The ARM Security Extensions extend the processor architecture to provide hardware security features that support the development of secure applications, by providing two processor security states. The Rich OS Execution Environment runs in the Normal World when the processor is in the Non-secure state. A Trusted Execution Environment (TEE) and its trusted applications run in the Secure World when the processor is in the Secure state. The most important system control resources are accessible only from the TEE. Each security state has its own system registers and memory address space. The execution privilege levels are defined independently in each security state.
The Virtualization Extensions further extend the processor architecture to provide virtualization capabilities. Some of the ARM processor implementations do not include the Virtualization Extensions. The present invention does not require the Virtualization Extensions; however, it includes embodiments both with and without them.
Some of the ARM processor implementations do not include the Security Extensions. The present invention is applicable only to computer systems based on ARM processors with Security Extensions.
While the main purpose of the ARM Security Extensions is isolation between the Normal and Secure Worlds, the present invention provides the innovative approach of using these Security Extensions to isolate and protect an embedded security perimeter which controls all external network communications of a computer system.
In order to achieve memory separation between the two execution environments, memory access rights are configured through the ARM Memory Management Unit (MMU) (see ARM Cortex-A series processor Technical Reference Manuals), the TrustZone Address Space Controller (TZASC) (see CoreLink TrustZone Address Space Controller TZC-380 Technical Reference Manual) and the TrustZone Protection Controller (TZPC) (see PrimeCell Infrastructure AMBA 3 TrustZone Protection Controller Technical Overview), or through vendor-specific Security Extension hardware modules, for example the Central Security Unit (CSU) in the Freescale i.MX6 processor (see i.MX 6Dual/6Quad Applications Processor Reference Manual).
FIG. 5 illustrates a generic method of memory access control. In the ARM architecture, it is possible to set access rights to different memory regions (503, 507) for different processor mode sets. To achieve this, several hardware modules are integrated into the processor: the MMU, TZASC and TZPC. Additionally, several processor manufacturers have added their own extensions to enhance memory control functionality. For example, the Freescale i.MX6 processor uses a CSU instead of a TZPC to provide more granular access control and additional security functionality.
The most common memory access control mechanism is the MMU, and it is currently used in popular OSs to separate system and user application memory. The MMU is controlled by system control registers, which can also disable the MMU. When the MMU is enabled, the processor works with virtual addresses and the MMU works with the memory system to translate virtual addresses to physical addresses. The MMU divides memory into pages (4 KB, 64 KB, 1 MB, and 16 MB), and each page can have its own memory access attributes. An ARM processor enhanced with Security Extensions has a separate and independent MMU for the Secure and Normal World execution environments.
The purpose of a TZASC module is separation of TEE memory from Rich OS Execution Environment memory. It works with random-access memory (RAM) only and can be configured from the TEE only. Like the MMU, it divides memory into regions, and each region has its own memory access control attributes. The TZASC works entirely independently of the MMU, even when the MMU is disabled. The TZASC works with physical addresses and has no awareness of MMU virtual addresses.
Since the TZASC module works only with RAM, the TZPC is used to control access between the Rich OS Execution Environment and the TEE for memory regions where peripheral hardware device controllers and interfaces (504, 509, 505 and 511) are mapped. The TZPC is also used to control access to on-chip RAM in some ARM processor implementations. The TZPC can be configured from the TEE only. Different ARM processors have different peripheral devices and interfaces, so TZPC regions are predefined and implementation dependent, and only the access rights to these regions can be changed at runtime.
The present invention uses the TZPC to provide controlled access to peripheral devices (504, 509, 505 and 511). The main TZPC function in preferred embodiments is to make the hardware network interface, as shown in FIG. 2, accessible only from the TEE (206), while the Rich OS Execution Environment (201) uses the Virtual Network Interface (203) for network communications.
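The following C program is an illustration added here, not part of the specification or of any vendor's firmware. It models the layered physical-address access decision described above (TZPC peripheral slots whose ranges are fixed and only whose rights change at runtime, TZASC RAM regions with Secure/Non-secure read and write rights, and deny-by-default for unmapped addresses), applied to the network-interface arrangement of FIG. 2; the permission bit layout, addresses and slot names are constructed for the example and do not correspond to any real SoC.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Permission bits: a read and a write bit each for Secure (S) and Non-secure
 * (NS) accesses, in the spirit of a TZASC region attribute field. */
enum { PERM_S_R = 1, PERM_S_W = 2, PERM_NS_R = 4, PERM_NS_W = 8,
       PERM_S_RW = PERM_S_R | PERM_S_W, PERM_ALL = PERM_S_RW | PERM_NS_R | PERM_NS_W };
/* TZASC-style RAM region: programmable physical range plus rights. */
typedef struct { uint64_t base, size; unsigned perm; } ram_region_t;
/* TZPC-style peripheral slot: range fixed by the SoC, only rights may change. */
typedef struct { const char *name; uint64_t base, size; unsigned perm; } periph_t;

/* Constructed sample layout; addresses are illustrative, not a real SoC map. */
static const ram_region_t ram_regions[] = {
    { 0x80000000u, 0x01000000u, PERM_S_RW },  /* TEE RAM: Secure World only */
    { 0x81000000u, 0x3F000000u, PERM_ALL  },  /* Rich OS RAM: both worlds */
};
static periph_t periph_slots[] = {
    { "eth-mac", 0x02188000u, 0x4000u, PERM_S_RW },  /* hardware NIC: TEE only */
    { "uart1",   0x02020000u, 0x4000u, PERM_ALL  },  /* console: shared */
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static bool in_range(uint64_t base, uint64_t size, uint64_t pa) {
    return pa >= base && pa - base < size;
}
/* Decide whether a physical access is allowed: peripheral slots (TZPC) are
 * checked first, then RAM regions (TZASC). An address that matches nothing is
 * denied, so unconfigured memory defaults to "no access" rather than "open". */
bool access_allowed(uint64_t pa, bool secure, bool write) {
    unsigned need = secure ? (write ? PERM_S_W : PERM_S_R) : (write ? PERM_NS_W : PERM_NS_R);
    for (size_t i = 0; i < COUNT(periph_slots); i++)
        if (in_range(periph_slots[i].base, periph_slots[i].size, pa))
            return (periph_slots[i].perm & need) != 0;
    for (size_t i = 0; i < COUNT(ram_regions); i++)
        if (in_range(ram_regions[i].base, ram_regions[i].size, pa))
            return (ram_regions[i].perm & need) != 0;
    return false;
}

/* The only runtime change the TZPC model permits: rights of an existing slot.
 * Slots are predefined by the SoC, so an unknown name is rejected. */
bool tzpc_set_perm(const char *name, unsigned perm) {
    for (size_t i = 0; i < COUNT(periph_slots); i++)
        if (strcmp(periph_slots[i].name, name) == 0) { periph_slots[i].perm = perm; return true; }
    return false;
}
```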