Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
910 views
in Technique[技术] by (71.8m points)

security - TrustZone versus Hypervisor

I am just reading this document from ARM on TrustZone and some things are unclear to me.

The fact that a Hypervisor offers a special CPU mode and that for the TrustZone, the processor comes with an extra 33rd bit: Isn't mode also a particular bit setting? How is then an extra bit making all that difference in terms of security. I do understand that the extra bit makes way for two separate 32 bit address spacing, but apart from that I am unable to put two and two together. Can someone clearly explain why TrustZone is more secure than a Hypervisor??

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

A typical Hypervisor is limited to the CPU only. It does not protect against other DMA masters. See the Wikipedia DMA Attack web page for more on this. Other attack, such as a Cold boot, need other mechanism such as zeroizable memory to prevent exploitation. That is TrustZone is not a total security solution, but a big part of it. As the ARM is only a CPU, the mechanism to control the other BUS Masters is unspecified. Besides DMA Masters, alternate CPUs also pose a threat to memory partitioning. To address this, some secondary CPUs are TrustZone aware. Ie, they will always tag transactions with an NS bit (the 33rd bit).

In contrast, a Hypervisor is rarely limited to two worlds. Hypervisors host any number of OS's. TrustZone only has two worlds; secure and normal. Although each world can have a controlling supervisor OS, with many seperate threads, tasks, or processes as the OS permits.

DMA Attack explanation: In contrast to a hardware bit, a Hypervisor usually uses the CPUs MMU to limit software access. This doesn't prevent alternative BUS Masters from getting at the memory. If Hypervisor restricted software can control a separate BUS masters, then they can grab memory that is to be protected. DMA uses physical addresses and by passes the MMU and so general Hypervisor protection.

The DMA Attack circumvents CPU protection by using something outside the CPU to access memory. With TrustZone, the protection is NOT in the CPU, but in the BUS controller.See: NIC301 for a sample An ARM TrustZone CPU just allows the CPU to support four modes; secure supervisor, secure user, normal supervisor and normal user. An normal ARM CPU only supports user and supervisor separation with all hosted OS's of a hypervisor running in user mode; typically all DMA peripherals run with supervisor privileged and the value is often hard-coded in the SOC.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...