TrustZone security instructions in Arm Cortex-M series processors provide hardware-based security features to enable trusted execution environments and partition sensitive and non-sensitive application code and data. The key capabilities enabled by TrustZone include secure boot, authentication, encryption, and isolated execution of trusted software.
Overview of Arm TrustZone
Arm TrustZone technology creates a hardware-enforced secure world for trusted software alongside the normal world for regular applications. This is achieved by adding security extensions to Arm processors like the Cortex-M series. The secure world has full access to system resources but isolated from the normal world. Sensitive code and data can be stored and processed in the secure world.
A new “NS” bit tag added to registers, buses, and memory spaces allow access control between the two worlds. The secure world can access both tagged and untagged resources while the normal world can only access untagged resources. Switching between the worlds requires a secure monitor mode which saves state and applies access restrictions.
TrustZone Security Extensions in Cortex-M
The TrustZone security extensions in Cortex-M series processors include:
- Secure and Non-secure stack pointers for thread mode
- Banked register support for fast world switching
- Secure and Non-secure memory spaces with configurable splitting
- New secure privileged modes for managing TrustZone
- Secure Fault Handlers to catch secure world exceptions
- Secure SysTick timer for reliable timekeeping
- New TrustZone aware bus interfaces and peripherals
- Crypto extensions for hardware acceleration (in some models)
With these extensions, Cortex-M processors can provide end-to-end security from boot to trusted applications. Sensitive code, data, and peripherals are accessible only from the secure world. The hardware isolation protects against vulnerabilities and malicious attacks from the normal world software.
Cortex-M TrustZone Instructions
The TrustZone specific instructions in Cortex-M processors enable switching between secure and non-secure states, managing interrupt handling, and accessing banked registers:
- SG – Secure Gateway – This triggers a switch from non-secure to secure state via an exception return. The secure context state is saved/restored and system changes to privileged thread mode.
- BXNS – Branch Exchange to Non-Secure – This branches to a non-secure address from secure state. The context state is saved, unprivileged thread mode is set, and execution switches to non-secure.
- BLXNS – Branch with Link Exchange to Non-Secure – Same as BXNS but also saves return address to a non-secure register.
- SMUL/SMULL – Signed Multiply with Exchange – Performs signed multiplication of two operands and exchanges the result between secure and non-secure states.
- SEV/SEVL – Send Event – Triggers secure event or interrupt handling. This is used for secure inter-processing communication.
- SSB – Speculative Store Bypass – Mitigates data leakage across worlds due to speculative execution. It ensures memory accesses are not speculated between worlds.
There are also instructions for managing banked registers used during world switches:
- MRS – Move to Register from Special Register – Moves between banked registers.
- MSR – Move to Special Register from Register – Moves between banked registers.
- RRXNS – Rotate Right with Extend Exchange to Non-Secure – Exchanges value between banked registers during rotation.
Secure Boot Process
The secure boot process utilizes TrustZone instructions and features to establish a Chain of Trust:
- After reset, the processor starts in the secure world with trusted software.
- A secure boot loader or Root of Trust boots up the secure world and validates the next stage boot loader.
- The secure boot loader decrypts and authenticates the next stage loader before execution.
- This process continues in stages with each loader validating the next until the final application.
- The SG instruction is used to switch to non-secure world after validation completes.
- The trusted application executes securely isolated by TrustZone.
TrustZone security prevents tampering with the boot process. The hardware isolation also protects trusted software from access by normal world applications.
Use Cases
Some common use cases for TrustZone on Cortex-M processors include:
- Secure Boot – Validating boot stages to root of trust for software integrity.
- Authentication – Securely storing and processing authentication keys and algorithms.
- Digital Rights Management – Hardware backed security for valuable firmware IP or media.
- Trusted Applications – Isolating and protecting sensitive programs and data.
- Secure Communications – Implementing trusted channels between endpoints.
TrustZone enables building robust end-to-end security without expensive hardware additions. The extensions integrate security deeply into the Cortex-M processor architecture itself. This allows implementation of advanced trusted computing concepts on low cost microcontrollers.
Conclusion
The TrustZone security extensions in Arm Cortex-M series processors enable new trusted execution environments for microcontroller applications. Key instructions provide access control between secure and non-secure worlds, allowing isolation of sensitive code and data. Hardware-backed security capabilities like secure boot, authentication, and encryption protect against vulnerabilities and tampering. With minimal cost increase, TrustZone unlocks advanced trusted computing use cases previously requiring dedicated security chips.
