TrustZone, which is already used in ARM's high-end Cortex-A SoCs, is designed to separate and isolate non-trusted resources from trusted hardware, software and data by creating an area on the chip to house the trusted code. It includes hardware-assisted cryptography with secure access validation built into the chip, and now includes a technology called CryptoCell, for faster data encryption. The ARMv8-M architecture will also support the AMBA 5 AHB5 interconnect protocol, which extends security from the ARM-embedded SoC to other components in the system, such as memory, storage and connected peripherals, both trusted and untrusted.
It will be later next year or into 2017 before TrustZone technology begins to appear in devices, according to ARM. However, it is the foundation of the layered approach ARM is taking to security, the company said. It starts with the hardware, which includes TrustZone, mbed OS and SecurCore, then moves into communications software with features like mbed TLS and into lifecycle security with mbed Device Server.
What's important is realizing that security in the IoT can't be addressed in the same way as it has been addressed with PCs, ARM and its partners said. There are too many devices and too many potential access points for hackers to attack.
"A lot of times, security is an afterthought," Balaji Yelamanchili, executive vice president and general manager of Symantec's enterprise security business, said during the panel. "You buy a device … and bolt on security afterwards. In the IoT, you can't do that."
"It's got to be pervasive and it has to be part of the development process," ARM's Muller said in a round-table discussion with journalists.
"You can't have security and trust as an extra," he said. "To work, you've got to have it on everything. Once you make it optional, some people won't use it."
Muller said ARM will introduce other security services for IoT devices, such as secure firmware updates. However, it's unclear when that will be available, according to CEO Segars. Company officials are determining whether ARM would run the service itself or license it to partners, who would then build it into their own products.