Hi Andrej,
The idea of the OS wrapper layer is to abstract the underlying OS, so that the test app can use generic wrapper APIs, which are implemented using OS-specific APIs. In os_wrapper_rtx.c, we provide an example implementation that targets the CMSIS-RTOS2 APIs for RTX.
As osThreadJoinable is not supported by FreeRTOS, you can remove that attribute in your port, and implement os_wrapper_join_thread() as a no-op. We use semaphores for synchronisation in the test app anyway, so os_wrapper_join_thread() only needs to be implemented if threads are joinable and so need join() to be called to free up resources associated with the thread.
I do think we could make the OS wrapper layer a bit more generic though. We could replace the only call to os_wrapper_join_thread() that currently exists with a call to a new function os_wrapper_delete_thread(), which is defined to release the resources associated with a thread context. For CMSIS-RTOS2 this can be empty because this happens automatically, but for other RTOS APIs there may be some delete() function that needs to be called. Let me know what you think.
Best wishes,
Jamie
-----Original Message-----
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Andrej Butok via TF-M
Sent: 02 May 2019 15:04
To: tf-m(a)lists.trustedfirmware.org
Subject: [TF-M] Avoid osThreadJoin()
Hello,
The TFM test applications are using CMSIS-RTOS2 API. And this is good.
But could you delete os_wrapper_join_thread()and avoid using of osThreadJoin().
If I understand well, its support by RTOS tasks is optional (via osThreadJoinable flag).
The problem is that the osThreadJoin() functionality is not supported by FreeRTOS (https://arm-software.github.io/CMSIS-FreeRTOS/General/html/tech_data.html).
It is critical obstacle.
Could you tell what are you going to do with this requirement? To understand, if to continue with a FreeRTOS port.
Thank you
Andrej Butok
--
TF-M mailing list
TF-M(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m
Hello,
The TFM test applications are using CMSIS-RTOS2 API. And this is good.
But could you delete os_wrapper_join_thread()and avoid using of osThreadJoin().
If I understand well, its support by RTOS tasks is optional (via osThreadJoinable flag).
The problem is that the osThreadJoin() functionality is not supported by FreeRTOS (https://arm-software.github.io/CMSIS-FreeRTOS/General/html/tech_data.html).
It is critical obstacle.
Could you tell what are you going to do with this requirement? To understand, if to continue with a FreeRTOS port.
Thank you
Andrej Butok
Hi Andrej,
TF-M has no requirement on NS thread execution being unprivileged, nor is it mandated by PSA.
It is one of a set of measures that make non-secure thread isolation possible, reduce attack surface and provide a degree of tolerance against programming errors, but its absence does not invalidate the security measures provided by TF-M, so it is a fully valid implementation to make NSPE a single protection domain and all non-secure code execution privileged.
Regards
Miklos
-----Original Message-----
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Andrej Butok via TF-M
Sent: 02 May 2019 14:19
To: TF-M(a)lists.trustedfirmware.org
Subject: [TF-M] NS application privilege mode
Hello,
May a non-secure TFM user application stay in the privilege mode after start-up? It's needed, as some system registers are accessible only in the privilege mode.
Asking, because the TFM NS Musca start-up code is switching to the unprivileged mode from very beginning:
MRS R0, control ; Get control value
ORR R0, R0, #1 ; Select switch to unprivilage mode
ORR R0, R0, #2 ; Select switch to PSP
MSR control, R0
Hope, it is not mandatory.
Thanks,
Andrej Butok
--
TF-M mailing list
TF-M(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m
Hello,
May a non-secure TFM user application stay in the privilege mode after start-up? It's needed, as some system registers are accessible only in the privilege mode.
Asking, because the TFM NS Musca start-up code is switching to the unprivileged mode from very beginning:
MRS R0, control ; Get control value
ORR R0, R0, #1 ; Select switch to unprivilage mode
ORR R0, R0, #2 ; Select switch to PSP
MSR control, R0
Hope, it is not mandatory.
Thanks,
Andrej Butok
Hi,
This is a proposal that introduces scheduling rules in TF-M.
Introduction:
On ArmV8-M CPUs, NSPE and SPE share the same physical processing element(PE). A TF-M enabled system need to be able to handle asynchronous events (interrupts) regardless of current security state of the PE; and that may lead to scheduling decisions. This introduces significant complexity into TF-M. To keep the integrity of (NSPE and SPE) schedulers and call paths between NSPE and SPE, following set of rules are imposed on the TF-M scheduler design.
https://developer.trustedfirmware.org/w/tf_m/design/cooperative_scheduling/
Feedback welcome!
Thanks,
Ashu
Hi All,
The parts that refer to the BASEPRI_NS register being set on return from Secure services has been removed from the document (marked with strikethrough), as the attack surfaces introduced by not doing it are mitigated by the veneer stack checking on secure function entry.
Sorry for the inconvenience.
Best regards,
Mate
-----Original Message-----
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Mate Toth-Pal via TF-M
Sent: 29 April 2019 15:21
To: tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: [TF-M] Non-secure interrupt handling design proposal
Hi All,
The design proposal for the Non-secure interrupt handling is available for review at the following link:
https://developer.trustedfirmware.org/w/tf_m/design/ns_interrupt_handling/
Please share your thoughts in this mail thread.
Thank you!
Best regards,
Mate
--
TF-M mailing list
TF-M(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m
Hi,
There was a cmake response file patch to fix the linker error especially in windows:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/237
In this patch I set proper flags for linkers, but also enable response file as default, which caused some concerns about: is the response file option stable enough, will it break the build?
