6 Future ARM TrustZone&Secure Element

ARM TrustZone and Secure Element Usage

Uploaded by IvoStrašil

ARM TRUSTZONE & SECURE ELEMENT

CONFIDENTIAL AND PROPRIETARY 1


STORE SECRETS
Selection guide: MCU / MPU / FPGA / SE

(Figure: selection chart ordering the ways to store secrets from lower to higher security level. Building blocks shown: internal flash protected by a firewall / MPU / TrustZone; external flash (QSPI / OSPI) behind an FPGA firewall; internal HW secure block + TrustZone inside the ARM MCU / MPU; a separate secure block, TPM or external Secure Element next to the MCU / MPU.)

Attack-level labels on the chart:
- Very low attack level
- Low attack level (not connected, not easily reachable)
- Low level of SW attacks
- Low level of physical attacks
- High level of SW attacks (Internet connected, high value or easily reachable device)
- High level of physical attacks


EQUIVALENCE BETWEEN SESIP/PSA/CC
This is a high-level equivalence for simplified comparison.

SESIP Level   PSA Level              CC JIL Rating   CC EAL    Resistance against attack potential
1             1                      AVA.VAN.1       EAL1-3    Basic
2             2                      AVA.VAN.2       -         Basic
3             2+SE (physical) or 3   AVA.VAN.3       EAL4      Enhanced Basic
4             -                      AVA.VAN.4       EAL5      Moderate
5             -                      AVA.VAN.5       EAL6-7    High

The slide labels the lower levels as the MCU / MPU market and the higher levels as the SIM card, Secure Element & TPM market.

EAL4+: the + means that AVA.VAN may be higher than 3.

Source: GPT_SESIP_Profile_Secure_MCU_MPU_v1.0_PublicRelease
SECURE ELEMENT FAMILY

(Figure: positioning chart. Horizontal axis from "simple use cases & limited memory size" to "complex use cases & big memory size"; vertical axis from lower cost to higher cost, with a 1 USD mark near the Secure Element tier.)

- Authenticator: simple use cases (optional authentication, identity); typical products: accessories
- Secure Element: communication use cases (complex authentication (TLS), identity, certificate / key store); typical products: communication devices, simple gateway
- TPM: TPM use cases, full security companion (TCG use cases); typical products: gateway, network equipment
SECURE ELEMENT TYPICAL ARCHITECTURE

(Figure: the Secure Element is attached to the MCU/MPU over I2C / SPI, next to the communication chipset. A coin cell powers the SE so that it can detect an attack even when the product is powered off.)

- Authentication of the Cloud (Private, AWS, Azure) or accessories
- Secure boot of the MCU/MPU (authentication)
- Secure storage (keys, certificates, data)
- Detection of box opening (anti-tampering)


KEY/CERTIFICATE PROVISIONING
Solution A

▪ For several technologies there is key provisioning to manage during manufacturing:
▪ Root of Trust
▪ Secure Boot
▪ Cloud connection
▪ Specific application…

An HSM is equipment generating and storing keys securely (before pushing them to the cloud).

(Figure: at the manufacturing / assembly site the HSM provisions the device, and the HSM also provisions the (private) cloud / Internet side.)


PROVISIONING WITHOUT HSM
Solution B: Provisioning before soldering parts

▪ When using a Secure Element, provisioning may be done before mounting the component. It may remove the need for an HSM.

(Figure: the SE is provisioned at component delivery, before component assembly at the manufacturing / assembly site; the list of manufactured device IDs is then provisioned to the (private) cloud / Internet.)


PROVISIONING WITHOUT HSM
Solution C: Zero-touch onboarding

✓ Provision in the field; the device needs a TCP/IP connection using the public Internet.
✓ No need for specific provisioning during manufacturing, nor a specific part number.
✓ Need to pay for the bootstrap server.
✓ Can be used for certificate renewal.

(Figure: three parties, Bootstrap Server, Devices, Your Cloud. (1) First connection: your device, fitted with a Secure Element carrying a certificate for the bootstrap connection, contacts the bootstrap server (provided along with the SE) and gets your specific secrets/certificates. (2) The bootstrap server pushes certificates* to your cloud. (3) Application connection to your cloud using your specific secrets & certificate.)

* If the PKI is on the bootstrap side.


SECURE ELEMENT
Key Points

▪ Pro
▪ Provisioning options
▪ Isolation of security functions in a dedicated chipset
▪ Strong security level, best-in-class attack resistance
▪ Solution independent from the main MCU / MPU

▪ Cons
▪ Memory limitation
▪ FW update of the Secure Element not always possible (mitigated by strong security)
▪ Bandwidth limited (I2C / SPI)


TRUSTZONE

▪ ARM technology
▪ Available on Cortex-A and Cortex-M23 / 33 / 35 / 55
▪ Optional ARM feature: not all Cortex-A or Cortex-M cores have TrustZone enabled.
▪ Concepts are the same on MCU & MPU, but the SW implementation is different.


TRUSTZONE ON CORTEX-M

▪ Separate execution of Non-Secure (NS) and Secure code.
▪ Interrupts can be executed from Secure or NS.
▪ TrustZone can be propagated into internal peripherals and memories to give access to some registers or memory areas only to the Secure world.

(Figure: block diagram, with a reference to Cortex M4 / M7 for comparison.)
RAM ISOLATION

▪ TrustZone ensures that function calls between Non-Secure and Secure are limited.
▪ To ensure a pointer or any direct memory access to secure RAM doesn't reach the secure area, memory isolation is needed.

External RAM: usage of external RAM is possible. For a high security level, the bus should be encrypted.

(Figure: two RAM layouts. "RAM memory map": Non Secure / Secure memory block / Non Secure / Secure, interleaved in one RAM. "Dedicated RAM map": Non Secure RAM1 / Secure RAM2 / Non Secure RAM3, annotated "easier SW management of RAM shutdown".)
TRUSTZONE TRUSTED FIRMWARE-M

▪ To simplify SW development on top of the Cortex-M TrustZone, TFM SW is available from ARM.
▪ TFM is available for:
▪ ST Micro (STM32 U5, L5)
▪ NXP (LPC5S family)
▪ Renesas (RA family)
▪ Infineon (PSoC)
▪ Microchip (ARM PIC32)
▪ It includes several SW services.
▪ https://tf-m-user-guide.trustedfirmware.org/index.html
TRUSTZONE ON CORTEX-M

(Figure: NS world and Secure world side by side, joined only by a function table.)

- Function table to communicate between NS & Secure world. Not possible to call any Secure function directly.
- Development in NS looks like a different OS is running only in the NS world.
- Most of the time a separate binary.
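The two Cortex-M slides above make one defensive point: Secure code is reachable only through the function table, and any pointer the Non-Secure side hands over must be checked so that it cannot reach Secure RAM. The C program below is an added example, not code from the deck or from Arm/TF-M, that models that check on a host PC. The three-region memory map, the simulated SRAM, the addresses and the `secure_checksum_service` entry are constructed for the example. On real Cortex-M33 firmware the NS-callable entry is declared with `__attribute__((cmse_nonsecure_entry))` and uses the CMSE intrinsic `cmse_check_address_range()` against the SAU/IDAU configuration; here the same fail-closed logic is written by hand so it compiles and runs anywhere.

```c
/* Added example: host model of the pointer check a Secure-world entry
 * function performs on Non-Secure (NS) supplied addresses. The memory map,
 * SRAM simulation and service are constructed for this example; they are
 * not Arm, TF-M or vendor code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { REGION_NONSECURE = 0, REGION_SECURE = 1 } region_attr_t;

typedef struct {
    uintptr_t base;     /* first address of the region */
    uintptr_t limit;    /* last address of the region (inclusive) */
    region_attr_t attr; /* what the SAU/IDAU would report for it */
} mem_region_t;

/* Constructed map after the "dedicated RAM map" of the RAM-isolation slide:
 * RAM1 and RAM3 belong to the NS world, RAM2 is Secure. Addresses are made up. */
static const mem_region_t g_map[] = {
    { 0x20000000u, 0x2000FFFFu, REGION_NONSECURE }, /* RAM1 */
    { 0x20010000u, 0x2001FFFFu, REGION_SECURE    }, /* RAM2 */
    { 0x20020000u, 0x2002FFFFu, REGION_NONSECURE }, /* RAM3 */
};
#define NUM_REGIONS (sizeof g_map / sizeof g_map[0])

/* Simulated physical SRAM backing RAM1..RAM3 so the service can really
 * read and write through NS addresses. */
#define SRAM_BASE 0x20000000u
#define SRAM_SIZE 0x30000u
static uint8_t g_sram[SRAM_SIZE];

/* True only if every byte of [addr, addr + len) lies in NS regions.
 * Zero length, address wrap-around, unmapped gaps and any overlap with a
 * Secure region all fail closed; this is the policy that
 * cmse_check_address_range() enforces with hardware help on a real part. */
bool ns_range_ok(uintptr_t addr, size_t len)
{
    if (len == 0 || addr > UINTPTR_MAX - (len - 1))
        return false;
    uintptr_t last = addr + (len - 1);
    uintptr_t cur = addr;
    for (;;) {
        const mem_region_t *hit = NULL;
        for (size_t i = 0; i < NUM_REGIONS; i++) {
            if (cur >= g_map[i].base && cur <= g_map[i].limit) {
                hit = &g_map[i];
                break;
            }
        }
        if (hit == NULL || hit->attr != REGION_NONSECURE)
            return false;          /* gap in the map, or Secure memory */
        if (last <= hit->limit)
            return true;           /* whole range consumed inside NS */
        cur = hit->limit + 1;      /* continue into the next region */
    }
}

/* Helpers standing in for the NS world touching its own RAM. */
void ns_write(uintptr_t addr, const uint8_t *data, size_t len)
{
    if (addr >= SRAM_BASE && len <= SRAM_SIZE && addr - SRAM_BASE <= SRAM_SIZE - len)
        memcpy(&g_sram[addr - SRAM_BASE], data, len);
}

uint32_t ns_read32(uintptr_t addr)
{
    uint32_t v = 0;
    if (addr >= SRAM_BASE && addr - SRAM_BASE <= SRAM_SIZE - sizeof v)
        memcpy(&v, &g_sram[addr - SRAM_BASE], sizeof v);
    return v;
}

/* Modelled Secure entry point (a function-table target). On hardware it
 * would carry __attribute__((cmse_nonsecure_entry)). Both the input buffer
 * and the output slot are NS addresses and both are checked before anything
 * is dereferenced. Returns 0 on success, a negative code on refusal. */
int secure_checksum_service(uintptr_t ns_buf, size_t len, uintptr_t ns_out)
{
    uint8_t scratch[256];

    if (!ns_range_ok(ns_buf, len))
        return -2;                 /* input overlaps Secure or unmapped memory */
    if (!ns_range_ok(ns_out, sizeof(uint32_t)))
        return -2;                 /* result slot must be NS as well */
    if (len > sizeof scratch)
        return -3;                 /* bound the copy onto the Secure stack */

    /* Copy first, then compute: the NS side keeps running (other core,
     * interrupts, DMA) and must not be able to change the data mid-way. */
    memcpy(scratch, &g_sram[ns_buf - SRAM_BASE], len);
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += scratch[i];

    memcpy(&g_sram[ns_out - SRAM_BASE], &sum, sizeof sum);
    return 0;
}
```

The byte sum stands in for whatever the Secure service really does (signing, decryption); the part worth copying is the order of operations: validate every NS address, including the one the result is written to, bound the length, copy into Secure-owned memory, and only then touch the data.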
MBEDTLS WITH TFM

(Figure: dataflow between the Non-Secure side and the Secure Processing Environment. Non-Secure side: LWM2M stack, MQTT stack, mbedTLS, UDP/TCP/IP stack, connectivity driver. Secure Processing Environment, reached through the PSA API: Mbed Crypto, secure storage, drivers, AES / PKA accelerator.)

Works in the same way with other TLS stack vendors.
MCUBOOT

▪ Open source bootloader project
▪ Already integrated with TFM
▪ Compatible with all major RTOS (Zephyr, Azure RTOS/ThreadX, Free/AWS RTOS…)

(Figure: boot chain Boot ROM → MCU Boot → TFM Secure Processing Environment → OS NS.)

(also called SFI in ST Micro vocabulary)


TRUSTZONE ON CORTEX-A

▪ Separate execution of Non Secure (Normal World) and Secure World.
▪ TrustZone can be propagated into internal peripherals and memories to give access to some registers or memory areas only to the Secure world.


TEE SECURE BOOT

(Figure: TEE secure boot diagram; no text recovered from the slide.)


OP-TEE

▪ OP-TEE is an implementation of a secure monitor for Cortex-A.
▪ APIs are defined by GlobalPlatform.
▪ Additional services are available with Trusted Services libs.
▪ OP-TEE and TFM are not compatible.
TRUSTZONE
Key Points

▪ Pro
▪ Good SW isolation between Secure & Non-Secure
▪ SW flexibility to add new algorithms or specific functions
▪ Security level certified only on some vendors (PSA / SESIP certification)
▪ Same API for all vendors
▪ Data flow stays in the MCU/MPU

▪ Cons
▪ TrustZone is an enabler; it depends on the vendor implementation
▪ (on MCU) Memory consumption of the TFM library requires a bigger MCU
▪ Performance needs care in real-time applications
▪ Ramp-up effort and debugging more complex


TRUSTZONE & SECURE ELEMENT

▪ Can be mixed together.

(Figure: Secure Element next to the MCU/MPU, with the functions Cloud Authentication, Secure Boot, Cloud confidentiality, Secure Storage (config), Secure Storage (live data) and Anti Tampering split between them. The Secure Element holds the confidential pre-provisioned element (private key); the MCU/MPU holds self-generated or non-confidential elements (public key, ephemeral private key).)
TRUSTZONE & SECURE ELEMENT

▪ Or the secure element can be integrated in the MCU/MPU.

(Figure: same split as the previous slide, with the Secure Element inside the MCU/MPU: Cloud Authentication, Secure Boot, Cloud confidentiality, Secure Storage (config), Secure Storage (live data), Anti Tampering. The Secure Element holds the confidential pre-provisioned element (private key); the MCU/MPU side holds self-generated or non-confidential elements (public key, ephemeral private key).)
LINE CARD: AUTHENTICATORS
Simple Secure Elements for authentication only.

(Table: one column per product: Optiga Authenticate S, Optiga Trust Charge, Optiga Authenticate, ECC204 / 206, SHA10x (SHA104, SHA105, SHA106). Per-column feature lists (interface such as I2C / SWI / NFC, memory size, EAL6+ / JIL HW protection, ECC or SHA-256 based authentication, RNG, sleep current, package options, Qi certificate chain) were interleaved by extraction and cannot be reliably reattributed. Row labels: Asymmetric / Symmetric only; Small package / Qi Charging / NFC; Automotive: following slide.)

SWI: ideal for non-electronic products
(1) Feature set combination depends on part number AN12436
(2) RSA 3072 signature verification only
LINE CARD: SECURE ELEMENTS
Secure Elements for (mutual) authentication, secret storage and symmetric crypto.

(Table: one column per product: STSAFE-A110, STSAFE-A120, Optiga Trust M V3, ATECC608C, A5000, SE050, SE051, SE052F. Feature items appearing in the table: I2C interface (secure I2C protocol), memory size from 6 kB to 100 kB, EAL5+ / EAL6+ (AVA.VAN 5), FIPS 140-2 L3 or FIPS 140-3 L3/4, ECC P-curves up to 521 bit, Koblitz, Ed25519 / Curve25519 / Curve448, RSA 2k/4k, AES 128/256, 3DES, SHA-2 / SHA-3, key derivation (PRF / HKDF / PBKDF2), key wrapping, SCP03, RNG, updatable firmware, IEC 62443-4-1 certified & 62443-4-2 ready, Matter, UWB, NFC, MIFARE, V2G 15118-2, DLMS/COSEM, Qi certificate chain, MbedTLS / OpenSSL / generic driver support. Per-column attribution was interleaved by extraction.)

(1) Feature set combination depends on part number AN12436
(2) RSA 3072 signature verification only
Automotive: next slide.
LINE CARD: AUTOMOTIVE
Secure Elements for (mutual) authentication, secret storage and symmetric crypto.

(Table: one column per product: Optiga Trust Charge Auto, TA100, TA010, TA101, STSAFE-V family (V100-Qi: Qi 1.3 & 2; VJ100-CCC: CCC R2/R3; V100-TPM: TPM option), NCJ37x, NCJ38A, SEMPER NOR Flash. Feature items appearing in the table: AEC-Q100 grades, I2C / SPI / SWI, EAL4+ to EAL6+ (AVA_VAN.5), Java Card 3.0.5, ECC P224/256/384/521, secp256k1, BN-256, Ed25519 / X25519, RSA up to 4096(2), AES 128/192/256 (CMAC), 3DES, SHA-256/384/512, HMAC, key derivation (PRF, HKDF), SCP03, RNG, in-field update, Qi certificate chain, HDCP, TLS 1.2/1.3, CAN bus, NFC (ISO 14443), CCC, SafeBoot, sleep current. Per-column attribution was interleaved by extraction.)

(1) Feature set combination depends on part number AN12436
(2) RSA 3072 signature verification only
LINE CARD: TPM

(Table: one column per product: Optiga TPM SLB9672 FW16, SLI/SLM9670 FW13.11, Optiga TPM SLB9673 FW26 (I2C), AT97SC3205, SW TPM (software TPM emulating the TCG interface), ST33GTPMA, ST33TPHF2X, ST33KTPM2X; an FPGA TPM is also listed. Feature items appearing in the table: SPI / I2C / LPC, 50 kB memory, EAL4+ / FIPS 140-2 level 3 or FIPS 140-3*, TCG 1.2 / TCG 2.0 rev 1.38 / rev 1.59, ECC P256/384, ECC BN256, RSA 1024/2048/3072/4096, AES 128/192/256, TDES 192, SHA-1/256/384, RNG, 3x or 4x EK / EK certificates, AEC-Q100, PQC / post-quantum FW update. Per-column attribution was interleaved by extraction.)

(*) target, not certified
MCU WITH SECURITY FOR MASS MARKET
MCU with certified security features against PSA / SESIP

(Table: columns Wireless MCU / Basic MCU / Mid-Range MCU / Advanced MCU; rows from "Logical attacks" through "Advanced logical attacks" to "Basic physical attacks", i.e. increasing feature set. Products placed on the chart: MCXN (ES), STM32U0, LPC55S36, STM32U585, RA8, STM32N6, STM32WBA, RW610 (ES), STM32L4, STM32L5, STM32H573, PSOC EDGE, Apollo 5, SAML11, PIC32CM, PIC32CK, PIC32CZ, i.MX RT1180, LPC55S1, PSoC 64S, KW45, STM32L4+, i.MX RT, STM32G4, Apollo 4, RA6Mx, STM32H7, LPC55S0, RSL15, PSoC 64Bx, STM32G0, DA16xxx. Levels shown range from PSA L1 / SESIP L1 up to SESIP/PSA L3 and PSA L2+SE, with HSM noted on some parts; the per-product level pairing was interleaved by extraction.)

ES: Engineering Sample
* Only secure boot
MPU WITH SECURITY FOR MASS MARKET
PCI / PSA / SESIP Processors

(Table: rows "Physical attacks resistant", "Advanced logical attacks" and "Logical attacks", i.e. decreasing feature set. Products placed on the chart: SAMA5D29 (SiP with Secure Element: TA100), STM32MP135, STM32MP2, i.MX95, SAMA5D27, SAMA7G54, i.MX8ULP, RZG2L/LC/UL/V2L, RZG3S, i.MX93 / 91, RZV2H, STM32MP157, i.MX7ULP, i.MX8M family, i.MX8 / i.MX8X, LayerScape Series. Levels shown: PSA L1, SESIP/PSA L1, SESIP/PSA L2, SESIP/PSA L3, FIPS 140-3 L2, PCI**, some marked UNDER NDA. Feature items appearing in the table: symmetric crypto (with SCA), ECC / RSA crypto (with SCA, high perf), V2X accelerator, RNG, TrustZone, secure / encrypted boot, tamper pin(s), unique ID, voltage / temperature / frequency detection, QSPI decryption, RAM & flash enc./dec., secure storage with HUK, EdgeLock Enclave, secure provisioning (wrap), integrity check monitor / run-time integrity check, secure JTAG, eFUSE / OTP key storage, HDCP / DTCP, low-power crypto. Per-column attribution was interleaved by extraction.)

(*) target, not certified
(**) pre-certified
(***) FIPS: i.MX93 only; FIPS 140-3 Level 2: evidence of the physical attack (no resistance)
ANY QUESTION?

THANKS
