developing secure software for trustzone for...
TRANSCRIPT
© ARM 2016
ARM TrustZone for ARMv8-M for software engineers
David Xia
Technical Specialist
The need for security
- Communication protection: cryptography, authentication
- Data protection: secret data (keys, personal information)
- Firmware protection: against IP theft and reverse engineering
- Operation protection: maintaining service and revenue
- Anti-tamper protection: related to all other protections
Potential security threats
Figure: a connected device and the attack surfaces around it
- Malicious firmware updates
- Device access via debug port
- Random communication traffic
- Device access via communication channel
ARM TrustZone for ARMv8-M
Security foundation in hardware
ARMv6-M, ARMv7-M, and ARMv8-M architecture
Scalable architecture for microcontrollers:
- ARMv6-M: Cortex-M0, M0+
- ARMv7-M: Cortex-M3, M4, M7
- ARMv8-M baseline (Cortex-M23): lowest cost and smallest implementations
- ARMv8-M mainline (Cortex-M33): for general purpose microcontroller products; highly scalable; optional DSP and floating-point extensions
TrustZone for ARMv8-M
Secure transitions handled by the processor to maintain embedded-class latency
Figure: TrustZone for ARMv8-A versus TrustZone for ARMv8-M
- ARMv8-A: non-secure state runs a rich OS (e.g. Linux) and apps; secure state runs a secure OS and secure apps/libs; state changes go through a secure monitor
- ARMv8-M: non-secure state runs a non-secure OS and app; secure state runs a secure OS and secure app/libs; there is no secure monitor, the processor handles the transitions itself
Security defined by memory map
- All addresses are either secure or non-secure
- Policing managed by the Secure Attribution Unit (SAU)
  - Internal SAU similar to the MPU
  - Supports use of an external system-level definition, for example based on flash blocks or per peripheral
- Banked MPU configuration: independent memory protection per security state
- Loads/stores acquire the non-secure (NS) attribute based on address
  - A non-secure access to a secure address causes a memory fault
- All transactions from the core and the debugger are checked
Figure: a request from the CPU passes through the non-secure MPU or the secure MPU, then through the Security Attribution Unit together with the system-level control, before it is issued as a request to the system
ARMv8-M additional states
- Secure and non-secure code runs on a single CPU, for efficient embedded implementation
- Secure state for trusted code
  - New secure stack pointers for robust operation
  - Addition of stack-limit checking
- Dedicated resources for isolation between domains
  - Separate memory protection units for secure and non-secure
  - Private SysTick timer for each state
  - Secure side can configure the target domain of interrupts
- Existing handler and thread modes are mirrored
Figure: ARMv7-M has handler mode and thread mode; ARMv8-M mirrors both, giving secure handler mode, secure thread mode, non-secure handler mode and non-secure thread mode
High performance cross-domain calls
- Security inferred from instruction address: secure memory is considered to hold secure code
- Direct function calls across the boundary: high performance and high security
  - Multiple entry points
  - No need to go via a 'monitor' for transitions
- Uses the Secure Gateway (SG) instruction, only permitted in special secure memory with the non-secure callable (NSC) attribute
- Efficient implementation focused on microcontrollers
Figure: calls between secure handler/thread mode and non-secure handler/thread mode; R13 is banked into MSP_S, PSP_S, MSP_NS and PSP_NS with the stack-limit registers MSPLIM_S, PSPLIM_S, MSPLIM_NS and PSPLIM_NS, while the other registers shown (R0, R1, R14, R15) are shared between the states
ARMv8-M programmer's model: Memory map (non-secure state)
- Non-secure memory view is identical with Cortex-M
- Branches to fixed memory locations access secure firmware
- Secure memory is invisible
Figure: non-secure memory map
  0x00000000  Flash (vector table for non-secure handlers)
  0x20000000  RAM
  0x40000000  Peripherals
  0x60000000  Off-chip memory
  0xA0000000  Off-chip peripherals
  0xE0000000  System control and debug: ITM/DWT/FBP, SysTick, NVIC, SCB, MPU, Debug
  0xF0000000  ROM tables
  0xFFFFFFFF  end of address space
ARMv8-M programmer's model: Memory map (secure state)
- Secure memory view shows additional flash, RAM, and peripherals
- Access to all regions is possible in secure state
- Regions can be configured in secure state using the SAU
Figure: secure memory map
  0x00000000  Non-secure flash and secure flash (vector table for secure handlers)
  0x20000000  Non-secure RAM and secure RAM
  0x40000000  Non-secure peripherals and secure peripherals
  0x60000000  Off-chip memory
  0xA0000000  Off-chip peripherals
  0xE0000000  System control and debug: ITM/DWT/FBP, secure SysTick, NVIC, secure SCB, secure MPU, SAU, Debug, plus the non-secure SysTick alias, non-secure SCB alias and non-secure MPU alias
  0xF0000000  ROM tables
  0xFFFFFFFF  end of address space
Composing a system with secure and non-secure projects
A simplified use case:
- Non-secure projects cannot access secure resources
- Secure project can access everything
- Secure and non-secure projects may implement independent time scheduling
Figure: the firmware project runs in secure state and the user project in non-secure state; system start enters the secure firmware, which starts the non-secure user application; the components shown (firmware, communication stack, user application, I/O driver) interact through function calls across the boundary
Software development tools and software components
Accelerate software creation
for ARMv8-M devices with TrustZone
Tools and components for software development
- Keil MDK IDE & debugger
- ARM Compiler 6
- ULINK debug adapters
- CMSIS v5
- Fast Models
- MPS2 Cortex-M Prototyping System
CMSIS: Pathway to the ARM ecosystem
- 1.2M+ source files on GitHub
- 3M+ downloads in past six months
- 3668 devices supported
- Vendor-independent hardware abstraction layer for the Cortex-M series: open source software framework with processor HAL, DSP library, and RTOS kernel
- Consistent, generic, and standardized software building blocks: optimized APIs for software creation, code portability, and middleware interfaces
- Infrastructure to accelerate time to market for device deployment: Software Packs to distribute device support, board support, and software building blocks
Keil MDK Microcontroller Development Kit
www.keil.com/mdk
MDK tools:
- MDK-Core: µVision IDE with pack management; µVision Debugger with streaming trace
- ARM C/C++ Compiler: ARM Compiler 5 with qualification kit; ARM Compiler 6 (LLVM technology)
- DS-MDK: DS-5 IDE with pack management; DS-5 Debugger with Streamline
Software packs:
- Device: startup, device HAL, CMSIS driver
- CMSIS: CMSIS-Core, CMSIS-DSP, CMSIS-RTOS
- Middleware: USB host, USB device, file system, graphics, IPv4/IPv6 network, mbed TLS encryption, mbed Client IoT connector
CMSIS defines software packs that are created by ARM, silicon vendors, and middleware partners. For each project the version of the Software Packs may be specified.
Most comprehensive development solution supporting over 3600 devices
ARM C/C++ Compiler extensions for ARMv8-M
- C preprocessor macro __ARM_FEATURE_CMSE indicates secure or non-secure mode
- Function attributes to support calls between secure and non-secure mode:
  - __attribute__((cmse_nonsecure_entry)): secure function that can be called by non-secure code
  - __attribute__((cmse_nonsecure_call)): call to a non-secure function from secure code
- The linker generates an export file with the secure function entries, which the non-secure user project imports
Secure project, C source:

    int __attribute__((cmse_nonsecure_entry)) SecureFunc (int v)
    {
        return v+1;
    }

Generated code (the SG entry and the BXNS return):

    SecureFunc PROC
        SG
        ADDS r0,r0,#1
        BXNS lr
        ENDP
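The two attributes in use, as an added example that is not part of the ARM presentation: a secure-side source file with a non-secure-callable entry function of the same shape as SecureFunc, an entry that registers a non-secure callback pointer, and a secure-to-non-secure call through that pointer. The function names, the event values and the host-build fallback (which strips the attributes and stubs cmse_nsfptr_create/cmse_is_nsfptr so the logic can be compiled and run without a TrustZone target) are assumptions of this example; on a real secure build the attributes and intrinsics come from arm_cmse.h when compiling with -mcmse.

```c
/* Secure-side source for a CMSE project.  Added example; names, event
 * values and the host fallback are assumptions, not ARM's code. */
#include <stdint.h>
#include <stddef.h>

#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2U)
/* Compiled with -mcmse for the secure image: real ACLE attributes and
 * intrinsics from arm_cmse.h. */
#include <arm_cmse.h>
#define NS_ENTRY __attribute__((cmse_nonsecure_entry))
#define NS_CALL  __attribute__((cmse_nonsecure_call))
#else
/* Host build (no TrustZone): the attributes vanish and the two intrinsics
 * become identity/true so the logic can be exercised off-target.  These are
 * stand-ins for this example only, not ARM's definitions. */
#define HOST_BUILD 1
#define NS_ENTRY
#define NS_CALL
#define cmse_nsfptr_create(p) (p)
#define cmse_is_nsfptr(p)     (1)
#endif

/* A non-secure function type.  NS_CALL makes the compiler emit BLXNS and
 * save/clear the registers the non-secure side must not see. */
typedef void NS_CALL ns_event_fn(uint32_t event);

/* Secret state that must never leak: lives in secure RAM. */
static uint32_t s_counter = 0;
static ns_event_fn *s_callback = NULL;

/* Entry point 1: same shape as SecureFunc on the slide.  The linker places
 * an SG veneer for it in NSC memory; on return the compiler clears R0-R3
 * (except the result) and the status flags before BXNS. */
int NS_ENTRY secure_increment(int v)
{
    return v + 1;
}

/* Entry point 2: non-secure code registers a callback.  The pointer arrives
 * from non-secure state, so it is normalised to a non-secure function
 * pointer (LSB cleared) and checked before it is stored. */
int NS_ENTRY secure_register_callback(ns_event_fn *cb)
{
    ns_event_fn *nscb = (ns_event_fn *)cmse_nsfptr_create(cb);
    if (!cmse_is_nsfptr(nscb)) {
        return -1;                      /* refuse a secure-looking pointer */
    }
    s_callback = nscb;
    return 0;
}

/* Entry point 3: works on the secret, then notifies the non-secure side.
 * Only the event number crosses the boundary; s_counter stays in secure RAM. */
int NS_ENTRY secure_step(void)
{
    s_counter++;
    if (s_callback != NULL) {
        s_callback(s_counter & 0xFFu);  /* secure -> non-secure call (BLXNS) */
    }
    return 0;
}

#ifdef HOST_BUILD
/* Host-side driver standing in for the non-secure project (constructed). */
static uint32_t g_last_event;

static void demo_ns_handler(uint32_t event) { g_last_event = event; }

/* Registers the handler, runs three steps, and returns the last event the
 * non-secure side observed (3 for a fresh image). */
uint32_t demo_run(void)
{
    if (secure_register_callback(demo_ns_handler) != 0) return 0xFFFFFFFFu;
    secure_step();
    secure_step();
    secure_step();
    return g_last_event;
}
#endif
```

The non-secure project sees only the prototypes: the linker writes a CMSE import library for the secure image (armlink --import_cmse_lib_out, GNU ld --cmse-implib with --out-implib) that resolves secure_increment and secure_register_callback to the SG veneers in NSC memory, so the non-secure side calls them as ordinary functions.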
CMSIS-CORE for secure mode projects
CMSIS-CORE device files:
- startup_<device>.c: CMSIS device startup
- system_<device>.c: CMSIS system and clock configuration
- partitions.h: secure attributes and interrupt assignment
CMSIS-CORE header files (generated from CMSIS-SVD):
- <device>.h: CMSIS device peripheral access
User program:
- <user>.c/c++: user application, main() { ... }
partitions.h provides the initial setup for the SAU and configures non-secure mode memory areas and interrupts
CMSIS-CORE extensions
- Partition setup and verification
  - Setup for SAU
  - Secure/non-secure pointer validation
- Additional functions to access:
  - New NVIC features
  - Secure and non-secure MPU
  - Non-secure SysTick
  - New special registers
- API for RTOS interface
  - Management of secure stack memory
API for RTOS interface to secure state: CMSIS
- RTOS running in non-secure state: RTOS functionality available to non-secure and secure software
  - Full-featured RTOS for non-secure application
  - Supports function calls to secure state
  - Callback events from secure state
- Secure state provides data and firmware protection: application library functions and a system monitor
- CMSIS-CORE provides TrustZone extensions: TrustZone RTOS context management
Debugging of software projects
MDK offers debugging with:
- Fast Model simulation environment for software development prior to silicon
- MPS2 target connection for testing with microcontroller prototypes
- Secure & non-secure debug access (enter password for secure debug access)
System visibility to processor and peripherals
- MDK Debugger provides detailed dialogs for processor, core peripherals, and device peripherals
- CMSIS-SVD delivers information about device specific peripherals
System visibility to software components
- Software components are a "black box" for the application programmer
- MDK Debugger gives visibility to status and events of software components
- Supports secure firmware and requires no source and debug information
Figure: a software component emits execution status and event information through the Event Recorder; the MDK Debugger combines this with an XML description file to show status and event views
CMSIS-RTOS2 Secure system demo on Cortex-M33
Demonstration of ARMv8-M security features and system recovery
- MPS2 running a Cortex-M33 system
- Non-secure state: CMSIS-RTOS2 based on RTX5, test case execution, user interface display thread
- Secure state: system restart, secure fault handlers, incident log, secure watchdog
- Full source code is part of AppNote 291: Using TrustZone on ARMv8-M
Writing secure code for ARMv8-M processors
Potential attacks: how to avoid software design flaws in secure applications
- Return from secure to non-secure state: CPU registers may still contain secret information
- Data pointers that obtain 'trusted' data in non-secure state: non-secure code may provide incorrect pointers that address secure memory
- Asynchronous modifications to data processing in secure state: non-secure interrupts could change values that are being processed in secure state
Return from secure to non-secure state: CPU registers may contain secret information
Figure: the register file (R0-R4, R12, R13, R14, R15) in secure mode and after the return to non-secure mode; values that secure code leaves behind in the registers can be read as "secret data left" by non-secure code
Return from secure to non-secure state
- cmse_nonsecure_entry attribute: clear R0-R3 when used; clear status flags
- ARM Compiler does not leak secure CPU register data to non-secure mode
Secure state, generated code:

    decrypt:
        SG
        MOV r3, #SECRET
        @ do the work
        MOV r3, #0
        MSR APSR_flags, r3
        BXNS lr

Clear shared CPU register content to avoid information leakage.
SECURITY RISK – Solved! ARM Compiler clears CPU registers that may contain secure data.
Obtain 'trusted' data in non-secure code
Secure state: call a secure function and provide a data pointer
Figure: the non-secure 'get data' function calls the secure 'access' function with a data pointer that may target secure RAM behind the secure MPU
SECURITY RISK! Is this a valid address to non-secure memory? If not, secure data may get corrupted.
Obtain 'trusted' data in non-secure code: check for valid non-secure memory addresses
- ARMv8-M provides the Test Target (TT) instruction to check memory attributes: it returns MPU and SAU configuration information
- ARM Compiler provides intrinsic functions for pointer validation
SECURITY RISK – Solved! Verify pointer target addresses with ARM Compiler intrinsic functions.
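A host-runnable model of what the "Security defined by memory map" slide and this slide describe, added here and not part of the ARM presentation: a partition table in the style of a CMSIS partition header, the SAU_RBAR/SAU_RLAR encoding of each region, the SAU lookup rules that TT reports (an address matching no region is Secure, and overlapping regions are treated as Secure), and a range check with the same logic as the cmse_check_address_range intrinsic from arm_cmse.h (both ends of the range must be non-secure and lie in the same SAU region). The addresses and region names are constructed for illustration and match no real device; the secure_read_record entry at the end is compiled only on a real -mcmse build and uses the real intrinsic.

```c
/* SAU attribution model and non-secure range check.  Added example; the
 * partition table is constructed and matches no real device. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

typedef enum { ATTR_S = 0, ATTR_NS = 1, ATTR_NSC = 2 } sau_attr_t;

/* One SAU region: inclusive [base, limit], 32-byte granularity. */
typedef struct { uint32_t base; uint32_t limit; bool nsc; } sau_region_t;

/* Constructed partition table in the spirit of a CMSIS partition header. */
static const sau_region_t k_regions[] = {
    { 0x00200000u, 0x003FFFFFu, false }, /* non-secure flash            */
    { 0x001FF000u, 0x001FFFFFu, true  }, /* NSC veneers in secure flash */
    { 0x20200000u, 0x203FFFFFu, false }, /* non-secure RAM              */
    { 0x40000000u, 0x4FFFFFFFu, false }, /* non-secure peripherals      */
};
#define K_REGION_COUNT (sizeof k_regions / sizeof k_regions[0])

/* Register encodings programmed through SAU_RNR/SAU_RBAR/SAU_RLAR:
 * RBAR[31:5] = base, RLAR[31:5] = limit, RLAR[1] = NSC, RLAR[0] = ENABLE. */
uint32_t sau_rbar(const sau_region_t *r) { return r->base & 0xFFFFFFE0u; }
uint32_t sau_rlar(const sau_region_t *r)
{
    return (r->limit & 0xFFFFFFE0u) | (r->nsc ? 0x2u : 0x0u) | 0x1u;
}

/* Architectural lookup for one address with the SAU enabled: no match is
 * Secure, one match yields that region's attribute, overlapping matches are
 * Secure.  *region receives the matching region number or -1, which is the
 * SREGION/SRVALID information TT returns. */
sau_attr_t sau_lookup(const sau_region_t *t, size_t n, uint32_t addr, int *region)
{
    int hit = -1;
    for (size_t i = 0; i < n; i++) {
        if (addr >= t[i].base && addr <= t[i].limit) {
            if (hit >= 0) { *region = -1; return ATTR_S; } /* overlap */
            hit = (int)i;
        }
    }
    *region = hit;
    if (hit < 0) return ATTR_S;
    return t[hit].nsc ? ATTR_NSC : ATTR_NS;
}

/* Model of cmse_check_address_range(p, size, CMSE_NONSECURE): both ends of
 * [addr, addr+size-1] must be non-secure and in the same SAU region, which
 * makes the whole range non-secure.  NSC memory is secure memory and is
 * rejected; this model also rejects a zero size and an address wrap. */
bool ns_range_ok(const sau_region_t *t, size_t n, uint32_t addr, uint32_t size)
{
    if (size == 0 || addr + size - 1u < addr) return false;
    int r0, r1;
    sau_attr_t a0 = sau_lookup(t, n, addr, &r0);
    sau_attr_t a1 = sau_lookup(t, n, addr + size - 1u, &r1);
    return a0 == ATTR_NS && a1 == ATTR_NS && r0 == r1;
}

/* Convenience wrapper over the constructed table. */
bool demo_ns_range_ok(uint32_t addr, uint32_t size)
{
    return ns_range_ok(k_regions, K_REGION_COUNT, addr, size);
}

#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2U)
#include <arm_cmse.h>
#include <string.h>
/* On target: the real intrinsic issues TT/TTA on both ends of the range and
 * additionally checks the non-secure MPU for write permission.  The record
 * contents are a placeholder for this example. */
static const uint8_t s_record[16] = { 0 };
int __attribute__((cmse_nonsecure_entry)) secure_read_record(uint8_t *dst, size_t n)
{
    if (n > sizeof s_record) return -1;
    if (cmse_check_address_range(dst, n, CMSE_NONSECURE | CMSE_MPU_READWRITE) == NULL)
        return -1;                 /* caller handed us a secure address */
    memcpy(dst, s_record, n);
    return (int)n;
}
#endif
```

The check is done on the pointer the non-secure side passed in, not on the pointer's contents: a buffer that starts in non-secure RAM but ends past it, a pointer into the NSC veneer area, and a wrapped address are all rejected before the secure side writes a single byte.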
Asynchronous modifications to data processing
- Secure code should never trust non-secure data
- Non-secure memory may be modified by interrupt handlers: a high-priority interrupt in non-secure state can interrupt secure code execution
- A debugger whose access is restricted to non-secure can still change non-secure memory
SECURITY RISK! Non-secure data may be altered during secure code execution: non-secure interrupt functions may corrupt data that is currently being processed
Asynchronous modifications to data processing: ensure data processing in secure memory
- Copy non-secure data before validation
- Use the 'volatile' attribute to disable potential compiler access optimizations
SECURITY RISK – Solved! The object is 'volatile' to avoid value propagation, and the value is validated after it has been copied.
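The copy-then-validate pattern beside the in-place pattern it replaces, as an added example that is not part of the ARM presentation. The request layout, the size limit and the simulated_ns_irq() call are assumptions of this example: the call stands in for a non-secure interrupt that preempts secure code at exactly the point where the in-place version re-reads the length it has already checked.

```c
/* Copy-then-validate for data handed over from non-secure memory.  Added
 * example; layout, limits and the simulated interrupt are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NS_DATA_MAX 64u

/* Layout of a request that the non-secure side builds in non-secure RAM. */
typedef struct {
    uint32_t len;                 /* number of valid bytes in data[] */
    uint8_t  data[NS_DATA_MAX];
} ns_request_t;

/* Stand-in for a non-secure interrupt handler that preempts secure code and
 * rewrites the request.  On hardware this happens asynchronously; here it is
 * called explicitly at the window where the race bites. */
static ns_request_t *g_irq_target;
static void simulated_ns_irq(void)
{
    if (g_irq_target) g_irq_target->len = 0xFFFFu;  /* grow it after the check */
}

/* VULNERABLE: validates len in place, then reads it again from non-secure
 * memory when it is used.  Between the two reads a non-secure interrupt (or
 * a debugger) can change it.  Returns the length that would be copied so the
 * bypass is observable; a memcpy of that size would overrun a secure buffer. */
uint32_t process_in_place(ns_request_t *req)
{
    if (req->len > NS_DATA_MAX) return 0;   /* check ...                     */
    simulated_ns_irq();                     /* ... preempted here ...        */
    return req->len;                        /* ... use: re-read, now 0xFFFF  */
}

/* HARDENED: every field is read exactly once from the non-secure object,
 * which is declared volatile so the compiler cannot re-read the original
 * instead of using the local copy.  Validation and processing then operate
 * only on secure memory.  Returns bytes processed, or 0 on rejection. */
uint32_t process_copied(volatile const ns_request_t *req, uint8_t *secure_buf, size_t cap)
{
    uint32_t len = req->len;                /* one read of the untrusted length */
    if (len > NS_DATA_MAX || len > cap) return 0;
    for (uint32_t i = 0; i < len; i++) {
        secure_buf[i] = req->data[i];       /* one read per byte */
    }
    simulated_ns_irq();                     /* preemption here changes nothing */
    /* from here on only the secure copy is used (parsed, decrypted, ...) */
    return len;
}

/* Host drivers: run both versions against a constructed request. */
uint32_t demo_vulnerable(void)
{
    ns_request_t req = { .len = 8 };
    g_irq_target = &req;
    return process_in_place(&req);          /* 0xFFFF: the check was bypassed */
}

uint32_t demo_hardened(void)
{
    ns_request_t req = { .len = 8 };
    memset(req.data, 0xA5, sizeof req.data);
    g_irq_target = &req;
    uint8_t secure_buf[NS_DATA_MAX];
    uint32_t n = process_copied(&req, secure_buf, sizeof secure_buf);
    /* the secure copy is unaffected by the later change to req */
    return (n == 8 && secure_buf[7] == 0xA5 && req.len == 0xFFFFu) ? n : 0;
}
```

The same discipline applies to pointers and lengths inside the copied data: validate them against the secure copy, never against the non-secure original, and combine the copy with the address-range check so the secure side never follows a non-secure pointer into secure memory.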
Summary
ARMv8-M provides the architecture for the next generation of
secure connected embedded devices
Software and tools make it easy for developers to use secure mode
CMSIS provides software building blocks for faster time to market of
embedded applications that require security
The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited
(or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be
trademarks of their respective owners.
Copyright © 2016 ARM Limited