Step 1: Armv8-M TrustZone® Security Model, Secure Gateway and Memory Mapping

Last modified by Microchip on 2026/06/30 14:56

Arm® TrustZone® for Armv8-M Security Model

The Armv8-M TrustZone security model provides hardware-based separation between Secure and Non-Secure execution environments within microcontrollers such as the PIC32CM LS00 used on the PIC32CM LS00 Curiosity Nano+ Touch Evaluation Kit. It protects critical memory regions, peripherals, and functions from unauthorized access. Secure code manages access through Secure Gateway functions, while Non-Secure code operates with restricted permissions. Any illegal access attempt triggers a SecureFault or HardFault exception, ensuring robust system isolation. This architecture enhances reliability and security in embedded applications.

Divides the system into Secure and Non-Secure states.

Uses the Implementation Defined Attribution Unit (IDAU) to define memory and peripheral security attributes.

Allows controlled access through Non-Secure Callable (NSC) functions.

Generates hardware faults for unauthorized Secure access attempts.


Secure Gateway on Armv8-M

In the Armv8-M TrustZone architecture, the Secure Gateway (SG) instruction provides a controlled mechanism for Non-Secure code to access approved Secure functions. It ensures that transitions from the Non-Secure state to the Secure state occur only through predefined entry points located in the NSC region. When a Secure function is declared using the cmse_nonsecure_entry attribute, the compiler automatically inserts the SG instruction at the function entry. During execution, the processor validates the transition, switches to the Secure state, and enforces Secure memory access rules. This mechanism prevents unauthorized jumps into Secure memory and maintains strict hardware isolation between the two security domains.

Only functions placed in the Non-Secure Callable (NSC) region and beginning with the SG instruction can be accessed from the Non-Secure domain.

Any attempt by Non-Secure code to directly access Secure memory or functions without passing through the SG instruction results in a SecureFault or HardFault exception.
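The following is an added example, not code from Microchip or from this tutorial's project. It shows the Secure side of the mechanism described above: a service function marked with the cmse_nonsecure_entry attribute, so the toolchain emits an SG-prefixed veneer in the NSC region, together with the check a Secure entry point should perform on any pointer handed in by Non-Secure code before dereferencing it (otherwise Non-Secure code could use the Secure service to read or write Secure memory on its behalf). When compiled with an Armv8-M toolchain and -mcmse, the real arm_cmse.h API cmse_check_address_range is used; on any other compiler a small host model with two constructed buffers stands in for Secure and Non-Secure SRAM so the logic can be run. The function name secure_read_status, the status record contents and the model buffer sizes are all assumptions made for the example.

```c
/*
 * Added example (not Microchip's code): a Secure-side Non-Secure Callable
 * entry function that validates a Non-Secure-supplied buffer before use.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2)
/* Real target build (-mcmse): the compiler places an SG veneer for every
 * cmse_nonsecure_entry function in the NSC region and generates the
 * state-switch sequence on entry and return. */
#include <arm_cmse.h>
#define NSC_ENTRY __attribute__((cmse_nonsecure_entry))
/* True only if the whole range is Non-Secure and writable by the NS MPU. */
#define NS_RANGE_OK(p, n) \
    (cmse_check_address_range((void *)(p), (n), CMSE_NONSECURE | CMSE_MPU_READWRITE) != NULL)
#else
/* Host model: two constructed buffers stand in for Secure and Non-Secure
 * SRAM. This is NOT the PIC32CM LS00 memory map; it only lets the check run. */
#define NSC_ENTRY
static uint8_t model_s_sram[64];   /* hypothetical Secure SRAM */
static uint8_t model_ns_sram[64];  /* hypothetical Non-Secure SRAM */

uint8_t *model_s_buffer(void)  { return model_s_sram; }
uint8_t *model_ns_buffer(void) { return model_ns_sram; }

/* Model of the attribution check: the range [p, p+n) must lie entirely in
 * the Non-Secure region. Empty and address-wrapping ranges are rejected. */
static int model_range_in_nonsecure(const void *p, size_t n)
{
    uintptr_t lo = (uintptr_t)model_ns_sram;
    uintptr_t hi = lo + sizeof model_ns_sram;
    uintptr_t a  = (uintptr_t)p;
    if (n == 0 || a + n < a) return 0;
    return a >= lo && a + n <= hi;
}
#define NS_RANGE_OK(p, n) model_range_in_nonsecure((p), (n))
#endif

/* Constructed Secure-owned record that the service exposes to NS callers. */
static const uint8_t k_secure_status[8] = { 0xA5, 0x01, 0x00, 0x10, 0x20, 0x30, 0x40, 0x5A };

/* Secure service callable from the Non-Secure world. Copies the status
 * record into a caller-owned buffer. Returns 0 on success, -1 if the buffer
 * is too small or is not entirely Non-Secure; the buffer is never touched
 * in the failure case, so the service cannot be used to write Secure memory. */
int NSC_ENTRY secure_read_status(uint8_t *dst, size_t len)
{
    if (dst == NULL || len < sizeof k_secure_status) return -1;
    if (!NS_RANGE_OK(dst, sizeof k_secure_status)) return -1;
    memcpy(dst, k_secure_status, sizeof k_secure_status);
    return 0;
}

#if !(defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2))
int main(void)
{
    uint8_t *ns = model_ns_buffer();
    uint8_t *s  = model_s_buffer();
    printf("NS buffer:              %d\n", secure_read_status(ns, 8));      /* 0  */
    printf("Secure buffer:          %d\n", secure_read_status(s, 8));       /* -1 */
    printf("straddles NS boundary:  %d\n", secure_read_status(ns + 60, 8)); /* -1 */
    printf("too short:              %d\n", secure_read_status(ns, 4));      /* -1 */
    return 0;
}
#endif
```

On the target, the linker must place the generated veneers in the NSC Flash region described in this tutorial (GCC emits them in the .gnu.sgstubs section when linking with --cmse-implib), and the Non-Secure project links against the import library so that it calls the SG veneer rather than the function body. The pointer check matters because the hardware only protects the transition itself: once in the Secure state the service runs with Secure privileges, so any address it is asked to use must be re-attributed before the first access.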


Memory Mapping on Armv8-M

The Armv8-M architecture on the PIC32CM LS00 Curiosity Nano+ Touch Evaluation Kit provides hardware-enforced memory separation for Secure, Non-Secure, and Non-Secure Callable regions. The Flash BOOT region, starting at address 0x00000000, is protected by BOOTPROT and includes both Secure and Non-Secure Callable areas, with the Non-Secure Callable region located adjacent to Secure Flash. The Flash APPLICATION region is used for application code and is similarly divided into Secure and Non-Secure Callable sections. This memory mapping ensures proper isolation and supports TrustZone security, protecting critical resources and enabling controlled cross-domain communication.

The Flash BOOT region contains Secure and Non-Secure Callable memory, starting at 0x00000000.

The Flash APPLICATION region is partitioned into Secure and Non-Secure Callable areas for application code.

Non-Secure Callable regions are placed adjacent to Secure regions to enable controlled access.

TrustZone memory mapping enforces isolation and security between Secure and Non-Secure execution domains.