Hi Erik,

 

Really great to see your involvement.  Let me share my view on a TF-M execution model for constrained single core v8-M with TrustZone using Secure Function Call (aka library) mode:

 

On secure side:  single thread execution only.  Not stack swapping. NS to S calls are blocking until secure execution completes.

On non-secure side: RTOS with threaded execution.  Entry to secure side protected with Mutex.

 

This structure is explain on page 27 of https://github.com/ARM-software/CMSIS_5/blob/develop/CMSIS_Review_Meeting_2020.pdf

 

IMHO, there are various benefits:

• Overall less complexity, no need of tz_context, any RTOS would work, less memory overhead (i.e. single stack at secure side)
• No impact to time deterministic execution on the NS side unless two threads call secure services
• Conflict of mulitple threads calling secure services could be minimized with RTOS that offers priority inversion

 

Are there any obvious problems with the above model?

Thanks

Reinhard Keil – Sr. Director Embedded Tools, Arm

 

P.S. maybe you read also https://lists.trustedfirmware.org/pipermail/tf-m/2020-March/000805.html

IMHO we need to simplify the NS to S call entry to speed-up the overall system