End-Device Security and Privacy are of Paramount Importance to IoT Consumers
TrustZone is a security software technology created by ARM for its Cortex-M processors. Silicon Labs has adopted it and integrated it with our protocol stacks to create a secure system that hides key material from the wireless stack while still providing customers the same stack API.
How does TrustZone work?
TrustZone is the logical separation of the memory into a secure processing environment (SPE) and a non-secure processing environment (NSPE), as shown in the figure below.
There is a predefined, restricted list of commands that can be passed from the NSPE to the SPE. This minimizes the SPE's exposure and keeps the data stored there secure.
For example, if a wireless stack wants to store keys in the SPE, the specific PSA Crypto API commands are passed to the security subsystem through a PSA driver, where the keys are wrapped using a hardware-unique TrustZone storage key. The encrypted keys are then stored in NVM3 storage.
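As an added illustration (not Silicon Labs code), the following Python model shows the NSPE-to-SPE boundary described above: a fixed list of allowed commands, PSA Crypto-style key handles returned to the stack, and key material wrapped under a hardware-unique key before it reaches NVM3-style storage. The HW_UNIQUE_KEY value and the HMAC-based wrap construction are assumptions made for illustration, not the silicon's actual algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed hardware-unique storage key; on a real part it is only readable inside the SPE.
HW_UNIQUE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode (illustrative wrap, not the silicon's algorithm)
    blocks = (hmac.new(HW_UNIQUE_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _wrap(key_material: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag, all bound to HW_UNIQUE_KEY
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key_material, _keystream(nonce, len(key_material))))
    return nonce + ct + hmac.new(HW_UNIQUE_KEY, nonce + ct, hashlib.sha256).digest()

def _unwrap(blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(HW_UNIQUE_KEY, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))

class SecureProcessingEnvironment:
    """Model of the SPE: a fixed command list in front of NVM3-style storage of wrapped keys."""
    ALLOWED_COMMANDS = ("psa_import_key", "psa_mac_compute", "psa_destroy_key")

    def __init__(self):
        self.nvm3 = {}       # key_id -> wrapped blob; this is all the NSPE could read from flash
        self._next_id = 1

    def call(self, command: str, **args):
        # Sole entry point from the NSPE; any command off the list is refused
        if command not in self.ALLOWED_COMMANDS:
            raise PermissionError(f"{command} is not an allowed NSPE->SPE command")
        return getattr(self, "_" + command)(**args)

    def _psa_import_key(self, key_material: bytes) -> int:
        key_id, self._next_id = self._next_id, self._next_id + 1
        self.nvm3[key_id] = _wrap(key_material)   # plaintext key is never written to NVM3
        return key_id                             # the stack only ever holds this handle

    def _psa_mac_compute(self, key_id: int, message: bytes) -> bytes:
        return hmac.new(_unwrap(self.nvm3[key_id]), message, hashlib.sha256).digest()

    def _psa_destroy_key(self, key_id: int) -> None:
        del self.nvm3[key_id]
```

The stack code on the NSPE side keeps only the returned key_id; inspecting spe.nvm3 shows why a flash dump yields wrapped blobs rather than keys.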
Vault Mid Parts with TrustZone capabilities
Vault High Parts with TrustZone capabilities
Why is TrustZone important for securing IoT devices?
The most demanding IoT product development challenges today revolve around security.
Security and Privacy
TrustZone provides a secure way of isolating wireless cryptographic keys and other sensitive firmware used by the device from application vulnerabilities.
For example, our Bluetooth Low Energy (LE) medical devices such as glucose meters - which use Secure Vault Mid security - do not have secure key storage capabilities. Keys are stored in plaintext in flash, which is not a secure way to store keys.
With TrustZone, these cryptographic keys are stored in encrypted form, thereby ensuring the security of your end device.
To learn more about what differentiates Secure Vault™ Mid and Secure Vault™ High parts, please refer to the Silicon Labs IoT Product Security table.
PSA Level 2-Certifiable
One of the requirements for PSA Level 2 certification is for the SPE to be isolated by hardware mechanisms that protect critical services and related assets from the non-secure processing environment. With the introduction of TrustZone, Vault-Mid parts now offer protection against logical software attacks and are PSA Level 2 certifiable.
Trusted Security at No Additional Cost
TrustZone APIs will be available for installation and use on Secure Vault-Mid and Secure Vault-High parts at no additional cost to the customer.
More than 50% of attack vectors against IoT end devices are remote logical attacks.
What Protocol Stacks Will be Supported with TrustZone?
TrustZone is now available for all Bluetooth Low Energy and Bluetooth mesh devices that use Secure Vault-Mid and Secure Vault-High security features.
Benefits of TrustZone Security
TrustZone can be used in all Bluetooth LE applications and in any application that uses cryptographic keys. Some examples include: