memory reference monitor in SW
Rijurekha Sen
rijurekha at ...71...
Fri Nov 11 17:07:42 CET 2016
I have an imx53 sabre tablet. I am trying to implement a reference monitor in SW, to create a trace for memory accesses from android running in NW.
I do not need to monitor all memory accesses, but those corresponding to IPU and I2C. I am actually interested in the OV5642 camera module - and want to monitor in SW all memory read/writes corresponding to android camera activities running in NW. Going through the android device driver code, saw that IPU and I2C do the memory related operations and configurations for the camera. In http://www.mit.edu/afs.new/sipb.mit.edu/project/freebsd/head/sys/gnu/dts/arm/imx53.dtsi, which matches the IMX53 reference manual, the IPU and three I2C physical address ranges are mentioned.
If I want to create a reference monitor for these physical memory addresses, should I mark these as secure memory? According to https://community.arm.com/thread/4852#15483, to just read/write NW pages, SW doesn’t need extra hardware configuration like TZASC, M4IF, TZPC or CSU. This is possibly what https://www.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/PubsPDF/mobisys16_restricted-spaces.pdf uses to check/modify android loaded in NW RAM. But my SW will need to know when NW is making a particular memory access, so the ability to passively read/write NW memory locations from SW isn’t useful.
How can I mark multiple blocks of physical address ranges (corresponding to memory mapped IO and not SRAM/DRAM) as secure? The M4IF seems to split the DDR external memory into two blocks. Should I use TZASC, as according to genode documentation - "Due to experimentation, we were able to deduct the following insights. The TZASC controller on the platform is used to secure physical address ranges that are addressable through the Static Memory Controller (SMC). In principal, it should be possible to secure another memory controller by a TZASC too, but on the platform, it is restricted to the SMC. These physical address regions correspond to the I/O resources of peripheral devices, some SRAM, and flash memory.” Or do I need to configure the CSU? What is the way to configure TZASC or CSU, to make particular physical address ranges secure?
When some physical memory is marked as secure, does NW access there cause a data abort? Does it automatically trap to monitor code, and SW can see what NW instruction caused it? I will need to record that access in SW, emulate that instruction in SW and give back control to NW. I understand that because IPU is needed for any display related activity (and accel/magnetometer/audio … all seem to be I2C devices), making those memory regions secure will cause android to fault even at booting. So I will possibly see the intended behavior, even without using the android camera.
Thanks in advance for any suggestions on how to proceed.
Thanks!
Riju
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.genode.org/pipermail/users/attachments/20161111/73e6bd59/attachment.html>
More information about the users
mailing list