From 31cf0a7db81a4ce808f851577bcc361a3aa00ed3 Mon Sep 17 00:00:00 2001 From: Ravi Sahita Date: Wed, 30 Nov 2022 17:12:46 -0800 Subject: [PATCH] remove ABIs not needed and cleanup summary remove ABIs not needed and cleanup summary --- specification/sbi_atee.adoc | 284 ++++++++++++++---------------------- 1 file changed, 110 insertions(+), 174 deletions(-) diff --git a/specification/sbi_atee.adoc b/specification/sbi_atee.adoc index 01fad71..c1338af 100644 --- a/specification/sbi_atee.adoc +++ b/specification/sbi_atee.adoc @@ -67,7 +67,8 @@ explicitly reclaimed for use in the non-confidential world (this is tracked and The TEE address space can be comprised of confidential and non-confidential regions. The former includes both measured pages (that are part of the initial TVM payload), and confidential zero-pages that can be mapped-in on demand by the VMM following runtime access by the TVM. The non-confidential TVM-defined regions -include those for shared-pages and MMIO. +include those for shared-pages and MMIO. Without direct-IO support to TVMs, MMIO regions are non-confidential. +When direct IO is supported - MMIO page mappings will also be allowed to be in the confidential memory region. == Operational model for the TEE Host Extension Executing confidential workloads in a TEE requires a sequence of one or more of the steps detailed below. @@ -639,7 +640,7 @@ Destroys a confidential TVM previously created using *`sbi_tee_host_create_tvm() Confidential TVM memory is automatically released following successful destruction, and it can be assigned to other TVMs. Repurposing confidential memory for use by non-confidential -TVMs requires an explicit call to *`sbi_tee_reclaim_pages()`* (described below). +TVMs requires an explicit call to *`sbi_tee_host_reclaim_pages()`* (described below). The possible error codes returned in `sbiret.error` are shown below. @@ -657,14 +658,12 @@ The possible error codes returned in `sbiret.error` are shown below. [source, C] ----- struct sbiret sbi_tee_host_add_tvm_memory_region(unsigned long tvm_guest_id, - unsigned long tvm_memory_region_type, unsigned long tvm_gpa_addr, unsigned long region_len); ----- Marks the range of TVM physical address space starting at `tvm_gpa_addr` as reserved -for the mapping of memory. The type of memory is specified by `tvm_memory_region_type` -and the length is specified by by `region_len`. `tvm_memory_region_type` must be a -legal value for the `tvm_memory_region_type` enum type described below. +for the mapping of confidential memory. The memory region length is specified by +`region_len`. Both `tvm_gpa_addr` and `region_len` must be 4kB-aligned, and the region must not overlap with a previously defined region. This call must not be made after calling @@ -728,6 +727,7 @@ The possible error codes returned in `sbiret.error` are shown below. | Error code | Description | SBI_SUCCESS | The operation completed successfully. | SBI_ERR_INVALID_ADDRESS | `base_page_address` was invalid. +| SBI_ERR_OUT_OF_PTPAGES | The operation could not complete due to insufficient page table pages. | SBI_ERR_INVALID_PARAM | `tvm_guest_id` or `num_pages` were invalid, or `tsm_page_type` is invalid. | SBI_ERR_NOT_SUPPORTED | The `tsm_page_type` isn't supported by the TSM. @@ -781,9 +781,8 @@ Maps num_pages zero-filled pages of confidential memory starting at `base_page_a into the TVM's physical address space starting at `tvm_base_page_address`. The `tvm_base_page_address` must lie within a region of confidential memory created with `sbi_tee_host_add_tvm_memory_region()`. The `tsm_page_type` parameter must be a -legal value for the `tsm_page_type` enum. - -Zero pages for non-present TVM-specified GPA ranges may be added at any time, and are typically demand faulted on TVM access. +legal value for the `tsm_page_type` enum. Zero pages for non-present TVM-specified GPA +ranges may be added only post TVM finalization, and are typically demand faulted on TVM access. The possible error codes returned in `sbiret.error` are shown below. @@ -1180,7 +1179,9 @@ The possible error codes returned in `sbiret.error` are shown below. == TEE Guest Extension (EID 0x54454547) The TEE Guest extension supplements the TEE Host extension, and TVMs to communicate with TSM. A typical -usecase for this extension is to relay information to the host. +usecase for this extension is to relay information to the host. +TEE-Guest calls cause a trap to the TSM which may exit to the host with +scause set to ECALL, a6 set to FID, a0-a5 set to ECALL args. === Function: TEE Guest Add Memory Region (FID #0) [source, C] @@ -1210,86 +1211,23 @@ host on success. | SBI_ERR_FAILED | The operation failed for unknown reasons. |=== -=== Function: TEE Guest Flush Pages (FID #1) -[source, C] -------- -struct sbiret sbi_tee_guest_flush_pages(unsigned long tvm_gpa_addr, - unsigned long region_len); -------- -Begins the process of invalidating pages in the TVM physical address space range -spanned by `region_len` starting with `tvm_gpa_addr`. All pages spanned by the range -must be of the same type, i.e., either `SHARED_MEMORY_REGION` or `CONFIDENTIAL_MEMORY`. - -This must be must followed by a call to `sbi_tee_guest_global_fence()`, and then `sbi_tee_guest_local_fence()` on all TVM VCPUs to complete the invalidation. - -On success, the GPA range should be considered as unmapped, and attempts to access a page -in the range will result in a fatal page fault. - -[#table_sbi_tee_guest_flush_pages_errors] -.TEE Guest Flush Pages -[cols="2,3", width=90%, align="center", options="header"] -|=== -| Error code | Description -| SBI_SUCCESS | The invalidation operation was successfully started. - | This implies an exit to the host, and a subsequent resume of execution. -| SBI_ERR_INVALID_ADDRESS | `tvm_gpa_addr` was invalid. -| SBI_ERR_INVALID_PARAM | `region_len` was invalid, or the range spanned a region - of another type. -| SBI_ERR_FAILED | The operation failed for unknown reasons. -|=== - -=== Function: TEE Guest Initiate Global Fence (FID #2) -[source, C] ------ -struct sbiret sbi_tee_guest_global_fence(void); ------ -Initiates a TLB invalidation sequence for all pages marked for conversion via -calls to `sbi_tee_host_convert_pages()`. The TLB invalidation sequence is completed -when `sbi_guest_host_local_fence()` has been invoked on all other CPUs. An error is -returned if a TLB invalidation sequence is already in progress. - -The possible error codes returned in `sbiret.error` are shown below. - -[#table_sbi_sbi_tee_guest_global_fence_errors] -.TEE Host Initiate Fence -[cols="2,3", width=90%, align="center", options="header"] -|=== -| Error code | Description -| SBI_SUCCESS | The operation completed successfully. -| SBI_ERR_ALREADY_STARTED | A fence operation is already in progress. -| SBI_ERR_FAILED | The operation failed for unknown reasons. -|=== - -=== Function: TEE Guest Local Fence (FID #3) -[source, C] ------ -struct sbiret sbi_tee_guest_local_fence(void); ------ -Invalidates TLB entries for all pages pending conversion by an in-progress TLB -invalidation operation on the local CPU. - -The possible error codes returned in `sbiret.error` are shown below. - -[#table_sbi_tee_guest_local_fence_errors] -.TEE Guest Local Fence -[cols="2,3", width=90%, align="center", options="header"] -|=== -| Error code | Description -| SBI_SUCCESS | The operation completed successfully. -| SBI_ERR_FAILED | The operation failed for unknown reasons. -|=== - -=== Function: TEE Guest Share Memory Region (FID #4) +=== Function: TEE Guest Share Memory Region (FID #1) [source, C] ------- struct sbiret sbi_tee_guest_share_memory_region(unsigned long tvm_gpa_addr, unsigned long region_len); ------- -Marks the range of TVM physical address space starting at `tvm_gpa_addr` as reserved for the mapping of non-confidential memory. The entire range must reside in a region of -type `CONFIDENTIAL_REGION`, and all pages must have been previously unmapped and flushed (using `sbi_tee_guest_flush_pages()`, followed by a fence). - -Both `tvm_gpa_addr` and `region_len` must be 4kB-aligned. This call will result in an exit to the -host on success. Following successful completion, the TVM can access all any page in the range. +Initiates the conversion of TVM physical address space starting at `tvm_gpa_addr` from confidential to non-confidential/shared memory. +The requested range must lie within an existing region of confidential address space, and may or may not be populated. +If the region of address space is populated, the TSM invalidates the pages and marks the region as pending conversion to shared. +The host must complete a TVM TLB invalidation sequence, initiated by tee_host_tvm_initiate_fence(), in order to complete the conversion. +The calling TVM vCPU is considered blocked until the conversion is completed; attempts to run it with tee_host_tvm_run() will fail. +Any guest page faults taken by other TVM vCPUs in this region prior to completion of the conversion are considered fatal. The host may +not insert