Can I start a TA without being called by CA? #1541

Closed
SimonWan opened this Issue May 16, 2017 · 11 comments

@SimonWan

SimonWan commented May 16, 2017

Hi experts,

I deployed a security research tool in TrustZone as a static TA.
To call this sTA, I always run CA at first then call the related TA functions.

Now I want to skip the CA part because I don't want to trust any normal world activity.
So my question is can I start a dynamic TA / static TA without being called by CA?

Thank you in advance!

Simon

@vchong


Contributor

vchong commented May 16, 2017

The point of the TA is to provide secure services to the normal world. If you don't want any interaction with normal world, maybe look into implementing your research tool as a service? grep -R service_init * and you can see some examples.

@SimonWan


SimonWan commented May 16, 2017

@vchong thank you for the suggestion. I'm looking at the example code now. By the way, if I develop the tool as a service and assume all cores are running in normal world status, do you know any way for me to wake up the service in the secure world without making a request from the normal world?

@vchong


Contributor

vchong commented May 16, 2017

You're welcome. What exactly does this tool do? It sounds like you want to do/start/run something in secure world (scan for malware maybe?) without a trigger from normal world. I'm not sure but don't think that's possible. The maintainers/experts will have to confirm.

@SimonWan


SimonWan commented May 16, 2017

@vchong my tool is trying to detect rootkits in the normal world, and I hope the tool could run even if the normal world OS is corrupted. If I can invoke this tool without the normal world noticing, then the tool could achieve the best result. Please let me know if you guys have any thoughts, thanks!

@etienne-lms


Contributor

etienne-lms commented May 16, 2017

Hi Simon,
As @vchong stated, OP-TEE is designed to serve non-secure world requests that are issued through SMCs. With current OP-TEE you cannot run a background secure-only thread; you need the non-secure world to issue an SMC to request some processing from the secure world. Once the secure request is completed, the TEE jumps back to the non-secure world, which gets the status of its request.

Actually, you could run a secure-only process from a secure interrupt, but such a sequence should run with non-secure interrupts masked, and it is likely that the Linux kernel will not like it (a long-lasting sequence with the Linux timer interrupt masked on the target running CPU). On the other hand, if you allow non-secure interrupts to reach the non-secure world while you're executing your secure service, then you must accept that the non-secure world can refuse to return to the secure world once its interrupt is served.

@SimonWan


SimonWan commented May 16, 2017

@etienne-lms thank you for the reply. I understand that once non-secure interrupts are blocked, the normal world would suffer from a performance issue.
My current solution is dividing the secure task into many small pieces, and I only block non-secure interrupts for a short time period each time. After each small piece is finished, the core can switch back to handle the non-secure interrupts. So far the performance looks acceptable to me.

You mentioned in the reply that you could run a secure-only process from a secure interrupt; do you mean that even if all cores are running in non-secure status, I can raise a secure interrupt somehow?
Could you please provide more details if this is possible? Thank you!

@etienne-lms


Contributor

etienne-lms commented May 16, 2017

I guess the easiest way would be to generate some secure timer interrupts to get your sequence being executed step by step.

@etienne-lms


Contributor

etienne-lms commented May 16, 2017

Note that "process" was not a good word in my sentence "could run secure-only process from a secure interrupt". Your sequence will run in the context of your secure interrupt handler.

@SimonWan


SimonWan commented May 16, 2017

@etienne-lms thanks! I think I get your point. Last question: does OP-TEE use any secure timer interrupt? I just want to find some example code as a starting point for study.

@etienne-lms


Contributor

etienne-lms commented May 16, 2017

Your platform must register a handler for the secure interrupts (FIQ on GICv1/v2, IRQ on GICv3) to be handled by the OP-TEE generic GIC driver. Check how platforms set the field .nintr of their private struct thread_handlers.

Then, the OP-TEE GIC generic driver allows you to register a handler function for a target interrupt index (and to configure the GIC for that interrupt). Look at ps2mouse.c or interrupt_tests.c to see how you can register a handler for an interrupt within OP-TEE.
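The approach the thread converges on (SimonWan's chunking of the secure task, driven by the secure timer interrupt etienne-lms suggests) can be sketched in plain C. The following is an added example and is not code from this thread, from OP-TEE, or from the platform drivers it mentions: an integrity check over a normal-world memory region is split into fixed-size steps, and each secure timer tick runs exactly one step so the CPU spends only a bounded time in the secure handler with non-secure interrupts masked. OP-TEE's real registration (itr_add() on a struct itr_handler, plus the platform's .nintr entry routing the secure interrupt to the GIC driver) is replaced here by run_ticks(), a simulated interrupt source, so the file builds and runs stand-alone; STEP_BYTES, scan_ctx, scan_step, secure_timer_tick and the FNV-1a digest are all hypothetical choices made for the example.

```c
/* Added example (not OP-TEE code): a secure-world integrity check split
 * into bounded steps, one step per secure timer interrupt. Registration
 * with OP-TEE's itr_add() is replaced by run_ticks(), a simulated tick
 * source, so this builds stand-alone. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes hashed per tick. This bounds how long the CPU stays in the secure
 * handler with non-secure interrupts masked (constructed value). */
#define STEP_BYTES 64

/* Hypothetical handler status, standing in for OP-TEE's enum itr_return. */
enum step_ret { STEP_MORE = 0, STEP_DONE = 1 };

struct scan_ctx {
    const uint8_t *region;  /* normal-world memory the secure world checks */
    size_t len;
    size_t pos;             /* next byte to hash in the current pass */
    uint64_t hash;          /* running digest of the current pass */
    uint64_t expected;      /* baseline digest recorded at scan_init() */
    unsigned passes;        /* completed full passes over the region */
    bool tampered;          /* verdict of the last completed pass */
};

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* FNV-1a, used only because it is short; a real check would use a
 * collision-resistant hash such as SHA-256. */
static uint64_t fnv1a(const uint8_t *p, size_t n, uint64_t h)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* Record the baseline. This must run while the region is still trusted
 * (e.g. right after the secure world loaded or verified it); a baseline
 * taken from an already-compromised normal world proves nothing. */
void scan_init(struct scan_ctx *c, const uint8_t *region, size_t len)
{
    memset(c, 0, sizeof(*c));
    c->region = region;
    c->len = len;
    c->expected = fnv1a(region, len, FNV_OFFSET);
    c->hash = FNV_OFFSET;
}

/* One small piece of the secure task: hash at most STEP_BYTES and return,
 * so the interrupt handler calling it stays short. Completing a pass
 * records the verdict and rearms for the next pass. */
enum step_ret scan_step(struct scan_ctx *c)
{
    size_t n = c->len - c->pos;

    if (n > STEP_BYTES)
        n = STEP_BYTES;
    c->hash = fnv1a(c->region + c->pos, n, c->hash);
    c->pos += n;
    if (c->pos < c->len)
        return STEP_MORE;

    c->tampered = (c->hash != c->expected);
    c->passes++;
    c->pos = 0;
    c->hash = FNV_OFFSET;
    return STEP_DONE;
}

/* Body of the secure timer interrupt handler. In OP-TEE this would be the
 * function registered with itr_add(), with the context reached through
 * the handler's data pointer. */
void secure_timer_tick(void *data)
{
    struct scan_ctx *c = data;

    if (scan_step(c) == STEP_DONE && c->tampered)
        printf("pass %u: region modified since baseline\n", c->passes);
}

/* Simulated interrupt source: deliver n ticks, return completed passes. */
unsigned run_ticks(struct scan_ctx *c, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        secure_timer_tick(c);
    return c->passes;
}
```

With a 200-byte region and STEP_BYTES of 64, a full pass takes four ticks (64, 64, 64 and 8 bytes), and a byte flipped in the region between passes shows up as tampered on the next completed pass. The step size is the knob SimonWan describes: smaller steps shorten each masked window at the cost of more ticks per pass, and the check never depends on the normal world issuing an SMC, which is the property the thread is after.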

@SimonWan


SimonWan commented May 18, 2017

@etienne-lms got it, thank you very much for your help!
