Hi Bohdan,
The size and position of stack buffers are already aligned to specific values (mostly 8 bytes, but 32 bytes for the TZ Agent), and the linker script alignment should cover the alignments defined with __attribute__ in the sources, so I think it should work in most cases. Could you describe the problem in detail after you changed TFM_LINKER_PSA_ROT_LINKER_DATA_ALIGNMENT or other settings?
The reason for not using manifests for these partitions is that these partitions are special, especially the agent partitions. Agent partitions have special IDs and flags (AGENT flags indicating they can call agent-specific APIs or won't get blocked forever); putting these flags in the manifest would remind users that they could apply these special settings as well. But if we can apply some limitations when these settings are set, it is also acceptable (for example, provide a long-named option in the manifest to remind users that they are touching unusual features when they set special flags, such as: "confirm_non_standard_settings: yes").
The TrustZone NS Agent is much more special than the mailbox agents. A mailbox agent has the capability to call agent-specific APIs, but the TZ NS Agent is part of secure context management, hence it couples tightly with some 'core' work, and putting it together with SPM is more convenient, especially now that we are applying the minimal isolation rules. In the future, if a system is powerful enough to isolate SPM and all other components, this TZ Agent will need to be updated fundamentally as well. But this won't block turning its metadata into manifests: the linker script and HAL API define how the isolation rules and levels are applied, and manifests define how partitions are managed in a unified way.
Just as what you have described, if we are progressing quickly we can apply option 1. For option 2 we need a plan before going ahead.
Thanks.
/Ken
From: Bohdan.Hunko--- via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Thursday, January 5, 2023 6:59 PM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Partitions without manifest files are not linked correctly in L3
In isolation level 3, partition code/data in the linker script are gathered together and aligned using information from manifest files. Currently there are 2 partitions that are not using manifest files and instead have hand-written load_info.c files. These partitions are: NS agent trust zone and idle partition.
When a partition does not have a manifest file, its code/data is not gathered together (as there is no manifest to provide the needed information). This results in the partition code/data being linked directly into SPM. Also, code/data may not be correctly aligned (if the platform requires special alignment for PSA/APP RoT partitions).
For example, if a platform defines a custom TFM_LINKER_PSA_ROT_LINKER_DATA_ALIGNMENT, the NS agent TZ and idle partition stacks will not be aligned properly.
This is a problem because the resulting alignment is not sufficient for the platform, which means that the functions that apply protections fail.
I see several solutions to this problem:
I would be glad to hear feedback on this topic.
Regards,
Bohdan Hunko
Cypress Semiconductor Ukraine
Engineer
CSUKR CSS ICW SW FW
Mobile: +38099 50 19 714
Bohdan.Hunko@infineon.com
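The following is an added illustration of the failure described in both messages above; it is not TF-M code and was written by neither author. It models a linker placing regions back to back where each object gets only its own declared alignment (8 bytes for the hand-written partition stacks, 32 bytes for a manifest-driven one), then runs the kind of base/size check a protection routine would perform before programming a region. The 32-byte platform requirement, the region names and sizes, and the 0x20000000 start address are all constructed for the example; only TFM_LINKER_PSA_ROT_LINKER_DATA_ALIGNMENT is taken from the discussion, and here it is represented by the hypothetical PLATFORM_REGION_ALIGN macro.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical platform rule for a protected region (for instance one MPU
 * region): base address and size must both be multiples of this power of two.
 * It plays the role of a custom TFM_LINKER_PSA_ROT_LINKER_DATA_ALIGNMENT. */
#define PLATFORM_REGION_ALIGN 32u

enum region_status {
    REGION_OK = 0,
    REGION_BAD_ALIGN,        /* requested alignment is not a power of two */
    REGION_BASE_MISALIGNED,  /* base is not a multiple of the alignment */
    REGION_SIZE_MISALIGNED   /* size is not a multiple of the alignment */
};

/* One linker input region; names and sizes used below are constructed. */
struct region {
    const char *name;
    size_t size;             /* bytes the object occupies */
    size_t declared_align;   /* alignment the object itself asks for */
    bool needs_protection;   /* true if a protection will be applied to it */
    uintptr_t base;          /* assigned by layout_regions() */
};

static bool is_pow2(size_t v) { return v != 0 && (v & (v - 1)) == 0; }

static uintptr_t align_up(uintptr_t v, size_t align) {
    return (v + align - 1) & ~((uintptr_t)align - 1);
}

/* Place regions back to back, honouring only each object's own declared
 * alignment, which is what happens when no manifest-generated ALIGN()
 * directive groups and pads the partition's data. */
void layout_regions(struct region *r, size_t n, uintptr_t start) {
    uintptr_t cursor = start;
    for (size_t i = 0; i < n; i++) {
        cursor = align_up(cursor, r[i].declared_align);
        r[i].base = cursor;
        cursor += r[i].size;
    }
}

/* The check a protection routine should make before programming a region. */
enum region_status check_region(uintptr_t base, size_t size, size_t align) {
    if (!is_pow2(align)) return REGION_BAD_ALIGN;
    if (base % align != 0) return REGION_BASE_MISALIGNED;
    if (size % align != 0) return REGION_SIZE_MISALIGNED;
    return REGION_OK;
}

/* Count regions that need protection but fail the platform rule as laid out. */
size_t count_failures(const struct region *r, size_t n) {
    size_t failures = 0;
    for (size_t i = 0; i < n; i++) {
        if (!r[i].needs_protection) continue;
        if (check_region(r[i].base, r[i].size, PLATFORM_REGION_ALIGN) != REGION_OK)
            failures++;
    }
    return failures;
}

/* Constructed layout: a manifest-driven partition stack, some odd-sized SPM
 * data, then the two hand-written partition stacks whose declared alignment
 * is the parameter. Returns how many protected regions fail the check. */
size_t demo_failures(size_t handwritten_align) {
    struct region regions[] = {
        { "psa_rot_stack",     0x400, 32, true,  0 },  /* aligned via manifest */
        { "spm_data",          0x58,  8,  false, 0 },  /* SPM-private, odd size */
        { "ns_agent_tz_stack", 0x100, handwritten_align, true, 0 },
        { "idle_stack",        0x40,  handwritten_align, true, 0 },
    };
    size_t n = sizeof regions / sizeof regions[0];
    layout_regions(regions, n, (uintptr_t)0x20000000u);
    for (size_t i = 0; i < n; i++) {
        const char *verdict = "-";
        if (regions[i].needs_protection)
            verdict = check_region(regions[i].base, regions[i].size,
                                   PLATFORM_REGION_ALIGN) == REGION_OK ? "ok" : "FAIL";
        printf("%-18s base=0x%08lx size=0x%03zx %s\n", regions[i].name,
               (unsigned long)regions[i].base, regions[i].size, verdict);
    }
    return count_failures(regions, n);
}

int main(void) {
    printf("hand-written stacks aligned to 8:\n");
    size_t bad = demo_failures(8);
    printf("-> %zu protected region(s) cannot be protected\n\n", bad);
    printf("hand-written stacks aligned to PLATFORM_REGION_ALIGN:\n");
    bad = demo_failures(PLATFORM_REGION_ALIGN);
    printf("-> %zu protected region(s) cannot be protected\n", bad);
    return 0;
}
```

With the hand-written stacks declared at 8-byte alignment, the odd-sized SPM data in front of them leaves both partition stacks at a base that is not a multiple of 32, so both fail; declaring them at the platform alignment (the effect of gathering them through manifest-driven ALIGN() directives, or of the 32-byte __attribute__ Ken mentions) makes the same layout pass.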