Designing Security & Trust into Connected Devices

Eric Wang, Senior Technical Marketing Manager, ARM
ARM Tech Forum, The Ritz-Carlton, Shenzhen
June 14, 2016

Transcript of the 24-slide presentation.

Slide 1: Title slide (title, speaker, venue and date as above)

Slide 2: Agenda

Introduction
Security Foundations on Cortex-A
Security Foundations on Cortex-M
Use cases
Certification
Summary

Slide 3: ARM TrustZone Technology, A Security Foundation

Use cases today: Content Protection, Mobile Payment, Authentication, Enterprise Security

Slide 4: Security is a Balance

HW attacks
• Physical access to device: JTAG, bus, IO pins
• Well resourced and funded
• Time, money & equipment

Software attacks
• Buffer overflows
• Interrupts
• Malware

Communication attacks
• Man in the middle
• Weak RNG
• Code vulnerabilities

[Chart: cost/effort to attack plotted against cost/effort to secure, with Level 1, Level 2 and Level 3 marked]

Slide 5: ARM Builds Layers of Hardware Security, a Hierarchy of Trust

Secure Domain: security subsystem or SE; an isolated and small security boundary
Trusted Domain: trusted code and data, with TrustZone and trusted software
Protected Domain: hypervisor and virtual machines
Rich Domain: rich OS and user applications

Slide 6: Security Foundations for Cortex-A

Software: ARM Trusted Firmware & 3rd party TEE ecosystem; security certification for the TEE via GlobalPlatform
TrustZone for ARMv8-A & ARMv7-A: established architecture protecting billions of devices and services; TrustZone Media Protection Architecture
TrustZone CryptoCell-710: configurable security subsystem that adds a deep layer of hardware-based security, easily integrated into the SoC

Slide 7: TrustZone Based Trusted Execution Environment

Hardware root of trust: a basis for system integrity; integrity through Trusted Boot
Secure peripheral access: screen, keypad, fingerprint sensor etc.
Secure application execution: the technology called TrustZone
Trust established outwards: with normal world apps; with internet/cloud apps
Mobile devices with integrated HW security: ARM Trusted Firmware, CryptoCell

Slide 8: Cortex-A: Putting it All Together

[Diagram: the software stack by exception level]
EL3: ARM Trusted Firmware, with its SoC/platform port and the Trusted OS Dispatcher
EL1/EL2: Normal World OS, containing the TOS driver
EL0: App, using the TOS library
Secure-EL1: Trusted OS
Secure-EL0: Trusted App

Interfaces shown:
App to TOS driver: TOS specific protocol via ioctl
Normal World OS to ARM Trusted Firmware: TOS specific protocol via SMC
Trusted Firmware to Trusted OS Dispatcher: TOS specific protocol and mechanism (dispatcher from OSS or a TEE vendor)
Trusted Firmware to SoC/platform: porting interface

Hardware side: Trusted Peripherals, Security Subsystem (TrustZone CryptoCell), Crypto, HDMI/HDCP, Mali GPU; covered by the Security Platform Design Documents

Slide 9: TEE has a Protection Profile Certified by Common Criteria

Proposed scheme has security certification of a reference implementation AND of the OEM product, looking at the deltas
Objective is to reduce time to certification by an OEM to 2-3 months
Independent security assessment vs. "Trust Me"
GlobalPlatform TEE Certification, evaluation scope: secure boot, HW features, Trusted OS

Slide 10: IoT Security Enables New Business Opportunities

If you can trust devices and the little data, you can transform industries.
Electricity meter example: if you can trust a remote meter reading on a consumer meter, there is no need to send someone to the house, and billing costs are reduced.
Home security example: if you can trust a connected security system, you will be more likely to purchase and enable remote monitoring.

Slide 11: How Do We Build the Internet of Trustworthy Things?

Make end-to-end security easier by providing right-sized secure foundations that scale for different use cases and market needs.
Make it easier: build security in, or enable easy integration of subsystems; trusted software that is free and easy to use
Make it right sized: security for any ARM platform; provide multiple solutions
Keep it agile

Slide 12: Security Foundations for Cortex-M

Software: mbed OS, mbed uVisor, mbed TLS & 3rd party ecosystem
TrustZone for ARMv8-M: new microcontroller architecture gains TrustZone
TrustZone CryptoCell-310: adds a configurable security system close to the root of trust, suitable for microcontrollers


Slide 14: TrustZone for ARMv8-A and TrustZone for ARMv8-M

[Diagram: two side-by-side system pictures]
TrustZone for ARMv8-A (applications processors): the Normal World runs a Rich OS (e.g. Linux) with Non Secure Apps; the Secure World runs a Secure OS with Secure Apps; the Secure Monitor sits between the two worlds.
TrustZone for ARMv8-M (microcontroller): the Normal World runs a Non Secure RTOS with Non Secure Apps; the Secure World runs a Secure RTOS with Secure Apps/Libs; the TrustZone hardware of the ARMv8-M microcontroller separates the two worlds.

Slide 15: ARM TrustZone Architecture Extensions

Feature/Architecture | TrustZone ARMv7-A & ARMv8-A | TrustZone for ARMv8-M
Additional Security States | SEL0* (Trusted Apps); SEL1 (Trusted OS); EL3 (Trusted Boot & Firmware, ARMv8-A) | Secure Thread (trusted code/data); Secure Handler (trusted device drivers, RTOS, library managers...)
Secure Interrupts | Yes | Yes (fast)
State Transition (boundary crossing) | Software transition | Hardware transition (fast)
Memory Management | Virtual memory MMU with secure attributes | Secure Attribution Unit (SAU) & MPU memory partitions
System Interconnect Security | Yes | Yes
Secure Code, Data and Memory | Yes | Yes
Trusted Boot | Yes | Yes
Software | ARM Trusted Firmware (+ 3rd party TEEs) | Keil CMSIS, ARM mbed OS, mbed uVisor + 3rd party software

*Secure Exception Level
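The SAU row of the table is the mechanism that decides which world owns an address on ARMv8-M. The following is an added example, not code from the ARM deck: a software model of the SAU lookup over a hypothetical, constructed region table, plus the range check a Secure entry function must run on a buffer handed over from the Non-secure world before touching it. The IDAU is not modelled and the addresses are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Security attribute the SAU assigns to an address. */
enum sau_attr { ATTR_SECURE, ATTR_NSC, ATTR_NONSECURE };

struct sau_region { bool enabled; uint32_t base, limit; bool nsc; };

/* Constructed region table (hypothetical memory map, 32-byte aligned as the
 * real SAU requires): NS code, NS data, an NSC veneer area, and one region
 * deliberately overlapping NS data to show the overlap rule. */
static const struct sau_region sau[] = {
    { true, 0x00200000u, 0x003FFFFFu, false }, /* Non-secure code */
    { true, 0x20200000u, 0x203FFFFFu, false }, /* Non-secure data */
    { true, 0x001FF000u, 0x001FFFFFu, true  }, /* Non-secure callable veneers */
    { true, 0x20300000u, 0x2030FFFFu, false }, /* overlaps NS data: resolves to Secure */
};
#define SAU_NREGIONS (sizeof sau / sizeof sau[0])

/* Architectural rule (IDAU not modelled): no region hit -> Secure; exactly
 * one hit -> Non-secure, or NSC if the region's NSC bit is set; more than
 * one hit -> Secure, the safe default. */
enum sau_attr sau_lookup(uint32_t addr)
{
    int hits = 0;
    enum sau_attr attr = ATTR_SECURE;
    for (size_t i = 0; i < SAU_NREGIONS; i++) {
        const struct sau_region *r = &sau[i];
        if (!r->enabled || addr < r->base || addr > r->limit)
            continue;
        hits++;
        attr = r->nsc ? ATTR_NSC : ATTR_NONSECURE;
    }
    return hits == 1 ? attr : ATTR_SECURE;
}

/* What a Secure entry function must do with a (pointer, length) pair received
 * from Non-secure code: confirm every byte is Non-secure, so the caller cannot
 * make the Secure side read or write Secure memory on its behalf. Rejects
 * empty and address-wrapping ranges. One check per 32-byte granule suffices
 * because SAU region bounds are 32-byte aligned. */
bool ns_buffer_ok(uint32_t ptr, uint32_t len)
{
    if (len == 0 || ptr + len - 1 < ptr)   /* unsigned wrap-around */
        return false;
    uint64_t end = (uint64_t)ptr + len - 1;
    for (uint64_t a = ptr & ~31u; a <= end; a += 32)
        if (sau_lookup((uint32_t)a) != ATTR_NONSECURE)
            return false;
    return true;
}
```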

Slide 16: Security on Next Generation Cortex-M

[Diagram: software stack on an ARM Cortex-M v8-M microcontroller; only the labels are recoverable from the transcript]
Hardware and physical IP: ARM Cortex-M v8-M microcontroller; CryptoCell with TRNG, Unique ID, accelerators/services and Secure Storage
Privileged side: uVisor, hardware interfaces
Unprivileged side: RTOS, device drivers, platform code, Trusted Firmware
Normal World code: apps/user, comms stack, TLS/crypto libs
Trusted software: trusted apps, secure libs, crypto
TrustZone based uVisor is the key building block

Slide 17: AMBA 5 AHB5: Extending Security to the System

[Diagram: CPU, DMA, Flash, SRAM, Trusted Peripheral B (trusted region) and Non-Trusted Peripheral A (non-trusted region) connected through an AMBA 5 AHB5 interconnect]
Extends the security foundation to the SoC
Efficient security control across all of the SoC
Optimized for embedded SoCs
Security state extends across Cortex-A and Cortex-M systems

Slide 18: AMBA 5 AHB5: Extending Security to the System (continued)

[Diagram: as on slide 17, with TrustZone CryptoCell-310 in the trusted region alongside Flash, while Non-Trusted Peripheral A, DMA and SRAM sit on the AMBA 5 AHB5 interconnect]
Extends the security foundation to the SoC
Efficient security control across all of the SoC
Optimized for embedded SoCs
Security state extends across Cortex-A and Cortex-M systems

Slide 19: Secure Foundations for Services

[Diagram: three layers]
Software / OS: mbed OS, mbed uVisor (resource sharing, key management, protecting system resources)
Communication: mbed TLS (communication protocols, secure authentication)
Hardware/System: TrustZone, CryptoCell (Root of Trust), System IP, AMBA 5

Slide 20: TrustZone CryptoCell for Every Platform

CryptoCell acts as a trust anchor and security subsystem for the platform.

[Diagram: the ARMv8-A and ARMv8-M system pictures from slide 14 (Normal World with a Rich OS e.g. Linux or a Non Secure RTOS and Non Secure Apps; Secure World with a Secure OS or Secure RTOS and Secure Apps/Libs; Secure Monitor or TrustZone between the worlds), each paired with a CryptoCell block]
CryptoCell-710 (Cortex-A platforms) and CryptoCell-310 (Cortex-M platforms) each contain: asymmetric crypto, symmetric crypto, a data interface, a control interface, security resources, roots of trust, and an always-on block.

Slide 21: Chain of Trust Starts with Initial ROT

[Diagram: stack from TrustZone CryptoCell (iROT) up through TrustZone TEE or uVisor, Hypervisor (Cortex-A), Guest OS and Apps]
Keys: provisioned keys/data at factory
Initial Root of Trust: e.g. CryptoCell security functions
Extended Root of Trust: e.g. TrustZone based TEE
Launch of authenticated Hypervisor
OS / App integrity

Slide 22: Secure Foundations From Sensor to Servers

Connectivity, Efficiency, Management, Productivity, Security
mbed OS, mbed TLS, mbed OS uVisor, TrustZone for ARMv8-M, TrustZone CryptoCell

Slide 23: Summary

Security is a place where partners can differentiate, e.g. certification, provisioning, services...
ARM provides the building blocks for security on Cortex-A: Security Platform Design Docs; standards, e.g. GlobalPlatform; open source, e.g. ARM Trusted Firmware, uVisor & Linaro OP-TEE; ecosystem, e.g. Trustonic, BeanPod and other commercial TEE providers
TrustZone for v8-M brings the familiar security architecture to the lowest cost points; TrustZone based uVisor & CMSIS-RTOS provide useful building blocks
CryptoCell provides the Root of Trust to the system & a toolbox of security functions

Slide 24

The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.

Copyright © 2016 ARM Limited

Thank you!