ARMv8 Cortex-M TrustZone configuration


Johnny Daniels
 

Hello Zephyr devel universe,

I have an NXP LPC55S69-EVK development board. It is based on an ARMv8 Cortex-M CPU with the TrustZone extension. Zephyr officially supports this board.

I want to run Zephyr OS inside the Non-Secure World and have the Secure World free for other services.
Question 1: Is this possible with the current version of the Zephyr project?

If the answer to the above question is yes, then
Question 2: How to achieve this separation using Zephyr's build system? Can you point me to some documentation? I can see GitHub issues and KConfig parameters which suggest that this should theoretically be possible.

What I expect is something similar to:
- The Zephyr build system should produce 2 binaries (for the Secure and Non-Secure worlds respectively) and 1 shared library, which is statically linked to the Non-Secure binary (for the Non-Secure-Callable veneers).
- The Secure binary is the bootloader, the code which configures the TrustZone separation and then starts the Non-Secure kernel.
- The Non-Secure binary starts with the kernel initialisation and continues until the execution of the application threads.
- Executing `west flash` should be able to flash the Secure and Non-Secure binaries independently from one another.

Question 3: From the kernel developer's perspective: What do you guys expect from Zephyr's users? How should users configure the Secure/Non-Secure domains?

Regards,
Johnny


Kevin Townsend
 

Hi Johnny,

This doesn't use the LPC55S69-EVK at the moment -- it's based on a development board designed by ARM -- but it is relevant to your question and gives an initial example of TF-M in the secure processing environment (SPE) and Zephyr in the NSPE:


This PR in its current state can't be merged since there are some CI issues to resolve (work ongoing there), but if you look at samples/tfm_integration you will find a basic example that documents how the image merge and signing process works for this setup.

If you're interested in getting involved with TF-M and Zephyr, any participation and contributions are of course always welcome, and I would suggest joining the Zephyr Slack where most of the active contributors are day to day. #general is a good place to start, but #memoryprotection may be of interest to you as well.

Best regards,
Kevin


On Tue, 6 Aug 2019 at 14:17, Johnny Daniels via Lists.Zephyrproject.Org <0x450=protonmail.ch@...> wrote:
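Johnny's expected flow (a Secure image that configures the split and starts a separately flashed Non-Secure kernel) and the image merge step Kevin points to both depend on each image actually being linked for the address it is placed at. As an added illustration, not Zephyr's or TF-M's own tooling, the script below merges a Secure and a Non-Secure image into one flash image and checks each image's Cortex-M vector table against its assumed base; the addresses, image sizes and image contents are constructed placeholders, not the LPC55S69 memory map.

```python
"""Merge a Secure (SPE) and a Non-Secure (NSPE) Cortex-M image into one flash
image and check their placement. Added example; not Zephyr or TF-M tooling.
All addresses are constructed placeholders, not the LPC55S69 memory map."""
import struct

SECURE_BASE = 0x0000_0000     # assumption: SPE image at the start of flash
NONSECURE_BASE = 0x0004_0000  # assumption: NSPE image 256 KiB in
FLASH_SIZE = 0x0008_0000      # assumption: 512 KiB of flash starting at 0
ERASED = 0xFF                 # erased-flash fill between the images


def check_vector_table(image: bytes, base: int, name: str) -> int:
    """Check the two mandatory Cortex-M vector-table words: word 0 is the
    initial MSP, word 1 is Reset_Handler, which must carry the Thumb bit
    (bit 0) and point inside the image when it is placed at `base`.
    Returns the reset-handler address with the Thumb bit cleared."""
    if len(image) < 8:
        raise ValueError(f"{name}: too small for a vector table")
    _msp, reset = struct.unpack_from("<II", image, 0)
    if not reset & 1:
        raise ValueError(f"{name}: reset vector {reset:#x} lacks the Thumb bit")
    entry = reset & ~1
    if not base <= entry < base + len(image):
        raise ValueError(f"{name}: reset vector {entry:#x} lies outside the image")
    return entry


def merge_images(secure: bytes, nonsecure: bytes) -> bytes:
    """Return a FLASH_SIZE-byte image with both inputs at their bases,
    refusing images that overrun flash or overlap each other."""
    out = bytearray([ERASED]) * FLASH_SIZE
    placed = []
    for name, img, base in (("secure", secure, SECURE_BASE),
                            ("nonsecure", nonsecure, NONSECURE_BASE)):
        check_vector_table(img, base, name)
        start, end = base, base + len(img)
        if end > FLASH_SIZE:
            raise ValueError(f"{name}: image overruns flash")
        for other, s, e in placed:
            if start < e and s < end:
                raise ValueError(f"{name} overlaps {other}")
        placed.append((name, start, end))
        out[start:end] = img
    return bytes(out)


def make_image(base: int, size: int) -> bytes:
    """Constructed sample image: a vector table (MSP, Reset_Handler at
    base + 0x100) followed by filler bytes."""
    table = struct.pack("<II", 0x2000_4000, (base + 0x100) | 1)
    return table + bytes([0xA5]) * (size - 8)
```

A Non-Secure image linked for a different base than the one the Secure bootloader jumps to is rejected before anything is flashed, which is the cheapest place to catch that mismatch.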