ARM TrustZone for ARMv8-M for software engineers

Similar documents
Implementing Secure Software Systems on ARMv8-M Microcontrollers

Arm TrustZone Armv8-M Primer

IoT and Security: ARM v8-m Architecture. Robert Boys Product Marketing DSG, ARM. Spring 2017: V 3.1

The Next Steps in the Evolution of ARM Cortex-M

The Next Steps in the Evolution of Embedded Processors

ARMv8-M Architecture Technical Overview

Designing Security & Trust into Connected Devices

the ARMv8-M architecture

A Developer's Guide to Security on Cortex-M based MCUs

Designing, developing, debugging ARM Cortex-A and Cortex-M heterogeneous multi-processor systems

M2351 Security Architecture. TrustZone Technology for Armv8-M Architecture

Designing Security & Trust into Connected Devices

M2351 TrustZone Program Development

Securing IoT with the ARM mbed ecosystem

Building mbed Together: An Overview of mbed OS and How To Get Involved

Resilient IoT Security: The end of flat security models

Designing Security & Trust into Connected Devices

Bringing the benefits of Cortex-M processors to FPGA

Kinetis Software Optimization

How to protect Automotive systems with ARM Security Architecture

TrustZone technology for ARM v8-m Architecture

Secure software guidelines for ARMv8-M. for ARMv8-M. Version 0.1. Version 2.0. Copyright 2017 ARM Limited or its affiliates. All rights reserved.

Trustzone Security IP for IoT

Beyond Hardware IP An overview of Arm development solutions

Introduction to Keil-MDK-ARM. Updated:Monday, January 22, 2018

ARM mbed mbed OS mbed Cloud

Cortex-M3/M4 Software Development

ECE254 Lab3 Tutorial. Introduction to MCB1700 Hardware Programming. Irene Huang

Introduction to Keil-MDK-ARM. Updated:Thursday, February 15, 2018

Beyond TrustZone PSA Reed Hinkel Senior Manager Embedded Security Market Development

mbed OS Update Sam Grove Technical Lead, mbed OS June 2017 ARM 2017

Accelerating IoT with ARM mbed

New Approaches to Connected Device Security

ARM processors driving automotive innovation

ARM mbed Technical Overview

Accelerating IoT with ARM mbed

ARM Cortex-M and RTOSs Are Meant for Each Other

Cortex-M Software Development

Create an USB Application Using CMSIS-Driver. Klaus Koschinsky Senior Field Applications Engineer

Resilient IoT Security: The end of flat security models. Milosch Meriac IoT Security Engineer

Implementing debug. and trace access. through functional I/O. Alvin Yang Staff FAE. Arm Tech Symposia Arm Limited

AN301, Spring 2017, V 1.0 Ken Havens

Accelerating IoT with ARM mbed

ARM Security Solutions and Numonyx Authenticated Flash

Migrating to Cortex-M3 Microcontrollers: an RTOS Perspective

2017 Arm Limited. How to design an IoT SoC and get Arm CPU IP for no upfront license fee

Profiling and Debugging OpenCL Applications with ARM Development Tools. October 2014

ARM mbed Technical Overview

The Changing Face of Edge Compute

MDK-ARM Version 5. ULINK Debug Adapters. Microcontroller Development Kit.

Cortex-M Processors and the Internet of Things (IoT)

Getting Started with MCUXpresso SDK CMSIS Packs

Heterogeneous multi-processing with Linux and the CMSIS-DSP library

Experiment 1. Development Platform. Ahmad Khayyat, Hazem Selmi, Saleh AlSaleh

MDK-Professional Middleware Components. MDK-ARM Microcontroller Development Kit MDK-ARM Version 5. USB Host and Device. Middleware Pack.

Practical real-time operating system security for the masses

Kinetis SDK Release Notes for the TWR-K24F120M Tower System Module

Innovation is Thriving in Semiconductors

Accelerating intelligence at the edge for embedded and IoT applications

Component-based Software Development for Microcontrollers. Zhang Zheng FAE, ARM China

ARM architecture road map. NuMicro Overview of Cortex M. Cortex M Processor Family (2/3) All binary upwards compatible

Trusted Execution Environments (TEE) and the Open Trust Protocol (OTrP) Hannes Tschofenig and Mingliang Pei 16 th July IETF 99 th, Prague

ARM instruction sets and CPUs for wide-ranging applications

ARM mbed Towards Secure, Scalable, Efficient IoT of Scale

ELC4438: Embedded System Design ARM Cortex-M Architecture II

Kinetis KE1xF512 MCUs

The ARM Cortex-M0 Processor Architecture Part-1

Getting Started with FreeRTOS BSP for i.mx 7Dual

AN316 Determining the stack usage of applications

Internet of Things (IoT)

