- TF-M - lists.trustedfirmware.org

BL2 builds, no "PYTHON_EXECUTABLE" defined

by Thomas Törnblom

While attempting to build for the musca_s1, with mcuboot, on Windows, the build failed very late and brought up a Code Writer window on my screen. I nailed it down to no "PYTHON_EXECUTABLE" being defined while processing bl2/ext/mcuboot/CMakeLists.txt, which caused the build line to just attempt to run wrapper.py, with no interpreter, and windows brought up the appropriate tools to write python code. Adding "-DPYTHON_EXECUTABLE=python" to the cmake line fixed that, but it seems that this shouldn't be needed. The build tools should handle this, or? There is a line: #! /usr/bin/env python3 in wrapper.py, and I assume linux will handle this appropriately, but it doesn't seem windows does. Cheers, Thomas -- *Thomas Törnblom*, /Product Engineer/ IAR Systems AB Box 23051, Strandbodgatan 1 SE-750 23 Uppsala, SWEDEN Mobile: +46 76 180 17 80 Fax: +46 18 16 78 01 E-mail: thomas.tornblom(a)iar.com Website: www.iar.com <http://www.iar.com> Twitter: www.twitter.com/iarsystems <http://www.twitter.com/iarsystems>

2 years, 11 months

2
1
0 0

Flash definitions usage

by Bohdan.Hunko＠infineon.com

Hi everyone, I was trying to understand usage of TOTAL_ROM_SIZE and FLASH_TOTAL_SIZE from musca_b1/sse_200/partitions/flash_layout.h file. I haven't found any usage of these definitions. Does anyone know what is the reason to have them defined? Regards, Bohdan Hunko Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko(a)infineon.com<mailto:Bohdan.Hunko@infineon.com>

2 years, 11 months

1
0
0 0

Inline asm syntax unified and symbol reference in IAR toolchain

by Ken Liu

Hi Thomas and all, I noticed there are some #if !defined(__ICCARM__) ".syntax unified \n" #endif In source code, looks like ".syntax unified" is not support in IAR, is that true? If it could not be supported in a short term, we can define some wrapper such as: #ifdef __ICCARM__ #define CLAIM_SYNTAX_UNIFIED "\n" #else #define CLAIM_SYNTAX_UNIFIED ".syntax unified \n" #endif Another question is about the: #if defined(__ICCARM__) #pragma required = do_schedule #endif If we claim do_schedule in the constraints, is the above "#pragma required" still needed? __asm (".... :: "i"(do_schedule)); We can create a patch to test this - using a constraint looks more proper. Thanks. /Ken

