Hi,
Noticed this interesting discussion and provide my inputs:
From the description I guess the received data needs to be decrypted by a secure key or interactive with secure data. If the decryption can be processed in a 'threaded' ISR, then it would be all
fine as the decryption can be delegated to SPE by a generic secure call. If the decryption is expected in NS ISR, it would be tricky because call to the secure service is expected to be done in threads, and the decryption would also occupy the system for a
longer time as secure handler (non-secure handler calls into) mode has the priority higher than any non-secure handler, which boosts the radio's ISR into highest when performing a secure call no spite of which priority it is set in the NVIC.
The 3rd point provides a method closer to a workable one but needs some tweaks – notifying the NSPE by triggering an NS software IRQ would be easier, then NSPE scheduling could let the NS thread
retrieve the data by a secure service call – Caution that Secure ISR cannot share the decrypted data to NSPE directly! This creates another channel to expose data to NSPE, which is not following FF-M.
Please correct me if my assumption is wrong, then let’s discuss it from another angle
😉
Thanks.
/Ken
From: Romain JAYLES via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Monday, December 5, 2022 7:01 PM
To: Kevin Peng <Kevin.Peng@arm.com>; tf-m@lists.trustedfirmware.org
Subject: [TF-M] Re: TF-M and communication stack in NSPE
Hello Kevin,
Thank you for your detailed answer.
Here are my comments on each point:
When you mention the use of “notification mechanism”, there is no such thing already developed in the TF-M for now ? The issue I see with this type of mechanism is that if the notification relies on the TF-M scheduler,
it could potentially introduce too much delay in the interrupt treatment to be compliant with the protocol requirements (depending on the core frequency).
For the “call TF-M from NonSecure in handler mode”, I was meaning that in SFN mode, it is impossible to call TF-M API when the NSPE is in handler mode (referring to the
psa_interface_sfn.c and the multiples checks of __get_active_exc_num() != EXC_NUM_THREAD_MODE). Which will be problematic if the NSPE wants to modify the Radio IRQ propriety (enable/disable/priority) while in handler mode, as it will be necessary
to call our TF-M Secure Partition to modify the Radio IRQ propriety.
Thank you,
Best Regards,
Romain
From: Kevin Peng <Kevin.Peng@arm.com>
Sent: Monday, December 5, 2022 4:06 AM
To: Romain JAYLES <romain.jayles@st.com>;
tf-m@lists.trustedfirmware.org
Subject: RE: TF-M and communication stack in NSPE
Hi,
Just providing my own understandings.
Please check blow.
Best Regards,
Kevin
From: Romain JAYLES via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Friday, December 2, 2022 17:33
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] TF-M and communication stack in NSPE
Hello,
We are currently integrating a protocol stack with a Radio IRQ in a TrustZone environment with the TF-M as the SPE.
The Radio IRQ requires fast treatment from our protocol stack, the need is to have the Radio IRQ handled with the lowest latency possible.
The fact that all the IRQs in the NonSecure side can’t preempt IRQ on the Secure side in the TF-M design leads us to the following possibilities with several limitations:
[Kevin] “which by design will have a lower priority of our IRQ because it’s in the Secure side”
- I think you meant “higher priority”. That’s true. This might be only solved by design to limit the usage of Secure interrupts.
[Kevin] This depends on the on isolation level and the type of the Secure Partition you deploy. If you apply isolation level 3 for TF-M and ARoT type to the Secure Partition, then it’s low possibility to introduce
any Security flaws. That’s because each ARoT Secure Partition is isolated with their own domains in isolation level 3 and the APIs for interacting with the framework is designed to be secure.
[Kevin] This sounds like a good solution. By “forward an IRQ to the NonSecure”, are you referring to SPE callback to NSPE? Well, that is not supported in TF-M so you should apply some notification mechanism instead.
Around the “call TF-M from NonSecure in handler mode”, could you describe more?
Do you already have experienced with this type of problematics, or do you see TF-M configurations which will be more suitable for such a use-case ?
Thank you,
Regards,
Romain