A Dual-Hypervisor for supporting multiple Trusted Execution Environments on Arm TrustZone


Giorgiomaria Cicero, Alessandro Biondi and Giorgio Buttazzo

Institution(s)

Scuola Superiore Sant'Anna, Pisa, Italy

Presentation type

Technical presentation

Abstract

Nowadays, cyber-security is gaining attention in the embedded domain and is becoming a strong requirement for applications with mixed criticality and security levels. Virtualization is becoming a widespread way to provide security through isolation in a multi-OS environment. In recent years, the research community has proposed several software-based techniques for achieving isolation, offering Trusted Execution Environments (TEEs) alongside the execution of multiple software components on the same platform. However, such a solution, also known as a Multiple Independent Levels of Security (MILS) system, requires strong security features that generally cannot be provided by purely software techniques. To fulfill such requirements, hardware-based solutions are the de-facto alternative for achieving strongly isolated execution environments. One of the most widely adopted solutions is TrustZone, produced by Arm for Cortex-A processors. This technology essentially splits the processor into two orthogonal modes, namely the Secure and Non-Secure worlds, thus replicating a complete processor in favor of a secure environment. This presentation proposes an infrastructure that combines hypervisor-based virtualization capabilities with Arm TrustZone for the execution of multiple TEEs. In particular, a Dual-Hypervisor design is proposed to allow the execution of multiple stand-alone domains, each of which can include both a standard (i.e., rich) execution environment and a TEE. The software infrastructure is mainly composed of two jointly configured hypervisors: one running in the Non-Secure world, hosting the rich parts of the domains within non-secure Virtual Machines (VMs); another running in the Secure world, hosting the corresponding trusted parts within secure VMs.
This design virtualizes the two worlds separately, avoiding a centralized solution (a single hypervisor residing in the Secure world) that can suffer from a single point of failure and introduces considerable overhead due to the onerous cost of switching world at every intervention of the hypervisor. Furthermore, a minimal software layer with higher privilege has been developed to orchestrate the two hypervisors and dispatch interrupts. The proposed design has been developed and tested by suitably adapting Xvisor, an open-source monolithic Type-1 hypervisor, on a Cortex-A15 processor with support for hardware-based virtualization and TrustZone.


Additional material

  • Presentation slides: [pdf]
