aboutsummaryrefslogtreecommitdiff
path: root/docs/design_documents/secure_enclave_solution.rst
blob: ce665ac2294199ff80539d48ffb3ca48c6c114d8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
##############################################
Secure Enclave solution for Trusted Firmware-M
##############################################

:Author: Mark Horvath
:Organization: Arm Limited
:Contact: Mark Horvath <mark.horvath@arm.com>
:Status: Draft

********
Abstract
********

This document summarizes the design goals and one possible implementation
of the TF-M Secure Enclave solution.

************
Introduction
************

If a separate subsystem can provide the PSA Root of Trust (RoT) in a system
then an additional physical separation exists between the most trusted and
other domains. In such a system at least two subsystems are present, a Secure
Enclave (SE) whose only task is to provide PSA RoT and an application core
where any other application specific functionality can be placed. The latter
core (or cores) are referred as *Host* in this document.

The current design assumes that Host is a v8-m core with security extension.

************
Requirements
************

- Secure Enclave shall implement secure boot-flow (start-up first at reset and
  validate its own and the Host image or images before release Host from reset)
- Secure Enclave shall provide the PSA RoT services
- Host shall provide not just the non-secure context but the Application RoT as
  well
- It shall be transparent to the (secure or non-secure) applications running on
  host whether the RoT services are provided by the same subsystem or by a
  Secure Enclave.

.. Note::

   In comparison, in a Dual Core system the whole secure context is placed on a
   separate subsystem, while a Secure Enclave only implements the PSA RoT
   security domain.

***************
Proposed design
***************

As the clients and the services are running on different cores only the IPC
model can be used on both Secure Enclave and Host.

Secure Enclave
==============

To provide the required functionality it is enough to run the current PSA RoT
secure partitions on the Secure Enclave, so no need for non-secure context
there. (It is enough if the Secure Enclave's architecture is v6-m, v7-m or v8-m
without the security extension.)

Secure Enclave can treat all clients running on Host as non-secure (even the
services running on Host's secure side). This means that fom Secure Enclave's
point of view all Host images, Host's RAM and shared memory between Host and
Secure Enclave if present are treated as non-secure. (Just like in the Dual CPU
solution.) But the clients need to be distinguished, otherwise some
functionalities are not working, for example:
- Protected Storage partition shall run on Host, but the PS area is handled by
Internal Trusted Storage partition (running on Secure Enclave). ITS partition
decides whether it should work on PS or ITS assets by checking the client ID.
- If a secure partition on host creates a crypto key, no other client shall be
able to destroy it.

Communication
=============

To communicate between Host and Secure Enclave, the existing mailbox solution
can be reused as it is.

Host
====

On Host the current TF-M software architecture can be placed to provide
non-secure context and Application RoT domain.

One solution to forward a PSA RoT IPC message from a client running on Host to
the Secure Enclave is to add a proxy partition to the secure side. This PSA
Proxy partition can provide all the RoT services to the system by forwarding
the messages over the mailbox solution.

If the new partition's manifest contains all the PSA RoT service IDs SPM will
deliver all IPC messages there. Then the messages just must be blindly copied
into the mailbox. PSA proxy can use the non-secure interface of the mailbox,
but it is placed on the secure side of Host. (From SE's point of view this is
in fact the non-secure side of the mailbox as whole Host is treated as
non-secure.)

It is important to verify IOVECs before forwarding them to SE, otherwise a
malicous actor could use SE to access a memory area otherwise unaccessable. If
PSA proxy uses the current secure partition interface then this is ensured by
Host's SPM.

SE treats all clients of Host as non-secure, so all PSA messages shall have a
negative client ID when pushed into SE's SPM. This is given for the clients on
the non-secure side of Host, but the secure side clients of Host have positive
client IDs. The straightforward solution is to translate the positive client
IDs into a predefined negative range in PSA proxy, and push the translated
values into the mailbox. Of course this range shall be reserved for this use
only and no clients on non-secure side of Host shall have client ID from this
range.

To avoid blocking Host when a message is sent PSA Proxy shall handle the
service requests in non-blocking mode. And to maximize bandwidth PSA Proxy
shall be able to push new messages into the mailbox, while others still not
answered. To achieve these the mailbox interrupts needs to be handled in the
PSA Proxy partition.

--------------

*Copyright (c) 2020, Arm Limited. All rights reserved.*