Version 56 vs 57
Edits
- Edit by gabor-toth-arm, Version 57
- Jun 26 2023 9:48 AM
- Edit by gabor-toth-arm, Version 56
- Jun 26 2023 9:46 AM
Content Changes
= OP-TEE SPMC implementation
== Introduction
==== OP-TEE SPMC implementation
This document describes the OP-TEE SPMC (Secure Partition Manager Core) implementation. This implementation is used to support the Trusted Services PSA Secure Partitions (SPs). The PSA SPs are implemented based on the Arm FF-A specification. The OP-TEE SPMC can be used as a reference S-EL1 implementation, and the Trusted Services can be used as reference S-EL0 SP implementations.
==== FF-A
Arm Firmware Framework for Arm A-profile (FF-A) is a framework designed to standardize the communication between the various software images, including the communication between images in the Secure world and the Normal world.
The current release of the OP-TEE SPMC is based around the [FF-A v1.0 spec](https://developer.arm.com/documentation/den0077/latest).
==== OP-TEE
OP-TEE is an open source Trusted Execution Environment (TEE) relying on the Arm TrustZone technology. More information can be found at [readthedocs](https://optee.readthedocs.io/en/latest/). OP-TEE can run either as an S-EL1 SP or as the S-EL1 SPMC.
This document describes OP-TEE as an S-EL1 SPMC. The current mainline OP-TEE version can be found [here](https://github.com/OP-TEE/optee_os).
==== Trusted Services
The Trusted Services project provides a framework for developing and deploying device Root of Trust (RoT) services across a range of secure processing environments such as those provided by OP-TEE and Hafnium.
More information about Trusted Services can be found at [Trusted-Services](https://trusted-services.readthedocs.io/en/latest/).
== Current Status
Limited support for OP-TEE SPMC aligning with FF-A 1.0 is available in OP-TEE v3.19. Complete support for FF-A 1.0 and TS is planned for upcoming releases. See below for status.
For OP-TEE release-specific testing and results, see the following pages:
- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-19/ | OP-TEE 3.19 release ]]
- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-20/ | OP-TEE 3.20 release ]]
- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-21/ | OP-TEE 3.21 release ]]
- [[ https://developer.trustedfirmware.org/w/trusted-services/op-tee-spmc/release-testing-3-22/ | OP-TEE 3.22 release ]]
== Important Changes
- Add support for discovering if the CRC32 instruction family is implemented by the PE. Convey this information to Secure Partitions through the SP manifest DT.
- Non-secure interrupt handling through FF-A.
- Implement the FF-A v1.1 boot protocol for passing boot info to Secure Partitions.
==== SPMC status
OP-TEE SPMC FF-A status:
| Description | Status |
|-------------------|---------------|
| SP loading | Supported |
| SP messaging | Supported |
| SP manifest files | Supported |
| Memory management | Supported |
| Interrupts | Supported |
OP-TEE SPMC FF-A messages status:
| Name | Status |
|--------------------------|--------------------------|
| FFA_ERROR | Supported |
| FFA_SUCCESS | Supported |
| FFA_INTERRUPT | Not supported |
| FFA_VERSION | Supported |
| FFA_FEATURES | Supported |
| FFA_RX_RELEASE | Supported |
| FFA_RXTX_MAP | Supported |
| FFA_RXTX_UNMAP | Supported |
| FFA_PARTITION_INFO_GET | Supported |
| FFA_ID_GET | Supported |
| FFA_MSG_WAIT | Supported |
| FFA_YIELD | Not supported |
| FFA_RUN | Not supported |
| FFA_NORMAL_WORLD_RESUME | Not supported |
| FFA_MSG_SEND | Not supported |
| FFA_MSG_SEND_DIRECT_REQ | Supported |
| FFA_MSG_SEND_DIRECT_RESP | Supported |
| FFA_MSG_POLL | Not supported |
| FFA_MEM_DONATE | Not supported |
| FFA_MEM_LEND | Not supported |
| FFA_MEM_SHARE | Partially supported [^1] |
| FFA_MEM_RETRIEVE_REQ | Supported |
| FFA_MEM_RETRIEVE_RESP | Supported |
| FFA_MEM_RELINQUISH | Supported |
| FFA_MEM_RECLAIM | Supported |
[^1]: Sharing device memory is not yet supported.
OP-TEE SP loading mechanism:
| Description | Status |
|-------------|-----------|
| Embedded SP | Supported |
| FIP SP | Supported |
==== Trusted Services status
All Trusted Services Secure Partitions are supported with OP-TEE SPMC v3.19.
Trusted Services SP support status:
| Name | Status |
|--------------------------|-----------|
| internal-trusted-storage | Supported |
| protected-storage | Supported |
| crypto | Supported |
| attestation | Supported |
| smm-gateway | Supported |
== Build
The build process follows the [OP-TEE build process](https://optee.readthedocs.io/en/latest/building/gits/build.html#get-and-build-the-solution). Additional information is needed for some steps:
- [Step 1](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-1-prerequisites): The Trusted Services project has some extra requirements described on [this page](https://trusted-services.readthedocs.io/en/latest/developer/software-requirements.html). Please install these.
- [Step 2](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-2-install-android-repo): -
- [Step 3](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-3-get-the-source-code): Use the manifest file for Trusted Services integration and use the 3.19.0 tagged version.
`repo init -u https://github.com/OP-TEE/manifest.git -m fvp-ts.xml -b 3.19.0`
- [Step 4](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-4-get-the-toolchains): -
- [Step 5](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-5-build-the-solution): -
- [Step 6 and onwards](https://optee.readthedocs.io/en/latest/building/gits/build.html#step-6-flash-the-device): Since we're running on models instead of real hardware, these steps are not necessary.
== Boot
The current system uses the Arm AEMv-A Base Platform FVP to run the test environment. The latest version can be found at [Arm Architecture Models](https://developer.arm.com/downloads/-/arm-ecosystem-models). The downloaded FVP should be extracted at the project root (`<project root>/Base_RevC_AEMvA_pkg`).
Boot the system on the FVP:
```
make -C build run-only
```
Two console windows should appear, one for the Secure World and one for the Normal World. When the boot is complete, log in as root. Then run these commands to load the necessary kernel modules and install the TS test applications and libraries:
```
/mnt/host/out/linux-arm-ffa-tee/load_module.sh
/mnt/host/out/linux-arm-ffa-user/load_module.sh
cp -at /usr /mnt/host/out/ts-install/arm-linux/bin /mnt/host/out/ts-install/arm-linux/lib
```
To run the SPMC tests built into xtest (OP-TEE test suite):
```
xtest -t ffa_spmc
```