CN113791898A - TrustZone-based trusted microkernel operating system - Google Patents

TrustZone-based trusted microkernel operating system

Info

Publication number
CN113791898A
CN113791898A
Authority
CN
China
Prior art keywords
module
task
world
service
tee
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110974579.1A
Other languages
Chinese (zh)
Other versions
CN113791898B (en)
Inventor
肖堃
张文
罗蕾
李允�
陈丽蓉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China
Priority to CN202110974579.1A
Publication of CN113791898A
Application granted
Publication of CN113791898B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources to service a request
    • G06F9/5011 Allocation of resources to service a request, the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5016 Allocation of resources to service a request, the resource being the memory
    • G06F9/5022 Mechanisms to release resources
    • G06F9/5027 Allocation of resources to service a request, the resource being a machine, e.g. CPUs, Servers, Terminals
    • G06F9/5038 Allocation of resources to service a request, the resource being a machine, considering the execution order of a plurality of tasks, e.g. taking priority or time dependency constraints into consideration
    • G06F9/52 Program synchronisation; Mutual exclusion, e.g. by means of semaphores
    • G06F9/526 Mutual exclusion algorithms
    • G06F9/54 Interprogram communication
    • G06F9/544 Buffers; Shared memory; Pipes

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a TrustZone-based trusted microkernel operating system comprising a root service module, a microkernel module and a security monitoring module. The root service module is an application-layer root task used to manage all user-mode resources. The microkernel module is a trusted kernel based on a microkernel architecture and comprises a capability subsystem, an address space management module, an inter-task communication module, a system call module, an interrupt management module and a task management module. The security monitoring module is a security component running in Monitor mode; it serves as the communication medium between the TEE and the REE, is used for power management, interrupt routing and world-context management and switching, and runs with external interrupts masked. The invention adopts a microkernel architecture, which enhances the reliability and extensibility of the system.

