TrustZone

ARM TrustZone® technology is a system-wide approach to security on high performance computing platforms for a huge array of applications including secure payment, digital rights management (DRM), enterprise and web-based services.

TrustZone technology, tightly integrated into Cortex™-A processors, extends throughout the system via the AMBA® AXI™ bus and specific TrustZone System IP blocks. This system approach means that peripherals such as secure memory, crypto blocks, keyboard and screen can be protected from software attack.

Devices developed according to the recommendations of the TrustZone Ready Program, and which utilize TrustZone technology, deliver a platform capable of supporting a full Trusted Execution Environment (TEE), security-aware applications and secure services.

Mobile devices have evolved into open software platforms capable of downloading a huge variety of applications from the internet. These applications are often validated by the device OEM to ensure quality; however, not all functionality can be tested, and increasingly malicious code is being created to target this class of device.

In parallel, the demand for mobile devices to handle high-value services is gaining significant momentum. New business models are emerging, from the capability to pay for, download and view the latest Hollywood blockbuster for a specific period, to the ability to pay bills and manage bank accounts remotely from a handset.

These trends have the potential to make the mobile handset the next frontier for software attack vectors such as malware, trojans and rootkits. However, by applying advanced security technology based on ARM TrustZone technology and integrating SecurCore™ tamper-resistant elements, it is possible to develop devices that offer both a feature-rich open operating environment and robust security solutions.

Application Examples

• Secured PIN entry for enhanced user authentication in mobile payments & banking
• Anti-malware that is protected from software attack
• Digital Rights Management
• Software license management
• Loyalty-based applications
• Access control of cloud-based documents
• e-Ticketing
• Mobile TV

Trusted applications that run on a TrustZone technology-based SoC under a Trusted Execution Environment, separated from the main OS, are protected from software and malware attack. The TrustZone switch into Secure mode provides hardware-backed isolation. Trusted applications are typically containerized, allowing, for example, trusted applications from different payment companies to co-exist on a device.

Processor Support

ARM TrustZone technology is an integral feature of all Cortex-A class processors and was introduced through the ARM Architecture Security Extensions. These extensions provide a consistent programmer's model across vendors, platforms, and applications while providing a true hardware-backed security environment.

ARM processors supporting TrustZone include:

GlobalPlatform API Support

ARM has donated its TrustZone API to GlobalPlatform, where it has developed into the TEE Client API. ARM has also been working with other leading companies to develop the TEE Internal API, which interfaces between the Trusted OS and the Trusted Application. Please see the GlobalPlatform website for more details. The expectation is that the standardization of the TEE will lead to rapid growth in the deployment of trusted applications.

TrustZone Hardware Architecture

The TrustZone hardware architecture aims to provide a security framework that enables a device to counter many of the specific threats that it will experience. Instead of providing a fixed one-size-fits-all security solution, TrustZone technology provides the infrastructure foundations that allow a SoC designer to choose from a range of components that can fulfill specific functions within the security environment.

The primary security objective of the architecture is to enable the construction of a programmable environment that allows the confidentiality and integrity of assets to be protected from specific attacks. A platform with these characteristics is suited to building a wide-ranging set of security solutions that are not cost-effective with traditional methods. 

The security of the system is achieved by partitioning all of the SoC hardware and software resources so that they exist in one of two worlds - the Secure world for the security subsystem, and the Normal world for everything else. Hardware logic present in the TrustZone-enabled AMBA3 AXI™ bus fabric ensures that Normal world components do not access Secure world resources, enabling construction of a strong perimeter boundary between the two. A design that places the sensitive resources in the Secure world, and implements robust software running on the secure processor cores, can protect assets against many possible attacks, including those which are normally difficult to secure, such as passwords entered using a keyboard or touch-screen. By separating security sensitive peripherals through hardware, a designer can limit the number of sub-systems that need to go through security evaluation and therefore save costs when submitting a device for security certification.

The second aspect of the TrustZone hardware architecture is the extensions implemented in some of the ARM processors. These additions enable a single physical processor core to execute code safely and efficiently from both the Normal world and the Secure world in a time-sliced fashion. This removes the need for a dedicated security processor core, which saves silicon area and power, and allows high-performance security software to run alongside the Normal world operating environment.

The two virtual processors context switch via a new processor mode, called monitor mode, whenever the currently running virtual processor changes.

The mechanisms by which the physical processor can enter monitor mode from the Normal world are tightly controlled, and all appear as exceptions to the monitor mode software. Entry to monitor mode can be triggered by software executing a dedicated instruction, the Secure Monitor Call (SMC) instruction, or by a subset of the hardware exception mechanisms: the IRQ, FIQ, external Data Abort and external Prefetch Abort exceptions can each be configured to cause the processor to switch into monitor mode.

The software that executes within monitor mode is implementation defined, but it generally saves the state of the current world and restores the state of the world at the location to which it switches. It then performs a return-from-exception to restart processing in the restored world.

The final aspect of the TrustZone hardware architecture is a security-aware debug infrastructure that can enable control over access to Secure world debug, without impairing debug visibility of the Normal world.
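The monitor-mode entry rules and save/flip-NS/restore sequence described above, as an added C model that is not ARM's code: the register set, the exception routing flags, the secure stack address and the secure service (id 1 doubles its argument) are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Added example, not ARM's code: a C model of the monitor-mode world switch.
 * Register set, routing flags, service ids and stack values are constructed. */
typedef enum { EXC_SMC, EXC_IRQ, EXC_FIQ, EXC_DATA_ABORT, EXC_PREFETCH_ABORT } exc_t;
typedef struct { uint32_t sp, lr; } banked_t;   /* per-world state the monitor saves */
typedef struct {
    uint32_t r[4];      /* r0-r3: shared, used to pass SMC arguments and results */
    banked_t live;      /* registers currently loaded in the core */
    banked_t saved[2];  /* saved[0] = Secure world, saved[1] = Normal world */
    int ns;             /* SCR.NS-style bit: 0 = Secure world running, 1 = Normal */
    bool route_irq, route_fiq, route_ea;  /* which exceptions trap to monitor */
} cpu_t;
void cpu_init(cpu_t *c) {
    memset(c, 0, sizeof *c);
    c->ns = 1;                     /* start in the Normal world */
    c->saved[0].sp = 0x40001000u;  /* constructed Secure-world stack in protected SRAM */
    c->route_fiq = true;           /* FIQ reserved for the Secure world; IRQ stays Normal */
}
/* Monitor body: save the outgoing world, flip NS, restore the incoming world */
static void world_switch(cpu_t *c) {
    c->saved[c->ns] = c->live;
    c->ns ^= 1;
    c->live = c->saved[c->ns];
}
/* Entry to monitor is only via SMC or an exception configured to route there;
 * returns false when the current world handles the exception itself */
bool monitor_entry(cpu_t *c, exc_t e) {
    bool take = (e == EXC_SMC) || (e == EXC_IRQ && c->route_irq) ||
                (e == EXC_FIQ && c->route_fiq) ||
                ((e == EXC_DATA_ABORT || e == EXC_PREFETCH_ABORT) && c->route_ea);
    if (take) world_switch(c);
    return take;
}
/* Constructed Secure-world service: id 1 doubles its argument, others refused */
static uint32_t secure_service(cpu_t *c) {
    c->live.lr = 0xDEADBEEFu;   /* secure-only state touched during the call */
    return c->r[0] == 1 ? c->r[1] * 2u : 0xFFFFFFFFu;
}
/* Normal world issues SMC: trap to monitor, run the service, return via monitor */
uint32_t smc(cpu_t *c, uint32_t id, uint32_t arg) {
    c->r[0] = id; c->r[1] = arg;
    if (!monitor_entry(c, EXC_SMC)) return 0xFFFFFFFFu;
    c->r[0] = secure_service(c);
    world_switch(c);            /* return-from-exception into the Normal world */
    return c->r[0];
}
```

After the call the Normal world sees only the result in r0; the Secure world's banked state stays in its own save slot and an IRQ, left unrouted, never reaches the monitor.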


TrustZone Software Architecture


The implementation of a Secure world in the SoC hardware requires some secure software to run within it and to make use of the sensitive assets stored there.

Secure Software Architecture

There are many possible software architectures which a Secure world software stack on a TrustZone-enabled processor core could implement. The most advanced is a dedicated Secure world operating system; the simplest is a synchronous library of code placed in the Secure world. There are many intermediate options between these two extremes.

Secure Kernel

A dedicated secure kernel is potentially a complex yet powerful design. It can simulate concurrent execution of multiple independent Secure world applications, run-time download of new security applications, and Secure world tasks that are completely independent of the Normal world environment.

These designs closely resemble the software stacks that would be seen in a SoC with two separate physical processors in an Asymmetric Multi-Processing (AMP) configuration. The software running on each virtual processor is a standalone operating system, and each world uses hardware interrupts to pre-empt the currently running world and acquire processor time.

A tightly integrated design, which uses a communications protocol that associates Secure world tasks with the Normal world thread that requested them, can provide many of the benefits of a Symmetric Multi-Processing (SMP) design. In these designs a Secure world application could, for example, inherit the priority of the Normal world task that it is assisting. This would enable some form of soft real-time response for media applications.

The Security Extensions are an open component of the ARM architecture, so any developer can create a custom Secure world software environment to meet their requirements.

Due to the inherent complexity of implementing a full Secure OS, and the potential need to certify its capabilities and performance, ARM recommends Trusted OS solutions from Trusted OS suppliers that are members of GlobalPlatform and are working towards standardizing TEE APIs and libraries.


TrustZone System Examples

There are limitless ways of implementing a TrustZone-enabled device; however, these break down into three major groups, or tiers of solution, based on the target application and the engineering trade-off between performance, power and cost.

Tier One

TrustZone Tier One System Architecture Block Diagram

The Tier One solution represents a baseline solution intended to secure the keypad and screen so that personal identification numbers (PINs) can be entered on an open software platform device. In Non-secure mode the keyboard and screen operate as usual under the control of the OpenOS, such as Windows CE, Linux or Symbian; however, when an application requests payment these peripherals are placed under the control of the Secure Kernel.

Since this type of solution should be as low cost as possible, only the addition of the TrustZone Memory Adaptor fabric component is required, to secure a contiguous block of on-chip SRAM. The Master Key and SIM interface blocks are secured by tying their AXI2AHB bridge to the Secure state. Similarly, the bridge for the Keyboard Master Interface and LCD Controller can be dynamically controlled by the processor, setting the entire region into either Secure or Non-secure mode.
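The fabric-level rule that underpins both the two-world perimeter described under the hardware architecture and the Tier One design above (a TZMA-protected SRAM block, plus peripherals whose world is flipped at run time by TZPC-style control), as an added C model that is not ARM's code: the address map, region table, peripheral names and the NS attribute values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Added example, not ARM's code: a model of the fabric-level checks the text
 * describes. Addresses, regions and peripheral names are constructed. */
#define NS_SECURE 0   /* NS attribute carried with each AXI transaction */
#define NS_NORMAL 1
typedef struct {
    uint32_t base, size;
    bool secure_only;  /* TZMA/TZASC region reserved for the Secure world */
} region_t;
/* Constructed map: TZMA-protected on-chip SRAM plus an open DRAM window */
static const region_t regions[] = {
    { 0x40000000u, 0x00010000u, true  },
    { 0x80000000u, 0x10000000u, false },
};
/* Peripherals whose world the TZPC can reassign under software control */
typedef struct { const char *name; bool secure; } periph_t;
static periph_t periphs[] = { { "keypad", false }, { "lcd", false } };
static periph_t *find_periph(const char *name) {
    for (size_t i = 0; i < sizeof periphs / sizeof periphs[0]; i++)
        if (strcmp(periphs[i].name, name) == 0) return &periphs[i];
    return NULL;
}
/* TZPC register write: only Secure-world software may move a peripheral */
bool tzpc_set_secure(int caller_ns, const char *name, bool secure) {
    periph_t *p = find_periph(name);
    if (caller_ns != NS_SECURE || p == NULL) return false;
    p->secure = secure;
    return true;
}
/* Memory transaction: Non-secure masters never reach secure-only regions;
 * unmapped addresses fault for both worlds */
bool mem_access_allowed(uint32_t addr, int ns) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const region_t *r = &regions[i];
        if (addr >= r->base && addr - r->base < r->size)
            return ns == NS_SECURE || !r->secure_only;
    }
    return false;
}
/* Same rule for a peripheral behind a TZPC-controlled bridge */
bool periph_access_allowed(const char *name, int ns) {
    const periph_t *p = find_periph(name);
    return p != NULL && (ns == NS_SECURE || !p->secure);
}
```

The sequence a PIN-entry flow would follow is: the Secure Kernel claims the keypad, Normal-world masters lose access to it for the duration, and the kernel hands it back afterwards.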

It is suggested that a complete "root of trust" process be used when booting the device. In many cases, this would be done via an integrated Boot ROM that runs the base OS and then loads the monitor and SecureOS. Once this has completed, the SecureOS launches the traditional OpenOS, ensuring that no malicious code can enter the process.

Tier Two

TrustZone Tier Two System Architecture Block Diagram

The Tier Two solution is a complete superset of the Tier One system, ensuring that code portability and payment services are easily incorporated. The Tier Two system provides a cost-effective platform for basic digital rights management (DRM), with integration of the TrustZone Address Space Controller (TZASC) to protect areas of the RAM used to hold valuable content. Furthermore, an off-chip decoder engine may be used to minimize costs or provide specific decode technology, while also being secured against access from Non-secure software.

To enable full DRM, the size of the on-chip SRAM would normally need to increase to provide a secure space for dynamic code execution. An E2PROM could also be integrated to hold details of what content is accessible, for what period, or how many plays remain.

More peripherals would also normally need to be dynamically secured in this type of solution, under the control of the TrustZone Protection Controller, to prevent streaming-off of intermediate or decrypted content, or control of the media by Non-secure code and peripherals.

Tier Three

TrustZone Tier Three System Architecture Block Diagram

Tier Three builds on the existing solutions to deliver a high-performance DRM solution capable of supporting video streaming and on-the-fly decompression. In this case, the device is fully securable, providing a platform that a content provider can authenticate to ensure full protection of keys and that only authorized viewing of material occurs. In many ways, this is similar to, but far more cost-effective than, a two-core implementation with fully parallel Secure and Non-secure worlds.

In addition to more dynamically secured peripherals, this solution includes a DMA Controller and Media Accelerators connected to a multi-core processor via the Accelerator Coherence Port (ACP).


System IP Support

Security is an attribute of a whole system, not just a single component. ARM® TrustZone® technology allows the system to be more easily partitioned for security while maintaining hardware-backed protection for the security sub-system. Designing the security sub-system using TrustZone technology requires not only a TrustZone technology-enabled processor core, but also the bus fabric, secure memory and secure peripherals. ARM provides a range of System IP to provide the foundation of security sub-systems:


TrustZone System IP Components

• CoreLink Interconnect (CCI-400, NIC-400): CoreLink Interconnect provides on-chip AMBA® connectivity and includes the features needed to create a system secured with TrustZone.
• Advanced AMBA 3 Interconnect (NIC-301): The ARM AMBA® 3.0 AXI bus can propagate the secure status of the processor core to the memory and peripherals in the SoC and beyond.
• TrustZone Address Space Controller (TZC-400): The latest ARM TZC provides enhanced capabilities for protecting data held in off-chip DRAM, including support for the AMBA4 protocols and the ability to protect content in DRM use cases.
• TrustZone Address Space Controller (TZC-380): The TZASC acts as a security-enhanced memory protection unit, ensuring that areas of DRAM are only accessible in the Secure state.
• TrustZone Memory Adaptor (BP141): The TZMA acts as a single-region TZASC for on-chip memory which needs to be accessible only in Secure mode.
• TrustZone Protection Controller (BP147): The TZPC dynamically secures peripherals via software control.
• TrustZone Interrupt Controller: Enables Normal and Secure interrupt prioritization if a GIC (MPCore-capable processor) is not present.
