TrustZone, options to access internal flash asynchronously

I am currently working w/ a project that utilizes TrustZone and PSA Protected Storage to read/write to internal flash that's accessible only in the secure partition (I'm using the flash to store data like states, configurations of peripherals, etc). However, I noticed the writes take a while (around 1-2ish seconds) and seem to be blocking calls. The project I'm working on needs to perform actions every 2-3ms, such as reading from peripherals, encrypting data, sending data w/ the radio, etc. so this behavior will not work for our requirements.

What options for flash read/write are available that are non-blocking, yet also in TrustZone?

  1. Are there any Kconfig options, flags during function calls, etc. that can fix this issue and allow me to continue using PSA PS?
  2. Does PSA PS handle timeslots i.e., MPSL? Is there anything related to timeslots that I can try on my project to prioritize the 'every 2-3ms activity' over flash reads/writes?
  3. Would NVS be accessible in TrustZone?
    1. We used NVS in a prototype, before we introduced TrustZone. It would be ideal to reuse this.
  4. What other options are there that we can consider?
  • Hi,

    Which board and which NCS version do you use?

    How did you measure that 1-2 seconds are required for writing to the flash?

    Which calls get blocked?

    Are there any Kconfig options, flags during function calls, etc. that can fix this issue and allow me to continue using PSA PS?

    Are you not able to use it at all? Can you elaborate how you tried to use PSA PS and why you are not able to use it?

    Does PSA PS handle timeslots i.e., MPSL? Is there anything related to timeslots that I can try on my project to prioritize the 'every 2-3ms activity' over flash reads/writes?

    It does not look like MPSL (i.e. having PSA calls inside timeslots) could help in this case. MPSL is running on the network core, which does not have a secure/non-secure split. Where are you calling PSA functions from?

    Would NVS be accessible in TrustZone?
    1. We used NVS in a prototype, before we introduced TrustZone. It would be ideal to reuse this.

    There is a blog which lists storage alternatives for data.

    Best regards,
    Dejan

  • I'm using an nRF5340DK, Windows 10 machine, VS Code IDE, and NCS v2.5.0. The examples I based my code off of are located at nrf/samples/tfm/tfm_secure_peripheral and at zephyr/samples/tfm_integration/psa_protected_storage

    Time measurements were very rough, but I have a part of the project that writes about 10-15 default values at the very beginning (some are 1-2 bytes, others maybe 100 bytes). It took roughly 30 seconds for all of them to finish, so I estimated roughly 1-2 seconds per write. Still working on getting a logic analyzer hooked up for more detailed timing.

    • I believe the write calls, psa_ps_set(), are doing the blocking. Seems like the read calls, psa_ps_get(), do this as well? Not 100% sure yet; still confirming it w/ logic analyzer, though I'm pretty certain it's the flash reads/writes.
    • It's not that I cannot use PSA PS at all. PSA PS has been used as described above, and works fine, all except for the timing. I'm asking if there are Kconfig options and such to fix my timing issue; otherwise I would be forced to find another library/API.
    • As I tried to explain in my original post, I'm calling PSA functions from within the secure partition, so that I can read/write to the secure partition.

    I found the blog earlier as well but it seems to imply PSA PS as the only option for what can be used in TrustZone (i.e., the only one providing isolation and encryption). I wanted to ask if this was accurate. Also, the post is over a year old, so I wanted to see if there have been any updates since then.

  • Hi,

    esmart-engineering said:
    I found the blog earlier as well but it seems to imply PSA PS as the only option for what can be used in TrustZone (i.e., the only one providing isolation and encryption). I wanted to ask if this was accurate. Also, the post is over a year old, so I wanted to see if there have been any updates since then.

    PSA Crypto persistent keys should be used for key material. Otherwise, PSA PS should be used. There is also PSA ITS, but it is not recommended to be used directly.

    There does not seem to be a way of prioritizing other activities every 2-3 ms over flash read/write operations. It can be expected that there are always some PS/ITS operations that would require more than several ms. Reducing interrupt latency during flash writes would require some changes to the flash driver code in TF-M.

    For a potential flash page erase, the page erase time should also be taken into account. The nRF5340 product specification provides information on erasing a secure page in flash. You can look at partial page erase in flash.

    Best regards,
    Dejan
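
One way to turn the rough per-write estimate discussed above into per-call numbers, as an added example that is not part of the thread or of NCS/TF-M: a wrapper with the same argument shape as psa_ps_set() that times each write against a 2 ms budget. The names ps_timed_set and struct ps_latency, the typedef stand-ins, and the fake counter and writer are assumptions made so the block runs off-target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins so this builds off-target; on target include
 * <psa/protected_storage.h> instead and pass psa_ps_set as the writer. */
typedef int32_t psa_status_t;
typedef uint64_t psa_storage_uid_t;
typedef uint32_t psa_storage_create_flags_t;
typedef psa_status_t (*ps_set_fn)(psa_storage_uid_t, size_t, const void *,
                                  psa_storage_create_flags_t);
typedef uint32_t (*ticks_fn)(void); /* any free-running 32-bit counter */

struct ps_latency { uint32_t calls, failures, over_budget, min_us, max_us; };

/* Hypothetical helper (not an NCS/TF-M API): time one write in microseconds
 * and fold it into the statistics. hz is the counter frequency. */
psa_status_t ps_timed_set(struct ps_latency *s, ps_set_fn set, ticks_fn now,
                          uint32_t hz, uint32_t budget_us,
                          psa_storage_uid_t uid, size_t len, const void *data)
{
    uint32_t t0 = now();
    psa_status_t rc = set(uid, len, data, 0 /* PSA_STORAGE_FLAG_NONE */);
    uint32_t dt = now() - t0; /* unsigned math survives one counter wrap */
    uint32_t us = (uint32_t)((uint64_t)dt * 1000000u / hz);
    if (s->calls++ == 0 || us < s->min_us) s->min_us = us;
    if (us > s->max_us) s->max_us = us;
    if (rc != 0) s->failures++; /* PSA_SUCCESS is 0 */
    if (us > budget_us) s->over_budget++;
    return rc;
}

/* Constructed test double: a fake counter and a writer costing fake_cost ticks. */
static uint32_t fake_ticks, fake_cost;
static uint32_t fake_now(void) { return fake_ticks; }
static psa_status_t fake_set(psa_storage_uid_t u, size_t n, const void *d,
                             psa_storage_create_flags_t f)
{ (void)u; (void)n; (void)d; (void)f; fake_ticks += fake_cost; return 0; }

int main(void)
{
    struct ps_latency s = {0};
    uint8_t cfg[100] = {0};
    const uint32_t costs[] = {33, 328, 65536}; /* constructed durations */
    for (int i = 0; i < 3; i++) {
        fake_cost = costs[i];
        ps_timed_set(&s, fake_set, fake_now, 32768, 2000, 1 + i, sizeof cfg, cfg);
    }
    printf("min %u us, max %u us, %u of %u over budget\n",
           s.min_us, s.max_us, s.over_budget, s.calls);
}
```

On target, the counter function and its frequency come from whatever timer is available where the PSA call is made; the 2000 µs budget mirrors the 2-3 ms period mentioned in the question.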
