HackMDARM Trusted Firmware-M (TF-M)
tags: ARM Cortex-M
目標
學習 ARM TrustZone ,理解其設計及架構,並且進一步學習 ARM Trusted Firmware-M
ARM TrustZone for ARMv8-M
學習 ARM TF-M 之前,應該先學習其基礎架構 TrustZone
在學習 ARM TrustZone 的路上讀了很多第二手文件,繞了非常多冤枉路,但最後發現還是第一手文件 TrustZone technology for Armv8-M Architecture Version 2.1 最清楚,又再次證明第一手文件的重要性
ARM TrustZone technology
在 ARMv8-M 裡的 TrustZone 是一種 optional Security Extension ,最主要的目的是對嵌入式系統提供系統安全的基礎架構
不過早在 ARM Cortex-A 就已經有 TrustZone 這個架構了,而建立在 ARMv8-M 的 TrustZone 和 ARM Cortex-M 的 TrustZone 非常相似,例如兩者的處理器都有 secure state 及 non-secure state 兩種狀態,且 non-secure state 只可以存取類型為 Non-secure 的記憶體
雖然兩者有不少相同處,但還是有不同的地方
- ARMv8-M 的 TrustZone 有多個 Secure function entry points ,而 ARM Cortex-A 的 TrustZone 則只有一個 Secure function entry point
- 處理器執行 secure function 時,仍可觸發 Non-secure 的中斷
TrustZone 將系統及軟體拆分成 Secure world 及 Normal world
- Secure software 可以存取 Secure 及 Non-secure 的記憶體及資源
- Normal software 只能夠存取 Non-secure 的記憶體及資源
- 這兩種 security state 都擁有獨立的 Thread mode 及 Handler mode
如果有實作 Cortex-M Security Extensions (CMSE) 的話,處理器一開始預設為 Secure state ,反之則為 Non-secure state
CMSE is the compiler support for the Security Extension (architecture intrinsics and options) and is part of the Arm C Language (ACLE) specification.
說了這麼多,直接上圖比較快,下圖為 TrustZone 是怎麼分割處理器的示意圖
而在 ARMv8-M architecture Security Extension 裡,有一些很重要的元件會被實作在 Secure world 裡,如下圖所示
- A Secure boot loader
- Secret key
- Flash programming support
- High value assets
Memory system and memory partitioning
TrustZone 將記憶體分成 Secure (S) 及 Non-secure (NS) 兩種類型,其中 Secure 又可以在細分成 Secure (S) 及 Non-secure Callable (NSC) 兩種類型
Secure (S)
地址為 Secure 類型的記憶體及外部設備只能由 Secure software 及 Secure masters 做存取
Non-secure Callable (NSC)
NSC 是一個很特別的類型。在 ARMv8-M 裡,只有 NSC 可以儲存 SG instruction
SG instruction: enables software to transition from Non-secure to Secure state
通常 NSC memory region 含有 tables of small branch veneers (entry points) 。為了避免 Non-secure application 跳進非法的 entry points ,所以就有了 SG instruction
當有 Non-secure 的程式要呼叫 Secure 函式時
- 第一個執行的指令一定是 SG instruction
- SG instruction 一定要在 NSC region ,可以由 Secure Attribution Unit (SAU) 或 Implementation Defined Attribution Unit (IDAU) 設定
The reason for introducing NSC memory is to prevent other binary data, for example, a lookup table, which has a value the same as the opcode as the SG instruction, being used as an entry function in to the Secure state. By separating NSC and Secure memory types, Secure program code containing binary data can be securely placed in a Secure region without direct exposure to the Normal world, and can only be accessed using valid entry points in NSC memory
Non-secure (NS)
地址為 Non-secure 類型的記憶體及外部設備被整個系統的 software 做存取
Attribution unit (SAU and IDAU)
如果 ARMv8-M Security Extension 已經包含到處理器裡,則記憶體的 security 類型則是由 Security Attribution Unit (SAU) 及 Implementation Defined Attribution Unit (IDAU) 來決定
如果沒有定義 SAU regions 或是 SAU 是 disable 的狀態,且系統沒有 IDAU 的話,整個記憶體地址都會被定義為 Secure 且處理器無法切換至 Non-secure state ,這時如果有切換到 Non-secure state 的動作都會導致 fault 的產生
TODO: 補齊後面的內容
SAU register summary
下圖為 SAU 所有的暫存器,一共有五種且負責不同的設定
- RAZ : Read-As-Zero
- WI : Writes Ignored
| Address | Name | Type | Reset value | Processor security state | Description |
|---|---|---|---|---|---|
| 0xE000EDD0 | SAU_CTRL | RW | 0x00000000 | - Secure - Non-secure |
- SAU Control register - RAZ/WI |
| 0xE000EDD4 | SAU_TYPE | RO | 0x0000000x | - Secure - Non-secure |
- SAU Type register - RAZ/WI |
| 0xE000EDD8 | SAU_RNR | RW | UNKNOWN | - Secure - Non-secure |
- SAU Region Number Register - RAZ/WI |
| 0xE000EDDC | SAU_RBAR | RW | UNKNOWN | - Secure - Non-secure |
- SAU Region Base Address Register - RAZ/WI |
| 0xE000EDE0 | SAU_RLAR | RW | UNKNOWN | - Secure - Non-secure |
- SAU Region Limit Address Register - RAZ/WI |
SAU_CTRL
功能: 啟動 SAU 及設定整個記憶體的類型
Allows enabling of the Security Attribution Unit
| Bits | Field | Description |
|---|---|---|
| [31:2] | Reserved | Reserved – read as 0 (RES0) |
| 1 | ALLNS | All Non-secure 當 SAU_CTRL.ENABLE 為 0 時,這個 bit 控制整個記憶體為 Secure 或是 Non-secure 0: 記憶體為 Secure 類型 (不為 NSC) 1: 記憶體為 Non-secure 類型 |
| 0 | ENABLE | Enable SAU 0: SAU 為 disable 1: SAU 為 enable |
SAU_TYPE
功能: 說明 SAU region 設定的數量
Indicates the number of regions implemented by the Security Attribution Unit
| Bits | Field | Description |
|---|---|---|
| [31:8] | Reserved | Reserved – read as 0 (RES0) |
| [7:0] | SREGION | SAU regions. 說明 SAU region 的數量 |
SAU_RNR
功能: 設定所選 SAU region 的編號
Selects the region currently accessed by SAU_RBAR and SAU_RLAR
| Bits | Field | Description |
|---|---|---|
| [31:8] | Reserved | Reserved – read as 0 (RES0) |
| [7:0] | REGION | Region number. Indicates the SAU region that SAU_RBAR and SAU_RLAR accesses |
SAU_RBAR
功能: 設定所選 SAU Region 的 base address
Provides indirect read and write access to the base address of the currently selected SAU region
| Bits | Field | Description |
|---|---|---|
| [31:5] | BADDR | Base address. Holds bits [31:5] of the base address for the selected SAU region |
| [4:0] | Reserved | Reserved – read as 0 (RES0) |
SAU_RLAR
功能: 設定所選 SAU Region 的 limit address
Provides indirect read and write access to the limit address of the currently selected SAU region.
