ARM TrustZone
What is ARM TrustZone?
ARM TrustZone - A hardware security extension on ARM CPUs that partitions the SoC into a Secure World and a Normal World, providing a TEE for keys, DRM, and biometric data.
ARM TrustZone is a system-wide security architecture first introduced with ARMv6 (the ARM1176JZ-S) and carried into every Cortex-A core as TrustZone-A; ARMv8-M later brought a lighter variant, TrustZone-M, to Cortex-M microcontrollers. The SoC is split into two worlds - Secure and Non-Secure - signalled by the NS bit, which the CPU carries in its state and the bus fabric carries on every transaction, so the memory controller (through an address-space controller such as a TZASC) and peripherals can refuse Secure-only resources to Non-Secure masters. The Secure World runs a small trusted OS (e.g. OP-TEE, Qualcomm QSEE, Samsung TEEgris, Trustonic Kinibi) that hosts Trusted Applications (TAs); a Normal World client reaches a TA through the GlobalPlatform TEE Client API, whose kernel driver issues SMC instructions that trap to the Secure Monitor at EL3, which performs the world switch and routes the call. TrustZone hosts the Android Keystore (Keymaster/KeyMint), Widevine L1 DRM, fingerprint matchers, firmware TPMs (fTPMs), and mobile-payment crypto, filling on Android the role Apple's separate Secure Enclave coprocessor fills on iOS. Its limits matter: TrustZone isolates by access control, not memory encryption, so a physical attacker on DRAM or a bug in Secure World code is outside what the partition alone can stop. Attacks such as CLKSCREW (fault injection through the DVFS power-management interface) and downgrade flaws in vendor TAs (loading an old, validly signed TA to resurrect a patched bug) have shown that Secure World code still needs careful auditing and anti-rollback protection.
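The SMC boundary between the worlds is a concrete, inspectable ABI. The following is an added example (not code from Arm, OP-TEE, or any vendor) that decodes SMC function IDs according to the Arm SMC Calling Convention bit layout (bit 31 fast/yielding, bit 30 SMC32/SMC64, bits 29:24 Owning Entity Number, bits 15:0 function number) and models how an EL3 Secure Monitor dispatches on the OEN: PSCI calls are answered in EL3, trusted-OS ranges cross into the Secure World, and anything else gets the SMCCC "unknown function" return. The sample IDs are constructed from public constants (check them against your firmware's headers); the monitor, its handlers and the world-switch counter are a toy model, not Trusted Firmware-A.

```python
from dataclasses import dataclass

# Function-ID bit layout from the Arm SMC Calling Convention (SMCCC).
FAST_CALL = 1 << 31          # 1 = fast call (completes in EL3), 0 = yielding call (preemptible)
SMC64 = 1 << 30              # 1 = SMC64 register convention, 0 = SMC32
OEN_SHIFT, OEN_MASK = 24, 0x3F   # bits 29:24: Owning Entity Number
FUNC_MASK = 0xFFFF           # bits 15:0: function number
SMCCC_UNKNOWN = -1           # SMCCC return value for an unrecognised function ID

OEN_NAMES = {0: "Arm Architecture", 1: "CPU Service", 2: "SiP Service",
             3: "OEM Service", 4: "Standard Secure Service",
             5: "Standard Hypervisor Service", 6: "Vendor Hypervisor Service"}
OEN_NAMES.update({n: "Trusted Application" for n in range(48, 50)})
OEN_NAMES.update({n: "Trusted OS" for n in range(50, 64)})


@dataclass(frozen=True)
class SmcFunctionId:
    fast: bool
    smc64: bool
    oen: int
    func: int

    @property
    def owner(self) -> str:
        return OEN_NAMES.get(self.oen, "Reserved")


def decode(fid: int) -> SmcFunctionId:
    """Split a 32-bit SMC function ID into its SMCCC fields."""
    if not 0 <= fid <= 0xFFFFFFFF:
        raise ValueError("SMC function ID must be a 32-bit value")
    fast = bool(fid & FAST_CALL)
    # Bits 23:16 must be zero for fast calls; reject malformed IDs instead of guessing.
    if fast and (fid >> 16) & 0xFF:
        raise ValueError(f"reserved bits 23:16 set in 0x{fid:08x}")
    return SmcFunctionId(fast, bool(fid & SMC64),
                         (fid >> OEN_SHIFT) & OEN_MASK, fid & FUNC_MASK)


def encode(fast: bool, smc64: bool, oen: int, func: int) -> int:
    """Inverse of decode(); validates the field ranges."""
    if not 0 <= oen <= OEN_MASK or not 0 <= func <= FUNC_MASK:
        raise ValueError("OEN must be 0..63 and function number 0..0xFFFF")
    return (FAST_CALL if fast else 0) | (SMC64 if smc64 else 0) | (oen << OEN_SHIFT) | func


# Sample IDs built from public constants (verify against your firmware's headers):
PSCI_VERSION = encode(True, False, 4, 0)            # 0x84000000, answered in EL3 firmware
PSCI_CPU_ON_64 = encode(True, True, 4, 3)           # 0xC4000003, SMC64 variant
OPTEE_CALLS_UID = encode(True, False, 63, 0xFF01)   # 0xBF00FF01, OP-TEE fast call
OPTEE_CALL_WITH_ARG = encode(False, False, 50, 4)   # 0x32000004, OP-TEE yielding call


class ToyMonitor:
    """Toy model of the EL3 Secure Monitor's dispatch: route by OEN, switch to the
    Secure World only for OENs owned by the trusted OS or TAs, and never let an
    unknown ID fall through to Secure World code."""

    def __init__(self):
        self._handlers = {}        # oen -> handler(SmcFunctionId) -> int (value placed in x0)
        self.world_switches = 0    # calls that crossed into the Secure World

    def register(self, oens, handler):
        for oen in oens:
            self._handlers[oen] = handler

    def smc(self, fid: int) -> int:
        try:
            call = decode(fid)
        except ValueError:
            return SMCCC_UNKNOWN
        handler = self._handlers.get(call.oen)
        if handler is None:
            return SMCCC_UNKNOWN
        if 48 <= call.oen <= 63:
            # NS bit cleared, S-EL1 trusted OS runs, then the monitor returns to Normal World.
            self.world_switches += 1
        return handler(call)


def build_monitor() -> ToyMonitor:
    """Constructed dispatch table: PSCI in EL3, trusted-OS ranges forwarded."""
    m = ToyMonitor()
    m.register([4], lambda c: 0x00010001 if c.func == 0 else 0)   # PSCI_VERSION -> 1.1
    m.register(range(48, 64), lambda c: 0)                         # 0 = OP-TEE "OK" result
    return m
```

The point of the OEN check is that the monitor, not the trusted OS, decides what an SMC means; a yielding call with an unowned OEN (for example 0x12345678) must return SMCCC_UNKNOWN rather than being handed to S-EL1 as a guess.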
● Examples
- 01
Android Keystore-bound credentials are sealed inside TrustZone.
- 02
Widevine L1 DRM decoding runs inside a TrustZone Trusted Application.
● Frequently asked questions
What is ARM TrustZone?
A hardware security extension on ARM CPUs that partitions the SoC into a Secure World and a Normal World, providing a TEE for keys, DRM, and biometric data. It belongs to the Cryptography category of cybersecurity.
What does ARM TrustZone mean?
A hardware security extension on ARM CPUs that partitions the SoC into a Secure World and a Normal World, providing a TEE for keys, DRM, and biometric data.
How does ARM TrustZone work?
ARM TrustZone is a system-wide security architecture first introduced with ARMv6 (the ARM1176JZ-S) and carried into every Cortex-A core as TrustZone-A; ARMv8-M later brought a lighter variant, TrustZone-M, to Cortex-M microcontrollers. The SoC is split into two worlds - Secure and Non-Secure - signalled by the NS bit, which the CPU carries in its state and the bus fabric carries on every transaction, so the memory controller (through an address-space controller such as a TZASC) and peripherals can refuse Secure-only resources to Non-Secure masters. The Secure World runs a small trusted OS (e.g. OP-TEE, Qualcomm QSEE, Samsung TEEgris, Trustonic Kinibi) that hosts Trusted Applications (TAs); a Normal World client reaches a TA through the GlobalPlatform TEE Client API, whose kernel driver issues SMC instructions that trap to the Secure Monitor at EL3, which performs the world switch and routes the call. TrustZone hosts the Android Keystore (Keymaster/KeyMint), Widevine L1 DRM, fingerprint matchers, firmware TPMs (fTPMs), and mobile-payment crypto, filling on Android the role Apple's separate Secure Enclave coprocessor fills on iOS. Its limits matter: TrustZone isolates by access control, not memory encryption, so a physical attacker on DRAM or a bug in Secure World code is outside what the partition alone can stop. Attacks such as CLKSCREW (fault injection through the DVFS power-management interface) and downgrade flaws in vendor TAs (loading an old, validly signed TA to resurrect a patched bug) have shown that Secure World code still needs careful auditing and anti-rollback protection.
How do you keep ARM TrustZone secure?
TrustZone is itself a defensive control, so the practical question is how to keep the Secure World trustworthy. That means booting it through a verified chain (a signed secure bootloader loads a signed trusted OS before any Normal World code runs); keeping the trusted OS and every Trusted Application small and audited, since a bug in Secure World code runs with more privilege than the Normal World kernel; signing TAs and enforcing anti-rollback version counters so an old, vulnerable but validly signed TA cannot be reloaded; treating every buffer, pointer and length passed across the SMC boundary as untrusted input; and treating power-management and debug interfaces as attack surface, as CLKSCREW demonstrated.
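The downgrade flaws in vendor TAs mentioned in the definition come from a trusted OS that checks a TA's signature but not its version. The following is an added example, not code from OP-TEE, QSEE or any vendor, showing the loader check that closes that gap: authenticate the image first, then refuse any version below the per-TA rollback counter. The TA image format, the HMAC-SHA256 tag standing in for the vendor's asymmetric signature, the in-memory rollback store (a real TEE keeps it in RPMB or fuses) and the sample TA UUID are all constructed for illustration. The `enforce_rollback=False` path shows the weak configuration beside the hardened one.

```python
import hashlib
import hmac
import struct

# Stand-in for the vendor's TA-signing key. A real trusted OS verifies an asymmetric
# signature over the TA image against a public key anchored in the SoC.
VENDOR_KEY = b"constructed-vendor-ta-signing-key"
MAGIC = b"TA01"
HDR = struct.Struct("<4s16sII")   # magic, TA UUID, version, payload length (toy format)
TAG_LEN = 32


def sign_ta(uuid: bytes, version: int, payload: bytes) -> bytes:
    """Build a signed TA image: header | payload | HMAC-SHA256 tag (toy signature)."""
    if len(uuid) != 16:
        raise ValueError("TA UUID must be 16 bytes")
    body = HDR.pack(MAGIC, uuid, version, len(payload)) + payload
    return body + hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()


class RollbackStore:
    """Per-TA minimum-version counters. Must live in tamper-resistant storage
    (RPMB, fuses) so the Normal World cannot reset them; a dict stands in here."""

    def __init__(self):
        self._min_version = {}

    def minimum(self, uuid: bytes) -> int:
        return self._min_version.get(uuid, 0)

    def raise_to(self, uuid: bytes, version: int) -> None:
        if version > self.minimum(uuid):
            self._min_version[uuid] = version


def load_ta(image: bytes, store: RollbackStore, enforce_rollback: bool = True):
    """Return (status, version); status is 'OK', 'BAD_FORMAT', 'BAD_SIG' or 'DOWNGRADE'."""
    if len(image) < HDR.size + TAG_LEN:
        return "BAD_FORMAT", None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # 1. Authenticate before trusting any header field (constant-time compare).
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "BAD_SIG", None
    magic, uuid, version, length = HDR.unpack_from(body)
    if magic != MAGIC or len(body) != HDR.size + length:
        return "BAD_FORMAT", None
    # 2. Anti-rollback: a validly signed but older TA is exactly what a downgrade
    #    attack feeds the TEE to bring back a bug the vendor already patched.
    if enforce_rollback and version < store.minimum(uuid):
        return "DOWNGRADE", version
    if enforce_rollback:
        store.raise_to(uuid, version)
    return "OK", version


def demo() -> list:
    """Scenario: patched v2 loads, then the old signed v1, a tampered v2, and v1 again
    on a loader with rollback checks disabled. Returns the four status strings."""
    uuid = bytes.fromhex("8aaaf20000000000000000000000dead")   # constructed TA UUID
    v1 = sign_ta(uuid, 1, b"vulnerable keymaster TA")
    v2 = sign_ta(uuid, 2, b"patched keymaster TA")
    store = RollbackStore()
    results = [load_ta(v2, store)[0], load_ta(v1, store)[0]]   # OK, DOWNGRADE
    # Flip one payload byte: the signature check must catch it before the version is read.
    tampered = v2[:-TAG_LEN - 1] + bytes([v2[-TAG_LEN - 1] ^ 1]) + v2[-TAG_LEN:]
    results.append(load_ta(tampered, store)[0])                # BAD_SIG
    # Weak configuration: without the counter the old, signed, vulnerable TA loads again.
    results.append(load_ta(v1, RollbackStore(), enforce_rollback=False)[0])   # OK
    return results
```

Order matters in `load_ta`: the version field is only read after the tag verifies, so an attacker cannot use a forged header to push the counter or probe the parser; and the counter is raised only after a successful load, so a rejected image never changes state.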
What are other names for ARM TrustZone?
Common alternative names include: TrustZone, ARM TEE.
● Related terms
- cloud-security№ 1177
Trusted Execution Environment (TEE)
A secure, isolated execution context within a processor where code and data are protected in confidentiality and integrity, even from the host OS and hypervisor.
- cryptography№ 546
Intel SGX
Intel Software Guard Extensions, a CPU instruction set that creates encrypted memory enclaves to protect code and data from a compromised OS or hypervisor.
- cryptography№ 044
AMD SEV / SEV-SNP
AMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor.
- cryptography№ 679
Microsoft Pluton
A Microsoft-designed security processor integrated into the CPU die that implements a firmware TPM 2.0, key isolation, and identity attestation for Windows 11.
- cryptography№ 460
Hardware Attestation
A cryptographic protocol by which a device proves its identity and software measurements to a remote verifier using a key rooted in tamper-resistant hardware.
- cryptography№ 981
Secure Boot
UEFI feature that verifies the cryptographic signature of every boot component, refusing to launch a bootloader, kernel, or driver not signed by a trusted authority.