TrustZone

TrustZone Hardware Architecture

The TrustZone hardware architecture aims to provide a security framework that enables a device to counter many of the specific threats that it will experience. Instead of providing a fixed one-size-fits-all security solution, TrustZone technology provides the infrastructure foundations that allow a SoC designer to choose from a range of components that can fulfill specific functions within the security environment.

The primary security objective of the architecture is to enable the construction of a programmable environment that allows the confidentiality and integrity of assets to be protected from specific attacks. A platform with these characteristics is suited to building a wide-ranging set of security solutions that are not cost-effective with traditional methods. 

The security of the system is achieved by partitioning all of the SoC hardware and software resources so that they exist in one of two worlds - the Secure world for the security subsystem, and the Normal world for everything else. Hardware logic present in the TrustZone-enabled AMBA3 AXI™ bus fabric ensures that Normal world components do not access Secure world resources, enabling construction of a strong perimeter boundary between the two. A design that places the sensitive resources in the Secure world, and implements robust software running on the secure processor cores, can protect assets against many possible attacks, including those which are normally difficult to secure, such as passwords entered using a keyboard or touch-screen. By separating security sensitive peripherals through hardware, a designer can limit the number of sub-systems that need to go through security evaluation and therefore save costs when submitting a device for security certification.

The second aspect of the TrustZone hardware architecture is the extensions implemented in some of the ARM processors. These additions enable a single physical processor core to execute code safely and efficiently from both the Normal world and the Secure world in a time-sliced fashion.This removes the need for a dedicated security processor core, which saves silicon area and power, and allows high performance security software to run alongside the Normal world operating environment.

The two virtual processors context switch via a new processor mode called monitor mode when changing the currently running virtual processor.

The mechanisms by which the physical processor can enter monitor mode from the Normal world are tightly controlled, and are all viewed as exceptions to the monitor mode software. Software executing a dedicated instruction can trigger entry to monitor, the Secure Monitor Call (SMC) instruction, or by a subset of the hardware exception mechanisms. Configuration of the IRQ, FIQ, external Data Abort, and external Prefetch Abort exceptions can cause the processor to switch into monitor mode.

The software that executes within monitor mode is implementation defined, but it generally saves the state of the current world and restores the state of the world at the location to which it switches. It then performs a return-from-exception to restart processing in the restored world. The final aspect of the TrustZone hardware architecture is a security-aware debug infrastructure that can enable control over access to Secure world debug, without impairing debug visibility of the Normal world.

The implementation of a Secure world in the SoC hardware requires some secure software to run within it and to make use of the sensitive assets stored there.

Secure Software Architecture

There are many possible software architectures which a Secure world software stack on a TrustZone-enabled processor core could implement. The most advanced is a dedicated Secure world operating system; the simplest is a synchronous library of code placed in the Secure world. There are many intermediate options between these two extremes.

Secure Kernel

A dedicated secure kernel is potentially a complex yet powerful design. It can simulate concurrent execution of multiple independent Secure world applications, run-time download of new security applications, and Secure world tasks that are completely independent of the Normal world environment.

These designs closely resemble the software stacks that would be seen in a SoC with two separate physical processors in an Asymmetric Multi-Processing (AMP) ( or download TrustZone Security White Paper, 685 KB ) configuration. The software running on each virtual processor is a standalone operating system, and each world uses hardware interrupts to pre-empt the currently running world and acquire processor time.

A tightly integrated design, which uses a communications protocol that associates Secure world tasks with the Normal world thread that requested them, can provide many of the benefits of a Symmetric Multi-Processing (SMP) design. In these designs a Secure world application could, for example, inherit the priority of the Normal world task that it is assisting. This would enable some form of soft real-time response for media applications.

The Security Extensions are an open component of the ARM architecture, so any developer can create a custom Secure world software environment to meet their requirements.

Due to the inherent complexity of implementing a full Secure OS, and the potential need to certify its capabilities and performance, ARM recommends Trusted OS solutions from Trusted OS suppliers that are members of GlobalPlatform and are working towards standardizing TEE APIs and libraries.

TrustZone System Examples

There are limitless ways of implementing a TrustZone enabled device, however these break down into three major groups, or tiers of solutions, based upon the target application and engineering trade-off for performance, power and cost.

Tier One

TrustZone Tier One System Architecture Block Diagram (1200px wide)

The Tier One solution represents a baseline solution that is intended to secure the keypad and screen to enable personal identification numbers (PINs) to be entered on an open software platform device. In none-secure mode the keyboard and screen operate as usual under the control of the OpenOS, such as WindowsCE, Linux or Symbian, however when an application requests payment these peripherals are placed under the control of the Secure Kernel.

With the desire that this type of solution be as low cost as possible, only the addition of TrustZone Memory Adaptor fabric component is required, to secure a contiguous block of on chip SRAM. The Master Key and SIM interface blocks are secured by tying their AXI2AHB bridge to secure state. Similarly, the bridge for the Keyboard Master Interface and LEC Controller can be dynamically controlled by the processor; setting the entire region into either Secure or None-Secure modes.

It is suggested that in booting the device, a complete “root of trust” process be used. In many cases, this would be done via an integrated Boot ROM that runs the base OS and then loads the monitor and SecureOS. Once completed the SecureOS would then launch the traditional OpenOS, ensuring that no malicious code can enter the process.

Tier Two

TrustZone Tier Two System Architecture Block Diagram (1200px wide)

The Tier Two solution is a complete superset of the Tier One system, ensuring that code portability and payment services are easily incorporated.The Tier Two system provides a cost-effective platform for basic digital rights management (DRM), with integration of the TrustZone Address Space Controller (TZASC) to protect areas of the RAM used to hold valuable content. Furthermore an off-chip decoder engine may be used to minimize costs or provide specific decode technology, while also being secured against access from non-secure software.

To enable full DRM, the size of the on-chip SRAM would normally need to increase to provide a secure space for dynamic code execution. Potentially an E2PROM would integrate to hold details on what content is accessible, for what period, or for the number of plays remaining.

More peripherals would normally also need to be dynamically secured in this type of solution, under the control of the TrustZone Protection Controller to avoid streaming-off of intermediate or decrypted content, or control of the media by non-secured code and peripherals.

Tier Three

TrustZone Tier Three System Architecture Block Diagram (1200px wide)

Tier Three builds on the existing solutions to deliver a high performance DRM solution capable of supporting video streaming and on-the-fly decompression. In this case, the device is fully securable to provide a platform that a content provider can authenticate to ensure full protection of keys and only that authorized viewing of material occurs. In many ways, this is a similar, but far more cost-effective, that providing a two-core implementation with fully parallel secure and non-secure worlds.

In addition to more dynamically secured peripherals, this solution includes a DMA Controller and Media Accelerators connected to a multi-core processor via the Accelerator Coherence Port (ACP).

System IP Support

Security is an attribute of a whole system, not just a single component. ARM^® TrustZone^® technology allows the system to be more easily partitioned for security while maintaining hardware-backed protection for the security sub-system. Designing the security sub-system using TrustZone technology requires not only a TrustZone technology-enabled processor core, but also the bus fabric, secure memory and secure peripherals. ARM provides a range of System IP to provide the foundation of security sub-systems: