Effective Manipulation in Enclave Execution for MCU Class
T-HEAD Alibaba Group Vincent Cui cxx194832@alibaba-inc.com
Outline
To guarantee that every enclave executes separately on an authentic and trustworthy platform, we must ensure that the attestation chain of trust is provably secure from power-on to system running, even when a vulnerability exists inside a resource-constrained chip. Apart from those known issues, there is still no good scheme for manipulating a device arbitrarily from within an enclave; when the device is also shared with another enclave, this can leak the sensitive and private user data the device generates. RISC-V offers a classical U/M secure program mode for embedded devices. Obviously, the ZSBL (Zero Stage Boot Loader) and the privileged code running in machine mode are our TCB (Trusted Computing Base); the other parts belong to the user-mode scope. In addition to RISC-V's inherent security, we want to support secure boot, secure enclave execution and secure device manipulation in enclaves. We specifically introduce a proposal that allows one enclave to own and operate a specific peripheral arbitrarily. This is very practical functionality in IoT products, because the data generated by a specific device in a product is too valuable and private for the user to have it revealed by sharing that device with other applications.
Secure Boot
The ZSBL is responsible for generating a set of keys and certificates that will be used in subsequent operations. It mainly includes the RISC-V core attestation key and certificate, aside from a storage symmetric key. The symmetric key is derived from a tamper-resistant device secret in hardware. Some attestation keys and certificates are derived from the processor attestation key and certificate.
Secure Enclave Execution
Enclaves usually run on an SEP (Secure Enclave Platform), whose authenticity must be provable. Its properties can be decomposed into Execution Integrity, I/O Data Confidentiality and Program Measurement. With that alone, the SEP provides a small set of primitives for enclaves; all outside software can interact with an enclave only via those primitives, without any information leakage. To enable efficient I/O interaction with the host program, the SEP allows the enclave to access the entire address space of the host program. Once the SEP has verified the desired enclave measurement correctly, the host program can transfer control to the enclave only at a statically defined location named the "entrypoint". Due to constrained resources, all enclaves should be linked statically with the system program. Beyond enabling isolated execution, the SEP implements a primitive that provides attestation information for enclaves that need it.
Secure Device Manipulation with DEVPMP in Enclaves
One enclave can manipulate a specific device arbitrarily when privileged software on the RISC-V core sets the device's register address space into a DEVPMP register. But an attacker in privileged software can allocate the same resource to another enclave. To address this need, we require extending the DEVPMP register by a bit, together with the PMP checker policy, to protect the device against access by other enclaves. A DEVPMP register configured this way remains effective until the next reboot. Consequently, the device's interrupt is handled in the enclave as well.
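As an added illustration, not code from the proposal itself, the following C model sketches the extended DEVPMP entry and checker policy described above: an entry records the device range, the owning enclave and a lock that only a reset clears, so privileged software cannot rebind the same device to a second enclave. The entry layout, entry count, return codes and the deny-by-default for unmapped device space are assumptions of this model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define DEVPMP_ENTRIES 4   /* assumed entry count for the model */

/* Hypothetical model of one extended DEVPMP entry: a device MMIO range,
 * the enclave that owns it, and a lock that holds until reset. */
typedef struct {
    uint32_t base, size;
    uint8_t owner;      /* enclave id allowed to touch the range */
    bool locked;        /* set at allocation; cleared only by reset */
} devpmp_entry_t;

static devpmp_entry_t devpmp[DEVPMP_ENTRIES];

static bool overlaps(const devpmp_entry_t *e, uint32_t base, uint32_t size) {
    uint64_t a_end = (uint64_t)e->base + e->size, b_end = (uint64_t)base + size;
    return base < a_end && e->base < b_end;
}

/* M-mode call: bind a device range to an enclave. Fails if the slot is
 * already locked or any locked entry covers part of the range, so privileged
 * software cannot hand the same device to another enclave before reboot. */
int devpmp_allocate(int idx, uint32_t base, uint32_t size, uint8_t owner) {
    if (idx < 0 || idx >= DEVPMP_ENTRIES || size == 0) return -1;
    if (devpmp[idx].locked) return -2;
    for (int i = 0; i < DEVPMP_ENTRIES; i++)
        if (devpmp[i].locked && overlaps(&devpmp[i], base, size)) return -3;
    devpmp[idx] = (devpmp_entry_t){ base, size, owner, true };
    return 0;
}

/* Checker policy: an access by `enclave` to `addr` is allowed only when the
 * address lies in a locked range owned by that enclave; other enclaves are
 * denied. Device space not bound to any entry is denied here (assumption). */
bool devpmp_check(uint8_t enclave, uint32_t addr) {
    for (int i = 0; i < DEVPMP_ENTRIES; i++) {
        const devpmp_entry_t *e = &devpmp[i];
        if (e->locked && addr >= e->base && addr - e->base < e->size)
            return e->owner == enclave;
    }
    return false;
}

/* Power-on reset is the only operation that clears the entries. */
void devpmp_reset(void) { memset(devpmp, 0, sizeof devpmp); }
```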
Together, the three aspects of enclave implementation above ensure that an enclave runs on a secure platform and executes without disclosing sensitive information.
Original author: cui_632