# CS 453/698: Software and Systems Security # **Module: Hardware & Mobile Security** Lecture: Android & ARM TrustZone Adam Caulfield *University of Waterloo*Spring 2025 # Reminders & Recap ### **Reminders:** - A4 is released - Due July 25th - Send your research project proposals to Meng and me! # Recap – last time we covered: ### Intro to Trusted Execution Environments (TEE) - Separate, isolated, and minimal execution environmet - Enabled as a part of the CPU arch. itself (not a separate external module) ### Intel SGX - User-space TEE → enclaves - Architecture details → Isolation, life cycle, address translation, attestation # Today # **Continue: Hardware and Mobile Security** ### Different TEE architecture and real-world use case ### ARM TrustZone - System-level or "split world" architecture - Overview - Architectural details ### **Android OS** - How it uses TrustZone (particular focus on KeyStore) - Other security features # **ARM Processors** # A few family of CPUs provided by ARM ### ARM Cortex-A family - Application processors - Supports OS and high-performance apps - This is the CPU in smart phones, smart tv ### ARM Cortex-R family - Real-time processors with highperformance and reliability - Support real-time processing and mission-critical control ### **ARM Cortex-M family** - Microcontrollers - Cost-sensitive, SoC, low-power processing # **ARM Processors** # A few family of CPUs provided by ARM ARM® Cortex® Processors across the Embedded Market # **ARM Processors** # A few family of CPUs provided by ARM # ARM® Cortex® Processors across the Embedded Market 6 ### What is TrustZone? ARM Processors' TEE - Splits the system into two worlds - From ARM: - "The security of the system is achieved by partitioning all (...) hardware and software resources so that <u>they exist in one of two worlds</u> <u>the Secure world for the security subsystem</u>, and the <u>Normal world for everything else."</u> ### Some visualizations.... ### Some visualizations.... ### Some visualizations.... # Runtime System with SGX ### Some visualizations.... ### Some visualizations.... Split everything between two worlds ### Some visualizations.... Runtime System with TrustZone? # Process 1 Process 2 Rich OS (e.g., Linux) TrustZone-capable CPU ### Some visualizations.... ### **TrustZone's Guarantee:** Even if the Normal World is fully compromised, the Secure World remains safe, confidential, isolated, etc. ### Some visualizations.... # **Topics:** Isolation in TrustZone Secure Monitor Calls (SMC) – Invocation of Secure World code Android # **Topics:** Isolation in TrustZone Secure Monitor Calls (SMC) – Invocation of Secure World code Android - Store and manipulate security-critical info within the Secure World - Passwords, biometrics, private data, etc. - Store and manipulate security-critical info within the Secure World - Passwords, biometrics, private data, etc. - Keep the code inside the Secure World minimal $\rightarrow$ small TCB - Store and manipulate security-critical info within the Secure World - Passwords, biometrics, private data, etc. - Non-security tasks stay out in the Normal World - E.g., network stack, device drivers, UI implementation, etc. - Store and manipulate security-critical info within the Secure World - Passwords, biometrics, private data, etc. - Non-security tasks stay out in the Normal World - E.g., network stack, device drivers, UI implementation, etc. - Normal World Apps make requests to Secure World apps via well-defined APIs - E.g., request decryption, check this biometric input, etc... ### **Memory Translation in Intel SGX Revisited....** ### **Memory Translation in Intel SGX Revisited....** # Similar idea -> CPU is now involved in the memory translation # TrustZone approach: - Two worlds $\rightarrow$ two page tables - Both are active in an MMU at a given time # Similar idea -> CPU is now involved in the memory translation ### **TrustZone approach:** - Two worlds $\rightarrow$ two page tables - Both are active in an MMU at a given time - Normal world page table → managed by the Rich OS - Secure world page table → managed by the Trusted OS #### Similar idea -> CPU is now involved in the memory translation #### **TrustZone approach:** - Two worlds $\rightarrow$ two page tables - Both are active in an MMU at a given time - Normal world