a developer's guide to security on cortex-m based mcus · 2019-12-09 · cortex-m23/cortex-m33...

© 2018 Arm Limited

Nazir SArm Tech Symposia India

A Developer's Guide to Security

on Cortex-M based MCUs

2 © 2018 Arm Limited

Agenda

• Why do we need security?

• Types of attacks and security assessments

• Introduction to TrustZone

• What is physical security?

• Processor selection

• Secure software development

© 2018 Arm Limited

Why do we need security?


Security is not optional anymore

Billions of IoT devices Data integrity, security & privacy

Potential losses of hacks, breaches


Arm CryptoCell

TEE for Cortex-A

Cortex-A with

TrustZone

SecurCore

Security is an integral part of the DNA of Arm

ArmCryptoIsland

Secure Enclave

iSIM technologyKigen family

PlatformSecurity

Architecture (PSA) launched

PSA threat models

PSA Trusted Firmware

(TF-M)

Armv8-M processors:

Cortex-M23 and Cortex-M33 with Arm TrustZone

Arm security

manifesto

Mbed

Physical security enhancements

Arm IP protects againsta wide set of attacks

2004 2018…

Physical vulnerabilities

Communication vulnerabilities

Lifecycle vulnerabilities

Software vulnerabilities


Matching the attack with the right mitigation

Lifecycle

Communication Software

Physical


How much security is needed?

Software & hardware attacks• Physical access to device

– JTAG, Bus, IO Pins,• Time, money & equipment

Software attacks & lightweight hardware attacks• Buffer overflows• Interrupts• Malware

Communication attacks• Man In The Middle• Weak RNG• Code vulnerabilities

Cost/effort to attack

Cost/effort to secure

TLS/SSL

Security subsystem& enclave

TrustZone-based TEE

Secure element

*Trusted Execution Environment/ Secure Partitioning Manager

Secure IoT

© 2018 Arm Limited

Introduction to TrustZone


Efficient TrustZone security isolation

• Comprehensive• Secure, holistic protection across the

entire processor and system

• Simple to use• Transparent to software developer• Same programmers’ model

• Optimized for small embedded• Hardware enforced isolation• Deterministic, low-latency interrupts

Secure servicesFirmware

Secure data

Trustedview

Data

Secure firmware

Two worlds - one CPUReal-time transition*

CPU resources

Non-trusted

Trusted

Memory

Peripherals

Non-trustedview

*≤2 cycles


Security for all embedded applications

• Root of trust applications - IoT IP Protection

Trusted drivers

Trusted hardware

Valuable firmware

Sandboxing

Trusted drivers

Trusted hardware

Certified OS / functionality

Trusted software

Crypto TRNG*

Trusted hardware

Secure system

Securestorage

Trusted Untrusted

* True random number generator


Device security: secure partitioning for MCUs

• Split memory into private secure and public non-secure

• Small private footprint enables exhaustive verification

• Public code never sees keys/secrets

• Vulnerabilities on public side can’t affect private side

• Private side can verify integrity of the public side

• Public code can’t write code directly to Flash

• Private side can reliably recover device to clean state

ApplicationProtocol

SSL Library

Diagnose

WiFi Stack

BLE Stack

Device Management

Secure Storage

Crypto Keys

Secure ID

Crypto API

Firmware Update

RNG

Public Private / Secure

Cloud

© 2018 Arm Limited

Lifecycle & PhysicalSecurity


Lifecycle security

Wafer sort/final test

CM/OEM Customer Repair

Program unique ID,

certificates, secure

bootloader

Disable debug

Encrypted download of secure image, and app image via bootloader

Secure firmware update

Check for rollback, verify


Defending silicon vulnerabilities

Power and EM analysis Fault injection attacks Invasive attacks/tampering

Can we build an IP solution portfolio that can address these threats efficiently at the source?

Can we integrate the solution to these three vulnerabilities into a single IP?


