Arm TrustZone project
The Arm TrustZone® technology is a system-wide approach to security for Arm Cortex-A CPUs. Similar capabilities, namely the Cortex-M Security Extensions (CMSE), also became available as an optional feature for microcontrollers based on the ARMv8-M (or later) architecture.
Such extensions add memory protection, instructions for validating memory access, and controlled transition between two modes of execution: secure and non-secure.
CMSE standardizes an interface which requires tool support. The IAR build tools support CMSE via preprocessor symbols, extended keywords, intrinsic functions, compiler options, linker options, and the section `Veneer$$CMSE`. More information can be found within the `<arm_cmse.h>` header file installed with the product as well as in the associated IAR C/C++ Development Guide.
A minimalistic project example is provided at examples/trustzone:
Project files |
---|
CMakeLists.txt |
non-secure/CMakeLists.txt |
non-secure/non-secure-hello.c |
non-secure/v2m-mps2_ns.icf |
secure/CMakeLists.txt |
secure/secure-hello.c |
secure/secure-hello.h |
secure/v2m-mps2_s.icf |
The focus of this interactive example is on how the `CMakeLists` can be configured in this particular scenario. This CMake project builds two executable targets: `secure` and `non-secure`. The `secure` target exports function entries that are used in the `non-secure` target.
There are two functions in the `secure` executable, callable from the `non-secure` executable via a secure gateway interface:
- `secure_hello()`: Prints a greeting message, in the classic "hello world" style.
- `register_secure_goodbye()`: A callback function that returns a string which is printed when exiting from the `secure` executable.
Note
The code needed for the secure gateway interface is automatically generated by the IAR ILINK Linker, and will be placed in the `Veneer$$CMSE` section.
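
A string returned by a callback that lives in the non-secure executable is untrusted input to the secure side, so it should be range-checked with `cmse_check_address_range()` from `<arm_cmse.h>` and copied before it is printed. The following is an added example, not the project's `secure-hello.c`: the callback signature, `fetch_goodbye()`, `GOODBYE_MAX`, the keyword placement in the IAR branch and the host-side memory model are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#if defined(__ICCARM__) && defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3)
#include <arm_cmse.h>                              /* IAR build with --cmse */
#define NS_ENTRY __cmse_nonsecure_entry
typedef __cmse_nonsecure_call const char *(*goodbye_fn)(void);
static int ns_readable(const void *p, size_t n)    /* TT-based range check */
{
    return cmse_check_address_range((void *)p, n,
                                    CMSE_NONSECURE | CMSE_MPU_READ) != NULL;
}
#else  /* host model (constructed) so the logic can be exercised off-target */
#include <string.h>
#define NS_ENTRY
typedef const char *(*goodbye_fn)(void);
char ns_ram[32];                                   /* stands in for non-secure RAM */
char s_secret[32] = "secure-only data";            /* stands in for secure RAM */
static int ns_readable(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)ns_ram;
    return a >= lo && n <= sizeof ns_ram && a - lo <= sizeof ns_ram - n;
}
const char *honest_cb(void)  { return ns_ram; }    /* points into non-secure RAM */
const char *hostile_cb(void) { return s_secret; }  /* points into secure RAM */
#endif

#define GOODBYE_MAX 24                             /* hypothetical length limit */
static goodbye_fn goodbye_cb;

/* Hypothetical signature for the entry function named on this page. */
NS_ENTRY void register_secure_goodbye(goodbye_fn fn) { goodbye_cb = fn; }

/* Copy the callback's string into secure memory before it is used.
 * Returns its length, or -1 if a byte lies outside non-secure memory
 * or no terminator is found within GOODBYE_MAX bytes. */
int fetch_goodbye(char out[GOODBYE_MAX])
{
    if (goodbye_cb == NULL) return -1;
    const char *s = goodbye_cb();                  /* untrusted return value */
    for (size_t i = 0; i < GOODBYE_MAX; i++) {
        if (!ns_readable(s + i, 1)) return -1;     /* left non-secure memory */
        char c = s[i];                             /* read once, then use the copy */
        out[i] = c;
        if (c == '\0') return (int)i;
    }
    return -1;                                     /* unterminated string */
}
```

The secure side then prints only the copy in `out`, never the pointer the callback returned.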
- Perform the following task in `CMakeLists.txt` (click to show/hide answers):

TODO 1: Add `secure` as a dependency for `non-secure`

```cmake
add_dependencies(non-secure secure)
```
- Perform the following tasks in `secure/CMakeLists.txt` (click to show/hide answers):

TODO 2: Enable the CMSE in the compiler flags

```cmake
target_compile_options(secure PRIVATE
  --cpu=$<TARGET_PROPERTY:CPU>
  --cmse
)
```

TODO 3: Set the linker to produce an import library, consumed by the `non-secure` target

```cmake
target_link_options(secure PRIVATE
  --semihosting
  --cpu=$<TARGET_PROPERTY:CPU>
  --config ${CMAKE_CURRENT_SOURCE_DIR}/v2m-mps2_s.icf
  --import_cmse_lib_out ${CMAKE_BINARY_DIR}/hello_s_import_lib.o
)
```
- Perform the following tasks in `non-secure/CMakeLists.txt` (click to show/hide answers):

TODO 4: Make use of the `secure` target include directories

```cmake
target_include_directories(non-secure PRIVATE
  $<TARGET_PROPERTY:secure,INTERFACE_INCLUDE_DIRECTORIES>
)
```

TODO 5: Link against the import library generated from the `secure` target

```cmake
target_link_options(non-secure PRIVATE
  --cpu=$<TARGET_PROPERTY:secure,CPU>
  --config ${CMAKE_CURRENT_SOURCE_DIR}/v2m-mps2_ns.icf
  --semihosting
  ${CMAKE_BINARY_DIR}/hello_s_import_lib.o
)
```

TODO 6: Specify no entry point for the `non-secure` target

```cmake
target_link_options(non-secure PRIVATE
  --cpu=$<TARGET_PROPERTY:secure,CPU>
  --config ${CMAKE_CURRENT_SOURCE_DIR}/v2m-mps2_ns.icf
  --semihosting
  ${CMAKE_BINARY_DIR}/hello_s_import_lib.o
  --no_entry
)
```
- Finally build and test the project. Refer to the tutorial for more information.