ARM TrustZone Technology for Cortex-A and Cortex-M Class Processors
ARM TrustZone technology is used on billions of chips to protect valuable services and devices. It is the pre-eminent security solution for applications processors and is used in a diverse range of end markets including smartphones, tablets, personal computers, wearables and enterprise systems. With the announcement of TrustZone for ARMv8-M, ARM has extended this technology to microcontrollers, helping to protect the smallest, resource-constrained platforms.
TrustZone technology on Cortex-A based applications processors is commonly used to run trusted boot and a trusted OS to create a Trusted Execution Environment (TEE). Typical use cases in mobile platforms include the protection of authentication mechanisms, cryptography, key material and DRM. Applications that run in the secure world are called Trusted Apps.
The ARMv8-M architecture extends TrustZone technology to microcontrollers, enabling robust levels of protection at all cost points. The design is optimized for an efficient, low-latency, deterministic interrupt response that is crucial for embedded systems. Interrupts are routed by hardware to the correct handler for both the normal and secure worlds, removing the overhead of a software check before dispatch. To further satisfy real-time and low-power requirements, the switch between the normal and secure worlds is performed in hardware, removing the need for a hypervisor with its associated code and processing overhead. Software productivity is enhanced because TrustZone for ARMv8-M is fully programmable in C (in line with the rest of the ARMv8-M architecture) and offers protected debug operations corresponding to the security state of the processor.
Secure memory and secure peripherals can be integrated as the architecture uses ARM AMBA® 5 AHB5 to propagate the secure state signal across the chip.
ARM TrustZone CryptoCell
CryptoCell is a range of security sub-systems and hardware components that provide platform level security as well as hardware support for security acceleration and offloading.
CryptoCell's architecture-level protection provides tools and building blocks for a wide range of applications, including content protection, IoT security, encryption and provisioning.
The CryptoCell digital security subsystem serves as an infrastructure for security-related use cases running on the SoC and consists of hardware, firmware and SoC-external tools.
CryptoCell includes efficient hardware cryptographic engines, RNG, root of trust/key management, secure boot, secure debug and lifecycle management.
CryptoCell enables SoC architects to trade off area, power, performance and robustness in a very flexible manner. Designs can be optimized to achieve the security-versus-cost "sweet spot" appropriate to the target market.
ARM TrustZone for ARMv8-M
ARM TrustZone for ARMv8-M brings TrustZone technology to low-cost and resource-constrained microcontrollers. In ARMv8-M a hardware-isolated "trusted world" separates trusted software, data and hardware from the non-trusted world. These security states are orthogonal to the existing Thread and Handler modes, i.e. Thread and Handler modes exist in both states.
TrustZone for ARMv8-M enables a “Secure world” for trusted embedded applications.
Secure resources are protected from non-secure access, enabling the system designer to isolate and compartmentalize their design. This is achieved through a Secure Attribution Unit (SAU) that is similar to an MPU. Since the transitions between the two states are hardware-based, they are almost instantaneous and thus maintain the real-time performance and reduced software overhead associated with ARM's microcontroller profile.
TrustZone for ARMv8-M propagates the security state on the bus fabric and is compatible with ARM AMBA® 5 AHB5.
TrustZone for ARMv8-M is a foundation on which the ARM ecosystem will build system IP, middleware and devices for many embedded applications. This foundation will attract developers who will be able to deploy the same application across many systems.
Writing code for the normal world remains the same as before: the application has access to privileged and non-privileged space plus interrupts. To call libraries in the secure world, function entry points are linked into the project. This design simplifies writing software for Cortex-M processors that incorporate TrustZone technology. Typically, system suppliers will provide some secure code to set up and run the security attributes across all components within a system. In a typical implementation the design is partitioned so that the code in the secure state is kept as small as possible to reduce the attack surface and the number of vulnerabilities. As with TrustZone for Cortex-A processors, programs running in the secure state can access both secure and non-secure information, whereas non-secure programs can only access non-secure resources.
Interrupts can also be secure or non-secure, as determined by a register which is programmable only from the secure world. TrustZone for ARMv8-M handles all interrupt transitions automatically to maintain security, register protection and to preserve the low latency expected in real time embedded systems.
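The following is an added example, not code from the ARM page or from any ARM project, showing what a secure-world library entry point of the kind described above looks like and the check it has to make: because secure code can access both secure and non-secure memory, a service must verify that every pointer a non-secure caller passes refers only to non-secure memory before reading or writing through it. Built with an ARMv8-M toolchain (arm-none-eabi-gcc with -mcmse) the check uses the CMSE intrinsic cmse_check_address_range(); on a host compiler the same check is modelled against a constructed array standing in for a non-secure SAU region so the logic can be exercised off-target. The function names, status codes, key bytes and the FNV-1a stand-in for a real MAC are all assumptions made for the example.

```c
/* Added example, not code from the ARM page: a secure-world service entry
 * that validates every pointer the non-secure world hands it before using
 * it. Built with an ARMv8-M toolchain (arm-none-eabi-gcc -mcmse) the range
 * check uses the CMSE intrinsic cmse_check_address_range(); on a host
 * compiler the same check is modelled against a constructed SRAM array
 * standing in for a non-secure SAU region, so the logic can be exercised
 * off-target. Names, status codes and key bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SVC_OK            0
#define SVC_BAD_POINTER  -1   /* range is not entirely non-secure memory */
#define SVC_BAD_LENGTH   -2   /* empty request */

/* Key material held in secure memory (placed there by the secure image's
 * linker script on a real device; constructed value here). */
static uint32_t secure_key[4] = { 0x13371337u, 0xdeadbeefu, 0x0badf00du, 0xcafebabeu };

#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2)
#include <arm_cmse.h>
#define NS_ENTRY __attribute__((cmse_nonsecure_entry))
/* Real target: the intrinsic returns non-NULL only when the whole range is
 * non-secure and readable (or writable) by the unprivileged NS caller. */
static int range_is_nonsecure(const void *p, size_t len, int write)
{
    int flags = CMSE_NONSECURE | CMSE_MPU_UNPRIV |
                (write ? CMSE_MPU_READWRITE : CMSE_MPU_READ);
    return cmse_check_address_range((void *)p, len, flags) != NULL;
}
#else
#define NS_ENTRY
/* Host model: one constructed array plays the non-secure SRAM region; every
 * other address (secure_key included) counts as secure. */
static uint32_t nonsecure_ram[16];
static int range_is_nonsecure(const void *p, size_t len, int write)
{
    uintptr_t a = (uintptr_t)p, ns0 = (uintptr_t)nonsecure_ram;
    (void)write;                   /* no MPU in the model, only attribution */
    if (a + len < a) return 0;     /* reject address wrap-around */
    return a >= ns0 && a + len <= ns0 + sizeof nonsecure_ram;
}
#endif

/* Non-secure callable entry point: non-secure code reaches it through the
 * secure gateway (SG) veneer the linker emits for NS_ENTRY functions. Both
 * pointer arguments are checked before any access, so a non-secure caller
 * cannot make the secure side read or write secure memory on its behalf. */
NS_ENTRY int secure_keyed_checksum(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (len == 0) return SVC_BAD_LENGTH;
    if (!range_is_nonsecure(buf, len, 0)) return SVC_BAD_POINTER;
    if (!range_is_nonsecure(out, sizeof *out, 1)) return SVC_BAD_POINTER;

    /* FNV-1a over key || data: a stand-in for a real MAC computed by a
     * hardware engine; it shows the call flow, not cryptographic strength. */
    const uint8_t *key = (const uint8_t *)secure_key;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof secure_key; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++)               { h ^= buf[i]; h *= 16777619u; }
    *out = h;
    return SVC_OK;
}
```

On a real device the non-secure project never links this object directly: with GNU ld the secure image is linked with --cmse-implib and --out-implib so that only the SG veneers for the NS_ENTRY functions are exported, and that import library is what the non-secure application links against. The range checks are the part worth keeping in mind whatever the service does, since a pointer into secure memory accepted by the secure side turns a harmless-looking call into a read or write of secure state.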
Example use cases:
- Firmware protection
- Security management
- Root of trust implementation
- Peripheral and I/O protection
- Code isolation between multiple suppliers
- Sandboxing for devices with certified software
- Consolidation of multiple helper processors into one
ARM TrustZone for ARMv8-A/ARMv7-A/ARMv6Z
TrustZone technology is tightly integrated into Cortex®-A processors, which propagate the secure state across the chip using the AMBA® AXI™ bus and specific TrustZone System IP blocks. This system approach makes it possible to protect peripherals such as secure memory, crypto blocks, keyboard and screen from attack.
Devices developed with TrustZone technology, according to the recommendations of the Trusted Base System Architecture specification (available under NDA), enable the delivery of platforms capable of supporting a full Trusted Execution Environment (TEE). TEEs can be designed to support Over The Air (OTA) downloaded Trusted Apps that enable service providers and device manufacturers to benefit from the integrity and confidentiality that TrustZone provides. ARM and many of its partners support the work of GlobalPlatform to provide compliance and certification schemes for the TEE, enabling interoperability and third-party security evaluations.
To help silicon partners port a TEE onto their platform, ARM provides a reference implementation of low-level software known as ARM Trusted Firmware. This software is available as open source on GitHub and includes trusted boot and a secure runtime, including Secure Monitor Code (SMC).