Khurram

Reputation: 71

Trustzone: CPU0 non-secure and CPU1 Secure in

I am using a zynq-7000 (zed board) with an A9 processor (dual core). I am trying to work with TrustZone.

I want to configure cpu1 to be running only in the secure world and cpu0 to be running a normal world application (petalinux). I read ug1019 and some other documents, but I could not get an idea about how to achieve this. I found this,

MRC p15,0,<Rt>,c1,c1,0 ; Read SCR into Rt

MCR p15,0,<Rt>,c1,c1,0 ; Write Rt to SCR

where I can configure the NS bit, but I am not sure if it will work and which CPU it will put into the secure/non-secure state. If someone can guide me to some example or idea.

Upvotes: 2

Views: 473

Answers (1)

artless-noise-bye-due2AI

Reputation: 22430

I want to configure cpu1 to be running only in the secure world and cpu0 to be running a normal world application (petalinux).

It is typical that CPU0 is a boot CPU and you need to start CPU1 during boot. Normally nothing needs to be done to boot in secure mode. So the steps during CPU0 boot I see needed are,

  • partition memory between secure/normal world.
  • create monitor vectors/code to handle normal world requests.
  • boot CPU1 in secure mode.
  • boot petalinux in normal world

You need to prevent the normal world from accessing memory in the secure world (or there is little point to this). This can include devices that the secure world needs.

There are a few registers that Linux needs to update that can only be accessed via the secure world. For example, the cache-l2x0 needs to write a few secure-only registers. You will need to ultimately use an SMC instruction to change worlds on CPU0 to get permission to alter these registers and then return to Linux in the normal world. The SMC will also be useful if you wish to communicate between the CPU0 and CPU1 Linux.

You will probably have to turn on early boot debugging to find all of the issues where Linux may need secure access. Part of this could be due to drivers on the Zynq system and secure/normal world issues. Other issues are that the banked normal world CP15 registers are normally garbage on booting, whereas the secure banked registers have known values.

You will also need to alter the device tree with any changes you make in the partition memory step. For instance, you may want timers, etc. to have an RTOS on CPU1. Linux obviously cannot use these.

The boot petalinux in normal world needs to be just like uboot would provide.


Upvotes: 2
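
One way the monitor code from the steps above could validate a normal-world request such as the cache-l2x0 secure register write (an added example, not code from the answer or from any Xilinx or Linux source). The SMC function ID, return codes, per-register bit policy and the `fake_l2` stand-in array are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical SMC function ID and return codes, chosen for this example. */
#define SMC_L2_WRITE_SEC 0x100u
#define SMC_OK       0
#define SMC_DENIED  (-1)
#define SMC_UNKNOWN (-2)

/* L2C-310 (cache-l2x0) register offsets that need a secure write. */
#define L2X0_CTRL          0x100u
#define L2X0_AUX_CTRL      0x104u
#define L2X0_DEBUG_CTRL    0xF40u
#define L310_PREFETCH_CTRL 0xF60u
#define L310_POWER_CTRL    0xF80u

/* Assumed policy: which registers and which bits the normal world may set.
 * AUX_CTRL bits 26/27 (non-secure lockdown / interrupt access) stay with the
 * secure world in this example. */
struct sec_reg { uint32_t off; uint32_t mask; };
static const struct sec_reg allowed[] = {
    { L2X0_CTRL,          0x00000001u },
    { L2X0_AUX_CTRL,      ~((1u << 26) | (1u << 27)) },
    { L2X0_DEBUG_CTRL,    0x00000003u },
    { L310_PREFETCH_CTRL, 0xFFFFFFFFu },
    { L310_POWER_CTRL,    0x00000003u },
};

/* On target this points at the controller's secure mapping; the constructed
 * array stands in so the check can be run off-target. */
static uint32_t fake_l2[0x1000 / 4];
static volatile uint32_t *l2_base = fake_l2;

/* Called from the monitor's SMC vector with the caller's r0-r2. */
int32_t smc_dispatch(uint32_t fid, uint32_t reg, uint32_t val)
{
    if (fid != SMC_L2_WRITE_SEC)
        return SMC_UNKNOWN;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (allowed[i].off != reg)
            continue;
        uint32_t old = l2_base[reg / 4];
        l2_base[reg / 4] = (old & ~allowed[i].mask) | (val & allowed[i].mask);
        return SMC_OK;
    }
    return SMC_DENIED;  /* reg is matched against the table, never used as a free address */
}
```

The table lookup keeps the SMC from becoming a general secure-world write primitive: an offset outside the list, including an unaligned one, is rejected before any store happens.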