page table → managed by the Rich OS - Secure world page table → managed by the Trusted OS - One additional bit in the CPU tells MMU which table to load #### Similar idea -> CPU is now involved in the memory translation #### **TrustZone approach:** - Two worlds $\rightarrow$ two page tables - Both are active in an MMU at a given time - Normal world page table → managed by the Rich OS - One additional bit in the CPU tells MMU which table to load - Non-Secure (NS) bit: #### Similar idea -> CPU is now involved in the memory translation #### TrustZone approach (part 1): - Two worlds $\rightarrow$ two page tables - Both are active in an MMU at a given time - Normal world page table → managed by the Rich OS - One additional bit in the CPU tells MMU which table to load - Non-Secure (NS) bit: - NS = 1 → currently in Normal World, Secure World access is blocked - NS = 0 → currently in Secure World, Secure World access is allowed #### The details... #### Now, the CPU also passes the NS bit to the MMU # And the MMU has two page tables. NS bit tells MMU which to use #### Now, the CPU also passes the NS bit to the MMU ### TrustZone approach (continued..) - Physical Memory Partitioning in addition to the modified MMU! - TrustZone enables configuration of specific <u>physical</u> memory regions as <u>secure</u> or <u>non-secure</u>, such that applications can only access memory assigned to their world - How? - Two hardware controllers: - TrustZone Address Space Controller (TZASC) → on chip memory (SoC) and DRAM - TrustZone Memory Adapter (TZMA) → off-chip memory (e.g., external peripherals SRAM) - TZASC and TZMA have the same function applied to different resources #### Where are the TZASC/TZMA? #### Instead of the MMU accessing the BUS directly... #### TrustZone-A MMU + TZASC/TZMA Together provide isolation in TrustZone #### TZASC/TZMA: Implement physical isolation between the worlds - Isolate physical memory, peripherals, and hardware resources - Provides system-level isolation #### MMU: - Virtual isolation between processes running in each world - Provides process-level isolation #### Some visualizations.... ### Runtime System with TrustZone? #### Some visualizations.... #### Some visualizations.... #### Some examples.... Access 1: NS = 1; Virt Addr = 0x00002123 **Access 2:** NS = 0; Virt Addr = 0x00003456 **Access 3:** NS = 1; Virt Addr = 0x00004789 **Access 4:** NS = 1; Virt Addr = 0x00006333 **Access 5:** NS = 0; Virt Addr = 0x00002123 | Memory | |--------| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | #### Some examples.... **Access 1:** NS = 1; Virt Addr = 0x00002123 **Access 2:** NS = 0; Virt Addr = 0x00003456 **Access 3:** NS = 1; Virt Addr = 0x00004789 **Access 4:** NS = 1; Virt Addr = 0x00006333 **Access 5:** NS = 0; Virt Addr = 0x00002123 Memory 56 ## ARM TrustZone – Memory Translation #### Some examples.... **Access 4:** NS = 1; Virt Addr = 0x00006333 **Access 5:** NS = 0; Virt Addr = 0x00002123 Memory **Access 5:** NS = 0; Virt Addr = 0x00002123 #### Some examples.... | / | Ner | no | ry | | |---|-----|----|----|--| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | **Access 4:** NS = 1; Virt Addr = 0x00006333 **Access 5:** NS = 0; Virt Addr = 0x00002123 #### Some examples.... **Discarded by MMU** | Memory | | |--------|--| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | #### Some examples.... **Access 2:** NS = 0; Virt Addr = 0x00003456 **Access 3:** NS = 1; Virt Addr = 0x00004789 **Access 4:** NS = 1; Virt Addr = 0x00006333 **Access 5:** NS = 0; Virt Addr = 0x00002123 **Accesses 0xFFF8F456** **Discarded by TZASC/TZMA** **Discarded by MMU** Accesses 0x045E2123 Memory #### Two key questions: Who configures the TZASC/TMA table? • Who controls the NS bit value? #### Two key questions: - Who configures the TZASC/TMA table? - Secure World code: first configuration after boot! It is more privileged than Normal World - Secure world executes first and configures TZMA/TZASC before launching the normal world and rich OS. - Security of TrustZone requires TrustZone-aware Secure boot! - Who controls the NS bit value? #### Two key questions: - Who configures the TZASC/TMA table? - Secure World code: first configuration after boot! It is more privileged than Normal World - Secure world executes first and configures TZMA/TZASC before launching