The Next Steps in the Evolution of ARM Cortex-M
Joseph Yiu
ARM Tech Symposia China 2015
Senior Embedded Technology Manager
CPU Group
November 2015
2 © ARM 2015
Trust & Device Integrity from Sensor to Server
Device Security Fundamentals
Separation
  Isolate trusted resources from non-trusted
  Isolate non-trusted software
  Reduce attack surface of key components
Trusted Software
  Provision of security services
  Small, well reviewed code
Trusted Hardware
  Hardware assist for cryptography
  Secure access validation built into SoC
[Figure: non-trusted and trusted domains; trusted software; trusted hardware with crypto, TRNG, secure system and secure storage]
Bringing Security to the Smallest Devices
ARMv8-M architecture
  The ARM architecture for ARM® Cortex®-M processors
  Provides a security foundation with TrustZone®
New AMBA® 5 AHB5 specification
  Extends the security foundation through the ultra-low power SoC
ARMv8-M: Taking Embedded to the Next Level
Making scalable software development even easier
Taking TrustZone security to the smallest devices
Bringing security within reach of all developers
Security
Productivity
Introducing ARMv8-M
ARMv8-M Sub-profiles
Scalable architecture
ARMv8-M Baseline:
  Lowest cost, smallest, ARMv8-M implementations.
ARMv8-M Mainline:
  For general purpose microcontroller products
  Highly scalable
  Optional DSP and floating-point extensions.
[Figure labels: ARMv6-M, ARMv7-M, Today; ARMv8-M Baseline, Mainline]
ARMv8-M Baseline Performance & Scalability
Instruction set feature uplift for baseline microcontroller
Feature                Key benefits
Hardware divide        Faster integer divide operation in hardware. Removes need for library code.
Compare and branch     Combined compare-with-zero and branch. Faster control code.
Long branch            Long non-linking branch to complement branch with link. Enables support for cross unit tail calls.
Wide immediate moves   Pointer and large immediate creation without needing a literal load. Provides a linking mechanism for execute-only code.
Exclusive accesses     Load-link / store-conditional support for semaphore use. Enables common semaphore handling between CPUs.
Interrupt active bits  Active status of all interrupts individually tracked. Offers dynamic re-prioritization of interrupts.
ARMv8-M Mainline Variants
Comprehensive instruction set support with optional DSP and floating-point extensions
Retains Baseline fundamentals.
Adds extensive 32-bit instruction set
  ~40% performance uplift over Baseline.
Optional integer digital signal processing (DSP) extension
  ~80 saturating arithmetic and SIMD operations.
Optional floating-point (FP) extension
  ~45 instructions, IEEE754 compatible single, and/or double precision floating-point operations.
[Figure labels: Baseline, Mainline, DSP, FP]
Memory Protection and Watchpoints
Improved programmability and flexibility
ARMv8-M adopts base and limit style comparators for regions
  Replaces previous power-of-two size, size-aligned scheme
  Simplifies software development, encouraging creation of safer software
  Accelerates programming, potentially reducing context switch times.
MPU configurable down to 32-byte granularity.
Debug variable watchpoints also enhanced to support more flexible scheme.
[Figure: the range 0x3BC00 to 0x80400 needs four PMSAv7 regions (1kB, 16kB, 256kB, 1kB) but a single 274kB region in PMSAv8]
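The PMSAv7 versus PMSAv8 comparison from the Memory Protection slide, worked through in code. This is an added example, not part of the original slides: the function names are hypothetical, the 32-byte minimum PMSAv7 region size is an assumption taken from the ARMv7-M architecture, and PMSAv7 sub-region disable bits are ignored.

```c
#include <stdint.h>
#include <stdio.h>

#define GRANULE 32u /* minimum PMSAv7 region size and PMSAv8 base/limit granule */

/* Largest naturally aligned power-of-two block that starts at addr and
 * does not run past end (exclusive). This is the PMSAv7 placement rule. */
static uint64_t v7_block(uint64_t addr, uint64_t end)
{
    uint64_t size = GRANULE;
    while (addr % (2 * size) == 0 && addr + 2 * size <= end)
        size *= 2;
    return size;
}

/* Number of PMSAv7 regions needed to cover [base, end) exactly; the first
 * `max` region sizes are stored in sizes[]. Returns -1 on a bad range. */
int pmsav7_regions(uint32_t base, uint32_t end, uint32_t *sizes, int max)
{
    if (base >= end || base % GRANULE || end % GRANULE)
        return -1;
    int n = 0;
    for (uint64_t a = base; a < end; n++) {
        uint64_t s = v7_block(a, end);
        if (n < max)
            sizes[n] = (uint32_t)s;
        a += s;
    }
    return n;
}

/* PMSAv8 base/limit comparators: one region covers any range whose bounds
 * sit on the 32-byte granule. Returns -1 on a bad range. */
int pmsav8_regions(uint32_t base, uint32_t end)
{
    if (base >= end || base % GRANULE || end % GRANULE)
        return -1;
    return 1;
}

int main(void)
{
    uint32_t sizes[8];
    /* Range taken from the slide's figure: 0x3BC00 up to 0x80400. */
    int n = pmsav7_regions(0x3BC00u, 0x80400u, sizes, 8);
    printf("PMSAv7: %d regions:", n);
    for (int i = 0; i < n && i < 8; i++)
        printf(" %ukB", (unsigned)(sizes[i] / 1024u));
    printf("\nPMSAv8: %d region\n", pmsav8_regions(0x3BC00u, 0x80400u));
    return 0;
}
```

A buffer that starts on an awkward boundary can consume most of a small MPU under the older scheme, which is the pressure that pushes firmware toward over-wide regions.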
Introducing ARM TrustZone for ARMv8-M
ARM TrustZone Technology
Bringing ARM security extensions to the embedded world
Optional security extension for the ARMv8-M architecture
  Security architecture for deeply embedded processors
  Enables containerisation of software
  Simplifies security assessment of embedded devices.
Conceptually similar and compatible with existing TrustZone technology
  New architecture tailored for embedded devices
  Preserves low interrupt latencies of Cortex-M
  Provides high performance cross-domain calling.
ARMv8-M Additional States
Existing handler and thread modes mirrored with secure and non-secure states
Secure and Non-secure code run on a single CPU
  For efficient embedded implementation.
Secure state for trusted code
  New Secure stack pointers for robust operation
  Addition of stack-limit checking.
Dedicated resources for isolation between domains
  Separate memory protection units for Secure and Non-secure
  Private SysTick timer for each state.
  Secure side can configure target domain of interrupts.
[Figure: ARMv7-M: Handler mode, Thread mode. ARMv8-M: Non-secure Handler mode, Non-secure Thread mode, Secure Handler mode, Secure Thread mode]
ARMv8-M Interrupt Security
High-performance interrupt handling with register protection
Subject to priority, Secure can interrupt Non-secure and vice versa
  Secure can boost priority of own interrupts
  Uses current stack pointer to preserve context.
Uses ARMv7-M exception stacking mechanism
  Hardware pushes selected registers.
Non-secure interruption of Secure code
  CPU pushes all registers and zeroes them
  Removes ability for Non-secure to snoop Secure register values.
[Figure: running Secure code; Non-secure interrupt; push all registers, zero all registers; switch to Non-secure; run Non-secure handler; return from interrupt; switch to Secure; pop all registers]
Security Defined by Address
All addresses are either Secure or Non-secure.
Policing managed by Security Attribution Unit (SAU)
  Internal SAU similar to MPU
  Supports use of external system-level definition
  E.g. based on flash blocks or per peripheral.
Banked MPU configuration
  Independent memory protection per security state.
Load/stores acquire NS attribute based on address
  Non-secure access attempts to Secure address = memory fault.
All transactions from core and debugger checked
[Figure: request path from CPU to system through the Security Attribution Unit (SAU), System Level Control, and the Secure and Non-secure MPUs]
High Performance Cross-Domain Calls
Efficient microcontroller focussed implementation
Security inferred from instruction address
  Secure memory considered to hold Secure code.
Direct function calls across boundary
  High performance and high security
  Multiple entry points
  No need to go via “monitor” for transitions.
Uses Secure Gateway instruction “SG”
  Only permitted in special Secure memory with Non-secure-callable attribute (NSC).
[Figure: calls between Non-secure Thread/Handler modes and Secure Thread/Handler modes]
TrustZone for ARMv8-A and TrustZone for ARMv8-M
TrustZone for ARMv8-M
  Secure transitions handled by the processor to maintain embedded class latency
[Figure: TrustZone for ARMv8-A: Non-secure states (Rich OS, e.g. Linux), Secure states (Secure App/Libs, Secure OS), Secure Monitor. TrustZone for ARMv8-M: Non-secure states (Non-secure App, Non-secure OS), Secure states (Secure App/Libs, Secure OS)]
Cross-Domain Function Calls
An assembly code level example
Guard instruction (SG) polices entry point
  Placed at the start of function callable from non-secure code.
Non-secure to Secure branch faults if SG isn’t at target address
  Can’t branch into the middle of functions
  Can’t call internal functions.
Code on Non-secure side identical to existing code.

Non-secure memory:
  NonSecureFunc:
      BL   SecureFunc    ; Call
      <Non-secure code>

Secure memory (Non-secure callable):
  SecureFunc:
      SG                 ; Enter Secure state
      <Secure code>
      BXNS lr            ; Return to NS
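A simplified software model of the checks described under "Security Defined by Address" and "Cross-Domain Function Calls". This is an added example, not part of the original slides: the memory map, type names and function names are hypothetical, and treating unlisted addresses as Secure is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { ATTR_SECURE, ATTR_NSC, ATTR_NONSECURE } attr_t;
typedef struct { uint32_t base, limit; attr_t attr; } region_t; /* limit inclusive */

/* Constructed attribution map; the addresses are illustrative only. */
static const region_t sau_map[] = {
    { 0x00200000u, 0x003FFFFFu, ATTR_NONSECURE }, /* Non-secure flash    */
    { 0x20200000u, 0x203FFFFFu, ATTR_NONSECURE }, /* Non-secure SRAM     */
    { 0x000FF000u, 0x000FFFFFu, ATTR_NSC },       /* Secure entry points */
};

/* Every address has an attribute; anything not listed is Secure (assumed). */
attr_t attribute(uint32_t addr)
{
    for (size_t i = 0; i < sizeof sau_map / sizeof sau_map[0]; i++)
        if (addr >= sau_map[i].base && addr <= sau_map[i].limit)
            return sau_map[i].attr;
    return ATTR_SECURE;
}

/* Load/store check: Non-secure state may touch only Non-secure addresses.
 * NSC memory is still Secure for data accesses. */
int data_access_ok(int cpu_secure, uint32_t addr)
{
    return cpu_secure || attribute(addr) == ATTR_NONSECURE;
}

/* Branch issued in Non-secure state. target_is_sg says whether the
 * instruction at the target address is SG. */
int ns_branch_ok(uint32_t target, int target_is_sg)
{
    attr_t a = attribute(target);
    if (a == ATTR_NONSECURE)
        return 1;                         /* stays in Non-secure state */
    return a == ATTR_NSC && target_is_sg; /* Secure entry only via SG in NSC */
}

int main(void)
{
    printf("NS load from Secure SRAM:     %s\n", data_access_ok(0, 0x20000000u) ? "ok" : "fault");
    printf("NS call to SG in NSC:         %s\n", ns_branch_ok(0x000FF000u, 1) ? "ok" : "fault");
    printf("NS branch into function body: %s\n", ns_branch_ok(0x000FF004u, 0) ? "ok" : "fault");
    printf("NS branch to SG outside NSC:  %s\n", ns_branch_ok(0x00001000u, 1) ? "ok" : "fault");
    return 0;
}
```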
A Simplified Use Case
Composing a system from Secure and Non-secure projects
Non-secure project cannot access Secure resources.
Secure project can access everything.
Secure and Non-secure projects may implement independent time scheduling.
[Figure: firmware project and user project across Non-secure and Secure states; labels: System start, Firmware, Communication stack, User application, I/O driver, Start, Function calls]
Microcontroller System
With TrustZone technology
Security driven from master
  Dynamically from an ARMv8-M CPU
  Statically from a simple DMA.
Propagated by AHB5 interconnect
  Compatible with existing Cortex-A.
Enables selective access
  Individual flash pages
  Regions of memory
  Peripherals.
[Figure: CPU and Non-secure DMA connected through the AHB5 interconnect to Flash, SRAM, Secure Peripheral A and Non-secure Peripheral B]
ARMv8-M Ecosystem Development Underway
ARMv8-M provides the standard for the extensive Cortex-M ecosystem to create the security solutions needed in a connected world
Contact us to start your ARMv8-M development
ARMv8-M: Security in Small, Real-time Embedded
Hardware based security state switch
Transparent to the software developer
Efficient – every cycle counts
No hypervisor code and processing overhead
Transition via a standard function call
Optimised for small real-time processors
Low, deterministic interrupt latency
Fully programmable in C
Easy to program, easy to debug
ARMv8-M: Increased Software Productivity
Enhanced debug
Improved trace
Easier, standardised device protection
Improved scalability
Continuum across product family
TrustZone security
Simplified MPU
More flexible breakpoints/watchpoints
The Next Steps in the Evolution of Cortex-M
ARMv8-M
  Provides a continuum of performance and compatibility
ARM TrustZone Technology
  Simplifies and accelerates security in the microcontroller space
AMBA 5 AHB5
  Extends security to the system
The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.
Copyright © 2015 ARM Limited
Thank you