Hi Roman,
Thank you for sharing your findings. Let us check and get back with comments.
Thanks and best regards, Anton
From: Roman.Mazurak--- via TF-M tf-m@lists.trustedfirmware.org
Sent: Friday, February 16, 2024 11:20 AM
To: tf-m@lists.trustedfirmware.org
Cc: Bohdan.Hunko@infineon.com; Chris.Brand@infineon.com
Subject: [TF-M] SPM thread and FLIH
Hi all,
It seems that on v2.0 there is a problem with FLIH handling during execution of the SPM thread.

1. A partition #1 is running with the unprivileged attribute (CONTROL.nPRIV = 1).
2. It requests a PSA API (for example psa_call).
3. psa_call is serviced via SVC. prepare_to_thread_mode_spm schedules handling of psa_call in SPM thread mode (by prepare_to_thread_mode_spm).
4. prepare_to_thread_mode_spm saves CONTROL to saved_control. Then it sets CONTROL.nPRIV = 0 (privileged for the SPM thread).
5. Exit from SVC starts execution of tfm_spm_client_psa_call in the SPM thread (privileged).
6. The SPM thread is interrupted by a FLIH IRQ.
7. The FLIH IRQ handler calls spm_handle_interrupt.
8. spm_handle_interrupt switches the boundary to prepare the environment for the FLIH handler (partition #2) and schedules execution of the FLIH handler.
9. The FLIH handler is executed.
10. tfm_flih_return_to_isr is called on exit from the FLIH handler. It restores the boundary of partition #1 and sets CONTROL.nPRIV = 1. Then it returns to the FLIH IRQ handler.
11. The FLIH IRQ handler exits to the SPM thread that was interrupted in step #6.
12. The SPM thread does not have enough permissions, because it is running with CONTROL.nPRIV equal to 1 (unprivileged). So the processing environment is unprivileged and tfm_spm_client_psa_call fails on accessing a restricted resource.

Is my understanding correct? If yes, it means that we should fix the exit from FLIH to the SPM thread.
Regards, Roman.
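The sequence described in Roman's mail, as an added example that is not part of the thread and not TF-M source: a simplified C model of the CONTROL.nPRIV transitions across the SVC entry, the FLIH interrupt and the return to the SPM thread. The function names follow the mail, but the bodies are a simulation of the described behaviour only. The "fixed" path (recording the interrupted CONTROL value at FLIH entry and restoring it on exit), the `flih_entry_control` slot and the privilege attribute of partition #2 are assumptions for illustration, not TF-M's actual fix.

```c
/*
 * Added example, not TF-M code: a model of the CONTROL.nPRIV transitions in
 * the 12 steps above.  Names follow the mail; bodies are a simulation.
 * The "fixed" path is an assumed fix, not a TF-M commit.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CONTROL_NPRIV 0x1u          /* CONTROL bit 0: 1 = unprivileged thread */

typedef struct {
    const char *name;
    bool privileged;                /* partition's static privilege attribute */
} partition_t;

static partition_t partition1 = { "partition #1", false }; /* unprivileged client */
static partition_t partition2 = { "partition #2", false }; /* FLIH owner; assumed unprivileged */

static uint32_t control;            /* simulated CONTROL register */
static uint32_t saved_control;      /* save slot used by prepare_to_thread_mode_spm */
static uint32_t flih_entry_control; /* assumed fix: CONTROL as seen at FLIH entry */
static const partition_t *boundary; /* partition whose boundary is active */

static uint32_t control_for(const partition_t *p)
{
    return p->privileged ? 0u : CONTROL_NPRIV;
}

/* Steps 3-5: the SVC handler prepares to run the PSA call in SPM thread mode. */
static void prepare_to_thread_mode_spm(void)
{
    saved_control = control;
    control &= ~CONTROL_NPRIV;      /* SPM thread runs privileged */
}

/* Steps 7-8: FLIH IRQ arrives, the boundary switches to the FLIH owner. */
static void spm_handle_interrupt(const partition_t *flih_owner)
{
    flih_entry_control = control;   /* recorded only for the assumed fix */
    boundary = flih_owner;
    control = control_for(flih_owner);
}

/* Step 10: return from the FLIH handler to the IRQ handler. */
static void tfm_flih_return_to_isr(const partition_t *interrupted, bool fixed)
{
    boundary = interrupted;
    /* Described behaviour: nPRIV is derived from the interrupted partition's
     * attribute, although the code actually interrupted was the privileged
     * SPM thread.  The assumed fix restores the CONTROL seen at FLIH entry. */
    control = fixed ? flih_entry_control : control_for(interrupted);
}

/* Return from the SPM thread back to the client, undoing step 4. */
static void return_from_spm_thread(void)
{
    control = saved_control;
}

/* Runs the described sequence and returns the nPRIV bit the SPM thread
 * observes when it resumes at step 11 (0 = privileged, 1 = unprivileged). */
uint32_t spm_thread_npriv_after_flih(bool fixed)
{
    boundary = &partition1;
    control = control_for(&partition1);          /* step 1 */
    prepare_to_thread_mode_spm();                /* steps 3-5 */
    spm_handle_interrupt(&partition2);           /* steps 6-8 */
    /* step 9: the FLIH handler body would run here */
    tfm_flih_return_to_isr(&partition1, fixed);  /* step 10 */
    uint32_t seen = control & CONTROL_NPRIV;     /* steps 11-12 */
    return_from_spm_thread();
    return seen;
}

/* After the whole PSA call returns, the client must be unprivileged again
 * on both paths; the fix must not leak SPM privilege to partition #1. */
uint32_t client_npriv_after_call(bool fixed)
{
    (void)spm_thread_npriv_after_flih(fixed);
    return control & CONTROL_NPRIV;
}

int main(void)
{
    printf("described path: SPM thread resumes with nPRIV=%u\n",
           (unsigned)spm_thread_npriv_after_flih(false));
    printf("assumed fix:    SPM thread resumes with nPRIV=%u\n",
           (unsigned)spm_thread_npriv_after_flih(true));
    return 0;
}
```

On the described path the SPM thread resumes with nPRIV = 1 and any access to a privileged-only resource in tfm_spm_client_psa_call would fault; on the assumed-fix path it resumes with nPRIV = 0, and on both paths partition #1 gets nPRIV = 1 back once the call completes. The point of the model is that the privilege to restore at step 10 is a property of the interrupted execution context, not of the partition whose boundary is active.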