Description

TrustZone-based trusted microkernel operating system
Technical Field
The invention belongs to the technical field of microkernel operating systems, and particularly relates to a TrustZone-based trusted microkernel operating system.
Background
As embedded systems gradually develop towards networking and openness, the inadequacy of embedded devices in dealing with security attacks has become increasingly apparent, and device security receives more and more attention. However, general-purpose operating systems are dedicated to performance and build a rich ecosystem; such a system is large and bloated, and its potential security defects and wide attack surface make it hard to adapt to applications that execute operations at a higher security level. Therefore, ARM introduced the TrustZone system-level isolation scheme, which builds a safe and reliable trusted execution environment by means of non-bypassable security extensions to the processor, virtual memory, cache system, interrupts, peripherals and so on, together with corresponding trusted software. The general-purpose operating system migrates sensitive data access and sensitive operations to a TrustZone-based trusted operating system for execution so as to ensure the security of the sensitive data or sensitive operations.
At present, mainstream trusted operating systems still use a monolithic kernel architecture: device drivers and core services are brought into the kernel, which improves execution efficiency, but the kernel grows greatly, and maintaining and thoroughly auditing the code base becomes difficult, so this architecture is not conducive to building a trusted operating system. In addition, a trusted operating system is dedicated to processing sensitive data or executing sensitive operations and should therefore emphasise security even more, yet some open-source TEE (Trusted Execution Environment) schemes still have shortcomings in memory isolation and trusted boot. Meanwhile, when a C/S architecture is adopted for data interaction between a CA (client application) and a TA (trusted application), a TA's functionality is generally single-purpose and TAs lack cooperation. When new functionality is developed, the TA or the kernel has to be modified to provide the new features. This leads to frequent kernel upgrades or redundant TA functions, and extensibility is limited.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a TrustZone-based trusted microkernel operating system that adopts a microkernel architecture to enhance the reliability and extensibility of the system.
In order to achieve the above object, the TrustZone-based trusted microkernel operating system of the present invention includes a root service module, a microkernel module and a security monitoring module, wherein:
the root service module is an application layer root task and is used for managing all resources of a user mode; the root service module comprises a memory management module, a file service module and a service management module, wherein:
the memory management module is used for managing all memory resources of a user mode, including memory allocation and recovery;
the file service module is used for performing file operations on the REE file system, covering the following two cases:
when a TEE service is loaded, its image file is pre-stored as an ELF file in a specific directory of the REE file system, and the corresponding ELF file content is read through an RPC request with the assistance of an REE daemon process;
during TEE service execution, create, read, write, delete and seek operations on preset files and directories are encapsulated in advance through the IPC interface according to actual needs, and the TEE service application requests file service through that IPC interface;
the service management module is used for loading and booting TEE services, as follows: when an image is booted, first, according to a preset trusted-boot scheme, the integrity of the image's ELF file is verified and its format is checked, the ELF file comprising an ELF header, program headers and section headers; second, memory is allocated for each program segment one by one, and the symbols in the global offset table (GOT) and procedure linkage table (PLT) are fixed up one by one according to the relocation section; then a TCB structure is allocated for the image and its task identifier, scheduling data, hardware context, address space and capability space are initialised; finally, the task is set to the ready state and inserted into the corresponding Per-CPU queue;
the microkernel module is a trusted kernel based on a microkernel architecture and comprises a capability subsystem, an address space management module, an inter-task communication module, a system calling module, an interrupt management module and a task management module, wherein:
the capability subsystem is used for fine-grained, capability-based access control, limiting tasks' access to key kernel objects so that TEE services are restricted from executing specific operations; when each TEE service is loaded, the capability subsystem allocates it a capability space, which is the set of resources the TEE service is entitled to access; during TEE service execution, a kernel object referenced by a capability pointer is invoked and operated on through that capability pointer, and the capability subsystem checks the validity of the invocation;
the address space management module is used for setting memory mappings and page attributes; a two-level page table structure is adopted, the microkernel uses an identity mapping that covers the whole virtual address space, and all tasks share the same kernel mapping;
the inter-task communication module is used for transferring data and performing task collaboration when TEE services execute in parallel on multiple cores, and comprises four communication mechanisms:
1) message passing: used for exchanging short messages and transferring capabilities among TEE services, implemented on an Endpoint kernel object;
2) asynchronous notification: used to ensure that several tasks execute in a preset order, implemented on a Notification kernel object;
3) mutual exclusion: serialised access to shared resources, implemented on a Mutex kernel object;
4) shared memory: used for memory sharing among different TEE services, implemented on the TEE subsystem GTS;
the system call module is the interface for interaction between the application layer and the kernel and supports two types of system call, traditional system calls and capability-based system calls, both through a unified system call interface; for the latter, the capability pointer serves as the system call number and refers to a capability in the capability space, and the system call module dispatches according to the capability type to the corresponding kernel object module for processing;
the interrupt management module is used for forwarding the FIQ class interrupt and the IRQ class interrupt to the security monitoring module;
the task management module manages tasks through the organisation of the TCB structure; task management information comprises the task identifier, task state, scheduling information, task hardware context and task control information; the task scheduling policy is priority-based preemption with round-robin time slicing among tasks of the same priority;
the security monitoring module is a security component running in Monitor mode, serves as the communication medium between the TEE and the REE, and is used for power management, interrupt routing and world-context management and switching, wherein the world context of each processor is stored in that processor's own Per-CPU queue, and the security monitoring module runs with external interrupts masked; the security monitoring module comprises a power management module, an interrupt routing module and a world switching module, wherein:
