ARM TrustZone's Secure/Normal world vs. OS's kernel/user mode or x86's Ring0/1/2/3?


Question

It describes that all resources like CPU, memory and others are divided into Secure World and Normal World. Programs in Normal World cannot access resources in Secure World. You must call a special instruction, SMC, to switch from Normal to Secure world (going through Monitor Mode).

As far as I know, a modern OS like Linux provides Kernel Mode and User Mode. User processes cannot access resources located in kernel space, but they can invoke system calls.

I also know x86's Ring0/1/2/3 can protect resources from invalid access from lower privilege level processes.

My question is what is the difference between ARM TrustZone's Secure/Normal World and kernel/user mode. Or what is the difference between TrustZone and x86's ring0/1/2/3?

Thanks

Edit Question: Replace Protected Mode with Ring0/1/2/3 in my question.

Thanks for your help. I spent some time understanding this and reading more documents. In summary, TZ provides isolation of resources by NS bit flags on the bus, peripherals, and CPU.

Answer

You've conflated 3 totally different things here.

Kernel mode/user mode is about execution privilege: x86 uses the terminology of "rings", whereas ARM has privilege levels baked into its processor modes - you can draw a rough parallel between ring 3 and USR mode, and ring 0 and SVC mode (obviously architectural differences mean it's nowhere near that straightforward really).

Memory protection is a different concept, involving having hardware bolted to the CPU to restrict its memory and MMIO accesses to within defined mappings, or raise faults otherwise (which then enables further developments like demand-paged virtual memory). In this regard, "Protected mode" vs. "Real mode" on x86 is pretty much just the equivalent of having the MMU/MPU turned on or off. Obviously it makes plenty of sense to couple this idea with the first, to allow the notion of privileged/unprivileged memory, but the x86 architecture and its evolutionary heritage makes that coupling artificially strong - on ARM you still have all your processor modes when the MMU is off.

TrustZone, on the other hand, is about security and authentication at a whole different level - between the system vendor/operator and the user. On x86 systems you typically might have a hardware TPM for things like secure key storage or boot verification - anything the main processor can access cannot be considered secure since the user could replace any software running there (the normal execution privilege mechanism doesn't help since the user can simply switch the whole kernel for a malicious one). The point of TrustZone is hardware support throughout the whole system which enables virtualising that secure processor/memory/peripherals on top of the "normal" system, instead of needing to cram in a whole load of extra hardware for it. For example, you can simply partition off a chunk of RAM to be physically* inaccessible from the normal world, and implement a "TPM" purely as verified secure-world software which even the most privileged normal-world code cannot interfere with.

In x86-world, you should look at Intel's Trusted Execution Technology as the closest relevant thing, which addresses (given external TPM support) some of the use-cases for which TrustZone is employed in ARM SoCs. Note that it's not a direct comparison - the CPU-centric nature of TXT means it's really just a secure boot solution. TrustZone is system-wide and more of a fundamental building block - you can build a secure boot solution and/or a TPM on it, but you can also build things like end-to-end secure content paths which a CPU-centric approach simply cannot.

* note that I mean "physical" from the software point of view - i.e. it is in hardware and there is nothing software can do to get around it if it is properly implemented. TrustZone is explicitly not an actual physical security solution - it does not, and is not intended to, offer any protection against determined people taking the packaging off the chip and probing the silicon directly.
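To make the answer's point concrete, here is an added example (not code from the original post or from ARM) that models the three mechanisms as independent checks on a memory access: execution privilege enforced through MMU mappings, and the TrustZone NS-bit partition enforced at the bus regardless of privilege or MMU state. The region and page-table layouts, the type names and the function names are all constructed for illustration and simplify real hardware (for instance, the secure world really has its own translation tables).

```c
/* Added example, not from the original post: a toy model of the three separate
 * checks the answer distinguishes. Names and rules are simplifications, not the
 * behaviour of any specific ARM core, MMU or TrustZone address-space controller. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef enum { PRIV_USER, PRIV_KERNEL } priv_t;       /* ring 3/0, USR/SVC */
typedef enum { WORLD_SECURE, WORLD_NORMAL } world_t;  /* NS bit on the bus  */
typedef struct { uint32_t base, size; bool priv_only;   } mapping_t; /* MMU entry  */
typedef struct { uint32_t base, size; bool secure_only; } region_t;  /* bus filter */

/* Constructed physical map: low 2 GiB normal RAM, 256 MiB at 0x80000000 secure-only. */
static const region_t regions[] = {
    { 0x00000000u, 0x80000000u, false },
    { 0x80000000u, 0x10000000u, true  },
};
/* Constructed page table: first 1 MiB user-accessible, everything else kernel-only. */
static const mapping_t mappings[] = {
    { 0x00000000u, 0x00100000u, false },
    { 0x00100000u, 0x8FF00000u, true  },
};
static bool in_range(uint32_t addr, uint32_t base, uint32_t size) {
    return addr - base < size;  /* unsigned wrap keeps this overflow-safe */
}

/* Check 1: execution privilege as enforced by the MMU. With the MMU off there is
 * no mapping to check at all, so privilege and mapping give no protection here. */
static bool mmu_allows(bool mmu_on, priv_t priv, uint32_t addr) {
    if (!mmu_on) return true;
    for (size_t i = 0; i < sizeof mappings / sizeof mappings[0]; i++)
        if (in_range(addr, mappings[i].base, mappings[i].size))
            return priv == PRIV_KERNEL || !mappings[i].priv_only;
    return false;  /* unmapped: translation fault */
}

/* Check 2: TrustZone partitioning at the bus. Only the NS bit matters; neither
 * privilege level nor MMU state is consulted, which is why normal-world kernel
 * code, even with the MMU off, still cannot reach secure-only RAM. */
static bool bus_allows(world_t world, uint32_t addr) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (in_range(addr, regions[i].base, regions[i].size))
            return world == WORLD_SECURE || !regions[i].secure_only;
    return false;  /* outside every region: bus error */
}

/* An access succeeds only if both independent checks pass. */
bool access_ok(world_t world, priv_t priv, bool mmu_on, uint32_t addr) {
    return mmu_allows(mmu_on, priv, addr) && bus_allows(world, addr);
}
```

Running the checks shows the asymmetry the answer describes: switching the MMU off removes the privilege protection but leaves the secure region just as unreachable from the normal world.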
