apache / incubator-teaclave-trustzone-sdk

Teaclave TrustZone SDK enables safe, functional, and ergonomic development of trustlets.
https://teaclave.apache.org
Apache License 2.0

Upgrade to OPTEE 3.11.0&3.12.0 #24

Closed DemesneGH closed 3 years ago

DemesneGH commented 3 years ago

Hi @mssun, as we discussed before, we have upgraded the sdk to OPTEE 3.11.0 and it passed the ci test locally.

The changes we made are:

  1. Upgrade optee submodules to 3.11.0 (in optee/)
  2. Modify some code in optee-utee:
     1) change name of utee syscalls (in tee_api_defines.rs, utee_syscalls.rs, trace.rs).
     2) add -O0 in .cargo/config to avoid generating ta elf with nbuckets==0 (which causes ldelf panic).
     3) add definition of __ta_entry (in user_ta_header.rs, tee_api_private.rs, .cargo/config, examples/xxx/ta/ta_static.rs).
     4) change examples/xxx/ta/ta_aarch64.lds to ensure GOT is writable.
  3. Modify some code in these examples:
     • authentication
     • diffie_hellman
     • random
     • secure_storage

The new sdk is compatible with OPTEE 3.11.0 & 3.12.0. Built TAs can run on OPTEE OS 3.8.0, 3.11.0 and 3.12.0. Other versions have not been tested.

Contributors are Rong Fan @fanrong1992 and Yuan Zhuang @DemesneGH.

Best regards, Yuan Zhuang

mssun commented 3 years ago

Thanks for your contributions. @xiangmy, can you help to review this PR? Thanks.

xiangmy commented 3 years ago

Hi @DemesneGH @mssun

Thanks for the work! The __ta_entry and __utee_return are diverging functions, so I think we should reflect that. The rest of the changes look good to me.

BTW, I also add "-C", "link-arg=max-page-size=4096" in the .cargo/config to force the TA to align at 4 KB. But, I guess the -O0 flag solves this problem as well as the ldelf panic which I don't know how to deal with. I suppose there would be some better options instead of removing the optimization.

Anyway, thanks for the good work! Mingyuan

DemesneGH commented 3 years ago

Hi @xiangmy

> But, I guess the -O0 flag solves this problem as well as the ldelf panic which I don't know how to deal with. I suppose there would be some better options instead of removing the optimization.

The -O0 flag has the same effect as setting opt-level=1 in examples/xxx/ta/Cargo.toml. Since the default value is opt-level=3 for Rust release binaries, it will add a -O1 when linking the TA elf. Maybe there is a bug in ld which leads to invalid nbuckets under some circumstances, or OPTEE OS should check the value of nbuckets. Since the link.mk for TA in OPTEE examples written in C doesn't have the optimization either, we removed the optimization to solve the problem. If there are better solutions we will update then.

Best Regards, Yuan

xiangmy commented 3 years ago

Hi @DemesneGH,

The -O0 gives no optimization, and it corresponds to opt-level=0. The OPTEE uses -Os by default (see here). I'm not sure about the default opt-level for this sdk. Maybe @mssun can help clarify this.

Thanks, Mingyuan

DemesneGH commented 3 years ago

Hi @xiangmy

We printed link args by adding "-Z", "print-link-args" and then found this sdk uses opt-level=3 for release binaries by default (same as default profiles here), which leads to adding -O1. When setting opt-level=1 (or opt-level=0) there are no -Ox arguments, which is the same as -O0. I didn't see -Os in printed link args, but I'll try to add -Os to find the difference.

Best regards, Yuan

DemesneGH commented 3 years ago

Hi @xiangmy

> The OPTEE uses -Os by default (see here).

This mk file is probably for OPTEE OS binaries (such as tee.elf), not for TAs. Link.mk for TA is in here, which is a part of ta_dev_kit (imported when building TAs), and it seems not to have -Os.

Best Regards Yuan

DemesneGH commented 3 years ago

Hi @mssun, thanks for your review. I've updated the code.

Best Regards, Yuan

xiangmy commented 3 years ago

> Hi @xiangmy
>
> > The OPTEE uses -Os by default (see here).
>
> This mk file is probably for OPTEE OS binaries (such as tee.elf), not for TAs. Link.mk for TA is in here, which is a part of ta_dev_kit (imported when building TAs), and it seems not to have -Os.
>
> Best Regards Yuan

Hi @DemesneGH,

TAs have the same optimization level as the OS. The flow of passing the -Os flag is (for aarch64): platform-cflags-optimization -> ta_arm64-platform-cflags -> ta-mk-file-export-vars-ta_arm64 -> ta.mk

Would adding -Os (instead of -O0) and opt-level = "s" work in our case?

Thanks, Mingyuan

DemesneGH commented 3 years ago

Hi @xiangmy

> Would adding -Os (instead of -O0) and opt-level = "s" work in our case?

Yes. Adding -Os instead of -O0 works, and setting opt-level="s" will also add -Os in link arguments. I've tried several cases and the results are:

  1. Setting opt-level="s" will add -Os, builds elf of nbuckets == 1
  2. Setting opt-level=3 will add -O1, builds elf of nbuckets == 0
  3. Setting opt-level=2 will add -O1, builds elf of nbuckets == 0
  4. Setting opt-level=1 will not add -Ox (-O0 by default), builds elf of nbuckets == 1
  5. Setting opt-level=0 will not add -Ox (-O0 by default), builds elf of nbuckets == 1

This man page says:

> -Os enables all -O2 optimizations except those that often increase code size: -falign-functions -falign-jumps -falign-labels -falign-loops -fprefetch-loop-arrays -freorder-blocks-algorithm=stc

But it's still unclear what the optimizations do and what leads to illegal nbuckets. Anyway, thanks for your advice. I'll update -O0 to -Os.

Best regards, Yuan
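
A build-time check for the failure discussed in this thread, as an added example that is not part of the PR or the SDK: it reads nbucket from the .hash section of a linked TA ELF and flags the nbuckets == 0 case before the TA reaches ldelf. It assumes a little-endian ELF64 image (an aarch64 build) and finds the table through section headers; `hash_nbuckets`, `check_ta_elf` and `make_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

SHT_HASH = 5  # section type of the SysV symbol hash table (.hash)

def hash_nbuckets(elf: bytes):
    """Return nbucket of the first SHT_HASH section, or None if there is none."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("expected a little-endian ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    for i in range(e_shnum):
        base = e_shoff + i * e_shentsize
        (sh_type,) = struct.unpack_from("<I", elf, base + 4)
        sh_offset, sh_size = struct.unpack_from("<QQ", elf, base + 0x18)
        if sh_type != SHT_HASH:
            continue
        if sh_size < 8 or sh_offset + sh_size > len(elf):
            raise ValueError("truncated .hash section")
        nbucket, nchain = struct.unpack_from("<II", elf, sh_offset)
        if 4 * (2 + nbucket + nchain) > sh_size:
            raise ValueError("nbucket/nchain exceed the .hash section size")
        return nbucket
    return None

def check_ta_elf(elf: bytes) -> str:
    """Build-time gate: a SysV lookup indexes bucket[hash % nbucket]."""
    n = hash_nbuckets(elf)
    if n is None:
        return "no .hash section"
    return "ok" if n > 0 else "FAIL: nbuckets == 0"

def make_sample(nbucket: int, nchain: int = 1) -> bytes:
    """Constructed test image: ELF64 header, .hash table, two section headers."""
    table = struct.pack("<II", nbucket, nchain) + b"\0" * 4 * (nbucket + nchain)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 183, 1, 0, 0,
                               64 + len(table), 0, 64, 0, 0, 64, 2, 0)
    hash_sh = struct.pack("<IIQQQQIIQQ", 0, SHT_HASH, 2, 0, 64, len(table),
                          0, 0, 4, 4)
    return ehdr + table + b"\0" * 64 + hash_sh

if __name__ == "__main__":
    for nb in (1, 0):  # constructed stand-ins for the two outcomes in the thread
        print(nb, check_ta_elf(make_sample(nb)))
```

To use it on a real build, pass the bytes of the linked TA ELF to `check_ta_elf` and fail the CI job on any result other than "ok".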

mssun commented 3 years ago

Merged. Thank you all!