Hi,
Arm documentation "ARM Security Technology Building a Secure System using TrustZone Technology" says: The mechanisms by which the physical processor can enter monitor mode from the Normal world are tightly controlled, and are all viewed as exceptions to the monitor mode software. The entry to monitor can be triggered by software executing a dedicated instruction, the Secure Monitor Call (SMC) instruction, or by a subset of the hardware exception mechanisms. The IRQ, FIQ, external Data Abort, and external Prefetch Abort exceptions can all be configured to cause the processor to switch into monitor mode.
What control do you do?If an attacker obtains root privileges, can he access the safe world? Is the secure monitor only protected by privilege level?
Thanks
An attacker with root privilge may provoce an exception or do an SMC to enter monitor mode. But in general, that is where it ends.
But if the attacker could gather enough information to do a valid SMC then security is corrupted.
¿Por qué dices que termina allí? ¿Qué mecanismos tiene TrustZone para detener el ataque? He leído los manuales pero no tengo nada claro, ¿pueden ayudarme a entenderlo mejor?
Atentamente
Of course it depends on the kind of attack. But the Monitor might inform the secure software about the exception (any kind) and the secure software will handle it accordingly.
But how do you know that exception is from an attacker? Is there any way to verify it?
No, you cannot know if this is an attack or just a programming error. But who cares? The secure SW knows the non-secure one is misbehaving so must take measures.