Reminder of the MOOC: software security based on isolation. I would now like to review the key points that were covered by this MOOC. Mainly: what is isolation and why is it important? What means of isolation do we currently have on STM32? And an introduction to TrustZone, a new feature from Arm that is integrated on the STM32L5. I would also like to introduce the development flow of a TrustZone application and the language extension for C.

The purpose of creating an isolation barrier between the secure project and the user project is to protect the key secrets and assets. If a hacker gains access to the user application, they will still be able to cause mischief in those regions, but they will not be able to access any resource that is behind the isolation barrier. They cannot compromise the key, they cannot bypass the authentication checks, for example. To achieve this level of isolation there needs to be support at the hardware level; there is no way to do this purely in software.

In a typical application scenario, when the microcontroller resets it boots into the secure part of memory and executes the secure boot. This is an immutable piece of firmware that checks the integrity and authenticity of the user application, and if everything is okay, execution is passed to the user project. A second thing which is also very desirable is to export some of the secure functionality to the user project. These are the so-called legal API. An example of this can be crypto operations or secure storage. It is these interactions between the secure and user applications that are especially difficult, and TrustZone brings real benefit here. One of the key requirements for isolating the secure and non-secure application is to be able to restrict access to memory regions and peripherals. There are various ways to do this on different STM32 families.
One of the most widely available, and most common, is MPU-based isolation together with the privileged and non-privileged execution levels of the Cortex core. The MPU is a core peripheral that allows you to define regions inside the memory map and restrict access to these regions when the core is running non-privileged.

Another way to achieve the same goal is the firewall. The firewall is an ST peripheral that can be found on STM32L0 and STM32L4. It snoops bus transactions towards the target memories, towards Flash and SRAM. If the firewall is closed and the non-secure application tries to access the protected region, the firewall will detect it and generate a reset. Because it snoops the transaction close to the target memories, this approach also works for other bus masters such as the DMA. When a non-secure application tries to call a legal API, that is, when it tries to access some functionality of the secure project, it needs to open the firewall, and it needs to jump to one very specific location inside the protected region. It is this well-defined entry point that makes the mechanism secure: jumping anywhere else inside the protected region would be detected by the firewall and would generate a reset.

Another way of isolation is secure flash, which is implemented only at the level of the flash interface. After the microcontroller resets, it boots into the secure part of memory. It usually executes the secure boot, and once the integrity and authenticity of the user application are checked, it passes execution to the non-secure application and the secure part of memory simply disappears until the next reset. There is no way for the non-secure application to read or execute from that region anymore. The obvious disadvantage of this approach is that it is very difficult to have interactions between the secure and non-secure applications, because every such interaction has to go through a reset and a full reinitialization of both applications.
One step further is TrustZone, which is a new concept from Arm. It is based on filtering bus transactions according to the security state of the core. This allows full flexibility in assigning memory regions or peripherals, even individual GPIOs, either to the secure or to the non-secure application.

Let's now have a look at the Cortex-M33 and TrustZone. The Cortex-M33 is part of the Armv8-M architecture, which adds an extra security state of execution. When the core is running in secure state, it has access to all the resources in the microcontroller. When the core is running in non-secure state, it has limited visibility of resources, and there is great granularity in how these resources can be restricted. It is, of course, the job of the secure application running in secure state to define the split between the secure and non-secure worlds. It is possible to restrict access to multiple regions in Flash and RAM, to individual peripherals, and even to individual GPIO pins. Some of the core registers and some of the core peripherals are banked, which means they exist in two instances: one for the secure state, the other for the non-secure state. So there are two SysTicks, two vector tables, two MPUs and two stacks with two separate stack pointers. The state switch is driven by hardware, which brings the benefit of real-time execution: low interrupt latency, low switching overhead, and a deterministic state switch.

The development flow with TrustZone is also something new. The secure and non-secure projects are built separately. They are often developed by different teams, possibly also by different companies. The secure project can optionally export some legal API to the non-secure project. In that case, the output of the build of the secure project is a secure gateway library and the associated library headers, and the non-secure project is then linked against this library.
So obviously the order of build is the secure project first, the non-secure project second.

This table summarizes the isolation features with respect to the different STM32 families. The secure memory, also called HDP, is present on L5, H7, G0 and G4. The MPU is on every family except F0. The firewall is present on L0 and L4. And the new STM32L5 microcontroller has secure memory, an MPU and also TrustZone, which is by far the best solution for isolating the secure and non-secure applications.

In this quick summary we had a look at various ways of isolation on STM32 families, including the MPU, the firewall, secure memory and TrustZone. You can find much more information in Security part 3: STM32 security features. I also invite you to have a look at the YouTube video on how to enable TrustZone and start a project with STM32L5, which configures a simple secure and non-secure project in STM32CubeIDE. Thank you for your attention.
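The following is an added illustration, not code from the MOOC or from ST: a constructed host-side model of the two TrustZone ideas above, the bus filter that grants or denies a transaction from the core's security state, and a secure gateway service (a legal API) that refuses to operate on a buffer the non-secure caller could not touch itself. The memory map, the function names and the `sg_read_device_id` service are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model (not STM32L5 hardware code) of the TrustZone bus filter:
 * every memory region is attributed secure or non-secure, and each transaction
 * is allowed or denied from the security state of the core that issues it. */
typedef enum { NONSECURE = 0, SECURE = 1 } sec_state_t;
typedef struct { uint32_t start, end; sec_state_t attr; } region_t;

/* Constructed memory map for the example; on the real device the split is
 * configured by the secure application at start-up. */
static const region_t g_map[] = {
    { 0x08000000u, 0x0803FFFFu, SECURE },    /* secure flash: secure boot and keys */
    { 0x08040000u, 0x0807FFFFu, NONSECURE }, /* non-secure flash: user application */
    { 0x20000000u, 0x2000FFFFu, SECURE },    /* secure SRAM */
    { 0x20010000u, 0x2003FFFFu, NONSECURE }, /* non-secure SRAM */
};

/* True if [addr, addr+len) lies entirely inside one region carrying `attr`.
 * A range that straddles two regions, wraps around, or is empty never qualifies. */
static bool range_has_attr(uint32_t addr, uint32_t len, sec_state_t attr) {
    if (len == 0 || addr + len - 1 < addr) return false;
    for (size_t i = 0; i < sizeof g_map / sizeof g_map[0]; i++)
        if (addr >= g_map[i].start && addr + len - 1 <= g_map[i].end)
            return g_map[i].attr == attr;
    return false; /* unmapped address */
}

/* Filter rule: a core in secure state sees everything that is mapped,
 * a core in non-secure state only sees regions attributed non-secure. */
bool access_allowed(sec_state_t core, uint32_t addr, uint32_t len) {
    if (core == SECURE)
        return range_has_attr(addr, len, SECURE) || range_has_attr(addr, len, NONSECURE);
    return range_has_attr(addr, len, NONSECURE);
}

/* Model of a secure service exported to the non-secure world (a legal API).
 * On a real Armv8-M build the function carries
 * __attribute__((cmse_nonsecure_entry)) and validates the caller's buffer with
 * cmse_check_address_range() from <arm_cmse.h>. The rule modelled here is the
 * same: the service must only touch memory the non-secure caller may touch
 * itself, otherwise the caller could use the service to read or overwrite
 * secure memory through the gateway. */
enum { SG_OK = 0, SG_EBADBUF = -1, SG_ESIZE = -2 };
#define DEVICE_ID_LEN 8u

int sg_read_device_id(uint32_t dst, uint32_t len) {
    if (len < DEVICE_ID_LEN) return SG_ESIZE;
    if (!range_has_attr(dst, len, NONSECURE)) return SG_EBADBUF;
    /* The copy of the identifier into the non-secure buffer would happen here. */
    return SG_OK;
}
```

A buffer that starts in non-secure SRAM but runs into the secure region is rejected just like one that lies fully inside secure memory, which is the case a per-byte or start-address-only check would miss.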