Hi Erik,

 

Exactly. The library model supports a single Secure context. There are no roadmap items currently, aiming to change this.

 

There is no technical reason why multiple context couldn’t be handled by the library model. At the early phase of the project development we decided to implement solutions that might be limited in functionality, but are easier targets for security analysis.

 

Regards,

Mate

 

 

Thanks,

 

The library model seems to treat the entire SPE as a single resource as it appears to lock and only allow a single entry at a time:

               /* This is the "Big Lock" on the secure side, to guarantee single entry

* to SPE

*/

extern int32_t tfm_secure_lock;

 

Is this a limitation of the current implementation or is this the envisioned design for the library model?

 

If the latter, is there a technical/security reason why only a single entry is allowed? Or is it that no use-case to allow multiple entry has been discussed.

 

To back up a bit, we have use cases where I would like to see the NSPE RTOS make all the scheduling decisions and further have all the secure peripheral resources be managed individually with respect to blocking threads.

The IPC model seems to be built around having a scheduler in the SPM and the library model seems to preclude the ability to manage secure peripherals individually.

 

 

 

Hi Erik,

 

Yes, the two working models are mutually exclusive, and the model is selected compile time, by choosing a corresponding config cmake file.

 

I'm afraid there isn't a comprehensive specification for the Library model, like for IPC model.

 

For examples on calling services in library model, you can have a look in the Secure Service API implementations. Look in interface/src for NS, and in the directory of the services, for example services/initial_attestation/tfm_attestation_secure_api.c for secure examples.

 

The working model specific code parts that are in common files are (across the whole TF-M codebase) guarded by the TFM_PSA_API define:

 

    #ifdef TFM_PSA_API

        /* IPC model implementation */

    #else /* TFM_PSA_API */

        /* Library model implementation */

    #endif /* TFM_PSA_API */

 

If a source file is IPC model specific it has ‘ipc’ in its name, or is in a directory called ‘ipc’. Library model specific files have ‘func’ in their name.

 

Regards,

Mate

 

 

Mate,

 

Thanks for providing your time to respond. Understanding there are two models in play helps a lot. A few follow up questions…

 

Can you confirm that the models are mutually exclusive?

This page indicates to me that they are mutually exclusive: https://ci.trustedfirmware.org/job/tf-m-build-test-nightly/lastSuccessfulBuild/artifact/build-docs/tf-m_documents/install/doc/user_guide/html/docs/user_guides/tfm_build_instruction.html#configurations

Or are there provisions to allow a system to run both models on the _same_ execution node? For example running both on the same v7 or v8 with TrustZone core.

If there are provisions for this, where can I go to get a better understanding of them?

 

Also, is there any spec for the library model beyond the API descriptions in the CMSIS documentation (https://arm-software.github.io/CMSIS_5/Core/html/using_TrustZone_pg.html#RTOS_TrustZone)?

If not, then I’ll rely on reading the existing code.

 

Please feel free to point me more documentation if I can get answers there.  (I don’t mind a friendly “read the manual” or “run this example code.”)

 

Thanks again for your time.

 

Erik Shreve, PSEM

Software Security Engineer & Architect (CMCU Platform Development)

 

 

Hi Erik,

 

Your mail contains quite a few questions. I'll try to give an overview in the topic you are asking, hoping that it is going to answer most (hopefully all) questions. If there is anything left unanswered, please follow up.

 

So currently TF-M supports two working model: IPC model, and Library model. Library model has no scheduling on the secure side, secure services are called like normal functions.

 

The IPC model contains a simple scheduler. (IPC model is an implementation of the PSA Firmware Framework for M (PSA-FF-M): https://developer.arm.com/-/media/Files/pdf/PlatformSecurityArchitecture/Architect/DEN0063-PSA_Firmware_Framework-1.0.0-2.pdf?revision=2d1429fa-4b5b-461a-a60e-4ef3d8f7f4b4 ) In this  model, all the secure partitions have a runtime context associated with them. They have a separate stack, and their runtime state is saved when they are not scheduled by the Secure scheduler. This means that the number of secure contexts is determined compile time.

 

'Cooperative Scheduling Rules' document is a proposal of how a Non-Secure and a Secure scheduler should work together, to efficiently handle secure and non-secure asynchronous events. Currently The Secure scheduler has no knowledge of the state of the NS scheduler, and vice-versa. There is a roadmap item 'Scheduler - Initial Support' (currently without deadline) at https://developer.trustedfirmware.org/w/tf_m/planning/ which refers to this.

 

The RTOS Thread Context Management API implementation had been added to TF-M, to support a feature called TF-M Non-Secure client identification. It is used by the

 

   /**

     * \brief Stores caller's client id in state context

     */

    void tfm_core_get_caller_client_id_handler(const uint32_t svc_args[]);

 

API that is available for the secure services. Through this API secure services can distinguish Non-Secure clients.

 

TF-M manages a database of clients reported by the Non secure software (through the TZ_*APIs), and also tracks the ID of the currently active client. That client ID is returned by 'tfm_core_get_caller_client_id_handler' (in case the Secure Service was called from Non-Secure code)

 

Please note that the 'tfm_core_get_caller_client_id_handler' API is only supported in Library model. The TZ_* APIs are implemented in the NSPM module: secure_fw/core/tfm_nspm_func.c.

 

The IPC model's implementation of the NSPM module is empty: secure_fw/core/tfm_nspm_ipc.c

 

The original idea behind the RTOS Thread Context Management API is that the Secure context creation (allocating stack, and other supporting data structures) and destruction is initiated from the Non-Secure code. The number of active secure contexts is decided by the NS code in run time (of course if there is no more resource, the context creation fails). On scheduling, the non-secure SW notifies the secure code, to activate the context for the thread to be scheduled. This results in setting the secure stack pointer to the desired context (hence the “prepare”). After the NS Scheduler returns to the thread, the Secure or the Non-Secure code continues execution, depending on whether Secure, or Non-Secure execution had been interrupted by the NS scheduling.

 

Neither the single secure context design of the library model, and the above described design of the IPC model supports this approach, and that's why the semantics of the APIs in TF-M are different in TF-M.

 

Regards,

Mate

 

 

Hello everyone, I’m new to the list. Quick introduction: I work at Texas Instruments and I’m investigating TFM for use in some of our platforms here.

 

I’m trying to understand the scheduling and task architecture for PSA and the TFM implementation and how that intersects with NS tasks.

 

I found the following:

https://ci.trustedfirmware.org/job/tf-m-build-test-nightly/lastSuccessfulBuild/artifact/build-docs/tf-m_documents/install/doc/user_guide/html/docs/design_documents/tfm_cooperative_scheduling_rules.html

https://arm-software.github.io/CMSIS_5/Core/html/group__context__trustzone__functions.html

 

The existing TFM implementation doesn’t seem to do much with the tz_context interface. It looks like it tracks which NS client is active, but I don’t see where it uses that information to do anything.

Am I missing something?

 

I’d like to understand more about where TFM is going with the tz_context interface.

 

Will there be a tz_context focused scheduler? I can imagine one where the SPM associates NS clients with running Secure Partitions and resumes execution of a running a Secure Partition when the NS RTOS indicates the NS client is “active.” But it isn’t clear to me if this is the direction or not.

I note that the text for TZ_LoadContext_S says “**Prepare** the secure context for execution so that a thread in the non-secure state can call secure library modules.” Preparing sounds different than immediate execution.

 

Are there other documents I can read or source implementations I can reference to get more of a handle on this?

 

Thanks,

 

Erik Shreve, PSEM

Software Security Engineer & Architect (CMCU Platform Development)

Texas Instruments