ARM TrustZone Technology for Cortex-A and Cortex-M Class Processors
ARM TrustZone technology is used on billions of chips to protect valuable services and devices. It is the pre-eminent security solution for applications processors and is used in a diverse range of end markets, including smartphones, tablets, personal computers, wearables and enterprise systems. With the announcement of TrustZone for ARMv8-M, ARM has extended this technology to microcontrollers, helping protect the smallest, resource-constrained platforms.
TrustZone technology on Cortex-A based applications processors is commonly used to run trusted boot and a trusted OS to create a Trusted Execution Environment (TEE). Typical use cases in mobile platforms include the protection of authentication mechanisms, cryptography, key material and DRM. Applications that run in the secure world are called Trusted Apps.
The ARMv8-M architecture extends TrustZone technology to microcontrollers, enabling robust levels of protection at all cost points. The design is optimized for an efficient, low-latency, deterministic interrupt response, which is crucial for embedded systems. Interrupts are routed by hardware to the correct handler for both the normal and secure worlds, removing the overhead of a software check before dispatch. To further satisfy real-time and low-power requirements, the switch between the normal and secure worlds is performed in hardware, removing the need for a hypervisor with its associated code and processing overhead. Software productivity is enhanced because TrustZone for ARMv8-M is fully programmable in the C language (in line with the rest of the ARMv8-M architecture), and it offers protected debug operations corresponding to the security state of the processor.
Secure memory and secure peripherals can be integrated because the architecture uses ARM AMBA® 5 AHB5 to propagate the secure-state signal across the chip.
ARM TrustZone CryptoCell
CryptoCell is a range of security sub-systems and hardware components that provide platform-level security as well as hardware support for security acceleration and offloading.
CryptoCell’s architecture-level protection provides tools and building blocks for a wide range of applications, including content protection, IoT security, encryption and provisioning.
The CryptoCell digital security subsystem serves as an infrastructure for security-related use cases running on the SoC and comprises hardware, firmware and SoC-external tools.
CryptoCell includes efficient hardware cryptographic engines, an RNG, root of trust/key management, secure boot, secure debug and lifecycle management.
CryptoCell enables SoC architects to trade off area, power, performance and robustness in a very flexible manner. Designs can be optimized to achieve the security vs. cost “sweet spot” appropriate to the target market.
CryptoCell Product Highlights
- CryptoCell is an embedded security platform suitable for a wide range of SoC markets, including automotive, mobile, IoT and deeply embedded. It is compatible with processors that have the TrustZone architectural extensions but can also be used where these are absent (such as Cortex-R processors).
- CryptoCell offers an outstanding level of security, while addressing challenging requirements for increased system complexity, high performance, low power consumption and small footprint.
- CryptoCell’s multi-layered hardware and software architecture combines hardware accelerators and root-of-trust control hardware with a rich layer of security software and off-chip tools.
- The CryptoCell architecture is modular and flexible by design, allowing the security solution to be tailored to meet market requirements (all security services offered by TrustZone CryptoCell can be included or excluded from the final package of hardware and software delivered to customers).
- CryptoCell can be configured to address different platform level security requirements as well as specific protocol related requirements (e.g. IPsec, HomeKit).
The CryptoCell-700 series and CryptoCell-300 series address different platform needs: the CryptoCell-300 series is usually coupled with Cortex-M CPUs for environments that require a small footprint (e.g. IoT), and the CryptoCell-700 series is usually coupled with Cortex-A CPUs for performance-intensive use cases (e.g. mobile).
The following diagram (Fig 1.) illustrates the different components in the TrustZone CryptoCell subsystem.
Figure 1. TrustZone CryptoCell High Level Block Diagram
Addressing key security requirements
Digital devices face a wide range of possible threats, and CryptoCell addresses the differing security requirements that come from different stakeholders. Standards bodies and commercial organizations, such as Microsoft, Google, Apple, DTLA, DCP LLC, OMTP, CMLA and others, define the following attack vectors as pertinent:
- Software attacks
- Inter-chip signal probing
- Board-level software-based debug and test attacks
- Physical interface attacks
- Memory or any other non-SoC element replacement attacks
- Off-line modification of the contents of non-volatile storage (e.g., Flash, EPROM)
To enable SoC vendors to address these attack vectors, CryptoCell offers protection of key device assets. Key device assets usually include:
- Software code images (system, application, etc.).
- Secret data, such as device keys and personal/corporate data.
- Protected content, such as DRM audio and video files/streams.
TrustZone CryptoCell addresses these security requirements and provides the necessary tools and building blocks to mitigate such attacks.
Security Certification and Compliance
Security certification standards such as FIPS 140-2, Common Criteria and GlobalPlatform TEE certification are all targeted at verifying the security of complete products.
TrustZone CryptoCell provides the tools and building blocks necessary to comply with these standards.
TrustZone CryptoCell provides the security infrastructure to comply with the robustness rules published by many standardization bodies and commercial organizations such as: Microsoft, Apple, Google, CMLA, DTLA, 4C, DCP LLC, Netflix and IETF.
Commercial deployment and market traction
CryptoCell is commercially deployed within chipsets covering many different verticals and markets such as mobile, IoT, home entertainment and automotive.