Hi Joseph,
On 04/04/2016 07:17 PM, Joseph Lee wrote:
Hi,
I used `dma_alloc_coherent()` as described in this thread (https://sourceforge.net/p/genode/mailman/message/34685275/) to allocate shared memory between the TrustZone worlds in the tz_vmm example on the i.MX53 QSB. It works well. But my question is: how do we prevent the normal world from modifying this shared buffer while it is being used by the secure world? Thanks in advance for answers.
this might be an issue in multi-processor environments only, where more than one core is used by the non-secure world. In the uni-processor case (the only one we have experimented with TrustZone on yet: Cortex-A8) either the secure world is running or the normal world. As long as you do not schedule the non-secure Linux it won't run, and this is in the hands of the VMM, which handles traps and calls from the VM and also makes it runnable again.
But even in the multi-processor case I would question whether this is a problem. In the normal case the guest OS should not touch the shared buffer after it has sent a request to the secure world. The VMM then copies the message out of the shared buffer and parses it. If the guest OS maliciously changes the shared buffer during the copy process, that would result in a broken message. But the guest OS could place such a malicious message there in the first place. The parsing routine of the VMM must be robust against any kind of content it gets anyway, similar to all kinds of input-data handlers for data from insecure sources (e.g. web form interpreters ...).
regards Stefan
Kind regards, Joseph
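The copy-then-parse pattern Stefan describes, as an added example in C that is not code from tz_vmm or from anyone in this thread: the VMM takes exactly one snapshot of the shared buffer into secure-world memory and validates only that private copy, so a guest rewriting the buffer afterwards (or between two reads of the same field) cannot change what gets parsed. The message layout, buffer size and opcode range are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout of one request in the shared buffer (not the tz_vmm format). */
#define SHARED_BUF_SIZE 64
#define MAX_PAYLOAD     (SHARED_BUF_SIZE - 2 * sizeof(uint32_t))
#define MAX_OPCODE      3

struct request {
    uint32_t opcode;
    uint32_t len;                 /* payload length claimed by the guest */
    uint8_t  payload[MAX_PAYLOAD];
};

/* Copy the whole shared buffer once, byte by byte, into secure memory.
 * The source is volatile: the guest may write it concurrently on another core,
 * so every byte is read exactly once and never re-fetched from the shared side. */
static void snapshot(const volatile void *shared, struct request *dst)
{
    const volatile uint8_t *src = (const volatile uint8_t *)shared;
    uint8_t *d = (uint8_t *)dst;
    for (size_t i = 0; i < sizeof *dst; i++)
        d[i] = src[i];
}

/* Returns the validated payload length, or -1 if the message is rejected.
 * All checks run against the private copy, so a later change in the shared
 * buffer cannot invalidate a check that already passed. */
int parse_request(const volatile void *shared, struct request *out)
{
    snapshot(shared, out);
    if (out->opcode > MAX_OPCODE) return -1;   /* unknown command */
    if (out->len > MAX_PAYLOAD)   return -1;   /* would overrun payload[] */
    return (int)out->len;
}

/* Constructed sample: a guest writing a request into the shared buffer. */
void guest_write_request(uint8_t *shared, uint32_t opcode, uint32_t len)
{
    memset(shared, 0, SHARED_BUF_SIZE);
    memcpy(shared, &opcode, sizeof opcode);
    memcpy(shared + sizeof opcode, &len, sizeof len);
}
```

The test below changes the shared length field after the snapshot was taken and checks that the already-parsed copy is unaffected, which is the property the double-fetch pattern (read length, then copy, then read length again) would lack.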
genode-main mailing list genode-main@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/genode-main