MultiZone Security for Arm Cortex-M
The quick and safe way to add security and separation to Arm® Cortex®-M processors
MultiZone® software can retrofit existing designs. If you don’t have TrustZone®, or if you require finer granularity than one secure world, you can take advantage of high security separation without the need for hardware and software redesign, eliminating the complexity associated with managing a hybrid hardware/software security scheme.
Securing IoT devices has become increasingly difficult as complex new requirements are often met with the addition of readily available third party components that cannot always be trusted. Legacy designs lack the physical resources to provide the necessary separation, thus leading to larger attack surface and increased likelihood of vulnerability. To shield critical functionality from untrusted third-party components, MultiZone provides hardware-enforced, software-defined separation of multiple trusted execution environments. Unlike traditional solutions, MultiZone is self-contained, presents an extremely small attack surface, and it is policy driven, meaning that no coding is required – or in fact even allowed. MultiZone technology is based on free and open standards, open sourced on GitHub, and licensed free of charge for evaluation and royalty free for commercial use.
MultiZone enables the freedom to innovate with multi sourced components like open source software, third-party libraries, and legacy binaries that can be configured in minutes to achieve an unprecedented level of safety and security.
How it works
- Formally verifiable runtime, minimal attack surface ~2KB, no dynamic data structures like stack, hype, and buffers.
- Zero trust Completely self-contained, no dependencies from libraries , C runtime, linker scripts, and drivers.
- Sealed, pre-built runtime driven by statically defined user-defined policies, the only interaction with the developer is a simple configuration policy file.
- Isolation of programs (text segments) to ensure that user programs run in unprivileged mode so that they can’t compromise the overall system integrity – including drivers and IRQ handlers.
- Isolation of data (data segments) and memory-mapped peripherals (typically I/O) via a hardware unit that prevents access outside statically defined security boundaries.
- Isolation of interrupts so that interrupt handlers are mapped to the respective zone context and executed at a reduced level of privilege, unable to compromise the isolation model.
- Isolation of hardware components including all cores, bus masters, DMA, interrupt controllers, and caches in heterogeneous systems where deterministic and OOO come together in a single SoC.
- Preemptive temporal separation mechanism to ensure that any single thread can’t cause a denial of service by indefinitely holding processing cycles. This is a must for safety-critical applications.
- Secure inter-zone communications infrastructure to allow inter-zone data transfers without relying on shared memory resources such as buffers, stack, and heap.
- Secure inter-processor communications infrastructure to allow zones running on the secure core(s) to send/receive data to/from other low-criticality/non-secure core – i.e. protected split buffers.
- Soft timer facility to multiplex the underlying single hardware timer functionality and make it available to each zone independently from the others.
- Wait for interrupt functionality to allow transparent support for system suspend and low-power states. This is a must for battery-operated devices and low-latency deterministic applications .
- Trap & Emulate functionality for secure execution of privileged instructions. Allows porting of existing application code originally designed to operate in a single unprotected memory space.
- Secure boot 2-stage boot loader to verify the integrity and authenticity of runtime and policies. Should boot the whole system to configure and lock separation policies for all hardware components.
- Toolchain extension cross-platform command line fully integrated with toolchain and IDE, to combine and configure the zones binaries and to produce the signed firmware image for the secure boot of the system.
- Open source API to expose runtime micro-services such as messaging and process scheduling. Optional helper wrappers to reduce system calls overhead. Free and open permissive license.
- GNU-based open source SDK including reference application and board support packages for Microchip, NXP Semiconductors, Renesas, STMicroelectronics, GigaDevice, and others.
- Up to 8 separated Trusted Execution Environments (zones) – hardware-enforced, software-defined
- Up to 16 memory-mapped resources per zone – i.e. flash, ram, rom, i/o, uart, gpio, timers, etc
- Preemptive scheduler for safety-critical applications: cooperative, round robin, configurable tick
- Secure inter-zone communications based on messages – no shared memory, no buffers, no stack, etc.
- Built-in trap & emulation for all privileged instructions – i.e. SVC, MRS, MSR, CPS, WFE, WFI
- Full support for secure user-mode interrupt handlers mapped to zones – up to 128 interrupt sources
- Full support for Wait For Interrupt and CPU suspend mode for low power applications
- Formally verifiable runtime ~2KB, 100% written in assembly, zero 3rd party dependencies
- C library wrapper for protected mode execution – optional for high speed / low-latency
- Hardware requirements: Arm Cortex-M0+/M3/M4/M7 processor w/ Memory Protection Unit
- System requirements: 4KB for program, 2KB for data – CPU overhead < 0.01%
- Development environment: any versions of Linux, Windows, Mac running Java 1.8 or greater
- GNU-based Open source SDK freely available at https://github.com/hex-five/multizone-sdk-arm
Patent pending US 16/450,826 PCT US19/38774