Security requirements addressed by TrustZone technology for ARMv8-M
The word security can mean many different things in embedded system designs. In most embedded systems, security can include, but is not limited to:
This protection prevents data transfers from being visible to, or intercepted by unauthorized parties and might include other techniques such as cryptography.
This protection prevents unauthorized parties accessing secret data that is stored inside devices.
This protection prevents on-chip firmware from being reverse engineered.
This protection prevents critical operations from malicious intentional failure.
In many security sensitive products, anti-tampering features are required to prevent the operation or protection mechanisms of the device from being overridden.
TrustZone technology can address some of the following security requirements of embedded systems directly:
Sensitive data can be stored in Secure memory spaces and can only be accessed by Secure software. Non-secure software can only gain access to Secure APIs providing services to the Non-secure domain, and only after security checks or authentication.
Firmware that is preloaded can be stored in Secure memories to prevent it from being reverse engineered and compromised by malicious attacks. TrustZone technology for ARMv8-M can also work with extra protection techniques. For example, device level read-out protection, a technique that is commonly used in the industry today, can be used with TrustZone technology for ARMv8-M to protect the completed firmware of the final product.
Software for critical operations can be preloaded as Secure firmware and the appropriate peripherals can be configured to permit access from the Secure state only. In this way, the operations can be protected from intrusion from the Non-secure side.
The Secure boot mechanism enables you to have confidence in the platform, as it will always boot from Secure memory.
Since TrustZone technology for ARMv8-M is only a barrier between security domains, some security requirements cannot be addressed by TrustZone technology alone. For example:
- Communication protection still requires cryptography techniques which might be handled by software or assisted by hardware crypto-accelerators, for example, ARM TrustZone Cryptocell products. TrustZone technology can help support such techniques, as certain crypto-software and hardware can be configured to only be accessible within the Secure state.
- Anti-tampering, if necessary in a product, still requires specialized design techniques and product level design arrangements, for example, circuit boards and product enclosures. Whether anti- tampering is applied depends on system requirements and the value of the assets being protected.
Nonetheless, TrustZone technology for ARMv8-M enables a better foundation for system level security. In the simplest example, TrustZone technology for ARMv8-M can be used to protect firmware from being reverse engineered, as the following figure shows:
Many microcontrollers already have built-in firmware such as USB or Bluetooth stacks, and TrustZone technology makes the firmware protection implementation easier and more Secure, by ensuring that untrusted software cannot branch to the middle of Secure APIs to bypass any initial checking.
Security for IoT products
TrustZone technology for can also be used with the additional protection features used in advanced microcontrollers targeting the next generation Internet of Things (IoT) products. For example, a microcontroller that is developed for IoT applications can include a range of security features.
The use of TrustZone technology can help ensure that all those features can only be accessed using APIs with valid entry points, as the following figure shows:
By using TrustZone technology to safe guard these security features, designers can:
- Prevent untrusted applications from directly accessing security critical resources.
- Ensure that a Flash image is reprogramed only after authentication and checking.
- Prevent firmware from being reverse engineered.
- Store secret information with protection at the software level.
Security for wireless communication interface
In some other application scenarios, such as a wireless SoC with a certified built-in radio stack, TrustZone technology can protect the standardized operations, such as wireless communication behavior.
TrustZone technology can ensure that customer defined applications cannot void the certification, as the following figure shows.