any pages in the region prior to completion of the conversion. Upon completion, the host may reclaim the confidential pages +that were previously mapped in the region using tee_host_tsm_reclaim_pages() and may insert shared pages into the region using tee_host_tvm_add_shared_pages(). +If the range of address space is completely unpopulated, the region is immediately converted to shared and the host may insert shared pages. + +Both `tvm_gpa_addr` and `region_len` must be 4kB-aligned. [#table_sbi_tee_guest_share_memory_region_errors] .TEE Guest Share Memory Region @@ -1299,23 +1237,27 @@ host on success. Following successful completion, the TVM can access all any pag | SBI_SUCCESS | The operation completed successfully. | This implies an exit to the host, and a subsequent resume of execution. | SBI_ERR_INVALID_ADDRESS | `tvm_gpa_addr` was invalid. -| SBI_ERR_INVALID_PARAM | `region_len` was invalid, or the entire range doesn't - span a `CONFIDENTIAL_REGION` +| SBI_ERR_INVALID_PARAM | `region_len` was invalid, or the entire range does not map to a `CONFIDENTIAL_REGION` | SBI_ERR_FAILED | The operation failed for unknown reasons. |=== -=== Function: TEE Guest Unshare Memory Region (FID #5) +=== Function: TEE Guest Unshare Memory Region (FID #2) [source, C] ------- struct sbiret sbi_tee_guest_unshare_memory_region(unsigned long tvm_gpa_addr, unsigned long region_len); ------- -Marks the range of TVM physical address space starting at `tvm_gpa_addr` as reserved for the mapping of confidential memory (the contents will be guaranteed to be zeroes on the first -access). The entire range must reside in a region of type `SHARED_MEMORY_REGION`, and all -pages must have been previously unmapped and flushed (using `sbi_tee_guest_flush_pages()`, followed by a fence). - -Both `tvm_gpa_addr` and `region_len` must be 4kB-aligned. This call will result in an exit to the -host on success. Following successful completion, the TVM can access any page in the range. +Initiates the conversion of TVM physical address space starting at `tvm_gpa_addr` from shared to confidential. +The requested range must lie within an existing region of non-confidential address space, and may or may not be populated. +If the region of address space is populated, the TSM invalidates the pages and marks the region as pending conversion to confidential. +The host must complete a TVM TLB invalidation sequence, initiated by tee_host_tvm_initiate_fence(), in order to complete the conversion. +The calling TVM vCPU is considered blocked until the conversion is completed; attempts to run it with tee_host_tvm_run() will fail. +Any guest page faults taken by other TVM vCPUs in this region prior to completion of the conversion are considered fatal. The host may +not insert any pages in the region prior to completion of the conversion. Upon completion, the host may (if required) convert host memory pages +using tee_host_convert_pages() and may insert un-assigned confidential pages into the region using sbi_tee_host_add_tvm_zero_pages(). +If the range of address space is unpopulated, the host may insert zero pages on faults during TVM access. + +Both `tvm_gpa_addr` and `region_len` must be 4kB-aligned. [#table_sbi_tee_guest_unshare_memory_region_errors] .TEE Guest Share Memory Region @@ -1331,65 +1273,76 @@ host on success. Following successful completion, the TVM can access any page in |=== |=== -| *TSM load and initialization operations* | +| *Summary of TSM load and initialization operations* | -| teecall_tsm_info | Used by the OS/VMM to +| sbi_tee_host_get_tsm_info | Used by the OS/VMM to discover if a TSM is loaded and initialized else returns an error. If a TSM is loaded and initialized, this operation is used to enumerate TSM information such as: TEE-capable memory regions, Size of static memory to allocate per TVM, Size of memory to allocate per TVM Virtual Hart and so on. -| teecall_tsm_load | Used by the OS/VMM to load +| sbi_tee_host_tsm_load | Used by the OS/VMM to load a TSM binary image into TSM-memory region. Pages used for TSM will be declared as part of this function to load the TSM. Loading and updates -to the TSM should be done via the TSM-driver teecall_tsm_update interface. +to the TSM should be done via the TSM-driver. This interface is TBD. -| teecall_tsm_init_global | Perform a global state +| sbi_tee_host_tsm_init_global | Perform a global state initialization of the TSM after a load or update. This operation and the following should succeed before the TSM is considered ready to service -other TVM operations. +other TVM operations. This interface is TBD. -| teecall_tsm_init_local | Perform a local +| sbi_tee_host_tsm_init_local | Perform a local (per-hart) initialization of TSM after the global init has been performed.This operation and the above should succeed before the TSM is considered ready to service other TVM operations. -| teecall_tsm_update | Update TSM binary and/or +| sbi_tee_host_tsm_update | Update TSM binary and/or configuration. Ideally this operation should be performed without shutting down the TVMs, however all TVMs have to be paused before an update can be -issued. The TSM update process description is -TBD. +issued. The TSM update process description is TBD. -| teecall_tsm_shutdown | Shuts down the TSM.All +| sbi_tee_host_tsm_shutdown | Shuts down the TSM. All TVMs must be shutdown and all TVM memory must be reclaimed before this -operation can -succeed. +operation can succeed. -| *TVM global operations* | +| *Summary of TVM global operations* | -| teecall_tvm_create_init | TVM creation (static) +| sbi_tee_host_create_tvm | TVM creation (static) process where a set of TEE pages are assigned for a TVM to hold a TVM’s global state. This routine also configures the global configuration that applies to the TVM and affects all TVM hart settings. For example, features enabled for this TVM, perfmon enabled, debug enabled etc. -| teecall_tvm_shutdown | TVM shutdown verifies VMM +| sbi_tee_host_destroy_tvm | TVM shutdown verifies VMM has stopped all virtual hart execution for the TVM. The TVM virtual hart may not be entered after this point. The VMM may start reclaiming TVM memory after this point. -| teecall_tvm_destroy | Verifies that the VMM has -reclaimed all memory for the TVM and destroys the TVM - this operation -returns the last allocated global structure page for the TVM - note that -the page remains a page tracked by the TSM for TEE usage (for another -TVM). +| *Summary of TVM Global memory management operations* | + +| sbi_tee_host_convert_pages | Begins the process of converting memory +to be used as confidential memory. The region consists of one or more contiguous +4KB memory naturally aligned regions. + +| sbi_tee_host_global_fence | This operation initiates TLB version tracking of pages +in the region being converted to confidential. The TSM enforces that the VMM performs +invalidation of all harts (via IPIs and subsequent sbi_tee_host_local_fence) to remove any cached mappings to the memory +regions blocked for conversion via the sbi_tee_host_convert_pages. + +| sbi_tee_host_local_fence | This operation completes the TLB version tracking of pages +in the region being connverted to confidential. The TSM tracks that all available physical harts have executed +this operation before it considers the TLB version updated. The last local fence completes the conversion of a +memory region from non-confidential to confidential for a set of TVM pages. + +| sbi_tee_host_reclaim_pages | VMM may unassign memory for TVMs by destroying them. +All confidential-unassigned memory may be reclaimed back as non-confidential using this interface. -| *TVM memory management* *operations* | +| *Summary of TVM memory management operations* | -| teecall_tvm_page_convert_range | Convert a memory region +| sbi_tee_guest_unshare_memory_region | Convert a memory region from non-confidential to confidential for a set of TVM pages.This operation initiates TSM tracking of these pages and also changes the encryption properties of these pages. These pages can then be selected by the VMM to @@ -1397,18 +1350,13 @@ allocate for TVM control structure pages, second stage page table pages, and TVM pages. -| teecall_tvm_page_map_add_range | Add one or more page +| sbi_tee_host_add_tvm_page_table_pages | Add one or more page mappings to the second stage translation structure for a TVM. The pages to be used for the second stage page table structures must have been converted (and tracked) by the TSM as TEE pages; otherwise this operation will not succeed. -| teecall_tvm_page_map_remove | Remove a page mapping for -a TVM page. The page mappings to be removed must be blocked before the -remove operation will -succeed. - -| teecall_tvm_page_add_pre_init | Add a page for an +| sbi_tee_host_add_tvm_measured_pages | Add a page for an existing mapping for a TVM page - this add_pre must be performed before finalization of the TVM measurement via teecall_tvm_msmt_commit. For this operation, the VMM must provide the page contents that get copied into @@ -1418,72 +1366,59 @@ including the GPA at which the page is mapped. After the TVM msmt is finalized via teecall_tvm_msmt_commit, no more pre-add pages are allowed by the TSM for that TVM. -| teecall_tvm_page_add_post_init | Add a zero page for an +| sbi_tee_host_add_tvm_zero_pages | Add a zero page for an existing mapping for a TVM page (post initialization). This operation adds a zero page into a mapping and keeps the mapping as pending (i.e. access from the TVM will fault until the TVM accepts that GPA -| teecall_tvm_page_range_block | Blocks a set of page +| sbi_tee_guest_global_fence | Blocks a set of page mappings for an existing mapping for a TVM page. This operation prevents new TLB mappings from being created for a particular TVM page mapping. Note that stale TLB mappings may exist and those are invalidated by the TSM. The -TSM enforces that mappings are blocked by the VMM before allowing any page -relocation and/or page fragmentation -operations. +TSM enforces that mappings are blocked and flushed by the VMM before allowing any page +relocation and/or page fragmentation operations. -| teecall_tvm_page_range_unblock | Unblock a set of page -mappings for an existing mapping for a TVM page. Allows new TLB entries to -be created - the VMM may perform this operation after it has invalidated -the last set of mappings it had blocked via the teecall_tvm_fence -operation. +| sbi_tee_guest_local_fence | Issue a TVM TLB +invalidation (for the relevant harts) after a set of changes to the TVM +mappings for confidential pages. The TSM enforces a hfence.gvma for the +affected TVM vmid/asid to enforce stale tlb mappings are flushed. For +implementations using memory tracking, this operation should also +invalidate additional caching structures for page +meta-data. -| teecall_tvm_page_relocate | Relocate a page for an +| sbi_tee_guest_page_relocate | Relocate a page for an existing mapping for a TVM page. This operation allows the VMM to reassign a new SPA for an existing TVM page mapping. The page mapping must be blocked and fenced before the page mapping can be -relocated. +relocated. This interface specification is TBD. -| teecall_tvm_page_promote | Promote a set of small +| sbi_tee_guest_page_promote | Promote a set of small page mappings (existing mappings) for a set of TVM pages to a large page mapping. The affected mappings must be blocked before the promote operation can succeed. The VMM may reclaim the freed second stage page table page if the operation succeeds. -| teecall_tvm_page_demote | Demote a large page +| sbi_tee_guest_page_demote | Demote a large page mapping for an existing mapping to a set of TVM pages and corresponding small page mappings. The affected mapping must be blocked before the operation can succeed. The VMM must provide a free TEE-capable page to the TSM to use as a new second stage page table in the fragmented mapping. -| teecall_tvm_page_reclaim | Reclaim a page (TVM page -or second stage page table page). If the page being reclaimed is for an -existing mapping, the mapping must be blocked (and invalidate mapping). The -pages for a second stage page table structure may only be reclaimed after -all mappings at that page table level have been -reclaimed. - -| teecall_tvm_fence | Issue a TVM TLB -invalidation (for the relevant harts) after a set of changes to the TVM -mappings for confidential pages. The TSM enforces a hfence.gvma for the -affected TVM vmid/asid to enforce stale tlb mappings are flushed. For -implementations using memory tracking, this operation should also -invalidate additional caching structures for page -meta-data. +| *Summary of TVM virtual hart management operations* | -| *TVM virtual hart management operations* | - -| teecall_tvm_vhart_add_init | This operation allows the +| sbi_tee_host_create_tvm_vcpu | This operation allows the VMM to assign TEE pages for a virtual hart context structure (VHCS) for a specific TVM. This routine also initializes the hart-specific fields of this structure.Note that a virtual hart context structure may consist of more than 1 4KB page. The number of pages are enumerated via the tsm_info call. -| *TVM measurement operations* | -| teecall_tvm_msmt_extend | This operation is used to +| *Summary of TVM measurement operations* | + +| sbi_tee_host_add_tvm_measured_pages | This operation is used to extend the static measurement for a TVM for added page contents.The operation performs a SHA384 hash extend to the measurement