TrustZone/TEE – Role and Position within the IoT Security Framework

An IoT product should integrate several layers of security considering all the components involved, hops (i.e. device-to-edge-to-cloud), protocol layers, users and use cases. At the end of the chain, and on the edge of the network, we find the devices. Generically, a device integrates a microprocessor or a microcontroller that would carry most of the application logic implemented via the firmware. In a typical IoT application, a device establishes secure communication channels, stores data, identifies and authenticates itself with other devices or a public cloud, authenticates users, protects data at rest and in transit etc.

Technologies such as cryptographic tools, keys and certificates provide the underlying security for services such as TLS/SSL, encryption/decryption, and digital signing and verification. Silicon providers typically implement several hardware features in microprocessors and advertise them as security features (e.g. a hardware crypto accelerator or a hardware true random number generator), or offer external components such as a Trusted Platform Module (TPM) or hardware crypto authenticators. A commonly seen example is the use of OpenSSL tools in conjunction with these technologies. That said, developers for the most part still rely on the primary OS, such as Linux, to supply baseline security. Linux, however, only allows developers to segregate security assets and operations behind root access. This level of security is fast becoming obsolete and unacceptable because of the risk of exposing keys and certificates, which in turn leads to compromised systems. Hardware security technologies supplied by silicon vendors, used in conjunction with tools such as OpenSSL, are a much better option, but even this approach has limited benefit so long as the primary method of deriving security relies on Linux user/kernel mode isolation.

However, developers need tools to access these capabilities in order to store and manipulate cryptographic keys and certificates and to perform cryptographic operations. This is where ARM® TrustZone® adds tremendous value. TrustZone is a mature, proven technology and has been adopted in devices such as mobile phones, set-top boxes and payment terminals, where it has facilitated secure transactions, secure identities and DRM applications. TrustZone allows two operating systems to coexist by supplying software and hardware isolation to applications via a root of trust guaranteed by secure boot technology. By flipping a bit, code runs in secure mode or non-secure mode, and peripherals, memory, memory controllers, buses etc. can be configured so that specified resources and peripherals are accessible only from secure mode. The “normal world” / “secure world” paradigm thus offers a powerful tool for approaching IoT security. The TEE (Trusted Execution Environment) refers to the secure world OS together with all the assets needed so that applications in the normal world can invoke secure world functions.

As an example, imagine running Linux with OpenSSL in the normal world, while the OpenSSL engine is implemented in the TEE by the secure world. All drivers for the hardware security functions supplied by the microprocessor are loaded by, and accessible only to, the TEE. With this approach, cryptographic keys are stored in a secure world keystore; the TEE can also generate keys and certificates, but most importantly, all cryptographic operations are executed in the secure world. Linux as the normal world OS, and any applications running on top of it, have no access to the isolated security features or keys; they only hold handles and receive results.

This is a simple illustrative example. The TEE, however, can be used to meet very complex requirements given its ability to monitor the OS, applications, processes or memory regions in the normal world and apply remediation when intrusions or malware are detected. Another example draws on its ability to isolate critical processes from the normal world OS and applications, thereby preventing complete system compromise. For instance, when a normal world application is compromised or hacked, the critical process controlling an actuator (such as a connected door lock) remains unaffected and the attacker cannot interfere with its intended operation. Most use cases that require strong security in IoT fall into three main categories: secure communication, secure storage and secure payload verification. A TEE can improve security for all of these.

In practical terms, this dual OS paradigm requires developers to build applications for both domains. The TEE and TrustZone remain a new frontier for developers, and there are ongoing efforts to ease adoption. The role of a mature TEE offering is to expose APIs and libraries to application developers in the normal world that abstract away the complexity of the dual OS paradigm.
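As an added illustration of the split described above (not code from the original article or from any TEE vendor), here is a small C model of the normal world / secure world boundary: the normal world holds only opaque key handles and crosses the boundary through a single command call, key bytes live only in the secure-world keystore, and a request to export them is refused. The command numbers, function names and the FNV-1a keyed hash are assumptions standing in for a real TEE's API and accelerator-backed MAC or signature operation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ---- Secure world: TEE-side keystore and command dispatcher (assumed names) ---- */
enum { CMD_GEN_KEY = 1, CMD_SIGN = 2, CMD_EXPORT_KEY = 3 };
enum { TEE_OK = 0, TEE_ERR_ACCESS_DENIED = -1, TEE_ERR_BAD_PARAM = -2 };
#define MAX_KEYS 4
#define KEY_LEN 16

/* Shared parameter block: the only data that crosses the world boundary. */
struct tee_params {
    uint32_t key_handle;   /* opaque handle, never key material */
    const uint8_t *in;     /* message to authenticate */
    size_t in_len;
    uint64_t tag;          /* result handed back to the normal world */
};

/* Key bytes exist only here; no command path copies them out. */
static uint8_t secure_keystore[MAX_KEYS][KEY_LEN];
static uint32_t secure_key_count;

/* Constructed keyed hash (FNV-1a over key||msg) standing in for the
 * accelerator-backed MAC/signature a real TEE would perform. */
static uint64_t secure_mac(const uint8_t *key, const uint8_t *m, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < KEY_LEN; i++) { h ^= key[i]; h *= 1099511628211ULL; }
    for (size_t i = 0; i < n; i++)       { h ^= m[i];   h *= 1099511628211ULL; }
    return h;
}

/* Single entry point from the normal world, modelling the world switch. */
int tee_invoke(int cmd, struct tee_params *p) {
    switch (cmd) {
    case CMD_GEN_KEY:   /* key is generated and kept inside the secure world */
        if (secure_key_count >= MAX_KEYS) return TEE_ERR_BAD_PARAM;
        for (int i = 0; i < KEY_LEN; i++)   /* constructed, deterministic key bytes */
            secure_keystore[secure_key_count][i] = (uint8_t)(0xA5 ^ (secure_key_count * 31 + i * 7));
        p->key_handle = secure_key_count++;
        return TEE_OK;
    case CMD_SIGN:      /* operation runs here; only the tag leaves */
        if (p->key_handle >= secure_key_count) return TEE_ERR_BAD_PARAM;
        p->tag = secure_mac(secure_keystore[p->key_handle], p->in, p->in_len);
        return TEE_OK;
    case CMD_EXPORT_KEY: return TEE_ERR_ACCESS_DENIED;  /* deliberately unsupported */
    default:             return TEE_ERR_BAD_PARAM;
    }
}

/* ---- Normal world: what a Linux application or OpenSSL engine shim would do ---- */
int nw_create_key(uint32_t *handle) {
    struct tee_params p = {0};
    int rc = tee_invoke(CMD_GEN_KEY, &p);
    if (rc == TEE_OK) *handle = p.key_handle;
    return rc;
}

int nw_sign(uint32_t handle, const char *msg, uint64_t *tag) {
    struct tee_params p = {0};
    p.key_handle = handle; p.in = (const uint8_t *)msg; p.in_len = strlen(msg);
    int rc = tee_invoke(CMD_SIGN, &p);
    if (rc == TEE_OK) *tag = p.tag;
    return rc;
}
```

A compromised normal world application in this model can still ask for signatures with a handle it owns, which is why the attestation and monitoring the article mentions matter alongside isolation.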

The chosen TEE should cover these categories, and more, out of the box.

Poornima Magadevan

Member of Technical Staff, Solution Design and Strategy - Network Services and AI Technology

8y

I am exploring this for a potential IoT use case and you explained it very well. In fact, it's interesting to explore different TEE players' solutions.

Attestation is also a key component of the solution, assuring the integrity and state of the isolated execution.

I have been thinking about a research topic on this domain and you just discussed one here. Brilliant!
