Title: 基於KVM Hypervisor虛擬化Arm TrustZone (Virtualizing Arm TrustZone on a KVM-based Hypervisor)
Authors: 林俊諺 (Chun-Yen Lin)
Advisor: 黎士瑋 (Shih-Wei Li)
Keywords: KVM, TrustZone, Virtualization, Arm
Publication Year: 2024
Degree: Master's
Abstract (translated from Chinese): Arm TrustZone is a hardware security technology that partitions the CPU's execution environment into a Normal World and a Secure World, so that more sensitive operations (such as encryption and authentication) can run in the Secure World, isolated from the more easily attacked Normal World. Although TrustZone is widely deployed on physical hardware, it still offers no virtualization support and cannot be used directly inside a virtual machine (VM); as a result, users who run VMs on the most widely used Linux KVM hypervisor cannot use TrustZone features to protect their systems. To address this limitation, we extended KVM to support TrustZone virtualization and expose it to VMs. We use trap-and-emulate to redirect sensitive instructions to KVM, where they are emulated. We also developed a new technique, exception-level multiplexing, which safely lets TrustZone software run natively on existing Arm hardware inside a VM. In addition, building on the TrustZone hardware model in QEMU, we created a virtual secure memory region and mapped secure I/O onto it. Our virtualized TrustZone supports OP-TEE, a trusted execution environment (TEE) that requires Arm TrustZone, and allows OP-TEE to run TrustZone software, including trusted applications (TAs), the TEE kernel and the secure monitor, on our virtual TrustZone inside a VM. Finally, we measured performance: OP-TEE secure applications running on our KVM-virtualized TrustZone perform about ten times better than OP-TEE running on a QEMU virtual machine.
Abstract (English): Arm TrustZone technology provides two distinct CPU execution environments: the Normal and the Secure World. Arm enforces resource isolation of the two worlds, ensuring that security-critical operations, such as encryption and authentication, can be executed in the Secure World and thus isolated from the potentially compromised Normal World that hosts a comprehensive software environment. Although TrustZone is widely deployed on physical hardware, it is unavailable to virtual machines (VMs). Notably, users who run VMs on the popular Linux KVM hypervisor cannot leverage TrustZone features to secure their systems. To address this limitation, we have extended KVM to expose a virtual TrustZone to VMs. We leverage trap-and-emulate to virtualize sensitive TrustZone operations while introducing exception-level multiplexing, a novel technique that safely enables native execution of TrustZone software on the existing Arm hardware in the VM environment. Our implementation builds on the current TrustZone hardware abstraction in QEMU that exposes a virtualized secure memory and IO devices. Our resulting KVM prototype supports OP-TEE, a de-facto open-source TEE implementation for Arm TrustZone, allowing a comprehensive software environment for OP-TEE that encompasses Trusted Applications (TAs), the TEE kernel, and the secure monitor to execute in a virtualized TrustZone on a VM. Performance evaluation of the OP-TEE prototype running on a virtualized TrustZone in the VM on our KVM prototype shows that it outperforms OP-TEE running on a QEMU-hosted VM by 10 times.
URI: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/96715
DOI: 10.6342/NTU202404660
Fulltext Rights: Authorized (open access worldwide)
Embargo lift date: 2025-02-22
Appears in Collections: Department of Computer Science and Information Engineering

Files in This Item:
File: ntu-113-1.pdf   Size: 2.98 MB   Format: Adobe PDF