TrustZone versus Hypervisor


Question

I am just reading this document from ARM on TrustZone and some things are unclear to me.

The fact that a Hypervisor offers a special CPU mode and that for the TrustZone, the processor comes with an extra 33rd bit: Isn't mode also a particular bit setting? How is then an extra bit making all that difference in terms of security? I do understand that the extra bit makes way for two separate 32-bit address spaces, but apart from that I am unable to put two and two together. Can someone clearly explain why TrustZone is more secure than a Hypervisor?

Answer

A typical Hypervisor is limited to the CPU only. It does not protect against other DMA masters. See the Wikipedia DMA Attack web page for more on this. Other attacks, such as a Cold boot, need other mechanisms such as zeroizable memory to prevent exploitation. That is, TrustZone is not a total security solution, but a big part of it. As the ARM is only a CPU, the mechanism to control the other BUS Masters is unspecified. Besides DMA Masters, alternate CPUs also pose a threat to memory partitioning. To address this, some secondary CPUs are TrustZone aware. I.e., they will always tag transactions with an NS bit (the 33rd bit).

In contrast, a Hypervisor is rarely limited to two worlds. Hypervisors host any number of OS's. TrustZone only has two worlds: secure and normal. Although each world can have a controlling supervisor OS, with many separate threads, tasks, or processes as the OS permits.

DMA Attack explanation: In contrast to a hardware bit, a Hypervisor usually uses the CPU's MMU to limit software access. This doesn't prevent alternative BUS Masters from getting at the memory. If Hypervisor-restricted software can control a separate BUS master, then it can grab memory that is to be protected. DMA uses physical addresses and bypasses the MMU, and so general Hypervisor protection.

The DMA Attack circumvents CPU protection by using something outside the CPU to access memory. With TrustZone, the protection is NOT in the CPU, but in the BUS controller. See: NIC301 for a sample. An ARM TrustZone CPU just allows the CPU to support four modes: secure supervisor, secure user, normal supervisor and normal user. A normal ARM CPU only supports user and supervisor separation, with all hosted OS's of a hypervisor running in user mode; typically all DMA peripherals run with supervisor privilege and the value is often hard-coded in the SOC.
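The following is an added illustration, not code from the answer or from any ARM product: a toy model of the two protection points the answer contrasts. A hypervisor-style MMU check is only consulted for CPU-originated accesses, so a DMA master presenting a physical address is never checked; a TrustZone-style bus filter instead checks the NS tag (the 33rd bit) on every transaction, whichever master issued it. Region addresses, master names and the `probe` helper are constructed for the example.

```python
from dataclasses import dataclass

SECURE = 0       # NS bit clear: transaction issued on behalf of the secure world
NON_SECURE = 1   # NS bit set: transaction issued on behalf of the normal world


@dataclass(frozen=True)
class Transaction:
    """One bus transaction: who issued it, the 32-bit physical address, and the NS tag."""
    master: str   # "cpu" or the name of a DMA master (constructed labels)
    addr: int
    ns: int


def _in_ranges(addr, ranges):
    return any(lo <= addr < hi for lo, hi in ranges)


class HypervisorMMU:
    """Hypervisor-style protection: the MMU/page tables are only in the path of CPU accesses.
    Guests run in user mode and the hypervisor simply leaves protected memory unmapped."""
    def __init__(self, protected):
        self.protected = protected   # physical ranges hidden from guests

    def allow(self, t):
        if t.master != "cpu":
            return True              # DMA masters use physical addresses; the MMU never sees them
        return not _in_ranges(t.addr, self.protected)


class TZBusFilter:
    """TrustZone-style protection at the bus controller: every master's transaction carries
    an NS tag, and a secure region rejects any transaction tagged non-secure."""
    def __init__(self, secure_regions):
        self.secure_regions = secure_regions

    def allow(self, t):
        return not (_in_ranges(t.addr, self.secure_regions) and t.ns == NON_SECURE)


# Constructed: a buffer the secure world wants to keep away from the normal world.
KEY_REGION = (0x8000_0000, 0x8001_0000)


def probe(bus_filter, master, ns, addr=0x8000_0100):
    """Return True if the given master, with the given NS tag, can reach addr."""
    return bus_filter.allow(Transaction(master, addr, ns))
```

Running `probe(HypervisorMMU([KEY_REGION]), "dma0", NON_SECURE)` shows the DMA bypass the answer describes, while the same call against `TZBusFilter([KEY_REGION])` is refused unless the master is TrustZone-aware and tags the transaction as secure.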
