After the partition thread code called psa_wait again, the scheduler restored the context of the interrupt handler from the first point, that handler did an exception return, and everything is 'back to normal' Now, if I understand properly, your proposal is to make the conditions in point 3. to be mandatory for any scheduler implementation. To make this happen in TF-M, all the secure interrupts should have lower priority than the PendSV handler. This is necessary so that the above detailed behaviour is valid for all the interrupts. The problem with this is that the SPM has no control over which signal the code of the secure partition is going to execute. So in the current design a secure partition might decide to handle a service call signal (if there is any) instead of an IRQ signal, and that would be against our intention. We might be able to modify psa_wait to return only IRQ signals if there is any active, but that would be a violation of the PSA FF spec. Regards, Mate From: DeMars, Alan <ademars(a)ti.com> Sent: 12 November 2019 17:47 To: Mate Toth-Pal <Mate.Toth-Pal(a)arm.com> Cc: Ken Liu (Arm Technology China) <Ken.Liu(a)arm.com> Subject: RE: secure interrupt handlng in IPC mode You can CC the tf-m mailing list. From: Mate Toth-Pal [mailto:Mate.Toth-Pal@arm.com] Sent: Tuesday, November 12, 2019 8:02 AM To: DeMars, Alan Cc: Ken Liu (Arm Technology China) Subject: [EXTERNAL] RE: secure interrupt handlng in IPC mode Hi Alan Would it be OK to you if I cc the TF-M mailing list in my answer? Or if you would prefer that, I can move the 'Cooperative Scheduling Rules' document to the TF-M source (in the docs folder), and you can create a patch for it in gerrit. Thanks, Mate From: DeMars, Alan <mailto:ademars@ti.com> Sent: 11 November 2019 21:05 To: Mate Toth-Pal <mailto:Mate.Toth-Pal@arm.com> Cc: Ken Liu (Arm Technology China) <mailto:Ken.Liu@arm.com> Subject: secure interrupt handlng in IPC mode Hi Mate! I've been doing some thinking about the unexpected behavior we saw when a secure interrupt is configured with a lower priority than pendsv. I think the below statements in the Cooperative Scheduling Rules discussion: a. All of the SPE interrupts must have higher priority than NSPE interrupts d. A NSPE interrupt is not allowed to preempt SPE ISR must extend to the priority level of the SP as it services the interrupt while in thread mode. Otherwise the problem that these rules are meant to avoid can arise: the SPE is not completely restored to its IDLE state prior to a thread pre-empting NS interrupt occurring. So, rather than the behavior we witnessed being unexpected, I think it may have to be enforced. Is this correct thinking? Alan IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

TF-M