[Repost] TEE

Overview

/* Source: http://blog.csdn.net/almight_/article/details/38920383 */

 

/***

A summary of several TEE implementation projects

 [2014/5/31]http://blog.csdn.net/trustkernel/article/details/27856173

 

Outside China:

 

    Global Platform: www.globalplatform.org. Already serves as a standard for TrustZone TEEs.

    Trustonic: www.trustonic.com. A very well-known TEE vendor that currently holds most of the TrustZone market.

    OpenVirtualization: www.openvirtualization.org. An open-source TEE implementation; on testing we found the code extremely poorly written, and the core TrustZone protection code is not open source but is sold as a commercial version.

    Linaro TEE: under development.

    Google TEE: under development; reportedly it will be open-sourced later.

    safeG: www.toppers.jp, open source; strictly speaking it does not count as a TEE or a TrustZone secure kernel.

 

There are a few other niche trusted OSes with little public information; they are not listed here.

 

Within China:

 

    UnionPay TEE: proceeding in secret, details unknown.

    T6: www.liwenhaosuper.com/projects/t6/. Open source, developed by a graduate student in the SE group at Shanghai Jiao Tong University, based on xv6, released just this May.

    Huawei RTOS: basically complete; some time is still needed before it is deployed on Huawei phones.

***/

 

Li Wenhao’s comments

I pick out the main key points from the following article.

 

TEE may want to achieve:

1.     isolated execution

2.     secure storage

3.     remote attestation

4.     secure provisioning

5.     trusted path

 

There are two main and well-known ways to implement a TEE: hypervisor-based (virtualization) TEEs and ARM TrustZone.

 

Unlike TPMs, which were designed as fixed-function devices with a predefined feature set, TrustZone uses the CPU itself as a freely programmable trusted platform module. To do that, ARM introduced a special CPU mode called "secure mode" in addition to the regular normal mode, thereby establishing the notions of a "secure world" and a "normal world". Furthermore, it is not limited to the CPU but is propagated over the system bus to peripheral devices and memory controllers. When secure mode is active, the software running on the CPU has a different view of the whole system than software running in non-secure mode. This way, system functions, in particular security functions and cryptographic credentials, can be hidden from the normal world.

 

There is a higher-privilege mode called TrustZone monitor mode that is usually used for switching between the two worlds, entered either by executing the Secure Monitor Call (SMC) instruction or by external interrupts, and is responsible for banking the CPU state.

 

/***http://www.liwenhaosuper.com/blog/2014/05/26/tee-and-arm-trustzone/

 

TEE and ARM TrustZone

In this article, I will give an introduction to TEE (trusted execution environment) and ARM TrustZone based on my one and a half years of experimentation on several ARM platforms while implementing T6.

 

What is TEE ?

To begin with, let's first identify the slight difference between the words Trusted and Trustworthy. Trusted means someone or something you rely upon not to compromise your security, while Trustworthy means someone or something that will not compromise your security. In other words, you could treat Trusted as how you use something, while Trustworthy is about whether it is safe to use something. So Trusted Execution Environments are what you may choose to rely upon to execute sensitive tasks, and of course hopefully they are trustworthy too! Generally speaking, there are five security properties that a TEE may want to achieve:

  • Isolated Execution
  • Secure Storage
  • Remote Attestation
  • Secure Provisioning
  • Trusted Path

What kinds of TEEs are now available ?

Nowadays, there are several TEE platforms available for both the research community and industry, including:

  • TPM (Trusted Platform Module). TPM is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices and is available in many modern computers. To utilize the secure primitives of the TPM, applications usually combine the TPM (hardware) and TXT (software) to provide strong isolation. One thing that needs to be pointed out is that the TPM is really SLOW; vendors do not have any motivation to make it faster, they just make sure it works at low cost!
  • Intel's TXT (Trusted Execution Technology) or AMD's SVM (Secure Virtual Machine). To use TXT, there are several steps: 1. Suspend the OS 2. Execute a small amount of code (trusted code) on the main CPU 3. Restore the OS. While these three steps seem simple, actually there are no commercial applications using this technology, for several reasons: firstly, when TXT is on, only one CPU is allowed to execute even on a multicore machine, while the other cores are suspended; secondly, there are no interrupts and no I/O operations in TXT, and to keep the TCB as small as possible no OS libs are available, which means you need to take huge efforts in order to run rich-functionality applications.
  • Hypervisor-based TEE. Virtualization is a straightforward method to implement a TEE, and there are a large number of systems using hypervisor-based solutions to provide TEE-like functionality.
  • ARM TrustZone. ARM TrustZone is thought to be the most promising technology for implementing TEEs in mobile devices (or ARM devices).

What is ARM TrustZone ?

ARM TrustZone technology is aimed at establishing trust in ARM-based platforms. In contrast to TPMs, which were designed as fixed-function devices with a predefined feature set, TrustZone represents a much more flexible approach by leveraging the CPU as a freely programmable trusted platform module. To do that, ARM introduced a special CPU mode called "secure mode" in addition to the regular normal mode, thereby establishing the notions of a "secure world" and a "normal world". The distinction between both worlds is completely orthogonal to the normal ring protection between user-level and kernel-level code and hidden from the operating system running in the normal world. Furthermore, it is not limited to the CPU but is propagated over the system bus to peripheral devices and memory controllers. This way, such an ARM-based platform effectively becomes a kind of split personality. When secure mode is active, the software running on the CPU has a different view of the whole system than software running in non-secure mode. This way, system functions, in particular security functions and cryptographic credentials, can be hidden from the normal world. It goes without saying that this concept is vastly more flexible than TPM chips because the functionality of the secure world is defined by system software instead of being hard-wired.

 

--------------------------------------------------------------------------------------------------------------------

Missing graph (can be checked on the ARM website)

--------------------------------------------------------------------------------------------------------------------

 

TrustZone Mode

With TrustZone, the TEE would somehow look like this:

--------------------------------------------------------------------------------------------------------------------

Missing graph (can be checked on the ARM website)

--------------------------------------------------------------------------------------------------------------------

 

TrustZone TEE

Details of ARM TrustZone

The following figure shows the TrustZone hardware architecture, including the SoC and the peripherals connected to it. The SoC includes a core processor, Direct Memory Access (DMA), secure RAM, secure boot ROM, Generic Interrupt Controller (GIC), TrustZone Address Space Controller (TZASC), TrustZone Protection Controller (TZPC), Dynamic Memory Controller (DMC) and DRAM; they communicate with each other through the AXI bus. The SoC communicates with peripherals using the AXI-to-APB bridge.

 

missing graph

TrustZone Hardware

Split-World-based Isolated Execution. A physical core processor with TrustZone support works safely and efficiently in two worlds: the normal world (or non-secure world) and the secure world. CPU state is banked between the two worlds, and by default the secure world can access all state of the normal world but not vice versa. Below the two worlds, there is a higher-privilege mode called TrustZone monitor mode that is usually used for switching between the two worlds, entered either by executing the Secure Monitor Call (SMC) instruction or by external interrupts, and is responsible for banking the CPU state.

Memory and Peripheral Protection. TrustZone supports memory partitioning between the two worlds by using the TZASC and TZPC. The TZASC can partition DRAM into several memory regions, each of which can be configured for use in the normal world or the secure world, or with more dynamic and complicated access permission control. By default, secure-world applications can access normal-world memory but not vice versa. However, by enabling security inversion in the TZASC, a memory region can also be configured for normal-world accesses only. The TZPC is mainly used to configure peripherals as secure or non-secure, and the world-sensitive AXI-to-APB bridge will deny illegal accesses to the protected peripherals. Besides the above, on-SoC static memory like ROM or SRAM also needs to be protected. This is done by a SoC peripheral called the TrustZone Memory Adapter (TZMA), though no direct software configuration registers are provided by the TZMA. Usually the internal ROM is set as secure by hardware design, and the partition of secure and non-secure regions in SRAM is configured by setting the R0SIZE register in the TZPC. Both the TZASC and TZPC can be accessed and configured only in the secure world. A security access violation may cause an external abort and trap to either monitor mode or the current CPU mode's exception vector, depending on the configuration of the interrupt behaviour in monitor mode. Besides the physical memory partition, a TrustZone-aware MMU provides both worlds with distinct translation tables and tags TLB entries with the world, to avoid flushing the TLB when switching worlds. For Direct Memory Access (DMA), there is a multi-channel system controller called the Direct Memory Access Controller (DMAC) that moves data around the physical memory system. The DMAC is world-sensitive and supports concurrent secure and non-secure channels. A normal-world DMA transfer to or from secure memory will be denied, thus avoiding a security hole.

Interrupt Isolation. There are two kinds of interrupts: IRQ (normal interrupt request) and FIQ (fast interrupt request). A GIC with TrustZone support can configure an interrupt as secure or non-secure. Usually IRQ is configured as the normal-world source and FIQ as the secure-world source, because IRQ is the most common interrupt source in use in modern operating systems. When executing in the secure world, a secure interrupt will be handled by the secure-world interrupt handler; when a non-secure interrupt occurs during secure-world execution, the interrupt will be transferred to the monitor-mode interrupt handler, and the software handler can decide whether to drop the interrupt or switch to the normal world. The security-related configuration of the GIC can only be done in the secure world, thus preventing illegal modification from the normal world. The Secure Configuration Register (SCR), which is in the control coprocessor CP15 and is accessible in secure privileged mode only, can be programmed to trap external aborts (i.e. memory access permission violations), IRQ or FIQ into monitor mode, or to handle the interrupt locally in the current world.

Could ARM TrustZone be used to implement or replace virtualization ?

As many researchers have proposed, ARM TrustZone can be viewed from two angles: as a virtualization solution, and as a mechanism to implement functionality similar to Trusted Platform Modules (TPMs). When regarded as a virtualization solution, TrustZone is severely lacking: 1. The number of virtual machines is limited to two, one running in the secure world and one running in the non-secure world. 2. A trap-and-execute model for emulating devices is not possible because the security-violation abort is always asynchronous. So to support device emulation, certain device drivers of the non-secure OS must be modified, and thus running OSes like Windows (for which only binaries are available) is not possible. I dare to say that perceiving TrustZone as a virtualization mechanism is not a good choice! When looking at TrustZone as an alternative to TPMs, the motivation behind this technology becomes much clearer. In contrast to fixed-function TPMs, TrustZone is a vastly more versatile mechanism with unlimited resources and fast chips.

Could ARM TrustZone be used as a TPM directly? Does ARM TrustZone provide secure key storage?

I am afraid not. The problem is the lack of secure storage, as the TrustZone specification doesn't provide any mechanism to implement secure storage. However, the TrustZone feature of assigning a specific peripheral to secure-world access only is the key point, but it is up to the SoC vendors or the TEE developers to decide which peripheral is used as the secure storage medium.

 

***/
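The access-control rules described in the quoted article (TZASC memory regions including security inversion, TZPC peripheral gating behind the AXI-to-APB bridge, world-aware DMA channels, and SCR/GIC interrupt routing) are easier to reason about when written down as explicit decision functions. The following plain-C model is an added example for this page; it is not ARM's, T6's, or any TEE vendor's code. The region addresses, peripheral and interrupt IDs, and all function names are assumptions chosen for illustration; only the SCR bit positions (NS=0, IRQ=1, FIQ=2, EA=3) are the architectural ARMv7 values.

```c
/* Added example: a software model of the TrustZone access-control decisions
 * discussed above. Not ARM/T6/vendor code; addresses, IDs and names are
 * assumptions for illustration. Compile: cc -std=c99 tz_model.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { WORLD_NORMAL = 0, WORLD_SECURE = 1 } world_t;

/* TZASC-style region permissions: which world may read/write the region. */
enum { PERM_S = 1u << 0, PERM_NS = 1u << 1 };

typedef struct { uint64_t base, size; unsigned perm; } tz_region_t;

/* Constructed region table (hypothetical addresses). The last entry models
 * "security inversion": a region the secure world is NOT allowed to touch. */
static const tz_region_t tzasc_regions[] = {
    { 0x40000000ull, 0x10000000ull, PERM_S | PERM_NS }, /* ordinary DRAM, shared */
    { 0x50000000ull, 0x01000000ull, PERM_S           }, /* secure-only: TEE heap */
    { 0x51000000ull, 0x01000000ull, PERM_NS          }, /* normal-world-only     */
};

/* First matching region decides; an address outside every region is denied. */
bool tzasc_allows(world_t w, uint64_t addr)
{
    for (size_t i = 0; i < sizeof tzasc_regions / sizeof tzasc_regions[0]; i++) {
        const tz_region_t *r = &tzasc_regions[i];
        if (addr >= r->base && addr - r->base < r->size)
            return (r->perm & (w == WORLD_SECURE ? PERM_S : PERM_NS)) != 0;
    }
    return false;
}

/* TZPC-style peripheral table: one bit per peripheral, set = secure-only. */
static uint32_t tzpc_secure_mask = 0;
enum { PERIPH_UART0 = 0, PERIPH_CRYPTO = 1, PERIPH_FUSES = 2 };

/* Only the secure world may reprogram the TZPC; a normal-world write fails. */
bool tzpc_set_secure(world_t caller, unsigned periph, bool secure)
{
    if (caller != WORLD_SECURE) return false;
    if (secure) tzpc_secure_mask |=  (1u << periph);
    else        tzpc_secure_mask &= ~(1u << periph);
    return true;
}

/* The AXI-to-APB bridge compares the access's NS attribute with the TZPC setting. */
bool apb_bridge_allows(world_t w, unsigned periph)
{
    return w == WORLD_SECURE || !(tzpc_secure_mask & (1u << periph));
}

/* DMAC: a channel carries the world of the software that programmed it, and
 * every address it touches goes through the same TZASC check as a CPU access. */
bool dma_allowed(world_t channel_world, uint64_t src, uint64_t dst)
{
    return tzasc_allows(channel_world, src) && tzasc_allows(channel_world, dst);
}

/* ARMv7 SCR bits (architectural positions). */
enum { SCR_NS = 1u << 0, SCR_IRQ = 1u << 1, SCR_FIQ = 1u << 2, SCR_EA = 1u << 3 };

/* A common monitor policy (assumption, not mandated by the architecture):
 * while the normal world runs, IRQ stays local to its OS and FIQ traps to
 * monitor; while the secure world runs, a non-secure IRQ traps to monitor so
 * control can be handed back. External aborts always go to monitor here. */
uint32_t scr_for_world(world_t w)
{
    return w == WORLD_NORMAL ? (SCR_NS | SCR_FIQ | SCR_EA) : (SCR_IRQ | SCR_EA);
}

typedef enum { HANDLE_LOCAL, HANDLE_MONITOR } route_t;

/* GIC: interrupts claimed by the secure world are signalled as FIQ, the rest as IRQ.
 * Interrupt ID 40 is a constructed "secure timer"; everything else is non-secure. */
bool gic_is_secure(unsigned intid) { return intid == 40; }

/* Where the core delivers an interrupt: the current world's own vector, or
 * monitor mode if the SCR bit matching the interrupt type is set. */
route_t route_interrupt(uint32_t scr, unsigned intid)
{
    bool fiq = gic_is_secure(intid);
    bool to_monitor = fiq ? (scr & SCR_FIQ) != 0 : (scr & SCR_IRQ) != 0;
    return to_monitor ? HANDLE_MONITOR : HANDLE_LOCAL;
}

int main(void)
{
    tzpc_set_secure(WORLD_SECURE, PERIPH_CRYPTO, true);
    printf("NS CPU read of TEE heap:   %s\n", tzasc_allows(WORLD_NORMAL, 0x50001000ull) ? "allowed" : "denied");
    printf("NS DMA into TEE heap:      %s\n", dma_allowed(WORLD_NORMAL, 0x40000000ull, 0x50000000ull) ? "allowed" : "denied");
    printf("NS access to crypto block: %s\n", apb_bridge_allows(WORLD_NORMAL, PERIPH_CRYPTO) ? "allowed" : "denied");
    printf("secure timer while NS runs -> %s\n", route_interrupt(scr_for_world(WORLD_NORMAL), 40) == HANDLE_MONITOR ? "monitor" : "local");
    return 0;
}
```

The two points worth checking against a real SoC configuration are the ones the model makes explicit: an address that falls outside every TZASC region is denied here (fail closed), whereas a real controller's background region may grant it by default, and a DMA channel is only as restricted as the world it was programmed from, so a normal-world driver cannot use the DMAC as a side door into secure memory.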
