- TF-M - lists.trustedfirmware.org

Please explain tfm_register_client_id() use case

by DeMars, Alan

As currently specified, I don't see a simple way to invoke the tfm_register_client_id() API ONLY ONCE for each NS client thread. It appears that tfm_register_client_id() must be called after TZ_LoadContext_S() because the clientId provided by tfm_register_client_id() is always associated with the CURRENT NS MemoryId. However, TZ_LoadContext_S() is designed to be called only when the NS OS actually switches to a new NS thread. This creates pressure for tfm_register_client_id() to be called during a NS thread switch. However, calling tfm_register_client_id() on EVERY NS context switch is redundant and CPU wasteful. Adding code to test whether tfm_register_client_id() has already been called for a particular NS thread also seems wasteful. What seems natural to me is to add a MemoryId argument to tfm_register_client_id() so that the clientID can be mapped to the MemoryId provided by TZ_AllocModuleContext_S() right after TZ_AllocModuleContext_S() is called (ie only once). Please correct my understanding of how tfm_register_client_id() is intended to be used if the above analysis is off base. Alan

6 years, 2 months

1
0
0 0

Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M

by Andrej Butok

Hi David, > Using shared libraries may give the window to exploit the vulnerabilities. Yes, you are right. BUT Code size may be a very critical parameter especially for constrained MCUs. Please do not give any mandatory limits. If any, they should be configurable. Let's give a possibility to choose for final users. BTW: 1) Current TF-M is using library approach with mbedTLS copy per each service. OK, security => but wasting of resources. In our code, we are using one copy of mbedTLS to avoid this type of wasting, but it requires original code modification. Please, give more freedom to final TFM users! 2) Why the TFM services (SST, attestation) do not call PSA Crypto API? It will eliminates mbedTLS duplication. Thanks, Andrej -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of David Wang (Arm Technology China) via TF-M Sent: Monday, March 25, 2019 10:57 AM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M Hi Ken, Some comments from security review's perspective. * Using shared libraries may give the window to exploit the vulnerabilities. App RoT can analyze the shared lib to find out the useable vulnerabilities for attacking PSA RoT. * Is it a good idea to have two separate shared libs - one for all app RoT and one for all PSA RoT for isolation level2? (can still share one copy for level1.) Regards, David Wang Arm Electronic Technology (Shanghai) Co., Ltd Phone: +86-21-6154 9142 (ext. 59142) -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu (Arm Technology China) via TF-M Sent: Monday, March 25, 2019 5:05 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M Hi, The document is updated due to a change in MPU regions part: In original design, some partition libraries like 'thread_exit' is going to be linked with partition statically, which means there would be multiple copies of these libraries for each partition. This provided strict protection of isolation but it looks over-protect. If we keep one shared code region for each partition to call these libraries, we could: * Save memory * The protection is enough if we mark the code area as read-only. In this case, the unprivileged code and RO region needs to be kept and these shared codes could be put there. The requirement of these codes are: * These codes must be thread safe and reentrant * These codes must be put in read-only region The change mainly happen under section "Linker script sections re-arrangement". Please help to comment. Thanks! -Ken > -----Original Message----- > From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken > Liu (Arm Technology China) via TF-M > Sent: Thursday, March 21, 2019 3:20 PM > To: tf-m(a)lists.trustedfirmware.org > Cc: nd <nd(a)arm.com> > Subject: Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M > > Hi, > The document is updated, and keep open for comments ; ) > > The updated content is: > > 1. Available MPU regions for peripheral has number limitation based > on platform. If a SP needs many un-continuous peripheral registers and > the number exceeds available MPU number, it needs further investigation. > 2. Rely on linker to clean the unused object files instead of > remove them in scatter before the dependency is fully figured out. > > Thanks! > > -Ken > > From: Ken Liu (Arm Technology China) > Sent: Tuesday, February 19, 2019 6:44 PM > To: tf-m(a)lists.trustedfirmware.org > Cc: nd <nd(a)arm.com> > Subject: [RFC] Design document of isolation level 2 on TF-M > > Hello, > The first IPC implementation works under isolation level 1. The high > isolation levels need to be there to get compatible with PSA Firmware > Framework. A design document is created about implementing isolation level 2 for IPC model: > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdeve > loper.trustedfirmware.org%2Fw%2Ftf_m%2Fdesign%2Ftrusted_firmware-& > data=02%7C01%7Candrey.butok%40nxp.com%7C6a9c2cb6a5034aec48b908d6b10845 > 48%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C636891046406628979&amp > ;sdata=yPus0lkd4L71ng5Z5o2hu2bDEMBAzSwUxAm1fyYf564%3D&reserved=0 > m_isolation_level_2/ > > The mainly change of isolation level 2 compare to isolation level 1 is: > * Put AppRoT Secure Partitions' components with same attribute (code, > read- only data, read-write data) into the same region, which helps > MPU setting region attributes. > * Change Secure Partition privileged setting based on Secure Partition > type while scheduling. > * Change mechanism of privileged API, such as printf. > > If you have any comments please share it. You can reply in mailing > list if there is no place for putting comments on the page. > > Thank you! > > -Ken > > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist > s.trustedfirmware.org%2Fmailman%2Flistinfo%2Ftf-m&data=02%7C01%7Ca > ndrey.butok%40nxp.com%7C6a9c2cb6a5034aec48b908d6b1084548%7C686ea1d3bc2 > b4c6fa92cd99c5c301635%7C0%7C0%7C636891046406638984&sdata=7Wva1R6Lv > EKMxCpaVr6gRE26Fodub%2FPTQlLOiB2YvX0%3D&reserved=0 -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru… -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru…

