Hi,大家好。
我们团队花了很长时间实现了基于ARM TrustZone的安全内核T6:t6_overview,现在代码已进入稳定版本,目前支持三星SoC、ARM Versatile Express,正在支持Freescale,T6正计划开源,但不知道国内这方面的需求怎么样。
板上大神不少,希望大家能给出点意见或批评,让我们能够有动力将T6一直维护下去。
谢谢。
Hi Wenhao,
Great work! I am interested in your work. Some questions:
1) Do you support multi-core for TZ mode? How's your TZ app scheduling work? Is the whole TZ including all apps a single thread in Linux kernel ? or It is separated from Linux scheduling?
2) What's your interrupt handling policy? FIQ for TZ , IRQ for NW? How do you process NW IRQ when ARM is in TZ mode?
3) Is your TZ code, data stacks protected by TZASC secure memory ?
4) Assuming your TZ app has its own memory space, do you have standard interface for shared memory between NW and TZ? Or do you use GP TEE API?
5) Can different TZA talk to each other? Can they share memory?
6) Do you provide periodic timer FIQ to your TZ?
Thanks,
Ochaoboy
Hi Ochaoboy,
1. Yes. For multicore support, T6 runs in the primary CPU while Rich OS runs in all CPUs. T6 applications are scheduled by a trusted timer separately.
2. Yes, FIQ for TZ and IRQ for NW. In a uniprocessor, T6 maintains a GIC vector table for secure and normal world separately. When in secure world, only the interested interrupts are enabled, all others are disabled until switching back to normal world. Though there is a more elegant way to do this in muliprocessor, we have implemented this yet.
3. Of course they should be protected by TZASC. And the secure peripherals, such as the trusted timer, should be set as secure by TZPC.
4. We have our own shared memory mechanism. GP TEE API is too complex to use, we take a simple way. In T6, communication between NW and SW is like IPC.
5. No, they are totally separated.
6. Yes, the trusted timer mentioned above.
Thanks for the reply, some more questions:
So it seems T6 only runs in one CPU (for example CPU0). And you have another timer FIQ triggering T6 task scheduling?
What's the relation between the Linux timer (10ms) and your FIQ timer? If T6 has lots of work to do, will it stop Linux timer IRQ?
How can other normal world task submit command to your T6 trustlet? If other CPU wants to get service from T6, they have to place request in shared mem and submit to T6 ?
And you have a Stub thread in CPU0 waiting to get commands from other CPUs?
This is not a good design, you should turn on IRQ processing even if T6 runs in secure world.
There are many software real time requests in Linux, especially for media player etc.
GP TEE API is very clean and simple. So how do you transfer large buffer in NW to SW using your API?
It seems that your Trustlet runs in its own address, so I assume you have some mechanism to populate SW page tables to map a Linux NW virtual address to your Trustlet virtual address..
Or you just pass physical address instead from NW to SW?
Trustzone is a promising area and so far there are only few companies (Trustsonic, Dixcrex) have Trustzone solution.
I recommend you to go on working to make T6 with product ready quality.
I can't see your source code, but based on all the information, I'd suggest the following things:
1) Use GP TEE APIs , this is an industry standard, you can't use your own proprietary APIs
2) Improve your memory management , make sure the shared memory NW/SW are well designed
3) Do not mask IRQ handling in SW, this is critical, your T6 will not be usable if you mask IRQ in SW
ochaoboy
Really helpful and valuable reply, thanks. Here are my comments:
1. T6 has two ways to handle scheduling, the first one is reserve a FIQ timer, the second one is to use non-preemptive scheduling if you don't want to modify non-secure kernel. We put FIQ timer a higher priority that Linux timer IRQ. Communication between worlds has synchronized and asynchronized ways: invoke SMC directly or through an interrupt.
2. Maybe that is not a good design, but we sometimes got too many interrupts when switching to secure world, that is why we currently disable most of IRQs that we don't care.
4. We provide shared memory mechanism, it is Trustlet's responsibility to decide how to handle its buffers. T6 maintains the mapping of secure and non-secure memory in Trustlet's page table.
We may provide GP TEE API as an alternative lib in the future.
Currently, we are: 1) trying to remove the board specific NDA codes and refine project configuration for public download, as we could not come up with a better approach, 2) solving L2 cache issue, some parts of which needs to be initialized in secure world. It may take some days since we are busy preparing some exams...
Thanks Ochaoboy.
Wenhao
很好的方法,祝考试取得好成绩。
祝LZ考试得高分