How to Introspect normal world from secure world using TrustZone?

I have learned that secure world can protect critical data from being accessed by normal world. What I don't understand is how I measure the integrity of normal world from secure world.

I find some relevant work in the Samsung TZ-RKP and SierraTEE, in which they both implement a feature that could measure the integrity of normal world. But they didn't give technical details. I have two questions and I'd appreciate it very much if anyone could give me some clues.

  1. Suppose I want to see what processes are running in the normal world, do I have to use a kernel module in the normal world to help me do this? If so, how do I make sure that it has passed the right result to the secure world? To be precise, how do I check whether the kernel has been compromised?

  2. Suppose I have an RSA key pair and I keep the private key in the secure world. When a process requests to decrypt some data, how does secure world get to know whether the request is from a legislative process? A whitelist mechanism might help, but what if the kernel in normal world has been compromised and the adversary pretends to be legislative? The secure world seems to know nothing about what is happening in the normal world.

Even if it can be sure that it is from a legislative process and it decrypts the data using the private key, the decrypted data would still be returned back to the normal world region somehow (i.e. shared memory) and the decrypted data could still be leaked. So what is the point of keeping a private key in secure world?

BTW, I'm using an armv8 board.

Thanks in advance. It would be great if you could provide me with some examples.

TrustZone is not by itself a security system. You have to engineer that. Also, there are many different types of security. For instance, you are assuming a software attack, yet there are many physical attacks against a system (like I guess you describe). Something must be a trusted computing base (TCB), i.e. some code that you assume cannot be compromised. A normal world kernel is probably too large to be part of the TCB, yet it can be a good first line of defence. An exploit against it is only a privilege elevation from user to supervisor. Your TrustZone API should expect untrusted data (i.e. the normal world kernel trying buffer overflows, API misuse, etc.).

The key point here is that TZASC and other bus peripherals can grant access for the secure world to read/write normal world memory. You would have to verify MMU tables and other data structures for the case of a full-blown OS like Linux. Module loading, processes running, etc. all need verification. However, if you have a much simpler system in the normal world it may be possible to verify it. Most likely you have to settle for a portion of it. Random sampling of the PC might be a deterrent; but nothing will be fool-proof unless the normal world is proof-carrying code.

  1. Suppose I want to see what processes are running in the normal world, do I have to use a kernel module in the normal world to help me do this? If so, how do I make sure that it has passed the right result to the secure world? To be precise, how do I check whether the kernel has been compromised?

Your secure world can contain an OS (or primitive scheduler) which will periodically check the normal world code integrity. There are hardware modules like an RTIC, etc. You can also use the TZASC to lock the kernel code to normal user (no access) and normal supervisor as read-only. Compromised is an overloaded word. At some point you must trust something. Can the private key be replicated if the normal super is compromised? You have to define your security goals. In the 'any' sense/meaning, of course the normal world kernel can be compromised. You don't have a complete specification of its behaviour to verify from the secure world.

  2. Suppose I have an RSA key pair and I keep the private key in the secure world. When a process requests to decrypt some data, how does secure world get to know whether the request is from a legislative process? A whitelist mechanism might help, but what if the kernel in normal world has been compromised and the adversary pretends to be legislative? The secure world seems to know nothing about what is happening in the normal world.

Your secure world probably has to have some co-operation from the encrypting entity. You could limit the amount of decrypts without some form of verification, for instance. It seems that the most valuable thing is the private RSA key. If you allow the normal world to request decryption, then that is your issue and not TrustZone's? You have to handle this using normal mechanisms with cryptography and unknown/untrusted hosts. Is the RSA key pair global or per device? Do you support revocation, etc.? It is in your system, and TrustZone is only part of it.
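Two points from the answer above, the secure-world API treating normal-world input as untrusted and the secure-world scheduler periodically re-measuring the normal-world kernel text, as an added example that is not part of the original answer. The address map, the simulated RAM window and the helper names (nw_range_ok, tcb_seal_kernel_text, tcb_check_kernel_text, sim_*) are all constructed for this illustration; a real secure world would read the physical range the TZASC exposes and would use a cryptographic hash instead of the FNV-1a placeholder.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed address map for the simulation, not any real board: a normal-world RAM window
 * and the kernel .text region inside it. Both are shrunk so the code runs on a host. */
#define NW_RAM_BASE   0x80000000ULL
#define NW_RAM_SIZE   0x100000ULL     /* 1 MiB simulated normal-world RAM */
#define NW_KTEXT_BASE 0x80080000ULL
#define NW_KTEXT_LEN  0x400ULL

/* Simulated normal-world RAM. In a real secure world this is the physical range that the
 * TZASC lets secure software read and that it denies normal-world supervisor writes to. */
static uint8_t nw_ram[NW_RAM_SIZE];

static uint8_t *nw_ptr(uint64_t pa) { return nw_ram + (pa - NW_RAM_BASE); }

/* Validate an untrusted, normal-world supplied buffer descriptor before touching it:
 * non-zero length, no wrap-around, and entirely inside normal-world RAM. */
bool nw_range_ok(uint64_t pa, uint64_t len) {
    if (len == 0 || pa + len < pa) return false;
    return pa >= NW_RAM_BASE && pa + len <= NW_RAM_BASE + NW_RAM_SIZE;
}

/* FNV-1a 64-bit: a placeholder measurement so the example stays short. A real TCB would
 * use a cryptographic hash such as SHA-256 here. */
static uint64_t measure(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

static uint64_t golden_ktext; /* reference measurement, taken once by the secure world */

/* Take the golden measurement after secure boot has verified the kernel image and
 * before the normal world first runs; the secure world is the only writer of the value. */
void tcb_seal_kernel_text(void) { golden_ktext = measure(nw_ptr(NW_KTEXT_BASE), NW_KTEXT_LEN); }

/* Periodic check from the secure-world scheduler: re-measure the kernel text and compare. */
bool tcb_check_kernel_text(void) { return measure(nw_ptr(NW_KTEXT_BASE), NW_KTEXT_LEN) == golden_ktext; }

/* Simulation only: fill the kernel text region with constructed bytes (stands in for loading). */
void sim_load_kernel_text(uint8_t seed) {
    for (uint64_t i = 0; i < NW_KTEXT_LEN; i++) nw_ptr(NW_KTEXT_BASE)[i] = (uint8_t)(seed + i * 7);
}

/* Simulation only: emulate a normal-world write into kernel text, e.g. a hooked syscall entry. */
void sim_patch_kernel_text(uint64_t off, uint8_t byte) { nw_ptr(NW_KTEXT_BASE)[off] = byte; }
```

The check only detects changes inside the measured region; a compromise that leaves the kernel text intact (data-only changes, altered page tables) needs the MMU-table and data-structure verification the answer mentions.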
