kvTZ: TrustZone Virtualization for Commodity Arm-based Platforms
| Published in: | IEEE transactions on dependable and secure computing pp. 1 - 8 |
|---|---|
| Main authors: | , |
| Format: | Journal Article |
| Language: | English |
| Published: | IEEE 2025 |
| Subjects: | |
| ISSN: | 1545-5971, 1941-0018 |
| Summary: | Arm TrustZone technology provides hardware features to enable the deployment of security-critical software in trusted execution environments (TEEs). Although TrustZone is widely deployed on physical hardware, it is unavailable to increasingly deployed virtual machines (VMs) running on commodity Arm platforms. These VMs cannot leverage TrustZone's security features, such as secure boot, or deploy trusted applications to secure their systems. To address this limitation, we propose a new design, called kvTZ, that extends commodity hypervisors to expose a virtualized TrustZone to VMs. kvTZ introduces exception-level multiplexing, a novel technique that enables native execution of TrustZone software in the VM environment on the existing Arm hardware. We prototyped kvTZ by extending KVM implementations, including the mainline Linux and Google's Android Linux for pKVM, to support legacy and confidential VMs. kvTZ supports OP-TEE, a de facto open-source TEE for Arm TrustZone. For the first time, we enabled OP-TEE's entire software stack, which encompasses trusted applications (TAs), the kernel, and trusted firmware, to run in a virtualized TrustZone. We show that kvTZ achieves performance efficiency and outperforms the full software emulation-based solution. |
|---|---|
| DOI: | 10.1109/TDSC.2025.3605807 |