Arm Hypervisor and Trustzone Alternatives

Nezer Jacob Zaidenberg (College of Management, Israel), Raz Ben Yehuda (University of Jyväskylä, Finland) and Roee Shimon Leon (University of Jyväskylä, Finland)
Copyright: © 2020 | Pages: 13
DOI: 10.4018/978-1-5225-9715-5.ch079

Abstract

Many scenarios such as DRM, payments, and homeland security require a trusted and verified trusted execution environment (TEE) on ARM. In most cases such a TEE should be available in source code form: the vendor cannot conduct a code review and ensure that the operating system is trustworthy unless the source code is available. Android and other rich execution environments (REEs) support various TEE implementations. Each TEE implementation has its own unique way of deploying trusted applications and features. Most TEEs on ARM can be started in TrustZone™ or Hyp (Hypervisor) mode. Choosing a proper TEE operating system can be a problem for trusted application developers and hardware vendors. This article discusses the hypervisor vs. TrustZone™ implementation dilemma. Furthermore, the article surveys multiple ARM TrustZone™ TEE solutions and ARM virtualization solutions that are available today with source code. This article allows IoT vendors and SoC manufacturers to select a suitable TEE for their platform needs based on their criteria.
Chapter Preview

Background

Trusted Execution Environment

The ARM architecture allows for the co-existence of a Trusted Execution Environment (TEE) and a Rich Execution Environment (REE). The Trusted Execution Environment is a secure area inside the central processing unit (hereafter CPU). The Trusted Execution Environment runs its own operating system. The TEE operating system is a separate operating system that runs in parallel with the REE (main) operating system, in an isolated environment. The Trusted Execution Environment guarantees that the code and data loaded into the TEE are protected with respect to confidentiality and integrity.

The Rich Execution Environment is another area inside the CPU. The Rich Execution Environment runs a separate operating system, usually Google’s Android or Apple’s iOS. The Rich Execution Environment refers to the standard operating system that the device is running. The Rich Execution Environment offers significantly more features and applications and, as a result, is vulnerable to attacks. In most cases, the Rich Execution Environment is the environment where most applications run. The Rich Execution Environment receives services, such as decryption keys, from the Trusted Execution Environment.

The Trusted Execution Environment usually acts as a monitor for the Rich Execution Environment.

The Trusted Execution Environment has higher privileges and usually has access to read the Rich Execution Environment memory and data structures. The Rich Execution Environment should not have access to the Trusted Execution Environment memory and data structures. The two worlds, the secure world and the normal (untrusted, non-secure) world, can switch under the strict supervision of a Secure Monitor running in monitor mode. Switching between the secure and normal worlds is done through a special instruction called the “secure monitor call”, or SMC. Software uses SMC to communicate between the secure and normal worlds; shared memory is used to pass data between them. TrustZone™ splits the SoC devices into the secure and normal worlds. TrustZone™ controls the device hardware interrupts. TrustZone™ can route an interrupt to the secure world or to the normal world. As in the memory case, I/O and interrupt routing may change dynamically. TrustZone™ uses its own MMU. Operating systems and processes that execute in TrustZone™ do not share the same address space with their normal world counterparts. Thus, there is no need to have a distinct TrustZone™ for each processor. A single TrustZone™ OS across multiple ARM processors/cores can manage all of the device’s trusted computing needs. The cryptographic keys are accessible only in TrustZone™. The manufacturer can burn platform-specific keys using fuses. These platform-specific keys are device specific, thus enabling protection at the end-unit level.

Booting a Trusted Execution Environment must form a chain of trust in which a trust nexus verifies the next component on the boot chain. Each component verifies the next component until the system. Many vendors proposed.

Key Terms in this Chapter

ARM Virtualization: ARM offered virtualization extensions to the ARMv7 architecture and virtualization instructions as part of the ARMv8 architecture.

Board Support Package (BSP): A minimal set of drivers and boot loader to boot the operating system.

L4: A family of microkernel operating systems, initially developed by Liedtke. OKL4 and seL4 are operating systems that were derived from L4.

TrustZone™: An ARM exception level that allows running a TEE in a secure environment in parallel to the normal ARM environment.

ARM Architecture: ARM (previously Advanced RISC Machine, Acorn RISC Machine) is a 32- or 64-bit RISC CPU architecture that is by far the most common architecture in use today in mobile devices and IoT. The ARM architecture has included TrustZone™ since the 7th generation of the ARM architecture.

Hypercall: The term is analogous to a system call. A call by a user process or the operating system asking the hypervisor to perform some service required by the operating system or process.

GlobalPlatform: An organization that publishes the standards for secure mobile and embedded platforms.

Secure World: Secure world is the name for the secure, trusted execution environment (TEE) on the ARM architecture. It runs concurrently, on the same CPU, with the normal world. However, ARM provides hardware and software mechanisms to ensure that the normal world and the secure world run in separate environments.

Rich Execution Environment (REE): The Rich Execution Environment is another area inside the main processor. The Rich Execution Environment runs a separate operating system, usually Google’s Android or Apple’s iOS. The Rich Execution Environment refers to the standard operating system that the device is running. The Rich Execution Environment offers significantly more features and applications and, as a result, is vulnerable to attacks.

Trusted Execution Environment (TEE): A Trusted Execution Environment (TEE) is a secure area inside the main processor. The trusted execution environment runs a separate operating system in parallel to the main operating system in an isolated environment. The trusted execution environment guarantees the confidentiality and integrity of the code and data loaded in the TEE.

Hypervisor: The hypervisor is the software component that is responsible for running multiple operating systems on the same hardware.

Normal World (Insecure World): The normal operating system that the given platform runs for normal applications. In most cases, this refers to Google’s Android or Apple’s iOS.

Chain of Trust: A group of computer components that starts at a trust nexus. Through a series of operations, each component in the chain adds functionality and verifies the next component. The final component is trusted only if every component in the chain completes verification successfully and the nexus itself can indeed be trusted.
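The chain-of-trust boot described in the Background section and defined above, as an added example that is not code from the chapter or from any of the surveyed TEEs. It models a simplified scheme in which each stage image embeds the SHA-256 digest of the next stage, with the first digest held by the trust nexus (for example, fused into the SoC); production chains use signatures and public keys, and the stage names are constructed for illustration. The verifier reports the first stage at which the chain breaks and also rejects a chain that has been cut short.

```python
import hashlib

HASH_LEN = 32                      # SHA-256 digest length in bytes
TERMINATOR = b"\x00" * HASH_LEN    # marker carried by the final stage (no successor)


def build_chain(payloads):
    """Build the boot chain backwards from the last stage.

    Each stage image is: digest(next stage image) || own payload.
    Returns (root_digest, images); root_digest is what the trust nexus
    (e.g. boot ROM reading fused OTP) would hold for the first stage.
    """
    images = []
    next_digest = TERMINATOR
    for payload in reversed(payloads):
        image = next_digest + payload
        images.insert(0, image)
        next_digest = hashlib.sha256(image).digest()
    return next_digest, images


def verify_chain(root_digest, images):
    """Walk the chain from the nexus, as each boot stage would for its successor.

    Returns (ok, index): ok is False if some stage's digest does not match
    the digest its predecessor carries, or if the chain ends before the
    terminator (a truncated chain must not pass). index is the failing
    stage, or the chain length on success.
    """
    expected = root_digest
    for i, image in enumerate(images):
        if hashlib.sha256(image).digest() != expected:
            return False, i
        expected = image[:HASH_LEN]   # digest the stage vouches for next
    return expected == TERMINATOR, len(images)


if __name__ == "__main__":
    # Constructed stage payloads; real ones would be bootloader, TEE OS and REE kernel binaries.
    root, images = build_chain([b"bootloader", b"tee-os", b"ree-kernel"])
    print("intact chain:   ", verify_chain(root, images))
    tampered = list(images)
    tampered[1] = tampered[1][:-1] + b"X"   # one byte of the TEE OS image changed
    print("tampered TEE OS:", verify_chain(root, tampered))
    print("truncated chain:", verify_chain(root, images[:2]))
```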
