TrustZone versus Hypervisor


Question

I am just reading this document from ARM on TrustZone and some things are unclear to me.

The fact that a Hypervisor offers a special CPU mode and that for the TrustZone, the processor comes with an extra 33rd bit: Isn't mode also a particular bit setting? How is then an extra bit making all that difference in terms of security? I do understand that the extra bit makes way for two separate 32-bit address spaces, but apart from that I am unable to put two and two together. Can someone clearly explain why TrustZone is more secure than a Hypervisor?

Recommended answer

A typical Hypervisor is limited to the CPU only. It does not protect against other DMA masters. See the Wikipedia DMA Attack web page for more on this. Other attacks, such as a cold boot, need other mechanisms such as zeroizable memory to prevent exploitation. That is, TrustZone is not a total security solution, but a big part of it. As the ARM is only a CPU, the mechanism to control the other BUS Masters is unspecified. Besides DMA Masters, alternate CPUs also pose a threat to memory partitioning. To address this, some secondary CPUs are TrustZone aware. I.e., they will always tag transactions with an NS bit (the 33rd bit).

In contrast, a Hypervisor is rarely limited to two worlds. Hypervisors host any number of OS's. TrustZone only has two worlds: secure and normal. Although each world can have a controlling supervisor OS, with many separate threads, tasks, or processes as the OS permits.

DMA Attack explanation: In contrast to a hardware bit, a Hypervisor usually uses the CPU's MMU to limit software access. This doesn't prevent alternative BUS Masters from getting at the memory. If Hypervisor-restricted software can control a separate BUS master, then they can grab memory that is to be protected. DMA uses physical addresses and bypasses the MMU, and so general Hypervisor protection.

The DMA Attack circumvents CPU protection by using something outside the CPU to access memory. With TrustZone, the protection is NOT in the CPU, but in the BUS controller. See: [NIC301](http://infocenter.arm.com/help/topic/com.arm.doc.ddi0397g/DDI0397G_amba_network_interconnect_nic301_r2p1_trm.pdf) for a sample. An ARM TrustZone CPU just allows the CPU to support four modes: secure supervisor, secure user, normal supervisor and normal user. A normal ARM CPU only supports user and supervisor separation, with all hosted OS's of a hypervisor running in user mode; typically all DMA peripherals run with supervisor privilege and the value is often hard-coded in the SOC.
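As an added illustration of the answer's point about where the check lives (constructed demo code, not from the original post or from ARM), the model below contrasts an MMU-only gate, which only ever sees CPU-originated accesses, with an interconnect filter that inspects the NS bit on every transaction regardless of which master issued it. The address map, master types and field names are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model: a bus master is either the CPU or a DMA engine, and
 * every transaction carries a physical address plus the NS bit that the
 * answer calls the "33rd bit". */
typedef enum { MASTER_CPU, MASTER_DMA } master_t;

typedef struct {
    uint32_t base, size;
    bool secure_only;  /* region reserved for the Secure world at the bus */
} region_t;

typedef struct {
    master_t master;
    uint32_t phys_addr;
    bool ns;           /* NS bit on the transaction; for the hypervisor model
                          read it as "issued by a hosted guest" */
} txn_t;

/* Example address map, constructed for the demo. */
static const region_t regions[] = {
    { 0x00000000u, 0x10000000u, false }, /* ordinary DRAM */
    { 0x10000000u, 0x00100000u, true  }, /* key store: Secure only */
};
static const size_t nregions = sizeof regions / sizeof regions[0];

static bool hits_secure_region(uint32_t addr)
{
    for (size_t i = 0; i < nregions; i++)
        if (regions[i].secure_only && addr >= regions[i].base &&
            addr - regions[i].base < regions[i].size)
            return true;
    return false;
}

/* Hypervisor model: the CPU's MMU is the only gate. It sees CPU accesses
 * only; a DMA master drives a physical address on the bus and is never
 * consulted, which is exactly the DMA-attack gap the answer describes. */
bool hypervisor_allows(const txn_t *t)
{
    if (t->master != MASTER_CPU)
        return true;                     /* MMU bypassed by DMA */
    return !(hits_secure_region(t->phys_addr) && t->ns);
}

/* TrustZone model: the interconnect filters every transaction on its NS
 * bit, so DMA masters are subject to the same rule as the CPU. */
bool trustzone_allows(const txn_t *t)
{
    return !(hits_secure_region(t->phys_addr) && t->ns);
}
```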
