Timers

[Stefan Kalkowski]

Hi Christian,

On 04/03/2017 01:24 AM, christian schulte wrote:
> Hi
> 
> I am running Genode VMM demo on i.mx53 QSB. I wanted to configure the
> secure world or tz_vmm to switch to the normal world periodically using
> timer driver. It would be great if you could give me a hint how to do that.

Actually, one of the EPIT timers is already used by our kernel for
scheduling. Thereby, you already enter the secure world regularily. If I
remember correctly the GPT timer is used by Linux for scheduling.

In general, you have to assign the corresponding timer device to be used
by the secure world only, using the Central Security Unit (CSU), e.g.
for GPT and EPIT 1 + 2 change this line:

  repos/base-hw/src/core/include/spec/imx53/trustzone/csu.h:118

into:

  write<Csl04::Slave_a>(Csl00::SECURE);

Unfortunately, all these timers EPIT 1 + 2 and GPT are assigned to the
same bank in the CSU, which guards memory-mapped I/O access to
peripherals. Therefore, you cannot differentiate in between those timers
with regard to TrustZone access.

In our in-depth TrustZone article[1] that also describes the i.MX53
demonstrator, we mentioned:

"For our prototype, we partitioned the platform where easily feasible
(e.g., for DDR memory, interrupts) but we did not attempt to implement
device emulators. In the case of the clock and power management module,
we decided to grant the normal world access to the devices, yet disabled
code paths in the Linux kernel that would interfere with the liveliness
of secure world. We feel that this approach is appropriate for a
demonstrator. For building a real product, the decision would come down
to an even-handed judgement."

A real solution implies that you have to change the Linux guest kernel
to not touch any of those timers, and deny access of the "normal" world.
Thereby, the VMM would receive a data-abort whenever Linux accesses one
of these timers.

If you just want to experiment around, you can leave the cooperative
usage of the timers in between both worlds as it is, but use the
watchdogs for your experiment. They are guarded by Csl03::Slave_a and
Csl03::Slave_b.

You can find all security related register settings, like the CSU
registers, in the "MCIMX53 Multimedia Applications Processor Security
Reference Manual", you have to follow the link in this forum[2].

Moreover, after extracting the timer access from the "normal" world, you
have to configure the corresponding interrupt number to be a secure
interrupt, otherwise it will still be delivered to Linux. Therefore, add
your timer/watchdog interrupt number here:

  repos/base-hw/src/core/spec/imx53/trustzone/platform_support.cc:31

I hope this clarifies your questions.

Regards
Stefan

[1] https://genode.org/documentation/articles/trustzone
[2] https://community.nxp.com/thread/331611

> I think the board supports three timers (EPIT, GPT and watchdog).
> 
> Which timer is accessed and used by the guest OS (Linux) and which one
> is not. How to protect the Genode timer driver as the normal world or
> Linux may interfere with it?
> 
> Thanks a lot!
> 
> Best regards,
> Christian
> 
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> 
> 
> 
> _______________________________________________
> genode-main mailing list
> genode-main at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/genode-main
> 

-- 
Stefan Kalkowski
Genode Labs

https://github.com/skalk · http://genode.org/