An important step in the technological evolution of microcontroller hardware architecture has been recently achieved with the introduction of a domain separation mechanism, which is already present in other architectures, where it is usually referred to as a Trusted Execution Environment, or TEE.

TEE is an abstraction that provides two or more separated execution domains, or “worlds”, with different capabilities and permissions to access devices, resources, and peripherals.

Isolating the execution environment of one or more software components and modules, also generally known as sandboxing, consists of limiting their view of the system, without impacting their performance and normal operation. This is a requirement for many use cases and domains in computer science, and not only for increasing the security of embedded systems.

Similar hardware-assisted isolation mechanisms in other domains are the building blocks of the cloud server...

In order to run the proposed example available in this book’s repository, an STM32L552 microcontroller is required. The TrustZone-M technology is only supported by the newest family of ARM Cortex-M microcontrollers. The STM32L552 is a Cortex-M33, fully supporting TrustZone-M, which makes it a convenient and affordable choice for taking our first steps when learning about this technology.

The code files for this chapter are available at https://github.com/PacktPublishing/Embedded-Systems-Architecture-Second-Edition/tree/main/Chapter11.

Sandboxing is a generic concept in computer security that refers to a set of hardware and software measures that limit the “view” of the system for one or more of its components, to restrict the area of the system affected by accidental malfunctions or purposedly forged malicious attacks and prevent them from spreading across the entire system. Sandboxing can have different forms and implementations, which may or may not leverage specific hardware functionalities to improve safety and effectiveness.

By the term TEE, we refer to those sandbox mechanisms that involve the CPU keeping track of the secure status of the running code at all times, without significantly impacting the performance of the running application. Due to these TEE mechanisms being intrinsically bonded to the CPU design, TEE behavior, management, and communication models in sandboxes differ across heterogeneous platforms and heavily depend on the architecture. Moreover, TEEs can be used...

ARMv7-M cores, such as the Cortex-M0+ and Cortex-M4 microcontrollers, have dominated the embedded market for decades and are still the most popular choice for many embedded system designs. Although there have been a number of changes and additions, the new Cortex-M23 and Cortex-M33 cores, as well as the newer M35P and M55, have inherited and expanded many of the successful features of the Cortex-M0, Cortex-M4, and Cortex-M7 microcontrollers.

In a typical TrustZone use case, multiple actors may be involved in the distinct phases of software development. The owner of a device may provide a base system, already equipped with all the software authorized to run in the secure world. This would still leave the possibility for a system integrator to customize the non-secure part but with a restricted view of the system, which depends on the configuration of the resources allowed by the secure domain. The system integrator in this case receives a system that is partially locked...

When TrustZone-M is enabled, all areas mapped in memory, including RAM, peripherals, and even FLASH storage, receive a new security attribute. Besides the secure and non-secure domains, a security attribute may assume a third value, Non-Secure Callable (NSC). This last attribute defines special regions of memory used to implement transactions from the non-secure world to the secure world through a specific mechanism, which will be explained in the last section, Building and running the example. An NSC area is used to offer secure APIs that act like system calls with new powers. The secure domain exposes service routines that can perform specific controlled actions while accessing secure resources from its non-secure counterpart.

Security attributes and memory regions

Cortex-M33 microcontrollers offer various levels of protection. The combination of the effects of those levels determines which of the memory-mapped areas associated with a resource on...

Finally, we are putting all we have learned about TrustZone-M into practice, by activating the option flags needed to enable TrustZone-M and running the two software components associated with the execution domains.

Enabling TrustZone-M

By default, TrustZone-M is turned off on our microcontroller when it is in its factory state. Turning on TrustZone is a one-way operation, but it is typically not irreversible unless combined with other hardware-assisted protection mechanisms that make it impossible to disable it when the embedded system is deployed. Disabling TrustZone once enabled, however, requires a more complex procedure than just clearing one bit in a register.

Important note

Please refer to your microcontroller’s reference manual and application notes, and ensure that you understand the procedure and the consequences of enabling or attempting to disable TrustZone-M on your device.

On the reference platform, to enable TrustZone...

ARMv8-M is the newest architecture defined by ARM for modern microcontrollers. It extends and completes the capabilities of its predecessor, ARMv7-M, by integrating several new features. The most important improvement for this novel architecture design is the possibility to implement a TEE by separating the execution domains and creating a sandboxed environment to execute non-secure applications.

In real-life scenarios, this gives flexibility to the deployment of applications from different providers, with distinct levels of trust regarding accessing features and resources on a system.

In this last chapter, we have analyzed the mechanisms available in the TrustZone-M technology. TrustZone-M can be activated on ARMv8-M systems for the purpose of integrating a powerful, hardware-assisted solution, aimed to protect system components from any access that has not been explicitly authorized by a system supervisor component running in the secure domain.