| Bits | Field | Description |
|---|---|---|
| [31:5] | LADDR | Limit address [31:5]. Bits [4:0] of the limit address are defined as 0x1F |
| [4:2] | Reserved | Reserved – read as 0 (RES0) |
| 1 | NSC | 0: Region is not Non-secure callable 1: Region is Non-secure callable |
| 0 | ENABLE | 0: SAU region is disabled 1: SAU region is enabled |
SAU Region Configuration
基本上,當 SAU 啟動之後,沒有被選取的 SAU region 都會自動被設定為 Secure 類型,也就是下圖的灰色區域
- 使用 SAU_RLAR 可以啟動所選取的 SAU region
- 當 SAU_RLAR.ENABLE = 1 且 SAU RLAR.NSC = 0 ,該 SAU region 為 Non-secure
- 當 SAU_RLAR.ENABLE = 1 且 SAU RLAR.NSC = 1 ,該 SAU region 為 Non-secure Callable
最後給個設定 SAU 的範例程式,主要是參考 CMSIS 程式碼
// Configure SAU using CMSIS
// Configure SAU Region 0
// Start Address 0x00200000
// Limit Address 0x003FFFE0
// Secure non-secure callable
// Use CMSIS to access SAU Region Number Register (SAU_RNR)
// Select region 0
SAU->RNR = (0);
// Set SAU Region Base Address Register (SAU_RBAR)
SAU->RBAR = (0x00200000U & SAU_RBAR_BADDR_Msk);
// Set SAU Region Limit Address Register (SAU_RLAR)
SAU->RLAR = (0x003FFFE0U & SAU_RLAR_LADDR_Msk) |
((1U << SAU_RLAR_NSC_Pos) & SAU_RLAR_NSC_Msk) | 1U;
// Configure SAU Region 1
// Start Address 0x20200000
// Limit Address 0x203FFFE0
// Non-secure
// Select region 1
SAU->RNR = (1);
// Set SAU Region Base Address Register (SAU_RBAR)
SAU->RBAR = (0x20200000U & SAU_RBAR_BADDR_Msk);
// Set SAU Region Limit Address Register (SAU_RLAR)
SAU->RLAR = (0x203FFFE0U & SAU_RLAR_LADDR_Msk) |
((0U << SAU_RLAR_NSC_Pos) & SAU_RLAR_NSC_Msk) | 1U;
// Enable SAU
// Use CMSIS to access SAU Control Register (SAU_CTRL)
// Set ENABLE bit[0] to 1
// Set ALLNS bit[1] to 1
// All memory is secure when SAU is disabled
SAU->CTRL = ((SAU_INIT_CTRL_ENABLE << SAU_CTRL_ENABLE_Pos) & SAU_CTRL_ENABLE_Msk) |
((SAU_INIT_CTRL_ALLNS << SAU_CTRL_ALLNS_Pos) & SAU_CTRL_ALLNS_Msk);
IDAU interface
IDAU 和 SAU 的主要功能蠻像的,都是對處理器通知特定的記憶體地址是 Secure 、 Non-secure 或是 Non-secure Callable 類型,也可以提供 region number 。比較特別的在於,可以標記哪些記憶體區域是可以不用 security chcking ,像是 ROM table
IDAU 的界面和處理器有關,不過以 ARM Cortex-M 為例, IDAU 的界面都很相近
理論上 IDAU 是可以設計成可程式控制的,但如此一來 IDAU 界面的訊號很可能就需要配合 timing critical paths ,這可能會複雜化整個 IDAU 的設計也會增加整個設計的 gate count ,因此是不必要的。所以通常 IDAU 只有提供簡單的 memory map
下圖為 IDAU 的基礎界面示意圖
ARMv8-M 定義了一組由 512MB 分割的 memory map ,並且以 256MB 再做切割,上半部定義為 Secure memory ,下半部定義為 Non-secure memory
Note: 可以利用地址的 bit [28] 判斷該地址為 Secure 或是 Non-secure 類型
如此一來就可以得到下圖
IDAU 可以利用以下的方式產生所需的訊號
- 使用地址的 bit [28] 可以指示為 Secure 或 Non-secure
- The Secure NSC indication can reuse the Secure indication. This results in all Secure regions being indistinguishable from Secure NSC regions, and are therefore callable from Non-secure software by default. The Secure software must therefore use the internal SAU to force most of the Secure NSC regions to be Secure regions (not NSC) before allowing any Non-secure software to run.
It is important to ensure that only those memory areas that contain valid Secure entry functions (using the SG instruction) are configured to be NSC. Other Secure memories, for example, the stack, could contain data pattern that matches the SG instruction and therefore must not be configured as an NSC region.
- The region number can be generated from bits [31:28] of the address value, with the Region Valid signal tied high. It is important that region numbers are unique for each memory region, unless the memory region number is indicated as invalid by the IDAU interface.
- The Exempted Region control is set to 1 if the address is in the CoreSight ROM table address ranges, allowing the debugger to access to the ROM tables for device identification, even if the debugger is restricted to Non-secure debug only.
There is no restriction on whether Secure memory must be in the upper or lower half of each memory region. If the processor being used has an initial boot address that is restricted to address 0x00000000, then it is better to have the lower half of the address marked as Secure so that the processor can boot in the Secure state.
