4.1 Using TrustZone
In the printers and cartridges use case, the TrustZone technology tackles printer cartridge cloning.
- Trusted (Secure) Execution Environment (TEE): TrustZone creates a secure zone within the printer's hardware, isolated from the regular operating system and applications. This TEE handles critical tasks like cartridge authentication and print job processing, protecting them from tampering.
- Memory Partitioning: TrustZone allows dividing the printer's memory into secure and non-secure regions. Sensitive data and the code for cartridge authentication reside in secure memory, where non-secure software cannot reach them even if the main system is compromised.
- Anti-Cloning with Cryptography: Each genuine cartridge gets a unique cryptographic key or identifier during manufacturing. When inserted, the printer's firmware interacts with the secure TEE to verify the cartridge's authenticity using this key.
Crucially, these cryptographic operations occur within a secure environment, ensuring the authentication process itself cannot be tampered with. If the cartridge is genuine, printing proceeds. Otherwise, the printer rejects it and alerts the user.
In the context of the PIC32CM LSx microcontrollers (MCUs), TrustZone creates a secure environment to run both secure and non-secure programs. It achieves this by dividing the memory and peripherals into separate secure and non-secure regions. This isolation protects secure code from unauthorized access by non-secure programs.
Secure vs Non-Secure:
- Secure: Accessible only by secure software (secret keys, secure boot).
- Non-Secure: Accessible by all software running on the device (typical applications).
- Non-Secure Callable (NSC): A special secure memory region that allows controlled transition from non-secure to secure state for authorized tasks.
To ensure complete protection, secure code must follow specific guidelines and utilize special secure instructions to maintain security during transitions between secure and non-secure states. Arm Cortex-M Security Extension (CMSE) provides tools for developers to manage these secure instructions within the secure software environment.
Switching between secure and non-secure code execution in TrustZone is tightly controlled. Non-secure code can only call secure functions that meet specific criteria:
- Secure Gateway (SG): The first instruction of the secure function must be an SG instruction, indicating a secure entry point.
- Non-Secure Callable (NSC) memory: The secure function must reside in a designated NSC memory region, accessible by non-secure code for authorized calls.
This separation keeps the majority of secure code isolated within secure memory regions. Only authorized secure functions with SG instructions in NSC memory are accessible by non-secure code. Any attempt to breach these security rules, such as accessing secure regions directly or executing code whose security attribute does not match the current security state, will trigger a HardFault exception, halting program execution.
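The SG/NSC entry-point pattern described above, as an added example that is not code from this page or from the PIC32CM LSx SDK: a secure-side cartridge check exported to non-secure firmware with CMSE, which validates that the caller's buffers lie in non-secure memory before touching them. The key value, the placeholder keyed_tag() (standing in for a real keyed MAC such as AES-CMAC) and the linker-placed NSC region are assumptions; on a host build without CMSE the entry attribute and the address-range check fall back to no-ops so the logic can still be exercised.

```c
/* Secure-side cartridge check exported to the non-secure world through an NSC entry.
 * Assumed (not from the page): key in secure flash, keyed_tag() stands in for the real MAC. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 1U)
#include <arm_cmse.h>  /* CMSE intrinsics; needs -mcmse on a Cortex-M23/M33 build */
#define NSC_ENTRY __attribute__((cmse_nonsecure_entry))  /* compiler emits SG + NSC veneer */
#define NS_READABLE(p, n) \
    (cmse_check_address_range((void *)(p), (n), CMSE_NONSECURE | CMSE_MPU_READ) != NULL)
#else  /* host build without CMSE: attribute is a no-op, only NULL is rejected */
#define NSC_ENTRY
#define NS_READABLE(p, n) ((p) != NULL)
#endif
#define CHAL_LEN 16U
#define TAG_LEN 8U
/* Constructed sample key: on the device it lives in secure flash and never leaves it. */
static const uint8_t secure_key[16] = { 0x3a, 0x91, 0x6f, 0x22, 0xd4, 0x8b, 0x10, 0xc7,
                                        0x55, 0xe3, 0x7e, 0x09, 0xb2, 0x4c, 0xf8, 0x61 };
/* Placeholder keyed tag, NOT a cryptographic MAC: replace with AES-CMAC/HMAC on the device. */
static void keyed_tag(const uint8_t chal[CHAL_LEN], uint8_t tag[TAG_LEN]) {
    uint32_t s = 0x9E3779B9u;
    for (size_t i = 0; i < CHAL_LEN; i++) {
        s ^= (uint32_t)chal[i] ^ (uint32_t)secure_key[i % sizeof secure_key];
        s = ((s << 5) | (s >> 27)) * 0x85EBCA6Bu;
    }
    for (size_t i = 0; i < TAG_LEN; i++) {
        s ^= s >> 13; s *= 0xC2B2AE35u; s ^= s >> 16;
        tag[i] = (uint8_t)(s >> ((i % 4U) * 8U));
    }
}
/* Constant-time compare so the non-secure caller learns nothing from timing. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}
/* NSC entry point: its first instruction is SG and it is linked into the NSC region.
 * Called from non-secure firmware when a cartridge is inserted; returns 1 if genuine. */
NSC_ENTRY int cartridge_authenticate(const uint8_t *challenge, const uint8_t *response) {
    uint8_t chal[CHAL_LEN], resp[TAG_LEN], expected[TAG_LEN];
    /* Reject pointers into secure memory: otherwise non-secure code could make the
     * secure side read or compare secret data on its behalf (confused deputy). */
    if (!NS_READABLE(challenge, CHAL_LEN) || !NS_READABLE(response, TAG_LEN)) return 0;
    /* Copy to the secure stack first so the caller cannot change the data mid-check. */
    memcpy(chal, challenge, CHAL_LEN);
    memcpy(resp, response, TAG_LEN);
    keyed_tag(chal, expected);
    return ct_equal(expected, resp, TAG_LEN);
}
```

On the real target, the non-secure image links against the generated import library so that calls land on the SG veneer rather than on the secure function body directly.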