CN111414246B - Cross-secure-world real-time function calling method and device on computing platform with TEE extension - Google Patents
- Publication number: CN111414246B (application CN202010251385.4A)
- Authority: CN (China)
- Prior art keywords: time, call, gpos, tee, real
- Legal status: Active
Classifications
- G06F9/4881: Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues (under G06F9/48, program initiating; program switching, e.g. by interrupt)
- G06F1/14: Time supervision arrangements, e.g. real time clock
- G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/71: Protecting specific internal or peripheral components to assure secure computing or processing of information
- G06F9/4818: Priority circuits for task transfer initiation or dispatching by interrupt
- G06F9/5038: Allocation of resources (e.g. of the CPU) to service a request, considering the execution order of a plurality of tasks, e.g. priority or time dependency constraints
- G06F2209/484: Precedence (indexing scheme relating to G06F9/48)
- G06F2209/5021: Priority (indexing scheme relating to G06F9/50)
Abstract
The invention discloses a method and a device for calling a real-time function across the secure world on a computing platform with a TEE extension. The method controls, within the RTOS, the return of results for RG calls sent to the GPOS in the REE general subsystem, ensuring that an RG call issued by the RTOS in the TEE real-time subsystem is executed by the GPOS at the earliest opportunity and that the corresponding execution result is obtained at the earliest opportunity; it further strengthens the call with a notification mechanism based on software interrupts and a mechanism that executes the called function from an interrupt service routine. The invention ensures that the time taken to return a function call sent from the TEE real-time subsystem to the REE general subsystem satisfies a degree of determinism, does not noticeably affect the normal operation and original performance of the two subsystems, and effectively guarantees the real-time property of RG calls from the TEE to the REE.
Description
Technical Field
The invention relates to a computer operating system, in particular to a method and a device for calling a cross-secure world real-time function on a computing platform with TEE extension.
Background
As is well known, "real-time" in a computer operating system means "on time": a real-time system (RTS) is one that responds to external event requests in time, completes processing of the event within a specified time, and coordinates the consistent operation of all real-time tasks. The correctness of a real-time system depends not only on the logical result computed by the system but also on the time at which that result is produced. Real-time operating systems have strict determinism requirements for the design of their sub-functions, including task management, memory management, file management, I/O device management, and so on. First, timing accuracy is an important factor affecting real-time performance; it relies not only on the clock accuracy provided by the hardware but also on the high-accuracy clock timing functions implemented by the real-time operating system. Second, a real-time application usually has to process many kinds of external information or events whose urgency differs: some must be reacted to immediately, while others may be processed with a delay. A multi-level interrupt nesting mechanism therefore needs to be established to ensure timely response to and processing of highly urgent real-time events. Third, the real-time operating system must also be able to schedule and run real-time tasks in time. The real-time scheduling mechanism covers two aspects: first, the scheduling strategy and algorithm guarantee that real-time tasks are scheduled preferentially; second, more "safe switching" points are established to ensure that real-time tasks are scheduled promptly.
Real-time systems and general-purpose systems (GPOS) are two opposing concepts. Although both are multitasking systems, a general-purpose system pursues throughput, user interaction or multimedia capability, which conflicts with real-time performance; this is why the common Windows, Linux, Android and iOS operating systems were developed as general-purpose systems whose real-time guarantees are not ideal. Modifying such systems for real-time use would damage their original design goals. Building a hybrid system is an effective way to resolve the contradiction between the two kinds of system and obtain their combined capabilities. Such hybrid systems are required in many fields; for example, the electronic system of a smart car includes subsystems such as an ECU (Electronic Control Unit), an ADAS (Advanced Driver-Assistance System) and an IVIS (In-Vehicle Information System). The IVIS must attend to user interaction, while the ECU focuses on real-time information acquisition and response. If these subsystems could be integrated on one hardware platform, clear advantages in cost, weight reduction, power consumption and the like could be obtained, and information sharing among the subsystems would be promoted.
A TEE (Trusted Execution Environment) is a secure area isolated from the host system that runs in parallel with the host operating system as an independent environment. TEE technology protects data and code using both hardware and software, ensuring the confidentiality and integrity of the code and data loaded into the secure area and obtaining a stronger security guarantee than a conventional REE (Rich Execution Environment). Trusted applications running in the TEE can access all functions of the platform's main processor and memory, while hardware isolation protects these components from user-installed applications running in the main operating system.
Currently, common TEE technologies include TrustZone, SGX and the like. TrustZone was proposed by ARM; it divides software and hardware resources into trusted and untrusted areas, used as the TEE and the REE respectively, to protect sensitive data and applications. TrustZone ensures that secure-state software starts first at power-on and that each subsequently loaded boot image is verified step by step. After TrustZone is enabled, the physical processor can switch between two security states, defined as the normal world (running the GPOS) and the secure world (running the TEE OS). TrustZone adds an extra control signal bit, the Non-Secure (NS) bit, to every read and write channel on the system bus, and resources such as memory can be divided into secure and non-secure states through the NS bit. TrustZone achieves secure isolation of memory, I/O and other resources through bus control and auxiliary controllers such as the TZASC, TZMA and TZPC. SGX, Software Guard Extensions, is a security extension to the Intel architecture. SGX builds a TEE by creating an enclave that encapsulates the security-sensitive operations of legitimate software, protecting it from malware: neither privileged nor non-privileged software can access the enclave. The security boundary of the enclave contains only the CPU and the enclave itself, so once software and data are placed in the enclave, even the operating system or VMM (hypervisor) cannot affect the code and data inside it.
Because the TEE's design goal is to isolate its resources from those of the REE and avoid being affected by REE operation, the TEE can also be used to realize a real-time subsystem that coexists concurrently with the REE, thereby building a hybrid system with both a general-purpose operating system (GPOS) environment and a real-time operating system (RTOS) environment. An important requirement of such a hybrid system is the sharing and exchange of information between the subsystems: for example, the IVIS subsystem of the vehicle system needs to obtain sensor information from the ECU subsystem, and the ECU may in turn need the IVIS subsystem's help to store log information. The invention is particularly concerned with function calls issued by the RTOS to the REE, since such calls, as operations of the RTOS, must not impair its real-time behaviour, i.e. they must also satisfy the time-determinism requirement. This in turn conflicts with the nature of the interacting party, the REE, which offers no guarantee of time determinism.
In a hybrid system built on a TEE, the RTOS usually runs at the higher priority and the GPOS is configured to run when the RTOS has no ready real-time task (Ready Task): the IDLE task of the RTOS switches the GPOS onto the CPU, so that no time is wasted in the RTOS. A function call issued by a task τ of the RTOS to the GPOS is called an RG call. Issuing and returning an RG call typically involves six necessary steps, possibly in a different order: τ issues the call request and then yields the CPU by sleeping; the RTOS schedules ready real-time tasks until the REE environment, as the secondary scheduling unit, is switched onto the CPU; the GPOS in the REE runs and performs secondary scheduling until the service process of the called function is switched onto the CPU; the GPOS keeps running until an exception occurs or an active SMC call switches back to the TEE; the RTOS performs primary scheduling, during which the returned call is detected and τ is put back on the ready queue; τ is woken up to run and the RG call returns. In this process there are two problems that may significantly interfere with the real-time performance of the RG call: first, the RG call lacks the support of a priority policy in the RTOS; second, the time spent by the service process in the GPOS is not controllable.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: aiming at the problems in the prior art, the invention provides a method and a device for calling a real-time function across the secure world on a computing platform with a TEE extension, which make the time taken to return a function call sent from the TEE real-time subsystem to the REE general subsystem satisfy a degree of determinism, do not noticeably affect the normal operation and original performance of the two subsystems, and effectively guarantee the real-time property of RG calls from the TEE to the REE.
In order to solve the technical problems, the invention adopts the technical scheme that:
a cross-secure-world real-time function calling method on a computing platform with TEE extension comprises the following implementation steps:
1) Setting the initial priority of a designated system task τ_G in the RTOS of the TEE real-time subsystem equal to that of the idle task;
2) Detecting, in the RTOS, RG calls sent to the GPOS in the REE general subsystem, and proceeding to the next step when a task in the RTOS issues an RG call;
3) Changing the priority of the system task τ_G so that it equals the highest priority among all tasks in the RTOS that have issued an RG call and have not yet received a return result;
4) Checking whether there is a return result from the GPOS; if so, setting the task whose RG call corresponds to that return result to the ready state, and correcting the priority of the system task τ_G so that it again equals the highest priority among all tasks in the RTOS that have issued an RG call and have not yet received a return result;
5) Judging whether all RG calls have received their return result; if so, restoring the priority of the system task τ_G to its initial priority, then jumping back to step 2).
Optionally, step 4) further includes recording the issue time of an RG call when an RG call sent to the GPOS in the REE general subsystem is detected in the RTOS, and the processing specified in step 2) further includes: in step 4), for all RG calls that have not received a return result, judging whether the difference between the current system time and the issue time of the RG call exceeds a preset threshold; if so, waking the task that issued the RG call, notifying it of the RG call timeout error, and then correcting the priority of the system task τ_G accordingly so that it equals the highest priority among all tasks in the RTOS that have issued an RG call and have not yet received a return result.
Optionally, step 4) further includes counting the number of RG call timeout errors.
Optionally, step 4) further includes that, when the number of timeout errors exceeds a preset threshold, the RTOS kernel suspends the GPOS, broadcasts the error, and restores the priority of the system task τ_G to its original priority.
Optionally, the system task τ_G executes as follows: enter a critical section; judge whether the GPOS is running; if it is, request the monitor via an SMC call to switch to the GPOS; exit the critical section.
Optionally, steps 3) to 5) are executed by the scheduler in the clock interrupt handler.
Optionally, the RG call sent to the GPOS in the REE general subsystem in step 2) is specifically delivered to the GPOS as a notification by means of a software interrupt, so that processing of the RG call begins as soon as the GPOS executes; after the GPOS has executed the RG call, the CPU is immediately switched back to the TEE environment by raising a software interrupt or deliberately generating an exception, and the caller is notified that the execution result has been returned.
Optionally, when the GPOS executes the RG call, the service code of the called function is executed directly in the GPOS interrupt service routine or is called indirectly from it.
In addition, this embodiment also provides a device for calling a real-time function across the secure world on a computing platform with a TEE extension, comprising a computer device on which a GPOS and an RTOS run simultaneously, the GPOS located in the REE environment and the RTOS in the TEE environment; the computer device is programmed or configured to execute the steps of the above method, or its memory stores a computer program programmed or configured to execute that method.
Furthermore, this embodiment also provides a computer-readable storage medium storing a computer program programmed or configured to execute the cross-secure-world real-time function calling method on the computing platform with a TEE extension.
Compared with the prior art, the invention has the following advantages. The invention sets the initial priority of a designated system task τ_G in the RTOS of the TEE real-time subsystem equal to that of the idle task; it detects, in the RTOS, RG calls sent to the GPOS in the REE general subsystem and, when a task in the RTOS issues an RG call, raises the priority of the system task τ_G so that it equals the highest priority among all tasks in the RTOS that have issued an RG call and have not yet received a return result; at the same time it executes the designated processing steps periodically, which comprise: checking whether there is a return result from the GPOS and, if so, setting the task whose RG call corresponds to that result to the ready state and correcting the priority of the system task τ_G so that it again equals the highest priority among all tasks in the RTOS that have issued an RG call and have not yet received a return result; then judging whether all RG calls have received their return result and, if so, restoring the priority of the system task τ_G to its initial priority. This realizes a task calling mechanism (the G-priority interchange mechanism) between the TEE real-time subsystem and the REE general subsystem, so that the time taken to return a function call sent from the TEE real-time subsystem to the REE general subsystem satisfies a degree of determinism, the normal operation and original performance of the two subsystems are not noticeably affected, and the real-time property of RG calls from the TEE to the REE is effectively guaranteed.
By adopting this method, the RTOS of the TEE-based hybrid system can obtain services from the GPOS and make use of the GPOS's richer functionality; service requests sent by the RTOS across the environment boundary are executed within a deterministic time, so the real-time requirement of the RTOS subsystem is still met; and the mechanism has little influence on the operation and efficiency of the original system, so CPU resources can still be used to the maximum while the real-time performance of the RTOS is guaranteed.
Drawings
FIG. 1 is a schematic diagram of a basic flow of a method according to an embodiment of the present invention.
FIG. 2 is an example of task invocation in an embodiment of the present invention.
Detailed Description
A computing platform with a TEE extension generally runs an RTOS (real-time operating system) in the TEE real-time subsystem and a GPOS (general-purpose operating system, such as Linux or Android) in the REE general subsystem. The method and device of the invention for calling a real-time function across the secure world on such a platform aim to solve the following technical problem: by establishing several methods and mechanisms in the GPOS and the RTOS, the time taken to return a function call sent from the TEE real-time subsystem to the REE general subsystem satisfies a degree of determinism, while the normal operation and original performance of the two subsystems are not noticeably affected. This embodiment guarantees the real-time property of RG calls from the TEE to the REE through three main mechanisms: the G-priority interchange mechanism, a notification mechanism based on software interrupts, and a method of executing the called function from an interrupt service routine. The following describes the present embodiment as implemented on a hikey620 development board with a HiSilicon Hi6220 SoC, whose ARMv8 processor supports TrustZone. The basic characteristics of the Hi6220 SoC and the hikey620 board are: support for the AArch64 and AArch32 instruction sets, an 8-core CPU, 2 GB of LPDDR3 memory and 72 kB of on-chip SRAM. An Armv8 CPU core supports the four privilege levels EL0 to EL3; the corresponding normal world and secure world are subdivided into the non-secure EL0/EL1/EL2/EL3 states supporting the REE and the secure EL0/EL1/EL3 states supporting the TEE. Each core of the Armv8 CPU provides a non-secure physical clock as the clock source of the REE and a secure physical clock as the clock source of the TEE.
TrustZone resource isolation is initialized and configured by Trusted Firmware at boot; the hardware resources of the TEE environment and of the REE environment each comprise a clock source, physical memory, the required I/O, interrupts, and so on. The CPU switches between the TEE and the REE according to the model of RTOS primary scheduling and GPOS secondary scheduling. The RTOS adopts a preemptive fixed-priority scheduling strategy, and the GPOS is a conventional Linux system with the kernel's default scheduling strategy.
As shown in fig. 1, the method for invoking a real-time function across a secure world on a computing platform with a TEE extension according to the embodiment includes:
1) Setting the initial priority of a designated system task τ_G in the RTOS of the TEE real-time subsystem equal to that of the idle task;
2) Detecting, in the RTOS, RG calls sent to the GPOS in the REE general subsystem, and proceeding to the next step when a task in the RTOS issues an RG call;
3) Changing the priority of the system task τ_G so that it equals the highest priority among all tasks in the RTOS that have issued an RG call and have not yet received a return result;
4) Checking whether there is a return result from the GPOS; if so, setting the task whose RG call corresponds to that return result to the ready state, and correcting the priority of the system task τ_G so that it again equals the highest priority among all tasks in the RTOS that have issued an RG call and have not yet received a return result;
5) Judging whether all RG calls have received their return result; if so, restoring the priority of the system task τ_G to its initial priority, then jumping back to step 2).
Steps 1) to 2) constitute the task calling mechanism (i.e. the G-priority interchange mechanism) between the TEE real-time subsystem and the REE general subsystem. The priority mechanism is the core means by which resources are allocated and real-time tasks are guaranteed according to their importance. RG calls must therefore cooperate with the priority mechanism of task scheduling so that the system's priority scheme is respected; otherwise task execution may eventually become disordered. For this requirement, the embodiment sets up a special task with variable priority in the RTOS: the system task τ_G, also denoted the G-task. The G-task operates much like the IDLE task of the RTOS and serves as a container for the GPOS: once it is switched onto the CPU it immediately causes a context switch so that the GPOS can execute. The priority of the G-task matches that of the highest-priority real-time task that has issued an RG call (when several real-time tasks have issued RG calls at the same time), and if no function call is outstanding in the current system, the priority of the G-task matches that of the IDLE task.
In this embodiment, step 2) of detecting, in the RTOS, an RG call sent to the GPOS in the REE general subsystem further includes recording the issue time of the RG call, and the processing specified in step 2) further includes: in step 4), for all RG calls that have not received a return result, judging whether the difference between the current system time and the issue time of the RG call exceeds a preset threshold; if so, waking the task that issued the RG call, notifying it of the RG call timeout error, and then correcting the priority of the system task τ_G accordingly so that it equals the highest priority among all tasks in the RTOS that have issued an RG call and have not yet received a return result.
In this embodiment, step 4) further includes counting the number of timeout errors of RG calls.
In this embodiment, step 4) further includes that, when the number of timeout errors exceeds a preset threshold, the RTOS kernel suspends the GPOS, broadcasts the error, and restores the priority of the system task τ_G to its original priority.
In this embodiment, the system task τ_G executes as follows: enter a critical section; judge whether the GPOS is running; if it is, request the monitor via an SMC (Secure Monitor Call) to switch to the GPOS; exit the critical section. In C-language pseudocode:
```c
void G_system_task(void)           /* definition of the τ_G task function */
{
    EnterCritical();               /* enter the critical section */
    if (GPOS_Running) {            /* first check whether the GPOS is running */
        SMC_call(Switch_to_GPOS);  /* ask the monitor, via an SMC call, to switch to the GPOS */
    }
    ExitCritical();                /* leave the critical section */
}
```
The system task τ_G is essentially similar to the IDLE task IDLE_system_task(), with two differences: τ_G has a variable priority whereas the IDLE task has a fixed lowest priority, and the IDLE task contains some functions that account for the CPU utilization of the RTOS.
In this embodiment, steps 3) to 5) are performed by scheduling in a clock interrupt processing function.
This embodiment sets the initial priority of the system task τ_G equal to that of the IDLE task. When a task in the RTOS issues an RG call request, after the yield() operation is called the RTOS changes the priority of the system task τ_G so that τ_G becomes the highest-priority task among all tasks whose RG calls have not yet returned. When the RTOS performs clock-driven scheduling (i.e. scheduling in the clock interrupt handler) it checks whether an RG call has returned; if so, it sets the caller task to the ready state and adjusts the priority of the system task τ_G to that of the highest-priority task whose call has not yet returned. If all RG calls have returned, the original priority of the system task τ_G is restored. Considering that the GPOS is a subsystem of lower reliability (relative to the RTOS), this embodiment sets a timeout threshold for each RG call; when the RTOS detects that an RG call has not returned after its duration exceeds the threshold, the RTOS wakes the caller task, notifies it of the timeout error, and then corrects the priority of the system task τ_G accordingly. Further, if such timeout errors become excessive, the RTOS kernel may suspend the GPOS, broadcast the error, and restore the priority of the system task τ_G to its initial value, so that a faulty GPOS cannot affect the RTOS subsystem. FIG. 2 is an example of the method for enhancing cross-secure-world real-time function calls on a computing platform with a TEE extension using the software-interrupt-based notification mechanism. In this example there are three real-time tasks in the RTOS subsystem, τ1, τ2 and τ3, with priorities ordered τ1 < τ2 < τ3. Before time (1), τ1, τ2 and τ3 are all idle, which keeps the system in the GPOS running state. At time (1), τ3 becomes ready and is scheduled to execute immediately.
While τ3 is running, τ1 becomes ready; after τ3 completes at time (2), τ1 is scheduled to execute. At time (3), τ2 becomes ready and preempts the CPU, and after it finishes at time (4) τ1 resumes execution. τ1 issues an RG call at time (5) and goes to sleep, after which the priority of the system task τ_G is adjusted to that of τ1 and τ_G is scheduled onto the CPU. The GPOS then executes and in turn runs the service requested by the RG call. At time (6), the service requested by the RG call is not yet complete when τ3 becomes ready and preempts, so τ3 executes. At time (7), τ3 has finished and the highest-priority ready task in the system is the system task τ_G, so the system switches to the GPOS to continue executing the service function requested by the RG call. At time (8), the service completes; the system restores the priority of the system task τ_G to its initial value and wakes τ1, which executes until time (9), when τ1 finishes. All real-time tasks in the system are now idle, so the IDLE task executes and the system switches to the GPOS, until τ2 becomes ready and preempts the CPU.
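The five steps of the mechanism and the FIG. 2 timeline above, as an added example that is not code from the patent: a single-core C model of the G-priority interchange bookkeeping (τ_G inheriting the priority of the highest-priority sleeping caller, return handling, the optional per-call timeout, and suspension of the GPOS once too many timeouts have been counted) together with a fixed-priority pick function, which then replays the FIG. 2 events. The struct and function names, the task indices, the tick units and the thresholds (100 ticks per call, 3 tolerated timeouts) are assumptions of this example; the SGI/SMC notifications are not modelled here.

```c
/* Added example, not the patent's code: a single-core model of the G-priority interchange
 * mechanism (steps 1-5 plus the optional timeout handling) that replays the FIG. 2 timeline.
 * Names, task indices, tick units and thresholds are assumptions of this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define NTASKS     4      /* index 0 is the system task τ_G, 1..3 are τ1..τ3 */
#define TASK_G     0
#define IDLE_PRIO  0      /* priority of the RTOS IDLE task, the lowest */
#define RG_TIMEOUT 1      /* error reported to a caller whose RG call timed out */

enum tstate { T_IDLE, T_READY, T_WAIT_RG };   /* T_WAIT_RG: asleep on an RG call */
struct task { int prio; enum tstate st; unsigned issued; int err; };
struct rtos { struct task t[NTASKS]; unsigned call_timeout, max_timeouts, timeouts; bool gpos_suspended; };

/* Step 1: τ_G starts with the IDLE priority and, like IDLE, is always runnable. */
void rtos_init(struct rtos *r, const int *prio, unsigned call_timeout, unsigned max_timeouts)
{
    memset(r, 0, sizeof *r);                         /* all tasks T_IDLE, no timeouts yet */
    for (int i = 0; i < NTASKS; i++) r->t[i].prio = prio[i];
    r->t[TASK_G].prio = IDLE_PRIO; r->t[TASK_G].st = T_READY;
    r->call_timeout = call_timeout; r->max_timeouts = max_timeouts;
}

/* Steps 3-5: τ_G takes the highest priority among tasks still waiting for an RG return, else IDLE. */
static void recompute_g_prio(struct rtos *r)
{
    int p = IDLE_PRIO;
    for (int i = 1; i < NTASKS; i++)
        if (r->t[i].st == T_WAIT_RG && r->t[i].prio > p) p = r->t[i].prio;
    r->t[TASK_G].prio = p;
}

/* Step 2: task i issues an RG call at tick `now` and yields the CPU. */
void rg_issue(struct rtos *r, int i, unsigned now)
{
    r->t[i].st = T_WAIT_RG; r->t[i].issued = now; r->t[i].err = 0;
    recompute_g_prio(r);
}

/* Step 4: the GPOS returned task i's result; a duplicate or stale return is ignored. */
void rg_return(struct rtos *r, int i)
{
    if (r->t[i].st != T_WAIT_RG) return;
    r->t[i].st = T_READY;
    recompute_g_prio(r);
}

/* Timeout check from the clock-interrupt scheduling path; returns how many calls timed out now. */
int rg_tick(struct rtos *r, unsigned now)
{
    int n = 0;
    for (int i = 1; i < NTASKS; i++) {
        if (r->t[i].st != T_WAIT_RG || now - r->t[i].issued <= r->call_timeout) continue;
        r->t[i].st = T_READY;          /* wake the caller ... */
        r->t[i].err = RG_TIMEOUT;      /* ... with a timeout error */
        r->timeouts++; n++;
    }
    recompute_g_prio(r);
    if (r->timeouts > r->max_timeouts) {   /* too many failures: stop serving the GPOS */
        r->gpos_suspended = true; r->t[TASK_G].prio = IDLE_PRIO;
    }
    return n;
}

/* Preemptive fixed-priority pick; a real-time task wins a tie against τ_G, which runs only when nothing else can. */
int pick_next(const struct rtos *r)
{
    int best = TASK_G;
    for (int i = 1; i < NTASKS; i++)
        if (r->t[i].st == T_READY && r->t[i].prio >= r->t[best].prio) best = i;
    return best;
}

static void record(const struct rtos *r, char *out, size_t *k, size_t n)
{   int p = pick_next(r); if (*k + 1 < n) out[(*k)++] = (p == TASK_G) ? 'G' : (char)('0' + p); }

/* Replays FIG. 2; after each event the task chosen for the CPU is appended ('G' = τ_G, i.e. the GPOS). */
const char *replay_fig2(char *out, size_t n)
{
    static const int prio[NTASKS] = { IDLE_PRIO, 1, 2, 3 };   /* τ1 < τ2 < τ3 */
    struct rtos r; size_t k = 0;
    rtos_init(&r, prio, 100, 3);
    record(&r, out, &k, n);                          /* all idle: the GPOS runs inside τ_G */
    r.t[3].st = T_READY;  record(&r, out, &k, n);    /* (1) τ3 ready, runs at once */
    r.t[1].st = T_READY;                             /*     τ1 ready while τ3 runs */
    r.t[3].st = T_IDLE;   record(&r, out, &k, n);    /* (2) τ3 done, τ1 runs */
    r.t[2].st = T_READY;  record(&r, out, &k, n);    /* (3) τ2 preempts τ1 */
    r.t[2].st = T_IDLE;   record(&r, out, &k, n);    /* (4) τ2 done, τ1 resumes */
    rg_issue(&r, 1, 5);   record(&r, out, &k, n);    /* (5) τ1 issues an RG call, sleeps */
    r.t[3].st = T_READY;  record(&r, out, &k, n);    /* (6) τ3 preempts the GPOS service */
    r.t[3].st = T_IDLE;   record(&r, out, &k, n);    /* (7) τ3 done, τ_G resumes the service */
    rg_return(&r, 1);     record(&r, out, &k, n);    /* (8) result back, τ1 woken */
    r.t[1].st = T_IDLE;   record(&r, out, &k, n);    /* (9) τ1 done, back to the GPOS */
    r.t[2].st = T_READY;  record(&r, out, &k, n);    /*     τ2 ready, preempts the GPOS */
    out[k] = '\0';
    return out;
}

int main(void) { char buf[16]; puts(replay_fig2(buf, sizeof buf)); }   /* G3121G3G1G2 */
```

The replay yields the pick sequence G3121G3G1G2, which matches the figure: τ_G carries τ1's priority only while τ1 sleeps on its call, so τ3 still preempts the GPOS service at (6) and the GPOS container resumes at (7) without any other task having to know about the call. The tie rule in `pick_next` matters for the same reason: a ready real-time task of equal priority must win against τ_G, otherwise the GPOS container could starve the very caller it is serving once that caller is woken.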
Further, this embodiment also provides a notification mechanism based on software interrupts to enhance cross-secure-world real-time function calls on a TEE-extended computing platform. In this embodiment, the RG call sent to the GPOS in the REE generic subsystem in step 2) is delivered by notifying the GPOS through a software-generated interrupt, so that the GPOS starts processing the RG call at the first moment it executes online; after the GPOS completes the RG call, the CPU is immediately switched back to the TEE environment by invoking a software-generated interrupt or actively raising an exception, and the caller is notified that the execution result has been returned. Since an interrupt is the fastest mechanism for triggering a processor response, this embodiment uses a Software Generated Interrupt (SGI) to send the notification to the GPOS of the REE and pass the RG call request, so that the GPOS begins processing the request as soon as it executes online, without relying on a second scheduling pass. Therefore, the real-time task of the RTOS triggers a software-generated interrupt by means of a software instruction while executing the RG call function interface. Conversely, once the RG call has been processed in the GPOS, the GPOS can likewise cause the CPU to switch immediately to the TEE environment by issuing a software-generated interrupt or actively raising an exception, and notify the caller that the result has been returned.
In this embodiment, an SGI (Software Generated Interrupt) on the ARM architecture is used as the notification mechanism for an RG call request, and an SMC (Secure Monitor Call) is used as the notification mechanism for an RG call return. The RG call is packaged in the RTOS as a library function, whose C-language pseudo code is:
/* RTOS-side library function that issues an RG call */
void RG_func_call(void)
{
    write_data_to_shared_memory();  /* write the data to be transferred into the shared-memory buffer */
    send_SGI_interrupt();           /* send an SGI to the GPOS to deliver the call notification */
    yield();                        /* give up the CPU and sleep until the return is detected */
}
The return of the RG call is also implemented in the GPOS kernel as a generic interface function, whose C language pseudo code is:
/* GPOS-side generic interface function that returns an RG call */
void RG_func_return(void)
{
    write_data_to_shared_memory();  /* write the data to be returned into the shared-memory buffer */
    SMC_call();                     /* trigger an SMC call request and switch to the TEE */
}
After finishing the RG call service, the service program in the GPOS calls RG_func_return() to switch immediately to EL3, and the Monitor module restores the RTOS context.
Further, this embodiment also provides a way to enhance cross-secure-world real-time function calls on TEE-extended computing platforms based on executing the called function within the interrupt service: in this embodiment, when the GPOS executes the RG call, the service code of the called function is executed directly in the interrupt service routine of the GPOS or is called indirectly by the interrupt service routine. Executing the service code of the called function directly in the GPOS interrupt service routine, or calling it indirectly from there, reduces the nondeterministic latency caused by scheduling and avoids the page-fault overhead that arises when the service code has been swapped out of memory, thereby achieving a deterministic time from the resumption of GPOS execution to the execution of the service code.
Specifically, the GIC interrupt controller of the ARM platform supports setting priorities for interrupts; by setting the SGI to the highest-priority interrupt (in the GPOS), the system detects the arrival of the interrupt at the first moment after switching to the GPOS. In this embodiment, the service function requested by the RG call is implemented in the corresponding SGI interrupt handler (Interrupt Handler), which avoids many sources of timing uncertainty, including page faults; if the RG call service takes a long time, it can instead be implemented in a higher-priority softirq part. It should be noted that there may also be an interrupt-masked period TIM after the GPOS has been loaded onto the CPU for execution by the Monitor and before the SGI is received by the CPU, for example when the GPOS is in the hardirq part of interrupt processing or in a critical section of kernel code. In systems such as Linux, the code sections that mask interrupts are limited in number and can be enumerated to find the maximum time for which interrupts are masked, which makes TIM time-deterministic. In this embodiment, the priority of the calling task is added to the parameters passed with the RG call, and when multiple calls arrive at the same time, the RG call service program preferentially processes the request with the highest priority.
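The handler-side selection described in this paragraph, as an added example that is not taken from the patent: a constructed table of request slots stands in for the shared-memory buffer, a dispatch table holds two constructed services, and the SGI handler picks the pending request with the highest caller priority (oldest first on ties), runs it in interrupt context and signals the return. The slot layout, the RG_SVC_* names and the status codes are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the GPOS-side RG call service in an SGI handler (added
 * example, not the patent's code). A real system would place the slots in the
 * shared memory region and raise the SMC from the handler's return path. */
#define RG_SLOTS 4
enum rg_state   { RG_FREE = 0, RG_PENDING, RG_DONE };
enum rg_status  { RG_OK = 0, RG_EINVAL = -1 };
enum rg_service { RG_SVC_ADD = 0, RG_SVC_MUL = 1, RG_SVC_COUNT };

struct rg_slot {
    volatile int state;     /* written by both worlds, hence volatile */
    int      caller_prio;   /* RTOS priority of the caller, carried with the request */
    unsigned seq;           /* issue order, used to break priority ties */
    int      func_id;       /* index into the service table, validated before use */
    int      arg0, arg1;
    int      result;
    int      status;
};

static struct rg_slot shm[RG_SLOTS];    /* stands in for the shared-memory buffer */
static unsigned next_seq;
static unsigned smc_returns;            /* how many times the handler signalled a return */

/* Service bodies live in the handler's own, always resident, code: running them
 * in interrupt context avoids scheduling latency and page faults. */
static int svc_add(int a, int b) { return a + b; }
static int svc_mul(int a, int b) { return a * b; }
static int (*const rg_services[RG_SVC_COUNT])(int, int) = { svc_add, svc_mul };

void rg_shm_reset(void)
{
    for (int i = 0; i < RG_SLOTS; i++) shm[i] = (struct rg_slot){0};
    next_seq = 0; smc_returns = 0;
}

/* RTOS side (RG_func_call): fill a free slot; the SGI would be raised after this. */
int rg_submit(int caller_prio, int func_id, int arg0, int arg1)
{
    for (int i = 0; i < RG_SLOTS; i++) {
        if (shm[i].state != RG_FREE) continue;
        shm[i].caller_prio = caller_prio; shm[i].func_id = func_id;
        shm[i].arg0 = arg0; shm[i].arg1 = arg1; shm[i].seq = next_seq++;
        shm[i].state = RG_PENDING;   /* publish last, after the other fields are written */
        return i;
    }
    return -1;                       /* no free slot: the caller must back off */
}

/* GPOS side: the SGI handler picks the pending request with the highest caller
 * priority (oldest first on ties), runs it, and signals the return via SMC.
 * Returns the slot serviced, or -1 if nothing was pending. */
int rg_sgi_handler(void)
{
    int best = -1;
    for (int i = 0; i < RG_SLOTS; i++) {
        if (shm[i].state != RG_PENDING) continue;
        if (best < 0 || shm[i].caller_prio > shm[best].caller_prio ||
            (shm[i].caller_prio == shm[best].caller_prio && shm[i].seq < shm[best].seq))
            best = i;
    }
    if (best < 0) return -1;
    struct rg_slot *s = &shm[best];
    /* func_id comes from the other world: bounds-check it before indexing. */
    if (s->func_id < 0 || s->func_id >= RG_SVC_COUNT) {
        s->status = RG_EINVAL; s->result = 0;
    } else {
        s->status = RG_OK; s->result = rg_services[s->func_id](s->arg0, s->arg1);
    }
    s->state = RG_DONE;
    smc_returns++;                   /* stands in for RG_func_return(): SMC back to EL3 */
    return best;
}

/* RTOS side after wake-up: read the status and result, then release the slot. */
int rg_status(int slot)       { return shm[slot].status; }
int rg_collect(int slot)      { int r = shm[slot].result; shm[slot].state = RG_FREE; return r; }
unsigned rg_smc_returns(void) { return smc_returns; }

int main(void)
{
    rg_shm_reset();
    rg_submit(1, RG_SVC_ADD, 2, 3);
    rg_submit(3, RG_SVC_MUL, 4, 5);
    int first = rg_sgi_handler();
    printf("serviced slot %d first (caller priority 3), result %d\n", first, rg_collect(first));
    return 0;
}
```

The func_id and arguments are written by the other world, so the handler bounds-checks the index before using it in the dispatch table; for the same reason the RTOS should treat the status and result it reads back from the slot as untrusted input and validate them before acting on them. Real code would additionally need memory barriers between filling a slot and publishing its state across the two worlds.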
In summary, this embodiment guarantees the real-time performance of RG calls from the TEE to the REE through three main mechanisms: the τ_G priority interchange mechanism, the notification mechanism based on software interrupts, and the execution of the called function within the interrupt service. Through the combined application of these three mechanisms, an RG call processing and return procedure that conforms to the priority system of the RTOS can be realized. That is, the RG call process is integrated with the other operations of its caller, and it is guaranteed to the greatest extent that only higher-priority real-time tasks (or the RG calls issued by them) can preempt it. Even inside the GPOS, the RG call keeps its priority standing. Through these three combined measures, the system is guaranteed to switch preferentially to the GPOS when a high-priority task sends an RG request; after the switch, the RG request service is executed at the first moment as part of an interrupt service function, and the request of the highest-priority real-time task is executed first; the system switches back to the RTOS immediately after the service completes and wakes the caller task of the returned RG call. Therefore, the whole RG call process is time-deterministic and remains compatible with the priority system of the RTOS subsystem.
Therefore, the cross-secure-world real-time function calling method on a computing platform with TEE extension has the following advantages: (1) the RTOS of the TEE-based hybrid system can obtain services from the GPOS, so that the services provided by the GPOS can be utilized; (2) service requests issued by the RTOS across environments are executed within a deterministic time, so the real-time requirements of the RTOS subsystem are still met; (3) the mechanism of the invention has little impact on the operation and efficiency of the original system, and CPU resources can still be used to the maximum on the premise of guaranteeing the real-time performance of the RTOS.
In addition, the embodiment also provides a device for calling the function in real time across the secure world on the computing platform with the TEE extension, which includes a computer device, on which a GPOS and an RTOS are simultaneously run, wherein the GPOS is located in an REE environment, and the RTOS is located in a TEE environment, the computer device is programmed or configured to execute the step of the method for calling the function in real time across the secure world on the computing platform with the TEE extension, or a memory of the computer device stores a computer program programmed or configured to execute the method for calling the function in real time across the secure world on the computing platform with the TEE extension. In addition, the present embodiment also provides a computer readable storage medium, which stores thereon a computer program programmed or configured to execute the cross-secure-world real-time function call method on the computing platform with TEE extension.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The present application is directed to methods, apparatus (systems), and computer program products according to embodiments of the application wherein instructions, which execute via a flowchart and/or a processor of the computer program product, create means for implementing functions specified in the flowchart and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above embodiments, and all technical solutions belonging to the idea of the present invention belong to the protection scope of the present invention. It should be noted that modifications and embellishments within the scope of the invention may occur to those skilled in the art without departing from the principle of the invention, and are considered to be within the scope of the invention.
Claims (10)
1. A cross-secure-world real-time function calling method on a computing platform with TEE extension is characterized by comprising the following implementation steps:
1) Setting the initial priority of the system task τ_G specified in the RTOS of the TEE real-time subsystem to be the same as that of the idle task;
2) Detecting in the RTOS an RG call sent to the GPOS of the REE general subsystem, and jumping to the next step when an RG call is sent by a task in the RTOS;
3) Changing the priority of the system task τ_G so that it becomes the highest-priority task among all tasks in the RTOS that have sent an RG call and not yet received a return result;
4) Checking whether a return result from the GPOS exists; if so, setting the task that made the RG call corresponding to the return result to the ready state, and correcting the priority of the system task τ_G so that it becomes the highest-priority task among all tasks in the RTOS that have sent an RG call and not yet received a return result;
5) Judging whether all RG calls have received their return result; if so, restoring the priority of the system task τ_G to its initial priority, and jumping to execute step 2).
2. The method for invoking real-time functions across secure worlds on a computing platform with TEE extensions according to claim 1, wherein the step 2) of detecting in the RTOS RG calls to the GPOS in the REE generic subsystem further comprises the step of recording the issue time of the RG calls, and the step 4) further comprises the step of judging, for all RG calls for which a return result has not been received, whether the time difference between the current system time and the issue time of the RG call exceeds a preset threshold; if so, waking up the task that made the RG call and notifying it that a timeout error has occurred, and then correspondingly correcting the priority of the system task τ_G so that it becomes the highest-priority task among all tasks in the RTOS that issued an RG call and have not yet received a return result.
3. The method for invoking a function in real time across a secure world on a computing platform with a TEE extension according to claim 2, wherein step 4) further comprises the step of counting the number of timeout errors of the RG call.
4. The method for invoking the real-time function across the secure world on the computing platform with the TEE extension according to claim 3, wherein the step 4) further comprises the RTOS kernel suspending the GPOS, broadcasting the error and restoring the priority of the system task τ_G to its original priority when the number of timeout errors exceeds a preset threshold.
5. The method for invoking the real-time function across the secure world on the computing platform with the TEE extension according to claim 1, wherein the execution steps of the system task τ_G are: entering a critical section, judging whether the GPOS is running, and if the GPOS is running, requesting the Monitor through SMC to switch to the GPOS, then exiting the critical section.
6. The method for invoking the real-time function across the secure world on the computing platform with the TEE extension according to claim 1, wherein the steps 3) -5) are executed by scheduling in a clock interrupt processing function.
7. The method as claimed in claim 1, wherein the RG call sent to the GPOS in the REE generic subsystem in step 2) is specifically a notification delivery RG call sent to the GPOS in a software interrupt manner, so that the RG call is processed at the first time of online execution of the GPOS, and after the execution of the RG call by the GPOS is completed, the CPU is immediately switched to the TEE environment by invoking software interrupt or actively generating an exception, and the execution result of the caller is notified to be returned.
8. The cross-secure-world real-time function call method on a TEE-enabled computing platform of claim 7, wherein when the GPOS executes the RG call, the service code of the called function is directly executed in the interrupt service of the GPOS or indirectly called by the interrupt service.
9. A cross-secure-world real-time function calling apparatus on a computing platform with TEE extension, comprising a computer device, on which a GPOS and an RTOS are simultaneously run, wherein the GPOS is located in an REE environment, and the RTOS is located in a TEE environment, wherein the computer device is programmed or configured to execute the steps of the cross-secure-world real-time function calling method on the computing platform with TEE extension according to any one of claims 1 to 8, or a computer program programmed or configured to execute the cross-secure-world real-time function calling method on the computing platform with TEE extension according to any one of claims 1 to 8 is stored on a memory of the computer device.
10. A computer-readable storage medium having stored thereon a computer program programmed or configured to perform the cross-secure-world real-time function call method on a TEE-extended computing platform of any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010251385.4A CN111414246B (en) | 2020-04-01 | 2020-04-01 | Cross-secure-world real-time function calling method and device on computing platform with TEE extension |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010251385.4A CN111414246B (en) | 2020-04-01 | 2020-04-01 | Cross-secure-world real-time function calling method and device on computing platform with TEE extension |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111414246A CN111414246A (en) | 2020-07-14 |
CN111414246B true CN111414246B (en) | 2022-10-11 |
Family
ID=71494787
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010251385.4A Active CN111414246B (en) | 2020-04-01 | 2020-04-01 | Cross-secure-world real-time function calling method and device on computing platform with TEE extension |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111414246B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111859395B (en) * | 2020-07-21 | 2024-03-26 | 中国人民解放军国防科技大学 | Communication optimization method and system on computing platform with TEE expansion |
CN112527478B (en) * | 2020-11-30 | 2023-11-07 | 成都中科大旗软件股份有限公司 | Method and system for realizing automatic registration and asynchronous scheduling of tasks based on distribution |
CN113190869B (en) * | 2021-05-27 | 2022-10-11 | 中国人民解放军国防科技大学 | TEE-based mandatory access control security enhancement framework performance evaluation method and system |
CN113486355B (en) * | 2021-06-29 | 2023-03-14 | 北京紫光展锐通信技术有限公司 | Information storage device, information storage method, communication device, chip and module equipment thereof |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106547618A (en) * | 2016-10-19 | 2017-03-29 | 沈阳微可信科技有限公司 | Communication system and electronic equipment |
CN106845285A (en) * | 2016-12-28 | 2017-06-13 | 北京握奇智能科技有限公司 | A kind of TEE systems coordinate to realize the method and terminal device of service with REE systems |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2126694A2 (en) * | 2006-12-22 | 2009-12-02 | VirtualLogix SA | System for enabling multiple execution environments to share a device |
- 2020-04-01 CN CN202010251385.4A patent/CN111414246B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106547618A (en) * | 2016-10-19 | 2017-03-29 | 沈阳微可信科技有限公司 | Communication system and electronic equipment |
CN106845285A (en) * | 2016-12-28 | 2017-06-13 | 北京握奇智能科技有限公司 | A kind of TEE systems coordinate to realize the method and terminal device of service with REE systems |
Also Published As
Publication number | Publication date |
---|---|
CN111414246A (en) | 2020-07-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111414246B (en) | Cross-secure-world real-time function calling method and device on computing platform with TEE extension | |
CN111414626B (en) | Real-time guaranteeing method and system based on TEE expansion | |
US9092356B2 (en) | Executing a kernel device driver as a user space process | |
US9268594B2 (en) | Processor extensions for execution of secure embedded containers | |
EP1899810B1 (en) | System and method to optimize os context switching by instruction group trapping | |
EP2075696A2 (en) | Interrupt- related circuits, systems and processes | |
US9311138B2 (en) | System management interrupt handling for multi-core processors | |
KR100983061B1 (en) | Interrupt control function adapted to control the execution of interrupt requests of differing criticality | |
JP2008513909A (en) | Method and apparatus for providing support for a timer associated with a virtual machine monitor | |
CN111324432B (en) | Processor scheduling method, device, server and storage medium | |
WO2023274027A1 (en) | User mode interrupt request processing method and apparatus | |
GB2579682A (en) | Trusted execution environment migration method | |
Zuepke et al. | AUTOBEST: a united AUTOSAR-OS and ARINC 653 kernel | |
Van Bulck et al. | Towards availability and real-time guarantees for protected module architectures | |
CN109933549B (en) | Interrupt controller suitable for RISC-V treater | |
US7225443B2 (en) | Stack usage in computer-related operating systems | |
CN109445959A (en) | A kind of sensing data processing real time operating system | |
WO2022204873A1 (en) | Electronic apparatus, system on chip, and physical core allocation method | |
CN117407054A (en) | Interrupt processing method, electronic device, and storage medium | |
CN112559136A (en) | Method and device for interrupting delivery of computer | |
Lee et al. | Interrupt handler migration and direct interrupt scheduling for rapid scheduling of interrupt-driven tasks | |
CN117272412B (en) | Interrupt control register protection method, device, computer equipment and storage medium | |
US11461134B2 (en) | Apparatus and method for deferral scheduling of tasks for operating system on multi-core processor | |
CN112462926B (en) | Power management method and device in mobile terminal, electronic equipment and computer storage medium | |
US20210157489A1 (en) | Supervisor mode access protection for fast networking |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |