The term "TrustZone" is somewhat confusingly used when referring to any of the following:
- The security extensions to the ARM architecture and the protection type signals in the AMBA3 AXI bus.
- The TrustZone Software product.
- TrustZone "support" or TrustZone "enabled".
What are the security extensions?
The security extensions to ARMv6 and later add the concepts of "secure" and "non-secure" states and a "secure monitor mode" used for switching between the two. A new instruction - SMC, Secure Monitor Call - has been added for switching execution from any privileged mode to the entry point of the secure monitor.
The AMBA3 AXI bus implements two new signals - ARPROT and AWPROT, collectively referred to as AxPROT. These indicate, for read and write transactions respectively, whether the current transaction is secure or non-secure.
Note: This does not necessarily indicate the state of the core, as it is possible for the secure world to perform non-secure accesses.
What is TrustZone Software?
TrustZone Software provides a minimal secure kernel which can be run in parallel with a more fully featured "Rich OS", such as Linux, Symbian or Windows CE - on the same core. It also provides drivers for the Rich OS ("normal world") to communicate with the secure kernel ("secure world").
TrustZone Software uses the security extensions to completely protect the secure kernel, and any secure peripherals, from code running in the normal world. This means that even if an attacker manages to obtain full supervisor privileges in the Rich OS, he cannot gain access to the secure world.
It is supplied with a secure monitor, for switching between secure and normal world, and an example secure first-stage bootloader.
For systems without the security extensions, TrustZone Software Emulation Version can be used to provide a software environment fully compatible with the TrustZone Software on systems with security extensions.
Systems with a separate ARM processor dedicated for security can use the TrustZone Software Multicore - running the secure kernel on its own CPU.
The secure operating system contains a STIP (see http://www.globalplatform.org/) interpreter, which can run "stiplets" in a secure sandbox environment. Using the Native Service API, it is also possible to develop native applications for the secure world.
What do the terms "TrustZone support" and "TrustZone enabled" mean?
Simply put, these terms refer to cores or peripherals making use of the AxPROT signals to distinguish between secure and non-secure accesses - and modifying their behaviour accordingly.
For example, the L220 Level 2 cache controller stores an extra bit for each cache line describing whether the line was filled as a result of a secure or non-secure access. It will then return a miss if the non-secure world tries to access data that is in the cache, but tagged as secure.
More information can be found in below: