The IoT is rapidly gathering momentum; estimates of the number of devices connected to the network vary from 20 billion (according to Gartner) to 30 billion (statista) by the end of next year. The exact number is of little consequence, what’s far more important is the value of the data those connected devices accumulate. The higher the value of that data — be it, for example, financial, medical, commercial, or personal — the more it attracts the attention of the bad guys. But that doesn’t mean if a device handles no sensitive data security can be ignored. By connecting devices together life is made easier for the hackers because they can concentrate their efforts on the weakest link in the chain – especially if that link is defenseless. Once hacked, the compromised device offers an unlocked back door into more secure devices elsewhere on the network.
A key challenge for engineers tasked with the protection of hardware and software architectures is to secure valuable data without compromising the flexibility and convenience of a solution by locking down everything. One established solution is to create "Trusted Execution Environments" (TEEs). TEEs are secure areas inside the processor that run in parallel but are isolated from (and often invisible to) the main operating system. Code and data inside TEEs are maintained with the highest level of integrity and confidentiality while elsewhere things can be a little less constrained. Such a system protects the valuable code and data while enabling less valuable code and data to run unencumbered on the main operating system. Commercial implementation of TEEs include TrustZone from Arm, a silicon IP vendor. The company explains that TrustZone technology provides “system-wide hardware isolation for trusted software”.
Flexible and secure
TrustZone represents a flexible approach to high levels of security by enabling an Arm processor to be used as a freely programmable "trusted platform module". This is achieved by adding a “secure” processor operational mode (establishing a “secure world” or a TEE within the processor) in addition to the regular normal mode. By implementing the secure mode, things like security functions and cryptographic credentials can be hidden from the normal processor functions.
When operating in the secure mode, for example to perform a secure boot, the processor runs code from secure memory and can interface with secure peripherals. Upon completion of the boot up, the processor attends to user software such as the application and protocol stack in normal mode. The processor is never simultaneously in secure mode and normal mode.
John Leonard, Nordic’s Senior Product Marketing Manager advises developers to firstly use TrustZone to build a “root-of-trust” for the system comprising everything needed for a secure boot and system recovery. Once that root of trust is established, the elements in normal mode can make function calls to the functions that exist in the secure world. However, the normal mode function calls can only access that which has been exposed for such purposes in the secure code.
To understand how TrustZone works in practice, consider the design of a smartwatch for both collecting exercise data and performing mobile payments. The smartwatch will need a secure mechanism for identifying the user so that payment details can be securely released to the vendor. With TrustZone handling the user identity and payment systems, it becomes very difficult to hijack sensitive data. As soon as a need to use the payment system is triggered, the processor switches from the normal to the secure mode and enables the payment app. Authentication could involve a secure PIN entry or biometric check to ensure the device can only be used by the trusted owner and the payment details are safe from hacking.
While Trustzone does provide a secure basis to protect the most important aspects of the system, Leonard advises “TrustZone isn’t the last word in security and is no substitute for a secure-by-design product development process”. To assist in building protected products, Arm offers its Platform Security Architecture (PSA
) which it describes as a framework for securing connected devices. PSA provides a step-by-step guide to building in the right level of device security, reducing risk associated with data reliability.
In addition, Arm TrustZone CryptoCell IP complements TrustZone by enabling greater separation of assets through hardware.