From ARMv7, the ARM architecture defines different architectural profiles and this edition of this manual describes only the A and R profiles. ARM, the ARM Powered logo, Thumb, and StrongARM are registered free, worldwide licence to use this ARM Architecture Reference Manual for the purposes. ARM: ARMv7-A architecture reference manual, issue C, help/?topic=/ 3. ARM: Integrator baseboards.
|Published (Last):||27 April 2004|
|PDF File Size:||17.30 Mb|
|ePub File Size:||15.59 Mb|
|Price:||Free* [*Free Regsitration Required]|
A while back we wrote about the QEMU implementation of Arm TrustZonealso known as Arm Security extensions support, and now that this work is being accepted into mainline QEMU we want to highlight some aspects about the usage model and testing of the functionality. Although the functional support is now available upstream, it is currently disabled while the details of the usage are ironed out.
Specifically, command line options are being added to allow users sdi0406c enable or disable the Arm Security extensions from the command line. This is especially important for maintaining backwards compatibility of existing machine models incorporating TrustZone enabled processors.
Achieving backwards compatibility and allowing easy future use of Arm TrustZone, we are introducing the following configuration changes:.
The Arm Security extensions are currently only supported, and enabled by default, on the Versatile Express and the virt machine models. All other machine models will have the Arm Security extensions dsi0406c by default. This option is unavailable on all other machine models. Disabling the security extension will restore the legacy behavior to no secure state. Using the -kernel command line option to run Linux on an Arm Versatile Express machine model will result in it booting ddi0406v the secure state by default.
If undesirable, the user may disable the security extension as described vdi0406c. Use of the -kernel command line option to run Linux on a QEMU virt machine model will result in it booting into non-secure state by default. The -bios command is the preferred approach for running TrustZone enabled environments. This limited ddi0406x makes the security functionality more susceptible to breakages going unnoticed. Vdi0406c this reason, it is important to have a well-defined set of tests to verify proper operation as well as to prevent future regressions.
We are developing a standalone test guest binary, which validates the QEMU security extension functionality. Ddi040c part of our overall mission to improve test coverage of open-source technologies, Linaro is committed to establish a testing framework for the implemented functionality to guard against functional regressions and defend the upstream code.
A Measurement Study of ARM Virtualization Performance
A TrustZone environment includes multiple distinct parts including a secure bootloader, secure and non-secure operating systems, a non-secure root file system, a Trusted Execution Environment and both secure and non-secure applications. As you could imagine, using such an environment for test purposes would be fairly involved and fraught with variances that ultimately compromise the repeatability of the testing. Additionally, from a practical point of view, the number of distinct parts to be coordinated would likely discourage regular testing.
Given the above, our goal is to balance the complexity of creating a sufficient QEMU TrustZone test infrastructure without the complexity and burden of using a typical TrustZone environment. Emulating TrustZone enabled environments will typically rely on using the -bios command line option.
This option allows machine emulation to begin at reset by loading and executing a raw image at a known starting address. The -bios command is a more low-level command giving users complete control of the first instruction executed when the CPU comes out of reset.
This is in contrast to the on Arm more typically used -kernel rdi0406c option, which skips over the initial machine reset by using its own internal bootloader to more conveniently jump right to the high-level OS. By using the -bios command line option, control of the bootloading stage is left srm to the user just as is done on real hardware. This allows a true secure environment to be emulated in QEMU by allowing both secure and non-secure bootloading stages as directed by the user.
This more closely emulates actual Armv7 hardware, which starts in secure PL1 mode making it ideal for loading the initial secure bootloader. In a typical Arm TrustZone environment, a bootloader is responsible for loading and initiating execution of the secure world software and possibly the non-secure qrm software as well.
Most often, secure and non-secure software are separate binary images that are loaded into one or more ROM locations. The bootloader is usually sophisticated enough to perform the required amount of device initialization and image loading. Given the standalone nature of the QEMU Arm TrustZone test, it would be overkill to use something as complicated as a bare-metal bootloader. Instead, to simplify the testing setup, we construct a single test binary by concatenating separate secure and di0406c images into a single file.
