
What is TrustZone on Cortex-M33, and when would you use it?


TrustZone for Cortex-M (ARMv8-M architecture) provides hardware-enforced isolation between a Secure world and a Non-Secure world within a single processor. Unlike software-only isolation (MPU regions, privilege levels), TrustZone partitions the entire memory map, peripherals, and interrupt system into Secure and Non-Secure domains at the bus level. The Secure Attribution Unit (SAU) and the Implementation-Defined Attribution Unit (IDAU) define which address ranges are Secure, Non-Secure, or Non-Secure Callable (NSC, the entry points for Secure API calls); where the two disagree, the more secure attribution wins. When Non-Secure code attempts to access a Secure memory region, the hardware raises a SecureFault exception: no software check sits on the access path, and no bug in the Non-Secure code can bypass it.

The security model works like this: Secure firmware runs first after reset, configures the security boundaries, exposes a set of secure gateway functions (entered through the SG instruction placed in NSC regions), then boots the Non-Secure application. The Non-Secure application can call Secure services only through these gateways; it cannot read Secure memory, access Secure peripherals, or modify the security configuration. Secure and Non-Secure code each have their own stack pointers, and Secure register state is saved and cleared on world transitions (by the hardware on exception entry, by the gateway epilogue on function return) to prevent information leakage. Secure interrupts can preempt Non-Secure code, but Non-Secure interrupts cannot access Secure state.
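The attribution rules and the gateway-side pointer check described above, as an added host-runnable model written for this page (not code from the Q&A or from any vendor SDK): the SAU table, the bit-28 IDAU convention and all addresses are constructed, and `attribution`, `ns_access_faults` and `gateway_check_ns_buffer` are the model's own names, standing in for what the TT instructions and `cmse_check_address_range` do on real silicon.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Lower value = more secure, so combining SAU and IDAU verdicts is a
 * minimum: Secure beats NSC, NSC beats Non-Secure. */
typedef enum { ATTR_S = 0, ATTR_NSC = 1, ATTR_NS = 2 } sec_attr_t;

typedef struct { uint32_t base, limit; bool nsc; } sau_region_t;

/* Constructed SAU programming (RBAR/RLAR pairs), not a real part's map.
 * Anything the SAU does not list is Secure by default. */
static const sau_region_t sau[] = {
    { 0x0000F000u, 0x0000FFFFu, true  },  /* NSC veneers: last page of S flash */
    { 0x00010000u, 0x000FFFFFu, false },  /* NS flash */
    { 0x20010000u, 0x2003FFFFu, false },  /* NS SRAM */
};

/* Constructed IDAU model: address bit 28 set selects a Secure alias. */
static sec_attr_t idau_attr(uint32_t addr) {
    return (addr & (1u << 28)) ? ATTR_S : ATTR_NS;
}

/* SAU lookup. Overlapping regions are UNPREDICTABLE on hardware; the
 * constructed table above has none. */
static sec_attr_t sau_attr(uint32_t addr) {
    for (size_t i = 0; i < sizeof sau / sizeof sau[0]; i++)
        if (addr >= sau[i].base && addr <= sau[i].limit)
            return sau[i].nsc ? ATTR_NSC : ATTR_NS;
    return ATTR_S;
}

/* Final attribution as the bus sees it: the more secure verdict wins. */
sec_attr_t attribution(uint32_t addr) {
    sec_attr_t s = sau_attr(addr), i = idau_attr(addr);
    return s < i ? s : i;
}

/* A Non-Secure data access to anything but NS memory raises SecureFault.
 * NSC memory is Secure memory; its only NS-visible use is SG entry. */
bool ns_access_faults(uint32_t addr) { return attribution(addr) != ATTR_NS; }

/* The check a secure gateway must run on a buffer pointer handed in by the
 * NS caller before touching it: every byte must be NS (otherwise the NS
 * caller could make the gateway read or write Secure memory on its behalf)
 * and the range must not wrap around the 32-bit address space. */
bool gateway_check_ns_buffer(uint32_t base, size_t len) {
    if (len == 0 || (uint64_t)base + len > 0x100000000ull) return false;
    for (uint64_t a = base; a < (uint64_t)base + len; a++)
        if (attribution((uint32_t)a) != ATTR_NS) return false;
    return true;
}
```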

Use TrustZone when your product needs to protect cryptographic keys, firmware update verification, secure boot chains, or sensitive data processing from potentially untrusted application code. Concrete examples: payment terminals (PCI-DSS compliance requires key isolation), medical devices (FDA cybersecurity guidance recommends hardware-enforced partitioning), IoT devices with OTA updates (secure bootloader verifies firmware signatures in the secure world, preventing a compromised application from modifying the update process), and multi-tenant industrial controllers (different vendors' application code runs in the non-secure world while the platform owner controls the secure services). The M33 also includes an optional MPU in each world, so you can combine TrustZone (secure vs non-secure) with MPU (privilege levels within each world) for defense-in-depth.

Source: MCU Cores & Clocking Q&A