Hi Roman,
Thank you for sharing your findings. Let us check and get back with comments.
Thanks and best regards,
Anton
From: Roman.Mazurak--- via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Friday, February 16, 2024 11:20 AM
To: tf-m@lists.trustedfirmware.org
Cc: Bohdan.Hunko@infineon.com; Chris.Brand@infineon.com
Subject: [TF-M] SPM thread and FLIH
Hi all,
It seems that on v2.0 there is a problem with FLIH handling during execution of SPM thread.
1. Partition #1 is running with the unprivileged attribute (CONTROL.nPRIV = 1).
2. It requests a PSA API (for example psa_call).
3. psa_call is serviced via SVC.
4. prepare_to_thread_mode_spm schedules handling of psa_call in SPM thread mode.
5. prepare_to_thread_mode_spm saves CONTROL to saved_control, then sets CONTROL.nPRIV = 0 (privileged for the SPM thread).
6. Exit from SVC starts execution of tfm_spm_client_psa_call in the SPM thread (privileged).
7. The SPM thread is interrupted by a FLIH IRQ.
8. The FLIH IRQ handler calls spm_handle_interrupt.
9. spm_handle_interrupt switches the boundary to prepare the environment for the FLIH handler (partition #2) and schedules execution of the FLIH handler.
10. The FLIH handler is executed.
11. tfm_flih_return_to_isr is called on exit from the FLIH handler. It restores the boundary of partition #1 and sets CONTROL.nPRIV = 1, then returns to the FLIH IRQ handler.
12. The FLIH IRQ handler exits to the SPM thread that was interrupted at step #6.
13. The SPM thread does not have enough permissions, because it is running with CONTROL.nPRIV equal to 1 (unprivileged). So the processing environment is unprivileged and tfm_spm_client_psa_call fails on accessing a restricted resource.
Is my understanding correct? If yes, it means that we should fix the exit from FLIH to the SPM thread.
Regards,
Roman.
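A host-side C model of the sequence described in the mail above, added here as an illustration; it is not TF-M code and not code posted by either participant. All function and type names in the block are hypothetical, the TF-M symbols (prepare_to_thread_mode_spm, spm_handle_interrupt, tfm_flih_return_to_isr) appear only in comments to map the model onto the numbered steps, and the "restore the CONTROL captured at IRQ entry" variant is shown as one possible remedy, not as a confirmed TF-M fix. The model relies on one hardware fact: on ARMv8-M, CONTROL is not part of the exception stack frame, so a handler that changes it changes what the interrupted thread runs with.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit 0 of CONTROL on ARMv8-M: 1 = thread mode runs unprivileged. */
#define CONTROL_NPRIV 1u

/* Modelled core state. CONTROL is not stacked on exception entry, so any
   handler that rewrites it rewrites the privilege of the interrupted thread. */
static uint32_t control;

/* Static privilege of the two partitions in the scenario (both unprivileged). */
#define PARTITION_1_NPRIV CONTROL_NPRIV
#define PARTITION_2_NPRIV CONTROL_NPRIV

/* Hypothetical model of prepare_to_thread_mode_spm and its return path:
   save CONTROL, run the SPM thread privileged, restore on the way out. */
static uint32_t saved_control;

static void enter_spm_thread(void)
{
    saved_control = control;
    control &= ~CONTROL_NPRIV;
}

static void exit_spm_thread(void)
{
    control = saved_control;
}

typedef enum {
    FLIH_RETURN_TO_OWNER,  /* restore the interrupted partition's static nPRIV */
    FLIH_RETURN_TO_ENTRY   /* restore the CONTROL value captured at IRQ entry */
} flih_return_t;

/* Hypothetical model of the FLIH IRQ path (steps 7 to 12 in the mail). */
static void flih_irq(flih_return_t mode)
{
    uint32_t control_at_entry = control;

    /* spm_handle_interrupt: switch to partition #2's environment so the
       FLIH handler runs with that partition's (unprivileged) attribute. */
    control = (control & ~CONTROL_NPRIV) | PARTITION_2_NPRIV;

    /* ... FLIH handler body runs here ... */

    /* tfm_flih_return_to_isr: restore partition #1's boundary. The two
       strategies differ only in which nPRIV value they hand back. */
    if (mode == FLIH_RETURN_TO_OWNER) {
        control = (control & ~CONTROL_NPRIV) | PARTITION_1_NPRIV;
    } else {
        control = control_at_entry;
    }
}

/* Scenario from the mail: partition #1 is inside an SPM-thread service call
   when the FLIH fires. Returns true if the SPM thread is still privileged
   afterwards, i.e. if tfm_spm_client_psa_call could continue. */
static bool spm_thread_privileged_after_flih(flih_return_t mode)
{
    control = PARTITION_1_NPRIV;  /* step 1: partition #1 unprivileged */
    enter_spm_thread();           /* steps 3 to 6: SVC, SPM thread, nPRIV = 0 */
    flih_irq(mode);               /* steps 7 to 12: FLIH interrupts the SPM thread */
    bool privileged = (control & CONTROL_NPRIV) == 0;
    exit_spm_thread();
    return privileged;
}

/* Control case: the FLIH interrupts partition #1's own thread code rather
   than an SPM-thread call. Returns true if partition #1 is still unprivileged. */
static bool partition_unprivileged_after_flih(flih_return_t mode)
{
    control = PARTITION_1_NPRIV;
    flih_irq(mode);
    return (control & CONTROL_NPRIV) != 0;
}

int main(void)
{
    printf("return-to-owner: SPM thread privileged after FLIH? %s\n",
           spm_thread_privileged_after_flih(FLIH_RETURN_TO_OWNER) ? "yes" : "no");
    printf("return-to-entry: SPM thread privileged after FLIH? %s\n",
           spm_thread_privileged_after_flih(FLIH_RETURN_TO_ENTRY) ? "yes" : "no");
    printf("return-to-owner: partition still unprivileged? %s\n",
           partition_unprivileged_after_flih(FLIH_RETURN_TO_OWNER) ? "yes" : "no");
    printf("return-to-entry: partition still unprivileged? %s\n",
           partition_unprivileged_after_flih(FLIH_RETURN_TO_ENTRY) ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the value to put back on FLIH exit is whatever the interrupted context was running with, which is the partition's own attribute only when the partition itself was interrupted; both return strategies leave a directly interrupted partition unprivileged, but only the entry-value strategy keeps an interrupted SPM thread privileged.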