A guide to securing IoT devices with Arm TrustZone for Cortex-M

You can access the webinar recording at the following link:

Webinar recording

Webinar description

Securing embedded systems has become a critical task for developers. It is nearly impossible to open the news without hearing about yet another major security breach. In this webinar, attendees will become familiar with the design methods necessary to secure embedded systems using the new Arm® TrustZone® for Cortex®-M processors. We will examine important concepts such as the secure and non-secure domains, setting up a TrustZone RTOS, and debugging secure applications.

This webinar includes a hands-on demonstration powered by the Arm Cortex-M23 processor, the first Cortex-M processor to support TrustZone. We will use Arm Keil MDK to show how to bring TrustZone up and running both on hardware and in simulation using a virtual processor.

Topics covered in this webinar include:
– Introduction to TrustZone
– Defining the secure and non-secure worlds
– Example use cases for securing an application with TrustZone
– Implementing FreeRTOS™ in a TrustZone environment
– How to debug a TrustZone-based application
– Best practices for securing embedded systems
– Recommended next steps

Access the webinar recording below:

Webinar recording

Below are the questions asked during the webinar along with their answers. Feel free to post additional questions as comments on this post.

Questions and answers

Q: Are there any disadvantages (in terms of performance) if you configure all peripherals and memory regions as secure?
A: When switching from non-secure to the secure region, there is up to a 3 clock cycle overhead to call a secure function. Once in the secure region, there is no performance hit to using a secure peripheral.

Q: As the material level is participating in making the secure zone, I would like to know if there is a separate device (for example a memory chip) which could be coupled to the secure area to increase its capacity, in the memory sense or in the processing sense?
A: Memory external to the chip (external memory) can be assigned to the secure region to extend your "secure memory" space. All 4 GB of addresses addressable by the Cortex-M23 must be assigned to either secure or non-secure.

Q: Do we have any separate instructions to access the secure region of memory?
A: Yes. When calling a function in the secure region, the SG instruction is inserted to tell the CPU that a secure gateway connection is being used. There is also a new "return" instruction that is used when transitioning from the secure world back into the non-secure one.

Q: Does this protect against software attacks, such as stack/buffer overflow exploits and return-oriented programming (ROP)?
A: A developer in these instances should still employ overflow checks and the MPU, but since you can have secure data, it can make it harder for a hacker to use these exploits.

Q: For example, regarding a smartphone device, is the key input pad handled as a secure device?
A: It could be put into secure code if that was deemed to be required. You might put things such as an RTOS scheduler, secure boot code, TLS and encryption libraries into secure flash.

Q: As I understand it, the main developers for TrustZone will be those developing the OS, and only at a later stage will application developers need (if at all) to work with TrustZone directly? Or have I misunderstood?
A: You have misunderstood. When you start developing an application you need to set up a security policy, which includes determining which functions will be used in the secure zone. From the very first power-up you will need to configure your non-secure environment, and you will also need to set up secure boot and probably place important functions in the secure zone.

Q: What if I use some part of external memory as the secure world and, while in operation, I experience a power cut? Then the (external memory) secure world will be erased, since it is volatile. (How should this be handled? Please suggest.)
A: At that point, I would expect the MCU to also restart and be in the secure flash boot region, which would then reinitialize the application. It would be a very rare case for the external memory to lose power while the MCU did not. Otherwise you could use a supercap to cover any power loss on the MCU and external memory.

Q: How does the non-secure memory region make a call into the secured memory region and still remain secured? Are we referring to a similar practice as encapsulation and abstraction?
A: A secure gateway instruction is used to switch from the non-secure to the secured region. Only specific addresses in the secured space can be called. Any other address will result in an exception. So there is literally a hardware transition that occurs in the hardware that keeps the two regions isolated from each other.

Q: How do the secure area and the non-secure area communicate with each other (if they have to)?
A: The secure zone can access everything in the microcontroller, including the non-secure zone. The non-secure zone can only make function calls into the secure zone. The functions that may be called from the non-secure world are specified through an interface, so that secure gateways, or veneer regions, are created and only specific memory locations can be executed in the secure space. Any attempt to dereference a region that has not been specified results in an exception.

Q: I mean that technical means (e.g. TrustZone, Trusted Platform Modules, uVisor, ...) are still "only tools" that need people with a deep understanding of the application's security implications (side channels, storage, ...). How do you ensure that everyone involved in product development (managers, developers, designers, developers, testers, ...) is aware of and prepared for the new challenges that await us?
A: Yes, so TrustZone is just another piece of the puzzle or another layer of the onion. Really, it is about educating management on the importance of security, and then training, mentoring and security reviews to properly evaluate the applications and products being developed and to create good policies for them.

Q: For example, if I am a user of mbed-os, can I use TrustZone directly, or do I need to wait for mbed-os to support it?
A: You will need to wait for mbed OS to support TrustZone-enabled Cortex-M.

Q: In some places in the presentation you used red for "secure" and green for "non-secure", and in others the other way round.
A: Thank you. The places where it was swapped were probably where the images were taken from application notes.

Q: Is it possible to configure any of the peripherals to be secure or non-secure?

Q: Is secure storage always included on the secure side on M devices if the device has TrustZone enabled? If not, where is secure storage located otherwise? The reason for the question is that on the A architecture, TrustZone typically relies on flash in the non-secure environment to store the actual data.
A: You can use your secure flash space to store secure data that is not accessible from the non-secure world. Some standard Cortex-M parts may also have special regions designed for secure storage. For example, if you look at some of the new ST Micro parts, they include secure memory storage for keys and other secure data.

Q: Is the Bluetooth module an ESP8266 chip? The ESP8266 is Wi-Fi only...
A: I am not sure. I will need to look at the schematics and get back to you.

Q: Is the Nuvoton M2351 available for purchase somewhere (I can't really find much information about it on their page)? Are other Armv8-M devices available to the general public?
A: The Nuvoton M2351 is the first Cortex-M to support TrustZone. It is currently in pre-production and will be available in the coming months. If you are interested in purchasing one, you can email the Nuvoton support team, or email Jacob after the webinar and he will direct you to someone who can provide more information.

Q: Is there a way to prevent a debugger from debugging the secure world?
A: Yes. If you compile the secure code into a library and distribute that library, or just flash that library into the secure space of the microcontroller, then anyone working in the non-secure environment will not be able to see the code in the secure zone or the secure data. So if you are debugging non-secure code, you won't be able to see the secure world.

Q: Is there an overhead in terms of power and performance? Also, when transitioning back to secure, are registers restored? Finally, is this webinar available for later reference?
A: The performance hit is 3 clock cycles, which results in minimal power overhead. It depends on how often your application switches between zones. When switching from the secure state to the non-secure state, the non-banked registers are cleared to prevent any information from being exposed to the non-secure environment. Yes, the webinar will be made available. Watch for an email within 24 hours.

Q: Is there any connection between uVisor and TrustZone?
A: Not necessarily. uVisor exists for Cortex-M processors without TrustZone as well. With TrustZone-enabled Cortex-M, uVisor will run more efficiently because secure/non-secure is controlled by hardware.

Q: Is there any performance overhead running secure code vs running non-secure code?
A: Each transition from the non-secure to the secure world requires up to 3 clock cycles of overhead to switch in hardware between these regions.

Q: Let's take the case where I distribute a library intended to execute in the secure area. Can anyone use a debugger to step into the library, and thus trace the execution in the secure area?
A: "Secure debug", which only allows debug visibility into the non-secure region, and only allows visibility into the secure region for an authorized debug session, is a feature that can be different for each MCU. For the Nuvoton M2351, secure debug is supported. Please reach out to Nuvoton for more details.

Q: The interface code in the secure area is defined as macros. What code is generated for that? Is it different from a "normal" function?
A: The TZ macros abstract some of the complexity of creating and checking function pointers. There are attributes in the CMSE library which, when used with a function, tell the compiler that the function is accessible from outside the secure zone. For these functions, the secure gateway (SG) instruction is generated behind the scenes.

Q: This leads me to think that they did not make special changes to this particular Arm processor, or changes at the hardware design level, correct?
A: There are changes in the silicon to separate the secure and non-secure regions of memory. From an external component standpoint there are no differences. In the microcontroller there are changes to isolate the secure and non-secure regions through hardware.

Q: What about the linker script? Is this handled automatically in some way, or does the user need to define the secure memory regions in the scatter file manually?
A: In Keil you can configure it through the project options, or you can create the scatter file manually.

Q: How is this supported in toolchains such as GCC, LLVM, etc.? Is it supported? If not, are there any plans to add support? If so, roughly when?
A: GCC already supports the Cortex-M23, which is based on the Armv8-M architecture. Please email us for a link: https://developer.arm.com/open-source/gnu-toolchain/gnu-rm

Q: What are the main differences in comparison to using an MPU?
A: There is hardware isolation between the secure and non-secure regions, and only specific function-executable regions are made available in the secure region. The secure and non-secure worlds can still both have an MPU.

Q: What do I need to do to control (to protect is more suitable) this particular communication between the secure and non-secure regions? (Just to say, a dedicated program to handle it.)
A: You would identify the functions and data that need to be secure and have restricted access, and those would then be placed into the secure world.

Q: What do I need to do to increase the secure zone? (Is there any way? If so, please advise.)
A: You can use the SAU to set the secure regions and also adjust the scatter file (linker file) to set the secure memory areas that are needed for an application.

Q: When combining an RTOS in the normal state with library functions called in the secure state, is the system still fully preemptible? Or should secure functions first run to completion?
A: Everything is still preemptible.

Q: Is the __attribute__ we saw Keil-specific? Is it supported in gcc?
A: Yes, that is Keil-specific syntax. In gcc the cmse attributes are the same when using the gcc version.

Q: Can ARM SecureZone be used with other third-party compilers?
A: Yes, any compiler that can handle Armv8-M.

Q: How do you protect the root of trust code itself from being modified?
A: The application boots directly into the secure memory. The secure zone also has an MPU and cannot be accessed from outside the secure world. Someone with access to the secure code could update that code from within the secure zone.

Q: How does a firmware upgrade work for a deeply embedded processor?
A: You can use a bootloader to update the firmware.

Q: If there is no partition file in the project, do the M23 and M33 behave like regular Cortex-M processors? Is one needed if you do not plan to use TrustZone for the project?
A: An MCU that includes TrustZone will always boot in secure mode. It is then possible to set the whole memory map with the non-secure attribute. You still need the first transition from secure boot into non-secure.
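The answers above about the SAU, the "every address is either secure or non-secure" rule, and the CMSE attributes that create secure gateways can be made concrete with a small host-runnable model. This is an added example, not code from the webinar, from Arm or from Keil. It encodes SAU regions in the SAU_RBAR/SAU_RLAR layout of the Armv8-M Architecture Reference Manual (base and limit in bits [31:5], ENABLE in bit 0, NSC in bit 1), reproduces the SAU lookup rule (Secure by default, NS or NSC only inside an enabled region), and shows a secure entry function that refuses a buffer unless every byte of it is plain Non-secure. On a real target that check is what `cmse_check_address_range()` from `arm_cmse.h` performs with the TT instruction; it is the check a secure service needs so that a non-secure caller cannot point it at secure memory. The memory map, region addresses, the `secure_checksum` service and the `ns_store` helper are constructed for the example; the `__ARM_FEATURE_CMSE` guard lets the block compile on a host, where the entry attribute is a no-op.

```c
/* Added example (not from the webinar): host-runnable model of the Armv8-M
 * SAU lookup plus a secure entry function that validates a Non-secure buffer.
 * Register layout follows the Armv8-M Architecture Reference Manual:
 * SAU_RBAR.BADDR and SAU_RLAR.LADDR occupy bits [31:5], SAU_RLAR.ENABLE is
 * bit 0 and SAU_RLAR.NSC is bit 1 (32-byte granularity). The memory map and
 * the secure_checksum service are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2)
#include <arm_cmse.h>                 /* real secure-side build (-mcmse) */
#define NS_ENTRY __attribute__((cmse_nonsecure_entry))
#else
#define NS_ENTRY                      /* host build: attribute is a no-op */
#endif

enum sec_attr { ATTR_S = 0, ATTR_NS = 1, ATTR_NSC = 2 };

typedef struct {
    uint32_t base;   /* first byte of the region, 32-byte aligned */
    uint32_t limit;  /* last byte of the region, low 5 bits set   */
    bool     nsc;    /* Non-secure callable: holds only SG veneers */
} sau_region_t;

/* Constructed map: secure flash from 0, NSC veneers at 0x3F000, Non-secure
 * flash at 0x40000, Non-secure SRAM at 0x20008000. Everything else is Secure. */
static const sau_region_t g_regions[] = {
    { 0x0003F000u, 0x0003FFFFu, true  },
    { 0x00040000u, 0x0007FFFFu, false },
    { 0x20008000u, 0x2000FFFFu, false },
};
#define NREGIONS (sizeof g_regions / sizeof g_regions[0])

#define NS_SRAM_BASE 0x20008000u
static uint8_t g_ns_sram[0x8000];     /* models the Non-secure SRAM region */

/* Values that would be written to SAU->RBAR and SAU->RLAR for one region. */
uint32_t sau_rbar(const sau_region_t *r) { return r->base & 0xFFFFFFE0u; }
uint32_t sau_rlar(const sau_region_t *r) {
    return (r->limit & 0xFFFFFFE0u) | (r->nsc ? 2u : 0u) | 1u;
}

/* SAU rule: an address not covered by an enabled region is Secure; a covered
 * address is NSC if the region has NSC set, otherwise NS. This is why every
 * byte of the 4 GB map ends up as either Secure or Non-secure. */
enum sec_attr sau_lookup(uint32_t addr) {
    for (size_t i = 0; i < NREGIONS; i++)
        if (addr >= g_regions[i].base && addr <= g_regions[i].limit)
            return g_regions[i].nsc ? ATTR_NSC : ATTR_NS;
    return ATTR_S;
}

/* True only if every byte of [base, base+len) is plain Non-secure. On target
 * cmse_check_address_range(p, len, CMSE_NONSECURE) answers this via the TT
 * instruction; here the SAU model is walked in 32-byte steps instead. */
bool ns_range_ok(uint32_t base, uint32_t len) {
    if (len == 0 || base + len - 1 < base)   /* empty, or wraps past 4 GB */
        return false;
    uint32_t last = base + len - 1;
    for (uint32_t a = base & ~31u; ; a += 32) {
        if (sau_lookup(a) != ATTR_NS) return false;
        if (a >= (last & ~31u)) break;
    }
    return true;
}

/* Models the Non-secure world filling its own SRAM before calling across. */
bool ns_store(uint32_t addr, const uint8_t *data, uint32_t len) {
    if (!ns_range_ok(addr, len) || addr - NS_SRAM_BASE + len > sizeof g_ns_sram)
        return false;
    for (uint32_t i = 0; i < len; i++) g_ns_sram[addr - NS_SRAM_BASE + i] = data[i];
    return true;
}

/* Secure service reachable from the Non-secure world through an SG veneer.
 * It refuses any buffer that is not wholly Non-secure, so a Non-secure caller
 * cannot point it at secure data. Returns the checksum (>= 0), -1 if the
 * range fails the check, -2 if this model has no backing memory for it. */
NS_ENTRY int64_t secure_checksum(uint32_t ns_addr, uint32_t len) {
    if (!ns_range_ok(ns_addr, len)) return -1;
    if (ns_addr - NS_SRAM_BASE + len > sizeof g_ns_sram) return -2;
    uint32_t sum = 0;
    for (uint32_t i = 0; i < len; i++) sum += g_ns_sram[ns_addr - NS_SRAM_BASE + i];
    return (int64_t)sum;
}

int main(void) {
    for (size_t i = 0; i < NREGIONS; i++)
        printf("SAU region %zu: RBAR=0x%08X RLAR=0x%08X\n", i,
               (unsigned)sau_rbar(&g_regions[i]), (unsigned)sau_rlar(&g_regions[i]));
    const uint8_t payload[4] = { 1, 2, 3, 4 };                 /* constructed */
    ns_store(NS_SRAM_BASE, payload, sizeof payload);
    printf("NS buffer:            %lld\n", (long long)secure_checksum(NS_SRAM_BASE, 4));
    printf("secure flash:         %lld\n", (long long)secure_checksum(0x00000100u, 4));
    printf("crosses into secure:  %lld\n", (long long)secure_checksum(0x2000FFF0u, 32));
    return 0;
}
```

The walk in `ns_range_ok` rejects a buffer that starts in Non-secure SRAM but spills past the region's end, which is the case an attacker-controlled length would try to exercise; on hardware the same decision comes from the TT-based CMSE check, and the `cmse_nonsecure_entry` attribute additionally makes the compiler clear the non-banked registers on return, as described in the pipeline answers below.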
Q: Has it started? I can't hear anything... just the screen "Questions".
A: I'm sorry to inform you that you missed it! The recording will be sent out in the next 24 hours.

Q: Is the transition to/from done through software or hardware on the Nuvoton?
A: The transition on any M23/M33 part is done through hardware.

Q: It looks like a lot of printfs, even ones used to turn the LEDs on/off; are they intended to be sent to /dev/null?
A: Yeah, it was just part of the example to show that you could have a non-secure UART that is controlled in both the secure and non-secure zones.

Q: What is a Keil FVP?
A: Fixed Virtual Processor.

Q: You mentioned that if you try to execute secure code from non-secure execution, you get a fault. How does the secure code handle this? Is it simply an ISR, and then a decision is made, or is it possible to RESET the device and kill the threat?
A: Yes, so trying to execute a function or dereference memory outside the defined secure gateway addresses causes a fault. These show up as an interrupt, and then a developer can take whatever course of action they deem fit to avert the threat.

Q: Where is the initial code stored? If you want it to run only after some kind of authentication.
A: Yes, they will be posted on beningo.com at the end of this week or early next week.

Q: How can I look at memory in the secure zone with SWD?

Q: When compared with software, how many cycles does it typically take to switch to/from the secure/non-secure state? I heard hardware takes 3 cycles.
A: Oh. It's a simulation. There is no hardware, only a simulated processor.

Q: I know what it stands for. What does that mean?

Q: The code starts in the secure zone, as we saw in the previous demonstration. It starts in the secure zone, but it has to be stored in some kind of NVM. How do I block an attacker from replacing my root of trust code with malicious code?
A: You can isolate and protect those memory regions with a secure key that must be entered to program the flash.
Q: Thanks. Is this mechanism effective against spurious faults on the NVM?

Q: Did you use FreeRTOS in this demo?
A: Yes. Other RTOSes such as mbed OS or RTX can also be used.

Q: What's the overhead for calling into the secure state from the non-secure state?
A: Up to 3 clock cycles.

Q: Not just the core?

Q: Does TrustZone apply only to flash? Can it protect RAM functions?
A: It applies to flash, memory, interrupts and peripherals.

Q: Do you have to clear the pipeline with an ISB instruction after going from secure to insecure?
A: No. You attach an attribute from the cmse library and it will automatically clear the non-banked registers when going from secure to non-secure.

Q: Thanks. Do the non-banked registers include the 3-stage pipeline of the Cortex-M33?
A: The Cortex-M33 contains the same 16 32-bit non-banked registers, except for the stack pointers (R13), which are banked for the non-secure and secure domains. Same for the Cortex-M23.

Q: OK, I'm not familiar with whether the non-banked registers include what is in the 3-stage pipeline. The v7-M Technical Reference Manual recommends issuing an ISB() when switching the privilege bit, to clear privileged instructions from the pipeline. For TrustZone this is not needed because the pipeline counts as a non-banked register? Or have I misunderstood...
A: Yes, the TrustZone piece has separate registers that are banked separately from the non-secure zone. The shared registers, when using the attribute __attribute__((cmse_nonsecure_entry)), will clear the banked registers upon returning to the non-secure world.

Q: Interesting, thanks. So the 3-stage pipeline isn't shared between the secure and non-secure states? If not, does this mean there is no performance impact for either state using the pipeline? Or are there two separate pipelines, one per state?
A: There is a single pipeline for the processor. Secure and non-secure code cannot run concurrently. So I think you misunderstood. The pipeline is "shared".

Q: Thanks. Re the pipeline: if you move from secure to non-secure and there are two instructions from the secure world in the 3-stage pipeline, do you have to issue an ISB to clear them? v7-M suggests you do this when switching between privileged and non-privileged execution modes.
A: The transition from secure code to non-secure code does not require an 'ISB'; a simple branch instruction is enough. The target branch address must contain an 'SG' (secure gateway) instruction that allows entry into the secure domain. The function return automatically clears the registers so that 'secure' data does not leak to the non-secure world.
