#### **TRUSTZONE TECHNOLOGY**

NOVEMBER, 2018





SECURE CONNECTIONS FOR A SMARTER WORLD

EXTERNAL USE

#### Content

- TrustZone Technology Overview
- Memory Configuration
- Switching between Secure and Non-secure
- Exceptions



# TRUSTZONE TECHNOLOGY OVERVIEW



#### **IoT Will Be Everywhere**

 In recent years, the Internet of Things (IoT) has become a hot topic for embedded system developers.



- Iot system products have become more complex, and better solutions are needed to ensure system security.
- Traditional solution: By dividing software into privileged and non-privileged parts, privileged software uses MPU to prevent unprivileged applications from accessing critical system resources, including security-sensitive information.



#### **ARM TrustZone technology**

- TrustZone technology for ARMv8-M is an optional Security Extension that is designed to provide a
  foundation for improved system security in a wide range of embedded applications.
- TrustZone technology divides the system into two states, safe and non-secure, and can switch between the two states through corresponding commands.





#### Switching between Secure and Non-secure

- The Secure memory space is further divided into two types:
  - Secure and Non-secure Callable(NSC)





#### Cortex-M and Cortex-A TrustZone technology comparison

- In both designs, the processor has Secure and Non-secure states.
- There are several differences in the implementation:
  - TrustZone technology for ARMv8-M supports multiple Secure function entry points, whereas in TrustZone technology for Cortex-A processors, the Secure Monitor handler is the sole entry point.
  - Non-secure interrupts can still be serviced when executing a Secure function.







#### Features of TrustZone technology

- Allows user to divide memory map into Secure and Non-Secure regions
- Allows debug to be blocked for Secure code/data when not authenticated
- CPU includes Security Attribution Unit (SAU) as well as a duplication of NVIC, MPU, SYSTICK, core control registers etc. such that Secure/Non-Secure codes can have access to their own allocated resources
- Stack management expands from two stack pointers in original Cortex-M (Main Stack Pointer (MSP) and Process Stack Pointer (PSP)) to four, providing the above pair individually to both Secure and Non-Secure
- Introduces the concept of **Secure Gateway** opcode to allow secure code to define a strict set of entry points into it from Non-secure code.



#### **Stack limit checking**

 As part of ARM TrustZone technology for ARMv8-M, there is also a stack limit checking feature. For ARMv8-M Mainline, all stack pointers have corresponding stack limit registers.



#### **General-purpose register banking**

| <ul> <li>Most general-purpose registers are common to both</li> </ul> |        |          |
|-----------------------------------------------------------------------|--------|----------|
| • • • •                                                               |        | r0       |
| security states                                                       |        | rl       |
| Registers R0-R7                                                       |        | r2       |
| <ul> <li>Accessible to all instructions</li> </ul>                    |        | r3       |
| Registers R8-R12                                                      |        | r4       |
| <ul> <li>Accessible to a few 16-bit instructions</li> </ul>           |        | r5       |
|                                                                       |        | r6       |
| <ul> <li>Accessible to all 32-bit instructions</li> </ul>             |        | r7       |
| R14 is the link register(LR)                                          |        | r8       |
| <ul> <li>R15 is the program counter(PC)</li> </ul>                    |        | r9       |
|                                                                       |        | r10      |
| <ul> <li>R13 is the stack pointer(SP)</li> </ul>                      | MSP NS | r11      |
| <ul> <li>Banked by security state</li> </ul>                          | PSP_NS | r12      |
|                                                                       | }      | r13 (SP) |
| <ul> <li>Floating-point register D0-D15 are not banked</li> </ul>     | MSP_S  | r14 (LR) |
| CONTROL and some other special-purpose registers                      | PSP_S  | r15 (PC) |

are also banked by security...

