kvTZ: TrustZone Virtualization for Commodity Arm-based Platforms

Bibliographic Details
Published in: IEEE transactions on dependable and secure computing pp. 1 - 8
Main Authors: Lin, Chun-Yen, Li, Shih-Wei
Format: Journal Article
Language: English
Published: IEEE 2025
ISSN: 1545-5971, 1941-0018
Description
Summary: Arm TrustZone technology provides hardware features to enable the deployment of security-critical software in trusted execution environments (TEEs). Although TrustZone is widely deployed on physical hardware, it is unavailable to increasingly deployed virtual machines (VMs) running on commodity Arm platforms. These VMs cannot leverage TrustZone's security features, such as secure boot, or deploy trusted applications to secure their systems. To address this limitation, we propose a new design, called kvTZ, that extends commodity hypervisors to expose a virtualized TrustZone to VMs. kvTZ introduces exception-level multiplexing, a novel technique that enables native execution of TrustZone software in the VM environment on the existing Arm hardware. We prototyped kvTZ by extending KVM implementations, including the mainline Linux and Google's Android Linux for pKVM, to support legacy and confidential VMs. kvTZ supports OP-TEE, a de facto open-source TEE for Arm TrustZone. For the first time, we enabled OP-TEE's entire software stack, which encompasses trusted applications (TAs), the kernel, and trusted firmware, to run in a virtualized TrustZone. We show that kvTZ achieves performance efficiency and outperforms the full software emulation-based solution.
DOI: 10.1109/TDSC.2025.3605807