5 Tips for Using Arm TrustZone in Cortex-M Processors

Just like with any new tool, there are several tips that developers should follow in order to make sure they improve their system security.

As embedded system developers transition to creating connected IoT devices, security has become one of the most important issues they face. ARMv8-M processors support TrustZone, which gives developers a new mechanism for isolating their secure software from more general user software. Just like with any new tool, there are several tips developers should follow in order to make sure they improve their system security.

Tip 1 — Perform A Security Audit to Understand Security Needs

Before attempting to use TrustZone, it is imperative that developers perform a security audit and identify what in their system needs to be protected. This can vary dramatically from application to application, but may include:

  • Keys
  • Data
  • Libraries
  • Application code
  • Peripherals
  • Memory locations
  • Communications
  • Etc.

Depending on the resource that needs to be protected, there will be different ways to protect it, such as encryption or isolation. TrustZone is designed to help developers isolate the parts of their design that need protecting.

Tip 2 — Minimize Access to Non-secure Memory Using Secure Code

TrustZone divides the microcontroller into two states: secure and non-secure. Non-secure code can reach into secure memory only to call the secure functions that have been deliberately “exposed” as entry points; this is how the user application invokes secure functionality. Any attempt to access anything outside those exposed functions results in a fault. This is great, but a potential problem for developers is that secure code can access all of the non-secure memory regions.

Developers need to take care when secure code accesses non-secure memory. A developer can use the TT instruction to check the security attribute and access permissions of a region before touching it. This prevents secure code from accidentally treating non-secure memory as if it were part of the secure region. Secure code should work on secure memory and keep its accesses to non-secure memory to a minimum.
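As an added example (not from the article), the check Tip 2 describes, modelled in host-runnable C: a secure entry function refuses any buffer that is not wholly non-secure before it would touch it. The region table, addresses and function names are constructed; on a real Cortex-M33 the same test is made by the TT instruction through cmse_check_address_range() from arm_cmse.h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Host-runnable model of the check secure code must make on any address that
 * Non-secure code hands it. On a Cortex-M33 the hardware answers this with the
 * TT/TTA instructions, wrapped by cmse_check_address_range() in arm_cmse.h; the
 * memory map below is constructed and matches no particular device. */
typedef struct { uint32_t base, limit; bool secure; } attr_region_t;

static const attr_region_t k_map[] = {   /* SAU-style attribution, constructed */
    { 0x00000000u, 0x0003FFFFu, true  },  /* Secure flash     */
    { 0x00040000u, 0x0007FFFFu, false },  /* Non-secure flash */
    { 0x20000000u, 0x20007FFFu, true  },  /* Secure SRAM      */
    { 0x20008000u, 0x2000FFFFu, false },  /* Non-secure SRAM  */
};

/* Model of TT on one address: its region, or NULL if the address is unmapped. */
static const attr_region_t *tt_lookup(uint32_t addr) {
    for (size_t i = 0; i < sizeof k_map / sizeof k_map[0]; i++)
        if (addr >= k_map[i].base && addr <= k_map[i].limit) return &k_map[i];
    return NULL;
}

/* Model of cmse_check_address_range(p, len, CMSE_NONSECURE): true only when
 * every byte of [addr, addr+len) is Non-secure and the range neither wraps nor
 * straddles two regions (the real check also consults the MPU for RW access). */
bool range_is_nonsecure(uint32_t addr, uint32_t len) {
    if (len == 0u || addr > UINT32_MAX - (len - 1u)) return false;
    const attr_region_t *first = tt_lookup(addr);
    const attr_region_t *last  = tt_lookup(addr + (len - 1u));
    return first != NULL && first == last && !first->secure;
}

/* Secure entry point (on hardware: __attribute__((cmse_nonsecure_entry))) that
 * would copy a record into a caller-supplied buffer. It refuses the request
 * unless the whole buffer is proven Non-secure, so a buggy or hostile caller
 * cannot turn it into a write into secure memory. Returns bytes to copy, or 0. */
uint32_t secure_read_record(uint32_t ns_buf, uint32_t ns_len, uint32_t record_len) {
    if (!range_is_nonsecure(ns_buf, ns_len) || ns_len < record_len) return 0u;
    /* On hardware the memcpy() into ns_buf happens here, only after the check. */
    return record_len;
}
```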

Tip 3 — Clear Secret Information from Unbanked Registers

In the TrustZone implementation, there are secure registers that are not visible when the processor is running in the non-secure mode. However, other processor registers are unbanked: a single copy is shared between the secure and the non-secure modes. If a secure operation leaves part of its data in one of these shared registers and the processor then switches to the non-secure mode, that secure data becomes readable from non-secure code. In order to prevent this from happening, developers need to make sure that any unbanked registers that were used are cleared before jumping back to the non-secure execution mode. Otherwise, this could become a way for hackers to gain insight into, or even access to, the secure code regions.

Tip 4 — Authenticate The Non-Secure Image at Start-Up

When a TrustZone processor boots, it enters the secure mode automatically. This gives developers the opportunity not just to initialize the processor, but to boot it securely. Developers can authenticate their user applications and make sure that everything is in order before switching to the non-secure mode and running them. If an attacker had managed to insert their own code or application into memory, the secure code could detect this at start-up and take the necessary actions to thwart the attempt to use the system. This might lead a developer to wonder what happens if the secure code region changes. The secure regions are locked down and cannot be modified without special tools.
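As an added example (not from the article), the start-up validation Tip 4 describes, modelled in host-runnable C: before it would hand over control, the secure boot code checks the non-secure image's header, initial stack pointer, reset vector and digest. The memory windows, header layout, magic value and demo_digest() are constructed stand-ins; a real device replaces demo_digest() with its hardware hash and signature verification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed Non-secure flash/SRAM windows of a hypothetical device. */
#define NS_FLASH_BASE 0x00040000u
#define NS_FLASH_END  0x0007FFFFu
#define NS_SRAM_BASE  0x20008000u
#define NS_SRAM_SIZE  0x00008000u
#define DIGEST_LEN    32u
typedef struct {                 /* header the build step prepends to the NS image */
    uint32_t magic, image_addr, image_size;
    uint8_t  digest[DIGEST_LEN]; /* written by the signing step */
} ns_image_hdr_t;
/* Stand-in for the device's real SHA-256 + signature check. NOT cryptographic (FNV-1a
 * derived); it exists only so the boot flow can run on a host. */
static void demo_digest(const uint8_t *d, size_t n, uint8_t out[DIGEST_LEN]) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) h = (h ^ d[i]) * 16777619u;
    for (size_t i = 0; i < DIGEST_LEN; i++) { h = (h ^ (uint32_t)i) * 16777619u; out[i] = (uint8_t)(h >> 24); }
}
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) { /* constant-time compare */
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;             /* reject path leaks no matching-prefix length */
}
/* Every check secure boot runs before touching VTOR_NS/MSP_NS or branching (BLXNS) to NS. */
bool ns_image_is_valid(const ns_image_hdr_t *hdr, const uint8_t *image) {
    uint32_t sp, reset;
    if (hdr->magic != 0x4E534947u || hdr->image_size < 8u) return false;   /* constructed magic */
    if (hdr->image_addr < NS_FLASH_BASE || hdr->image_addr > NS_FLASH_END ||
        hdr->image_size > NS_FLASH_END - hdr->image_addr + 1u) return false; /* in NS flash, no wrap */
    memcpy(&sp, image, 4); memcpy(&reset, image + 4, 4);                    /* vector table words 0,1 */
    if (sp < NS_SRAM_BASE || sp > NS_SRAM_BASE + NS_SRAM_SIZE || (sp & 7u)) return false; /* SP in NS SRAM */
    if (!(reset & 1u) || (reset & ~1u) < hdr->image_addr ||
        (reset & ~1u) >= hdr->image_addr + hdr->image_size) return false;   /* Thumb entry inside image */
    uint8_t calc[DIGEST_LEN]; demo_digest(image, hdr->image_size, calc);
    return ct_equal(calc, hdr->digest, DIGEST_LEN);                         /* only then hand over */
}
/* Constructed scenario: tamper 0 = genuine, 1 = byte altered after signing, 2 = entry moved out. */
int demo_boot_check(int tamper) {
    uint8_t image[64];
    uint32_t sp = 0x2000FFF8u, reset = (tamper == 2) ? 0x00080001u : 0x00040021u;
    for (size_t i = 0; i < sizeof image; i++) image[i] = (uint8_t)(0xA5 ^ i);
    memcpy(image, &sp, 4); memcpy(image + 4, &reset, 4);
    ns_image_hdr_t hdr = { 0x4E534947u, NS_FLASH_BASE, sizeof image, {0} };
    demo_digest(image, sizeof image, hdr.digest);                           /* "signing" at build time */
    if (tamper == 1) image[20] ^= 0x01;                                     /* modified in flash */
    return ns_image_is_valid(&hdr, image) ? 1 : 0;
}
```

Only after ns_image_is_valid() returns true would the real boot code program VTOR_NS and MSP_NS and branch to the non-secure reset handler; any rejected image should leave the device in the secure state.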

Tip 5 — Use Both Non-Secure and Secure MPUs

One additional feature of TrustZone that is quite interesting is that it provides a Memory Protection Unit (MPU) for the non-secure memory region and a separate one for the secure region. This means that developers can take the extra precaution of protecting memory even within secure memory. The secure MPU could be set up to monitor secure tasks executing within an RTOS or to detect an attempt to overflow a task stack. This gives developers quite a bit of flexibility in how they implement their secure solution.

Conclusion

Adding security to a connected device will undoubtedly be a challenging endeavor for many development teams. TrustZone provides developers with an additional tool to help improve security. Just like any tool, it needs to be used properly in order to be effective. We’ve looked at a few simple tips in this article, but there is still far more that needs to be done in order to secure an embedded system.

Jacob Beningo is an embedded software consultant who currently works with clients in more than a dozen countries to dramatically transform their businesses by improving product quality, cost, and time to market. He has published more than 200 articles on embedded software development techniques, is a sought-after speaker and technical trainer, and holds three degrees, which include a Masters of Engineering from the University of Michigan. Feel free to contact him at [email protected], at his website www.beningo.com/, and sign-up for his monthly Embedded Bytes Newsletter.
