Hi Bohdan,

FF-M proposes a balanced design to leave flexibility for those platforms that lack hardware resources or have concerns about performance. It is a plus if one platform can improve the isolation.

TF-M showcases the specification proposal mainly, and leaves the flexibility in the HAL API to give the platform that wants to improve the isolation a chance to do it in an easier way.

Yes, your findings are correct, SPM switches the boundaries when the boundary handle is different – so if you assign unique handles to PRoT partitions, the boundary is switched. What you need to do is changing the implementation of isolation boundary HAL implementation, no need to change the SPM code.

BR.

/Ken

From: Bohdan.Hunko--- via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Thursday, September 29, 2022 4:59 AM
To: tf-m@lists.trustedfirmware.org
Cc: Hennadiy.Kytsun@infineon.com
Subject: [TF-M] Level 3 Isolation improvements

Hi everyone,

I have several questions related to L3 isolation in TFM.

First of all, FFM specifies that:

In L3 PSA RoT partitions does not need to be isolated from SPM (and vice versa)
PSA RoT partitions does not need to be isolated from each other
PSA RoT partitions and SPM must be isolated from APP RoT partitions
APP RoT partitions must be isolated from each other

This picture from TFM docs seem to illustrate statements above.

Currently platforms with L3 support (e.g. an521) follow the rules stated above.

They achieve this by executing PSA RoT partitions and SPM in privileged mode, and APP RoT partitions in unprivileged mode. Partition boundaries are only updated when switching to APP RoT partition.

From description of tfm_hal_activate_boundary (see code here) and this an521 code seems like platform can determine whether partition will be executed in privileged or unprivileged mode.

So my questions are:

For improved isolation in L3 does it make sense to:

isolate SPM from PSA RoT partitions
isolate PSA RoT partitions from each other (like APP RoT partitions are isolated)

If question 1 make sense then can platform achieve this improved isolation with current code base?
From this an521 code it seems like platform may set all partitions to be executed in unprivileged mode and dynamically switch boundaries between them (between both PSA and APP RoT partitions). SPM will remain in privileged mode.
It seems like this approach is possible with minor changes to SPM. For example this code will need to be changed to call tfm_hal_activate_boundary regardless of partition privilege level.
Are there any other changes needed to make this approach work?

Regards,

Bohdan Hunko

Cypress Semiconductor Ukraine

Engineer

CSUKR CSS ICW SW FW

Mobile: +38099 50 19 714
Bohdan.Hunko@infineon.com