
Overview of TrustZone‑Based SoC Components and CryptoCell Architecture

The article outlines ARM TrustZone‑enabled SoC components and the CryptoCell architecture, describing its two product families (700 and 300), hardware modules for symmetric and asymmetric cryptography, secure key slots, the CRYS software library, and their roles in secure‑boot, lifecycle management, debugging and data protection.

OPPO Kernel Craftsman

TrustZone is ARM's security extension providing a system‑level secure environment. In SoCs that support TrustZone, the hardware IP includes CPUs (Cortex‑A series), system IP such as MMU, cache, bus, GIC, TZASC, TZPC, and security IP like CryptoIsland and CryptoCell.

CryptoCell was introduced to off‑load cryptographic operations from the Secure World, allowing the Non‑Secure World to issue commands that are executed entirely in hardware without exposing secret data to the CPU. Two product families exist: CryptoCell‑700 (high‑performance, paired with Cortex‑A) and CryptoCell‑300 (low‑power, paired with Cortex‑M).

A high‑level diagram shows CryptoCell hardware services interfacing with firmware, which in turn provides APIs to Linux (REE) and the Trusted Execution Environment (TEE). The TEE side offers the CRYS cryptographic library, while the REE side uses a Crypto API driver.

Internally, CryptoCell consists of “Shared Hardware” and “TEE Hardware”. Shared hardware provides symmetric encryption engines and hardware key slots. The symmetric engine supports AES, AES‑CMAC, DES, MD5, HMAC, DMA transfers, and hardware‑isolated key storage.

Hardware key slots are dedicated registers that allow the TEE to create and store symmetric keys securely; CryptoCell provides four slots supporting 128‑, 192‑, and 256‑bit keys.

TEE hardware includes an asymmetric crypto accelerator, NVM manager, OTP, true‑random‑number generator, and status interfaces (LCS, DCU registers, secure timers, etc.).

The CRYS library is the runtime software component that drives CryptoCell IP. It is used throughout the secure‑boot flow, including lifecycle state retrieval, secure‑boot initialization, certificate verification, error‑code handling, SecureDebug configuration, key derivation, and hash calculation.

In secure‑boot, the system progresses through BL1‑BL5 stages on ARMv8 platforms. CryptoCell accelerates image signing, encryption, verification, and decryption, and can be combined with OTP‑based key storage and BootROM code.

Beyond secure‑boot, CryptoCell is applied to device lifecycle management, key management, secure debugging (via DCU registers), and data backup/recovery using KBKDF‑derived AES‑128 keys.
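As an added illustration, not code from the article or from ARM's CRYS library, the following shows the SP 800-108 counter-mode KBKDF pattern that a backup-key derivation of the kind described above follows, with a software stand-in for a hardware key slot that exposes only derived keys. HMAC-SHA256 as the PRF, the fixed-input field layout, and the class and function names are assumptions, since the article names only "KBKDF".

```python
import hmac
import hashlib
import struct


def kbkdf_counter(root_key: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """SP 800-108 counter mode (assumed PRF: HMAC-SHA256).
    K(i) = PRF(root_key, [i]_4 || label || 0x00 || context || [L]_4), i = 1..n."""
    if length <= 0:
        raise ValueError("length must be positive")
    h_len = hashlib.sha256().digest_size
    n_blocks = -(-length // h_len)  # ceiling division
    l_bits = length * 8
    out = b""
    for i in range(1, n_blocks + 1):
        fixed_input = (struct.pack(">I", i) + label + b"\x00"
                       + context + struct.pack(">I", l_bits))
        out += hmac.new(root_key, fixed_input, hashlib.sha256).digest()
    return out[:length]


class KeySlot:
    """Constructed model of a hardware key slot: the root key is never returned,
    only keys derived from it. Real CryptoCell slots keep the key inside the IP."""

    def __init__(self, root_key: bytes):
        # The article states slots hold 128-, 192- or 256-bit keys.
        if len(root_key) not in (16, 24, 32):
            raise ValueError("slot keys are 128, 192 or 256 bits")
        self._root_key = root_key

    def derive_aes128_key(self, label: bytes, context: bytes) -> bytes:
        # A 16-byte output is the AES-128 key the backup/recovery path would use.
        return kbkdf_counter(self._root_key, label, context, 16)


# Constructed sample values: a 256-bit root key and a per-device context string.
ROOT_KEY = bytes(range(32))
slot = KeySlot(ROOT_KEY)
backup_key = slot.derive_aes128_key(b"backup-v1", b"device-0001")
```

Because the label, context and output length are all bound into the PRF input, a key derived for a different purpose or device never collides with the backup key.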

References: ARM documentation links.

Tags: ARM, hardware security, TrustZone, CryptoCell, Secure Boot, SoC
Written by OPPO Kernel Craftsman: sharing Linux kernel-related cutting-edge technology, technical articles, technical news, and curated tutorials.
