What is TrustZone, and how is it implemented on STM32 microcontrollers?

ampheo
3 min read

TrustZone is a hardware-based security feature developed by ARM to support secure and non-secure execution environments on the same processor. It's a key part of ARMv8-M architecture, used to build secure embedded applications.


🔐 What is ARM TrustZone?

TrustZone creates two separate security domains:

  1. Secure World – runs sensitive code (e.g., cryptography, secure boot, key management)

  2. Non-Secure World – runs regular application code (e.g., UI, communication)

Each world:

  • Has its own memory, peripherals, and interrupts

  • Can’t access the Secure World unless explicitly allowed

This separation is enforced by the processor itself (through its security attribution logic), the memory protection units (MPUs), and bus-level access rules, so it does not depend on the application code behaving correctly.


🧠 Key Concepts of TrustZone

| Concept | Description |
|---|---|
| Secure Attribution | Determines whether a memory region or peripheral is Secure, Non-Secure, or Non-Secure Callable |
| NSC (Non-Secure Callable) | Region holding the gateway (veneer) functions that Non-Secure code is allowed to call into the Secure World |
| TZ-M | TrustZone for ARM Cortex-M (the variant used in STM32) |
| SAU/IDAU | The Secure Attribution Unit (SAU) in the core and the chip-level Implementation Defined Attribution Unit (IDAU) together define secure/non-secure regions; any address not covered by an enabled SAU region is Secure by default |
| Secure Boot | Ensures the device starts in a known secure state before any Non-Secure code runs |

🧩 TrustZone in STM32 Microcontrollers

Only STM32 microcontrollers based on ARM Cortex-M33, like the STM32L5, STM32U5, or STM32H5 series, support TrustZone.

✅ Supported STM32 Families:

  • STM32L5 (Cortex-M33)

  • STM32U5 (Cortex-M33)

  • STM32H5 (Cortex-M33)

🧱 STM32 Implementation Highlights:

| Feature | Description |
|---|---|
| Dual Image Firmware | Application split into Secure and Non-Secure binaries |
| Secure Boot (SBSFU) | ST's Secure Boot and Secure Firmware Update (part of X-CUBE-SBSFU) |
| TrustZone-Aware IDE | STM32CubeIDE allows configuration of Secure/Non-Secure regions |
| Memory Isolation | Flash and RAM regions configured via SAU/IDAU |
| Peripheral Isolation | Only secure code can access secure peripherals unless explicitly exposed |
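The table above says flash and RAM are "configured via SAU/IDAU" without showing what that configuration is. The block below is an added example, not code from this article or from ST: a host-runnable model of how SAU regions are encoded and how the SAU attributes an address once they are programmed. The memory map (512 KB flash / 256 KB SRAM, NSC veneers at the top of the secure flash alias, Non-Secure image after it) is hypothetical, laid out in the style of the STM32L5, where bit 28 of the address selects the Secure alias. The register bit layout is the ARMv8-M SAU_RBAR/SAU_RLAR definition; the `SAU->RNR/RBAR/RLAR/CTRL` writes mentioned in comments are the CMSIS names used on a real target.

```c
/* Host-runnable model of ARMv8-M SAU region programming.  Added example,
 * not code from the article or from ST.  The memory map below is
 * hypothetical, laid out like the STM32L5 (bit 28 selects the Secure
 * alias: 0x0C00_0000 flash / 0x3000_0000 SRAM / 0x5000_0000 peripherals). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SAU_RBAR / SAU_RLAR bit fields as defined by the ARMv8-M architecture */
#define SAU_RBAR_BADDR_MSK 0xFFFFFFE0u   /* base address, bits [31:5]  */
#define SAU_RLAR_LADDR_MSK 0xFFFFFFE0u   /* limit address, bits [31:5] */
#define SAU_RLAR_NSC       (1u << 1)     /* region is Secure, Non-Secure Callable */
#define SAU_RLAR_ENABLE    (1u << 0)

typedef enum { ATTR_SECURE = 0, ATTR_NS = 1, ATTR_NSC = 2 } sau_attr_t;

typedef struct {
    uint32_t    start;   /* first byte, must be 32-byte aligned */
    uint32_t    end;     /* last byte, low 5 bits must be 0x1F */
    bool        nsc;     /* true: Secure + Non-Secure Callable; false: Non-Secure */
    const char *name;
} sau_region_t;

/* Encode one region into the RBAR/RLAR pair.  Returns false for regions
 * that violate the SAU's 32-byte granularity or are inverted. */
bool sau_encode(const sau_region_t *r, uint32_t *rbar, uint32_t *rlar)
{
    if ((r->start & 0x1Fu) != 0u || (r->end & 0x1Fu) != 0x1Fu || r->end < r->start)
        return false;
    *rbar = r->start & SAU_RBAR_BADDR_MSK;
    *rlar = (r->end & SAU_RLAR_LADDR_MSK) | SAU_RLAR_ENABLE | (r->nsc ? SAU_RLAR_NSC : 0u);
    return true;
}

/* Convenience wrapper: the RLAR word for a region, or 0 when it is invalid */
uint32_t sau_rlar_for(uint32_t start, uint32_t end, bool nsc)
{
    sau_region_t r = { start, end, nsc, "" };
    uint32_t rbar, rlar;
    return sau_encode(&r, &rbar, &rlar) ? rlar : 0u;
}

/* Attribution the SAU gives an address with SAU_CTRL.ALLNS = 0:
 * no region hit -> Secure; exactly one hit -> that region's attribute;
 * more than one hit -> Secure (overlapping regions are a configuration bug,
 * and the hardware resolves them to the most restrictive attribute). */
sau_attr_t sau_attribute(const sau_region_t *t, size_t n, uint32_t addr)
{
    size_t hits = 0;
    sau_attr_t attr = ATTR_SECURE;
    for (size_t i = 0; i < n; i++) {
        if (addr >= t[i].start && addr <= t[i].end) {
            hits++;
            attr = t[i].nsc ? ATTR_NSC : ATTR_NS;
        }
    }
    return hits == 1 ? attr : ATTR_SECURE;
}

/* Hypothetical split: Secure image in the first 256 KB of flash, NSC
 * veneers in the last 4 KB of that half (Secure alias), Non-Secure image
 * and Non-Secure SRAM after it.  Everything not listed stays Secure. */
const sau_region_t example_map[] = {
    { 0x0C03F000u, 0x0C03FFFFu, true,  "NSC veneers (secure flash alias)" },
    { 0x08040000u, 0x0807FFFFu, false, "Non-Secure flash" },
    { 0x20018000u, 0x2002FFFFu, false, "Non-Secure SRAM" },
    { 0x40000000u, 0x4FFFFFFFu, false, "Non-Secure peripheral window" },
};
const size_t example_map_len = sizeof example_map / sizeof example_map[0];

int main(void)
{
    for (size_t i = 0; i < example_map_len; i++) {
        uint32_t rbar, rlar;
        if (!sau_encode(&example_map[i], &rbar, &rlar)) {
            printf("region %zu (%s): invalid\n", i, example_map[i].name);
            continue;
        }
        /* On target: SAU->RNR = i; SAU->RBAR = rbar; SAU->RLAR = rlar; */
        printf("SAU region %zu: RBAR=0x%08X RLAR=0x%08X  %s\n",
               i, (unsigned)rbar, (unsigned)rlar, example_map[i].name);
    }
    /* then: SAU->CTRL = SAU_CTRL_ENABLE_Msk; followed by a DSB/ISB */
    return 0;
}
```

The two properties worth checking in a real partition file are the ones `sau_encode` and `sau_attribute` model: regions must be 32-byte granular, and they must not overlap, because an overlapping address silently becomes Secure and the Non-Secure image faults on it. On STM32 the IDAU's fixed attribution is combined with the SAU's, so a region the IDAU already marks Secure (the 0x0C.../0x30.../0x50... aliases) can only be made Non-Secure Callable, never Non-Secure.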

🛠️ How to Implement TrustZone on STM32

1. Enable TrustZone

  • Select a TrustZone-capable MCU (e.g., STM32L552)

  • In STM32CubeMX, enable TrustZone support

2. Configure Secure and Non-Secure Worlds

  • Define memory regions (flash and RAM) as Secure or Non-Secure

  • Set up peripherals the same way

  • Configure the NSC region that holds the veneers for the secure APIs callable from the Non-Secure side

3. Develop Secure/Non-Secure Firmware

  • In STM32CubeIDE:

    • Create two separate projects: Secure and Non-Secure

    • Secure firmware can expose APIs using __attribute__((cmse_nonsecure_entry))

  • ST provides SBSFU (Secure Boot and Secure Firmware Update) as middleware

4. Debug and Test

  • STM32CubeIDE supports debugging of both Secure and Non-Secure contexts
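Step 3 says the Secure firmware exposes APIs with `__attribute__((cmse_nonsecure_entry))`, which is only half of the job: such a gateway also has to check every pointer and length the Non-Secure side hands it, otherwise Non-Secure code can point it at Secure memory and have the Secure World read or write that memory on its behalf. The block below is an added example, not code from this article or from ST. It models a gateway that refuses buffers that are not entirely Non-Secure; on a real Cortex-M33 build (`arm-none-eabi-gcc -mcmse`) the attribute makes the compiler emit the SG veneer in the NSC region and scrub registers on return, and `cmse_check_address_range()` from `<arm_cmse.h>` performs the range test against the SAU, IDAU and MPU. Here both are modelled so the logic runs on a host; the memory window, the stand-in XOR "cipher" and the key bytes are hypothetical.

```c
/* Secure-side gateway that validates every Non-Secure pointer before
 * touching it.  Added example, not code from the article or from ST.
 * The memory map, the key and the XOR "cipher" are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#ifdef __ARM_FEATURE_CMSE
#include <arm_cmse.h>                   /* real target: CMSE intrinsics */
#define NSC_ENTRY __attribute__((cmse_nonsecure_entry))
#else
#define NSC_ENTRY                       /* host build: plain function */
#endif

/* Hypothetical Non-Secure SRAM window (modelled on an STM32L5 SRAM1 split) */
#define NS_RAM_START 0x20018000u
#define NS_RAM_SIZE  0x00018000u

static uint8_t ns_ram[NS_RAM_SIZE];     /* host stand-in for Non-Secure SRAM */
static const uint8_t secure_key[16] = { /* Secure data only; never exported */
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };

/* Model of cmse_check_address_range(p, len, CMSE_NONSECURE | CMSE_MPU_READWRITE):
 * true only if every byte of [addr, addr + len) is Non-Secure.  The last
 * address is computed in 64 bits, so a length chosen to wrap past
 * 0xFFFFFFFF cannot slip a Secure range through a 32-bit comparison. */
static bool range_is_nonsecure(uint32_t addr, uint32_t len)
{
    if (len == 0u)
        return false;
    uint64_t last = (uint64_t)addr + len - 1u;
    return addr >= NS_RAM_START && last <= (uint64_t)NS_RAM_START + NS_RAM_SIZE - 1u;
}

/* Non-Secure Callable API: encrypt a caller-supplied buffer in place.
 * Returns 0 on success, -1 if the buffer is not entirely Non-Secure.
 * The XOR is a stand-in for a real cipher; the check is the point. */
NSC_ENTRY int secure_encrypt_ns_buffer(uint32_t addr, uint32_t len)
{
    /* Work from local copies.  Arguments arrive in registers, but any
     * value re-read from Non-Secure memory could change under a
     * Non-Secure interrupt that preempts this Secure call. */
    const uint32_t a = addr, n = len;
    if (!range_is_nonsecure(a, n))
        return -1;                      /* would touch Secure memory: refuse */
    uint8_t *p = &ns_ram[a - NS_RAM_START];
    for (uint32_t i = 0; i < n; i++)
        p[i] ^= secure_key[i % sizeof secure_key];
    return 0;
}

/* Non-Secure side helpers for the host model (on target, plain memory access) */
void    ns_write(uint32_t addr, uint8_t v) { ns_ram[addr - NS_RAM_START] = v; }
uint8_t ns_read(uint32_t addr)             { return ns_ram[addr - NS_RAM_START]; }
```

Two details carry over unchanged to a real build: the check covers the whole range, not just the first byte, and it runs on copies of the arguments rather than on anything the Non-Secure caller can still modify. The length-zero and wrap-around rejections are the cases a naive `addr >= start && addr + len <= end` test gets wrong.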

📦 ST Resources

  • X-CUBE-TZ: TrustZone demo projects

  • X-CUBE-SBSFU: Secure Bootloader package

  • STM32L5/STM32U5 Reference Manuals

  • AN5394: Guidelines for TrustZone on STM32


🛡️ Advantages of TrustZone

| Benefit | Why it matters |
|---|---|
| Hardware-level security | Not just software isolation |
| Protect sensitive code | Keep keys and crypto functions in the Secure World |
| Mitigate attacks | A buffer overflow or firmware injection in the Non-Secure World cannot reach Secure memory or peripherals; it only gets the gateway APIs the Secure World chooses to expose |
| No need for dual-core | Achieves isolation on a single core |
Written by ampheo