2 years, 11 months

2
5
0 0

Re: [TF-M] System reset

by Andrew Thoelke

Hi Sebastian, The section in the Platform Security Model is describing the behavior of a system reset – the recommendation is that any preceding runtime state (in volatile memory, or in CPU or peripheral registers) does not influence the execution of the reboot. This is except for an optional suspend or hibernate state, which explicitly maintains runtime state while powering off most or all of the system and will resume via a CPU reset. System security requirements might require explicit clearing of volatile memory on reset to prevent cold-boot style attacks that could allow an attacker to read any residual RAM contents – although software-based attacks of this kind are partly mitigated by trusted boot, which prevents an attacker from running arbitrary code at reset (unlike devices that boot from untrusted flash memory). The specific bullet list in the PSA Firmware Framework for M (in §3.5.1 on Panics) is describing the challenges for an implementation that does NOT do the recommended action of resetting the system when a Secure Partition panics, which justifies the recommendation to reset the system. If the SPM does reset the system, then the challenges in that bullet list are avoided. The issues listed are: > * An individual Secure Partition cannot be reset and restarted in isolation. > * A Secure Partition may have state maintained on behalf of clients that will be destroyed when restarting the service. There is no mechanism to re-synchronize the clients. > * It is not possible to determine at the point of panic how much corruption has occurred within the Secure Partition and elsewhere in the SPE. If the SPM only restarted the Secure Partition that panicked, then any previous runtime state within that Secure Partition is lost, including any ongoing connections with clients of services within that partition, or any resources that those services were managing for their clients. FF-M does not provide a specified mechanism for such clients to be informed that the connections are broken, and there is no way to provide a general strategy that allows a client to recover from a service failure. This is what is meant by “There is no mechanism to re-synchronize the clients.”. I have just realized that in FF-M 1.1, there may be scenarios in which restarting a Secure Partition could be justified and technically feasible. If a Secure Partition with only Stateless services maintains no client state or resources, and also maintains no connections to other RoT Services (so there are no RoT Services maintaining state for this Secure Partition) – then restarting this Secure Partition might not suffer from the first two complications listed in §3.5.1. The third issue is harder to control: the risks from the data corruption that lead up to the panic depends partly on the SPE isolation policies, and on what this Secure Partition was responsible for. Reset remains the recommended response to a Secure Partition panic in v1.1.0. Regards, Andrew Thoelke Arm Ltd. From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu via TF-M Sent: 26 October 2021 10:51 To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: Re: [TF-M] System reset Hi Sebastian, The specification writer looks not here these two days, let me try to explain it based on my understanding. I think two specs both recommend clearing general runtime data while resetting. If the booting runtime clearing code can clear the RAM data for a specific platform, the memory clearing in the 'tfm_spm_hal_system_reset ' can be skipped. Basically, simple hardware reset triggering is just fine. The special-purpose memory to be retained during resetting is not a generic runtime memory, hence they need to be treated specially, such as putting them in a special bank or region and skipping clearing them during booting. This special region can be treated as a private asset of one service, which could NOT be shared between components for direct access. The owner service provides the functionality around this asset. Please put more comments or corrections, thanks. /Ken From: TF-M <mailto:tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Sebastian Bøe via TF-M Sent: Monday, October 25, 2021 3:16 PM To: mailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] System reset Hi, I would like some clarification about system reset. There are these two statements about it in the PSM and PSA-FF: "No run-time state from before the reset should be retained or used, except where necessary if suspend or hibernate are supported, see section 4.6." -- PSM page 22. "A Secure Partition may have state maintained on behalf of clients that will be destroyed when restarting the service." -- PSA-FF page 47. Is it the responsibility of tfm_spm_hal_system_reset to destroy this state or is it OK to destroy it after reset as a part of the C runtime startup procedure? I assume for instance that PRoT .bss is cleared as a part of the C runtime startup procedure, but should it also have been destroyed as a part of tfm_spm_hal_system_reset ? PSM - Platform Security Model. https://developer.arm.com/documentation/den0128/0100/ PSA-FF PSA Firmware Framework https://armkeil.blob.core.windows.net/developer/Files/pdf/PlatformSecurityA… Sebastian Bøe Nordic Semiconductor

2 years, 11 months

2
1
0 0

[PLATFORM ATTENTION REQUIRED] Unify the HAL APIs for IPC Model

by Kevin Peng

Hi all, I'm been working to unify the HAL APIs for IPC Model. The IPC Model currently uses two different sets of HAL APIs: * tfm_spm_hal_* - This is mainly used by the Library Model and IPC Model re-uses some of them * tfm_hal_* - This is introduced for IPC Model and some are shared to Library Model This might be confusing for platform vendors. So I'm trying to make it clear for IPC Model by: * Duplicating the shared APIs and rename the IPC copy to tfm_hal_* * Combining several platform init APIs to a single tfm_platform_init for IPC Model * tfm_spm_hal_enable_fault_handlers * tfm_spm_hal_system_reset_cfg * tfm_spm_hal_init_debug * tfm_spm_hal_nvic_interrupt_target_state_cfg * tfm_spm_hal_nvic_interrupt_enable With these changes, IPC Model will use tfm_hal_* APIs only. Please platform owners review these patches<https://review.trustedfirmware.org/q/topic:%22decouple_legacy_hal_for_ipc%2…> to see if any mistakes (the patches mainly move codes around) or any platforms missed in the patches. Plan to have them merged before the end of October. Thanks. Best Regards, Kevin

