ARM DDI 0301H
ID012310
System boot sequence
Caution
TrustZone security extensions enable a Secure software environment. The technology does not
protect the processor from hardware attacks and the implementor must make sure that the
hardware that contains the boot code is appropriately secure.
The processor always boots in the privileged Supervisor mode in the Secure world, that is, with the NS bit set to 0. This means that code not written for TrustZone always runs in the Secure world and has no way to switch to the Non-secure world. Because the Secure and Non-secure worlds mirror each other, this Secure operation does not affect the functionality of code not written for TrustZone, so the processor remains compatible with other ARMv6 architectures. Peripherals boot in their most Secure state.
The Secure OS code at the reset vector must:
1. Initialize the Secure OS. This includes normal boot actions such as:
   a. Generate page tables and switch on the MMU if the design uses caches or memory protection.
   b. Switch on the stack.
   c. Set up the run time environment and program stacks for each processor mode.
2. Initialize the Secure Monitor. This includes such actions as:
   a. Allocate TCM memory for the Secure Monitor code.
   b. Allocate scratch work space.
   c. Set up the Secure Monitor stack pointer and initialize its state block.
3. Program the partition checker to allocate physical memory available to the Non-secure OS.
4. Yield control to the Non-secure OS. The Non-secure OS boots after this.
The overall security of the software relies on the security of the boot code along with the code
for the Secure Monitor.
Secure interrupts
There are no new pins to deal with Secure interrupts. However, the IRQ and FIQ bits in the SCR can be set to 1 so that the core branches to Secure Monitor mode, instead of IRQ or FIQ mode, when an interrupt occurs. For more information see c1, Secure Configuration Register on page 3-52.
FIQ can be used to enter the Secure world in a deterministic way if it is configured as an NMI while the core is in the Non-secure world. This configuration is done using the FW and FIQ bits in the SCR. The nIRQ pin can also be used as a Secure interrupt and can enter Monitor mode directly if the IRQ bit in the SCR is set to 1, but it might be masked in the Non-secure world if the I bit in the CPSR is set to 1.
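The following C model is an added illustration, not code from the ARM manual. It shows how the SCR IRQ, FIQ and FW bits decide where an interrupt lands, why FIQ with FW = 0 gives the Secure world an entry point that Non-secure code cannot mask, and why an IRQ routed to Monitor mode can still be masked by the Non-secure I bit. The SCR bit positions (NS bit 0, IRQ bit 1, FIQ bit 2, FW bit 4) and the CPSR I/F positions are assumed from the ARM1176JZF-S register definitions rather than taken from this page, and the function names and the boot-time check are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* SCR bit positions as defined for the ARM1176JZF-S c1 Secure Configuration
 * Register (assumed from the register description; confirm on page 3-52). */
#define SCR_NS  (1u << 0)  /* 0 = Secure world, 1 = Non-secure world */
#define SCR_IRQ (1u << 1)  /* 1 = IRQ enters Monitor mode instead of IRQ mode */
#define SCR_FIQ (1u << 2)  /* 1 = FIQ enters Monitor mode instead of FIQ mode */
#define SCR_FW  (1u << 4)  /* 1 = CPSR.F is writable from the Non-secure world */
#define CPSR_F  (1u << 6)  /* CPSR FIQ mask bit */
#define CPSR_I  (1u << 7)  /* CPSR IRQ mask bit */

enum target { TARGET_MASKED, TARGET_IRQ_MODE, TARGET_FIQ_MODE, TARGET_MONITOR_MODE };

/* Model a CPSR write by Non-secure code: with FW = 0 the F bit keeps its old
 * value, so a Non-secure attempt to mask FIQ has no effect. */
uint32_t ns_write_cpsr(uint32_t scr, uint32_t old_cpsr, uint32_t new_cpsr)
{
    if (!(scr & SCR_FW))
        new_cpsr = (new_cpsr & ~CPSR_F) | (old_cpsr & CPSR_F);
    return new_cpsr;
}

/* Where an asserted nIRQ lands: the I bit masks it in either world. */
enum target route_irq(uint32_t scr, uint32_t cpsr)
{
    if (cpsr & CPSR_I)
        return TARGET_MASKED;
    return (scr & SCR_IRQ) ? TARGET_MONITOR_MODE : TARGET_IRQ_MODE;
}

/* Where an asserted nFIQ lands, given the CPSR actually in force. */
enum target route_fiq(uint32_t scr, uint32_t cpsr)
{
    if (cpsr & CPSR_F)
        return TARGET_MASKED;
    return (scr & SCR_FIQ) ? TARGET_MONITOR_MODE : TARGET_FIQ_MODE;
}

/* Boot-time check (constructed): FIQ routed to Monitor mode with FW clear
 * makes FIQ behave as an NMI for the Non-secure world. The Secure OS would
 * verify this before step 4, yielding control to the Non-secure OS. */
bool fiq_is_secure_nmi(uint32_t scr)
{
    return (scr & SCR_FIQ) && !(scr & SCR_FW);
}
```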
Secure peripherals
You can protect a Secure peripheral by mapping it to a Secure memory region. In addition, you
can protect Secure peripherals by checking the AxPROT[1] signal and generating an error
response if a Non-secure access attempts to read or write a Secure register.
Copyright © 2004-2009 ARM Limited. All rights reserved.
Non-Confidential, Unrestricted Access
Programmer's Model
2-8