For application scenarios where an Armv8-M processor is used together with an Armv8-A system with a shared memory security attribute configuration, then the IDAU response signal should be generated based on the system-wide security arrangement; the simple memory map arrangement that is described here would be insufficient.
Memory configuration
以 CM33 為例,整合上述所介紹的 SAU 及 IDAU ,說明一個地址的 security 是如何去決定的
一個地址的 security 主要是由 Security Attribution Unit (SAU) 及 Implementation Defined Attribution Unit (IDAU) 共同決定,而如果當兩種硬體都有使用時,會選擇最高的 security level ,下表為兩種硬體不同的設定所產生不同的結果
| IDAU | SAU Region | Final Security |
|---|---|---|
| S | X | S |
| X | S | S |
| NS | NSC | NSC |
| NS | NS | NS |
| NSC | NS | NSC |
Switching between Secure and Non-secure states
ARMv8-M Security Extension 允許在 Secure 及 Non-secure 間直接呼叫函式,只不過有些規定需要遵守
以下是 Secure 及 Non-secure 轉換時會使用到的相關指令
| Instruction | Description |
|---|---|
| SG | Secure gateway Used for switching from Non-secure to Secure state at the first instruction of Secure entry point |
| BXNS | Branch with exchange to Non-secure state Used by Secure software to branch or return to Non-secure program |
| BLXNS | Branch with link and exchange to Non-secure state Used by Secure software to call Non-secure functions |
下圖為 Secure state 及 Non-secure state 進行 state transition 時的流程圖
Non-secure state convert to Secure state
從 Non-secure 函式呼叫到 Secure 函式最直接的方式就是透過 Secure software entry point 的方式,其記憶體類型為 NSC ,且第一個指令就是 SG instruction
當 Secure 函式執行完畢後,會透過指令 BXNS 回到 Non-secure 函式。如果不使用合法的 entry point 來呼叫 Secure 函式的話,則會產生 Fault event
下圖為 Non-secure 函式呼叫 Secure 函式的流程圖
至於是產生什麼 Fault 呢?
- 如果是 ARMv8-M Mainline 的話,是透過 SecureFault Exception 處理
- 如果是 ARMv8-M Baseline 的話,是透過 HardFault 處理
至於 Mainline 及 Baseline 的差別,可以參考 ARMv8-M subprofiles
基本上 ARMv8-M 可以間單分成兩種 subprofiles ,處理器可以被實作成 ARMv8-M Architecture 或者是含有 Main Extension 的 ARMv8-M Architecture ,因此可以簡單的定義什麼是 Mainline 及 Baseline
- 有 Main Extension 的處理器可以視為 Mainline implementation
- 無 Main Extension 的處理器可以視為 Baseline implementation
- 兩者都支援 ARM TrustZone
因此 ARMv8-M Architecture 是有 Main Extension 的處理器的子集合,如下圖所示
Secure state convert to Non-secure state
ARMv8-M Security Extension 也允許 Secure 的程式呼叫 Non-secure 的函式。舉例來說,可以透過指令 BLXNS 呼叫 Non-secure 函式
而在狀態轉換 (state transition) 的過程中,像是回傳地址 (return address) 以及處理器的狀態資訊 (register…) 都會被儲存在 Secure stack 上,且會將一組特殊值 (稱為 FNC_RETURN) 儲存在 Link Register (LR) 上
當 Non-secure 函式執行完畢後會回到剛剛提到的 FNC_RETURN 數值的地址,接著會將原本儲存在 secure stack 的資料復原並返回到原本的呼叫者 (secure 函式)
藉由這樣的方法,系統可以隱藏應該要回傳的地址,而 secure software 可以選擇要傳入到 Non-secure 函式的暫存器並且在進入 Non-secure 函式前清空其他暫存器的 secure data
下圖為 Secure 函式呼叫 Non-secure 函式的流程圖
接著是提到的暫存器 FNC_RETURN 的資訊
| Bits | Field | Description |
|---|---|---|
| [31:24] | PREFIX | This field reads as 0b11111110 |
| [23:1] | ONES | This field reads as 0b11111111111111111111111 |
| 0 | S | Secure Indicates whether the function call was from the Non-secure or Secure state. Because FNC_RETURN is only used when calling from the Secure state, this bit is always set to 1. However, some function chaining cases can result in an SG instruction clearing this bit, so the architecture ignores the state of this bit when processing a branch to FNC_RETURN The possible values of this bit are: 0: From Non-secure state 1: From Secure state |
State transition due to exception or interrupt
State transition 也有可能因為 exception 及 interrupt 而發生,每個 interrupt 都可以設定為 Secure 或 Non-secure ,可以由 Interrupt Target Non-secure (NVIC_ITNS) register 來決定
ARMv8-M Security Extension 裡,不管處理器正在執行 Secure 或 Non-secure 的程式,都沒有限制 Secure 及 Non-secure interrupt 的觸發
- 如果 exception 或 interrupt 和處理器當前的 state 相同,處理方式和 M 系列的處理器大致相同
- 主要有差異的部份在於處理器正在執行 Secure 程式,但發生了 Non-secure 中斷,此時系統會自動將所有的 Secure information 存進 Secure stack ,並且清空所有暫存器的資料以避免資料外洩
TrustZone 對 ARMv8-M 的技術能保留低中斷延遲的特性,只差在上述第二種情況會有些微的延遲,為了將所有的 secure 資料儲存在 Secure stack
Security states of the processor
簡單來說,由正在執行的指令其記憶體類型來決定當前處理器的 security state !
- 如果處理器執行 Non-secure memory 的指令,則處理器為 Non-secure state
- 如果處理器執行 Secure memory 的指令,則處理器為 Secure state
- 如果處理器為 Secure state 一定從 Secure memory 取得指令
ARMv8-M 允許在 Secure software 及 Non-secure software 間執行函式呼叫,只不過在 Non-secure 函式呼叫 Secure 函式時加了一些限制,像是一定要透過合法的 Secure entry point 才可以
Note: 當 Non-secure 函式呼叫 Secure 函式時,在 state transition 時執行的第一個指令一定是 SG instruction ,且處理器一定要處於 Non-secure state
Design characteristics
講了這麼多,可以總結一下 TrustZone 對 ARMv8-M 的設計有主要以下幾個關鍵的特性
- Non-secure code can call Secure functions using valid entry points only. There is no limitation on the number of entry points
- Low switching overhead in cross security domain calls. There is only one extra instruction (SG) when calling from the Non-secure to the Secure domain, and only a few extra clock cycles when calling from the Secure state to Non-secure functions
- Non-secure interrupt requests can still be served during the execution of Secure code, with minimal impact on the interrupt latency, stacking of the full register banks is required instead of just the caller saving registers
- The processor starts up in Secure state by default. This start up mode enables root-of-trust implementations such as Secure boot
- Low power. There is no need for separate register banks for Secure and Non-secure states, while Non-secure interrupt handlers are still prevented from snooping into data used by Secure operations
- Ease of use. Interrupt handlers remain programmable in C, and Non-secure software can access Secure APIs with standard C/C++ function calls
- High flexibility. The design allows Secure software to call Non-secure functions. This function is often required when protected middleware on the Secure side must access device driver code in the Non-secure side. The Secure state can also have privileged and unprivileged execution states, so this state can support multiple Secure software components with a protection mechanism between them
Test Target Instruction
TODO: 補齊 TT 說明
TT Example
TODO: 補齊資料
ARM Trusted Firmware-M
ARM TF-M 最主要的資料還是官方網站的資料最多,因此主要還是以第一手文件為主
Introduction
參考 Introduce Trusted Firmware-M 可以簡單認識 ARM Trusted Firmware-M 大致的架構
Trusted Firmware-M (TF-M) implements the Secure Processing Environment (SPE) for Armv8-M, Armv8.1-M architectures (e.g. the Cortex-M33, Cortex-M23, Cortex-M55, Cortex-M85 processors) and dual-core platforms. It is the platform security architecture reference implementation aligning with PSA Certified guidelines, enabling chips, Real Time Operating Systems and devices to become PSA Certified
Trusted Firmware-M consists of:
- Secure Boot to authenticate integrity of NSPE and SPE images
- TF-M Core responsible for controlling the isolation, communication and execution within SPE and with NSPE
- Crypto, Internal Trusted Storage (ITS), Protected Storage (PS) and Attestation secure services
Platform Security Architecture (PSA)
PSA 是 ARM 為了打造一個安全的系統而建立的通用架構,這東西真的很抽象… ,參考 Arm Platform Security Architecture: Can It Secure The IoT? 的說明,可以初步認識建立 PSA 的目的
PSA 是由 ARM 所提倡的安全架構,其目的是要處理 IoT 系統在安全上的缺點
Platform Security Architecture (PSA) is an initiative from Arm that aims to address some of the shortcomings with IoT security
那 PSA 要怎麼運作呢 ?
TODO: 補齊 Analyze, Architecture and Implement
PSA Architecture
參考 Arm® Platform Security Architecture Trusted Base System Architecture for Arm®v6-M, Arm®v7-M and Arm®v8-M 2.0 及 Arm® Platform Security Architecture Firmware Framework 1.0
TODO: 補充資料
Secure Boot
參考 ARM 在研討會上的發表 HKG18-223 - Trusted Firmware M : Trusted Boot ,可以大致了解 Secure Boot 的流程
Bootloader1 (BL1)
參考 BL1 Immutable bootloader ,裡頭說明 ARM TF-M 的 BL1 是如何設計的,以下提出幾個 ARM TF-M 的 BL1 的特點
- 整個 BL1 程式碼分成兩個部份,分別為 Bootloader1_1(BL1_1) 及 Bootloader1_2(BL1_2)
- 可以用來更新 BL2 (下一個 stage) 的 image
- A post-quantum resistant asymmetric signature scheme for verifying the next boot stage image
BL1_1 and BL1_2 split bootloaders
TODO: 補充資料
BL1_1 Example code
Note: FIH - Fault Injection Hardening
int main(void)
{
...
/* Copy BL1_2 from OTP into SRAM*/
FIH_CALL(bl1_read_bl1_2_image, fih_rc, (uint8_t *)BL1_2_CODE_START);
if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
FIH_PANIC;
}
FIH_CALL(validate_image_at_addr, fih_rc, (uint8_t *)BL1_2_CODE_START);
if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
BL1_LOG("[ERR] BL1_2 image failed to validate\r\n");
FIH_PANIC;
}
BL1_LOG("[INF] Jumping to BL1_2\r\n");
/* Jump to BL1_2 */
boot_platform_quit((struct boot_arm_vector_table *)BL1_2_CODE_START);
/* This should never happen */
FIH_PANIC;
}
fih_int validate_image_at_addr(uint8_t *image)
{
uint8_t computed_bl1_2_hash[BL1_2_HASH_SIZE];
uint8_t stored_bl1_2_hash[BL1_2_HASH_SIZE];
fih_int fih_rc = FIH_FAILURE;
FIH_CALL(bl1_sha256_compute, fih_rc, image, BL1_2_CODE_SIZE,
computed_bl1_2_hash);
if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
FIH_RET(FIH_FAILURE);
}
FIH_CALL(bl1_otp_read_bl1_2_image_hash, fih_rc, stored_bl1_2_hash);
if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
FIH_RET(FIH_FAILURE);
}
FIH_CALL(bl_secure_memeql, fih_rc, computed_bl1_2_hash,
stored_bl1_2_hash, BL1_2_HASH_SIZE);
if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
FIH_RET(FIH_FAILURE);
}
FIH_RET(FIH_SUCCESS);
}
fih_int bl_secure_memeql(const void *ptr1, const void *ptr2, size_t num)
{
fih_int is_equal = FIH_SUCCESS;
size_t block_start;
size_t block_end;
size_t curr = 0;
uint8_t rnd[RNG_CHUNK_BYTES];
size_t rnd_curr_idx = sizeof(rnd);
/* Do comparison. Every n bytes (where n is random between 1 and 9),
* reverse the direction.
