How does ARM TrustZone provide security in embedded systems?
Answer
TrustZone provides hardware-enforced isolation between a Secure world and a Non-Secure world. Every bus transaction carries an NS bit that identifies the originating world, and the memory controller enforces access permissions against it. The Secure world runs trusted code (secure boot, cryptography, DRM); the Non-Secure world runs the normal OS and applications. Transitions between the worlds go through the Secure Monitor Call (SMC) instruction. TrustZone-M (Cortex-M) adds a Secure Attribution Unit (SAU) and an Implementation Defined Attribution Unit (IDAU) for configuring memory security attribution, along with peripherals and interrupts that can each be assigned to the Secure or Non-Secure world. Typical uses: a secure boot chain, a hardware root of trust, secure key storage, and a trusted execution environment (TEE).
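As an added illustration (not part of the original answer), the following C model shows how SAU and IDAU attributions combine and how the NS bit on a transaction is then checked against the result. The region tables, probe addresses and the `region_t`/`au_t` types are constructed for this example; the one hardware rule it encodes is that when the two units disagree, the more secure attribution wins, and that addresses no SAU region covers default to Secure.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Memory attribution in Armv8-M terms. Ordered so that a smaller value is
 * "more secure": Secure beats Non-Secure-Callable, which beats Non-Secure. */
typedef enum { ATTR_SECURE = 0, ATTR_NSC = 1, ATTR_NS = 2 } attr_t;

/* One region of an attribution unit (inclusive base..limit). Constructed type. */
typedef struct { uint32_t base; uint32_t limit; attr_t attr; } region_t;

/* A model attribution unit: any address not covered by a region is Secure,
 * which is the SAU's behaviour for unmatched addresses. Constructed type. */
typedef struct { const region_t *regions; size_t count; } au_t;

/* Constructed SAU programming for a hypothetical part. */
static const region_t sau_regions[] = {
    { 0x00100000u, 0x00100FFFu, ATTR_NSC    },  /* secure-gateway veneers */
    { 0x00200000u, 0x003FFFFFu, ATTR_NS     },  /* Non-Secure flash */
    { 0x10000000u, 0x1FFFFFFFu, ATTR_NS     },  /* SAU says NS; IDAU overrides below */
    { 0x20200000u, 0x203FFFFFu, ATTR_NS     },  /* Non-Secure SRAM */
};
const au_t demo_sau = { sau_regions, sizeof sau_regions / sizeof sau_regions[0] };

/* Constructed IDAU: the vendor hard-wires 0x1000_0000-0x1FFF_FFFF as Secure and
 * leaves everything else to the SAU (modelled as NS so the SAU decides). */
static const region_t idau_regions[] = {
    { 0x00000000u, 0x0FFFFFFFu, ATTR_NS     },
    { 0x10000000u, 0x1FFFFFFFu, ATTR_SECURE },
    { 0x20000000u, 0xFFFFFFFFu, ATTR_NS     },
};
const au_t demo_idau = { idau_regions, sizeof idau_regions / sizeof idau_regions[0] };

/* Look an address up in one attribution unit; unmatched addresses are Secure. */
attr_t au_lookup(const au_t *au, uint32_t addr) {
    for (size_t i = 0; i < au->count; i++) {
        const region_t *r = &au->regions[i];
        if (addr >= r->base && addr <= r->limit) return r->attr;
    }
    return ATTR_SECURE;
}

/* Combined attribution: when SAU and IDAU disagree, the more secure one wins. */
attr_t attribution(const au_t *sau, const au_t *idau, uint32_t addr) {
    attr_t s = au_lookup(sau, addr);
    attr_t i = au_lookup(idau, addr);
    return s < i ? s : i;
}

/* A bus transaction carries the NS bit. Secure-world accesses may reach any
 * memory; a Non-Secure data access is allowed only to NS memory. (NSC memory
 * is reachable from NS only as a branch target through an SG instruction,
 * which this data-access model does not cover.) */
bool access_allowed(const au_t *sau, const au_t *idau, uint32_t addr, bool ns_bit) {
    if (!ns_bit) return true;
    return attribution(sau, idau, addr) == ATTR_NS;
}

int main(void) {
    static const uint32_t probes[] = {
        0x00000100u, 0x00100010u, 0x00200100u, 0x10000100u, 0x20200100u
    };
    static const char *names[] = { "Secure", "NSC", "NS" };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++) {
        uint32_t a = probes[k];
        printf("0x%08" PRIX32 "  attr=%-6s  NS data access %s\n", a,
               names[attribution(&demo_sau, &demo_idau, a)],
               access_allowed(&demo_sau, &demo_idau, a, true) ? "allowed" : "faults");
    }
    return 0;
}
```

The third SAU region is the instructive case: the SAU marks it Non-Secure, but because the IDAU hard-wires it Secure, the combined attribution is Secure and a Non-Secure access to it faults. On real silicon the same decision is made by the bus fabric from the NS bit rather than by a lookup in software, but the precedence rule is the one shown.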