Hi colleagues!
Could we get a list of MISRA/CERT-C violations that were found by tf-m Coverity CI, as example from https://ci.trustedfirmware.org/job/tf-m-coverity/lastSuccessfulBuild/
Also (if it possible), could you provide Coverity configs to help align this tool setup on our side to CI and to check all changes before any pool requests?
Best regards,
Kostiantyn Tkachov
Cypress Semiconductor Ukraine
Firmware Security
Hello,
I am writing to you asking help because we are having problems when I try to compile the Trusted Firmware M from source code.
I downloaded the code from the official repository: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git
I moved to the last TAG: TF-Mv1.5.0
I am following this tutorial for PSOC64 platform https://tf-m-user-guide.trustedfirmware.org/platform/ext/target/cypress/pso…
When I execute the first cmake command indicating the platform and the toolchain everything works well: cmake -DTFM_PLATFORM=cypress/psoc64 -DTFM_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake ..
The problems appears when I build the code using the second cmake command: cmake --build cmake_build -- -j
I got this output
[cid:image003.jpg@01D82A77.95B43640]
/home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c: In function 't_cose_crypto_pub_key_verify':
/home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c:145:5: error: conversion to non-scalar type requested
145 | verification_key_psa = (psa_key_handle_t)verification_key.k.key_handle;
| ^~~~~~~~~~~~~~~~~~~~
/home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c: In function 't_cose_crypto_pub_key_sign':
/home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c:194:5: error: conversion to non-scalar type requested
194 | signing_key_psa = (psa_key_handle_t)signing_key.k.key_handle;
| ^~~~~~~~~~~~~~~
/home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c: In function 't_cose_crypto_sig_size':
/home/admin/Escritorio/trusted-firmware-m/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c:245:5: error: conversion to non-scalar type requested
245 | signing_key_psa = (psa_key_handle_t)signing_key.k.key_handle;
| ^~~~~~~~~~~~~~~
secure_fw/partitions/internal_trusted_storage/CMakeFiles/tfm_psa_rot_partition_its.dir/build.make:425: recipe for target 'secure_fw/partitions/internal_trusted_storage/CMakeFiles/tfm_psa_rot_partition_its.dir/__/__/__/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.o' failed
make[2]: *** [secure_fw/partitions/internal_trusted_storage/CMakeFiles/tfm_psa_rot_partition_its.dir/__/__/__/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.o] Error 1
make[2]: *** Waiting for unfinished jobs....
CMakeFiles/Makefile2:1347: recipe for target 'secure_fw/partitions/internal_trusted_storage/CMakeFiles/tfm_psa_rot_partition_its.dir/all' failed
make[1]: *** [secure_fw/partitions/internal_trusted_storage/CMakeFiles/tfm_psa_rot_partition_its.dir/all] Error 2
Makefile:135: recipe for target 'all' failed
make: *** [all] Error 2
There are the version of the software that are using:
arm-none-eabi-gcc (GNU Arm Embedded Toolchain 10.3-2021.10) 10.3.1 20210824 (release)
cmake version 3.23.0-rc2
It seems strange to me that there are compilation errors in the source code, that's why I am writing this mail, in case there is a bug in the code.
Best regards.
Antonio Javier Cabrera Gutierrez
Infineon Technologies AG
PhD Candidate
R&D Engineer
IFAG BEX RDE RDF ISS
Office: +49 89 234 36403
Mobile: +49 151 181 34322
AntonioJavier.CabreraGutierrez(a)infineon.com<mailto:AntonioJavier.CabreraGutierrez@infineon.com>
Am Campeon 1-15
85579 Neubiberg
Germany
www.infineon.com<http://www.infineon.com> Discoveries<http://www.infineon.com/discoveries> Facebook<http://www.facebook.com/infineon> Twitter<http://www.twitter.com/Infineon> LinkedIn<http://www.linkedin.com/company/infineon-technologies>
Part of your life. Part of tomorrow.
Infineon Technologies AG
Chairman of the Supervisory Board: Dr. Wolfgang Eder
Management Board: Dr. Reinhard Ploss (CEO), Dr. Helmut Gassel, Jochen Hanebeck, Dr. Sven Schneider
Registered Office: Neubiberg
Commercial Register: München HRB 126492
This e-mail and any attachments are confidential. They are intended solely for the attention and use of the named addressee(s). If you are not the named addressee(s) you must not use, disclose, retain or reproduce all or any part of the information contained in this e-mail or any attachments. Any unauthorized use or disclosure may be unlawful. If you have received this e-mail by mistake, please inform the sender immediately and delete it and all copies from your system and destroy any hard copies of it.
Hi all,
We are currently testing the tfm-m implementation on a STMicroelectronic chip: stm32u5 board.
This stm32u5 has a special register: SYSCFG_CSLOCKR (see https://www.st.com/resource/en/reference_manual/rm0456-stm32u575585-armbase…). This register allows to lock the PRIS bit of the AIRCR register from further modification.
