Unfortunately, in a TEE, even with enhanced isolation provided by the Zynq UltraScale+ MPSoC, the system relies on the proper operation of TF-A execution levels. For example, if an exploit is exercised to elevate an untrusted applications execution level, even with the enhanced isolation of Zynq UltraScale+ MPSoC (XMPU), a nefarious application would not be prevented from accessing trusted memory or peripherals. Using the previous figure, if an untrusted application exploits TF-A software and raises its execution level, it can still bypass the XMPU because this transaction is still originating from the APU at EL3. Because the master ID is the same as the APU, the XMPU or XPPU will fail to block the transaction. The secure execution environment (SEE), proposed by iDirect Government’s architecture, provides a physically isolated secure cryptographic sub-system for hosting the systems cryptographic functions. As shown in the following figure, the secure cryptographic sub-system (colored in red) is physically isolated (via XMPU/XPPU) from the rest of the system. Regardless of the state of the TF-A, any transaction originating from the APU is denied access to secure peripherals or memory. This hardware-backed solution leverages Zynq UltraScale+ MPSoC multiprocessor architecture to provide a physically and logically isolated environment for non-secure and secure domains. The physical isolation of the APU and RPU (as well as their associated memories and peripherals) allows the iDirect Government architecture to maintain a strict, logical separation between non-secure application code and secure, FIPS 140-3 certified cryptographic module software.
