What is TrustZone, and how is it implemented on STM32 microcontrollers?
ampheo
TrustZone is a hardware-based security feature developed by ARM to support secure and non-secure execution environments on the same processor. It's a key part of ARMv8-M architecture, used to build secure embedded applications.
🔐 What is ARM TrustZone?
TrustZone creates two separate security domains:
Secure World – runs sensitive code (e.g., cryptography, secure boot, key management)
Non-Secure World – runs regular application code (e.g., UI, communication)
Each world:
Has its own memory, peripherals, and interrupts
Can’t access the Secure World unless explicitly allowed
This separation is enforced by the processor, memory protection units (MPUs), and bus-level access rules.
🧠 Key Concepts of TrustZone
| Concept | Description |
| Secure Attribution | Determines whether a memory region or peripheral is secure |
| NSC (Non-Secure Callable) | Gateway functions callable from the Non-Secure side |
| TZ-M | TrustZone for ARM Cortex-M (used in STM32) |
| SAU/IDAU | Secure Attribution Unit (SAU) defines secure/non-secure regions |
| Secure Boot | Ensures device starts in a known secure state |
🧩 TrustZone in STM32 Microcontrollers
Only STM32 microcontrollers based on ARM Cortex-M33, like the STM32L5, STM32U5, or STM32H5 series, support TrustZone.
✅ Supported STM32 Families:
🧱 STM32 Implementation Highlights:
| Feature | Description |
| Dual Image Firmware | Application split into Secure and Non-Secure binaries |
| Secure Boot (SBSFU) | ST’s Secure Boot and Secure Firmware Update (part of X-CUBE-SBSFU) |
| TrustZone-Aware IDE | STM32CubeIDE allows configuration of Secure/Non-Secure regions |
| Memory Isolation | Flash and RAM regions configured via SAU/IDAU |
| Peripheral Isolation | Only secure code can access secure peripherals unless explicitly exposed |
🛠️ How to Implement TrustZone on STM32
1. Enable TrustZone
Select a TrustZone-capable MCU (e.g., STM32L552)
In STM32CubeMX, enable TrustZone support
2. Configure Secure and Non-Secure Worlds
Define memory regions as Secure or Non-Secure
Setup peripherals similarly
Configure NSC region for callable secure APIs
3. Develop Secure/Non-Secure Firmware
In STM32CubeIDE:
Create two separate projects:
SecureandNon-SecureSecure firmware can expose APIs using
__attribute__((cmse_nonsecure_entry))
4. Use Secure Boot (Optional but recommended)
- ST provides SBSFU (Secure Boot and Secure Firmware Update) as middleware
5. Debug and Test
- STM32CubeIDE supports debugging of both Secure and Non-Secure contexts
📦 ST Resources
X-CUBE-TZ: TrustZone demo projects
X-CUBE-SBSFU: Secure Bootloader package
AN5394: Guidelines for TrustZone on STM32
🛡️ Advantages of TrustZone
| Benefit | Why it matters |
| Hardware-level security | Not just software isolation |
| Protect sensitive code | Keep keys, crypto functions in secure world |
| Mitigate attacks | Stops buffer overflow or firmware injection from reaching critical functions |
| No need for dual-core | Achieves isolation on a single core |
Subscribe to my newsletter
Read articles from ampheo directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by