
Aarch64/FEAT_SEL2 secure S1 translation for a NS page resolves to the secure IPA space

Host environment

  • Operating system: Ubuntu

  • OS/kernel version: 20.04

  • Architecture: x86

  • QEMU flavor: qemu-system-aarch64

  • QEMU version: 7.2.91 (v8.0.0-rc1-36-g60ca584b)

  • QEMU command line: See 'Steps to reproduce'

    <...>/qemu/build/aarch64-softmmu/qemu-system-aarch64 -nographic -serial file:uart0.log -serial file:uart1.log -smp 2 -machine virt,secure=on,mte=on,gic-version=3,virtualization=true -cpu max,sme=off,pauth-impdef=on -d unimp -semihosting-config enable=on,target=native -m 1057 -bios bl1.bin -initrd rootfs.cpio.gz -kernel Image -no-acpi -append 'console=ttyAMA0,38400 keep_bootcon root=/dev/vda2 nokaslr' -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0,max-bytes=1024,period=1000 -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic

Emulated/Virtualized environment

  • Operating system: TF-A/Hafnium firmware + Linux
  • OS/kernel version: Linux 6.2.0
  • Architecture: Arm

Description of problem

Follow up to https://lists.trustedfirmware.org/archives/list/hafnium@lists.trustedfirmware.org/thread/ZUHRGWVDPUQ5CK6SRWZ7AMI5IKVS6J47/

In the context of the Hafnium project (SEL2 / SPM firmware), we are implementing a secure/non-secure page table split rooted by VTTBR/VSTTBR in the TZ secure world. We observe that transactions always resolve to the secure IPA space (hence to the page tables rooted by VSTTBR), whatever the state of the S1 MMU translation NS bit. An access to a page mapped NS from the SEL1 Trusted OS causes an S2 page fault even though the page is mapped in the page tables rooted by VTTBR.

The VTCR_EL2/VSTCR_EL2 settings at SEL2 are as follows: VTCR_EL2.NSA/NSW=10b, VSTCR_EL2.SA/SW=00b

Note that the same set of changes (https://review.trustedfirmware.org/q/topic:%2522od/split-vttbr%2522+status:open) runs fine for the same scenario on FVP.

Steps to reproduce

  1. Build QEMU master 60ca584b
  2. Unzip qemu-sel2-vttbr-fail.zip
  3. Run:
<...>/qemu/build/aarch64-softmmu/qemu-system-aarch64 -nographic -serial file:uart0.log -serial file:uart1.log -smp 2 -machine virt,secure=on,mte=on,gic-version=3,virtualization=true -cpu max,sme=off,pauth-impdef=on -d unimp -semihosting-config enable=on,target=native -m 1057 -bios bl1.bin -initrd rootfs.cpio.gz -kernel Image -no-acpi -append 'console=ttyAMA0,38400 keep_bootcon root=/dev/vda2 nokaslr'  -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0,max-bytes=1024,period=1000 -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic

Additional information

qemu-60ca58-qemu-tfa-hf-linux-fail.txt illustrates the failure: the Linux boot stops after sharing an NS page to the TOS, and the TOS retrieving the page, mapping it as NS and accessing it (it ends in a dead loop because of the S2 PF in the TOS).

qemu-tfa-hf-linux-pass.txt shows the expected output where the NS mem sharing operation succeeds.
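
The routing this report expects for a Secure EL1&0 access, written out as a small C model. This is an added example, not code from QEMU or Hafnium. It assumes the SW/SA and NSW/NSA semantics as documented for VSTCR_EL2 and VTCR_EL2 in the Arm architecture, reads "NSA/NSW=10b" as NSA=1, NSW=0, and takes `s1_ns` as the effective NS attribute produced by stage 1; the names `secure_s2_route` and `struct s2_route` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field positions: NSW/SW are bit 29, NSA/SA are bit 30. */
#define VTCR_NSW  (1u << 29)
#define VTCR_NSA  (1u << 30)
#define VSTCR_SW  (1u << 29)
#define VSTCR_SA  (1u << 30)

enum s2_root { ROOT_VSTTBR_EL2, ROOT_VTTBR_EL2 };

struct s2_route {            /* hypothetical name, for illustration only */
    enum s2_root root;       /* which stage 2 table base is walked */
    bool walk_secure;        /* table walk reads target the Secure PA space */
    bool out_secure;         /* final output address is in the Secure PA space */
};

/* Secure EL1&0 access with Secure EL2 enabled. */
static struct s2_route secure_s2_route(bool s1_ns, uint32_t vtcr, uint32_t vstcr)
{
    struct s2_route r;
    bool sw = vstcr & VSTCR_SW, sa = vstcr & VSTCR_SA;
    bool nsw = vtcr & VTCR_NSW, nsa = vtcr & VTCR_NSA;

    if (!s1_ns) {            /* Secure IPA space: VSTTBR_EL2 / VSTCR_EL2 */
        r.root = ROOT_VSTTBR_EL2;
        r.walk_secure = !sw;
        r.out_secure = !(sw || sa);
    } else {                 /* Non-secure IPA space: VTTBR_EL2 / VTCR_EL2 */
        r.root = ROOT_VTTBR_EL2;
        r.walk_secure = !(sw || nsw);
        r.out_secure = !(sw || sa || nsw || nsa);
    }
    return r;
}

int main(void)
{
    /* Settings from the report: VTCR_EL2.NSA=1, NSW=0; VSTCR_EL2.SA=0, SW=0. */
    uint32_t vtcr = VTCR_NSA, vstcr = 0;
    for (int ns = 0; ns <= 1; ns++) {
        struct s2_route r = secure_s2_route(ns, vtcr, vstcr);
        printf("S1 NS=%d -> %s, walk %s, output %s\n", ns,
               r.root == ROOT_VTTBR_EL2 ? "VTTBR_EL2" : "VSTTBR_EL2",
               r.walk_secure ? "Secure" : "Non-secure",
               r.out_secure ? "Secure" : "Non-secure");
    }
    return 0;
}
```

With the reported settings, an NS-mapped page should be walked from VTTBR_EL2 and land in the Non-secure PA space; the failure described above corresponds to the `s1_ns` case being routed through the VSTTBR_EL2 branch instead.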
