TrustZone with KeyStone II Non-secure Device

Hi,

TI states that a secure part is needed to use ARM TrustZone.

http://e2e.ti.com/support/dsp/c6000_multi-core_dsps/f/639/t/325088.aspx

But I suspect that we can use limited TrustZone features with a non-secure part. I'd like to make sure of it. The reason is that the boot monitor software in MCSDK deals with the switching between the secure world and the non-secure world.

http://processors.wiki.ti.com/index.php/MCSDK_UG_Chapter_Exploring#Boot_Monitor_2

This means that KeyStone II non-secure devices on the EVMs have TrustZone implementations on some level. If the memory space separation feature of TrustZone (a dedicated MMU for each world) is available for a non-secure device, it will be greatly useful for many users. I know that the non-secure part doesn't support secure boot.

Best regards,
Tsutomu Furuse

  • Hi,

    Welcome to the TI E2E forum. I hope you will find many good answers here and in the TI.com documents and in the TI Wiki Pages (for processor issues). Be sure to search those for helpful information and to browse for the questions others may have asked on similar topics (e2e.ti.com).

    Yes. Your understanding is correct.

    There is a secure and non-secure device as you mentioned here, but in ARM A15, there is also a secure and non-secure mode (world). Certain ARM configuration needs to be done in secure mode by issuing an "smc #0" command (that is, to clear the NS bit in SCR). I believe RBL calls into the boot monitor non-secure part, which does some initialization and issues "smc #0" to be in the secure world, and then does the rest of the configuration in the sec directory of the boot monitor.

    Please refer to this thread as well.

    http://e2e.ti.com/support/dsp/c6000_multi-core_dsps/f/639/t/345672.aspx

    Thank you.
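    The reply above describes the boot monitor entering the secure world with "smc #0" and clearing SCR.NS; the following added example, written for this thread and not taken from TI's boot monitor, shows what a minimal ARMv7-A (Cortex-A15) Secure Monitor that services that instruction looks like in GNU assembler. It assumes a single core that reaches install_monitor in Secure SVC mode with SCR.SCD clear; the names install_monitor, smc_entry, other_world_sp and ns_frame and the frame layout are this example's own.

```asm
    .arm
    .syntax unified
@ Call once from Secure SVC mode, r0 = Normal world entry: set MVBAR and SP_mon, then
@ build the Normal world's first frame (r0-r12 zero via .bss, PC = entry, CPSR 0xD3).
    .global install_monitor
install_monitor:
    ldr     r1, =monitor_vectors
    mcr     p15, 0, r1, c12, c0, 1     @ MVBAR <- vector base (32-byte aligned)
    cps     #0x16                      @ Monitor mode, reachable only from Secure state
    ldr     sp, =mon_stack_top         @ SP_mon for frames pushed by the Secure world
    cps     #0x13                      @ back to SVC
    ldr     r1, =ns_frame              @ frame layout: r0-r12, return PC, CPSR
    str     r0, [r1, #52]              @ word 13: PC
    mov     r2, #0xD3                  @ SVC mode, IRQ and FIQ masked, ARM state
    str     r2, [r1, #56]              @ word 14: CPSR
    ldr     r2, =other_world_sp
    str     r1, [r2]
    isb
    bx      lr
    .align 5
monitor_vectors:
    b       .                          @ 0x00 reserved
    b       .                          @ 0x04 reserved
    b       smc_entry                  @ 0x08 SMC
    b       .                          @ 0x0C prefetch abort
    b       .                          @ 0x10 data abort
    b       .                          @ 0x14 reserved
    b       .                          @ 0x18 IRQ
    b       .                          @ 0x1C FIQ
@ "smc #0" from either world lands here in Monitor mode, which is always Secure, so SCR
@ may be written whatever the caller's world was. Save caller frame, swap monitor stacks,
@ flip SCR.NS, resume the other world. (Mode-banked SP/LR and FPU state not saved here.)
smc_entry:
    srsdb   sp!, #0x16                 @ push LR_mon (return PC) and SPSR_mon
    push    {r0-r12}
    ldr     r0, =other_world_sp
    ldr     r1, [r0]
    str     sp, [r0]                   @ remember this world's frame
    mov     sp, r1                     @ take the other world's frame
    mrc     p15, 0, r0, c1, c1, 0      @ SCR, bit 0 is NS
    eor     r0, r0, #1                 @ Secure <-> Non-secure
    mcr     p15, 0, r0, c1, c1, 0
    isb
    pop     {r0-r12}
    rfeia   sp!                        @ load PC and CPSR: resume the other world
    .bss
other_world_sp: .space 4
    .space 1024
mon_stack_top:
ns_frame:       .space 60
```

    The first "smc #0" issued by the Secure world after install_monitor lands in the Normal world at the entry address; each later "smc #0" from either side returns to the instruction after the other side's last SMC.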

  • Rajasekaran,

    Thank you for your quick reply.
    I'd like to know further on this topic.
    Is it feasible for us to create the separate secure environment, which is described in TI's TrustZone whitepaper, with a non-secure device?

    http://www.ti.com/lit/wp/spry228/spry228.pdf

    Separate secure environment. TrustZone splits processor cores into two virtual cores, one operating in a normal world and the other working in a secure world (Figure 1). This mechanism essentially creates another level of execution privilege in addition to the traditional demarcation of user and kernel modes. Transitions between the two worlds are carefully controlled by monitor mode software. In addition, each virtual processor has access to its own virtual memory management unit (MMU) so that clear separation between normal and secure page table translations can be maintained. Cache memories also have additional tag bits to distinguish between content cached by either secure or normal world cores. By this means, access to secure cached content from normal world masters can be denied.

    Best regards,
    Tsutomu Furuse

  • Tsutomu,

    ARM TrustZone security features are intended to be used in a secure device environment. In a non-secure environment:

    (a) there is no root of trust, so there is no way to verify that the code that is booted isn't compromised

    (b) firewalls (MPUs) aren't activated by the boot ROM, so there is no way to protect trusted environment code or memory from being read or modified

    (c) the NS (non-secure) bit coming out of tetris for each read/write is always 0 (meaning everything is treated as secure), so there is no way to differentiate a real secure transaction (one made when the ARM is in secure state) from an insecure one

    (d) no eFuses for storing encryption and public key hashes are blown on non-secure devices, so these can't be used in a non-secure environment.

    Regards,

    Rahul

  • Rahul,

    Thank you very much for the detailed answer.
    Now I understand that a secure device is needed for TrustZone.

    Best regards,
    Tsutomu Furuse