*/
while (curr < num) {
/* Only generate more entropy if we've run out */
if (rnd_curr_idx == sizeof(rnd)) {
bl1_trng_generate_random(rnd, sizeof(rnd));
rnd_curr_idx = 0;
}
/* Forward case. Always at least one byte */
block_start = curr;
block_end = curr + (rnd[rnd_curr_idx++] & SHUFFLE_MASK) + 1;
if (block_end > num) {
block_end = num;
}
for (; curr < block_end; curr++) {
if (((uint8_t *)ptr1)[curr] != ((uint8_t *)ptr2)[curr]) {
is_equal = FIH_FAILURE;
}
}
/* Only generate more entropy if we've run out */
if (rnd_curr_idx == sizeof(rnd)) {
bl1_trng_generate_random(rnd, sizeof(rnd));
rnd_curr_idx = 0;
}
/* Reverse case. Always at least one byte */
block_start = curr;
block_end = curr + (rnd[rnd_curr_idx++] & SHUFFLE_MASK) + 1;
if (block_end > num) {
block_end = num;
}
for (curr = block_end - 1; curr >= block_start; curr--) {
if (((uint8_t *)ptr1)[curr] != ((uint8_t *)ptr2)[curr]) {
is_equal = FIH_FAILURE;
}
}
curr = block_end;
}
if (curr != num) {
FIH_PANIC;
}
FIH_RET(is_equal);
}
BL1_2 Example code
int main(void)
{
...
BL1_LOG("[INF] Attempting to boot image 0\r\n");
FIH_CALL(validate_image, fih_rc, 0);
if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
BL1_LOG("[INF] Attempting to boot image 1\r\n");
FIH_CALL(validate_image, fih_rc, 1);
if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
FIH_PANIC;
}
}
BL1_LOG("[INF] Jumping to BL2\r\n");
boot_platform_quit((struct boot_arm_vector_table *)BL2_CODE_START);
FIH_PANIC;
}
static fih_int validate_image(uint32_t image_id)
{
fih_int fih_rc = FIH_FAILURE;
struct bl1_2_image_t *image;
FIH_CALL(copy_and_decrypt_image, fih_rc, image_id);
if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
BL1_LOG("[ERR] BL2 image failed to decrypt\r\n");
FIH_RET(FIH_FAILURE);
}
image = (struct bl1_2_image_t *)BL2_IMAGE_START;
BL1_LOG("[INF] BL2 image decrypted successfully\r\n");
FIH_CALL(validate_image_at_addr, fih_rc, image);
if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
BL1_LOG("[ERR] BL2 image failed to validate\r\n");
FIH_RET(FIH_FAILURE);
}
BL1_LOG("[INF] BL2 image validated successfully\r\n");
FIH_RET(FIH_SUCCESS);
}
fih_int copy_and_decrypt_image(uint32_t image_id)
{
int rc;
#ifdef TFM_BL1_MEMORY_MAPPED_FLASH
fih_int fih_rc;
#endif /* TFM_BL1_MEMORY_MAPPED_FLASH */
struct bl1_2_image_t *image_to_decrypt;
struct bl1_2_image_t *image_after_decrypt =
(struct bl1_2_image_t *)BL2_IMAGE_START;
#ifdef TFM_BL1_MEMORY_MAPPED_FLASH
/* If we have memory-mapped flash, we can do the decrypt directly from the
* flash and output to the SRAM. This is significantly faster if the AES
* invocation calls through to a crypto accelerator with a DMA, and slightly
* faster otherwise.
*/
image_to_decrypt = (struct bl1_2_image_t *)(FLASH_BASE_ADDRESS +
bl1_image_get_flash_offset(image_id));
/* Copy everything that isn't encrypted, to prevent TOCTOU attacks and
* simplify logic.
*/
FIH_CALL(bl_secure_memcpy, fih_rc, image_after_decrypt,
image_to_decrypt,
sizeof(struct bl1_2_image_t) -
sizeof(image_after_decrypt->protected_values.encrypted_data));
#else
/* If the flash isn't memory-mapped, defer to the flash driver to copy the
* entire block in to SRAM. We'll then do the decrypt in-place.
*/
bl1_image_copy_to_sram(image_id, (uint8_t *)BL2_IMAGE_START);
image_to_decrypt = (struct bl1_2_image_t *)BL2_IMAGE_START;
#endif /* TFM_BL1_MEMORY_MAPPED_FLASH */
rc = bl1_aes_256_ctr_decrypt(TFM_BL1_KEY_BL2_ENCRYPTION,
image_to_decrypt->header.ctr_iv,
(uint8_t *)&image_to_decrypt->protected_values.encrypted_data,
sizeof(image_after_decrypt->protected_values.encrypted_data),
(uint8_t *)&image_after_decrypt->protected_values.encrypted_data);
if (rc) {
FIH_RET(fih_int_encode_zero_equality(rc));
}
if (image_after_decrypt->protected_values.encrypted_data.decrypt_magic
!= BL1_2_IMAGE_DECRYPT_MAGIC_EXPECTED) {
FIH_RET(FIH_FAILURE);
}
FIH_RET(FIH_SUCCESS);
}
Secure Partition Manager (SPM)
主要參考 Secure Partition Manager 搭配 Trusted Firmware-M v1.0 理解 ARM TF-M 裡 SPM 的實作細節
首先,應該要先了解 client 是如何取得 TF-M 的服務,如下圖所示。基本上 client (服務的使用者) 會透過 client API 取得系統的服務 (相關的服務會被匯聚成 Secure Partition (SP) 並位於 Secure Partition Environment (SPE))
這裡的 Secure Partition 則是包含:
- Client API 及 Secure Partition API 的實作
- Manage partition runtime to follow FF-M
- Involves necessary implementation-defined items to support the implementation
至於 client 是怎麼去取得服務,則是需要透過 Secure Partition Manager (SPM) 來管理
The principles for TF-M SPM implementation:
- SPM can treat these components as the client: NS Agent, SFN Partition, and IPC partition.
- These components can provide services: SFN Partition, IPC partition, and built-in services. A built-in service is built up with SPM together.
- All partition services must be accessed by Client API.
- Partitions interact with client data by Secure Partition API.
- Built-in services are strongly recommended to be accessed by Client API. Customized interfaces are restricted.