So I created an updated one, which just set correct response file switch for linkers, and do not enable response file as default. In the case if ARMCLANG response is enabled by cmake automatically, cmake could apply correct response flag for ARMCLANG:
https://review.trustedfirmware.org/c/trusted-firmware-m/+/925
Because they are pushed towards different branches, so a new gerrit item is generated which lost the history...The only difference with previous one is removed below line :
set(CMAKE_${lang}_USE_RESPONSE_FILE_FOR_OBJECTS 1)
The reason I raise this patch is because, this problem happens every time in my PC so I have to cherry-pick this patch before building anything. I had seen someone got the same issue, and want to check how you solve this.
Call for volunteers to help verifying this patch (925) in your side and provide feedback to ensure it will not break the building, is there anyone could help? Just cherry-pick this patch into your environment is OK.
Thanks.
-Ken
Hi all,
I've created a change as a follow-on from the mail discussion below to provide a design pattern proposal: IOCTL for platform-specific services.
https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/951/
Brief problem statement:
Some platforms required services and HAL functions that were not generic to warrant their dedicated generic HAL API functions as that implied a requirement for *all* platforms to implement - essentially stub - the implementation if the functionality was not applicable to that platform. The existing solution doesn't scale so I propose to introduce a single mandatory function that serves as a platform-specific wrapper/arbiter for services that are specific to a single platform, or a family of similar platforms.
Note that at present the change IS the design proposal - I felt it would make more sense to present it this time as code changes and documentation updates instead of a single linear design document.
Let me know your thought in this mail thread for generic observations or on the review page for specific details of the implementation.
Thanks
Regards,
Miklos
-----Original Message-----
From: Michel JAOUEN <michel.jaouen(a)st.com>
Sent: 11 April 2019 17:38
To: Miklos Balint <Miklos.Balint(a)arm.com>; tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: RE: Platform: Create platform service for pin functions
Hello,
You should detail your proposal with single entry.
It should help to implement the function really required for dedicated platform.
Regards
-----Original Message-----
From: Miklos Balint <Miklos.Balint(a)arm.com>
Sent: jeudi 11 avril 2019 17:28
To: Michel JAOUEN <michel.jaouen(a)st.com>; tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: RE: Platform: Create platform service for pin functions
Michel,
I agree there is a need for a more generic design pattern for such platform-specific features.
I think that there should be a single entry point for any platform specific service request to the platform/ directory and each platform should/could list the specific features it supports. Then the specific function type would be encoded in an invec to the service request.
But I think a more detailed design proposal is needed with enough room for discussion before committing to a new pattern, and I'd prefer to avoid introducing platform dependencies in the services/ folder. That folder should ideally just have an indirection across HAL to a platform-specific service request arbiter.
Any opinions or should I produce a more detailed proposal to show what I mean?
Regards
Miklos
-----Original Message-----
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Michel JAOUEN via TF-M
Sent: 11 April 2019 13:57
To: tf-m(a)lists.trustedfirmware.org
Subject: Re: [TF-M] Platform: Create platform service for pin functions
I see that there is https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/825/
On review , it adds some dummy functions for the platform not requiring these services Can we think about introducing some configuration on platform basis.
As example , I post
https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/854/
Best regards
From: Michel JAOUEN
Sent: mercredi 10 avril 2019 13:05
To: 'tf-m(a)lists.trustedfirmware.org' <tf-m(a)lists.trustedfirmware.org>
Subject: Platform: Create platform service for pin functions
Hello,
I noticed the merge of this api, which seems require only for platform Musca_a.
This create the need to implement dummy functions for the other platform.
would it be better to make this configurable for each platform ?
I think for the interface connected to platform partition, it is important to have a flexibility.
As example some platform , may require an API requesting a pin to be configureable from non secure .
Best regards
--
TF-M mailing list
TF-M(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m
Hi Stanislav,
Thanks for reporting the issue. As the issue seems to be in the PSA Tests rather than TF-M, please can you report it directly to the psa-arch-tests project here https://github.com/arm-software/psa-arch-tests as we in the TF-M team do not maintain that code.
Best wishes,
Jamie
-----Original Message-----
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Stanislav Jancik via TF-M
Sent: 25 April 2019 12:51
To: tf-m(a)lists.trustedfirmware.org
Subject: [TF-M] TF-M ARM GCC PSA Test 014 fail
Hi,
I use "7 2018-q2-update" ARMGCC compiler. The PSA Tests code works when it is compiled by ARMGLANG, but a fail occurs when the same code is compiled by ARMGCC.
Issue:
When TEST: 414 runs, I've got secure violation fault. See report bellow:
TEST: 414 | DESCRIPTION: Optional APIs not supported check [Info] Executing tests from non-secure Optional PS APIs are not supported.
[Check 1] Call to create API should fail as API not supported [Check 2] Create valid storage with set API [Check 3] Call to set_extended API call should fail [Check 4] Verify data is unchanged Oops... Secure fault!!! You're not going anywhere!
Reason:
The valtest_entry_p014 is overwritten by read_buff variable and this caused this fail.
Workaround:
When I changed read_buff declaration in test_p014.c from static uint8_t read_buff[TEST_BUFF_SIZE/4] = {0}; to static uint32_t read_buff[TEST_BUFF_SIZE/4] = {0}; the code is running correctly. But I think, that it should be officially fixed.
Best Regards
Stanislav
--
TF-M mailing list
TF-M(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m
