ARM introduces TrustZone for ARMv8-M to bring mobile style security to microcontrollers and provides a new family of security subsystems: TrustZone CryptoCell
I’m at Techcon in Santa Clara this week and will be giving a talk on designing trustworthy devices later today. On the exhibition floor are 3 flavours of TrustZone technology: two of them are brand new and I would like to spend this blog introducing them to you.
Security is a major theme of the show and two of the biggest announcements for me are the extension of TrustZone security to microcontrollers and the addition of a new, deeper layer of security with the introduction of TrustZone CryptoCell.
The number of devices that connect to the internet in your home is set to soar. Strategy Analytics forecasts that by 2020 there will be over 30 billion connected gadgets. Today’s smart connected devices are based on applications processors such as ARM’s Cortex-A family. They run major OS such as Linux and are protected by multiple layers of hardware based security, including TrustZone technology. However, much of the future growth will come from simpler, lower cost microcontroller based devices. Traditionally microcontrollers have had little built-in security but now that a modern Cortex-M based chip can run sophisticated internet protocols such as Transport Layer Security (TLS, formerly known as SSL) they also require a hardware based security architecture.
Our growing reliance on technology requires that security be deeply integrated at multiple levels to protect users, services and devices. The Internet of Things revolution will need to be built on trustworthy devices. Service providers need to trust the data and this in turn means that the end points need to be secure from malicious attack. Consumers who buy a connected gadget will expect them not to be hacked. So the pressure will be on OEMs to deliver secure devices that can provide an appropriate level of security robustness to the assets they are protecting.
TrustZone today
Security on applications processors has been maturing over the last ten years originally driven by the needs of smartphones and more recently enterprise platforms. TrustZone technology is used on billions of devices to provide the hardware isolation for a Trusted Execution Environment (TEE). A TEE provides a secure enclave to protect sensitive code and data with the security promises of integrity and confidentiality, for example, a malicious application should not be able to read the private keys stored on the device. The TEE is designed to protect against scalable software attacks and if someone has stolen your device, from common hardware attacks sometimes referred to as “shack attacks” (attacks from a knowledgeable attacker with access to normal electronic enthusiast type of equipment).
The TrustZone based TEE provides a “Secure World“ where the security boundary is small enough to offer a route to certification and provable security. It is typically used for securing cryptographic keys, credentials and other secure assets. TrustZone offers a number of system security features not available to the hypervisor: it can support secure debug, offer secure bus transactions and take secure interrupts directly into the Trusted World (useful for trusted input). There is an argument to restrict the amount of security functionality in the trusted world to limit the attack surface and make certification a practical proposition.
The TrustZone security extensions work by providing the processor with an additional ‘secure state’ that allows secure application code and data to be isolated from normal operations. This partitioning enables a protected execution environment where trusted code can run and have access to secure hardware resources such as memory or peripherals. Conventionally, the Trusted World is used with its own dedicated secure operating system and a trusted boot flow to form a TEE that works together with the conventional operating system, such as Linux® or Android™, to provide secure services.
A TrustZone based Trusted Execution Environment has become a popular security building block of modern applications processors.
Anyway, on to the new stuff…
The IOT Challenge:
The success of the Internet of Things depends on consumers and services being protected: this requires security to be designed into the hardware and firmware of chips from the outset rather than being bolted on later. Now that even low cost ARM microcontrollers are capable of internet protocols it is clear that hardware based security needs to be present in the tiniest IOT platforms. The challenge then is how we bring high quality security solutions to all platforms and price points and help ensure the success of IOT.
Two New TrustZone Technologies
Getting chip based security right is difficult and requires an unbroken chain of well engineered hardware and software that works together. By providing specialized engineering in the form of TrustZone technology, ARM enables this chain to be established so that all platforms can benefit from high quality security solutions.
To enable layers of hardware based security across all devices ARM is expanding and deepening its security technology with the announcement that ARM TrustZone technology will be included in new ARMv8-M microcontrollers and TrustZone CryptoCell security subsystems will be available to work with any ARM processor:
TrustZone technology is now available for microcontrollers, as a security extension for the ARMv8-M architecture. It brings many of the familiar concepts such as a secure and normal world; a system-wide approach extending beyond the processor and secure interrupts. Since microcontrollers often require deterministic interrupt responses and fast context switching, hardware optimizations have been added to make switching between the two worlds quick and energy efficient. TrustZone for ARMv8-M expands integrated hardware security to low cost, resource constrained Internet of Things.
TrustZone for ARMv8-M brings familiar security architecture to microcontrollers.
ARM TrustZone Cryptocell is a family of security processors that provides a security sub-system and trust anchor. It provides a hardware based multi-layer approach to protect the most valuable assets and acts as a co-processor speeding up complex algorithms. In a typical system Cryptocell manages keys and critical processes such as secure boot. As the product name suggests this family is derived from the recent acquisition of Sansa Technology. TrustZone CryptoCell can be used on both applications processors and on more resource constrained microcontrollers.
TrustZone CryptoCell acts as a security subsystem and root of trust
Technology Model
The picture below shows multiple layers of hardware based security for an applications processor, including the new TrustZone CryptoCell subsystem providing enhanced security functions close to the root of trust.
The chain of trust starts with some immutable hardware e.g. Hardware Unique Keys, ROM code and secure hardware resources. TrustZone CryptoCell interfaces to the ROT, performs secure boot and a set of trusted functions such as crypto and key management. Then the authenticated Trusted boot starts at the highest level of privilege – Secure EL3
This will include the setup of trusted peripherals and establish a secure runtime (Calledl BL3-1 in the ARM Trusted Firmware implementation).
The Trusted OS is started which establishes the trusted services and then
Normal world boot is started. If a hypervisor is present at EL2 this might be integrity checked by the TrustZone based TEE. The hypervisor might have multiple VMs for separating large chunks of code. Next, the guest OS will boot – this might be integrity checked by the TrustZone based TEE and finally Apps are enabled
A well designed chip or platform can use this chain of trust to be “secure by default” and can connect to cloud based services via encrypted links using standard internet protocols (such as TLS – Transport Layer Security) that consumers will be familiar with from the padlock symbol used to secure their online banking. With these low level hardware and software security features in place the system becomes trustable by higher level services.
The Outlook:
We now have expanded and deepened TrustZone technology to cover all ARM based platforms. We have taken years of experience providing the security foundations to mobile into the smallest platforms for future IOT devices. Consumers, service providers, OEMs and silicon vendors will benefit from these technology advances by enabling devices and services they can trust. We hope that you can build on these security foundations to enable a new era of trustworthy IOT devices.
Hi,Have you got the it ?thanks