TrustZone versus Hypervisor

2019-01-18 17:16发布

问题:

I am just reading this document from ARM on TrustZone and some things are unclear to me.

The fact that a Hypervisor offers a special CPU mode and that for the TrustZone, the processor comes with an extra 33rd bit: Isn't mode also a particular bit setting? How is then an extra bit making all that difference in terms of security. I do understand that the extra bit makes way for two separate 32 bit address spacing, but apart from that I am unable to put two and two together. Can someone clearly explain why TrustZone is more secure than a Hypervisor??

回答1:

A typical Hypervisor is limited to the CPU only. It does not protect against other DMA masters. See the Wikipedia DMA Attack web page for more on this. Other attack, such as a Cold boot, need other mechanism such as zeroizable memory to prevent exploitation. That is TrustZone is not a total security solution, but a big part of it. As the ARM is only a CPU, the mechanism to control the other BUS Masters is unspecified. Besides DMA Masters, alternate CPUs also pose a threat to memory partitioning. To address this, some secondary CPUs are TrustZone aware. Ie, they will always tag transactions with an NS bit (the 33rd bit).

In contrast, a Hypervisor is rarely limited to two worlds. Hypervisors host any number of OS's. TrustZone only has two worlds; secure and normal. Although each world can have a controlling supervisor OS, with many seperate threads, tasks, or processes as the OS permits.

DMA Attack explanation: In contrast to a hardware bit, a Hypervisor usually uses the CPUs MMU to limit software access. This doesn't prevent alternative BUS Masters from getting at the memory. If Hypervisor restricted software can control a separate BUS masters, then they can grab memory that is to be protected. DMA uses physical addresses and by passes the MMU and so general Hypervisor protection.

The DMA Attack circumvents CPU protection by using something outside the CPU to access memory. With TrustZone, the protection is NOT in the CPU, but in the BUS controller.See: NIC301 for a sample An ARM TrustZone CPU just allows the CPU to support four modes; secure supervisor, secure user, normal supervisor and normal user. An normal ARM CPU only supports user and supervisor separation with all hosted OS's of a hypervisor running in user mode; typically all DMA peripherals run with supervisor privileged and the value is often hard-coded in the SOC.



回答2:

Using IOMMU on Intel and SystemMMU on ARM DMA attacks can be circumvented at least to abroad extent. One of the main differences between a TrustZone based and hypervisor based system security is that hypervisors protect the system at a page granularity typically by modifying the CPU MMU and adding periheral MMUs (IOMMU, SystemMMU)

while in a trustZone based systems each single transaction (access) is marked as secure or non-secure (througth a an additional bus address line 33th bit), thus providing security at finer granularity typically at the processor word-size level.