- TF-M - lists.trustedfirmware.org

by Miklos Balint

One fundamental reason for driving context changes from handler mode is to have privilege and isolation control when switching contexts. So it all boils down to the requirements of a particular deployment. If there is no compartmentalization and privilege control in NSPE, i.e. all NS threads and the OS have identical access policies to secure assets, it should be possible to lift this requirement and accept NSPE context change notifications that transition from NSPE to SPE in thread mode. This, however, only results in a performance improvement if SPE also bypasses handler mode for this operation, requiring slightly more than skin-deep modifications in TF-M to handle all possible (ab)uses of the secure context management feature. I think this can be a valid choice for a specific implementation, but support for this as a configuration switch in the upstream and threat modelling the alternate setting would be a stretch in our team's current roadmap. /M -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of DeMars, Alan via TF-M Sent: 13 February 2019 05:11 To: tf-m(a)lists.trustedfirmware.org Subject: [TF-M] tz_context APIs Why do all the APIs declared in tz_context.h need to be called from NS Handler mode? Is this a hard requirement or can it be configured 'OFF'? For performance reasons, our OS doesn't trap into handler mode to perform thread management like creation, scheduling, and context switching. Having to switch to handler mode without a very compelling reason seems like unnecessary overhead in performance-critical code. Alan -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 2 months

1
0
0 0

tz_context APIs

by DeMars, Alan

Why do all the APIs declared in tz_context.h need to be called from NS Handler mode? Is this a hard requirement or can it be configured 'OFF'? For performance reasons, our OS doesn't trap into handler mode to perform thread management like creation, scheduling, and context switching. Having to switch to handler mode without a very compelling reason seems like unnecessary overhead in performance-critical code. Alan

5 years, 2 months

1
0
0 0

Re: [TF-M] Clarification of pre-existing TFM secure service alignment with PSA APIs

by Ken Liu (Arm Technology China)

Hi Alan, After PSA IPC model takes place, existing services need to be modified to support it. The action is not a re-implement actually. The basic idea is creating an IPC SP body and calls existing secure service functions. There are also some commits for reference: https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/473/ https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/474/ There are IPC compatible items in roadmap reflects the plan: https://developer.trustedfirmware.org/w/tf_m/planning/ Thanks -Ken > -----Original Message----- > From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of DeMars, > Alan via TF-M > Sent: Tuesday, February 12, 2019 9:39 AM > To: tf-m(a)lists.trustedfirmware.org > Subject: [TF-M] Clarification of pre-existing TFM secure service alignment with > PSA APIs > > Is my understanding correct that the existing set of secure services (audit, crypto, > sst, etc) that use the "Library" or function-call-based-model to enter the SPE are > being redesigned to conform to the PSA IPC model, meaning that each service > will be re-implemented as a SP with a forever loop? > > If so, does this mean that the existing set of NS-facing APIs associated with each > secure service will be re-implemented as libraries that funnel all of their calls > into the SPE through the 3 PSA IPC calls (psa_connect(), psa_call(), and > psa_close())? > > Alan > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 2 months

1
0
0 0

Clarification of pre-existing TFM secure service alignment with PSA APIs

by DeMars, Alan

Is my understanding correct that the existing set of secure services (audit, crypto, sst, etc) that use the "Library" or function-call-based-model to enter the SPE are being redesigned to conform to the PSA IPC model, meaning that each service will be re-implemented as a SP with a forever loop? If so, does this mean that the existing set of NS-facing APIs associated with each secure service will be re-implemented as libraries that funnel all of their calls into the SPE through the 3 PSA IPC calls (psa_connect(), psa_call(), and psa_close())? Alan

