reduce genode TCB

rijurekha at ...71...
Fri Aug 4 09:52:16 CEST 2017

We have built a trap and emulation secure world application based on the
Genode tz_vmm demo, to run on the IMX53 QSB and Sabre Tablet. This allows
us to handle applications like reliably turning on/off some peripherals.
E.g. for Bluetooth radio, we make GPIO 3/4 secure in CSU. When Android
tries to turn on Bluetooth, we get an external data abort in secure world
for which we do nothing and give back control. Android gives up after a
few retries. For other peripherals that use GPIO 3/4 and therefore share
the CSU setting, we also get the external abort, but we emulate the
instruction in secure world before giving back control to Linux.

The current secure world has 27539 LOC. The baseline can be,
which also turned on/off peripherals, rewriting normal world device
drivers from secure world. It has only about 4K LoC in TCB (section 6 para
2 and 3).

Looking at the .d files in hw_imx53 with sloc, we get the following
break-down. The bulk of the code is coming from the Genode OS framework. The
question I have is: does the tz_vmm demo minimally use Genode components?
If yes, then maybe this is the best TCB size we can expect? If not, then
what are some parts that can be cut down?


Secure world user space component tz_vmm (~3.5K LoC)
(1) loads and monitors the normal world linux in original genode demo,
we added our instruction emulation code here - 1353 LoC
(2) ARM instruction decoding library DARM - 2070 LoC

Hardware related files (~2.5K LoC)

Genode OS: (~19K LoC)
(1) C/C++ standard library functions, data structures, other programming
utilities - 2634 LoC
(2) Memory allocation and management - 2710 LoC
(3) Device access - 707 LoC
(4) Thread and synchronization - 1768 LoC
(5) CPU - 1286 LoC
(6) Debugging - 1248 LoC
(7) Inter-Process Communication - 2595 LoC
(8) Client server framework - 406 LoC
(9) Other stuff ....
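A C model of the trap-and-emulate decision described in the post, added here as an illustration rather than taken from the tz_vmm demo or Genode: the region table, register file and MMIO addresses are constructed, and the handler decodes only word LDR/STR with an immediate offset (A1 encoding).

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the Genode tz_vmm demo: a model of the
 * secure-world data-abort policy the post describes. Addresses, the
 * register layout and the two regions are constructed for illustration. */

enum policy { POLICY_DENY, POLICY_EMULATE };
struct region { uint32_t base, size; enum policy pol; };

/* Constructed secured MMIO: a denied "radio" block and a shared block
 * whose accesses are emulated so other drivers keep working. */
static const struct region secured[] = {
    { 0x53F80000u, 0x100u, POLICY_DENY    },
    { 0x53F80100u, 0x100u, POLICY_EMULATE },
};
#define DEV_BASE 0x53F80000u
static uint32_t dev_regs[0x200 / 4];   /* stands in for the real device */

struct vcpu { uint32_t r[16]; };       /* normal-world r0..r14, pc = r[15] */

static const struct region *lookup(uint32_t addr) {
    for (size_t i = 0; i < sizeof secured / sizeof *secured; i++)
        if (addr - secured[i].base < secured[i].size) return &secured[i];
    return NULL;
}

uint32_t dev_reg(uint32_t addr) { return dev_regs[(addr - DEV_BASE) / 4]; }

/* Called with the aborting instruction word and the fault address (DFAR).
 * Returns 0 when handled, -1 if the address is not a secured region,
 * -2 if the instruction is not a word LDR/STR with immediate offset. */
int handle_data_abort(struct vcpu *cpu, uint32_t insn, uint32_t dfar) {
    const struct region *r = lookup(dfar);
    if (!r) return -1;
    /* A1 encoding: bits[27:25]=010, P=1, B=0, W=0; L (bit 20) selects load. */
    if ((insn & 0x0F600000u) != 0x05000000u) return -2;
    unsigned rt = (insn >> 12) & 0xF;
    if (r->pol == POLICY_EMULATE) {
        if (insn & 0x00100000u) cpu->r[rt] = dev_reg(dfar);
        else dev_regs[(dfar - DEV_BASE) / 4] = cpu->r[rt];
    }
    /* POLICY_DENY: no device access; the access is silently dropped. */
    cpu->r[15] += 4;                  /* skip the instruction, resume Linux */
    return 0;
}
```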
