Add preemption timer to bound TA execution#907
Conversation
sangho2
changed the title
sangho2
changed the title
sangho2
changed the title
sangho2
changed the title
sangho2
force-pushed
the
sanghle/lvbs/timebomb
branch
3 times, most recently
from
7bea3f7 to
e5adb24
Compare
sangho2
force-pushed
the
sanghle/lvbs/timebomb
branch
from
4ac37cb to
d795648
Compare
sangho2
force-pushed
the
sanghle/lvbs/timebomb
branch
from
d795648 to
f4be5b2
Compare
sangho2
force-pushed
the
sanghle/lvbs/timebomb
branch
from
f4be5b2 to
e4329fc
Compare
sangho2
force-pushed
the
sanghle/lvbs/timebomb
branch
from
d2d638b to
d7f79ae
Compare
sangho2
added
the
must-not-merge:blocked-on-other-changes
|
Potential conflict with PR #865. Merge it first and then this one. |
| linux_syscall = [] | ||
| devbox = [] | ||
| # Tighten the preemption timer quantum so runaway-TA preemption can be tested | ||
| # without waiting out the production budget. Test builds only. |
There was a problem hiding this comment.
This PR for now uses 8 seconds, which is slightly below Linux kernel's hard CPU lockup timeout (10 seconds).
| // member variable offset calculation in assembly code). | ||
| unsafe { run_thread_arch(&mut thread_ctx, ctx_ptr, u8::from(reenter)) }; | ||
| // | ||
| // Arm the preemption timer for this TA entry; disarmed at the VTL0-return |
There was a problem hiding this comment.
Nit: "bracket the entry" is a little confusing.
| //! expiry it fires `STIMER_VECTOR` and the shim terminates the offending | ||
| //! thread. |
There was a problem hiding this comment.
Where does the shim terminate the thread?
There was a problem hiding this comment.
A user-mode STIMER interrupt will be delivered to the OP-TEE shim, and it'll terminate the thread. No extra code in this PR for this because the OP-TEE has no notion of interrupt such that its shim currently just terminates the thread if there is an interrupt.
|
🤖 SemverChecks 🤖 No breaking API changes detected Note: this does not mean API is unchanged, or even that there are no breaking changes; simply, none of the detections triggered. |
2 participants
This PR adds a timer-based mechanism for preempting TAs on the LVBS platform. In OP-TEE, TA execution is unbounded because there is no secure-world scheduler: if a TA spins in an infinite loop, it can hold the (V)CPU indefinitely. On Arm TrustZone, the normal world can eventually regain control by interrupting the secure world. However, in Hyper-V, VTL0 is not allowed to interrupt VTL1.
To overcome this problem, this PR implements a VTL1-local one-shot preemption timer based on the Hyper-V synthetic timer to limit the execution time of each TA command invocation (which could span multiple syscalls). If it fires, the VTL1 kernel kills the TA and returns back to VTL0.