#### **Special-purpose register banking**

- Special-purpose registers are accessed using special instructions
  - MSR/MRS/CPS
- Some registers are security banked
- Non-secure code can only access Non-secure registers
- Secure code can access Secure and Non-secure instances



Not banked







#### Security requirements addressed by TrustZone technology

- Data protection
- Firmware protection
- Operation protection
- Secure boot

Communication protection is not addressed





## MEMORY CONFIGURATION



#### Memory system and memory partitioning

- If the Security Extension is implemented the 4GB memory space is partitioned into Secure and Non-secure memory regions.
- The Secure memory space is further divided into two types:
  - Secure and Non-secure Callable(NSC)





### Trustzone Memory Regions : Secure/Non-Secure/Non-Secure Callable

- Secure (S) For Secure code/data
  - Secure data can only be read by secure code
  - Secure code can only be executed by CPU in secure mode
- Non-Secure (NS) For non-Secure code/data
  - NS Data can be accessed by both secure state and non-secure state CPU
  - Cannot be executed by Secure code
- Non-Secure Callable (NSC)
  - This is a special region for NS code to branch into and execute a Secure Gateway (SG) opcode.





#### Non-Secure Callable (NSC) Memory

- Certain portion of Secure memory should be marked as Non-Secure Callable (NSC) memory for crossdomain calls.
- NSC memory regions contain tables of small branch veneers (entry points).
  - The first instruction in API must be **SG instruction**
  - NSC memory is to prevent hackers to use binary data matching SG opcode value





#### **Secure gateway veneers**



| Secure region                                                                                             |  |
|-----------------------------------------------------------------------------------------------------------|--|
| Secure entry<br>functions<br>acle_se_entry1:<br>/* Function Body */<br>BXNS Ir<br><br>acle_se_entry2:<br> |  |
| Secure code                                                                                               |  |
| Secure data                                                                                               |  |



16 EXTERNAL USE

#### Secure CPU State

- CPU in secure state can only execute from Secure Program memory.
- CPU in secure state can access data from both secure and NS memory.





#### Non-Secure CPU State

- CPU in non-secure state can only execute from non-secure program memory.
- CPU in non-secure state can access data from NS memory only.





#### **Memory security determination**

 The security state of a memory region is controlled by a combination of the internal Secure Attribution Unit (SAU) or an external Implementation Defined Attribution Unit (IDAU).





#### IDAU

 The IDAU is used to indicate to the processor if a particular memory address is Secure, Non-secure Callable (NSC), or Non-secure, and provides the region number within which the memory address resides. It can also mark a memory region to be exempted from security checking, for example, a ROM table.





#### IDAU

• For example, a designer could use bit [28] of the address to define if a memory is Secure or Non-secure, resulting in the following example memory map.







#### LPC55Sxx IDAU

- Simple IDAU, without creating a critical timing path. (CM33 does allows little for IDAU function)
  - Addresses 0x0000\_0000 to 0x1FFF\_FFFF are NS
  - Addresses 0x2000\_0000 to 0xFFFF\_FFF
    - If Address Bit\_28 = 0 Non-Secure
    - If Address Bit\_28 = 1 Secure
- All peripherals and memories are aliased at two locations.







- The SAU define region numbers for each of the memory regions. The region numbers are 8-bit, and are used by the Test Target(TT) instruction to allow software to determine access permissions and security attribute of objects in memory.
- The number of regions that are included in the SAU can be configured to be either 0, 4 or 8.

#### Note

When programming the SAU Non-secure regions, you must ensure that Secure data and code is not exposed to Non-secure applications.



#### Security Attribution Unit

- 8 regions are supported
- Used to override IDAU's fixed map
- Used to define NSC regions
- By default all memory is set to secure
  - At least one SAU descriptor should be used to make IDAU effective. Or set ALLNS bit in SAU control.





#### **Security Attribution Unit Violation**

- An attribution unit (AU) violation is raised by either the SAU or the IDAU.
  - All boundaries between address ranges with different security attributes must be aligned to 32-byte boundaries.
  - The behavior of the following address ranges is fixed, so SAU and IDAU can't change:
    - 0xF0000000 0xFFFFFFF
      - On LPC55Sxx it is always marked as Secure and not Non-secure callable for instruction fetches.



