
FFRI, Inc.

ARMv8-M TrustZone:
A New Security Feature for Embedded Systems

Fourteenforty Research Institute, Inc. (FFRI, Inc.)
http://www.ffri.jp

Confidential

ARMv8-M Architecture
• Architecture for embedded devices (Cortex-M processor family), announced in November 2015.

• To comprehensively support embedded systems that require the characteristics of the conventional ARMv6-M/ARMv7-M architectures, ARMv8-M defines two sub-profiles.
  – Baseline
    • For ultra-low-power products
    • Similar to ARMv6-M
  – Mainline
    • For full-featured microcontroller products and high-performance embedded systems
    • Similar to ARMv7-M

[Figure: ARMv8-M Mainline is layered on ARMv8-M Baseline; the DSP and Floating-Point extensions are optional.]


TrustZone
• A security feature provided by ARM processors.
  – Cortex-A family, or next-generation Cortex-M processors

• By adding a security state, it becomes possible to separate/isolate different security levels.
  – e.g. Normal World & Secure World

• The ARMv8-M architecture provides TrustZone with a mechanism different from the traditional ARMv8-A architecture, one that is optimized for embedded systems.


TrustZone (ARMv7, ARMv8-A, etc.)

• A monitor mode is added, and execution is separated into the "Normal World" and the "Secure World".
  – The transition to monitor mode uses the SMC instruction.
  – A kind of virtualization feature using the OS monitor.

[Figure (ARMv8-A): Normal World (User Mode, Priv Mode) and Secure World (User Mode, Priv Mode), with the Monitor beneath both.]

• The iPhone's Secure Enclave is known to have been using TrustZone.

• For more information, please refer to our research paper published in March 2013 (Japanese only).


TrustZone (ARMv8-M)
• A Secure state is added, so the processor can be in Non-secure Handler/Thread mode or in Secure Handler/Thread mode.
  – The state transition uses branch instructions.
  – The system starts in the "Secure" state by default.

• The remainder of this article describes ARMv8-M TrustZone.

[Figure: ARMv7-M has Handler Mode and Thread Mode; ARMv8-M has Non-secure Handler Mode, Non-secure Thread Mode, Secure Handler Mode and Secure Thread Mode.]


ARMv8-M TrustZone - Memory space separation

• In addition to the partitioning fixed by the developer of the microcontroller or SoC, the memory partitioning can also be defined by software, using the SAU and IDAU interfaces.

• The memory space can be divided into three kinds of region (see the figure).

• The security state of the processor is determined by the definition of the memory space it executes from.

[Figure, from 0xffffffff down to 0x00000000:
  Secure: Code, Data, Stack, Heap, etc.
  Non-Secure Callable: vector of secure gateways, the entry to Secure code
  Non-Secure: Code, Data, Stack, Heap, etc.]

SAU: Software Attribution Unit
IDAU: Implementation Defined Attribution Unit


ARMv8-M TrustZone – Secure Gateway

• To call processing in the Secure region from the Non-Secure region, the call must be relayed through a secure gateway.
  – The first instruction of a function called from the Non-Secure region MUST always be the SG (Secure Gateway) instruction.
  – The SG instruction MUST be located in the NSC (Non-Secure Callable) region.

• When calling processing in the Non-Secure region from the Secure region, the current state is pushed onto the stack and then the processor branches to the Non-Secure region.
  – When branching to the Non-Secure region, the reserved value FNC_RETURN is set in the Link Register (LR).
  – Returning to the Secure region is done by branching to this Link Register value (FNC_RETURN).


ARMv8-M TrustZone - Secure Gateway

• If a program in the Non-Secure region accesses an address in the Secure region directly, the following exception occurs.
  – In Mainline, SecureFault (exception number 7); in Baseline, HardFault (exception number 3). The exception is taken in the Secure state.

[Figure: state transitions of the processor between the Secure state and the Non-Secure state over the address space 0x00000000-0xffffffff, illustrated by the two listings below.]

Secure region calling the Non-Secure region (the return comes back through FNC_RETURN in LR):

    /* Secure */
    Func_A:
        ;Secure Routine
        blxns r0          ; r0 holds the Non-Secure target address
        ...
    /* NSC */
    Func_A_Entry:
        SG
        b Func_A
    /* Non-Secure */
    Func_B:
        ;Non-Secure Routine
        bx lr             ; LR holds FNC_RETURN, so this returns to the Secure state

Non-Secure region calling the Secure region through the secure gateway:

    /* Secure */
    Func_A:
        ;Secure Routine
        bxns lr           ; return to the Non-Secure caller
    /* NSC */
    Func_A_Entry:
        SG
        b Func_A
    /* Non-Secure */
        bl Func_A_Entry
        ...


ARMv8-M TrustZone - Test Target

• A region number is assigned to each part of the memory space defined by the aforementioned SAU and IDAU.
  – From the region number it is possible to know whether the target has the Secure attribute, and whether a target is contiguous (lies within the same region).

• The new TestTarget (TT) instruction returns the security attribute and the region number for an address.
  – By using the TT instruction, it is possible to know whether the address range of an array or structure belongs to the same region.

[Figure, from 0xffffffff down to 0x00000000: Secure Region #4, Non-Secure Region #3, Secure Region #2, Non-Secure Region #1. A start-end address range that stays inside one region is in the same region; a start-end address range that crosses into a different region is not.]
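The attribution lookup and the "same region?" test from the two slides above, as a host-side model rather than code from the FFRI slides or from ARM. The region table, the two `ram_t` buffers, `sau_init()`, `tt_lookup()`, `range_is_nonsecure()` and `secure_sum_ns_buffer()` are all constructed for this example; on a real ARMv8-M part the SAU/IDAU hardware holds the regions and the TT instruction (or the CMSE helper `cmse_check_address_range()`) performs the lookup. The point it demonstrates is the defensive use of TT: a Secure entry function must check that every pointer handed to it from the Non-Secure side lies entirely in Non-Secure memory before reading or writing through it.

```c
/* Host-side model of ARMv8-M SAU/IDAU attribution and the TT range check.
 * Added example; the region layout and buffers are constructed, not a
 * real device memory map. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { ATTR_NONSECURE, ATTR_SECURE, ATTR_NSC } sec_attr_t;

/* One attribution region: inclusive [start, end], its attribute, its number. */
typedef struct {
    uintptr_t  start;
    uintptr_t  end;
    sec_attr_t attr;
    uint8_t    region;
} sau_region_t;

/* What TT reports for one address: S bit, NSC bit, region number, validity. */
typedef struct {
    bool    valid;
    bool    secure;
    bool    nsc;
    uint8_t region;
} tt_result_t;

/* Two blocks standing in for Non-Secure and Secure SRAM (constructed). */
typedef struct { uint8_t data[64]; uint32_t result; } ram_t;
static ram_t g_ns_ram;
static ram_t g_s_ram;
static sau_region_t g_regions[2];
static bool g_sau_ready;

/* Program the model "SAU" from the blocks' actual host addresses. */
static void sau_init(void) {
    g_regions[0] = (sau_region_t){ (uintptr_t)&g_ns_ram,
        (uintptr_t)&g_ns_ram + sizeof g_ns_ram - 1, ATTR_NONSECURE, 1 };
    g_regions[1] = (sau_region_t){ (uintptr_t)&g_s_ram,
        (uintptr_t)&g_s_ram + sizeof g_s_ram - 1, ATTR_SECURE, 2 };
    g_sau_ready = true;
}

/* Model of TT: attribute and region number for a single address. An address
 * matching no region is reported as Secure (the SAU default for unmapped
 * space) and flagged invalid, so callers never accept it. */
static tt_result_t tt_lookup(uintptr_t addr) {
    tt_result_t r = { false, true, false, 0 };
    if (!g_sau_ready) sau_init();
    for (size_t i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++) {
        if (addr >= g_regions[i].start && addr <= g_regions[i].end) {
            r.valid  = true;
            r.secure = (g_regions[i].attr != ATTR_NONSECURE);
            r.nsc    = (g_regions[i].attr == ATTR_NSC);
            r.region = g_regions[i].region;
            break;
        }
    }
    return r;
}

/* The slide's "same region?" test: [base, base+len) is accepted only if both
 * ends are valid, Non-Secure and in one region. Regions are contiguous and
 * non-overlapping, so equal region numbers at both ends cover the middle. */
static bool range_is_nonsecure(uintptr_t base, size_t len) {
    if (len == 0 || (uintptr_t)(len - 1) > UINTPTR_MAX - base) return false;
    tt_result_t lo = tt_lookup(base);
    tt_result_t hi = tt_lookup(base + len - 1);
    return lo.valid && hi.valid && !lo.secure && !hi.secure && lo.region == hi.region;
}

/* With GCC/Clang and -mcmse this attribute makes the compiler emit the SG
 * veneer in the NSC region for the function; off-target it is a no-op. */
#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2)
#define NS_ENTRY __attribute__((cmse_nonsecure_entry))
#else
#define NS_ENTRY
#endif

/* Secure service reachable from Non-Secure code. It sums a caller-supplied
 * buffer and stores the result through a caller-supplied pointer, but only
 * after proving both lie in Non-Secure memory, so a Non-Secure caller cannot
 * use the service to read or overwrite Secure memory. Returns 0 on success,
 * -1 on rejection. */
NS_ENTRY int secure_sum_ns_buffer(const uint8_t *buf, size_t len, uint32_t *out) {
    if (!range_is_nonsecure((uintptr_t)buf, len) ||
        !range_is_nonsecure((uintptr_t)out, sizeof *out))
        return -1;
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[i];
    *out = sum;
    return 0;
}

/* Constructed Non-Secure payload: fills data[0..n) with 1..n and returns the
 * sum the service is expected to report. */
static uint32_t ns_prepare_payload(size_t n) {
    uint32_t expected = 0;
    if (n > sizeof g_ns_ram.data) n = sizeof g_ns_ram.data;
    for (size_t i = 0; i < n; i++) {
        g_ns_ram.data[i] = (uint8_t)(i + 1);
        expected += (uint32_t)(i + 1);
    }
    return expected;
}

int main(void) {
    uint32_t expected = ns_prepare_payload(4);
    int rc = secure_sum_ns_buffer(g_ns_ram.data, 4, &g_ns_ram.result);
    printf("NS buffer: rc=%d sum=%u (expected %u)\n", rc, g_ns_ram.result, expected);
    printf("Secure buffer as input:  rc=%d\n", secure_sum_ns_buffer(g_s_ram.data, 4, &g_ns_ram.result));
    printf("Secure word as output:   rc=%d\n", secure_sum_ns_buffer(g_ns_ram.data, 4, &g_s_ram.result));
    printf("Range leaving NS region: rc=%d\n", secure_sum_ns_buffer(g_ns_ram.data + 60, 16, &g_ns_ram.result));
    return 0;
}
```

Both endpoints are tested, not just the base address, because the failure mode the slide draws is a range that starts in Non-Secure Region #1 and ends in Secure Region #2; a check of the base alone would accept it. The output pointer is checked for the same reason: an unchecked `out` would let Non-Secure code direct a Secure write into Secure memory.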


ARMv8-M TrustZone - example usage for embedded systems

• Now that an embedded device architecture supports TrustZone, data protection with this technology also becomes realistic for a variety of IoT and in-vehicle devices.

• For example, by storing the firmware in the Secure region in advance, IoT device vendors can expect it to serve as a measure against reverse engineering.

[Figure: TrustZone-enabled processor in an embedded device. IoT/M2M devices and ECUs built on ARMv8-M; Secure side: FW, Libraries, Key, Drivers, etc.; Non-Secure side: User Data.]

Summary
• In this paper, we introduced TrustZone for ARMv8-M based on the information published so far.
  – The specification may change in the future, because some of the documents are still beta.

• As of February 2016, no processor or evaluation board for the ARMv8-M architecture has been confirmed on the market.
  – Even compiler support is still a work in progress in GCC and Clang.

• For automotive, HSM (Hardware Security Module) is already present as a standard.
  – Therefore, semiconductor manufacturers mainly ship microcontroller products that conform to this standard for automotive use.
  – With the advent of ARMv8-M, there is a possibility that products utilizing TrustZone will be announced in the future.


References
• Whitepaper – ARMv8-M Architecture Technical Overview
  – https://community.arm.com/docs/DOC-10896
• ARM® Compiler Software Development Guide Version 6.3
  – http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0773dj/pge1446115999905_00009.html
• (Video) ARMv8-M architecture: what's new for developers
  – https://youtu.be/V5zr5mPjAvU
• FFRI Monthly Research – The Emergence of Secure Hardware and Its Analysis
  – http://www.ffri.jp/assets/files/monthly_research/MR201303_TrustZone.pdf

ARM® and TrustZone® are trademarks of ARM Ltd.
