As IoT Devices Proliferate, ARM introduces the Next Stage of Security
Debuted at ARM® TechCon 2015, (http://semimd.com/blog/2015/11/10/arm-debuts-embedded -architecture-new-64-bit-processor/), the ARMv8-M architecture addresses the embedded devices used in the billions of endpoint devices in the Internet of Things.
Caroline Hayes (CH), European Editor, Extension Media asks ARM’s Thomas Ensergueix how this new architecture meets the security needs of embedded devices.
CH: How is the ARMv8-M architecture optimised for low power, embedded applications? What are its target applications?
Thomas Ensergueix (TE), Director Product Marketing, CPU Group, ARM: Ten years ago, the design of the first ARM architecture for the embedded profile was created. The focus was on creating a rich solution focused on the best possible energy efficiency. The driving principal was the concept of “run fast then sleep”. 32-bit processing at lower clock frequencies yields the lowest possible system power. The resulting processor implementations utilised various low power techniques including sleep modes, deep sleep modes, clock gating, and software controlled power modes that are used today to build systems that last years on coin cell batteries.
ARMv8-M expands that heritage by adding ARM TrustZone®, the security foundation that will be the basis for future secure embedded designs. The same principles of energy efficiency have been applied to ARMv8-M, and hence, despite the changes in the architecture to support security, energy consumption is minimised as only a single instruction is required for user code to transition from the non-secure to the secure. The established low power architecture is fully maintained and extended to support security.
A key benefit of TrustZone for ARMv8-M is that it does not require a software-based hypervisor solution to implement security. Although hypervisors may have their place as part of a wider TrustZone-based system in application processors (depending on the needs of the application), they are not appropriate for microcontroller type applications where energy efficiency and real-time response are typically essential.
The embedded profile is used for all imaginable scenarios where a processor is used to perform a job autonomously, efficiently and often in energy-sipping applications. Target markets include general purpose and custom microcontrollers, mixed-signal devices for IoT, smart analog, connectivity, motor control, smart metering, human interface devices, automotive and industrial control systems, domestic household appliances, consumer products and medical instrumentation.
The ARMv8-M architecture targets the same markets. Embedded firmware is becoming a major part of the value add of the final product and a new architecture is a step in unifying how that firmware is distributed and protected against all sorts of attacks.
CH: What extensions have been added to create TrustZone for ARMv8-M?
TE: The focus of TrustZone is to create a separate trusted zone within the CPU and SoC, providing protection for the most valuable assets within a device. The focus for the implementation within ARMv8-M is to implement this security without moving away from the aims of very low energy and hard real time performance. In addition, TrustZone for ARMv8-M works with the new AMBA 5 AHB5 standard to extend the security separation to the rest of the SoC system.
The key addition for TrustZone is the hardware enforced security state transitions. Up to now, the embedded profile architecture had a Memory Protection Unit (MPU) that was used by the processor to police access to memory regions by different tasks or routines based on user defined configurations. The operation of the MPU is fully dynamic and is available to all code with the right level of privilege.
TrustZone was created for the processor to police access to secure and non- secure regions of memory. Software in the secure side creates the various regions with the required attributes at either start up or dynamically depending on the application requirements. In order to achieve fast transitions new instructions were added such as the “secure gateway” instruction. Other instructions were introduced as required to complete the security implementation, such as instructions to test memory before using pointers and other such addresses passed to routines on the secure side. Of course, TrustZone also takes into account interrupts from the secure and non-secure sides with the required register clean up and transitions.
CH: What benefits or features does each bring?
TE: The new Security Attribution Unit (SAU) works with the existing memory system, and therefore requires no new memory types or resources. Existing memory is sectioned into different regions with different security attributes with an external over-ride scheme. The arrangement may be static at start-up time or dynamic during operation. The key benefit is the separation between software modules running on the same device in a hermetic fashion. The non-secure side can no longer impact the operation of the secure side. The secure side is now a trusted piece of code that is used as the base of many services that will be offered at the system level. Introducing this unit within the ARM Cortex®-M product line will help the ARM ecosystem develop security software and tools and thus help product developers create secure products.. The single instruction for transitions keeps the very low power profile of Cortex-M processors and yields a fast transition time.
CH: What power advantages can be gained with the ARMv8-M over the earlier ARMv6-M, with regards to code execution and handling?
TE: The power advantages in ARMv6-M and ARMv7-M carry over to ARMv8-M (Figure 2).
It retains the 32-bit architecture and the ARM Thumb®-2 technology, for code density. Like the earlier versions, it is a ‘C’ friendly exception model and has a protected memory system support for use with Real-Time Operating Systems (RTOS) and the same real-time, deterministic interrupt response. It also shares the wide ARM ecosystem, a community of partners to support development.
The addition of system-wide security does not affect the key aim of keeping extreme high energy efficiency. Thus even with the system wide security, the architecture continues to offer the best in power efficiency. The ability to transition across to the trusted secure zone in one instruction is a major boost to low power for secure embedded systems and sets the bar for security in embedded systems.
CH: What software extensions are there for increased productivity?
TE: The MPU programmers model is now much more programmer friendly. Specifying a region is as simple as setting the start and end of the region. There is no longer a need to use multiple contiguous regions to create a custom sized one. The TrustZone programmer model should set a standard in the market for secure embedded solutions. This will bring more software investment from ARM’s ecosystem partners into developing secure solutions. In addition, the programmer’s model for TrustZone is such that the majority of developers can continue to use the programming model that Cortex-M offers, without needing to understand how TrustZone works.
ARMv8-M also makes it much easier to transition the software across product lines that use Cortex-M processors, thus improving overall productivity.
CH: What are the features developed for ARM AMBA® 5 AHB5 (Advanced Microcontroller Bus Architecture, Advanced High-performance Bus 5) that can be exploited by the ARMv8-M architecture and for what ends?
TE: With AHB5, every memory address now holds a security state attribution that is used to create TrustZone-aware systems. This security state is propagated across the device with AHB5 signals that were not present in AHB-Lite.
In addition, the bus attributes were extended to support cache allocation/look-up and shareable memory types supporting more complex higher performance multi master systems.
All implementations of the ARMv8-M architecture will have support for exclusive access operations, which alongside AHB5, reduces the complexity of creating multi-core embedded solutions.
AHB5 also supports user-defined signals for propagating additional information across an interface.
Finally, AHB5 builds upon the previous generation AHB-Lite specification, is backwards compatible and enables easy migration to support the ARMv8-M architecture.