5 years, 2 months

1
0
0 0

Re: [TF-M] How to run PSA API compliance tests with TF-M SST service

by Marc Moreno Berengue

Hi all, All the patches needed to pass all the PSA API Compliance tests have been merged into TF-M master branch, so there is no need for step [2] below, just checkout the TF-M master branch. Thanks, Marc Moreno ________________________________ From: Marc Moreno Berengue Sent: 01 February 2019 18:17 To: tf-m(a)lists.trustedfirmware.org Cc: nd Subject: [TF-M] How to run PSA API compliance tests with TF-M SST service <mailto:nd@arm.com>Hi all, The Secure Storage (SST) service has been updated to align it with the PSA Protected Storage APIs version 1.0. There are a set of patches which implements this change. Please, find more information about those changes in the following ticket: https://developer.trustedfirmware.org/T218 It's possible to run the PSA API Compliance tests (https://github.com/ARM-software/psa-arch-tests/tree/master/api-tests/dev_ap…) with the TF-M SST service by following the instructions below. (The instructions assume that psa-arch-tests and trusted-firmware-m directories are at the same level in the filesystem): 1. Checkout https://github.com/ARM-software/psa-arch-tests/ 2. Checkout https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/589/ 3. Copy the `interface/include/psa_protected_storage.h` to `interface/include/psa/protected_storage.h` as this is the header name expected by the PSA API Compliance tests 4. Build the SST tests for the PSA API compliance as described in the `psa-arch-tests/api-tests` for one of the supported targets, providing the include path of the TF-M interface (i.e. trusted-firmware-m/interface/include). Set crypto and internal trusted storage as not implemented in `psa-arch-tests/api-tests/platform/targets/<TARGET_NAME>/Makefile`. Set PSA_CRYPTO_IMPLEMENTED:=0 and PSA_INTERNAL_TRUSTED_STORAGE_IMPLEMENTED:=0 * The list of tests being run is specified in the file `psa-arch-tests/api-tests/dev_apis/protected_storage/testsuite.db` * For example, this command will build the tests for AN521 "./tools/scripts/setup.sh --target tgt_dev_apis_tfm_an521 --toolchain ARMCLANG --cpu_arch armv8m_ml --verbose 2 --suite protected_storage --include ../../trusted-firmware-m/interface/include --archive_tests" 5. Build TF-M by using the ConfigPsaApiTest.cmake, enabling the PSA API Compliance tests for SST service by adding the following cmake switch during the configuration step: "-DPSA_API_TEST_SECURE_STORAGE=ON" * For example, this command will build the TF-M + NS app with PSA API Protected Storage tests for AN521 "cmake -G"Unix Makefiles" -DPROJ_CONFIG=`readlink -f ../ConfigPsaApiTest.cmake` -DTARGET_PLATFORM=AN521 -DCOMPILER=ARMCLANG -DPSA_API_TEST_SECURE_STORAGE=ON ../" This will make our NS test app run a subset of the PSA API compliance tests for SST service. Thanks, Marc Moreno

5 years, 3 months

1
0
0 0

Re: [TF-M] [EXTERNAL] Re: generated header files

by DeMars, Alan

Mate, Thank you! I was able to regenerate from an edited .yaml file and get exactly what I needed. Alan > On Feb 7, 2019, at 11:47 PM, Mate Toth-Pal via TF-M <tf-m(a)lists.trustedfirmware.org> wrote: > > Hi Alan, > > Currently the generation of these files is a manual step that should be done prior to build. > > The script that does the generation is the tools/tfm_parse_manifest_list.py python script. The script has to be run with no command line parameters from the TF-M source root dir. The location of two files, tools\tfm_generated_file_list.yaml and tools\tfm_manifest_list.yaml are hardcoded into the script, and they specify the files the script works on. > > tfm_manifest_list.yaml contains the list of partition manifest files. These yaml files provide the information that template files have to be filled with. > tfm_generated_file_list.yaml contains the list of files to be generated. The script assumes, that for each <generated_file_path>/<generated_file_name> there is a file <generated_file_path>/<generated_file_name>.template file, which is used as a template for generation. > > Please note, that the current version of this script on master contains a custom parser and substituting code, however we have a plan to replace it to the Jinja2 template parser engine. Please see the proposal here: https://developer.trustedfirmware.org/w/tf_m/design/code_generation_with_ji… > > Regards, > Mate > > -----Original Message----- > From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of DeMars, Alan via TF-M > Sent: 07 February 2019 22:35 > To: tf-m(a)lists.trustedfirmware.org > Subject: [TF-M] generated header files > > I'm using the feature-ipc branch and I notice a lot of these warnings in TF-M header files: > > /*********** WARNING: This is an auto-generated file. Do not edit! ***********/ > > When are these files generated? I assume they're derived from associated manifest files. > > When I use cmake to create a "ConfigCoreIPC.cmake" build area, I don't see any header files being generated in the process. Any changes I've made to header files with these warnings are still present. Is there a TF-M cmake configuration that regenerates these files? If so, how do I invoke it so I can more properly reconfigure a custom SP? > > Alan > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 3 months

1
0
0 0

Re: [TF-M] How to run PSA API compliance tests with TF-M Crypto

by Antonio De Angelis

Hi all, All the patches needed to pass all the PSA API Compliance tests from the ew_beta0 branch have been merged into TF-M master branch, so there is no need for step [2] below, just checkout the TF-M master branch. Thanks, Antonio -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Antonio De Angelis via TF-M Sent: 31 January 2019 21:42 To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [Tf-m] How to run PSA API compliance tests with TF-M Crypto Hi all, after a restructuring of the patches in the pull request, the patch that needs to be checked out at step [2] in the instructions in the mail below is amended to: 2. Checkout https://review.trustedfirmware.org/c/trusted-firmware-m/+/588/ Thanks, Antonio ________________________________ From: Antonio De Angelis Sent: 30 January 2019 17:21 To: tf-m(a)lists.trustedfirmware.org Cc: nd Subject: How to run PSA API compliance tests with TF-M Crypto Hi all, It’s possible to run a subset of the PSA API Compliance tests with the TF-M Crypto service by following the instructions below (it assumes that psa-arch-tests and trusted-firmware-m directories are at the same level in the filesystem): 1. Checkout https://github.com/ARM-software/psa-arch-tests/tree/ew_beta0 (ew_beta0 branch of the PSA API Compliance tests repo) 2. Checkout https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/561/ 3. Copy the interface/include/psa_crypto.h to interface/include/psa/crypto.h as this is the header name expected by the PSA API Compliance tests 4. Build the Crypto tests for the PSA API compliance as described in the psa-arch-tests/api-tests for one of the supported targets, providing the include path of the TF-M interface (i.e. trusted-firmware-m/interface/include) * The list of tests being run is specified in the file psa-arch-tests/api-tests/dev_apis/crypto/testsuite.db * For example, this command will build the tests for AN521 “./tools/scripts/setup.sh --target tgt_dev_apis_tfm_an521 --toolchain ARMCLANG --cpu_arch armv8m_ml --verbose 2 --suite crypto --include ../../trusted-firmware-m/interface/include --archive_tests” 5. Build TF-M by using the ConfigPsaApiTest.cmake, enabling the PSA API Compliance tests for Crypto by adding the following cmake switch during the configuration step: “-DPSA_API_TEST_CRYPTO=ON” * For example, this command will build the TF-M + NS app with PSA API Crypto tests for AN521 “cmake -G"Unix Makefiles" -DPROJ_CONFIG=`readlink -f ../ConfigPsaApiTest.cmake` -DTARGET_PLATFORM=AN521 -DCOMPILER=ARMCLANG -DPSA_API_TEST_CRYPTO=ON ../” This will make our NS test app run a subset of the PSA API compliance tests for Crypto. We are currently working on fixing the remaining failures. Thanks, Antonio -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 3 months

1
0
0 0

Re: [TF-M] generated header files

by Mate Toth-Pal

Hi Alan, Currently the generation of these files is a manual step that should be done prior to build. The script that does the generation is the tools/tfm_parse_manifest_list.py python script. The script has to be run with no command line parameters from the TF-M source root dir. The location of two files, tools\tfm_generated_file_list.yaml and tools\tfm_manifest_list.yaml are hardcoded into the script, and they specify the files the script works on. tfm_manifest_list.yaml contains the list of partition manifest files. These yaml files provide the information that template files have to be filled with. tfm_generated_file_list.yaml contains the list of files to be generated. The script assumes, that for each <generated_file_path>/<generated_file_name> there is a file <generated_file_path>/<generated_file_name>.template file, which is used as a template for generation. Please note, that the current version of this script on master contains a custom parser and substituting code, however we have a plan to replace it to the Jinja2 template parser engine. Please see the proposal here: https://developer.trustedfirmware.org/w/tf_m/design/code_generation_with_ji… Regards, Mate -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of DeMars, Alan via TF-M Sent: 07 February 2019 22:35 To: tf-m(a)lists.trustedfirmware.org Subject: [TF-M] generated header files I'm using the feature-ipc branch and I notice a lot of these warnings in TF-M header files: /*********** WARNING: This is an auto-generated file. Do not edit! ***********/ When are these files generated? I assume they're derived from associated manifest files. When I use cmake to create a "ConfigCoreIPC.cmake" build area, I don't see any header files being generated in the process. Any changes I've made to header files with these warnings are still present. Is there a TF-M cmake configuration that regenerates these files? If so, how do I invoke it so I can more properly reconfigure a custom SP? Alan -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

5 years, 3 months

1
0
0 0

generated header files

by DeMars, Alan

I'm using the feature-ipc branch and I notice a lot of these warnings in TF-M header files: /*********** WARNING: This is an auto-generated file. Do not edit! ***********/ When are these files generated? I assume they're derived from associated manifest files. When I use cmake to create a "ConfigCoreIPC.cmake" build area, I don't see any header files being generated in the process. Any changes I've made to header files with these warnings are still present. Is there a TF-M cmake configuration that regenerates these files? If so, how do I invoke it so I can more properly reconfigure a custom SP? Alan

