Porting qca_demo into TrustZone for LPCXpresso55S69

Hi Everyone, I have been trying to port the qca_demo (basically for a WiFi connectivity demo that uses FreeRTOS for the WiFi driver) into TrustZone. So, far I have encountered tons of problems because of the TZ scheme that partitions memory. My current setup in the FreeRTOSConfig.h is the following:

#define configENABLE_MPU                                0
#define configENABLE_FPU                                0
#define configENABLE_TRUSTZONE                          1
#define configRUN_FREERTOS_SECURE_ONLY                  0

But, I encountered a hard-fault at this point in driver_main.c when creating the task for the Atheros WiFi driver.

    status = xTaskCreate(Atheros_Driver_Task, "Atheros_Wifi_Task", ATHEROS_TASK_STACKSIZE, pCxt, ATHEROS_TASK_PRIORITY,

Please let me know if anyone has any experience with the qca_demo and TZ, or has any insights into this issue.

Thank you very much in advance.

Hi @rtrimana

Could you please review the following FreeRTOS blog post on using TrustZone with FreeRTOS. It details how to setup your FreeRTOS configs for ports with TrustZone support.

With the current config configRUN_FREERTOS_SECURE_ONLY = 0, FreeRTOS is not configured to run on the TZ secure side. Is the wifi task calling any TZ secure side code?

Hi @DavidGC-FreeRTOS ,

Thank you very much for your response. I did read the blogpost carefully while setting this up and that’s why I decided to try to enable it without MPU and FPU to simplify things a bit. The provided example TZ apps were set up with MPU/FPU to begin with so I deactivated them. I think I got it working by now with a few more tweaks actually without calling anything on the TZ secure side. But, previously, I think I called one non-secure callable function (secure side) with this setup and I could do so from the non-secure side. Don’t the following two lines mean that we request for TZ secure support on the non-secure side?

#define configENABLE_TRUSTZONE                          1
#define configRUN_FREERTOS_SECURE_ONLY                  0

And, BTW, I don’t think it is allowed to do the following right?

#define configENABLE_TRUSTZONE                          1
#define configRUN_FREERTOS_SECURE_ONLY                  1

I was wondering why the WiFi driver was actually set up with the following configuration when it was running without TZ at all. Do you have any insights on this too by any chance?

#define configENABLE_TRUSTZONE                          0
#define configRUN_FREERTOS_SECURE_ONLY                  1

I have also been discussing with someone from NXP as I am using their board. Please look for a thread titled “Porting the qca_demo into TrustZone for board lpcxpresso55s69” on NXP forum (sorry I am still not allowed to post links here). This thread documents the problems I had when enabling the RTOS tasks and the WiFi driver.


Yes this means that FreeRTOS runs on non-secure side, so FreeRTOS tasks are allowed to interact with secure side only through Non-secure callable functions.

Yes, the configuration is mutually exclusive configENABLE_TRUSTZONE enables FreeRTOS on Non-Secure side while configRUN_FREERTOS_SECURE_ONLY means FreeRTOS runs on secure side.

From your setup it seems WiFi driver task is created on Non-Secure side. Can you make sure the driver is accessing any secure side code without using an Non-Secure callable function ?

Hi @ravibhagavandas , thanks so much for your response. I actually had to make things accessible from the non-secure side without the help of non-secure callable function. So you’re probably right. With this setup, it is currently working fine.

Glad to know it’s working.