
I am just reading this document from ARM on TrustZone and some things are unclear to me.

The fact that a Hypervisor offers a special CPU mode and that for TrustZone the processor comes with an extra 33rd bit: isn't a mode also a particular bit setting? How then is an extra bit making all that difference in terms of security? I do understand that the extra bit makes way for two separate 32-bit address spaces, but apart from that I am unable to put two and two together. Can someone clearly explain why TrustZone is more secure than a Hypervisor?

user489152

2 Answers


A typical Hypervisor is limited to the CPU only. It does not protect against other DMA masters. See the Wikipedia DMA Attack web page for more on this. Other attacks, such as a cold boot, need other mechanisms such as zeroizable memory to prevent exploitation. That is, TrustZone is not a total security solution, but a big part of it. As the ARM is only a CPU, the mechanism to control the other BUS Masters is unspecified. Besides DMA Masters, alternate CPUs also pose a threat to memory partitioning. To address this, some secondary CPUs are TrustZone aware. I.e., they will always tag transactions with an NS bit (the 33rd bit).

In contrast, a Hypervisor is rarely limited to two worlds. Hypervisors host any number of OSes. TrustZone only has two worlds: secure and normal. Although each world can have a controlling supervisor OS, with as many separate threads, tasks, or processes as the OS permits.

DMA Attack explanation: In contrast to a hardware bit, a Hypervisor usually uses the CPU's MMU to limit software access. This doesn't prevent alternative BUS Masters from getting at the memory. If Hypervisor-restricted software can control a separate BUS master, then it can grab memory that is to be protected. DMA uses physical addresses and bypasses the MMU, and so general Hypervisor protection.

The DMA Attack circumvents CPU protection by using something outside the CPU to access memory. With TrustZone, the protection is NOT in the CPU, but in the BUS controller. See NIC301 for a sample. An ARM TrustZone CPU just allows the CPU to support four modes: secure supervisor, secure user, normal supervisor and normal user. A normal ARM CPU only supports user and supervisor separation, with all hosted OSes of a hypervisor running in user mode; typically all DMA peripherals run with supervisor privilege and the value is often hard-coded in the SoC.


Update: The original question did not include IOMMU.

Type   | Merits
-------|--------------------------------------------------------------
TZ     | Bus switch, mitigates masters and peripherals
HV     | No DMA mitigation, single master (CPU)
IOMMU  | IOMMU is a slave mitigation, requiring updates on 'world switch'

The Hypervisor + IOMMU can accomplish some protection against DMA attacks. However, it means on a 'world switch' the IOMMU table must be updated. This will prevent DMA attacks against that peripheral. Every peripheral that needs this protection requires an IOMMU.

There can be instances where a 'normal world' device might access a secure device to perform a 'secure operation'. For example, requesting a decryption of data without access to the keys.

The hypervisor + IOMMU is not equivalent to TrustZone. TrustZone is protection by the bus matrix and includes all peripherals and masters. Masters can be in either world state; i.e., on a multi-CPU system one can be in normal and another in secure. Meaning computations can take place in both. The HV+IOMMU solution is equivalent to pre-emptive multi-tasking. The IOMMU must be switched as the system enters that mode.

Again, the weakness of TZ is only two 'worlds' are supported. The HV+IOMMU can support several 'guests'.

artless noise
  • artless noise: So the extra bit is also a control signal for the buses and therefore nullifying DMA attacks for the TrustZone based solution as opposed to using a Hypervisor, isn't it? – user489152 Jul 09 '13 at 11:22
  • Yes, that is the major difference. For multiple CPUs, it also has an advantage of one centralized place to restrict access so it is simpler. It is not impossible to do with a Hypervisor; just each untrusted hosted-OS must have no DMA peripherals that can access critical memory; easier said than done. – artless noise Jul 09 '13 at 13:39
  • Thank you artless noise. Your explanation is simple and very clear. Do you have any online articles on this topic? Or have you written any FAQ on this topic that I can refer to? If not, please do!! – user489152 Jul 11 '13 at 07:31
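Added example (not from the answer, and not ARM's or any SoC vendor's code) modelling the two protection points the answer contrasts: a TrustZone-style bus decoder that checks the NS bit on every transaction regardless of which master issued it, versus a hypervisor that only filters CPU accesses through the MMU, so a DMA master is never checked at all. The memory map, the region addresses and the function names are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a bus address decoder (NIC301/TZASC-like) versus a
 * CPU-MMU-only check. Regions and addresses are constructed examples. */
typedef struct { uint32_t base, size; bool secure_only; } region_t;

/* Constructed memory map: secure key store, then normal-world RAM. */
static const region_t regions[] = {
    { 0x10000000u, 0x00100000u, true  },   /* secure-only: key material */
    { 0x20000000u, 0x10000000u, false },   /* normal-world RAM */
};
#define NREGIONS (sizeof regions / sizeof regions[0])

/* TrustZone model: every transaction carries the NS bit (the "33rd bit").
 * The bus matrix compares it with the region attribute; the CPU MMU is not
 * involved, so a DMA master is filtered exactly like the CPU. */
bool tz_bus_allows(bool ns_bit, uint32_t addr) {
    for (size_t i = 0; i < NREGIONS; i++) {
        const region_t *r = &regions[i];
        if (addr - r->base < r->size)            /* unsigned wrap: in range */
            return !(r->secure_only && ns_bit);  /* NS=1 may not touch secure */
    }
    return false;                                /* unmapped address: abort */
}

/* Hypervisor-only model: the MMU is consulted only for CPU-initiated
 * accesses. A DMA master uses physical addresses and bypasses the MMU. */
bool hv_mmu_allows(bool from_cpu, bool guest_may_see_secure, uint32_t addr) {
    if (!from_cpu) return true;                  /* DMA is never checked */
    for (size_t i = 0; i < NREGIONS; i++) {
        const region_t *r = &regions[i];
        if (addr - r->base < r->size)
            return !r->secure_only || guest_may_see_secure;
    }
    return false;
}

int main(void) {
    uint32_t key = 0x10000010u;                  /* inside the secure region */
    printf("TZ: normal-world DMA -> keys: %s\n", tz_bus_allows(true, key) ? "allowed" : "denied");
    printf("TZ: secure-world CPU -> keys: %s\n", tz_bus_allows(false, key) ? "allowed" : "denied");
    printf("HV: guest CPU        -> keys: %s\n", hv_mmu_allows(true, false, key) ? "allowed" : "denied");
    printf("HV: guest's DMA      -> keys: %s\n", hv_mmu_allows(false, false, key) ? "allowed (DMA attack)" : "denied");
    return 0;
}
```

The last line is the answer's point: the guest CPU is blocked by the MMU, but a DMA engine the guest controls reaches the same physical address unchecked, while the bus-level NS check denies it.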

Using IOMMU on Intel and SystemMMU on ARM, DMA attacks can be circumvented at least to a broad extent. One of the main differences between a TrustZone based and a hypervisor based system security is that hypervisors protect the system at a page granularity, typically by modifying the CPU MMU and adding peripheral MMUs (IOMMU, SystemMMU), while in a TrustZone based system each single transaction (access) is marked as secure or non-secure (through an additional bus address line, the 33rd bit), thus providing security at a finer granularity, typically at the processor word-size level.

Mazen Ezzeddine
  • The point about 'transaction' size is pragmatically true. However, there is nothing to prevent someone from lowering IOMMU granularity. Also some TrustZone elements such as the TZASC are much like an IOMMU and only partition large portions of memory. As TZ bakes this into the hardware, it can **not** support multiple guests. – artless noise Feb 06 '22 at 16:07