mycall
Associate II
June 29, 2026
Question

Calling secure functions after boot load

Processor is STM32U585CIU6Q. I have a TrustZone project (STM32IDE) that runs just fine without the boot loader. At reset the secure project runs, transfers control to the non-secure and I can make calls to functions on the secure side just fine. All is good.

This is a boot loader development effort. I don’t have code to actually receive images yet. I place the secure and non-secure projects in place with the IDE and run the boot loader. When the boot loader transfers control to the secure application it seems to initially work OK. I get to the secure application OK. The secure application transfers control to the non-secure project OK. However, as soon as I try to make a call to a secure function the system hangs.

To transfer out of the boot loader I save a flag in protected memory and do a SW reset. I have used this technique on other ST parts as a way to get the processor in a known state. When I come out of reset the boot loader immediately (before any initialization except C init) tests the flag. If set it does (what I thought was) a pretty standard jump to the app via the vector table. As I said this works and I get to the secure app OK then to the non-secure app. As long as I stay in the non-secure code all is well. However, something is obviously not completely initialized because the linkage from non-secure to secure is broken.

I know a SW reset does not completely set everything back to default like a HW reset does. I assume the app code is assuming TrustZone things are in a 100% default state and the secure app does not do a 100% initialization of something -- and I am carrying over bad state from the boot loader.

Thoughts and ideas on what junk I might be carrying over from boot loader to app appreciated -- or a reference to info on how to make the transition properly would be appreciated.

Thanks in advance

1 reply

mycall (Author)
Associate II
July 1, 2026

So I have a solution of sorts. The boot loader is also a TZ project but I am only using the secure side. I never transition to the non-secure. Apparently the unused non-secure code is breaking the Security Attribution Unit which is why I can’t call back to the secure side. The root cause seems to be a linker issue not a code issue. I keep both projects (boot and app) in the IDE at the same time and if I am careful with the load order all is well. I need to chase down the linker issue but the code itself seems to work fine.
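
A pre-jump sanity check that a boot loader like the one in the question could run on the application's vector table before jumping through it, as an added example that is not code from the original posts. The secure alias bases, the memory sizes and the 0x0C020000 application base are assumptions, and the function and enum names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed windows: STM32U5 secure aliases; sizes are assumptions for this sketch. */
#define FLASH_S_BASE 0x0C000000u
#define FLASH_SIZE   0x00200000u   /* 2 MB */
#define SRAM_S_BASE  0x30000000u
#define SRAM_SIZE    0x000C0000u   /* 768 KB */

typedef enum { VT_OK, VT_BAD_TABLE, VT_BAD_SP, VT_BAD_RESET } vt_status;

/* Validate the first two words of an image's vector table before jumping.
 * vt_addr: flash address of the table; vt: its contents (initial SP, reset handler). */
vt_status check_vector_table(uint32_t vt_addr, const uint32_t vt[2])
{
    uint32_t sp = vt[0], reset = vt[1];

    /* VTOR ignores the low 7 bits, so the table must be 128-byte aligned and in flash. */
    if ((vt_addr & 0x7Fu) || vt_addr < FLASH_S_BASE ||
        vt_addr - FLASH_S_BASE >= FLASH_SIZE)
        return VT_BAD_TABLE;

    /* Initial SP: 8-byte aligned, inside secure SRAM (top of RAM is allowed). */
    if ((sp & 7u) || sp <= SRAM_S_BASE || sp - SRAM_S_BASE > SRAM_SIZE)
        return VT_BAD_SP;

    /* Reset handler: Thumb bit set, located in this image's part of secure flash. */
    uint32_t entry = reset & ~1u;
    if (!(reset & 1u) || entry < vt_addr || entry - FLASH_S_BASE >= FLASH_SIZE)
        return VT_BAD_RESET;

    return VT_OK;
}

int main(void)
{
    /* Constructed sample tables; 0x0C020000 is a hypothetical application base. */
    const uint32_t good[2]   = { 0x30010000u, 0x0C020201u };
    const uint32_t erased[2] = { 0xFFFFFFFFu, 0xFFFFFFFFu };

    printf("good image:   %d\n", check_vector_table(0x0C020000u, good));
    printf("erased flash: %d\n", check_vector_table(0x0C020000u, erased));
    /* On target, only after VT_OK: mask interrupts, write SCB->VTOR = vt_addr,
     * __set_MSP(vt[0]), then branch to vt[1]. */
    return 0;
}
```

This check only guards the jump itself; it does not inspect Security Attribution Unit state or the linker layout discussed in the reply.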