peripheral: add SAU init helpers and jump_to_nonsecure for ARMv8-M #648
Open
leftger wants to merge 4 commits into rust-embedded:master from
Conversation
- Derive Copy, Clone, PartialEq, Eq on SauRegion and SauRegionAttribute
- SAU::disable_allns(): set CTRL.ALLNS=1, ENABLE=0 (all memory Non-Secure)
- SAU::init(regions): disable SAU, program up to 8 regions, re-enable
- jump_to_nonsecure(ns_vtor): Secure→Non-Secure boot handoff via BXNS

These cover the remaining ARMv8-M TrustZone boot sequence after SAU region programming: disabling the SAU for NS-only systems, bulk-initialising regions without manually looping set_region, and transferring control to the NS image.
Contributor
I think it should either panic or return an error if you pass too many regions. The aarch32-cpu MPU set-up code returns an error when the slice of region descriptors given is too long.
Author
@jonathanpallant I updated the code to address your concern. Thank you for the feedback 😄
Contributor
jonathanpallant left a comment
One question, but otherwise this looks OK to me.
It would be great to see an example of it in action, ideally in the testsuite.
Author
I have added it to the
jonathanpallant
approved these changes
Apr 23, 2026
Summary
This PR extends the existing SAU peripheral module with higher-level helpers that cover the full ARMv8-M TrustZone boot sequence:
- SauRegion/SauRegionAttribute: derive Copy, Clone, PartialEq, Eq — these are plain data types and the missing impls made bulk operations unnecessarily verbose.
- SAU::disable_allns(): sets CTRL.ALLNS=1, ENABLE=0, making the entire address space Non-Secure. Useful for systems that run entirely in Non-Secure mode with no security boundary enforcement.
- SAU::init(regions: &[SauRegion]): convenience wrapper that disables the SAU, programs up to 8 regions (extras silently ignored, matching the hardware maximum), then re-enables it. Callers that want SecureFault enabled should follow up with scb.enable(Exception::SecureFault).
- jump_to_nonsecure(ns_vtor: u32) -> ! (#[cfg(armv8m)]): performs the standard Secure→Non-Secure boot handoff — writes SCB_NS->VTOR, loads MSP_NS from the NS vector table, and executes BXNS to atomically switch state and jump to the NS reset handler.

Relationship to PR #647
This PR is independent of #647 (SCB NSACR / NVIC ITNS) and can be reviewed separately. Together they cover the complete ARMv8-M TrustZone setup: SAU region programming (this PR), interrupt routing and FPU access (#647), and NS boot handoff (this PR).
Motivation
The downstream motivating use-case is the embassy-stm32 TrustZone/SAU driver. Currently jump_to_nonsecure lives in that vendor HAL using raw inline assembly. Once this lands it can be replaced with the typed API here, removing duplicated unsafe boot code from every ARMv8-M HAL that needs it.
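The following is an added, host-side model of SAU address attribution; it is not code from this PR or from the cortex-m crate and touches no registers. It is here to make explicit what a caller of an init-style helper is relying on: the CTRL.ENABLE/ALLNS combinations, the 32-byte region granularity (RBAR/RLAR bits [31:5]), the architectural rule that an address matching more than one enabled region resolves to Secure, and a bounded region count that is rejected with an error (as the reviewer asked for) rather than silently truncated. The type and function names (`Sau`, `SauRegion`, `SauError`, `Attribute`), the region count of 8 and the flash/RAM addresses in the sample table are all assumptions chosen for the example; the IDAU, which can further restrict what the SAU says, is not modelled.

```rust
// Added example, not cortex-m crate code: a software stand-in for the ARMv8-M
// SAU used to show attribution semantics. All names here are invented.

#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub enum Attribute {
    Secure,
    NonSecureCallable,
    NonSecure,
}

/// One SAU region. `base` is inclusive and 32-byte aligned (RBAR[31:5]);
/// `limit` is inclusive and ends in 0x1F (RLAR[31:5] with the low five bits
/// read as ones). Regions only mark memory NS or NSC; uncovered memory is Secure.
#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub struct SauRegion {
    pub base: u32,
    pub limit: u32,
    pub attr: Attribute,
}

#[derive(Debug, PartialEq, Eq)]
pub enum SauError {
    TooManyRegions { given: usize, max: usize },
    Misaligned(usize),
    SecureRegion(usize),
}

pub struct Sau {
    max_regions: usize, // SAU_TYPE.SREGION on real hardware (assumed 8 below)
    enabled: bool,      // CTRL.ENABLE
    allns: bool,        // CTRL.ALLNS
    regions: Vec<SauRegion>,
}

impl Sau {
    /// Reset state: SAU disabled with ALLNS=0, so everything is Secure.
    pub fn new(max_regions: usize) -> Self {
        Sau { max_regions, enabled: false, allns: false, regions: Vec::new() }
    }

    /// CTRL.ALLNS=1, ENABLE=0: the whole address space becomes Non-Secure.
    pub fn disable_allns(&mut self) {
        self.enabled = false;
        self.allns = true;
    }

    /// Validate the whole slice first, then disable, program, re-enable.
    /// A rejected call leaves the previous configuration untouched.
    pub fn init(&mut self, regions: &[SauRegion]) -> Result<(), SauError> {
        if regions.len() > self.max_regions {
            return Err(SauError::TooManyRegions { given: regions.len(), max: self.max_regions });
        }
        for (i, r) in regions.iter().enumerate() {
            if r.base & 0x1F != 0 || r.limit & 0x1F != 0x1F || r.base > r.limit {
                return Err(SauError::Misaligned(i));
            }
            if r.attr == Attribute::Secure {
                return Err(SauError::SecureRegion(i));
            }
        }
        self.enabled = false;
        self.regions = regions.to_vec();
        self.allns = false;
        self.enabled = true;
        Ok(())
    }

    /// Security attribute the SAU assigns to `addr`.
    pub fn attribute(&self, addr: u32) -> Attribute {
        if !self.enabled {
            return if self.allns { Attribute::NonSecure } else { Attribute::Secure };
        }
        let mut hit = None;
        let mut multi = false;
        for r in &self.regions {
            if r.base <= addr && addr <= r.limit {
                multi |= hit.is_some();
                hit = Some(r.attr);
            }
        }
        // Overlapping matches resolve to Secure; no match is Secure.
        if multi { Attribute::Secure } else { hit.unwrap_or(Attribute::Secure) }
    }
}

fn main() {
    // Constructed sample layout: NSC veneers, NS flash, NS RAM; the rest stays Secure.
    let mut sau = Sau::new(8);
    let regions = [
        SauRegion { base: 0x0803_F000, limit: 0x0803_FFFF, attr: Attribute::NonSecureCallable },
        SauRegion { base: 0x0804_0000, limit: 0x0807_FFFF, attr: Attribute::NonSecure },
        SauRegion { base: 0x2001_0000, limit: 0x2001_FFFF, attr: Attribute::NonSecure },
    ];
    sau.init(&regions).expect("valid region table");
    for addr in [0x0800_0000u32, 0x0803_F100, 0x0804_0000, 0x2000_0000, 0x2001_0000] {
        println!("{addr:#010x} -> {:?}", sau.attribute(addr));
    }
}
```

The validate-then-program order matters: if the slice is rejected after the SAU has already been disabled, the core is left with ALLNS=0 and the previous NS regions gone, which is safe but silently breaks the NS image; if it were disabled with ALLNS=1, a rejected table would leave everything Non-Secure. Checking first keeps a failed `init` from changing the security map at all.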