Keystone Enclave An Open-Source Secure Enclave for RISC-V Dayeol Lee 1,2 , David Kohlbrenner, Kevin Cheang 1 , Cameron Rasmussen 1 , Kevin Laeufer 1 , Ian Fang, Akash Khosla, Chia-Che Tsai 2 , Sanjit Seshia 1 , Dawn Song 2,3 , and Krste Asanovic 1,2 University of California, Berkeley ※ Collaborators: Ilia Lebedev 4 , and Srinivas Devadas 4 4 3 ※ All authors are affiliated with the UCB 2 1
34
Embed
Keystone Enclave An Open-Source Secure Enclave for RISC-VKeystone Enclave An Open-Source Secure Enclave for RISC-V Dayeol Lee1,2, David Kohlbrenner, Kevin Cheang1, Cameron Rasmussen1,
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Keystone EnclaveAn Open-Source Secure Enclave for RISC-V
Dayeol Lee1,2, David Kohlbrenner, Kevin Cheang1, Cameron Rasmussen1, Kevin Laeufer1, Ian Fang, Akash Khosla, Chia-Che Tsai2, Sanjit Seshia1,
Dawn Song2,3, and Krste Asanovic1,2
University of California, Berkeley ※
Collaborators: Ilia Lebedev4, and Srinivas Devadas4
43
※All authors are affiliated with the UCB
21
What is a Secure Enclave?
OS
Applications
TrustworthyHardware
User Program and Data
Enclave contents
Integrity Confidentiality
Remote Attestation
Secure Enclave as a Cornerstone Security Primitive
Keystone Security Monitor (SM)- Stored in tamper-proof hardware- Zeroth-stage bootloader (ZSBL)- Tamper-proof platform key store
(preferably a crypto engine)
Silicon Root of Trust
- Untrusted app hosting an enclave
Host Application
- Untrusted device driver- Allocates contiguous memory- Provides the interface to user
Operating System
- A part of the enclave running in S-mode
Enclave Runtime
- The application to execute in the enclave
Enclave Application
Trus
ted,
Isol
ated
Unt
rust
ed U-m
ode
S-m
ode
M-m
ode
ioctl()syscalls, traps,…
SBI
measure,sign (T
rust
ed)
Keystone Overview (Simplified)
10
Keystone Security Monitor
HostOS
EnclaveRuntime
Untrusted Network
You
Remote Machine
PMPRoot of Trust
measuressigns
measuressigns
EnclaveApplication
HostApplication
controls
Keystone Overview (Simplified)
11
Keystone Security Monitor
HostOS
EnclaveRuntime
Untrusted Network
You
Remote Machine
PMPRoot of Trust
measuressigns
measuressigns
EnclaveApplication
HostApplication
controls
How does PMP work?
Memory Isolation with RISC-V PMP● Physical Memory Protection (PMP)
o Special registers to control permissions of U- and S-mode accesses to a specified memory region
o # of PMP entries can vary (e.g., default Rocket has 8)o Statically prioritized by the order of entry indiceso Whitelist-basedo Dynamically configurable by M-modeo Addressing modes: NAPOT (>= 4-bytes), Base/Bound
12
● How Keystone uses PMP○ Top/bottom PMP entries are reserved for SM/OS○ 1 PMP entry for each “active” enclave○ NAPOT > 4KB (fragmentation / Linux buddy allocation)
Isolation via Switching PMP Permission Bits
13
not accessible
pmp0
pmp1
pmp2
pmpN
…
S/U accessibility
PMP
entri
es
accessible
DRAM(0x80000000-)
OS
111
address range rwx permissions
000
SM
Prio
rity
SM Boots OS Boots
Creating an Isolated Enclave
14
not accessible
pmp0
pmp1
pmp2
pmpN
…
S/U accessibility
PMP
entri
es
accessible
DRAM(0x80000000-)
OS
111
000
SM free pages
OS allocates a contiguous chunk of memory using __get_free_pages() and initializes the free pages with the enclave page table, and the enclave program (runtime + enclave application)
PT RT ELF
Creating an Isolated Enclave
15
not accessible
pmp0
pmp1
pmp2
pmpN
…
S/U accessibility
PMP
entri
es
accessible
DRAM(0x80000000-)
OS
111
000
SM free pagesPT RT ELF
000
Enclave 1Memory
SM sets PMP entry and finalizes the enclave hash
000
Enclave 2Memory
Creating an Isolated Enclave
16
not accessible
pmp0
pmp1
pmp2
pmpN
…
S/U accessibility
PMP
entri
es
accessible
DRAM(0x80000000-)
OS
111
000
SM free pagesPT RT ELF
000
Enclave 1Memory
000
Enclave 2Memory
OS can ask SM to create as many enclaves as the number of remaining PMP entries
Executing an Enclave
17
not accessible
pmp0
pmp1
pmp2
pmpN
…
S/U accessibility
PMP
entri
es
accessible
DRAM(0x80000000-)
OS
111
000
SM free pagesPT RT ELF
000
Enclave 1Memory
000
Enclave 2Memory
Executing an Enclave
18
not accessible
pmp0
pmp1
pmp2
pmpN
…
S/U accessibility
PMP
entri
es
accessible
DRAM(0x80000000-)
OS
111
000
SM free pagesPT RT ELF
000
Enclave 1Memory
000
Enclave 2Memory
SM flips the PMP permission bits of pmp2 and pmpN to execute Enclave 2
Executing an Enclave
19
not accessible
pmp0
pmp1
pmp2
pmpN
…
S/U accessibility
PMP
entri
es
accessible
DRAM(0x80000000-)
OS
000
000
SM
000
Enclave 1Memory
111
Enclave 2Memory
SM flips the PMP permission bits of pmp2 and pmpN to execute Enclave 2
(Asynchronous) Exit and Resume
20
not accessible
pmp0
pmp1
pmp2
pmpN
…
S/U accessibility
PMP
entri
es
accessible
DRAM(0x80000000-)
OS
111
000
SM free pagesPT RT ELF
000
Enclave 1Memory
000
Enclave 2Memory
The enclave can only exit by an SM SBI call.The SM flips the permissions before entering the untrusted context.
Destroying an Enclave
21
not accessible
pmp0
pmp1
pmp2
pmpN
…
S/U accessibility
PMP
entri
es
accessible
DRAM(0x80000000-)
OS
111
000
SM free pagesPT RT ELF
000
Enclave 1Memory
Untrusted Shared Buffer
22
not accessible
pmp0
pmp1
pmp2
pmpN
…
S/U accessibility
PMP
entri
es
accessible
DRAM(0x80000000-)
OS
000
SM
000
Enclave 1Memory
111
Enclave 2Memory
The OS can allocate a shared buffer in OS memoryThe SM uses the last PMP entry to allow the enclave to access the buffer.