Introduction to isolation

1 What is isolation?

Isolation means that a system is subdivided into several subsystems (or partitions). Isolation can protect one subsystem from the other(s). The system to isolate can contain code, secrets, or intellectual properties.

2 Hardware isolation

The hardware isolation mechanisms are used to isolate a subsystems (minimum two). Most of the time, the isolation is implemented by combining it with a software solution.

The hardware isolation mechanisms tasks are the following:

• isolation (access control): secure, nonsecure, privileged, or unprivileged mode
• filtering on memory access

Typical examples of hardware isolation mechanisms are:

• MPU (memory protection unit): isolation in Cortex^®-M cores
• Arm^® TrustZone, available in Cortex^®-A and Arm Cortex^®-M architectures.
• Firewall

3 Temporal isolation

Temporal Isolation is considered only during the boot sequence. It can isolate the different stages executed.

Temporal isolation can protect the device sensitive assets that are used during the secure boot process from being accessed by later stages.

4 Runtime isolation

Considering a platform composed of multiple subsystems, runtime isolation Is the ability to have a system with several subsystems running in parallel.

Isolating two subsystems can be done by using the Arm^® TrustZone technology, but it can also be achieved by the integration of two cores, or by using the MPU on Cortex^®-M cores.

5 IP isolation

IP isolation is the propriety allowing a given IP to run sandboxed from the other IPs.

Arm^® PSA firmware framework defines tree levels of IP isolation: