Hi
I am running the Genode VMM demo on i.mx53 QSB. I wanted to configure the secure world or tz_vmm to switch to the normal world periodically using a timer driver. It would be great if you could give me a hint how to do that. I think the board supports three timers (EPIT, GPT and watchdog).
Which timer is accessed and used by the guest OS (Linux) and which one is not? How to protect the Genode timer driver, as the normal world or Linux may interfere with it?
Thanks a lot!
Best regards, Christian
Hi Christian,
On 04/03/2017 01:24 AM, christian schulte wrote:
> Hi
> I am running the Genode VMM demo on i.mx53 QSB. I wanted to configure the secure world or tz_vmm to switch to the normal world periodically using a timer driver. It would be great if you could give me a hint how to do that.
Actually, one of the EPIT timers is already used by our kernel for scheduling. Thereby, you already enter the secure world regularly. If I remember correctly, the GPT timer is used by Linux for scheduling.
In general, you have to assign the corresponding timer device to be used by the secure world only, using the Central Security Unit (CSU), e.g. for GPT and EPIT 1 + 2 change this line:
repos/base-hw/src/core/include/spec/imx53/trustzone/csu.h:118
into:
write<Csl04::Slave_a>(Csl00::SECURE);
Unfortunately, all these timers EPIT 1 + 2 and GPT are assigned to the same bank in the CSU, which guards memory-mapped I/O access to peripherals. Therefore, you cannot differentiate in between those timers with regard to TrustZone access.
In our in-depth TrustZone article[1] that also describes the i.MX53 demonstrator, we mentioned:
"For our prototype, we partitioned the platform where easily feasible (e.g., for DDR memory, interrupts) but we did not attempt to implement device emulators. In the case of the clock and power management module, we decided to grant the normal world access to the devices, yet disabled code paths in the Linux kernel that would interfere with the liveliness of secure world. We feel that this approach is appropriate for a demonstrator. For building a real product, the decision would come down to an even-handed judgement."
A real solution implies that you have to change the Linux guest kernel to not touch any of those timers, and deny access of the "normal" world. Thereby, the VMM would receive a data-abort whenever Linux accesses one of these timers.
If you just want to experiment around, you can leave the cooperative usage of the timers in between both worlds as it is, but use the watchdogs for your experiment. They are guarded by Csl03::Slave_a and Csl03::Slave_b.
You can find all security-related register settings, like the CSU registers, in the "MCIMX53 Multimedia Applications Processor Security Reference Manual"; you have to follow the link in this forum[2].
Moreover, after extracting the timer access from the "normal" world, you have to configure the corresponding interrupt number to be a secure interrupt, otherwise it will still be delivered to Linux. Therefore, add your timer/watchdog interrupt number here:
repos/base-hw/src/core/spec/imx53/trustzone/platform_support.cc:31
I hope this clarifies your questions.
Regards Stefan
[1] https://genode.org/documentation/articles/trustzone
[2] https://community.nxp.com/thread/331611
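The CSU slot sharing described in the reply above, modelled as an added example (not code from the Genode tree or from either poster): it works out which CSL fields a request touches and which devices get locked as a side effect. The device-to-slot table follows the reply; the names WDOG1/WDOG2 and which watchdog sits behind Slave_a versus Slave_b are assumptions.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Device -> CSL field, as named in the reply. The WDOG1/WDOG2 split between
// Csl03::Slave_a and Csl03::Slave_b is an assumption made for illustration.
static const std::map<std::string, std::string> kSlotOf = {
    {"GPT",   "Csl04::Slave_a"},
    {"EPIT1", "Csl04::Slave_a"},
    {"EPIT2", "Csl04::Slave_a"},
    {"WDOG1", "Csl03::Slave_a"},
    {"WDOG2", "Csl03::Slave_b"},
};

struct Plan {
    std::set<std::string> slots_to_secure; // CSL fields to set to SECURE
    std::set<std::string> locked;          // every device that becomes secure-only;
                                           // each one's interrupt must be made secure too
    std::set<std::string> collateral;      // locked devices that were not requested
    bool ok = true;                        // false if a requested device is unknown
};

// Compute the effect of reserving the requested devices for the secure world.
Plan plan_secure(const std::vector<std::string>& wanted) {
    Plan p;
    const std::set<std::string> want(wanted.begin(), wanted.end());
    for (const auto& dev : want) {
        auto it = kSlotOf.find(dev);
        if (it == kSlotOf.end()) { p.ok = false; continue; }
        p.slots_to_secure.insert(it->second);
    }
    // A CSL field guards all devices behind it, so locking is per slot.
    for (const auto& kv : kSlotOf) {
        if (!p.slots_to_secure.count(kv.second)) continue;
        p.locked.insert(kv.first);
        if (!want.count(kv.first)) p.collateral.insert(kv.first);
    }
    return p;
}

// True if the plan removes a device the guest kernel still uses, i.e. the
// guest must be changed or the VMM will see data aborts on those accesses.
bool breaks_guest(const Plan& p, const std::set<std::string>& guest_uses) {
    for (const auto& dev : p.collateral)
        if (guest_uses.count(dev)) return true;
    return false;
}
```

Reserving only EPIT2 also locks EPIT1 and GPT, so a guest scheduling on GPT is affected; reserving a watchdog has no collateral.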