6 years, 2 months

1
0
0 0

Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M

by David Wang (Arm Technology China)

Hi Ken, Some comments from security review's perspective. * Using shared libraries may give the window to exploit the vulnerabilities. App RoT can analyze the shared lib to find out the useable vulnerabilities for attacking PSA RoT. * Is it a good idea to have two separate shared libs - one for all app RoT and one for all PSA RoT for isolation level2? (can still share one copy for level1.) Regards, David Wang Arm Electronic Technology (Shanghai) Co., Ltd Phone: +86-21-6154 9142 (ext. 59142) -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu (Arm Technology China) via TF-M Sent: Monday, March 25, 2019 5:05 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M Hi, The document is updated due to a change in MPU regions part: In original design, some partition libraries like 'thread_exit' is going to be linked with partition statically, which means there would be multiple copies of these libraries for each partition. This provided strict protection of isolation but it looks over-protect. If we keep one shared code region for each partition to call these libraries, we could: * Save memory * The protection is enough if we mark the code area as read-only. In this case, the unprivileged code and RO region needs to be kept and these shared codes could be put there. The requirement of these codes are: * These codes must be thread safe and reentrant * These codes must be put in read-only region The change mainly happen under section "Linker script sections re-arrangement". Please help to comment. Thanks! -Ken > -----Original Message----- > From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken > Liu (Arm Technology China) via TF-M > Sent: Thursday, March 21, 2019 3:20 PM > To: tf-m(a)lists.trustedfirmware.org > Cc: nd <nd(a)arm.com> > Subject: Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M > > Hi, > The document is updated, and keep open for comments ; ) > > The updated content is: > > 1. Available MPU regions for peripheral has number limitation based > on platform. If a SP needs many un-continuous peripheral registers and > the number exceeds available MPU number, it needs further investigation. > 2. Rely on linker to clean the unused object files instead of > remove them in scatter before the dependency is fully figured out. > > Thanks! > > -Ken > > From: Ken Liu (Arm Technology China) > Sent: Tuesday, February 19, 2019 6:44 PM > To: tf-m(a)lists.trustedfirmware.org > Cc: nd <nd(a)arm.com> > Subject: [RFC] Design document of isolation level 2 on TF-M > > Hello, > The first IPC implementation works under isolation level 1. The high > isolation levels need to be there to get compatible with PSA Firmware > Framework. A design document is created about implementing isolation level 2 for IPC model: > https://developer.trustedfirmware.org/w/tf_m/design/trusted_firmware- > m_isolation_level_2/ > > The mainly change of isolation level 2 compare to isolation level 1 is: > * Put AppRoT Secure Partitions' components with same attribute (code, > read- only data, read-write data) into the same region, which helps > MPU setting region attributes. > * Change Secure Partition privileged setting based on Secure Partition > type while scheduling. > * Change mechanism of privileged API, such as printf. > > If you have any comments please share it. You can reply in mailing > list if there is no place for putting comments on the page. > > Thank you! > > -Ken > > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

6 years, 2 months

1
0
0 0

Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M

by Ken Liu (Arm Technology China)

