ARM TrustZone monitor mode switch design


Question

The basic world switch flow is:

set FIQ to monitor mode

  1. normal world -> FIQ triggered
  2. -> enter monitor mode (switch to "secure world", restore the "secure world" context)
  3. -> in secure world sys mode
  4. -> FIQ not cleared, enter the FIQ handler in the secure world

Steps 3 and 4: after we restore the target context, will ARM trigger the exception to enter the exception handler? Is that behavior correct (if we don't branch to the FIQ handler in the monitor mode vector table)?

We need a flow like the one below (the no-world-context-switch case: just enter monitor mode to check whether we need a world switch, and enter the IRQ exception from monitor mode directly. We need this because of a hardware limitation: we only have IRQ in our chip).

set IRQ to monitor mode

  1. normal world user mode -> IRQ triggered
  2. -> enter monitor, do what we want to do, check whether we need a context switch, prepare some spsr/lr for IRQ mode
  3. -> enter IRQ mode of the normal world, IRQ handling
  4. -> IRQ done, return to user mode

For the non-world-switch case, we would like the normal world OS to not know about the monitor mode, as though it entered IRQ mode directly and returned from IRQ mode. For the world switch case, just switch it in the monitor mode.

Or should it just do the irq_handle in the monitor mode?

e.g.
normal world OS usr mode -> irq -> usr mode
normal world OS usr mode -> monitor to irq handler -> usr mode

Is the design flow possible?

Answer

Is the flow possible and well designed?

It is possible. 'Well designed' is subjective. It has several fails or non-ideal issues. I guess your system doesn't have a GIC, which is a TrustZone-aware interrupt controller. The GIC has banked registers which allow the normal world OS to use it (almost) as if it was in the secure world.

It is not clear from your question whether you want the secure world to have interrupts. I am guessing from the statement 'for non-world switch case...'. If you only have interrupts handled by the normal world, things are simple. Don't branch to monitor mode on an IRQ (or FIQ). There is a register to set this behaviour (SCR/security configuration register).

For the dual world interrupt case, you have two issues.

  1. You need to trust the normal OS.
  2. Interrupt latency will increase.

You must always take the interrupt in monitor mode. The monitor must check the interrupt controller source to see what world the interrupt belongs to. It may need to do a world switch depending on the world. This will increase interrupt latency. As well, both the normal and secure world will be dealing with the same interrupt controller registers. So you have malicious security concerns and non-malicious race conditions with multiple interrupt drivers trying to manipulate registers (RMW). Generally, if your chip doesn't have a GIC, but the CPU supports TrustZone, then your system hasn't been well thought through for TrustZone use. The L1/L2 cache controllers must also be TrustZone aware and you possibly have issues there as well.

If you have Linux (or some other open source OS in the normal world), it would be better to replace the normal world interrupt driver with a 'virtual' interrupt driver. The normal world virtual IRQ code would use the SMC instruction to set virtual registers and register IRQ routines for specific interrupts. The secure world/monitor IRQ code would then branch directly to the decoded IRQ routine.

With a GIC, set the group 0 (secure world) interrupts as FIQ and group 1 (normal world) as IRQ using the GICC_CTLR bit FIQEnb. I.e., you classify the interrupts with the DIST in the GIC to be either secure or normal (and therefore FIQ/IRQ).

You have to work through scheduling issues and how you want the different OSes to pre-empt. Normally (easiest) is to always have the secure OS running, but this means that some Linux (normal world) interrupts may be very delayed by the secure world (RTOS) main line code.
