Application isolation
Ledger OS isolates each application from the rest of the device’s memory and from other applications. This isolation is the hardware-enforced guarantee that an application — even a malicious one — cannot read your seed, access another application’s data, or interfere with the operating system.
User mode and Supervisor mode
Ledger OS uses two capabilities built into the Secure Element’s ARM core to enforce isolation:
- Memory Protection Unit (MPU): maps each application to its own memory region and blocks access to all other regions at the hardware level. (ARM MPU reference)
- Operating modes: applications run in User mode, while the operating system runs in Supervisor mode. (ARM operating modes reference) User-mode code cannot directly execute privileged instructions.
Because only one application runs at a time and each is confined to its own memory region, no application can observe or modify another application’s state, even while both are installed on the same device.
Syscalls
When an application needs the operating system to perform a privileged action — accessing hardware peripherals, running hardware-accelerated cryptographic operations, or deriving keys from the master seed — it issues a syscall.
A syscall causes the Secure Element to switch momentarily to Supervisor mode: the OS performs the requested operation, then switches back to User mode and returns control to the application. The SDK exposes wrapper functions for every syscall so applications never call them directly. Common syscall categories include:
- Hardware-accelerated cryptographic primitives (functions defined in include/cx.h)
- Low-level I/O with the MCU (USB, BLE)
- Key derivation from the BIP-32 master seed
Controlled access to cryptographic secrets
Applications cannot access the master seed or derived keys directly. Instead, they call a syscall that asks the OS to derive a node from the seed along a specific BIP-32 path. The OS grants or denies the derivation based on the path allowlist declared in the application’s metadata at load time. (See security requirements for the mandatory derivation-path declaration.)
This means:
- Multiple applications can be installed simultaneously, each restricted to a different subtree of the HD tree.
- An application that is not authorised for a given path cannot derive keys on that path, even if it issues the syscall.
- Deleting and reinstalling an application does not change which paths it is permitted to use: the allowlist lives in the metadata declared at load time, not in the application’s flash storage, so application code cannot widen it at runtime.
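The allowlist check described above, as an added example in C that is not Ledger OS code: it parses BIP-32 path strings into their 32-bit components (hardened indices carry the 0x80000000 bit) and matches a requested path against the declared prefixes component by component, so that 44'/60' and 44/60 are distinct and a request shorter than any prefix is denied. The function names, the 10-level depth limit and the two-entry allowlist are assumptions constructed for this example.

```c
/* Added example, not Ledger OS or SDK code: a model of the derivation-path
 * allowlist check. Path strings use BIP-32 notation, e.g. "m/44'/60'/0'/0/0". */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HARDENED  0x80000000u
#define MAX_DEPTH 10   /* assumed depth limit for this example */

/* Parse "44'/60'/0'/0/0" (optional leading "m/") into uint32 components.
 * Returns the depth, or -1 on malformed input or too many levels. */
int parse_bip32_path(const char *s, uint32_t *out, size_t max) {
    size_t n = 0;
    if (s[0] == 'm') {
        s++;
        if (*s == '/') s++;
        else if (*s != '\0') return -1;
    }
    while (*s) {
        char *end;
        if (*s < '0' || *s > '9') return -1;          /* reject "", "/", "-1", " 44" */
        unsigned long v = strtoul(s, &end, 10);
        if (end == s || v >= HARDENED) return -1;     /* index must fit in 31 bits */
        if (*end == '\'' || *end == 'h') { v |= HARDENED; end++; }
        if (n >= max) return -1;
        out[n++] = (uint32_t)v;
        if (*end == '/') { end++; if (*end == '\0') return -1; }  /* trailing '/' */
        else if (*end != '\0') return -1;
        s = end;
    }
    return (int)n;
}

typedef struct { uint32_t comp[MAX_DEPTH]; int depth; } Path;

/* Build the allowlist once, from the prefixes declared in the app metadata.
 * An empty prefix would allow every path, so it is rejected. */
int build_allowlist(const char *const *decl, size_t n, Path *out) {
    for (size_t i = 0; i < n; i++) {
        out[i].depth = parse_bip32_path(decl[i], out[i].comp, MAX_DEPTH);
        if (out[i].depth <= 0) return -1;
    }
    return 0;
}

/* The check run on each derivation request: the requested path must start
 * with one of the declared prefixes, hardened flag included. */
bool derivation_allowed(const Path *allow, size_t n, const uint32_t *req, int depth) {
    for (size_t i = 0; i < n; i++) {
        if (allow[i].depth > depth) continue;          /* request shorter than prefix */
        if (memcmp(allow[i].comp, req, (size_t)allow[i].depth * sizeof(uint32_t)) == 0)
            return true;
    }
    return false;
}

/* Constructed allowlist for the demo, in the shape an Ethereum-style app
 * would declare (mainnet and testnet coin types). */
static const char *const kDemoAllowlist[] = { "44'/60'", "44'/1'" };

/* Parse and check one request against the demo allowlist; malformed input is denied. */
bool demo_allowed(const char *request) {
    Path allow[2];
    uint32_t req[MAX_DEPTH];
    if (build_allowlist(kDemoAllowlist, 2, allow) != 0) return false;
    int depth = parse_bip32_path(request, req, MAX_DEPTH);
    if (depth < 0) return false;
    return derivation_allowed(allow, 2, req, depth);
}

int main(void) {
    const char *tests[] = { "44'/60'/0'/0/0", "m/44'/1'/0'/0/3", "44'/0'/0'/0/0",
                            "44/60/0", "44'", "44'/60'/x" };
    for (size_t i = 0; i < sizeof tests / sizeof *tests; i++)
        printf("%-18s %s\n", tests[i], demo_allowed(tests[i]) ? "allowed" : "denied");
    return 0;
}
```

The comparison is done on parsed components rather than on the strings, so spelling variants ("44h" versus "44'", a leading "m/") cannot bypass the prefix match, and a request whose depth exceeds the limit is treated as malformed and denied rather than truncated.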
Summary
| Mechanism | What it does |
|---|---|
| Memory Protection Unit | Confines each app to its own memory region at the hardware level |
| User / Supervisor mode | Prevents apps from executing privileged instructions directly |
| Syscall interface | Gives apps controlled access to hardware and OS services |
| Derivation-path allowlist | Limits which BIP-32 paths an app can use to derive keys |
Further reading
- Ledger OS introduction — overview of the operating system and its components.
- Security requirements — the derivation-path declaration and other mandatory security metadata.
- Master seed — how the device generates and serializes the BIP-39 seed.
- HD key generation — how an infinite number of keys is derived from a single seed.