
TrustZone

ARM TrustZone® technology is a system-wide approach to security on high performance computing platforms for a huge array of applications including secure payment, digital rights management (DRM), and web-based services.

TrustZone technology is tightly integrated into Cortex™-A processors and extends throughout the system via the AMBA® AXI™ bus and specific TrustZone System IP blocks. This system approach means that it is now possible to secure peripherals, which may include the keyboard and screen alongside the processor, to ensure that malicious software cannot interact with or record personal data, security keys, or applications which exist in the secure domain.

Mobile devices have evolved into open software platforms capable of downloading a huge variety of applications from the internet. These applications are often validated by the device OEM to ensure quality; however, not all functionality can be tested, and increasingly malicious code is being created to target this class of devices.

In parallel, the demand for mobile devices to handle high-value data is gaining significant momentum. New business models are emerging, ranging from the capability to pay for, download and view the latest Hollywood blockbuster for a specific time period, to the ability to pay bills and manage bank accounts remotely from a handset.

These trends have the potential to make the mobile handset the next frontier for malevolent applications and malware such as trojans and viruses. However, through the application of advanced security technology based on ARM TrustZone technology and integrating SecurCore™ tamper resistant elements, it is possible to develop devices that can offer both a feature-rich open operating environment and robust security solutions.

Application Examples

  • Secured PIN entry for enhanced user authentication in mobile payments & banking
  • Secured NFC communications channel
  • Digital Right Management
  • Software license management
  • Loyalty-based applications
  • Access control of cloud-based documents
  • e-Ticketing
  • Mobile TV

A detailed overview of TrustZone applications and implementation is available in the whitepaper “ARM Security Technology: Building A Secure System Using TrustZone Technology” (637 KB PDF), and example systems are illustrated in the TrustZone System Design section.

Processor Support

ARM TrustZone technology is an integral feature of all Cortex-A class processors and was introduced through the ARM Architecture Security Extensions. These extensions provide a consistent programmer's model across vendors, platforms, and applications while providing a true hardware-backed security environment.

ARM processors supporting TrustZone include:

TrustZone API Support

As TrustZone can be integrated in a wide variety of systems and target very diverse application needs, it is critical to enable software portability. The ARM TrustZone API was created to provide an industry standard for software applications to access the security features of the host platform.

ARM TrustZone API overview:

  • Independent of hardware platform
  • Independent of host operating system
  • Independent of secure environment
  • Synchronous and asynchronous command invocation
  • Strongly typed communications to promote secure implementation
  • Promotes efficient bulk data transfer

The TrustZone API may be used royalty free to implement Trusted Execution Environments and the specification is available for download from the online document center.

A simple single-threaded software example utilizing the TrustZone API is available upon request from the ARM Support division. Please email support-cores@arm.com for further details.


TrustZone Hardware Architecture

The TrustZone hardware architecture aims to provide a security framework that enables a device to counter many of the specific threats that it will experience. Instead of providing a fixed one-size-fits-all security solution, TrustZone technology provides the infrastructure foundations that allow a SoC designer to choose from a range of components that can fulfil specific functions within the security environment.

The primary security objective of the architecture is to enable the construction of a programmable environment that allows the confidentiality and integrity of assets to be protected from specific attacks. A platform with these characteristics can be used to build a wide ranging set of security solutions which are not cost-effective with traditional methods.

The security of the system is achieved by partitioning all of the SoC hardware and software resources so that they exist in one of two worlds: the Secure world for the security subsystem, and the Normal world for everything else. Hardware logic present in the TrustZone-enabled AMBA3 AXI™ bus fabric ensures that no Secure world resources can be accessed by Normal world components, enabling a strong perimeter boundary to be built between the two. A design that places the sensitive resources in the Secure world, and implements robust software running on the secure processor cores, can protect assets against many possible attacks, including those which are normally difficult to secure, such as passwords entered using a keyboard or touch-screen. By separating security-sensitive peripherals through hardware, a designer can limit the number of sub-systems that need to go through security evaluation and therefore save costs when submitting a device for security certification.

The second aspect of the TrustZone hardware architecture is the extensions that have been implemented in some of the ARM processor cores. These additions enable a single physical processor core to safely and efficiently execute code from both the Normal world and the Secure world in a time-sliced fashion. This removes the need for a dedicated security processor core, which saves silicon area and power, and allows high performance security software to run alongside the Normal world operating environment.

The two virtual processors are context switched via a new processor mode, called monitor mode, whenever the currently running world changes.

The mechanisms by which the physical processor can enter monitor mode from the Normal world are tightly controlled, and are all viewed as exceptions to the monitor mode software. The entry to monitor can be triggered by software executing a dedicated instruction, the Secure Monitor Call (SMC) instruction, or by a subset of the hardware exception mechanisms. The IRQ, FIQ, external Data Abort, and external Prefetch Abort exceptions can all be configured to cause the processor to switch into monitor mode.

The software that executes within monitor mode is implementation defined, but it generally saves the state of the current world and restores the state of the world being switched to. It then performs a return-from-exception to restart processing in the restored world.

The final aspect of the TrustZone hardware architecture is a security-aware debug infrastructure which can enable control over access to Secure world debug, without impairing debug visibility of the Normal world.


TrustZone Software Architecture


The implementation of a Secure world in the SoC hardware requires some secure software to run within it and to make use of the sensitive assets stored there.

Secure Software Architecture

There are many possible software architectures which a Secure world software stack on a TrustZone-enabled processor core could implement. The most advanced is a dedicated Secure world operating system; the simplest is a synchronous library of code placed in the Secure world. There are many intermediate options between these two extremes.

Secure Kernel

A dedicated secure kernel is potentially a complex yet powerful design. It can simulate concurrent execution of multiple independent Secure world applications, run-time download of new security applications, and Secure world tasks that are completely independent of the Normal world environment.

These designs closely resemble the software stacks that would be seen in a SoC with two separate physical processors in an Asymmetric Multi-Processing (AMP) configuration. The software running on each virtual processor is a standalone operating system, and each world uses hardware interrupts to pre-empt the currently running world and acquire processor time.

A tightly integrated design, which uses a communications protocol that associates Secure world tasks with the Normal world thread that requested them, can provide many of the benefits of a Symmetric Multi-Processing (SMP) design. In these designs a Secure world application could, for example, inherit the priority of the Normal world task that it is assisting. This would enable some form of soft real-time response for media applications.

The Security Extensions are an open component of the ARM architecture, so any developer can create a custom Secure world software environment to meet their requirements.

Due to the inherent complexity of implementing a full Secure OS, and the potential need to certify its capabilities and performance, many partners will work with expert companies in this domain, such as Giesecke & Devrient or Trusted Logic.


TrustZone System Examples

There are limitless ways of implementing a TrustZone-enabled device; however, these break down into three major groups, or tiers of solutions, based upon the target application and the engineering trade-off between performance, power and cost.

Tier One

The Tier One solution represents a baseline solution that is intended to secure the keypad and screen to enable personal identification numbers (PINs) to be entered on an open software platform device. In non-secure mode the keyboard and screen operate as usual under the control of the OpenOS, such as WindowsCE, Linux or Symbian; however, when an application requests payment these peripherals are placed under the control of the Secure Kernel.

As it is desired that this type of solution be as low cost as possible, only the addition of the TrustZone Memory Adaptor fabric component is required, to secure a contiguous block of on-chip SRAM. The Master Key and SIM interface blocks are secured by tying their AXI2AHB bridge to the secure state. Similarly, the bridge for the Keyboard Master Interface and LEC Controller can be dynamically controlled by the processor, setting the entire region into either Secure or Non-secure mode.

The device should be booted through a complete “root of trust” process. In many cases this would be done via an integrated Boot ROM which runs the base OS and then loads the monitor and SecureOS. Once completed the SecureOS would then launch the traditional OpenOS, ensuring that no malicious code can enter the process.

Tier Two

The Tier Two solution is a complete superset of the Tier One system, ensuring code portability and allowing payment services to be easily incorporated. The Tier Two system provides a cost-effective platform for basic digital rights management (DRM), with integration of the TrustZone Address Space Controller (TZASC) to protect areas of the RAM used to hold valuable content. Furthermore, an off-chip decoder engine may be used to minimize costs or provide specific decode technology, while also being secured against access from non-secure software.

To enable full DRM, the size of the on-chip SRAM would normally need to be increased to provide a secure space for dynamic code execution, and potentially an E2PROM would be integrated to hold details on what content can be accessed, for what time period, or for the number of plays remaining.

More peripherals would normally also need to be dynamically secured in this type of solution, under the control of the TrustZone Protection Controller, to prevent intermediate or decrypted content from being streamed off, or the media from being controlled by non-secured code and peripherals.

Tier Three

Tier Three builds on the existing solutions to deliver a high performance DRM solution capable of supporting video streaming and on-the-fly decompression. In this case the device can be fully secured to provide a platform that can be authenticated by a content provider, to ensure that keys are protected and that only authorized viewing of material takes place. In many ways this is similar to, but far more cost-effective than, providing a two-core implementation with fully parallel secure and non-secure worlds.

In addition to more dynamically secured peripherals this solution includes a DMA Controller and Media Accelerators connected to a multi-core processor via the Accelerator Coherence Port (ACP).


System IP Support

Security is an attribute of a whole system, not just a single component. ARM® TrustZone® technology allows the system to be more easily partitioned for security while maintaining hardware-backed protection for the security sub-system. Designing the security sub-system using TrustZone technology requires not only a TrustZone technology-enabled processor core, but also the bus fabric, secure memory and secure peripherals. ARM provides a range of fabric and peripheral components to provide the foundation of security sub-systems:


TrustZone System IP: required components

  • Advanced AMBA 3 Interconnect (NIC-301): the ARM AMBA® 3.0 AXI bus can propagate the secure status of the processor core to the memory and peripherals in the SoC and beyond.
  • TrustZone Address Space Controller (PL380): the TZASC acts as a security-enhanced memory protection unit, ensuring that areas of DRAM are only accessible in the secure state.
  • TrustZone Memory Adaptor (BP141): the TZMA acts as a single-region TZASC for on-chip memory which needs to be accessed only in secure mode.
  • TrustZone Protection Controller (BP147): the TZPC dynamically secures peripherals under software control.
  • TrustZone Interrupt Controller: enables normal and secure interrupt prioritization if a GIC (MPCore-capable processor) is not present.
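The two-world partitioning described in the Hardware Architecture section, together with the static (TZASC/TZMA) and dynamic (TZPC) controls listed above, modelled as a small added C example; this is illustrative code written for this page, not ARM's System IP or any real SoC's memory map, and every address, peripheral name and function here is a constructed assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* A bus transaction as the fabric sees it: target address plus the NS
   (non-secure) attribute the core drives on AMBA 3 AXI (AxPROT[1]). */
typedef struct { uint32_t addr; bool ns; } txn_t;

/* Static memory policy, as a TZASC (DRAM) or TZMA (on-chip SRAM) enforces it. */
typedef struct { uint32_t base, size; bool secure_only; } region_t;

/* A peripheral whose security state software can flip at run time via a TZPC. */
typedef struct { const char *name; uint32_t base, size; bool secure; } periph_t;
/* Constructed example map; the addresses are illustrative, not from any real SoC. */
static region_t regions[] = {
    { 0x00000000u, 0x10000000u, false }, /* DRAM shared by both worlds */
    { 0x10000000u, 0x00100000u, true  }, /* on-chip SRAM behind a TZMA */
    { 0x20000000u, 0x01000000u, true  }, /* DRAM carved out by the TZASC for content */
};
static periph_t periphs[] = {
    { "keypad", 0x40000000u, 0x1000u, false },
    { "lcd",    0x40001000u, 0x1000u, false },
};

static bool in_range(uint32_t a, uint32_t base, uint32_t size) {
    return a >= base && a - base < size;
}

/* Fabric decision: a Secure-world master may reach everything; a Normal-world
   master (NS=1) is refused secure-only memory and secure peripherals. Unmapped
   addresses are refused for both, as a bus decode error would be. */
bool fabric_allows(const txn_t *t) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (in_range(t->addr, regions[i].base, regions[i].size))
            return !(t->ns && regions[i].secure_only);
    for (size_t i = 0; i < sizeof periphs / sizeof periphs[0]; i++)
        if (in_range(t->addr, periphs[i].base, periphs[i].size))
            return !(t->ns && periphs[i].secure);
    return false;
}

/* TZPC-style reassignment of a peripheral. The TZPC's own registers are a
   secure-only resource, so a request arriving with NS=1 must be ignored. */
bool tzpc_set_secure(const char *name, bool secure, bool caller_ns) {
    if (caller_ns) return false;
    for (size_t i = 0; i < sizeof periphs / sizeof periphs[0]; i++)
        if (strcmp(periphs[i].name, name) == 0) { periphs[i].secure = secure; return true; }
    return false;
}
```

The keypad and screen moving between worlds for PIN entry (Tier One) is the tzpc_set_secure path; the content region and on-chip SRAM refusing NS=1 is the static TZASC/TZMA path.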
