TrustZone isolation is implemented by the processor. There is no software layer required. In a real time embedded application requiring a deterministic response, every cycle counts hence all transitions between secure and non-secure states are handled directly by the processor. Calls from the non-secure to the secure domain require the addition of only one instruction at the function entry point. The transition overhead is then one instruction. There are other security checks that need to be done on entry of a function in the secure domain, for example, testing the parameters and pointers, but that is application dependent.