ARM TrustZone CryptoCell

November 20, 2015

2 minute read time.

ARM TrustZone CryptoCell

CryptoCell is a range of security sub-systems and hardware components that provide platform level security as well as hardware support for security acceleration and offloading.

CryptoCell’s architecture level protection provides tools and building blocks for a wide range of applications including: content protection, IoT security, encryption and provisioning.

CryptoCell digital security subsystem serves as an infrastructure for security related use cases running on the SoC and is comprised of hardware, firmware and SoC-external tools.

CryptoCell includes efficient hardware cryptographic engines, RNG, root of trust/key management, secure boot, secure debug and lifecycle management.

The CryptoCell-300 series of products are usually coupled with ARM Cortex®-M CPUs and the CryptoCell-700 series integrated with Cortex-A application processors.

CryptoCell enables SoC architects to tradeoff area, power, performance or robustness in a very flexible manner. Designs can be optimized to achieve the security vs. cost “sweet spot” appropriate to the target market.

CryptoCell Product Highlights

CryptoCell is an embedded security platform suitable for a wide range of SoC markets including automotive, mobile, IoT and deeply embedded. It is compatible with processors that have TrustZone architectural extensions but can also be used where this is absent (such as Cortex-R processors).
CryptoCell offers an outstanding level of security, while addressing challenging requirements for increased system complexity, high performance, low power consumption and small footprint.
CryptoCell multi-layered hardware and software architecture combines hardware accelerators, root-of-trust control hardware with a rich layer of security software and off chip tools.
The CryptoCell architecture is modular and flexible by design, allowing the security solution to be tailored to meet market requirements (all security services offered by TrustZone CryptoCell can be included or excluded from the final package of hardware and software delivered to customers).
CryptoCell can be configured to address different platform level security requirements as well as specific protocol related requirements (e.g. IPsec, HomeKit).

The CryptoCell-700 series and CryptoCell-300 series address different platform needs: CryptoCell-300 series is usually coupled with Cortex-M CPUs for environments that require a small footprint (e.g. IoT) and CryptoCell-700 series is usually coupled with Cortex-A CPUs for performance intensive use cases (e.g. mobile).

The following diagram (Fig 1.) illustrates the different components in the TrustZone CryptoCell subsystem.

Figure 1. TrustZone CryptoCell High Level Block Diagram

Addressing key security requirements

Digital devices deal with a wide range of possible threats, CryptoCell addresses the different security requirements coming from different stakeholders. Standard bodies and commercial organization, such as Microsoft, Google, Apple, DTLA, DCP LLC, OMTP, CMLA and others, define different attack vectors as pertinent:

Software attacks
Inter-chip signal probing
Board level software-based debug and test attacks
Physical interface attacks
Memory or any other non-SoC element replacement attacks
Off-line modification of the contents of non-volatile storage (e.g., Flash, EPROM)

To enable SOC vendors to address these attack vectors, CryptoCell offers protection of key device assets. Key device assets usually include:

Software code images (system, application, etc.).
Secret data, such as device keys and personal/corporate data.
Protected content, such as DRM audio and video files/stream.

TrustZone CryptoCell facilitates these security requirements and provides the necessary tools and building blocks to mitigate against such attacks.

Security Certification and Compliance

Security certification standards such as FIPS 140-2, Common Criteria and GlobalPlatform TEE certification are all targeted at verifying the security of complete products.

TrustZone CryptoCell provides the tools and building blocks necessary to comply with these standards.

TrustZone CryptoCell provides the security infrastructure to comply with the robustness rules published by many standardization bodies and commercial organizations such as: Microsoft, Apple, Google, CMLA, DTLA, 4C, DCP LLC, Netflix and IETF.

Commercial deployment and market traction

CryptoCell is commercially deployed within chipsets covering many different verticals and markets such as mobile, IoT, home entertainment and automotive.

source: TrustZone - ARM

Architectures and Processors blog

Using SVE in C#

Alan Hayward

.NET 9 introduces SVE support on Arm, allowing users to write simplified vectorised code. This blog gives examples in C# and compares it to C++.
- November 20, 2024
Part 3: Enabling PAC and BTI on AArch64 for Linux

Bill Roberts

Supporting C++ style exceptions and DWARF for Pointer Authentication Codes (PAC) signed pointers.
- November 20, 2024
Part 2: Enabling PAC and BTI on AArch64 for Linux

Bill Roberts

Utilizing Pointer Authentication Codes (PAC) and Branch Target Instructions (BTI) together and optimizations in instruction counts.
- November 19, 2024

AI and ML blog

Announcements

Architectures and Processors blog

Automotive blog

Embedded blog

Graphics, Gaming, and VR blog

High Performance Computing (HPC) blog

Infrastructure Solutions blog

Internet of Things (IoT) blog

Operating Systems blog

SoC Design and Simulation blog

Tools, Software and IDEs blog

ARM TrustZone CryptoCell

Using SVE in C#

Part 3: Enabling PAC and BTI on AArch64 for Linux

Part 2: Enabling PAC and BTI on AArch64 for Linux