How to introspect the normal world from the secure world using TrustZone?


Problem description


I have learned that the secure world can protect critical data from being accessed by the normal world. What I don't understand is how I measure the integrity of the normal world from the secure world.

I found some relevant work in Samsung TZ-RKP and SierraTEE, in which they both implement a feature that can measure the integrity of the normal world. But they didn't give technical details. I have two questions and I'd appreciate it very much if anyone could give me some clues.

  1. Suppose I want to see what processes are running in the normal world. Do I have to use a kernel module in the normal world to help me do this? If so, how do I make sure that it has passed the right result to the secure world? To be precise, how do I check whether the kernel has been compromised?

  2. Suppose I have an RSA key pair and I keep the private key in the secure world. When a process requests to decrypt some data, how does the secure world get to know whether the request is from a legitimate process? A whitelist mechanism might help, but what if the kernel in the normal world has been compromised and the adversary pretends to be legitimate? The secure world seems to know nothing about what is happening in the normal world.

Even if it can be sure that it is from a legitimate process and it decrypts the data using the private key, the decrypted data would still be returned to the normal world region somehow (i.e. shared memory) and the decrypted data could still be leaked. So what is the point of keeping a private key in the secure world?

BTW, I'm using an armv8 board.

Thanks in advance. It would be great if you could provide me with some examples.

Solution

TrustZone is not by itself a security system. You have to engineer that. Also, there are many different types of security. For instance, you are assuming a software attack, yet there are many physical attacks against a system (like I guess you describe). Something must be a trusted computing base (TCB); i.e., some code that you assume cannot be compromised. A normal world kernel is probably too large to be part of the TCB, yet it can be a good first line of defence. An exploit against it is only a privilege elevation from user to supervisor. Your TrustZone API should expect untrusted data (i.e., the normal world kernel trying buffer overflows and API misuse, etc.).

The key point here is that the TZASC and other bus peripherals can grant access for the secure world to read/write normal world memory. You would have to verify MMU tables and other data structures for the case of a full-blown OS like Linux. Module loading, processes running, etc. all need verification. However, if you have a much simpler system in the normal world it may be possible to verify it. Most likely you have to settle for a portion of it. Random sampling of the PC might be a deterrent; but nothing will be foolproof unless the normal world is proof-carrying code.

  1. Suppose I want to see what processes are running in the normal world. Do I have to use a kernel module in the normal world to help me do this? If so, how do I make sure that it has passed the right result to the secure world? To be precise, how do I check whether the kernel has been compromised?

Your secure world can contain an OS (or primitive scheduler) which will periodically check the normal world code integrity. There are hardware modules like an RTIC, etc. You can also use the TZASC to lock the kernel code to normal user (no access) and normal supervisor as read-only. "Compromised" is an overloaded word. At some point you must trust something. Can the private key be replicated if the normal super is compromised? You have to define your security goals. In any sense/meaning, of course the normal world kernel can be compromised. You don't have a complete specification of its behaviour to verify from the secure world.

  2. Suppose I have an RSA key pair and I keep the private key in the secure world. When a process requests to decrypt some data, how does the secure world get to know whether the request is from a legitimate process? A whitelist mechanism might help, but what if the kernel in the normal world has been compromised and the adversary pretends to be legitimate? The secure world seems to know nothing about what is happening in the normal world.

Your secure world probably has to have some co-operation from the encrypting entity. You could limit the amount of decrypts without some form of verification, for instance. It seems that the most valuable thing is the private RSA key. If you allow the normal world to request decryption, then that is your issue and not TrustZone's? You have to handle this using normal mechanisms with cryptography and unknown/untrusted hosts. Is the RSA key pair global or per device? Do you support revocation, etc.? It is in your system and TrustZone is only part of it.
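The periodic code-integrity check the answer describes, as an added example that is not part of the original answer: the secure world takes a per-page reference digest of the normal-world kernel text at a trusted point and re-measures it on a schedule. The buffer, the `monitor` struct and the FNV-1a placeholder digest are assumptions; a deployment would use a cryptographic hash over the physical pages the TZASC grants the secure world.

```c
/* Added example, not from the answer above: a secure-world style periodic
 * integrity check of normal-world kernel text. The "memory" is a constructed
 * buffer; on hardware the secure world would map pages the TZASC lets it read. */
#include <stdint.h>
#include <stddef.h>
#define PAGE_SIZE 64   /* tiny pages keep the demo readable; real: 4096 */
#define NPAGES    4

/* Placeholder digest (FNV-1a 64); a real monitor uses a cryptographic hash such
 * as SHA-256 so patched code cannot be adjusted to keep the golden value. */
static uint64_t digest(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

struct monitor {               /* hypothetical secure-world state */
    const uint8_t *text;       /* start of the measured region */
    uint64_t golden[NPAGES];   /* per-page reference digests */
};

/* Reference measurement, taken once right after secure boot verified the image. */
static void monitor_init(struct monitor *m, const uint8_t *text) {
    m->text = text;
    for (size_t i = 0; i < NPAGES; i++)
        m->golden[i] = digest(text + i * PAGE_SIZE, PAGE_SIZE);
}

/* Periodic re-measurement: index of the first page whose digest differs from
 * its golden value, or -1 if intact. Per-page digests say *where* it changed. */
static int monitor_check(const struct monitor *m) {
    for (size_t i = 0; i < NPAGES; i++)
        if (digest(m->text + i * PAGE_SIZE, PAGE_SIZE) != m->golden[i])
            return (int)i;
    return -1;
}

static uint8_t kernel_text[NPAGES * PAGE_SIZE]; /* constructed stand-in for code */

/* Demo: intact region passes; a byte patched in page 2 is caught on the next
 * check. Returns 1 when both outcomes are as expected. */
int demo(void) {
    static struct monitor m;
    for (size_t i = 0; i < sizeof kernel_text; i++) kernel_text[i] = (uint8_t)(i * 7 + 3);
    monitor_init(&m, kernel_text);
    int before = monitor_check(&m);           /* -1 */
    kernel_text[2 * PAGE_SIZE + 5] ^= 0xFF;   /* simulated inline hook */
    int after = monitor_check(&m);            /* 2 */
    return before == -1 && after == 2;
}
```

On a real board the same loop would run from the secure scheduler the answer mentions, with the kernel text additionally locked read-only via the TZASC so a detected change can only come from a bypass of that lock.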
