ARM Security Technology Building a Secure System using TrustZone® Technology


Table of Contents

Preface
About this document
Intended audience
Using this document
Further reading
ARM publications
External publications
Feedback
Feedback on this document
1. Introduction
1.1. What is security?
1.1.1. Fundamental security properties
1.1.2. Limitations of security solutions
1.2. The need for security
1.2.1. Hardware enforced security
1.3. What are the threats?
1.3.1. Market sector overview
1.3.2. Economic value in security issues
1.3.3. How are devices attacked?
1.3.4. Who attacks devices?
2. System Security
2.1. System security
2.1.1. External hardware security module
2.1.2. Internal hardware security module
2.1.3. Software virtualization
2.2. TrustZone hardware security
2.2.1. System-wide security
3. TrustZone Hardware Architecture
3.1. Overview
3.2. System architecture
3.2.1. The AMBA3 AXI system bus
3.2.2. The AMBA3 APB peripheral bus
3.2.3. Memory aliasing
3.3. Processor architecture
3.3.1. Switching worlds
3.3.2. Securing the level one memory system
3.3.3. Secure interrupts
3.3.4. Secure processor configuration
3.3.5. Multiprocessor systems with the Security Extensions
3.4. Debug architecture
3.4.1. Processor debug control
3.4.2. System debug control
4. TrustZone Hardware Library
4.1. System IP
4.1.1. PrimeCell High-Performance Matrix - PL301
4.1.2. PrimeCell Level 2 Cache Controller - PL310
4.1.3. PrimeCell DMA Controller - PL330
4.1.4. PrimeCell TrustZone Address Space Controller - PL380
4.1.5. PrimeCell Infrastructure AMBA3 AXI TrustZone Memory Adapter - BP141
4.1.6. PrimeCell Generic Interrupt Controller - PL390
4.1.7. PrimeCell Infrastructure AMBA3 TrustZone Protection Controller - BP147
4.2. Processor IP
4.2.1. ARM1176JZ(F)-S processor
4.2.2. Cortex-A8 processor
4.2.3. Cortex-A9 processor and Cortex-A9 MPCore processor
4.2.4. ARM1156T2(F)-S processor
4.2.5. Cortex-R4 processor
4.2.6. SecurCore smartcard processors
4.3. Reuse of AMBA2 AHB IP
4.3.1. Reuse of AHB masters
4.3.2. Reuse of AHB slaves
5. TrustZone Software Architecture
5.1. Software overview
5.1.1. Secure world processing resources
5.1.2. Software architecture
5.2. Booting a secure system
5.2.1. Boot sequence
5.2.2. Secure boot
5.3. Monitor mode software
5.3.1. Context switching
5.3.2. Interrupt model - monitor requirements
5.3.3. Interrupt latency impact
5.4. Secure software and multiprocessor systems
5.4.1. Secure world processor affinity
5.4.2. Secure world interrupt usage
5.5. The TrustZone API
5.5.1. API availability
6. TrustZone System Design
6.1. Gadget2008 product design brief
6.2. Example use cases
6.2.1. Content management
6.2.2. Mobile Payment
6.3. Gadget2008 specification
6.3.1. General specification
6.3.2. Content management specification
6.3.3. Mobile payment specification
6.3.4. Putting the hardware together
7. Design Checklists
7.1. Use case checklist
7.2. Hardware design checklist
7.2.1. Multiprocessor design
7.3. Software design checklist
7.3.1. Multiprocessor design
Glossary

Proprietary Notice

Words and logos marked with ® or ™ are registered trademarks or trademarks owned by ARM Limited, except as otherwise stated below in this proprietary notice. Other brands and names mentioned herein may be the trademarks of their respective owners.

Neither the whole nor any part of the information contained in, or the product described in, this document may be adapted or reproduced in any material form except with the prior written permission of the copyright holder.

The product described in this document is subject to continuous developments and improvements. All particulars of the product and its use contained in this document are given by ARM in good faith. However, all warranties implied or expressed, including but not limited to implied warranties of merchantability, or fitness for purpose, are excluded.

This document is intended only to assist the reader in the use of the product. ARM Limited shall not be liable for any loss or damage arising from the use of any information in this document, or any error or omission in such information, or any incorrect use of the product.

Confidentiality Status

This document is Non-Confidential. The right to use, copy and disclose this document may be subject to license restrictions in accordance with the terms of the agreement entered into by ARM and the party that ARM delivered this document to.

Unrestricted Access is an ARM internal classification.

Product Status

This document is an informative whitepaper related to ARM security technology, and is not directly related to any individual product.

Revision History
Revision A   December 2008   First release
Revision B   January 2009    Minor language clarifications. Fixed monitor latency calculation on page 5-12.
Revision C   April 2009      Added information related to multiprocessor systems: Accelerator Coherency Port on page 3-10; Multiprocessor systems with the Security Extensions on page 3-13; Multiprocessor debug control on page 3-18; Secure software and multiprocessor systems on page 5-13; Hardware design checklist on page 7-3; Software design checklist on page 7-5.
Copyright © 2005-2009 ARM Limited. All rights reserved.
PRD29-GENC-009492C
Non-Confidential