Secure Services¶
Secure Services are functions implemented in the Secure Firmware (Secure Partition Manager), but made available to be called from the Non-Secure Firmware.
Calling functions in this API requires that the service is enabled in the Secure Partition Manager.
See CONFIG_SPM_SECURE_SERVICES
in the Secure Partition Manager’s menuconfig.
Some services are enabled by default.
By default CONFIG_SPM_BLOCK_NON_SECURE_RESET
is disabled. This is to make sure that your debugger will be able to issue a system reset during the development stage and that devices which do not have pin-reset routed can do a re-flashing routine correctly. This option should be turned off when you are putting a product into production to increase the security of your device.
API documentation¶
include/secure_services.h
subsys/spm/secure_services.c
(compiled into the Secure Partition Manager)-
group
secure_services
Secure services available to the Non-Secure Firmware.
The Secure Services provide access to functionality controlled by the Secure Firmware.
Defines
-
NRF_NSE
(ret, name, ...)¶ Implement a wrapper function around a secure_service.
This function must reside in the non-secure binary. It makes the secure service thread safe by locking the scheduler while the service is running. The scheduler locking is done via TZ_THREAD_SAFE_NONSECURE_ENTRY_FUNC().
The macro implements of the wrapper function. The wrapper function has the same function signature as the secure service.
- Parameters
ret
: The return type of the secure service and the wrapper function.name
: The name of the wrapper function. The secure service is assumed to be named the same, but with the suffix ‘_nse’. E.g. the wrapper function foo() wraps the secure service foo_nse()....
: The arguments of the secure service and the wrapper function, as they would appear in a function signature, i.e. type and name.
Functions
-
void
spm_request_system_reboot
(void)¶ Request a system reboot from the Secure Firmware.
Rebooting is not available from the Non-Secure Firmware.
-
int
spm_request_random_number
(uint8_t *output, size_t len, size_t *olen)¶ Request a random number from the Secure Firmware.
This provides a True Random Number from the on-board random number generator.
- Note
Currently, the RNG hardware is run each time this is called. This spends significant time and power.
- Parameters
[out] output
: The random number. Must be at leastlen
long.[in] len
: The length of the output array. Currently,len
must be 144.[out] olen
: The length of the random number provided.
- Return Value
0
: If successful.-EINVAL
: Iflen
is invalid. Currently,len
must be 144.
-
int
spm_request_read
(void *destination, uint32_t addr, size_t len)¶ Request a read operation to be executed from Secure Firmware.
- Parameters
[out] destination
: Pointer to destination array where the content is to be copied.[in] addr
: Address to be copied from.[in] len
: Number of bytes to copy.
- Return Value
0
: If successful.-EINVAL
: If destination is NULL, or if len is <= 0.-EPERM
: If source is outside of allowed ranges.
-
int
spm_s0_active
(uint32_t s0_address, uint32_t s1_address, bool *s0_active)¶ Check if S0 is the active B1 slot.
- Parameters
[in] s0_address
: Address of s0 slot.[in] s1_address
: Address of s1 slot.[out] s0_active
: Set to ‘true’ if s0 is active slot, ‘false’ otherwise
- Return Value
0
: If successful.-EINVAL
: If info for both slots are NULL.
-
int
spm_firmware_info
(uint32_t fw_address, struct fw_info *info)¶ Search for the fw_info structure in firmware image located at address.
- Parameters
[in] fw_address
: Address where firmware image is stored.[out] info
: Pointer to where found info is stored.
- Return Value
0
: If successful.-EINVAL
: If info is NULL.-EFAULT
: If no info is found.
-
int
spm_prevalidate_b1_upgrade
(uint32_t dst_addr, uint32_t src_addr)¶ Prevalidate a B1 update
This is performed by the B0 bootloader.
- Parameters
[in] dst_addr
: Target location for the upgrade. This will typically be the start address of either S0 or S1.[in] src_addr
: Current location of the upgrade.
- Return Value
1
: If the upgrade is valid.0
: If the upgrade is invalid.-ENOTSUP
: If the functionality is unavailable.
-
void
spm_busy_wait
(uint32_t busy_wait_us)¶ Busy wait in secure mode (debug function)
This function is for writing tests that require the execution to be in secure mode
- Parameters
[in] busy_wait_us
: The number of microseconds to wait for.
-