Hi Erik,
Thanks for proposing improvements to TF-M, cooperative scheduling namely. You hit the topic which was considered but postponed at some moment. Believe, it will be beneficial to all of us to discuss it online and share our views on potential
improvement and possible side effects.
Let me know, please, if you want to include this topic into next forum agenda?
Kind regards,
Anton Komlev
From: TF-M <tf-m-bounces@lists.trustedfirmware.org>
On Behalf Of Shreve, Erik via TF-M
Sent: 23 March 2020 14:26
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Multi-threaded single-scheduler model proposal
I’d like to propose an additional model that provides a single-scheduler _and_ multiple thread support for PSA RoT.
To state a little more specifically:
* The NSPE scheduler makes all scheduling decisions for execution (call) flows of the NSPE tasks – including when those flows are operating in secure side
* APIs are provided to the NSPE scheduler to switch SPE task contexts (one task context associated to each NSPE task that uses PSA RoT)
* Resource locking APIs are provided to allow PSA RoT functions to communicate with the NSPE scheduler (i.e. mutex take/give)
* A SPE scheduler may still exist for application root of trust services, if any exist on a system.
I don’t see anything written up on a model like this in the design proposals or Phabricator. However, it appears to me that such a model (or something similar) must have been previously discussed.
A brief word on the motivation for such a proposal… To ease (and thus increase) adaptation of PSA RoT, wherein those services are protected from nontrusted code, the impact to the NSPE code should be minimized. The current models (Library,
IPC) do well to minimize the impact from an API standpoint. That is, the NSPE caller need not know where/how the PSA RoT operates in order to compile. However, the current models do not minimize impact to scheduling on single core systems. The library model
locks behind a single mutex the operations that previously existed independent of one another. The IPC model provides more flexibility. However, it still extends lock times beyond current implementations and it introduces an additional scheduler which removes
determinism and forces system designers to rethink existing code.
I’d like to know if there are any recorded plans for such a model (or something more similar to it than the three items above). If not, has it been discussed and actively rejected? If so why?
I can/will write up a more concrete proposal, but wanted to get some discussion around the high-level idea first.
Thanks,
Erik Shreve, PSEM
Software Security Engineer & Architect (CMCU Platform Development)
Texas Instruments Inc.
12500 TI Boulevard, MS F4000
Dallas, TX 75243