2.4 Trusted Execution Environments (TEEs)
2.4.4 ARM TrustZone
ARM TrustZone is a collection of hardware IP blocks that enable the instantiation of a TEE on ARM-based SoCs. Fundamentally, TrustZone establishes ‘secure’
and ‘non-secure’ worlds^16 intended to host security-sensitive and non-sensitive applications respectively. This is maintained through a separate NS register bit that denotes the world in which execution is currently occurring. The NS bit is propagated through the SoC’s bus transactions to memory, peripheral and debug controllers to provide hardware-enforced access control to sensitive memory regions, debug interfaces and I/O devices. As a result, each world may only access the resources, namely memory resources and peripherals, associated with it; non-secure applications may not arbitrarily access secure world RAM and sensitive I/O peripherals unless configured to do so. This is illustrated at a high level in Figure 2.9.
The creation and maintenance of the worlds is handled primarily by the processor and SoC bus components. On the processor, each physical core is associated with two virtual cores for secure and non-secure execution that operate in a time-sliced fashion. For Cortex-A CPUs, world context switches are mediated by a secure monitor that ensures the contexts of the departing and arriving worlds are correctly saved and restored. Monitor mode is entered, for software-based switching, using Secure Monitor Call (smc) instructions, or by using a small set of pre-configured hardware exceptions (see [91]). SMC instructions generate an exception that takes the processor into Secure Monitor mode, whose code is part of ARM’s Trusted Firmware framework^17 and runs at a higher privilege level (EL3 in ARM nomenclature), outside the untrusted world’s context (which operates at EL1). The monitor saves the current world’s processor context, such as the register banks, switches to the other world, and sets the NS bit accordingly if successful.
FIGURE 2.9: TrustZone separates trusted and untrusted system components using the NS-bit [90].
16 Also referred to as ‘trusted’ and ‘untrusted’ worlds.
Further IP cores, such as the TrustZone Address Space Controller (TZASC) and TrustZone Protection Controller (TZPC), are used to enforce access control to secure memory regions and I/O peripherals based on SoC bus transactions. The TZASC is used to program the partitioning of DRAM into secure and non-secure memory address regions. Meanwhile, the TZPC is used to assign protection bits to peripherals, marking each as available either only to the secure world or to both worlds; the AXI-to-APB SoC bus bridge uses these bits to prevent unauthorised accesses to protected peripherals from the untrusted world. Lastly, the TrustZone Memory Adapter (TZMA) is used to protect sensitive static memory modules, such as secure SRAM and ROM, contained within the SoC.
To fully implement the TEE, additional software is necessary for securely booting the secure world, configuring the protection controllers, implementing the secure monitor, a trusted OS, and trusted applications. TrustZone’s authenticated boot sequence operates similarly to the TPM’s by measuring a chain of trusted components starting from secure ROM. A TrustZone OS is also necessary to enable the hosting of multiple applications, as well as the associated APIs exposed to the untrusted world, which are standardised in the GlobalPlatform TEE specifications (Section 2.4.7). Derivative technologies have been developed that use TrustZone as a root of trust (RoT) on other processor architectures, as well as providing additional features, such as remote attestation, which are not provided natively by TrustZone. An example TrustZone-based SoC is illustrated in Figure 2.10.
17 ARM Trusted Firmware: https://github.com/ARM-software/arm-trusted-firmware
FIGURE 2.10: Example ARM-based SoC with TrustZone, showing non-secure and security-aware IP blocks [92].
TrustZone for ARMv8-M (TrustZone-M)
The previous discussion pertains to ARM TrustZone as originally realised for Cortex-A application processors using the ARMv8-A architecture (TZ-A). TrustZone technology has also been extended to the ARM Cortex-M processor family, marketed for use in embedded microcontroller units. Here, TrustZone for ARMv8-M [93], or TrustZone-M (TZ-M), shares the same high-level security features as TZ-A in dividing execution and physical memory into secure and non-secure worlds; however, it differs significantly in how this is realised.
For world switching, as stated previously, TZ-A enters secure world functions via secure monitor code in EL3 that mediates the final world switch; that is, the secure monitor is the sole access point for performing world transitions.
In comparison, TZ-M uses a memory map-based approach, where secure and non-secure regions are defined in a programmable or fixed fashion using the Secure Attribution Unit (SAU) and Implementation Defined Attribution Unit (IDAU) aboard the Cortex-M [93]. World context switches occur automatically, without the need for a secure monitor exception handler, as program execution flows from non-secure to secure regions and vice versa. To prevent unauthorised secure world accesses, transitions from non-secure memory must first pass through a Secure Gateway (sg) instruction held in Non-Secure Callable (NSC) memory, a separate region initialised by the SAU or IDAU containing ‘secure gate veneers’ that point to valid entry points into which secure world code can be branched [94].
Attempting to access secure memory without a preceding sg instruction triggers an exception handled in the secure world. Unlike TZ-A, TZ-M shares all general purpose registers except the stack pointer (sp) registers during world switches to further minimise switching latency and energy consumption [93]. These differences accumulate to a reduction from “thousands” to a “few” processor cycles when comparing TZ-A to TZ-M for performing world switches [94].
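The SAU attribution and sg gate described above, as an added host-side model in C that is not code from the thesis or from Arm; the region layout, addresses and function names are constructed assumptions, and the fixed IDAU map and the secure-side exit path (BXNS/BLXNS) are deliberately left out of the model:

```c
/* Added model (not code from the thesis or from Arm) of TZ-M memory-map
 * attribution and the sg gate. Region layout, addresses and function names
 * are constructed for illustration; the fixed IDAU map is omitted. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef enum { ATTR_NS, ATTR_S, ATTR_NSC } attr_t;
typedef enum { WORLD_NS, WORLD_S } world_t;

/* SAU-style region: inclusive [base, limit]; nsc marks Non-Secure Callable. */
typedef struct { uint32_t base, limit; bool nsc; } sau_region_t;

/* Constructed layout: non-secure flash plus one NSC page of sg veneers.
 * Everything not covered by a region (e.g. 0x10000000) is Secure. */
static const sau_region_t sau[] = {
    { 0x00000000u, 0x0007FFFFu, false }, /* non-secure code */
    { 0x10040000u, 0x1004FFFFu, true  }, /* NSC: secure gate veneers (sg) */
};

/* SAU semantics: enabled regions mark memory NS or NSC; the rest is Secure. */
attr_t attribute(uint32_t addr)
{
    for (size_t i = 0; i < sizeof sau / sizeof sau[0]; i++)
        if (addr >= sau[i].base && addr <= sau[i].limit)
            return sau[i].nsc ? ATTR_NSC : ATTR_NS;
    return ATTR_S;
}

/* Check a control transfer to `target`; `target_is_sg` models whether the
 * instruction at `target` is an sg. Returns false when the transfer would
 * raise the secure-world exception (secure memory reached without an sg in
 * NSC memory), otherwise writes the world execution continues in. */
bool check_branch(world_t cur, uint32_t target, bool target_is_sg, world_t *next)
{
    attr_t a = attribute(target);
    if (cur == WORLD_S) {            /* secure code may enter any region */
        *next = (a == ATTR_NS) ? WORLD_NS : WORLD_S;
        return true;
    }
    if (a == ATTR_NS) { *next = WORLD_NS; return true; }   /* NS -> NS */
    if (a == ATTR_NSC && target_is_sg) { *next = WORLD_S; return true; }
    return false;                    /* NS -> S directly, or NSC without sg */
}

/* Convenience wrapper: resulting world, or -1 if the transfer faults. */
int world_after(world_t cur, uint32_t target, bool target_is_sg)
{
    world_t next;
    return check_branch(cur, target, target_is_sg, &next) ? (int)next : -1;
}
```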
AMD Secure Processor
AMD Secure Processor, formerly AMD PSP, is a technology for AMD chipsets for executing sensitive software in a TEE. AMD Secure Processor is an ARM-based SoC packaged into the AMD chipset, which uses TrustZone to establish secure and untrusted worlds for secure application execution [95]. Besides marketing material [95] and technical presentation slides [96], few published details exist regarding the actual functionality and capability of AMD Secure Processor. However, it is known to contain a Trustonic TEE kernel, and is used to implement a TEE-based TPM and to host DRM, payment and identity applications from trusted third-party providers on commercially available AMD chipsets [96].
Samsung KNOX
Samsung KNOX is a mobile security platform built upon a TrustZone TEE. The secure boot process of the untrusted and trusted worlds is enhanced to set a KNOX Warranty Bit in one-time programmable ROM if boot component measurements deviate from their expected values. This terminates the KNOX platform indefinitely, a state which persists across device reboots and resets [97], [98].
KNOX also offers remote attestation using a device-specific root key for signing attestation quotes [97]. KNOX is underpinned by a Trustonic TEE, which uses ARM TrustZone, on all flagship Samsung handsets, e.g. Galaxy S6–S9 smartphones [99]. However, few publicly available technical details exist, particularly regarding the secure boot process and attestation protocol.