3.11.1. TrustZone hardware architecture overview

The TrustZone hardware architecture provides a security framework that enables a device to counter specific threats. Instead of providing a fixed one-size-fits-all security solution, TrustZone technology provides the infrastructure foundations that enable a System on Chip (SoC) designer to choose from a range of components that can fulfill specific functions within the security environment.

The primary security objective of the architecture is to enable the construction of a programmable environment that protects the confidentiality and integrity of assets from specific attacks. A platform with these characteristics is suited to building a wide-ranging set of security solutions that would not be cost-effective with traditional methods.

The security of the system is achieved by partitioning all of the SoC hardware and software resources so that they exist in one of two states:

TrustZone enables a single physical processor core to execute code safely and efficiently from both the Non-secure state and the Secure state. This removes the need for a dedicated security processor core. Therefore, it saves silicon area and power, and enables high performance security software to run alongside the Non-secure state operating environment.

Figure 3.21. Non-secure and Secure states

To view this graphic, your browser must support the SVG format. Either install a browser with native support, or install an appropriate plugin such as Adobe SVG Viewer.

Figure 3.21 shows the two virtual processors that perform context switches via a new processor mode called Mon mode, when changing the currently running virtual processor.

The mechanisms by which the physical processor can enter Mon mode from the Non-secure state are tightly controlled, and are all viewed as exceptions to the Mon mode software. Software can trigger an entry into Mon mode, by executing the SMC instruction, or by a subset of hardware exception mechanisms. Configuration of the IRQ, FIQ, external Data Abort, and external Prefetch Abort exceptions can cause the processor to switch into Mon mode.

The software that executes in Mon mode is implementation-defined. However, it saves the current state and restores the state at the location to which it switches. It then performs a return-from-exception to restart processing in the restored state.

Broad SoC security is achieved via the security state that TrustZone aware processors propagate into ARM® AMBA® AXI bus fabric. This ensures that Non-secure state components cannot access Secure state resources, and constructs a strong perimeter boundary between the two. If a design places sensitive resources in the Secure state and implements robust software running on the Secure processor cores, it can protect assets against many possible attacks. For example, it can protect the passwords you enter using a keyboard or touchscreen. Normally, these assets are hard to secure. By separating security sensitive peripherals through hardware, a designer can limit the number of subsystems that must go through security evaluation. Therefore, it saves costs when submitting a device for security certification.

The final aspect of the TrustZone hardware architecture is a security-aware debug infrastructure that can enable control over accesses to Secure state debug, without impairing debug visibility of the Non-secure state.

Copyright © 2014 ARM. All rights reserved.ARM DAI0425