# Trends in TEE-Centered CPU Security Features (RISC-V, ARM, etc.)

Kuniyasu Suzaki (須崎有康), Cyber Physical Security Research Center, National Institute of Advanced Industrial Science and Technology (AIST)

#### Do you know TEE?

- I asked the same question at RISC-V Day Tokyo 2018 and the MICRO51 RISC-V workshop 2018.
- Only 10% of attendees knew it.

#### Do you know these words?

- Real Product
  - TPM (Trusted Platform Module)
  - ARM TrustZone
  - ARM SCP (System Co Processor)
  - Intel SMM (System Management Mode)
  - Intel TXT (Trusted Execution Technology)
  - Intel SGX (Software Guard Extensions)
  - Intel ME (Management Engine)
  - AMD PSP (Platform Security Processor)
  - Google Titan
  - MS Azure Pluton
  - Apple Secure Enclave
  - Apple T2

- Research \*
  - IBM 4765 Secure Coprocessor
    - FIPS 140-2 level 4
      - Wikipedia: FIPS 140-2 Level 4 makes the physical security requirements more stringent, and requires robustness against environmental attacks.
  - MIT Aegis Secure Processor [ICS'03]
  - MIT Sanctum [USENIX Sec'15]

\* Secure Processors Part I: Background, Taxonomy for Secure Enclaves and Intel SGX Architecture [2017, Srinivas Devadas]

#### Contents

- What is CPU Security?
- What is TEE?
- Implementation
- Related topic (TEEP)
- Intel ME, Google NERF, Google Titan, MS Azure, etc. (Messy)

## Why is CPU Security needed?

- Applications are not trustworthy.
  - Their quality is not managed.
- The OS kernel is not trustworthy.
  - Too large to serve as the TCB.
  - Security functions (e.g., the reference monitor) are part of the OS.
  - Hardware isolation (privilege levels) is not enough.
- The hypervisor is not trustworthy.
  - Hardware isolation (virtualization) is not enough.

A CPU that runs apps, the kernel, and the hypervisor together is therefore not trustworthy either.



# HIEE (Hardware-assisted Isolated Execution Environments) is required.

\* SoK : A Study of Using Hardware-assisted Isolated Execution Environments for Security[HASP16]



#### Comparison of HIEE

#### Table 2: Summary of HIEEs

|                       | SMM   | ME    | PSP   | DRTM      | SGX   | TrustZone |
|-----------------------|-------|-------|-------|-----------|-------|-----------|
| Timelines             | ~1993 | ~2007 | ~2013 | ~2005     | ~2013 | ~2002     |
| Supported hardware    | x86   | Intel | AMD   | Intel/AMD | Intel | ARM       |
| Sharing main CPU      | ✓     |       |       | ✓         | ✓     | ✓         |
| High privilege        | ✓     | ✓     | ✓     |           |       | ✓         |
| Zero overhead         |       | ✓     | ✓     |           |       |           |
| Designed for security |       | ✓     | ✓     | ✓         | ✓     | ✓         |

From: SoK : A Study of Using Hardware-assisted Isolated Execution Environments for Security[HASP16]

#### Comparison of CPU mechanism

| Attack | TrustZone | TPM | TPM+TXT | SGX | Aegis | Sanctum |
|---|---|---|---|---|---|---|
| Malicious containers (direct probing) | N/A (secure world is trusted) | N/A (the whole computer is one container) | N/A (does not allow concurrent containers) | Access checks on TLB misses | Security kernel separates containers | Access checks on TLB misses |
| Malicious OS (direct probing) | Access checks on TLB misses | N/A (OS measured and trusted) | Host OS preempted during late launch | Access checks on TLB misses | Security kernel measured and isolated | Access checks on TLB misses |
| Malicious hypervisor (direct probing) | Access checks on TLB misses | N/A (hypervisor measured and trusted) | Hypervisor preempted during late launch | Access checks on TLB misses | N/A (no hypervisor support) | Access checks on TLB misses |
| Malicious firmware | N/A (firmware is a part of the secure world) | CPU microcode measures PEI firmware | SINIT ACM signed by Intel key and measured | SMM handler is subject to TLB access checks | N/A (firmware is not active after booting) | Firmware is measured and trusted |
| Malicious containers (cache timing) | N/A (secure world is trusted) | N/A (does not allow concurrent containers) | N/A (does not allow concurrent containers) | × | × | Each enclave gets its own cache partition |
| Malicious OS (page fault recording) | Secure world has own page tables | N/A (OS measured and trusted) | Host OS preempted during late launch | × | × | Per-enclave page tables |
| Malicious OS (cache timing) | × | N/A (OS measured and trusted) | Host OS preempted during late launch | × | × | Non-enclave software uses a separate cache partition |
| DMA from malicious peripheral | On-chip bus bounces secure world accesses | × | IOMMU bounces DMA into TXT memory range | IOMMU bounces DMA into PRM | Equivalent to physical DRAM access | MC bounces DMA outside allowed range |
| Physical DRAM read | Secure world limited to on-chip SRAM | × | × | Undocumented memory encryption engine | DRAM encryption | × |
| Physical DRAM write | Secure world limited to on-chip SRAM | × | × | Undocumented memory encryption engine | HMAC of address, data, timestamp | × |
| Physical DRAM rollback write | Secure world limited to on-chip SRAM | × | × | Undocumented memory encryption engine | Merkle tree over HMAC timestamps | × |
| Physical DRAM address reads | Secure world in on-chip SRAM | × | × | × | × | × |
| Hardware TCB size | CPU chip package | Motherboard (CPU, TPM, DRAM, buses) | Motherboard (CPU, TPM, DRAM, buses) | CPU chip package | CPU chip package | CPU chip package |
| Software TCB size | Secure world (firmware, OS, application) | All software on the computer | SINIT ACM + VM (OS, application) | Application module + privileged containers | Application module + security kernel | Application module + security monitor |

From: Secure Processors Part I: Background, Taxonomy for Secure Enclaves and Intel SGX Architecture [2017, Srinivas Devadas]

#### Stakeholder map



## What is TEE?

- TEE: Trusted Execution Environment.
  - TEE separates computing world into "normal" and "secure".
    - The secure world is used to run critical code (e.g., authentication, DRM).



- GlobalPlatform defines TEE specification.
  - <u>https://globalplatform.org/technical-committees/trusted-execution-environment-tee-committee/</u>

# GlobalPlatform TEE

- Requirements:
  - <u>https://globalplatform.org/wp-content/uploads/2018/05/Introduction-to-Trusted-Execution-Environment-15May2018.pdf</u>
1. Isolation from the Rich OS
   - All trusted applications and their related data are separated from the rich environment.
2. Isolation from other TAs
   - TAs are isolated within the TEE, and from the TEE itself.
3. Application management control
   - Any modification of the TA and the TEE can only be performed by an authenticated entity.
4. Identification and binding
   - The boot process is bound to the System-on-Chip (SoC), enforcing authenticity and integrity of TEE firmware and TAs.
5. Trusted storage
   - TA and TEE data are stored securely to ensure integrity, confidentiality and binding to the TEE (anti-cloning).
6. Trusted access to peripherals
   - The TEE offers API access to trusted peripherals such as the screen, biometric sensors and SEs, under the control of the TEE.
7. State-of-the-art cryptography
   - Random number generation, cryptography and monotonic time stamps are key assets for value-added services.

## Privileges for TEE

- GlobalPlatform's TEE specification assumes multiple privilege levels in both worlds.
  - The normal world runs normal applications on a normal OS.
  - The secure world runs trusted applications (TAs) on a trusted OS.



- ARM TrustZone offers the same privilege levels to the normal and secure worlds.
- Intel SGX has only one privilege level (the enclave).
  - An enclave is different from the ring architecture.

## Trusted OS on ARM TrustZone

- GlobalPlatform model
- Interrupts are also separated (depending on configuration).



## Differences in Trusted OS Implementation

- Cortex-A 32-bit (ARMv7) and 64-bit (ARMv8)



https://www.slideshare.net/linaroorg/arm-trusted-firmareforarmv8alcu13

#### Comparing Cortex-A and Cortex-M






- Cortex-A follows the layered architecture of the GlobalPlatform TEE.
- Cortex-M's modes (thread or handler) can each be privileged or unprivileged.
- Cortex-M TrustZone does not provide a monitor mode, because latency matters for safety.

Bernard Ngabonziza, Daniel Martin, Anna Bailey, Haehyun Cho and Sarah Martin, "TrustZone Explained: Architectural Features and Use Cases", IEEE International Conference on Collaboration and Internet Computing (2016)

### Hardware components to build TrustZone

- TZASC: TrustZone Address Space Controller
- TZPC: TrustZone Protection Controller
- TZMA: TrustZone Memory Adapter

- Each Peripheral has **Non-Secure bit** 
  - IRQ for Normal World
  - FIQ for Secure World



In the OP-TEE source there are descriptions of TZC-380 and TZC-400 as the Address Space Controller. ARM Trusted Firmware has TZC-400, but I could not find TZC-380.

#### Boot Sequence on ARM TrustZone

- BL: Boot Loader
- EL: Exception Level



#### Trusted OS

- A Trusted OS is not a normal OS.
  - The Trusted OS is the TCB (Trusted Computing Base). It must be secure, i.e., small.
  - No POSIX API, no dynamic link libraries.
    - A TA becomes a statically linked binary.
- The Trusted OS needs the help of the normal OS.
  - Because the Trusted OS has no file system and no device drivers (except for a few special devices, e.g., UART).
    - When a TA wants to save data, the data is encrypted and saved on the file system of the normal OS.
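The last bullet, and requirement 5 (trusted storage) of the GlobalPlatform list above, both come down to the same thing: the blob that leaves the secure world must protect integrity, confidentiality, binding to the device and TA, and resistance to rollback, because the normal-world OS that stores it is untrusted. The following is an added example, not OP-TEE's secure-storage code, written with only the Python standard library: the keystream is HMAC-SHA256 in counter mode (a stand-in for a real AES mode) and the tag is HMAC-SHA256 over header and ciphertext. The device key, TA identifiers and file contents are constructed values.

```python
"""Sealing TA data before it is handed to the normal-world file system (added example).

Blob layout: version (8 bytes) || nonce (16 bytes) || ciphertext || tag (32 bytes).
Keys are derived per TA from a device-unique key, so a blob sealed by one TA cannot be
unsealed by another TA or on another device. The version is covered by the tag and is
compared against a monotonic counter the secure world keeps itself."""
import hashlib
import hmac
import os
import struct

DEVICE_KEY = b"constructed-device-unique-root-key-0123"  # in hardware this never leaves the SoC
HDR_LEN = 8 + 16   # 64-bit version counter + 128-bit nonce
TAG_LEN = 32


def derive_ta_keys(device_key: bytes, ta_uuid: bytes) -> tuple:
    """Separate encryption and MAC keys, bound to this device and this TA."""
    enc = hmac.new(device_key, b"enc|" + ta_uuid, hashlib.sha256).digest()
    mac = hmac.new(device_key, b"mac|" + ta_uuid, hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stream cipher standing in for AES-CTR/GCM."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(device_key: bytes, ta_uuid: bytes, version: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the version in the header is authenticated together with the data."""
    enc_key, mac_key = derive_ta_keys(device_key, ta_uuid)
    header = struct.pack(">Q", version) + os.urandom(16)
    nonce = header[8:]
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unseal(device_key: bytes, ta_uuid: bytes, blob: bytes, counter: int) -> bytes:
    """`counter` is the latest version the secure world recorded in its own monotonic
    counter (never read back from normal-world storage). The tag is checked first; a
    blob whose authenticated version is older than the counter is a rollback."""
    if len(blob) < HDR_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    enc_key, mac_key = derive_ta_keys(device_key, ta_uuid)
    header, ct, tag = blob[:HDR_LEN], blob[HDR_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: blob modified in normal-world storage")
    version = struct.unpack(">Q", header[:8])[0]
    if version < counter:
        raise ValueError("rollback detected: version %d < counter %d" % (version, counter))
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, header[8:], len(ct))))


def _rejects(device_key, ta_uuid, blob, counter) -> bool:
    try:
        unseal(device_key, ta_uuid, blob, counter)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Happy path plus the three failure modes an untrusted normal world could cause."""
    ta_a, ta_b = b"constructed-ta-uuid-A", b"constructed-ta-uuid-B"
    secret = b"constructed TA state: pin-hash=abc123"
    blob = seal(DEVICE_KEY, ta_a, 3, secret)
    tampered = bytearray(blob)
    tampered[HDR_LEN] ^= 0x01                     # flip one ciphertext bit
    return {
        "roundtrip": unseal(DEVICE_KEY, ta_a, blob, 3) == secret,
        "tamper_rejected": _rejects(DEVICE_KEY, ta_a, bytes(tampered), 3),
        "rollback_rejected": _rejects(DEVICE_KEY, ta_a, blob, 4),   # counter already at 4
        "other_ta_rejected": _rejects(DEVICE_KEY, ta_b, blob, 3),
    }
```

The rollback check only works because the counter lives inside the secure world: if the TEE stored the latest version in the same normal-world file, the attacker could roll both back together.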

# Implementation of Trusted OS

- Open Source Trusted OS
  - OP-TEE (Linaro) <u>https://github.com/OP-TEE</u>
  - Open-TEE (Aalto University[TrustCom15]) <a href="https://open-tee.github.io/">https://open-tee.github.io/</a>
  - Trusty (Google) <a href="https://source.android.com/security/trusty/index.html">https://source.android.com/security/trusty/index.html</a>
  - SierraTEE (Sierra) <u>https://www.sierraware.com/open-source-ARM-TrustZone.html</u>
  - SafeG (Nagoya University) <u>https://www.toppers.jp/en/safeg.html</u>
- Enterprise Trusted OS
  - Apple's Secure Enclave
  - Qualcomm's QTEE, ex. QSEE <u>https://www.qualcomm.com/solutions/mobile-computing/features/security</u>
  - Samsung's Knox <a href="https://www.samsungknox.com/en">https://www.samsungknox.com/en</a>
  - Samsung's Teegris <u>http://developer.samsung.com/teegris</u>
  - Trustonic's Kinibi OS, ex. Mobicore/t-base/G&D
  - Huawei's TrustedCore

## How to run a TA on OP-TEE



## Memory Map of OP-TEE



- ARM 96Board Hikey 2GB
  - SoC: Kirin 620
  - Cortex-A53 Octa-core 64-bit 1.2GHz (ARM v8 instruction set)
- Software size: Our experience
  - Secure world
    - Secure Monitor 33KB
    - OP-TEE 281KB
    - TA 1,200KB
  - Normal World (on Linux)
    - TA-Client 17KB
    - TEE-Supplicant 197KB

## TEE Vulnerabilities

- Many attacks exist on both software and hardware.
  - Software
    - Boomerang [NDSS'17]
      - Pointer exploit: a TA can access any memory region, so an attacker exploits the TA to obtain sensitive data in the normal world.
    - QSEE TrustZone Kernel Integer Overflow [BlackHat14]
    - Exploiting Trustzone on Android [BlackHat15]
  - Hardware
    - Foreshadow [USENIX Sec'18] (aka L1TF: L1 Terminal Fault)
      - Intel SGX vulnerability from out-of-order execution
      - A microcode update mitigates this vulnerability
    - Prime+Count [ACSAC'18] by Samsung
      - ARM TrustZone cross-world covert channels using the cache.
    - Cache Attack [EuroSec'17] <u>https://www1.cs.fau.de/sgx-timing</u>
      - Intel SGX cache timing attack


# Boomerang Flaw [NDSS18]



| TEE name    | Vendor             | Impact                              | Bug Detail    |
|-------------|--------------------|-------------------------------------|---------------|
| TrustedCore | Huawei             | Arbitrary write                     | CVE-2016-8762 |
| QSEE        | Qualcomm           | Arbitrary write                     | CVE-2016-5349 |
| Trustonic   | As used by Samsung | Arbitrary write                     |               |
| SierraTEE   | Sierraware         | Arbitrary write                     |               |
| OP-TEE      | Linaro             | Write to other application's memory |               |

\*Security issues with ARM TrustZone [TestingStage18]
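The common thread in the table above is a confused-deputy problem: the normal-world client hands the TA a pointer, and a TEE that dereferences it with secure-world privileges lets an unprivileged app reach memory it could never touch itself. The added example below is not code from the Boomerang paper or from any of the listed TEEs; it models the missing check as a defender would add it, including the arithmetic-overflow case that the QSEE integer overflow entry above refers to. Memory layout, contents and per-session ranges are constructed.

```python
"""Validating a normal-world buffer reference before the TEE touches it (added example)."""

ADDR_BITS = 32                                    # assumption: 32-bit addressing in the TEE
ADDR_LIMIT = 1 << ADDR_BITS

# Constructed flat physical map (not a real SoC layout)
SHARED_BUF = (0x0010_0000, 0x0011_0000)           # non-secure buffer the client app may use
NW_KERNEL = (0x0020_0000, 0x0030_0000)            # normal-world kernel; apps must not reach it

MEMORY = bytearray(0x0030_0000)
MEMORY[0x0010_0040:0x0010_0050] = b"client-request!!"
MEMORY[0x0020_0100:0x0020_0110] = b"nw-kernel-secret"


def vulnerable_read(addr: int, length: int) -> bytes:
    """Trusts the caller's pointer: the TA copies from wherever it points."""
    return bytes(MEMORY[addr:addr + length])


def caller_may_access(allowed: list, addr: int, length: int) -> bool:
    """The whole range [addr, addr+length) must sit inside one range the caller may use.
    Python integers do not wrap, but on a 32-bit TEE the C expression `addr + length`
    does, so the explicit ADDR_LIMIT test stands in for the overflow check a C
    implementation needs before comparing against a region's upper bound."""
    if length <= 0 or addr < 0:
        return False
    end = addr + length
    if end > ADDR_LIMIT:
        return False
    return any(lo <= addr and end <= hi for lo, hi in allowed)


def hardened_read(session_ranges: list, addr: int, length: int) -> bytes:
    """Same copy as vulnerable_read, but only after validating against the caller's ranges."""
    if not caller_may_access(session_ranges, addr, length):
        raise PermissionError("buffer not within caller-accessible memory")
    return bytes(MEMORY[addr:addr + length])


def demo() -> dict:
    app_session = [SHARED_BUF]                    # what this normal-world app may reference
    results = {
        "vulnerable_leaks_kernel": vulnerable_read(0x0020_0100, 16) == b"nw-kernel-secret",
        "hardened_allows_shared": hardened_read(app_session, 0x0010_0040, 16) == b"client-request!!",
    }
    for name, addr, length in [("kernel_ptr", 0x0020_0100, 16),
                               ("straddles_end", 0x0010_FFF8, 16),
                               ("wraparound", ADDR_LIMIT - 8, 16),
                               ("zero_length", 0x0010_0040, 0)]:
        try:
            hardened_read(app_session, addr, length)
            results[name] = "allowed"
        except PermissionError:
            results[name] = "rejected"
    return results
```

The allowed ranges must describe what the calling normal-world process may access, not merely what is non-secure memory; a check against "anything outside the secure world" would still let an app reach the normal-world kernel through the TA.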

#### HIEE on RISC-V

| On x86 / ARM | Role | On RISC-V |
|---|---|---|
| SMM: System Management Mode | Used by BIOS/UEFI for ACPI, etc. | ⇒ Machine Mode |
| Intel ME: Management Engine | Runs MINIX; used for remote wakeup. | ⇒ ??? |
| Intel SGX | | ⇒ Sanctum of MIT, Keystone of UCB |
| ARM TrustZone | | ⇒ MultiZone of Hex-Five, TEE WG of RISC-V Foundation |

SGX and TrustZone are programmable by a user; they are used for TEE.

## RISC-V TEE project

- Rahul Mahadev's OP-TEE on seL4 [Google Summer of Code 2016]
- Sanctum [USENIX Sec'16]
  - Keystone [2018]
- MultiZone of Hex-Five [Sep/2018]
- TERP of SiFive [RISC-V Summit Dec/2018]
- TEE Working Group of RISC-V Foundation

#### OP-TEE on RISC-V using seL4

- Rahul Mahadev's Google Summer of Code 2016
- <u>http://mahadevrahul.blogspot.com/</u>
  - The TrustZone features and the secure monitor must be implemented as a seL4 library.
  - OP-TEE is paravirtualized: all calls referencing ARM Trusted Firmware and the secure monitor are replaced with new calls.

| App             | TA                           |     |
|-----------------|------------------------------|-----|
| Rich OS (Linux) | Paravirtualized OP-TEE       |     |
|                 | Library to emulate TrustZone | VMM |
| seL4            |                              |     |

# Sanctum [USENIX Sec'16]

- Figure of software stack

https://www.usenix.org/sites/default/files/conference/protected-files/security16\_slides\_costan.pdf

- Enclaves are created in User Mode.
- The Secure Monitor in Machine mode assists the secure creation of enclaves.
- Successor project "Keystone" of UCB and MIT.
- <u>https://keystone-enclave.org/</u>



#### MultiZone of Hex-Five

- MultiZone is announced



#### Arms race: SiFive, Hex Five build code safe houses for RISC-V chips

Those developing custom CPUs can now tap a TrustZone-ish trusted execution environment. By Thomas Claburn in San Francisco, 10 Sep 2018

#### Hex Five Security Adds MultiZone Trusted Execution Environment to the SiFive Software Ecosystem

Enabling RISC-V Developers to a Robust Trusted Execution Environment without any changes to hardware or software.

**SAN MATEO, Calif.** -- **Sept. 10, 2018** -- **<u>SiFive</u>, the leading provider of commercial RISC-V processor IP, today welcomed <u>Hex Five Security</u>, maker of MultiZone<sup>™</sup> Security, the first Trusted Execution Environment (TEE) for RISC-V, to the growing SiFive Software Ecosystem. Through the partnership, SiFive will incorporate MultiZone<sup>™</sup> Security into its Freedom SDK for easy adoption by SiFive customers seeking a Trusted Execution Environment.**

- MultiZone is based on a nanokernel.

- <u>https://hex-five.com/wp-content/uploads/2018/09/hex\_five\_multizone\_datasheet.20180920.pdf</u>
- System Requirements
  - 32 bit or 64 bit RISC-V ISA with 'S' or 'U' extensions
  - Physical Memory Protection compliant with Ver. 1.10
  - 4KB FLASH and 1KB RAM
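The second requirement is the whole basis of a PMP-based TEE: the nanokernel keeps zones apart by reprogramming the PMP entries on every zone switch, and the hardware rejects any access a zone makes outside its entries. The added example below is not Hex Five's code; it decodes pmpcfg/pmpaddr entries with the encoding of the privileged spec v1.10 (TOR, NA4 and NAPOT address modes, R/W/X and L bits) and decides whether an access is permitted, including the partial-overlap and no-match cases. It assumes RV32 (pmpaddr holds address bits [33:2]); the sample entries are a constructed zone layout, not any product's configuration.

```python
"""RISC-V PMP permission check (added example; privileged spec v1.10 encoding)."""

PMP_R, PMP_W, PMP_X, PMP_L = 0x01, 0x02, 0x04, 0x80
A_OFF, A_TOR, A_NA4, A_NAPOT = 0, 1, 2, 3


def pmp_cfg(mode: int, perms: int, locked: bool = False) -> int:
    """Assemble one pmpcfg byte: A field in bits 3-4, R/W/X in bits 0-2, L in bit 7."""
    return (mode << 3) | perms | (PMP_L if locked else 0)


def napot_addr(base: int, size: int) -> int:
    """pmpaddr encoding for a naturally aligned power-of-two region of `size` bytes."""
    assert size >= 8 and size & (size - 1) == 0 and base % size == 0
    return (base >> 2) | ((size >> 3) - 1)


def decode_entry(i: int, cfgs: list, addrs: list):
    """Return (lo, hi, perms, locked) with hi exclusive, or None if the entry is OFF."""
    cfg = cfgs[i]
    mode = (cfg >> 3) & 3
    perms, locked = cfg & 7, bool(cfg & PMP_L)
    if mode == A_OFF:
        return None
    if mode == A_TOR:                       # [pmpaddr[i-1], pmpaddr[i]); entry 0 starts at 0
        lo = (addrs[i - 1] << 2) if i > 0 else 0
        return lo, addrs[i] << 2, perms, locked
    if mode == A_NA4:
        lo = addrs[i] << 2
        return lo, lo + 4, perms, locked
    a, k = addrs[i], 0                      # NAPOT: k trailing ones -> size 2^(k+3)
    while (a >> k) & 1:
        k += 1
    lo = (a >> (k + 1)) << (k + 3)
    return lo, lo + (1 << (k + 3)), perms, locked


def pmp_check(addr: int, size: int, access: int, priv: str, cfgs: list, addrs: list) -> bool:
    """priv is 'M', 'S' or 'U'. The lowest-numbered matching entry decides; an access that
    only partially overlaps an entry fails. M-mode is unrestricted unless the matching
    entry is locked; S/U mode with no matching entry fails (PMP entries are implemented)."""
    for i in range(len(cfgs)):
        region = decode_entry(i, cfgs, addrs)
        if region is None:
            continue
        lo, hi, perms, locked = region
        if addr + size <= lo or addr >= hi:
            continue
        if addr < lo or addr + size > hi:
            return False
        if priv == "M" and not locked:
            return True
        return bool(perms & access)
    return priv == "M"


# Constructed sample zone layout: zone text (R+X), zone data (R+W), shared buffer via TOR (R+W)
SAMPLE_CFGS = [
    pmp_cfg(A_NAPOT, PMP_R | PMP_X),
    pmp_cfg(A_NAPOT, PMP_R | PMP_W),
    pmp_cfg(A_OFF, 0),                      # only supplies the lower bound for entry 3
    pmp_cfg(A_TOR, PMP_R | PMP_W),
]
SAMPLE_ADDRS = [
    napot_addr(0x8000_0000, 0x1000),
    napot_addr(0x8000_1000, 0x1000),
    0x8000_2000 >> 2,
    0x8000_3000 >> 2,
]
```

Two details matter for a zone switch: an OFF entry still contributes its address as the lower bound of a following TOR entry (entry 2 above), and the nanokernel itself runs in M-mode, where unlocked entries impose no restriction, so the L bit is what protects entries the kernel wants to make immutable even against its own later code.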

Figure: each zone (Network Stack, Root of Trust, Crypto Libraries, User App / RTOS / Linux, through User App n) has its own stack, heap, uninitialized data, initialized data and text; the zones are connected through InterZone™ Secure Communications on top of the MultiZone™ nanoKernel.

#### SiFive TERP: A Trusted Execution Reference Platform for Embedded Secure Applications

- The goal of TERP is to describe all the components necessary to build an embedded RISC-V processor that provides isolated multi-tenancy.
- It will be unveiled at the **RISC-V Summit, 5 Dec 2018**.

#### TEE Working Group of RISC-V foundation

- Remote conference every week
  - Discuss memory protection, privilege mode, etc.
- When we implement OP-TEE on RISC-V, we must develop
  - Boot sequence: Trusted Boot Firmware, Secure Monitor
  - Linux kernel driver
  - Libraries (libutee.a for TA and libtee.so for Linux Apps)
  - Linux application to assist TA (TEE-supplicant)

# Other Implementation of TEE

- Hardware
  - FPGA TEE "Iso-X" (SUNY at Binghamton) [Micro47 2014]
  - GPU TEE "Graviton" (Microsoft Research) [OSDI'18]
    - Requires NVIDIA GPU extension
- Software
  - TrustZone virtualization "vTZ" (Shanghai Jiao Tong University) [USENIX Sec'17]
    - Virtualize TrustZone for VMs
  - TEE delegation "DelegaTEE" (ETH Zurich) [USENIX Sec'18]
    - DelegaTEE is implemented using Intel SGX
  - TEE Migration (INRIA) [IFIP WISTP'15]
    - privacy-preserving TEE profile migration protocol

#### IETF's TEEP

- Trusted Execution Environment Provisioning
  - <u>https://datatracker.ietf.org/wg/teep/about/</u>
  - Protocol to manage TA: Trusted Application.
    - TAM (Trusted Application Manager) controls the life cycle of a TA (create, update, and delete).



Figure 1: Notional Architecture of TEEP

- The TEE's API (Trusted OS) is important.


# Survey papers

- Secure Processors Part I: Background, Taxonomy for Secure Enclaves and Intel SGX Architecture [2017, Srinivas Devadas]
- SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security[HASP16]
- Security issues with ARM TrustZone [TestingStage18]
- Trusted Execution Environment: What It is, and What it is Not [TrustCom15]
- TrustZone Explained: Architectural Features and Use Cases [CIC16]



- FFRI Monthly Research "ARMv8-M TrustZone: Architecture and Security Features for Embedded Devices"
  - <u>https://www.ffri.jp/blog/2016/03/2016-03-18.htm</u>
- The Emergence of Secure Hardware and Its Analysis
  - <u>https://www.ffri.jp/assets/files/monthly\_research/MR201303\_TrustZone.pdf</u>
- TrustZone Use Cases and Trends
  - <u>https://www.ffri.jp/assets/files/monthly\_research/MR201703\_TrustZone\_use\_case\_and\_trend\_JPN.pdf</u>

# Intel ME (Management Engine)

- Micro controller on chipset
- MINIX runs
  - HTTPS server runs
- Intel AMT (Active Management Technology)
  - Remote boot, which works like IPMI
- Update with BIOS (Size info <a href="https://github.com/corna/me\_cleaner">https://github.com/corna/me\_cleaner</a>)
  - Generation 2 (Nehalem-Broadwell, ME version 6 -10)
    - 1.5 MB (non-AMT firmware) 5 MB (AMT firmware)
  - Generation 3 (from Skylake onwards, ME version >= 11)
    - 2 MB (non-AMT firmware) 7 MB (AMT firmware)

#### Position of Intel ME



| Ring | What runs there | Which CPU |
|---|---|---|
| Ring 3 (User) | Code you know about | x86 CPU you know about |
| Ring 0 (Linux) | Code you know about | x86 CPU you know about |
| Ring -1 (Xen etc.) | Code you know about | x86 CPU you know about |
| Ring -2 kernel and ½ kernel | SMM ½ kernel (traps to 8086 16-bit mode); UEFI kernel running in 64-bit paged mode. Control all CPU resources. Invisible to Ring -1, 0, 3. Code you don't know about. | x86 CPU you know about |
| Ring -3 kernels | Management Engine, ISH, IE. Higher privilege than Ring -2. Can turn on node and reimage disks invisibly. Minix 3. Code you don't know about. | x86 CPU(s) you don't know about |

Intel ME: The Way of the Static Analysis [TROOPERS17]

Replace your exploit-ridden firmware with a Linux kernel [LinuxCon17]

#### Overview of Intel ME



https://itsfoss.com/fact-intel-minix-case/

Igor Skochinsky, Intel ME Secrets, CODE BLUE 2014

#### Network of Intel ME



- HECI: Host Embedded Controller Interface
  - communication using a PCI memory-mapped area
- Network protocol is SOAP(HTTP or HTTPS)

Igor Skochinsky, Intel ME Secrets, CODE BLUE 2014

## Vulnerability of Intel ME

- Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability, CVE-2018-4251
  - <u>http://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html</u>
- Intel ME 11.x Firmware Images Unpacker
  - <u>https://github.com/ptresearch/unME11</u>
- Vulnerability INTEL-SA-00086 allows activating JTAG for the Intel Management Engine core.
  - <u>https://github.com/ptresearch/IntelTXE-PoC</u>
- "Silent Bob is Silent", Escalation of privilege vulnerability on Intel AMT, CVE-2017-5689

## Google's stance

- Ring -2/-3 have many functions (in MINIX)
  - IP stacks (4 and 6)
  - File systems
  - Drivers (disk, net, USB, mouse)
  - Web servers

They work even if the main OS is terminated.





Replace your exploit-ridden firmware with a Linux kernel [LinuxCon17]

#### Google's Answer NERF: Non-Extensible Reduced Firmware

- De-blobbed ME
- UEFI reduced to its most basic parts
- SMM disabled or vectored to Linux
- Userland written in Go (<u>http://u-root.tk</u>)
  - u-root [USENIX'15]

Replace your exploit-ridden firmware with a Linux kernel [LinuxCon17]

## Google's Titan

- Google proposes a "secure chip" that is integrated between the chipset and the boot flash.

**Titan system integration** 





# MS Azure Pluton

- MediaTek MT3620: the first Azure Sphere class microcontroller
  - Securely isolated subsystems.
  - Units have HW firewalls.
  - HW-based attestation.
  - The security processor is the first to boot.
    - Its initial code is in ROM.
  - Software is signed.
  - SW rollback protection.



The Hardware Security Platform Behind Azure Sphere [HotChips 18]
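The last four bullets describe one chain: ROM code boots first, verifies each later stage, refuses versions older than a hardware-held counter, and records what ran so that the device can later attest it. The added example below is not Microsoft's Pluton firmware; stage images, versions and keys are constructed. Two stand-ins are used: the ROM's signature verification of a stage is modelled as a lookup in a trusted manifest of (digest, version) pairs, and the attestation report is an HMAC under a device-unique key rather than an asymmetric signature. It also shows why signature checking alone is not rollback protection: an older, validly signed image passes verification and is stopped only by the counter.

```python
"""Measured boot with rollback counter and attestation report (added example)."""
import hashlib
import hmac

DEVICE_KEY = b"constructed-device-unique-attestation-key"

# Constructed stage images in boot order (the ROM that runs first is implicit)
STAGES = [("bootloader", b"constructed bootloader image, v2"),
          ("os",         b"constructed OS image, v5"),
          ("app",        b"constructed application image, v1")]
# Trusted manifest the ROM holds: expected digest and version per stage (signature stand-in)
MANIFEST = {name: (hashlib.sha256(img).digest(), ver)
            for (name, img), ver in zip(STAGES, [2, 5, 1])}


def extend(register: bytes, digest: bytes) -> bytes:
    """TPM-style extend: order matters, so a swapped or extra stage changes the result."""
    return hashlib.sha256(register + digest).digest()


def measured_boot(stages: list, manifest: dict, counters: dict) -> bytes:
    """Verify and measure each stage in turn; returns the final measurement register.
    `counters` is the monotonic rollback store (in a real device it lives in
    hardware-protected storage and is only ever raised)."""
    register = bytes(32)
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        expected_digest, version = manifest[name]
        if not hmac.compare_digest(digest, expected_digest):
            raise ValueError("%s: image fails verification" % name)
        if version < counters.get(name, 0):
            raise ValueError("%s: version %d below rollback counter %d"
                             % (name, version, counters[name]))
        counters[name] = version
        register = extend(register, digest)
    return register


def attestation_report(device_key: bytes, register: bytes, nonce: bytes) -> bytes:
    """Report over the measurement and a verifier-chosen nonce (freshness)."""
    return hmac.new(device_key, register + nonce, hashlib.sha256).digest()


def verify_report(device_key: bytes, expected_register: bytes, nonce: bytes, report: bytes) -> bool:
    return hmac.compare_digest(report, attestation_report(device_key, expected_register, nonce))


def boot_outcome(stages: list, manifest: dict, counters: dict) -> str:
    try:
        measured_boot(stages, manifest, counters)
        return "booted"
    except ValueError as e:
        return "halted: " + str(e).split(":")[0]


def demo() -> dict:
    good = measured_boot(STAGES, MANIFEST, {})
    nonce = b"constructed-verifier-nonce"
    report = attestation_report(DEVICE_KEY, good, nonce)
    tampered = [STAGES[0], ("os", b"patched OS image"), STAGES[2]]
    # An older OS that was validly signed at the time: still present in the old manifest
    old_manifest = dict(MANIFEST)
    old_manifest["os"] = (hashlib.sha256(b"old OS v4").digest(), 4)
    downgrade = [STAGES[0], ("os", b"old OS v4"), STAGES[2]]
    return {
        "report_verifies": verify_report(DEVICE_KEY, good, nonce, report),
        "wrong_nonce_fails": verify_report(DEVICE_KEY, good, b"other", report),
        "tampered_os": boot_outcome(tampered, MANIFEST, {}),
        "downgrade_blocked": boot_outcome(downgrade, old_manifest, {"os": 5}),
        "downgrade_allowed_without_counter": boot_outcome(downgrade, old_manifest, {}),
    }
```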

#### Conclusions

- Many CPU security features exist.
  - The common feature is "HIEE: Hardware-assisted Isolated Execution Environments".
- Related talks
  - 29 Nov: 7th International Symposium on Cyber Security @ Keio University
    - RISC-V panel
    - <u>https://cysec-lab.keio.ac.jp/sympo1811/index-j.html</u>
  - 13 Dec: Hardware Security Forum 2018 @ The University of Tokyo
    - <u>http://www.ieice.org/~hws/</u>