Hardware-assisted Isolated Execution Environment to run trusted OS and applications on RISC-V
1. Hardware-assisted Isolated Execution Environment to run trusted OS and applications on RISC-V
(@MICRO51 RISC-V Workshop)
National Institute of Advanced Industrial Science and Technology(AIST)
Kuniyasu Suzaki, Akira Tsukamoto
2. Contents
• What is HIEE? What is TEE?
• Implementation of Trusted OS on TEE
• Different implementation of TEE hardware
– TEE Differences on ARM Cortex-M, Cortex-A 32, and Cortex-A 64.
– RISC-V’s TEE
– Others (FPGA, GPU, virtualization, etc.)
• IETF's TEEP
• Conclusions
The difference from RISC-V Day Tokyo 2018: that talk gave the software view; this Micro51 workshop talk gives the hardware view.
Slides will be published at https://www.slideshare.net/suzaki
3. HIEE: Hardware-assisted Isolated Execution Environments*
• An HIEE runs important processing that is independent of the OS.
• Current CPUs already have HIEEs. The RISC-V counterpart of each one is given after "⇒".
– SMM: System Management Mode (not programmable by a user)
• Used by BIOS/UEFI for ACPI, etc.
• On RISC-V ⇒ Machine Mode
– Intel's ME: Management Engine (not programmable by a user)
• Runs MINIX. Used for remote wakeup.
• On RISC-V ⇒ ???
– Intel SGX (programmable by a user; used for TEE)
• On RISC-V ⇒ Sanctum (MIT), Keystone (UC Berkeley)
– ARM TrustZone (programmable by a user; used for TEE)
• On RISC-V ⇒ MultiZone (Hex-Five), TEE WG of the RISC-V Foundation
* SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security [HASP16]
4. What is TEE?
• TEE: Trusted Execution Environment.
– A TEE separates the computing world into a "normal" world and a "secure" world.
• The secure world runs critical code (e.g., authentication, DRM, etc.).
– GlobalPlatform defines the TEE specification.
• https://globalplatform.org/technical-committees/trusted-execution-environment-tee-committee/
[Figure: one CPU split into a Secure World (the TEE) and a Normal World (App on Normal OS)]
5. Privileges for TEE
• GlobalPlatform's TEE specification assumes multiple privilege levels in both worlds.
– The normal world runs normal applications on a normal OS (POSIX API).
– The secure world runs trusted applications (TAs) on a trusted OS (GP TEE API).
• ARM TrustZone offers the same privilege levels in the normal and secure worlds.
• Intel SGX has only one privilege level (the enclave).
– An enclave is different from the ring architecture.
[Figure: Normal World: App on Normal OS with the POSIX API; Secure World: Trusted Application (TA) on Trusted OS with the GP TEE API]
6. ARM
Trusted OS on ARM TrustZone
• GlobalPlatform model
[Figure: Secure world (Trusted Applications (TA) on Trusted OS, plus the Secure Monitor) and Normal world (Normal Applications on Normal OS) run on the same cores and share the hardware (NIC, eMMC, UART); memory is either statically or dynamically allocated to a world]
– Exception levels: EL0 (user), EL1 (privileged OS), EL2 (hypervisor), EL3 (secure monitor).
– A world switch goes through the Secure Monitor by the SMC (Secure Monitor Call) instruction.
7. ARM
Trusted OS on ARM TrustZone
• GlobalPlatform model
– Interrupts are also separated (depending on the configuration).
[Figure: the same layout as slide 6 (Secure world with Trusted OS, TAs and Secure Monitor; Normal world with Normal OS and applications; EL0 to EL3; SMC instruction; NIC, eMMC, UART; static and dynamic memory allocation), with FIQ and IRQ lines shown routed separately to the two worlds]
8. Difference of Implementation of Trusted OS
https://www.slideshare.net/linaroorg/arm-trusted-firmareforarmv8alcu13
• Cortex-A 32-bit and 64-bit
[Figure: two trusted OS layouts compared: a layered architecture with a different EL per layer ("security is important") versus running everything at the same EL ("response is important for safety")]
9. Comparing Cortex-A and Cortex-M
• Cortex-A follows the layered architecture of the GlobalPlatform TEE.
• A Cortex-M mode (thread or handler) can be either privileged or unprivileged.
• Cortex-M TrustZone does not provide a monitor mode, because latency is important for safety.
[Figure: Cortex-A and Cortex-M TrustZone layering side by side]
Bernard Ngabonziza, Daniel Martin, Anna Bailey, Haehyun Cho and Sarah Martin, "TrustZone Explained: Architectural Features and Use Cases", IEEE International Conference on Collaboration and Internet Computing (2016)
10. OP-TEE on RISC-V using seL4
• Rahul Mahadev's Google Summer of Code project
• http://mahadevrahul.blogspot.com/
– The TrustZone features and the secure monitor must be implemented as a seL4 library.
– OP-TEE is paravirtualized: all calls that reference ARM Trusted Firmware and the secure monitor are replaced with new calls.
[Figure: on seL4, a VMM hosts the rich OS (Linux) and its App; a library emulates TrustZone; the paravirtualized OP-TEE hosts the TA]
11. MultiZone of Hex-Five
• MultiZone has been announced.
• MultiZone is based on a nanokernel.
– https://hex-five.com/wp-content/uploads/2018/09/hex_five_multizone_datasheet.20180920.pdf
– System requirements
• 32-bit or 64-bit RISC-V ISA with the 'S' or 'U' extension
• Physical Memory Protection (PMP) compliant with version 1.10 of the privileged architecture
• 4 KB of flash and 1 KB of RAM
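The PMP requirement above is what makes zone isolation possible: machine-mode code (the MultiZone nanokernel, or a machine-mode security monitor in a Sanctum/Keystone-style design) reprograms the PMP entries on every zone switch so that S/U-mode code can touch only its own regions. The following C program is an added example written for this page, not Hex-Five's code or any RISC-V implementation: it models the pmpcfg/pmpaddr NAPOT encoding and the PMP access-check rules (lowest-numbered matching entry wins, a partially matched access fails, M-mode bypasses only unlocked entries, S/U-mode is denied when no entry matches) and applies them to a constructed two-zone layout in which a UART is assigned to one zone only. The addresses, sizes, zone layout and function names are assumptions for illustration.

```c
/* Added example (not MultiZone's code): software model of RISC-V PMP
 * (privileged spec v1.10) as a zone-switching nanokernel would use it.
 * Memory map below is constructed for illustration only. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* pmpcfg byte layout: R/W/X permissions, A (address mode) in bits 4:3, L in bit 7 */
#define PMP_R       0x01
#define PMP_W       0x02
#define PMP_X       0x04
#define PMP_A_OFF   (0u << 3)
#define PMP_A_TOR   (1u << 3)
#define PMP_A_NA4   (2u << 3)
#define PMP_A_NAPOT (3u << 3)
#define PMP_L       0x80

typedef struct { uint8_t cfg; uint64_t addr; } pmp_entry_t;

/* Encode a naturally aligned power-of-two region as a NAPOT entry.
 * Rejects bad geometry rather than silently widening the region. */
bool pmp_napot(uint64_t base, uint64_t size, uint8_t perms, bool lock, pmp_entry_t *out)
{
    if (size < 8 || (size & (size - 1)) != 0 || (base & (size - 1)) != 0)
        return false;
    out->addr = (base >> 2) | ((size >> 3) - 1);      /* pmpaddr holds addr[XLEN-1:2] */
    out->cfg  = (uint8_t)((perms & 7) | PMP_A_NAPOT | (lock ? PMP_L : 0));
    return true;
}

/* Decode the [lo, hi) range of one entry; TOR's lower bound is the previous pmpaddr. */
static bool pmp_range(const pmp_entry_t *e, const pmp_entry_t *prev, uint64_t *lo, uint64_t *hi)
{
    switch (e->cfg & 0x18) {
    case PMP_A_OFF: return false;
    case PMP_A_TOR: *lo = prev ? prev->addr << 2 : 0; *hi = e->addr << 2; return *lo < *hi;
    case PMP_A_NA4: *lo = e->addr << 2; *hi = *lo + 4; return true;
    default: {                                          /* NAPOT: size = 2^(trailing ones + 3) */
        uint64_t a = e->addr; int k = 0;
        while (k < 64 && ((a >> k) & 1)) k++;
        *lo = (a & ~((1ull << k) - 1)) << 2;
        *hi = *lo + (8ull << k);
        return true;
    }
    }
}

/* PMP check for an access of `len` bytes at `addr` needing `need` (PMP_R/W/X)
 * from mode 'M', 'S' or 'U'. n is the number of implemented entries. */
bool pmp_check(const pmp_entry_t *pmp, size_t n, uint64_t addr, uint64_t len, uint8_t need, char mode)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t lo, hi;
        if (!pmp_range(&pmp[i], i ? &pmp[i - 1] : NULL, &lo, &hi)) continue;
        bool any = addr < hi && addr + len > lo;
        bool all = addr >= lo && addr + len <= hi;
        if (!any) continue;
        if (!all) return false;                         /* partial match always fails */
        if (mode == 'M' && !(pmp[i].cfg & PMP_L)) return true;  /* unlocked: no M-mode limit */
        return (pmp[i].cfg & need) == need;             /* first match decides */
    }
    return mode == 'M' || n == 0;                       /* S/U default-deny when PMP exists */
}

pmp_entry_t pmp[4];                                     /* model of pmpcfg0/pmpaddr0..3 */

/* Rebuild the table for the zone about to run; unused entries are switched OFF
 * so permissions granted to the previous zone cannot leak across the switch. */
size_t switch_to_zone(int zone)
{
    size_t n = 0;
    for (size_t i = 0; i < 4; i++) { pmp[i].cfg = PMP_A_OFF; pmp[i].addr = 0; }
    pmp_napot(0x80000000, 0x4000, PMP_R | PMP_X, true, &pmp[n++]);  /* kernel text, locked: even M-mode cannot write it */
    if (zone == 1) {
        pmp_napot(0x80010000, 0x10000, PMP_R | PMP_X, false, &pmp[n++]);  /* zone 1 code */
        pmp_napot(0x80020000, 0x10000, PMP_R | PMP_W, false, &pmp[n++]);  /* zone 1 data */
        pmp_napot(0x10000000, 0x1000,  PMP_R | PMP_W, false, &pmp[n++]);  /* UART: zone 1 only */
    } else {
        pmp_napot(0x80030000, 0x10000, PMP_R | PMP_X, false, &pmp[n++]);  /* zone 2 code */
        pmp_napot(0x80040000, 0x10000, PMP_R | PMP_W, false, &pmp[n++]);  /* zone 2 data */
    }
    return n;
}

/* Would the currently configured zone, running in U-mode, be allowed this access? */
bool zone_allows(uint64_t addr, uint64_t len, uint8_t need)
{
    return pmp_check(pmp, 4, addr, len, need, 'U');
}

int main(void)
{
    switch_to_zone(1);
    printf("zone1 write own data : %d\n", zone_allows(0x80020000, 4, PMP_W));
    printf("zone1 read zone2 data: %d\n", zone_allows(0x80040000, 4, PMP_R));
    printf("zone1 straddle region: %d\n", zone_allows(0x8001FFFC, 8, PMP_R));
    return 0;
}
```

On real hardware the computed cfg and addr values are written from M-mode to the pmpcfg0 and pmpaddrN CSRs on each zone switch; the model here lets a layout's policy be checked before it is flashed, including the edge cases that bite in practice: an access that straddles a region boundary is refused even though both halves are readable, and a locked entry constrains M-mode as well as the zones.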
12. Sanctum [USENIX Sec'16]
• Figure of the software stack
– Enclaves are created in user mode.
– A security monitor in machine mode helps create enclaves securely.
https://www.usenix.org/sites/default/files/conference/protected-files/security16_slides_costan.pdf
13. Other Implementation of TEE
• Hardware
– FPGA TEE “Iso-X” (SUNY at Binghamton) [Micro47 2014]
– GPU TEE “Graviton” (Microsoft Research) [OSDI’18]
• Requires NVIDIA GPU extension
• Software
– TrustZone virtualization “vTZ” (Shanghai Jiao Tong University) [USENIX Sec’17]
• Virtualize TrustZone for VMs
– TEE delegation “DelegaTEE” (ETH Zurich) [USENIX Sec’18]
• DelegaTEE is implemented by Intel SGX
– TEE Migration (INRIA) [IFIP WISTP’15]
• privacy-preserving TEE profile migration protocol
14. IETF's TEEP
• Trusted Execution Environment Provisioning
– https://datatracker.ietf.org/wg/teep/about/
– A protocol to manage TAs (Trusted Applications).
• The TAM (Trusted Application Manager) controls the life cycle of a TA (create, update, and delete).
• The TEE's API (provided by the trusted OS) is important.
15. Conclusions
• RISC-V TEEs from the view of hardware.
• Hardware TEEs have many implementations, and software implementations follow them.
• We must evaluate the security cost against the assets being protected.
See RISC-V Day Tokyo 2018 for the software view.
Slides of RISC-V Day Tokyo 2018 and the Micro51 RISC-V workshop will be published at
https://www.slideshare.net/suzaki