register managed by the TSM on a 256 byte block of the page. The page must be added to a @@ -1493,13 +1428,14 @@ state machine that must be faithfully reproduced by the VMM otherwise the attestation evidence verification by the relying party will fail and the TVM will not be considered trustworthy. -| teecall_tvm_msmt_commit | This operation enables a +| sbi_tee_host_finalize_tvm | This operation enables a VMM to finalize the measurement of a TVM (static). The TSM enforces that a TVM virtual harts cannot be entered unless the TVM measurement is committed via this operation. | *TVM runtime operations* | -| teecall_tvm_enter | Enter or resume a TVM + +| sbi_tee_run_vcpu | Enter or resume a TVM virtual hart (on any physical hart). A resume operation is performed via a flag passed to this operation. This operation activates a virtual-hart on a physical hart, and may be performed only on a TVM virtual hart structure @@ -1508,10 +1444,11 @@ verifies if the operation is performed in the right state for that virtual hart. | *TSM runtime operations* | + | teecall_ *tsm* _teeret | This operation is used by a TSM to return control to the OS/VMM via the TSM-driver TEERET flow.This operation may be used by the TSM in various scenarios - in response to a -teecall_tg_* operation for requests to the VMM, or due to an S-mode +sbi_tee_guest_* operation for requests to the VMM, or due to an S-mode interrupt that the TSM must report to the OS/VMM. It is also used to communicate faults in the second stage page table for a TVM etc. @@ -1521,43 +1458,42 @@ communicate faults in the second stage page table for a TVM etc. === TEEI - TG-ABI runtime interface |=== -| teecall_tg_drtm_extend | This intrinsic is used by a TVM component +| sbi_tee_guest_drtm_extend | This intrinsic is used by a TVM component to act as a dynamic root of trust of measurement (DRTM) for the TVM to extend runtime measurements. These measurements are managed by the TSM in the TVM global structure (To be specified TBD). These measurements are used in the TcbEvidenceInfo when the TVM attestation certificate is generated -via teecall_tg_get_evidence. +via teecall_tg_get_evidence. This interface specification is TBD. -| teecall_tg_get_evidence | This intrinsic is used by a TVM to get +| sbi_tee_guest_get_evidence | This intrinsic is used by a TVM to get attestation evidence to report to a (remote) relying party.It is supported by the TSM to provide HW-key-signed measurements of the TVM and the TSM. The attestation key used to sign the evidence is provisioned into the TVM by the TSM. The TSM certificate is provisioned by the FW TCB (TSM-driver -and HW -RoT). +and HW RoT). This interface specification is TBD. -| teecall_tg_page_share | This intrinsic is used by the TVM to +| sbi_tee_guest_share_memory_region | This intrinsic is used by the TVM to request the conversion of the specified GPA to non-confidential (from confidential).The GPA must be mapped to the TVM in a present state, and must be scrubbed by the TVM before it is yielded. The TSM enforces that the page is not-present in the second stage page table and not tracked as a TEE -page. The VMM owns the process of reclaiming the -page. +page. The VMM owns the process of reclaiming the page. -| teecall_tg_host_req | This intrinsic is supported by the TSM to +| sbi_tee_guest_host_invoke | This intrinsic is supported by the TSM to provide the TVM the ability to request host services e.g. para-virt IO.The TVM indicates to the TSM during this operation which x/v/f registers should -be passed to the OS/VMM without clearing. +be passed to the OS/VMM without clearing. The specification of this interface is TBD. -| teecall_tg_enable_debug | This intrinsic is supported by the TSM to +| sbi_tee_guest_enable_debug | This intrinsic is supported by the TSM to enable the TVM to request for debugging to be enabled for the TVM (TSM invokes TSM-driver to enable debugging if the TVM was created with debug -opt-in; TSM enforces state save and restore of debug state for TVM hart). +opt-in; TSM enforces state save and restore of debug state for TVM hart). +The specification of this interface is TBD. -| teecall_tg_enable_pmon | This intrinsic is supported by the TSM to +| sbi_tee_guest_enable_perfmon | This intrinsic is supported by the TSM to enable the TVM to request performance monitoring (where the TSM enforces state save and restore of the performance monitoring inhibit and trigger -controls). +controls). The specification of this interface is TBD. |===