Uploaded by linaro, posted 15-Jul-2015

HKG15-307: OP-TEE pager

Presented by Jens Wiklander

Date: 11-Feb-15

Introduction

● The pager enables OP-TEE to run when not enough secure physical RAM is available to have the entire OP-TEE loaded in secure memory

● Not all of the needed virtual memory is mapped at the same time

● DDR is used as backing store

Partitioning

● The OP-TEE memory is partitioned into several areas
  ○ Unpaged code and data
  ○ Initialization code
  ○ Paged code and read-only data
  ○ Unpaged memory for heap, exception stacks and translation tables

Paging

● A page fault is handled as follows
  a. Validate the address
  b. Find a free page and map it at the required address
  c. Populate the free page with new content from DDR
  d. Validate the content against a precomputed hash
  e. Resume execution

Paging - validate an address

● A list of address ranges defines valid addresses

● Each address range has a flags field that tells how the page should be mapped: read-only, read-write or executable

Paging - find a free page

● An approximation of the Least Recently Used (LRU) algorithm is used to find the oldest page

● Since only read-only pages are paged there’s no need to save any data before the page is freed

Paging - populate a page

● A new page is populated with data from backing store

● Before the page can be used it has to be validated against a precomputed hash which is stored in secure RAM

Page replacement algorithm 1

● All physical pages are kept in a queue, with the oldest page first

● When a free page is needed the first page is removed from the queue and added at the end of the queue when remapped

[Figure: queue of physical pages a b c d e f g h i, from older (left) to younger (right), with the oldest ones labelled "no access"]

Page replacement algorithm 2

● One third of the pages at the beginning of the queue are mapped with "no access" to trigger an abort when referenced

● When a "no access" page is referenced it's removed from the queue and added at the end of the queue with its original access rights restored

[Figure: queue of physical pages a b c d e f g h i, from older (left) to younger (right), with the oldest third labelled "no access"]
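As an added example that is not part of the slides or of the OP-TEE code base, the C model below simulates the page-fault steps a-e from the "Paging" slide together with replacement algorithm 2: physical pages a..i sit in a queue, the oldest third is mapped "no access" so that a touch re-ages the page, and a miss evicts the head, fills it from the DDR backing store and maps it only if the content matches the precomputed hash. The queue length, page size, page contents and the FNV-1a stand-in for OP-TEE's cryptographic hash are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the pager queue from the slides, not OP-TEE's own code. OP-TEE
 * validates pages with a cryptographic hash; fnv1a() is a stand-in so the example runs alone. */
#define NPAGES 9       /* physical pages a..i in the slide figure (assumed count) */
#define NVPAGES 64     /* virtual read-only pages held in "DDR" (assumed count) */
#define PAGE_SIZE 16   /* assumed, tiny for illustration */
enum state { FREE, MAPPED_RO, NO_ACCESS };
struct page { enum state st; int vpage; uint8_t data[PAGE_SIZE]; };
static struct page queue[NPAGES];            /* queue[0] is the oldest page; all start FREE */
static uint8_t backing[NVPAGES][PAGE_SIZE];  /* backing store in non-secure DDR */
static uint32_t hashes[NVPAGES];             /* precomputed hashes kept in secure RAM */
static int faults;                           /* page faults taken so far */
static uint32_t fnv1a(const uint8_t *p, size_t n) {       /* stand-in for the real hash */
    uint32_t h = 2166136261u; while (n--) h = (h ^ *p++) * 16777619u; return h;
}
static void refresh_protection(void) {       /* algorithm 2: oldest third is "no access" */
    for (int i = 0; i < NPAGES; i++)
        if (queue[i].st != FREE) queue[i].st = i < NPAGES / 3 ? NO_ACCESS : MAPPED_RO;
}
static void move_to_end(int i) {             /* page i becomes the youngest */
    struct page p = queue[i];
    memmove(&queue[i], &queue[i + 1], (NPAGES - 1 - i) * sizeof p);
    queue[NPAGES - 1] = p;
}
void pager_init(void) {                      /* constructed page contents and their hashes */
    for (int v = 0; v < NVPAGES; v++) {
        for (int j = 0; j < PAGE_SIZE; j++) backing[v][j] = (uint8_t)(v * 7 + j);
        hashes[v] = fnv1a(backing[v], PAGE_SIZE);
    }
}
void corrupt_backing(int vpage) { backing[vpage][0] ^= 0x80; } /* tamper with the DDR copy */
int fault_count(void) { return faults; }
int access_vpage(int vpage) {                /* steps a-e of the "Paging" slide; 0 = denied */
    if (vpage < 0 || vpage >= NVPAGES) return 0;              /* a. validate the address */
    for (int i = 0; i < NPAGES; i++)
        if (queue[i].st != FREE && queue[i].vpage == vpage) {
            if (queue[i].st == NO_ACCESS) move_to_end(i);     /* abort re-ages the page */
            refresh_protection();
            return 1;                                         /* resident: no page fault */
        }
    faults++;
    move_to_end(0);                                           /* b. free the oldest page */
    struct page *p = &queue[NPAGES - 1];
    memcpy(p->data, backing[vpage], PAGE_SIZE);               /* c. populate from DDR */
    p->vpage = vpage;                                         /* d. map only if the hash matches */
    p->st = fnv1a(p->data, PAGE_SIZE) == hashes[vpage] ? MAPPED_RO : FREE;
    refresh_protection();
    return p->st == MAPPED_RO;                                /* e. resume on success */
}
```

A page whose DDR copy has been altered never becomes mapped, which is the property the precomputed hash in secure RAM exists to guarantee.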

Thread stacks

● The thread stacks are also served by the pager

● When an additional page is needed by a thread stack, a page is removed from the list of physical pages used by the pager and remapped to the stack

● When the thread is terminated or suspended the pages no longer needed for the stack are returned to the pager

Limitations

● Only read-only code/data is paged, to avoid expensive cryptographic operations

● Some initialization code and exception handling code can’t be paged

● No support for paging trusted applications

Booting

● Only a part of the OP-TEE binary has to fit in secure RAM

● The binary has three parts
  ○ Header - only used by the loader
  ○ Initialization - loaded into secure RAM by the loader
  ○ Paged - loaded into DDR by the loader

Links

● OP-TEE https://github.com/OP-TEE

● Pager documentation http://shorl.com/vajekivyjyte