First 32-Bit Microcontrollers to Support Arm TrustZone

In the past a great deal of computer security has assumed that the end user will have no physical access to the computer. That if an attacker has physical access, then there is no way to stop them compromising what security does exist. But that’s something that’s just not possible when you’re building a smart connected device.

Everybody knows that there is a security problem with the Internet of Things. Nobody in the industry you should be paying attention to will be saying anything else. Some people in the security community are suggesting hardware obfuscation might be a way forward to try and protect consumer IoT devices. Although at best this will slow attackers down, or discourage the less persistent, that might be all that’s needed in many cases.

Security of connected devices was always going to be about defence in depth rather than any one magic bullet, and chip-level security is an important part of the defence. Which makes Microchip’s announcement that their latest Cortex-M23-based 32-bit microcontrollers feature Arm TrustZone for ARMv8-M more important than it might seem on the surface.

Effectively Arm TrustZone is a feature of the processor architecture, allowing “hardware-separation” of a rich operating system from a much smaller and more audit-able, secure operating system. It provides a way to partition physical memory, helping avoid DMA attacks, and to limit access to the physical hardware from the “unsecure” parts of the operating system. With the system software running in the secure-side able access hardware hidden from the normal operating system. Similar sorts of architectures are used elsewhere. Apple’s “Secure Enclave,” an Arm-based coprocessor used to enhance security on iPhone, is one example.

Designed for low power, the SAM L11, and the more lightweight SAM L10, are the first 32-bit MCUs to implement TrustZone. Alongside this, they possess security features such as an on-board cryptographic module supporting Advanced Encryption Standard (AES), Galois Counter Mode (GCM), Secure Hash Algorithm (SHA), and secure key storage—with tamper detection capabilities—to establish a hardware root of trust. The chips also offer a secure bootloader for secure firmware upgrades.

However like all security, you have to look at the threat model you’re trying to protect against. Security is all about the design of the product, and seemingly innocuous design choices can lead to it being insecure and vulnerable.

The ability to implement security doesn’t mean it has been implemented. When talking about security, it’s important to look at the entire life cycle of a smart device. From manufacture, to final disposal, and to encourage our industry to make different and more ethical design choices.

Both the Microchip SAM L10 and SAM L11 are available today in a range of package options in volume production quantities, with the L10 starting at $1.09 each in 10,000-unit quantities and the L11 starting at $1.22 each in 10,000-unit quantities, while samples can be obtained through normal channels. The SAM L10 and SAM L11 Xplained Pro evaluation kits are available for $58.00 each.