Our requirement is to send email securely from our embedded device running on STM32H7 processor. There's an SMTP client application (implemented using Mbed TLS library) running on this device, which will send emails to the recipient via custom/public email server such as smtp.gmail.com. We are planning to use S/MIME email certificate from the one of the Trusted CA, for encryption of the email message and authentication of the client/server. We learnt that each S/MIME email certificate support only one email address, but we will be having multiple devices running on the field and each device will have unique email address from which email will be sent. Getting S/MIME email certificate for device will not be feasible, is there any better way we can handle this scenario effectively. Your response to this problem is greatly appreciated.
Thank you,
Nagaraj
Hi,
On the last tech forum (June 22) we started discussion on multicore hybrid platforms.
By this mail I’d like to follow up and continue offline analyses on new use-cases and requirements for TF-M design update.
The recorded session is available here: https://linaro-org.zoom.us/rec/share/yseF-mYwUTtHHPkQJQO6IEv72xCd0Lz1pQQecc…, Passcode: 5s=Npv=w
and slides: https://www.trustedfirmware.org/docs/tech_forum_20230622_Hybrid_platforms.p…
The current plan is to take time, think on the use-cases and map them on requirements. With more thought and materials, we will have another session about September time to define our needs in the support of new type of platform.
Please share your thoughts in reply.
Thanks,
Anton
Hi,
We are planning to update the mechanism on partition interface ABI selection in IPC model.
In current Implementation, cross call ABI is chosen in Isolation Level 1, and SVC call ABI is chosen in Isolation Level 2&3.
However, interfaces are actually the bridge between SPM and caller partitions. If one partition shares the same boundary with SPM, cross call ABI is the choice; while if one partition does not share the same boundary with SPM, a SVC ABI is the proper choice.
But, a simple comparison between two boundary values cannot be used for checking if the two boundaries are the same one - these values might be encoded with bit fields and contains more info than memory regions. Hence the comparison should be done by who generated them - the isolation HAL implementation in platform sources.
So here comes to the following design:
1. In HAL function tfm_hal_bind_boundary, encode p_ldinf into boundary value, so that there is no need to pass both p_ldinf and boundary value to switch boundary.
1. Implement a HAL function to compare boundaries and switch boundary if needed.
tfm_hal_status_t tfm_hal_switch_boundary(
uintptr_t target_boundary,
uintptr _t current_boundary,
uint32_t compare_only, /* 0: Switch boundary if they are different, 1: Only compare whether the boundaries are different and do not switch */
uint32_t* compare_result); /* Tell the caller whether the boundaries are different */
1. Select correct type of ABI when processing metadata of partition based on boundary.
void prv_process_metadata(struct partition_t *p_pt)
{
...
tfm_hal_switch_boundary(SPM_BOUNDARY, p_pt->boundary, 1, *compare_result);
if (compare_result == 1) {
p_rt_meta->psa_fns = &psa_api_svc;
} else {
p_rt_meta->psa_fns = &psa_api_cross;
}
...
}
Please let us know if you have any suggestion.
Thanks,
Xinyu
Hi All,
I wanted to let you know that next Thursday, July 27th, the TF-A Tech Forum
will be hosting a presentation on OpenCI and MISRA presented by Paul
Sokolovski of Linaro and Roberto Bagnara from Bugseng. MISRA is being
enabled on both TF-A and TF-M in OpenCI, so sending this out to both lists
since users in both domains may be interested in the session.
Meeting time and dial up info can be found in the TF community calendar
located here: https://www.trustedfirmware.org/meetings/
Best Regards,
Don Harbin
TrustedFirmware Community Manager
don.harbin(a)linaro.org
Hi all,
I'm wondering why client API is build with tfm_sprt target (Secure Partition Runtime Library)? Client API is used by non-secure clients and secure clients. It means that static library is built once, but used with two different images. And it's expected that such images can use different types of cores, compilation settings, etc...
Probably it make sense to build this target in scope of psa_interface.
Regards,
Roman.
Dear TF-M developers,
I am currently adapting a basic MbedTLS / PSA Crypto example such that it would run on the NS side with TF-M doing the crypto.
At the end, this is very similar to this psa_sign_verify_message_test from the NS crypto test suite :
https://git.trustedfirmware.org/TF-M/tf-m-tests.git/tree/test/secure_fw/sui…
But my build config of MbedTLS has MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT enabled because I have a custom mbedtls_platform_setup / mbedtls_platform_teardown.
And I can't see any place in TF-M where mbedtls_platform_setup/mbedtls_platform_teardown are called :
? -> mbedtls_platform_setup
? -> mbedtls_platform_teardown
At first, I tried to put this code into the psa_driver_wrapper_init/psa_driver_wrapper_free but I have a similar problem :
tfm_crypto_engine_init -> psa_crypto_init -> psa_driver_wrapper_init
? -> mbedtls_psa_crypto_free -> psa_driver_wrapper_free
Is there any cmake/Kconfig option or any C macros to hook TF-M initialization/shutdown with mbedtls_platform_setup/mbedtls_platform_teardown without patching TF-M ?
If not, could mbedtls_platform_setup be called here ? https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/secure_fw/…
or is there a nicer way of doing this ?
