Hi Reinhard,

Your approach is good for a RTOS.

For secure firmware, we need to:

A secure partition may bind an interrupt in its manifest, which means the interrupt related logic of a secure partition should be inside secure partition’s scope. (This is what the library model is doing.)
To avoid affect non-secure RTOS execution, IRQ should be quick and heavy execution can be delay into secure partition thread. (This is what IPC model is doing).

This interrupt handling is keeping evolution, we are trying to create a proposal to provide:

Fast ISR execution.
Put non-urgent interrupt related logic into thread.

Now we are collecting proposals and your comment is an important input. And I think the DMA part needs to be considerate much as you have mentioned, it may bypass MPU.

If anyone is also working on this topic, please send mail in this mailing list or create an issue (developer.trustedfirmware.org).

Thanks.

/Ken

From: TF-M <tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Reinhard Keil via TF-M
Sent: Tuesday, December 17, 2019 4:04 PM
To: tf-m@lists.trustedfirmware.org
Subject: Re: [TF-M] irq handling in library mode

I would argue that “IRQ handling” should just be standard v8M hardware behaviour for the following rational:

IRQ routines should be short and simple by nature – it is therefore relative easy to fully verify it and ensure that there are no side effects.
IRQ should be therefore executed in handler mode using MSP, no MPU protection, only protection via SAU, PPC, MPC.

Another reason of this relaxed approach is the usage of DMA.

DMA is frequently controlled by IRQ
DMA also bypasses MPU, therefore same behaviour as IRQ.

Overall this approach ensures simple, fast IRQ execution (sales argument of v8M) and reduces risk software glitches in TF-M Core.

What is wrong with that approach?

Reinhard

_______________________________________________________________________________

Reinhard Keil | Phone: +49 89 456040-13 | Email: reinhard.keil@arm.com | www.keil.com

ARM Germany GmbH | Bretonischer Ring 16 | D-85630 Grasbrunn,Germany

Sitz der Gesellschaft: Grasbrunn | Handelsregister: München (HRB 175362)

Geschäftsführer: Andrew Smith, Joachim Krech, Reinhard Keil

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.