TrustZone® is ARM's hardware solution for security. It is an on-chip security enclave providing hardware isolation and protection for sensitive material such as cryptographic keys, intellectual property and data. TrustZone-enabled SoCs are found in over a billion devices such as payment terminals, set-top boxes and mobile phones. TrustZone is fast becoming a standard way for IoT device makers to implement security. With TrustZone, security is designed into the product and secure functions are propagated throughout the product. This results in a more secure device. It is important to note that not all SoCs implement TrustZone the same way, which can impact your design.
For more details on the TrustZone®, please visit ARM’s website at http://www.arm.com/products/processors/technologies/trustzone.
TEE stands for Trusted Execution Environment. On top of the hardware foundation of the ARM® TrustZone® technology, the TEE adds a functional runtime environment with standards compliant APIs, strong application separation through the security focused microkernel, and strong protection of sensitive assets through access control and cryptography.
While TrustZone establishes the “Normal” (non-secure) and Secure worlds, the TEE moderates communications across these domains. Applications and functions in the Normal world can access secure functions in the TEE through the Secure Monitor, which acts as a gatekeeper. This means that only applications with the right credentials have access to resources protected by the TEE.
The TrustZone/TEE combination provides hardware and software isolation from the non-secure operations of the device. This allows sensitive data to be handled without the risk of exposure. In addition, because the integrity of the boot process is verified, the functions provided by the TEE are less likely to be compromised by malicious code.
The TEE is also used to secure access to peripherals by implementing peripheral drivers in the TEE. This protects access to peripherals such as persistent storage, memory and displays.
Trusted Applications (TAs) are applications that reside in the TEE. They are resources that applications in the Normal world can access for specific secure functions such as storage and cryptography. There are two types of TAs – Static and Dynamic.
TAs are only accessed through the TEE Internal API and are only active when handling messages. They are also protected by the MMU: each TA exists in a separate address space and can be independently scheduled.
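As an added example (not code from this page, OP-TEE or CoreTEE), this is the shape of a TA command entry point as the GlobalPlatform TEE Internal API defines it, with the parameter-type and buffer-size checks a TA performs before it trusts anything the Normal world passed across the Secure Monitor. The API constants are reproduced inline so it builds without the OP-TEE headers, and the TA_CMD_XOR_DIGEST command and its XOR-fold body are hypothetical stand-ins for a real secure function.

```c
#include <stdint.h>
#include <string.h>

/* Minimal subset of the GlobalPlatform TEE Internal API, reproduced inline so
 * this builds without tee_internal_api.h (an assumption; values follow the spec). */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS                  0x00000000
#define TEE_ERROR_BAD_PARAMETERS     0xFFFF0006
#define TEE_ERROR_SHORT_BUFFER       0xFFFF0010
#define TEE_PARAM_TYPE_NONE          0
#define TEE_PARAM_TYPE_VALUE_INPUT   1
#define TEE_PARAM_TYPE_MEMREF_INPUT  5
#define TEE_PARAM_TYPE_MEMREF_OUTPUT 6
#define TEE_PARAM_TYPES(t0, t1, t2, t3) ((t0) | ((t1) << 4) | ((t2) << 8) | ((t3) << 12))
typedef union { struct { void *buffer; uint32_t size; } memref; } TEE_Param;
#define TA_CMD_XOR_DIGEST 1   /* hypothetical command id for this example */
/* Called by the TEE for each Normal-world TEEC_InvokeCommand. The parameter
 * block is client-controlled, so validate the type signature and the output
 * size before touching any buffer. */
TEE_Result TA_InvokeCommandEntryPoint(void *sess, uint32_t cmd,
                                      uint32_t ptypes, TEE_Param params[4])
{
    const uint32_t expected = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
        TEE_PARAM_TYPE_MEMREF_OUTPUT, TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE);
    (void)sess;                            /* no per-session state here */
    if (cmd != TA_CMD_XOR_DIGEST || ptypes != expected)
        return TEE_ERROR_BAD_PARAMETERS;
    uint32_t out_len = params[1].memref.size;
    params[1].memref.size = 4;             /* required size, reported either way */
    if (out_len < 4)
        return TEE_ERROR_SHORT_BUFFER;
    uint8_t out[4] = {0};                  /* toy XOR fold, not a real hash */
    const uint8_t *in = params[0].memref.buffer;
    for (uint32_t i = 0; i < params[0].memref.size; i++)
        out[i % 4] ^= in[i];
    memcpy(params[1].memref.buffer, out, 4);
    return TEE_SUCCESS;
}

/* Drive the entry point the way the TEE would, with a constructed input. */
static const uint8_t SAMPLE_IN[6] = {0x10, 0x20, 0x30, 0x40, 0x01, 0x02};
TEE_Result demo_invoke(uint32_t ptypes, uint32_t out_len, uint32_t *digest)
{
    uint8_t out[4] = {0};
    TEE_Param p[4] = {{{(void *)SAMPLE_IN, sizeof SAMPLE_IN}}, {{out, out_len}}};
    TEE_Result r = TA_InvokeCommandEntryPoint(NULL, TA_CMD_XOR_DIGEST, ptypes, p);
    if (digest)
        *digest = (uint32_t)out[0] << 24 | out[1] << 16 | out[2] << 8 | out[3];
    return r;
}
```

A mismatched type signature or an undersized output buffer is rejected before any memory is read or written, which is the check that keeps a hostile Normal-world client from steering the TA into out-of-bounds accesses.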
We have made learning about writing TAs easy. OP-TEE is now ported to the Raspberry Pi 3-B! All you have to do is purchase a Raspberry Pi 3-B and get the associated SDK. Please note that while the Raspberry Pi 3 does incorporate TrustZone, the security functions are not propagated through the bus fabric. It should only be used as a learning tool and not for commercial deployment. You can purchase a Raspberry Pi 3 kit here (link Coming Soon!). You can also get the SDK, tutorials and code samples at https://github.com/OP-TEE/optee_os.
For commercial projects, we will soon be releasing a CoreTEE dev kit comprising an Atmel Xplained dev board and the CoreTEE SDK. If you would like to be notified when it becomes available, please send an Email or use our contact form.
OP-TEE is an open source TEE project managed and promoted by the Security Working Group at Linaro. OP-TEE provides the “base-level” secure kernel along with the basic mechanism for secure interactions between the Normal and Secure worlds, and GlobalPlatform compatible APIs for assured interoperability. While access to OP-TEE is free, a considerable amount of work is still required to make it work on a specific SoC. Sequitur Labs’ CoreTEE® is a commercially viable implementation of OP-TEE that represents a significant investment of time and resources and provides several critical enhancements necessary for rapid commercial implementation.
CoreTEE was developed with the specific intent of enhancing IoT and embedded systems security. This required developing specific capabilities to support IoT and embedded use cases as well as recognizing the varied deployment requirements of customers. CoreTEE’s enhancements include services such as:
Want to schedule a one-on-one deep dive on CoreTEE? Click here.
CoreTEE supports multiple security scenarios and use cases and can help to strengthen security across nearly all industries. Take a look at our Use Cases.
CoreTEE—or any TEE for that matter—must be ported to each SoC it supports. As mentioned earlier, not all TrustZone implementations are the same. This deep level of integration is necessary to support the specific architecture of the SoC, including memory subsystems, bus design and supported peripherals. CoreTEE currently supports the following SoCs:
If you would like to know specific aspects of the above SoCs that are supported by CoreTEE, sign up for a briefing HERE.
CoreTEE is packaged flexibly in that there is a base platform and a suite of optional modules that help satisfy your specific use case. To learn more, please call or Email us.
Sequitur Labs licenses CoreTEE under several licensing schemes designed to meet customer needs. These include:
© 2018 by Sequitur Labs Inc. All Rights Reserved.