OP-TEE / optee_os

Trusted side of the TEE

TZASC (TZC-400) Configuration and Memory access control? #4227

Closed SmallPond closed 3 years ago

SmallPond commented 3 years ago

Hi OP-TEE Group,

By reading the relevant source code of OP-TEE and ARM Trusted Firmware, I find that only a few platforms (e.g. Juno, FVP, HiKey960) provide the base address of TZC-400.

I would like to know how to ensure that the non-secure world cannot access the secure world’s memory if the TZC400 registers are not configured.

So if anyone here could help me regarding this.

Thanks.

Emantor commented 3 years ago

> By reading the relevant source code of OP-TEE and ARM Trusted Firmware, I find that only a few platforms (e.g. Juno, FVP, HiKey960) provide the base address of TZC-400.
>
> I would like to know how to ensure that the non-secure world cannot access the secure world’s memory if the TZC400 registers are not configured.
>
> So if anyone here could help me regarding this.

Devices I know (ST STM32MP1 & NXP i.MX SoCs) use either the TZC400 or TZC380. Some devices also implement their own "DDR firewalls" as I like to call them 😁 However OTOH there are no examples in upstream OP-TEE. Other devices don't have a "DDR firewall" at all, like the Raspberry Pi 3. It's still useful for a development platform, but not ready for any kind of production use.

SmallPond commented 3 years ago

> > Hi OP-TEE Group, By reading the relevant source code of OP-TEE and ARM Trusted Firmware, I find that only a few platforms (e.g. Juno, FVP, HiKey960) provide the base address of TZC-400. I would like to know how to ensure that the non-secure world cannot access the secure world’s memory if the TZC400 registers are not configured. So if anyone here could help me regarding this.
>
> Devices I know (ST STM32MP1 & NXP i.MX SoCs) use either the TZC400 or TZC380. Some devices also implement their own "DDR firewalls" as I like to call them 😁 However OTOH there are no examples in upstream OP-TEE. Other devices don't have a "DDR firewall" at all, like the Raspberry Pi 3. It's still useful for a development platform, but not ready for any kind of production use.

Yes, I know that different devices have their own "memory firewall" implementation.

But if the "firewall" is not configured, then how does the system prevent the non-secure world from accessing the secure world memory? For example, I cannot find the base address of TZC400 in the RK3399/Kirin960 technical reference manual or in the source code of ATF and OP-TEE. There is no code to initialize and configure the "firewall".

SmallPond commented 3 years ago

I would like to know how I can get the base address of the "memory firewall" of a certain SoC (for example RK3399). Can I only contact the corresponding manufacturer?

Thanks. @Emantor

jforissier commented 3 years ago

For HiKey (620) there is https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/hisilicon/hikey/hikey_security.c. For HiKey960: there is no protection, the firewall is not configured for lack of information on how to do it.

For RK3399 I have no idea if the information is publicly available or not, you may have to contact the manufacturer.

SmallPond commented 3 years ago

> For HiKey (620) there is https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/hisilicon/hikey/hikey_security.c. For HiKey960: there is no protection, the firewall is not configured for lack of information on how to do it.
>
> For RK3399 I have no idea if the information is publicly available or not, you may have to contact the manufacturer.

Thank you!