Hi, The document is updated due to a change in MPU regions part: In original design, some partition libraries like 'thread_exit' is going to be linked with partition statically, which means there would be multiple copies of these libraries for each partition. This provided strict protection of isolation but it looks over-protect. If we keep one shared code region for each partition to call these libraries, we could: * Save memory * The protection is enough if we mark the code area as read-only. In this case, the unprivileged code and RO region needs to be kept and these shared codes could be put there. The requirement of these codes are: * These codes must be thread safe and reentrant * These codes must be put in read-only region The change mainly happen under section "Linker script sections re-arrangement". Please help to comment. Thanks! -Ken > -----Original Message----- > From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu > (Arm Technology China) via TF-M > Sent: Thursday, March 21, 2019 3:20 PM > To: tf-m(a)lists.trustedfirmware.org > Cc: nd <nd(a)arm.com> > Subject: Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M > > Hi, > The document is updated, and keep open for comments ; ) > > The updated content is: > > 1. Available MPU regions for peripheral has number limitation based on > platform. If a SP needs many un-continuous peripheral registers and the number > exceeds available MPU number, it needs further investigation. > 2. Rely on linker to clean the unused object files instead of remove them in > scatter before the dependency is fully figured out. > > Thanks! > > -Ken > > From: Ken Liu (Arm Technology China) > Sent: Tuesday, February 19, 2019 6:44 PM > To: tf-m(a)lists.trustedfirmware.org > Cc: nd <nd(a)arm.com> > Subject: [RFC] Design document of isolation level 2 on TF-M > > Hello, > The first IPC implementation works under isolation level 1. The high isolation > levels need to be there to get compatible with PSA Firmware Framework. A > design document is created about implementing isolation level 2 for IPC model: > https://developer.trustedfirmware.org/w/tf_m/design/trusted_firmware- > m_isolation_level_2/ > > The mainly change of isolation level 2 compare to isolation level 1 is: > * Put AppRoT Secure Partitions' components with same attribute (code, read- > only data, read-write data) into the same region, which helps MPU setting > region attributes. > * Change Secure Partition privileged setting based on Secure Partition type while > scheduling. > * Change mechanism of privileged API, such as printf. > > If you have any comments please share it. You can reply in mailing list if there is > no place for putting comments on the page. > > Thank you! > > -Ken > > -- > TF-M mailing list > TF-M(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-m

6 years, 2 months

1
0
0 0

Re: [TF-M] English topics

by Summer Qin (Arm Technology China)

Really sorry! sent by mistake. On 3/21/19, 5:41 PM, "TF-M on behalf of Summer Qin (Arm Technology China) via TF-M" <tf-m-bounces(a)lists.trustedfirmware.org on behalf of tf-m(a)lists.trustedfirmware.org> wrote: IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

6 years, 3 months

1
0
0 0

English topics

by Summer Qin (Arm Technology China)

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years, 3 months

1
0
0 0

[RFC] Design document of SST IPC model

by Summer Qin (Arm Technology China)

Hi, The design document of SST IPC compatibility has been updated due to SST supports Protected Storage API now. Please take a look at the document and give feedback if you have: https://developer.trustedfirmware.org/w/tf_m/design/sst_ipc_compatibility/ Thanks a lot! Summer

6 years, 3 months

1
0
0 0

File attribute and line ending in sources

by Edison Ai (Arm Technology China)

Hi， I created two patches to fix the line ending and file attribute problem in the source code. Could you take a look that these patches and mind the file attribute and line ending change while submitting patches? Patches links are here: * https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/723/ * https://review.trustedfirmware.org/#/c/trusted-firmware-m/+/724/ Thanks, Edison

6 years, 3 months

1
0
0 0

[RFC] Design document of isolation level 2 on TF-M

by Ken Liu (Arm Technology China)

Hello, The first IPC implementation works under isolation level 1. The high isolation levels need to be there to get compatible with PSA Firmware Framework. A design document is created about implementing isolation level 2 for IPC model: https://developer.trustedfirmware.org/w/tf_m/design/trusted_firmware-m_isol… The mainly change of isolation level 2 compare to isolation level 1 is: * Put AppRoT Secure Partitions' components with same attribute (code, read-only data, read-write data) into the same region, which helps MPU setting region attributes. * Change Secure Partition privileged setting based on Secure Partition type while scheduling. * Change mechanism of privileged API, such as printf. If you have any comments please share it. You can reply in mailing list if there is no place for putting comments on the page. Thank you! -Ken

6 years, 3 months

1
1
0 0

Re: [TF-M] IPC and clang

by Edison Ai (Arm Technology China)

