
How to schedule Secure/Normal kernels in TrustZone implementation?

I read the TZ whitepaper. TZ's software architecture includes a normal OS, a secure OS, and a monitor that manages switching between the two OSes. The notion is clear. But how to implement them confuses me.

Running and managing two kernels on a SoC needs a mechanism for scheduling the two kernels. So do we need a hypervisor to hold the two kernels? Is it the monitor's responsibility?

  • There are two parts to your question: scheduling the two environments and keeping them isolated from each other.

    The Secure Monitor (running in EL3 on ARMv8-A, Monitor Mode in ARMv7-A) is responsible for the isolation.  That is, ensuring information doesn't "leak" between the two Security states.

    There are several different ways you can go about scheduling the two environments.  It would depend on what you were using the Secure state for.  Here are a couple of examples:

    • Secure state hosts SoC/board specific firmware.  In this case you probably don't need to actually schedule the Secure state.  You'll enter Secure state as a result of making a call to the firmware (e.g. a power management request using PSCI).
    • Secure state scheduled by Normal world OS.  You could have a dummy task (say, a daemon) running under the Normal world OS.  Whenever it gets scheduled in, it switches to the Secure state.  Execution switches back on the next scheduler tick (or interrupt).
    • Secure state performs background tasks.  Secure interrupts cause entry into the Secure state.  Execution switches back to the Normal world when finished dealing with the interrupt.
    • Some combination of the above...
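As an added illustration of the answer above (not code from the original thread, ARM, or any TEE), the following toy C model shows the monitor's job in the second and third scheduling models: on every SMC, Secure interrupt, or tick it banks the outgoing world's registers and restores the incoming world's, which is what stops register contents leaking across the boundary. World names, register count, and the values written are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model of the Secure Monitor (EL3 / Monitor mode) switching one core
 * between Normal and Secure worlds; a hypothetical simplification. */
enum world { NORMAL = 0, SECURE = 1 };
struct ctx { uint64_t r[4]; };       /* general-purpose registers of one world */
struct monitor {
    enum world current;
    struct ctx saved[2];             /* banked context per Security state */
    unsigned switches;
};
static struct ctx cpu;               /* the core's live register file */
/* Monitor entry: reached by SMC or a Secure interrupt (Normal -> Secure) or by
 * a scheduler tick/IRQ while Secure (Secure -> Normal). Saving the outgoing
 * world's registers and restoring the incoming world's is what keeps register
 * contents from leaking across the boundary. */
static void monitor_switch(struct monitor *m, enum world to, const char *why) {
    if (to == m->current) return;
    m->saved[m->current] = cpu;      /* save outgoing world */
    cpu = m->saved[to];              /* restore incoming world */
    m->current = to;
    m->switches++;
    printf("monitor: %s -> %s world\n", why, to == SECURE ? "Secure" : "Normal");
}
/* Model 2 from the answer: a Normal-world daemon issues SMC whenever it is
 * scheduled in; Secure work then runs until the next timer tick. */
static void normal_daemon_runs(struct monitor *m) {
    cpu.r[0] = 0xC0FFEE;             /* daemon's own state, must survive */
    monitor_switch(m, SECURE, "smc");
    cpu.r[0] = 0xDEAD;               /* Secure work clobbers r0 ... */
    cpu.r[1] = 0x5EC;                /* ... and leaves a secret in r1 */
    monitor_switch(m, NORMAL, "timer tick");
}
/* Model 3: a Secure interrupt pre-empts the Normal world, then returns. */
static void secure_interrupt_fires(struct monitor *m) {
    monitor_switch(m, SECURE, "secure interrupt");
    cpu.r[2] = 0xF1;                 /* handler scratch state */
    monitor_switch(m, NORMAL, "handler done");
}
/* Returns 1 if the daemon's r0 survived both excursions and nothing the Secure
 * world wrote (r1, r2) is visible from the Normal world afterwards. */
int demo(void) {
    struct monitor m = {0};
    normal_daemon_runs(&m);
    secure_interrupt_fires(&m);
    return cpu.r[0] == 0xC0FFEE && cpu.r[1] == 0 && cpu.r[2] == 0 && m.switches == 4;
}
```

A real monitor also has to bank system registers, scrub anything it does not restore, and route interrupts per world; the model only shows the general-purpose context swap.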
  • Thanks for your reply. In the examples you provided, all of them seem to be processes of the normal kernel rather than an independent kernel.