Trustzone Required to Work?

MattInSeattle
Contributor II

Hi, the Secure Provisioning Tool is very nice. Thanks for bringing all these steps into a single place.

If I take the blinky demo, I can make a signed image and load onto a board and it works. 

But if I take another demo, such as freertos_hello, and make a signed image and load it onto the board it doesn't work. It only works IF TrustZone pre-config is set to "Enabled (preset)" in the provisioning tool.

The freertos_hello project had a TrustZone directory, it was deleted. The "power switch" in the TEE config tools is off. In the Compiler settings, the TrustZone project type is set to "none", and ditto in Linker.

Why must TrustZone be enabled in order for freertos_hello to run?

Thanks

1 Solution
MattInSeattle
Contributor II

OK, thanks for the clue about the start address. That must be the issue. I will check next time I'm back at the problem. Thanks!


6 Replies
MattInSeattle
Contributor II

Hi Marek,

MCUXpresso IDE 11.2.1, SDK 2.8.2, processor is LPC55S16 64 pin on custom board. Secure Provisioning Tool is Version 2.1.

I took the freertos_hello, configured an output pin for an LED, and then toggled that LED in a loop. If signed image is picked in the provisioning tool, the image doesn't run. If I enable TrustZone, then it runs.

Thanks!

b23204
NXP Employee

Hi Matt,

Can you please double check what the start address is on the build page? It is expected to be zero. I'm asking because if TrustZone is used, it forces a zero start address using the VTOR register.

> The freertos_hello project had a TrustZone directory, it was deleted.

I do not see any "TrustZone" directory. Could you send a screenshot? Maybe I do not understand what you mean.

Do other examples work for you? For example hello_world or some other simple example without FreeRTOS?

Regards
Marek

MattInSeattle
Contributor II

Hi @marek, I have confirmed the start address is zero.

I have another problem that might be related. I can build release/debug images and sign as needed with provisioning tool (all required TrustZone = Enabled as previously discussed). I can write the images no problem as long as 'ENABLED SECURITY' isn't checked. Everything works exactly as expected. I can also upgrade with new signed images via my own bootloader. 

For the first time, I ticked "enable security" and the flash completed and showed green in Provisioning tool, but the image doesn't boot. The target is no longer reachable with "Test Connection" in Provisioning tool, meaning it's not running bootloader code any more.

I can go back to unsecured board and everything works again as expected. 

Why would ticking "enable security" cause the booting to stop?

b23204
NXP Employee

Hi MattInSeattle,

"enable security" means the device is sealed. I'm not sure how this can affect your bootloader.

Regards
Marek

b23204
NXP Employee

Hi Matt from Seattle,

can you please provide additional details:

- what SDK package are you using? What processor or board is it? What version?

- Is this problem related to SDK example "rtos_examples\freertos_hello"?

- What toolchain did you use to build the project?

Thanks, Marek
