Developing secure software for TrustZone for ARMv8-M (34 pages)


Page 1: Developing secure software for TrustZone for ARMv8-Marmtechforum.com.cn/attached/article/2016ATS_DavidXia... · 2019. 9. 4. · TrustZone for ARMv8-M Secure transitions handled by


© ARM 2016

ARM TrustZone for ARMv8-M for software engineers

David Xia, Technical Specialist

Page 2: The need for security

- Communication protection: cryptography, authentication
- Data protection: secret data (keys, personal information)
- Firmware protection: against IP theft and reverse engineering
- Operation protection: maintaining service and revenue
- Anti-tamper protection: related to all other protections

Page 3: Potential security threats

Threats to a connected device:
- Malicious firmware updates
- Device access via the debug port
- Random communication traffic
- Device access via the communication channel

Page 4: ARM TrustZone for ARMv8-M: security foundation in hardware

Page 5: ARMv6-M, ARMv7-M, and ARMv8-M architecture

A scalable architecture for microcontrollers:
- ARMv6-M: Cortex-M0, M0+
- ARMv7-M: Cortex-M3, M4, M7
- ARMv8-M baseline (Cortex-M23): lowest cost and smallest implementations
- ARMv8-M mainline (Cortex-M33): for general purpose microcontroller products; highly scalable; optional DSP and floating-point extensions

ARMv8-M today: Cortex-M23 (baseline) and Cortex-M33 (mainline).

Page 6: TrustZone for ARMv8-A compared with TrustZone for ARMv8-M

TrustZone for ARMv8-A:
- Secure states: secure app/libs, secure OS, secure monitor
- Non-secure states: rich OS, e.g. Linux

TrustZone for ARMv8-M:
- Secure states: secure app/libs, secure OS
- Non-secure states: non-secure OS, non-secure app
- Secure transitions are handled by the processor, to maintain embedded-class latency (there is no secure monitor)

Page 7: Security defined by memory map

- All addresses are either secure or non-secure
- Policing is managed by the Security Attribution Unit (SAU)
  - The internal SAU is programmed with regions, similar to an MPU
  - Supports use of an external system-level definition (the IDAU), for example based on flash blocks or per peripheral
- Banked MPU configuration: independent memory protection per security state
- Loads and stores acquire the non-secure (NS) attribute based on their address
- A non-secure access to a secure address raises a memory fault
- All transactions from the core and from the debugger are checked

[Figure: a request from the CPU is attributed by the Security Attribution Unit together with the system-level control, then checked by the non-secure MPU or the secure MPU, before the request is issued to the system]

Page 8: ARMv8-M additional states

- Secure and non-secure code run on a single CPU, for an efficient embedded implementation
- Secure state for trusted code
  - New secure stack pointers for robust operation
  - Addition of stack-limit checking
- Dedicated resources for isolation between domains
  - Separate memory protection units for secure and non-secure state
  - Private SysTick timer for each state
  - The secure side can configure the target domain of interrupts
- Existing handler and thread modes are mirrored

[Figure: ARMv7-M has handler mode and thread mode; ARMv8-M has non-secure handler mode, non-secure thread mode, secure handler mode and secure thread mode]

Page 9: High performance cross-domain calls

- Security is inferred from the instruction address: secure memory is considered to hold secure code
- Direct function calls across the boundary
  - High performance and high security
  - Multiple entry points
  - No need to go via a 'monitor' for transitions
- Uses the Secure Gateway (SG) instruction
  - Only permitted in special secure memory with the non-secure callable (NSC) attribute
- Efficient implementation focused on microcontrollers

[Figure: calls flow between secure handler/thread mode and non-secure handler/thread mode. The general-purpose registers R0-R12, R14 and R15 are shared by both states; the stack pointer R13 is banked (MSP_S, PSP_S, MSP_NS, PSP_NS), as are the stack limit registers MSPLIM_S, PSPLIM_S, MSPLIM_NS and PSPLIM_NS]

Page 10: ARMv8-M programmer's model: memory map (non-secure state)

- The non-secure memory view is identical with existing Cortex-M
- Branches to fixed memory locations access secure firmware
- Secure memory is invisible

Non-secure memory map as drawn on the slide (low to high address):
0x00000000  Flash (holds the vector table for non-secure handlers)
0x20000000  RAM
0x40000000  Peripherals
0x60000000  Off-chip memory
0xA0000000  Off-chip peripherals
0xE0000000  System control and debug: ITM/DWT/FBP, SysTick, NVIC, SCB, MPU, Debug
0xF0000000  ROM tables
0xFFFFFFFF  end of address space

Page 11: ARMv8-M programmer's model: memory map (secure state)

- The secure memory view shows additional flash, RAM, and peripherals
- Access to all regions is possible in secure state
- Regions can be configured in secure state using the SAU

Secure memory map as drawn on the slide (low to high address):
0x00000000  Non-secure flash and secure flash (holds the vector table for secure handlers)
0x20000000  Non-secure RAM and secure RAM
0x40000000  Non-secure peripherals and secure peripherals
0x60000000  Off-chip memory
0xA0000000  Off-chip peripherals
0xE0000000  System control and debug: ITM/DWT/FBP, secure SysTick, NVIC, secure SCB, secure MPU, SAU, Debug, plus the non-secure SysTick, SCB and MPU aliases
0xF0000000  ROM tables
0xFFFFFFFF  end of address space

Page 12: Composing a system with secure and non-secure projects

A simplified use case with a firmware project (secure state) and a user project (non-secure state):
- Non-secure projects cannot access secure resources
- The secure project can access everything
- Secure and non-secure projects may implement independent time scheduling

[Figure: system start enters the firmware in secure state; the firmware, communication stack, user application and I/O driver are connected by function calls across the secure/non-secure boundary]

Page 13: Software development tools and software components: accelerate software creation for ARMv8-M devices with TrustZone

Page 14: Tools and components for software development

- Keil MDK IDE & debugger
- ARM Compiler 6
- ULINK debug adapters
- CMSIS v5
- Fast Models
- MPS2 Cortex-M Prototyping System

Page 15: CMSIS: Pathway to the ARM ecosystem

- 1.2M+ source files on GitHub
- 3M+ downloads in the past six months
- 3668 devices supported

Vendor-independent hardware abstraction layer for the Cortex-M series: an open source software framework with processor HAL, DSP library, and RTOS kernel.

Consistent, generic, and standardized software building blocks: optimized APIs that simplify software creation, code portability, and middleware interfaces.

Infrastructure to accelerate time to market for device deployment: software packs to distribute device support, board support, and software building blocks.

Page 16: Keil MDK Microcontroller Development Kit (www.keil.com/mdk)

MDK tools:
- MDK-Core: µVision IDE with pack management; µVision Debugger with streaming trace
- ARM C/C++ Compiler: ARM Compiler 5 with qualification kit; ARM Compiler 6 (LLVM technology)
- DS-MDK: DS-5 IDE with pack management; DS-5 Debugger with Streamline

Software packs:
- Device: startup, device HAL, CMSIS driver
- CMSIS: CMSIS-Core, CMSIS-DSP, CMSIS-RTOS
- Middleware: USB host, USB device, file system, graphics, IPv4/IPv6 network, mbed TLS encryption, mbed Client IoT connector

CMSIS defines software packs that are created by ARM, silicon vendors, and middleware partners. For each project the version of the software packs may be specified.

The most comprehensive development solution, supporting over 3600 devices.

Page 17: ARM C/C++ Compiler extensions for ARMv8-M

- The C preprocessor macro __ARM_FEATURE_CMSE indicates secure or non-secure mode
- Function attributes support calls between secure and non-secure mode
  - __attribute__((cmse_nonsecure_entry)): secure function that can be called by non-secure code
  - __attribute__((cmse_nonsecure_call)): call to a non-secure function from secure code
- The linker generates an export file with the secure function entries; the non-secure user project imports these entries from the secure project

A secure entry function as written in C (in a definition the attribute must precede the declarator):

    __attribute__((cmse_nonsecure_entry)) int SecureFunc (int v)
    {
      return v+1;
    }

and the code the compiler generates for it:

    SecureFunc PROC
        SG              ; secure gateway: the only valid entry from non-secure state
        ADDS r0,r0,#1
        BXNS lr         ; return to the non-secure caller
    ENDP
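Both attributes in use, as an added example written for this page rather than code from the deck or from ARM: a secure project exports two entry functions and keeps a non-secure callback pointer, using the CMSE attributes above and the cmse_nsfptr_create/cmse_is_nsfptr helpers from <arm_cmse.h>. The NS_ENTRY/NS_CALL macros, the counter service and the callback are hypothetical; when __ARM_FEATURE_CMSE does not report a secure (-mcmse) build, the attributes and helpers become no-ops so the same source also compiles and runs on a host.

```c
#include <stddef.h>
#include <stdint.h>

/* Secure build: armclang/gcc with -mcmse defines __ARM_FEATURE_CMSE with bit 1
 * set and provides <arm_cmse.h>.  Any other build (the non-secure side, or a
 * host unit test) gets no-op stand-ins so the logic below still compiles. */
#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2)
#include <arm_cmse.h>
#define NS_ENTRY __attribute__((cmse_nonsecure_entry))
#define NS_CALL  __attribute__((cmse_nonsecure_call))
#define ON_SECURE_TARGET 1
#else
#define NS_ENTRY
#define NS_CALL
#define ON_SECURE_TARGET 0
#define cmse_nsfptr_create(p) (p)   /* stand-in: the real macro clears bit 0 */
#define cmse_is_nsfptr(p)     (1)   /* stand-in: the real macro tests bit 0 == 0 */
#endif

/* Callback type as seen from secure code.  The attribute makes the compiler
 * emit the BLXNS sequence, save and clear the caller-saved registers, and
 * zero the argument registers the call does not use. */
typedef void (NS_CALL *ns_event_cb_t)(uint32_t event);

static ns_event_cb_t s_callback;   /* secure RAM: never visible to NS code */
static uint32_t      s_counter;    /* secure RAM: the "secret" state */

/* Exported entry 1: non-secure code registers a callback.  The pointer is
 * re-created as a non-secure function pointer (bit 0 cleared) so the later
 * BLXNS performs a real state transition instead of faulting. */
NS_ENTRY int secure_register_callback(ns_event_cb_t cb) {
    if (cb == NULL) return -1;
    s_callback = (ns_event_cb_t)cmse_nsfptr_create(cb);
    return 0;
}

/* Exported entry 2: only the return value in r0 crosses back; the compiler
 * clears the remaining caller-saved registers and the flags before BXNS. */
NS_ENTRY uint32_t secure_next_value(void) {
    return ++s_counter;
}

/* Secure-only (not exported, so no SG veneer): deliver an event to NS code. */
int secure_notify(uint32_t event) {
    if (s_callback == NULL || !cmse_is_nsfptr(s_callback)) return -1;
    s_callback(event);                     /* secure -> non-secure call */
    return 0;
}

#if !ON_SECURE_TARGET
/* Non-secure side of the demo (on hardware this lives in the NS project). */
#include <stdio.h>
static uint32_t ns_last_event;
static void ns_handler(uint32_t event) { ns_last_event = event; }
ns_event_cb_t ns_handler_ptr(void) { return (ns_event_cb_t)ns_handler; }
uint32_t ns_last_event_seen(void) { return ns_last_event; }

int main(void) {
    secure_register_callback(ns_handler_ptr());
    secure_notify(42);
    printf("event=%u next=%u\n", (unsigned)ns_last_event_seen(),
           (unsigned)secure_next_value());
    return 0;
}
#endif
```

On a secure build the linker still has to place the two NS_ENTRY functions behind SG veneers in NSC memory and emit the import library the non-secure project links against; nothing in the C source changes for that.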

Page 18: CMSIS-CORE for secure mode projects

Files relating to CMSIS-CORE, including device-specific files:
- startup_<device>.c: CMSIS device startup
- system_<device>.c: CMSIS system and clock configuration
- <device>.h: CMSIS device peripheral access (header files generated from CMSIS-SVD)
- partitions.h: secure attributes and interrupt assignment; provides the initial setup for the SAU and configures the non-secure mode memory areas and interrupts
- <user>.c/c++: user application, main() { ... }

Page 19: CMSIS-CORE extensions

- Partition setup and verification
  - Setup for the SAU
  - Secure/non-secure pointer validation
- Additional functions to access:
  - New NVIC features
  - Secure and non-secure MPU
  - Non-secure SysTick
  - New special registers
- API for the RTOS interface
  - Management of secure stack memory

Page 20: API for RTOS interface to secure state: CMSIS

- RTOS running in non-secure state: RTOS functionality is available to non-secure and secure software
  - Full-featured RTOS for the non-secure application
  - Supports function calls to secure state
  - Callback events from secure state
- Secure state provides data and firmware protection (library functions, system monitor)
- CMSIS-CORE provides TrustZone extensions for RTOS context management (TrustZone RTOS Context Management)

[Figure: the non-secure state holds the RTOS and the application; the secure state holds library functions and a system monitor; the two are linked through the RTOS context management API]

Page 21: Debugging of software projects

MDK offers debugging with:
- Fast Model simulation environment for software development prior to silicon
- MPS2 target connection for testing with microcontroller prototypes
- Secure and non-secure debug access (a password is entered for secure debug access)

Page 22: System visibility to processor and peripherals

- The MDK Debugger provides detailed dialogs for the processor, core peripherals, and device peripherals
- CMSIS-SVD delivers information about device-specific peripherals

Page 23: System visibility to software components

- Software components are a "black box" for the application programmer
- The MDK Debugger gives visibility to the status and events of software components
- Works with secure firmware and requires no source code or debug information

[Figure: a software component emits events through the Event Recorder; the MDK Debugger combines the execution status and event information with an XML description file to show status and event views]

Page 24: CMSIS-RTOS2 secure system demo on Cortex-M33

Demonstration of ARMv8-M security features and system recovery, running on an MPS2 with a Cortex-M33 system:
- Non-secure state: CMSIS-RTOS2 based on RTX5, test case execution, user interface display thread
- Secure state: system restart from secure fault handlers, incident log, secure watchdog

Full source code is part of AppNote 291: Using TrustZone on ARMv8-M.

Page 25: Writing secure code for ARMv8-M processors

Page 26: How to avoid software design flaws in secure applications

Potential attacks:
- Return from secure to non-secure state: CPU registers may still contain secret information
- Data pointers that obtain 'trusted' data in non-secure state: non-secure code may provide incorrect pointers that address secure memory
- Asynchronous modifications to data processing in secure state: non-secure interrupts could change values that are being processed in secure state

Page 27: Return from secure to non-secure state: CPU registers may contain secret information

[Figure: on return from secure mode to non-secure mode, the general-purpose registers R0-R12, R14 and R15 are the same physical registers in both states (only the stack pointer R13 is banked); whatever secure code left in them can be read by non-secure code ("read secret data left")]

Page 28: Return from secure to non-secure state

- With the cmse_nonsecure_entry attribute the compiler:
  - Clears R0-R3 when they have been used (those not carrying the return value)
  - Clears the status flags
- The ARM Compiler therefore does not leak secure CPU register data to non-secure mode

Generated code (executes in secure state; the non-secure caller resumes after BXNS):

    decrypt:
        SG
        MOV r3, #SECRET
        @ do the work
        MOV r3, #0              @ clear the register that held the secret
        MSR APSR_nzcvq, r3      @ clear the status flags
        BXNS lr

Clear shared CPU register content to avoid information leakage.

SECURITY RISK – Solved! The ARM Compiler clears the CPU registers that may contain secure data.

Page 29: Obtain 'trusted' data in non-secure code

[Figure: non-secure code calls a secure "get data" function and provides a data pointer; the secure access function then reads or writes through that pointer, which the secure MPU allows because the access is made in secure state, even if the pointer targets secure RAM]

SECURITY RISK! Is this a valid address to non-secure memory? If not, secure data may get corrupted (or handed back to the non-secure caller).

Page 30: Obtain 'trusted' data in non-secure code: check for valid non-secure memory addresses

- ARMv8-M provides the Test Target (TT) instruction to check memory attributes: it returns the MPU and SAU configuration information for an address
- The ARM Compiler provides intrinsic functions, built on TT, for pointer validation

SECURITY RISK – Solved! Verify pointer target addresses with the ARM Compiler intrinsic functions before the secure function uses them.
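Added example (not from the deck or from CMSIS) covering both the partitions.h SAU setup of page 18 and the pointer check of this page: a region table is encoded into the SAU's RBAR/RLAR registers, and a secure entry function validates a buffer handed over by non-secure code with cmse_check_address_range() (the ARM Compiler's TT-based intrinsic from <arm_cmse.h>) before touching it. The memory map, the struct sau_regs stand-in and all names are assumptions; on a non-secure or host build the same region table drives a software model of the check, so the boundary cases a reviewer looks for (a range that straddles the end of a non-secure region, wraps the address space, is empty, or points at NSC memory) can be exercised.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2)
#include <arm_cmse.h>                 /* secure build: real TT-based intrinsics */
#define ON_SECURE_TARGET 1
#else
#define ON_SECURE_TARGET 0            /* host build: software model below */
#endif

/* SAU register block as laid out in the ARMv8-M architecture (first five
 * registers of the block at 0xE000EDD0; SFSR/SFAR follow and are omitted). */
struct sau_regs { volatile uint32_t CTRL, TYPE, RNR, RBAR, RLAR; };
#define SAU_BASE_ADDR   0xE000EDD0u
#define SAU_CTRL_ENABLE (1u << 0)
#define SAU_RLAR_ENABLE (1u << 0)
#define SAU_RLAR_NSC    (1u << 1)
#define SAU_GRANULE     32u           /* base and limit are 32-byte aligned */

/* One SAU region.  `limit` is the last byte address (inclusive), as in RLAR.
 * nsc = true marks secure, non-secure-callable memory (the SG veneers). */
struct sau_region { uint32_t base, limit; bool nsc; };

/* Assumed memory map for a hypothetical Cortex-M33 device; the addresses
 * are illustrative, not taken from any real part or from the deck. */
static const struct sau_region k_regions[] = {
    { 0x00200000u, 0x003FFFFFu, false },   /* non-secure flash */
    { 0x001FFE00u, 0x001FFFFFu, true  },   /* NSC veneers, top of secure flash */
    { 0x20200000u, 0x203FFFFFu, false },   /* non-secure RAM */
    { 0x40000000u, 0x4FFFFFFFu, false },   /* non-secure peripherals */
};
#define N_REGIONS (sizeof k_regions / sizeof k_regions[0])

/* Encode a region into RBAR/RLAR; rejects misaligned or inverted entries. */
static bool sau_encode(const struct sau_region *r, uint32_t *rbar, uint32_t *rlar) {
    if (r->base % SAU_GRANULE != 0 || (r->limit + 1u) % SAU_GRANULE != 0 ||
        r->limit < r->base)
        return false;
    *rbar = r->base;                                   /* BADDR in bits [31:5] */
    *rlar = (r->limit & ~(SAU_GRANULE - 1u))           /* LADDR in bits [31:5] */
          | (r->nsc ? SAU_RLAR_NSC : 0u) | SAU_RLAR_ENABLE;
    return true;
}

uint32_t sau_rlar_of(size_t i) {       /* exposed for inspection/tests */
    uint32_t rbar, rlar;
    return (i < N_REGIONS && sau_encode(&k_regions[i], &rbar, &rlar)) ? rlar : 0u;
}

/* Program the table and enable the SAU, the job partitions.h does at start-up.
 * With CTRL.ALLNS = 0, every address not covered by an enabled region is
 * secure, so a missing table entry fails closed. */
bool sau_configure(struct sau_regs *sau, const struct sau_region *tbl, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint32_t rbar, rlar;
        if (!sau_encode(&tbl[i], &rbar, &rlar)) return false;
        sau->RNR  = (uint32_t)i;
        sau->RBAR = rbar;
        sau->RLAR = rlar;
    }
    sau->CTRL = SAU_CTRL_ENABLE;
    return true;
}

/* Host model of the TT-based range check: [addr, addr+len) must lie entirely
 * inside one enabled, non-NSC region.  A range that straddles the end of a
 * non-secure region, wraps around the address space, or is empty fails. */
static bool model_range_is_nonsecure(uint32_t addr, size_t len) {
    if (len == 0 || (len - 1) > (size_t)(UINT32_MAX - addr)) return false;
    uint32_t last = addr + (uint32_t)(len - 1);
    for (size_t i = 0; i < N_REGIONS; i++) {
        const struct sau_region *r = &k_regions[i];
        if (!r->nsc && addr >= r->base && last <= r->limit) return true;
    }
    return false;
}

/* The check a cmse_nonsecure_entry function runs on a buffer it received
 * from non-secure code, before reading or writing through it. */
bool ns_buffer_is_valid(const void *p, size_t len) {
#if ON_SECURE_TARGET
    /* TT over the whole range: non-secure per SAU and IDAU, and readable and
     * writable under the non-secure MPU.  Returns p on success, NULL otherwise. */
    return cmse_check_address_range((void *)p, len,
                                    CMSE_NONSECURE | CMSE_MPU_READWRITE) != NULL;
#else
    return model_range_is_nonsecure((uint32_t)(uintptr_t)p, len);
#endif
}

/* Host stand-in for the memory-mapped SAU so the programmed values can be
 * inspected; on hardware you would pass (struct sau_regs *)SAU_BASE_ADDR. */
static struct sau_regs g_host_sau;
struct sau_regs *demo_program_sau(void) {
    return sau_configure(&g_host_sau, k_regions, N_REGIONS) ? &g_host_sau : NULL;
}
```

The point of the straddle case is that non-secure code chooses both the pointer and the length: a pointer whose first byte is valid non-secure memory but whose last byte lands in the adjacent secure region passes a naive "is the pointer non-secure?" test and still lets the secure function write into secure RAM, which is why the check has to cover the whole range rather than the first address.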

Page 31: Asynchronous modifications to data processing

- Secure code should never trust non-secure data
- Non-secure memory may be modified by interrupt handlers: a high priority interrupt in non-secure state can interrupt secure code execution
- A debugger whose access is restricted to the non-secure side can still change non-secure memory

SECURITY RISK! Non-secure data may be altered during secure code execution: non-secure interrupt functions may corrupt the data currently being processed in secure state.

Page 32: Asynchronous modifications to data processing: ensure data processing in secure memory

- Copy non-secure data into secure memory before validating it
- Use the 'volatile' attribute to disable potential compiler access optimizations, so the value is read from non-secure memory exactly once

SECURITY RISK – Solved! The object is 'volatile' to avoid value propagation, and the value is validated after it has been copied into secure memory.
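Added example (not from the deck): the double fetch the slide warns about and the copy-then-validate fix beside it. struct ns_request, the hook that stands in for a non-secure interrupt, the 16-byte limit and the function names are constructed for this demonstration; the request's address is assumed to have already passed the SAU/MPU pointer check of the previous slides, so the only remaining problem is that its contents can change under the secure function's feet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A request block in non-secure RAM shared with the non-secure application. */
struct ns_request { uint32_t len; uint8_t payload[64]; };

/* Stand-in for a high-priority non-secure interrupt that fires between the
 * check and the use (or for a debugger poking NS memory).  NULL = no IRQ. */
static void (*ns_irq_hook)(struct ns_request *) = NULL;
static void maybe_ns_irq(struct ns_request *r) { if (ns_irq_hook) ns_irq_hook(r); }

/* VULNERABLE: validates r->len, then fetches r->len again from non-secure
 * memory for the copy.  Anything that changes it in between turns a checked
 * value into an unchecked one (a classic double fetch).  Returns bytes copied. */
int secure_copy_vuln(struct ns_request *r, uint8_t *dst, size_t dst_size) {
    if (r->len > dst_size) return -1;        /* check: fetch #1 */
    maybe_ns_irq(r);                         /* NS interrupt window */
    memcpy(dst, r->payload, r->len);         /* use:   fetch #2 */
    return (int)r->len;
}

/* HARDENED: fetch the length once, through a volatile pointer, into secure
 * stack storage; validate and use only that private copy.  volatile stops
 * the compiler from re-loading the field from NS memory on later uses. */
int secure_copy_safe(struct ns_request *r, uint8_t *dst, size_t dst_size) {
    const volatile struct ns_request *src = r;
    uint32_t len = src->len;                 /* single fetch into secure memory */
    if (len > dst_size || len > sizeof src->payload) return -1;
    maybe_ns_irq(r);                         /* same window, now harmless */
    /* Each payload byte is also fetched exactly once; a change mid-copy can
     * only produce inconsistent data, never an out-of-bounds write. */
    for (uint32_t i = 0; i < len; i++) dst[i] = src->payload[i];
    return (int)len;
}

/* "Attacker" interrupt: bump the length after it has been checked. */
static void hostile_irq(struct ns_request *r) { r->len = sizeof r->payload; }

/* Run one variant with a claimed 16-byte destination limit.  The real buffer
 * is payload-sized, so an over-copy shows up in the return value instead of
 * as memory corruption.  Returns the variant's result. */
int run_scenario(int (*variant)(struct ns_request *, uint8_t *, size_t),
                 uint32_t initial_len, int hostile) {
    struct ns_request req;
    uint8_t dst[sizeof req.payload];
    memset(&req, 0xAA, sizeof req);
    req.len = initial_len;
    ns_irq_hook = hostile ? hostile_irq : NULL;
    int n = variant(&req, dst, 16);
    ns_irq_hook = NULL;
    return n;
}

int main(void) {
    printf("vuln, len 8, IRQ raises it to 64: copied %d bytes into a 16-byte slot\n",
           run_scenario(secure_copy_vuln, 8, 1));
    printf("safe, same attack: copied %d bytes\n", run_scenario(secure_copy_safe, 8, 1));
    return 0;
}
```

The same rule applies to anything else the secure side reads from non-secure memory more than once (a command code, a flag word, a pointer inside the buffer): copy it, validate the copy, and never look at the non-secure original again.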

Page 33: Summary

- ARMv8-M provides the architecture for the next generation of secure connected embedded devices
- Software and tools make it easy for developers to use secure mode
- CMSIS provides software building blocks for faster time to market of embedded applications that require security

Page 34: Trademark notice

The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.

Copyright © 2016 ARM Limited