ARM TrustZone CryptoCell

November 20, 2015

2 minute read time.

ARM TrustZone CryptoCell

CryptoCell is a range of security sub-systems and hardware components that provide platform level security as well as hardware support for security acceleration and offloading.

CryptoCell’s architecture level protection provides tools and building blocks for a wide range of applications including: content protection, IoT security, encryption and provisioning.

CryptoCell digital security subsystem serves as an infrastructure for security related use cases running on the SoC and is comprised of hardware, firmware and SoC-external tools.

CryptoCell includes efficient hardware cryptographic engines, RNG, root of trust/key management, secure boot, secure debug and lifecycle management.

The CryptoCell-300 series of products are usually coupled with ARM Cortex®-M CPUs and the CryptoCell-700 series integrated with Cortex-A application processors.

CryptoCell enables SoC architects to tradeoff area, power, performance or robustness in a very flexible manner. Designs can be optimized to achieve the security vs. cost “sweet spot” appropriate to the target market.

CryptoCell Product Highlights

CryptoCell is an embedded security platform suitable for a wide range of SoC markets including automotive, mobile, IoT and deeply embedded. It is compatible with processors that have TrustZone architectural extensions but can also be used where this is absent (such as Cortex-R processors).
CryptoCell offers an outstanding level of security, while addressing challenging requirements for increased system complexity, high performance, low power consumption and small footprint.
CryptoCell multi-layered hardware and software architecture combines hardware accelerators, root-of-trust control hardware with a rich layer of security software and off chip tools.
The CryptoCell architecture is modular and flexible by design, allowing the security solution to be tailored to meet market requirements (all security services offered by TrustZone CryptoCell can be included or excluded from the final package of hardware and software delivered to customers).
CryptoCell can be configured to address different platform level security requirements as well as specific protocol related requirements (e.g. IPsec, HomeKit).

The CryptoCell-700 series and CryptoCell-300 series address different platform needs: CryptoCell-300 series is usually coupled with Cortex-M CPUs for environments that require a small footprint (e.g. IoT) and CryptoCell-700 series is usually coupled with Cortex-A CPUs for performance intensive use cases (e.g. mobile).

The following diagram (Fig 1.) illustrates the different components in the TrustZone CryptoCell subsystem.

Figure 1. TrustZone CryptoCell High Level Block Diagram

Addressing key security requirements

Digital devices deal with a wide range of possible threats, CryptoCell addresses the different security requirements coming from different stakeholders. Standard bodies and commercial organization, such as Microsoft, Google, Apple, DTLA, DCP LLC, OMTP, CMLA and others, define different attack vectors as pertinent:

Software attacks
Inter-chip signal probing
Board level software-based debug and test attacks
Physical interface attacks
Memory or any other non-SoC element replacement attacks
Off-line modification of the contents of non-volatile storage (e.g., Flash, EPROM)

To enable SOC vendors to address these attack vectors, CryptoCell offers protection of key device assets. Key device assets usually include:

Software code images (system, application, etc.).
Secret data, such as device keys and personal/corporate data.
Protected content, such as DRM audio and video files/stream.

TrustZone CryptoCell facilitates these security requirements and provides the necessary tools and building blocks to mitigate against such attacks.

Security Certification and Compliance

Security certification standards such as FIPS 140-2, Common Criteria and GlobalPlatform TEE certification are all targeted at verifying the security of complete products.

TrustZone CryptoCell provides the tools and building blocks necessary to comply with these standards.

TrustZone CryptoCell provides the security infrastructure to comply with the robustness rules published by many standardization bodies and commercial organizations such as: Microsoft, Apple, Google, CMLA, DTLA, 4C, DCP LLC, Netflix and IETF.

Commercial deployment and market traction

CryptoCell is commercially deployed within chipsets covering many different verticals and markets such as mobile, IoT, home entertainment and automotive.

source: TrustZone - ARM

Architectures and Processors blog

When a barrier does not block: The pitfalls of partial order

Wathsala Vithanage

Acquire fences aren’t always enough. See how LDAPR exposed unsafe interleavings and what we did to patch the problem.
- September 15, 2025
Introducing GICv5: Scalable and secure interrupt management for Arm

Christoffer Dall

Introducing Arm GICv5: a scalable, hypervisor-free interrupt controller for modern multi-core systems with improved virtualization and real-time support.
- April 28, 2025
Getting started with AARCHMRS Features.json using Python

Joh

A high-level introduction to the Arm Architecture Machine Readable Specification (AARCHMRS) Features.json with some examples to interpret and start to work with the available data using Python.
- April 8, 2025

AI blog

Announcements

Architectures and Processors blog

Automotive blog

Embedded and Microcontrollers blog

Internet of Things (IoT) blog

Laptops and Desktops blog

Mobile, Graphics, and Gaming blog

Operating Systems blog

Servers and Cloud Computing blog

SoC Design and Simulation blog

Tools, Software and IDEs blog

ARM TrustZone CryptoCell

When a barrier does not block: The pitfalls of partial order

Introducing GICv5: Scalable and secure interrupt management for Arm

Getting started with AARCHMRS Features.json using Python