LPC55Sxx: Securing Digital IO Pins 

This tutorial explains why you must secure digital IO pins and how to utilize MCUXpresso Config Tools.

Risk of Secure information leakage 

GPIO (General Purpose Input Output) is the most common digital peripheral in a microcontroller. GPIO of LPC MCU is very flexible and powerful.  Below you can see a simple block diagram of  GPIO (Figure 1).  GPIO can read a pin state regardless of the pin function configured. For example, if this pin is configured as UART, then the pin state can be read via a  GPIO read.[1]

Figure 1 GPIO [1] 

Due to the architecture of GPIO, all digital IO pins states are readable through the GPIO module from the GPIO read path. It does not depend on what function is chosen for this pin as aforementioned. As a result, there is a possibility of information leakage from a Secure resource (S).  

For example, when you configure a UART as a Secure peripheral, it means that only the Secure world can access this UART. 

However, in this case, the Non-Secure world can monitor the UART pin states through the GPIO read path as shown in Figure 1. Hence, the Non-Secure world can get all the Secure information from the UART.[1] 

To prevent the leakage of information from the Secure world by GPIO, the Secure GPIO Mask is implemented on LPC55Sxx devices with TrustZone®.  This mask disallows the use of GPIO for a pin in both the Secure and the Non-Secure world. LPC55Sxx devices with TrustZone® implement a new NXP peripheral named Secure GPIO that can operate GPIO in the Secure world.

Figure 2 Secure GPIO and Secure GPIO Mask [1] 

Securing digital IO pins in MCUXpresso Config Tools 

MCUXpresso Config Tools contain everything you need to create a Secure configuration. You can do a pins configuration in the Pins tool, configure peripherals in the Peripherals tool, enable clocks in the Clocks tool, and set up the Secure aspects in the Trusted Execution Environment (TEE) tool.

Prerequisites 

• MCUXpresso IDE – v11.3.0 is used in this tutorial,
• LPCXpresso55S69 SDK – v2.9.0 is used in this tutorial,
• An application that uses TrustZone and Secure USART,
• LPCXpresso55S69 Development Board 

Application setup 

• The project uses TrustZone. 
• FLEXCOMM0 is used as USART. 
• FLEXCOMM0 is configured as Secure in the TEE tool. 
• FLEXCOMM0 uses non-blocking transfer. 

Reading digital IO state from the Non-Secure world 

You can create a simple example to test that the Non-Secure world can access information from the Secure world by reading the state of a GPIO pin. 

Assuming the Secure application uses FLEXCOMM0 to communicate and GPIO0.30 pin for TX signal, you can add a code to a Non-Secure application that can read the communication. To use GPIO macros from the example code, make sure the “board.h” header file of LPC55S69 board is added in the include section of the file.

When you run the application, the Non-Secure world reads the state of the GPIO pin and changes the state of the blue LED accordingly. You can achieve it without any additional modification to a configuration generated by MCUXpresso Config Tools. There is no need to configure the pin to GPIO. It demonstrates that the state can be read from the Non-Secure world and communication is not Secure.

Securing the pin in the TEE tool 

1. Open MCUXpresso Config Tools for the Secure project. 
2. In the example, pin 94 is used as TX pin of FLEXCOMM0 (See Figure 3) as shown in the picture of Pins view from the Pins tool below. The pin is shared with the GPIO0.30 signal.
   
   Figure 3 Digital IO pin configured in the Pins tool 
3. Open the TEE tool to configure pin masking  (See Figure 4).
   
   Figure 4 Open the Pins tab in the TEE tool 
4. When FLEXCOMM0 is Secure, the TEE tool reports a warning on the GPIO0.30 pin as there is a risk of Secure information leakage.  
5. Change the value of the Reading GPIO state column from Allow to Deny. 
6. To update project files with files generated from the MCUXpresso Config Tools, click the Update Code button.
   
7. Initialization code generated for a trust zone configuration now masks the read of pin 94 using GPIO. 

Verify that the pin cannot be read from the Non-Secure world 

You can run the same example to verify that reading a state of the pin, that is routed to the FLEXCOMM0 TX signal, from the Non-Secure world always returns the same value. Running the application, you can see that the blue LED is not changing color based on the communication of the FLEXCOMM peripheral. 

[1] 2020. AN12326: Secure GPIO And Usage. 1st ed. [ebook] NXP B.V. 2019, pp.3-4. Available at: <https://www.nxp.com/doc/AN12326> [Accessed 15 December 2020].