Arm TrustZone Armv8-M Primer


Arm TrustZone Armv8-M Primer. Odin Shen, Staff FAE, Arm. Arm TechCon 2017.

Security

Security technologies review

Application-level security: designed with security in mind, using authentication and encryption.
Privilege-level security: the OS kernel and applications are partitioned into Privileged and Unprivileged states, with access restrictions enforced on unprivileged code by a Memory Management Unit (MMU) or Memory Protection Unit (MPU).
Arm TrustZone: full isolation between two security levels, the Secure and Non-secure states. Non-secure code is prevented from accessing or modifying Secure resources, which gives the system a root of trust.
Anti-tampering security: Arm SecurCore processors add countermeasures against physical attacks (SecurCore is a separate technology from TrustZone).

Meet Armv8-M

Armv8-M sub-profiles: a scalable architecture. Armv8-M Baseline is the lowest-cost, smallest Armv8-M implementation (the successor to Armv6-M). Armv8-M Mainline is for general-purpose microcontroller products (the successor to Armv7-M): highly scalable, with optional DSP and floating-point extensions.

Armv8-M Baseline performance and scalability: instruction set feature uplift for the baseline microcontroller.

Feature               | Key benefit
Hardware divide       | Faster integer divide in hardware; removes the need for library code.
Compare and branch    | Combined compare-with-zero and branch; faster control code.
Long branch           | Long non-linking branch to complement branch-with-link; enables cross-unit tail calls.
Wide immediate moves  | Pointer and large-immediate creation without a literal load; provides a linking mechanism for execute-only code.
Exclusive accesses    | Load-link / store-conditional support for semaphore use; enables common semaphore handling between CPUs.
Interrupt active bits | The active status of every interrupt is tracked individually; allows dynamic re-prioritization of interrupts.

TrustZone options: Armv8-M Mainline variants. Comprehensive instruction set support with optional DSP and floating-point extensions.
Mainline retains the Baseline fundamentals (hardware divide, exclusive access, compare-and-branch, immediate move) and adds an extensive 32-bit instruction set, roughly 40% performance uplift over Baseline, plus co-processor support.
Optional integer digital signal processing (DSP) extension: around 80 saturating-arithmetic and SIMD operations.
Optional floating-point (FP) extension: around 45 instructions, IEEE 754 compatible single- and/or double-precision floating-point operations.

TrustZone for Armv8-M (diagram): the Non-secure states hold the Non-secure app and the Non-secure OS; the Secure states hold the Secure app/libraries and the Secure OS.

Arm TrustZone technology: bringing Arm security extensions to the embedded world.
New instructions: SG, BXNS, BLXNS, MOVW, MOVT, TT and a few more.
New-style Memory Protection Unit (MPU) with 32-byte granularity, and a separate MPU for the Secure and Non-secure states.
Secure (S) and Non-secure (NS) memory and peripherals.
Secure stack pointers plus stack-limit checking.
Private SysTick timer for each state.
Secure (S) and Non-secure (NS) states run on one CPU.
TrustZone and SecurCore are different technologies.

Armv8-M additional states. The existing Handler and Thread modes of Armv7-M are mirrored with Secure and Non-secure states, giving Secure Handler, Secure Thread, Non-secure Handler and Non-secure Thread modes. Secure and Non-secure code run on a single CPU, for an efficient embedded implementation. The Secure state is for trusted code, with new Secure stack pointers for robust operation and the addition of stack-limit checking. Dedicated resources provide isolation between domains: separate memory protection units for Secure and Non-secure, a private SysTick timer for each state, and the Secure side can configure the target domain of each interrupt.

A simplified use case. The Non-secure state runs the user project (user application, communication stack); the Secure state runs the firmware project (system start, firmware, I/O driver). The system starts in the Secure state and then hands over to the user application. Non-secure projects cannot access Secure resources; Secure projects can access everything. Calls cross the boundary as ordinary function calls, and Secure and Non-secure projects may implement independent time scheduling.

Security defined by address. All transactions from the core and from the debugger are checked, and every address is either Secure or Non-secure. Policing of CPU requests is managed by the Security Attribution Unit (SAU), an internal unit similar to the MPU; it also supports an external, system-level definition (the Implementation Defined Attribution Unit, IDAU), for example based on flash blocks or per peripheral. The MPU configuration is banked, giving independent memory protection per security state (Secure MPU and Non-secure MPU). Loads and stores acquire the NS attribute based on their address, so a Non-secure access attempt to a Secure address is a memory fault (a SecureFault on Armv8-M Mainline; Armv8-M Baseline has no SecureFault exception and escalates such violations to HardFault).

Same address map, different access permissions. The Cortex-M standard 4 GB linear address map is configured into Secure and Non-secure regions, which defines access control for all regions including peripherals and memory. There is no change for developers on the Non-secure side.

Region     | Address range         | Contents                    | Example partition with TrustZone
System     | 0xE0000000-0xFFFFFFFF | System components and debug | Various, CPU controlled
Device     | 0xA0000000-0xDFFFFFFF | Off-chip peripherals        | Secure / Non-secure
RAM        | 0x60000000-0x9FFFFFFF | Off-chip memory             | Secure / Non-secure
Peripheral | 0x40000000-0x5FFFFFFF | Peripherals                 | Secure / Non-secure
SRAM       | 0x20000000-0x3FFFFFFF | SRAM                        | Secure / Non-secure
CODE       | 0x00000000-0x1FFFFFFF | Program flash               | Secure / Non-secure

High-performance cross-domain calls: an efficient, microcontroller-focused implementation. Security is inferred from the instruction address: Secure memory is considered to hold Secure code. Direct function calls across the boundary give high performance and high security, with multiple entry points and no need to go via a monitor for transitions. Entry uses the Secure Gateway instruction SG, which is only permitted in special Secure memory carrying the Non-secure-callable (NSC) attribute.
Register view (diagram): the general-purpose registers R0-R12, R14 (LR) and R15 (PC) are shared between the two states; R13 (SP) is banked, so each side has its own Handler and Thread modes backed by MSP_S / MSPLIM_S / PSP_S / PSPLIM_S on the Secure side and MSP_NS / MSPLIM_NS / PSP_NS / PSPLIM_NS on the Non-secure side.

Retain the familiar programmers' model (diagram). Each design keeps the Privileged/Unprivileged split. Classic embedded design (Armv7-M): firmware and trusted libraries over an RTOS. Secure embedded design (Armv7-M): untrusted and trusted firmware separated by privilege level over an RTOS with a trusted resource manager and libraries. Secure embedded design with TrustZone for Armv8-M: the same layout, with the trusted resource manager and libraries moved into the Secure state and the RTOS and firmware left Non-secure.

Typical software generation flow. Based on the proposed update to the Arm C Language Extensions (ACLE), the NSC region contains branch veneers that are generated automatically by the toolchain (linker). The Secure project marks its APIs (func1, func2, func3) with __attribute__((cmse_nonsecure_entry)); the linker emits an NSC veneer of the form "SG; B.W funcN" for each of them and produces a symbol file / export library. The Non-secure project (main() calling func1()) links against that export library, so every call lands on an SG veneer rather than directly on Secure code.

Stack and stack pointer. An Armv8-M processor has four stack pointers:
1. MSP_S (Secure Main Stack Pointer)
2. PSP_S (Secure Process Stack Pointer)
3. MSP_NS (Non-secure Main Stack Pointer)
4. PSP_NS (Non-secure Process Stack Pointer)
Stack-limit checking detects when more stack is used than expected. Armv8-M Mainline: all four stack pointers have stack-limit registers. Armv8-M Baseline: only the Secure stack pointers have stack-limit registers; the Non-secure stacks rely on the MPU for overflow detection.

Example compiler interaction: coding a Non-secure-callable function. Secure code can be marked as Non-secure callable:

    int MySecureFunc(int v) __attribute__((cmse_nonsecure_entry)) {
        return v + 1;
    }

Code generation produces an SG at the entry (or an SG veneer in NSC memory) and a BXNS to permit the return to the Non-secure state:

    MySecureFunc:
        SG
        ADDS r0, r0, #1
        BXNS lr

A header file or linker script supports calling it from the Non-secure state:

    extern int MySecureFunc(int v);

The listing is simplified: a real toolchain also clears the registers that do not carry the return value (and the APSR flags) before the BXNS, so Secure-state values do not leak into the Non-secure caller.
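The address-attribution rule from the "Security defined by address" slide and the entry-function pattern just shown together decide what a Secure service may safely do with a pointer handed to it by Non-secure code. The following is an added example, not code from the slides, from CMSIS or from any Arm toolchain: a host-side C model of the SAU region lookup (RBAR/RLAR semantics, the 32-byte granule, and the rule that an address matching two regions resolves to Secure), the fault decision for a Non-secure data access, and a checksum service in the style of a cmse_nonsecure_entry function, shown once without and once with the range check that real code performs with cmse_check_address_range() from <arm_cmse.h>. The region table, the two SRAM windows and their contents are constructed for the example; the IDAU combination (more restrictive attribute wins) is noted but not modelled.

```c
/* Added example, not from the slides: host-side model of Armv8-M SAU address
 * attribution and of validating Non-secure pointers inside a Secure entry
 * function. On a real Cortex-M33 the SAU is programmed via SAU->RNR/RBAR/RLAR,
 * the TT instruction reports the attributes, and <arm_cmse.h> provides
 * cmse_check_address_range(); the tables and memory windows here are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Ordered so that the more restrictive attribute compares larger. */
typedef enum { ATTR_NS = 0, ATTR_NSC = 1, ATTR_S = 2 } sec_attr_t;

typedef struct {
    uint32_t base;   /* first byte (RBAR.BADDR, 32-byte aligned) */
    uint32_t limit;  /* last byte  (RLAR.LADDR with the low 5 bits set) */
    bool nsc;        /* RLAR.NSC: Non-secure callable */
    bool enable;     /* RLAR.ENABLE */
} sau_region_t;

/* Constructed partition. Anything not covered by an enabled region is Secure. */
static const sau_region_t sau_region[] = {
    { 0x001FF000u, 0x001FFFFFu, true,  true },  /* NSC veneers: SG + B.W to Secure APIs */
    { 0x00200000u, 0x003FFFFFu, false, true },  /* Non-secure code */
    { 0x20040000u, 0x2007FFFFu, false, true },  /* Non-secure SRAM */
    { 0x40000000u, 0x4FFFFFFFu, false, true },  /* Non-secure peripherals */
};
static const bool sau_enable = true;   /* SAU_CTRL.ENABLE */
static const bool sau_allns  = false;  /* SAU_CTRL.ALLNS, only meaningful while disabled */

/* SAU lookup for one address (the S/NSC/NS part of what TT reports). A real
 * device combines this with the IDAU result, the more restrictive one winning. */
static sec_attr_t attribute_of(uint32_t addr)
{
    if (!sau_enable)
        return sau_allns ? ATTR_NS : ATTR_S;
    sec_attr_t attr = ATTR_S;
    bool hit = false;
    for (size_t i = 0; i < sizeof sau_region / sizeof sau_region[0]; i++) {
        const sau_region_t *r = &sau_region[i];
        if (!r->enable || addr < r->base || addr > r->limit)
            continue;
        if (hit)
            return ATTR_S;  /* matched two regions: architecturally Secure, not NSC */
        hit = true;
        attr = r->nsc ? ATTR_NSC : ATTR_NS;
    }
    return attr;
}

/* Data access from the given state. NS may only touch NS memory; an NS load or
 * store to Secure (including NSC) memory is the fault the slides describe. */
static bool access_allowed(bool from_secure, uint32_t addr)
{
    return from_secure || attribute_of(addr) == ATTR_NS;
}

/* Model of cmse_check_address_range(p, size, CMSE_NONSECURE): the whole range
 * must be Non-secure and must not wrap; checked per 32-byte SAU granule. */
static bool ns_range_ok(uint32_t addr, uint32_t size)
{
    if (size == 0 || addr + size - 1 < addr)
        return false;
    uint32_t a = addr & ~31u;
    uint32_t last_granule = (addr + size - 1) & ~31u;
    while (attribute_of(a) == ATTR_NS) {
        if (a == last_granule)
            return true;
        a += 32;
    }
    return false;
}

/* Constructed memory windows so the services below read real bytes. */
static const uint8_t s_sram[32]  = "SECRET-KEY";  /* at 0x20000000: Secure SRAM */
static const uint8_t ns_sram[32] = "hello";       /* at 0x20040000: Non-secure SRAM */

static const uint8_t *window(const uint8_t *w, uint32_t base, uint32_t addr, uint32_t len)
{
    uint32_t off = addr - base;  /* wraps to a large value for addr < base */
    return (off < 32u && len <= 32u - off) ? w + off : NULL;
}
static const uint8_t *mem_ptr(uint32_t addr, uint32_t len)
{
    const uint8_t *p = window(s_sram, 0x20000000u, addr, len);
    return p ? p : window(ns_sram, 0x20040000u, addr, len);
}
static int64_t sum_bytes(const uint8_t *p, uint32_t len)
{
    int64_t s = 0;
    for (uint32_t i = 0; i < len; i++) s += p[i];
    return s;
}

/* Secure "checksum" service as a Non-secure caller sees it; both would carry
 * __attribute__((cmse_nonsecure_entry)) on the target. Returns the sum, or -1. */

/* Vulnerable: dereferences whatever address NS supplies, with Secure privilege.
 * NS cannot read 0x20000000 itself (access_allowed says so) but can ask this
 * confused deputy to do it, and the checksum leaks the Secure bytes. */
int64_t checksum_entry_unchecked(uint32_t addr, uint32_t len)
{
    const uint8_t *p = mem_ptr(addr, len);
    return p ? sum_bytes(p, len) : -1;  /* NULL only means "outside the model" */
}

/* Hardened: refuse unless every byte of the range is Non-secure. With
 * <arm_cmse.h>: if (cmse_check_address_range((void *)addr, len,
 *                   CMSE_NONSECURE | CMSE_MPU_READ) == NULL) return -1; */
int64_t checksum_entry_checked(uint32_t addr, uint32_t len)
{
    if (!ns_range_ok(addr, len))
        return -1;
    const uint8_t *p = mem_ptr(addr, len);
    return p ? sum_bytes(p, len) : -1;
}

int main(void)
{
    printf("NS read of 0x20000000 allowed: %d\n", access_allowed(false, 0x20000000u));
    printf("unchecked service on Secure key: %lld\n", (long long)checksum_entry_unchecked(0x20000000u, 10));
    printf("checked service on Secure key:   %lld\n", (long long)checksum_entry_checked(0x20000000u, 10));
    printf("checked service on NS buffer:    %lld\n", (long long)checksum_entry_checked(0x20040000u, 5));
    return 0;
}
```

The check must cover the whole range, not just the first byte, and must reject a length that wraps the address space: a range that starts in Non-secure SRAM and runs into the Secure part is the usual way such a service is turned into a Secure-memory read primitive. On the target, the Secure project is compiled with -mcmse and (with GNU ld) linked with --cmse-implib --out-implib=<file>, which is the export library the generation-flow slide refers to; output pointers handed in from Non-secure code need the same treatment with the write permission requested.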

Tools and components for software development

Tools and components for software development: Keil MDK v5.22 (IDE and debugger), Arm Compiler 6.6, CMSIS v5.0.0, Fast Models, ULINK debug adapters, MPS2 Cortex-M Prototyping System.

Software packs and MDK tools. Keil MDK (Microcontroller Development Kit) has complete support for Cortex-M23 and Cortex-M33.
MDK-Core: µVision IDE with pack management, µVision Debugger with streaming trace.
Arm C/C++ Compiler: Arm Compiler 5 with qualification kit, Arm Compiler 6 (LLVM technology).
DS-MDK: DS-5 IDE with pack management, DS-5 Debugger with Streamline.
CMSIS: CMSIS-Core, CMSIS-DSP, CMSIS-RTOS, CMSIS-Driver, plus device startup and device HAL.
Middleware: IPv4 and IPv6 network, USB device and host, file system, graphics, mbed TLS encryption, mbed Client IoT connector.
CMSIS defines software packs that are created by Arm, silicon vendors and middleware partners; for each project the version of the software packs may be specified. www.keil.com/mdk

CMSIS: pathway to the Arm ecosystem. A vendor-independent hardware abstraction layer for the Cortex-M series. An open-source software framework with processor HAL, DSP library and RTOS kernel. Consistent, generic and standardized software building blocks. Optimized APIs that simplify software creation, code portability and middleware interfaces. Infrastructure to accelerate time to market for device deployment. Software packs distribute device support, board support and software building blocks. Figures quoted on the slide: 3668 devices supported, 1.2M+ source files on GitHub, 3M+ downloads in the past six months.

What's new in CMSIS v5. Cortex-M23 and Cortex-M33 support, complete with examples for Fast Models (FVP) and MPS2. TrustZone for Armv8-M extensions: access to all new CPU registers, partitioning for Secure / Non-secure access, and generic RTOS stack context management. The DSP library is adapted for Cortex-M23 and Cortex-M33. CMSIS-RTOS2 and the RTX implementation support TrustZone for Armv8-M. Development is public on GitHub: https://github.com/arm-software/cmsis_5 (3M+ downloads in the past six months).

CMSIS-RTOS2, new in CMSIS v5. Compatible with CMSIS-RTOS (v1); mbed OS is using RTX. The enhanced RTOS2 API offers more flexibility: dynamic and static object allocation, extended features (for example event flags), a fixed API with no implementation specifics, Armv8-M support for Secure-mode libraries, multi-processor communication support, and a C++ API wrapper (in development). It addresses weaknesses of the CMSIS-RTOS API v1. CMSIS-RTOS2 reference implementations: RTX v5 implements the native RTOS2 API; FreeRTOS (in development). Layering (diagram): application code uses either cmsis_os.h (CMSIS-RTOS API, object definition via macros, function-call translation) or cmsis_os2.h (CMSIS-RTOS2 API) on top of the real-time kernel.
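The "RTOS stack context management" and "Armv8-M support for Secure-mode libraries" items above refer to the fact that a Non-secure thread which calls Secure functions needs its own Secure process stack, which the Non-secure RTOS cannot set up itself. CMSIS v5 defines a small Secure-side API for this in tz_context.h (TZ_InitContextSystem_S, TZ_AllocModuleContext_S, TZ_LoadContext_S, TZ_StoreContext_S, TZ_FreeModuleContext_S) that RTX5 calls on thread creation, context switch and thread exit. The following is an added example, not CMSIS's own implementation and not from the slides: a host-side C model of that API with PSP_S and PSPLIM_S as plain variables, a fixed pool of Secure stack slots, validation of every memory id that arrives from the Non-secure side, and a modelled push that shows the stack-limit check keeping one thread's Secure stack out of its neighbour's. The slot count and stack size are constructed.

```c
/* Added example, not from the slides or from CMSIS: host-side model of the CMSIS
 * tz_context.h Secure stack-context API used by CMSIS-RTOS2/RTX5 on Armv8-M.
 * The real functions are Secure entry points (cmse_nonsecure_entry) that move
 * PSP_S/PSPLIM_S with MSR/MRS; here those registers are variables, and the slot
 * count and stack size are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint32_t TZ_ModuleId_t;   /* identifies the Secure module a thread will call */
typedef uint32_t TZ_MemoryId_t;   /* 0 = no context / failure, as in CMSIS */

#define TZ_SLOTS       4
#define TZ_STACK_WORDS 64

typedef struct {
    bool          in_use;
    TZ_ModuleId_t module;
    uint32_t     *stack_limit;  /* lowest word: becomes PSPLIM_S while loaded */
    uint32_t     *saved_sp;     /* PSP_S as captured by TZ_StoreContext_S */
} tz_slot_t;

static uint32_t      tz_stack[TZ_SLOTS][TZ_STACK_WORDS];  /* Secure SRAM, never NS-accessible */
static tz_slot_t     tz_slot[TZ_SLOTS];
static TZ_MemoryId_t tz_loaded;                          /* id whose stack PSP_S points at */

/* Modelled Secure process stack registers. */
static uint32_t *psp_s, *psplim_s;

/* Called once from Secure main() before the Non-secure image is started. */
uint32_t TZ_InitContextSystem_S(void)
{
    for (size_t i = 0; i < TZ_SLOTS; i++)
        tz_slot[i].in_use = false;
    tz_loaded = 0;
    psp_s = psplim_s = NULL;
    return 1u;
}

/* Called by the NS RTOS when it creates a thread that will call Secure code. */
TZ_MemoryId_t TZ_AllocModuleContext_S(TZ_ModuleId_t module)
{
    for (size_t i = 0; i < TZ_SLOTS; i++) {
        if (tz_slot[i].in_use)
            continue;
        tz_slot[i].in_use      = true;
        tz_slot[i].module      = module;
        tz_slot[i].stack_limit = &tz_stack[i][0];
        tz_slot[i].saved_sp    = &tz_stack[i][TZ_STACK_WORDS];  /* full descending: start at top */
        return (TZ_MemoryId_t)(i + 1);
    }
    return 0u;  /* pool exhausted: the NS RTOS must fail thread creation */
}

/* Every id crosses the boundary from untrusted code: bounds-check it and make
 * sure the slot is live before touching anything it selects. */
static tz_slot_t *tz_lookup(TZ_MemoryId_t id)
{
    if (id == 0u || id > TZ_SLOTS || !tz_slot[id - 1].in_use)
        return NULL;
    return &tz_slot[id - 1];
}

/* Context switch, incoming thread: point PSP_S/PSPLIM_S at its Secure stack. */
uint32_t TZ_LoadContext_S(TZ_MemoryId_t id)
{
    tz_slot_t *s = tz_lookup(id);
    if (s == NULL)
        return 0u;
    psplim_s  = s->stack_limit;
    psp_s     = s->saved_sp;
    tz_loaded = id;
    return 1u;
}

/* Context switch, outgoing thread: save PSP_S. Only the loaded context may be
 * stored, otherwise NS could make one slot record another thread's pointer. */
uint32_t TZ_StoreContext_S(TZ_MemoryId_t id)
{
    tz_slot_t *s = tz_lookup(id);
    if (s == NULL || id != tz_loaded)
        return 0u;
    s->saved_sp = psp_s;
    return 1u;
}

/* Thread termination: release the slot; the id is rejected from then on. */
uint32_t TZ_FreeModuleContext_S(TZ_MemoryId_t id)
{
    tz_slot_t *s = tz_lookup(id);
    if (s == NULL)
        return 0u;
    if (id == tz_loaded) {
        tz_loaded = 0;
        psp_s = psplim_s = NULL;
    }
    s->in_use = false;
    return 1u;
}

/* Model of a Secure function pushing n words. Armv8-M compares the new SP with
 * PSPLIM_S and raises UsageFault (STKOF) instead of writing below the limit,
 * which is what keeps one thread's Secure stack out of the neighbouring slot.
 * Returns false where the hardware would fault. */
bool secure_push_words(uint32_t n)
{
    if (psp_s == NULL || (uint32_t)(psp_s - psplim_s) < n)
        return false;
    psp_s -= n;
    for (uint32_t i = 0; i < n; i++)
        psp_s[i] = 0xA5A5A5A5u;
    return true;
}
```

The two checks that matter for security are in tz_lookup and TZ_StoreContext_S: the memory id is chosen by Non-secure code, so an out-of-range or freed id must be refused rather than indexed, and storing must only ever record the stack pointer of the context that is actually loaded. Without the limit register, the push in secure_push_words would silently continue into the next slot's words.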

Debugging of software projects. MDK offers debugging with: the Fast Models simulation environment for software development prior to silicon; MPS2 target connection for testing with microcontroller prototypes; Secure and Non-secure debug access (the debugger prompts for a password before granting Secure debug access).

System visibility to processor and peripherals. The MDK Debugger provides detailed dialogs for the processor, core peripherals and device peripherals; CMSIS-SVD delivers the information about device-specific peripherals.

System visibility to software components. Software components are a black box for the application programmer. The MDK Debugger, through the Event Recorder, gives visibility into the execution status and event information of software components, described by an XML file and shown in status and event views. This works with secure firmware and requires no source or debug information.

CMSIS-RTOS2 secure system demo on Cortex-M33: a demonstration of Armv8-M security features and system recovery. Non-secure state: CMSIS-RTOS2 based on RTX5, a user-interface display thread, and test-case execution. Secure state: system restart, SecureFault handlers, an incident log, and a Secure watchdog. Runs on an MPS2 board with a Cortex-M33 system. Full source code is part of Application Note 291: Using TrustZone on Armv8-M.

Debugging. A debugger can see everything (it has to have this ability), so obvious security breaches are easily carried out via JTAG. Restricting debug access to the Non-secure side only is a benefit, and debug access to the Secure side must be securely blocked.

MDK Target Toolkits for Armv8-M. MDK targeted toolkits are based on DS-MDK (Eclipse) and intended as free-to-use toolkits provided by silicon partners (SiPs) for their customers. Initially only for global SiPs with a huge customer base (> 10,000) and multi-year budgets. Requires co-operation with SiP engineering teams, as it needs to fit the existing infrastructure. Contact odin.shen@arm.com

Next steps in the evolution of Armv8-M. Compilers must be upgraded for the new instructions and so on; RTOSes need to take advantage of the new features; middleware needs upgrades; tools partners must update their tools. Arm MDK is already capable of Armv8-M development, Arm has already started on compilers, and others are in the same situation.

Further documentation: https://community.arm.com/docs/doc-10896. Whitepapers: Armv8-M Architecture Technical Overview (Joseph Yiu); Cortex-A TrustZone: PRD29-GENC-009492C_trustzone_security_whitepaper.pdf; www.arm.com/trustzone; Application Note 291.

Thank You! Danke! Merci! 谢谢! ありがとう! Gracias! Kiitos!

The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners. www.arm.com/company/policies/trademarks