Hi,大家好。
我们团队花了很长时间实现了基于ARM TrustZone的安全内核T6:t6_overview,现在代码已进入稳定版本,目前支持三星SoC、ARM Versatile Express,正在支持Freescale,T6正计划开源,但不知道国内这方面的需求怎么样。
板上大神不少,希望大家能给出点意见或批评,让我们能够有动力将T6一直维护下去。
谢谢。
Hi, 你们是在校研究生么,基于哪个ARM内核实现的安全OS,准备在飞思卡尔i.MX6上实现么?
Hi wangyong,
对,团队目前开发人员以研究生为主。最开始设计时是基于X86的XV6,不过在ARM上实现时改动相当大,功能也增加很多,在对lib支持方面,像OpenSSL这种带网络功能的复杂库能够轻松移植过来稳定运行。
在Freescale支持方面,这几天我们刚研究了i.MX6的相关文档,i.MX文档较全,不像三星SoC一样对开发者不友好,实现起来难度较小,这段时间我们着重于对T6的优化。我们目前还没有买到i.MX6开发板,等买好板子再移植过去。
Thanks
很不错,相信你们的开源安全OS能推动trustzone在国内的发展。有没有跟国外的安全OS做过对比,或者对OS的安全级别做过评估呢。如果整个安全OS是完全开源的是否容易被发现易攻击的点。看国外开源的安全OS的商用版本也是需要授权的。
谢谢wangyong。
目前我们收集的国外安全OS信息比较不完整,因为它们几乎都是闭源并且文档API都只对合作伙伴开放,所以跟国外OS对比方面,我们讲得可能不会非常正确;开源安全OS我们知道的有一个open virtualization (OV),但是其代码设计实现实在太糟糕,并且TrustZone核心保护部分代码是不公开的,我们最开始接触时就是试了OV,忍受不了它众多的bug以及混乱的代码才决定重头写的。目前我们将代码分享给了一个著名的漏洞挖掘安全团队,希望能在实现上保证漏洞尽可能少。
不知道你所说的OS安全级别评估是如何进行?
thanks.
不谢。可能安全OS方面的东西本来就不容易收集吧。感觉安全OS的API已经有了global platform的标准,安全OS的评估可能有国外的公司收费在做呢,可能没有公开具体的标准。OV可能是故意把糟糕的代码开源的么,呵呵。已经找了漏洞挖掘团队的话,应该不错。感觉从安卓OS到安全OS之间的切换过程可能是比较被容易攻击的点。另外,国内相关需求的话,感觉还是要从安全应用/trustlet角度看,可能有应用需求才会用到安全OS吧。祝你们的安全OS早日完善、应用。
很好的开源项目!
对于国内工程师熟悉:TEE Architecture / communications between Non-Secure and Secure state是很有帮助的。
I want to download the Open source code, but failed,
git clone git://www.liwenhaosuper.com/t6.git
Cloning into 't6'...
fatal: unable to connect to www.liwenhaosuper.com:
www.liwenhaosuper.com[0: 192.241.224.225]: errno=Connection refused
Anyone can clone the git?
Look at the following decription, it seems that we can't download the source code directly.
Currently, T6 is only available to research teams who we are familiar with and are dedicated in system and mobile security research, because of the board specific TrustZone details that have NDA constraints. We are now trying our best to remove these constraints and full source code will be availble to the public in June, 2014. For those who are interested in T6, we are glad to hear from you.
Contact liwenhaosuper AT gmail.com for getting the souce code.
Thanks for the information. And great work on it. I'm looking forward to the source code when it's available publicly.
I'm also very interested on the Freescale i.MX6 support and what's the status now?
Jason Liu
We still have not got a Freescale i.MX6 board in hand yet. One guy promised to give us his own i.MX6, but several days ago he told us that the board refuses to work. It is embarrassing,
We contact Samsung about the NDA issue and they warned us that publishing those TrustZone details of their products is strictly forbidden. That confuses us a lot: why do they need to keep this information private? Removing those TrustZone protection codes from the public repository violates our initial goal: users don't need to know any details about TrustZone. Does anyone have some helpful advice to work around this issue?
jasonliu, you may contact me for getting the source code if you are a researcher and can't wait for it.
此贴标记为讨论帖,欢迎大家继续讨论,感谢大家的热烈参与
可能三星怕公布了其芯片的TrustZone的细节会容易被攻击者发现其中的漏洞么。感觉操作系统可以独立于硬件,把跟硬件相关的驱动等部分剥离了,由需要使用该操作系统的用户自己移植到其使用的SOC芯片上去。OV好像就是这样的么。
Hi Wenhao,
Great work! I am interested in your work. Some questions:
1) Do you support multi-core for TZ mode? How's your TZ app scheduling work? Is the whole TZ including all apps a single thread in Linux kernel ? or It is separated from Linux scheduling?
2) What's your interrupt handling policy? FIQ for TZ , IRQ for NW? How do you process NW IRQ when ARM is in TZ mode?
3) Is your TZ code, data stacks protected by TZASC secure memory ?
4) Assuming your TZ app has its own memory space, do you have standard interface for shared memory between NW and TZ? Or do you use GP TEE API?
5) Can different TZA talk to each other? Can they share memory?
6) Do you provide periodic timer FIQ to your TZ?
Thanks,
Ochaoboy
so, 这样本质上跟OV有啥区别?
Hi Ochaoboy,
1. Yes. For multicore support, T6 runs in the primary CPU while Rich OS runs in all CPUs. T6 applications are scheduled by a trusted timer separately.
2. Yes, FIQ for TZ and IRQ for NW. In a uniprocessor, T6 maintains a GIC vector table for secure and normal world separately. When in secure world, only the interested interrupts are enabled, all others are disabled until switching back to normal world. Though there is a more elegant way to do this in muliprocessor, we have implemented this yet.
3. Of course they should be protected by TZASC. And the secure peripherals, such as the trusted timer, should be set as secure by TZPC.
4. We have our own shared memory mechanism. GP TEE API is too complex to use, we take a simple way. In T6, communication between NW and SW is like IPC.
5. No, they are totally separated.
6. Yes, the trusted timer mentioned above.