
DRTM: include RMM and SPM in measurement
Open, Needs Triage, Public


The security of the normal world is entirely dependent on the security of S-EL2 and R-EL2. If EL3M, S-EL2, and R-EL2 are trusted, the normal world can be protected against a compromised secure partition or realm, but if EL3M, S-EL2, or R-EL2 is compromised, the normal world is helpless.

While integrity of EL3M must be ensured by other means, it is possible for EL3M to include a measurement of S-EL2 and R-EL2 code (SPM and RMM respectively) in the attestation report. This allows a relying party to verify that the code running in S-EL2 and R-EL2 is secure against malicious code in lower secure or realm mode exception levels. In particular, the relying party can verify that realms and secure partitions can only access normal-world memory with the consent of the normal-world hypervisor. This is especially important because Digital Restrictions Management blobs often run in the secure world and have a history of vulnerabilities.

The RMM ensures that realms cannot interfere with the availability of the normal world, but it may be necessary to ensure that the normal world cannot interfere with the availability of the secure world. However, secure-world code typically cannot usefully access normal-world code or data without the normal world’s consent, as doing so would cause undefined behavior in the normal world. Therefore, preventing S-EL1 and S-EL0 from non-consensually accessing NS memory should not normally be a problem in practice.

Event Timeline

DemiMarie created this task. Fri, Jan 6, 7:13 PM
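A sketch of the relying-party side of the request above, as an added example that is not code from this task or from any firmware project. It assumes the report carries an ordered event log of (component, SHA-256 digest) pairs plus a hash-extended register value, that the report's signature has already been verified, and that the component labels, function names and reference digests are hypothetical or constructed.

```python
import hashlib
import hmac

HASH = hashlib.sha256
ZERO = bytes(HASH().digest_size)  # assumed initial register value: all zeros

def extend(register: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new = H(old || digest)."""
    return HASH(register + digest).digest()

def replay(event_log):
    """Fold the (component, digest) events, in order, into one register value."""
    reg = ZERO
    for _component, digest in event_log:
        reg = extend(reg, digest)
    return reg

def verify(event_log, reported_register, reference, required=("SPM", "RMM")):
    """Return a list of problems; an empty list means the report is acceptable."""
    problems = []
    # The log is only evidence if it reproduces the register in the signed report.
    if not hmac.compare_digest(replay(event_log), reported_register):
        problems.append("event log does not match reported register")
    seen = {}
    for component, digest in event_log:
        if component in seen:
            problems.append(f"{component} measured more than once")
        seen[component] = digest
    # Both S-EL2 (SPM) and R-EL2 (RMM) must be present and be known-good builds.
    for component in required:
        if component not in seen:
            problems.append(f"{component} not measured")
        elif seen[component] not in reference.get(component, ()):
            problems.append(f"{component} digest is not a known-good build")
    return problems

# Constructed sample data (not real firmware images or digests).
SPM_IMAGE = b"constructed SPM image bytes"
RMM_IMAGE = b"constructed RMM image bytes"
REFERENCE = {"SPM": {HASH(SPM_IMAGE).digest()}, "RMM": {HASH(RMM_IMAGE).digest()}}
GOOD_LOG = [("SPM", HASH(SPM_IMAGE).digest()), ("RMM", HASH(RMM_IMAGE).digest())]
GOOD_REG = replay(GOOD_LOG)

if __name__ == "__main__":
    print(verify(GOOD_LOG, GOOD_REG, REFERENCE))
```

A report whose log omits the RMM entry, or whose SPM digest is not in the reference set, is rejected even when the log replays correctly to the reported register.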