Think about the possibility of attacking secure memory through mmu/tlb/cache

Quick links :
.
Personal blog notes guide Directory ( All )


explain ：
By default , This article is all about ARMV8-aarch64 framework


Related links :
ARM trustzone Learning and summary - One is enough

When designing the security architecture , We are Core and DDR There's an extra TZC As memory filter, The data stream is :Core ---> TZC---->DDR, Under this structure ,core Read / write to secure memory initiated as an unsecure , Will be TZC Block .

But this is in the ideal situation , in fact Core Initiate read / write to memory , Not necessarily through TZC Not necessarily DDR, It is possible to arrive at cache The stage is over , That is, data flow becomes Core ---> MMU(TLB+Addtress Translation)---->Cache, So in this case , No, TZC Thing , You might say MMU/Cache There are NS The bit , But you really understand here NS The use of bits ？ If core When a read or write is initiated to a secure memory as an unsecure , I force MMU The security attribute flag bit in the page table is forcibly changed to NS=0, How will? ？

In fact, we just need to figure out the principle 、 Clear the data flow , Would not ask the above question S13 The problem. . Let's begin to analyze :

Suppose a security core Read a secure physical memory 0x2000_0000 data ( The virtual address may be 0x_xxxx_xxxx), Then there will be a behavior ：

• Before reading and writing , It must be done MMU map, Such as physical address 0x2000_0000 MAP a 0x_xxxx_xxxx Address , here Page Descriptor Medium atrribute Medium NS=0
• TLB Cache the translation , namely TLB Of entry Contained in the : 0x2000_0000、0x_xxxx_xxxx、NS=0
• Safe memory 0x2000_0000 The data will be cached to cache in ,entry Medium TAG contain 0x2000_0000、NS=0

meanwhile , I have a non safe core Initiate read / write virtual address 0x_yyyy_yyyy, I modify the table on this page by myself , Give Way 0x_yyyy_yyyy Force mapping to secure physical memory 0x2000_0000, There are two configurations :
(1)、0x_yyyy_yyyy—0x2000_0000, NS=0
(2)、0x_yyyy_yyyy—0x2000_0000, NS=1
Let's look at the two configurations respectively , Whether the safe memory can be read ：
in the light of (1), Not safe core Initiate a visit , Find out TLB The entry in is 0x_yyyy_yyyy—0x2000_0000, NS=0, Nature will not be hit , And then use Address Translation transformation ,MMU Unsafe... Found Core To access security properties NS=0 Will be rejected directly .
in the light of (2), Not safe core Initiate a visit , because NS=1,TLB May be hit , That is, it can translate 0x2000_0000 Physical address , Even if you don't get hit , after Address Translation transformation , because NS=1, At this time, you can also correctly convert the correct 0x2000_0000 Physical address . Then I will go to cache Query this address in , But at this time cache Of entry Medium NS=0, therefore cache Will not be hit , The next step is to go TZC The flow , Obviously , You are a non safe core Want to access safe memory ,TZC Will stop you .

in summary ： Safety is safety , Stop thinking about loopholes .