synchronization between normal and secure world

Norman Feske norman.feske at ...1...
Wed May 6 10:26:26 CEST 2015

Hi Stefan,

> It would be more suitable for my app to not do the critical action in
> normal world, but ask the secure world to do it. Then it would be
> synchronized as well, but only one world switch back and forth necessary.
> I think I have to bite the apple and implement what you mention, a mutex
> in a shared memory section. Do you have any further input for me
> according to this? Especially about the "mapped uncached" property?

I hope you don't mind me chiming in. I doubt that mutex-based
synchronization of a shared buffer between both worlds is the best way
forward. Instead, I would investigate a protocol similar to Genode's
synchronous bulk transfer approach as described in Section 3.6.5 of the
upcoming manual [1].

In short, while the normal world is active, it can freely access the
memory without the need for synchronization. To hand over the data to
the secure world, the normal world performs a secure method call (smc)
to the secure world. While the secure world is active, the normal world
cannot (by definition [2]) be active. So the secure world can safely
consume the data (e.g., by copying out the data from the shared buffer
to a private buffer). Once the secure world is finished, the smc call
returns, which implicitly hands back the "ownership" of the shared
buffer to the normal world. Would that approach possibly work for you?


[2] On the multi-processor system, this may not be true. Here, the
    normal world would need to perform the synchronization of smc calls.
    But this synchronization does not involve the secure world.

Dr.-Ing. Norman Feske
Genode Labs ·

Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth

More information about the users mailing list