PRESS Release
DAVE Embedded Systems
SafeG TOPPERS RTOS on Xilinx Zynq (DAVE Embedded Systems' BORA module) with Trust
Zone support
Porcia, ITALY – November, 2014 - DAVE Embedded Systems is proud to announce the availability of SafeG running
on BORA System On Module.
DAVE Embedded Systems has ported and positively tested the dual-OS monitor SafeG with TrustZone support on
Bora module:
- dual OS SMP (Symmetric Multi Processing) configuration;
- Linux OS running in the untrusted zone;
- FMP running in the trusted zone (FMP is an open-source multicore RTOS compliant to ITRON 4.0 standard Profile).
DAVE Embedded Systems has also successfully carried out the following examples of communication involving two
OS instances (trusted untrusted, both running in Multicore configuration):
- between two FMP istances
- between Linux and FMP instances
SafeG (Safety Gate) is a dual-OS monitor designed to concurrently execute an RTOS (Real-Time Operating System)
and a GPOS (General-Purpose Operating System) on the same hardware platform. SafeG's architecture takes
advantage of the ARM TrustZone security extensions which introduce the concept of Trust and Non-Trust states
Trust state provides similar behavior to existing privileged and user mode levels in ARM processors.
On the other hand, code running under Non-Trust state, even in privileged mode, cannot access memory
space (devices included) that was allocated for Trust state usage, nor can it execute certain instructions that
are considered critical.
In order to control the TrustZone state, a new mode called "Secure Monitor" mode has been added to the processor.
Switching between Trust and Non-Trust state is performed under Security Monitor mode by SafeG with interrupts
disabled.
DAVE Srl, via Talponedo, 29/A, 33080 Porcia (PN), Italy
Tel. +39.0434921215 - Fax +39.04341994030
E-mail: info@dave.eu
http:// www.dave.eu
Fig.1 SafeG architecture
1
2
The following are the main properties of SafeG's architecture:
1. It allows running an RTOS and a GPOS concurrently on top of the same processor.
2. RTOS memory and devices are protected from illegal accesses by the GPOS. This is supported by
configuring resources used by the RTOS to be accessible only from Trust state. The remaining resources are
configured to be accessible both from Trust and Non-Trust state.
3. RTOS real-time requirements are guaranteed. Time isolation of the RTOS activities is supported by carefully
allocating two types of interrupt (i.e.: FIQ and IRQ) to each TrustZone state
FIQ interrupts are forwarded to the RTOS.
IRQ interrupts are forwarded to the GPOS.
In Trust state, IRQs are disabled so that the GPOS cannot interrupt the execution of the RTOS. For that
reason, the GPOS only executes upon an explicit request by the RTOS. This is achieved through the Secure
Monitor Call (SMC) instruction. On the other hand, during the GPOS execution, FIQs are enabled so that the
RTOS can recover the control of the processor (e.g.: through the FIQ associated to the system timer).
TrustZone is configured to prevent the Non-Trust side from disabling FIQ interrupts.
4. It takes advantage of hardware extensions to achieve very low execution overhead.
5. The GPOS does not require major code modifications. Except for device and memory usage configuration,
the GPOS can be considered to be executed under full virtualization.
6. SafeG's code footprint is extremely small and it runs with interrupts disabled which can smooth critical
system's certification.
Trademark:
DAVE Embedded Systems is a well-established and constantly growing Italian company, focused on designing,
manufacturing and selling of miniaturized embedded systems solutions. Since its foundation, back in 1998, DAVE
1 http://www.toppers.jp/en/imgs/safeg-arch-english.png
2 http://www.toppers.jp/en/
DAVE Srl, via Talponedo, 29/A, 33080 Porcia (PN), ITALY
Tel. +39.0434921215 - Fax +39.04341994030
E-mail: info@dave.eu
http:// www.dave.eu