#### **SAU Register**

#### • The SAU can only be programmed in Secure state.

| Address           | Name     | Description                       |
|-------------------|----------|-----------------------------------|
| 0xE000EDD0        | SAU_CTRL | SAU Control register              |
| 0xE000EDD4        | SAU_TYPE | SAU Type register                 |
| 0xE000EDD8        | SAU_RNR  | SAU Region Number Register        |
| 0xE000EDDC        | SAU_RBAR | SAU Region Base Address Register  |
| <b>0xE000EDE0</b> | SAU_RLAR | SAU Region Limit Address Register |



#### **SAU region configuration**

- Regions are enabled individually using SAU\_RLAR.
- The region is Non-secure when SAU\_RLAR.ENABLE = 1 and SUA\_RLAR.NSC=0.
- The region is Secure and Non-secure callable when SAU\_RLAR.ENABLE = 1 and SUA\_RLAR.NSC=1.





#### **Configuring the SAU with CMSIS**

- CMSIS-CORE now provide partition\_<device>.h
  - TZ\_SAU\_Setup() used to configure SAU regions
- Some software tools provide SAU configuration wizards

| Project 🕈 🛽 | partition_ARMCM33.h                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 3.s 📄 system_ARMCM33.c |  |  |  |  |
|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|--|--|--|--|
|             | partition_ARMCM33.h       startup_ARMCM33         Expand All       Collapse All       Help         Option       Initialize Security Attribution Unit (SAU) CTRL regi         Initialize Security Attribution Unit (SAU) Address       Initialize Security Attribution Unit (SAU) Address         Initialize Security Attribution Unit (SAU) Address       Initialize SAU Region 0         Start Address       End Address         Region is       Initialize SAU Region 1         Start Address       End Address         Region is       Initialize SAU Region 2         Start Address       End Address         Region is       Initialize SAU Region 2         Start Address       End Address         Region is       Initialize SAU Region 3 | Show Grid              |  |  |  |  |
|             |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                        |  |  |  |  |



#### **SAU Configuration example**

The following example CMSIS code shows how the you can configure the SAU for two regions

```
// Configure SAU using CMSIS
```

- // Configure SAU Region 0
- // Start Address 0x00200000
- // Limit Address 0x003FFFE0
- // Secure non-scure callable

```
// Use CMSIS to access SAU Region Number Register (SAU_RNR)
// Select region 0
SAU->RNR = (0);
// Set SAU Region Base Address Register (SAU_RBAR)
SAU->RBAR = (0x00200000U & SAU_RBAR_BADDR_Msk);
// Set SAU Region Limit Address Register (SAU_RLAR)
SAU->RLAR = (0x003FFFE0U & SAU_RLAR_LADDR_Msk) | 1U << SAU_RLAR_NSC_Pos) &
SAU_RLAR_NSC_Msk) | 1U
```



#### **SAU Configuration example**

// Configure SAU Region 1

30

```
// Start Address 0x20200000
// Limit Address 0x203FFFE0
// Non-secure
// Select region 1
SAU->RNR = (1);
// Set SAU Region Base Address Register (SAU_RBAR)
SAU->RBAR = (0x20200000U & SAU_RBAR_BADDR_Msk);
// Set SAU Region Limit Address Register (SAU_RLAR)
SAU->RLAR = (0x203FFFE0U & SAU_RLAR_LADDR_Msk) | 0U << SAU_RLAR_NSC_Pos) &
SAU_RLAR_NSC_Msk) | 1U
```



#### Security Defined by Address

- All address are either Secure or Nonsecure.
- Security Attribution Unit (SAU)
  - SAU inside ARMv8M is similar to MPU
  - By default all memories are secure
  - LPC55S supports 8 SAU regions to define
- NXP's Device Attribution Unit
  - connects through Implementation Defined Attribution Unit (IDAU) interface
- Independent memory protection unit (MPU) per security state
  - Secure OS can be completely decoupled from