the normal world and rich OS. - Security of TrustZone requires TrustZone-aware Secure boot! - Who controls the NS bit value? - The CPU in hardware - From normal world, NS bit can only be changed (1 $\rightarrow$ 0) by issuing a **Security Monitor Call (SMC)** - SMC atomically gives control to Secure World and sets NS=0 - SMC jumps to **Security Monitor** that performs context switch between the worlds - The NS bit is set back to NS=1 before returning to Normal World ### **Security Monitor and SMC:** Switching between worlds requires a security monitor call (SMC) The Security Monitor is part of the Secure World's TCB ### **Caching in TrustZone** The problem: the CPU, and consequently the cache, must be securely shared between worlds The TZMA/TZASC split physical memory, but not the cache ### **Caching in TrustZone** The problem: the CPU, and consequently the cache, must be securely shared between worlds The TZMA/TZASC split physical memory, but not the cache So without any additional measures, the following is a possibility: - 1. Secure World is running - 2. Secure World transfers context back to the Normal World - 3. Normal World reads the same cached address used by Secure World - Data leaked! → Isolation is broken! ### **Caching in TrustZone** How to handle this problem? Naïve solution: Remove the cache => secure, but extremely slow. <u>Alternative:</u> Always flush the cache when switching worlds => secure, but still pretty slow. ### **Caching in TrustZone** How to handle this problem? Naïve solution: Remove the cache => secure, but extremely slow. <u>Alternative:</u> Always flush the cache when switching worlds => secure, but still pretty slow. #### TrustZone's solution: Include the NS bit in the cache look-up => no need to flush the cache! - Allows for fast world switching - Cached data may be kept across successive switches 72 TZ Cache ### **Caching in TrustZone** cached by the Secure World execution. 77 ### **Caching in TrustZone** Also, the MMU has a cache: - Called the TLB: Translation Lookaside Buffer - Same principle for TrustZone's CPU cache ### **Summary of Isolation in TrustZone:** ### In main memory: Physical isolation implemented by TZMA/TZASC based on NS-bit #### Within CPU cache and TLB: - Propagate NS-bit through every virtual address look-up - NS-bit is "33<sup>rd</sup> bit" #### **Reminder:** • NS bit value is controlled by CPU hardware. Only way to set it to 0 is by calling SMC, which also gives control to TrustZone's trusted Security Monitor ## ARM TrustZone Overview ### **Topics:** Isolation in TrustZone Secure Monitor Calls (SMC) – Invocation of Secure World code Android ### Revisiting the system flow: Controlled enter and exit from the Secure World ### Revisiting the system flow: Controlled enter and exit from the Secure World The moment the CPU Flips the NS-bit - A function identifier (32-bits) is passed using CPU register (R0) - Can be used to tell the security monitor which Trusted App is the destination of this call - A function identifier (32-bits) is passed using CPU register (R0) - Can be used to tell the security monitor which Trusted App is the destination of this call - SMC Arguments are passed in registers R1-R7 - Inputs destined to the secure world - A function identifier (32-bits) is passed using CPU register (R0) - Can be used to tell the security monitor which Trusted App is the destination of this call - SMC Arguments are passed in registers R1-R7 - Inputs destined to the secure world - Results are also returned to normal world using registers R0-R7 - A function identifier (32-bits) is passed using CPU register (R0) - Can be used to tell the security monitor which Trusted App is the destination of this call - SMC Arguments are passed in registers R1-R7 - Inputs destined to the secure world - Results are also returned to normal world using registers R0-R7 - Convention: not enforced by hardware anywhere - It is up to the Security Monitor to define its own behavior - Must then be followed/implemented by the SMC caller #### The whole beast: #### The whole beast: ### Important reminders about TrustZone's design: - Secure boot must guarantee that the Secure World runs first - After Secure World completes secure boot → "ACTIVE" - Availability - Boots first! - Also, resources assigned to secure world have priority (e.g., interrupts via TrustZone's GIC) - Different from TPM and SGX -> Has an "active" characteristic ## ARM TrustZone Overview ### **Topics:** Isolation in TrustZone • Secure Monitor Calls (SMC) – Invocation of Secure World code Android ### Provides runtime environment built atop TrustZone - Android OS & Apps → in the normal world - Trusted OS & Trusted Apps -> in the secure world #### **Features of interest:** Key store ### **Android Key Store:** Protects key material from unauthorized use in two ways. First it .. Prevents the extraction of keys from application processes and from the Android device, and Second it makes apps specify the authorized use of their keys within the device and enforces those restrictions outside of the app's processes. ### **Android Key Store:** Extraction prevention is provided based on two security measures: - Key material never enters the application process - Inputs for a operation that requires the key are fed into a "secure process" - Compromised App can use keys, but cannot extract the key itself - Confidentiality - Keys can be bound to the TEE - Similar to "wrap key" to be used from a particular device - Integrity How does Key store work? First, lets setup the key players... First OSes: Android OS in the Normal World, and a Trusted OS in the Secure World To simplify things, lets assume there is one Android app running in Normal World ### Within the Android OS is the KeyStore API Within the Android OS is the KeyStore API, and a corresponding Keystore TA ### Lets assume the Android App is currently executing ### Android App will call the KeyStore API to request a key **KeyStore API forwards the request to TEE ..... How??** **KeyStore API forwards the request to TEE ..... How??** Security Monitor (atomically) switches from Normal World to Secure World KeyStore TA is invoked. It then generates a key pair (e.g., AES, RSA) – how? KeyStore TA is invoked. It then generates a key pair (e.g., AES, RSA) - how? #### What is the Secure Element? - Dedicated hardware module - Similar idea to TPM or HSM (sometimes is that) - Isolated component designed to handle cryptographic operations - Very version-specific - Examples: - Separate PUF-based logic outside the CPU core but in the SoC (ANI1271): - StrongBox #### Recall: #### The TEE itself could be used for the SE, but less common Generates key blob derived from a root key, stored in KS TA private memory #### Returns a blob handle Atomic context switch, then store blob handle in Android App memory How about using the key? Invoke a KeyStore function, leading to SMC After being invoked, KeyStore TA retrieves key and performs operation After being invoked, KeyStore TA retrieves key and performs operation After being invoked, KeyStore TA retrieves key and performs operation #### Other features of Android: ### App signing - Every app must be signed by the developers - Unsigned apps are rejected by Google play or the package installer #### Biometrics - Part of tiered authentication model fingerprint senors - Relies on the keystore for secure storage #### Other features of Android: Biometrics (continued) #### Other features of Android: - App signing - Every app must be signed by the developers - Unsigned apps are rejected by Google play or the package installer - Biometrics - Part of tiered authentication model fingerprint senors - Relies on the keystore for secure storage - Verified Boot - Rollback prevention - Usable security "Private Space" sandboxed space with separate install of app # Closing thoughts ### Various hardware security paradigms: **Intel SGX** # Closing thoughts ### Various hardware security paradigms: **Intel SGX** We saved the World! # Closing thoughts #### Various hardware security paradigms: **Intel SGX** ARM TrustZone We saved the World! Hopefully, there aren't any problems with these designs.... # That's all for today! ### Coming up.... Attacks on TPMs and TEEs #### **Reminders:** - A4 is due on July 25 - Research project proposal # That's all for today! #### **Resources:** - "Demystifying Arm TrustZone" great one! - "TrustZone Explained: Architectural Features and Use Cases" - ARM Docs on TrustZone-A - Android security resources - Android KeyStore - HSE & SoC as SE - "Safeguarding Crytographic Keys TEE and Strongbox in Android" - "Mobile Platform Security"