(btw, I am currently experimenting on qemu mps2-an521)
Thanks for any advice ! 🙂
Best regards,
Rehan MALAK
Intrinsic ID
Hi Andrey,
Patch 21339<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/21339> introduced changes of configuration order:
1. Platform configuration via TARGET_CONFIG_HEADER_FILE.
2. Project configuration via PROJECT_CONFIG_HEADER_FILE
3. config_base.h
It means that target can't change configuration that is expected to be changed by project. Example:
1. Platform must redefine ITS_STACK_SIZE to satisfy driver requirements. The good way for this is to set ITS_STACK_SIZE in config_tfm_target.h.
2. Project developer need to perform some additional debugging or profiling of the product, so the TF-M must be built with extra code that require additional stack size. It means that project developer need to #undef ITS_STACK_SIZE and then redefine it using #define ITS_STACK_SIZE. But this #undef/#define approach is not safe, because it's possible to calculate some other settings using configuration variable in config_tfm_target.h or perform additional configuration validation by config_tfm_target.h.
It looks like the new changes created another bunch of problems for TF-M configuration.
Regards,
Roman.
FYI to all TF dev teams leveraging Open CI.
Best regards,
Don
---------- Forwarded message ---------
From: Glen Valante via Tf-openci-triage <
tf-openci-triage(a)lists.trustedfirmware.org>
Date: Fri, 23 Jun 2023 at 08:41
Subject: [Tf-openci-triage] FYI; Cambridge Lab Down
To: tf-openci-triage(a)lists.trustedfirmware.org <
tf-openci-triage(a)lists.trustedfirmware.org>
Hello All;
FYI; the Cambridge lab took a serious power hit and is down. They are
scrambling to get things back up, but it may take all weekend.
Expect LAVA failures and other strange results.
Thanks;
-g
--
[image: Linaro] <http://www.linaro.org>
Glen Valante | *Director Program & Project Management*
T: +1.508.517.3461 <1617-320-5000>
glen.valante(a)linaro.org | Skype: gvalante <callto:gvalante>
--
Tf-openci-triage mailing list -- tf-openci-triage(a)lists.trustedfirmware.org
To unsubscribe send an email to
tf-openci-triage-leave(a)lists.trustedfirmware.org
Hi all,
I am currently trying out TF-M together with Zephyr and therefore ported it to the Nucleo-U575ZI-Q evaluation board. I started to struggle when trying to implement an example for a custom Secure Partition (SP) which should access peripherals.
I recognized, that the `target_cfg.*` throughout different vendors follow different design principles. E.g. for Nordic controllers an example is given with their nordic-sdk on how to implement peripheral access for a SP (https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.0.0/nrf/samples/tfm/…). For ST devices I tried to transfer this, however, where unsuccessful so far as for the ST microcontrollers the peripheral definitions are missing, and things are just different.
Is there any example for ST controllers on how to make specific peripherals only accessible through SPE? Is this currently supported for ST devices?
And another question, as the Embedded Open Source Summit arises, is TF-M represented somewhere on conferences?
Kind Regards
Christian Spinnler
Siemens AG
Technology
Connectivity & Edge
T CED SSI-DE
Schuckertstrasse 2
91058 Erlangen, Deutschland
mailto:christian.spinnler@siemens.com
www.siemens.com<https://siemens.com>
Siemens Aktiengesellschaft: Vorsitzender des Aufsichtsrats: Jim Hagemann Snabe; Vorstand: Roland Busch, Vorsitzender; Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese; Sitz der Gesellschaft: Berlin und München, Deutschland; Registergericht: Berlin-Charlottenburg, HRB 12300, München, HRB 6684; WEEE-Reg.-Nr. DE 23691322
Hi all,
In GCC linker scripts ands of sections are aligned using following syntax:
. = ALIGN(TFM_LINKER_XXX_ALIGNMENT);
But in ARMClang TFM does not use similar approach, instead it creates Position tags sections like following:
TFM_APP_CODE_START +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT EMPTY 0x0 {
}
TFM_APP_ROT_LINKER +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT {
*tfm_app_rot_partition* (+RO-CODE, +RO-DATA)
*libplatform_s* (TFM_*_APP-ROT_ATTR_FN)
*.o (TFM_*_APP-ROT_ATTR_FN)
}
/*
* This empty, zero long execution region is here to mark the end address
* of APP RoT code.
*/
TFM_APP_CODE_END +0 ALIGN TFM_LINKER_APP_ROT_LINKER_CODE_ALIGNMENT EMPTY 0x0 {
}
I believe this is done because clang does not have syntaxes for aligning end of the section (please correct me if I am wrong).
This approach results in bug in TFM_UNPRIV_CODE section protections, because TFM_UNPRIV_CODE Base and Limit are used directly and Limit is not aligned.
For now this problem stayed undetected because present platforms does not validate region_limit when applying protections.
I have created this patch<https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/21169> , which adds validation of region_limit and ran Ci on it and I can see that CI failed in tests for Clang builds
So I guess this is the problem that have to be fixed. I see following possible solutions:
1. Align and of TFM_UNPRIV_CODE section (but I guess clang does not support that)
2. Add position tags for _START and END
Solution 1 will simpler as it will not require changed in platform code, but I guess clang syntaxes is limiting us here.
So my question would be whether there is a plan to fix this issue ?
Regards,
Bohdan Hunko
Cypress Semiconductor Ukraine
Engineer
CSUKR CSS ICW SW FW
Mobile: +38099 50 19 714
Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>
