Shared Memory in tz_vmm demo

[Stefan Kalkowski]

Hi Joseph,

On 04/04/2016 07:17 PM, Joseph Lee wrote:
> Hi,
> 
> I used "*dma_alloc_coherent( )"* as described in this thread (
> https://sourceforge.net/p/genode/mailman/message/34685275/) to allocate
> shared memory between the trustzone worlds in the tz_vmm example on i.mx53
> qsb. It works well. But my questions is how do we  prevent the normal world
> from modifying this shared buffer while it is being used by the secure
> world. Thanks in advance for answers.

this might be an issue in multi-processor environments only, where more
than one core is used by the non-secure world. In the uni-processor case
(the only one we experimented with TrustZone yet: CortexA8) either the
secure world is running, or the normal world. As long as you do not
schedule the non-secure Linux it won't run, and this is in the hands of
the VMM, which handles traps and calls from the VM, and also makes it
runnable again.

But even in the multi-processor case I would question whether this is a
problem. In the normal case the guest OS should not touch the shared
buffer after it send a request to the secure world. The VMM then copies
the message out of the shared buffer and parses it. If the guest OS
maliciously changes the shared buffer during the copy process that would
result in a broken message. But the guest OS could place such a
malicious message already in the first place. The parsing routine of the
VMM must be robust against any kind of content it gets anyway, similar
to all kind of input-data handlers from unsecure sources (e.g.: web
formular interpreter ...).

regards
Stefan

> 
> 
> 
> Kind regards,
> Joseph
> 
> 
> 
> ------------------------------------------------------------------------------
> 
> 
> 
> _______________________________________________
> genode-main mailing list
> genode-main at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/genode-main
> 

-- 
Stefan Kalkowski
Genode Labs

http://www.genode-labs.com/ · http://genode.org/