USD

How to Use TrustZone to Secure IoT Devices with Minimal Hardware Complexity and Cost

By Jacob Beningo

Contributed By Digi-Key's North American Editors

IoT devices at the edge require additional security measures to be taken than have traditionally been required by embedded products. Understanding and getting started with security is often difficult for teams and developers that have backgrounds in electrical engineering that don’t have expertise in cryptography or system security.

In a modern development cycle, there is little time and budget available for developers to start from scratch or become security experts. Instead, developers can leverage existing security solutions and tailor them to their specific needs.

This article will introduce Arm’s® TrustZone, an interesting solution that has been gaining momentum among microcontroller-based systems designers. By way of example, the article will introduce STMicroelectronics’ STM32L5 series of microcontrollers which support TrustZone, and show how to get started with TrustZone using associated development kits.

Security through isolation

The core foundational element to a secure embedded system is to have security through isolation. The idea is that important data assets such as private keys, user data, secure functions and so forth should be isolated from generic data and functions like graphical user interface elements or the real-time operating system (RTOS). While there are methods that can be used to create software isolation, security experts agree that an embedded system needs to utilize security through hardware-based isolation.

There are several ways that hardware can be used to create isolation, such as using a microcontroller and security processor or using a multicore processor where one core is dedicated to secure processing. The newer Arm Cortex®-M23, Cortex-M33 and Cortex-M55 processors support an optional hardware-based isolation feature known as TrustZone.

What is Arm TrustZone?

TrustZone is a hardware mechanism implemented in single-core microcontrollers that breaks the execution environment into secure and non-secure memory, peripherals, and functions. Each execution environment then also contains a memory protection unit (MPU) which can be used to further isolate memory regions to provide “more layers in the onion” to act as a deterrent to would-be attackers trying to access data assets.

In general, an embedded developer will partition their system into at least two projects, the non-secure execution project, which is often referred to as the user project, and the secure execution project, which is often referred to as the firmware project. A microcontroller that enables TrustZone will boot into the secure state and start the system before jumping into the non-secure state to execute the user application (Figure 1).

Diagram of TrustZone projects achieve isolation through a hardware mechanismFigure 1: TrustZone projects achieve isolation through a hardware mechanism that breaks the embedded software into a user project (non-secure) and a firmware project (secure). (Image source: Arm)

The user project can only access secure functions through a secure gateway that is created between the firmware project and the user project and is unable to access secure memory locations without triggering an exception.

Selecting a TrustZone enabled development board

The easiest way to get started understanding TrustZone is to simply jump in and start working with it. To do that, a developer must first select a development board. There are several different development boards to choose from via various microcontroller suppliers, but be careful: they do not all implement TrustZone the same way, which can make it a little bit tricky.

A good development board example that can be used to get started with TrustZone is the STMicroelectronics STM32L562E Discovery Kit (Figure 2).

Image of STMicroelectronics STM32L562E Discovery KitFigure 2: The STM32L562E Discovery Kit includes numerous on-board sensors, Bluetooth, and an I/O expansion board which makes getting started with TrustZone applications easy. (Image source: STMicroelectronics)

The kit comes with a lot of supporting features that can be useful when working with TrustZone for the first time. For example, the development kit includes a 1.54” 240 x 240 pixel TFT LCD module that includes a touch control panel, a Bluetooth v4.1 low energy module, an iNEMO 3D accelerometer and gyroscope, and an on-board STLINK-V3E, among many other features for I/O and peripheral expansion.

A second development board that can be used to get started with TrustZone is the STMicroelectronics NUCLEO-L552ZE-Q Nucleo board (Figure 3).

Image of STMicroelectronics STM32L552ZE-Q NUCLEO development boardFigure 3: The STM32L552ZE-Q NUCLEO development board provides a TrustZone enabled processor, ST-LinkV3, and expansion headers for custom development activities. (Image source: STMicroelectronics)

Unlike the STM32L562E Discovery Kit, the NUCLEO-L552ZE-Q is a basic development board that includes the ST-LinkV3, the STM32L552VET6 microcontroller, expansion ports, and an LED. This development board is great for developers who want to play with TrustZone and start integrating their own hardware components as quickly as possible.

Even though the NUCLEO-L552ZE-Q does not include all the bells and whistles, the STM32L552VET6 is quite impressive. This is an Arm Cortex-M33 processor with a floating-point unit (FPU), up to 512 kilobytes (Kbytes) of flash memory and 256 Kbytes of SRAM. It includes several additional security features above TrustZone, such as a root of trust with unique boot entry, secure firmware installation and secure firmware upgrade support with trusted firmware for Cortex-M (TF-M).

