Hi, For first point, we can take a security analysis on this part and check if there are vulnerabilities. The security requirement for these code are quite high, you can take 'memset' as example, it is read-only, caller stack based so no footprint would leave to another caller.
For seconds point, it is do-able -- but need big change everywhere; and it back to the per-partition library design while we move to isolation level 3.
-Ken
-----Original Message----- From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of David Wang (Arm Technology China) via TF-M Sent: Monday, March 25, 2019 5:57 PM To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M
Hi Ken, Some comments from security review's perspective.
- Using shared libraries may give the window to exploit the vulnerabilities. App
RoT can analyze the shared lib to find out the useable vulnerabilities for attacking PSA RoT.
- Is it a good idea to have two separate shared libs - one for all app RoT and one
for all PSA RoT for isolation level2? (can still share one copy for level1.)
Regards, David Wang Arm Electronic Technology (Shanghai) Co., Ltd Phone: +86-21-6154 9142 (ext. 59142)
-----Original Message----- From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Ken Liu (Arm Technology China) via TF-M Sent: Monday, March 25, 2019 5:05 PM To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M
Hi,
The document is updated due to a change in MPU regions part:
In original design, some partition libraries like 'thread_exit' is going to be linked with partition statically, which means there would be multiple copies of these libraries for each partition. This provided strict protection of isolation but it looks over-protect.
If we keep one shared code region for each partition to call these libraries, we could:
- Save memory
- The protection is enough if we mark the code area as read-only.
In this case, the unprivileged code and RO region needs to be kept and these shared codes could be put there. The requirement of these codes are:
- These codes must be thread safe and reentrant
- These codes must be put in read-only region
The change mainly happen under section "Linker script sections re-arrangement". Please help to comment.
Thanks!
-Ken
-----Original Message----- From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Ken Liu (Arm Technology China) via TF-M Sent: Thursday, March 21, 2019 3:20 PM To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: Re: [TF-M] [RFC] Design document of isolation level 2 on TF-M
Hi, The document is updated, and keep open for comments ; )
The updated content is:
- Available MPU regions for peripheral has number limitation based
on platform. If a SP needs many un-continuous peripheral registers and the number exceeds available MPU number, it needs further investigation. 2. Rely on linker to clean the unused object files instead of remove them in scatter before the dependency is fully figured out.
Thanks!
-Ken
From: Ken Liu (Arm Technology China) Sent: Tuesday, February 19, 2019 6:44 PM To: tf-m@lists.trustedfirmware.org Cc: nd nd@arm.com Subject: [RFC] Design document of isolation level 2 on TF-M
Hello, The first IPC implementation works under isolation level 1. The high isolation levels need to be there to get compatible with PSA Firmware Framework. A design document is created about implementing isolation level 2
for IPC model:
https://developer.trustedfirmware.org/w/tf_m/design/trusted_firmware- m_isolation_level_2/
The mainly change of isolation level 2 compare to isolation level 1 is:
- Put AppRoT Secure Partitions' components with same attribute (code,
read- only data, read-write data) into the same region, which helps MPU setting region attributes.
- Change Secure Partition privileged setting based on Secure Partition
type while scheduling.
- Change mechanism of privileged API, such as printf.
If you have any comments please share it. You can reply in mailing list if there is no place for putting comments on the page.
Thank you!
-Ken
-- TF-M mailing list TF-M@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m
-- TF-M mailing list TF-M@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m -- TF-M mailing list TF-M@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m
tf-m@lists.trustedfirmware.org
-
Ken Liu (Arm Technology China)