### SWITCHING BETWEEN SECURE AND NON-SECURE STATES



#### Switching between Secure and Non-secure states

 The ARMv8-M Security Extensions allow direct calling between Secure and Nonsecure software. Several instructions are available for state transition handling in ARMv8-M processors:

| SG    | Secure gateway.                                                                                                    |                                         | to Non-secure function                                                            |                     |  |
|-------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------|-----------------------------------------------------------------------------------|---------------------|--|
|       | Used for switching from Non-secure to Secure state at the first instruction of Secure entry point.                 |                                         | BL to SG call<br>to entry function                                                |                     |  |
| BXNS  | Branch with exchange to Non-secure state.<br>Used by Secure software to branch or return to<br>Non-secure program. | Secure<br>state                         |                                                                                   | Non-secure<br>state |  |
| BLXNS | Branch with link and exchange to Non-<br>secure state.<br>Used by Secure software to call Non-secure<br>functions. | <br> <br> <br> <br> <br> <br> <br> <br> | BXNS return<br>from entry function<br>X to FNC_RETURN re<br>from Non-secure funct | turn                |  |



#### **Entry function**

- An entry function can be called from non-secure state or secure state.
- \_\_attribute\_\_((cmse\_nonsecure\_entry))

/\* Non-secure callable (entry) function \*/ int func1(int x) \_\_attribute\_\_((cmse\_nonsecure\_entry)) { return x+3;

/\* Call non-secure callable function func1 \*/ \_\_\_\_\_ val1 = func1 (1); func1() is defined at secure project

func1() is executed in non-secure projects



}

#### **Non-secure function call**

- A call to a function that switches state from secure to non-secure is called a nonsecure function call.
- Define a Non-secure function pointer using:

\_\_attribute\_((cmse\_nonsecure\_call))

#### For example

- Typedef void \_\_attribute\_((cmse\_nonsecure\_call)) nsfunc(void);
- *Nsfunc \*FunctionPointer;*
- FunctionPointer=cmse\_nsfptr\_create((nsfunc \*)(0x21000248u));
- *lf(cmse\_is\_nsfptr(FunctionPointer))* 
  - FunctionPointer();



### Calling secure code from non-secure code

 A direct API function call from Non-secure to Secure software entry points is allowed if the first instruction of the entry point is SG, and it is in a Non-secure callable memory location.





### Calling secure code from non-secure code

- Non-secure code can branch into secure code
  - This allows secure libraries to be used by non-secure applications
- The branch target address:
  - Must be mapped as Secure and Non-secure Callable by the SAU/IDAU
  - Must contain a Secure Gateway(SG) instruction
- When executed from Secure, NSC memory, the SG instruction
  - Changes the security state to Secure
  - Sets Ir[0] to 0 to allow the secure code to return using a BXNS instruction



### Calling non-secure code from secure code





### Calling non-secure code from secure code

- Before executing a BXNS or BLXNS instruction
  - Save all active non-banked registers by copying them to secure memory
  - 2. The branch target address must have the LSB set to 0 and reside in non-secure memory
  - Clear all non-banked registers except: Link register(BLXNS only) Register that hold arguments for the call Register that do not hold secret information

|   | PUSH<br>MOVW<br>MOVT     | {r0-r12}<br>r0, #0x0<br>r0, #0x2100  | <ul><li>Push r0-r12 onto secure stack</li><li>Move address into r0(LSB=0)</li></ul> |
|---|--------------------------|--------------------------------------|-------------------------------------------------------------------------------------|
| t | MOV<br>MOV<br>MOV<br>MOV | r1, r0<br>r2, r0<br>r3, r0<br>r4, r0 |                                                                                     |
|   | MOV<br>MOV<br>MOV<br>MOV | r5, r0<br>r6, r0<br>r7, r0<br>r8, r0 | <ul> <li>Clear registers(overwrite with<br/>Non-secure branch address)</li> </ul>   |
|   | MOV<br>MOV<br>MOV        | r9, r0<br>r10, r0<br>r11, r0         |                                                                                     |
|   | MOV<br>MSR<br>BLXNS      | r12, r0<br>APSR_nzcvq, r0<br>r0      | Non-secure branch                                                                   |



### TT Instruction – Test Target

- SAU/IDAU generate a Region Number for each region.
  - Software can check a region to determine security
- TT returns RN and Attribute (NS or secure) on an address
  - -Use TT on start and end address
  - Can determine whether memory has required security attributes.
- LPC55xxx IDAU returns region number as below
  - -IDAU\_RN[7:0] = ({4'h0, idau\_addr\_a[31:28]})
- Usage examples
  - When setting secure DMA for data transfers, secure code can check attributes of buffer pointer passed by NS code



