The basis of the TrustZone model is that the computing environment splits into two isolated states, the Secure state and the Nonsecure state, with no leakage of secure data to the Nonsecure state. Secure Monitor software, running in Monitor mode, links the two states and acts as a gatekeeper that manages the transfer of control between them. The system can have both secure and nonsecure peripherals, each controlled by a device driver running in the corresponding state. Figure 2.7 shows the relationship between the Secure and Nonsecure states. The Operating System (OS) splits into the secure OS, which includes the secure kernel, and the nonsecure OS, which includes the nonsecure kernel. For details on modes of operation, see Operating modes.
In normal Nonsecure operation, the OS runs tasks in the usual way. When a User process requires a secure service, it makes a request to the nonsecure kernel, which runs in a privileged mode; it cannot enter the Secure state itself, because the SMC instruction that calls the Secure Monitor is UNDEFINED in User mode. The kernel executes SMC, and the Secure Monitor saves the Nonsecure context, clears the NS bit in the Secure Configuration Register and transfers execution to the Secure state, where the secure kernel handles the request. On completion the Monitor restores the Nonsecure context and returns control to the nonsecure kernel.
This approach to secure systems means that the platform OS, which works in the Nonsecure state, has only a few fixed entry points into the Secure state, all of them through the Secure Monitor. The Monitor must therefore validate which entry point is being requested, reject anything outside that fixed set, and pass back only the intended result registers, so that no secure data leaks on return. The trusted code base for the Secure state, which includes the secure kernel and secure device drivers, is small and therefore much easier to maintain and verify.
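The request path above and the fixed-entry-point property are easiest to see as a host-runnable model. The following C is an added example, not ARM's code and not the Secure Monitor of any real secure OS: the SMC instruction, the processor modes, SCR.NS, the two function IDs and the "sealing" handler are all simulated or hypothetical, and nothing here performs a real world switch. What it shows is the gatekeeper logic itself: SMC from User mode never reaches the Monitor, an unknown function ID is refused without leaving the Nonsecure state, a known one runs its handler with NS clear, and only the return register is handed back so secure-side scratch state cannot leak.

```c
/* Added example, not ARM's code: a host-runnable C model of the Secure
 * Monitor as gatekeeper. The SMC instruction, SCR.NS, the processor modes
 * and the function IDs are simulated or hypothetical. */
#include <stdint.h>
#include <string.h>

#define SCR_NS 0x1u                      /* SCR bit 0: 1 = Nonsecure state */
static uint32_t scr = SCR_NS;            /* the platform OS runs Nonsecure */

enum { MODE_USR = 0x10, MODE_SVC = 0x13, MODE_MON = 0x16 }; /* CPSR.M values */

struct ctx { uint32_t r[4]; };           /* r0-r3: SMC arguments / return value */

/* Hypothetical entry points; the real set is defined by the secure OS. */
#define SMC_GET_VERSION 0x80000000u
#define SMC_SEAL_BLOB   0x80000001u

enum { SMC_OK = 0, SMC_EUNDEF = -1, SMC_ENOTSUPP = -2 };

static int handler_saw_ns = -1;          /* SCR.NS as seen by the last handler */
static uint32_t secure_secret = 0xDEADBEEFu; /* must never reach Nonsecure */

/* Secure-kernel handlers: run only after the Monitor has cleared SCR.NS. */
static uint32_t h_version(struct ctx *c)
{
    (void)c;
    handler_saw_ns = (int)(scr & SCR_NS);
    return 0x00010002u;
}

static uint32_t h_seal(struct ctx *c)
{
    handler_saw_ns = (int)(scr & SCR_NS);
    c->r[3] = secure_secret;             /* secure-side scratch use of a register */
    return c->r[1] ^ secure_secret;      /* XOR stands in for a sealing primitive */
}

static const struct { uint32_t id; uint32_t (*fn)(struct ctx *); } entry_table[] = {
    { SMC_GET_VERSION, h_version },
    { SMC_SEAL_BLOB,   h_seal    },
};

/* Monitor-mode SMC handler: the only path from Nonsecure into the Secure state. */
static int monitor_smc(struct ctx *ns)
{
    uint32_t fid = ns->r[0];
    size_t i, n = sizeof entry_table / sizeof entry_table[0];

    for (i = 0; i < n && entry_table[i].id != fid; i++) { }
    if (i == n) {                        /* not a fixed entry point: refuse, stay Nonsecure */
        ns->r[0] = (uint32_t)SMC_ENOTSUPP;
        return SMC_ENOTSUPP;
    }

    struct ctx s;
    memcpy(&s, ns, sizeof s);            /* secure side gets the argument registers only */
    scr &= ~SCR_NS;                      /* enter Secure state */
    uint32_t ret = entry_table[i].fn(&s);
    scr |= SCR_NS;                       /* back to Nonsecure before returning */
    memset(&s, 0, sizeof s);             /* scrub secure-side scratch state */
    ns->r[0] = ret;                      /* hand back only the return value */
    return SMC_OK;
}

/* CPU model: SMC is UNDEFINED in User mode, so the Monitor is never reached
 * from an unprivileged process; the nonsecure kernel has to issue it. */
int execute_smc(uint32_t caller_mode, struct ctx *regs)
{
    if (caller_mode == MODE_USR)
        return SMC_EUNDEF;
    return monitor_smc(regs);
}

uint32_t current_scr(void) { return scr; }
int last_handler_saw_ns(void) { return handler_saw_ns; }
```

A real Monitor also saves and restores the full banked register set and any coprocessor state of both worlds; the model keeps only r0-r3 to make the two properties it demonstrates, the closed entry table and the one-register return path, easy to check.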
For more information on how TrustZone works in the architecture, see the ARM Architecture Reference Manual, Security Extensions supplement.