4.5.5. Booting Linux in a Non-secure state

Booting Linux in a Non-secure state requires a number of additional configuration steps. The system's boot code performs these steps while it is still in a Secure state.

To boot Linux in a Non-secure state, you must configure the system to allow Non-secure (NS) access to the following peripherals and memory used by Linux:

Interrupt controller

If you are using a GIC, you must configure it while still in a Secure state.

  • Interrupt Security Register, ICDISR{n}, used to set which interrupt IDs are available in a Non-secure state.

  • Interrupt Priority Mask Register, ICCPMR, shared between a Non-secure and Secure state. Before the Non-secure state can access the register, the Secure state must write a value greater than 0x80 to it.

    For more information, refer to section 4.2.1 Non-secure access to register fields for Secure interrupt priorities of the ARM® Generic Interrupt Controller Architecture Specification (ARM IHI 0048A).

Memory Map

Most TrustZone-enabled systems include a TrustZone Protection Controller (TZPC) or something similar. You can use it to set which address regions are accessible in the Non-secure state. It must be configured before entering the Non-secure state.

The Real-Time System Models (RTSMs) do not include a TZPC, so this step can be skipped.

CPU Specifics

CP15 includes three TrustZone configuration registers:

  • Non-secure Access Control Register (NSACR).

    This register controls Non-secure state access to coprocessors such as VFP and NEON, and TLB lock down. On the Cortex-A8, it also controls access to the PLE and L2 cache lock down. On Cortex-A5 and Cortex-A9, it controls access to the ACTLR.SMP bit.

    To boot Linux, you must enable access to at least the VFP and NEON if Linux is built to use them.

  • Secure Debug Enable Register (SDER).

    This register controls debug access. You do not have to change the default value to boot Linux on the RTSMs.

  • Secure Configuration Register (SCR).

    This register controls exception behavior and which state the core is currently in. The NS bit must be set to switch the core into the Non-secure state. This step must be performed when you have completed all the other configuration steps.

The core is now in a Non-secure state, with the GIC configured to allow Non-secure state interrupts.
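The sequence above, written out in C as an added example (not code from the ARM application note). It assumes an ARMv7-A core and a memory-mapped GIC with the architectural offsets ICDICTR 0x004 and ICDISR 0x080 in the distributor and ICCPMR 0x004 in the CPU interface. The function names, the `secure_ids` list of interrupts kept Secure, and the ICCPMR value 0xff are choices made for illustration.

```c
#include <stdint.h>

/* Word indexes into the GIC distributor and CPU interface register blocks. */
#define GICD_ICDICTR    (0x004 / 4)  /* ITLinesNumber in bits [4:0] */
#define GICD_ICDISR     (0x080 / 4)  /* one bit per interrupt ID, 1 = Non-secure */
#define GICC_ICCPMR     (0x004 / 4)  /* priority mask, shared by both states */
#define NSACR_CP10_CP11 ((1u << 10) | (1u << 11))  /* VFP and NEON access */
#define SCR_NS          (1u << 0)

/* Hand every interrupt ID to the Non-secure state except those listed in
 * secure_ids (assumed list of IDs the Secure software keeps for itself),
 * then open the priority mask. Returns the number of ICDISR{n} words written. */
unsigned gic_prepare_ns(volatile uint32_t *gicd, volatile uint32_t *gicc,
                        const unsigned *secure_ids, unsigned n_secure)
{
    unsigned words = (gicd[GICD_ICDICTR] & 0x1f) + 1;  /* 32 IDs per word */
    for (unsigned n = 0; n < words; n++) {
        uint32_t ns = 0xffffffffu;
        for (unsigned i = 0; i < n_secure; i++)
            if (secure_ids[i] / 32 == n)
                ns &= ~(1u << (secure_ids[i] % 32));
        gicd[GICD_ICDISR + n] = ns;
    }
    gicc[GICC_ICCPMR] = 0xff;  /* greater than 0x80, so NS can use the register */
    return words;
}

/* Pure helpers so the bit choices can be checked off-target. */
uint32_t nsacr_allow_vfp_neon(uint32_t nsacr) { return nsacr | NSACR_CP10_CP11; }
uint32_t scr_set_ns(uint32_t scr)             { return scr | SCR_NS; }

#if defined(__arm__)
/* Secure privileged code only. Call after the GIC (and the TZPC, if the
 * platform has one) is configured: setting SCR.NS is the final step. */
void cpu_enter_ns(void)
{
    uint32_t v;
    __asm__ volatile("mrc p15, 0, %0, c1, c1, 2" : "=r"(v));   /* read NSACR */
    v = nsacr_allow_vfp_neon(v);
    __asm__ volatile("mcr p15, 0, %0, c1, c1, 2" :: "r"(v));   /* write NSACR */
    __asm__ volatile("mrc p15, 0, %0, c1, c1, 0" : "=r"(v));   /* read SCR */
    v = scr_set_ns(v);
    __asm__ volatile("mcr p15, 0, %0, c1, c1, 0\n\tisb" :: "r"(v) : "memory");
}
#endif
```

ICDISR0 covers the banked SGIs and PPIs, so on a multi-core system each core has to run the GIC step for itself.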

Copyright © 2014 ARM. All rights reserved. ARM DAI0425. Non-Confidential. ID080414