|
AM263x MCU+ SDK
08.05.00
|
|
- Note
- Secure IPC Notify driver enables IPC communication between R5F cores and HSM M4 core. This driver cannot be used without encrypted HSMRt binary for HS-FS devices (will be available in 8.4) and TIFS-MCU for HS-SE devices (available on mySecureSW).
Introduction
- The secure IPC notify(SIPC Notify) driver enables IPC communication between R5FSSx-x cores and HSM M4 core for HS-SE devices.
- SIPC provides a means of secure communication between R5FSSx and HSM M4 for using HSM services. The underlying implementation uses mailbox HW interrupts and HSM MBOX shared memory(refer Mailbox mechanism for SIPC) to pass messages from R5FSSx-x to HSM M4 and vice versa.
- The trusted R5FSSx-x which can post a request for services from HSM are termed as secure hosts. A non-secure host cannot communicate with HSM, moreover, the shared memory used in SIPC communication is not accessible to non-secure hosts. The cores that are going to be secure hosts are defined via sysconfig and this will be a static configuration at compile time. At a time there can only be atmost two secure hosts which can talk to HSM via SIPC, thus the name secure IPC.
- Note
- Sysconfig initialization has to be handled by HSM client. For Secure IPC, Sysconfig is not supported in this release. It will be available with upcoming SDK releases along with HSM client
Secure IPC design description
- SIPC supports RTOS-based implementation on the R5F side. The concept of CLIENT IDs is borrowed from IPC Notify, where in the RTOS scenario each task has a callback registered of type SIPC_FxnCallback. This function will be called when a message is received for a respective CLIENT ID. Refer to Understanding inter-processor communication (IPC) to know more about CLIENT IDs.
- HSM client is a wrapper on top of SIPC which asks for specific services from TIFS-MCU. User can install TIFS package from MySecureSw portal.
SIPC communication model
Mailbox mechanism for SIPC
- SIPC uses HSM_MBOX (2KB) memory for secure communication with HSM. It uses MBOX_READ_DONE_ACK interrupt to notify target core to read from the dedicated message queue residing in HSM_MBOX memory. IPC Notify uses MSS_MBOX(16KB) memory for R5<-->R5 communication.
SIPC shared memory configuration
- The swQx is a struct holding pointer to actual queue location in HSM MBOX. There can be atmost 2 secure hosts at a time, so the total number of queues will be 4. If R5F wants to send a message to HSM then R5F writes into R5F -> HSM queue and sends an interrupt to HSM M4, once acknowledged HSM will read the message from the same queue. Similarly, If HSM wants to send a message then HSM will write into HSM --> R5 queues and sends an interrupt to R5F.
- Note
- The entire HSM MBOX memory must be read and write protected for non-secure hosts. setting up this firewall configuration is the responsibility of the HSM server running on M4.
SIPC initialization
- Following parameters are user-configurable.
- Queue Depth. -: Number of elements per queue.
- Number of secure hosts -: Could be 1 or 2.
- Secure hosts core Ids -: which R5F cores will be secure hosts.
These parameters will be initialized via sysconfig.
#define SIPC_QUEUE_LENGTH (32u)
#define SIPC_NUM_R5_CORES (2u)
uint8_t gQueue_R5ToHsm[SIPC_NUM_R5_CORES][SIPC_QUEUE_LENGTH*
SIPC_MSG_SIZE]
__attribute__((aligned(8),section(
".bss.sipc_hsm_queue_mem")));
uint8_t gQueue_HsmToR5[SIPC_NUM_R5_CORES][SIPC_QUEUE_LENGTH*
SIPC_MSG_SIZE]
__attribute__((aligned(8),section(
".bss.sipc_r5f_queue_mem")));
- sysconfig will also generate code to allocate memory for the queues in HSM MBOX based on Queue depth and number of secure hosts. The pointer to this queue will be passed to SIPC_init at init time. For the initialization on R5F side, the SIPC_Params::tx_SipcQueues will point to gQueue_R5ToHsm where R5F will write to HSM. Similarly, SIPC_Params::rx_SipcQueues will point to gQueueHsmToR5 from where R5F will read the message sent by HSM M4.
- As the size of HSM MBOX is 2KB the max Queue Depth is limited.
- if SIPC_NUM_R5_CORES is 2 then the total number of queues will be 4 and the max queue depth will be 492/ SIPC_MSG_SIZE .
- if SIPC_NUM_R5_CORES is 1 then the total number of queues will be 1 and the max queue depth will be 984/ SIPC_MSG_SIZE .
- SIPC Initialization from R5F secure host
void SIPC_R5F_secure_host_config()
{
int32_t status;
}
- SIPC Initialization from HSM
void SIPC_HSM_config(void)
{
int32_t status;
}
- linker command file
- Following sections need to be defined as described below. The SIPC queues will be initialized in then mentioned memory sections.
SECTIONS
{
.bss.sipc_hsm_queue_mem (NOLOAD) : {} > MAILBOX_HSM
.bss.sipc_r5f_queue_mem (NOLOAD) : {} > MAILBOX_R5F
}
MEMORY
{
RTOS_NORTOS_IPC_SHM_MEM : ORIGIN = 0x72000000, LENGTH = 0x3E80
MAILBOX_HSM: ORIGIN = <HSM MBOX START ADDR> , LENGTH = 0x000003CE
MAILBOX_R5F: ORIGIN = <HSM MBOX START ADDR + 0x000003CE> , LENGTH = 0x000003CE
}
Message format.
Unlike IPC Notify the message size of SIPC can be in the range of 3 to 100 bytes.
- The minimum message size is 3 bytes i.e [ Dest ClientId ][ Src ClientId ][data]. Users can change SIPC_MSG_SIZE based on a protocol that is implemented on top of SIPC.
- Following is an example of a message structure used by HSM client to communicate with HSM via SIPC. The size of a message is 13 bytes refer to HSM_CLIENT.
message format used by HSM client
- Note
- It is recommended to use 13 bytes message format as mentioned above for optimal latency.
Example usage.
- Consider a use case where R5F sends a message to HSM and HSM echoes back the same message.
- Do SIPC_init.
- Register a callback to handle the message from HSM SIPC_registerClient.
- Sends a message using SIPC_sendMsg and pend on a semaphore to Wait for a message.
- Once the message is received post the semaphore SemaphoreP_post and exit.
uint32_t gSrcClientId0 = 3u;
uint32_t gSrcClientId1 = 4u;
uint32_t gDestClientId = 1u;
void sipc_sec_host_msg_handler(uint8_t remoteCoreId, uint8_t localClientId, uint8_t remoteClientId, uint8_t* msgValue,
void *
args)
{
}
void sipc_sec_host_start(void)
{
int32_t status;
uint8_t msgValue[
SIPC_MSG_SIZE] = { 0x00 , 0x00 ,0x02,0x03,0x04,0x05,0x06,0x07};
status =
SIPC_sendMsg(gRemoteCoreId, gDestClientId, gSrcClientId1 ,msgValue, 1);
}
void main()
{
SIPC_R5F_secure_host_config();
sipc_sec_host_start();
}
- Refer Secure IPC example for more info.
- Note
- The secure IPC example project is a part of TIFS package for HS-SE devices. To use this example user needs to sign an NDA(non disclosure agreement). TIFS package can installed via mysecure software.
API
APIs for Secure IPC Notify
Parameters used by SIPC_init.
Definition: sipc_notify.h:84
void * args
Definition: hsmclient_msg.h:4
union HsmVer_t_ __attribute__((packed)) HsmVer_t
type for reading HSMRt version.
uintptr_t tx_SipcQueues[MAX_SEC_CORES_WITH_HSM]
Definition: sipc_notify.h:98
@ CORE_INDEX_SEC_MASTER_1
Definition: sipc_notify_cfg.h:126
@ CORE_INDEX_HSM
Definition: sipc_notify_cfg.h:127
uint32_t secHostCoreId[MAX_SEC_CORES_WITH_HSM - 1]
Definition: sipc_notify.h:104
#define SystemP_WAIT_FOREVER
Value to use when needing a timeout of infinity or wait forver until resource is available.
Definition: SystemP.h:83
uint32_t numCores
Definition: sipc_notify.h:86
void SIPC_Params_init(SIPC_Params *params)
Set default value to SIPC_Params.
#define SIPC_MSG_SIZE
SIPC message size in bytes each element of queue will be of this size.
Definition: sipc_notify_cfg.h:46
@ CORE_ID_R5FSS0_0
Definition: sipc_notify_cfg.h:109
uint32_t coreIdList[MAX_SEC_CORES_WITH_HSM]
Definition: sipc_notify.h:89
#define SystemP_SUCCESS
Return status when the API execution was successful.
Definition: SystemP.h:56
int32_t SIPC_init(SIPC_Params *params)
Initialize Secure IPC notify module.
int32_t SIPC_registerClient(uint8_t localClientId, SIPC_FxnCallback msgCallback, void *args)
Register a callback to handle messages received from a specific remote core and for a specific local ...
uint32_t ipcQueue_eleSize_inBytes
Definition: sipc_notify.h:95
@ CORE_INDEX_SEC_MASTER_0
Definition: sipc_notify_cfg.h:125
int32_t SIPC_sendMsg(uint8_t remoteSecCoreId, uint8_t remoteClientId, uint8_t localClientId, uint8_t *msgValue, SIPC_fifoFlags waitForFifoNotFull)
Send message to a specific remote core and specific client ID on that remote core.
uint32_t ipcQueue_length
Definition: sipc_notify.h:94
void SemaphoreP_post(SemaphoreP_Object *obj)
Post a semaphore object or unlock a mutex.
uintptr_t rx_SipcQueues[MAX_SEC_CORES_WITH_HSM]
Definition: sipc_notify.h:100
@ CORE_ID_R5FSS0_1
Definition: sipc_notify_cfg.h:110
Opaque semaphore object used with the semaphore APIs.
Definition: SemaphoreP.h:59
int32_t SemaphoreP_constructBinary(SemaphoreP_Object *obj, uint32_t initValue)
Create a binary semaphore object.
#define DebugP_assert(expression)
Function to call for assert check.
Definition: DebugP.h:159
int32_t SemaphoreP_pend(SemaphoreP_Object *obj, uint32_t timeToWaitInTicks)
Pend on a semaphore object or lock a mutex.