PRESS Release

DAVE Embedded Systems

SafeG TOPPERS RTOS on Xilinx Zynq (DAVE Embedded Systems' BORA module) with Trust

Zone support

Porcia, ITALY – November, 2014 - DAVE Embedded Systems is proud to announce the availability of SafeG running

on BORA System On Module.

DAVE Embedded Systems has ported and positively tested the dual-OS monitor SafeG with TrustZone support on

Bora module:

- dual OS SMP (Symmetric Multi Processing) configuration;

- Linux OS running in the untrusted zone;

- FMP running in the trusted zone (FMP is an open-source multicore RTOS compliant to ITRON 4.0 standard Profile).

DAVE Embedded Systems has also successfully carried out the following examples of communication involving two

OS instances (trusted ↔ untrusted, both running in Multicore configuration):

- between two FMP istances

- between Linux and FMP instances

SafeG (Safety Gate) is a dual-OS monitor designed to concurrently execute an RTOS (Real-Time Operating System)

and a GPOS (General-Purpose Operating System) on the same hardware platform. SafeG's architecture takes

advantage of the ARM TrustZone security extensions which introduce the concept of Trust and Non-Trust states

• Trust state provides similar behavior to existing privileged and user mode levels in ARM processors.

• On the other hand, code running under Non-Trust state, even in privileged mode, cannot access memory

space (devices included) that was allocated for Trust state usage, nor can it execute certain instructions that

are considered critical.

In order to control the TrustZone state, a new mode called "Secure Monitor" mode has been added to the processor.

Switching between Trust and Non-Trust state is performed under Security Monitor mode by SafeG with interrupts

disabled.

DAVE Srl, via Talponedo, 29/A, 33080 Porcia (PN), Italy

Tel. +39.0434921215 - Fax +39.04341994030

E-mail: info@dave.eu

http:// www.dave.eu

Fig.1 SafeG architecture

The following are the main properties of SafeG's architecture:

1. It allows running an RTOS and a GPOS concurrently on top of the same processor.

2. RTOS memory and devices are protected from illegal accesses by the GPOS. This is supported by

configuring resources used by the RTOS to be accessible only from Trust state. The remaining resources are

configured to be accessible both from Trust and Non-Trust state.

3. RTOS real-time requirements are guaranteed. Time isolation of the RTOS activities is supported by carefully

allocating two types of interrupt (i.e.: FIQ and IRQ) to each TrustZone state

• FIQ interrupts are forwarded to the RTOS.

• IRQ interrupts are forwarded to the GPOS.

In Trust state, IRQs are disabled so that the GPOS cannot interrupt the execution of the RTOS. For that

reason, the GPOS only executes upon an explicit request by the RTOS. This is achieved through the Secure

Monitor Call (SMC) instruction. On the other hand, during the GPOS execution, FIQs are enabled so that the

RTOS can recover the control of the processor (e.g.: through the FIQ associated to the system timer).

TrustZone is configured to prevent the Non-Trust side from disabling FIQ interrupts.

4. It takes advantage of hardware extensions to achieve very low execution overhead.

5. The GPOS does not require major code modifications. Except for device and memory usage configuration,

the GPOS can be considered to be executed under full virtualization.

6. SafeG's code footprint is extremely small and it runs with interrupts disabled which can smooth critical

system's certification.

Trademark:

DAVE Embedded Systems is a well-established and constantly growing Italian company, focused on designing,

manufacturing and selling of miniaturized embedded systems solutions. Since its foundation, back in 1998, DAVE

1 http://www.toppers.jp/en/imgs/safeg-arch-english.png

2 http://www.toppers.jp/en/

DAVE Srl, via Talponedo, 29/A, 33080 Porcia (PN), ITALY

Tel. +39.0434921215 - Fax +39.04341994030

E-mail: info@dave.eu

http:// www.dave.eu