TrustZone is a security extension developed by ARM for their Cortex-M series of microcontrollers. It provides isolation and security capabilities to enable trusted execution environments on ARM-based devices. The main goals of TrustZone for Cortex-M are:
- Provide hardware enforced isolation between trusted and non-trusted software execution
- Enable secure boot to ensure only trusted code executes on start up
- Allow confidential data like keys and credentials to be stored and processed in an isolated secure world
- Enable trusted applications to provide secure services to non-trusted apps
TrustZone Security Concepts
TrustZone divides processing into two worlds or states called secure and non-secure. The secure world has full access to system resources and peripherals. The non-secure world has restricted access enforced by hardware. Switching between these worlds is controlled using monitor mode software.
Some key concepts in TrustZone for Cortex-M include:
- Secure and Non-Secure Memory – Memory regions are designated as secure or non-secure. Non-secure software cannot access secure memory.
- Bus Masters – Bus masters used for DMA transfers are configured as secure or non-secure to control access.
- Peripheral Access – Peripherals like GPIO and timers can be configured per register as secure or non-secure access.
- Interrupts – Interrupts are configured as secure or non-secure. Non-secure interrupts can preempt non-secure execution only.
- Monitor Mode – Special privileged mode for switching between secure and non-secure states.
TrustZone Hardware Capabilities
TrustZone introduces some new hardware capabilities to Cortex-M devices for enforcing security:
- Secure Attribution Unit (SAU) – Controls security attributes of memory regions.
- Flash Patch and Breakpoint Unit (FPB) – Used to patch flash memory and set breakpoints.
- Execution Never (XN) Attribute – Prevents instruction execution from memory regions like RAM.
- Secure Fault Handling – Exceptions that occur in secure execution are handled in secure mode only.
- Cryptographic Acceleration – Hardware crypto provides efficient secure services.
These hardware capabilities are controlled by monitor mode software to provide the secure and non-secure worlds.
TrustZone Software Components
Software components included with TrustZone provide initialization, runtime libraries, and services.
- Secure Startup Code – Runs on reset to initialize TrustZone hardware.
- Runtime Library – Software interface for monitor mode and world switching.
- Secure Context Management – Save, clear, and restore secure context on world switches.
- Crypto Libraries – Software crypto implementation using hardware acceleration.
- Secure Storage – Encrypted data storage for keys or credentials.
These software components allow developers to leverage TrustZone capabilities. The runtime library and secure context management handle most of the work for world switching.
Using TrustZone in Applications
Here are some examples of how TrustZone can be used in embedded applications on Cortex-M devices:
- Secure Boot – Authenticate and verify firmware before execution. Ensures only trusted code runs at startup.
- IP Protection – Sensitive algorithms and code run in secure world isolated from rest of system.
- Secure Storage – Encrypted storage in secure world for keys, credentials, and sensitive data.
- Secure Communication – Secure world performs cryptographic operations to enable communication protocols like TLS.
- Attestation – Provide proof-of-execution evidence for trusted applications.
These kinds of use cases enable embedded devices to offer trusted services for applications like payments, authentication, and intellectual property protection.
Design Considerations with TrustZone
Here are some important considerations when designing with TrustZone technology:
- Threat Model – Identify assets, security goals, and potential attacks to inform architecture.
- Minimal Trusted Code Base – Reduce amount of code running in secure world to only what is necessary.
- Hardware Resources – Account for split of resources like RAM between secure and non-secure worlds.
- Boot Flow – Design a secure boot process to establish root of trust.
- Information Leakage – Prevent unintended data leaks between worlds via timing, power, etc.
Following security best practices in the design process helps ensure a robust, trusted architecture.
TrustZone Development Process
Here is an overview of the typical development process when using TrustZone:
- Create threat model and define architecture partitioning into secure and non-secure domains.
- Allocate system resources like RAM and peripherals to each world.
- Implement secure monitor mode software for world switching, context save/restore, etc.
- Write or port trusted applications to run in the secure world.
- Implement non-secure application functionality, making use of secure services.
- Verify security policy enforcement and do vulnerability testing.
- Optimize system performance with profiling and load testing.
Both hardware configuration and software design considerations are important in the development process. Following a security-focused approach helps guard against vulnerabilities.
TrustZone Security Certification
TrustZone enabled devices can go through security certification to validate the isolation and protection capabilities. Some common options include:
- ARM Platform Security Architecture (PSA) – ARM’s security framework with defined models and threat assessments.
- Common Criteria – Third-party evaluation of compliance with defined security requirements.
- FIPS 140-2 – Validation of cryptographic implementations for government use.
Certification provides assurance that security claims have been independently verified. It demonstrates due diligence for customers deploying TrustZone products.
TrustZone extends ARM Cortex-M devices to enable trusted execution environments for secure services. The hardware and software capabilities allow isolation of sensitive applications from the rest of the system. With careful architecture and design considerations, TrustZone helps protect intellectual property, data, and application integrity. Going through security certification demonstrates that protections have been implemented and validated effectively. Overall, TrustZone is an important security technology for deploying trusted embedded and IoT devices using ARM Cortex-M processors.