Security on Arm

OP-TEE

OP-TEE is an open source Trusted Execution Enviroment (TEE) implementing the Arm TrustZone technology. Linaro has a long track record of working with TrustZone and Trusted Execution Environments (TEE). Back in 2013 Linaro, together with STMicroelectronics, started working on preparing STMicroelectronics proprietary TEE solution for Open Source. A couple of months later OP-TEE was published and since then Linaro has been a key contributor both in terms of pushing new features as well as doing roadmap planning, maintenance, release work, vulnerability assessment and mitigation of security issues. We employ several core maintainers for the OP-TEE project as well as maintainers for the TEE framework in the Linux kernel and U-Boot. Since the TEE is a core component in the Arm ecosystem, it is used in a lot of different use cases. As a result, Linaro has developed strong engineering teams who know how to put together efficient and well performing solutions with OP-TEE, no matter how big or small the task. In 2019, OP-TEE was donated to Trusted Firmware, a Linaro Community Project. Linaro is still responsible for driving the roadmap for OP-TEE in sync with the members of Linaro as well as with the TrustedFirmware.org project.

Morello

Morello is a research program led by Arm in association with partners and funded by the UKRI as part of the UK government Digital Security by Design (DSbD) programme. It defines a new prototype security architecture based on CHERI (Capability Hardware Enhanced RISC Instructions). This new research architecture is very different from what we are currently using on our devices as of today. A major difference is that it uses 129bits (128 + 1) rather than the standard 64bit or 32bit. The ultimate goal is to be able to implement compartmentalization with high granularity and with that we should end up with a system that is more robust to well known attacks. For example, buffer overflows, return oriented programming (ROP) and many other known vulnerability classes. Linaro is an active participant in this program with contributions to toolchains, debuggers, infrastructure work as well as pure capability enablement.

EFI enablement on U-Boot

U-Boot is a primary boot loader which is used in embedded devices to package the instructions needed to boot the device’s operating system kernel. StandAloneMM (StMM) is the EDK2 application responsible for storing variables. Since U-Boot has become EFI aware in recent years, there has been a need to store the variables securely. In the first iterations, U-Boot was storing the variables in its environment, which was fine for the initial implementation. However, this offered no security whatsoever. This led to the discussion as to whether it would be possible to leverage existing technology running on the secure side of Arm devices, like for example TEE’s and Secure Partitions. Due to limitations on the current platforms where it is only possible to run a single payload on the secure side (S-EL1), a decision had to be made. As a stepping stone to future architectures, Linaro in collaboration with Arm decided to add support in OP-TEE, so that it is possible to use StMM unmodified.

Combined with OP-TEE’s ability to access an RPMB partition, it is now possible to store EFI variables in a flash on the secure world or an RPMB partition (which is more common on embedded devices). This contribution enables a secure way of storing the EFI variables on current Arm architectures.

Zephyr and MCUboot

Zephyr is a real-time operating system (RTOS) for resource-constrained embedded devices which supports multiple architectures. From the very start, Linaro has worked with the Zephyr project on various technologies, but the security side has been an important area where Linaro has played a key role in the creation of the security architecture. Our work in security architecture ranges from cryptographic algorithm support to be utilized by system and communication protocols, to key management, and tamper/intrusion detection systems. Additionally, our work takes into account the security extensions associated with the ARMv8-M architecture, using Trusted Firmware for Cortex-M and Arm’s Platform Security Architecture (PSA). In October 2019, we built and certified a PSA Level 1 hardware and software platform implementation using Zephyr. The Zephyr Security Architect is a Linaro employee who is heading the security architecture discussions, and has led the team in the creation of various security processes for the project. This includes working with MITRE to bring Zephyr in as a CVE Numbering Authority, and developing the process of handling vulnerabilities. In addition to being the Zephyr Security Architect, this Linaro employee is also a maintainer with the MCUboot project, a Linaro Community Project. MCUboot is a secure bootloader that is used as the primary bootloader for Zephyr. The process of developing several standards (RFCs) relevant to the security of Zephyr has also required work with the IETF.