TrustZone

References:

Normal world vs Secure World:

  • Embedded OS vs Secure OS
  • Context switch

    • The normal world uses the SMC (secure monitor call) instruction to call into the secure world; this raises an exception into monitor mode (the TrustZone kernel).
  • Non-secure (NS) bit in the Secure Configuration Register;

  • Non-secure bit on main memory;

To use

  • re-implement a secure world.

Usage examples

References:

  • Dan Rosenberg, Reflections on Trusting TrustZone

  • DRM (WideVine, PlayReady, DTCP-IP)

  • Secure key storage (dm-verity)

  • Mobile payments

  • Protected hardware (framebuffer, PIN entry)

  • Management of secure boot (via QFuses)

  • Kernel integrity monitoring (TIMA)

Single point of failure in QSEE

In Qualcomm's implementation, the Qualcomm Secure Execution Environment (QSEE), the following vulnerabilities have been used to compromise TrustZone:

  • Gal Beniamini found several vulnerabilities.
    • “Code execution in Secure World userland privilege escalation (CVE-2015-6639) to gain code execution in Secure World kernel via SMC handler or via SVC handler (CVE-2016-2431) allowing KeyMaster Keys extraction, Linux Kernel hijacking from TrustZone, and bootloader unlocking”
  • Azimuth Security found two vulnerabilities.

    • One vulnerability allows writing a zero dword to any address in the TrustZone kernel. It can be used to disable memory boundary validation in the TrustZone memcpy function, yielding an arbitrary write primitive.

    • Use of a signed comparison instead of an unsigned one leaks information from the Secure World to the Normal World.
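As an added illustration (a constructed toy model written for these notes, not Qualcomm's, Trustonic's or Arm's code), the following C program puts the mechanisms from the "Normal world vs Secure World" section and the Azimuth memcpy bug side by side: an SMC entering a monitor that clears the NS bit, dispatches to a secure service and restores NS on return; a bus filter that aborts normal-world reads of memory marked secure; and the range check a secure-world copy service must apply to a caller-supplied buffer, beside the signed-comparison variant that lets a large length slip past the bound. The memory layout, the SVC_EXPORT service number, the key bytes and the return codes are all invented for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one physical memory array whose lower half carries the
 * secure attribute (NS = 0) and whose upper half is non-secure (NS = 1).
 * scr_ns stands in for the NS bit of the Secure Configuration Register. */
#define MEM_SIZE    256u
#define NS_BASE     128u           /* [NS_BASE, MEM_SIZE) is non-secure      */
#define SECURE_KEY  0u             /* offset of a constructed secret, secure */
#define KEY_LEN     4u

#define TZ_OK        0u
#define TZ_EINVAL    1u
#define SMC_UNKNOWN  0xFFFFFFFFu   /* unknown function ID returns -1          */

enum { SVC_EXPORT = 1 };           /* hypothetical secure service number     */

static uint8_t phys_mem[MEM_SIZE] = {0xDE, 0xAD, 0xBE, 0xEF}; /* constructed key */
static bool scr_ns = true;         /* normal world is executing at start     */

bool in_normal_world(void) { return scr_ns; }

/* Bus-level filter: an access tagged non-secure that targets secure memory
 * is aborted (returns -1); otherwise the byte is returned. */
int bus_read(uint32_t addr) {
    if (addr >= MEM_SIZE) return -1;
    if (scr_ns && addr < NS_BASE) return -1;
    return phys_mem[addr];
}

/* Correct range check: unsigned arithmetic, no addr+len overflow, and the
 * whole range must lie inside non-secure memory. */
bool ns_range_ok(uint32_t addr, uint32_t len) {
    if (len == 0 || addr < NS_BASE || addr >= MEM_SIZE) return false;
    return len <= MEM_SIZE - addr;
}

/* Flawed variant: the caller-controlled length is compared as a signed
 * value. A length with the top bit set becomes negative and passes. */
bool ns_range_ok_signed(uint32_t addr, uint32_t len) {
    if (addr < NS_BASE) return false;
    return (int32_t)(addr + len) <= (int32_t)MEM_SIZE;
}

/* Secure-world service: copy the key to a normal-world buffer. It only
 * runs after the monitor has cleared SCR.NS and uses the correct check. */
static uint32_t secure_export(uint32_t dst, uint32_t len) {
    if (scr_ns) return TZ_EINVAL;                 /* never from normal world */
    if (len > KEY_LEN || !ns_range_ok(dst, len)) return TZ_EINVAL;
    memcpy(phys_mem + dst, phys_mem + SECURE_KEY, len);
    return TZ_OK;
}

/* Monitor entry reached by the SMC instruction: remember the caller's
 * world, clear NS so the secure kernel runs, dispatch, restore NS, return. */
uint32_t smc(uint32_t fid, uint32_t a1, uint32_t a2) {
    bool saved_ns = scr_ns;
    uint32_t ret;
    scr_ns = false;
    switch (fid) {
    case SVC_EXPORT: ret = secure_export(a1, a2); break;
    default:         ret = SMC_UNKNOWN;           break;
    }
    scr_ns = saved_ns;
    return ret;
}

int main(void) {
    printf("normal-world read of secure RAM: %d\n", bus_read(SECURE_KEY)); /* -1 */
    printf("export to NS buffer: %u\n", smc(SVC_EXPORT, NS_BASE, KEY_LEN)); /* 0 */
    printf("export into secure RAM: %u\n", smc(SVC_EXPORT, SECURE_KEY, KEY_LEN)); /* 1 */
    printf("signed check accepts len 0x80000000: %d\n",
           ns_range_ok_signed(NS_BASE, 0x80000000u));                     /* 1 */
    printf("unsigned check accepts it: %d\n", ns_range_ok(NS_BASE, 0x80000000u)); /* 0 */
    return 0;
}
```

The point of the two checks is that the bound itself is the same in both; only the arithmetic differs. Once the secure side trusts a signed comparison on a value the normal world controls, the memcpy that follows reads or writes beyond the non-secure buffer, which is exactly the information-leak shape described above.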

Trustonic TrustZone

The Trustonic implementation is t-base (also known as Kinibi).

It is built on a microkernel, so there is no single point of failure.

Created Oct 2, 2019 // Last Updated Jul 4, 2021
