TrustZone switching worlds

Hi,

Arm documentation "ARM Security Technology Building a Secure System using TrustZone Technology" says: The mechanisms by which the physical processor can enter monitor mode from the Normal world are tightly controlled, and are all viewed as exceptions to the monitor mode software. The entry to monitor can be triggered by software executing a dedicated instruction, the Secure Monitor Call (SMC) instruction, or by a subset of the hardware exception mechanisms. The IRQ, FIQ, external Data Abort, and external Prefetch Abort exceptions can all be configured to cause the processor to switch into monitor mode.

What control do you do?
If an attacker obtains root privileges, can he access the safe world? Is the secure monitor only protected by privilege level?

Thanks

  • An attacker with root privilege may provoke an exception or do an SMC to enter monitor mode. But in general, that is where it ends.

    But if the attacker could gather enough information to do a valid SMC then security is corrupted.
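What "that is where it ends" depends on in practice is the monitor-side handling of each SMC. The sketch below is an added example, not code from this thread or from Arm's documentation: the function ID field layout follows the Arm SMC Calling Convention, while the owner number, function numbers, error code and non-secure RAM window are hypothetical. It rejects unknown function IDs and any buffer argument that does not lie wholly in Normal world memory.

```c
#include <stdint.h>

/* Function ID fields as laid out by the Arm SMC Calling Convention. */
#define SMC_FAST_CALL  (1u << 31)
#define SMC_OWNER(id)  (((id) >> 24) & 0x3fu)
#define SMC_FUNC(id)   ((id) & 0xffffu)
#define SMC_UNKNOWN    (-1L)            /* unknown function ID */

/* Hypothetical values, assumed only for this example. */
#define DEMO_OWNER       0x32u          /* owner 50, Trusted OS range */
#define DEMO_E_INVAL     (-2L)          /* service-specific error code */
#define FN_GET_VERSION   0u
#define FN_SHARE_BUFFER  1u
#define NS_RAM_BASE      0x80000000ULL  /* assumed Normal world RAM */
#define NS_RAM_SIZE      0x10000000ULL
#define DEMO_FID(fn)     (SMC_FAST_CALL | (DEMO_OWNER << 24) | (fn))

static uint64_t shared_base, shared_len; /* last accepted buffer */

/* True only if [addr, addr+len) lies wholly inside non-secure RAM.
 * Written with subtraction so addr + len can never wrap around. */
static int ns_range_ok(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr < NS_RAM_BASE)
        return 0;
    uint64_t off = addr - NS_RAM_BASE;
    return off < NS_RAM_SIZE && len <= NS_RAM_SIZE - off;
}

/* Called on SMC entry with the Normal world's r0..r2 (x0..x2).
 * Every value is attacker-controlled, whatever privilege the caller has. */
long smc_dispatch(uint32_t fid, uint64_t a1, uint64_t a2)
{
    if (!(fid & SMC_FAST_CALL) || SMC_OWNER(fid) != DEMO_OWNER)
        return SMC_UNKNOWN;
    switch (SMC_FUNC(fid)) {
    case FN_GET_VERSION:
        return 0x00010000L;
    case FN_SHARE_BUFFER:
        /* A pointer into secure memory here would turn the service
         * into a read/write primitive for the caller. */
        if (!ns_range_ok(a1, a2))
            return DEMO_E_INVAL;
        shared_base = a1;
        shared_len = a2;
        return 0;
    default:
        return SMC_UNKNOWN;
    }
}
```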