- Built-in services can call SPM internal interfaces directly.
Partition runtime model
在 ARM TF-M 裡, Secure Partition 可以選擇使用兩種方式來執行 — Inter-Process Communication (IPC) 及 Secure Function (SFN) Mode
使用 IPC 時,在 SP 裡會有一個 thread 持續等待 signal ,由 SPM 透過 client API 轉換 client 給出的存取資訊,並且送出 singal 給目標 SP ,而 SP 的 thread 接收到 Signal 後會開始執行 client 所需要的服務並且回報給 client
TODO: 補充 IPC 實際例子
接著為 SFN 的部份, SFN 主要就是每個 SP 會提供大量的 entry function 給 client 使用,而 client 則可以直接呼叫任何有提供 entry function 的服務,因此整個 SFN 表面上就是一般的 function call ,以下提供 ARM TF-Mv1.0 提供的部份 entry function ,可以看到不同的 SP 都有提供各式各樣的 API
#ifdef TFM_PARTITION_SECURE_STORAGE
/******** TFM_SP_STORAGE ********/
psa_status_t tfm_tfm_sst_set_req_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_sst_get_req_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_sst_get_info_req_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_sst_remove_req_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_sst_get_support_req_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
#endif /* TFM_PARTITION_SECURE_STORAGE */
#ifdef TFM_PARTITION_INTERNAL_TRUSTED_STORAGE
/******** TFM_SP_ITS ********/
psa_status_t tfm_tfm_its_set_req_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_its_get_req_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_its_get_info_req_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_its_remove_req_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
#endif /* TFM_PARTITION_INTERNAL_TRUSTED_STORAGE */
#ifdef TFM_PARTITION_AUDIT_LOG
/******** TFM_SP_AUDIT_LOG ********/
psa_status_t tfm_audit_core_retrieve_record_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_audit_core_add_record_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_audit_core_get_info_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_audit_core_get_record_info_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_audit_core_delete_record_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
#endif /* TFM_PARTITION_AUDIT_LOG */
lli
#ifdef TFM_PARTITION_CRYPTO
/******** TFM_SP_CRYPTO ********/
psa_status_t tfm_tfm_crypto_get_key_attributes_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_crypto_open_key_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_crypto_close_key_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_crypto_reset_key_attributes_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
Runtime management
The runtime execution runs among the components, there are 4 runtime states:
- Initializing state, to set up the SPM runtime environment after system powers up
- IDLE state, when SPM runtime environment is set up and partitions are ready for service access.
- Serving state, when partition is under initializing or service access handling.
- Background state, such as the arrival of secure interrupt or unexpected faults. Background state returns to the state it preempts. Background state can be nested.
ARM TF-M SPM trace code
int32_t tfm_core_sfn_request_thread_mode(struct tfm_sfn_req_s *desc_ptr)
{
enum tfm_status_e res;
int32_t *args;
int32_t retVal;
res = tfm_core_check_sfn_parameters(desc_ptr);
if (res != TFM_SUCCESS) {
/* The sanity check of iovecs failed. */
return (int32_t)res;
}
/* No excReturn value is needed as no exception handling is used */
res = tfm_core_sfn_request_handler(desc_ptr, 0);
if (res != TFM_SUCCESS) {
tfm_secure_api_error_handler();
}
/* Secure partition to secure partition call in TFM level 1 */
args = desc_ptr->args;
retVal = desc_ptr->sfn(args[0], args[1], args[2], args[3]);
/* return handler should restore original exc_return value... */
res = tfm_return_from_partition(NULL);
if (res == TFM_SUCCESS) {
/* If unlock successful, pass SS return value to caller */
return retVal;
} else {
/* Unlock errors indicate ctx database corruption or unknown
* anomalies. Halt execution
*/
ERROR_MSG("Secure API error during unlock!");
tfm_secure_api_error_handler();
}
return (int32_t)res;
}
uint32_t tfm_core_svc_handler(uint32_t *svc_args, uint32_t lr, uint32_t *msp)
{
uint8_t svc_number = 0;
/*
* Stack contains:
* r0, r1, r2, r3, r12, r14 (lr), the return address and xPSR
* First argument (r0) is svc_args[0]
*/
if (is_return_secure_stack(lr)) {
/* SV called directly from secure context. Check instruction for
* svc_number
*/
svc_number = ((uint8_t *)svc_args[6])[-2];
} else {
/* Secure SV executing with NS return.
* NS cannot directly trigger S SVC so this should not happen. This is
* an unrecoverable error.
