Hi Erik,
Really great to see your involvement. Let me share my view on a TF-M execution model for constrained single core v8-M with TrustZone using Secure Function Call (aka library) mode:
On the secure side: single-thread execution only, no stack swapping. NS to S calls are blocking until secure execution completes. On the non-secure side: RTOS with threaded execution. Entry to the secure side is protected with a Mutex.
This structure is explained on page 27 of https://github.com/ARM-software/CMSIS_5/blob/develop/CMSIS_Review_Meeting_20...
IMHO, there are various benefits:
* Overall less complexity, no need of tz_context, any RTOS would work, less memory overhead (i.e. single stack at secure side)
* No impact to time deterministic execution on the NS side unless two threads call secure services
* Conflict of multiple threads calling secure services could be minimized with RTOS that offers priority inversion
Are there any obvious problems with the above model?
Thanks
Reinhard Keil - Sr. Director Embedded Tools, Arm
P.S. maybe you also read https://lists.trustedfirmware.org/pipermail/tf-m/2020-March/000805.html IMHO we need to simplify the NS to S call entry to speed up the overall system
tf-m@lists.trustedfirmware.org
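The execution model described in the post above, as an added example that is not part of the original message and not TF-M or CMSIS code: it simulates the proposal on a host with pthreads instead of a real v8-M device. The secure side is a single non-reentrant, run-to-completion function with its own state (standing in for a `cmse_nonsecure_entry` veneer), and every non-secure thread reaches it through one wrapper that takes a single mutex, so callers block until the secure execution completes. All names (`secure_service`, `ns_call_secure`, `run_model`, the thread and call counts) are assumptions made for the example; on real hardware the secure function would be a veneer and the mutex would come from the RTOS.

```c
/* Added example, not from the TF-M project or the original post.
 * Host simulation of "Secure Function Call (library) mode": secure side is
 * single-threaded and blocking, NS side serialises entry with one mutex. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* ---- Secure side: one thread of execution, one stack, run to completion ---- */
static atomic_int s_active;          /* callers currently inside the secure side */
static int s_max_concurrency;        /* observed peak; the model requires exactly 1 */
static uint32_t s_counter;           /* secure-owned state, e.g. a service call counter */

/* Stand-in for a cmse_nonsecure_entry function (hypothetical name). There is no
 * context save and no stack swap: the caller is blocked until this returns. */
static int32_t secure_service(uint32_t arg) {
    int now = atomic_fetch_add(&s_active, 1) + 1;
    if (now > s_max_concurrency) s_max_concurrency = now; /* only racy if the model is broken */
    s_counter += arg;                /* safe only because entry is serialised by the NS mutex */
    atomic_fetch_sub(&s_active, 1);
    return (int32_t)s_counter;
}

/* ---- Non-secure side: RTOS threads, secure entry guarded by a single mutex ---- */
static pthread_mutex_t ns_secure_lock = PTHREAD_MUTEX_INITIALIZER;

/* Every NS thread must call the secure side through this wrapper (hypothetical name).
 * The calling thread blocks for the whole secure execution; other NS threads that
 * want a secure service block on the mutex, which is the scheduling impact the
 * post describes. A plain pthread mutex has no priority-inheritance protocol,
 * so the timing effect on a high-priority NS thread is not modelled here. */
int32_t ns_call_secure(uint32_t arg) {
    pthread_mutex_lock(&ns_secure_lock);
    int32_t r = secure_service(arg);
    pthread_mutex_unlock(&ns_secure_lock);
    return r;
}

#define N_THREADS 4              /* constructed scenario: four NS threads ...          */
#define CALLS_PER_THREAD 10000   /* ... each making this many secure service calls    */

static void *ns_thread(void *unused) {
    (void)unused;
    for (int i = 0; i < CALLS_PER_THREAD; i++)
        ns_call_secure(1);
    return NULL;
}

/* Runs the scenario. Returns the peak number of simultaneous secure entries
 * (must be 1 for the single-stack secure side to be sound) and writes the final
 * secure counter, which must equal the total number of calls if no call was lost. */
int run_model(uint32_t *final_counter) {
    pthread_t t[N_THREADS];
    atomic_store(&s_active, 0);
    s_max_concurrency = 0;
    s_counter = 0;
    for (int i = 0; i < N_THREADS; i++)
        pthread_create(&t[i], NULL, ns_thread, NULL);
    for (int i = 0; i < N_THREADS; i++)
        pthread_join(t[i], NULL);
    *final_counter = s_counter;
    return s_max_concurrency;
}

int main(void) {
    uint32_t calls;
    int peak = run_model(&calls);
    printf("peak simultaneous secure entries: %d, total calls: %u\n", peak, calls);
    return peak == 1 && calls == N_THREADS * CALLS_PER_THREAD ? 0 : 1;
}
```

The check that matters is `peak == 1`: with the NS mutex in place the secure side never sees a second caller while one is still executing, which is what allows it to run on a single stack without any tz_context bookkeeping. Removing the lock/unlock pair in `ns_call_secure` makes the peak exceed 1 and loses counter updates, which is exactly the situation a single-stack secure side cannot tolerate.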