5 years, 3 months

1
0
0 0

Re: [TF-M] [Tf-m] [EXTERNAL] Re: Non-secure Client Management

by Miklos Balint

Hi Alan, https://developer.trustedfirmware.org/w/tf_m/planning/ has a roadmap of planned feature support by calendar quarter. NSPM for the thread-based design is not explicitly highlighted but I would expect it to be implemented as part of the Q2 SPM work or Q3 Scheduler work the latest. Any feedback on that or any other aspect of the roadmap is very welcome so we can take that into account when updating the plans. For the TZ functions, please note that these are not proprietary to TF-M but form a standard CMSIS API, a generic RTOS feature for TrustZone-enabled devices: https://www.keil.com/pack/doc/CMSIS/Core/html/group__context__trustzone__fu… Since these calls are direct function calls between NSPE and SPE, the overhead should be in the order of a few dozen clock cycles each, not much more than regular RTOS context switch hooks that would be available in several RTOSes. Are you concerned that this overhead is a major limitation? If so, one enhancement TF-M could provide to support a simplified non-CMSIS-compliant NSPE RTOS implementation is for TZ_LoadContext_S to implement the functionality you described for "SwitchContext", taking only the new MemoryId as argument - the old id is stored in the NSPM database anyway, so the context to be Stored in this case can be inferred by TF-M. If the new context is not secure-accessing, FreeContext can be used as defined by CMSIS. This way TF-M does not introduce proprietary new functions for functionality already defined by the standard. Please note that this solution would still need to be analysed for security implications as TF-M would be making additional assumptions on NSPE state - although I don't see a reason for concern at this point. /M -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of DeMars, Alan via TF-M Sent: 03 February 2019 15:18 To: Ken Liu (Arm Technology China) <Ken.Liu(a)arm.com> Cc: nd <nd(a)arm.com>; tf-m(a)lists.trustedfirmware.org Subject: Re: [Tf-m] [EXTERNAL] Re: Non-secure Client Management Ken, Thank you for your prompt response. Please see my replies below. Alan > Hi Alan, > The proposed APIs are implemented for library mode. It will not work under IPC mode in 'feature-ipc' branch. The support of NSPM for IPC will come later. Is their a feature rollout schedule that I can follow? > The TZ_LoadContext_S() and TZ_StoreContext_S() need to be called every time while secure service accessed NS thread get entering/leaving. It is not combined into one function, because not all NS threads need to access secure service. For those NS threads which do not need to access secure service, these TZ_ APIs are unnecessary to be called. For example, if NS scheduler switches from one secure service accessed thread into the other generic thread, only TZ_StoreContext_S() needs to be called before context switching. To avoid the rather burdensome overhead of calling into the SPM twice on those NS context switches in which either the leaving or entering contexts are secure accessing threads, I propose that a NULL TZ_MemoryId_t be defined so that a single TZ_SwitchContext_S() function with two TZ_MemoryId_t arguments can be called. The NULL TZ_MemoryId_t would be passed to identify an entering or leaving context that is not secure accessing. > The method of blocking the caller client is based on scenarios. If there are some 'wait' is necessary while secure service is working (waiting for secure hardware IRQ as an example), the method you mentioned may be involved (special return value with an NS IRQ notification). This functionality is not in place right now. > > -Ken > >> -----Original Message----- >> From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of >> DeMars, Alan via TF-M >> Sent: Sunday, February 3, 2019 9:17 AM >> To: tf-m(a)lists.trustedfirmware.org >> Subject: [Tf-m] Non-secure Client Management >> >> Regarding the Non-secure Client Management proposal: >> >> >> https://developer.trustedfirmware.org/w/tf_m/design/ns_client_managem >> ent/ >> >> I notice that the veneers for the proposed APIs are in s_veneers.o. >> Does this mean that the proposal has been adopted and implemented? Is >> it functional in the current feature-ipc branch? >> >> I have a question about the TZ_LoadContext_S() and TZ_StoreContext_S() APIs: >> Is it expected that each context switch in the NS world will be >> signaled by calls to each of these APIs indicating the "entering" >> context and "leaving" context respectively? If so, then why not >> collapse these two APIs into one called >> TZ_SwitchContext__S() and pass both the "entering" and "leaving" >> TZ_MemoryId_t's as arguments? >> >> Or is TZ_StoreContext_S() only to be called when a NS context will >> never call into the SPM again? If that is the case, why isn't >> TZ_FreeModuleContext_S() sufficient? >> >> Regarding the "Concurrent secure service requests" discussion, what >> does "a non-secure client is blocked on an asynchronous secure service completion"? >> Would this be achieved by a special return status from psa_call() >> indicating that the current service request is in process and will >> complete later on? The psa_call() calling thread would then block on >> a semaphore that would be released by a dedicated NS IRQ interrupt? Is any of this functionality in place yet? >> >> Alan

5 years, 3 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

TF-M