![Page 1: Secure Initialization of TEEs...Secure Initialization of TEEs EuskalHack 2017 • Cristofaro Mune − Embedded Security Consultant (Independent) − Keywords: TEEs, IoT, Embedded SW](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/1.jpg)
Secure Initialization of TEEs
when secure boot falls short…
EuskalHack 2017
Cristofaro Mune (@pulsoid)
Eloi Sanfelix (@esanfelix)
![Page 2](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/2.jpg)
Who?
• Cristofaro Mune
− Embedded Security Consultant (Independent)
− Keywords: TEEs, IoT, Embedded SW & HW, Fault Injection
− Previous work: WBC, IoT, Embedded Exploitation, Mobile
• Eloi Sanfelix
− Principal Security Analyst @Riscure
− Keywords: Software security, TEE, RE, Exploiting, SCA/FI, CTF
− Previous work: WBC, DRM, PayTV, Smart Cards
![Page 3](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/3.jpg)
What and why…
• TEEs increasingly relevant in security solutions
− …basically everywhere
• Research:
− Interesting but limited in amount and scope
• Lack of a generic TEE security modeling:
− Components and mechanisms
− Attack surfaces
− Attack vectors
![Page 4](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/4.jpg)
TEEs: Fundamentals
![Page 5](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/5.jpg)
Trusted Execution Environment (TEE)
• Aimed at providing a secure environment for the execution of security-critical tasks:
− Payment applications
− DRM applications
− …
• Separated from the Rich Execution Environment (REE)
− Non-secure, untrusted environment
• Support for Trusted Applications (TAs):
− Separated from each other
− Typically implementing one single use case
![Page 6](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/6.jpg)
System overview
(Figure: GlobalPlatform TEE system architecture, with the three separations numbered 1, 2 and 3; source: globalplatform.org)
![Page 7](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/7.jpg)
TEE Critical items
1. TEE separations:
1. Separation from the Rich Execution Environment (REE)
2. Separation between TAs and the TEE OS
3. Separation between TAs
Strong cooperation between HW & SW
We focus on this…
…but the concepts also apply to these.
![Page 8](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/8.jpg)
HW & SW roles
Hardware protecting Software
Software protecting secrets
![Page 9](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/9.jpg)
A TEE reference frame (runtime)
(Figure: layered view of a TEE at runtime. Layers: H/W Platform; TEE OS and Drivers; SDK; TAs and System TAs, split between the REE and TEE sides, with items numbered 1 to 6. HW primitives for separations: Execution, Memory (MMU), I/O, Inter-process. TEE Trusted Code Base (TCB): can remove any protection.)
![Page 10](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/10.jpg)
ARM TrustZone
![Page 11](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/11.jpg)
Example SoC: CPU
![Page 12](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/12.jpg)
CPU Security State
(Figure: NS=1 (Non-secure) vs NS=0 (Secure))
![Page 13](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/13.jpg)
Security State propagation
(Figure: ARM TZ core → AMBA AXI3 bus → DDR, Flash, GPU, …)
AxPROT[1] indicates whether a transaction is Secure or Non-Secure
![Page 14](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/14.jpg)
How is AxPROT[1] determined?
• All AXI slaves are memory mapped
− Including DDR, HW registers, etc.
− Page Table Entries include an NS bit
• AxPROT[1] depends on the CPU and PTE NS bits:

| CPU NS | PTE NS | AxPROT[1] |
|--------|--------|-----------|
| 0      | 0      | 0         |
| 0      | 1      | 1         |
| 1      | x      | 1         |
![Page 15](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/15.jpg)
Example SoC: protection enforcement
![Page 16](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/16.jpg)
Example: Protecting DDR memory
![Page 17](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/17.jpg)
Example: Protecting peripherals
![Page 18](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/18.jpg)
What about other slaves?
• AXI slaves are in charge of enforcing transaction security
• Can be done with:
− Controllers (TZASC, TZPC, etc.)
− Hardcoded logic in the bus matrix
• Controllers MUST be configured by SW
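As an added example (not code from the slides, from the speakers, or from any vendor's TrustZone implementation), the C model below puts the AxPROT[1] table and the slave-side enforcement of the two slides above together. `axprot1()` reproduces the table; `filter_t` is a simplified, constructed stand-in for a TZASC-like controller in front of a memory slave; `demo_access()` and its carve-out address `0x8E000000` are constructed for the demo. Real controllers are programmed through SoC-specific registers and have their own reset behaviour; the point of the model is the consequence of the table and of the "MUST be configured by SW" bullet: an unconfigured controller blocks nothing, and Secure-world code that maps secure memory through a PTE with NS=1 issues a Non-secure transaction and is blocked like the REE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AxPROT[1] as the slides' table gives it: a transaction is Secure (0) only
 * when the CPU is in Secure state (NS=0) AND the page-table entry has NS=0.
 * Every other combination is a Non-secure transaction (1). */
int axprot1(int cpu_ns, int pte_ns) {
    if (cpu_ns) return 1;          /* Non-secure world can never issue Secure transactions */
    return pte_ns ? 1 : 0;         /* Secure world chooses per page through the PTE NS bit */
}

/* Model of a protection controller in front of a slave (TZASC-like, simplified
 * and constructed for this example): a table of half-open regions [start, end)
 * that may be flagged secure-only. */
typedef struct { uint32_t start, end; bool secure_only; } region_t;
typedef struct { region_t regions[8]; size_t count; } filter_t;

bool filter_add_region(filter_t *f, uint32_t start, uint32_t end, bool secure_only) {
    if (f->count >= 8 || start >= end) return false;
    f->regions[f->count++] = (region_t){ start, end, secure_only };
    return true;
}

/* Slave-side decision. Secure transactions (AxPROT[1]=0) pass; a Non-secure
 * transaction is refused if it lands in a secure-only region. With an empty
 * table, i.e. a controller that software never configured, everything passes. */
bool filter_allows(const filter_t *f, uint32_t addr, int axprot_1) {
    if (axprot_1 == 0) return true;
    for (size_t i = 0; i < f->count; i++) {
        const region_t *r = &f->regions[i];
        if (r->secure_only && addr >= r->start && addr < r->end) return false;
    }
    return true;
}

/* End to end: CPU state and PTE determine the bus attribute, the controller
 * enforces it. */
bool access_allowed(const filter_t *f, int cpu_ns, int pte_ns, uint32_t addr) {
    return filter_allows(f, addr, axprot1(cpu_ns, pte_ns));
}

/* Demo: one constructed TEE carve-out in DDR, with or without the controller
 * having been configured during TEE initialization. */
bool demo_access(bool tzasc_configured, int cpu_ns, int pte_ns, uint32_t addr) {
    filter_t f = {0};
    if (tzasc_configured)
        filter_add_region(&f, 0x8E000000u, 0x8F000000u, true);
    return access_allowed(&f, cpu_ns, pte_ns, addr);
}

int main(void) {
    uint32_t tee_addr = 0x8E001000u;   /* inside the constructed carve-out */
    printf("REE -> TEE memory, controller configured:   %s\n",
           demo_access(true,  1, 0, tee_addr) ? "allowed" : "blocked");
    printf("REE -> TEE memory, controller unconfigured: %s\n",
           demo_access(false, 1, 0, tee_addr) ? "allowed" : "blocked");
    printf("TEE via NS=1 mapping -> TEE memory:         %s\n",
           demo_access(true,  0, 1, tee_addr) ? "allowed" : "blocked");
    return 0;
}
```

The third case is the one that surprises people: the CPU is in Secure state, but the mapping carries NS=1, so the bus sees a Non-secure transaction and the controller treats it exactly like an REE access. Secure-world page tables are therefore part of the separation, not just the controller configuration.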
![Page 19](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/19.jpg)
Secure Boot
![Page 20](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/20.jpg)
Why Secure Boot?
• Integrity and confidentiality of flash contents are not assured
− TEE security is not established!
• Secure Boot provides this assurance
(Figure: Generic Embedded System. CPU with internal ROM, OTP and Debug; external FLASH, SRAM and DDR. Stage labels in the figure: BL1.1, BL1.2, …, with a STACK in SRAM.)
![Page 21](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/21.jpg)
Typical Secure Boot implementation
(Figure labels: Internal ROM, Bootloader 1 (BL1), RSA key, signature, …)
− Assures integrity (and confidentiality) of flash contents
− Root of trust composed of immutable code and data
![Page 22](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/22.jpg)
SB vulnerability: Samsung Galaxy S4
1. aboot copies the header, then the kernel
2. The signature is verified and the kernel is booted if OK.
(Figure: Generic Embedded System. Labels: CPU, ROM, OTP, Debug, FLASH, DDR, SRAM; images: Header, …, aboot, Kernel, with aboot and its STACK in SRAM.)
Source: Azimuth Security, Exploiting Samsung Galaxy S4 Secure Boot
![Page 23](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/23.jpg)
Any problems?
(Figure annotations: “Untrusted” and “Arbitrary memory corruption”)
Source: Azimuth Security, Exploiting Samsung Galaxy S4 Secure Boot
![Page 24](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/24.jpg)
So what?
− aboot smashes its own code with attacker-supplied code!
− Alternatively, the attacker could target the return address on the stack
(Figure: the same Generic Embedded System diagram, with the Header, aboot, STACK and Kernel labels.)
Source: Azimuth Security, Exploiting Samsung Galaxy S4 Secure Boot
![Page 25](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/25.jpg)
SB vulnerability: AMLogic S905 SoC
Untrusted data used to determine whether the signature check is enabled!
Source: http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
![Page 26](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/26.jpg)
Beyond Secure Boot
• Secure Boot makes sure code is authentic
− You still need to set up the REE and TEE!
• In particular:
− Initialize separations (TZASC, TZPC, …)
− Load the TEE OS into the Secure World
− Initialize other SoC components
The TEE needs to be securely initialized before running any REE code!
![Page 27](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/27.jpg)
“Time”: TEE initialization
![Page 28](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/28.jpg)
TEE initialization
• TEE initialization is based on Secure Boot.
• TEE initialization must also protect, load, verify, initialize and configure the TEE.
• Then demote to the REE.
![Page 29](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/29.jpg)
A TEE reference frame (full)
(Figure: the runtime reference frame extended with the boot chain. Layers: H/W Platform, Root of Trust, Boot stages; TEE OS and Drivers; SDK; TAs and System TAs, split between the REE and TEE sides, with items numbered 1 to 8. HW primitives for separations: Execution, Memory (MMU), I/O, Inter-process. TEE Trusted Code Base (TCB): can remove any protection.)
![Page 30](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/30.jpg)
Some definitions
• Demotion point:
− The point (in time & code) in a boot process where ALL the privileges for configuring a TEE are given up
− …and the REE is started.
• Critical path(s):
− The set of all the code paths that can be executed before the Demotion point
− Part of the TEE attack surface
![Page 31](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/31.jpg)
How it works: Old Samsung phone
(Figure: boot chain with the stages iROM, BL1, BL2, PBL, TZSW and Android. Per-stage annotations: “Signed/encrypted”, “Signed”, “SECKEY”, “Restricted”, “External”; transitions labelled “Load + Exec”, “Exec”, “Load”. The stages up to “Demotion to REE” are marked as Critical paths; what follows is REE execution.)
![Page 32](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/32.jpg)
Just “Secure Boot”?
• The following must be executed before the Demotion point
• For each TEE-related boot stage:
− Identify WHERE to load the stage in memory
− Protect the memory from the REE
- e.g. configure the TZASC
− Load and verify.
− Run any stage initialization code
• Configure (…more to come…):
− Other IPs
− Other protection controllers
![Page 33](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/33.jpg)
ARM Trusted Firmware
• Reference implementation for trusted TEE initialization
− ARMv8-A architecture
− ATF v1.3 now released
- Security improvements over v1.2
• Customizations needed:
− Highly dependent on memory layout (and design)
− Examples:
- Configuration of TZASC and TZPC, or equivalent controllers
- Initialization routines for BL31 and BL32
![Page 34](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/34.jpg)
Example: ARM Trusted Firmware
![Page 35](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/35.jpg)
Range checks
• One of the TEE security foundations
− Is it Secure or Non-Secure memory?
How difficult can it be?
![Page 36](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/36.jpg)
Real world example
• TEE ranges can be dynamic (and scattered)
− Hardcoded values may be difficult to handle
• Logical mistakes may happen…
https://atredispartners.blogspot.com.mt/2014/08/here-be-dragons-vulnerabilities-in.html
![Page 37](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/37.jpg)
Range checks not so easy…
• Multiple memories:
− Not everything is DDR
• Layout can be dynamic:
− Example: video memory
• Proper check location and API design are fundamental
• A system-level consistent view is needed for proper enforcement:
− Across every SW runtime component
− Across the whole SoC HW.
![Page 38](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/38.jpg)
“Space” dimension: Not just the ARM CPU
![Page 39](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/39.jpg)
Remember?
![Page 40](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/40.jpg)
Potential attack surface
• The SoC is much more than the ARM CPU
• DMA engines
− Crypto accelerators
− PCI/PCIe devices
• Other processing engines
− Audio/Video CPUs
− Modem and WiFi controllers
− Power management MCUs
Any IP with access to the bus MUST be considered!
![Page 41](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/41.jpg)
Buses, masters and slaves
• Most masters are also slaves
− DMA transactions are configured through the bus
− Auxiliary CPUs expose APIs through the bus
− …
• Need to take care of configuration
− Secure bus masters should not be driven by non-secure processing engines
− Firmware running on secure bus masters should be authenticated and secured!
![Page 42](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/42.jpg)
Example: HW crypto engine
(Figure: DDR split into Non-secure and Secure. Non-secure DDR: REE Apps, REE Code/Data, Encrypted content. Secure DDR: TEE Code/Data, Decrypted content. A HW AES Engine serves a “Decrypt from A to B” request; SW components shown: REE OS, TAs, TEE OS.)
![Page 43](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/43.jpg)
What if… ?
(Figure: the same diagram, now without the “Decrypted content” label in Secure DDR.)
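As an added example (not the speakers' code, nor code from the Atredis post linked on the "Real world example" slide), the C below serves the range-check slides and the HW crypto engine figures together. It shows a naive Secure/Non-secure range check with two of the classic logical mistakes (checking only the two end points, and computing the end with arithmetic that wraps) beside an overflow-safe version over a scattered memory map, and then uses the safe version to vet a "Decrypt from A to B" request before it reaches the AES engine. The memory map, the `aes_decrypt_request_allowed()` policy and every address are constructed for this example; the policy itself (REE callers get only non-secure buffers, decrypted output from a TA must land in secure memory) is an assumption, not a statement about any product. The same containment logic is what a loader needs before copying an image whose size comes from an untrusted header, as on the Galaxy S4 slides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Half-open physical address range [start, end). Every value here is
 * constructed for this example and does not describe any real SoC. */
typedef struct { uint32_t start; uint32_t end; } range_t;

/* Secure memory is scattered and not only DDR: on-chip SRAM, a TEE
 * carve-out in DDR and a secure video buffer (constructed layout). */
static const range_t SECURE_RANGES[] = {
    { 0x00100000u, 0x00140000u },  /* on-chip SRAM used by the TEE */
    { 0x8E000000u, 0x8F000000u },  /* TEE carve-out in DDR */
    { 0xC0000000u, 0xC0800000u },  /* secure video buffer */
};
#define N_SECURE (sizeof SECURE_RANGES / sizeof SECURE_RANGES[0])

static bool point_in(const range_t *r, uint32_t a) {
    return a >= r->start && a < r->end;
}

/* Naive check of the kind behind the "logical mistakes" the slides mention:
 * it tests only the two end points, and computes the last byte with 32-bit
 * arithmetic that can wrap. A buffer that starts before a secure range and
 * ends after it passes, and so does one whose length wraps past 0xFFFFFFFF. */
bool naive_is_nonsecure(uint32_t addr, uint32_t len) {
    uint32_t last = addr + len - 1u;            /* wraps for large len */
    for (size_t i = 0; i < N_SECURE; i++)
        if (point_in(&SECURE_RANGES[i], addr) || point_in(&SECURE_RANGES[i], last))
            return false;
    return true;
}

/* Overflow-safe: does [addr, addr+len) intersect r? A length that would
 * wrap is treated as touching everything, so it is never accepted. */
static bool overlaps(const range_t *r, uint32_t addr, uint32_t len) {
    if (len > UINT32_MAX - addr) return true;
    uint32_t end = addr + len;                  /* exclusive, cannot wrap */
    return addr < r->end && end > r->start;
}

/* Overflow-safe: is [addr, addr+len) entirely inside r? No addition at all. */
static bool contained(const range_t *r, uint32_t addr, uint32_t len) {
    if (addr < r->start || addr >= r->end) return false;
    return len <= r->end - addr;
}

/* Hardened classification. Empty buffers are rejected outright: an API that
 * accepts len == 0 invites callers to "check" nothing. */
bool buffer_is_nonsecure(uint32_t addr, uint32_t len) {
    if (len == 0) return false;
    for (size_t i = 0; i < N_SECURE; i++)
        if (overlaps(&SECURE_RANGES[i], addr, len)) return false;
    return true;
}

bool buffer_is_secure(uint32_t addr, uint32_t len) {
    if (len == 0) return false;
    for (size_t i = 0; i < N_SECURE; i++)
        if (contained(&SECURE_RANGES[i], addr, len)) return true;
    return false;                               /* a straddling buffer fails both tests */
}

/* Model policy (assumed for this example) for the "Decrypt from A to B"
 * request of the HW AES engine figure. The engine is a bus master that can
 * reach secure memory, so the TEE OS vets the request, not the REE:
 *  - a request from the REE may only name buffers that are wholly non-secure;
 *  - a request from a TA may read either world but must write the decrypted
 *    output into secure memory, so plaintext never lands in REE-visible DDR. */
bool aes_decrypt_request_allowed(bool caller_is_secure,
                                 uint32_t src, uint32_t src_len,
                                 uint32_t dst, uint32_t dst_len) {
    if (!caller_is_secure)
        return buffer_is_nonsecure(src, src_len) && buffer_is_nonsecure(dst, dst_len);
    bool src_ok = buffer_is_nonsecure(src, src_len) || buffer_is_secure(src, src_len);
    return src_ok && buffer_is_secure(dst, dst_len);
}

int main(void) {
    /* Constructed cases where the naive and the safe check disagree. */
    printf("spanning: naive=%d safe=%d\n",
           naive_is_nonsecure(0x000F0000u, 0x00100000u),
           buffer_is_nonsecure(0x000F0000u, 0x00100000u));
    printf("wrapping: naive=%d safe=%d\n",
           naive_is_nonsecure(0xFFFFFFF0u, 0x20u),
           buffer_is_nonsecure(0xFFFFFFF0u, 0x20u));
    printf("REE asks for decrypt into TEE memory: %d\n",
           aes_decrypt_request_allowed(false, 0x80000000u, 0x1000u, 0x8E000000u, 0x1000u));
    return 0;
}
```

Two design choices are worth noting. First, a buffer is classified only if it lies wholly in one world; a buffer straddling a boundary is neither secure nor non-secure and is refused by both predicates, which is what makes the scattered layout safe to handle. Second, the check sits where the request is interpreted (the TEE OS side of the AES API), not in the REE driver that builds the request: the slides' point about check location and consistency across SW components and the whole SoC is exactly that a check the REE performs on itself protects nothing.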
![Page 44](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/44.jpg)
Securing peripherals
• Some use cases might require isolating peripherals
− Secure display to show mobile payment data
− Secure touch sensor for PIN entry
− Secure fingerprint sensor
• But some peripherals need to be available to both worlds
Runtime configuration required
State transitions must be carefully considered
![Page 45](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/45.jpg)
“Time and Space”: TEE Warm Boot
![Page 46](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/46.jpg)
Warm Boot
• Simply put: boot after “Suspend-To-RAM”
− Typically requested from the REE
• Only some parts of the SoC are powered down:
− DDR in self-refresh mode
− Some limited parts always-on for restore
• Restore/reuse saved execution contexts
− E.g.: entry points
![Page 47](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/47.jpg)
What if…
• Contexts are not fully stored in TEE memory?
• Protection controllers are shut down as well?
• Contexts are stored in non-DDR memory?
− e.g. some on-chip SRAM
• Remaining execution cores are non-secure?
− Do they have access to the memory storing the contexts?
![Page 48](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/48.jpg)
Conclusion
![Page 49](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/49.jpg)
Conclusion
• TEE security can be complex:
− Full HW & SW cooperation continuously required
• TEE initialization is critical
• HW can also be an attacker…
• A more accurate TEE security model is needed:
− Properly frame attacks, discussions and design choices
• Holistic view required
TEE is an environment… …not “just” a feature.
![Page 50](https://reader033.vdocuments.site/reader033/viewer/2022060302/5f08a4367e708231d42302d6/html5/thumbnails/50.jpg)
Thank you!!
Cristofaro Mune (@pulsoid)
Eloi Sanfelix (@esanfelix)