The issue here is that, in the ST implementation, thanks to this SYSCFG_CSLOCKR, the PRIS bit of the AIRCR is locked at boot (Reset_Handler in file startup_stm32u5xx_s.c). Resulting in the function tfm_arch_set_secure_exception_priorities() not being able to set the PRIS bit of the AIRCR. This situation lead to big issues at runtime as interrupt priority of NSPE are able to pre-empt interrupt of SPE.
Disabling the locking of PRIS bit solve our problem but currently we don't see a clean way to integrate chip specific security features (something like callback/tfm_hal_ ) after the function tfm_arch_set_secure_exception_priorities() has been called.
What would be the best way to fix the current issue which could also arise on other platform ?
Regards,
Romain
Hi all,
As part of the documentation improvements, a new design proposal guideline [1] is proposed to replace and simplify the current process.
The basic idea is to encourage developers to share their design via mailing list and tech forum, without a well-formatted design document.
If developers prefer a document for a new feature, please provide an integration guide/user manual instead.
Please check the details in the patch below.
[1] https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/14104
The rendered html version: https://ci-builds.trustedfirmware.org/static-files/KTOoRMhB4VsgNQFkdMgWZcZG…
Best regards,
Hu Ziji
Hello,
I am trying to write an Application RoT for a research project I am a part of. I have run into an issue that I have been unable to solve independently.
My problem is the unexpected behavior of psa_wait() when using signal masks.
I have two signals, TFM_TIMER1_IRQ_SIGNAL and TFM_SECURE_FUNCTION_SIGNAL. The TIMER1_IRQ signal is triggered by an FLIH interrupt handler that returns TFM_FLIH_SIGNAL. The interrupt is triggered every 1 second by TIMER1. The TFM_SECURE_FUNCTION_SIGNAL is triggered by a periodic function call from the NSPE (a Zephyr thread) and is called every 10 seconds.
Observed result:
If PSA_WAIT_ANY is used as a signal mask, the TIMER0_IRQ_SIGNAL will only be received when TFM_SECURE_FUNCTION_SIGNAL is received, ergo, every 10 s. Thus any stage 2 handling of an interrupt would be missed.
If TFM_TIMER1_IRQ_SIGNAL is used as a signal mask, the signal will be received every 1 s as expected. The TFM_SECURE_FUNCTION_SIGNAL will never be received, as can be expected in the NSPEtoo.
I have tried a "hybrid approach" where I call psa_wait(TFM_TIMER1_IRQ_SIGNAL, PSA_BLOCK) /* handle signals .... */ and then psa_wait(TFM_SECURE_FUNCTION_SIGNAL, PSA_POLL). The stage 2 IRS is called, and the secure function is also called. But not with the regularity that I would like.
Am I missing something obvious? I have read the Secure Interrupt Integration Guide and carefully studied the SLIH and FLIH test services for the TF-M regression tests. Have I forgotten to reset a signal somewhere? Does the interrupt not preempt the NSPE?
I would be immensely grateful for any or all responses. If you need more information, please let me know.
Best wishes,
Martin Gunnarsson
PhD Student
RISE Research Institutes of Sweden & Lund University
Complete code of my Application RoT:
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include "tfm_api.h"
#include "tfm_secure_api.h"
#include "psa/service.h"
#include "tfm_sp_log.h"
#include "psa_manifest/pid.h"
#include "psa_manifest/tfm_secure_partition.h"
#include <hal/nrf_gpio.h>
#include <hal/nrf_timer.h>
#include <helpers/nrfx_reset_reason.h>
#include <nrf_board.h>
#include <region_defs.h>
#define TIMER_RELOAD_VALUE (1*1024*1024)
static volatile uint32_t interrupt_ctr = 0;
static volatile uint32_t function_ctr = 0;
static void timer_init(NRF_TIMER_Type * TIMER)
{
nrf_timer_mode_set(TIMER, NRF_TIMER_MODE_TIMER);
nrf_timer_bit_width_set(TIMER, NRF_TIMER_BIT_WIDTH_32);
nrf_timer_frequency_set(TIMER, NRF_TIMER_FREQ_1MHz);
nrf_timer_cc_set(TIMER, NRF_TIMER_CC_CHANNEL0, TIMER_RELOAD_VALUE);
/* Clear the timer once event is generated. */
nrf_timer_shorts_enable(TIMER, NRF_TIMER_SHORT_COMPARE0_CLEAR_MASK);
}
static void timer_stop(NRF_TIMER_Type * TIMER)
{
nrf_timer_task_trigger(TIMER, NRF_TIMER_TASK_STOP);
nrf_timer_int_disable(TIMER, NRF_TIMER_INT_COMPARE0_MASK);
nrf_timer_event_clear(TIMER, NRF_TIMER_EVENT_COMPARE0);
}
static void timer_start(NRF_TIMER_Type * TIMER)
{
timer_stop(TIMER);
nrf_timer_task_trigger(TIMER, NRF_TIMER_TASK_CLEAR);
nrf_timer_int_enable(TIMER, NRF_TIMER_INT_COMPARE0_MASK);
nrf_timer_task_trigger(TIMER, NRF_TIMER_TASK_START);
