How to Introspect normal world from secure world using TrustZone?


Question


I have learned that secure world can protect critical data from being accessed by normal world, What I don't understand is that how do I measure the integrity of normal world from secure world.


I find some relevant work in the Samsung TZ-RKP and SierraTEE, in which they both implement a feature that could measure the integrity of normal world. But they didn't give technical details. I have two questions and I'd appreciate it very much if anyone could give me some clues.


  1. Suppose I want to see what processes are running in the normal world, do I have to use a kernel module in the normal world to help me do this? If so, how do I make sure that it has passed the right result to the secure world? To be precise, how do I check whether the kernel has been compromised?


Suppose I have an RSA key pair and I keep the private key in the secure world. When a process requests to decrypt some data, how does the secure world get to know whether the request is from a legislative process? A whitelist mechanism might help, but what if the kernel in the normal world has been compromised and the adversary pretends to be legislative? The secure world seems to know nothing about what is happening in the normal world.


Even if it can be sure that it is from a legislative process and it decrypts the data using the private key, the decrypted data would still be returned back to the normal world region somehow (i.e. shared memory) and the decrypted data could still be leaked. So what is the point of keeping a private key in the secure world?


BTW, I'm using an armv8 board.


Thanks in advance. It would be great if you could provide me with some examples.

Answer


TrustZone is not by itself a security system. You have to engineer that. Also, there are many different types of security. For instance, you are assuming a software attack, yet there are many physical attacks against a system (like I guess you describe). Something must be a trusted computing base (TCB); i.e., some code that you assume cannot be compromised. A normal world kernel is probably too large to be part of the TCB, yet it can be a good first line of defence. An exploit against it is only a privilege elevation from user to supervisor. Your TrustZone API should expect untrusted data (i.e., the normal world kernel trying buffer overflows and API misuse, etc).


The key point here is that the TZASC and other bus peripherals can grant access for the secure world to read/write normal world memory. You would have to verify MMU tables and other data structures for the case of a full-blown OS like Linux. Module loading, processes running, etc. all need verification. However, if you have a much simpler system in the normal world it may be possible to verify it. Most likely you have to settle for a portion of it. Random sampling of the PC might be a deterrent; but nothing will be fool-proof unless the normal world is proof-carrying code.

  1. Suppose I want to see what processes are running in the normal world, do I have to use a kernel module in the normal world to help me do this? If so, how do I make sure that it has passed the right result to the secure world? To be precise, how do I check whether the kernel has been compromised?


Your secure world can contain an OS (or primitive scheduler) which will periodically check the normal world code integrity. There are hardware modules like an RTIC, etc. You can also use the TZASC to lock the kernel code to normal user (no access) and normal supervisor as read-only. "Compromised" is an overloaded word. At some point you must trust something. Can the private key be replicated if the normal supervisor is compromised? You have to define your security goals. In any sense/meaning, of course the normal world kernel can be compromised. You don't have a complete specification of its behaviour to verify from the secure world.

  2. Suppose I have an RSA key pair and I keep the private key in the secure world. When a process requests to decrypt some data, how does the secure world get to know whether the request is from a legislative process? A whitelist mechanism might help, but what if the kernel in the normal world has been compromised and the adversary pretends to be legislative? The secure world seems to know nothing about what is happening in the normal world.


Your secure world probably has to have some co-operation from the encrypting entity. You could limit the amount of decrypts without some form of verification, for instance. It seems that the most valuable thing is the private RSA key. If you allow the normal world to request decryption, then that is your issue and not TrustZone's? You have to handle this using normal mechanisms with cryptography and unknown/untrusted hosts. Is the RSA key pair global or per device? Do you support revocation, etc.? It is in your system and TrustZone is only part of it.
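The answer above makes two concrete suggestions for the first question: use the TZASC to lock the kernel code region (no access for normal user, read-only for normal supervisor) and have a secure-world scheduler periodically re-measure that region against a known-good digest. The following C model, added here as an illustration and not code from the answerer, TZ-RKP, SierraTEE or any TrustZone SDK, shows both mechanisms working together on a simulated kernel text buffer. Everything in it is an assumption for the sake of the example: the "normal world memory" is a plain byte array, the `region_rule` table stands in for TZASC region programming, and the digest is FNV-1a as a placeholder for a real hash such as SHA-256.

```c
/* Added example (not from the original answer or any TEE project):
 * a toy secure-world integrity monitor for the normal-world kernel text.
 * Assumptions: kernel text is a byte array; the TZASC-like rule table is a
 * hypothetical model; FNV-1a stands in for a real cryptographic hash. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define KTEXT_SIZE 64   /* constructed: size of the simulated kernel .text */

/* Who issues a memory access (hypothetical enumeration for the model). */
enum world { NORMAL_USER, NORMAL_SUPERVISOR, SECURE };
enum access_kind { ACCESS_READ, ACCESS_WRITE };

/* One TZASC-style region rule: what the two normal-world levels may do.
 * The secure world is always allowed (it programs the controller). */
struct region_rule {
    int user_read, user_write;
    int super_read, super_write;
};

/* Kernel text as the answer suggests: normal user no access,
 * normal supervisor read-only. */
static const struct region_rule ktext_rule = { 0, 0, 1, 0 };

int region_allows(const struct region_rule *r, enum world w, enum access_kind a)
{
    if (w == SECURE) return 1;
    if (w == NORMAL_USER) return a == ACCESS_READ ? r->user_read : r->user_write;
    return a == ACCESS_READ ? r->super_read : r->super_write;
}

/* FNV-1a 64-bit: placeholder digest, not collision resistant. A real
 * monitor would use SHA-256 or similar over the same bytes. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Secure-world monitor state: the golden digest taken once at boot,
 * before the normal world starts running. */
struct monitor { uint64_t golden; int measured; };

void monitor_measure(struct monitor *m, const uint8_t *ktext, size_t n)
{
    m->golden = fnv1a64(ktext, n);
    m->measured = 1;
}

/* Periodic check: returns 1 while the text still matches, 0 once modified. */
int monitor_check(const struct monitor *m, const uint8_t *ktext, size_t n)
{
    return m->measured && fnv1a64(ktext, n) == m->golden;
}

/* A normal-world write goes through the region rule first; returns 1 if the
 * write happened, 0 if the controller denied it. */
int normal_world_write(enum world w, uint8_t *ktext, size_t off, uint8_t val)
{
    if (!region_allows(&ktext_rule, w, ACCESS_WRITE)) return 0;
    ktext[off] = val;
    return 1;
}

/* Walk-through with constructed data; returns 0 on the expected outcome,
 * otherwise the number of the step that went wrong. */
int demo(void)
{
    uint8_t ktext[KTEXT_SIZE];
    struct monitor m = { 0, 0 };
    for (size_t i = 0; i < KTEXT_SIZE; i++) ktext[i] = (uint8_t)(i * 7 + 3);

    monitor_measure(&m, ktext, KTEXT_SIZE);
    if (!monitor_check(&m, ktext, KTEXT_SIZE)) return 1;        /* baseline passes */
    if (normal_world_write(NORMAL_SUPERVISOR, ktext, 10, 0xff)) return 2; /* denied */
    if (!monitor_check(&m, ktext, KTEXT_SIZE)) return 3;        /* still intact */

    /* A change that bypasses the region rule (e.g. a path not covered by
     * the TZASC) is what the periodic re-measurement is there to catch. */
    ktext[10] ^= 0x01;
    if (monitor_check(&m, ktext, KTEXT_SIZE)) return 4;         /* must be detected */
    return 0;
}

int main(void)
{
    int status = demo();
    printf("demo status: %d\n", status);
    return status != 0;
}
```

The two mechanisms cover different failure modes: the region rule stops the normal-world kernel itself from rewriting its text, while the re-measurement catches modifications that arrive by some path the rule does not govern, at the cost of a detection window equal to the scheduler's check interval. As the answer notes, neither tells the secure world anything about data structures (page tables, process lists) that legitimately change at run time; those need separate, structure-aware checks.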

