Because of widely available Internet connectivity, nowadays security concerns are not longer limited to PCs, servers and workstations but have become common to many embedded systems as well. Several hardware and software technologies have been developed to deal with this kind of challenges. ARM® TrustZone® technology is one of these.
Even if this technology has been conceived primarily to address security issues, embedded systems designers can leverage it to implement innovative configurations, satisfying different in nature requirements that typically arise in industrial applications and deep embedded systems. Two of such requirements are real-timeness and system integrity.
The following describes the TrustZone-based solution that DAVE Embedded Systems has implemented to meet all these requirements on BORA and BORAX platforms.
Limitations of traditional configurations
Xilinx Zynq AP architecture provides unprecedented possibilities in terms of integration. In industrial world applications, this is often leveraged to combine on a single chip the implementation of real-time tasks with generic software applications and functionalities that don't have specific requirements in terms of real-timeness. In addition, the flexibility offered by the FPGA - known as Programmable Logic or PL for short - allows system designers to implement in hardware custom IPs to add new interfaces and peripherals or to move processing modules from the software to the hardware realm.
For example, the integrity of an application with root privileges could access memory regions that are supposed to be exclusively accessed by code executed in W1. This may lead to unpredictable behaviors and to potentially catastrophic consequences. This is where TrustZone technology comes to help: it establishes a sort of barrier between the two worlds and prevents W2 code from unauthorized accesses to certain regions of the processor's addressing space.
The major difference with respect to the traditional AMP configuration is the use of a software monitor, specifically a customized version of TOPPERS SafeG.
As shown in the picture, the monitor can be viewed as a software layer that lies between Trust/Non-trust worlds and underlying hardware. The monitor is responsible for:
- enabling and initializing TrustZone in order to protect regions that must not be accessible by Non-secure world
- setup data structure and exception handlers needed for context switch and Secure Monitor Call (SMC)
- start the trusted OS
Later, once the trusted OS is ready, it will do a specific SMC that will do the context switch that will start the non-trusted OS.
About operating systems, Linux has been chosen for Non-trust world, while FreeRTOS has been selected for the Trust world. At the time of this design, the Linux/FreeRTOS combination has proven to be the most appealing for the majority of applications that this solution addresses. Nevertheless different combinations are possible.
About the multi-processing scheme, the two Zynq core are assigned statically to the two world (core0 to Linux, core1 to FreeRTOS). This allows to:
- simplify the whole system implementation
- reduce RTOS latency (because there's never need of non-trusted to trusted context switch)
From the memory point of view:
- the main memory is statically partitioned (by the monitor) into tree sections:
- a non-trusted private area (protected at MMU-only level from trusted access)
- a trusted private area (protected at TrustZone level by non-trusted access)
- a shared memory area, marked as non-trusted
System memory partitioning:
The boot process consists of several stages that are detailed in the following list.
- reset signal is deasserted and core #0's Program Counter is set to reset vector address
- The first piece of code executed by the processor is BootROM. Depending on bootstrap configuration pins, First Stage Boot Loader (FSBL in the rest of the document) image is retrieved from a specific non-volatile memory by BootROM and stored into on-chip memory (OCM).
- FSBL performs basic hardware initializations (including SDRAM subsystem) and retrieves U-Boot bootloader image
- completes hardware initializations
- retrieves the following binary images and store them into SDRAM:
- trusted code (FreeRTOS image in our case)
- non-trusted code (linux kernel image and Device Tree Blob in our case).
- gives monitor the control.
- monitor code
- initializes TrustZone subsystem
- enables both cores, setting up all the data structure required by TrustZone
- gives trusted code the control of the machine.
- FreeRTOS kernel is initialized and real-time tasks are started. Under the control of the tasks running on top of the RTOS kernel, the non-trusted (NT for short) code is started.
About DAVE Embedded Systems:
DAVE Embedded Systems based in Italy, was founded in 1998 as an engineering Services Company; devoted to designing highly complex embedded electronic systems from the concept to the end product.
From its inception and the years following, DAVE Embedded Systems has gained lots of expertise; other related know how and design capabilities to offer its customers the leading edge solutions in the embedded market. With its own manufacturing operations, DAVE Embedded Systems has been able to provide in a timely manner the CPU modules and Embedded Electronic systems to its customers.
For more information, please contact us