Is pre-emption while in secure mode supported? If so, NS RTOS may have to be modified to handle switching from a thread who’s PC and SP are in secure domain.
How would a secure service thread block while waiting for a security-protected hardware process to finish (ie what is the secure driver model)?
Alan
From: TF-M [mailto:tf-m-bounces@lists.trustedfirmware.org]
On Behalf Of Reinhard Keil via TF-M
Sent: Thursday, April 2, 2020 5:49 AM
To: tf-m@lists.trustedfirmware.org
Cc: nd
Subject: [EXTERNAL] [TF-M] Multi-threaded single-scheduler model proposal
Hi Erik,
Really great to see your involvement. Let me share my view on a TF-M execution model for constrained single core v8-M with TrustZone using Secure Function Call (aka library) mode:
On secure side: single thread execution only. Not stack swapping. NS to S calls are blocking until secure execution completes.
On non-secure side: RTOS with threaded execution. Entry to secure side protected with Mutex.
This structure is explain on page 27 of
https://github.com/ARM-software/CMSIS_5/blob/develop/CMSIS_Review_Meeting_2020.pdf
IMHO, there are various benefits:
·
Overall less complexity, no need of tz_context, any RTOS would work, less memory overhead (i.e. single stack at secure side)
·
No impact to time deterministic execution on the NS side unless two threads call secure services
·
Conflict of mulitple threads calling secure services could be minimized with RTOS that offers priority inversion
Are there any obvious problems with the above model?
Thanks
Reinhard Keil – Sr. Director Embedded Tools, Arm
P.S. maybe you read also
https://lists.trustedfirmware.org/pipermail/tf-m/2020-March/000805.html
IMHO we need to simplify the NS to S call entry to speed-up the overall system