5 Tips for using Arm TrustZone in Cortex-M Processors

As embedded system developers transition to creating connected, IoT devices, security has become one of the most important issues they face. The ARMv8-M processors do support TrustZone® which provides developers with a new mechanism to help them isolate their secure software from more general user software. Just like with any new tool, there are several tips that developers should follow in order to make sure that they improve their system security.

 

Tip #1 – Perform a security audit to understand security needs

Before attempting to use TrustZone, it is imperative that developers perform a security audit and identify what in their system needs to be protected. This can vary dramatically from application to application but may include:

  • Keys
  • Data
  • Libraries
  • Application code
  • Peripherals
  • Memory locations
  • Communications
  • Etc

Depending on the resource that needs to be protected, there will be different ways to protect that resource such as using encryption or isolation. TrustZone is designed to help developers isolate their design.

 

Tip #2 – Minimize Access to Non-secure memory using Secure Code

TrustZone separates the microcontroller hardware into two zones, secure and unsecure. The unsecure code is able to access the secure memory only to execute “exposed” functions. This allows the user application to invoke the secure functionality but attempting to access anything outside those exposed functions will result in a fault. This is great but a potential problem for developers is that the secure code can access all of the non-secure memory regions.

Developers need to take care when using the secure code to access non-secure memory. A developer can use a TT instruction to check the permissions for the region. This will prevent accidental execution of unsecure code in the secure region. Developers should use the secure code to access secure code and minimize access to non-secure memory.

 

Tip #3 – Clear secret information from unbanked registers

In the TrustZone implementation, there are secure registers that are not viewable if the processor is running in the non-secure mode. However, there are processor registers that are banked and shared between both the secure and the non-secure modes. This means that if a secure operation is performed, and part of the data is stored in the banked register, the process then switches to the non-secure mode, secure data may be made available through the banked register. In order to prevent this from happening, developers need to make sure that any unbanked registers that were used are cleared before jumping back to the non-secure execution mode. Otherwise, this could become a way for hackers to gain insight, or even access to the secure code regions.

 

Tip #4 – Authenticate the non-secure image at start-up

When the TrustZone processor boots, the secure mode is entered into automatically. This provides developers with the opportunity to not just initialize their processor but to also boot the processor securely. Developers can authenticate their user application and make sure that everything is in order before jumping to the unsecure mode and running the user applications. If an attacker had managed to insert their own code or application into memory, the secure code could detect this at start-up and take the necessary actions to thwart the attempt to use the system. This might lead a developer to wonder about what happens if the secure code region changes? The secure regions are actually locked down and cannot be modified without special tools.

 

Tip #5 – Use both Non-Secure and Secure MPU’s

One additional feature that is quite interesting about TrustZone is that it provides a Memory Protection Unit (MPU) for the unsecure memory region and also the secure region. This means that developers can take the extra precaution of protecting memory even within secure memory. The MPU could be setup to monitor secure tasks that are executing within an RTOS or to detect an attempt to overflow a task stack. This provides developers with quite a bit of flexibility on how they can implement their secure solution.

Conclusions

Adding security to a connected device will undoubtedly be a challenging endeavor for many development teams. TrustZone provides developers with an additional tool to help improve security. Just like any tool, it needs to be used properly in order to be effective. We’ve looked at a few simple tips in this article but there is still far more than needs to be done in order to secure an embedded system.

Share >

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.