ARMv8 Cortex-M TrustZone configuration

Johnny Daniels

Hello Zephyr devel universe,

I have an NXP LPC55S69-EVK development board. It is based on an ARMv8 Cortex-M CPU with the TrustZone extension. Zephyr officially supports this board.

I want to run Zephyr OS inside the Non-Secure World and have the Secure World free for other services.
Question 1: Is this possible with the current version of the Zephyr project?

If the answer to the above question is yes, then
Question 2: How to achieve this separation using Zephyr's build system? Can you point me to a documentation? I can see GitHub issues and KConfig parameters which suggest that this should theoretically be possible.

What I expect is something similar to:
- The Zephyr build system should produce 2 binaries (for the Secure and Non-Secure worlds respectively) and 1 shared library, which is statically linked to the Non-Secure binary (for the Non-Secure-Callable veneers).
- The Secure binary is the bootloader, the code which configures the TrustZone separation and then starts the Non-Secure kernel.
- The Non-Secure binary starts with the kernel initialisation and continues until the execution of the application threads.
- Executing `west flash` should be able to flash the Secure and Non-Secure binaries independently from one another.

Question 3: From the kernel developer's perspective: What do you guys expect from Zephyr's users? How should users configure the Secure/Non-Secure domains?


Join to automatically receive all group messages.