Chapter 1 Arm TrustZone technology
TrustZone technology for Armv8-M is an optional Security Extension that is designed to provide a foundation for improved system security in a wide range of embedded applications.
The concept of TrustZone technology is not new. The technology has been available on Arm Cortex-A series processors for several years and has now been extended to cover Armv8-M processors.
At a high level, the concepts of TrustZone technology for Armv8-M are similar to the TrustZone technology in Arm Cortex-A processors. In both designs, the processor has Secure and Non-secure states, with Non-secure software able to access Non-secure memories only. TrustZone technology for Armv8-M is designed with small, energy-efficient systems in mind. Unlike TrustZone technology in Cortex-A processors, the division between the Secure and Normal worlds is memory-map based, and the transitions take place automatically in exception handling code.
However, there are several differences in the implementation:
- TrustZone technology for Armv8-M supports multiple Secure function entry points, whereas in TrustZone technology for Cortex-A processors, the Secure Monitor handler is the sole entry point.
- Non-secure interrupts can still be serviced when executing a Secure function.
As such TrustZone technology for Armv8-M is optimized for low-power microcontroller type applications:
- In many microcontroller applications with real-time processing, deterministic behavior and low interrupt latency are important requirements. The ability to service interrupt requests while running Secure code is critical.
- By allowing the register banks to be shared between Secure and Non-secure states, the power consumption of Armv8-M implementations can be similar to Armv6-M or Armv7-M implementations.
- The low overhead of state switching allows Secure and Non-secure software to interact frequently, which is expected to be commonplace when Secure firmware contains software libraries such as GUI firmware or communication protocol stacks.
Arm TrustZone technology enables the system and the software to be partitioned into Secure and Normal worlds. Secure software can access both Secure and Non-secure memories and resources, while Normal software can only access Non-secure memories and resources. These security states are orthogonal to the existing Thread and Handler modes, enabling both a Thread and Handler mode in both Secure and Non-secure states.
Note: Thread mode can also be either Privileged or Unprivileged.
If the Security Extension is implemented, the system starts up in Secure state by default. If the Security Extension is not implemented, the system is always in Non-secure state. TrustZone technology enables the processor to be aware of the security states available. Arm TrustZone technology does not cover all aspects of security. For example, it does not include cryptography.
The following figure shows how TrustZone technology for Armv8-M adds Secure and Non-secure states to processor operation:
Figure 1-1 Secure and Non-secure states
In designs with the Armv8-M architecture Security Extension, components that are critical to the security of the system can be placed in the Secure world. These critical components include:
- A Secure boot loader.
- Secret keys.
- Flash programming support.
- High value assets.
The remaining applications are placed in the Normal world.
Figure 1-2 Secure world assignment of critical components
Secure (Trusted) and Non-secure (Non-trusted) software can work together, but Non-secure applications cannot access Secure resources directly. Instead, any access to Secure resources goes through APIs provided by Secure software, and these APIs can implement authentication to decide whether access to the Secure service is permitted. With this arrangement, even if there are vulnerabilities in the Non-secure applications, hackers cannot compromise the whole chip.
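The two rules stated above, that Secure software reaches both Secure and Non-secure memory while Normal software reaches only Non-secure memory, and that a Secure API authenticates its caller before serving it, can be modelled on a host machine. The following C program is an added example written for this chapter; it is not Arm's code and does not use the real Armv8-M attribution hardware (the SAU and IDAU). The memory map, the region attributes, the service token and the device identifier are all constructed for the model. The part practitioners most often get wrong is included: the Secure service refuses a caller-supplied buffer unless the whole range carries the Non-secure attribute, so a Non-secure caller cannot use the service as a proxy to write into Secure memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added host-side model, not Arm's code. Addresses, regions, the token and
 * the device identifier below are constructed for the model. */

typedef enum { STATE_NONSECURE = 0, STATE_SECURE = 1 } sec_state_t;

typedef struct {
    uint32_t base;    /* first address of the region */
    uint32_t limit;   /* last address of the region (inclusive) */
    bool     secure;  /* security attribute of the region */
} region_t;

/* Constructed memory map: each region carries one attribute */
static const region_t g_map[] = {
    { 0x10000000u, 0x1007FFFFu, true  },  /* Secure flash: boot loader, keys */
    { 0x00000000u, 0x0007FFFFu, false },  /* Non-secure flash: applications  */
    { 0x30000000u, 0x3000FFFFu, true  },  /* Secure SRAM                     */
    { 0x20000000u, 0x2000FFFFu, false },  /* Non-secure SRAM                 */
};

#define NS_SRAM_BASE  0x20000000u
#define NS_SRAM_SIZE  0x10000u
static uint8_t g_ns_sram[NS_SRAM_SIZE];      /* host backing store for Non-secure SRAM */

#define SERVICE_TOKEN 0xC0FFEE00u            /* constructed credential the service checks */
static const uint8_t g_device_id[4] = { 0xA5, 0x5A, 0x01, 0x02 }; /* asset held in Secure flash */

static const region_t *find_region(uint32_t addr)
{
    for (size_t i = 0; i < sizeof g_map / sizeof g_map[0]; i++)
        if (addr >= g_map[i].base && addr <= g_map[i].limit)
            return &g_map[i];
    return NULL;                             /* unmapped: no region claims it */
}

/* True if [addr, addr+len) lies inside one mapped region; reports that region */
static bool range_in_one_region(uint32_t addr, uint32_t len, const region_t **out)
{
    if (len == 0)
        return false;
    uint64_t end = (uint64_t)addr + len - 1;
    if (end > UINT32_MAX)
        return false;                        /* wraps around the address space */
    const region_t *r = find_region(addr);
    if (r == NULL || end > r->limit)
        return false;                        /* unmapped or straddles a boundary */
    if (out)
        *out = r;
    return true;
}

/* Every byte of the range carries the Non-secure attribute */
bool range_is_nonsecure(uint32_t addr, uint32_t len)
{
    const region_t *r;
    return range_in_one_region(addr, len, &r) && !r->secure;
}

/* The access rule from the text: Secure state reaches every mapped region,
 * Non-secure state only Non-secure regions. */
bool access_permitted(sec_state_t state, uint32_t addr, uint32_t len)
{
    if (state == STATE_SECURE)
        return range_in_one_region(addr, len, NULL);
    return range_is_nonsecure(addr, len);
}

/* What a Non-secure caller hands to the Secure service entry point */
typedef struct {
    uint32_t addr;   /* caller-supplied output buffer address */
    uint32_t len;    /* caller-supplied buffer length */
    uint32_t token;  /* caller-supplied credential */
} ns_request_t;

/* Secure API exposing the device identifier. Result: 0 ok, -1 authentication
 * failed, -2 buffer is not wholly Non-secure memory, -3 buffer too small,
 * -4 buffer is Non-secure but not in the writable SRAM the model backs. */
int secure_service(const ns_request_t *req)
{
    if (req->token != SERVICE_TOKEN)
        return -1;                           /* API decides the caller is not permitted */
    if (!range_is_nonsecure(req->addr, req->len))
        return -2;                           /* refuse pointers that alias Secure memory */
    if (req->len < sizeof g_device_id)
        return -3;
    if (req->addr < NS_SRAM_BASE || req->addr - NS_SRAM_BASE + req->len > NS_SRAM_SIZE)
        return -4;
    /* Secure code may write Non-secure memory: copy the identifier, never the keys */
    uint8_t *dst = &g_ns_sram[req->addr - NS_SRAM_BASE];
    for (size_t i = 0; i < sizeof g_device_id; i++)
        dst[i] = g_device_id[i];
    return 0;
}

/* Reads back one byte the service left in the modelled Non-secure SRAM */
uint8_t ns_sram_read(uint32_t addr)
{
    return g_ns_sram[addr - NS_SRAM_BASE];
}
```

The range check deliberately rejects three shapes of caller-supplied buffer: one that lies in a Secure region, one that starts in Non-secure memory but crosses into a Secure region, and one whose length wraps the 32-bit address space. Checking only the first byte of the buffer would let the second and third shapes through.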