Hello,
Continue the last topic - looks like there are requirements on assigning bits for indicating ns agents and a customized C-based manifest for TZ NS Agent is somewhat out of fashion, so if there are plans to add the customized manifest support into the tooling recently, could you please considerate these points:
- Need an extra place to confirm the out-of-ffm customized setting or there would be errors reported mentioning non-standard manifest items are applied if no confirmation is found. - The confirmation place should not be in the single manifest for partitions which may bring a bad example of abused customization. Users may just copy these manifests into their project and use them without deeper consideration. The tooling need to report errors for such copy-and-use cases.
Take 'ns_agent' as an example, if it is applied in one manifest, the ideal for an confirmation is in the manifest list file, such as:
tfm_manifest_list.yaml: ... "manifest": "${CMAKE_SOURCE_DIR}/secure_fw/partitions/ns_agent_mailbox/ns_agent_mailbox.yaml", "confirm_customized_fields": "ns_agent", /* Confirm it or tooling would report errors when meet "ns_agent" */
Any ideas about this proposal? Feel free to comment, thanks.
BR
/Ken
From: Bohdan.Hunko@infineon.com Bohdan.Hunko@infineon.com Sent: Saturday, January 14, 2023 6:19 PM To: Ken Liu Ken.Liu@arm.com; tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: RE: Partitions without manifest files are not linked correctly in L3
Hi Ken,
Thanks for the reply. I see that we both are on the same track now. I agree that moving these partitions to manifest scheme will require some more time and planning so for now I decided to go with simpler option - align stacks in .c files. Here are the patches that I have prepared:
* https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/18803 * https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/18804
Regards, Bohdan Hunko
Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com
From: Ken Liu via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Sent: 6 January 2023 09:02 To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Cc: nd <nd@arm.commailto:nd@arm.com> Subject: [TF-M] Re: Partitions without manifest files are not linked correctly in L3
Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safehttps://intranet-content.infineon.com/explore/aboutinfineon/rules/informationsecurity/ug/SocialEngineering/Pages/SocialEngineeringElements_en.aspx.
Hi Bohdan,
The size and position for stack buffers are aligned with specific values already (mostly 8 bytes but TZ Agent is 32 bytes), the linker script alignment should cover the alignments defined with __attribute in sources, so I think in general it should work in most of the cases, could you tell the problem in details after you changed TFM_LINKER_PSA_ROT_LINKER_DATA_ALIGNMENT or other settings?
The reason for not using manifest for these partitions is that these partitions are special, especially the agent partitions. Agent partitions have special IDs and flags (AGENT flags indicating they could call agent-specific API or won't get blocked forever), putting these flags in the manifest would remind users that they could apply these special settings as well -- but if we can apply some limitations when these settings are set, it is also acceptable (For example, provide a long-named option in the manifest to remind users they are touching unusual features when users set special flags, such as: "confirm_non_standard_settings: yes").
Trustzone NS Agent is much more special than mailbox agents. Mailbox agent has the capability to call agent-specific API, but TZ NS Agent is part of secure context management hence it couples with some 'core' work tightly, hence putting it with SPM together is more convenient, especially now we are applying the minimal isolation rules. In the future, if a system is powerful enough to isolate SPM and all other components, this TZ Agent needs to be updated fundamentally as well. But this won't block turn metadata it into manifests - the linker script and HAL API defines how the isolation rules and levels are applied, and manifests define the way how to manage partitions in a unified way.
Just as what you have described, if we are progressing quickly we can apply option 1. For option 2 we need a plan before going ahead.
Thanks.
/Ken
From: Bohdan.Hunko--- via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Sent: Thursday, January 5, 2023 6:59 PM To: tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org Subject: [TF-M] Partitions without manifest files are not linked correctly in L3
In isolation level 3 partitions code/data in linker script are gathered together and aligned using information from manifest files. Currently there are 2 partitions that are not using manifest files, and instead have hand written load_info.c files. These partitions are: NS agent trust zone and idle partition.
When partition does not have manifest file then its code/data is not gathered together (as there is no manifest to provide needed information). This results in partition code/data being linked directly to SPM. Also code/data may be not correctly aligned (if platform requires special alignment for PSA/APP RoT partitions).
For example if platform define custom TFM_LINKER_PSA_ROT_LINKER_DATA_ALIGNMENT, NS agent TZ and idle partitions stacks will not be aligned properly.
This is a problem because resulting alignment is not sufficient for the platform, which means that functions that apply protections fail.
I see several solutions to this problem:
1. Add alignment to stack of these special partitions. Both the start and the size of the stack should be aligned to satisfy alignment requirements. This is fairly easy fix with small amount of changes. The problem is that code/data of these partitions will still be located in SPM code/data sections which is not ideal solution. I would say this is bare minimum solution, just to make things work. 2. Better solution might be to move these special partitions to now use manifest files. The problem I see is that these partition use special priorities values which are not supported by manifest tool. Also NS Agent TZ uses special PID = 0, which I believe is also not supported by manifest tool. I think this is more time consuming fix but overall this should result in better and easier to understand code.
Would be glad to hear a feedback on this topic.
Regards, Bohdan Hunko
Cypress Semiconductor Ukraine Engineer CSUKR CSS ICW SW FW Mobile: +38099 50 19 714 Bohdan.Hunko@infineon.commailto:Bohdan.Hunko@infineon.com