2 years, 11 months

1
1
0 0

System reset

by Sebastian Bøe

Hi, I would like some clarification about system reset. There are these two statements about it in the PSM and PSA-FF: "No run-time state from before the reset should be retained or used, except where necessary if suspend or hibernate are supported, see section 4.6." -- PSM page 22. "A Secure Partition may have state maintained on behalf of clients that will be destroyed when restarting the service." -- PSA-FF page 47. Is it the responsibility of tfm_spm_hal_system_reset to destroy this state or is it OK to destroy it after reset as a part of the C runtime startup procedure? I assume for instance that PRoT .bss is cleared as a part of the C runtime startup procedure, but should it also have been destroyed as a part of tfm_spm_hal_system_reset ? PSM - Platform Security Model. https://developer.arm.com/documentation/den0128/0100/ PSA-FF PSA Firmware Framework https://armkeil.blob.core.windows.net/developer/Files/pdf/PlatformSecurityA… Sebastian Bøe Nordic Semiconductor

2 years, 11 months

2
1
0 0

ITS File System Enhancement

by Sherry Zhang

Hi, I created patches to add the XOR checksum of the whole metadata into the ITS metadata_block header. This is to check the possible error in the flash. It can happen that the ITS file system is upgraded to the new one while the ITS assets are maintained with the current ITS file system. To support compatibility with the current ITS filesystem version, at the initialization of the file system, the file metadata and the block metadata, together with the metadata_block_header are updated to the new ITS file system. The patches are: https://review.trustedfirmware.org/q/topic:%22ITS_FILESYSTEM%22+(status:ope… Would you like to review the patches? Any comments are welcomed! Regards, Sherry Z

2 years, 11 months

1
0
0 0

PSoC scheduling broken

by Chris.Brand＠infineon.com

Running regression tests with the current HEAD, the secure tests all pass but the non-secure tests get stuck early on (I suspect that responses don't get back to the NS core). Reverting 5e68b11764673ee32bae0de8ecf3cde45cc55ea1 "SPM: Trigger scheduler at the end of SPM API" fixes the issue. Was that patch tested with multi-core? I created a patch to revert that patch for now - https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/11998 Chris Brand Cypress Semiconductor (Canada), Inc. Sr Prin Software Engr CSCA CSS ICW SW PSW 1 Office: +1 778 234 0515 Chris.Brand(a)infineon.com<mailto:Chris.Brand@infineon.com>

