Upload
others
View
47
Download
0
Embed Size (px)
Citation preview
Working effectively with
Arm Cortex-M TrustZone
Kyota Yokoo, Field Application Engineer
Agenda
• Introduction of Arm v8-M MCU
• Overview of Arm v8-M TrustZone
• Getting started with IAR Embedded Workbench for Arm
and TrustZone
• Demo
Introduction of Arm v8-M MCU
Arm Cortex-M Lineup
Cortex-M3
Cortex-M4
Cortex-M0/M0+
Cortex-M7
Cortex-M23
Cortex-M33
v6-M v7-M v8-M
What is new about v8-M
• The keyword is “Security”
• Still 32-bit architecture
• Stack Limitation
– Now, Stack overflow can enter Fault handler
• Improved MPU(Memory Protection Unit)
– Now, MPU Range selection is flexible
• TrustZone for Cortex-M!
Overview of Arm v8-M TrustZone
TrustZone adds Secure state
• In addition to privilege level, security state is also added.
Thread mode
Privileged/Unprivileged
Handler mode
Privilege
Secure State
Thread mode
Privileged/Unprivileged
Handler mode
Privilege
Thread mode
Privileged/Unprivileged
Handler mode
Privilege
Non-Secure State
Armv7-M(Cortex-M3/M4) Armv8-M TrustZone
Memory-map with TrustZone
• Security attributes are mapped to regions
Secure
Non-Secure
Secure
Non-Secure
Secure
Non-Secure
Flash
SRAM
Peripherals
Privileged
Unprivileged
Privileged
Unprivileged
Privileged
Unprivileged
Similar concept to v7-M MPU
How to configure Secure regions?
• Use SAU and/or IDAU
Address
SAU *Option
(Security Attribute Unit)
IDAU *Option
(Implementation Defined Attribute Unit)
Com
pare
Address
Security
4 Types of v8-M Devices - / - SAU / - - / IDAU SAU /
IDAU
Switching Secure states
• Using function call to switch secure states
Secure State Non-Secure State
Thread mode
Privileged/Unprivileged
Handler mode
Privilege
Thread mode
Privileged/Unprivileged
Handler mode
Privilege
NSCNon Secure
Callable
SG
SG
Some more information
• Function call from Secure State to Non-Secure state
should also be handled with special keywords
• Programs will always start from Secure state
• SAU can be configured only with Secure State
Getting started with IAR Embedded
Workbench for Arm and TrustZone
Guideline for security design
• Make the “Secure code” smaller
• Reduce the number of call for “Secure code”
• Try not to let “Secure code” talk to the external world
More code, More risks
Non-Secure StateSecure State NSC
Workflow for TrustZone
Secure state Non-Secure state
Create a project for Secure state Create a project for Non-Secure state
Set project options for Secure state
Configure SAU / IDAU
Implement NSC functions
Generates code and NSC library
Set project options for Non-Secure state
Import NSC library
Implement calls for Secure codeImplement calls for Non-Secure code
Project Options for Secure State
Secure state
This enables to generate secure codes
Configure SAU / IDAU
SAU *example IDAU *example (SAML11)
#define SAU_CTRL (*((volatile unsigned int *) 0xE000EDD0))
#define SAU_RNR (*((volatile unsigned int *) 0xE000EDD8))
#define SAU_RBAR (*((volatile unsigned int *) 0xE000EDDC))
#define SAU_RLAR (*((volatile unsigned int *) 0xE000EDE0))
static void SAU_setup(void)
{
/* region #0: non-secure callable, 0x000000C0 - 0x000000DF */
SAU_RNR = 0;
SAU_RBAR = 0x000000C0;
SAU_RLAR = 0x000000C3;
/* region #1: non-secure, 0x00200000 - 0x003fffff */
SAU_RNR = 1;
SAU_RBAR = 0x00200000;
SAU_RLAR = 0x003fffe1;
/* region #2: non-secure, 0x20200000 - 0x203fffff */
SAU_RNR = 2;
SAU_RBAR = 0x20200000;
SAU_RLAR = 0x203fffe1;
/* Enable SAU */
SAU_CTRL = 1;
}
IDAU and its configurations are vary
between device families.
Implement calls for Non-Secure code
#define NON_SECURE_START (0x00000C00ul) // Start address of Non-Secure State
typedef __cmse_nonsecure_call void (*NonSecure_fpVoid) (void);
int main(void)
{
NonSecure_fpVoid NonSecure_ResetHandler;
NonSecure_ResetHandler = (NonSecure_fpVoid)(*((uint32_t *)(NON_SECURE_START + 4u)));
NonSecure_ResetHandler(); // jump to Reset Handler of Non Secure state
}
main_s.c
• Declare function pointers with cmse_nonsecure_call”
BLXNS instruction will be generated to switch states
Implement NSC Functions
Secure_Functions.h#define CMSE_NS_CALL __cmse_nonsecure_call
#define CMSE_NS_ENTRY __cmse_nonsecure_entry
CMSE_NS_ENTRY uint32_t secure_toupper(uint32_t i);
#include “Secure_Functions.h”
CMSE_NS_ENTRY uint32_t secure_toupper(uint32_t i)
{
return( toupper( i ) );
}
Secure_Functions.c
define symbol NSC_start = 0x00000800;
define symbol NSC_end = 0x000008FF;
define region NSC_region =
mem:[from NSC_start to NSC_end];
place in NSC_region { section Veneer$$CMSE };
Linker Configuration file
SG instructions for the functions will be generated in NSC region
• Declare and Define the function with “__cmse_nonsecure_entry”
Generates code and NSC library
Non-Secure project will link the library
• “Make” will generate execution file and NSC library
Project Options for Non-Secure State
Non-Secure state
Imports NSC library
• Link the import library generated in Secure project
Implement calls for Secure code
#include “Secure_Functions.h”
void main(void)
{
char t;
while(1){
t = secure_toupper(s);
}
}
main_ns.c
• Include the header file for the secure function declaration*The file should be shared with Secure and Non-Secure projects
main_ns.c (Non-Secure State)
import_lib.o (NSC)
Secure_Functions.c (Secure State)
Demonstration
Demo settings and program
I-jet
UART
Reset Handler
Reset Handler
Initialize
Jump to “Non-Secure”
Initialize
Receive from UART
Call secure code
ToUpper()
Send to UARTMicrochip SAML11(Cortex-M23: - / IDAU)
Summary
• The keyword of v8-M is security, especially TrustZone
• To use TrustZone, you should create and configure two
projects for Secure and Non-Secure
• IAR Embedded Workbench provides a support for
Secure and Non-Secure code communicates easily
Thank you for your attention!
www.iar.com