}
static void timer_event_clear(NRF_TIMER_Type *TIMER)
{
nrf_timer_event_clear(TIMER, NRF_TIMER_EVENT_COMPARE0);
}
void tfm_secure_controller_secure_timer_start(void)
{
timer_init(NRF_TIMER1);
timer_start(NRF_TIMER1);
}
void tfm_secure_controller_secure_timer_clear_intr(void)
{
timer_event_clear(NRF_TIMER1);
}
psa_flih_result_t tfm_timer1_irq_flih(void)
{
tfm_secure_controller_secure_timer_clear_intr();
interrupt_ctr++;
return PSA_FLIH_SIGNAL;
}
static psa_status_t tfm_sp_secure_function_ipc(psa_msg_t *msg)
{
function_ctr++;
LOG_INFFMT("Secure function called %u times, interrupt ctr: %u\n", function_ctr, interrupt_ctr );
return PSA_SUCCESS;
}
void tfm_sp_secure_function(psa_msg_t *msg) {
psa_status_t status;
status = tfm_sp_secure_function_ipc(msg);
psa_reply(msg->handle, status);
}
void tfm_sp_entry(void)
{
LOG_INFFMT("Secure Partition: Init\n");
tfm_secure_controller_secure_timer_start();
psa_irq_enable(TFM_TIMER1_IRQ_SIGNAL);
psa_signal_t signals = 0;
uint32_t ctr = 0;
while (1) {
signals = psa_wait(TFM_TIMER1_IRQ_SIGNAL, PSA_BLOCK);
if ( (signals & TFM_TIMER1_IRQ_SIGNAL) == TFM_TIMER1_IRQ_SIGNAL) {
ctr++;
LOG_INFFMT("FLIH stage 2 %u\n", interrupt_ctr);
psa_reset_signal(TFM_TIMER1_IRQ_SIGNAL);
}
if ( ctr % 10 == 0 ) {
signals = psa_wait(PSA_WAIT_ANY, PSA_POLL);
if ( (signals & TFM_SECURE_FUNCTION_SIGNAL) == TFM_SECURE_FUNCTION_SIGNAL) {
psa_msg_t msg;
psa_get(signals, &msg);
tfm_sp_secure_function(&msg);
}
}
}
}
Hi,
in the effort to ease debugging by supporting a choice between halting and rebooting
we are introducing a new HAL API:
void tfm_hal_system_halt(void)
which by default (weak) does:
__disable_irq();
while(1) { __WFE(); }
CPUs cannot halt. But they can sleep until they are awoken in a loop, which is pretty close.
tfm_hal_system_halt() is, when configured so, used by tfm_core_panic() which is why we disable irqs
to stop all threads of execution, not just the thread that is executing.
Currently it is proposed that tfm_core_panic() halts when TFM_HALT_ON_CORE_PANIC is ON
and otherwise reboots.
TFM_HALT_ON_CORE_PANIC is default ON if and only if Debug mode is enabled.
Any feedback to these changes are welcome, and if any platform needs to halt in a different manner
then a contribution would be welcome as well.
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/13839
Hi, all
I'd like to share two new refinements in TF-M test repo to you.
l The struct variable test_result_t has been removed from the definition of struct variable test_t. It is unnecessary to set an initial value of test result for each case. With this change, the binary size will be reduced. Please see [test patch]<https://review.trustedfirmware.org/c/TF-M/tf-m-tests/+/13822/4> for more details.
l The flag TEST_SKIPPED has been added into enum variable test_status_t, works with TEST_PASSED and TEST_FAILED. TEST_SKIPPED indicates that the test case is skipped in runtime when the test environment is unavailable. Please ee [test patch]<https://review.trustedfirmware.org/c/TF-M/tf-m-tests/+/13826/5> for more details.
Hope these two changes can help your work in the future. Please let me know if anything can be improved. Thanks!
Best Regards
Jianliang Shen
Hi,
the performance improvement presentation[0] reports a FF PSA API overhead
of 20 000 CPU cycles for the psa_call. Which is 300 us for a 64MHz CPU.
This is quite a lot of instructions and I am concerned about whether
real world embedded application's will have time to call these secure services.
I'm interested in isolation level 2.
I understand that it is not possible to have isolation level 2 with library mode. But what about SFN
mode, could that eventually support isolation level 2?
If not, what is the current status of optimizing the service call overhead for IPC.
Is it considered to be as optimized as it can be or is there still hope for optimizing further?
[0] https://www.trustedfirmware.org/docs/tf-m_forum_20211209-TF-M_Performance-I…
Hi,
The next Technical Forum is planned on Thursday, February 17, 15:00-16:00 UTC (US time zone).
Please reply on this email with your proposals for agenda topics.
Recording and slides of previous meetings are here:
https://www.trustedfirmware.org/meetings/tf-m-technical-forum/
Best regards,
Anton
Hi,
We got a tiny update merged in level 3 ld/sct files to support partition runtime:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/13925
Platforms with level 3 support please have a test and report issue here if spotted. We have internally tested MPS2 and MUSCA_B1.
Thanks.
/Ken