Smart Grid Embedded Cyber Security: Ensuring Security While Promoting Interoperability

AN4624 Application note

ARM mbed Enabled. Mihail Stoyanov Partner Enablement Team Lead, ARM mbed. Xiao Sun Partner Enablement Engineer, ARM mbed

Keil TM MDK-ARM Quick Start for. Holtek s HT32 Series Microcontrollers

Connecting Securely to the Cloud

Getting Started with Kinetis SDK (KSDK) v.1.2

Kinetis SDK v Release Notes for KV5x Derivatives

Design and Implementation Interrupt Mechanism

Hands-On Workshop: ARM mbed

AN4838. Managing memory protection unit (MPU) in STM32 MCUs. Application note. Introduction

5/11/2012 CMSIS-RTOS. Niall Cooling Feabhas Limited CMSIS. Cortex Microcontroller Software Interface Standard.

Tutorial. How to use Keil µvision with Spansion templates Spansion Inc.

Getting started with X-CUBE-LED channel LED driver software expansion based on LED1642GW for STM32Cube

CMPE3D02/SMD02 Embedded Systems

WAVE ONE MAINFRAME WAVE THREE INTERNET WAVE FOUR MOBILE & CLOUD WAVE TWO PERSONAL COMPUTING & SOFTWARE Arm Limited

Getting Started with Kinetis SDK (KSDK) v.1.3

ARM Cortex -M for Beginners

CODE TIME TECHNOLOGIES. Abassi RTOS. Porting Document. ARM Cortex-M3 CCS

Using Virtual Platforms To Improve Software Verification and Validation Efficiency

Embedded System Design

Freescale Kinetis Software Development Kit Release Notes

Provisioning secure Identity for Microcontroller based IoT Devices

UM2045 User manual. Getting started with the X-CUBE-NFC3 near field communication transceiver software expansion for STM32Cube.

Kinetis KV5x Real-Time Control MCUs with Ethernet Up to 1 MB Flash and 256 KB SRAM

Cortex-M3/M4 Software Desig ARM

智能互联推动嵌入式系统创新. March 2015

L2 - C language for Embedded MCUs

So you think developing an SoC needs to be complex or expensive? Think again

GET STARTED FAST WITH THIS COMPREHENSIVE ENABLEMENT OFFERING FOR LPC800 MCUS

Cortex-A9 MPCore Software Development

Transcription:

ARM TrustZone for ARMv8-M for software engineers Ashok Bhat Product Manager, HPC and Server tools ARM Tech Symposia India December 7th 2016

The need for security Communication protection Cryptography, authentication Data protection Secret data (keys, personal information) Firmware protection IP theft, reverse engineering Operation protection Maintaining service and revenue 2 Anti-tamper protection Related to all other protections

Potential security threats Connection Device access via communication channel Random communication traffic Device access via debug port Malicious firmware updates 3

ARM TrustZone for ARMv8-M Security foundation in hardware 4

ARMv6-M, ARMv7-M, and ARMv8-M architecture Scalable architecture for microcontrollers ARMv7-M Cortex-M3, M4, M7 ARMv6-M Cortex-M0, M0+ Today ARMv8-M Mainline Cortex-M33 ARMv8-M Baseline Cortex-M23 ARMv8-M ARMv8-M baseline (Cortex-M23) Lowest cost and smallest implementations ARMv8-M mainline (Cortex-M33) For general purpose microcontroller products Highly scalable Optional DSP and floating-point extensions 5

TrustZone for ARMv8-A TrustZone for ARMv8-M Non-secure states Secure states Non-secure states Secure states Rich OS, e.g. Linux Secure app/libs Non-secure app Secure app/libs Secure OS Non-secure OS Secure OS Secure monitor TrustZone for ARMv8-M Secure transitions handled by the processor to maintain embedded class latency 6

Security defined by memory map All transactions from core and debugger are checked All addresses are either secure or non-secure Request from CPU Policing managed by Secure Attribution Unit (SAU) Internal SAU similar to MPU Supports use of external system-level definition For example, based on flash blocks or per peripheral Security Attribution Unit System level control Banked MPU configuration Independent memory protection per security state Non-secure MPU Secure MPU Load/stores acquire non-secure (NS) attribute based on address Non-secure access to secure address memory fault Request to system 7

ARMv8-M additional states Existing handler and thread modes are mirrored Secure and non-secure code runs on a single CPU For efficient embedded implementation Secure state for trusted code New secure stack pointers for robust operation Addition of stack-limit checking Handler mode Thread mode ARMv7-M Dedicated resources for isolation between domains Separate memory protection units for secure and non-secure Private SysTick timer for each state Secure side can configure target domain of interrupts Non-secure handler mode Non-secure thread mode ARMv8-M Secure handler mode Secure thread mode 8

High performance cross-domain calls Efficient implementation focused on microcontroller Security inferred from instruction address Secure memory considered to hold secure code Direct function calls across boundary High performance and high security Multiple entry points No need to go via monitor for transitions Uses Secure Gateway (SG) instruction Only permitted in special secure memory with non-secure callable (NSC) attribute Secure Secure handler mode Secure thread mode MSP_S MSPLIM_S PSP_S PSPLIM_S Calls Calls R0 R1 R13 R14 R15 Non-secure Nonsecure handler mode Nonsecure thread mode MSP_NS MSPLIM_NS PSP_NS PSPLIM_N S 9

ARMv8-M programmer s model: Memory map 0xFFFFFFFF 0xF0000000 0xE0000000 0xA0000000 0x60000000 0x40000000 0x20000000 0x00000000 Non-secure state ROM tables System control and debug Off-chip peripherals Off-chip memory Peripherals RAM Flash Debug MPU SCB NVIC SysTick ITM/DWT/FBP Vector table for Non-secure handlers Non-secure memory view is identical with Cortex-M Branches to fixed memory locations access secure firmware Secure memory is invisible 10

ARMv8-M programmer s model: Memory map 0xFFFFFFFF 0xF0000000 0xE0000000 0xA0000000 0x60000000 0x40000000 0x20000000 0x00000000 Secure state ROM tables System control and debug Off-chip peripherals Off-chip memory Non-secure peripherals Secure peripherals Non-secure RAM Secure RAM Non-secure flash Secure flash Non-secure MPU alias Non-secure SCB alias Non-secure SysTick alias Debug SAU Secure MPU Secure SCB NVIC Secure SysTick ITM/DWT/FBP Vector table for secure handlers Secure memory view shows additional Flash, RAM, and peripherals Access to all regions is possible in secure state Regions can be configured in secure state using the SAU 11

A simplified use case Composing a system with secure and non-secure projects Non-secure state User project User application Start Secure state Firmware project System start Non-secure projects cannot access secure resources Function calls Firmware Secure project can access everything I/O driver Function calls Function calls Communication stack Secure and non-secure projects may implement independent time scheduling 12

Software development tools and software components Accelerate software creation for ARMv8-M devices with TrustZone 13

Tools and components for software development Keil MDK IDE & debugger ARM Compiler 6 CMSIS v5 Fast Models ULINK debug adapters MPS2 Cortex-M Prototyping System 14

CMSIS: Pathway to the ARM ecosystem Vendor-independent hardware abstraction layer for Cortex-M series Open source software framework with processor HAL, DSP library, and RTOS kernel Consistent, generic, and standardized software building blocks Optimized API that software creation, code portability, and middleware interfaces Infrastructure to accelerate time to market for device deployment Software Packs to distribute device support, board support, and software building blocks 15 3668 devices supported 1.2M+ source files on GitHub 3M+ downloads in past six months

Software packs MDK tools Keil MDK Microcontroller Development Kit Most comprehensive development solution supporting over 3600 devices MDK-Core ARM C/C++ Compiler DS-MDK µvision IDE with pack management ARM Compiler 5 with qualification kit DS-5 IDE with pack management µvision Debugger with streaming trace ARM Compiler 6 LLVM technology DS-5 Debugger with streamline Device Startup Device HAL CMSIS driver CMSIS CMSIS- Core CMSIS-DSP CMSIS- RTOS IPv4 Network USB device File system Middleware IPv6 network USB host Graphics mbed TLS encryption mbed Client IoT connector CMSIS defines software packs that are created by ARM, silicon vendors, and middleware partners For each project the version of the Software Packs may be specified 16 www.keil.com/mdk

ARM C/C++ Compiler extensions for ARMv8-M C-Preprocessor macro ARM_FEATURE_CMSE indicates secure or non-secure mode Function attributes to support calls between secure and non-secure mode attribute ((cmse_nonsecure_entry)) Secure function that can be call by non-secure code attribute ((cmse_nonsecure_call)) Call to non-secure function from secure code int SecureFunc (int v) attribute ((cmse_nonsecure_entry)) { SecureFunc PROC SG return v+1; ADDS r0,r0,#1 } BXNS lr ENDP Linker generates a export file with secure function entries Non-secure user project Secure project Export of secure function entries 17