Each of the images have fixed offsets in the binary file and are linked at a known starting virtual addresses for easy loading and execution of each image. The benefit of using a single binary is that QEMU can be invoked by simply using the -bios command line option to point to our single test binary.
By loading the single binary into an execute-in-place flash device in QEMU mapped at the reset address, execution begins in the secure image which contains a small bootloader responsible for initializing the secure world. The secure world then initializes monitor mode which makes it possible to transition between the secure and non-secure worlds.
The bootloader is also responsible for loading the non-secure image as well as eventually booting the non-secure software by going through monitor mode. The primary responsibility of the secure world component is to facilitate the execution edi0406c test cases directed at it. This is accomplished through dedicated supervisor SVC and monitor mode SMC exception handlers with predefined opcodes for routing and executing test cases supplied from the non-secure world.
In addition, the secure world component includes the primary bootloader and hardware initialization for the secure world as well as abort handlers for catching and reporting expected and unexpected exceptions.
The ark tests included and directly executed by the secure world component are preliminary checks for security extension support and validation of the initial processor state. Otherwise, the majority of the test cases are defined in the non-secure user mode component and dispatched to the secure world.
The secure world infrastructure is capable of executing tests in either supervisor PL1 or user PL0 mode. The primary responsibility of the monitor component is to handle transitioning between the secure and non-secure worlds, just like in a real Trusted Execution Environment.
Transitions are performed through the use of predefined opcodes for directing SMC ddl0406c.
Testing QEMU Arm TrustZone
The non-secure world component is the main test component and contains the bulk of the actual test cases. The non-secure world includes both supervisor mode PL1 and user mode PL0 functionality.
The privileged functionality is responsible for ddi0406f world initialization and set-up.
It also includes an SVC exception handler accepting predefined opcodes for initiating non-secure privileged operations and for forwarding secure world operation requests.
The unprivileged functionality consists of the suite of TrustZone test functions executed in the varying agm and states. As depicted below, all test functions originate as part of the non-secure user mode functionality. Each test function is dispatched to a specific processor mode and secure state from non-secure user mode through a series of SVC and SMC calls.
The test function dispatching allows data to be passed to the function as well as allowing status to be returned sdi0406c the origin.
The approach both exercises the newly added functionality and stresses transitioning between the two worlds and their respective processor modes. Test execution behaves as you might expect with a Trusted Execution Environment TEE by initiating secure operations from a user mode application.
Just like a Trusted Execution Environment, execution utilizes secure monitor calls for transitioning between the worlds. As well, TrustZone features are leveraged to keep these worlds isolated. Currently, the test provides the necessary infrastructure for validating the proper arj of code executing in the secure and non-secure worlds.
The infrastructure includes functionality for performing transitions between the worlds as well as utilities ddi00406c verifying exception behavior.
As well, the below set of tests are provided for dd0406c certain TrustZone architectural features as well as to serve as an example. Tests that the smc instruction generates an undefined exception when executed in non-secure P0 state.
Tests xdi0406c the monitor mode exception has the correct secure state depending on the executing secure state. Test for the secure to non-secure world handshake. This test is provided to insure the mechanism is working properly as all other tests are liekly to fail otherwise. The instructions in the previous blog post are still relevant and may be followed for executing secure images.
Once cloned, change directory to the newly created test root directory qemu. The tests can then be run with the following command from the root of the QEMU directory not the ddl0406c directory:. Currently, the tests are restricted to the Arm Versatile Express and Virt machine models, but can be expanded in the future to include other models.
ARM Architecture Reference Manual ARMv7-A and ARMv7-R edition
Thoughts after Autoware 96Boards Demo Thursday, December 6, The countdown to Linaro Connect Bangk Industry leaders form Autoware Founda Monday, December 10, Bitmain joins Linaro 96Boards Steerin Thursday, November 8, Linaro announces launch of Machine In Monday, September 17, Tuesday, July 17, Friday, September 7, Two weeks to go to the HPC Workshop! Friday, July 13, Datacentre and cloud sessions at Lina Thursday, August 30, Report an Issue Edit on Github. Tests that monitor mode is entered in the correct processor mode and has dfi0406c correct state.
Test that smc calls are not restricted when SCR. SCD is set and no virtualization is enabled.