ARM Cortex-M55 TrustZone Secure-to-Non-Secure Transition Overhead

The ARM Cortex-M55 processor, with its TrustZone security extension, provides a robust mechanism for isolating secure and non-secure worlds. A common use case involves calling secure services from the non-secure world, which is facilitated by the cmse_ns_entry function and the BXNS instruction. However, when the same secure service is called from the secure world, the overhead of the secure-to-non-secure transition mechanisms becomes redundant and impacts performance. This issue arises because the cmse_ns_entry function and its associated assembly instructions are designed to handle the transition between secure and non-secure states, which is unnecessary when the caller is already in the secure state.

The core of the problem lies in the fact that the BXNS instruction, along with its associated context-saving and restoration instructions (such as STCL, VLDM, and LDCL), are executed even when the caller is in the secure state. These instructions are essential for ensuring a safe transition between security states but are redundant when the caller and callee are both in the secure state. This redundancy introduces unnecessary performance overhead, particularly when the secure service is called frequently from the secure world.

Redundant Execution of BXNS and Context-Saving Instructions

The BXNS instruction is designed to conditionally transition from the secure to the non-secure state based on the value of the least significant bit (LSB) of the target address register (Rm). When the LSB of Rm is 0, the processor transitions to the non-secure state. When the LSB is 1, the processor remains in the secure state. In the case of a secure function call from the secure world, the LSB of the return address (LR) is set to 1, indicating that the processor should remain in the secure state. However, the BXNS instruction and its associated context-saving instructions are still executed, even though the security state does not change.

The STCL, VLDM, and LDCL instructions are part of the context-saving and restoration process that ensures the secure state is preserved during a transition to the non-secure state. These instructions save and restore the secure context, including registers and stack pointers, to prevent leakage of secure information to the non-secure world. While these instructions are critical for maintaining security during a state transition, they are unnecessary when the caller and callee are both in the secure state. Executing these instructions in such scenarios introduces unnecessary overhead, which can degrade performance, especially in time-sensitive applications.

Implementing Conditional Execution of Secure-to-Non-Secure Transition Code

To address the performance overhead caused by the redundant execution of BXNS and context-saving instructions, a conditional execution mechanism can be implemented. This mechanism ensures that the secure-to-non-secure transition code is only executed when the caller is in the non-secure state. When the caller is in the secure state, the transition code is bypassed, and the secure function is called directly.

One approach to implementing this mechanism is to use a runtime check to determine the security state of the caller. The TT (Test Target) instruction can be used to check the security state of the return address (LR). If the return address is in the secure state, the transition code is bypassed, and the secure function is called directly. If the return address is in the non-secure state, the transition code is executed to ensure a safe transition to the non-secure state.

The following table summarizes the key steps involved in implementing this conditional execution mechanism:

Step Description
1 Use the TT instruction to check the security state of the return address (LR).
2 If the return address is in the secure state, branch directly to the secure function.
3 If the return address is in the non-secure state, execute the STCL, VLDM, and LDCL instructions to save and restore the secure context.
4 Execute the BXNS instruction to transition to the non-secure state.

By implementing this conditional execution mechanism, the performance overhead associated with redundant secure-to-non-secure transition code can be significantly reduced. This approach ensures that the transition code is only executed when necessary, preserving the security of the system while optimizing performance.

In addition to the runtime check, the use of compiler attributes can further optimize the execution of secure functions. The cmse_ns_entry attribute can be used to indicate that a function is intended to be called from the non-secure world. When this attribute is applied, the compiler generates the necessary transition code for calls from the non-secure world. However, when the function is called from the secure world, the compiler can generate a direct call to the secure function, bypassing the transition code.

The following example demonstrates the use of the cmse_ns_entry attribute to optimize secure function calls:

// Secure function intended to be called from the non-secure world
__attribute__((cmse_ns_entry)) void secure_service(void) {
    // Secure service implementation
}

// Secure function called from the secure world
void secure_service_direct(void) {
    // Direct call to the secure service implementation
    secure_service();
}

In this example, the secure_service function is marked with the cmse_ns_entry attribute, indicating that it is intended to be called from the non-secure world. When secure_service is called from the non-secure world, the compiler generates the necessary transition code. However, when secure_service_direct is called from the secure world, the compiler generates a direct call to secure_service, bypassing the transition code.