*/
tfm_core_panic();
}
switch (svc_number) {
case TFM_SVC_SFN_REQUEST:
lr = tfm_core_partition_request_svc_handler(svc_args, lr);
break;
case TFM_SVC_SFN_RETURN:
lr = tfm_core_partition_return_handler(lr);
break;
case TFM_SVC_VALIDATE_SECURE_CALLER:
tfm_core_validate_secure_caller_handler(svc_args);
break;
case TFM_SVC_GET_CALLER_CLIENT_ID:
tfm_core_get_caller_client_id_handler(svc_args);
break;
case TFM_SVC_SPM_REQUEST:
tfm_core_spm_request_handler((struct tfm_state_context_t *)svc_args);
break;
case TFM_SVC_MEMORY_CHECK:
tfm_core_memory_permission_check_handler(svc_args);
break;
case TFM_SVC_DEPRIV_REQ:
lr = tfm_core_depriv_req_handler(svc_args, lr);
break;
case TFM_SVC_DEPRIV_RET:
lr = tfm_core_depriv_return_handler(msp, lr);
break;
case TFM_SVC_PSA_WAIT:
tfm_core_psa_wait(svc_args);
break;
case TFM_SVC_PSA_EOI:
tfm_core_psa_eoi(svc_args);
break;
case TFM_SVC_ENABLE_IRQ:
tfm_core_enable_irq_handler(svc_args);
break;
case TFM_SVC_DISABLE_IRQ:
tfm_core_disable_irq_handler(svc_args);
break;
case TFM_SVC_GET_BOOT_DATA:
tfm_core_get_boot_data_handler(svc_args);
break;
default:
#ifdef PLATFORM_SVC_HANDLERS
svc_args[0] = platform_svc_handlers(svc_num, svc_args, lr);
#endif
break;
}
return lr;
}
08000480 <func1>:
8000480: b480 push {r7}
8000482: b085 sub sp, #20
8000484: af00 add r7, sp, #0
8000486: 6078 str r0, [r7, #4]
8000488: 6039 str r1, [r7, #0]
800048a: 2300 movs r3, #0
800048c: 60fb str r3, [r7, #12]
800048e: 687b ldr r3, [r7, #4]
8000490: 1cda adds r2, r3, #3
8000492: 683b ldr r3, [r7, #0]
8000494: fb02 f303 mul.w r3, r2, r3
8000498: 60fb str r3, [r7, #12]
800049a: 68fb ldr r3, [r7, #12]
800049c: 4618 mov r0, r3
800049e: 3714 adds r7, #20
80004a0: 46bd mov sp, r7
80004a2: f85d 7b04 ldr.w r7, [sp], #4
80004a6: 4770 bx lr
080004a8 <func2>:
80004a8: b480 push {r7}
80004aa: b085 sub sp, #20
80004ac: af00 add r7, sp, #0
80004ae: 6078 str r0, [r7, #4]
80004b0: 6039 str r1, [r7, #0]
80004b2: 2300 movs r3, #0
80004b4: 60fb str r3, [r7, #12]
80004b6: 687b ldr r3, [r7, #4]
80004b8: 1cda adds r2, r3, #3
80004ba: 683b ldr r3, [r7, #0]
80004bc: fb02 f303 mul.w r3, r2, r3
80004c0: 60fb str r3, [r7, #12]
80004c2: 68fb ldr r3, [r7, #12]
80004c4: 4618 mov r0, r3
80004c6: 3714 adds r7, #20
80004c8: 46bd mov sp, r7
80004ca: f85d 7b04 ldr.w r7, [sp], #4
80004ce: 4770 bx lr
int func1(int a, int b)
{
int out = 0;
out = (a + 3) * b;
return out;
}
int func2(int a,int b)
{
int out = 0;
do {
out = (a + 3) * b;
} while (0);
return out;
}
int main()
{
int rc;
rc = func1(0,3);
printf("rc = %d\n", rc);
rc = func2(0,3);
printf("rc = %d\n", rc);
return 0;
}
#include <stdio.h>
#define TEST_DOWHILE(a, b) \
do { \
out = (a + 3) * b; \
out++; \
} while (0)
#define TEST_NORMAL(a, b) \
{ \
out = (a + 3) * b; \
out++; \
}
int test(int a)
{
int out = 0;
if (a)
TEST_NORMAL(0, 3);
else
TEST_DOWHILE(0, 3);
return out;
}
int main(void)
{
printf("%d\n", test(0));
printf("%d\n", test(1));
return 0;
}
error: 'else' without a previous 'if'
20 | else
| ^~~~
if ()
{
...
};
else
do {
...
} while(0);
TODO: 補充資訊
Security Code test
kernel.elf: file format elf32-littlearm
Disassembly of section .text:
10000000 <Reset_Handler-0x8>:
10000000: 10080000 .word 0x10080000
10000004: 10000008 .word 0x10000008
10000008 <Reset_Handler>:
10000008: 4800 ldr r0, [pc, #0] ; (1000000c <Reset_Handler+0x4>)
1000000a: 4700 bx r0
1000000c: 1000004d .word 0x1000004d
10000010 <secure_func>:
10000010: b480 push {r7}
10000012: b083 sub sp, #12
10000014: af00 add r7, sp, #0
10000016: 6078 str r0, [r7, #4]
10000018: 687b ldr r3, [r7, #4]
1000001a: 4618 mov r0, r3
1000001c: 370c adds r7, #12
1000001e: 46bd mov sp, r7
10000020: bc80 pop {r7}
10000022: 4770 bx lr
10000024 <__acle_se_secure_func_veneer>:
10000024: b580 push {r7, lr}
10000026: b082 sub sp, #8
10000028: af00 add r7, sp, #0
1000002a: 6078 str r0, [r7, #4]
1000002c: 6878 ldr r0, [r7, #4]
1000002e: f7ff ffef bl 10000010 <secure_func>
10000032: 4603 mov r3, r0
10000034: 4618 mov r0, r3
10000036: 3708 adds r7, #8
10000038: 46bd mov sp, r7
1000003a: e8bd 4080 ldmia.w sp!, {r7, lr}
1000003e: 4671 mov r1, lr
10000040: 4672 mov r2, lr
10000042: 4673 mov r3, lr
10000044: 46f4 mov ip, lr
10000046: f38e 8c00 msr CPSR_fs, lr
1000004a: 4774 bxns lr
1000004c <main>:
1000004c: b580 push {r7, lr}
1000004e: af00 add r7, sp, #0
10000050: 2000 movs r0, #0
10000052: f7ff ffe7 bl 10000024 <__acle_se_secure_func_veneer>
10000056: 2300 movs r3, #0
10000058: 4618 mov r0, r3
1000005a: bd80 pop {r7, pc}
Disassembly of section .gnu.sgstubs:
10001000 <secure_func_veneer>:
10001000: e97f e97f sg
10001004: f7ff b80e b.w 10000024 <__acle_se_secure_func_veneer>
...
svc_number = 5
new SVC number = 9
#include <arm_cmse.h>
int secure_func(int x)
{
return x;
}
int __attribute__((cmse_nonsecure_entry)) secure_func_veneer(int x)
{
return secure_func(x);
}
int main(void)
{
secure_func_veneer(0);
return 0;
}
.arch armv8-m.main
.fpu softvfp
.eabi_attribute 20, 1
.eabi_attribute 21, 1
.eabi_attribute 23, 3
.eabi_attribute 24, 1
.eabi_attribute 25, 1
.eabi_attribute 26, 1
.eabi_attribute 30, 6
.eabi_attribute 34, 1
.eabi_attribute 18, 4
.file "secure.c"
.text
.align 1
.global secure_func
.syntax unified
.thumb
.thumb_func
.type secure_func, %function
secure_func:
push {r7}
sub sp, sp, #12
add r7, sp, #0
str r0, [r7, #4]
ldr r3, [r7, #4]
mov r0, r3
adds r7, r7, #12
mov sp, r7
@ sp needed
pop {r7}
bx lr
.size secure_func, .-secure_func
.align 1
.global secure_func_veneer
.global __acle_se_secure_func_veneer
.syntax unified
.thumb
.thumb_func
.type __acle_se_secure_func_veneer, %function
.syntax unified
.thumb
.thumb_func
.type secure_func_veneer, %function
secure_func_veneer:
__acle_se_secure_func_veneer:
@ Non-secure entry function: called from non-secure code.
