| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 1 | ################### |
| 2 | Secure IRQ handling |
| 3 | ################### |
| 4 | |
| 5 | The Armv8-M Architecture makes it possible to configure interrupts to target |
| 6 | secure state. |
| 7 | |
| 8 | TF-M makes it possible for secure partitions to get notified of secure |
| 9 | interrupts. |
| 10 | |
| 11 | By default TF-M sets up interrupts to target NS state. To configure an interrupt |
| 12 | to target secure state and assign a handler to it, the manifest of the partition |
| 13 | must be edited. |
| 14 | |
| 15 | See the following example: |
| 16 | |
| 17 | |
| 18 | .. code-block:: yaml |
| 19 | |
| 20 | { |
| 21 | "name": "...", |
| 22 | "type": "...", |
| 23 | "priority": "...", |
| 24 | |
| 25 | ... |
| 26 | |
| 27 | "irqs": [ |
| 28 | { |
| Jaykumar Pitambarbhai Patel | b3799e1 | 2019-10-08 17:23:12 +0530 | [diff] [blame] | 29 | "source": "5", |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 30 | "signal": "DUAL_TIMER" |
| 31 | }, |
| 32 | { |
| Jaykumar Pitambarbhai Patel | b3799e1 | 2019-10-08 17:23:12 +0530 | [diff] [blame] | 33 | "source": "TFM_IRQ_LINE_TIMER_1", |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 34 | "signal": "TIMER_1" |
| 35 | "tfm_irq_priority": 64, |
| 36 | } |
| 37 | ], |
| 38 | |
| 39 | ... |
| 40 | |
| 41 | } |
| 42 | |
| 43 | To set up a handler in a partition, the ``irqs`` node must be added. A single |
| 44 | secure partition can have handlers registered for multiple IRQs, in this case |
| 45 | the list ``irqs`` has multiple elements in it. |
| 46 | |
| 47 | An IRQ handler is defined by the following nodes: |
| 48 | |
| Boris Deletic | af02a71 | 2020-09-09 15:17:22 +0100 | [diff] [blame^] | 49 | - ``source``: The IRQ number or the name of the IRQ line. With the name of the |
| 50 | IRQ line, there must be defined a macro in ``tfm_peripherals_def.h`` which is |
| 51 | substituted to the IRQ line num. The IRQ line nums and sources are defined by |
| 52 | each platform: for example, they are defined in ``platform_irq.h`` for the |
| 53 | Musca-S1 platform. When defining new macros in ``tfm_peripherals_def.h``, it |
| 54 | is important the macro name matches the platform's handler function for that |
| 55 | IRQ source. |
| 56 | - ``signal``: The name of the signal for this IRQ. |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 57 | - ``tfm_irq_priority``: The priority of the IRQ. This number must be in the |
| 58 | range [0-255] inclusive. Please note that some of the less significant bits of |
| 59 | this value might be dropped based on the number of priority bits implemented |
| 60 | in the platform. |
| 61 | |
| 62 | .. important:: |
| 63 | |
| 64 | The name of the privileged interrupt handler is derived from the node |
| 65 | specifying the IRQ line number. |
| 66 | |
| Jaykumar Pitambarbhai Patel | b3799e1 | 2019-10-08 17:23:12 +0530 | [diff] [blame] | 67 | - In case ``source`` is IRQ number, the name of the handler becomes |
| 68 | ``void irq_<number>_Handler(void)``. |
| 69 | - In case ``source`` is defined IRQ macro, the name of the handler becomes |
| 70 | ``void <macro>_Handler(void)``. |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 71 | |
| Boris Deletic | af02a71 | 2020-09-09 15:17:22 +0100 | [diff] [blame^] | 72 | This is important, because the derived name has to be present in the vector |
| 73 | table as the handler of the IRQ. The platform startup functions are specified |
| 74 | in the vector table defined in the platform secure startup file. The user |
| 75 | should verify the names of the generated handlers match for a given platform |
| 76 | IRQ. |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 77 | |
| 78 | .. Note:: |
| 79 | |
| Jaykumar Pitambarbhai Patel | b3799e1 | 2019-10-08 17:23:12 +0530 | [diff] [blame] | 80 | ``signal`` and ``source`` are mandatory. |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 81 | |
| 82 | ``tfm_irq_priority`` is optional. If ``tfm_irq_priority`` is not set for an |
| 83 | IRQ, the default is value is ``TFM_DEFAULT_SECURE_IRQ_PRIOTITY``. |
| 84 | |
| 85 | If an IRQ handler is registered, TF-M will: |
| 86 | |
| Jaykumar Pitambarbhai Patel | b3799e1 | 2019-10-08 17:23:12 +0530 | [diff] [blame] | 87 | - Set the IRQ with number or macro to target secure state |
| 88 | - Set the priority of IRQ with number or macro to ``tfm_irq_priority`` or to |
| 89 | the default. |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 90 | |
| 91 | TF-M configures the interrupt lines to be disabled by default. Interrupts for a |
| 92 | service can be enabled by the secure service by calling |
| 93 | ``void tfm_enable_irq(psa_signal_t irq_signal)``. The function can be called in |
| 94 | the service init function. |
| 95 | |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 96 | Library model |
