The Wayback Machine - https://web.archive.org/web/20120512125109/http://www.arm.com/products/secure-services/index.php

Secure Services

ARM takes a system-wide approach to security, starting at the deepest hardware and software levels. This approach gives service providers a secure base for their high-value services. At the heart of it is our foundation security technology, TrustZone®.

TrustZone technology-based chipsets, enabled with trusted operating software, provide consumers and enterprises with the secure environment needed to process and protect critical code and information. The Secure Services division works with its partners and standards organizations to:

  • Make it easier and quicker to develop platforms and devices with robust security based on TrustZone
  • Make it easy for service providers to embrace these new capabilities and thus deliver new, better and more powerful services to their customers

Cutting-edge devices such as smartphones and tablets provide consumers with high-value experiences based on an expanding set of services. These range from productivity solutions such as access to email and corporate VPN, to online commerce and banking, to entertainment in the form of music and video, and many more.

However, such is the capability and performance of today's mobile devices that a new approach is required to match the services consumers demand with the risk that asset owners are willing to accept. To realize their fullest potential, mobile devices require not just power efficiency and performance but also security.

ARM is working with its Partners and standards organisations to make it easier and quicker to develop platforms and devices with robust security based on TrustZone® technology. As part of this initiative ARM has created the TrustZone Ready Program, which has been designed to simplify the development of chipsets and devices with a hardware-backed Trusted Execution Environment (TEE).

Legacy Approaches

We have become used to the legacy PC user experience, where the system is continuously under attack from a wide range of threats such as viruses, malware, man-in-the-middle and man-in-the-browser attacks, keyloggers and zero-day attacks (which make use of undetected vulnerabilities).

The problem of securing large computing systems has led to the provision of an array of separate trusted hardware, such as One Time Password dongles, credit card/PIN derived pass codes and complicated protocols for authentication. This growing array of hardware needed to access your bank or corporate network makes for a poor user experience, for example limiting access to your bank account to the times when you have the dongle in reach.

High value services demand trusted platforms that can provide protection from software attack and enable critical code and valuable data to be securely protected. As we move to the "Internet of Things" era, with billions of smart connected devices, a new approach is required: a Trusted Execution Environment built on specialized hardware (TrustZone) that is available in a wide selection of modern ARM application processors.

Applications such as payment, online banking, content protection and enterprise authentication can improve their integrity, capability and user experience by making use of three key capabilities that TrustZone technology-enhanced devices provide:

  • A secure execution environment for software, safe from malicious software attacks emanating from rich operating systems
  • A known-good hardware root of trust to check the integrity of data and applications in the rich operating system world, safe in the knowledge that the secure environment cannot be compromised
  • Access on demand to secure peripherals such as memory, the keyboard/touchscreen, and even the display

ARM TrustZone technology-based devices, combined with open APIs, provide the Trusted Execution Environment (TEE) with the capabilities and consistency developers need to realize new services through a new type of software: the Trusted Application. A typical trusted application may have part of its code in the normal world and part in the secure world, the latter dealing, for example, with key storage and manipulation. The TEE also provides isolation from other trusted applications, so that multiple trusted services can co-exist.

The standardization of TEE APIs is being managed by GlobalPlatform, which will enable a market for interoperable trusted applications and services from service providers, operators and OEMs.
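The split described above, with key storage and manipulation kept in the secure world and only results returned to the normal world, can be illustrated with a small model. The following C code is an added example written for this page; it is not ARM's hardware interface nor the GlobalPlatform TEE API. The `tz_*` entry points, the `key_slot` table, the trusted-application identifiers and the FNV-1a based `toy_mac` (a stand-in for a real MAC such as HMAC) are all constructed for the illustration. What it shows is the design property the text relies on: normal-world code receives only an opaque handle, the key bytes never cross the boundary, one trusted application cannot use another's key, and an integrity check on normal-world data is performed entirely inside the secure side.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Conceptual model of a normal-world / secure-world split, written for this page.
 * Not ARM's hardware or the GlobalPlatform TEE API: the "secure world" is the static
 * data and functions marked below, reachable only through the tz_* entry points. */

#define MAX_KEYS 4
#define KEY_LEN  16
#define MAC_LEN  8
enum tz_status { TZ_OK = 0, TZ_BAD_HANDLE, TZ_ACCESS_DENIED, TZ_NO_SPACE };
typedef uint32_t tz_handle;

/* ---- secure world: nothing here is reachable except via the tz_* calls ---- */
struct key_slot {
    int in_use; uint32_t owner_ta;  /* trusted application that owns this key   */
    uint8_t key[KEY_LEN];           /* never copied out of the secure world      */
};
static struct key_slot g_keys[MAX_KEYS];

/* Toy keyed hash (FNV-1a over key || message) standing in for a real MAC such as
 * HMAC; constructed for this model only and not cryptographically secure. */
static uint64_t toy_mac(const uint8_t *key, const uint8_t *msg, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < KEY_LEN; i++) { h ^= key[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < len; i++)     { h ^= msg[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Constant-time tag comparison: the verify path must not leak via early exit. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Resolve a handle, enforcing that only the owning trusted application may use it. */
static struct key_slot *lookup(uint32_t ta_id, tz_handle h, enum tz_status *st) {
    if (h == 0 || h > MAX_KEYS || !g_keys[h - 1].in_use) { *st = TZ_BAD_HANDLE; return NULL; }
    if (g_keys[h - 1].owner_ta != ta_id) { *st = TZ_ACCESS_DENIED; return NULL; }
    *st = TZ_OK;
    return &g_keys[h - 1];
}

/* ---- entry points: the boundary the normal world calls across ----
 * Create a key inside the secure world; the caller receives only a handle.
 * 'seed' stands in for the secure world's own random source in this model. */
enum tz_status tz_generate_key(uint32_t ta_id, const uint8_t seed[KEY_LEN], tz_handle *out) {
    for (uint32_t i = 0; i < MAX_KEYS; i++) {
        if (!g_keys[i].in_use) {
            g_keys[i].in_use = 1;
            g_keys[i].owner_ta = ta_id;
            memcpy(g_keys[i].key, seed, KEY_LEN);
            *out = i + 1;               /* handle 0 is reserved as invalid */
            return TZ_OK;
        }
    }
    return TZ_NO_SPACE;
}

/* Tag normal-world data with a key that stays inside the secure world. */
enum tz_status tz_mac(uint32_t ta_id, tz_handle h, const uint8_t *msg, size_t len,
                      uint8_t mac[MAC_LEN]) {
    enum tz_status st;
    struct key_slot *k = lookup(ta_id, h, &st);
    if (!k) return st;
    uint64_t m = toy_mac(k->key, msg, len);
    for (int i = 0; i < MAC_LEN; i++) mac[i] = (uint8_t)(m >> (8 * i));
    return TZ_OK;
}

/* Root-of-trust style check: does a normal-world image still match its tag? */
enum tz_status tz_verify(uint32_t ta_id, tz_handle h, const uint8_t *msg, size_t len,
                         const uint8_t mac[MAC_LEN], int *valid) {
    uint8_t expect[MAC_LEN];
    enum tz_status st = tz_mac(ta_id, h, msg, len, expect);
    if (st != TZ_OK) return st;
    *valid = ct_equal(expect, mac, MAC_LEN);
    return TZ_OK;
}

/* Normal-world walkthrough with constructed data. Returns 0 when every expectation holds. */
int tz_demo(void) {
    static const uint8_t seed[KEY_LEN] = { 0xA5, 0x5A, 0xA5, 0x5A, 0xA5, 0x5A, 0xA5, 0x5A,
                                           0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
    static const uint8_t image[] = "constructed firmware image";  /* constructed sample */
    const uint32_t bank_ta = 0x1001, other_ta = 0x2002;           /* constructed TA ids */
    tz_handle key; uint8_t tag[MAC_LEN]; int ok = 0;
    if (tz_generate_key(bank_ta, seed, &key) != TZ_OK) return 1;
    if (tz_mac(bank_ta, key, image, sizeof image, tag) != TZ_OK) return 2;
    if (tz_verify(bank_ta, key, image, sizeof image, tag, &ok) != TZ_OK || !ok) return 3;
    uint8_t tampered[sizeof image];                 /* flip one bit: verification must fail */
    memcpy(tampered, image, sizeof image);
    tampered[0] ^= 0x01;
    if (tz_verify(bank_ta, key, tampered, sizeof image, tag, &ok) != TZ_OK || ok) return 4;
    if (tz_mac(other_ta, key, image, sizeof image, tag) != TZ_ACCESS_DENIED) return 5; /* isolation */
    return 0;
}
```

In a real TrustZone system the `tz_*` boundary is the secure monitor call and the `g_keys` table lives in memory that the hardware marks secure, so the normal world cannot reach it even with a kernel-level compromise; the model reproduces only the interface discipline (handles in, results out, owner checks on every call), which is the part a trusted-application developer controls.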

ARM TrustZone technology removes the need for separate secure hardware to authenticate the integrity of a device, or indeed of a user. It does this by providing a true hardware root of trust in the main mobile chipset.

To ensure that the application making the assertion of trust has not itself been tampered with, TrustZone also provides a secure execution environment where only trusted applications can operate, safe from hacker/virus/malware style attacks: a Trusted Execution Environment (TEE).

TrustZone hardware provides the isolation of the TEE from software attack vectors. The hardware isolation extends to securing data input and output all the way to the physical peripheral, including, for example, the keypad/touchscreen.

Armed with these key capabilities, chipsets equipped with TrustZone technology provide a wealth of opportunities to redefine the services users can access (more, better), how they access them (faster, easier), and where they can access them (anywhere, anytime).

For more detailed information on TrustZone technology, see the TrustZone technology pages.
For information on efficiently designing and implementing secure systems, see the TrustZone Ready Program.


ARM provides a broad range of technology to enable the development of next-generation secure devices, including processor IP, System IP and development tools (below). In addition to SoC intellectual property, ARM provides the TrustZone Ready Program, a cohesive set of design recommendations and market requirements to help silicon partners and OEMs design the appropriate security features for their platform. Organisations looking to develop trusted platforms are recommended to contact ARM to discuss their development needs.

Processor IP

Cortex-A Series Processors
The ARM Cortex™-A series of applications processors provides an entire range of solutions for devices hosting a rich OS platform and user applications, ranging from ultra-low-cost handsets through smartphones, mobile computing platforms, digital TV and set-top boxes to enterprise networking, printers and server solutions.

Every Cortex-A series processor includes TrustZone security technology within its architecture.

The Cortex-A series consists of the Cortex-A15, the Cortex-A9, the Cortex-A8, the Cortex-A7 and the Cortex-A5 processors.

SecurCore Processors
The ARM SecurCore™ processor family provides powerful 32-bit secure solutions based upon the industry-leading ARM architecture. SecurCore processors can be used in a wide range of security applications, outperforming legacy 8-bit or 16-bit secure processors.

The ARM SecurCore series consists of the SC000, the SC100 and the SC300 processors.

System IP

ARM CoreLink™ system IP components are essential for building complex systems on chip; by utilizing System IP components, developers can significantly reduce development and validation cycles, saving cost and reducing time to market.

Description:

  • CoreLink NIC-301 Network Interconnect
  • CoreLink DMA-300 DMA Controller
  • CoreLink L2C-310 Level 2 Cache Controller
  • CoreLink DMC-340 Dynamic Memory Controller
  • CoreLink DMC-400 Dynamic Memory Controller
  • CoreLink TZC-380 CoreSight Address Space Controller
  • CoreSight CDK-11 CoreSight Design Kit


Tools Support

All ARM processors are supported by the ARM Development Studio 5 (DS-5™) tool suite, as well as by a wide range of third-party tools, operating system and EDA vendors. ARM DS-5 software development tools are unique in their ability to provide solutions that take full advantage of the complete ARM technology portfolio.


An organisation looking to develop a trusted application will need target hardware that includes a build of the TEE as well as the normal OS. This could be a SoC development board from a chip vendor or a device from an OEM. ARM has partnered with well-known Secure OS partners G&D and Trusted Logic Mobility, who can provide a small, certifiable and trusted OS as well as Trusted Service Management technology to manage the life cycle of trusted applications. It is likely that legal agreements will be needed (for example an evaluation license for the Trusted OS software, an NDA, etc.).

The designer is also likely to want a JTAG port on the target hardware that allows debug access to the secure world as well as the normal world, and developer tools that are compatible with the target trusted OS. The latest version of the ARM Development Studio 5 (DS-5™) development suite includes functionality to simultaneously debug trusted-world and normal-world code.
