Demystifying ARM TrustZone for Microcontrollers, and a note on Rust support

TrustZone differs from a separate physical security co-processor (such as a TPM or a secure element) that ships with a pre-defined set of features. You can think of it as a virtualization technology for ARM CPUs: it virtualizes a physical ARM CPU core, so a TrustZone-enabled ARMv8 core exists in one of two states, Secure or Non-Secure. This in turn lets us partition all system hardware and software resources so that each one lives in one of the two worlds.

TrustZone for Armv8-M has been designed for ARM microcontrollers (Cortex-M). At a high level, this variant of TrustZone is similar to the variant in Arm Cortex-A processors:

  1. In both cases, secure and non-secure code runs on the same physical processor core.
  2. Execution happens in a time-sliced manner (Secure <-> Normal), with non-secure software blocked from accessing secure resources directly.
  3. But there are differences between the two processor families:
  4. TrustZone in Cortex-M has been optimized for faster context switching and low power, keeping in mind the real-time processing requirements of microcontrollers. To achieve this, Cortex-M drops the monitor mode of Cortex-A and the need for any secure monitor software, reducing world-switch latency. To bridge software between the two worlds, TrustZone for Cortex-M instead relies on a small number of secure function entry points. Entering and leaving these entry points is controlled by a set of special instructions: SG, BXNS and BLXNS.

[Figure: TrustZone-M processor-specific instructions for context switching]

** TrustZone for Cortex-A processors specifies a separate processor mode, called monitor mode, for running a ‘secure monitor handler’ (a piece of software running in the secure world that mediates all access between worlds) as the sole entry point.

How does it work?

After a power-on or reset, an Armv8-M system begins executing code in the secure state. This usually involves secure booting of the system along with some level of system initialization. In a TrustZone-enabled system/MCU, the system needs to perform additional initialization: a few configuration routines divide the system’s entire memory map into non-overlapping secure, non-secure and non-secure-callable regions. The result is a ‘security attribution map’ for the entire system.

Configuration of memory security attributes is done via two hardware blocks, called the security attribution unit (SAU) and/or the implementation defined attribution unit (IDAU).

  1. Implementation Defined Attribution Unit (IDAU): a fixed hardware unit external to the processor core that provides a fixed security status for the memory map, as defined by the manufacturer (i.e. an immutable background attribution map implemented by the vendor in hardware for their specific chip).
  2. Secure Attribution Unit (SAU): a programmable unit integrated in the processor core, used to define the security status of up to eight memory regions. Note: the SAU’s registers can be set to configure non-secure memory, peripheral and interrupt access.

Key point to remember: security is defined by address, i.e. memory security attributes are what really define the security state of the processor.

Code executing in the ‘Non-Secure’ state cannot access the secure memory map, but secure code can access both secure and non-secure memory. As some peripherals are duplicated (MPU, SCB, SysTick), the hardware uses an aliased secure memory map that shifts them by an offset (say 0x20000) when executing in the secure state.

After assigning ‘security attributes’ to system memory, every memory access by the processor, whether a read, write or execute, is tested against its memory security attribute (i.e. is it a secure or non-secure address?). SAU and IDAU work together to enforce memory access restrictions at runtime. Note: while the IDAU and SAU directly enforce secure and non-secure access restrictions, they work with secure and non-secure memory protection units (MPUs) to determine the access rights associated with the target resource.
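As an added illustration (not code from the original article or any vendor SDK), the following host-side C model shows how SAU regions and the IDAU combine to attribute an address, and why a region that no SAU entry covers is secure by default. The IDAU layout, the region table encoding and the attribute ordering are assumptions of this example, and SAU_CTRL.ALLNS is not modelled.

```c
#include <stdint.h>
#include <stddef.h>

/* Security attribute of an address; a larger value is MORE secure, which makes
   combining the two units a simple max(). */
typedef enum { ATTR_NS = 0, ATTR_NSC = 1, ATTR_S = 2 } sec_attr_t;

/* One SAU region as programmed through SAU_RBAR / SAU_RLAR: bits [31:5] hold
   the 32-byte-aligned base and limit, the low bits of RLAR hold ENABLE and NSC. */
typedef struct { uint32_t rbar, rlar; } sau_region_t;

#define SAU_RLAR_ENABLE (1u << 0)
#define SAU_RLAR_NSC    (1u << 1)
#define SAU_ADDR_MASK   0xFFFFFFE0u
#define SAU_MAX_REGIONS 8

/* SAU attribute alone. An address that falls in no enabled region is secure:
   software only ever opens up non-secure (or non-secure-callable) windows. */
static sec_attr_t sau_lookup(const sau_region_t *r, size_t n, uint32_t addr) {
    for (size_t i = 0; i < n && i < SAU_MAX_REGIONS; i++) {
        if (!(r[i].rlar & SAU_RLAR_ENABLE)) continue;
        uint32_t base  = r[i].rbar & SAU_ADDR_MASK;
        uint32_t limit = (r[i].rlar & SAU_ADDR_MASK) | 0x1Fu; /* inclusive */
        if (addr >= base && addr <= limit)
            return (r[i].rlar & SAU_RLAR_NSC) ? ATTR_NSC : ATTR_NS;
    }
    return ATTR_S;
}

/* Modelled IDAU (an assumed layout for this example, not any real chip):
   addresses with bit 28 set are non-secure, everything else is secure. */
static sec_attr_t idau_lookup(uint32_t addr) {
    return (addr & 0x10000000u) ? ATTR_NS : ATTR_S;
}

/* Combined attribute: the more secure answer of SAU and IDAU wins, so the SAU
   can tighten but never loosen what the vendor fixed in the IDAU. */
sec_attr_t attribute_of(const sau_region_t *r, size_t n, uint32_t addr) {
    sec_attr_t a = sau_lookup(r, n, addr), b = idau_lookup(addr);
    return a > b ? a : b;
}
```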

[Figure: SAU + IDAU + MPU together enforce privilege and security levels.]

The IDAU, SAU, and MPU features of these processors provide a flexible foundation for protecting runtime execution of both system software and applications, but these capabilities are limited to the processor itself.


  1. In order to carry the secure and privilege capabilities over to other memory systems and interfaces, we use logic present in the system’s bus fabric (AMBA AHB5/APB4): the privilege attribute (HPRIV) and secure attribute (HNONSEC) are carried across the internal Advanced High-performance Bus (AHB) matrix to reach memory protection checkers (MPCs), peripheral protection checkers (PPCs) and master security wrappers (MSWs) for other bus masters.
  2. In other words, the core’s security-state information propagates via hardware logic present in the TrustZone-enabled AMBA AHB5/APB4 bus fabric (an extra signal on the AHB bus, HNONSEC[1] = 0, indicates a secure transaction, and vice versa).
  3. This allows extending security to memories and peripherals through bus filters, also known as TrustZone-aware peripherals, which are directly connected to the AHB: MPCs, PPCs and the AHB/APB bridge (used as a secure gate to block or propagate secure/non-secure transactions towards APB agents).
  4. This ensures that no secure-world resources can be accessed by non-secure-world components, enabling a strong security perimeter to be built between the two.

[Figure: Simplified view of TrustZone-M]

Developer Workflow:

Every TrustZone implementation will have two separate projects:

  1. One for the secure world, and
  2. The other for the non-secure world.

  • After power-on or reset, code from the secure project runs first, i.e. the processor core is executing in the ‘secure state’.
  • While in this state, configuration routines in the secure code project (either hand-written or generated via built-in IDE tools) configure regions of memory to be either non-secure or non-secure-callable. There is no need to explicitly attribute a ‘secure’ tag to a region of memory: everything is secure by default.
  • As the secure and non-secure projects are (pretty much) independent of each other, we must provide a way for code in one project to call code in the other. Two compiler attributes are provided to achieve this:

cmse_nonsecure_entry: functions in the secure world are decorated with this attribute to indicate that they are entry points for non-secure calls.

cmse_nonsecure_call: function pointers in the secure world are decorated with this attribute to indicate that the secure world wants to call into the non-secure world through them.

Linking the secure and non-secure project:

  • Any function (in the secure world) decorated with the above compiler attributes will be exported to an object file upon building the secure project (usually the object file is named PROJECTNAME_CMSE_lib.o).
  • The non-secure project uses this object file and a `veneer_table.h` header file in its build process.
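The two attributes in use, as an added example rather than code from the article or any vendor SDK: a secure-world entry function that refuses to write through a pointer unless the whole destination is non-secure memory. The host-side pieces (the NS_* macros, host_ns_sram and host_ns_range_ok) are assumptions of this example so it can run natively; under an Armv8-M toolchain built with -mcmse the real CMSE attributes and cmse_check_address_range apply instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* With an Armv8-M toolchain and -mcmse the real attributes and arm_cmse.h are
   used; on any other host they expand to nothing and a stand-in address check
   (below) lets the logic run natively. */
#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2)
#include <arm_cmse.h>
#define NS_ENTRY __attribute__((cmse_nonsecure_entry))
#define NS_CALL  __attribute__((cmse_nonsecure_call))
#define NS_RANGE_OK(p, n) \
    (cmse_check_address_range((void *)(p), (n), CMSE_NONSECURE | CMSE_MPU_READWRITE) != NULL)
#else
#define NS_ENTRY
#define NS_CALL
static int host_ns_range_ok(const void *p, size_t n);
#define NS_RANGE_OK(p, n) host_ns_range_ok((p), (n))
#endif

/* Secure-world data the non-secure side may only obtain through the entry point. */
static const uint8_t device_id[8] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04};

/* A secure-side pointer to non-secure code must carry cmse_nonsecure_call so the
   compiler emits BLXNS and clears caller-saved registers before the switch. */
typedef void (*ns_notify_t)(uint32_t status) NS_CALL;

/* Non-secure-callable entry (the build exports it via an SG veneer in
   PROJECTNAME_CMSE_lib.o). It copies the device id into a caller-supplied buffer
   only after confirming the whole destination lies in non-secure memory;
   without that check a non-secure caller could hand over a secure address and
   make the secure side overwrite its own memory. Returns bytes written or -1. */
int NS_ENTRY secure_get_device_id(uint8_t *ns_buf, size_t ns_len) {
    if (ns_buf == NULL || ns_len < sizeof device_id) return -1;
    if (!NS_RANGE_OK(ns_buf, sizeof device_id)) return -1;
    memcpy(ns_buf, device_id, sizeof device_id);
    return (int)sizeof device_id;
}

#if !(defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2))
/* Host stand-in for cmse_check_address_range: a constructed 256-byte array is
   treated as the only non-secure SRAM (an assumption for this model only). */
uint8_t host_ns_sram[256];
static int host_ns_range_ok(const void *p, size_t n) {
    uintptr_t b = (uintptr_t)p, lo = (uintptr_t)host_ns_sram;
    uintptr_t hi = lo + sizeof host_ns_sram;
    return b >= lo && b < hi && n <= hi - b;
}
#endif
```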

In summary, we’ll need the following additions (HW + SW) to fully support TrustZone-M:

  1. Two new HW blocks or on-chip peripherals called memory attribution units: the SAU and the IDAU (optional).
  2. TrustZone-aware peripherals (or controllers) to extend security to memories, peripherals and other bus masters.
  3. System bus AHB5/APB4. The AHB protocol up to AMBA4 does not support the security attribute (HNONSEC) signal.
  4. Three new instructions (SG, BLXNS, BXNS) and two interrupt vector tables.

Additionally, there are duplicated CPU peripherals (one for each world, via register banking):

  1. Two Memory Protection Units
  2. Two System Control Blocks
  3. Two SysTicks: interrupts are routed to their respective sides.

A note on Interrupt Handling:

The Nested Vectored Interrupt Controller (NVIC) is also extended for security, as state transitions can also happen due to exceptions and interrupts.

  1. Each interrupt can be configured as Secure or Non-secure, determined by the Interrupt Target Non-secure (NVIC_ITNS) register, which is only programmable in the Secure world. There are no restrictions on whether a Non-secure or Secure interrupt can take place while the processor is running Non-secure or Secure code.
  2. If the arriving exception or interrupt has the same state as the current processor state, the exception sequence is similar to that of previous M-series processors.
  3. The main difference occurs when a non-secure interrupt arrives and is handled by the processor during the execution of secure code. In this case, the processor automatically pushes all secure context onto the secure stack and erases the contents of the register banks; this mechanism avoids any leakage of information.

**It is possible to deprioritize non-secure interrupts by setting the PRIS bit field of the Application Interrupt and Reset Control Register (AIRCR), or even to avoid handling them while the secure software is running (through the PRIMASK_NS register).

Rust Support for TrustZone-M:

  1. For now, TrustZone-M is fully supported by a few semiconductor vendors (NXP’s LPC55S69, Microchip’s SAML11, Nordic’s nRF9160, ST’s STM32L5), but all of them (only) offer C toolchains for TZ-related development.
  2. In order to better realize the value that TrustZone has to offer, we could combine TrustZone’s HW-based security mechanisms with Rust’s memory safety guarantees to create more secure runtime environments (or Trusted Execution Environments). As an example, think of a scenario where we host ‘Rusty drivers for secure elements or TPMs’ in the secure world. In theory, we could write memory-safe drivers for security-sensitive applications (assuming no unsafe code is used, or that formal proofs exist for the unsafe parts of your code).
  3. Rust’s open-source community is working on adding support for the two compiler attributes to the Rust compiler, and support for the new hardware peripherals via additions to the ‘cortex-m’ crate. You can find the first pull request for cmse_nonsecure_entry here: https://github.com/rust-lang/rust/pull/75810

Translated from: https://medium.com/swlh/demystifying-arm-trustzone-for-microcontrollers-and-a-note-on-rust-support-54efc62c290
