Trusted Execution Environments (TEEs) on low-power microcontrollers (e.g., ARM TrustZone-M) enable isolation of Secure and Non-Secure software but still require both worlds to share resources, including interrupt controllers. In this model, real-time applications and real-time operating systems (RTOS-s) are executed in the Non-Secure sub-system, whereas the Secure sub-system is typically reserved for a small set of pre-defined security (e.g., cryptographic) operations referred to as trusted computing services. However, many RTOS-s rely on periodic interrupts (SysTicks) to advance their own notion of time (time-keeping), and the delivery of this interrupt is essential for preserving real-time behavior. On the other hand, the security of many trusted computing services requires atomicity vis-a-vis the Non-Secure sub-system (where the RTOS resides), precluding SysTick handling. This paper first characterizes this conflict and then introduces a Secure-driven time synchronization mechanism in which the Secure World measures elapsed time and compensates the Non-Secure RTOS by unobtrusively updating the RTOS time-keeping data structures with the appropriate number of missed ticks before re-enabling interrupts and resuming the execution of the Non-Secure system. This approach restores a consistent, monotonic notion of time across worlds and enables secure coexistence of trusted computing services and RTOS-s on microcontrollers. Importantly, the proposed approach requires no modifications to the underlying RTOS and yields no significant run-time overhead.

翻译：可信执行环境（TEE）在低功耗微控制器（如ARM TrustZone-M）上能够隔离安全与非安全软件，但两者仍需共享包括中断控制器在内的资源。在此模型中，实时应用和实时操作系统（RTOS）在非安全子系统中执行，而安全子系统通常保留用于少量预定义的安全操作（如加解密），即可信计算服务。然而，许多RTOS依赖周期性中断（SysTicks）来推进其自身时间概念（计时），而该中断的传递对维持实时行为至关重要。另一方面，许多可信计算服务的安全性要求相对于非安全子系统（RTOS所在位置）具有原子性，从而排除了SysTick处理的可能性。本文首先刻画了这一冲突，然后提出了一种安全驱动的同步机制：安全世界测量已流逝时间，并通过在重新启用中断并恢复非安全系统执行前，以适当数量的缺失时钟周期无干扰地更新RTOS计时数据结构，来补偿非安全RTOS。该方法恢复了跨世界的一致性单调时间概念，并实现了可信计算服务与RTOS在微控制器上的安全共存。重要的是，所提方法无需修改底层RTOS，且不产生显著的运行时开销。