By combining runtime checks and compiler attributes, the performance overhead associated with redundant secure-to-non-secure transition code can be effectively minimized. This approach ensures that the transition code is only executed when necessary, preserving the security of the system while optimizing performance.

Conclusion

The ARM Cortex-M55 TrustZone security extension provides a robust mechanism for isolating secure and non-secure worlds. However, the overhead associated with redundant secure-to-non-secure transition code can impact performance, particularly when secure functions are called frequently from the secure world. By implementing a conditional execution mechanism and leveraging compiler attributes, the performance overhead can be significantly reduced. This approach ensures that the transition code is only executed when necessary, preserving the security of the system while optimizing performance.

Similar Posts

ARMv8 A72 Cortex Level 1 Translation Fault During MMU Enable

ARMv8 A72 Cortex Level 1 Translation Fault During MMU Enable

BySystem on Chips

ARM Cortex-A72 MMU Configuration and Level 1 Translation Fault When enabling the Memory Management Unit (MMU) on an ARM Cortex-A72 processor, a Level 1 translation fault can occur if the translation tables are not correctly configured or if the memory regions are not properly mapped. In this scenario, the fault is indicated by the ESR_EL3

AXI Interconnect Address Decoding and Slave Routing in Multi-Slave Systems

AXI Interconnect Address Decoding and Slave Routing in Multi-Slave Systems

BySystem on Chips

AXI Interconnect Address Decoding Mechanism for Slave Routing In a multi-slave AXI (Advanced eXtensible Interface) system, the routing of packets from a master to the correct slave is a critical function of the AXI interconnect. The AXI interconnect relies on address decoding to determine which slave device is being addressed by a transaction. Each slave

Optimizing Cortex-M0 Verilog Design for FPGA Pin Constraints

Optimizing Cortex-M0 Verilog Design for FPGA Pin Constraints

BySystem on Chips

Cortex-M0 Signal Requirements and FPGA Pin Limitations When implementing an ARM Cortex-M0 design in an FPGA, such as the TerAsic DE10-Lite, one of the primary challenges is managing the limited number of input/output (IO) pins available on the FPGA device. The Cortex-M0, being a 32-bit microcontroller, has a rich set of signals that are essential

Write Interleaving Exclusion in AXI4 Protocol: Performance and Complexity Trade-offs

Write Interleaving Exclusion in AXI4 Protocol: Performance and Complexity Trade-offs

BySystem on Chips

Write Interleaving Exclusion in AXI4: Impact on Bandwidth and Throughput The exclusion of write data interleaving in the AXI4 protocol is a design decision that has significant implications for system performance, particularly in scenarios involving multiple masters with varying transmission speeds. Write interleaving, which was supported in the earlier AXI3 protocol, allows data from different

and Troubleshooting ARMv8.7 FEAT_AFP: FPCR.NEP Bit Use Cases and Implementation

and Troubleshooting ARMv8.7 FEAT_AFP: FPCR.NEP Bit Use Cases and Implementation

BySystem on Chips

ARMv8.7 FEAT_AFP and FPCR.NEP Bit Behavior in Floating-Point Operations The ARMv8.7 architecture introduces the FEAT_AFP (Additional Floating-Point) extension, which includes the FPCR.NEP (Non-standard Extended Precision) bit in the Floating-Point Control Register (FPCR). This bit, when enabled, modifies the behavior of certain floating-point operations, particularly those involving fused multiply-add (FMADD) instructions. The FPCR.NEP bit is located

ARM Cortex-R5 Coredump Backtrace Incomplete Frames and Parameter Order Reversal

ARM Cortex-R5 Coredump Backtrace Incomplete Frames and Parameter Order Reversal

BySystem on Chips

ARM Cortex-R5 Coredump Backtrace Incomplete Frames and Parameter Order Reversal Issue Overview: Incomplete Backtrace Frames and Parameter Order Reversal in ARM Cortex-R5 Coredump Analysis When analyzing a coredump generated from an ARM Cortex-R5 processor running FreeRTOS, two primary issues arise. First, the backtrace generated by GDB only displays the top two frames from the point

Leave a Reply

Your email address will not be published. Required fields are marked *