topic Re: Accessing FLEXCAN in secure user mode in i.MX Processors

Accessing FLEXCAN in secure user mode

alip — Fri, 16 Sep 2016 04:11:19 GMT

Hi all,

We have a bare-metal application (no Linux) that runs in "secure user" mode. The first access to the FELXCAN registers (a load) causes an abort. I have verified and the clocks are all set up properly, and memory mappings are all correct too.

I set a break-point on this problematic load instruction (which is the first access to the FLEXCAN peripheral). After the debugger hit the break-point, a single-step caused an abort of course. Then I rebooted the board and stopped on the same instruction again, manually changed the CPU mode to "secure system" through the JTAG debugger and then single-stepped, the load instruction executed correctly. This implied that "secure user" didn't have access to FLEXCAN.

Inspection of the CSU registers (CSU_CL0 in this case) showed that the value is set to 0x00330033, which according to the Security Reference Manual should permit RD+WR for secure user mode. The AIPSTZx_OPACx registers are all set to zero (and AIPSTZx_MPR gives access to all four masters), so the peripherals should not need supervisor privilege for access.

Out of curiosity, I performed two tests:

- Set CSU_CL0 to 0x00FF00FF to make it fully permissive (full RD+WR access in all modes), and accessing the register in secure user mode still caused a trap (wrong behaviour)

- Set CSU_CL0 to 0x00000000 to make it fully disallow access, and accessing the register even in secure system mode caused a trap (correct behaviour, proving that I am modifying the correct CSU register, and my modifications take effect)

Can anyone shed some light on this? To me it seems like a silicon errata, in which it doesn't allow access to FLEXCAN in secure user mode, no matter the security configuration. I'm have verified this on IMX6Q (SabreLite) and IMX6QPLUS (Nitrogen).

Thanks in advance.

Re: Accessing FLEXCAN in secure user mode

igorpadykov — Mon, 19 Sep 2016 23:42:37 GMT

Hi Ali

seems there is confusion regarding "secure user mode",

as vague defined mode. Could you provide documentation where it is

defined. Seems "secure system" as you described is secure mode used

in processor documentation.

Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Re: Accessing FLEXCAN in secure user mode

alip — Tue, 20 Sep 2016 00:20:26 GMT

Hi Igor,

Thanks for your answer.

Quoting from the manual:

There are four security modes of operation in the system distinguished by security (TrustZone/non-TrustZone) and privilege (Supervisor/User) setting of the module. Below is the list of these security modes from the highest security level to the lowest:
1. TrustZone (Secure) Privilege (Supervisor) Mode - Highest Security Level
2. TrustZone (Secure) non-Privilege (User) Mode - Medium Security Level
3. non-TrustZone (Regular) Privilege (Supervisor) Mode - Medium Security Level
4. non-TrustZone (Regular) non-Privilege (User) Mode - Lowest Security Level

By "secure user mode" I was referring to the second level above, and by "secure system mode" I was referring to the first. The only difference that I was manually setting the processor mode to "system" instead of "supervisor":

System mode: Software executing in System mode executes at PL1. System mode has the same registers available as User mode, and is not entered by any exception.

The default CSU_CL0 value of 0x00330033 is supposed to provide RD+WR access for the first two security levels above, but doesn't seem to work for the second.

Re: Accessing FLEXCAN in secure user mode

igorpadykov — Tue, 20 Sep 2016 01:04:49 GMT

Hi Ali

unfortunately nxp does not support trustzone in its bsps, however

one can try arm examples on below link

ARM Information Center

Best regards
igor

Re: Accessing FLEXCAN in secure user mode

alip — Tue, 20 Sep 2016 03:28:54 GMT

Hi Igor,

I think you are misunderstanding my question. What I'm asking is why the FLEXCAN device can be accessed in secure system mode, but not secure user mode, if the corresponding CSU register (according to the NXP manual itself) is set up to give access to both modes.

Regards,

Ali

Re: Accessing FLEXCAN in secure user mode

TomE — Tue, 20 Sep 2016 04:02:35 GMT

Good luck in getting any further on this.

I went to download the "Security Reference Manual" to read it for myself, only to get a "24 to 48 hours approval" notice, which will probably fail given the (lack of) details in my Profile.

I would suggest you do some more investigation to see if you can narrow down the problem.

Can you perform this test on as many of the other peripherals as you can, so see if it is only FlexCAN with this problem, or whether it is a particular group of devices?

The Manuals have bugs in them. The register assignments may be wrong. So the bits you're changing in the CSU may not be the ones wired to FlexCAN. I would suggest enabling access for every device in the system through the CSU registers except for the ones documented to be for FlexCAN. If you can get to it then, try to find out which bits in the register actually control FlexCAN.

Is the FlexCAN core on the other side of a peripheral bridge that might also be participating in the security model? Same test as for the previous suggestion - turn everything else on and see if it works, then start turning things off until it doesn't. For instance "13.1.1 Features" mentions security settings for the "AHB to IP Bridge", detailed in the Security Reference Manual.

Let us know if you find anything.

Tom

Re: Accessing FLEXCAN in secure user mode

igorpadykov — Tue, 20 Sep 2016 05:31:22 GMT

Hi Tom

Security Reference Manual can be found on (though not latest version )

Q&A: How is mx6 PMIC_ON_REQ under SW control? | NXP Community

Best regards
igor

Re: Accessing FLEXCAN in secure user mode

igorpadykov — Tue, 20 Sep 2016 05:34:43 GMT

Hi Ali

this mode is specific TrustZone secure mode:

TrustZone (Secure) non-Privilege (User) Mode

there is no support trustzone in nxp bsps or bare metal examples,

suggest try arm examples on above link and try to get extended security support

using NXP Professional Services:

http://www.nxp.com/support/nxp-professional-services:PROFESSIONAL-SERVICE

Best regards
igor

Re: Accessing FLEXCAN in secure user mode

TomE — Tue, 20 Sep 2016 06:50:09 GMT

Thanks for the pointer to that manual. Not much use demanding registration for access to a manual when it is freely available there.

The documentation in that manual on which registers connect to what looks pretty bulletproof. I'd still try "enabling everything" to see if anything changes.

It is hard to find in the manual (and I can't find a diagram showing this), but the FlexCAN peripherals are on the "IPS Bus" and that is bridged through to the "AHB" via the AIPSTZ. And that has security override stuff in it, so I'd check its registers too. Section 1.9 in the Security Manual mentions this, and the register definitions look to be in the normal Reference Manual.

Tom

Re: Accessing FLEXCAN in secure user mode

alip — Tue, 20 Sep 2016 08:10:09 GMT

Thanks Tom. Tried "enabling everything else" and it didn't help.

And I had forgotten to mention that the AIPSTZx_OPACx registers are all set to zero (and AIPSTZx_MPR gives access to all four masters), so the peripherals should not need supervisor privilege for access. I'll add this to the original post.