MPU and TrustZone


I am trying to configure the MPU on a Cortex-M23 processor with TrustZone enabled. I would like to assign an MPU region for a user-level application running in the non-secure side of TrustZone-M.

I know that there are two copies of the MPU, one (NS_MPU) for the non-secure state and one (S_MPU) for the secure state.

Here is what I wanted to do. 

1. I want the NS_MPU configuration not to be modified by the non-secure world, not even by privileged-level code such as the OS kernel.

2. I want to assign an NS_MPU region for an application running in the non-secure world and protect this MPU region from being accessed/modified by any privileged code (such as the OS kernel) in the non-secure world.

I would be grateful if you have any pointers on how to do that. 

Thanks and best regards,