CMSIS-Zone  Version 1.2.0-alpha
System Resource Management
 All Files Pages

This single processor demo application shows how to do the TrustZone Partitioning. It is split into a secure and non-secure part. Using CMSIS-Zone, it generates:

  • A header file that contains #defines to control the various linker scatter files (and might be used in other parts of the application).
  • Memory protection controller (MPC) setup.
  • Peripheral protection controller (PPC) and related interrupt setup.
  • Secure attribution unit (SAU) setup.

The application itself shows how to implement calls between the secure and the non-secure part.

Using the CMSIS-Zone project

  • Import the project "Examples\LPC55S69\Zone" into the CMSIS-Zone utility
  • Open the LPC55S69.azone file
  • Generate the related output files

The LPC55S69.azone file of that project has the following configuration settings:

  • Added the zones hello_world_s and hello_worls_ns
  • Created the memory regions CODE_NS, Config, CODE_S, Veneer, DATA_NS, and DATA_S
  • Selected various memory regions and peripherals for using in the different zones:

The zones use different Flash and SRAM regions for code and data, but share Flash configuration registers. Peripherals, such as the system and IO configuration, as well as an UART are available in the secure world only. To generate the output, click on the Generate button in the Zone Editor tool bar. This creates the following files in the ftl_gen directory:

Template File Generated File Description
dump_fzone.txt.ftl dump_fzone.txt Contains the complete model
helper.ftlinc N/A Helper template file with FTL functions.
mem_layout.h.ftl mem_layout.h Header file that contains the memory region definitions, for example for the linker scatter file.
scatter_ns.sct.ftl scatter_ns.sct Example scatter file for the non-secure zone (currently not used in MDK).
scatter_s.sct.ftl scatter_s.sct Example scatter file for the secure zone (currently not used in MDK).
tzm_config_mpc.c.ftl tzm_config_mpc.c Setup of the memory protection controller (MPC).
tzm_config_ppc.c.ftl tzm_config_ppc.c Setup of the peripheral protection controller (PPC).
tzm_config_sau.c.ftl tzm_config_sau.c Configuration of the secure attribution unit (SAU) and the NVIC interrupt assignment.

These files can be used in any IDE to create the final application. In the following, the usage in Arm Keil MDK is described.

Using the MDK project

The example project can be loaded, built and debugged in ┬ÁVision by performing the following steps:

  1. Navigate to Examples/LPC55S69/MDK
  2. Open the multi-project workspace hello_world.uvmpw
  3. Optional: Update the generated files by executing the copy_gen.bat scripts in hello_world_s\mdk and hello_world_ns\mdk folders.
  4. Run the batch build in MDK. Both projects, hello_world_s and hello_world_ns need to be compiled in order.
  5. Set hello_world_s as active project.
  6. Connect the LPC55S69-EVK using a Micro-USB cable at Debug Link (P6).
  7. Open Options for Target - Debug and make sure that the CMSIS-DAP ARMv8-M Debugger is selected and the LPC-LINK2 is used.
  8. Optional: Open a serial terminal program (i.e. PuTTY) on the virtual serial port provided in parallel to the debugger (e.g. USB Serial Device). Configure the port to 115200/8N1.
  9. Launch a debug session and watch the serial console output:

MDK project setup

The multiproject workspace contains the secure hello_world_s project and the non-secure hello_world_ns project:


The projects use the files generated in CMSIS-Zone as follows:

File Used in Description
mem_layout.h hello_world_s, hello_world_ns Input for the scatter files.
tzm_config_mpc.c hello_world_s Functions called from tzm_config.c
tzm_config_ppc.c hello_world_s Functions called from tzm_config.c
tzm_config_sau.c hello_world_s Functions called from tzm_config.c

The scatter files hello_world_s.sct and hello_world_ns.sct are based on the original scatter files from NXP and are using a preinclude to mem_layout.h to get the information about the different memory regions.

If you want to learn more about the general project layout for an Armv8-M project using TrustZone, refer to Application Note 291.


As explained previously, the #defines in mem_layout.h can be used to create generic scatter files that are easy to update once changes in the CMSIS-Zone project happen. Using the mem_layout.h file from CMSIS-Zone, the following scatter file is used in the secure hello_world project:

; Use Arm compiler 6 to pre-process the scatter file and pull in the defines from the mem_layout.h file:
#! armclang -E --target=arm-arm-none-eabi -mcpu=cortex-m33 -I../ -xc
#include "mem_layout.h"
; *------- <<< Use Configuration Wizard in Context Menu >>> ------------------
;<h> Stack Configuration
; <o> Stack Size (in Bytes) <0x0-0xFFFFFFFF:8>
#define STACK_SIZE 0x400
;<h> Heap Configuration
; <o> Heap Size (in Bytes) <0x0-0xFFFFFFFF:8>
#define HEAP_SIZE 0xC00
; *-------------- <<< end of configuration section >>> -----------------------
.ANY (+RO, +XO)
.ANY (+RW +ZI)

TrustZone Setup at Startup

During the system initialization, the function SystemInitHook is called. This is used when application specific code needs to be called as close to the reset entry as possible. In this example, this function calls BOARD_InitTrustZone, which calls the three TZM_Config_* functions: