Communicating with EL3/Secure-EL1 services from EL0

I’m evaluating moving an existing project to seL4. We have a hardware driver that would need to remain in as part of the Secure World firmware. What would be the intended way for an seL4 EL0 process to communicate with a firmware service?

seL4_ARM_SMC_Call would seem to be half of the puzzle, allowing the EL0 thread with the correct capabilities to send a message to the Secure Monitor.

What I’m not sure about is how the Secure Monitor would signal the EL0 thread. The obvious solution would be to use an SGI.

1. Unless I’ve missed something, it’s not clearly documented which SGIs are used by the kernel and which would be available to be used by the rest of the system? Old release notes for seL4 6.0.0 state it’s SGI 0-1 so I would assume the rest are safe to use.

2. It’s also not clear to me how the SGI should be routed. Would be be sufficient to route it to Core 0, or should the SGI be routed to all cores to ensure a signal isn’t missed?

1. I’m not entirely sure user space can receive SGIs currently, it might need a small kernel modification to make it work, at least for GICv2. Looks like GICv3 should work. If the kernel uses the SGI creating the IRQ handler will fail, so you could just try till it succeeds (or start backwards).
2. You should let user space configure this via the SMC call. Whether you want to support more than one target core or not is up to your secure monitor software.

An alternative to SGI is passing the actual hw IRQ to EL2.