2 years, 11 months

2
5
0 0

Enable GPIO IRQ in TFM 1.3 with zephry v2.7.0 on nrf5340DK

by Singh, Yaduvir

Hi All, I want to enable GPIO IRQ in Trusted firmware-m 1.3 on nrf5340DK. I have TFM 1.3 which comes with zephyr v2.7.0 image flashed to board. followed the steps of https://www.trustedfirmware.org/docs/tech_forum_20210819BriefUpdatesInterru… and tfm_slih_test_service which has TIMER0 interrupt handler. Steps1: Assigning the interrupt GPIOTE0 and TIMER0 in secure partition manifest file. Steps2: Assigning the MMIO region of GPIOTE0 and TIMER0 in secure partition manifest file. Step3: Enable(psa_irq_enable) for both GPIOTE0,TIMER0 and Start (tfm_plat_test_secure_timer_start) the TIMER0. Step4: waiting for interrupt SIGNAL defined in secure partition manifest file for GPIOTE0 and TIMER0) using psa_wait(PSA_WAIT_ANY, PSA_BLOCK) in the secure partition source code. But do not receive any signal for TIMER0 and GPIOTE0. Q1) at least TIMER0 signal should be received after the timer start? Q2)Are there any steps i missed to enable IRQ in TFM secure partition? Q3)Also, for GPIOTE i need to enable IRQ on the particular pin of port0 ex P0.8, How can i know the signal generated for the interrupt is for P0.8? Q4)In tfm_secure_irq_handling.rst it mentions "it is important the macro name matches the platform's handler function for that IRQ source." - In case ``source`` is defined IRQ macro, the name of the handler becomes ``void <macro>_Handler(void)``. I do not understand why we need to have a handler function name matching with IRQ source when we have to wait on psa_wait(PSA_WAIT_ANY, PSA_BLOCK) for IRQ signal? Step1,Step2 /*#####################################################################*/ modules\tee\tfm\trusted-firmware-m\platform\ext\target\nordic_nrf\common\nrf5340\tfm_peripherals_def.h #ifndef __TFM_PERIPHERALS_DEF_H__ #define __TFM_PERIPHERALS_DEF_H__ #include <nrf.h> #ifdef __cplusplus extern "C" { #endif #define TFM_TIMER0_IRQ (TIMER0_IRQn) #define TFM_TIMER1_IRQ (TIMER1_IRQn) #define TFM_GPIOTE0_IRQ (GPIOTE0_IRQn) #define TFM_SPIM4_IRQ (SPIM4_IRQn) struct platform_data_t; extern struct platform_data_t tfm_peripheral_std_uart; extern struct platform_data_t tfm_peripheral_timer0; extern struct platform_data_t tfm_peripheral_std_gpiote0; extern struct platform_data_t tfm_peripheral_std_spim4; #define TFM_PERIPHERAL_STD_UART (&tfm_peripheral_std_uart) #define TFM_PERIPHERAL_TIMER0 (&tfm_peripheral_timer0) #define TFM_PERIPHERAL_GPIOTE0 (&tfm_peripheral_std_gpiote0) #define TFM_PERIPHERAL_SPIM4 (&tfm_peripheral_std_spim4) #define TFM_PERIPHERAL_FPGA_IO (0) #ifdef __cplusplus } #endif #endif /* __TFM_PERIPHERALS_DEF_H__ */ modules\tee\tfm\trusted-firmware-m\platform\ext\target\nordic_nrf\common\nrf5340\target_cfg.c struct platform_data_t tfm_peripheral_timer0 = { NRF_TIMER0_S_BASE, NRF_TIMER0_S_BASE + (sizeof(NRF_TIMER_Type) - 1), }; struct platform_data_t tfm_peripheral_std_uart = { NRF_UARTE1_S_BASE, NRF_UARTE1_S_BASE + (sizeof(NRF_UARTE_Type) - 1), }; struct platform_data_t tfm_peripheral_std_gpiote0 = { NRF_GPIOTE0_S_BASE, NRF_GPIOTE0_S_BASE + (sizeof(NRF_GPIOTE_Type) - 1), }; struct platform_data_t tfm_peripheral_std_spim4 = { NRF_SPIM4_S_BASE, NRF_SPIM4_S_BASE + (sizeof(NRF_SPIM_Type) - 1), }; /*Secure partition manifest file change*/ samplepartition.yaml { "psa_framework_version": 1.1, "name": "TFM_SP_sample", # Possible options: "PSA-ROT | APPLICATION-ROT" "type": "APPLICATION-ROT", "priority": "NORMAL", "model": "IPC", "entry_point": "sample_partition_main", "stack_size": "0x200", "services": [ # Define the secure service here. { "name": "TFM_EXAMPLE_SERVICE", # SIDs must be unique, ones that are currently in use are documented in # tfm_secure_partition_addition.rst on line 184 "sid": "0x00001001", "non_secure_clients": true, "version": 1, "version_policy": "STRICT" }, ], # Define all the IRQs that the service wants to handle. "mmio_regions": [ { "name": "TFM_PERIPHERAL_GPIOTE0", "permission": "READ-WRITE" }, { "name": "TFM_PERIPHERAL_SPIM4", "permission": "READ-WRITE" }, { "name": "TFM_PERIPHERAL_TIMER0", "permission": "READ-WRITE" }, ], "irqs": [ { "source": "TFM_GPIOTE0_IRQ", "name": "TFM_GPIOTE0_IRQ", "handling": "SLIH", "tfm_irq_priority": 64, }, { "source": "TFM_SPIM4_IRQ", "name": "TFM_SPIM4_IRQ", "handling": "SLIH", "tfm_irq_priority": 64, }, { "source": "TFM_TIMER0_IRQ", "name": "TFM_TIMER0_IRQ", "handling": "SLIH", "tfm_irq_priority": 64, } ], "dependencies": [ "TFM_CRYPTO" ] } Step3, Step4 /*#####################################################################*/ /*Secure partition Code*/ sample_partition.c #define TIMER_RELOAD_VALUE (1*1000*1000) static void gpiote0_handler(void) { LOG_INFFMT("gpiote0_handler called!!\n"); psa_irq_disable(TFM_GPIOTE0_IRQ_SIGNAL); psa_eoi(TFM_GPIOTE0_IRQ_SIGNAL); } static void spim4_handler(void) { LOG_INFFMT("spim4_handler called !\n"); psa_irq_disable(TFM_SPIM4_IRQ_SIGNAL); psa_eoi(TFM_SPIM4_IRQ_SIGNAL); } static void timer0_handler(void) { LOG_INFFMT("timer0_handler called!\n"); psa_irq_disable(TFM_TIMER0_IRQ_SIGNAL); psa_eoi(TFM_TIMER0_IRQ_SIGNAL); } static void timer_init(NRF_TIMER_Type * TIMER, uint32_t ticks) { nrf_timer_mode_set(TIMER, NRF_TIMER_MODE_TIMER); nrf_timer_bit_width_set(TIMER, NRF_TIMER_BIT_WIDTH_32); nrf_timer_frequency_set(TIMER, NRF_TIMER_FREQ_1MHz); nrf_timer_cc_set(TIMER, NRF_TIMER_CC_CHANNEL0, ticks); nrf_timer_one_shot_enable(TIMER, NRF_TIMER_CC_CHANNEL0); } static void timer_stop(NRF_TIMER_Type * TIMER) { nrf_timer_task_trigger(TIMER, NRF_TIMER_TASK_STOP); nrf_timer_int_disable(TIMER, NRF_TIMER_INT_COMPARE0_MASK); nrf_timer_event_clear(TIMER, NRF_TIMER_EVENT_COMPARE0); } static void timer_start(NRF_TIMER_Type * TIMER) { timer_stop(TIMER); nrf_timer_task_trigger(TIMER, NRF_TIMER_TASK_CLEAR); nrf_timer_int_enable(TIMER, NRF_TIMER_INT_COMPARE0_MASK); nrf_timer_task_trigger(TIMER, NRF_TIMER_TASK_START); } void tfm_plat_test_secure_timer_start(void) { timer_init(NRF_TIMER0, TIMER_RELOAD_VALUE); timer_start(NRF_TIMER0); } void tfm_plat_test_secure_timer_stop(void) { timer_stop(NRF_TIMER0); } void sample_partition_main(void) { psa_signal_t signals; psa_irq_enable(TFM_SPIM4_IRQ_SIGNAL); psa_irq_enable(TFM_GPIOTE0_IRQ_SIGNAL); /*Start timer interrupt*/ psa_irq_enable(TFM_TIMER0_IRQ_SIGNAL); tfm_plat_test_secure_timer_start(); /* Continually wait for one or more of the partition's RoT Service or * interrupt signals to be asserted and then handle the asserted signal(s). */ while (1) { signals = psa_wait(PSA_WAIT_ANY, PSA_BLOCK); if (signals & TFM_GPIOTE0_IRQ_SIGNAL) { gpiote0_handler(); }else if (signals & TFM_SPIM4_IRQ_SIGNAL) { spim4_handler(); }else if (signals & TFM_TIMER0_IRQ_SIGNAL) { timer0_handler(); } else { psa_panic(); } } } /*#####################################################################*/ Thanks Yaduvir

2 years, 11 months

3
5
0 0

Re: [TF-M] [ATTENTION] SPM Update: Secure Partition build flag 'CONFIG_TFM_BUILDING_SPE' required.

by Ken Liu

Hi everyone, If you are creating out-of-tree partitions, please assign c-flag 'CONFIG_TFM_BUILDING_SPE' to the partitions sources. The reason is that FFM client header is used by both SPE and NSPE clients, and SPE would support multiple ABI methods and these methods can co-exist in the system, this flag can help the partition to choose correct ABI for FFM API. Check here for an example: https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/11897/11/sec… Or do you think choosing one ABI as the default ABI (default ABI owns the spec originally defined symbols) should work? Any comments please feel free to raise. BR. /Ken From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Ken Liu via TF-M Sent: Wednesday, October 20, 2021 3:12 PM To: tf-m(a)lists.trustedfirmware.org Cc: nd <nd(a)arm.com> Subject: [TF-M] [ATTENTION] SPM logic is under significant updating before End of Oct Hi, To support FFM 1.1 features (SFN mainly), the SPM logic is under significant updating till End of Oct, please: - If you are doing release-targeted development, please based on the released tags. - If you are developing with the latest master branch, please report bugs met. Our plan is to collect all bugs and fix them after this update, before the next release. - Keen to receive your fixes and contributions. It would be very nice if you can do these. All patches would go as a usual process, hence it should work for most of the configurations, except those not covered by the automation test. The platform related interfaces are not changing, hence no worry for platform owners. Thanks! /Ken

2 years, 11 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

TF-M