| Galanakis, Minos | cc8cde7 | 2019-11-11 15:41:23 +0000 | [diff] [blame] | 97 | ============= |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 98 | |
| 99 | In Library model a function with the name derived from the value of the |
| Jaykumar Pitambarbhai Patel | b3799e1 | 2019-10-08 17:23:12 +0530 | [diff] [blame] | 100 | ``source`` property is generated. This function will be put in the vector table |
| 101 | by the linker (as the handlers in the startup assembly are defined as weak |
| 102 | symbols). The code generated for this function will forward the call to the |
| 103 | function with the name of the value of the ``signal`` property post-fixed with |
| 104 | ``_isr``. |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 105 | |
| 106 | .. hint:: |
| 107 | |
| 108 | for a signal ``"signal": "DUAL_TIMER"`` the name of the handler function is |
| 109 | ``DUAL_TIMER_isr`` |
| 110 | |
| 111 | The signature of the IRQ handler in the partition must be the following: |
| 112 | |
| 113 | .. code-block:: c |
| 114 | |
| 115 | void partition_irq_handler(void); |
| 116 | |
| 117 | The detailed description on how secure interrupt handling works in the Library |
| 118 | model see |
| 119 | `Secure Partition Interrupt Handling design document <https://developer.trustedfirmware.org/w/tf_m/design/secure_partition_interrupt_handling/>`_. |
| 120 | |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 121 | IPC model |
| Galanakis, Minos | cc8cde7 | 2019-11-11 15:41:23 +0000 | [diff] [blame] | 122 | ========= |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 123 | |
| 124 | The detailed description on how secure interrupt handling works in the IPC |
| 125 | model, see the |
| 126 | `PSA Firmware Framework and RoT Services specification <https://pages.arm.com/psa-resources-ff.html>`_. |
| 127 | |
| Galanakis, Minos | cc8cde7 | 2019-11-11 15:41:23 +0000 | [diff] [blame] | 128 | ********************** |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 129 | Implementation details |
| Galanakis, Minos | cc8cde7 | 2019-11-11 15:41:23 +0000 | [diff] [blame] | 130 | ********************** |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 131 | |
| Galanakis, Minos | f56baf6 | 2019-11-11 13:57:42 +0000 | [diff] [blame] | 132 | Library model implementation |
| Galanakis, Minos | cc8cde7 | 2019-11-11 15:41:23 +0000 | [diff] [blame] | 133 | ============================ |
| Mate Toth-Pal | 4341de0 | 2018-10-02 12:55:47 +0200 | [diff] [blame] | 134 | |
| 135 | As a result of the function call like behaviour of secure services in library |
| 136 | model, some information that is critical for the SPM to keep track of partition |
| 137 | states, is stored on the stack of the active partitions. When an interrupt |
| 138 | happens, and a handler partition is set to running state, it has access to its |
| 139 | whole stack, and could corrupt the data stacked by the SPM. To prevent this, a |
| 140 | separate Context stack is introduced for each secure partition, that is used by |
| 141 | the SPM to save this information before starting to execute secure partition |
| 142 | code. |
| 143 | |
| 144 | A stack frame to this context stack is pushed when the execution in the |
| 145 | partition is interrupted, and when a handler in the partition interrupts another |
| 146 | service. So the maximal stack usage can happen in the following situation: |
| 147 | |
| 148 | Consider secure partition 'A'. 'A' is running, and then it is interrupted by |
| 149 | an other partition. Then the lowest priority interrupt of 'A' is triggered. |
| 150 | Then before the handler returns, the partition is interrupted by another |
| 151 | partition's handler. Then before the running handler returns, the second |
| 152 | lowest interrupt of 'A' is triggered. This can go until the highest priority |
| 153 | interrupt of 'A' is triggered, and then this last handler is interrupted. At |
| 154 | this point the context stack looks like this: |
| 155 | |
| 156 | .. code-block:: |
| 157 | |
| 158 | +------------+ |
| 159 | | [intr_ctx] | |
| 160 | | [hndl_ctx] | |
| 161 | | . | |
| 162 | | . | |
| 163 | | . | |
| 164 | | [intr_ctx] | |
| 165 | | [hndl_ctx] | |
| 166 | | [intr_ctx] | |
| 167 | +------------+ |
| 168 | |
| 169 | Legend: |
| 170 | [intr_ctx]: Frame pushed when the partition is interrupted |
| 171 | [hndl_ctx]: Frame pushed when the partition is handling an interrupt |
| 172 | |
| 173 | So the max stack size can be calculated as a function of the IRQ count of 'A': |
| 174 | |
| 175 | .. code-block:: |
| 176 | |
| 177 | |
| 178 | max_stack_size = intr_ctx_size + (IRQ_CNT * (intr_ctx_size + hndl_ctx_size)) |
| 179 | |
| 180 | -------------- |
| 181 | |
| Boris Deletic | af02a71 | 2020-09-09 15:17:22 +0100 | [diff] [blame^] | 182 | *Copyright (c) 2018-2020, Arm Limited. All rights reserved.* |