Secure Services¶
Secure Services are functions implemented in the Secure Firmware (Secure Partition Manager), but made available to be called from the Non-Secure Firmware.
Calling functions in this API requires that the service is enabled in the Secure Partition Manager.
See CONFIG_SPM_SECURE_SERVICES in the Secure Partition Manager’s menuconfig.
Some services are enabled by default.
By default CONFIG_SPM_BLOCK_NON_SECURE_RESET is disabled. This is to make sure that your debugger will be able to issue a system reset during the development stage and that devices which do not have pin-reset routed can do a re-flashing routine correctly. This option should be turned off when you are putting a product into production to increase the security of your device.
API documentation¶
include/secure_services.hsubsys/spm/secure_services.c (compiled into the Secure Partition Manager)-
group
secure_services Secure services available to the Non-Secure Firmware.
The Secure Services provide access to functionality controlled by the Secure Firmware.
Defines
-
NRF_NSE(ret, name, ...)¶ Implement a wrapper function around a secure_service.
This function must reside in the non-secure binary. It makes the secure service thread safe by locking the scheduler while the service is running. The scheduler locking is done via TZ_THREAD_SAFE_NONSECURE_ENTRY_FUNC().
The macro implements of the wrapper function. The wrapper function has the same function signature as the secure service.
- Parameters
ret: The return type of the secure service and the wrapper function.name: The name of the wrapper function. The secure service is assumed to be named the same, but with the suffix ‘_nse’. E.g. the wrapper function foo() wraps the secure service foo_nse()....: The arguments of the secure service and the wrapper function, as they would appear in a function signature, i.e. type and name.
Functions
-
void
spm_request_system_reboot(void)¶ Request a system reboot from the Secure Firmware.
Rebooting is not available from the Non-Secure Firmware.
-
int
spm_request_random_number(uint8_t *output, size_t len, size_t *olen)¶ Request a random number from the Secure Firmware.
This provides a True Random Number from the on-board random number generator.
- Note
Currently, the RNG hardware is run each time this is called. This spends significant time and power.
- Parameters
[out] output: The random number. Must be at leastlenlong.[in] len: The length of the output array. Currently,lenmust be 144.[out] olen: The length of the random number provided.
- Return Value
0: If successful.-EINVAL: Iflenis invalid. Currently,lenmust be 144.
-
int
spm_request_read(void *destination, uint32_t addr, size_t len)¶ Request a read operation to be executed from Secure Firmware.
- Parameters
[out] destination: Pointer to destination array where the content is to be copied.[in] addr: Address to be copied from.[in] len: Number of bytes to copy.
- Return Value
0: If successful.-EINVAL: If destination is NULL, or if len is <= 0.-EPERM: If source is outside of allowed ranges.
-
int
spm_firmware_info(uint32_t fw_address, struct fw_info *info)¶ Search for the fw_info structure in firmware image located at address.
- Parameters
[in] fw_address: Address where firmware image is stored.[out] info: Pointer to where found info is stored.
- Return Value
0: If successful.-EINVAL: If info is NULL.-EFAULT: If no info is found.
-
int
spm_prevalidate_b1_upgrade(uint32_t dst_addr, uint32_t src_addr)¶ Prevalidate a B1 update
This is performed by the B0 bootloader.
- Parameters
[in] dst_addr: Target location for the upgrade. This will typically be the start address of either S0 or S1.[in] src_addr: Current location of the upgrade.
- Return Value
1: If the upgrade is valid.0: If the upgrade is invalid.-ENOTSUP: If the functionality is unavailable.
-
void
spm_busy_wait(uint32_t busy_wait_us)¶ Busy wait in secure mode (debug function)
This function is for writing tests that require the execution to be in secure mode
- Parameters
[in] busy_wait_us: The number of microseconds to wait for.
-