same-bank exitSecureArea details on h755

smnhff · ‎2024-04-10

Hello,

I have two applications: one at 0x08000000 and one at 0x08080000. Both run fine individually (when setting the boot config bytes to the fitting offset). Now I want to use the one at 0x08000000 as secure area and escape it by using exitSecureArea. In the debugger, I can observe that the code runs fine until the very call to exitSecureArea. Now my questions are:

1. Is there something else I need to to? This seems to suggest that I need to set the VTOR register. I currently (try to) do it before the call to exitSecureArea.

2. If I need to setup the VTOR register, is my code below correct? Or do I need to do it differently/at a different place?

3. Does exitSecureArea also work when the secure area is not set? I only tried without setting it as not to brick the device.

4. Is there a way to debug this nicely?

Spoiler

typedef struct

{

uint32_t sizeInBytes; /*!< pass 0 for an empty secure area */

uint32_t startAddress; /*!< pass NULL for an empty secure area */

uint32_t removeDuringBankErase; /*!< if 0, keep area during bank/mass erase. else area will be removed */

} RSS_SecureArea_t;

typedef struct

{

/**

* This service is used to exit from secure user software and jump to user main application.

* There is no system reset triggered by this service

*/

// vectors is the base of the other app

// build the other app, but for a different starting address

void (*exitSecureArea)(uint32_t vectors, uint32_t jtagState);

/**

* This service sets Secure user area boundaries.

* This service can be used only when a secure area is set for the first time.

* A system reset is triggered after service completion.

*/

void (*resetAndInitializeSecureAreas)(uint32_t nbAreas, RSS_SecureArea_t *areas); /*!< nbAreas=1 or 2;

1 per bank */

} RSS_API_Table_t;

#define RSS_API ((RSS_API_Table_t*)0x1FF09514)

void main(){
[...]
__disable_irq();

SCB->VTOR = 0x08080000;

__enable_irq();

RSS_API->exitSecureArea(0x08080000, 1);
}

typedef struct{uint32_t sizeInBytes; /*!< pass 0 for an empty secure area */uint32_t startAddress; /*!< pass NULL for an empty secure area */uint32_t removeDuringBankErase; /*!< if 0, keep area during bank/mass erase. else area will be removed */} RSS_SecureArea_t; typedef struct{/*** This service is used to exit from secure user software and jump to user main application.* There is no system reset triggered by this service*/// vectors is the base of the other app// build the other app, but for a different starting addressvoid (*exitSecureArea)(uint32_t vectors, uint32_t jtagState);/*** This service sets Secure user area boundaries.* This service can be used only when a secure area is set for the first time.* A system reset is triggered after service completion.*/void (*resetAndInitializeSecureAreas)(uint32_t nbAreas, RSS_SecureArea_t *areas); /*!< nbAreas=1 or 2;1 per bank */} RSS_API_Table_t; #define RSS_API ((RSS_API_Table_t*)0x1FF09514)void main(){[...]__disable_irq();SCB->VTOR = 0x08080000;__enable_irq();RSS_API->exitSecureArea(0x08080000, 1);}

Thanks for your help!

Pavel A. · ‎2024-04-10

> In the debugger, I can observe that the code runs fine until the very call to exitSecureArea

Really? Debugger does not work while the program runs in the secure area.

Setting the VTOR to the non-secure program before jump is not needed, IIRC. The non-secure program can set it later. Make sure you call exitSecureArea correctly.

@Jocelyn RICARD could you look at this, please?

smnhff · ‎2024-04-11

Let me be more precise: I want to use the application at 0x08000000 as secure area. To that end, I follow this application note, which suggests to run the setup before to ensure it works fine. As I have not completed this step, I did not set the secure area bytes yet and as such can still use the debugger. Your point raises a great question though: does exitSecureArea work if the secure configuration is not setup (question 3 in the original post)?

The code that sets the VTOR and calls exitSecureArea is hidden under the spoiler above. I hope it is correct.

When is the non-secure program later supposed to set it? Some time in the starting process? Or is main good enough?

Thanks for your help!

Pavel A. · ‎2024-04-11

> does exitSecureArea work if the secure configuration is not setup

Yes it should work. At least it worked on H753, and even on H743 without secure area function at all.

> When is the non-secure program later supposed to set it?

Both variants are good, just make sure that systick or other interrupts don't occur before VTOR is set.

smnhff · ‎2024-04-12

I tried both versions and neither worked for me. Again, I can run both apps fine alone. I modified the second app (located at 0x08080000) in two ways, as follows:

1. I added SCB->VTOR = 0x08080000; in the very first line in main. App still runs fine, exitSecureArea still does not work.

2. I added the following assembly to the start of the reset vector:

  mov   r3, 0x0808
  lsl   r3, 0x10
  mov   r2, 0xe
  lsl   r2, 0x1c
  orr   r2, 0xed00
  orr   r2, 0x8
  str   r3, [r2]

Again, app runs fine alone but exitSecureArea still does not run the app.

Are these two options implemented correctly? Otherwise, what do I need to change?

smnhff · ‎2024-04-15

Any new ideas? @Pavel A. @Jocelyn RICARD

Jocelyn RICARD · ‎2024-04-18

Hello @smnhff ,

I'm sorry, I'm very busy and don't have time to check what could go wrong with your setup.

Now, I made some time ago an example for using secure mem.

I share it here so you can have a look and test it on your board.

Best regards

Jocelyn