You copied the Doc URL to your clipboard.

5.1.2. Software architecture

There are many possible software architectures which a Secure world software stack on a TrustZone-enabled processor core could implement. The most complex is a dedicated Secure world operating system: the simplest is a synchronous library of code placed in the Secure world. There are many intermediate options between these two extremes.

Secure operating system

A dedicated operating system in the Secure world is a complex, but powerful, design. It can simulate concurrent execution of multiple independent Secure world applications, run-time download of new security applications, and Secure world tasks that are completely independent of the Normal world environment.

The most extreme version of these designs closely resembles the software stacks that would be seen in a SoC with two separate physical processors in an Asymmetric Multi-Processing (AMP) configuration. The software running on each virtual processor is a standalone operating system, and each world uses hardware interrupts to preempt the currently running world and acquire processor time.

A tightly integrated design, which uses a communications protocol that associates Secure world tasks with the Normal world thread that requested them, can provide many of the benefits of a Symmetric Multi-Processing (SMP) design. In these designs a Secure world application could, for example, inherit the priority of the Normal world task that it is assisting. This would enable some form of soft real-time response for media applications.

Figure 5.1. : A possible architecture with an independent Secure world OS

Figure 5.1. : A possible architecture with an independent Secure
world OS

One of the advantages of a design based on operating system principles is the use of the processor MMU to separate the Secure world memory space into multiple user-space sandboxes. Provided that the Secure world kernel software is correctly implemented, security tasks from independent stakeholders can execute at the same time without needing to trust each other. The kernel design can enforce the logical isolation of secure tasks from each other, preventing one secure task from tampering with the memory space of another.

Synchronous library

Many use cases do not need the complexity of a Secure world operating system. A simple library of code in the Secure world which can handle one task at a time is sufficient for many applications. This code library is entirely scheduled and managed using software calls from the Normal world operating system.

The Secure world in these systems is a slave to the Normal world and cannot operate independently, but can consequently have a much lower level of complexity.

Intermediate options

There is a range of options that lies between these two extremes. For example, a Secure world multi-tasking operating system may be designed to have no dedicated interrupt source, and as such could be provided with a virtual interrupt by the Normal world. This design would be vulnerable to a denial-of-service attack if the Normal world operating system stopped providing the virtual interrupt, but for many cases this is not a problematic attack. Alternatively, the MMU could be used to statically separate different components of an otherwise synchronous Secure world library.

Was this page helpful? Yes No