如何确定是否ARM处理器在通常锁定的＆QUOT运行;世界＆QUOT;或Secore＆QUOT;世界＆QUOT;？ [英] How to determine if ARM processor running in a usual locked-down "world" or in Secore "world"?

问题描述

例如，的virt-什么显示了在内部硬件虚拟化的沙箱运行。

For example, virt-what shows if you are running inside hardware virtualization "sandbox".

如何，如果你在ARM的TrustZone沙箱中运行检测？

How to detect if you are running in ARM "TrustZone" sandbox?

推荐答案

的TrustZone 也许比你想象的不同。有模式的连续体。从以双操作系统'在每个世界运行的功能，值得信赖的一个简单的API。

TrustZone maybe different than what you think. There is a continuum of modes. From 'a simple API of trusted functions' to 'dual OSs' running in each world.

如果有给这个问题更多的背景下，这会很有帮助。这是对编程确定或逆向工程的考虑？对于当前的Linux用户空间，答案是否

If there was more context given to the question, it would be helpful. Is this for programatically determining or for reverse engineering considerations? For the current Linux user-space, the answer is no.

• 没有当前的用户空间的工具。


• 基于时间的分析。


• code为基础的分析。


• CPU排斥和 SCR 。


• ID_PRF1 位[7：4]。

• No current user space utility.
• Time based analysis.
• Code based analysis.
• CPU exclusion and SCR.
• ID_PRF1 bits [7:4].

的virt-什么 是不是发现如果你是一个超遮阳板下运行的很简单的方法。这是的编写的程序的Linux用户空间的。大多数情况下，这些都是 shell脚本其中检查的/ proc内/ cpuinfo 等的 PROCFS 的是它运行在内核上下文code和报告，以一个伪文件系统的用户空间的。有没有这样的检测的TrustZone 在主线的ARM Linux操作系统。在设计上， ARM 使得难以察觉。一个设计意图是在code中的的正常的世界的运行未经修改。

virt-what is not a fool-proof way of discovering if you are running under a hyper-visor. It is a program written for linux user-space. Mostly, these are shell scripts which examine /proc/cpuinfo, etc. procfs is a pseudo-file system which runs code in the kernel context and reports to user space. There is no such detection of TrustZone in the main line ARM linux. By design, ARM has made it difficult to detect. An design intent is to have code in the normal world run unmodified.

为了去跟安全的世界，正常的世界需要 SMC 的说明。如果您的用户空间可以访问内核code或的vmlinux 的形象，你可以尝试分析code段为的 SMC 指令。然而，这code $也许在图像P中$ psent，但从未激活。至少，这是否说的的的Linux 的内核对的的TrustZone 的一些支持。你可以写一个内核模块这将陷阱的 SMC 指令的任何执行，但也有可能是更好的解决方案。

In order to talk to the secure world, the normal world needs SMC instructions. If your user space has access to kernel code or the vmlinux image, you can try to analyze the code sections for an SMC instruction. However, this code maybe present in the image, but never active. At least this says whether the Linux kernel has some support for TrustZone. You could write a kernel module which would trap any execution of an SMC instruction, but there are probably better solutions.

如果操作系统是在安全的世界运行的的，一段时间后分析将表明，如果的频率缩放不活跃一些CPU周期都被偷走了。我想，这是不是在原来的问题的精神答案。这依赖于明知的安全的世界的是一个成熟的操作系统有一个计时器（或至少pre清空的中断）。

If an OS is running in the secure world, some time analysis would show that some CPU cycles have been stolen if frequency scaling is not active. I think this is not an answer in the spirit of the original question. This relies on knowing that the secure world is a full-blown OS with a timer (or at least pre-emptible interrupts).

的 SCR （安全配置寄存器的）是不是在正常的世界提供。在ARM Cortex-A5 MPCore的手册（pg4-46）

The SCR (Secure configuration register) is not available in the normal world. From the ARM Cortex-A5 MPcore manual (pg4-46),

使用限制的SCR是：

           •只有在特权模式下访问

           •只有在安全状态下访问。

  试图从比安全特权以外的任何国家访问SCR
  导致未定义的指令异常。

Usage constraints The SCR is:
• only accessible in privileged modes
• only accessible in Secure state.
An attempt to access the SCR from any state other than secure privileged results in an Undefined instruction exception.

在一些的的Cortex-A 的系列，指令，

ID_PRF1 bits [7:4].

On some Cortex-A series, the instruction,

mrc p15, 0, r0, c0, c1, 1

将得到一个值，其中位[7：4]指示CPU是否支持的安全扩展的，也被称为的TrustZone 。非零值表示它是支持的。许多早期的CPU可能不支持此CP15寄存器。因此，它是很像 SCR 和处理的未定义指令的。此外，它不会告诉你，code是的有效的在的TrustZone 模式。

will get a value where bits [7:4] indicate whether the CPU supports Security Extensions, also known as TrustZone. A non-zero value indicates it is supported. Many early CPUs may not support this CP15 register . So, it is much like the SCR and handling the undefined instruction. Also, it doesn't tell you that code is active in the TrustZone mode.

这是可能的，你可以写一个的内核模块的这将尝试该指令办理的未定义例外的。这将检测到的正常的相对的安全的世界。但是，你必须排除那些不包含CPU 的TrustZone 的。

It is possible that you could write a kernel module which would try this instruction and handle the undefined exception. This would detect a normal versus secure world. However, you would have to exclude CPUs which don't have TrustZone at all.

如果该设备不是ARMv6的或更好的，然后点击的TrustZone 是不可能的。了大量的的Cortex-A 的设备有的TrustZone 在CPU中，但它不活动。

If the device is not an ARMv6 or better, then TrustZone is impossible. A great deal of Cortex-A devices have TrustZone in the CPU, but it is not active.

合并 SMC 测试和CPU ID，还不够充分。部分的引导加载程序的在安全的世界运行的，然后过渡到的正常的世界的。所以的安全的引导过程中才有效。

The combined SMC test and a CPU id, is still not sufficient. Some boot loaders run in the secure world and then transition to the normal world. So secure is only active during boot.

理论上，有可能知道，尤其是该系统的更多的知识。也许有许多迹象，比如伪中断的从GIC等，但我不认为任何的用户空间的Linux的工具，如存在2014年一月的这病毒/ rootkit的作家和恶意软件检测软件之间升级的一个典型的战争。^{的 TZ的Rootkits}

Theoretically, it is possible to know, especially with more knowledge of the system. There maybe many signs, such as spurious interrupts from the GIC, etc. However, I don't believe that any user space linux tool exists as of Jan 2014. This is a typical war of escalation between virus/rootkit writers and malware detection software.^{TZ Rootkits}

这篇关于如何确定是否ARM处理器在通常锁定的＆QUOT运行;世界＆QUOT;或Secore＆QUOT;世界＆QUOT;？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！