Hi Andrej, For you question, please see my comments: If I understand well, the Crypto, SST and Attestation services do not use IPC, so far. Right? - Yes. Should the SST/Crypto/Attestation services be disabled when IPC is enabled? - No, we do not have to disable them. May the Library and IPC APIs be used simultaneously? - Yes. When using " ConfigCoreIPC.cmake" configure file with enabling the " REGRESSION", you can see all the regression test can work. What part of TFM is using IPC? - There are two IPC test partitions to use the IPC: trusted-firmware-m/test/test_services/tfm_ipc_client and trusted-firmware-m/test/test_services/tfm_ipc_service. They are used to do basic IPC function tests. Thanks, Edison -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Andrej Butok via TF-M Sent: Wednesday, March 20, 2019 3:36 PM To: tf-m(a)lists.trustedfirmware.org Subject: Re: [TF-M] IPC and clang Hi Edison, If I understand well, the Crypto, SST and Attestation services do not use IPC, so far. Right? Should the SST/Crypto/Attestation services be disabled when IPC is enabled? May the Library and IPC APIs be used simultaneously? What part of TFM is using IPC? Thanks, Andrej -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Edison Ai (Arm Technology China) via TF-M Sent: Wednesday, March 20, 2019 8:22 AM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] IPC and clang Hi Andrej, We tested the IPC works on Musca A but not try it on Musca B yet. The current IPC related patches are used to enable IPC mechanism, but services such as crypto, protect storage and attestation are yet to make use of IPC. Thanks, Edison -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Andrej Butok via TF-M Sent: Tuesday, March 19, 2019 6:06 PM To: tf-m(a)lists.trustedfirmware.org Subject: Re: [TF-M] IPC and clang Hi Edison, OK. So, according to https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tr… the armclang IPC was added only to one platform (target/mps2/an521/armclang/mps2_an521_s.sct). What about Musca A and Musca B? Thanks, Andrej -----Original Message----- From: Edison Ai (Arm Technology China) <Edison.Ai(a)arm.com> Sent: Tuesday, March 19, 2019 9:52 AM To: Andrej Butok <andrey.butok(a)nxp.com> Cc: nd <nd(a)arm.com> Subject: RE: IPC and clang Hi Andrej, You can see the log history of master branch: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.trust…p;reserved=0. All the IPC patches had been existed in master branch. You can use the master branch now, all the IPC functions had been ready for GCC and ARMCLANG. Thanks, Edison -----Original Message----- From: Andrej Butok <andrey.butok(a)nxp.com> Sent: Tuesday, March 19, 2019 4:43 PM To: Edison Ai (Arm Technology China) <Edison.Ai(a)arm.com> Cc: nd <nd(a)arm.com> Subject: RE: IPC and clang Hi Edison, https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.trust… master head the latest commit is still 4-day old (4 days Core: Retrieve extra parameter from correct positionHEADmaster Summer Qin). Should I wait some time till it will be propagated to the public git? Thanks, Andrej -----Original Message----- From: Edison Ai (Arm Technology China) <Edison.Ai(a)arm.com> Sent: Tuesday, March 19, 2019 9:26 AM To: Andrej Butok <andrey.butok(a)nxp.com> Cc: nd <nd(a)arm.com> Subject: RE: IPC and clang Hi Andrej, You are welcome. Now, the "feature-ipc" branch had been merge into the master branch with the merge patch mentioned below. So all the patches in "feature-ipc" branch had been merge into master too. You can find the related IPC patch in the log history of master branch. The IPC can works rightly in GCC and ARMCLANG on master branch. Thanks, Edison -----Original Message----- From: Andrej Butok <andrey.butok(a)nxp.com> Sent: Tuesday, March 19, 2019 4:10 PM To: Edison Ai (Arm Technology China) <Edison.Ai(a)arm.com> Cc: nd <nd(a)arm.com> Subject: RE: IPC and clang Thanks Adison, Yes, we are using the master branch. When are you planning to merge the mentioned fix to the mainline? Thanks, Andrej -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Edison Ai (Arm Technology China) via TF-M Sent: Tuesday, March 19, 2019 9:00 AM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] IPC and clang Hi Andrej, I think you mention the "Merge remote-tracking branch 'feature-ipc' into 'master" patch: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tr…p;reserved=0. This is a merge patch to fix the merge conflicts. The original patch to support to change the linker file is here: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Freview.tr…p;reserved=0. You can see both the linker files for GCC and ARMCLANG are changed. IPC had been developed and tested on both the GCC and ARMLANG already. Thanks for your question. Edison -----Original Message----- From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Andrej Butok via TF-M Sent: Tuesday, March 19, 2019 3:35 PM To: tf-m(a)lists.trustedfirmware.org Subject: [TF-M] IPC and clang Hello, I have noticed, that with adding the IPC feature to master branch, it were updated GCC linker files (#ifdef TFM_PSA_API sections), but ARMCLANG linker files are without any change. Does it mean that IPC was developed and tested only using GCC? Is there a plan to updated the armclang linker files? Thanks, Andrej Butok -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru… -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru… -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru… -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru… -- TF-M mailing list TF-M(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m

6 years, 3 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

TF-M