ARMv8 Cortex-M TrustZone configuration
Hello Zephyr devel universe,
I have an NXP LPC55S69-EVK development board. It is based on an ARMv8 Cortex-M CPU with the TrustZone extension. Zephyr officially supports this board.
I want to run Zephyr OS inside the Non-Secure World and have the Secure World free for other services.
Question 1: Is this possible with the current version of the Zephyr project?
If the answer to the above question is yes, then
Question 2: How to achieve this separation using Zephyr's build system? Can you point me to a documentation? I can see GitHub issues and KConfig parameters which suggest that this should theoretically be possible.
What I expect is something similar to:
- The Zephyr build system should produce 2 binaries (for the Secure and Non-Secure worlds respectively) and 1 shared library, which is statically linked to the Non-Secure binary (for the Non-Secure-Callable veneers).
- The Secure binary is the bootloader, the code which configures the TrustZone separation and then starts the Non-Secure kernel.
- The Non-Secure binary starts with the kernel initialisation and continues until the execution of the application threads.
- Executing `west flash` should be able to flash the Secure and Non-Secure binaries independently from one another.
Question 3: From the kernel developer's perspective: What do you guys expect from Zephyr's users? How should users configure the Secure/Non-Secure domains?