If you were lucky enough to attend ARM TechCon in Santa Clara last month, you may have spotted a big red flashing light on the ARM® booth. It was a convenient way to show that a system was in a non-secure mode and was now vulnerable to attacks. Fortunately the ARM CoreLink™ SSE-200 subsystem demo had a big orange lever, which allowed developers to re-enter a secure mode and turn off the alarm!
When we hear scary news about IoT security, we often wish we had a big orange lever to enable better protection - sadly it’s something developers can only dream of. The good news is that there is an even better way to get the protection, without the need for a big control switch! The protection is called ARM TrustZone® and in this blog I will demonstrate how you can implement it in a system.
To protect an embedded device, we ideally need to start at the heart of the system – the processor. Typically the processor runs a collection of many different pieces of software. Sometimes this software features many different layers which have accumulated over several revisions of the product. In the past this was normally not an issue, especially when the device was not connected. However, as soon as this system connects to the outside world, nobody can guarantee that the resulting code will be completely free of security holes.
Do we have to rewrite everything from scratch?
Luckily, security experts have created a solution which means you don’t need to rewrite all your code. Instead, you can partition software operation between a secure domain (handling very sensitive information, or accessing features that need to be protected) and a normal domain (running all other software components). In this use case, the secure domain is kept to the bare minimum, in order to allow it to be finely inspected. This ensures that it can be trusted to handle the system’s secrets and sensitive features, plus protect the system from being accessed by any other source.
This solution has been used in large systems with TrustZone technology for more than 10 years, so it is well proven. In the past TrustZone required a security monitor to run on the CPU, which handled the software domain separation. This is perfect when your system has plenty of processing power, but is an issue for more energy-constrained systems. The recently announced ARM Cortex®-M33 and Cortex-M23 processors implement TrustZone separation in hardware, making them a great choice for creating embedded secure systems.
Protecting secrets from the normal software domain is great, but what happens if we have several masters in our system? How can we ensure that none of the masters is compromised, and stop them from copying a secret data buffer to another location?
The solution is to implement control of all accesses, which secures areas in the address map of the device. This guarantees that the system hardware enforces the rules set by the architects of the system. The real problem is that an SoC doesn't have a single bus that could be monitored to tell whether an access is authorized or not. In fact, the reality is much more complex, as a single SoC can have multi-layered interconnects with complex cross-communication schemes and a hierarchy of sub-interconnects.
If we wanted to secure a city, would we stand on the highway and check every car?
Since we are unable to ensure central control, the only answer is to mount locks on all the doors. In embedded systems implementing TrustZone security, these locks take the form of filters in front of all memories and peripherals, while also instructing masters (including legacy masters) to behave correctly.
These filters are not simple to design, as considerable care has to be taken to validate that they behave correctly, with safe and secure operation. Fortunately, ARM has developed ARM CoreLink SIE-200, a collection of system IP blocks which can be used for extending TrustZone security to the system. This saves time and effort for the designers of secure embedded systems – however, getting the security architecture right still requires a lot of work.
We have a solution to this dilemma! With the new ARM CoreLink SSE-200 subsystem, all the security infrastructure is pre-built into the system. Filters, security control and key components are already integrated within an architecture, designed by the same architects that invented the ARM TrustZone technology.
In the CoreLink SSE-200 subsystem each part of the address map is split in two parts: one secure and one non-secure. This high-level security memory mapping is defined by the IDAU (Implementation Defined Attribution Units) connected to the two Cortex-M33 processors. These partitions are predefined in hardware.
In order to allow memories to contain secure or non-secure buffers, the CoreLink SSE-200 subsystem uses the MPC (AHB5 Memory Protection Controller) from the CoreLink SIE-200 System IP. This MPC is controlled by the secure software, which sets the status (secure or not) of each region of the memory. The granularity is configurable, but the default value is to configure the memory by blocks of 256 bytes (which makes porting the software a little easier). This ensures that almost no memory is wasted (it is not necessary to reserve a huge zone for a few stored bytes).
The subsystem also contains a few peripherals that are secured by a PPC (AHB5 or APB Peripheral Protection Controller). This ensures that certain sensitive controls are kept out of reach of potentially unsafe software. This protects against several use cases which include:
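To make the MPC rule concrete, here is an added C model (not ARM's code, and not the CoreLink SIE-200 register interface) of a one-bit-per-block lookup table at the 256-byte default granularity described above, showing why a misaligned buffer costs at most one extra block and why a transfer that straddles a Secure block is refused as a whole. The SRAM base address, size and function names are assumptions for the model; the PPC applies the same rule per peripheral instead of per block.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the MPC filtering rule: one lookup bit per 256-byte
 * block of the protected SRAM. The base address, size and names are
 * assumptions for the model, not the CoreLink SIE-200 register interface. */
#define BLOCK_SIZE 256u
#define RAM_BASE   0x20000000u         /* assumed SRAM base */
#define RAM_SIZE   (64u * 1024u)
#define NUM_BLOCKS (RAM_SIZE / BLOCK_SIZE)

static uint32_t mpc_lut[NUM_BLOCKS / 32]; /* bit set => block is Non-secure */

static bool in_window(uint32_t addr, uint32_t len)
{
    const uint32_t end = RAM_BASE + RAM_SIZE;
    return len != 0 && addr >= RAM_BASE && addr < end && len <= end - addr;
}

/* Secure software marks [start, start+len) Non-secure (or back to Secure).
 * Partial blocks are rounded outward to the 256-byte boundary so the whole
 * buffer is reachable; returns the number of blocks touched, 0 on bad range. */
size_t mpc_set_nonsecure(uint32_t start, uint32_t len, bool nonsecure)
{
    if (!in_window(start, len)) return 0;
    uint32_t first = (start - RAM_BASE) / BLOCK_SIZE;
    uint32_t last  = (start + len - 1 - RAM_BASE) / BLOCK_SIZE;
    for (uint32_t b = first; b <= last; b++) {
        if (nonsecure) mpc_lut[b / 32] |=  (1u << (b % 32));
        else           mpc_lut[b / 32] &= ~(1u << (b % 32));
    }
    return last - first + 1;
}

/* The rule applied to every transaction: a Non-secure master may only touch
 * blocks marked Non-secure, and a burst is checked for every block it spans,
 * so a buffer straddling a Secure block is refused as a whole. A Secure
 * transaction passes: TrustZone restricts only the Non-secure side. */
bool mpc_allows(uint32_t addr, uint32_t len, bool secure_master)
{
    if (!in_window(addr, len)) return false;  /* not this MPC's window */
    if (secure_master) return true;
    uint32_t first = (addr - RAM_BASE) / BLOCK_SIZE;
    uint32_t last  = (addr + len - 1 - RAM_BASE) / BLOCK_SIZE;
    for (uint32_t b = first; b <= last; b++)
        if (!(mpc_lut[b / 32] & (1u << (b % 32)))) return false;
    return true;
}
```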
The picture would not be complete without talking about debug. In most use cases, we want to prohibit people from observing the inside of the device once it is deployed in the field. However, we may still want to enable trusted agents to get access to the debug capabilities of the chip. When you choose to include ARM TrustZone CryptoCell-312 in the CoreLink SSE-200 subsystem, a certificate-based secure debug can be put in place. Trusted agents can then each have their own certificate, giving them access to selected features (including debug visibility on some secure information). Processing the certificate with TrustZone CryptoCell ensures that it is possible to hide some information, or even to wipe out personal data (e.g. when a returned product contains customer private data).
Making use of all these hardware features is not easy, but the CoreLink SSE-200 subsystem comes with a layer of software, which makes this task significantly easier for firmware developers. The subsystem is integrated with TrustZone CryptoCell's secure libraries and with ARM mbed™ OS. This IoT software framework is already adopted by more than 200,000 developers, which makes the subsystem software extremely valuable for all embedded product developers.
This subsystem software is currently reserved for lead partners, and it will be distributed as open-source, to enable you to easily port it to derivative devices or other RTOS environments.
This is not just added value for the chip manufacturers, it is also a great way to ensure that future embedded devices (especially in the IoT market) benefit from a higher level of security. The true benefits of IoT will come to fruition if we manage to bring this high level of trust to the users.
The bright future of IoT is waiting for us, all we need to do is make it happen - the first step on this journey is to concentrate on your next product design! It is possible to build a secure system very quickly with the help of the CoreLink SSE-200 subsystem, and you can even expand security and connect many other masters and peripherals using CoreLink SIE-200 System IP.
Obviously care should be taken at each stage of the design, but all the foundation elements are available to build efficient secure systems; it is now up to us all to enable a secure IoT!
Learn more about CoreLink SSE-200
Learn more about CoreLink SIE-200
If you're looking for more information on ARM's new launches you can check out these other blog posts:
Accelerating the deployment of secure IoT: From chip to cloud
The six things you need to know about ARM CoreLink SSE-200 subsystem & ARM CoreLink SIE-200 system IP
ARM TrustZone CryptoCell-312: Simplifying the design of secure IoT systems
Cortex-M23 and Cortex-M33 - Security foundation for billions of devices
For more information about SSE-200 and SIE-200 please attend our webinar https://attendee.gotowebinar.com/rt/7780462415814350593?source=SSGacc