Porting qca_demo into TrustZone for LPCXpresso55S69

Hi Everyone, I have been trying to port the qca_demo (basically a WiFi connectivity demo that uses FreeRTOS for the WiFi driver) into TrustZone. So far, I have encountered tons of problems because of the TZ scheme that partitions memory. My current setup in FreeRTOSConfig.h is the following:

    #define configENABLE_MPU                                0
    #define configENABLE_FPU                                0
    #define configENABLE_TRUSTZONE                          1
    #define configRUN_FREERTOS_SECURE_ONLY                  0

But, I encountered a hard-fault at this point in driver_main.c when creating the task for the Atheros WiFi driver.

    status = xTaskCreate(Atheros_Driver_Task, "Atheros_Wifi_Task", ATHEROS_TASK_STACKSIZE, pCxt, ATHEROS_TASK_PRIORITY,
                         &atheros_wifi_task_id);

Please let me know if anyone has any experience with the qca_demo and TZ, or has any insights into this issue.

Thank you very much in advance.

Hi @rtrimana

Could you please review the following FreeRTOS blog post on using TrustZone with FreeRTOS? It details how to set up your FreeRTOS configs for ports with TrustZone support.

With the current config configRUN_FREERTOS_SECURE_ONLY = 0, FreeRTOS is not configured to run on the TZ secure side. Is the wifi task calling any TZ secure side code?

Hi @DavidGC-FreeRTOS ,

Thank you very much for your response. I did read the blog post carefully while setting this up, and that’s why I decided to try to enable it without MPU and FPU to simplify things a bit. The provided example TZ apps were set up with MPU/FPU to begin with, so I deactivated them. I think I got it working by now with a few more tweaks, actually without calling anything on the TZ secure side. But previously, I think I called one non-secure callable function (secure side) with this setup, and I could do so from the non-secure side. Don’t the following two lines mean that we request TZ secure support on the non-secure side?

    #define configENABLE_TRUSTZONE                          1
    #define configRUN_FREERTOS_SECURE_ONLY                  0

And, BTW, I don’t think it is allowed to do the following, right?

    #define configENABLE_TRUSTZONE                          1
    #define configRUN_FREERTOS_SECURE_ONLY                  1

I was wondering why the WiFi driver was actually set up with the following configuration when it was running without TZ at all. Do you have any insights on this too by any chance?

    #define configENABLE_TRUSTZONE                          0
    #define configRUN_FREERTOS_SECURE_ONLY                  1

I have also been discussing with someone from NXP as I am using their board. Please look for a thread titled “Porting the qca_demo into TrustZone for board lpcxpresso55s69” on NXP forum (sorry I am still not allowed to post links here). This thread documents the problems I had when enabling the RTOS tasks and the WiFi driver.

Hi,

Yes, this means that FreeRTOS runs on the non-secure side, so FreeRTOS tasks are allowed to interact with the secure side only through Non-secure callable functions.

Yes, the configuration is mutually exclusive: configENABLE_TRUSTZONE enables FreeRTOS on the Non-Secure side, while configRUN_FREERTOS_SECURE_ONLY means FreeRTOS runs on the secure side.

From your setup it seems the WiFi driver task is created on the Non-Secure side. Can you make sure the driver is accessing any secure side code without using a Non-Secure callable function?
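Added example (not part of any post in this thread, and not FreeRTOS or NXP code): a small Python check that reads the two macros discussed above from the text of a FreeRTOSConfig.h and reports which side the kernel runs on, flagging the mutually exclusive combination. The mode names and the `classify` helper are made up for this illustration; the sample header is constructed from the settings in the first post.

```python
import re

# Constructed sample: the settings from the first post in this thread.
THREAD_CONFIG = """
#define configENABLE_MPU                                0
#define configENABLE_FPU                                0
#define configENABLE_TRUSTZONE                          1  /* NSC calls */
#define configRUN_FREERTOS_SECURE_ONLY                  0
"""

MACROS = ("configENABLE_TRUSTZONE", "configRUN_FREERTOS_SECURE_ONLY")
DEFINE = re.compile(
    r"^[ \t]*#[ \t]*define[ \t]+(\w+)[ \t]+\(?[ \t]*(\d+)[uUlL]*[ \t]*\)?[ \t]*$",
    re.M,
)


def read_macros(header_text):
    """Return {macro: int} for the two TrustZone macros; last define wins."""
    # Strip /* */ and // comments so commented-out defines are ignored.
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", header_text, flags=re.S)
    return {n: int(v) for n, v in DEFINE.findall(text) if n in MACROS}


def classify(header_text):
    """Return (mode, explanation) for the text of a FreeRTOSConfig.h."""
    cfg = read_macros(header_text)
    missing = [m for m in MACROS if m not in cfg]
    if missing:
        return "unknown", "not defined here: " + ", ".join(missing)
    tz, secure_only = (cfg[m] for m in MACROS)
    if tz and secure_only:
        return "invalid", "the two settings are mutually exclusive"
    if tz:
        return ("non-secure+nsc", "kernel and tasks run non-secure; secure "
                "code is reachable only through non-secure callable functions")
    if secure_only:
        return "secure-only", "kernel and tasks run entirely on the secure side"
    return "non-secure", "kernel runs non-secure with no secure-side calls"


if __name__ == "__main__":
    print(classify(THREAD_CONFIG))
```

Run against the project's real header in CI, a result of `invalid` or `unknown` is the case to fail the build on.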

Hi @ravibhagavandas, thanks so much for your response. I actually had to make things accessible from the non-secure side without the help of a non-secure callable function. So you’re probably right. With this setup, it is currently working fine.

Glad to know it’s working.

@rtrimana It's great to hear that you have had success with porting qca_demo into TrustZone. Can you please provide some example code?

Hi @yuripo, thanks for your text. I got your text as well on the NXP forum, but for some reason I could not log in there. There has been some issue that says that the website is under maintenance. Sorry about that. And it looks like I can’t upload anything here either because I am a new user. Perhaps you can send me an email address that I can send the code to? Sorry and thanks again.

Great. I have sent it to you. Please check your mailbox. Thanks.

@rtrimana You should now be able to upload files. If you can upload your solution here, it will be useful for others too.

Sure, @aggarg. Thanks for allowing me to share. Here are the sample project files and code.
device_attestation_tz_rtos_merged_wifi_on_nonsecure_adjusted_tee_memory.zip (2.0 MB)

Thank you @rtrimana!

Actually, there is another code that has been confirmed to work by @yuripo. One has to use the same board, namely LPCXpresso55S69, with MCUXpressoIDE_11.6.0_8187 using SDK 2.12.0 to compile it. Unfortunately, I can’t upload it here (there is a limit of 4MB), so you can let me know if you need one.

You can consider putting it in a GitHub repo and sharing the link here.

Sure, perhaps the easiest is to just provide a download link. Please feel free to download the code from here.

Thank you once again!