ARM Community: Does TrustZone provide flash storage isolation - ARM Community


#1 CodeMonkey

Posted 04 August 2011 - 01:35 AM

TrustZone provides memory isolation between normal and secure world. I am wondering if TrustZone has flash storage isolation. In other words, an application in the normal world cannot access the flash that belongs to the secure world. I would appreciate it if someone could confirm this. Thanks for any input!

#2 ttfn

Posted 04 August 2011 - 08:27 AM

Maybe ;)

TrustZone provides for "secure" and "non-secure" memory accesses. Whether an access is secure or non-secure is signalled on the bus (AxPROT). It is up to the memory system designer to decide what to do with this signal. They could just ignore it - in which case you have no protection. Hopefully they won't have ignored it!!!

A possible set up is that out of reset all Flash is secure accessible only, with some mechanism for selectively making areas non-secure accessible. That way you can choose which parts are visible and which protected.

NOTE: It is not always required to prevent the Normal world from reading secure flash. In some cases it is Authenticity (it's genuine) and Integrity (it's not been messed with) that matter - not Confidentiality (no one else can read it). In such cases you need to prevent tampering and provide a mechanism to detect tampering.

#3 CodeMonkey

Posted 05 August 2011 - 07:34 AM

Hi ttfn,

Thanks for your reply. I agree we don't need confidentiality in some cases, but I am a little bit confused now. I think TrustZone Technology could provide confidentiality isolation between Secure and Normal worlds.

If we use SRAM/DRAM as main memory, I think TrustZone Technology can guarantee the isolation of two worlds (including confidentiality).

If we use NOR flash as the main memory, it should be the same.

However, if we use NAND flash as the secondary memory, does TrustZone Technology provide the isolation of NAND flash between Secure and Normal worlds?

#4 ttfn

Posted 05 August 2011 - 07:50 AM

The term "TrustZone" is often used in the wrong way - and this leads to confusion.

TrustZone is a set of architectural extensions IN THE PROCESSOR. It is these extensions which give you the two worlds (Normal and Secure), and the ability to signal an access as secure and non-secure memory.

So you have a Cortex-A9 (for example) which supports TrustZone. Is this enough to build a trusted system? NO!

When you do an access to your "secure" memory area the processor will generate secure accesses. When you do an access to your "non-secure" memory area the processor will generate non-secure accesses. The security of the access is signalled on the AxPROT signal in AXI. If your memory system ignores this signal (and many designs do) then you have __NO__ protection. This applies equally to RAM, flash and peripherals.

To have a secure system, it is not enough just to have a TrustZone enabled processor. You must also have a TrustZone aware memory system. What this means is logic in the bus to block non-secure accesses to secure memory. The ability to control which interrupts go to which world. And more!

In a TrustZone aware system you would expect the following components:
  • Protection Controller - Allows you to switch peripherals (e.g. a timer) between secure and non-secure accessible
  • Address Space Controller - Allows you to configure ranges of addresses (RAM/Flash) as being secure or non-secure accessible
  • TrustZone "aware" interrupt controller - Allows you to control which interrupts are secure and which non-secure
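Added example, not part of the original thread and not ARM code: a small C model of the bus-side filtering ttfn describes in posts #2 and #4, with all flash secure-only out of reset and ranges selectively opened to non-secure access. The struct and function names, the window limit and the flash addresses are hypothetical; the one real detail is that AxPROT[1] set marks a non-secure AXI access.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* AXI AxPROT[1]: 0 = secure access, 1 = non-secure access. */
#define AXPROT_NONSECURE (1u << 1)
#define MAX_WINDOWS 4

/* Hypothetical model of an address space controller; all-zero = reset state. */
struct window { uint32_t base, size; };
struct asc {
    struct window ns[MAX_WINDOWS]; /* ranges opened to non-secure access */
    size_t count;
    bool ignores_axprot;           /* true models a design that drops the signal */
};

/* Open a range to the Normal world. Only a secure access may reprogram the
 * controller, otherwise the Normal world could grant itself access. */
bool asc_open_window(struct asc *c, uint32_t axprot, uint32_t base, uint32_t size)
{
    if ((axprot & AXPROT_NONSECURE) || c->count == MAX_WINDOWS)
        return false;
    if (size == 0 || base + (size - 1) < base)   /* empty or wraps past 4 GiB */
        return false;
    c->ns[c->count++] = (struct window){ base, size };
    return true;
}

/* Decide whether the access [addr, addr + len) is allowed onto the bus. */
bool asc_allow(const struct asc *c, uint32_t axprot, uint32_t addr, uint32_t len)
{
    if (c->ignores_axprot || !(axprot & AXPROT_NONSECURE))
        return true;               /* secure access, or no filtering at all */
    for (size_t i = 0; i < c->count; i++) {
        const struct window *w = &c->ns[i];
        /* the whole access must fit in one window; written to avoid overflow */
        if (len != 0 && addr >= w->base && len <= w->size &&
            addr - w->base <= w->size - len)
            return true;
    }
    return false;                  /* default: secure-only */
}

int main(void)
{
    struct asc c = {0};            /* constructed layout: 1 MiB flash at 0x08000000 */
    asc_open_window(&c, 0, 0x08080000u, 0x00080000u);
    return asc_allow(&c, AXPROT_NONSECURE, 0x08000000u, 4) ? 1 : 0;
}
```

With `ignores_axprot` set, the same non-secure read of the secure half is allowed, which is the "no protection" case from post #4.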

#5 isogen74

Posted 05 August 2011 - 09:11 AM

If you want more information about the full system view of TrustZone in both the processor and all of the infrastructure around it the following might be of interest:


Iso


