TrustZone versus Hypervisor


Question


I am just reading this document from ARM on TrustZone and some things are unclear to me.


The fact that a Hypervisor offers a special CPU mode and that for the TrustZone, the processor comes with an extra 33rd bit: Isn't mode also a particular bit setting? How is then an extra bit making all that difference in terms of security? I do understand that the extra bit makes way for two separate 32-bit address spaces, but apart from that I am unable to put two and two together. Can someone clearly explain why TrustZone is more secure than a Hypervisor?

Answer


A typical Hypervisor is limited to the CPU only. It does not protect against other DMA masters. See the Wikipedia DMA Attack web page for more on this. Other attacks, such as a cold boot, need other mechanisms, such as zeroizable memory, to prevent exploitation. That is, TrustZone is not a total security solution, but a big part of it. As the ARM is only a CPU, the mechanism to control the other BUS Masters is unspecified. Besides DMA Masters, alternate CPUs also pose a threat to memory partitioning. To address this, some secondary CPUs are TrustZone aware. I.e., they will always tag transactions with an NS bit (the 33rd bit).


In contrast, a Hypervisor is rarely limited to two worlds. Hypervisors host any number of OSes. TrustZone only has two worlds: secure and normal. Although each world can have a controlling supervisor OS, with as many separate threads, tasks, or processes as the OS permits.


DMA Attack explanation: In contrast to a hardware bit, a Hypervisor usually uses the CPU's MMU to limit software access. This doesn't prevent alternative BUS Masters from getting at the memory. If Hypervisor-restricted software can control a separate BUS master, then it can grab memory that is to be protected. DMA uses physical addresses and bypasses the MMU, and so general Hypervisor protection.


The DMA Attack circumvents CPU protection by using something outside the CPU to access memory. With TrustZone, the protection is NOT in the CPU, but in the BUS controller. See NIC301 for a sample. An ARM TrustZone CPU just allows the CPU to support four modes: secure supervisor, secure user, normal supervisor and normal user. A normal ARM CPU only supports user and supervisor separation, with all hosted OSes of a hypervisor running in user mode; typically all DMA peripherals run with supervisor privilege and the value is often hard-coded in the SOC.
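As an added illustration of the two schemes the answer contrasts (example code written for this page, not from the original post or from ARM), here is a toy Python model of who gets to check a memory access: the hypervisor's MMU check only sees CPU-issued transactions, while a bus-level filter in the style of a TZASC/NIC301 sees every initiator's NS bit. The master names, addresses and region layout are constructed for the demo.

```python
from dataclasses import dataclass

SECURE, NONSECURE = 0, 1  # value of the NS ("33rd") bit carried by a transaction

@dataclass(frozen=True)
class Transaction:
    master: str  # initiator: "cpu" or the name of a DMA master (constructed names)
    addr: int    # physical address
    ns: int      # NS bit tagged by the initiator

@dataclass(frozen=True)
class Region:
    start: int
    end: int
    secure_only: bool  # True: only NS=0 (secure) transactions may touch it

def hypervisor_protected(tx, cpu_mmu_allowed):
    """MMU-based scheme: only CPU accesses go through the MMU. Any other bus
    master uses physical addresses directly and is never consulted."""
    if tx.master != "cpu":
        return True  # DMA bypasses the MMU, so the access succeeds
    return any(lo <= tx.addr < hi for lo, hi in cpu_mmu_allowed)

def trustzone_protected(tx, regions):
    """Bus-controller scheme (TZASC/NIC301 style): every transaction, whatever
    its initiator, is checked against the NS bit of the target region."""
    for r in regions:
        if r.start <= tx.addr < r.end:
            return not (r.secure_only and tx.ns == NONSECURE)
    return True  # unpartitioned memory is open to both worlds

def demo():
    # constructed layout: secure RAM at 0x1000-0x1fff, normal RAM at 0x2000-0x2fff
    regions = [Region(0x1000, 0x2000, True), Region(0x2000, 0x3000, False)]
    mmu_allowed = [(0x2000, 0x3000)]  # the guest OS is only mapped to normal RAM
    guest_cpu = Transaction("cpu", 0x1800, NONSECURE)
    guest_dma = Transaction("dma0", 0x1800, NONSECURE)  # guest-driven; SoC hard-wires NS=1
    secure_cpu = Transaction("cpu", 0x1800, SECURE)
    legacy_dma = Transaction("dma1", 0x1800, SECURE)  # TrustZone-unaware master hard-wired NS=0
    return {
        "hv_cpu": hypervisor_protected(guest_cpu, mmu_allowed),     # False: MMU blocks it
        "hv_dma": hypervisor_protected(guest_dma, mmu_allowed),     # True: the DMA attack
        "tz_cpu": trustzone_protected(guest_cpu, regions),          # False: bus check
        "tz_dma": trustzone_protected(guest_dma, regions),          # False: bus check
        "tz_secure_cpu": trustzone_protected(secure_cpu, regions),  # True: secure world
        "tz_legacy_dma": trustzone_protected(legacy_dma, regions),  # True: residual risk
    }
```

The last entry is why the answer calls TrustZone "a big part" rather than the whole of a solution: a master whose NS value is hard-coded to secure in the SoC is trusted by the bus filter no matter which world's software drives it.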

