Operate peripherals under TrustZone

Symptoms

Some users cannot access MCU peripherals normally after adding peripheral initialization code to the MCUXpresso SDK TrustZone demo. For example, when Flash operation code is added in the secure world, execution jumps to HardFault_Handler on reaching the function FLASH_INIT(), and the Flash erase and Flash program operations also fail, as follows:

Figure 1

Figure 2

Figure 3

Figure 4

Figure 5

Diagnosis

As shown in Figure 2 and Figure 3, when execution reaches the statement return VERSION_FLASH_API_TREE->flash_init(config), it jumps straight to HardFault_Handler. VERSION_FLASH_API_TREE is located at address 0x1301fe00 in the Boot ROM, the flash erase API at address 0x1300413bU, and the flash program API at address 0x1300419dU (the corresponding program code is shown in Figure 6). None of these addresses is set to the secure privileged (S-Priv) security level.

Figure 6

According to chapter 7.5.3.1.2, "TrustZone preset data", of the user manual, once the TrustZone configuration is enabled, users must set the security level of the entire ROM address space to secure privileged (S-Priv) so that code in the secure area can access the ROM normally.

Figure 7

Solution

The steps below resolve this issue. The demo is based on the MCUXpresso SDK demo hello_world_s.

Step 1: Use the TEE tool integrated with MCUXpresso IDE to configure the security level of the Boot ROM address area. As shown in Figure 8, double-click the Boot-ROM area in the Memory attribution map window, then set the sector's security level in the corresponding Security access configuration window on the left.

Figure 8

Step 2: When operating Flash or other peripherals in the secure area, users must also set the security level of the related peripherals to secure privileged (S-Priv).

When operating flash in the SDK TrustZone demo, the MCU uses two slave peripherals, so users must set the security level of both to S-Priv.

Figure 9

Please Note:

  1. According to the user manual, the system clock frequency cannot exceed 100 MHz when operating flash.
  2. When using the function FLASH_Program(), because s_buffer is 512-byte aligned, BUFFER_LEN is equal to 512/N.

 

The security levels above can be configured through the TEE tool integrated with the MCUXpresso IDE. After completing the configuration, click Update Code to automatically update the relevant code in the tzm_config.c file, as shown in Figure 10.

Figure 10

The updated code is shown in Figure 11 below. The security level settings of the Boot ROM memory and the peripherals (FLASH, SYSCTRL) have clearly changed. If you do not use the TEE tool, you can also modify tzm_config.c manually to configure the same security options.

Figure 11
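
A host-side check for rule values edited by hand in tzm_config.c, added here as an example (it is not NXP's code or taken from the figures): it decodes the per-sector security level from the ROM rule words and reports whether the sectors holding the three ROM API addresses from the Diagnosis section are S-Priv. The ROM base address, 4 KB sector size, rule-word packing, level encoding and all function names are assumptions; confirm them against the user manual for your part.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not stated on the page): ROM secure alias at 0x13000000, 4 KB sectors,
   eight 2-bit levels per 32-bit rule word at 4-bit stride, 0=NS-User 1=NS-Priv 2=S-User 3=S-Priv. */
#define ROM_BASE       0x13000000u
#define SECTOR_SIZE    0x1000u
#define RULES_PER_WORD 8u
#define LEVEL_S_PRIV   3

/* Level of the sector containing addr, or -1 if addr is outside the rule words. */
int rom_sector_level(const uint32_t *rules, unsigned nwords, uint32_t addr)
{
    if (addr < ROM_BASE) return -1;
    uint32_t sector = (addr - ROM_BASE) / SECTOR_SIZE;
    if (sector >= nwords * RULES_PER_WORD) return -1;
    uint32_t word = rules[sector / RULES_PER_WORD];
    return (int)((word >> (4u * (sector % RULES_PER_WORD))) & 0x3u);
}

/* Number of addresses whose sector is not S-Priv (out-of-range counts as a failure). */
unsigned rom_audit(const uint32_t *rules, unsigned nwords,
                   const uint32_t *addrs, unsigned naddrs)
{
    unsigned bad = 0;
    for (unsigned i = 0; i < naddrs; i++) {
        int lvl = rom_sector_level(rules, nwords, addrs[i]);
        if (lvl != LEVEL_S_PRIV) {
            printf("0x%08x: level %d, not S-Priv\n", (unsigned)addrs[i], lvl);
            bad++;
        }
    }
    return bad;
}

/* ROM API addresses quoted in the Diagnosis section. */
static const uint32_t rom_api_addrs[3] = { 0x1301fe00u, 0x1300413bu, 0x1300419du };
/* Constructed sample rule words: all NS-User, last sector missed, whole ROM S-Priv. */
static const uint32_t rules_default[4] = { 0u, 0u, 0u, 0u };
static const uint32_t rules_partial[4] = { 0x33333333u, 0x33333333u, 0x33333333u, 0x03333333u };
static const uint32_t rules_fixed[4]   = { 0x33333333u, 0x33333333u, 0x33333333u, 0x33333333u };

int main(void)
{
    printf("default: %u failing\n", rom_audit(rules_default, 4, rom_api_addrs, 3));
    printf("partial: %u failing\n", rom_audit(rules_partial, 4, rom_api_addrs, 3));
    printf("fixed:   %u failing\n", rom_audit(rules_fixed, 4, rom_api_addrs, 3));
    return 0;
}
```

The partial case shows why the whole ROM range has to be covered: leaving only the last sector at a lower level still breaks the call through the API table at 0x1301fe00.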

Third-party tool users:

Many users are accustomed to third-party development tools such as Keil or IAR, but these IDEs do not integrate the TEE tool. When modifying the security level of areas and peripherals under TrustZone, these users need to check the configuration requirements of the related registers in the user manual and update the associated code in the tzm_config.c file (similar to Figure 11) to complete the configuration. In addition, NXP has released the MCUXpresso Config Tools, which integrate the MCU-related configuration functions. Users can download and install this tool to perform the configuration and update the code. The download link is as follows:

https://www.nxp.com/design/software/development-software/mcuxpresso-software-and tools/mcuxpresso-config-tools-pins-clocks-peripherals:MCUXpresso-Config-Tools

 

Introduction to MCUXpresso Config Tools

After the tool is installed, open the configuration tool, select Create a new configuration based on an SDK example or hello world project, and click Next, as shown in Figure 12:

Figure 12

 

In the Start Development window, follow the steps shown in Figure 13 to generate the project.

Figure 13

After the tzm_config.c file is updated, copy or import it into the corresponding folder of the Keil or IAR third-party development tool, and it can be used normally.

 

 

 

 

 

Version history: revision 2 of 2, last update 07-12-2021 06:16 AM