Inferensys

Glossary

ARM TrustZone

ARM TrustZone is a system-wide hardware security technology integrated into ARM processors that creates two isolated execution environments—a Secure World for trusted software and a Normal World for the general-purpose operating system—protected by hardware.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
HARDWARE SECURITY

What is ARM TrustZone?

ARM TrustZone is a foundational hardware security technology for system-on-chip (SoC) designs, creating isolated execution environments to protect sensitive operations and data.

ARM TrustZone is a system-wide hardware security technology integrated into ARM Cortex processors that creates two isolated execution environments—a Secure World for trusted software and a Normal World for the general-purpose operating system—protected by hardware-enforced boundaries. This architectural separation, managed by a secure monitor at the highest processor privilege level, ensures that critical security functions like cryptographic key storage, secure boot, and firmware attestation are physically isolated from the potentially compromised rich OS and applications, establishing a hardware root of trust.

For TinyML deployment on microcontrollers, TrustZone enables secure on-device inference by isolating the machine learning model, its parameters, and input sensor data within the Secure World. This prevents extraction of proprietary models or exposure of sensitive inference data, even if the application processor is compromised. It forms the core of a Trusted Execution Environment (TEE) on ARM-based MCUs, allowing secure key management for authenticated encryption of model updates and providing a protected vault for Hardware Security Module (HSM)-like functions directly on the main CPU, which is essential for embedded security in IoT and edge devices.

HARDWARE ISOLATION

Key Features of ARM TrustZone

ARM TrustZone is a system-wide hardware security technology integrated into ARM processors that creates two isolated execution environments—a Secure World for trusted software and a Normal World for the general-purpose operating system—protected by hardware.

01

Hardware-Enforced World Separation

The core of TrustZone is a hardware-enforced security state bit (the NS bit) that tags every transaction on the system bus. This single bit creates two virtual processors: the Secure World and the Normal World. All memory, peripherals, and interrupts are partitioned based on this state, preventing any Normal World software from directly accessing Secure World resources. This isolation is maintained at the CPU, bus, and memory controller level, providing a robust foundation for a Trusted Execution Environment (TEE).

02

Secure Monitor & Context Switching

Transition between the Secure and Normal Worlds is strictly controlled by a dedicated exception level called the Secure Monitor. A special instruction (SMC - Secure Monitor Call) or configured hardware interrupt triggers a world switch. The Secure Monitor saves the entire CPU context of the exiting world before restoring the context of the entering world. This process ensures complete isolation; the Normal World OS is entirely unaware of the Secure World's execution, treating the switch as a simple exception.

03

Memory & Peripheral Partitioning

TrustZone extends isolation to the entire system-on-chip (SoC):

  • Memory: Physical memory is partitioned using the TrustZone Address Space Controller (TZASC) or TrustZone Memory Adapter (TZMA). Secure memory is inaccessible to the Normal World.
  • Peripherals: The TrustZone Protection Controller (TZPC) configures peripherals (like crypto accelerators, GPIO, or UART) as Secure, Non-Secure, or configurable. A secure UART, for example, can be used for a trusted debug interface invisible to the main OS. This granular control allows architects to create a secure silo for keys, biometric data, or proprietary algorithms.
04

Trusted Boot & Chain of Trust

TrustZone establishes a hardware root of trust for secure boot. The first code executed from immutable ROM (the Boot ROM) runs in the Secure World. It authenticates the next boot stage (e.g., a Secure World bootloader) using cryptographic signatures before executing it. This process continues, creating a chain of trust that eventually authenticates the Normal World OS kernel. This ensures the device only runs verified, unmodified software from the moment of power-on.

