Hi
There seem to be scheduling bug we have found in SPM.
This bug is related to handling of interrupts that arrives during SVC call and assert signed for partition.
Steps to reproduce:
1. Call psa_wait() from partition (e.g. mailbox partition)
2. During execution of SVC handler generate Interrupt that asserts signal of that partition (e.g. mailbox partition signal ) (adding long delay in SVC handler or adding breakpoint in SVC handler helps to easier reproduce this )
3. Following sequence happens:
* Mailbox IRQ has lower priority than SVC thus SVC is not preempted.
* SVC sees that mailbox partition is blocked (as it is waiting for signal and no signals are pending)
* SVC triggers pendSV
i. Mailbox IRQ and pendSV are both pending
* Mailbox IRQ has higher priority than pendSV thus Mailbox IRQ is executed
* Mailbox IRQ calls spm_handle_interrupt
i. Signal is asserted thus spm_handle_interrupt in thrd_next calls query_state_cb which returns THRD_STATE_RET_VAL_AVAIL and thus tfm_arch_set_context_ret_code is called
ii. tfm_arch_set_context_ret_code sets return code using OLD value of partition PSP (as it was never updated, as it is updated in PendSV)
* Mailbox IRQ return, pendsv is started and it runs mailbox partition
i. Mailbox partition has 0 as signal because return value was written to wrong location is stack
Patch I have attached to the mail solves this problem for us BUT it seems more like a workaround than a proper fix(
Anyways it would be nice to have this problem review by SPM experts and have proper fix (maybe we have other places with same problem...)
Regards,
Bohdan Hunko
Cypress Semiconductor Ukraine
Engineer
CSUKR CSS ICW SW FW
Mobile: +38099 50 19 714
Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>
Hi,
I’d like to give you a heads-up that build split feature branch will be merged back to main branch very soon this week.
Trusted-firmware-m build split branch: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/?h=feature…
Tf-m-tests build split branch: https://git.trustedfirmware.org/TF-M/tf-m-tests.git/tree/?h=feature-build-s…
Build split feature improves how NS side integrate with TF-M SPE and therefore build commands are changed for building regression tests and PSA arch tests.
Could you please refer to https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/23898 for updated commands/configuration to integrate NS side and port platforms after build split?
If anything is broken after build split, please let us know. It would be also appreciated if you could contribute to build split. 😊
Any feedback or comment is welcome.
Best regards,
Hu Ziji
I have a few questions regarding RSS and Secure Enclave to see what's required and considered for SoC design to leverage RSS and why we nee to use RSS & TF-M
1. What is the difference between RSS and Secure Enclave?
- Is RSS the same as Secure Enclave?
- Or is it referring to any subsystem providing runtime crypto service regardless of whether it's a Secure Enclave or not?
Question below is assuming RSS is a Secure Enclave......
2. What enables TF-M to operate as a Secure Enclave?
- To operate as a Secure Enclave, HW support is mandatory?
a) If so, we must use a Secure Enclave IP such as cryptoisland(CI-300P-C)?
b) Or can we construct a Secure Enclave with some other IPs(LCM, KMU, CryptoCell) metioned RSS doc? (by using TF-M without secure enclave IP)
It feels vague whether this can be called a Secure Enclave...
https://tf-m-user-guide.trustedfirmware.org/platform/arm/rss/rss_key_manage…
- If HW support is not mandatory, I wonder how TF-M can operate as a Secure Enclave.
- The article below seems to say that TF-M can provide Secure Enclave functionality without HW support. or I may misunderstand.
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.2.0/tfm/technical_re…
Hi,
Reading through https://tf-m-user-guide.trustedfirmware.org/integration_guide/non-secure_cl… I'm wondering why so much of the work is done in the secure world. Ultimately, the secure world relies on the non-secure world to tell it the client_id, directly or indirectly. Is there a good reason for the NCSE part to reside in the secure world, rather than the non-secure?
Particularly as the document states that the non-secure RTOS may have a built-in "Secure Context Manager", there may well be redundancy between that and NCSE that could be eliminated if the NCSE was in the NSPE. And the less code there is in the secure world, the less scope for vulnerabilities.
If client_ids themselves were passed from the NS to the S world, it would probably be very easy to use that same interface on the NS core in a dual core system, too.
Chris
Hi,
Seems like following code
$<$<BOOL:TFM_PARTITION_PLATFORM>:${CMAKE_CURRENT_SOURCE_DIR}/services/src/tfm_platform_system.c>
In platform/ext/target/arm/corstone1000/CMakeLists.txt is wrong because it uses TFM_PARTITION_PLATFORM but should use ${ TFM_PARTITION_PLATFORM }
If so then maybe platform maintainers can fix this.
Regards,
Bohdan Hunko
Cypress Semiconductor Ukraine
Engineer
CSUKR CSS ICW SW FW
Mobile: +38099 50 19 714
Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>
Is 11.2-2022.02 the recommended compiler version?
I saw TF-M v1.8 states:
" GNU Arm compiler version *10-2020-q4-major* has an issue in CMSE
support. The bug is reported in `here <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99157>`__.
Select other GNU Arm compiler versions instead.
GNU Arm compiler version greater and equal than *11.3.Rel1* has a linker issue in syscall.
Select other GNU Arm compiler versions instead.
"
Regards,
Brian Quach
SimpleLink MCU
Texas Instruments Inc.
Hi,
When is it appropriate to use "__tz_c_veneer" vs. "__tfm_nspm_secure_gateway_attributes__"? The only difference appears to be placing it in "SFN" section.
Regards,
Brian Quach
SimpleLink MCU
Texas Instruments Inc.
Hello,
I am trying to build TF-M v1.8 with a custom tfm_mbedcrypto_config_profile_medium.h . I mainly do not want to use a platform specific calloc /free calls, instead use standard free() and calloc(). If I disable MBEDTLS_PLATFORM_MEMORY and MBEDTLS_PLATFORM_C in tfm_mbedcrypto_config_profile_medium.h and attempt to build TF-M, I get the following error:
/arm-none-eabi/lib/thumb/v8-m.main+fp/hard/libnosys.a(sbrk.o): in function `_sbrk':
/data/jenkins/workspace/GNU-toolchain/arm-11/src/newlib-cygwin/libgloss/libnosys/sbrk.c:21: undefined reference to `end'
I'm able to build mbedtls package with both MBEDTLS_PLATFORM_MEMORY and MBEDTLS_PLATFORM_C disabled without any errors, the undefined reference error is only seen when building TF-M.
Any thoughts on how to resolve this?
Regards,
Archanaa
Hi all,
Seems like dependency on generated files is broken.
Steps to reproduce:
1. Build any platform at any mode
2. Change any .template file
3.
Expected result:
1. New file is generated from the updated .template file
Actual result:
1. Generated files step is skipped.
My best guess will be that 1ce59292a47b1316e5d8b4d28bcaf9d8e2bdc0a5 broke it.
Could this be fixed?
Regards,
Bohdan Hunko
Cypress Semiconductor Ukraine
Engineer
CSUKR CSS ICW SW FW
Mobile: +38099 50 19 714
Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>
Hello,
Some time ago we planned to rename our master branch to main in all 6 repositories. There are multiple ways of doing that and I want to discuss with the community the best way suitable for all.
I can see the following options:
1. rename master->main and use the main from one day.
2. Create the main for contribution with main->master sync. Make master R/O and delete it in 3 months.
3. Keep contributing to the master but syncing master->main.
4. Other way?
I suggest option 2 but looking for better alternatives if any.
Thanks,
Anton
