Discussion:
[TZ_VMM] - i.MX53 QSB
Tiago Brito
2016-05-25 14:56:56 UTC
Hi, I have an i.MX53 QSB development board and I want to experiment with
ARM TrustZone.

I'm a beginner with regards to genode and kernel development in general.

I was able to run tz_vmm on the QSB and interact with the linux which runs
in normal world. What I want to do next is a fairly simple system where
inside linux I can call an SMC and switch to the secure world, then whilst
in secure world print something (like "Hello From Secure World" and also
print some argument from the normal world) and then go back to linux.

I have read some of the messages in the mailing list and I noticed some of
you (other mailing list subscribers) already achieved similar communication
protocols but because I'm new to genode I don't know where to start.

I know I probably have to create a kernel module for the linux running in
normal world so I can call SMC from a userspace application, but I don't
know how to do that since I don't see where the linux is being compiled for
genode [1]. Do I have to compile another linux? How do I incorporate this
new linux version to work with genode?

Besides this I also don't know where to start modifying tz_vmm in order to
achieve my goals. I know where tz_vmm's code is but I don't know where to
start changing it. I have also seen some mailing list questions regarding
the world switch from secure world to normal world. It seems that from
normal to secure you should call an SMC, but from secure to normal the
monitor mode implementation cannot handle entries from the secure world and
thus no SMC can be called directly [2].

Can you give me some feedback on how to achieve these things on the i.MX53
QSB?

Thanks in advance, Tiago

[1] - https://sourceforge.net/p/genode/mailman/message/33244107/
[2] - https://sourceforge.net/p/genode/mailman/message/34244066/
Stefan Kalkowski
2016-05-31 09:35:01 UTC
Hello Tiago,
Post by Tiago Brito
Hi, I have an i.MX53 QSB development board and I want to experiment with
ARM TrustZone.
I'm a beginner with regards to genode and kernel development in general.
I was able to run tz_vmm on the QSB and interact with the linux which runs
in normal world. What I want to do next is a fairly simple system where
inside linux I can call an SMC and switch to the secure world, then whilst
in secure world print something (like "Hello From Secure World" and also
print some argument from the normal world) and then go back to linux.
I have read some of the messages in the mailing list and I noticed some of
you (other mailing list subscribers) already achieved similar communication
protocols but because I'm new to genode I don't know where to start.
Well, the very first pointer to gain more understanding of this concrete
scenario is to read the detailed documentation of it:

http://genode.org/documentation/articles/trustzone

Most of your questions, e.g., how to build the Linux kernel?, or is it a
modified Linux kernel? are already answered there.
Post by Tiago Brito
I know I probably have to create a kernel module for the linux running in
normal world so I can call SMC from a userspace application, but I don't
know how to do that since I don't see where the linux is being compiled for
genode [1]. Do I have to compile another linux? How do I incorporate this
new linux version to work with genode?
Actually the Linux kernel version you are using when executing the
tz_vmm run-script already issues SMC calls that switch to the secure
world, where the VMM handles those calls and afterwards returns to the
normal world.
Post by Tiago Brito
Besides this I also don't know where to start modifying tz_vmm in order to
achieve my goals. I know where tz_vmm's code is but I don't know where to
start changing it. I have also seen some mailing list questions regarding
the world switch from secure world to normal world. It seems that from
normal to secure you should call an SMC, but from secure to normal the
monitor mode implementation cannot handle entries from the secure world and
thus no SMC can be called directly [2].
The typical activity flow is:

* Linux kernel issues an SMC call, e.g., to tell the VMM where its
framebuffer is located in physical memory [1]
* the HW kernel of Genode receives an exception, pauses the Linux VM,
and delivers a signal to the related VMM [2]
* the VMM receives the signal that the VM got paused due to an SMC
call [3]
* the VMM informs the HW kernel that the VM should be executed again
after handling the call [4]
* next time the scheduler of the HW kernel chooses the VM, it issues a
world-switch to it [5]

Regards
Stefan

[1]
https://github.com/skalk/linux/blob/bc1707a23a9770cf080a1b87b4f553a2a39ac636/drivers/video/mxc/mxc_ipuv3_fb.c#L339
[2]
https://github.com/genodelabs/genode/blob/master/repos/base-hw/src/core/spec/arm_v7/trustzone/kernel/vm.cc#L52
[3]
https://github.com/genodelabs/genode/blob/master/repos/os/src/server/tz_vmm/spec/imx53/main.cc#L95
[4]
https://github.com/genodelabs/genode/blob/master/repos/os/src/server/tz_vmm/spec/imx53/main.cc#L119
[5]
https://github.com/genodelabs/genode/blob/master/repos/base-hw/src/core/spec/arm_v7/trustzone/kernel/vm.cc#L72
Post by Tiago Brito
Can you give me some feedback on how to achieve these things on the i.MX53
QSB?
Thanks in advance, Tiago
[1] - https://sourceforge.net/p/genode/mailman/message/33244107/
[2] - https://sourceforge.net/p/genode/mailman/message/34244066/
--
Stefan Kalkowski
Genode Labs

http://www.genode-labs.com/ · http://genode.org/
Tiago Brito
2016-05-31 10:52:50 UTC
2016-05-31 10:35 GMT+01:00 Stefan Kalkowski <
Post by Stefan Kalkowski
Hello Tiago,
Hi Stefan, thanks for your response. It really helps!
Post by Stefan Kalkowski
Post by Tiago Brito
Hi, I have an i.MX53 QSB development board and I want to experiment with
ARM TrustZone.
I'm a beginner with regards to genode and kernel development in general.
I was able to run tz_vmm on the QSB and interact with the linux which runs
in normal world. What I want to do next is a fairly simple system where
inside linux I can call an SMC and switch to the secure world, then whilst
in secure world print something (like "Hello From Secure World" and also
print some argument from the normal world) and then go back to linux.
I have read some of the messages in the mailing list and I noticed some of
you (other mailing list subscribers) already achieved similar communication
protocols but because I'm new to genode I don't know where to start.
Well, the very first pointer to gain more understanding of this concrete
http://genode.org/documentation/articles/trustzone
Most of your questions, e.g., how to build the Linux kernel?, or is it a
modified Linux kernel? are already answered there.
I read this and I now understand the flow which makes tz_vmm work.
Post by Stefan Kalkowski
Post by Tiago Brito
I know I probably have to create a kernel module for the linux running in
normal world so I can call SMC from a userspace application, but I don't
know how to do that since I don't see where the linux is being compiled for
genode [1]. Do I have to compile another linux? How do I incorporate this
new linux version to work with genode?
Actually the Linux kernel version you are using when executing the
tz_vmm run-script already issues SMC calls that switch to the secure
world, where the VMM handles those calls and afterwards returns to the
normal world.
I understand this, but is there a way to make a user-level application
trigger an SMC (with an identifier) so that the secure world, after
trapping the SMC, can do something accordingly?

What I read from other posts is that I have to change tz_vmm's Linux in
order to support this.
I think other people from this mailing list already did so by adding system
calls or kernel modules which trigger the SMC.
This way my user-level application can use this system call/kernel module
in order to manually switch to the secure world.
Post by Stefan Kalkowski
Post by Tiago Brito
Besides this I also don't know where to start modifying tz_vmm in order to
achieve my goals. I know where tz_vmm's code is but I don't know where to
start changing it. I have also seen some mailing list questions regarding
the world switch from secure world to normal world. It seems that from
normal to secure you should call an SMC, but from secure to normal the
monitor mode implementation cannot handle entries from the secure world and
thus no SMC can be called directly [2].
* Linux kernel issues an SMC call, e.g., to tell the VMM where its
framebuffer is located in physical memory [1]
* the HW kernel of Genode receives an exception, pauses the Linux VM,
and delivers a signal to the related VMM [2]
* the VMM receives the signal that the VM got paused due to an SMC
call [3]
* the VMM informs the HW kernel that the VM should be executed again
after handling the call [4]
* next time the scheduler of the HW kernel chooses the VM, it issues a
world-switch to it [5]
From tz_vmm's code I understand that both r0 and r1 registers can be used
as arguments for the SMC, which solves the identifier problem I mentioned.
This way I can change tz_vmm so that when the SMC triggered by the
user-level app is caught I can print something to the serial console.
Post by Stefan Kalkowski
Regards
Stefan
Thanks again!

Best Regards, Tiago
Post by Stefan Kalkowski
[1]
https://github.com/skalk/linux/blob/bc1707a23a9770cf080a1b87b4f553a2a39ac636/drivers/video/mxc/mxc_ipuv3_fb.c#L339
[2]
https://github.com/genodelabs/genode/blob/master/repos/base-hw/src/core/spec/arm_v7/trustzone/kernel/vm.cc#L52
[3]
https://github.com/genodelabs/genode/blob/master/repos/os/src/server/tz_vmm/spec/imx53/main.cc#L95
[4]
https://github.com/genodelabs/genode/blob/master/repos/os/src/server/tz_vmm/spec/imx53/main.cc#L119
[5]
https://github.com/genodelabs/genode/blob/master/repos/base-hw/src/core/spec/arm_v7/trustzone/kernel/vm.cc#L72
Post by Tiago Brito
Can you give me some feedback on how to achieve these things on the i.MX53
QSB?
Thanks in advance, Tiago
[1] - https://sourceforge.net/p/genode/mailman/message/33244107/
[2] - https://sourceforge.net/p/genode/mailman/message/34244066/
Stefan Kalkowski
2016-05-31 12:18:42 UTC
Hello Tiago,
Post by Tiago Brito
2016-05-31 10:35 GMT+01:00 Stefan Kalkowski <
Post by Stefan Kalkowski
Hello Tiago,
Hi Stefan, thanks for your response. It really helps!
Post by Stefan Kalkowski
Post by Tiago Brito
Hi, I have an i.MX53 QSB development board and I want to experiment with
ARM TrustZone.
I'm a beginner with regards to genode and kernel development in general.
I was able to run tz_vmm on the QSB and interact with the linux which runs
in normal world. What I want to do next is a fairly simple system where
inside linux I can call an SMC and switch to the secure world, then whilst
in secure world print something (like "Hello From Secure World" and also
print some argument from the normal world) and then go back to linux.
I have read some of the messages in the mailing list and I noticed some of
you (other mailing list subscribers) already achieved similar communication
protocols but because I'm new to genode I don't know where to start.
Well, the very first pointer to gain more understanding of this concrete
http://genode.org/documentation/articles/trustzone
Most of your questions, e.g., how to build the Linux kernel?, or is it a
modified Linux kernel? are already answered there.
I read this and I now understand the flow which makes tz_vmm work.
Post by Stefan Kalkowski
Post by Tiago Brito
I know I probably have to create a kernel module for the linux running in
normal world so I can call SMC from a userspace application, but I don't
know how to do that since I don't see where the linux is being compiled for
genode [1]. Do I have to compile another linux? How do I incorporate this
new linux version to work with genode?
Actually the Linux kernel version you are using when executing the
tz_vmm run-script already issues SMC calls that switch to the secure
world, where the VMM handles those calls and afterwards returns to the
normal world.
I understand this, but is there a way to make a user-level application
trigger an SMC (with an identifier) so that the secure world, after
trapping the SMC, can do something accordingly?
What I read from other posts is that I have to change tz_vmm's Linux in
order to support this.
I think other people from this mailing list already did so by adding system
calls or kernel modules which trigger the SMC.
This way my user-level application can use this system call/kernel module
in order to manually switch to the secure world.
Incorporating an interface into the Linux kernel so that a user-land
program can communicate with a kernel subsystem is really beyond the
scope of this mailing-list. Moreover, there are plenty of resources
about such topics that can be found on the web.

Anyway, I think there are probably different approaches for this. I
would build a Linux kernel module that provides a file with a
corresponding ioctl interface. Maybe there is a more convenient way to
do so, but this is the path I would follow being in your position.

In all scenarios we built, communication to the secure world was
initiated within Linux kernel subsystems only.
Post by Tiago Brito
Post by Stefan Kalkowski
Post by Tiago Brito
Besides this I also don't know where to start modifying tz_vmm in order to
achieve my goals. I know where tz_vmm's code is but I don't know where to
start changing it. I have also seen some mailing list questions regarding
the world switch from secure world to normal world. It seems that from
normal to secure you should call an SMC, but from secure to normal the
monitor mode implementation cannot handle entries from the secure world and
thus no SMC can be called directly [2].
* Linux kernel issues an SMC call, e.g., to tell the VMM where its
framebuffer is located in physical memory [1]
* the HW kernel of Genode receives an exception, pauses the Linux VM,
and delivers a signal to the related VMM [2]
* the VMM receives the signal that the VM got paused due to an SMC
call [3]
* the VMM informs the HW kernel that the VM should be executed again
after handling the call [4]
* next time the scheduler of the HW kernel chooses the VM, it issues a
world-switch to it [5]
From tz_vmm's code I understand that both r0 and r1 registers can be used
as arguments for the SMC, which solves the identifier problem I mentioned.
This way I can change tz_vmm so that when the SMC triggered by the
user-level app is caught I can print something to the serial console.
In general you can use all general-purpose registers, as long as you
preserve them, to communicate between both worlds. What kind of protocol
you use, and how the VMM reacts to SMC is up to you.

Regards
Stefan
Post by Tiago Brito
Post by Stefan Kalkowski
Regards
Stefan
Thanks again!
Best Regards, Tiago
Post by Stefan Kalkowski
[1]
https://github.com/skalk/linux/blob/bc1707a23a9770cf080a1b87b4f553a2a39ac636/drivers/video/mxc/mxc_ipuv3_fb.c#L339
[2]
https://github.com/genodelabs/genode/blob/master/repos/base-hw/src/core/spec/arm_v7/trustzone/kernel/vm.cc#L52
[3]
https://github.com/genodelabs/genode/blob/master/repos/os/src/server/tz_vmm/spec/imx53/main.cc#L95
[4]
https://github.com/genodelabs/genode/blob/master/repos/os/src/server/tz_vmm/spec/imx53/main.cc#L119
[5]
https://github.com/genodelabs/genode/blob/master/repos/base-hw/src/core/spec/arm_v7/trustzone/kernel/vm.cc#L72
Post by Tiago Brito
Can you give me some feedback on how to achieve these things on the i.MX53
QSB?
Thanks in advance, Tiago
[1] - https://sourceforge.net/p/genode/mailman/message/33244107/
[2] - https://sourceforge.net/p/genode/mailman/message/34244066/
--
Stefan Kalkowski
Genode Labs

http://www.genode-labs.com/ · http://genode.org/
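
Added example, not code from this thread or from Genode: a host-runnable C++ model of the secure-world side of the register protocol discussed above (r0 as function identifier, r1 and further registers as arguments). `Vm_state`, the `SMC_*` ids and return codes, and the RAM window are hypothetical; the handler treats guest registers as untrusted input, rejects unknown ids, bounds-checks any address it is handed, and writes back only r0.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical snapshot of the paused VM's general-purpose registers r0-r12.
struct Vm_state { uint32_t r[13]; };

// Hypothetical protocol: r0 = function id, r1/r2 = arguments, result in r0.
enum : uint32_t { SMC_HELLO = 1, SMC_SHARE_BUF = 2 };
enum : uint32_t { SMC_OK = 0, SMC_EUNKNOWN = 0xffffffffu, SMC_ERANGE = 0xfffffffeu };

// Constructed normal-world RAM window; a real VMM takes this from its config.
constexpr uint32_t NW_RAM_BASE = 0x80000000u, NW_RAM_SIZE = 0x10000000u;

// True only if [addr, addr+len) lies entirely inside normal-world RAM.
// Avoids computing addr+len so a huge length cannot wrap around.
bool in_normal_ram(uint32_t addr, uint32_t len)
{
    if (len == 0 || addr < NW_RAM_BASE) return false;
    uint32_t const off = addr - NW_RAM_BASE;
    return off < NW_RAM_SIZE && len <= NW_RAM_SIZE - off;
}

// Runs while the VM is paused after an SMC; the caller resumes the VM afterwards.
// Only r0 is written back; every other register stays as the guest left it.
void handle_smc(Vm_state &vm)
{
    uint32_t const id = vm.r[0], a1 = vm.r[1], a2 = vm.r[2];
    switch (id) {
    case SMC_HELLO:
        std::printf("Hello from secure world, arg=0x%x\n", (unsigned)a1);
        vm.r[0] = SMC_OK;
        break;
    case SMC_SHARE_BUF: // a1 = physical address, a2 = length, both untrusted
        vm.r[0] = in_normal_ram(a1, a2) ? SMC_OK : SMC_ERANGE;
        break;
    default:            // unknown ids are rejected
        vm.r[0] = SMC_EUNKNOWN;
    }
}

// Test helper: returns the r0 value the guest would see after the call.
uint32_t smc(uint32_t id, uint32_t a1 = 0, uint32_t a2 = 0)
{
    Vm_state vm{};
    vm.r[0] = id; vm.r[1] = a1; vm.r[2] = a2;
    handle_smc(vm);
    return vm.r[0];
}

int main() { return smc(SMC_HELLO, 42) == SMC_OK ? 0 : 1; }
```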