Is pre-emption while in secure mode supported? If so, NS RTOS may have to be modified to handle switching from a thread whose PC and SP are in secure domain.

How would a secure service thread block while waiting for a security-protected hardware process to finish (i.e. what is the secure driver model)?

Alan

From: TF-M [mailto:tf-m-bounces@lists.trustedfirmware.org] On Behalf Of Reinhard Keil via TF-M
Sent: Thursday, April 2, 2020 5:49 AM
To: tf-m@lists.trustedfirmware.org
Cc: nd
Subject: [EXTERNAL] [TF-M] Multi-threaded single-scheduler model proposal

Hi Erik,

Really great to see your involvement.  Let me share my view on a TF-M execution model for constrained single core v8-M with TrustZone using Secure Function Call (aka library) mode:

On secure side:  single thread execution only.  No stack swapping. NS to S calls are blocking until secure execution completes.

On non-secure side: RTOS with threaded execution.  Entry to secure side protected with Mutex.

This structure is explained on page 27 of https://github.com/ARM-software/CMSIS_5/blob/develop/CMSIS_Review_Meeting_2020.pdf

IMHO, there are various benefits:

- Overall less complexity, no need of tz_context, any RTOS would work, less memory overhead (i.e. single stack at secure side)

- No impact to time deterministic execution on the NS side unless two threads call secure services

- Conflict of multiple threads calling secure services could be minimized with RTOS that offers priority inversion

Are there any obvious problems with the above model?

Thanks

Reinhard Keil – Sr. Director Embedded Tools, Arm

P.S. maybe you also read https://lists.trustedfirmware.org/pipermail/tf-m/2020-March/000805.html

IMHO we need to simplify the NS to S call entry to speed up the overall system