Hi Jonatan,

 

The enhancement of this TZ_SAU_Setup() sounds reasonable, and there are more background items to be considerate:

 

 

So if we do the fundamental security setup in SystemInit(), the advantage is the protection is already enabled between SystemInit() exits and SPM_Init() (There are platform init process in this stage). The cons are SPM may not check the isolation status. And if we do isolation in SPM_Init(), the advantage is SPM can know the status and the cons are Platform Init is not restricted (It could access anywhere).

 

I would suggest not to propose the calling time strictly for this new enhanced API.

 

I know cypress uses customized protection initialization mechanism so any ideas?

 

BR

 

/Ken

 

From: TF-M <tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Jonatan Antoni via TF-M
Sent: Tuesday, March 3, 2020 11:09 PM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] TrustZone initialisation procedure

 

Hi all,

 

I am trying to align TrustZone initialisation procedure between TF-M and CMSIS.

 

In CMSIS the approach from the early v8-M days is to have a “partition.h” file providing “TZ_SAU_Setup()” function. This function is called during low level “SystemInit()” which runs as part of the pre-main (called from ResetHandler and before running C lib init).

 

In contrast TF-M calls “tfm_spm_hal_init_isolation_hw()” (which is similar to “TZ_SAU_Setup()” plus PPC/MPC configuration) during “tfm_core_init()” (which runs in secure “main()”).

 

The advantage of “TZ_SAU_Setup()” is that this function is available by standard for all TrustZone devices. The shortcoming is it doesn’t cover MPC/PPC configuration, yet. Ideally we can enhance CMSIS standard to offer a “TrustZone_Setup()” function (the name is still to be defined) that does all this. That would simplify the TF-M HAL to just one single function call that should be provided by each TrustZone-Device low level init code.

 

The final question is: When does this function need to be called? Are you aware of any reason why we should not configure the “system isolation” already during low level init (pre-main)? This could simplify TF-M code even more. In TF-M we could simply rely on a properly configured TrustZone isolation before running any TF-M code.

 

Cheers,

 

Jonatan Antoni

Senior Engineering Manager - CMSIS Germany on Google Android 8.0United Kingdom on Google Android 8.0

 

Arm Germany GmbH
Phone:
+49 (0)89 262 029 618 | Fax: +49 (0)89 456 040-19

Email: jonatan.antoni@arm.com | Visit: www.keil.com | Address: Bretonischer Ring 16, 85630 Grasbrunn, Germany
Sitz der Gesellschaft: Grasbrunn | Handelsregister: München (HRB 175362) | USt-IdNr.: DE 187925309

Geschäftsführer: Joachim Krech, Reinhard Keil

 

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.