ARM TrustZone-enabled processors allow secure and non-secure code to run on the same physical core by partitioning the hardware into two worlds, Secure and Non-secure (sometimes loosely described as a form of virtualisation): the core tracks its current security state and tags bus transactions, memory regions and interrupts with it. Because the partition is enforced by the hardware, a compromised normal-world OS cannot read secure-world memory or drive secure peripherals, so the isolation does not depend on the OS being correct. In Armv8-M systems the secure world runs first at boot: it initialises secure memory, programs the Security Attribution Unit (SAU), together with any vendor-supplied IDAU, to define which address ranges are Secure, Non-secure or Non-secure callable, assigns each interrupt to the Secure or Non-secure state in the NVIC, and only then transfers control to the normal-world bootloader. Conceptually there are two ways of structuring the resulting trusted execution environment (TEE):
- the TEE kernel, which manages memory and communication, and
- TEE services, which handle specific functions without low-level OS logic.
The TEE kernel approach is the one described above: a small kernel in the secure world partitions memory and interrupts at boot and mediates every secure/non-secure exchange. The TEE service approach instead separates out individual functions (key storage or a cryptographic routine, for example) so that only those run in the secure world, which keeps the trusted code base small when the normal world runs a large OS such as Linux.
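As an added example (not code from the page or from any vendor's firmware), the following host-runnable C models the memory-partitioning step of the boot sequence above: an SAU region table, the Armv8-M rules for turning it into a per-address attribution, the combination with the vendor IDAU, and the check a secure bootloader should run before it jumps into the normal-world image. The SAU lookup rules follow the Armv8-M architecture; the IDAU (a bit-28 alias scheme), the region table and the addresses are constructed for illustration and are not taken from any real device.

```c
/* Host-runnable model of Armv8-M secure-boot address partitioning.
 * Added example, not the page's code. SAU rules follow the Armv8-M
 * architecture reference; the IDAU, region table and addresses below
 * are constructed for illustration only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Attribution results, ordered so a larger value is more secure. */
typedef enum { ATTR_NS = 0, ATTR_S_NSC = 1, ATTR_S = 2 } attr_t;

/* One SAU region as programmed through SAU_RNR, SAU_RBAR and SAU_RLAR.
 * Hardware ignores address bits [4:0]: regions are 32-byte granules. */
typedef struct {
    uint32_t base;   /* SAU_RBAR.BADDR: first byte of the region          */
    uint32_t limit;  /* SAU_RLAR.LADDR: start of the region's last granule */
    bool nsc;        /* SAU_RLAR.NSC: Secure, callable through SG veneers  */
    bool enable;     /* SAU_RLAR.ENABLE                                    */
} sau_region_t;

#define SAU_GRANULE 32u
#define SAU_ADDR_MASK (~(SAU_GRANULE - 1u))

/* SAU_CTRL.ENABLE / SAU_CTRL.ALLNS plus the programmed region table. */
typedef struct {
    bool enable;
    bool allns;
    const sau_region_t *regions;
    size_t nregions;
} sau_t;

/* SAU lookup: unit disabled => everything Secure unless ALLNS is set;
 * inside exactly one enabled region => that region's attribute;
 * inside two or more enabled regions, or outside all of them => Secure. */
attr_t sau_attribute(const sau_t *sau, uint32_t addr) {
    if (!sau->enable)
        return sau->allns ? ATTR_NS : ATTR_S;
    int matches = 0;
    attr_t hit = ATTR_S;
    for (size_t i = 0; i < sau->nregions; i++) {
        const sau_region_t *r = &sau->regions[i];
        uint32_t lo = r->base & SAU_ADDR_MASK;
        uint32_t hi = (r->limit & SAU_ADDR_MASK) | (SAU_GRANULE - 1u);
        if (r->enable && addr >= lo && addr <= hi) {
            matches++;
            hit = r->nsc ? ATTR_S_NSC : ATTR_NS;
        }
    }
    return matches == 1 ? hit : ATTR_S;
}

/* The vendor IDAU is consulted in parallel; the more secure answer wins,
 * so the SAU can tighten but never loosen what the IDAU decides. */
typedef attr_t (*idau_fn)(uint32_t addr);

attr_t effective_attribute(const sau_t *sau, idau_fn idau, uint32_t addr) {
    attr_t s = sau_attribute(sau, addr);
    attr_t i = idau(addr);
    return s > i ? s : i;
}

/* Constructed IDAU: bit 28 set selects the Secure alias of a memory,
 * bit 28 clear is the Non-secure alias. Illustrative, not a real part. */
attr_t idau_bit28(uint32_t addr) {
    return (addr & (1u << 28)) ? ATTR_S : ATTR_NS;
}

/* Constructed boot-time table: NS flash for the normal-world bootloader,
 * an NSC veneer page at the end of the secure image (placed in the NS
 * alias so the IDAU does not force it Secure), and NS SRAM. */
static const sau_region_t BOOT_REGIONS[] = {
    { 0x00100000u, 0x001FFFE0u, false, true },
    { 0x000FF000u, 0x000FFFE0u, true,  true },
    { 0x20100000u, 0x2017FFE0u, false, true },
};
const sau_t BOOT_SAU = { true, false, BOOT_REGIONS, 3 };

/* Head of a Cortex-M vector table: initial MSP and reset vector (Thumb bit set). */
typedef struct { uint32_t msp; uint32_t reset; } ns_vectors_t;

/* Check run before loading VTOR_NS/MSP_NS and doing BXNS to the NS reset
 * handler: table, entry point and top-of-stack must all attribute
 * Non-secure, otherwise the jump SecureFaults or runs NS code from Secure
 * memory. Rejects a non-Thumb reset vector as well. */
bool ns_boot_image_ok(const sau_t *sau, idau_fn idau, uint32_t vtor_ns,
                      const ns_vectors_t *vt) {
    uint32_t entry = vt->reset & ~1u;   /* strip the Thumb bit        */
    uint32_t stack_top = vt->msp - 4u;  /* first word pushed on stack */
    return (vt->reset & 1u) != 0 &&
           effective_attribute(sau, idau, vtor_ns) == ATTR_NS &&
           effective_attribute(sau, idau, entry) == ATTR_NS &&
           effective_attribute(sau, idau, stack_top) == ATTR_NS;
}

int main(void) {
    const ns_vectors_t good = { 0x20180000u, 0x00100101u };
    const ns_vectors_t bad  = { 0x20180000u, 0x10000101u }; /* Secure alias */
    printf("NS image accepted: %d\n", ns_boot_image_ok(&BOOT_SAU, idau_bit28, 0x00100000u, &good));
    printf("Secure-alias image rejected: %d\n", !ns_boot_image_ok(&BOOT_SAU, idau_bit28, 0x00100000u, &bad));
    return 0;
}
```

On hardware the same region values are written to SAU_RNR/SAU_RBAR/SAU_RLAR before SAU_CTRL.ENABLE is set, and the NVIC_ITNS registers are programmed alongside; the model above exists so the attribution logic and the pre-jump check can be unit-tested on the host before the firmware is flashed.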
One additional advantage of TrustZone-enabled processors is a cache architecture that tags each cache line with the security state of the transaction that filled it. A world switch therefore needs no cache flush, which keeps switches cheap, but both worlds compete for the same cache capacity, so contention is possible. The security caveat is that the tag protects the data, not the access pattern: the normal world can still measure which cache sets secure-world execution evicted, which is the basis of cross-world cache timing side channels. Secure-world code that handles keys should be written to be constant-time, or should flush or partition the cache itself, rather than relying on the tagging alone.