Hi Bohdan,

 

The size and position for stack buffers are aligned with specific values already (mostly 8 bytes but TZ Agent is 32 bytes), the linker script alignment should cover the alignments defined with __attribute in sources, so I think in general it should work in most of the cases, could you tell the problem in details after you changed TFM_LINKER_PSA_ROT_LINKER_DATA_ALIGNMENT or other settings?

 

The reason for not using manifest for these partitions is that these partitions are special, especially the agent partitions. Agent partitions have special IDs and flags (AGENT flags indicating they could call agent-specific API or won't get blocked forever), putting these flags in the manifest would remind users that they could apply these special settings as well -- but if we can apply some limitations when these settings are set, it is also acceptable (For example, provide a long-named option in the manifest to remind users they are touching unusual features when users set special flags, such as: "confirm_non_standard_settings: yes").

 

Trustzone NS Agent is much more special than mailbox agents. Mailbox agent has the capability to call agent-specific API, but TZ NS Agent is part of secure context management hence it couples with some ‘core’ work tightly, hence putting it with SPM together is more convenient, especially now we are applying the minimal isolation rules. In the future, if a system is powerful enough to isolate SPM and all other components, this TZ Agent needs to be updated fundamentally as well. But this won't block turn metadata it into manifests - the linker script and HAL API defines how the isolation rules and levels are applied, and manifests define the way how to manage partitions in a unified way.

 

Just as what you have described, if we are progressing quickly we can apply option 1. For option 2 we need a plan before going ahead.

 

Thanks.

 

/Ken

 

 

In isolation level 3 partitions code/data in linker script are gathered together and aligned using information from manifest files. Currently there are 2 partitions that are not using manifest files, and instead have hand written load_info.c files. These partitions are: NS agent trust zone and idle partition. 

When partition does not have manifest file then its code/data is not gathered together (as there is no manifest to provide needed information). This results in partition code/data being linked directly to SPM. Also code/data may be not correctly aligned (if platform requires special alignment for PSA/APP RoT partitions).

For example if platform define custom TFM_LINKER_PSA_ROT_LINKER_DATA_ALIGNMENT, NS agent TZ and idle partitions stacks will not be aligned properly.

 

This is a problem because resulting alignment is not sufficient for the platform, which means that functions that apply protections fail.

 

I see several solutions to this problem:

1. Add alignment to stack of these special partitions. Both the start and the size of the stack should be aligned to satisfy alignment requirements.
   This is fairly easy fix with small amount of changes. The problem is that code/data of these partitions will still be located in SPM code/data sections which is not ideal solution. I would say this is bare minimum solution, just to make things work.
2. Better solution might be to move these special partitions to now use manifest files. The problem I see is that these partition use special priorities values which are not supported by manifest tool. Also NS Agent TZ uses special PID = 0, which I believe is also not supported by manifest tool. I think this is more time consuming fix but overall this should result in better and easier to understand code.

 

Would be glad to hear a feedback on this topic.

 

Regards,

Bohdan Hunko

 

Cypress Semiconductor Ukraine

Engineer

CSUKR CSS ICW SW FW

Mobile: +38099 50 19 714
Bohdan.Hunko@infineon.com