[PR] ZAYA OS expands support for Arm TrustZone technology for Armv8-M to include the “Secure World”.

Updated: Jan 28

Cambridge, UK - January 28, 2022. ZAYA Secure OS and ZAYA Secure Microcontainers (ZAYA μContainers), an initial supporter of the PSA Certified security framework and evaluation initiative, today announce that they have expanded their support for Arm® TrustZone® technology for Armv8-M, enabling a deployment friendly environment for secure IoT development.

Enhanced Support for Arm TrustZone

Arm TrustZone technology offers an efficient, system-wide approach to security with hardware-enforced isolation built into Armv8-M based CPUs (including the Arm Cortex®-M23, Cortex-M33 and Cortex-M55 processors). TrustZone provides a hidden hardware isolated region in the processor and across the SoC that is often referred to as the Secure Processing Environment (SPE) or “Secure World”. It is used with Trusted Firmware to create a Root of Trust that provides a source of confidentiality and integrity for the system. For a number of years, ZAYA has supported Arm TrustZone in the Non-Secure World, but by announcing an expansion to the Secure World, they are offering a unique solution, continuing their mission to produce high-quality, secure solutions, including secure software development environments for IoT vendors and developers.


ZAYA OS creates Trusted Execution Environment (TEE) on the running environment, and ZAYA TEE handles all security requirements and sensitive operations/resources in the isolated TEE space. ZAYA’s Secure Operating System is designed according to IoT security legislation and certifications and was one of the world-first companies to achieve PSA Certified Level 1, an independent evaluation of security best practice.


Containerisation Technology

ZAYA Secure OS also offers Containerisation for MMU-less microcontrollers, called ZAYA Microcontainers. ZAYA Microcontainers are isolated multi-thread executables running on top of the ZAYA TEE. ZAYA Microcontainers are also independent binaries, so a stand-alone container can be upgraded in the field as a deployment friendly solution.


A Closer Look at the ZAYA Secure OS

ZAYA Secure OS splits TrustZone’s Secure World (PSA SPE) into different privilege levels. ZAYA TEE provides a space for the highest privileged operations and resources in the Secure World; it is the space called PSA Root of Trust (RoT). ZAYA Microcontainers run as lower privilege executables in the Secure World. There can be more than one Microcontainer in the Secure World, and all Microcontainers are isolated from each other. Microcontainers in Secure World can be used for different security-related purposes, which, in the PSA Certified supporting specifications, are called Application Root of Trust (ARoT)’s, and can be run in different containers.


PSA Certified supporting specifications define three different but incremental isolation boundary types.

  • The minimum required isolation type is already handled by the isolation between Secure and Non-Secure World.

  • In addition, isolation between ZAYA TEE (RoT) and ZAYA Microcontainers (ARoT) in the Secure World is supported in the ZAYA implementation.

  • Finally, isolation between ZAYA Microcontainers in Secure World that runs different Application RoTs is also supported in the ZAYA.

All these methods of isolation offer security to protect Secure World, but also ZAYA Secure OS provides Microcontainers for Non-Secure World. The developer can create multiple isolated Microcontainers in the Non-Secure World. For example, untrusted 3rd Party libraries can be isolated in separate Microcontainers to protect User Applications in the Non-Secure World. Microcontainers can be used to create isolated services such as Cloud or ML Services for User Applications.


Fortunately, there is no need for an additional Real-Time Operating System (RTOS) in the Non-Secure World to have all these functionalities. ZAYA OS running in the Secure World (PSA SPE) offers Micro Containerisation for both the Secure and Non-Secure world at the same time. This reduces the memory footprint (code and ram size) of the Non-Secure World. However, a developer can still run a classical RTOS in a ZAYA Microcontainer like a Virtual Machine.


ZAYA TEE performs security mechanisms on all Microcontainers compliant with PSA Certified requirements like Microcontainer Image Authentication at the device startup (Secure Boot of Microcontainer) and Access Rights check on the requests from Microcontainers using the Container Access Policy; Containers access rights are signed by the manufacturers, and a Container Access Right can be updated in the field with a Secure Policy Update.


ZAYA Microcontainers are independent executables/binaries that can be installed/upgraded individually (only Container Binary with any size), which makes them deployment friendly; reduced OTA Package and Network Traffic.


To learn more about ZAYA Secure OS and Demonstrations, please contact info@za-ya.co



300 views0 comments