05

Cryptographic Isolation & Secure Services

The Secure World hosts Trusted Applications (TAs) and Trusted Services that provide critical security functions to the Normal World via a defined API. Common services include:

  • Secure Key Storage: Cryptographic keys are generated, stored, and used exclusively within the Secure World, never exposed in plaintext to the Normal World.
  • Hardware Crypto Acceleration: Dedicated crypto cores are often configured as Secure-only peripherals.
  • Device Attestation: The Secure World can generate a signed report proving the device's identity and software integrity to a remote server. This enables features like secure mobile payments, DRM, and enterprise device management.
COMPARISON

ARM TrustZone vs. Other TEE Implementations

A feature comparison of hardware-based Trusted Execution Environment (TEE) technologies relevant for securing TinyML workloads on embedded systems and microcontrollers.

Feature / CharacteristicARM TrustZoneIntel SGXDedicated Secure Element

Core Isolation Principle

Hardware-enforced separation of CPU into Secure and Normal Worlds via a security state bit.

Creation of private memory enclaves within user-space applications, protected by CPU microcode.

Physically separate, tamper-resistant silicon chip (e.g., iSIM, embedded SE) connected via bus.

Typical Deployment Scope

System-on-Chip (SoC) wide; secures peripherals, memory, and interrupts across the main processor.

Application-focused; secures specific code and data segments within a host OS process.

Discrete component; provides a dedicated, certified secure subsystem independent of the main CPU.

Memory Protection Granularity

Coarse-grained (world-level) with optional finer-grained control via TrustZone-aware Memory Protection Unit (TZ-MPU).

Fine-grained at the page level for enclave memory.

Complete physical separation; the main CPU only accesses the SE via a defined command interface.

Cryptographic Acceleration

Often integrated into the Secure World via a TrustZone CryptoCell or similar hardware block.

Relies on main CPU instructions or external co-processors; not inherently provided by SGX.

Built-in, certified cryptographic coprocessors (e.g., for AES, ECC, SHA, TRNG).

Certification Commonality

Common basis for platform-level certifications (e.g., PSA Certified, SESIP).

Used in data-center applications; less common for embedded device certification.

Often holds high-assurance certifications (e.g., Common Criteria EAL5+, EMVCo, IoT SAFE).

Attack Surface for TinyML

Protects the entire model execution pipeline if deployed in Secure World. Vulnerable to world-switch corruption.

Protects only the model/weights inside an enclave. Vulnerable to side-channel attacks on enclave execution.

Offloads only specific ops (e.g., key storage, inference). Model execution often remains on the main, unprotected CPU.

Hardware Dependency

Requires ARM cores with the TrustZone extension (Cortex-A, Cortex-M23/33/35P/55/85).

Requires specific Intel CPUs with SGX support (not common in microcontroller-class devices).

Agonistic to main CPU architecture; can be paired with any microcontroller via I2C, SPI, or USB.

Development Complexity

Moderate to High. Requires managing two software worlds, secure monitor, and potentially a separate toolchain.

High. Requires specific SDK, enclave definition language (EDL), and attestation integration.

Low to Moderate. Interacts via a standardized command API (e.g., APDU, IoT SAFE). Model partitioning is required.

ARM TRUSTZONE

Frequently Asked Questions

ARM TrustZone is a foundational hardware security technology for modern embedded systems and IoT devices. These questions address its core mechanisms, applications, and relevance to securing TinyML deployments.

ARM TrustZone is a system-wide hardware security technology integrated into ARM Cortex-A and Cortex-M processors that creates two isolated execution environments—a Secure World for trusted software and a Normal World for the general-purpose operating system—protected by hardware-enforced boundaries. It works by extending the concept of privilege levels with an additional secure (NS) bit on the system bus. This single bit tags all memory accesses, peripheral accesses, and CPU states as either secure or non-secure. A secure monitor, triggered by a dedicated instruction (SMC) or hardware interrupt, controls context switching between the two worlds, ensuring the Normal World cannot access Secure World resources without explicit, controlled entry points. This hardware isolation forms the basis for a Trusted Execution Environment (TEE) on the same physical core.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.