2.5.1. Security Extensions model

The basis of the Security Extensions model is that the computing environment splits into two isolated states, the Secure state and the Nonsecure state, with no leakage of secure data to the Nonsecure state. Software Secure Monitor code, running in the Monitor mode, links the two states and acts as a gatekeeper to manage program flow. The system can have both secure and nonsecure peripherals that is suitable to secure and nonsecure device drivers control. Figure 2.7 shows the relationship between the Secure and Nonsecure states. The Operating System (OS) splits into the secure OS, that includes the secure kernel, and the nonsecure OS, that includes the nonsecure kernel. For details on modes of operation, see Operating modes.

Figure 2.7. Secure and Nonsecure states


In normal nonsecure operation, the OS runs tasks in the usual way. When a User process requires secure execution it makes a request to the secure kernel, that operates in privileged mode. This then calls the Secure Monitor to transfer execution to the Secure state.

This approach to secure systems means that the platform OS that works in the Nonsecure state, has only a few fixed entry points into the Secure state through the Secure Monitor. The trusted code base for the Secure state, that includes the secure kernel and secure device drivers, is small and therefore much easier to maintain and verify.

See Software consideration for Security Extensions and Hardware consideration for Security Extensions for more details.

Copyright © 2006-2009 ARM Limited. All rights reserved.ARM DDI 0344I
Non-Confidential