Trustzone with virt_qemu_arm_v8a

Stefan Kalkowski stefan.kalkowski at genode-labs.com
Wed Mar 1 11:19:36 CET 2023


Hello Divya,

my colleague Norman raised the reasonable question, why don't you use
virtualization for your use-case instead of TrustZone? It is much more
appropriate, and already supported.

Regards
Stefan

On Tue, Feb 28, 2023 at 02:28:14PM +0100, Stefan Kalkowski wrote:
> Hello,
> 
> On Tue, Feb 28, 2023 at 06:26:06PM +0530, Divya Sharma wrote:
> > To be more specific we want to create an app/program on Linux/Android and
> > for cryptographic work, we want to switch to a trusted os, Genode.
> > so we need to work on 2 things
> > 1) switching between Normal os to secure os and vice versa
> > 2) set up Linux/android on top of genode.
> 
> Okay. Please be aware, that you have to partition the devices to be
> used by either side, only TrustZone-aware devices can get "shared"
> resp. used by both sides, e.g., the CPU and interrupt-controller.
> 
> > 
> > please suggest something for 2nd option.
> 
> The steps necessary for this use-case I've already sketched in my last
> response. Please read that carefully. If you have more specific
> implementation and design questions regarding our software stack,
> please feel free to ask.
> 
> Regards
> Stefan
> 
> > 
> > Regards
> > Divya
> > 
> > 
> > On Mon, Feb 27, 2023 at 4:45 PM Stefan Kalkowski <
> > stefan.kalkowski at genode-labs.com> wrote:
> > 
> > > Hello Divya,
> > >
> > > On Mon, Feb 27, 2023 at 02:53:43PM +0530, Divya Sharma wrote:
> > > > Dear Genodians,
> > > >
> > > > I hope this message finds you well. I am writing to follow up on our
> > > > previous discussion regarding running kernels in secure mode using QEMU.
> > > >
> > > > As per your suggestion, we have investigated the use of QEMU for this
> > > > purpose and found that it does support the required kernels. However, we
> > > > require further guidance on setting up an exception vector for the EL3.
> > > > Could you kindly provide us with the necessary steps to accomplish this
> > > > task?
> > > >
> > >
> > > This goes _far_ beyond the scope of an easy to answer "How to..."
> > > question.
> > >
> > > My first counter question would be: what do you want to achieve?
> > > What is your goal: do you want different fully functional OSes on both
> > > sides: secure world and normal world, or "just" some library OS
> > > functionality on the secure side for doing for instance some
> > > cryptographic work? Is Genode running on both sides, or what is
> > > running in the normal world?
> > >
> > > If you only want to "play" with the current possibilities of the
> > > Genode framework only, this goes far beyond this scope. You would need
> > > to develop certain functionalities not yet implemented for ARMv8. In
> > > that case, much more knowledge about your envisioned system is needed.
> > >
> > > > Additionally, we are interested in running a simple program similar to
> > > > the one demonstrated in the IMX demo. Could you please suggest any
> > > > relevant documents or threads that could assist us in achieving this
> > > > objective?
> > >
> > > I don't know which "simple program" you mean actually? The only
> > > visible TrustZone examples for i.MX53 I'm aware of are Linux or
> > > Android running in the normal world, and Genode's base-hw kernel,
> > > some drivers and a kind of TrustZone VMM running in the secure
> > > world. This is actually no simple scenario at all.
> > >
> > > If you want to re-produce this scenario, you have to:
> > >
> > > * Analyze functionality and security-wise, which system registers have
> > >   to be saved / restored by the secure-monitor on ARMv8
> > > * Implement (in assembler) a world-switch routine from the
> > >   normal-to-secure world (this is the exception vector), and
> > >   vice-versa
> > > * Set up the secure-monitor mode, e.g. by setting the exception
> > >   vector's address in EL3 mode
> > > * Re-write or extend the TrustZone VMM to handle ARMv8
> > >
> > > Regards
> > > Stefan
> > >
> > > >
> > > > Thank you for your time and assistance.
> > > >
> > > > Sincerely,
> > > >
> > > > Divya
> > > >
> > > > On Wed, Feb 22, 2023 at 2:30 PM Stefan Kalkowski <
> > > > stefan.kalkowski at genode-labs.com> wrote:
> > > >
> > > > > Hello Devashish,
> > > > >
> > > > > in its currently used form on ARMv8: if Genode's own kernel variant
> > > > > "base-hw" gets booted into TrustZone's secure mode at all, it leaves
> > > > > it without doing any additional setup into the normal world resp.
> > > > > directly into EL2 hypervisor mode to prepare that.
> > > > >
> > > > > In other words, without modifications you can't use the secure world
> > > > > right now. On most platforms this is actually already in use by ARM's
> > > > > Trusted Firmware (ATF), which implements things like multi-processor
> > > > > wakeup, suspend etc., so we can't make use of it without replacing the
> > > > > whole ATF.
> > > > >
> > > > > In general it is however possible to do so, but you'll need to do
> > > > > several in-depth modifications to make that work. First you need to
> > > > > find out whether on Qemu the kernel gets started in secure mode. If
> > > > > yes you would need at least to setup an exception vector for the EL3
> > > > > secure-monitor mode, so that you handle for instance SMC-calls.
> > > > > Probably you'll need to setup the MMU for the EL3 mode.
> > > > > To sum it up it is some serious work to do. If you are interested in
> > > > > exploring that, please have a look into the current CPU and
> > > > > exception-level (EL) setup in file:
> > > > > repos/base-hw/src/bootstrap/spec/arm_64/cortex_a53_mmu.cc
> > > > > That would be a good starting point to hook in.
> > > > >
> > > > > Regards
> > > > > Stefan
> > > > >
> > > > > On Wed, Feb 22, 2023 at 01:40:13PM +0530, Devashish Dewangan cs21m017
> > > > > wrote:
> > > > > > Dear Genodians,
> > > > > > I am working with virt_qemu_arm_v8a, and I read the extensive
> > > > > > documentation on how Genode has experimented with the Trustzone of
> > > > > > ARM. I want to explore the Trustzone and run an application in the
> > > > > > secure mode, but I wanted to know if it is possible to do with
> > > > > > virt_qemu_arm.
> > > > > >
> > > > > > --
> > > > > > Regards,
> > > > > > Devashish Dewangan
> > > > > > CS21M017
> > > > >
> > > > > > _______________________________________________
> > > > > > Genode users mailing list
> > > > > > users at lists.genode.org
> > > > > > https://lists.genode.org/listinfo/users
> > > > >
> > > > >
> > > > > --
> > > > > Stefan Kalkowski
> > > > > Genode labs
> > > > >
> > > > > https://github.com/skalk | https://genode.org
> > > > >
> > >
> > >
> > >
> > > --
> > > Stefan Kalkowski
> > > Genode labs
> > >
> > > https://github.com/skalk | https://genode.org
> > >
> 
> 
> 
> -- 
> Stefan Kalkowski
> Genode labs
> 
> https://github.com/skalk | https://genode.org
> 

-- 
Stefan Kalkowski
Genode labs

https://github.com/skalk | https://genode.org
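
The world-switch steps listed in the quoted reply above, as a host-runnable C model. This is an added illustration, not Genode code and not part of the original message; a real monitor does this in AArch64 assembly at EL3. The struct and function names are hypothetical, the saved-register list is a partial subset, and passing only x0..x3 across worlds is a convention assumed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Host-side model of an EL3 secure monitor's world switch (illustrative
 * only; names are hypothetical, real code uses MSR/MRS in assembly). */
enum { SECURE = 0, NORMAL = 1 };
#define SCR_EL3_NS    (1ull << 0)   /* 1: lower ELs run in the normal world */
#define ESR_EC_SHIFT  26            /* ESR_EL3.EC is bits [31:26] */
#define ESR_EC_SMC64  0x17ull       /* exception class: SMC from AArch64 */

/* Partial set of per-world state the monitor must bank in software; the
 * complete list is the analysis step named in the thread. */
struct world_ctx {
    uint64_t x[31];                 /* general-purpose x0..x30 */
    uint64_t sp_el1, elr_el3, spsr_el3;
    uint64_t sctlr_el1, ttbr0_el1, ttbr1_el1, tcr_el1, mair_el1, vbar_el1;
};

struct monitor {
    struct world_ctx cpu;           /* stands in for the live CPU registers */
    struct world_ctx saved[2];      /* save area, indexed by world */
    uint64_t scr_el3;
};

/* VBAR_EL3 bits [10:0] are RES0, so the vector table is 2 KiB aligned. */
int vbar_valid(uint64_t addr) { return (addr & 0x7ff) == 0; }

int current_world(const struct monitor *m)
{ return (m->scr_el3 & SCR_EL3_NS) ? NORMAL : SECURE; }

/* Synchronous exception taken to EL3. Returns 0 after a world switch,
 * -1 if the exception class is not an SMC (not handled in this model). */
int monitor_sync(struct monitor *m, uint64_t esr_el3)
{
    if (((esr_el3 >> ESR_EC_SHIFT) & 0x3f) != ESR_EC_SMC64) return -1;

    int from = current_world(m), to = !from;
    uint64_t args[4];
    memcpy(args, m->cpu.x, sizeof args);   /* assumed ABI: x0..x3 = call */

    m->saved[from] = m->cpu;               /* save the outgoing world */
    m->cpu = m->saved[to];                 /* restore the incoming world */
    memcpy(m->cpu.x, args, sizeof args);   /* nothing else crosses over */
    m->scr_el3 ^= SCR_EL3_NS;              /* flip the security state */
    return 0;
}
```

Because the incoming world's registers come from its own save area, the outgoing world's x4..x30 and EL1 system registers are never visible on the other side; only the four argument registers cross.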
