ARM TrustZone's Secure/Normal world vs. OS's kernel/user mode or x86's Ring0/1/2/3?


Problem description

I read document like this TrustZone Security Whitepaper.

It describes that all resources like CPU, memory and others are divided by Secure World and Normal World. Programs in Normal World can not access resources in Secure World. You must call a special instruction SMC to switch from Normal to Secure world (go through Monitor Mode).

As far as I know, modern OS like Linux provides Kernel Mode and User Mode. User processes can not access resources located in kernel space, but can invoke system calls.

I also know x86's Ring0/1/2/3 can protect resources from invalid access from lower privilege level processes.

My question is what is the difference between ARM TrustZone's Secure/Normal World and kernel/user mode. Or what is the difference between TrustZone and x86's ring0/1/2/3?

Thanks

Edit Question: Replace Protected Mode with Ring0/1/2/3 in my question.

Thanks for your help. I spent some time understanding and reading more documents. In summary, TZ provides isolation of resources by NS bit flags on the bus, peripherals, and CPU.

Recommended answer

You've conflated 3 totally different things here.

Kernel mode/user mode is about execution privilege: x86 uses the terminology of "rings", whereas ARM has privilege levels baked into its processor modes - you can draw a rough parallel between ring 3 and USR mode, and ring 0 and SVC mode (obviously architectural differences mean it's nowhere near that straightforward really).

Memory protection is a different concept, involving having hardware bolted to the CPU to restrict its memory and MMIO accesses to within defined mappings, or raise faults otherwise (which then enables further developments like demand-paged virtual memory). In this regard, "Protected mode" vs. "Real mode" on x86 is pretty much just the equivalent of having the MMU/MPU turned on or off. Obviously it makes plenty of sense to couple this idea with the first, to allow the notion of privileged/unprivileged memory, but the x86 architecture and its evolutionary heritage makes that coupling artificially strong - on ARM you still have all your processor modes when the MMU is off.

TrustZone, on the other hand, is about security and authentication at a whole different level - between the system vendor/operator and the user. On x86 systems you typically might have a hardware TPM for things like secure key storage or boot verification - anything the main processor can access cannot be considered secure since the user could replace any software running there (the normal execution privilege mechanism doesn't help since the user can simply switch the whole kernel for a malicious one). The point of TrustZone is hardware support throughout the whole system which enables virtualising that secure processor/memory/peripherals on top of the "normal" system, instead of needing to cram in a whole load of extra hardware for it. For example, you can simply partition off a chunk of RAM to be physically* inaccessible from the normal world, and implement a "TPM" purely as verified secure-world software which even the most privileged normal-world code cannot interfere with.

In x86-world, you should look at Intel's Trusted Execution Technology as the closest relevant thing, which addresses (given external TPM support) some of the use-cases for which TrustZone is employed in ARM SoCs. Note that it's not a direct comparison - the CPU-centric nature of TXT means it's really just a secure boot solution. TrustZone is system-wide and more of a fundamental building block - you can build a secure boot solution and/or a TPM on it, but you can also build things like end-to-end secure content paths which a CPU-centric approach simply cannot.

* note that I mean "physical" from the software point of view - i.e. it is in hardware and there is nothing software can do to get around it if it is properly implemented. TrustZone is explicitly not an actual physical security solution - it does not, and is not intended to, offer any protection against determined people taking the packaging off the chip and probing the silicon directly.
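The answer separates three independent mechanisms: execution privilege (USR/SVC, rings), memory protection (MMU page permissions), and world isolation (the NS bit that travels with every bus transaction). The C model below is added here to make that separation concrete; it is not code from the original answer nor ARM's actual MMU/TZASC logic, and the address map and region attributes are constructed, hypothetical values. It walks one access through the checks in the order a transaction meets them, and shows that the most privileged normal-world code is still rejected at the bus, while switching the MMU off removes memory protection but not world isolation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the three checks an access meets on a TrustZone SoC. */
typedef enum { NS_SECURE = 0, NS_NORMAL = 1 } ns_bit_t;   /* NS bit carried on the bus */
typedef enum { MODE_USR, MODE_SVC } cpu_mode_t;           /* execution privilege (ring 3 / ring 0) */
typedef enum { ACCESS_OK, FAULT_MMU_PRIV, FAULT_BUS_SECURE, FAULT_UNMAPPED } result_t;

typedef struct {
    uint32_t base, size;
    bool priv_only;    /* MMU page permission: privileged (SVC) access only */
    bool secure_only;  /* bus-level partition: only NS=0 transactions pass   */
} region_t;

/* Hypothetical address map (constructed for this example). */
static const region_t regions[] = {
    { 0x00000000u, 0x1000u, false, false },  /* normal-world user RAM                 */
    { 0x10000000u, 0x1000u, true,  false },  /* normal-world kernel RAM               */
    { 0x20000000u, 0x1000u, false, true  },  /* secure-world RAM, e.g. a software TPM */
};

result_t check_access(ns_bit_t ns, cpu_mode_t mode, bool mmu_on, uint32_t addr) {
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const region_t *r = &regions[i];
        if (addr < r->base || addr - r->base >= r->size) continue;
        /* 1. Execution privilege is enforced through MMU page permissions.
         *    With the MMU off there is no memory protection, but the processor
         *    modes and the NS bit still exist, as the answer points out. */
        if (mmu_on && r->priv_only && mode == MODE_USR) return FAULT_MMU_PRIV;
        /* 2. World isolation: the NS bit is part of the bus transaction, so even
         *    SVC-mode normal-world code cannot reach a secure-only region. */
        if (r->secure_only && ns == NS_NORMAL) return FAULT_BUS_SECURE;
        return ACCESS_OK;
    }
    return FAULT_UNMAPPED;
}

int main(void) {
    printf("normal SVC -> secure RAM: %d (2 = bus fault)\n",
           check_access(NS_NORMAL, MODE_SVC, true, 0x20000000u));
    printf("secure SVC -> secure RAM: %d (0 = ok)\n",
           check_access(NS_SECURE, MODE_SVC, true, 0x20000000u));
    return 0;
}
```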