@ args = 0, pretend = 0, frame = 8
@ frame_needed = 1, uses_anonymous_args = 0
push {r7, lr}
sub sp, sp, #8
add r7, sp, #0
str r0, [r7, #4]
ldr r0, [r7, #4]
bl secure_func
mov r3, r0
mov r0, r3
adds r7, r7, #8
mov sp, r7
@ sp needed
pop {r7, lr}
mov r1, lr
mov r2, lr
mov r3, lr
mov ip, lr
msr APSR_nzcvq, lr
bxns lr
.size secure_func_veneer, .-secure_func_veneer
.align 1
.global main
.syntax unified
.thumb
.thumb_func
.type main, %function
main:
@ args = 0, pretend = 0, frame = 0
@ frame_needed = 1, uses_anonymous_args = 0
push {r7, lr}
add r7, sp, #0
movs r0, #0
bl secure_func_veneer
movs r3, #0
mov r0, r3
pop {r7, pc}
.size main, .-main
.ident "GCC: (GNU Arm Embedded Toolchain 10.3-2021.10) 10.3.1 20210824 (release)"
/* Linker script to configure memory regions. */
MEMORY
{
NS_CODE (rx) : ORIGIN = 0x00000000, LENGTH = 512K
S_CODE_BOOT (rx) : ORIGIN = 0x10000000, LENGTH = 512k
FLASH-REGION-WITH-NSC-ENABLED (rx) : ORIGIN = 0x10001000, LENGTH = 10k
RAM (rwx) : ORIGIN = 0x20000000, LENGTH = 512k
}
/* Entry Point */
ENTRY(Reset_Handler)
SECTIONS
{
...
/* Linkerscript Section for TrustZone Secure Gateway veneers */
.gnu.sgstubs : ALIGN (32)
{
. = ALIGN(32);
_start_sg = .;
*(.gnu.sgstubs*)
. = ALIGN(32);
_end_sg = .;
} > FLASH-REGION-WITH-NSC-ENABLED
}
#include <arm_cmse.h>
typedef int __attribute__((cmse_nonsecure_call)) (*ns_type)(int);
int non_secure_func(int x)
{
return x;
}
ns_type nsfunc = (ns_type) non_secure_func;
int secure_func(int x)
{
return nsfunc(x);
}
int __attribute__((cmse_nonsecure_entry)) secure_func_veneer(int x)
{
return secure_func(x);
}
int main(void)
{
secure_func_veneer(0);
return 0;
}
non_secure_func:
push {r7}
sub sp, sp, #12
add r7, sp, #0
str r0, [r7, #4]
ldr r3, [r7, #4]
mov r0, r3
adds r7, r7, #12
mov sp, r7
@ sp needed
pop {r7}
bx lr
.size non_secure_func, .-non_secure_func
.global nsfunc
.data
.align 2
.type nsfunc, %object
.size nsfunc, 4
nsfunc:
.word non_secure_func
.text
.align 1
.global secure_func
.syntax unified
.thumb
.thumb_func
.type secure_func, %function
secure_func:
push {r4, r7, lr}
sub sp, sp, #12
add r7, sp, #0
str r0, [r7, #4]
ldr r3, .L5
ldr r3, [r3]
ldr r0, [r7, #4]
mov r4, r3
lsrs r4, r4, #1
lsls r4, r4, #1
mov r1, r4
mov r2, r4
mov r3, r4
bl __gnu_cmse_nonsecure_call
mov r3, r0
mov r0, r3
adds r7, r7, #12
mov sp, r7
@ sp needed
pop {r4, r7, pc}
secure_func_veneer:
__acle_se_secure_func_veneer:
push {r7, lr}
sub sp, sp, #8
add r7, sp, #0
str r0, [r7, #4]
ldr r0, [r7, #4]
bl secure_func
mov r3, r0
mov r0, r3
adds r7, r7, #8
mov sp, r7
@ sp needed
pop {r7, lr}
mov r1, lr
mov r2, lr
mov r3, lr
mov ip, lr
msr APSR_nzcvq, lr
bxns lr
.size secure_func_veneer, .-secure_func_veneer
.align 1
.global main
.syntax unified
.thumb
.thumb_func
.type main, %function
main:
@ args = 0, pretend = 0, frame = 0
@ frame_needed = 1, uses_anonymous_args = 0
push {r7, lr}
add r7, sp, #0
movs r0, #0
bl secure_func_veneer
movs r3, #0
mov r0, r3
pop {r7, pc}
.size main, .-main
.ident "GCC: (GNU Arm Embedded Toolchain 10.3-2021.10) 10.3.1 20210824 (release)"
TODO: 補充資訊
關鍵字
- secure gateway instruction
- root of trust (RoT)
- hardware security module (HSM)
- public key infrastructures (PKIs)
- ARM Coresight
參考資料
- TrustZone technology for Armv8-M Architecture Version 2.1
- Trusted Firmware-M Documentation
- STM32Trust Video Series: TFM Part 1 - Overview
- STM32Trust Video Series: TFM Part 2 - L5 Getting Started
- STM32Trust Video Series: TFM Part 3 - L5 Environment Setup
- STM32Trust Video Series: TFM Part 4 - L5 Out-of-the-box
- Trusted Firmware M, Secure Partitioning – Compartmentalization in IoT - Miklos Balint & Ken Liu, Arm
- YVR18-108:Trusted Firmware for M, technical deep dive
- HKG18-212 - Trusted Firmware M : Introduction
- HKG18-221 - Trusted Firmware M : Core and Partition Manager
- HKG18-222 - Trusted Firmware M : Secure Storage
- HKG18-223 - Trusted Firmware M : Trusted Boot
