Security of embedded devices is becoming more and more important. The requirement for good protection increases as devices become more interconnected: wearable medical devices that connect to the cloud, mobile base stations that are no longer up poles but in much less physically secure areas, cars that communicate among themselves. A programmable device is especially vulnerable since not only can the software running on the Soc potentially be compromised, so can the very hardware on which it is running if the programming bitstream itself is replaced. Your base station router no longer just processes the packets, it also sends a copy to the Chinese military, the NSA or Google. Pick your bogeyman.
To further compound the problem, many devices are open platforms on which additional software such as apps can be run. Your smartphone probably runs a mixture of stuff you don’t care about much, like games, to things that you probably have some concern about, such as your WhatsApp chat history, to things you certainly care a lot about like access to your bank. There are compromises involved in security: very high security may be too complex for the average use to install and maintain, and it may be too expensive (in terms of power dissipation or FPGA fabric use). Minimal security may stop the clueless but it is a waste of time against anyone knowledgeable.
One solution is ARM TrustZone. This is widely used because of the near ubiquity, or at least widespread use, of ARM processors in embedded and other systems. This is a combined hardware/software solution to security that builds up in layers.
The Zynq-7000 AP SoC architecture integrates a dual-core ARM Cortex-A9 along with Xilinx FPGA programmable fabric into a single device built on top of TSMC’s 28nm HPL (low power) process. Like traditional SoCs, the processor-centric approach allows the processor to boot first and then bring up the rest of the device. This approach also allows control and partial reconfiguration of the programmable logic by running software on the processor. In turn, this enables the user to optimize system performance and power management to meet varying operating environments.
The ARM TrustZone architecture makes trusted computing within the embedded world possible by establishing a trusted platform, a hardware architecture that extends the security infrastructure throughout the system design. Instead of protecting all assets in a single dedicated hardware block, the TrustZone architecture runs specific subsections of the system either in a “normal world” or a “secure world.” Such an approach, when combined with software designed to leverage its advantages, enables creation of an end-to-end security solution that includes functional units as well as debug infrastructure.
In the Zynq-7000 AP SoC, a normal world might be defined as a hardware subset consisting of memory regions, caches and specific devices. This non-trusted software can be limited to an environment that prevents access to, or even knowledge of, the additional hardware dedicated to the support of the TrustZone architecture in the secure world. Trusted applications run on a TrustZone based ssystem tat implements a trusted execution environment. On the Zynq SoC further system-wide security is provided by integrating the TrustZone framework into the processor interconnects and system peripherals.
A key part of ARM’s TrustZone approach is that all AXI interfaces contain an additional bit known as the Non-Secure (NS) bits. During a transaction all masters assign an appropriate value to this bit and all slaves must interpret them to ensure that security separation is not violated, so, in particular, a non-secure master cannot access a secure slave.
It is beyond the scope of an introductory blog entry to go into all the low-level operating details of how a complex SoC design is configured. But luckily Xilinx has a detailed white paper on the subject, TrustZone Technology Suppport in Zynq-7000 All Programmable SoCs. You can download it here.Share this post via: