BELK-TN-001: Real-timeness, system integrity and TrustZone® technology on AMP configuration

From DAVE Developer's Wiki
Revision as of 09:39, 18 September 2015 by U0001 (Boot process)

Info Box
Applies to Bora
Applies to BORA Xpress

History

Version | Date           | BELK version | Notes
0.9.0   | September 2015 | 3.0.0        | Internal draft

Introduction

Because of widely available Internet connectivity, security concerns are nowadays no longer limited to PCs, servers and workstations but have become common to many embedded systems as well. To deal with these challenges, several hardware and software technologies have been developed; ARM® TrustZone® technology is one of them. As stated in [1], the Xilinx Zynq-7000 AP SoC natively supports TrustZone® technology, since it integrates a dual-core ARM® Cortex™-A9 MPCore™ processor.

Even though this technology has been conceived primarily to address security issues, embedded systems designers can leverage it to implement innovative configurations that satisfy requirements of a different nature, which typically arise in industrial applications and deeply embedded systems[a]. Two such requirements are real-timeness and system integrity[b].

This White Paper describes the TrustZone-based solution that DAVE Embedded Systems has implemented to meet these requirements on the BORA and BORA Xpress (BORAX for short) platforms. A technical description of the adopted approach is provided; performance and characterization tests are detailed, and considerations about future developments and improvements are included.

This solution can be considered a natural evolution of the traditional AMP configuration described in [3]; reading that document first is therefore highly recommended.

Limitations of traditional configurations

The Xilinx Zynq AP architecture provides unprecedented possibilities in terms of integration. In industrial applications this is often leveraged to combine, on a single chip, real-time tasks with generic software applications and functionalities that have no specific real-time requirements[c]. In addition, the flexibility offered by the FPGA - known as Programmable Logic, or PL for short - allows system designers to implement custom IPs in hardware, either to add new interfaces and peripherals or to move processing modules from the software to the hardware world[d].

The following list recaps the typical requirements that such systems must meet. It has been compiled on the basis of real-world use cases (specifically medical, transportation, automation and telecom applications):

  • real-time and non-real-time task integration: the non-real-time and real-time worlds are required to coexist on the same physical component; this allows overall design simplification, BOM reduction and better integration
  • the non-real-time world - denoted as W2 in the rest of the document - is based on a well-known operating system such as Linux
  • the real-time world - denoted as W1 in the rest of the document - is based on an RTOS or a bare-metal executable
  • inter-world communication and data sharing: the two worlds must have the capability to:
    1. communicate via asynchronous mechanisms
    2. share data
  • integrity: W1 must guarantee a high reliability level, no matter how the other world behaves; in other words, W1 cannot be altered by any action taken by the code executed in W2. W1 is also known as the Secure world or Trust world; W2 is also called the Non-secure world or Non-trust world.

The traditional AMP configuration [3] satisfies all of these requirements except the last one: for example, an application with root privileges, or code executed in kernel space, can access memory regions that are supposed to be accessed exclusively by code executed in W1. This may lead to unpredictable behaviour and potentially to catastrophic consequences. This is where TrustZone technology comes to help: it creates a barrier between the two worlds that is enforced by the hardware rather than by the W2 kernel, and prevents W2 code from accessing certain regions of the processor's address space, whatever privilege level that code runs at.


TBD: add an analysis of two-chip (application processor + microcontroller) solutions and of big.LITTLE ones?

TrustZone-based approach

Overview

The major difference with respect to the traditional AMP configuration is the use of a software monitor, specifically TOPPERS SafeG [4] [5] [6].

Nagoya University TOPPERS SafeG architecture

As shown in the picture, the monitor can be viewed as a software layer that lies between W1/W2 and the underlying hardware. The monitor is responsible for:

  • enabling and initializing TrustZone in order to protect the memory regions that must not be accessible from the Non-secure world
  • TBD
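As an added example (not DAVE's or TOPPERS SafeG's code), the following C listing shows how the monitor's first responsibility can be derived from the W1/W2 layout rather than hand-coded: it computes the DDR security bitmap from a region table, rejects layouts whose regions do not fall on the hardware's protection granularity, and answers what the hardware will do with a given Non-secure access. It assumes, subject to verification in UG585, that the Zynq-7000 SLCR register TZ_DDR_RAM (0xF8000430) carries one bit per 64 MiB DDR segment with 1 = Non-secure, and that SLCR_UNLOCK (0xF8000008) must receive the key 0xDF0D first; the 1 GiB layout and the region names are constructed for illustration.

```c
/*
 * Added example (not DAVE's or TOPPERS SafeG's code): derive the DDR
 * TrustZone partitioning from the W1/W2 memory layout and validate it
 * before the monitor programs it.
 *
 * Assumptions, to be checked against UG585: the Zynq-7000 SLCR register
 * TZ_DDR_RAM (0xF8000430) holds one bit per 64 MiB DDR segment, with
 * 1 = Non-secure and 0 = Secure, and SLCR writes require the unlock key
 * 0xDF0D at SLCR_UNLOCK (0xF8000008). The memory layout is constructed
 * for illustration (1 GiB DDR starting at address 0).
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define TZ_SEG_SIZE   0x04000000u            /* 64 MiB per TZ_DDR_RAM bit (assumed) */
#define DDR_SIZE      0x40000000u            /* 1 GiB on the constructed board */
#define DDR_SEGS      (DDR_SIZE / TZ_SEG_SIZE)

typedef struct {
    uint32_t    base;
    uint32_t    size;
    bool        secure;      /* true: only W1 (Secure world) may touch it */
    const char *what;
} region_t;

/* Constructed layout: W2 low, shared buffers in the middle, W1 on top.
 * The shared region is Non-secure on purpose: the Secure world can access
 * Non-secure memory, but not the other way round, so inter-world buffers
 * must live on the Non-secure side. */
static const region_t layout[] = {
    { 0x00000000u, 0x30000000u, false, "W2: Linux kernel, DTB, RAM" },
    { 0x30000000u, 0x04000000u, false, "shared: inter-world buffers" },
    { 0x34000000u, 0x0C000000u, true,  "W1: FreeRTOS image, stacks, heap" },
};
#define LAYOUT_LEN (sizeof layout / sizeof layout[0])

/* Every region must start and end on a TZ segment boundary: a segment
 * shared between a Secure and a Non-secure region is either exposed to
 * W2 (if marked NS) or faults W2 accesses (if marked S). Returns the
 * index of the first offending region, or -1 if the layout is sound. */
int tz_layout_check(const region_t *r, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t end = r[i].base + r[i].size;
        if (r[i].base % TZ_SEG_SIZE || end % TZ_SEG_SIZE ||
            end > DDR_SIZE || end < r[i].base)
            return (int)i;
    }
    return -1;
}

/* Compute the TZ_DDR_RAM value: a segment is Non-secure (bit = 1) only if
 * it is claimed and no Secure region overlaps it. Segments nobody claims
 * stay Secure, which fails closed: W2 cannot reach memory the layout
 * forgot about. */
uint32_t tz_ddr_ram_mask(const region_t *r, size_t n)
{
    uint32_t mask = 0;
    for (uint32_t seg = 0; seg < DDR_SEGS; seg++) {
        uint32_t lo = seg * TZ_SEG_SIZE, hi = lo + TZ_SEG_SIZE;
        bool claimed = false, secure = false;
        for (size_t i = 0; i < n; i++) {
            if (r[i].base < hi && r[i].base + r[i].size > lo) {
                claimed = true;
                secure |= r[i].secure;
            }
        }
        if (claimed && !secure)
            mask |= 1u << seg;
    }
    return mask;
}

/* What the hardware will answer for a W2 (Non-secure) access at addr. */
bool tz_ns_may_access(uint32_t mask, uint32_t addr)
{
    if (addr >= DDR_SIZE)
        return false;
    return (mask >> (addr / TZ_SEG_SIZE)) & 1u;
}

#if defined(__arm__)
/* On the target, the monitor (still in the Secure state) programs the SLCR. */
#define SLCR_UNLOCK (*(volatile uint32_t *)0xF8000008u)
#define TZ_DDR_RAM  (*(volatile uint32_t *)0xF8000430u)
void tz_ddr_program(uint32_t mask)
{
    SLCR_UNLOCK = 0xDF0Du;
    TZ_DDR_RAM  = mask;
    __asm__ volatile("dsb" ::: "memory");
}
#endif

int main(void)
{
    int bad = tz_layout_check(layout, LAYOUT_LEN);
    if (bad >= 0) {
        fprintf(stderr, "region '%s' is not 64 MiB aligned\n", layout[bad].what);
        return 1;
    }
    uint32_t mask = tz_ddr_ram_mask(layout, LAYOUT_LEN);
    printf("TZ_DDR_RAM = 0x%08x\n", (unsigned)mask);   /* 0x00001fff for this layout */
    printf("W2 access to 0x10000000: %s\n",
           tz_ns_may_access(mask, 0x10000000u) ? "allowed" : "blocked");
    printf("W2 access to 0x3F000000: %s\n",
           tz_ns_may_access(mask, 0x3F000000u) ? "allowed" : "blocked");
    return 0;
}
```

The layout check and the mask computation run on the host as well; only tz_ddr_program() needs the target. Two caveats apply: TZ_DDR_RAM only governs DDR accesses, so the OCM, the DMA controller, PL masters and the peripherals are controlled by separate TrustZone registers that the monitor must set consistently with this map; and the 64 MiB granularity means W1's footprint has to be rounded up to whole segments, which is why the region table is checked before the mask is computed.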

As for operating systems, Linux has been chosen for the Non-trust world (W2), while FreeRTOS has been selected for the Trust world (W1).

As for the multiprocessing scheme, AMP has been used[e].

These choices lead to the configuration depicted in the following picture.

DAVE Embedded Systems' TrustZone-enabled AMP solution

Inter-world communication


TBD: why RPMsg was chosen.

System memory partitioning

System memory partitioning is shown in the following picture.


Boot process

The boot process consists of several stages, detailed in the following list.

  1. The first piece of code executed by the processor is the BootROM. Depending on the bootstrap configuration pins, the FSBL image is retrieved from the selected non-volatile memory by the BootROM and copied into the on-chip memory (OCM).
  2. The FSBL performs basic hardware initialization (including the SDRAM subsystem) and retrieves the U-Boot bootloader image.
  3. U-Boot
    • completes hardware initialization
    • retrieves the following binary images and stores them into SDRAM:
      • monitor
      • trusted code (the FreeRTOS image in our case)
      • non-trusted code (the Linux kernel image and Device Tree Blob in our case)
    • hands control to the monitor.
  4. The monitor initializes the TrustZone subsystem and hands control of the machine to the trusted code. Note that every stage up to this point (BootROM, FSBL, U-Boot and the monitor itself) runs in the Secure state, since the Cortex-A9 resets into it: the monitor is the first component that decides what the Non-secure world will be allowed to access.
  5. The FreeRTOS kernel is initialized and the real-time tasks are started. Under the control of the tasks running on top of the RTOS kernel, the non-trusted (NT for short) code is started. Please note that this is done via a Secure Monitor Call (referred to as SMC in the rest of the document), which is handled by the monitor.
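The following C listing is an added example, not code from DAVE, TOPPERS SafeG or FreeRTOS, and it shows both sides of the SMC of stage 5: W1 requests the start of the non-trusted code, and the monitor builds the Non-secure world's initial register state according to the Linux ARM boot protocol (Documentation/arm/booting.rst: r0 = 0, r1 = machine type, r2 = physical DTB address, SVC mode with IRQ and FIQ masked, DTB on a 64-bit boundary), refusing any request whose kernel or DTB lies outside Non-secure memory. The SMC function id SMC_START_NS, its argument order and the Non-secure DDR window [NS_BASE, NS_END) are assumptions made for the example; SafeG defines its own monitor interface.

```c
/*
 * Added example (not DAVE's, TOPPERS SafeG's or FreeRTOS's code): the
 * hand-off of stage 5 seen from both sides of the SMC. W1 asks the
 * monitor to start the Non-trusted code; the monitor prepares the
 * Non-secure world's initial register state per the Linux ARM boot
 * protocol (Documentation/arm/booting.rst) and refuses requests that
 * would enter Linux at, or point its DTB at, memory W2 may not touch.
 *
 * Assumptions: the SMC function id SMC_START_NS and its argument order
 * are hypothetical; the Non-secure DDR window [NS_BASE, NS_END) is a
 * constructed value for a layout where W2 owns the low 832 MiB of DDR.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SMC_START_NS   0x00000001u   /* hypothetical function id */
#define NS_BASE        0x00000000u   /* constructed Non-secure window */
#define NS_END         0x34000000u

/* CPSR: SVC mode, ARM state, IRQ and FIQ masked (booting.rst requirement) */
#define CPSR_MODE_SVC  0x13u
#define CPSR_IRQ_MASK  0x80u
#define CPSR_FIQ_MASK  0x40u

typedef struct {
    uint32_t r0, r1, r2;   /* Linux boot ABI: 0, machine type, DTB address */
    uint32_t pc;           /* kernel entry point (physical address, MMU off) */
    uint32_t cpsr;
} ns_entry_t;

/* True if [addr, addr+len) lies entirely inside the Non-secure window. */
static bool in_ns_window(uint32_t addr, uint32_t len)
{
    return addr >= NS_BASE && addr < NS_END && len <= NS_END - addr;
}

/* Monitor side: build the NS world's entry state, or fail closed. */
bool ns_entry_build(uint32_t kernel_pa, uint32_t kernel_len,
                    uint32_t dtb_pa, uint32_t dtb_len, ns_entry_t *e)
{
    /* Everything W2 executes or reads at entry must be Non-secure memory;
     * a kernel loaded into a Secure segment would fault at the first
     * Non-secure fetch, so refuse it here instead. */
    if (!in_ns_window(kernel_pa, kernel_len) || !in_ns_window(dtb_pa, dtb_len))
        return false;
    if (kernel_pa & 3u)            /* ARM-state entry point: 4-byte aligned */
        return false;
    if (dtb_pa & 7u)               /* booting.rst: DTB on a 64-bit boundary */
        return false;

    e->r0   = 0;
    e->r1   = 0xFFFFFFFFu;         /* ignored when a DTB is passed; ~0 so it
                                      cannot be mistaken for a machine number */
    e->r2   = dtb_pa;
    e->pc   = kernel_pa;
    e->cpsr = CPSR_MODE_SVC | CPSR_IRQ_MASK | CPSR_FIQ_MASK;   /* 0xD3 */
    return true;
}

/* Monitor side: SMC dispatch. The monitor runs in Monitor mode with
 * SCR.NS clear; once this returns true the assembly trampoline (not
 * shown) loads e into the banked registers, sets SCR.NS = 1 and takes
 * an exception return into W2. Unknown function ids are rejected. */
bool monitor_smc_handle(uint32_t fid, uint32_t a1, uint32_t a2,
                        uint32_t a3, uint32_t a4, ns_entry_t *e)
{
    switch (fid) {
    case SMC_START_NS:
        return ns_entry_build(a1, a2, a3, a4, e);
    default:
        return false;
    }
}

#if defined(__arm__)
/* W1 side: issue the SMC from FreeRTOS (privileged mode) on the target. */
static inline uint32_t smc_start_ns(uint32_t kernel_pa, uint32_t kernel_len,
                                    uint32_t dtb_pa, uint32_t dtb_len)
{
    register uint32_t r0 __asm__("r0") = SMC_START_NS;
    register uint32_t r1 __asm__("r1") = kernel_pa;
    register uint32_t r2 __asm__("r2") = kernel_len;
    register uint32_t r3 __asm__("r3") = dtb_pa;
    register uint32_t r4 __asm__("r4") = dtb_len;
    __asm__ volatile(".arch_extension sec\n\tsmc #0"
                     : "+r"(r0) : "r"(r1), "r"(r2), "r"(r3), "r"(r4) : "memory");
    return r0;                     /* monitor's status comes back in r0 */
}
#endif

int main(void)
{
    ns_entry_t e;
    /* constructed addresses: kernel at 32 KiB offset, DTB at 32 MiB */
    if (ns_entry_build(0x00008000u, 0x00400000u, 0x02000000u, 0x00010000u, &e))
        printf("entry pc=0x%08x r2=0x%08x cpsr=0x%03x\n",
               (unsigned)e.pc, (unsigned)e.r2, (unsigned)e.cpsr);
    /* a kernel placed inside W1's memory is refused */
    printf("kernel in Secure DDR accepted: %d\n",
           ns_entry_build(0x38000000u, 0x00400000u, 0x02000000u, 0x00010000u, &e));
    return 0;
}
```

The trampoline that loads the banked registers, sets SCR.NS and performs the exception return into W2 is specific to the monitor and not shown. The point of the range check is that the monitor, not W1, is the last line of defence: W1 runs with full Secure privileges, and a bug there could otherwise hand W2 an entry point or DTB inside W1's own memory, which would fault at the first Non-secure access; the check turns that late failure into an early, explicit refusal, using the same Non-secure window the monitor programmed into TrustZone.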

L2 cache management

TBD

Characterization and performance tests

TBD

Isolation vs performance

TBD

Conclusions

TBD

References

  1. Yashu Gosain and Prushothaman Palanichamy, Xilinx WP429 - TrustZone Technology Support in Zynq-7000 All Programmable SoCs (v1.0), May 20, 2014
  2. Ed Hallett, Giulio Corradi, Steven McNeil, Xilinx WP461 - Xilinx Reduces Risk and Increases Efficiency for IEC61508 and ISO26262 Certified Safety Applications (v1.0), April 9, 2015
  3. DAVE Embedded Systems, AN-BELK-001: Asymmetric Multiprocessing (AMP) on Bora – Linux FreeRTOS
  4. TOPPERS SafeG home page (English), https://www.toppers.jp/en/safeg.html
  5. TOPPERS SafeG home page (Japanese), https://www.toppers.jp/safeg.html
  6. TOPPERS SafeG (Nagoya University), http://www.wiki.xilinx.com/Multi-OS+Support+%28AMP+%26+Hypervisor%29#Asymmetric%20Multi%20Processing%20%28AMP%29%20Configurations-Open%20Source%20or%20Freely%20Available%20Solutions-TOPPERS%20SafeG%20%28Nagoya%20University%29

  a. These kinds of requirements are often completely independent of Internet connectivity.
  b. In this context, the terms integrity and security are used with the definitions provided by [2]:
    • integrity denotes the certainty that a system cannot be improperly altered;
    • security refers to a system's immunity to data disclosure or loss as a result of the unlawful electronic penetration of the system's protections and defenses.
  c. Network connectivity is an example of such functionalities.
  d. Powerful tools that facilitate this process significantly have recently appeared on the market; SDSoC is one of them, and Bora and BoraX are among its supported hardware platforms.
  e. The monitor can support either AMP or SMP configurations.