![Page 1: Open Virtualization Project for ARM TrustZone](https://reader034.vdocuments.site/reader034/viewer/2022052600/55759166d8b42ae7708b4f7c/html5/thumbnails/1.jpg)
Open Virtualization Project for ARM TrustZone
Simply Secure
Sierraware Software Suite
SierraTEE
– TrustZone/GlobalPlatform TEE
– True 64-bit TEE
SierraVisor: Bare Metal Hypervisor
– Hypervisor for ARM
– Paravirtualization for ARM11, A8, A9
– Hardware virtualization for 64-bit and 32-bit SoCs
– Multi-core ready
SierraOS: Secure RTOS/uKernel
– Small and Simple
– POSIX compliant
DRM and Content Protection Toolkits:
– Hardware accelerated media streaming and HDCP toolkit
SierraTEE: TrustZone Environment
[Diagram: ARM SoC with Crypto Engine, Secure Memory and Secure External Bus; Secure Peripherals: Flash, Keyboard, Display. Normal World OS (Android/uCOS/RTOS): Kernel, Secure Driver, GlobalPlatform Client API. Secure OS: Dispatcher, Kernel, Monitor/Real-Time Scheduler, services (Crypto, Display, File System, DASM Mgr, Services), Trustlets/Secure Tasks, GlobalPlatform Internal API. Use cases shown: Media Playback with DRM; Java Payment with Secure Input/Output.]
Powerful, Purpose-built OS
Flexible with Neon and VFP
– Fully shared mode
– Supports both “Secure” or “Normal” world
Thwarts side-channel attacks by protecting branch target buffers, TLBs, etc.
Supports several interrupt models
– FIQ & IRQ in dedicated secure cores
– FIQ only mode when sharing cores
– Interrupt routing from secure to non-secure world
Simple, Small, Easy-to-Use
Image can fit in small on-chip ROM
Flexible scheduler: preemptive, cooperative
Supports asynchronous IPC
Stack overflow detection and profiling support
High-performance architecture with zero-copy device drivers, fast context switching and cache lockdown
Flexible Resource Control
Supports:
– Queues
– Binary semaphores
– Counting semaphores
– Recursive semaphores
– Mutexes with priority inheritance
– Efficient software timers
Multi-core Ready: AMP/SMP
Dedicated Cores for Secure and Normal World
– Satisfies size- and performance-constrained designs
– Ideally suited for high-performance applications such as media playback and transcoding
Secure and Non-secure Kernels Share Cores
– Provides maximum peak CPU bandwidth
– Both secure and non-secure kernels can utilize all available cores
[Diagram: two ARM MP Core layouts (Core0 to Core3), each running Normal World and Secure World on Open Virtualization: one with cores dedicated to each world (AMP), one with both worlds sharing all cores (SMP)]
Portable, Small Footprint
Mixed mode architecture
– Supports C, C++ and Java
– Easy to integrate with Android and other mobile platforms
Can be customized to fit on resource-constrained platforms
TrustZone/GlobalPlatform
Ready-to-use modules
Open Virtualization API is available for both Bootloader and Linux
Secure tasklets can perform key operations like decrypting OS images and upgrading firmware
Multiple modes of operation support both TrustZone enabled and normal processors
Supports Leading Platforms
Easy to develop and integrate with platforms like Linux, Android & BSD
Written in C with GNU tools
Security Starts from Boot
Secure perimeter starts with the bootloader
Users can continue to use their preferred bootloader
Security established before activating the bootloader
– Keys, media and other assets are fully protected
[Diagram: boot flow from Power On through BootROM into the Open Virtualization OS, which establishes the security perimeter (Secure Boot Tasklet, Secure Services) before the Non-Secure Bootloader and a Normal World OS like Linux/BSD are started]
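The boot flow on this slide, modelled as an added Python example (this is illustrative code, not SierraTEE or Open Virtualization code): each stage checks the digest of the next image against a table pinned in the root of trust before handing over, and the protected assets are released only once the perimeter stage has itself been verified. The stage names, image contents and digests are constructed for the illustration; a production root of trust would verify signatures against a public key rather than compare against a pinned digest table.

```python
"""Model of a measured boot chain: BootROM -> Open Virtualization OS
(establishes the perimeter) -> Secure Boot Tasklet -> Non-Secure Bootloader
-> Normal World OS.  Added illustration; not the project's own code."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample "images".  On a real SoC these would be firmware blobs
# read from flash; here they are byte strings so the model runs offline.
IMAGES: Dict[str, bytes] = {
    "open_virtualization_os": b"OV-OS image (constructed sample)",
    "secure_boot_tasklet": b"secure boot tasklet (constructed sample)",
    "nonsecure_bootloader": b"non-secure bootloader (constructed sample)",
    "normal_world_os": b"Linux/BSD kernel image (constructed sample)",
}

# Boot order follows the slide: the perimeter exists before the bootloader runs.
BOOT_ORDER: List[str] = list(IMAGES)

PERIMETER_STAGE = "open_virtualization_os"   # the stage that establishes the perimeter
ASSET_RELEASE_STAGE = "secure_boot_tasklet"  # the stage that may unlock keys/media


def digest(blob: bytes) -> str:
    """SHA-256 digest of an image, hex encoded."""
    return hashlib.sha256(blob).hexdigest()


# Stands in for values burned into BootROM / OTP: the digest each stage must have.
# (Constructed from the sample images above for the purpose of the demo.)
TRUSTED_DIGESTS: Dict[str, str] = {name: digest(blob) for name, blob in IMAGES.items()}


@dataclass
class BootLog:
    """What the chain did: which stages ran and where, if anywhere, it stopped."""
    stages_run: List[str] = field(default_factory=list)
    perimeter_established: bool = False
    assets_unlocked: bool = False
    halted_at: Optional[str] = None


def boot(images: Dict[str, bytes], trusted: Dict[str, str]) -> BootLog:
    """Walk the chain; refuse to hand control to any image whose digest is not pinned."""
    log = BootLog()
    for name in BOOT_ORDER:
        blob = images.get(name)
        if blob is None or digest(blob) != trusted[name]:
            # Verification failed: stop here, later stages never execute.
            log.halted_at = name
            return log
        log.stages_run.append(name)
        if name == PERIMETER_STAGE:
            log.perimeter_established = True
        if name == ASSET_RELEASE_STAGE:
            # Keys and media are released only inside an established perimeter.
            log.assets_unlocked = log.perimeter_established
    return log


def with_tampered_image(images: Dict[str, bytes], name: str, payload: bytes) -> Dict[str, bytes]:
    """Return a copy of the image set with one stage replaced (models a modified flash)."""
    modified = dict(images)
    modified[name] = payload
    return modified


if __name__ == "__main__":
    print("clean boot:", boot(IMAGES, TRUSTED_DIGESTS))
    bad = with_tampered_image(IMAGES, "nonsecure_bootloader", b"modified bootloader")
    print("tampered bootloader:", boot(bad, TRUSTED_DIGESTS))
```

With the sample images a clean boot runs all four stages and unlocks the assets; replacing the non-secure bootloader halts the chain at that stage, so the Normal World OS never runs, while the assets already released inside the perimeter stay under secure-world control. Replacing the perimeter stage itself halts the chain before anything is unlocked.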
Digital Rights Management
Open Virtualization enables DRM, secure payment, and secure WiFi
– Crypto, integrated with the Linux OCF
– Secure keypad and display
– Protected key and content storage, authenticated flash
DRM Media Playback
[Diagram: DRM media playback flow with numbered steps 1 to 5. Normal World: Input Source (Streaming/File), Android DRM Framework, DRM Plugin (OMA, PlayReady). Secure World: DRM Decrypt, Audio/Video Decoding.]
Trusted HDCP Architecture
[Diagram: Android side: libstagefright, WIFI Display, HDCP API, Libstagefright_hdcp.so (Controller & Session), TEE Shared Queue. Sierra Secure OS side: Shared IPC Queue, HDCP 2.0 (AKE, Locality Check, SKE, Session, Cipher), Crypto (RNG, RSA, AES, SHA256).]
Secure Input
[Diagram: Android Java App alongside the Secure World UI]
Applications
1. Headless Gateway
Secure transcoding prevents valuable content from being snooped
2. Residential Gateway
Secure BSSID and other network provisioning
Defend against hackers and intrusions
Applications
1. Mobile Phones
Secure Payments
DRM Content protection
Isolate secure OS from normal world OS
2. IP Set-top-box, Media Players
DRM, Content Protection
Professional Services
Custom Services
– Porting software to unique processors
– Integrating TEE and SierraVisor with applications
– Developing drivers, encoders or apps
ARM Design Expertise
– Extensive experience with ARM processors and kernel code
– Android, Linux, BSD, and VxWorks development
– Hardware & FPGA
Project Management
– Phased approach from planning and development to testing & certification
– Carefully defined schedules and communication with customers to avoid surprises & delays
Technical Support
Telephone and Email Support
Online technical documentation
Software updates for commercial products
Previews of upcoming releases
Ability to influence feature enhancements
Commitment to Quality
– Service Level Agreement (SLA) details support response times and escalation levels