Secure Partition Manager (SPM)¶
The Secure Partition Manager (SPM) provides functionality for the Trusted Execution Environment of the nRF9160 and the nRF5340.
The Cortex-M33 CPU in the nRF9160 and nRF5340 devices implements ARM TrustZone, which means it can run a “secure” and a “non-secure” app side by side. The SPM, being the secure app, is responsible for configuring the permissions and resources of the non-secure app and then booting it. Such configuration is required to run non-secure apps. The SPM also provides the non-secure app with access to features (Secure Services) that are normally only available to secure apps.
The SPM library is used in the Secure Partition Manager sample.
The Secure Partition Manager (SPM) uses the SPU peripheral to configure security attributions for the flash, SRAM, and peripherals. Note that the SPU peripheral is the nRF version of an IDAU (Implementation-Defined Security Attribution Unit).
Use Kconfig to configure the security attributions for the peripherals.
Modify the source code of the SPM subsystem to configure the security attributions of SRAM.
If Partition Manager is used, the security attributions of the flash regions are deduced from the generated file
Otherwise, the security attributions of the flash regions are deduced from devicetree information.
For SRAM and peripherals, the following security attribution configuration is applied:
- SRAM (256 kB)
Lower 64 kB: Secure
Upper 192 kB: Non-Secure
- Peripherals configured as Non-Secure
GPIO (and GPIO pins)
The SPM by default provides certain Secure Services to the Non-Secure Firmware. See Secure Services for more information.
Secure Partition Manager (SPM).
The Secure Partition Manager (SPM) provides functions for configuring the security attributes of flash, RAM, and peripherals.
Jump to non-secure partition.
This function extracts the VTOR_NS from DT_FLASH_AREA_IMAGE_0_NONSECURE_OFFSET_0 and configures the MSP accordingly before jumping to VTOR_NS.
Configure security attributes of flash, RAM, and peripherals.
This function reads the security attribute options set for peripherals in Kconfig. The RAM and flash partitioning is configured statically.