Executing code in the TrustZone land

Recommendations

Info

Chain of Trust ﴾CoT﴿ ‐ Boot ﴾1/2﴿ TrustZone code integrity is protected by secure boot which is based on a Chain of Trust ﴾similar to TPM chipsets﴿: 1. After reset the device starts executing the PBL ﴾Primary Boot Loader﴿ 2. The PBL is stored in read‐only‐memory ﴾ROM﴿ ‐ it is the initial point in the chain ‐ it is a trusted code. 3. Now each step of the boot process will load and authenticate the next step module/code before executing it!
CoT ﴾2/2﴿ 4. The PBL will load and authenticate the Secondary Boot Loader ﴾SBL﴿ 5. The SBL will load and authenticate the TrustZone code 6. SBL will then load the Android kernel ﴾aboot partition﴿ and execute it
Page 1 and 2: Executing code in the TrustZone lan
Page 3 and 4: Agenda What is TrustZone? TZ Applic
Page 5 and 6: TrustZone ﴾TZ﴿ TZ is a set of s
Page 7 and 8: Features
Page 9 and 10: Applications
Page 11 and 12: ARM Execution Levels ﴾EL﴿ 4 exe
Page 13 and 14: Trusted Execution Environment ‐ T
Page 15 and 16: Qualcomm Secure Execution Environme
Page 17 and 18: SCM ‐ Linux kernel http://lxr.fre
Page 19 and 20: NS bit Non‐Secure bit In Secure m
Page 21 and 22: Learning TrustZone What options do
Page 23 and 24: OMAP 4430 ‐ Texas Instrument ﴾T
Page 25 and 26: You'll have a very hard time http:/
Page 27 and 28: QEMU The good folks at Linaro imple
Page 29: TrustZone ‐ Secure Boot "SecureBo
Page 33 and 34: The target device
Page 35 and 36: Xiaomi Redmi A very nice Android ph
Page 37 and 38: Remember Secure Boot? This is how i
Page 39 and 40: Xiaomi Redmi The Xiaomi Redmi secur
Page 41 and 42: What now? We can run our own TZ cod
Page 43 and 44: Reversing Obvious first steps: 1. L
Page 45: TrustZone 2 TrustZone images tz and
Page 48 and 49: System calls TrustZone system calls
Page 50 and 51: Syscalls ‐ no xref
Page 52 and 53: Search result
Page 54 and 55: Pointer to the syscall code
Page 56 and 57: There is a pattern!
Page 58 and 59: Patching ELF headers ﴾segments﴿
Page 60 and 61: Patching get_version
Page 62 and 63: Patching ELF ‐ new executable seg
Page 64 and 65: DACR register Domain Access Control
Page 66 and 67: Patching After disabling DACR, exec
Page 68 and 69: Generating ARM code At the start of
Page 70 and 71: Undocumented That's all you need to
Page 72 and 73: Not all is lost yet Latest version
Page 74 and 75: Search again ...
Page 76 and 77: Next ﴾1/2﴿ I have now full acce
Page 78 and 79: Thank you!
Page 80 and 81:
References 1/2 Best references abou
show all

Executing code in the TrustZone land

Create successful ePaper yourself

Delete template?

Save as template?