Arm TrustZone is a technology that offers built-in security features for Arm Cortex-M microcontrollers.
Up to now, Trusted Firmware-M has offered the programming model for TrustZone developers: a minimal supervisor firmware that runs in the TrustZone Secure World and allows user applications to run securely in the Non-Secure World.
Arm TrustZone technology offers a flexible architecture on which developers can build their own custom designs. This flexibility is crucial given the hundreds of IoT verticals with different characteristics and needs, and it calls for flexibility in the programming model as well.
For this purpose, ZAYA now offers an alternative programming model for Arm TrustZone technology.
Please see the one-minute introductory video for a fast start.
A brief introduction about ZAYA Secure OS
ZAYA Secure OS is a Secure Operating System for IoT devices, designed according to IoT security certifications and regulations. ZAYA is a PSA Certified Level 1 and PSA Functional API Certified operating system that provides the security mechanisms needed to meet the PSA 10 Security Goals.
ZAYA Secure OS creates an isolated Trusted Execution Environment (TEE) on the running platform and handles all security mechanisms for the whole IoT device inside that TEE, where custom user implementations cannot violate them. This approach frees user applications from implementing security themselves, so the application developer can focus on custom device features only.
ZAYA offers a certification-friendly environment thanks to its modular model. The certified ZAYA Kernel/TEE and the ZAYA User Executions are independent executions with separate signatures. A modification to a certification-free User Execution does not change the certified Kernel/TEE, so there is no need for a new assessment of the certified TEE.
ZAYA is a “Configureless” operating system: changing a User Execution configuration does not modify the certified Kernel/TEE, so a configuration change in User Space does not require a new assessment of the certified Kernel/TEE.
ZAYA Secure OS is also a rich operating system that provides multiple multi-threaded executions with process isolation and OS primitives. ZAYA brings Rich OS features such as containerisation to MMU-less microcontrollers for security and functional safety purposes.
ZAYA Secure Microcontainers
ZAYA Secure OS offers containerisation for Armv7-M and Armv8-M microcontrollers, called ZAYA Secure Microcontainers. ZAYA Microcontainers are containers for MMU-less microcontrollers with capabilities similar to Rich OS containers such as Linux or Docker containers.
ZAYA Secure Microcontainers offer
Platform-Agnostic Development Environment: A common development environment and easy user application migration from one architecture to another.
Independent Design & Development: ZAYA Secure OS and Containers can be designed & developed using different toolchains and IDEs.
Multi-Threaded Environment: Each ZAYA Microcontainer is also multi-threaded like an individual application.
An isolated execution environment: Microcontainers cannot violate each other.
Deployment-Friendly: Any size container can be installed and upgraded individually in the field.
ZAYA Secure Microcontainers provide a secure development environment for IoT developers, and ZAYA Microcontainers are protected by ZAYA Secure OS according to the PSA Security Goals.
Secure Install/Update: An individual ZAYA Microcontainer can be installed or upgraded in the field using signed and encrypted OTA packages.
Anti-Rollback: ZAYA Microcontainer upgrades, ZAYA Device Security Lifecycle update requests and Access Policy update requests are protected against rollback attacks.
Secure Boot: ZAYA Microcontainers are authenticated at each device startup.
Isolation: ZAYA Microcontainers are isolated from each other in run-time.
Interaction: ZAYA Microcontainers can securely interact with ZAYA Secure OS and other Microcontainers.
Secure Storage: ZAYA Microcontainer sensitive data is stored in the isolated ZAYA TEE space and is accessible through the PSA Functional API.
Cryptography Services: ZAYA Microcontainers use the cryptography services of the certified ZAYA TEE space through the PSA Functional API.
Attestation: ZAYA Secure OS includes Microcontainer details in the secure Attestation Token.
Lifecycle: ZAYA Microcontainers are parts of the Security Lifecycle.
In addition to the PSA Security Goals, ZAYA also manages Microcontainer accesses using a Container Access Policy.
ZAYA Secure OS allows developers to define Resources on which access right checks are performed. A ZAYA Resource can be logical (e.g., a software operation) or physical (a hardware peripheral). Logical Resources are accessed through a System Call request to ZAYA Secure OS, while Physical Resources are accessed directly by ZAYA Microcontainers through the hardware peripheral register addresses.
A ZAYA Resource can also have different access levels (no-access/restricted, high privilege, low privilege, etc.). A ZAYA Microcontainer can access a Resource only if the Microcontainer privilege level is equal to or higher than the Resource privilege level and the Resource is not restricted. Otherwise, the Microcontainer is terminated due to the violation attempt.
By default, a ZAYA Microcontainer cannot access any custom Resource; the developer must grant the Microcontainer an access right for each specific Resource. Even then, if the Resource privilege level is higher than the Microcontainer privilege level, the Microcontainer still cannot access the Resource.
ZAYA Microcontainer Access Policies are part of the Microcontainer and must be signed by a trusted source. Otherwise the policy is rejected and the Microcontainer cannot access any custom Resource.
A Microcontainer Access Policy can be modified in the field: the developer can change the access rights through a secure upgrade. The policy is protected by Anti-Rollback protection, so an attacker cannot revert the Access Policy to previous rights.
The idea behind the Access Policy is to simplify access management and hide complex architectural relations and state changes from the developer. It offers a platform-agnostic logical interface that can easily be migrated from one architecture to another.
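To make the Access Policy rules above concrete (default deny, developer grants, privilege-level comparison, restricted resources, signed policies, and the anti-rollback check on policy upgrades), here is an added illustrative model in C. It is not ZAYA's own code or API: the type names, the two-level privilege scale, the fixed grant table and the signed_by_trusted_source flag are assumptions made for illustration; in a real TEE the signature would be verified cryptographically before the flag is set, and the sample resources are constructed for the example.

```c
/* Illustrative model of a container access policy. Added example, not ZAYA's
 * own code or API; all names, layouts and the two-level scale are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_GRANTS 8

/* Privilege levels: a container may use a resource only at or below its own level. */
typedef enum { PRIV_LOW = 1, PRIV_HIGH = 2 } priv_level_t;

typedef struct {
    const char *name;
    bool physical;      /* true: HW peripheral (register access); false: logical (system call) */
    bool restricted;    /* "no-access": nobody may use it, whatever the privilege */
    priv_level_t level; /* privilege level required to use the resource */
} resource_t;

typedef struct {
    uint32_t version;              /* monotonic counter used for the anti-rollback check */
    bool signed_by_trusted_source; /* outcome of signature verification (assumed done elsewhere) */
    const char *granted[MAX_GRANTS];
    size_t n_granted;
} access_policy_t;

typedef struct {
    const char *name;
    priv_level_t level;
    access_policy_t policy;
    bool terminated;    /* set when the container attempts a violation */
} microcontainer_t;

typedef enum {
    ACCESS_GRANTED,
    DENIED_POLICY_UNSIGNED, /* policy rejected: no custom resource at all */
    DENIED_RESTRICTED,
    DENIED_PRIVILEGE,       /* granted by the developer, but resource level is higher */
    DENIED_NOT_GRANTED      /* default deny: developer never granted this resource */
} access_result_t;

static bool policy_grants(const access_policy_t *p, const char *resource)
{
    for (size_t i = 0; i < p->n_granted; i++)
        if (strcmp(p->granted[i], resource) == 0)
            return true;
    return false;
}

/* Decide whether the container may use the resource. Every denial is treated as
 * a violation attempt and terminates the container (the text states termination
 * for restricted/privilege violations; applying it to ungranted access is an assumption). */
static access_result_t check_access(microcontainer_t *mc, const resource_t *r)
{
    access_result_t res;
    if (!mc->policy.signed_by_trusted_source)      res = DENIED_POLICY_UNSIGNED;
    else if (r->restricted)                        res = DENIED_RESTRICTED;
    else if (mc->level < r->level)                 res = DENIED_PRIVILEGE;
    else if (!policy_grants(&mc->policy, r->name)) res = DENIED_NOT_GRANTED;
    else                                           res = ACCESS_GRANTED;
    if (res != ACCESS_GRANTED)
        mc->terminated = true;
    return res;
}

/* Field upgrade of a container's access policy: accepted only when signed by a
 * trusted source and strictly newer than the installed one, so an attacker
 * cannot re-install an older, more permissive policy (anti-rollback). */
static bool update_policy(microcontainer_t *mc, const access_policy_t *candidate)
{
    if (!candidate->signed_by_trusted_source) return false;
    if (candidate->version <= mc->policy.version) return false;
    mc->policy = *candidate;
    return true;
}

/* Walk the rules over constructed sample resources; returns 0 when every
 * outcome matches the behaviour described in the text, else the failing step. */
static int demo(void)
{
    const resource_t uart  = { "uart0",      true,  false, PRIV_LOW  }; /* physical, low */
    const resource_t vault = { "key_vault",  false, false, PRIV_HIGH }; /* logical, high */
    const resource_t dbg   = { "debug_port", true,  true,  PRIV_LOW  }; /* restricted */

    access_policy_t v1 = { 1, true, { "uart0", "key_vault", "debug_port" }, 3 };
    microcontainer_t app = { "app", PRIV_LOW, v1, false };
    if (check_access(&app, &uart) != ACCESS_GRANTED || app.terminated) return 1;
    /* Granted by the developer, but the resource level is above the container's. */
    if (check_access(&app, &vault) != DENIED_PRIVILEGE || !app.terminated) return 2;

    /* An unsigned policy grants nothing, even if it lists the resource. */
    access_policy_t unsigned_p = { 2, false, { "uart0" }, 1 };
    microcontainer_t rogue = { "rogue", PRIV_HIGH, unsigned_p, false };
    if (check_access(&rogue, &uart) != DENIED_POLICY_UNSIGNED) return 3;

    /* A restricted resource is denied even to a high-privilege container. */
    access_policy_t v2 = { 2, true, { "debug_port" }, 1 };
    microcontainer_t svc = { "svc", PRIV_HIGH, v2, false };
    if (check_access(&svc, &dbg) != DENIED_RESTRICTED) return 4;

    /* Anti-rollback: v1 cannot replace v2; an unsigned v3 is rejected; signed v3 is accepted. */
    access_policy_t v3 = { 3, true, { "key_vault" }, 1 };
    access_policy_t v3_unsigned = { 3, false, { "key_vault" }, 1 };
    if (update_policy(&svc, &v1)) return 5;
    if (update_policy(&svc, &v3_unsigned)) return 6;
    if (!update_policy(&svc, &v3) || svc.policy.version != 3) return 7;
    return 0;
}
```

The ordering of the checks matters: the signature check comes first because a rejected policy removes every custom grant, and the privilege comparison comes before the grant lookup so that a developer grant can never widen access beyond the container's own privilege level.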
ZAYA for Arm TrustZone
ZAYA Secure OS as PSA Root of Trust in TrustZone Secure World
ZAYA Secure OS is now available for Arm TrustZone, enriching the Arm TrustZone software ecosystem with an alternative programming model.
ZAYA Secure OS runs in TrustZone’s Secure World as the PSA Updateable Root of Trust (PSA Updateable RoT) and offers Rich Operating System features for the TrustZone Secure World.
ZAYA is a PSA Certified Level 1 operating system that meets all PSA 10 Security Goals. ZAYA Secure OS creates an isolated Trusted Execution Environment (TEE) in TrustZone’s Secure World and handles the mechanisms for all PSA 10 Goals inside that isolated TEE.
ZAYA Secure OS creates different privilege spaces in the Secure World:
The highest privilege space for itself (Root of Trust)
Lower privilege spaces for custom Security Services such as Application Roots of Trust, which cannot violate the ZAYA Secure OS (RoT) space.
ZAYA Secure Microcontainerisation as PSA Application Root of Trust(s)
TrustZone Secure World developers can use these secure, user-friendly and deployment-friendly ZAYA Microcontainers to develop their own custom Secure Services, such as PSA Application Roots of Trust (PSA aRoT).
A developer can implement custom cryptographic algorithms or custom services, such as banking applications/services for payment terminals, in a PSA aRoT.
As mentioned above, PSA Application RoTs in ZAYA Microcontainers can be installed and upgraded individually in the field, which makes them deployment-friendly, and the access rights of the App RoTs can be securely updated in the field under Anti-Rollback protection.
ZAYA Secure Microcontainerisation for TrustZone Non-Secure World
ZAYA Secure OS protects not only TrustZone’s Secure World but also the Non-Secure World. ZAYA Secure OS applies the PSA 10 Security Goals to the Non-Secure World and provides Rich OS features and Microcontainerisation there as well.
Developers can create multiple isolated ZAYA Microcontainers in the TrustZone Non-Secure World. While ZAYA Secure OS (PSA Root of Trust) and ZAYA Secure Microcontainers (PSA Application Roots of Trust) handle all security requirements in the Secure World, there can be different scenarios for the Non-Secure World:
A monolithic user application in a single multi-threaded ZAYA Microcontainer that can access Non-Secure Resources. (Here the Microcontainer still needs signed access rights, even for a Non-Secure Resource.)
The application can be implemented as bare metal (single-threaded)
The application can be implemented as multi-threaded within the container (no additional RTOS is needed for multi-tasking)
The application can be implemented using a classical RTOS, called a Guest RTOS (easy migration for existing RTOS applications)
Untrusted third-party libraries/middleware can be isolated in a separate Microcontainer to protect the user application Microcontainer from potential malfunctions.
Reusable turnkey helper services (Cloud, Machine Learning, etc.) can run in separate Microcontainers to extend device functionality easily and to be reused across different devices.
ZAYA allows plug-and-play Microcontainers.
These Microcontainers can be upgraded in the field individually.
Interpreters for other programming languages, such as Python, can be run for application developers. A stand-alone Python interpreter can interpret Python scripts from other Microcontainers.
Even local or remote Lambda expressions can be run.
Different privilege levels can also be used to create Supervisor Executions in the Non-Secure World.
If you would like to hear more technical details about ZAYA Arm TrustZone support, please contact firstname.lastname@example.org
ZAYA provides free STM32 Cortex-M33 Evaluation Kits and ZAYA Demonstration Materials (Demonstration Projects with Source Code, Documentation) for IoT Developers. Please request your free Cortex-M33 Evaluation Kit and Demonstration Material using https://www.za-ya.co/zaya-tz-demonstration-request