Creating a non-TrustZone ARMv8 image

[kjbracey]

Description

This is prompted by #9446

There seems to be no way to create a simple non-TrustZone ARMv8 image - the tooling is assuming a binary choice between

• Cortex-M23: make a secure TrustZone library
• Cortex-M23-NS: make a non-secure TrustZone image (which must link in a secure library, maybe generated by the above)

There needs to be a third choice - make a simple non-TrustZone image. (That image would work either on a chip without TrustZone extension, or work on a TrustZone-capable chip by running entirely in Secure state).

We could adjust the core suffix to be 3-way. For that, this naming would make sense:

• Cortex-M33: make a non-TrustZone image
• Cortex-M33-S: make a secure TrustZone library
• Cortex-M33-NS: make a non-secure TrustZone image (which must link in a secure library, maybe generated by the above)

But it seems that the CPU options are starting to multiply out-of-hand there, what with the need to select DSP and FP too.

So, why is the secure choice part of the core name? It seems to me that it would be better handled like the SPE/NSPE choice for PSA - extra labels to indicate the "-S" and "-NS" variants, and the core is always just "Cortex-M33" (plus FP/DSP flags).

If you do that, the existing Python checks for "-NS" suffix or not convert like this:

    if target.is_TZ_secure_target:
        self.flags['cxx'].append("-mcmse")
        self.flags['c'].append("-mcmse")

    # Create Secure library
    if (target.is_TZ_secure_target and
        kwargs.get('build_dir', False)):
        build_dir = kwargs['build_dir']
        secure_file = join(build_dir, "cmse_lib.o")
        self.flags["ld"] += ["--import_cmse_lib_out=%s" % secure_file]

    # Add linking time preprocessor macro DOMAIN_NS
    if target.is_TZ_nonsecure_target:
        define_string = self.make_ld_define("DOMAIN_NS", "0x1")
        self.flags["ld"].append(define_string)

Both conditions are false if it's a non-TrustZone image, making the build system act like ARMv7.

Issue request type

[ ] Question
[X] Enhancement
[ ] Bug

[deepikabhavnani]

So, why is the secure choice part of the core name? It seems to me that it would be better handled like the SPE/NSPE choice for PSA - extra labels to indicate the "-S" and "-NS" variants, and the core is always just "Cortex-M33" (plus FP/DSP flags).

In tools we did not have mechanism to build secure + non-secure binaries with single command or same core. Ideally it should be core selection - build SPE TF-M and NSPE mbed-os and merge binaries along with post build / pre-build operations.

S/NS variants were provided as a way to build secure / non-secure binaries separately with the help of .mbedignore

[kjbracey]

We don't need to build everything with a single command - I didn't think the SPE/NSPE does either. But it would be cute.

Having the secure+nonsecure halves remain built as separate targets that select different options seems fine to me - it just would be nice to make the option they specify separate from the core name, reducing the multiplications in the core-related stuff.

Using an extra label would still let you do "TARGET_TZ_NS" or "TARGET_TZ_S" for selection at the tree level. "DOMAIN_NS" as an option lets you do most of the logic you need in the Mbed OS code. The flags you'd have to play with would be:

• Non-secure: TARGET_TZ_NS, DOMAIN_NS=1, TARGET_TFM=10
• Secure: TARGET_TZ_S, DOMAIN_NS=0, TARGET_TFM=1
• Non-TrustZone: DOMAIN_NS=0, TARGET_TFM=0

(If I'm understanding TARGET_TFM correctly?).

[deepikabhavnani]

I am confused here for TARGET_TFM. Also we have COMPONENT_SPE / COMPONENT_NSPE coming in.
Should it be:

Non-secure: TARGET_NSPE, DOMAIN_NS=1, TARGET_TFM=0
Secure: TARGET_SPE, DOMAIN_NS=0, TARGET_TFM=1
Non-TrustZone: DOMAIN_NS=0, TARGET_TFM=0

[deepikabhavnani]

I am yet to understand this #9221, but I am not sure of COMPONENT_SPE / NSPE / PSA - and TFM as target... Should all that be Target as well (my brain says), but need to understand the reason to have them as component + target combination.
This will also play the role here, as we have more flags and combination

[kjbracey]

I just corrected (hopefully) what I put for TARGET_TFM, possibly while you were writing that.

Most code (drivers, OS) shouldn't care about the distinction, and DOMAIN_NS will be sufficient. But some code might need to tell the difference between "I'm the complete image" and "I'm the security library for the main image", so DOMAIN_NS isn't enough for them. Presumably the "TFM" flag covers that, but maybe you need something else.

The SPE/NSPE security distinction is higher level than the TrustZone thing - it might be implemented using TrustZone, but could actually be a completely different core. I'm not sure it's wise to borrow that option for the TrustZone S/NS split. It wouldn't work for the python tests I suggested above. I think we need a separate specific option. (Similarly you could be using TrustZone but without the PSA NSPE/SPE split).

[ciarmcom]

Internal Jira reference: https://jira.arm.com/browse/MBOCUSTRIA-784

[jeromecoutant]

+1 for Kevin's proposition:

• Cortex-M33: make a non-TrustZone image
• Cortex-M33-S: make a secure TrustZone library
• Cortex-M33-NS: make a non-secure TrustZone image

[deepikabhavnani]

Cortex-M33: make a non-TrustZone image
Cortex-M33-S: make a secure TrustZone library
Cortex-M33-NS: make a non-secure TrustZone image

This will impact all Armv8M targets in development or in Mbed OS. We need broad audience here to confirm. More information #9446 (comment)
@alzix @mikisch81 @jeromecoutant @cyliangtw @mmahadevan108

[cmonr]

@deepikabhavnani Should @SenRamakri reach out to others?

[deepikabhavnani]

@cmonr - Internal discussions on this are in progress