## **TT** instruction

- New Test Target(TT) instruction returns the MPU and SAU configuration for an address
- TT {cond} {q} Rd, Rn
  - Rn contains the address to be tested
  - Rd returns the attributes of the address
- Secure functions may be passed pointers when called from Non-secure code
  - TT can validate that the calling function has the rights to access the memory
  - TT can validate that the address is Non-secure

| [7:0]   | MREGION | MPU region                 |
|---------|---------|----------------------------|
| [15:8]  | SREGION | SAU region                 |
| [16]    | MRVALID | Is MREGION valid?          |
| [17]    | SRVALID | Is SREGION valid?          |
| [18]    | R       | Is address readable?       |
| [19]    | RW      | Is address RW?             |
| [20]    | NSR     | Is Non-secure && readable? |
| [21]    | NSRW    | Is Non-secure && RW?       |
| [22]    | S       | Is address Secure?         |
| [23]    | IRVALID | Is IREGION valid?          |
| [31:24] | IREGION | IDAU region                |



### How TT works



#### Note

The MPU, SAU and IDAU in ARMv8-M do not allow regions to overlap.



# **TT instruction example**

- PRINTF\_NSE("Welcome in normal world!\r\n");
- /\* Check whether string is located in non-secure memory \*/
   if (cmse\_check\_address\_range((void \*)s, string\_length, CMSE\_NONSECURE |
   CMSE\_MPU\_READ) == NULL)

PRINTF("String is not located in normal world!\r\n");
abort();



Non-secure

world

# EXCEPTIONS



### **Interrupts and exceptions**

- Interrupt can be programmed as secure or non-secure interrupts
- Some system exceptions are banked(e.g. Systick)
- New SecureFault exception
- Banked System Control Block(SCB) registers
  - Two VTOR- Separate vector tables for Secure exceptions and Non-Secure exceptions
  - Non-Secure SCB registers can be accessed from Secure side via alias address
- Priority of Secure exceptions/interrupts can share same levels as Nonsecure's, or can be higher priority(programmable)



### **Exception priorities overview**

| Name                         | Exception # | Exception Priority #   | Security     |
|------------------------------|-------------|------------------------|--------------|
| Interrupts #0-N              | 16 to 16+N  | 0-255(programmable)    | Configurable |
| SysTick                      | 15          | 0-255(programmable)    | Banked       |
| PendSV                       | 14          | 0-255(programmable)    | Banked       |
| DebugMonitor                 | 12          | 0-255(programmable)    | Configurable |
| SVCall                       | 11          | 0-255(programmable)    | Banked       |
| SecureFault                  | 7           | 0-255(programmable)    | Secure       |
| UsageFault                   | 6           | 0-255(programmable)    | Banked       |
| BusFault                     | 5           | 0-255(programmable)    | Configurable |
| MemManage                    | 4           | 0-255(programmable)    | Banked       |
| Non-secure HardFault         | 3           | -1                     | Non-secure   |
| Secure HardFault             | 3           | -3 or -1(programmable) | Secure       |
| Non Maskable Interrupt (NMI) | 2           | -2                     | Configurable |
| Reset                        | 1           | -4                     | Secure       |

- The lower the priority number, the higher the priority level
- NMI, HardFault and BusFault default to be Secure, but can be set to NS



### **Secure exception prioritization**

- Non-secure exception can be forced into the lower half of the priority range
  - Using AIRCR\_S.PRIS





### **Interrupts and exceptions**

• State transitions can also happen due to exceptions and interrupts.





### **TrustZone interrupt security**

 The processor automatically pushes all Secure information onto the Secure stack and erases the contents from the register banks, therefore avoiding an information leak.





# 恩智浦MCU加油站

- · 恩智浦工程师原创技术分享
- · 欢迎关注,欢迎投稿







# SECURE CONNECTIONS FOR A SMARTER WORLD