Beyond TrustZone: Security Enclaves. Reed Hinkel, Senior Manager, Embedded Security Market Development


Slide 1: Beyond TrustZone, Part 2: Security Enclaves. Reed Hinkel, Senior Manager, Embedded Security Market Development. Arm Tech Seminars 2017

Slide 2: Agenda
- New security technology for IoT
- Security enclaves: CryptoIsland
- System IP for debug
- Dev boards & chips
- GlobalPlatform TEE
- OTA and RoT topics
- Summary

Slide 3: In a connected-everything world, what level of security robustness do you need?

Slide 4: Security is a balance
The slide plots cost/effort to attack against cost/effort to secure.
Protection levels, from lowest to highest cost to secure:
- TrustZone based TEE*/PSA
- Security enclave or subsystem
- Secure Element
Attack classes, from lowest to highest cost to attack:
- Software attacks & lightweight hardware attacks: buffer overflows, interrupts, malware
- Communication attacks (TLS/SSL): man in the middle, weak RNG, code vulnerabilities
- SW & HW attacks with physical access to the device: JTAG, bus, I/O pins; time, money & equipment
* Trusted Execution Environment / Secure Partitioning Manager

Slide 5: Beyond TrustZone - Security enclaves
- A programmable security enclave to extend the fixed-function CryptoCell family.
- TrustZone CryptoIslands: an additional family of security solutions by Arm, aimed at providing on-die security services in a physically isolated manner (host-CPU agnostic).
- Axiom: less sharing of resources leads to a smaller attack surface and fewer vulnerabilities.
- Certification at a reasonable cost (i.e. reuse).
[Block diagram: SoC with host CPU and instruction cache, interconnect, CoreSight SoC debug, flash controller(s) with internal/external flash, SRAM controller with system SRAM, TrustZone filters on each path, APB bridge to APB peripherals, power control and an SoC always-on domain. The CryptoIsland sits behind an isolating interface and contains a secure CPU, boot ROM, secure RAM, cryptography, LCS (lifecycle state) manager, secure always-on alarms, roots of trust and debug control.]

Slide 6: Example: PSA with CryptoIsland on Armv8-M
CryptoIsland provides services to the Trusted Partitions and/or implements some of these trusted functions.
[Diagram: Armv8-M non-secure processing environment, Armv8-M secure processing environment (SPE), and the CryptoIsland security enclave alongside them.]

Slide 7: Example: PSA with CryptoIsland on Armv7-M
The Secure Processing Environment (SPE) is in CryptoIsland.
[Diagram: Armv7-M non-secure processing environment next to the CryptoIsland security enclave.]

Slide 8: CryptoIsland-300: the first family member
- We are forming a first security enclave out of existing and mature HW components (CPU, CryptoCell, interconnect, filters, mailbox, power control).
- The SW and tools are where a lot of the effort is being invested.
- Key point: preserve an identical touch and feel from the SW perspective, so the isolation/robustness choice explained earlier won't impact the higher layers. This allows different implementations to be interchangeable.
- Example target applications: LPWAN, storage, automotive, general-purpose MCUs.

Slide 9: New solution for authenticated debug access: SDC-600
- Hackers can abuse debug interfaces to gain access to the chip.
- Arm is addressing this misuse by enabling debug authentication on our partners' silicon.
- Alternative to blowing the e-fuse on the debug port.
- SDC-600 (Secure Debug Channel) enables a certificate-based authentication handshake with the external agent.
[Diagram: Socrates debug subsystem with CoreSight SoC and host CPU; the SDC-600 Secure Debug Channel crosses the isolating interface into CryptoIsland (secure CPU, debug control, certificate, boot ROM, secure RAM, cryptography, LCS manager, secure always-on alarms, roots of trust).]

Slide 10: The Secure Debug Manager knows how to do the crypto to generate an unlock certificate for CryptoCell or other unlock technology the target supports. Following certificate installation the APs (access ports) are enabled, allowing external debug access.
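The flow on slides 9 and 10, modelled as an added example in Go (my own code, not SDC-600's protocol, CryptoCell's certificate format or any Arm code): the debug authority signs a certificate binding a device ID to an access-port mask, and the device opens access ports only after verifying the signature against its trust anchor and checking the device binding. Ed25519, the payload layout and the names UnlockCert, Device, IssueCert and InstallCert are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// UnlockCert is a hypothetical model of a debug unlock certificate: it binds a
// device ID to the access ports (APs) it may open, signed by the debug authority.
type UnlockCert struct {
	DeviceID uint64
	APMask   uint32 // bit i set = access port i may be enabled
	Sig      []byte // Ed25519 signature over certPayload(DeviceID, APMask)
}

func certPayload(id uint64, mask uint32) []byte {
	return binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint64(nil, id), mask)
}

// IssueCert models the Secure Debug Manager side: it signs the unlock request.
func IssueCert(priv ed25519.PrivateKey, id uint64, mask uint32) UnlockCert {
	return UnlockCert{id, mask, ed25519.Sign(priv, certPayload(id, mask))}
}

type Device struct {
	TrustAnchor ed25519.PublicKey // authority public key held by the Root of Trust
	ID          uint64
	EnabledAPs  uint32 // stays 0 until a valid certificate is installed
}

// InstallCert checks signature and device binding before enabling any AP.
func (d *Device) InstallCert(c UnlockCert) error {
	if !ed25519.Verify(d.TrustAnchor, certPayload(c.DeviceID, c.APMask), c.Sig) {
		return fmt.Errorf("certificate not signed by the trust anchor")
	}
	if c.DeviceID != d.ID {
		return fmt.Errorf("certificate issued for device %#x, not %#x", c.DeviceID, d.ID)
	}
	d.EnabledAPs = c.APMask
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed authority key pair
	dev := &Device{TrustAnchor: pub, ID: 0x1234}
	fmt.Println(dev.InstallCert(IssueCert(priv, 0x1234, 0b11)), dev.EnabledAPs)
}
```

The model leaves out what a production handshake adds, such as binding the certificate to a device-generated challenge and to the lifecycle state, so that a captured certificate cannot simply be replayed.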

Slide 11: New dev board for PSA development: Musca-A1!
- Ready for PSA development
- Cortex-M33 based dev board, used for internal software development
- Test chip built on PSA recommendations
- PSA development platform: prototype your system
- Available now; come to the Arm booth to see Musca-A1!

Slide 12: Musca-A1 PSA development platform
[Block diagram: CoreLink SSE-200 subsystem (two Cortex-M33 cores, each with an instruction cache; IDAUs; TrustZone filters; local SRAM; always-on domain and power control; secure debug via CoreSight SoC; multi-layer AHB5 interconnect) built from Arm CoreLink SDK-200 IP, Cadence IP and other IP; AHB5 code interface through TrustZone filters to the SRAM controllers for code SRAM and system SRAM; TrustZone CryptoCell; Cordio BLE / 802.15.4 (digital and RF parts); APB bridge to APB peripherals (RTC, SPI, I2S, UART, PWM, I2C master, QSPI, GPIO); PLL with 32 kHz and 32 MHz oscillators.]

Slide 13: Agenda (section divider; repeats the agenda from slide 2)

Slide 14: Arm TrustZone based TEE architecture: a reminder of the architecture
[Diagram: normal world code (apps, rich OS at EL1, hypervisor at EL2, device drivers) beside the TrustZone-based TEE (trusted apps such as payment and DRM, Trusted OS, secure device drivers; GlobalPlatform standardization). Beneath both, Arm Trusted Firmware (SMCCC, PSCI, trusted boot, payload dispatcher) as the common foundation, then Arm Cortex-A hardware interfaces, the SoC subsystem and physical IP (graphics, video, CryptoCell, secure store) forming the initial RoT and security subsystem. Key: trusted SW/HW.]

Slide 15: GlobalPlatform & TEE
- GlobalPlatform is a Standards Defining Organisation: it is the home of the TEE.
- Defines APIs and trusted services; compliance program
- TEE Protection Profile; security certification program
- OTA management of the TEE is a market requirement: over-the-air TEE management via the Trusted Management Framework & Open Trust Protocol (PKI & JSON based)

Slide 16: A new capability: standards-based OTA TEE management
OTrP* is being developed as an option in TMF and is compatible with the GlobalPlatform TEE System Architecture.
Main features:
- A specific PKI architecture and trust anchors
- A high-level (JSON-based) message protocol
- A REE agent for communication with the TAM/TSMs
- A set of mandatory services from the boot TEE and bootstrap domain
[Diagram: secure code image from the developer, an image delivery server, the TAM, the TEE device, and a TEE Device Certificate Authority.]
* Open Trust Protocol is being developed as an option for the Trusted Management Framework.

Slide 17: Root of Trust is the foundation for secure services
RoT = trustworthy hardware & security functions:
- PC: TPM
- Mobile & IoT: TEE and/or security subsystem / SE
- Cloud: HSM
A Root of Trust is a hardware device and a runtime environment that provide a set of trusted functions from which an initial chain of trust can be derived. It is the trust anchor for the system.

Slide 18: TrustZone based TEE + extended Root of Trust example
- Normal World: the IoT developer writes apps on top of his/her chosen OS.
- Secure World = trusted code (Trusted OS/libs) + trusted apps/functions + trusted hardware.
- Security subsystem: reduced attack surface; protection from physical & side-channel attacks; developed by security specialists.

Slide 19: TrustZone based TEE + security subsystem option: an additional security layer
Layers: applications; Arm TrustZone based TEE for trusted functions; security subsystem (e.g. Arm CryptoCell) for RoT services. Trusted functions and RoT services shown:
- RoT management
- Rollback protection
- SW updates validation
- RNG
- Execution environment isolation
- Lifecycle management
- Data protection (off-line, runtime)
- SW validation & decryption
- Debug authentication
- Secure manufacturing
- Cryptography
- Persistent trusted storage
The TrustZone family of security IPs provides protection from physical & SW attacks.

Summary

Slide 21: Key take-aways
- Arm has launched CryptoIsland, a new family of security enclaves by Arm: it provides a robust Root of Trust with some programmability and creates another layer of hardware security beyond TrustZone.
- Arm has launched SDC-600 for certificate-based control of debug.
- The TrustZone based TEE for Cortex-A is gaining a simple OTA management protocol: OTrP provides a PKI-based trust architecture and a high-level JSON protocol.
- Arm is making robust security easier, quicker and cheaper to implement!

Slide 22: Thank You! Danke! Merci! 谢谢! ありがとう! Gracias! Kiitos!

Slide 23: The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners. www.arm.com/company/policies/trademarks