# arm

TF-A-Tests Enhancements for Realm World Validation

Shruti Gupta

02 May 2024



## Agenda

- TF-A-Tests baremetal tests for the CCA SW stack
  - Build command
  - Realm lifecycle
  - PSCI flow
- Misc testcases
  - Realm memory management
  - Exception model
  - Arch features SVE/PMU/Timer
  - Security extensions PAuth/BTI/DIT



## Arm CCA software stack





## TF-A-Tests for Realm Tests

- TFTF capabilities
  - Supports creation of 2 Realms, up to 8 RECs per Realm
  - Supports scheduling of multiple RECs on multiple physical CPUs
  - Realm payload is platform independent





## Build Command & Memory Layout

- Three World Execution Instruction

```
make PLAT=fvp ENABLE_REALM_PAYLOAD_TESTS=1 all
```

Generates `realm.bin` and `tftf.bin`; `realm.bin` is appended at the end of `tftf.bin`.





## Realm Management Interface

#### Discovery

- `RMI_VERSION`
- `RMI_FEATURES`

#### Memory delegation

- `RMI_GRANULE_DELEGATE`
- `RMI_GRANULE_UNDELEGATE`

#### Realm lifecycle

- `RMI_REALM_CREATE`
- `RMI_REALM_DESTROY`
- `RMI_REALM_ACTIVATE`

#### Stage 2 table management

- `RMI_RTT_CREATE`
- `RMI_RTT_DESTROY`
- `RMI_RTT_FOLD`
- `RMI_RTT_READ_ENTRY`
- `RMI_RTT_INIT_RIPAS`
- `RMI_RTT_SET_RIPAS`
- `RMI_RTT_MAP_UNPROTECTED`
- `RMI_RTT_UNMAP_UNPROTECTED`

#### Realm memory management

- `RMI_DATA_CREATE`
- `RMI_DATA_CREATE_UNKNOWN`
- `RMI_DATA_DESTROY`

#### Realm VCPU lifecycle

- `RMI_REC_CREATE`
- `RMI_REC_DESTROY`
- `RMI_REC_AUX_COUNT`
- `RMI_PSCI_COMPLETE`

#### Realm VCPU scheduling

- `RMI_REC_ENTER`



## Realm Services Interface

#### Discovery

- `RSI_VERSION`
- `RSI_REALM_CONFIG`

#### IPA state management

- `RSI_IPA_STATE_GET`
- `RSI_IPA_STATE_SET`

#### Communication

- `RSI_HOST_CALL`

#### Measurement

- `RSI_MEASUREMENT_EXTEND`
- `RSI_MEASUREMENT_READ`

#### Attestation

- `RSI_ATTESTATION_TOKEN_INIT`
- `RSI_ATTESTATION_TOKEN_CONTINUE`

#### PSCI



## Realm, Rec, RTT





## Realm Payload lifecycle



`host_create_activate_realm_payload()`



## **TFTF Framework**

#### Host APIs

- Helpers
  - `host_create_activate_realm_payload`
  - `host_enter_realm_execute`
  - ...
- RMI calls
  - `host_rmi_rtt_readentry`
  - `host_rmi_rtt_set_ripas`
  - ...

#### Realm APIs

- Helpers
  - `realm_cpu_on`
  - `realm_printf`
  - ...
- RSI calls
  - `rsi_ipa_state_get`
  - `rsi_exit_to_host`
  - ...
- PSCI

Common lib: `pauth_test_lib_fill_regs_and_template`, ...



## TFTF RTT Setup

- Host loads `realm.bin` to a new region (protected IPA) and sets up the RTT
  - Helper `host_realm_delegate_map_protected_data`
    - `RMI_DATA_CREATE`
    - `RMI_RTT_CREATE`
- Host maps the shared NS buffer in Realm memory (unprotected IPA) and sets up the RTT
  - Helper `host_realm_map_unprotected`





## Realm tests Flow

(Diagram: Host, RMM, Realm and the NS Buffer shared between Host and Realm.)

1. Host runs the Host test function
2. Host creates the Realm
3. Host sets up the Realm test cmd and the args to pass to the Realm in the NS Buffer
4. Host enters the Realm
5. Realm gets the Host cmd and args from the NS Buffer, executes the test function and puts the result in the NS Buffer



## **NS Buffer**

- The Realm has no UART, so its print buffer is transferred to the Host via `HOST_CALL`

```c
#include <stdint.h>

/*
 * This structure maps the shared memory to be used between the Host and Realm
 * payload. MAX_BUF_SIZE, MAX_DATA_SIZE and REALM_CMD_BUFFER_SIZE are defined in
 * the TFTF headers; u_register_t is TF-A's register-width unsigned integer.
 */
typedef struct host_shared_data {
	/* Buffer used from Realm for logging */
	uint8_t log_buffer[MAX_BUF_SIZE];
	/* Command set from Host and used by Realm */
	uint8_t realm_cmd;
	/* Array of params passed from Host to Realm */
	u_register_t host_param_val[MAX_DATA_SIZE];
	/* Array of output results passed from Realm to Host */
	u_register_t realm_out_val[MAX_DATA_SIZE];
	/* Buffer to save Realm command results */
	uint8_t realm_cmd_output_buffer[REALM_CMD_BUFFER_SIZE];
} host_shared_data_t;
```



## REC entry and exit

`RMI_REC_ENTER(rec, run)`

#### RmiRecEnter

- "Inject SEA" flag
- "Trap WFx" flags
- GPRs
- GIC HCR, LRs

#### RmiRecExit

- REC exit reason
- ESR_EL2, FAR_EL2, HPFAR_EL2
- GPRs
- GIC HCR, LRs, MISR, VMCR
- Virt + phys timer control, compare
- RIPAS change values
- Host call immediate value
- PMU overflow, interrupt enable, counter enable

#### Exit reasons

- Emulatable Data Abort
- Non-emulatable Data Abort
- Instruction Abort
- Sysreg emulation (`ICC_SGI*R_EL1` and `ICC_DIR_EL1` writes only)
- WFx
- IRQ
- FIQ
- PSCI
- RIPAS change
- Host call
- SError



## **TFTF Testcase**

```
<testcase name="Realm payload multi rec single cpu"
          function="host_realm_multi_rec_single_cpu" />
<testcase name="Multiple Realm EL1 creation and execution test"
          function="host_test_multiple_realm_create_enter" />
```





# Tests for PSCI Support



#### PSCI CPU ON Sequence

(Diagram: Host, RMM, RecA and RecB.)

1. Host: `rec_enter` A
2. RMM runs RecA
3. RecA issues PSCI `CPU_ON` for RecB
4. RMM: `REC_EXIT_PSCI` to Host
5. Host: `PSCI_COMPLETE`
6. RMM returns to Host
7. Host: `rec_enter` A
8. RecA runs and receives the `CPU_ON` return result
9. Host: `rec_enter` B
10. RecB warm boots



## Boot Sequence Realm Payload





## **TFTF Testcase**

```
<testcase name="Realm payload multi rec multiple cpu"
          function="host_realm_multi_rec_multiple_cpu"/>
```

```
> Executing 'Realm payload multi rec multiple cpu'
INFO:
         Realm start adr=0x8811a000
[VMID 7] [Rec 0]: Realm: running on CPU = 0x0
INFO:
         Booting
INFO:
         Booting
INFO:
         Booting
[VMID 7][Rec 1]: running on CPU = 0x1 cxt id= 0x101
INFO:
         Booting
[VMID 7] [Rec 2]: running on CPU = 0x2 cxt id= 0x102
INFO:
         Booting
[VMID 7] [Rec 3]: running on CPU = 0x3 cxt id= 0x103
INFO:
         Booting
[VMID 7] [Rec 4]: running on CPU = 0x4 cxt id= 0x104
INFO:
         Booting
[VMID 7] [Rec 5]: running on CPU = 0x5 cxt id= 0x105
[VMID 7] [Rec 6]: running on CPU = 0x6 cxt id= 0x106
[VMID 7] [Rec 7]: running on CPU = 0x7 cxt id= 0x107
INFO:
         Powering off
[VMID 7] [Rec 0]: All CPU are off
  TEST COMPLETE
```

```
PSCI c4000003
                             1 8811a000 101 88131fa0 88131fa0 88131f60 ffffffc8 > c4000003 1 8811a000 101
SMC RMM PSCI COMPLETE
                             88223000 88235000 0 > RMI SUCCESS
PSCI c4000003
                             2 8811a000 102 88131fa0 88131fa0 88131f60 ffffffc8 > c4000003 2 8811a000 102
SMC RMM PSCI COMPLETE
                             88223000 88247000 0 > RMI SUCCESS
PSCI c4000003
                             3 8811a000 103 88131fa0 88131fa0 88131f60 ffffffc8 > c4000003 3 8811a000 103
                             88223000 88259000 0 > RMI SUCCESS
SMC RMM PSCI COMPLETE
PSCI c4000003
                             4 8811a000 104 88131fa0 88131fa0 88131f60 ffffffc8 > c4000003 4 8811a000 104
SMC RMM PSCI COMPLETE
                             88223000 8826b000 0 > RMI SUCCESS
PSCI c4000003
                             5 8811a000 105 88131fa0 88131fa0 88131f60 ffffffc8 > c4000003 5 8811a000 105
SMC RMM PSCI COMPLETE
                             88223000 8827d000 0 > RMI SUCCESS
PSCI c4000003
                             6 8811a000 106 88131fa0 88131fa0 88131f60 ffffffc8 > c4000003 6 8811a000 106
SMC RMM PSCI COMPLETE
                             88223000 8828f000 0 > RMI SUCCESS
PSCI c4000003
                             7 8811a000 107 88131fa0 88131fa0 88131f60 ffffffc8 > c4000003 7 8811a000 107
SMC RMM PSCI COMPLETE
                             88223000 882a1000 0 > RMI SUCCESS
PSCI 84000002
                             0 0 0 0 0 0 0 > 0 0 0
PSCI 84000002
                             0 0 0 0 0 0 0 > 0 0 0
PSCI 84000002
                             0 0 0 0 0 0 0 > 0 0 0
PSCI 84000002
PSCI 84000002
PSCI 84000002
                             0 0 0 0 0 0 0 > 0 0 0 0
PSCI 84000002
                             0 0 0 0 0 0 0 > 0 0 0
PSCI c4000004
                             1 0 107 88131fa0 88131fa0 88131f60 ffffffc8 > c4000004 1 0 107
SMC RMM PSCI COMPLETE
                             88223000 88235000 0 > RMI SUCCESS
PSCI c4000004
                             2 0 107 88131fa0 88131fa0 88131f60 ffffffc8 > c4000004 2 0 107
SMC RMM PSCI COMPLETE
                             88223000 88247000 0 > RMI SUCCESS
PSCI c4000004
                             3 0 107 88131fa0 88131fa0 88131f60 ffffffc8 > c4000004 3 0 107
SMC RMM PSCI COMPLETE
                             88223000 88259000 0 > RMI SUCCESS
PSCI c4000004
                             4 0 107 88131fa0 88131fa0 88131f60 ffffffc8 > c4000004 4 0 107
```

Passed




# Realm Memory Management



## Realm IPA state (RIPAS) and Host IPA state (HIPAS)

- Realm and Host each have their own view of the Realm's Protected IPA space
- Each of the two can manipulate its view independently





## **TFTF Testcases**

```
<testcase name="New Realm PAS Validation"
          function="host_realm_pas_validation_new" />
<testcase name="Active Realm PAS validation"
          function="host_realm_pas_validation_active" />
```




# Realm Memory Exception Model



## Realm Memory Exception

The following table summarizes the properties of Realm IPA space.

| Realm IPA                     | Data access<br>causes abort to<br>Realm?                          | Data access causes REC exit<br>due to Data Abort? | Instruction fetch causes abort to Realm? | Instruction fetch causes<br>REC exit due to<br>Instruction Abort? |
|-------------------------------|-------------------------------------------------------------------|---------------------------------------------------|------------------------------------------|-------------------------------------------------------------------|
| Protected,<br>RIPAS=EMPTY     | Always (SEA)                                                      | Never                                             | Always (SEA)                             | Never                                                             |
| Protected,<br>RIPAS=RAM       | Never                                                             | When<br>HIPAS=UNASSIGNED                          | Never                                    | When<br>HIPAS=UNASSIGNED                                          |
| Protected,<br>RIPAS=DESTROYED | Never                                                             | Always                                            | Never                                    | Always                                                            |
| Unprotected                   | Host can inject<br>SEA following<br>REC exit due to<br>Data Abort | When<br>HIPAS=UNASSIGNED_NS                       | Always (SEA)                             | Never                                                             |
| Outside Realm IPA space       | Always (Address<br>Size Fault)                                    | Never                                             | Always (Address<br>Size Fault)           | Never                                                             |



## **TFTF Testcases**

```
<testcase name="Realm SEA Unprotected"
          function="host_realm_sea_unprotected" />
<testcase name="Realm SEA Adr Fault"
          function="host_realm_sea_adr_fault" />
<testcase name="Realm Abort Unassigned RAM"
          function="host_realm_abort_unassigned_ram" />
<testcase name="Realm Abort Unassigned Destroyed"
          function="host_realm_abort_unassigned_destroyed" />
```



```
> Executing 'Realm SEA Adr Fault'
INFO:
         Realm start adr=0x8811a000
         base ipa=0x200088000000
INFO:
[VMID 14] [Rec 0]: Initial ripas=0x0
[VMID 14] [Rec 0]: Generate Data Abort
         Rec0 ESR=0x97c08210
INFO:
[VMID 14] [Rec 1]: Initial ripas=0x0
[VMID 14] [Rec 1]: Generate Instruction Abort
INFO:
         Rec1 ESR=0x86000210
         base ipa=0x20200088000000
INFO:
[VMID 14] [Rec 2]: Initial ripas=0x0
[VMID 14] [Rec 2]: Generate Data Abort
         Rec2 ESR=0x96000000
INFO:
[VMID 14] [Rec 3]: Initial ripas=0x0
[VMID 14] [Rec 3]: Generate Instruction Abort
         Rec3 ESR=0x86000000
INFO:
  TEST COMPLETE
                                                                 Passed
> Executing 'Realm Abort Unassigned RAM'
         Realm start adr=0x8811a000
INFO:
         Initial state base = 0x8824a000 rtt.state=0x0 rtt.ripas=0x1
INFO:
[VMID 15] [Rec 0]: Initial ripas=0x1
[VMID 15] [Rec 0]: Generate Instruction Abort
         IA FAR=0x0, HPFAR=0x8824a0 ESR=0x80000007
INFO:
[VMID 15] [Rec 1]: Initial ripas=0x1
[VMID 15] [Rec 1]: Generate Data Abort
         DA FAR=0x0, HPFAR=0x8824a0 ESR=0x90000007
INFO:
  TEST COMPLETE
                                                                 Passed
> Executing 'Realm Abort Unassigned Destroyed'
       Realm start adr=0x8811a000
INFO:
       Initial state base = 0x8824a000 rtt.state=0x1 rtt.ripas=0x1
INFO:
       New state4 base = 0x8824a000 rtt.state=0x0 rtt.ripas=0x2
INFO:
[VMID 16] [Rec 0]: Initial ripas=0x2
[VMID 16] [Rec 0]: Generate Instruction Abort
         IA FAR=0x0, HPFAR=0x8824a0 ESR=0x80000007
INFO:
[VMID 16] [Rec 1]: Initial ripas=0x2
[VMID 16] [Rec 1]: Generate Data Abort
         DA FAR=0x0, HPFAR=0x8824a0 ESR= 0x90000007
INFO:
  TEST COMPLETE
                                                                 Passed
```
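An added example, not code from TF-A-Tests or the RMM: it decodes the ESR values printed in the logs above (EC in bits[31:26], xFSC in bits[5:0], per the Arm architecture) and checks each one against the Realm memory exception table. The IPA class and HIPAS of each logged access are assumptions read from the test names and the `rtt.state`/`ripas` values in the log, and the RIPAS numbering is the one the tests print.

```c
#include <stdbool.h>
#include <stdint.h>
/* ESR_ELx layout: exception class (EC) in bits[31:26], fault status code (xFSC) in bits[5:0]. */
#define ESR_EC(esr)  (((esr) >> 26) & 0x3fU)
#define ESR_FSC(esr) ((esr) & 0x3fU)
#define EC_IABORT_LOWER_EL 0x20U /* Instruction Abort from a lower EL: REC exit, ESR_EL2 seen by the Host */
#define EC_IABORT_SAME_EL  0x21U /* Instruction Abort at the same EL: taken by the Realm payload at EL1 */
#define EC_DABORT_LOWER_EL 0x24U /* Data Abort from a lower EL: REC exit */
#define EC_DABORT_SAME_EL  0x25U /* Data Abort at the same EL: taken by the Realm payload */
#define FSC_ADDR_SIZE_L0   0x00U /* Address Size Fault, level 0 */
#define FSC_SEA            0x10U /* Synchronous External Abort, not on a translation table walk */
#define FSC_IS_TRANSLATION(fsc) (((fsc) & 0x3cU) == 0x04U) /* Translation fault at any level */

enum access_kind { ACCESS_DATA, ACCESS_FETCH };
enum outcome     { OUT_NONE, OUT_ABORT_IN_REALM, OUT_REC_EXIT, OUT_UNKNOWN };
enum ipa_kind    { IPA_PROTECTED, IPA_UNPROTECTED, IPA_OUTSIDE };
enum ripas       { RIPAS_EMPTY = 0, RIPAS_RAM = 1, RIPAS_DESTROYED = 2 }; /* values as printed by the tests */

/* Classify a logged ESR: which access faulted and whether the Realm or the Host observed it. */
enum outcome decode_esr(uint32_t esr, enum access_kind *acc, unsigned int *fsc)
{
	*fsc = ESR_FSC(esr);
	switch (ESR_EC(esr)) {
	case EC_IABORT_SAME_EL:  *acc = ACCESS_FETCH; return OUT_ABORT_IN_REALM;
	case EC_DABORT_SAME_EL:  *acc = ACCESS_DATA;  return OUT_ABORT_IN_REALM;
	case EC_IABORT_LOWER_EL: *acc = ACCESS_FETCH; return OUT_REC_EXIT;
	case EC_DABORT_LOWER_EL: *acc = ACCESS_DATA;  return OUT_REC_EXIT;
	default:                 *acc = ACCESS_DATA;  return OUT_UNKNOWN;
	}
}

/* Outcome the Realm memory exception table predicts for one access.
 * hipas_assigned is false for HIPAS=UNASSIGNED and HIPAS=UNASSIGNED_NS. */
enum outcome expected_outcome(enum ipa_kind ipa, enum ripas r, bool hipas_assigned, enum access_kind acc)
{
	switch (ipa) {
	case IPA_OUTSIDE:
		return OUT_ABORT_IN_REALM;                           /* Address Size Fault for both access kinds */
	case IPA_UNPROTECTED:
		if (acc == ACCESS_FETCH) return OUT_ABORT_IN_REALM;  /* instruction fetch: always SEA */
		return hipas_assigned ? OUT_NONE : OUT_REC_EXIT;    /* data access: REC exit if unassigned */
	case IPA_PROTECTED:
		if (r == RIPAS_EMPTY)     return OUT_ABORT_IN_REALM; /* always SEA */
		if (r == RIPAS_DESTROYED) return OUT_REC_EXIT;       /* always REC exit */
		return hipas_assigned ? OUT_NONE : OUT_REC_EXIT;     /* RIPAS=RAM */
	}
	return OUT_UNKNOWN;
}

/* Check one logged ESR against the table. sea_injected is true when the Host answered the REC exit
 * by re-entering the REC with the "Inject SEA" flag set, so the Realm observes an SEA instead. */
bool esr_matches_model(uint32_t esr, enum ipa_kind ipa, enum ripas r, bool hipas_assigned, bool sea_injected)
{
	enum access_kind acc; unsigned int fsc;
	enum outcome seen = decode_esr(esr, &acc, &fsc), want;

	if (seen == OUT_UNKNOWN) return false;
	want = expected_outcome(ipa, r, hipas_assigned, acc);
	if (sea_injected && ipa == IPA_UNPROTECTED && acc == ACCESS_DATA && want == OUT_REC_EXIT)
		want = OUT_ABORT_IN_REALM;
	if (seen != want) return false;
	/* The fault status code must name the cause the table gives for that row. */
	if (ipa == IPA_OUTSIDE) return fsc == FSC_ADDR_SIZE_L0;
	if (seen == OUT_ABORT_IN_REALM) return fsc == FSC_SEA;
	return FSC_IS_TRANSLATION(fsc); /* REC exit on a granule the Host has not assigned */
}
```

For the 'Realm SEA Adr Fault' log, `esr_matches_model(0x97c08210, IPA_UNPROTECTED, RIPAS_EMPTY, false, true)` and `esr_matches_model(0x96000000, IPA_OUTSIDE, RIPAS_EMPTY, false, false)` both hold, while the 'Unassigned RAM' exits (`0x80000007`, `0x90000007`) match only with `hipas_assigned == false`.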



## Misc Testcases

- SVE/FPU/SIMD: verify save/restore of registers across exceptions
  - `host_sve_realm_check_config_register`
  - `host_realm_fpu_access_in_rl_ns_se`
- PMU: access PMU counters from the Realm; tests PMU overflow ISR injection
  - `host_realm_pmuv3_overflow_interrupt`
- PAuth: Realms can enable PAuth, program keys and verify save/restore of keys; testcase to generate a PAuth fault in the Realm
  - `host_realm_pauth_fault`



## **Future Work**

- Add more tests for increased coverage
- Optimize Realm payload loading
- Tests for LPA2 support
- Enable Stage 1 in Realms with LPA2 support
- Framework for Planes & Device Assignment testing





Thank You

Danke, Gracias, Grazie, ありがとう, Asante, 谢谢, Merci, 감사합니다, धन्यवाद, Kiitos, شکرًا, ধন্যবাদ, תודה, ధన్యవాదములు



## **CPPCheck**

CPPCheck is an open-source C/C++ static analyzer tool.

CPPCheck can detect bugs such as:

#### Undefined Behaviors

- Dead pointers
- Division by zero
- Integer overflows
- Invalid bit shift operands
- Invalid conversions
- Invalid usage of STL
- Memory management
- Null pointer dereferences
- Out of bounds checking
- Uninitialized variables
- Writing const data

#### Security Vulnerabilities

- Buffer errors
- Improper access control
- Information leak
- Permissions, privileges, and access control

#### Coding Standards

- MISRA C 2012
- CERT C



## Installing CPPCheck

- Recommended version 2.13.4
- To install CPPCheck from source:

```
git clone https://github.com/danmar/cppcheck.git -b 2.13.x
mkdir build
cd build
cmake ..
cmake --build .
export PATH=$cppcheck_root/build/bin:$cppcheck_root/htmlreport:$PATH
cppcheck --version
```



## Integrating CPPCheck in RMM Project

- `cmake -DRMM_CONFIG=fvp_defcfg -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON`
- To run CPPCheck standalone
  - `cmake --build build -- cppcheck`
  - Generates `cppcheck.xml` in the `build/tools/cppcheck` folder
- To run CPPCheck + MISRA
  - `cmake --build build -- cppcheck-misra`
  - Generates `cppcheck_misra.xml` in the `build/tools/cppcheck` folder
- Refer to https://cppcheck.sourceforge.io/manual.pdf



## Misra Configuration

https://github.com/TF-RMM/tf-rmm/tree/main/tools/cppcheck



## **CPPCheck Suppression**

- Inline suppression
  - `/* cppcheck-suppress uninitvar */`
  - `/* cppcheck-suppress [arrayIndexOutOfBounds, uninitvar] */`
  - `/* cppcheck-suppress-begin uninitvar */`
  - `/* cppcheck-suppress-end uninitvar */`
- Suppression.txt
  - `[error id]:[filename]:[line]`
  - `*:*/ext/*`
  - `[Uninitvar, arrayIndexOutOfBounds]:*/file.c:10`



## **CPPCheck output**

- Generates XML output

```
<errors>
  <error id="someError" severity="error" msg="short error text"
         verbose="long error text" inconclusive="true" cwe="312">
    <location file0="file.c" file="file.h" line="1"/>
  </error>
</errors>
```

- cppcheck-htmlreport
  - Takes the XML input and generates a user-friendly HTML report.
  - `htmlreport/cppcheck-htmlreport --file=cppcheck_misra.xml --report-dir=test --source-dir=.`
  - Generates `test/index.html`



## CI Job

- CPPCheck job is automated in internal RMM CI, CI+1

(Screenshot: Cppcheck HTML report for tf-rmm. The defect summary lists MISRA C 2012 violations per file, for rules 8.4, 10.1, 10.3, 10.4, 10.6, 14.2, 17.2, 17.3 and 18.4, each reported as "misra violation (rule-texts-file not found: tools/cppcheck/misra.rules)", plus one knownConditionTrueFalse style finding: "The comparison 's2tte&ns_attr_host_mask != ns_attrs' is always false because 's2tte&ns_attr_host_mask' and 'ns_attrs' represent the same value." Active checkers: 4/637.)



## **Future Work**

- Add GitHub Action to run CPPCheck
- Maintain 0 CPPCheck MISRA errors on RMM main




