Understanding ARM TrustZone: Enhancing Security for Embedded Systems
In today's interconnected world, security for embedded systems has become paramount. ARM TrustZone is one of the leading technologies designed to address this need, providing a robust framework for creating secure execution environments on ARM architectures. At Coderion Labs, we aim to leverage advanced technologies like ARM TrustZone to enhance the performance and security of our clients' embedded systems. In this blog post, we'll dive into the architectural features of ARM TrustZone, its implementation, and how it stands out compared to other trusted execution environments (TEEs). Recently, we have developed a trusted video pipeline that runs in ARM TrustZone on our custom kernel alongside Linux.
What is ARM TrustZone?
ARM TrustZone is a hardware security extension that creates two separate execution environments: the normal world and the secure world. This separation ensures that sensitive operations can be carried out in a secure environment, isolated from the rest of the system, thus protecting against a wide range of attacks. TrustZone is supported across various ARM architectures, including those used in mobile devices and microcontrollers, making it a versatile solution for securing different types of embedded systems.
TrustZone features a secure boot sequence that verifies each boot image before it runs, establishing its authenticity with public-key cryptography: images are signed with a private key and checked against the corresponding public key. After boot, the two worlds communicate through the processor's Monitor mode, which switches between them much like a context switch. Software in the normal world requests services from the secure world with the TrustZone-specific Secure Monitor Call (SMC) instruction. Hardware interrupts and external aborts can also be routed to Monitor mode, triggering a full world switch in which the monitor saves one world's CPU state and restores the other's.
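To make the SMC boundary concrete, here is an added example (not code from the post or from Coderion Labs) modelling how a secure monitor decodes an SMC function ID per Arm's SMC Calling Convention and dispatches only to registered secure services; the service table and the hypothetical trusted-OS "video" services are constructed for illustration.

```c
/* Added example, not code from the post: a model of how the secure monitor
 * dispatches an SMC from the normal world. Function IDs are decoded per Arm's
 * SMC Calling Convention (SMCCC): bit 31 fast call, bit 30 SMC64, bits 29:24
 * owning entity number, bits 23:17 reserved, bits 15:0 function number. */
#include <stdint.h>
#include <stddef.h>
#define SMCCC_FAST_CALL      (1u << 31)
#define SMCCC_OEN_SHIFT      24
#define SMCCC_OEN_MASK       0x3Fu
#define SMCCC_RESERVED_MASK  0x00FE0000u       /* bits 23:17 must be zero */
#define SMCCC_FUNC_MASK      0xFFFFu
#define SMCCC_NOT_SUPPORTED  ((int64_t)-1)     /* standard SMCCC error return */
#define OEN_TRUSTED_OS       50u               /* SMCCC owning entity range 50-63: trusted OS */

/* A secure-world entry point the monitor is willing to expose (constructed table). */
struct smc_service {
    uint32_t oen;
    uint16_t func;
    int64_t (*handler)(uint64_t a1, uint64_t a2);
};

/* Hypothetical trusted-OS services; a1/a2 model the SMC argument registers. */
static int64_t svc_version(uint64_t a1, uint64_t a2) { (void)a1; (void)a2; return 0x00010002; }
static int64_t svc_frames_decoded(uint64_t a1, uint64_t a2) { (void)a2; return (int64_t)(a1 & 0xFF); }

static const struct smc_service services[] = {
    { OEN_TRUSTED_OS, 0x0000, svc_version },
    { OEN_TRUSTED_OS, 0x0001, svc_frames_decoded },
};

/* Runs in Monitor mode on an SMC exception. Everything not in the table is
 * refused, so the normal world can reach only the registered entry points. */
int64_t monitor_smc_dispatch(uint32_t fid, uint64_t a1, uint64_t a2)
{
    if (!(fid & SMCCC_FAST_CALL) || (fid & SMCCC_RESERVED_MASK))
        return SMCCC_NOT_SUPPORTED;            /* malformed or yielding call */
    uint32_t oen  = (fid >> SMCCC_OEN_SHIFT) & SMCCC_OEN_MASK;
    uint16_t func = (uint16_t)(fid & SMCCC_FUNC_MASK);
    for (size_t i = 0; i < sizeof services / sizeof services[0]; i++)
        if (services[i].oen == oen && services[i].func == func)
            return services[i].handler(a1, a2);
    return SMCCC_NOT_SUPPORTED;
}

/* Builds the fast SMC32 function ID a normal-world driver would place in r0/w0. */
uint32_t smc_fid(uint32_t oen, uint16_t func)
{
    return SMCCC_FAST_CALL | ((oen & SMCCC_OEN_MASK) << SMCCC_OEN_SHIFT) | func;
}
```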
While no device can be made completely hack-proof, TrustZone significantly enhances security. However, this added security comes with increased development complexity, especially when running a full OS in the secure world alongside a separate OS in the normal world. This dual-OS setup requires meticulous engineering to ensure seamless security integration. Operational modes and transitions between them must be thoroughly validated. TrustZone, although robust, relies on developers to write intelligent, secure code and implement common-sense security practices.
Key Architectural Features
Dual Execution Environments
TrustZone splits the system's resources into two worlds:
- Normal World: Where the regular operating system and applications run.
- Secure World: Dedicated to security-sensitive tasks and operations.
This split allows the secure world to maintain integrity and confidentiality even if the normal world is compromised.
Processor Modes and States
TrustZone adds a security state to the processor alongside its existing modes. On ARMv7-A, for instance, the processor runs in modes such as User, Supervisor and the TrustZone-specific Monitor mode, and the current security state is selected by the NS bit of the Secure Configuration Register (SCR).
Memory and Peripherals Protection
TrustZone includes hardware components such as the TrustZone Address Space Controller (TZASC) and TrustZone Protection Controller (TZPC), which partition memory into secure and non-secure regions and control which world may access each peripheral. This ensures that secure memory regions and peripherals cannot be accessed by the normal world.
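As an added example (not code from the post or from Coderion Labs), the following models how a TZASC-style controller decides whether a normal-world access may proceed, including the edge cases a practitioner checks: a range that straddles a boundary into secure memory, an empty request, and an address range that wraps; the region layout is constructed.

```c
/* Added example, not code from the post: a software model of a TZASC-style
 * address space controller deciding whether a normal-world access may proceed.
 * Region 0 is the default covering all of memory and higher-numbered regions
 * override it (the TZC-400 shape). The memory layout below is constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
enum { ATTR_SECURE_ONLY = 0, ATTR_NS_READ = 1, ATTR_NS_WRITE = 2,
       ATTR_NS_RW = ATTR_NS_READ | ATTR_NS_WRITE };

struct tz_region { uint64_t base; uint64_t last; unsigned attr; };
static const struct tz_region regions[] = {
    { 0x00000000, UINT64_MAX, ATTR_SECURE_ONLY }, /* region 0: default for everything */
    { 0x80000000, 0x9FFFFFFF, ATTR_NS_RW },       /* 512 MiB normal-world (Linux) DRAM */
    { 0xA0000000, 0xA0FFFFFF, ATTR_NS_READ },     /* decoded video frames: NS read-only */
    { 0xA1000000, 0xA1FFFFFF, ATTR_SECURE_ONLY }, /* secure OS image and key material */
};

/* Attribute for one address: the highest-numbered region containing it wins. */
static unsigned attr_at(uint64_t addr)
{
    unsigned attr = ATTR_SECURE_ONLY;
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (addr >= regions[i].base && addr <= regions[i].last)
            attr = regions[i].attr;
    return attr;
}

/* True only if every byte of [addr, addr+len) grants the normal world the
 * requested access. Empty and wrapping ranges are refused, and a range that
 * straddles a boundary into secure memory fails even if both ends look fine. */
bool ns_access_allowed(uint64_t addr, uint64_t len, bool write)
{
    if (len == 0 || addr > UINT64_MAX - (len - 1))
        return false;
    uint64_t last = addr + len - 1;
    unsigned need = write ? ATTR_NS_WRITE : ATTR_NS_READ;
    if ((attr_at(addr) & need) == 0)
        return false;
    /* Attributes change only at region edges, so probing every edge that
     * falls inside the range covers every byte (last+1 wraps to 0 for region 0). */
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        uint64_t edge[2] = { regions[i].base, regions[i].last + 1 };
        for (int k = 0; k < 2; k++)
            if (edge[k] > addr && edge[k] <= last && (attr_at(edge[k]) & need) == 0)
                return false;
    }
    return true;
}
```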
Secure Boot Process
To ensure that the device boots securely, TrustZone implements a secure boot process that verifies each step cryptographically, starting from the bootloader. This process establishes a chain of trust that prevents unauthorized code from executing during startup.
TrustZone in Action: Use Cases and Implementation
In practical terms, TrustZone can be used to implement secure payment systems, digital rights management (DRM), and other sensitive applications. For example, on ARM-based mobile devices, TrustZone enables secure PIN entry and biometric authentication by isolating these processes from the main operating system.
Secure OS and Real-Time OS Coexistence
One innovative use of TrustZone is running a general-purpose OS in the normal world while a real-time OS operates in the secure world. This setup allows for secure, high-priority processing of real-time tasks without interference from less critical processes running in the normal world.
Comparison with Other TEEs
TrustZone vs. TPM
Trusted Platform Modules (TPMs) provide a root of trust for cryptographic operations but are separate hardware components with limited computational capabilities. TrustZone, on the other hand, integrates security directly into the main processor, offering better performance and tighter integration.
TrustZone vs. Intel SGX
Intel Software Guard Extensions (SGX) creates secure enclaves for code execution, similar to TrustZone's secure world. However, SGX is primarily focused on secure application code, while TrustZone offers a more comprehensive system-wide security solution, including secure boot and peripheral protection.
Trusted Hardware
ARM TrustZone provides a powerful framework for enhancing the security of embedded systems. By creating isolated execution environments, it ensures that sensitive operations remain protected from potential threats. At Coderion Labs, we harness the capabilities of TrustZone to deliver optimized and secure solutions for our clients, whether they're looking to secure mobile devices, IoT systems, or other embedded applications. As the landscape of embedded systems continues to evolve, technologies like ARM TrustZone will remain crucial in safeguarding data and maintaining the integrity of our digital world.