HKG15-307: OP-TEE Paging
TRANSCRIPT
Introduction
● The pager lets OP-TEE run when there is not enough secure physical RAM to hold all of OP-TEE in secure memory
● Not all of the needed virtual memory is mapped at the same time
● DDR is used as the backing store
Partitioning
● The OP-TEE memory is partitioned into several areas
○ Unpaged code and data
○ Initialization code
○ Paged code and read-only data
○ Unpaged memory for heap, exception stacks and translation tables
Paging
● A page fault is handled as follows
a. Validate the address
b. Find a free page and map it at the required address
c. Populate the free page with new content from DDR
d. Validate the content against a precomputed hash
e. Resume execution
Paging - validate an address
● A list of address ranges defines valid addresses
● Each address range has a flags field that tells how its pages should be mapped: read-only, read-write or executable
Paging - find a free page
● An approximation of the Least Recently Used (LRU) algorithm is used to find the oldest page
● Since only read-only pages are paged, there is no need to save any data before the page is freed
Paging - populate a page
● A new page is populated with data from backing store
● Before the page can be used it has to be validated against a precomputed hash which is stored in secure RAM
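The fault path on the slides above (validate the address against the range table, take a free page, copy from DDR, check the hash, only then expose the mapping), as an added user-space model that is not OP-TEE's own code. Everything here is an assumption for the sake of a runnable demo: 64-byte pages, a two-page secure pool, a four-page backing store with constructed content, a plain FIFO in place of the LRU approximation, and FNV-1a 64 as a stand-in for the cryptographic hash the real pager keeps in secure RAM. The point it shows that the bullets alone do not: an invalid address is refused before any page is touched, and tampered backing-store content is zeroed and never becomes mapped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE      64       /* assumption: tiny pages so the model fits */
#define NUM_PHYS_PAGES 2        /* assumption: secure RAM pool of two pages */
#define NUM_VPAGES     4        /* assumption: four pageable virtual pages */
#define PAGEABLE_BASE  0x1000u

enum { FLAG_RO = 1, FLAG_RW = 2, FLAG_X = 4 };   /* mapping flags of a range */

struct area { uintptr_t start, end; unsigned flags; };   /* [start, end) */

/* Constructed range table: paged code first, then paged read-only data. */
static const struct area areas[] = {
    { 0x1000, 0x1080, FLAG_RO | FLAG_X },
    { 0x1080, 0x1100, FLAG_RO },
};

static uint8_t  backing[NUM_VPAGES][PAGE_SIZE];    /* "DDR" backing store */
static uint64_t expected_hash[NUM_VPAGES];         /* precomputed, lives in secure RAM */
static uint8_t  phys[NUM_PHYS_PAGES][PAGE_SIZE];   /* secure RAM page pool */
static int      phys_vpage[NUM_PHYS_PAGES];        /* vpage held by each pool page, -1 if none */
static int      next_victim;                       /* FIFO stand-in for the LRU approximation */

/* FNV-1a 64 as a stand-in hash (assumption: NOT collision resistant, only so
 * the model runs stand-alone; the real pager uses a cryptographic hash). */
uint64_t page_hash(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Step a: an address is valid only if some range in the table covers it. */
const struct area *validate_addr(uintptr_t va)
{
    for (size_t i = 0; i < sizeof(areas) / sizeof(areas[0]); i++)
        if (va >= areas[i].start && va < areas[i].end)
            return &areas[i];
    return NULL;
}

/* Step b: the oldest pool page is reused; its content was read-only, so
 * nothing has to be written back before it is unmapped. */
int find_free_page(void)
{
    int p = next_victim;
    next_victim = (next_victim + 1) % NUM_PHYS_PAGES;
    phys_vpage[p] = -1;
    return p;
}

/* Steps a-d for a fault at va. Returns the pool page now mapped there,
 * -1 for an invalid address, -2 if the content failed the hash check. */
int handle_page_fault(uintptr_t va, unsigned *flags_out)
{
    const struct area *a = validate_addr(va);
    if (!a)
        return -1;
    int vpage = (int)((va - PAGEABLE_BASE) / PAGE_SIZE);
    int p = find_free_page();
    memcpy(phys[p], backing[vpage], PAGE_SIZE);           /* step c: copy from DDR */
    if (page_hash(phys[p], PAGE_SIZE) != expected_hash[vpage]) {
        memset(phys[p], 0, PAGE_SIZE);                     /* unverified content is never exposed */
        return -2;                                         /* the real pager would panic here */
    }
    phys_vpage[p] = vpage;                                 /* step d passed: mapping is usable */
    *flags_out = a->flags;
    return p;
}

/* Pool page currently holding vpage, or -1 if it is not resident. */
int resident_phys(int vpage)
{
    for (int p = 0; p < NUM_PHYS_PAGES; p++)
        if (phys_vpage[p] == vpage)
            return p;
    return -1;
}

/* Fill the backing store with constructed content and precompute the hashes. */
void pager_init(void)
{
    for (int v = 0; v < NUM_VPAGES; v++) {
        for (int i = 0; i < PAGE_SIZE; i++)
            backing[v][i] = (uint8_t)(v * 31 + i);
        expected_hash[v] = page_hash(backing[v], PAGE_SIZE);
    }
    for (int p = 0; p < NUM_PHYS_PAGES; p++)
        phys_vpage[p] = -1;
    next_victim = 0;
}

int main(void)
{
    unsigned flags = 0;
    pager_init();
    printf("fault 0x2000 -> %d (no range covers it)\n", handle_page_fault(0x2000, &flags));
    int p = handle_page_fault(0x1000, &flags);
    printf("fault 0x1000 -> pool page %d, flags %u\n", p, flags);
    p = handle_page_fault(0x1090, &flags);
    printf("fault 0x1090 -> pool page %d, flags %u\n", p, flags);
    p = handle_page_fault(0x10c0, &flags);
    printf("fault 0x10c0 -> pool page %d, vpage 0 resident: %d\n", p, resident_phys(0));
    backing[1][5] ^= 0xff;   /* tamper with DDR behind the pager's back */
    printf("fault 0x1040 after tampering -> %d\n", handle_page_fault(0x1040, &flags));
    return 0;
}
```

The order matters: the hash is checked on the copy already sitting in secure RAM, so a DDR-side attacker cannot swap the content between the check and the use.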
Page replacement algorithm 1
● All physical pages are kept in a queue, with the oldest page first
● When a free page is needed the first page is removed from the queue and added at the end of the queue when remapped
[Figure: queue of pages a b c d e f g h i, older on the left, younger on the right; oldest pages labelled "no access"]
Page replacement algorithm 2
● One third of the pages at the beginning of the queue are mapped with "no access" to trigger an abort when referenced
● When a "no access" page is referenced it's removed from the queue and added at the end of the queue with its original access rights restored
[Figure: queue of pages a b c d e f g h i, older on the left, younger on the right; the oldest third labelled "no access"]
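The queue from both replacement-algorithm slides, as an added model that is not OP-TEE's own code: pages sit in a queue oldest first, the oldest third is mapped "no access", a reference to one of those pages traps and moves it to the young end with its rights restored, and a free page is taken from the head and re-queued at the tail once remapped. Page identifiers, the nine-page queue and the access table are constructed for the demo; the real pager works on page-table entries. The thing to notice is what the trap buys: a reference to an already accessible page is invisible to the pager (it returns 0 and changes nothing), so only the no-access third gives any recency information, which is why it is an approximation of LRU.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PAGES 16

enum access { NO_ACCESS, ACCESSIBLE };

struct page_queue {
    char        ids[MAX_PAGES];   /* page identifiers, index 0 = oldest */
    int         n;
    enum access access[128];      /* mapping of each page id (assumption: ASCII ids) */
};

/* Map the oldest third "no access" so a reference to it traps; the younger
 * two thirds keep (or get back) their rights. */
static void refresh_no_access(struct page_queue *q)
{
    int k = q->n / 3;
    for (int i = 0; i < q->n; i++)
        q->access[(int)q->ids[i]] = (i < k) ? NO_ACCESS : ACCESSIBLE;
}

static void remove_at(struct page_queue *q, int i)
{
    memmove(&q->ids[i], &q->ids[i + 1], (size_t)(q->n - i - 1));
    q->n--;
}

static void append(struct page_queue *q, char id)
{
    q->ids[q->n++] = id;
}

void pq_init(struct page_queue *q, const char *ids)
{
    memset(q, 0, sizeof(*q));
    for (; *ids && q->n < MAX_PAGES; ids++)
        append(q, *ids);
    refresh_no_access(q);
}

/* A reference to page id. Returns 1 if it trapped: the page was "no access",
 * so it moves to the young end and regains its original rights. Returns 0
 * for a silent access to an accessible page, which the pager never sees. */
int pq_reference(struct page_queue *q, char id)
{
    if (q->access[(int)id] == ACCESSIBLE)
        return 0;
    for (int i = 0; i < q->n; i++) {
        if (q->ids[i] == id) { remove_at(q, i); break; }
    }
    append(q, id);
    refresh_no_access(q);
    return 1;
}

/* A free page is needed: take the oldest. It is in the "no access" third, so
 * it has not been referenced since it was marked, or it would have moved. */
char pq_take_oldest(struct page_queue *q)
{
    char id = q->ids[0];
    remove_at(q, 0);
    return id;
}

/* The freed page has been remapped with new content: it becomes the youngest. */
void pq_remapped(struct page_queue *q, char id)
{
    append(q, id);
    refresh_no_access(q);
}

/* Queue from oldest to youngest as a string, for display and checking. */
const char *pq_order(const struct page_queue *q, char *buf)
{
    memcpy(buf, q->ids, (size_t)q->n);
    buf[q->n] = '\0';
    return buf;
}

int main(void)
{
    struct page_queue q;
    char buf[MAX_PAGES + 1];
    pq_init(&q, "abcdefghi");                 /* constructed: nine pages, a is oldest */
    printf("initial: %s (a b c are no access)\n", pq_order(&q, buf));
    int trapped = pq_reference(&q, 'b');
    printf("touch b: trapped=%d -> %s\n", trapped, pq_order(&q, buf));
    trapped = pq_reference(&q, 'e');
    printf("touch e: trapped=%d -> %s\n", trapped, pq_order(&q, buf));
    char v = pq_take_oldest(&q);
    pq_remapped(&q, v);
    printf("free+remap %c -> %s\n", v, pq_order(&q, buf));
    return 0;
}
```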
Thread stacks
● The thread stacks are also served by the pager
● When an additional page is needed by a thread stack, a page is removed from the list of physical pages used by the pager and remapped to the stack
● When the thread is terminated or suspended the pages no longer needed for the stack are returned to the pager
Limitations
● Only read-only code/data is paged, to avoid expensive cryptographic operations on write-back
● Some initialization code and exception handling code can’t be paged
● No support to page trusted applications
Booting
● Only a part of the OP-TEE binary has to fit in secure RAM
● The binary has three parts
○ Header - only used by the loader
○ Initialization - loaded into secure RAM by the loader
○ Paged - loaded into DDR by the loader
Links
● OP-TEE https://github.com/OP-TEE
● Pager documentation http://shorl.com/vajekivyjyte