mirror of https://github.com/ARMmbed/mbed-os.git
[M2351] Override NS interface by locking kernel scheduler
Lock kernel scheduler rather than mutex to guarantee serialization of NS secure callspull/10959/head
Chun-Chieh Li
parent
dec84ede7e
commit
a0a1c4d52c
|
|
@ -0,0 +1,157 @@
|
|||
/*
|
||||
* Copyright (c) 2019, Nuvoton Technology Corporation
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include <stdint.h>
|
||||
#include <stdbool.h>
|
||||
#include "cmsis.h"
|
||||
#include "cmsis_os2.h"
|
||||
#include "tfm_ns_lock.h"
|
||||
#include "mbed_critical.h"
|
||||
#include "mbed_assert.h"
|
||||
#include "mbed_error.h"
|
||||
|
||||
/* Approach to serialization of NS secure calls required by TF-M secure world
|
||||
*
|
||||
* Default implementation of NS interface uses mutex to meet the requirement,
|
||||
* but it cannot support NS secure call in interrupt-disabled context. Instead,
|
||||
* in this override, NS secure call is guaranteed to be non-preemptive during
|
||||
* this period by locking kernel scheduler. Apparently, this approach has one
|
||||
* weakness: all other threads are also locked during this period. Until there's
|
||||
* a better approach coming out, we can just use this expedient one.
|
||||
*
|
||||
* For the 'lock kernel scheduler' approach to work thoroughly, we must also
|
||||
* address some side issues:
|
||||
*
|
||||
* - Prohibit NS secure call from ISR except SVC, so non-preemptive doesn't break.
|
||||
* - Allow NS secure call in SVC context because it is synchronous. Here, we lock
|
||||
* interrupt instead of kernel scheduler because svcRtxKernelLock()/svcRtxKernelRestoreLock(...)
|
||||
* are inaccessible outside rtx_kernel.c. Currently, this is rare case and would cause
|
||||
* little trouble (see known paths below).
|
||||
* - Call into secure world straight in interrupt-disabled context. When in
|
||||
* interrupt-disabled context, NS secure call is guaranteed to be non-preemptive
|
||||
* naturally.
|
||||
* - Call into secure world straight at pre-rtos stage. When at pre-rtos stage,
|
||||
* NS secure call is guaranteed to be non-preemptive naturally.
|
||||
* - osKernelLock() will error when kernel state is 'osKernelSuspended'. Address
|
||||
* it separately. Known path of NS secure call when kernel state is 'osKernelSuspended':
|
||||
* - default idle thread > osKernelSuspend() > lp_ticker_init > SYS_ResetModule_S/
|
||||
* CLK_SetModuleClock_S/CLK_EnableModuleClock_S
|
||||
*
|
||||
* Known paths of NS secure call in interrupt-disabled context:
|
||||
* - mbed-os/platform/mbed_sleep_manager.c > sleep_manager_sleep_auto >
|
||||
* hal_sleep/hal_deepsleep > nu_idle_s/nu_powerdown_s
|
||||
* - mbed-os/hal/LowPowerTickerWrapper.cpp > LowPowerTickerWrapper::init >
|
||||
* lp_ticker_init > SYS_ResetModule_S/CLK_SetModuleClock_S/CLK_EnableModuleClock_S
|
||||
* - mbed-os/platform/mbed_board.c > mbed_die > pin_function_s
|
||||
* - mbed-os-tests-mbed_hal-rtc > rtc_write_read_test > rtc_write >
|
||||
* CLK_IsRTCClockEnabled_S
|
||||
*
|
||||
* Known paths of NS secure call in SVC context:
|
||||
* - In tickless mode, osKernelStart > svcRtxKernelStart > OS_Tick_Enable >
|
||||
* us_ticker_init/lp_ticker_init > SYS_ResetModule_S/CLK_SetModuleClock_S/
|
||||
* CLK_EnableModuleClock_S
|
||||
*/
|
||||
|
||||
struct ns_interface_state
|
||||
{
|
||||
bool init; // Flag if kernel has initialized (and then scheduler
|
||||
// has started)
|
||||
};
|
||||
|
||||
static struct ns_interface_state ns_interface = {
|
||||
.init = false
|
||||
};
|
||||
|
||||
/* Override tfm_ns_lock_init()
|
||||
*
|
||||
* On Mbed OS, we expect this function is called before kernel scheduler is
|
||||
* started so that we can distinguish pre-rtos and rtos stage to meet the
|
||||
* requirement of serialization of NS secure calls.
