The new Armv8-M architecture from arm® with its Cortex®-M23 and Cortex®-M33 processors is quickly gaining steam in the industry. The Armv8-M architecture includes a new security extension known as TrustZone that will revolutionize and forever change the way that embedded software developers create microcontroller-based systems. Below are my top seven tips to help you get up to speed on TrustZone as quickly and effectively as possible.
Tip #1 – Split your software personality
TrustZone allows a developer to isolate regions in memory through hardware such that two software domains exist in memory; secure and non-secure domains. The programmers model requires the developer to start thinking about their software in a split manner. On one side, is the new secure region code which is developed in a completely separate project from the non-secure code. On the other side, is the non-secure code, which is basically written the same way we write embedded software today. The main difference being that secure gateways are created to “tunnel” into the secure code and execute exposed functions. Be prepared to start thinking in multiple dimensions!
Tip #2 – Invest in a development board
The ArmV8-M architecture and the TrustZone security extension are literally cutting-edge technologies at the time of this writing. There have been announcements by approximately five microcontroller vendors but there are only two development boards currently available; the Nuvoton NuMicro M2351 and the Microchip SAML11 Xplained development board. Several others will be available starting in 2019 Q1/Q2 including boards from ST Microelectronics and NXP. So far, development boards have been low cost, coming in at less than $50. This makes it very affordable to get at least one board to experiment with.
Tip #3 – Review the FVP examples in Keil
Using the Keil MDK 5 trial version, developers have access to the fixed virtual processor (FVP) that includes Cortex-M23 and Cortex-M33 examples. These examples can be executed without hardware I simulation mode! The examples include baremetal and RTOS which provide a great foundation that can later be adapted to development boards.
Tip #4 – Read the Arm TrustZone application note
Keil put together an application note entitled “Using TrustZone on ARMv8-M” which is an excellent source to understand TrustZone fundamentals. The application note covers important topics such as:
- ARMv8-M programmer’s model
- The difference between secure and non-secure domains
- How to write secure code
- RTOS thread context management in TrustZone
- Debugging secure code
- Creating TrustZone projects
- And more
The application note lays the foundation from which developers can try out new techniques and hone their security skills. The application note can be downloaded from here.
Tip #5 – Explore the Microchip SamL11 security reference guide
The Arm application note provides a lot of fundamental and useful information. The concepts covered though are general concepts and are provided from the perspective of a tool vendor. This helps a lot in our understanding, but it is also useful to have the perspective of a microcontroller vendor. As I mentioned earlier, there have been several recent announcements for TrustZone based microcontrollers but one of the first to market was the Microchip SAML11. As part of the launch, Microchip developed a security reference guide to help developers understand the programming model and how to develop software using TrustZone. I recommend that you review the guide which is located here.
Tip #6 – Attend a webinar on TrustZone
A webinar can be a great way to get a quick overview and see a few technology demonstrations. A webinar typically runs about an hour and often includes time for questions and answers. In case you are wondering where you can watch a TrustZone webinar, I’m going to be hosting a free webinar entitled “Securing the IoT with Arm® TrustZone® for the Cortex®-M” on November 28th, 2018. You can register for the webinar here. If it is past the run date, you will still be able to register to get access to the recording.
Tip #7 – Take a TrustZone Course
There are plenty of sources available for you to learn about TrustZone. For example, you can attend courses, watch YouTube videos, and so forth. If you’re interested in professional training, you can reach out to me at [email protected] or check out my training page to see what is publicly available. If you don’t find what you need, just reach out!
Conclusions
Whether you like it or not, the Armv8-M is here and with it the TrustZone security extension. TrustZone will forever change the way that developers’ architect and implement their embedded software. One could argue that there is still plenty of time before it becomes necessary to learn TrustZone. The fact though is that it is coming far faster than one may realize and the worst time to try to understand TrustZone and its security model is when a team is under pressure to deliver a product. Take the initiative and start digging deeper today, so that when you need TrustZone skills in the future, you are already armed and ready.