CMSIS-CORE for secure mode projects startup_<device>.c CMSIS device startup system_<device >.c CMSIS system and clock configuration partitions.h Secure attributes and interrupt assignment Files relating to CMSIS-CORE including device specific files partitions.h provides initial setup for SAU and configures non-secure mode memory areas and interrupts <user >.c/c++ User application main() {... } <device >.h CMSIS device peripheral access CMSIS-CORE device files CMSIS-CORE header files generated from CMSIS-SVD User program 18

CMSIS-CORE extensions Partition setup and verification Setup for SAU Secure/non-secure Pointer validation Additional Functions to access: New NVIC features Secure and Non-secure MPU Non Secure SysTick New Special Registers API for RTOS interface Management of secure stack memory 19

Debugging of software projects MDK offers debugging with: Fast Model simulation environment for software development prior silicon MPS2 target connection for testing with microcontroller prototypes Secure & Non Secure Debug Access Enter password for Secure Debug Access 21

System visibility to processor and peripherals MDK Debugger provides detailed dialogs for processor, core peripherals, and device peripherals CMSIS-SVD delivers information about device specific peripherals 22

System visibility to software components XML File Status and Event Views Software components are black box for the application programmer MDK Debugger gives visibility to status and events of software components Supports secure firmware and requires no source and debug information + Execution Status Event Information MDK Debugger + Event Recorder Software Component 23

CMSIS-RTOS2 Secure system demo on Cortex-M33 Demonstration of ARMv8-M security features and system recovery Non-secure state Secure state CMSIS-RTOS2 based on RTX5 User interface display thread Test case execution System restart secure fault handlers Incident log Secure watchdog MSP2 running Cortex-M33 system Full source code is part of AppNote 291: Using TrustZone on ARMv8-M 24

Writing secure code for ARMv8-M processors 25

Potential attacks How to avoid software design flaws in secure applications Return from secure to non-secure state CPU Registers may still contain secret information Data pointers that obtain trusted data in non-secure state Non-secure code may provide incorrect pointers that address secure memory Asynchronous modifications to data processing in secure state Non-secure interrupts could change values that are being processed in secure state 26

Return from secure to non-secure state CPU registers may contain secret information Secure mode Secure Non-secure Non-secure mode R0 R1 R2 R3 R4 Returned R0 R1 R2 R3 R4 Read secret data left R12 R13 R14 R15 R12 R13 R14 R15 27

Return from secure to non-secure state Clear shared CPU register content to avoid information leakage Secure state Non-secure state decrypt: SG MOV r3, #SECRET @ do the work MOV r3, #0 MSR APSR_flags, r3 BXNS lr cmse_nonsecure_entry attribute Clear R0-R3 when used Clear status flags ARM Compiler does not leak secure CPU register data to nonsecure mode 28 SECURITY RISK Solved! ARM Compiler clears CPU registers that may contain secure data.

Obtain trusted data in non-secure code Call Secure function and provide a data pointer Non-secure Get data function Call Secure Access function Secure state Secure MPU SECURITY RISK! Is this a valid address to non-secure memory? If not, secure data may get corrupted. Secure RAM 29

Obtain trusted data in non-secure code Check for valid non-secure memory addresses ARMv8-M provides Test Target (TT) instruction to check memory attributes: Returns MPU and SAU configuration information ARM Compiler provides intrinsic functions for pointer validation: Secure state SECURITY RISK Solved! Verify pointer target addresses with ARM Compiler intrinsic functions. 30

Asynchronous modifications to data processing Non-secure interrupt functions may corrupt data currently processed Secure code should never trust non-secure data Non-secure memory may be modified by interrupt handlers High priority interrupt is non-secure state can interrupt secure code execution A debugger access restriction can still change non-secure memory Secure state SECURITY RISK! Non-secure data may be altered during secure code execution 31

Asynchronous modifications to data processing Ensure data processing in secure memory Copy non-secure data before validation Use volatile attribute to disable potential compiler access optimizations Secure state SECURITY RISK Solved! Object is volatile to avoid value propagation and value is validated. 32

Summary ARMv8-M provides the architecture for the next generation of secure connected embedded devices Software and tools make it easy for developers to use secure mode CMSIS provides software building blocks for faster time to market of embedded applications that require security 33

The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners. Copyright 2016 ARM Limited

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback