ARM Community: [Trustzone] interrupt level fast world switch(NWD->SWD) solution? - ARM Community

Tags: Trustzone, GIC, Cortex, 1023

#1 raymao (Member; Posts: 2; Joined: 10-February 12)

Posted 11 October 2012 - 05:55 AM

Dear ARM Engineer,

I have a question about interrupt-level fast world switch for a TrustZone-enabled ecosystem.
Scenario: one core is running in one World, and an interrupt belonging to the other World happens. How can the core be switched to the other world quickly?

Solution 1
In the whitepaper prd29-genc-009492c_trustzone_security_whitepaper.pdf one solution is already mentioned: the monitor-routing solution.
But this solution needs careful handling of the interrupt-related code in the monitor, the NWD OS and the SWD OS.

Solution 2
I was checking another solution, in which one World's OS actively does the switch directly when the other World's interrupt happens.
From the ARM GIC spec, the spurious interrupt IDs 1022 & 1023 seem usable as the flag.
(Suppose NWD only uses IRQ and SWD only uses FIQ.)
After testing:
1022 can help SWD->NWD for the case where the CPU core is in SWD and an IRQ happens.
1023 cannot help NWD->SWD for the case where the CPU core is in NWD and an FIQ happens (as 1023 will also occur in other cases).

So is there any extra flag/way that can help Solution 2 do NWD->SWD?
Or, put another way: besides the Monitor solution, is there any other way to do an interrupt-level fast world switch NWD->SWD when an FIQ happens?

Thanks!


#2 ttfn (Super Contributor; Posts: 590; Joined: 29-September 06)

Posted 11 October 2012 - 07:18 AM

The basic problem with (2) is that it relies on both OSs (NWD and SWD) behaving. Probably not an issue for the Secure world OS. But for the Normal world OS, if it were compromised (and because of this risk you have TZ), the malicious code could easily prevent you from ever switching back to the Secure world.

The advantage of (1) is that the FIQ is beyond the control of the Normal world OS, so if it is compromised, you can still enter the Secure world.

#3 isogen74 (Super Contributor; Posts: 1104; Joined: 20-March 07)

Posted 11 October 2012 - 08:32 AM

Whatever happens you need to go through the monitor - it's the gatekeeper between the two worlds, and ensures no unintended data leakage from secure to non-secure.

For A-profile cores the TrustZone monitor overhead tends to be in the noise - the code is usually only a couple of hundred CPU cycles - most A-profile cores lose more time than that in the interrupt handler due to cache and TLB misses. So before you try to micro-optimize and throw your security in the bin, please check that you actually need the interrupt to go faster. In reality you probably don't.

Iso

When optimizing software, consider that the quickest code to run is the bit you removed from the call path.

#4 raymao (Member; Posts: 2; Joined: 10-February 12)

Posted 12 October 2012 - 02:32 AM

Thanks for the reply, guys.

We all agree the monitor solution is the better (best) solution for this case.
The monitor solution has better performance but is inflexible.

I mean, for one world's OS, the strategy for giving up the CPU when the other world's interrupt* happens can be changeable.
e.g.
1. every time interrupt* happens, do a world switch
2. every N (2, 3) times interrupt* happens, do a world switch
3. only when NOT in critical-area code (which we hope to finish before switching), do a world switch when interrupt* happens

#5 isogen74 (Super Contributor; Posts: 1104; Joined: 20-March 07)

Posted 12 October 2012 - 11:26 AM

Why is it inflexible? It's entirely configured by software.

If you want it to behave like any other interrupt handler (i.e. allow nesting of secure and non-secure interrupts in either direction) just allow the normal world to mask FIQ in the NSACR in CP15. The only overhead over "single world model" is the latency of the monitor transitions, but other than that it should behave like any OS behaves with interrupts masked (or not).

The behaviour is entirely down to how your security use cases need to function, and what attacks you want to prevent. TrustZone provides a bag of tools, and is very flexible - restrictions need only be applied if your use case needs them ...
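Added example, not code from the thread, from ARM or from any ARM deliverable: a small C model of the two pieces of hardware behaviour that posts #1 and #5 rely on. The GIC side follows the GICv2 rules for a read of GICC_IAR when the Security Extensions are implemented, with Group 0 used for the Secure-world FIQ and Group 1 for the Normal-world IRQ as post #1 assumes: a Secure read with GICC_CTLR.AckCtl = 0 returns 1022 when the highest-priority pending interrupt is Group 1, while a Non-secure read returns 1023 both when a Group 0 interrupt is pending and when nothing is pending, which is the ambiguity post #1 measured. The CPU side models SCR.NS, SCR.FIQ (route FIQ to Monitor mode) and SCR.FW (whether Non-secure code may write CPSR.F), which is where the ARMv7-A architecture places the "may the Normal world mask FIQ" control that post #5 discusses (NSACR.RFR reserves the FIQ-mode banked registers). Function names, struct names, the INTIDs, priorities and the priority-mask value are all constructed for illustration; the model deliberately ignores the Non-secure priority-mask view shift, binary-point/preemption logic and GICv3.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* GICv2 spurious interrupt IDs returned by GICC_IAR. */
#define GICC_IAR_NS_PENDING 1022u /* Secure read, highest pending is Group 1, GICC_CTLR.AckCtl == 0 */
#define GICC_IAR_SPURIOUS   1023u /* nothing of sufficient priority, or NS read while a Group 0 interrupt is highest */

enum sec_state { SECURE, NONSECURE };

/* Constructed pending-interrupt record (not a real GIC register image). */
struct pending_irq {
    uint32_t id;     /* INTID */
    bool     group0; /* Group 0 = Secure (FIQ in this thread's split), Group 1 = Non-secure (IRQ) */
    uint8_t  prio;   /* lower value = higher priority */
};

/* Model of a GICC_IAR read by a core in state `reader`. Interrupts whose
 * priority is not below the mask `pmr` are not signalled at all. */
uint32_t gicc_iar_read(enum sec_state reader, bool ackctl, uint8_t pmr,
                       const struct pending_irq *p, size_t n)
{
    const struct pending_irq *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (p[i].prio >= pmr)
            continue;
        if (best == NULL || p[i].prio < best->prio)
            best = &p[i];
    }
    if (best == NULL)
        return GICC_IAR_SPURIOUS;                 /* nothing to acknowledge */
    if (best->group0)                             /* Group 0 is invisible to a Non-secure reader */
        return reader == SECURE ? best->id : GICC_IAR_SPURIOUS;
    if (reader == SECURE && !ackctl)              /* Secure world told "a Group 1 interrupt is pending" */
        return GICC_IAR_NS_PENDING;
    return best->id;
}

/* Subset of the ARMv7-A Secure Configuration Register relevant here. */
struct scr_bits {
    bool ns;         /* SCR.NS:  core is executing in the Non-secure world */
    bool fiq_to_mon; /* SCR.FIQ: FIQ exceptions are taken to Monitor mode */
    bool fw;         /* SCR.FW:  CPSR.F may be written from the Non-secure world */
};

enum fiq_taken { FIQ_MASKED, FIQ_TO_MONITOR, FIQ_TO_CURRENT_WORLD };

/* Where an asserted FIQ ends up, given SCR and the current CPSR.F value. */
enum fiq_taken fiq_target(struct scr_bits scr, bool cpsr_f)
{
    if (cpsr_f)
        return FIQ_MASKED;                        /* CPSR.F masks FIQ wherever it is routed */
    return scr.fiq_to_mon ? FIQ_TO_MONITOR : FIQ_TO_CURRENT_WORLD;
}

/* Whether software in the current world is permitted to set CPSR.F. */
bool can_mask_fiq(struct scr_bits scr)
{
    return !scr.ns || scr.fw;
}

struct post1_replay { uint32_t swd_sees; uint32_t nwd_sees; uint32_t nwd_idle_sees; };

/* Replays the two measurements from post #1 with constructed pending sets. */
struct post1_replay replay_post1(void)
{
    const struct pending_irq ns_timer = { .id = 30, .group0 = false, .prio = 0xA0 }; /* constructed */
    const struct pending_irq sec_fiq  = { .id = 34, .group0 = true,  .prio = 0x10 }; /* constructed */
    struct post1_replay r;
    r.swd_sees      = gicc_iar_read(SECURE,    false, 0xF8, &ns_timer, 1); /* 1022: unambiguous */
    r.nwd_sees      = gicc_iar_read(NONSECURE, false, 0xF8, &sec_fiq, 1);  /* 1023 */
    r.nwd_idle_sees = gicc_iar_read(NONSECURE, false, 0xF8, NULL, 0);      /* also 1023 */
    return r;
}

int main(void)
{
    struct post1_replay r = replay_post1();
    struct scr_bits nwd = { .ns = true, .fiq_to_mon = true, .fw = false };
    printf("SWD reads IAR with NS IRQ pending: %u\n", r.swd_sees);
    printf("NWD reads IAR with Secure FIQ pending: %u, with nothing pending: %u\n",
           r.nwd_sees, r.nwd_idle_sees);
    printf("FIQ in NWD with SCR.FIQ=1: target=%d, NWD may mask it: %s\n",
           (int)fiq_target(nwd, false), can_mask_fiq(nwd) ? "yes" : "no");
    return 0;
}
```

The model makes the thread's two conclusions concrete: from the Secure world 1022 is a dedicated signal, but from the Normal world 1023 carries no information, so a polling-based NWD->SWD hand-off (Solution 2) has nothing reliable to poll, whereas with SCR.FIQ = 1 and SCR.FW = 0 the FIQ reaches Monitor mode and the Normal world cannot prevent it; setting SCR.FW = 1 is the configuration post #5 describes for letting the Normal world mask FIQ like any other interrupt, at the cost of trusting it to unmask again.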
