Ken,
If I understand the proposal, I’m afraid the latency and overhead associated with every peripheral register access (read or write) would be completely unacceptable for our requirements.
Alan
On Oct 9, 2019, at 8:47 PM, Ken Liu (Arm Technology China) via TF-M tf-m@lists.trustedfirmware.org wrote:
Hi Alan,
The secure service is allowed to access some peripherals they want (introduce them in the manifest file), which means if you want to access a I2C device you can just (ALL CODE HERE IS PSEUDO CODE AND IS NOT REAL):
I2c_write (I2C_ADDR, SLAVE_ADDR, value);
While: I2c_write(addr, value) { *host_reg_slave_addr = addr; *host_reg_slave_data = value; *host_reg_control_go = 1; }
The reason of providing the SVC interface is because the APP RoT Service may want to access some registers but they could not because those registers may be set as privileged.
The secure service needs to handle the hardware driver in their own domain instead of putting all drivers into core.
So the in the handler there would be permission checking:
case SVC_ACCESS_RESOUCE: If (spm_check_address_ownership(addr, CURRENT_SP)) ret = do_access(addr, data, sz, flags);
And the IIC_WRITE was implemented as: I2c_write(addr, value) { *host_reg_slave_addr = addr; *host_reg_slave_data = value; *host_reg_control_go = 1; }
Now turned into: I2c_write(addr, value) { SVC_ACCESS(host_reg_slave_addr, addr, flag), SVC_ACCESS(host_reg_slave_data, value, flag), SVC_ACCESS(host_reg_control_go, 1, flag)}
But if you are saying that, there are some even more complex logics for example some I2C devices can be accessed under privileged only while all the rest can be accessed freely, yes, the interface I proposed is limited. In this case you can introduce the customized logic into core with some new SVC.
If the previous line is your case, please go on with the modification in the first mail, the modification looks okay, and let's discuss base on the patches.
Thanks.
/Ken
-----Original Message----- From: DeMars, Alan ademars@ti.com Sent: Thursday, October 10, 2019 11:14 AM To: Ken Liu (Arm Technology China) Ken.Liu@arm.com Cc: nd nd@arm.com Subject: RE: augmenting the SVC_Handler_IPC() to support custom services
I think the TFM_SVC_ACCESS_RESOURCE proposal is too limiting. What if (as is true in our case) there is a complex sequence of writes/reads and careful timing that must be performed to access a resource?
I'm not sure why TF-M is wanting/needing to limit what I can do with the secure SVC handler. You've claimed ownership of the standard mechanism for entering secure privileged mode and are more-or-less dictating the set of APIs that can be provided/implemented with this standard mechanism.
Alan
-----Original Message----- From: Ken Liu (Arm Technology China) [mailto:Ken.Liu@arm.com] Sent: Wednesday, October 9, 2019 7:47 PM To: DeMars, Alan Cc: nd Subject: [EXTERNAL] RE: augmenting the SVC_Handler_IPC() to support custom services
Hi Alan,
Since the peripheral accessing functionality is missing now, the way you mentioned would be the only choice. We got a plan to implement some function for accessing privileged resources, can you promote your function into a common implementation so that we could re-use your code for future development?
The proposed way would be: TFM_SVC_ACCESS_RESOURCE
And the parameter would be:
uintptr_t resource_addr /* The address you want to access */ void *p_user_buffer /* User-provided buffer */ size_t size /* size of user buffer */ uint32_t flags /* Flags, like read/write */
Or you can define a customized structure for the parameter (if you put more than 4 parameters svc_handler need to dispatch customized aapcs which makes life hard) when you are accessing some serial connected devices?
Thanks.
/Ken
-----Original Message----- From: DeMars, Alan ademars@ti.com Sent: Thursday, October 10, 2019 10:27 AM To: Ken Liu (Arm Technology China) Ken.Liu@arm.com Cc: nd nd@arm.com Subject: RE: augmenting the SVC_Handler_IPC() to support custom services
Ken,
There are certain resources that can only be interrogated in secure privilege mode on our platform. Nonetheless, unprivileged SP code (ie level 2) will need to be informed of content available in those privileged resources. As TFM has claimed ownership of the SVC handler, I need to extend that SVC handler to provide the functionality our SP services require.
Alan
-----Original Message----- From: TF-M [mailto:tf-m-bounces@lists.trustedfirmware.org] On Behalf Of Ken Liu (Arm Technology China) via TF-M Sent: Wednesday, October 9, 2019 7:04 PM To: tf-m@lists.trustedfirmware.org Cc: nd Subject: [EXTERNAL] Re: [TF-M] augmenting the SVC_Handler_IPC() to support custom services
Hi Alan,
Looks like you are working under IPC model, and you need something to do in core/spm. If you can provide more details then it will be great.
From the code change itself, it has no problem, I am planning a re-structure on this part so if there are issues we can fix them later one. But when we look at the service programming model, we need to know the newly added SVC function is really an 'spm/core' function.
Calling an SVC typically happen when we want to access privileged resource (registers or restricted memory), or some other customized behaviours. We need to be careful when we adding core functionalities because TF-M IPC model maintains a very small core and provide only necessary core functionalities (scheduling, spm). There are PSA RoT Services who has a higher privileged level already, and secure partition can access the peripheral they want.
Thanks.
/Ken
-----Original Message----- From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of DeMars, Alan via TF-M Sent: Thursday, October 10, 2019 4:38 AM To: 'tf-m@lists.trustedfirmware.org' tf-m@lists.trustedfirmware.org Subject: [TF-M] augmenting the SVC_Handler_IPC() to support custom services
I need to add custom SPM APIs to augment our SP services. Consequently, I need to extend the set of SVCs supported in SVC_Handler_IPC().
I propose to modify the SVC_Handler_IPC() function's 'default' handler to invoke a locally defined weak function such as below:
default: return (custom_ipc_svc_handlers(svc_num, ctx, lr));
__attribute__((weak)) int32_t custom_ipc_svc_handlers(tfm_svc_number_t svc_num, uint32_t *ctx, uint32_t lr) { LOG_MSG("Unknown SVC number requested!"); return PSA_ERROR_GENERIC_ERROR; }
This will allow a 'strong'ly defined custom_ipc_svc_handlers() function to be invoked if provided.
Is this OK?
Another approach is for me to hijack the root SVC handler in the secure vector table, but this seems too heavy handed to me.
Alan
TF-M mailing list TF-M@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m -- TF-M mailing list TF-M@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m -- TF-M mailing list TF-M@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m