Hi Sandeep,

 

Your question is about architecture and beyond TF-M scope.

Assume you are referring to BFHFNMINS bit.

Please find the answers from Cortex-M architecture experts:

 

There's plenty of ways in which the NS state can attempt to attack the S state. The goal of the architecture is to detect and report these attacks to the S state. BusFault is a particularly interesting one as the fault can be asynchronous so it may not be possible to determine which state triggered the error. Secure code must therefore assume the worse and handle the fault accordingly.

 

The design of Armv8-M does not prevent a Non-secure software from crashing a system. But it ensures that if anything "bad" happened, a fault handler in the Secure world would execute.  The key objective is that if a Non-secure world crashed, it should not end up with Secure data being leaked, or Secure resources being manipulated.

For example,

- if BFHFNMINS is set to 0 (normal for a TrustZone environment), a bus error triggers a BusFault in the Secure world

- if an invalid FNC_RETURN or EXC_RETURN is carried out, it could trigger fault in SPE. But such issue should be catch by stack sealing and therefore SPE can handle the error.

 

Regards,

Anton

 

-----Original Message-----
From: Sandeep Tripathy via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Monday, March 20, 2023 3:53 PM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] How does TF-M deal with the faults originated from NSPE

 

Hi tf-m experts,

I have a fundamental query on v8m trustZone and containability of secure fault and other escalated HardFaults to SPE.

With BFHFNMINA set to '0' IIUC that a malicious actor in NSPE can willingly cause fault in SPE ? Is there a way to contain the fault in NS world?

Thanks

Sandeep

--

TF-M mailing list -- tf-m@lists.trustedfirmware.org To unsubscribe send an email to tf-m-leave@lists.trustedfirmware.org