Demystifying the Secure Enclave Processor

Recommendations

Info

SEP Initialization – First Stage • AP comes out of reset. AP BootROM releases SEP from reset. • SEP initialization happens in three stages. ▫ Purpose of first stage is to bootstrap SEP into second stage. • SEP BootROM starts mapped at physical address (PA) 0x0. ▫ Basic exception vector at 0x0 that spins <strong>the</strong> processor upon any exception. ▫ Real exception vector at 0x4000 that is used later. ▫ Reset handler for both at 0x4xxx. • Reset handler sets up address translation to use page tables in BootROM.
SEP Initialization – Page Tables • Required since SEP is 32-bit and all peripherals have high bits. VA PA Size Description 0x0000_4000 0x2_0DA0_4000 0x0000_1000 BootROM fragment (allow first stage to continue executing after address translation is enabled) 0x1000_0000 0x2_0DA0_0000 0x0010_0000 BootROM 0x1018_0000 0x0_8000_0000 0x0000_3000 Window into encrypted external RAM 0x3000_0000 0x2_0000_0000 0x1000_0000 Peripherals
Page 1 and 2: Demystifying the Secure Enclave Pro
Page 3 and 4: Introduction • iPhone 5S was a te
Page 5 and 6: Secure (?) Enclave Processor • Ve
Page 7 and 8: Glossary • AP: Application Proces
Page 11 and 12: Dedicated Hardware Peripherals •
Page 13 and 14: Physical Memory • Dedicated BootR
Page 15: Demystifying the Secure Enclave Pro
Page 19 and 20: SEP Initialization - Second Stage
Page 21 and 22: SEP Boot Flow SEP AP Configure TZ0
Page 23 and 24: Memory Encryption Setup • Use “
Page 25 and 26: • Mode actually used is AES-256-X
Page 27 and 28: SEP Boot Flow: Stage 3 SEP AP Ackno
Page 29 and 30: Sending SEPOS • SEPOS is sent (op
Page 31 and 32: Boot-loading: Img4 • SEP uses the
Page 33 and 34: Img4 - Manifest • The manifest (A
Page 35 and 36: IMG4 - Manifest Properties (2/2) He
Page 37 and 38: Reversing SEP’s Img4 Parser: Stag
Page 39 and 40: Img4 Parsing Flow SEP AP Decode Pay
Page 43 and 44: Secure Mailbox • Actual mailbox i
Page 45 and 46: Interrupt-based Message Passing •
Page 47 and 48: Mailbox Message Format • A single
Page 49 and 50: SEP Endpoint • Each endpoint is r
Page 51 and 52: SEP Endpoints (2/2) Index Name Driv
Page 53 and 54: Control Endpoint Opcodes Opcode Nam
Page 55 and 56: Endpoint Registration (AP) Start Cr
Page 59 and 60: L4-embedded • Modified version of
Page 61 and 62: SEPOS Architecture SEP Applications
Page 63 and 64: System Calls (1/2) Num Name Descrip
Page 65 and 66: Privileged System Calls • Some sy
Page 67 and 68:
SEPOS (INIT) • Initial process on
Page 69 and 70:
Application List • Includes infor
Page 71 and 72:
Bootstrap Server • Implements the
Page 73 and 74:
Privileged Methods • An applicati
Page 75 and 76:
proc_has_privilege( ) int proc_has_
Page 77 and 78:
Entitlement Assignment int proc_cre
Page 79 and 80:
SEP Drivers • Hosts all SEP drive
Page 81 and 82:
Driver Interaction Retrieves SEPD t
Page 83 and 84:
SEP Services • Hosts various SEP
Page 85 and 86:
Service Interaction Retrieves sepS
Page 87 and 88:
Demystifying the Secure Enclave Pro
Page 89 and 90:
Attack Surface: AKF Endpoints • E
Page 91 and 92:
Attack Surface: Endpoint Handler SE
Page 93 and 94:
Address Space Layout - Image • SE
Page 95 and 96:
Stack Corruptions • The main thre
Page 97 and 98:
Stack Corruptions • SEP applicati
Page 99 and 100:
Heap Corruptions: malloc() Free Lis
Page 101 and 102:
No-Execute Protection • SEPOS imp
Page 103 and 104:
Attack Surface: BootROM • Effecti
Page 105 and 106:
Attack Surface: Hardware • Memory
Page 107 and 108:
End Game: JTAG • Glitch the fuse
Page 109 and 110:
Conclusion • SEP(OS) was designed
Page 111 and 112:
Thanks! • Questions?
Page 113 and 114:
SEPOS: System Methods Class Id Meth
Page 115 and 116:
SEPOS: Object Methods (2/2) Class I
show all

Demystifying the Secure Enclave Processor

Create successful ePaper yourself

Delete template?

Save as template?