Both development boards’ processors include the TrustZone Security Arbitration Unit (SAU) which is used to setup which memories and peripherals will be protected by TrustZone. The SAU is missing in some microcontroller suppliers’ TrustZone implementations. This is not necessarily a problem, but it requires a different procedure to setup TrustZone.

Getting the first TrustZone-based application started

Getting one of the STMicroelectronics development boards up and running requires several steps and software packages. First, a developer will want to download STM32CubeIDE. STM32CubeIDE provides the compiler, microcontroller packages and IDE for application development, and any associated application notes, including STM AN5394.

Using an existing TrustZone example project is the quickest way to get an application up and running. There are several projects that are included as part of the STM32Cube_FW_L5 software package. The software is downloaded as part of the STM32CubeL5 software. Once downloaded, developers can import the TrustZoneEnabled project located in a directory path like the following:

STM32Cube_FW_L5_V1.2.0\STM32Cube_FW_L5_V1.2.0\Projects\STM32L552E-EV\Templates\TrustZoneEnabled\

Once the project is imported, a developer can see that the project has a hierarchical project structure that breaks the application into secure and nonsecure applications (Figure 4).

Image of TrustZone project is implemented in a hierarchical project structureFigure 4: The TrustZone project is implemented in a hierarchical project structure with secure and non-secure projects. (Image source: Beningo Embedded Group)

There are a lot of details that can be explored in these projects. AN5394 can fill in quite a few details, while the readme.txt file in each project’s Doc folder can explain the details for the secure and non-secure projects. For this article’s purposes, we will examine the most important concepts related to TrustZone. Specifically: how TrustZone is configured. The configuration can be found in the partition_stm32L562xx.h file located under:

C:\STM32Cube_FW_L5_V1.2.0\Projects\STM32L562E-DK\Templates\TrustZoneEnabled\Secure\Inc

This file contains the settings for the SAU. For example, Figure 5 shows the settings for SAU region 0. This region is currently configured secure execution. Figure 6 on the other hand, shows SAU region 1 configured as non-secure.

Code of SAU region 0 configured for secure executionFigure 5: The SAU is used to configure which memory regions are secure and non-secure. The above code demonstrates how SAU region 0 is configured for secure execution. (Image source: Beningo Embedded Group)

Image of SAU region 1 configured for non-secure executionFigure 6: The SAU is used to configure which memory regions are secure and non-secure. The above code demonstrates how SAU region 1 is configured for non-secure execution. (Image source: Beningo Embedded Group)

A developer would decide which regions need to be secure and non-secure and use the partition file to configure the SAU. Creating these settings does not guarantee that TrustZone will be enabled! When a TrustZone-based application is programed onto the target, a developer needs to set the TZ option byte to 1 to enable TrustZone. Then during start-up, it will be enabled and the SAU configuration will be read and utilized.

Tips and tricks for working with TrustZone

Getting started with TrustZone is not difficult but does require that developers think about their application’s design a bit differently. Here are a few “tips and tricks” for getting started:

  • All data will not need to be protected. Identify the critical data assets up front that need to be protected.
  • Leverage existing security frameworks such as CMSIS-Zone and Trusted Firmware for Cortex-M (TF-M) to accelerate development.
  • Carefully examine the potential threats to the device and select a microcontroller that supports hardware and software solutions to protect against those threats.
  • TrustZone provides a single layer of isolation. Leverage MPUs and other hardware mechanisms to create multiple hardware-based isolation layers.
  • Identify secure and nonsecure code elements during the architecture phase—not during implementation.

Developers that follow these “tips and tricks” will find that they save quite a bit of time and grief when working towards securing their IoT device.

Conclusion

TrustZone is an important tool available to IoT developers who are looking to secure their devices and protect their data assets. Secure solutions can be implemented in several different ways, but as we have seen, TrustZone offers developers a single core solution which provides a traditional software development model. The only difference is that developers need to start to think in terms of secure and nonsecure components, data, and threads.

Disclaimer: The opinions, beliefs, and viewpoints expressed by the various authors and/or forum participants on this website do not necessarily reflect the opinions, beliefs, and viewpoints of Digi-Key Electronics or official policies of Digi-Key Electronics.

About this author

Jacob Beningo

Jacob Beningo is an embedded software consultant. He has published more than 200 articles on embedded software development techniques, is a sought-after speaker and technical trainer, and holds three degrees, including a Masters of Engineering from the University of Michigan.

About this publisher

Digi-Key's North American Editors