7 trustzone technology and security – ARM AMBA NIC-301 User Manual
Page 34
Functional Description
ARM DDI 0397G
Copyright © 2006-2010 ARM. All rights reserved.
2-19
ID031010
Non-Confidential
Note
The NIC supports lock functionality for 32-bit data beat accesses. You can lock beats of other
sizes, but if they are up-sized or down-sized, it is possible that leading write data are output from
the sizing function for the unlocking transaction before all the locked transactions have
completed.
2.3.7
TrustZone technology and security
This section applies if you are building a system based on the secure and non-secure capabilities
that TrustZone technology provides. If the system does not require security using TrustZone
technology, configure all master interfaces to be non-secure.
This section contains the following subsections:
•
•
Slave interface security on page 2-20
•
Internal programmers view on page 2-20
•
Security checking for master interfaces on page 2-20.
TrustZone scope
The security checks that TrustZone technology implements cover the scope of a configured
network.
Note
TrustZone is a brand name that represents aspects of implementing ARM security extensions.
For example, security checks that are not within the scope of the network are:
Physical attack
Physical attack on the device.
Non-TrustZone-aware masters being made secure
A master might require access to the Global Programmers View (GPV) and in this
case, you can tie the security transaction indicator bits so that all accesses by that
master are indicated as secure. This places that master permanently in the secure
domain. However, depending on the other usage of that master, this might mean
that the overall system is not as secure under all circumstances.
System implementation details
If you do not consider all the masters that have access to the GPV, this can
produce security vulnerabilities. For example:
•
If a non-secure state master can set QoS requirements effecting its
non-secure transactions, then that non-secure state master can use this
capability, in conjunction with traffic analysis, to determine the QoS and
priority settings of a secure master. This can be a threat in particular
implementations.
•
A TrustZone-aware slave requires you to set the connecting network as
non-secure so that the network does not filter the secure traffic and leaves
the slave to determine the correct response. Consider the master that can
make this non-secure configuration against and the master, or masters, that
can program the TrustZone-aware slave.