Why should we call a secure function in handler mode? What is the design purpose for this? As we know, the non-secure side can also call a secure function in thread mode.
While ARMv8M architecture does allow calling a secure function from non-secure code both in thread mode and handler mode, there are benefits to requiring certain types of secure functions to be called exclusively from either one or the other.
In the current trusted-firmware-m implementation handler mode calls are enforced so that the non-secure privileged code that has ownership of the SVC handler can provide access control to secure resources for non-secure threads, associate an identity with each caller thread and/or perform any other administrative tasks associated with a function call. Similarly, upon entering the secure veneer, tfm_core_sfn_request_function() is run in privileged mode to prepare the execution context for the secure function and potentially perform sanitization of its input parameters.
We have also been looking at the benefits of thread mode transitions for regular secure function calls. Ongoing/proposed tasks can be queried on trustedfirmware.org, specifically:
https://developer.trustedfirmware.org/T66 is a task dedicated to addressing this specific topic.
We will also be posting more design details on developer.trustedfirmware.org/ so I suggest you keep an eye on that.
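A host-side model of the mediation Miklos describes above, added here as an example (it is not TF-M code and was not part of the original thread); the function names, the ACL and the thread ids are hypothetical constructs used only to show why routing the call through the privileged NS SVC handler lets the non-secure side attach a caller identity and enforce access control, while the secure veneer still sanitizes the request:

```c
/* Model of the TF-M design point above: non-secure threads reach secure
 * functions only through the privileged NS SVC handler, which applies an
 * access-control list and tags the request with the caller's identity
 * before the secure-side entry validates the arguments.  All names are
 * hypothetical; this is a simulation, not TF-M or CMSE code. */
#include <stdint.h>
#include <stddef.h>

#define SFN_COUNT 2
#define SFN_READ_TEMP 0
#define SFN_READ_KEY  1
#define ERR_ACCESS_DENIED (-1)
#define ERR_BAD_ARG       (-2)

typedef int32_t (*sfn_t)(uint32_t caller, uint32_t *arg);

/* Secure-side functions (hypothetical, constructed return values). */
static int32_t sfn_read_temp(uint32_t caller, uint32_t *arg) { (void)caller; *arg = 25u; return 0; }
static int32_t sfn_read_key(uint32_t caller, uint32_t *arg)  { (void)caller; *arg = 0xCAFEu; return 0; }

static const sfn_t secure_table[SFN_COUNT] = { sfn_read_temp, sfn_read_key };

/* Secure veneer entry: runs privileged on the secure side and validates the
 * request before dispatching (models the role the reply assigns to
 * tfm_core_sfn_request_function). */
static int32_t secure_veneer(uint32_t sfn_id, uint32_t caller, uint32_t *arg) {
    if (sfn_id >= SFN_COUNT || arg == NULL)
        return ERR_BAD_ARG;   /* input sanitization happens secure-side */
    return secure_table[sfn_id](caller, arg);
}

/* Non-secure privileged side: per-thread permission bitmaps (constructed ACL). */
#define NS_THREADS 2
static const uint32_t ns_acl[NS_THREADS] = {
    (1u << SFN_READ_TEMP) | (1u << SFN_READ_KEY),  /* thread 0: trusted service */
    (1u << SFN_READ_TEMP),                         /* thread 1: may not read the key */
};

/* Scratch output word shared by the calls below. */
uint32_t ns_out;

/* Handler-mode path: the NS SVC handler owns the transition, so it can attach
 * the caller's thread id and reject calls the ACL does not permit. */
int32_t ns_svc_call_secure(uint32_t thread_id, uint32_t sfn_id, uint32_t *arg) {
    if (thread_id >= NS_THREADS || sfn_id >= SFN_COUNT)
        return ERR_BAD_ARG;
    if ((ns_acl[thread_id] & (1u << sfn_id)) == 0)
        return ERR_ACCESS_DENIED;
    return secure_veneer(sfn_id, thread_id, arg);
}
```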
Thanks a lot, Miklos.