Question

I am just reading this document from ARM on TrustZone and some things are unclear to me.

The fact that a Hypervisor offers a special CPU mode and that for the TrustZone, the processor comes with an extra 33rd bit: Isn't a mode also a particular bit setting? How then does an extra bit make all that difference in terms of security? I do understand that the extra bit makes way for two separate 32-bit address spaces, but apart from that I am unable to put two and two together. Can someone clearly explain why TrustZone is more secure than a Hypervisor?


Solution

A typical Hypervisor is limited to the CPU only. It does not protect against other DMA masters. See the Wikipedia DMA Attack web page for more on this. Other attacks, such as a cold boot attack, need other mechanisms such as zeroizable memory to prevent exploitation. That is, TrustZone is not a total security solution, but a big part of it. As the ARM is only a CPU, the mechanism to control the other bus masters is unspecified. Besides DMA masters, alternate CPUs also pose a threat to memory partitioning. To address this, some secondary CPUs are TrustZone aware, i.e., they will always tag transactions with an NS bit (the 33rd bit).

In contrast, a Hypervisor is rarely limited to two worlds. Hypervisors host any number of OSes. TrustZone only has two worlds: secure and normal. However, each world can have a controlling supervisor OS, with as many separate threads, tasks, or processes as the OS permits.

DMA Attack explanation: In contrast to a hardware bit, a Hypervisor usually uses the CPU's MMU to limit software access. This doesn't prevent alternative bus masters from getting at the memory. If Hypervisor-restricted software can control a separate bus master, then it can grab memory that is meant to be protected. DMA uses physical addresses and bypasses the MMU, and so bypasses general Hypervisor protection.

The DMA Attack circumvents CPU protection by using something outside the CPU to access memory. With TrustZone, the protection is NOT in the CPU, but in the bus controller (see NIC301 for a sample). An ARM TrustZone CPU just allows the CPU to support four modes: secure supervisor, secure user, normal supervisor and normal user. A normal ARM CPU only supports user and supervisor separation, with all hosted OSes of a hypervisor running in user mode; typically all DMA peripherals run with supervisor privilege and the value is often hard-coded in the SOC.


Update: The original question did not include IOMMU.

Type    Merits
TZ      Bus switch, mitigates masters and peripherals
HV      No DMA mitigation, single master (CPU)
IOMMU   IOMMU is a slave mitigation, requiring updates on 'world switch'

The Hypervisor + IOMMU can accomplish some protection against DMA attacks. However, it means on a 'world switch' the IOMMU table must be updated. This will prevent DMA attacks against that peripheral. Every peripheral that needs this protection requires an IOMMU.

There can be instances where a 'normal world' device might access a secure device to perform a 'secure operation'. For example, requesting a decryption of data without access to the keys.

The hypervisor + IOMMU is not equivalent to TrustZone. TrustZone is protection by the bus matrix and includes all peripherals and masters. Masters can be in either world state; i.e., on a multi-CPU system one can be in normal and another secure, meaning computations can take place in both. The HV+IOMMU solution is equivalent to pre-emptive multi-tasking: the IOMMU must be switched as the system enters that mode.

Again, the weakness of TZ is only two 'worlds' are supported. The HV+IOMMU can support several 'guests'.
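The three access-control points the answer contrasts, as a toy model added here (not code from the answer, and not ARM's NIC301 or any real IOMMU logic): a TrustZone bus filter that checks the NS bit on every transaction regardless of master, a hypervisor whose stage-2 MMU only sees CPU accesses, and a hypervisor + IOMMU whose table must be reprogrammed at each world switch. The secure region, guest page range and transaction format are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: one 1 MiB window the SoC designer tagged as secure-only.
SECURE_REGIONS = [(0x8000_0000, 0x8010_0000)]

@dataclass(frozen=True)
class Transaction:
    master: str  # "cpu" or "dma"
    addr: int    # 32-bit physical address
    ns: int      # the 33rd bit: 0 = secure world, 1 = normal world

def in_secure_region(addr):
    return any(lo <= addr < hi for lo, hi in SECURE_REGIONS)

def tz_bus_filter(tx):
    """TrustZone: the bus matrix checks the NS bit of every transaction,
    so the same rule applies to the CPU and to DMA masters alike."""
    if in_secure_region(tx.addr) and tx.ns == 1:
        return "DENY"
    return "ALLOW"

def hv_mmu_filter(tx, guest_pages):
    """Hypervisor only: the stage-2 page tables govern CPU accesses, but a DMA
    master presents physical addresses and never consults them."""
    if tx.master != "cpu":
        return "ALLOW"  # MMU bypass: the DMA attack the answer describes
    return "ALLOW" if (tx.addr >> 12) in guest_pages else "DENY"

def hv_iommu_filter(tx, guest_pages, iommu_pages):
    """Hypervisor + IOMMU: DMA is checked against the IOMMU table, which the
    hypervisor must reprogram on each world switch for the check to hold."""
    table = guest_pages if tx.master == "cpu" else iommu_pages
    return "ALLOW" if (tx.addr >> 12) in table else "DENY"

def compare(addr=0x8000_0100):
    """Run the same normal-world access to a secure address through each scheme."""
    guest_pages = set(range(0x4000_0000 >> 12, 0x4010_0000 >> 12))  # guest RAM only
    cpu_tx = Transaction("cpu", addr, ns=1)
    dma_tx = Transaction("dma", addr, ns=1)
    return {
        "tz_cpu": tz_bus_filter(cpu_tx),
        "tz_dma": tz_bus_filter(dma_tx),
        "tz_secure_cpu": tz_bus_filter(Transaction("cpu", addr, ns=0)),
        "hv_cpu": hv_mmu_filter(cpu_tx, guest_pages),
        "hv_dma": hv_mmu_filter(dma_tx, guest_pages),
        # IOMMU table left over from the secure world's turn still maps the page
        "iommu_dma_stale": hv_iommu_filter(dma_tx, guest_pages, guest_pages | {addr >> 12}),
        "iommu_dma_switched": hv_iommu_filter(dma_tx, guest_pages, guest_pages),
    }
```

Only `hv_dma` and `iommu_dma_stale` come back `ALLOW` for the secure address, which is exactly the gap (DMA bypass, and an IOMMU table not updated at the world switch) that the bus-level NS check closes.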

OTHER TIPS

Using an IOMMU on Intel and a SystemMMU on ARM, DMA attacks can be circumvented at least to a broad extent. One of the main differences between TrustZone-based and hypervisor-based system security is that hypervisors protect the system at a page granularity, typically by modifying the CPU MMU and adding peripheral MMUs (IOMMU, SystemMMU), while in a TrustZone-based system each single transaction (access) is marked as secure or non-secure (through an additional bus address line, the 33rd bit), thus providing security at a finer granularity, typically at the processor word-size level.

Licensed under: CC-BY-SA with attribution