Proliferation of the need for physical security

© 2018 Arm Limited

Processor Selection


Security layers

Memory protection unit(MPU)

TrustZone for Armv8-M

Physical security

Cortex-M0

Cortex-M0+

Cortex-M3

Cortex-M4

Cortex-M7

Cortex-M23

Cortex-M33

Cortex-M35P


Cortex-M23: Ultra low power with TrustZone

Enhanced capability▪ Increased performance▪ Multi-core system support▪ 240 interrupts▪ Hardware stack checking

Security foundation▪ System wide security with

TrustZone technology

Ultra-high efficiency▪ Flexible sleep modes▪ Extensive clock gating▪ Optional state retention

Enhanced & secure debug▪ Security aware debug▪ Simplified firmware

development▪ Embedded trace macrocell

Enhanced memory protection▪ Easy to program▪ Dedicated protection for both

secure and non-secure states

Smallest area, lowest power▪ With TrustZone, same energy

efficiency as Cortex-M0+


Cortex-M33: Security for diverse embedded markets

Security foundation▪ System-wide security with

TrustZone technology

Extensible compute▪ Co-processor interface for

tightly-coupled acceleration

Enhanced memory protection▪ Easy to program▪ Dedicated protection for both

secure and non-secure states

32-bit processor of choice▪ Optimal balance between

performance and power▪ 20% greater performance

than Cortex-M4▪ With TrustZone, same energy

efficiency as Cortex-M4

Enhanced & secure debug▪ Security aware debug▪ Simplified firmware

development

Digital signal control▪ Bring DSP to all developers▪ FPU offering up to 10x

performance over software


Cortex-M35P: Physical security for high-value applications

Highest security▪ Customizable anti-tampering

and side channel attack mitigation

Extensible compute▪ Co-processor interface for

tightly-coupled acceleration

Security and safety packages▪ Commercial, automotive▪ Provides basis for certification

Increased performance▪ 5x Flash frequency boost

thanks to instruction cache▪ 3.5x boost for DSP

applications▪ +20% integer performance

boost Enhanced & secure debug▪ Security aware debug▪ Simplified firmware

development

Dual-core lockstep▪ Partial or full lockstep▪ Security and safety


Total security: scalable protection for all attack types

Cortex-M23/Cortex-M33 - First Cortex-M processors with TrustZone

Cortex-M35P - A new Cortex-M processor with tamper resistance and software isolation

CryptoCell-312/P - Cryptography and lifecycle IP with or without physical security mitigation

CryptoIsland-300/P - Secure enclave IP with or without physical security mitigation

Securityis key for IoT to scale

to 1 trillion

Advanced protection

is critical as physical security attacks are getting easier and

cheaper

Designers can use

Arm’s Platform Security

Architecture to assess threats

Arm makes

security accessible

to all embedded and IoT designers


Arm secure foundation solutions

Complete system approach

• CorStone foundation IP (formerly SDKs):• Pre-verified, configurable system and

subsystem IP• Modifiable subsystem IP• Pre-integrated with processor and security IP

• Development tools (including FPGA/test chip boards)

• CorStone-ready software (e.g. Mbed OS)


PROJECT

Existing IoT applicationMixed Secure and Non-secure code

• MPU used for process protection

• Crypto keys & certificates stored in non-readable memory.

• Requires auditing of all code to protect against software vulnerabilities.

Boot & boot loader

Firmware update

Crypto library

User application

RTOSStart

Function calls

Communicationsstack Function calls

Crypto keys, certificates


Secure stateNon-secure state

Developing code for secure IoT applications Composing a system from Secure and Non-secure projects

• Partition project – place minimal security related code in secure project

• Non-secure project cannot access Secure resources.

• Secure project can access everything.

• Secure andNon-secure projects may implement independent time scheduling.

USER PROJECT SECURE PROJECT

Secure boot &bootloader

Firmware update

Crypto library

User application

RTOSStart

Function calls

Communicationsstack Function calls

Crypto keys, certificates


IoT: Secure, Easier and More Scalable with Arm

Scalable | Secure | Consistent programming | Services capable

Secure IoT Platform

Secure foundation IP

Identity Certification of secure platforms

Device management, & provisioning

Diverse partner ecosystem

Operating system


Get started with security on Arm

• IoT security is not optional

• Consider attack types – communication, software, life cycle and physical

• Platform Security Architecture provides a blueprint for secure design

• TrustZone provides software isolation to reduce the attack surface

Visit Arm TrustZone on Arm Community for more information to get started

https://www.arm.com/why-arm/technologies/trustzone-for-cortex-m

2828

The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.

www.arm.com/company/policies/trademarks

© 2018 Arm Limited

a developer's guide to security on cortex-m based mcus · 2019-12-09 · cortex-m23/cortex-m33...

Documents