|
||||
*/
|
||||
enum tfm_status_e tfm_ns_lock_init()
|
||||
{
|
||||
if (!ns_interface.init) {
|
||||
osKernelState_t kernel_state = osKernelGetState();
|
||||
MBED_ASSERT(kernel_state == osKernelInactive || kernel_state == osKernelReady);
|
||||
|
||||
ns_interface.init = true;
|
||||
}
|
||||
|
||||
return TFM_SUCCESS;
|
||||
}
|
||||
|
||||
/* Override tfm_ns_lock_dispatch(...) */
|
||||
uint32_t tfm_ns_lock_dispatch(veneer_fn fn,
|
||||
uint32_t arg0, uint32_t arg1,
|
||||
uint32_t arg2, uint32_t arg3)
|
||||
{
|
||||
/* Prohibit NS secure call from ISR except SVC, so non-preemptive doesn't break */
|
||||
uint32_t ipsr = __get_IPSR();
|
||||
if (ipsr == 11U) {
|
||||
/* Allow NS secure call in SVC context because it is synchronous. Here,
|
||||
* we lock interrupt instead of kernel scheduler because svcRtxKernelLock()/
|
||||
* svcRtxKernelRestoreLock(...) are inaccessible outside rtx_kernel.c. */
|
||||
core_util_critical_section_enter();
|
||||
uint32_t result = fn(arg0, arg1, arg2, arg3);
|
||||
core_util_critical_section_exit();
|
||||
|
||||
return result;
|
||||
} else if (ipsr) {
|
||||
MBED_ERROR1(MBED_MAKE_ERROR(MBED_MODULE_KERNEL, MBED_ERROR_CODE_PROHIBITED_IN_ISR_CONTEXT), "Prohibited in ISR context", (uintptr_t) fn);
|
||||
}
|
||||
|
||||
/* Call into secure world straight in interrupt-disabled context because
|
||||
* NS secure call is non-preemptive naturally */
|
||||
if (!core_util_are_interrupts_enabled()) {
|
||||
return fn(arg0, arg1, arg2, arg3);
|
||||
}
|
||||
|
||||
/* Call into secure world straight at pre-rtos stage because NS secure
|
||||
* call is non-preemptive naturally */
|
||||
if (!ns_interface.init) {
|
||||
return fn(arg0, arg1, arg2, arg3);
|
||||
}
|
||||
|
||||
/* osKernelLock() will error when kernel state is 'osKernelSuspended'. Address
|
||||
* it separately. */
|
||||
osKernelState_t kernel_state = osKernelGetState();
|
||||
if (kernel_state == osKernelSuspended) {
|
||||
return fn(arg0, arg1, arg2, arg3);
|
||||
} else if (kernel_state == osKernelError) {
|
||||
MBED_ERROR1(MBED_MAKE_ERROR(MBED_MODULE_KERNEL, MBED_ERROR_CODE_UNKNOWN), "RTX kernel state error", (uintptr_t) fn);
|
||||
}
|
||||
|
||||
/* Lock kernel scheduler and save previous lock state for restore */
|
||||
int32_t lock_state = osKernelLock();
|
||||
if (lock_state == osError) {
|
||||
MBED_ERROR1(MBED_MAKE_ERROR(MBED_MODULE_KERNEL, MBED_ERROR_CODE_UNKNOWN), "Unknown RTX error", (uintptr_t) fn);
|
||||
}
|
||||
MBED_ASSERT(lock_state >= 0);
|
||||
|
||||
/* NS secure call is non-preemptive because kernel scheduler is locked */
|
||||
uint32_t result = fn(arg0, arg1, arg2, arg3);
|
||||
|
||||
/* Restore previous lock state */
|
||||
lock_state = osKernelRestoreLock(lock_state);
|
||||
if (lock_state == osError) {
|
||||
MBED_ERROR1(MBED_MAKE_ERROR(MBED_MODULE_KERNEL, MBED_ERROR_CODE_UNKNOWN), "Unknown RTX error", (uintptr_t) fn);
|
||||
}
|
||||
MBED_ASSERT(lock_state >= 0);
|
||||
|
||||
return result;
|
||||
}
|
||||
Loading…
Reference in New Issue