i.MX6 and TZC380 Action

vsiles · ‎01-09-2017

Hi !

I have configured the TZASC of my i.MX6q board to protect the last 256 Mb (from 0x4000_0000 to 0x4800_0000) of RAM from the Normal World. First, I configured the TZASC Action register with the value 2, to be notified via IRQ of the accesses but just ignore them silently (no fault). I get a notification during u-boot sequence, so I'm trying to understand what's wrong.

Since I didn't manage to find the culprit, I decided to change the action to 1, in order to trigger a pagefault (DECERR) (or at least that's how I understand it), and in this configuration, u-boot works fine, it doesn't seem to get an exception.

Once u-boot is done, I can see that the fault address register of the TZASC is no longer 0, but a secure address, so something happened, but no fault seems to have been created.

Is my understanding of the TZASC action register correct ? Is there a way to get the address of the exact instruction which is trying to access the secure part of the DDR ?

V.

PS: for your information, the AXI ID I get are either 0x18 or 0x19, which seems to be ARM_S0/ARM_S1, but I don't know at all what they stand for.

b36401 · ‎01-10-2017

Please refer chapter 1.13 "TrustZone Address Space Controller" of Security Reference Manual for i.MX 6 Processors.

Have a great day,
Victor

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

vsiles · ‎01-11-2017

Hi ! This section only gives general information about the TZASC, nothing about speculative accesses.

I think my issue comes from speculative access (or some similar behavior) of the CPU. I tried to disabled the speculative read/write in TZASC1 (which is the only TZASC configured) and I still get ASC1 interrupts that are not actual fault, but seems to be speculative/prospective access: they are always on address which are return address of function, addresses that are logical "close" to my switch S -> NS code, and it only happens during boot sequence, when the CPU frequency is quite high (so more switch between worlds in my case).

Since the TZASC support for speculative access is not enough to prevent these" false positive" interrupt, is there a way to be sure there will not be any such interrupts ?

PS: I'm sure they are not illegal access since they only lead to interrupt, they don't lead to exception (tzasc action is set to 3).

Thank you for your time !

vsiles · ‎01-10-2017

I just tried to disable speculative read/write in the TZASC (by write 0x3 to the Speculative Register at offset 0x30) and I still got two interrupt hits in the TZASC1.

vsiles · ‎01-10-2017

By adding some isb in my S -> NS commutation code, I see less interrupts. The faulty addresses are mostly "return" address that may be in $lr at some point, so I think speculation is in cause, even if it is disabled in the TZASC.

Is there a way to avoid this completely ? so that TZASC only triggers IRQ on "actual" attempt to read/write secure memory ?

i.MX6 and TZC380 Action

i.MX6 and TZC380 Action

i.MX6Quad