[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [RFC 0/4] TEE mediator framework + OP-TEE mediator

To: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>
From: Julien Grall <julien.grall@xxxxxxx>
Date: Fri, 20 Oct 2017 14:11:14 +0100
Cc: nd@xxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxx
Delivery-date: Fri, 20 Oct 2017 13:11:23 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>
Nodisclaimer: True
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99

Hi Volodymyr,

On 17/10/17 16:59, Volodymyr Babchuk wrote:

On Mon, Oct 16, 2017 at 01:00:21PM +0100, Julien Grall wrote:



On 11/10/17 20:01, Volodymyr Babchuk wrote:

Hello all,


Hi Volodymyr,

Hi Julien


I want to present TEE mediator, that was discussed earlier ([1]).

I selected design with built-in mediators. This is easiest way,
it removes many questions, it is easy to implement and maintain
(at least I hope so).


Well, it may close the technical questions but still leave the security
impact unanswered. I would have appreciated a summary of each approach and
explain the pros/cons.

This is the most secure way also. In terms of trust between guests and
Xen at least. I'm worked with OP-TEE guys mostly, so when I hear about
"security", my first thoughts are "Can TEE OS trust to XEN as a
mediator? Can TEE client trust to XEN as a mediator?". And with
current approach answer is "yes, they can, especially if XEN is a part
of a chain of trust".

But you probably wanted to ask "Can guest compromise whole system by
using TEE mediator or TEE OS?". This is an interesting question.
First let's discuss requirements for a TEE mediator. So, mediator
should be able to:

  * Receive request to handle trapped SMC. This request should include
    user registers + some information about guest (at least domain id).
  * Pin/unpin domain memory pages.
  * Map domain memory pages into own address space with RW access.
  * Issue real SMC to a TEE.
  * Receive information about guest creation and destruction.
  * (Probably) inject IRQs into a domain (this can be not a requester domain,
    but some other domain, that also called to TEE).

This is a minimal list of requirements. I think, this should be enough to
implement mediator for OP-TEE. But I can't say for sure for other TEEs.

Let's consider possible approaches:

1. Mediator right in XEN, works at EL2.
    Pros:
     * Mediator can use all XEN APIs
     * As mediator resides in XEN, it can be checked together with XEN
       for a validity (trusted boot).
     * Mediator is initialized before Dom0. Dom0 can work with a TEE.
     * No extra context switches, no special ABI between XEN and mediator.

    Cons:
     * Because it lives in EL2, it can compromise whole hypervisor,
       if there is a security bug in mediator code.
     * No support for closed source TEEs.

Another cons is you assume TEE API is fully stable and will not change.Imagine a new function is added, or a vendor decided to hence with a newset of API. How will you know Xen is safe to use it?

If it is not safe, this means you have a whitelist solution andtherefore tie Xen to a specific OP-TEE version. So if you need to use anew function you would need to upgrade Xen making the code of using newversion potentially high.

Also, correct me if I am wrong, OP-TEE is a BSD 2-Clause. This means youimpose anyone wanted to modify OP-TEE for their own purpose can make aclosed version of the TEE. But if you need to introspect/whitelist call,you impose the vendor to expose their API.


2. Mediator in a stubdomain. Works at EL1.
    Pros:
     * Mediator is isolated from hypervisor (but it still can do potentially
       dangerous things like mapping domain memory or pining pages).
     * One can legally create and use mediator for a closed-source TEE.


       * Easier to upgrade to a new version of OP-TEE.

>     Cons:
     * Overhead in XEN<->Mediator communication.
     * XEN needs to be modified to boot mediator domain before Dom0.

Is it a really cons? In the past, we had discussion to allow Xencreating multiple domain, avoiding the overhead of Dom0. This could alsobenefits here.

     * Some extra entity required to check validity of a mediator.

3. Mediator in an EL0 app.
    The same pros and cons as for mediator in a stubdomain + extra code for EL0
    apps, which is needed to be supported and maintained.

Now, back to security questions. There are two possible attacks:
attack at XEN and attack at TEE itself.

If your TEE is vulnerable, then your whole system is compromised anyways.
AFAIK, this approach was used to hack Samsung phones. Some flaw in Qualcom's
TZ implementation.

If your TEE mediator is vulnerable, then your hypervisor and all guests are
compromised. Yes TEE mediator increases attack surface, but the same does
any other XEN<->Guest interface. TEE mediators are expected to be simple
and straightforward, without complex logic. So, I think that they are not
more dangerous than vGIC driver or PL011 emulator.

To be honest when I read the list that a mediator should be able to do,I don't think it is possible to say it will not have complex logic.

For instance, for memory pinning. You need to know the buffers whichlikely means introspection of the calls if there are nested buffers.

This implies that you may tie into a specific version of TEE for aspecific version of Xen.

So how do you expect OP-TEE evolving with Xen support? For example, ifthere is a new function do you expect to work on previous version ofXen? Or shall it wait the next release?


And yes, it seems obvious, but I want to say this explicitly: generic
TEE mediator framework should and will use XSM to control which domain
can work with TEE. So, if you don't trust your guest - don't let it
to call TEE at all.

Correct me if I am wrong. TEE could be used by Android guest whichlikely run the user apps... right? So are you saying you fully trustthat guest and obviously the user installing rogue app?

This feature is not implemented in this RFC only because
currently only Dom0 calls are supported.

This would help to understand that maybe it is an easy way but also still
secure...

In previous discussion we considered only two variants: in XEN or outside
XEN. Stubdomain approach looks more secure, but I'm not sure that it is true.
Such stubdomain will need access to all guests memory. If you managed to
gain control on mediator stubdomain, you can do anything you want with all
guests.

That's slightly untrue. The stubdomain will only be able to mess withdomains using TEE.

To be clear, this series don't look controversial at least for OP-TEE. What
I am more concerned is about DomU supports.

Your concern is that rogue DomU can compromise whole system, right?

Yes. You seem to assume that DomU using TEE will always be trusted, Ithink this is the wrong approach if the use is able to interact directlywith those guests. See above.


Cheers,

--
Julien Grall

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [RFC 0/4] TEE mediator framework + OP-TEE mediator
  - From: Volodymyr Babchuk
- Re: [Xen-devel] [RFC 0/4] TEE mediator framework + OP-TEE mediator
  - From: Tamas K Lengyel

References:
- [Xen-devel] [RFC 0/4] TEE mediator framework + OP-TEE mediator
  - From: Volodymyr Babchuk
- Re: [Xen-devel] [RFC 0/4] TEE mediator framework + OP-TEE mediator
  - From: Julien Grall
- Re: [Xen-devel] [RFC 0/4] TEE mediator framework + OP-TEE mediator
  - From: Volodymyr Babchuk

Prev by Date: Re: [Xen-devel] [OSSTEST PATCH 10/16] ts-debian-fixup: remove extra= before appending our own
Next by Date: Re: [Xen-devel] [OSSTEST PATCH 11/16] ts-debian-fixup: use correct resume device
Previous by thread: Re: [Xen-devel] [RFC 0/4] TEE mediator framework + OP-TEE mediator
Next by thread: Re: [Xen-devel] [RFC 0/4] TEE mediator framework + OP-TEE mediator
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.