
I would like to ask some questions about ARM TrustZone.

1.) Can anyone give me a concrete example: when is TrustZone needed and how does it help to solve security problems?

2.) I heard that FIQs could be configured as "secure interrupts". Does it mean that my FIQ handlers will be situated in the secure world?

3.) When is this FIQ secure / non-secure configuration done? I think the answer is somewhere in the GIC registers. Could I read these registers to be sure about the secure / non-secure FIQ configuration?

Thanks.

Alex Hoppus
  • Can you pare your list from what is in [Handling ARM TrustZones](http://stackoverflow.com/questions/12334069/handling-arm-trustzones)? Specifically, I think it has answers to point one. There are various other questions on TrustZone interrupts and another answer could be given on the configuration options and performance implications, etc. Also, why tagged with 'linux-kernel'? – artless noise Oct 14 '14 at 16:34
  • I thought there could be some GIC configuration steps during kernel booting which are related to secure / non-secure FIQ configuration. – Alex Hoppus Oct 14 '14 at 18:09
  • The Linux GIC driver is specifically written to avoid **secure-only** registers. It will work in either the secure or the normal world (at least with the latest mainline); some random Linux kernel may be different. I would add that to the question or remove the tag. I think your question would be better if it only focused on TrustZone interrupts and maybe the GIC specifically; personally I don't know of other TrustZone-aware interrupt controllers. – artless noise Oct 14 '14 at 18:11
  • I saw this before http://stackoverflow.com/questions/12334069/handling-arm-trustzones but it is not about my question 1. Maybe my English is not good enough, but I will try to explain it another way. In 1 I tried to ask about use cases, concrete examples - what happens and when during the use of these secure calls. I don't see the whole picture of how this security technology works. How could it be used? I think a good description of a real-life example could be helpful here ... – Alex Hoppus Oct 14 '14 at 18:39
  • Well, that question is probably **too broad**. Your question is like *How do you use SE-linux (security enhanced)?* There are many answers and mechanisms. Like *How do you use an MMU?* Other people have flagged your question as **too broad** and this aspect of it I would have to agree is very broad. I do understand you; there are many uses for security. Your best read is [ARM's TrustZone Whitepaper](http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf) for an overview. – artless noise Oct 14 '14 at 19:12

1 Answer

  1. It provides an additional level of privilege separation, extended into the interconnect, permitting some other software to run more privileged than (and hence protected from) the main operating system.

  2. If you configure Secure interrupts to be delivered as FIQs to Secure world, then the Secure world exception vector table is the one that is used.

  3. Whenever you feel like, but generally as part of a Secure OS startup. You can read these registers from Secure world - the Secure registers are not readable from Normal world.

The GIC architecture specification can be downloaded (with registration) from http://infocenter.arm.com/help/topic/com.arm.doc.ihi0048b/index.html

unixsmurf
  • 1) This software (including the secure OS) is something that comes with the board and can't be changed at any cost? – Alex Hoppus Oct 14 '14 at 04:23
  • That would depend on the board. If there is going to be any real value to the security, then there needs to be some sort of chain-of-trust authentication of the software loaded, with some minimal component being fixed in ROM. – unixsmurf Oct 14 '14 at 08:14
  • I read a lot like 1, but please can you give a concrete real-life example of how security for a particular case is ensured. Can you give a more concrete answer on 1? Thank you. – Alex Hoppus Oct 14 '14 at 13:32
  • Basically, it is to your operating system what your operating system is to your application. It lets you, for example, have cryptographic keys stored somewhere that cannot be directly accessed if your main operating system is compromised. – unixsmurf Oct 14 '14 at 15:44
  • Okay, I will share with you my interpretation of your answer; can you please confirm it or not. For example, in SSH we have a private key, which could be placed in TrustZone with software which decrypts some data using this key. When data arrives, we copy this data to the secure world (if yes, how is it done?) and decrypt it using the secure software. Because of hardware protection, the private key couldn't be accessed directly by any software, including kernel code. – Alex Hoppus Oct 14 '14 at 18:54
  • Correct. Although because the operation takes place within the same processor, there is no need for copying - secure world can read the Normal world's buffers directly and write directly to Non-secure output buffers. – unixsmurf Oct 14 '14 at 19:03
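The register-level side of the answer's points 2 and 3, as an added example that is not part of the question, the answer, or any ARM or Linux code: a C model of the GICv2 registers that make an interrupt Secure (Group 0) and have Group 0 signalled as FIQ, plus the read-back check the question asks about. The two arrays standing in for the memory-mapped Distributor and CPU interface are constructed for the demo; on hardware they would be the SoC's GICD/GICC base addresses, and the check only tells the truth when run from Secure world, since the Group 0 fields are Secure-access only.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
/* GICv2 register offsets and bits, from the GIC architecture spec (IHI0048B). */
#define GICD_CTLR       0x000  /* Secure copy: bit 0 EnableGrp0, bit 1 EnableGrp1 */
#define GICD_IGROUPR    0x080  /* one bit per interrupt: 0 = Group 0 (Secure)    */
#define GICD_ISENABLER  0x100  /* set-enable, one bit per interrupt              */
#define GICC_CTLR       0x000  /* Secure copy: bit 0 EnableGrp0, bit 3 FIQEn     */
#define ENABLEGRP0      (1u << 0)
#define ENABLEGRP1      (1u << 1)
#define FIQEN           (1u << 3)

/* Constructed arrays standing in for the memory-mapped Distributor and CPU
 * interface; on hardware these are the SoC's GICD/GICC base addresses. */
static uint32_t gicd[0x1000 / 4];
static uint32_t gicc[0x100 / 4];
static uint32_t *reg(uint32_t *base, uint32_t off) { return &base[off / 4]; }

/* Starting state a Normal-world OS expects: every interrupt in Group 1. */
void all_interrupts_group1(void)
{
    memset(gicd, 0, sizeof gicd);
    memset(gicc, 0, sizeof gicc);
    memset(reg(gicd, GICD_IGROUPR), 0xff, 32 * sizeof(uint32_t));
    *reg(gicd, GICD_CTLR) = ENABLEGRP1;
    *reg(gicc, GICC_CTLR) = ENABLEGRP1;
}

/* Secure OS startup step: make `irq` Group 0, enable it, and have Group 0
 * signalled as FIQ. Routing that FIQ to the Secure vector table is a separate
 * CP15 SCR setting made by the Secure monitor, not modelled here. */
void secure_configure_fiq(unsigned irq)
{
    *reg(gicd, GICD_IGROUPR + 4 * (irq / 32)) &= ~(1u << (irq % 32));
    *reg(gicd, GICD_ISENABLER + 4 * (irq / 32)) = 1u << (irq % 32);
    *reg(gicd, GICD_CTLR) |= ENABLEGRP0;
    *reg(gicc, GICC_CTLR) |= ENABLEGRP0 | FIQEN;
}

/* The read-back asked for in question 3. Only meaningful from Secure world:
 * the Group 0 fields are Secure-access only, as the answer notes. */
bool irq_is_secure_fiq(unsigned irq)
{
    uint32_t grp = *reg(gicd, GICD_IGROUPR + 4 * (irq / 32));
    bool group0 = ((grp >> (irq % 32)) & 1u) == 0;
    bool grp0_enabled = (*reg(gicd, GICD_CTLR) & ENABLEGRP0) &&
                        (*reg(gicc, GICC_CTLR) & ENABLEGRP0);
    bool fiq = (*reg(gicc, GICC_CTLR) & FIQEN) != 0;
    return group0 && grp0_enabled && fiq;
}
```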