Introduction to ARMV8/ARMV9 Security Architecture

Author | lvy
Source | Arm Selected

1. Terminology

Realm Management Monitor (RMM) Realm Management Interface (RMI) Realm Services Interface (RSI) Realm Management Extension (RME) Granule Protection Check (GPC) Kernel-based Virtual Machine (KVM) Virtual Machines (VMs) Realm Descriptor (RD) Realm Execution Context (REC) Virtual CPU (VCPU) Realm Translation Table (RTT) Secure Monitor Call (SMC) High Level Operating System (HLOS) Physical Address Spaces (PAS) Granule Protection Check (GPC) Granule Protection Table (GPT) Granule Protection Fault (GPF) Translation Table Descriptor (TTD) Granule Protection Table Descriptor (GPTD)

2. Architecture Overview

Before learning about the new CCA/RME architecture of ARMV9, let’s recall the previous ARM TrustZone architecture.

2.1. ARMV7 Software Model

In December 2008, ARM released the first TrustZone technology white paper. (TrustZone white paper – ARM TrustZone security white paper download link, password: 1234)In 2013, Apple launched the first iPhone with fingerprint unlocking: the iPhone 5s, which utilized the Secure Enclave technology to ensure the security of fingerprint information, deeply customizing the ARM TrustZone architecture. This was likely the first time TrustZone technology entered the public eye. Today, TrustZone technology has become a fundamental technology in the field of mobile security. You may not understand its technical principles, but it has been silently protecting your fingerprint information, account passwords, and various sensitive data.Introduction to ARMV8/ARMV9 Security ArchitectureAdditionally, in earlier ARM books or blogs, it was often mentioned that ARM has several modes, with some stating 7 modes, others 8, and some even 9. The latest official documentation states there are 9 modes.Introduction to ARMV8/ARMV9 Security ArchitectureSo why are there inconsistent statements? This is because different ARM cores have varying support for Monitor/Hyp modes; some support it, while others do not. The following lists the support status of ARM cores for Monitor/Hyp modes:Introduction to ARMV8/ARMV9 Security ArchitectureTherefore, regarding different cores, the statement about how many modes ARM has can vary. All are correct, haha!!

2.2. ARMV8-arch32 Software Model

In ARMV8 Cortex-A chips, almost (what the heck, this should be changed to all) support the ARM TrustZone security extension, as shown in the security architecture diagram of ARMV8-aarch32.Under the ARMV8 architecture, the concept of modes has become blurred (what does blurred mean? It actually means it no longer exists), and there is no longer talk of 7, 8, or 9 modes. The most commonly used terms are the four exception levels: EL0/EL1/EL2/EL3.Introduction to ARMV8/ARMV9 Security ArchitectureIn the ARMV8-aarch32 architecture, there are certain peculiarities, perhaps to maintain compatibility with V7. It can be seen that in this architecture, there is no S-EL1, and both the Trust OS and Secure Monitor run at EL3 level.

2.3. ARMV8-arch64 Software Model

Now let’s look at the ARMV8-aarch64 architecture, which is almost the most common architecture we encounter today.Introduction to ARMV8/ARMV9 Security Architecture

2.4. ARM with S-EL2

In ARMV8.4, S-EL2 support was introduced (MD, so far, no such ARMV8 core has appeared, and V9 has already been released, so it seems this architecture will not appear on V8). The architecture diagram is shown below. The firmware can be ARM’s TF-A, and the SPM can be ARM’s Hafnium firmware. Why use “can”? Because ARM has not explicitly stated that its ATF/Hafnium firmware must be used; of course, one can also write one according to its standards.Introduction to ARMV8/ARMV9 Security Architecture

2.5. ARM with FF-A

With the arrival of S-EL2, in order to cope with increasingly complex software, ARM defined the FF-A architecture (which is essentially an ABI standard), as shown in the architecture diagram below. This architecture has been discussed in ARM PPT for over two years. I initially thought this was the final architecture diagram, but with the arrival of ARMV9 at the end of March 2021, ARM released a bombshell!!! (ARM CCA)Introduction to ARMV8/ARMV9 Security Architecture

2.6. ARM CCA/RME

What? What?Introduction to ARMV8/ARMV9 Security Architecture

How many security levels does ARM have? Two, right? Secure and Non-secure × Classmates, keep up with the times. There are now four: Root, Realm, Secure, Non-secure

In the ARMV9/CCA architecture, ARM has added support for Realm.

References:

Introducing Arm Confidential Compute Architecture Introducing Arm’s dynamic TrustZone technology AArch64 exception model AArch64 memory management AArch64 virtualization

Introduction to ARMV8/ARMV9 Security Architecture

Alright, that’s all for today’s content sharing. If you found it useful, remember to share and like it!PS: On weekdays at 8:30, CSDN corporate recruitmentcontinues to share valuable content related to programmer learning and interviews, see you there!



Share

Collect

Like

View




Leave a Comment