Difference between revisions of "Trustzone environment"

Article purpose

This article explains how the Arm® TrustZone® execution context is used on an STM32 MPU-based platform.

Introduction

The STM32 MPU is based on an Arm® Cortex®-A core that implements the Arm® TrustZone[1] architecture. TrustZone enables context isolation: the normal world holds the applications, whereas the secure world isolates the trusted applications and the core secure services so that they can safely manipulate platform secrets. The STM32 MPU also includes firewall mechanisms that let the secure world forbid normal-world read and write accesses to selected peripherals.

Armv7-A defines the PL0, PL1 and PL2 privilege levels:

  • PL0 is the lowest software execution level (unprivileged, used by applications).
  • PL1 is the execution level of the OS kernel, in both the secure and the normal world.
  • Secure PL1 is also the privilege level of the secure monitor, which performs the switches between the secure and the normal world.
  • PL2 is dedicated to the hypervisor and exists only in the non-secure state.
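The path from the normal world into the secure monitor is an SMC instruction, and the monitor decides from the function ID whether it answers the call itself or switches into the TEE. The following is an added example, not code from the article, from ST or from OP-TEE: it encodes function IDs according to the Arm SMC Calling Convention (SMCCC) and models a monitor dispatch. The routing policy (which owning entities are handled inside the monitor and which are forwarded to the TEE), the PSCI version returned and the way the modelled TEE echoes the function number are assumptions of this example.

```c
/*
 * Added example (not part of the article, of ST's or of OP-TEE's code): a model
 * of the secure monitor, at secure PL1, decoding an SMC issued by the normal
 * world and deciding which world services it.
 *
 * Function-ID layout of the Arm SMC Calling Convention (SMCCC):
 *   bit 31     1 = fast call, 0 = yielding (standard, interruptible) call
 *   bit 30     1 = SMC64 register convention, 0 = SMC32
 *   bits 29:24 owning entity number (OEN)
 *   bits 23:16 must be zero
 *   bits 15:0  function number
 *
 * On the Cortex-A7 the normal world issues the call with "smc #0", r0 holding
 * the function ID, r1..r6 the arguments and r0 the result, for example
 *   __asm__ volatile("smc #0" : "+r"(r0) : "r"(r1), "r"(r2) : "memory");
 * This is left as a comment: the instruction exists only on Arm.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SMCCC_FAST_CALL   0x80000000u
#define SMCCC_SMC64       0x40000000u
#define SMCCC_OEN_SHIFT   24
#define SMCCC_OEN_MASK    0x3Fu
#define SMCCC_MBZ_MASK    0x00FF0000u
#define SMCCC_FUNC_MASK   0x0000FFFFu

/* Owning entity numbers assigned by the SMCCC. */
enum smccc_oen {
    OEN_ARM_ARCH   = 0,
    OEN_CPU_SVC    = 1,
    OEN_SIP        = 2,   /* silicon provider (the SoC vendor) */
    OEN_OEM        = 3,
    OEN_STD_SECURE = 4,   /* PSCI and other standard secure services */
    OEN_STD_HYP    = 5,
    OEN_VENDOR_HYP = 6,
    OEN_TA_MIN     = 48,  /* trusted application calls */
    OEN_TA_MAX     = 49,
    OEN_TOS_MIN    = 50,  /* trusted OS calls */
    OEN_TOS_MAX    = 63
};

enum smc_target { SMC_MONITOR, SMC_TEE, SMC_UNKNOWN };

#define SMCCC_RET_NOT_SUPPORTED ((int32_t)-1)

/* PSCI_VERSION: fast SMC32 call, Standard Secure Service OEN, function 0. */
#define PSCI_VERSION_FID  0x84000000u

uint32_t smccc_fid(bool fast, bool smc64, unsigned oen, unsigned func)
{
    uint32_t fid = 0;
    if (fast)  fid |= SMCCC_FAST_CALL;
    if (smc64) fid |= SMCCC_SMC64;
    fid |= (oen & SMCCC_OEN_MASK) << SMCCC_OEN_SHIFT;
    fid |= func & SMCCC_FUNC_MASK;
    return fid;
}

unsigned smccc_get_oen(uint32_t fid)
{
    return (fid >> SMCCC_OEN_SHIFT) & SMCCC_OEN_MASK;
}

/* Routing policy of this model: reject malformed IDs, keep architecture,
 * PSCI and SiP calls in the monitor, forward TA and trusted-OS calls to the
 * TEE. Hypervisor services are reached with HVC, so an SMC to them is rejected. */
enum smc_target monitor_route(uint32_t fid, bool caller_is_aarch64)
{
    if (fid & SMCCC_MBZ_MASK)
        return SMC_UNKNOWN;                 /* reserved bits set */
    if ((fid & SMCCC_SMC64) && !caller_is_aarch64)
        return SMC_UNKNOWN;                 /* SMC64 from a 32-bit caller */
    unsigned oen = smccc_get_oen(fid);
    switch (oen) {
    case OEN_ARM_ARCH:
    case OEN_STD_SECURE:
    case OEN_SIP:
        return SMC_MONITOR;
    default:
        if ((oen >= OEN_TA_MIN && oen <= OEN_TA_MAX) ||
            (oen >= OEN_TOS_MIN && oen <= OEN_TOS_MAX))
            return SMC_TEE;
        return SMC_UNKNOWN;
    }
}

/* Model of the monitor entry. Anything not understood returns -1, as the
 * SMCCC requires, so the normal world never learns which entity rejected it. */
int32_t monitor_smc(uint32_t fid, bool caller_is_aarch64)
{
    switch (monitor_route(fid, caller_is_aarch64)) {
    case SMC_MONITOR:
        if (fid == PSCI_VERSION_FID)
            return 0x00010001;              /* assumed: PSCI 1.1 */
        return SMCCC_RET_NOT_SUPPORTED;
    case SMC_TEE:
        /* World switch. The modelled secure OS echoes the function number
         * so that the switch is observable; a real TEE returns its own status. */
        return (int32_t)(fid & SMCCC_FUNC_MASK);
    default:
        return SMCCC_RET_NOT_SUPPORTED;
    }
}

int main(void)
{
    const uint32_t calls[] = { PSCI_VERSION_FID, 0x32000004u, 0x84010000u, 0xC4000000u };
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++)
        printf("fid 0x%08x -> target %d, result 0x%08x\n", calls[i],
               monitor_route(calls[i], false), (uint32_t)monitor_smc(calls[i], false));
    return 0;
}
```

The two checks before the OEN switch are the ones that matter for a monitor: reserved bits and a 64-bit convention from a 32-bit caller are rejected before any handler runs, which is the same order in which a real monitor must validate a call coming from an untrusted world.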

[Figure: Trustzone.png, the TrustZone environment: normal world, secure world, trusted applications, secure monitor]

The normal world runs a rich OS such as the Linux® kernel and its application frameworks.
The secure world runs a TEE as the secure OS (for example OP-TEE OS), including a secure monitor.

The TrustZone environment is a complete system solution that is not limited to the Cortex® core: it extends to the bus and peripheral infrastructure of the STM32 MPU, so that every access carries its secure or non-secure attribute and the secure world controls a secure peripheral over a path that is protected end to end. The assignment of each peripheral to a given world is done through a firewall mechanism, which is set up during secure world initialization.
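How the firewall fits in, as an added model that is not the article's, ST's or OP-TEE's code: every bus transaction carries a non-secure (NS) attribute, the firewall holds one policy entry per peripheral, and the firewall's own configuration is itself a secure-only peripheral that the secure world programs and then locks during its initialization. The peripheral list, the policy encoding, the register names and the lock bit are assumptions of this example, not the STM32 MPU register map.

```c
/*
 * Added example (not part of the article, of ST's or of OP-TEE's code): a
 * model of the peripheral firewall. The firewall decides from the NS
 * attribute of the transaction, never from what the software claims to be,
 * and its own configuration is reachable only from the secure world.
 * Peripheral names, policy bits and the lock are assumptions of this model.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Security attribute carried by every bus transaction (the NS bit). */
enum world { WORLD_SECURE = 0, WORLD_NORMAL = 1 };
enum access { ACC_READ, ACC_WRITE };

/* Assumed per-peripheral policy encoding. */
#define FW_SECURE    0x0u                    /* no normal-world access */
#define FW_NS_READ   0x1u                    /* normal-world reads allowed */
#define FW_NS_WRITE  0x2u                    /* normal-world writes allowed */
#define FW_NS_RW     (FW_NS_READ | FW_NS_WRITE)

/* Assumed peripheral set of the model. */
enum periph { PERIPH_FIREWALL = 0, PERIPH_CRYP, PERIPH_OTP, PERIPH_UART, PERIPH_COUNT };

struct firewall {
    uint8_t policy[PERIPH_COUNT];
    bool locked;        /* once set, the policy is frozen until the next reset */
};

/* Bus-side decision for one transaction. Secure accesses are never filtered. */
bool firewall_check(const struct firewall *fw, enum world src, enum periph p, enum access a)
{
    if (p >= PERIPH_COUNT)
        return false;
    if (src == WORLD_SECURE)
        return true;
    uint8_t need = (a == ACC_READ) ? FW_NS_READ : FW_NS_WRITE;
    return (fw->policy[p] & need) != 0;
}

/* A write to the firewall configuration travels over the same bus, so it is
 * checked like any other peripheral write before the lock is considered. */
bool firewall_configure(struct firewall *fw, enum world src, enum periph p, uint8_t policy)
{
    if (!firewall_check(fw, src, PERIPH_FIREWALL, ACC_WRITE))
        return false;   /* normal world cannot reassign peripherals to itself */
    if (fw->locked)
        return false;   /* nobody, not even the secure world, after the lock */
    if (p >= PERIPH_COUNT)
        return false;
    fw->policy[p] = policy;
    return true;
}

/* Secure-world initialization: default deny, assign, then lock. This is the
 * only code that ever observes an unlocked firewall. */
void firewall_init(struct firewall *fw)
{
    for (int i = 0; i < PERIPH_COUNT; i++)
        fw->policy[i] = FW_SECURE;
    fw->locked = false;
    firewall_configure(fw, WORLD_SECURE, PERIPH_FIREWALL, FW_SECURE); /* config stays secure-only */
    firewall_configure(fw, WORLD_SECURE, PERIPH_CRYP, FW_SECURE);     /* crypto engine: secure */
    firewall_configure(fw, WORLD_SECURE, PERIPH_OTP, FW_SECURE);      /* fuses/keys: secure */
    firewall_configure(fw, WORLD_SECURE, PERIPH_UART, FW_NS_RW);      /* console: normal world */
    fw->locked = true;
}

static struct firewall g_fw;

/* Boot-time setup, returning the single firewall instance of the model. */
struct firewall *firewall_boot(void)
{
    firewall_init(&g_fw);
    return &g_fw;
}

struct firewall *firewall_instance(void)
{
    return &g_fw;
}

int main(void)
{
    static const char *names[PERIPH_COUNT] = { "FIREWALL", "CRYP", "OTP", "UART" };
    struct firewall *fw = firewall_boot();
    for (int p = 0; p < PERIPH_COUNT; p++)
        printf("%-8s normal-world read:%d write:%d\n", names[p],
               firewall_check(fw, WORLD_NORMAL, (enum periph)p, ACC_READ),
               firewall_check(fw, WORLD_NORMAL, (enum periph)p, ACC_WRITE));
    printf("normal world reassigns CRYP: %s\n",
           firewall_configure(fw, WORLD_NORMAL, PERIPH_CRYP, FW_NS_RW) ? "allowed" : "denied");
    return 0;
}
```

The ordering in firewall_init is the point to carry over to a real platform: start from deny-all, open only what the normal world needs, and lock before the normal world is ever started. Once locked, a compromised Linux kernel can neither read the crypto engine nor grant itself access, because both the peripheral and the firewall configuration are answered by the NS attribute on the bus, not by any software decision.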

Dedicated secure and normal contexts also affect the debug facilities: depending on the targeted user, debug can be opened to both worlds (for a secure-aware developer), restricted to the normal world only (for a Linux® developer), or completely closed (for the end user). This is achieved by configuring the debug control. Only the closed setting protects the secure world's memory and secrets from anyone with physical access to the debug port.

Some internal or external peripherals can be used by the secure world to support cryptographic operations. Refer to security peripherals for an introduction.

References

[1] https://www.arm.com/why-arm/technologies/trustzone-for-cortex-a