Operation of execution between secure and non secure code In Trust-zone MCU(STM32U5)

HirenThumar2702
Associate III

Hello Support Team,

Good day,

We are working on the Code Isolation activities on the STM32U585ZIT6Q controller.

While creating sample code with TrustZone enabled, it is divided into two parts:

a. Secure code: it has its own while loop, but before that, control is transferred to the Non-Secure code through "NonSecure_Init()".

b. Non-Secure code: it runs after control is transferred from the secure code to the non-secure code through the "NonSecure_Init()" call in the secure code.

We have some queries as below:

As per the sample code, the Secure fw does not perform any operation inside the while() loop, and all operations are taken care of in the non-secure while() loop.

1. Can we write code in the while() loop in the Secure firmware?

2. Can we change the state of control of operation access, i.e. secure and non-secure code execution, at any point in time?

e.g. Non-secure code is performing a data collection operation, and after some time we have to perform separate code execution which is part of the Secure fw (assume handled in while(1)) and is isolated from the Non-Secure fw. How can we do this?

It would be appreciated if you could share a possible solution so we can do better development.

Thanks

Hiren R. Thumar


Pierre_Paris
ST Employee

Hello Hiren R. Thumar @HirenThumar2702,

Thank you for your question!

In fact, the example you mentioned shows how to switch from the secure application to the non-secure application. The secure application is responsible for launching the non-secure application.

1/ You can write in the while() loop. In the example code, it doesn't really make sense because this part isn't executed.

2/ Yes you can change from secure to non-secure and opposite at any time. You can find more information here.

Can you tell me more about your application?

Have a great day!

Regards

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

Hello PARIS

Thanks for your support and guidance to us.

Our project includes different peripherals as listed below,

1. Display

2. LED Indication

3. Microprocessor Communication

4. Metrology IC communication 

5. Relay 

6. Monitoring operation 

Based on the Secure and Non-Secure architecture, the peripherals are divided as below:

Secure Region

1. Metrology IC communication 

2. Relay 

3. Monitoring operation 

Non-Secure Region

1. Display

2. LED Indication

3. Microprocessor Communication

According to our requirements, we can design our architecture in two ways:

1. RTOS-based Non-Secure code controls the Secure firmware through non-secure callable routines (in this instance, a secure application executes when a call is made through Non-secure -> non-secure callable function -> secure Region application).

2. Secure and Non-Secure code run independently (isolated execution):

  • Secure code: timer-interrupt based, it will perform the secure Region application
  • Non-Secure code: the RTOS-based feature will take care of operation execution of the non-secure Region application
  • Non-Secure callable: design a callback function which performs the required operation.

According to product safety certification, the secure code runs independently (Metrology + Monitoring + Relay) and is not dependent on non-secure Regions. Is it right, what we think in option 2 of the above case?

Pierre_Paris
ST Employee

Hello Hiren R. Thumar @HirenThumar2702,

Both approaches can theoretically work. However, the first method looks like the best way in your case. Please make sure to always boot in secure and then run RTOS/ThreadX in non-secure.

Can you please indicate to me what certification you are talking about?

Regards


HirenThumar2702
Associate III

Hello PARIS

Thanks for your support and guidance to us

Have a great day

We'll want UL1998/IEC60730 certification. Therefore, we want to certify only secure region codes because product safety-related responsibilities are taken into consideration in a secure region code.

In the first method, in this situation, the secure region job is dependent on the non-secure region trigger, meaning Non-secure region -> Non-secure callable function -> Secure region.

Considering product safety, the Secure Region application runs independently; could you provide guidance on how to run the secure region application independently through the first method?

Regards

Hiren R. Thumar

Hello Hiren R. Thumar @HirenThumar2702,

Have you read this document?

Here is the guidance you ask for:

  • You always boot in secure code
  • Secure can always access non secure BUT Non Secure can't access secure directly
  • Non Secure callable (NSC) is the interface for accessing Secure code from Non Secure code thanks to the SG
  • TrustZone is composed of 2 applications
    • Secure application (Metrology + Monitoring + Relay) that implements Non Secure Callable API
    • Non-Secure application (Display + LED + Communication) that potentially calls to the Non Secure Callable API
  • Define the NSC API in the "secure_nsc.c / .h"
  • Add the attribute CMSE_NS_ENTRY to allow the compiler to add the SG instruction.

You can find here a video on how to develop TrustZone applications

If you don't have any more questions, please click on best answer.

Regards

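One way to combine the two points discussed in this thread (the timer-driven secure job from option 2 of the question, and the NSC API described in this answer), as an added example that is not taken from the thread or from ST's code: a secure_nsc.c-style file in which the secure side runs its metrology job from a timer and exposes a single Non-Secure Callable entry point. It assumes an arm-none-eabi GCC build with CMSE; the NSC_ENTRY macro (standing in for ST's CMSE_NS_ENTRY), the SECURE_* names and the host stand-in for non-secure SRAM are the example's own, and it validates the non-secure buffer before writing to it, which every NSC function that receives a pointer from the non-secure side must do.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 1)
#include <arm_cmse.h>
#define NSC_ENTRY __attribute__((cmse_nonsecure_entry)) /* compiler emits the SG veneer */
#else
#define NSC_ENTRY /* host build: plain function, no veneer */
#endif

typedef struct { uint32_t voltage_mv; uint32_t current_ma; } metrology_sample_t;

/* Secure-only state: written by the secure timer job, never handed out by address. */
static metrology_sample_t s_latest = { 230000u, 1500u };
static uint32_t s_ticks;

#if !(defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 1))
/* Host stand-in for non-secure SRAM (constructed: 32 sample slots). */
static metrology_sample_t ns_ram[32];
#endif

/* Secure periodic job: call it from a secure timer ISR; it needs no NS trigger. */
void SECURE_MetrologyTick(uint32_t voltage_mv, uint32_t current_ma)
{
    s_latest.voltage_mv = voltage_mv;
    s_latest.current_ma = current_ma;
    s_ticks++;
}

uint32_t SECURE_TickCount(void) { return s_ticks; }

/* Is [p, p+n) entirely non-secure memory that the NS caller may write? */
static int ns_buffer_ok(const void *p, size_t n)
{
#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 1)
    return cmse_check_address_range((void *)p, n, CMSE_NONSECURE | CMSE_MPU_READWRITE) != NULL;
#else
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)ns_ram, hi = lo + sizeof ns_ram;
    return a >= lo && a <= hi && n <= hi - a; /* subtraction form cannot overflow */
#endif
}

/* NSC entry: NS passes a buffer, secure copies a snapshot of its state into it. */
NSC_ENTRY int SECURE_GetMetrologySample(metrology_sample_t *dst)
{
    if (!ns_buffer_ok(dst, sizeof *dst))
        return -1; /* secure, straddling or out-of-range pointer: refuse */
    memcpy(dst, &s_latest, sizeof *dst);
    return 0;
}
```

On the target, the host-only ns_ram block drops out and the range check is done by cmse_check_address_range against the SAU/IDAU and MPU configuration.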

HirenThumar2702
Associate III

Hello PARIS

Thanks for your support and guidance to us 

Have a great day

As per your suggestion, I have seen that the secure application depends on the non-secure application calling a function, which means Non-secure region -> Non-secure callable function -> Secure region.

Is there any method to execute the secure region while() loop, so I can put my Secure application in the secure region and it runs independently?

Thanks

Hiren R. Thumar

Pierre_Paris
ST Employee

Hello Hiren R. Thumar @HirenThumar2702,

You're welcome!

Have a great day too

Secure and non-secure code will work in independent regions. Only certain calls/interrupts will be able to switch applications.

Regards
