Hi Reinhard & Ken,
There are definitely some challenging trade-offs, and the right approach can depend on the system and use case.
PSA Firmware Framework is a architectural interface design for deployment on different CPU/SoC designs, and defines an interrupt framework that:
1. can be implemented on these different architectures 2. is aligned with the security & isolation principles of the Framework
PSA-FF does not stop an implementation (such as TF-M) from providing additional interrupt frameworks that provide lower-latency for some components. These will obviously be non-portable (to other PSA-FF implementations) and may have security trade-offs if the ISR runs in a privileged secure state to achieve performance requirements.
As you suggest, although it is possible to discuss the options in general - it is only possible to make good design decisions with real use cases for integrating hardware devices into the secure side of the system, and the required behaviour of the interrupt handlers.
There is a substantial evidence that weakening the isolation requirements is not typically balanced by keeping the critical code simple, reviewed and secure - based on the experience of TrustZone and other TEE software implementations. I agree that such careful code development is possible, but it is not normal (at the moment).
Regards, Andrew
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Reinhard Keil via TF-M Sent: 18 December 2019 13:49 To: tf-m@lists.trustedfirmware.org Subject: [TF-M] irq handling in library mode
Ken, thanks for the reply.
My take on that is that instead of adding overhead to ISR, ISR should be executed fast. For ISRs we should publish clear guidelines that explain potential side effects of ISR execution.
These guidelines should advocate that ISR is kept short, and workload is off-loaded to thread execution. How this is exactly done in secure side needs to be defined, as the RTOS (on non-secure side) might inconsistent and not be available.
What would be really good is to have typical ISR routines that execute in secure side. This would better allow us to judge what is really needed. I believe most of them are small anyway.
Reinhard IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
tf-m@lists.trustedfirmware.org