Over many years, Arm has developed a range of architecture security features to mitigate against increasingly sophisticated security threats. These architectures address various vulnerabilities in devices across all market areas, from IoT connected devices to large screen mobile computing devices to cloud servers. By incorporating security into the foundational layers of the architecture, devices are better protected against security threats. To help our partners understand the security architectures that apply to their use cases, we have categorized them into four key areas:

Defensive execution technologies | Isolation technologies | Common platform security services | Standard security APIs

Defensive execution technologies

The Arm architecture includes technologies that help defend against control-flow attacks and data-access attacks, as well as mitigations for side-channel attacks that exploit speculative execution.

Feature | Description | Architecture versions (A-profile) | Architecture versions (R-profile) | Architecture versions (M-profile) | Example use cases | More information
Privileged Access Never (PAN) | PAN is an Arm security feature that prevents kernel mode (or a hypervisor) from accessing memory allocated to user mode. The idea is that even if the kernel is tricked into accessing a page controlled by a user-mode attacker, PAN prevents the access from occurring. | Armv8.1-A | Armv8-R AArch64 | PXN introduced in Armv8.1-M | Recommended for all application processors unless all inputs and all software can be controlled and are trusted. | Learn the architecture: AArch64 memory model - Permissions attributes
Pointer Authentication Code (PAC) | Pointer authentication, or PAC, is a feature in which the upper bits of a pointer are used to store a PAC. The PAC is essentially a cryptographic signature over the pointer value and some additional context. | Armv8.3-A | Armv8-R AArch64 | Armv8.1-M | | CPU architecture: A-profile
Branch Target Identification (BTI) | Systems supporting BTI can enforce that indirect branches only land on code locations where the instruction is one of a small acceptable list. This reduces an attacker's ability to execute arbitrary code. | Armv8.5-A | No | Armv8.1-M | | Arm A-Profile Architecture Developments 2018: Armv8.5-A
Memory Tagging Extension (MTE) | Memory tagging enables developers to identify memory safety violations in their programs. MTE benefits security because it locates memory safety vulnerabilities both before and after deployment. | Armv8.5-A | No | N/A | | Memory Tagging Extension: Enhancing memory safety through architecture; Memory tagging support for OSS
Speculation barriers | Introduces a new barrier instruction and other features that can be used to block speculative execution and therefore mitigate cache-speculation side-channel attacks. | Armv8.5-A | Armv8-R AArch64 | Armv8.0-M | | Threats and countermeasures
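A software model of the pointer authentication scheme described in the PAC row, added here as an illustration and not taken from Arm's page or from any Arm implementation: the MAC is a toy mixing function with a constructed key standing in for the hardware algorithm, and the 48-bit virtual address width is an assumption. It shows why a pointer corrupted in memory, or one re-used with the wrong context, fails to authenticate instead of being followed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of pointer authentication: a 48-bit virtual address leaves the
 * top 16 bits of a pointer unused, so a keyed MAC over (address, context) is
 * stored there on signing and re-checked before use. pac_mac() is a toy mixing
 * function standing in for the hardware algorithm; the key is constructed. */
#define VA_BITS 48
#define ADDR_MASK ((1ULL << VA_BITS) - 1)
static const uint64_t pac_key = 0x0123456789abcdefULL;
static uint16_t pac_mac(uint64_t addr, uint64_t ctx) {
    uint64_t x = (addr & ADDR_MASK) ^ (ctx * 0x9E3779B97F4A7C15ULL) ^ pac_key;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    return (uint16_t)((x ^ (x >> 33)) >> 48);
}

/* Sign: place the MAC in the upper bits; ctx is the extra context, for example
 * the stack pointer value when a return address is being protected. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx) {
    return (ptr & ADDR_MASK) | ((uint64_t)pac_mac(ptr, ctx) << VA_BITS);
}

/* Authenticate: recompute and compare. On success *out is the plain address; on
 * mismatch it is a deliberately invalid pointer that faults when used. */
bool pac_auth(uint64_t signed_ptr, uint64_t ctx, uint64_t *out) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    bool ok = (uint16_t)(signed_ptr >> VA_BITS) == pac_mac(addr, ctx);
    if (out) *out = ok ? addr : (addr | (1ULL << 63));
    return ok;
}

/* Tamper model: count corrupted inputs that still authenticate (every single-bit
 * address flip plus 256 wrong contexts; each has a 1 in 65536 chance to pass). */
int pac_false_accepts(uint64_t ptr, uint64_t ctx) {
    uint64_t s = pac_sign(ptr, ctx);
    int bad = 0;
    for (int b = 0; b < VA_BITS; b++) bad += pac_auth(s ^ (1ULL << b), ctx, NULL);
    for (uint64_t c = 1; c <= 256; c++) bad += pac_auth(s, ctx + c, NULL);
    return bad;
}

int main(void) {
    uint64_t fp = 0x0000aaaa12345000ULL, out; /* constructed code address */
    bool ok = pac_auth(pac_sign(fp, 0x1234), 0x1234, &out);
    printf("round trip ok: %d (address 0x%llx)\n", ok, (unsigned long long)out);
    printf("tampered pointers accepted: %d\n", pac_false_accepts(fp, 0x1234));
    return 0;
}
```

With a 16-bit PAC an individual forgery still succeeds with probability 1/65536, which is why the hardware feature is a mitigation that raises the cost of control-flow hijacking rather than a proof of integrity.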

Defensive execution technologies, threats and counter measures: View

Isolation technologies

Arm provides scalable isolation technologies for segregating diverse workloads with minimal performance impact.

Feature | Description | Architecture versions (A-profile) | Architecture versions (R-profile) | Architecture versions (M-profile) | Example use cases | More information
TrustZone | Arm TrustZone technology provides hardware-enforced isolation, built into the CPU. The heart of the TrustZone approach is the concept of Secure and Normal worlds that are hardware separated. | Armv8.0-A | No | Armv8.0-M | Implementation of Digital Rights Management | Arm TrustZone technology
Secure-EL2 | The Secure EL2 extension adds support for virtualization in the Secure world. | Armv8.4-A | Armv8-R AArch64 introduced support for virtualization in the R-profile single security state | No | Whenever multiple trusted applications are required | White paper: Isolation using virtualization in the Secure world
Realm Management Extension (RME) | Part of the Arm Confidential Compute Architecture, the RME establishes a new hardware-backed secure environment that extends secure computing to all developers and all workloads. | Armv9-A | No | No | All compute instances in a public cloud that process sensitive or valuable data; protection of sensitive personal healthcare data on mobile devices. | Arm Confidential Compute Architecture
Arm dynamic TrustZone technology | Moving pages between the Normal and Secure worlds on demand can reduce the overall quantity of DRAM required on a platform when TrustZone is used intermittently for memory-intensive workloads. | Armv9-A | N/A | N/A | Larger machine learning models, media decoding and content protection | Blog: Introducing Arm’s Dynamic TrustZone technology

Isolation technologies, threats and counter measures: View

Common platform security services

Arm develops and promotes standard firmware and software architectures across trust boundaries. This simplifies the adoption of advances in the underlying hardware security architecture and makes the system software more portable.

Feature | Description | Architecture versions (A-profile) | Architecture versions (R-profile) | Architecture versions (M-profile) | Example use cases | More information
Firmware Framework for A-profile (FF-A) | FF-A describes a standardized communications interface between software images and the fundamental Root of Trust (RoT) for secure applications on an A-profile device. | N/A | N/A | N/A | All devices where communication is required between the Secure world and Normal world, and all devices using the Virtualization Extension within the Secure world. | Platform security resources
Firmware Framework for M-profile (FF-M) | FF-M describes a standardized communications interface between software images and the fundamental Root of Trust (RoT) for secure applications on an M-profile device. | N/A | N/A | N/A | | Platform security resources
Trusted Firmware | Arm contributes to open firmware initiatives such as the Linaro Trusted Firmware projects to ensure consistent, high-quality firmware is available across the Arm ecosystem. | N/A | N/A | N/A | All new devices benefit from shared, open EL3 firmware. | Trusted Firmware
Veraison | To support the Arm Confidential Compute Architecture, this open software initiative is creating software that supports device attestation verification services. | N/A | N/A | N/A | All service providers hosting an attestation verification service. | GitHub: Veraison

Common platform security services, threats and counter measures: View

Standard security APIs

Application developers can use standard APIs to make use of the most performant and secure features available on any given platform, in a convenient and portable way.

Feature | Description | Architecture versions (A-profile) | Architecture versions (R-profile) | Architecture versions (M-profile) | Example use cases | More information
PSA APIs (Crypto, Storage, Attestation) | The PSA Functional APIs define the foundations from which security services are built, allowing devices to be secure by design. | N/A | N/A | N/A | Optimized for system software and firmware on microcontrollers or application processors. | Platform security resources
Platform Abstraction for Security project (PARSEC) | PARSEC is an open-source project providing a micro-service that maps easy-to-consume security APIs, in the language of choice, to security primitives found in various hardware. | N/A | N/A | N/A | Any application running on an application processor server that requires access to security APIs. | PARSEC

Standard security APIs, threats and counter measures: View