# Operate peripherals under TrustZone

Some users cannot access MCU peripherals normally by adding peripheral initialization code to MCUXpresso SDK TrusZone demo. For example, when add Flash operation code in the security world, the program code jumps to HardFault\_Handler after running to function FLASH\_INIT(), and the execution of Flash erase and Flash program operations fails also, as follows:



Figure 3



Figure 4



Figure 5

## **Diagnosis**

As shown in figure 2 and figure 3, when the program code runs to code return VERSION\_FLASH\_API\_TREE->flash\_init(config), it automatically jumps to HardFault\_Handler. VERSION\_FLASH\_API\_TREE is located in the 0x1301fe00 address of the boot rom, the flash erase api is located in address 0x1300413bU, and the flash program api is located in address 0x1300419dU (the corresponding program code is shown in figure 6). All above addresses are not security privilege.

```
#define BOOTLOADER_API_TREE_POINTER ((bootloader_tree_t *)0x130010f0U)
runCmdFuncOption.commandAddr = 0x1300413bU; /*!< get the flash erase api location address in rom */
runCmdFuncOption.commandAddr = 0x1300419dU; /*!< get the flash program api location address in rom*/</pre>
```

Figure 6

From 7.5.3.1.2 TrustZone preset data chapter in user manual, after enabling the TrustZone configuration, users must configure the security level of the entire ROM address space to security priority (S-Priv) in order to ensure that the ROM area can be accessed normally by the security area code.

Table 212. TZM Preset value

| TZM_PRESET value (offset 24, bit 13) |                            |
|--------------------------------------|----------------------------|
| 0                                    | TrustZone data not present |
| 1                                    | TrustZone data present     |

Note: Since the TrustZone configuration is enabled before a jump to the user application, the user's TrustZone configuration data must allow ROM code execution for successful transition from secure to normal mode and jump to user application. This means that user's TrustZone settings must include:

- The whole ROM space (0x13000000-0x1301FFFF) must be configured as secure privilege.
- When a secure MPU is used, the whole ROM space (0x13000000-0x1301FFFF) must be configured for code execution.

Figure 7

## **Solutions**

Below is the steps of how to resolve this issue. The demo is based on MCUXpresso SDK demo hello\_world\_s.

**Step 1**: firstly we use the TEE tool integrated with MCUXpresso IDE to configure the security level of the Boot ROM address area, as shown in Figure 8, double-click the Boot-ROM area in the Memory attribution map window, and configure the sector's security level in the corresponding Security access configuration window on the left.



**Step 2:** Second, when operating Flash or other peripherals in the security area, users must configure the security level of correlative peripherals to the security priority(S-Priv).

When operating flash in the SDK TrustZone demo, the MCU uses two slave peripherals, so users must configure their security level to S-Priv.

SysTick->CTRL = 0; /\* Prevent generator systick handler \*/



Figure 9

#### **Please Note:**

- 1. From the usermanual, when operating flash, the system clock frequency cannot exceed 100MHZ.
- 2. When using the function of FLASH\_Program(), because the s\_buffer is 512-byte aligned, the BUFFER\_LEN is equal to 512/N.

```
#define BUFFER_LEN 512 / 4
const uint32_t s_buffer[BUFFER_LEN]={1,2,3,4};
```

The above configuration of the security level can be configured through the TEE tool integrated the MCUXpresso IDE. After completing configuration, click Update Code to automatically update the relevant code in the tzm\_config.c file, as shown in Figure 10.



Figure 10

The updated code is shown in Figure 11 below. It is obvious that the security level settings of boot rom memory and peripheral (FLASH, SYSCTRL) have changed. If you do not use the TEE tool, you can also manually modify tzm\_config.c to configure the same security options.

```
On disk: trustzone\tzm_config.c
171/* Security level configuration of memories *
172 AHB_SECURE_CTRL->SEC_CTRL_FLASH_ROM[0].SEC_CTRL_FLASH_MEM_RULE[0] = 0x000000033U;
173 AHB_SECURE_CTRL->SEC_CTRL_FLASH_ROM[0].SEC_CTRL_FLASH_MEM_RULE[1] = 0;
174 AHB_SECURE_CTRL->SEC_CTRL_FLASH_ROM[0].SEC_CTRL_FLASH_MEM_RULE[2] = 0;
175 AHB_SECURE_CTRL->SEC_CTRL_FLASH_ROM[0].SEC_CTRL_ROM_MEM_RULE[0] = 0x3333333333;
176 AHB_SECURE_CTRL->SEC_CTRL_FLASH_ROM[0].SEC_CTRL_ROM_MEM_RULE[1] = 0x33333333333;
177 AHB_SECURE_CTRL->SEC_CTRL_FLASH_ROM[0].SEC_CTRL_ROM_MEM_RULE[2] = 0x3333333333;
178 AHB_SECURE_CTRL->SEC_CTRL_FLASH_ROM[0].SEC_CTRL_ROM_MEM_RULE[3] = 0x333333333U;
179 AHB_SECURE_CTRL->SEC_CTRL_RAMX[0].MEM_RULE[0] = 0;
180 AHB_SECURE_CTRL->SEC_CTRL_RAM0[0].MEM_RULE[0] = 0x333333333;
181 AHB_SECURE_CTRL->SEC_CTRL_RAM0[0].MEM_RULE[1] = 0;
182 AHB_SECURE_CTRL->SEC_CTRL_RAM1[0].MEM_RULE[0] = 0;
183 AHB_SECURE_CTRL->SEC_CTRL_RAM1[0].MEM_RULE[1] = 0;
184 AHB_SECURE_CTRL->SEC_CTRL_RAM2[0].MEM_RULE[0] = 0;
185 AHB_SECURE_CTRL->SEC_CTRL_RAM2[0].MEM_RULE[1] = 0;
186 AHB_SECURE_CTRL->SEC_CTRL_RAM3[0].MEM_RULE[0] = 0;
187 AHB_SECURE_CTRL->SEC_CTRL_RAM3[0].MEM_RULE[1] = 0;
188 AHB_SECURE_CTRL->SEC_CTRL_RAM4[0].MEM_RULE[0] = 0;
189 AHB_SECURE_CTRL->SEC_CTRL_USB_HS[0].MEM_RULE[0] = 0;
190
191/* Security level configuration of peripherals */
192 AHB_SECURE_CTRL->SEC_CTRL_APB_BRIDGE[0].SEC_CTRL_APB_BRIDGE0_MEM_CTRL0 = 0x00000033U;
193 AHB_SECURE_CTRL->SEC_CTRL_APB_BRIDGE[0].SEC_CTRL_APB_BRIDGE0_MEM_CTRL1 = 0;
194 AHB_SECURE_CTRL->SEC_CTRL_APB_BRIDGE[0].SEC_CTRL_APB_BRIDGE0_MEM_CTRL2 = 0x00003000U;
195 AHB_SECURE_CTRL->SEC_CTRL_APB_BRIDGE[0].SEC_CTRL_APB_BRIDGE1_MEM_CTRL0 = 0x00003000U;
196 AHB SECURE CTRL->SEC CTRL APB BRIDGE[0].SEC CTRL APB BRIDGE1 MEM CTRL1 = 0;

197 AHB SECURE CTRL->SEC CTRL APB BRIDGE[0].SEC CTRL APB BRIDGE1 MEM CTRL2 = 0x00030000U;

198 AHB SECURE CTRL->SEC CTRL APB BRIDGE[0].SEC CTRL APB BRIDGE1 MEM CTRL3 = 0;
199 AHB_SECURE_CTRL->SEC_CTRL_AHB_PORT8_SLAVE0_RULE = 0x030000000U;
200 AHB SECURE CTRL->SEC CTRL AHB PORT8 SLAVE1 RULE = 0x000300000U;
```

Figure 11

### Third-party tools users:

Because many users are accustomed to using third-party development tools such as Keil or IAR, but these IDEs do not integrate the TEE tool, users need to check the configuration

requirements of related registers in user manual when modifying the security level of related areas and peripherals in TrusZone, and update the associated code in the tzm\_config.c file (similar to Figure 11) to complete the related configuration. In addition, NXP released the MCUXpresso Config Tools, which integrates MCU-related configuration functions. Users can download and install this tool to perform configurations and update codes. The download link is as follows:

https://www.nxp.com/design/software/development-software/mcuxpresso-software-and tools/mcuxpresso-config-tools-pins-clocks-peripherals:MCUXpresso-Config-Tools

## **Introduction of MCUXpresso Config Tools**

After the tool is installed, open the configuration tool, select *Create a new configuration based on an SDK example or hello world project*, click Next, as shown in Figure 12:



Figure 12

In *Start Development* window, follow below steps to generate project. As shown in Figure



Figure 13

After the tzm\_config.c file is updated, copy or import it to the corresponding folder of KEIL or IAR third-party development tools, and it can be used normally.