the power management module provides dynamic processor hot-plug, low-power state management and secondary-core boot functions for multi-core systems;
the interrupt routing module performs routing of the received FIQ-class and IRQ-class interrupts, where an FIQ-class interrupt is one that occurs while in the normal world and an IRQ-class interrupt one that occurs while in the secure world: when an IRQ-class interrupt occurs in the secure world, the interrupt routing module makes the world switching module switch to the normal world to respond to the interrupt; when an FIQ interrupt occurs in the normal world, the interrupt routing module makes the world switching module switch to the secure world for the interrupt response and switch back to the normal world after interrupt handling is finished;
the world switching module switches between the secure world and the normal world; the context data of both worlds are stored at the top of the Per-CPU queue; according to the security state of the current processor, the context of the current world is saved and the context of the other world is restored.
The invention relates to a TrustZone-based trusted microkernel operating system comprising a root service module, a microkernel module and a security monitoring module. The root service module is an application-layer root task used to manage all user-mode resources. The microkernel module is a trusted kernel based on a microkernel architecture and comprises a capability subsystem, an address space management module, an inter-task communication module, a system call module, an interrupt management module and a task management module. The security monitoring module is a security component running in Monitor mode; it serves as the communication medium between the TEE and the REE for power management, interrupt routing and world-context management and switching, and runs with external interrupts masked.
The invention has the following beneficial effects:
1) the trusted operating system is built on a microkernel architecture, which effectively solves the problem of kernel bloat and reduces the security risk of the trusted kernel;
2) a capability-based access control policy is used to harden the trusted operating system;
3) a re-entrant TEE service interface, i.e. a re-entrant security monitoring module, is provided so that CA requests running on multiple processors can be executed in parallel.
Drawings
FIG. 1 is a structural diagram of a TrustZone-based trusted microkernel operating system according to an embodiment of the present invention;
FIG. 2 is a flowchart of the processing of a CA request in the present embodiment.
Detailed Description
The following description of the embodiments of the present invention is provided in order to better understand the present invention for those skilled in the art with reference to the accompanying drawings. It is to be expressly noted that in the following description, a detailed description of known functions and designs will be omitted when it may obscure the subject matter of the present invention.
Examples
FIG. 1 is a structural diagram of a specific embodiment of the TrustZone-based trusted microkernel operating system of the present invention. As shown in FIG. 1, the system includes a root service (Root Server) module 1, a microkernel (Micro Kernel) module 2 and a security monitoring (Secure Monitor) module 3; each module is described in detail below.
The root service module 1 is an application layer root task (i.e. the first user-mode task created at system boot time) for managing all resources of the user mode. The root service module 1 of the invention comprises a memory management module 11, a file service module 12 and a service management module 13, wherein:
the memory management module 11 is configured to manage all user-mode memory resources, including memory allocation and reclamation. In this embodiment a Buddy + Slab allocation strategy is adopted: large blocks of memory are allocated by page and small blocks by byte.
The file service module 12 is used to perform file operations on the REE (Rich Execution Environment) file system. There are two cases of file service:
The first is loading a TEE service. TEE services include trusted applications (TA) and extended-service Server applications; the TEE service image file is pre-stored as an ELF (Executable and Linkable Format) file in a specific directory of the REE file system, and the corresponding ELF file content is read with the help of the REE daemon process through an RPC (Remote Procedure Call) request.
The second is that some files may be read and written while a TEE service executes, so the invention encapsulates create, read/write, delete and seek operations on preset files and directories through the IPC interface in advance according to actual needs, and the TEE service application uses that IPC interface to request file service.
The service management module 13 is configured to load and boot TEE services, as follows: when an image is booted, first, according to a preset trusted-boot scheme, the integrity of the image's ELF file is verified and its format is checked, the ELF file comprising an ELF header, program headers and section headers; second, memory is allocated for each program segment one by one, and the symbols in the entries of the Global Offset Table (GOT) and Procedure Linkage Table (PLT) are fixed up one by one according to the relocation section; then a TCB (Task Control Block) structure is allocated for the image and its task identifier, scheduling data, hardware context, address space and capability space are initialised; finally, the task is set to the ready state and inserted into the corresponding Per-CPU queue. The Per-CPU queue contains a number of Per-CPU variables; for each Per-CPU variable there is a copy on each processor, and each processor works on its own copy.
As can be seen from the above, the root service module of the present invention is implemented as per-CPU threads that share the same address space and capability space; in this design, the number of CPU cores occupied by client CAs determines how many trusted applications (TAs) can execute in parallel.
The microkernel module 2 is a trusted kernel based on a microkernel architecture, and includes a capability subsystem 21, an address space management module 22, an inter-task communication module 23, a system call module 24, an interrupt management module 25, and a task management module 26, where:
The capability subsystem 21 performs fine-grained, capability-based access control and limits tasks' access to key kernel objects, so that TEE services are restricted from executing specific operations. In the invention, when each TEE service is loaded, the capability subsystem 21 allocates it a capability space, which is the set of resources the TEE service is entitled to access; during execution of the TEE service, a kernel object referenced by a Capability Pointer (CPTR) is invoked and operated on through that capability pointer, and the capability subsystem 21 checks the validity of the invocation. That is, the capability space is kept in the kernel and is invisible to user space, which prevents malicious tampering and improves security.
The address space management module 22 is used to set memory mappings and page attributes and adopts a two-level page table structure; the microkernel uses an identity mapping that covers the whole virtual address space, and all tasks share the same kernel mapping. In addition, to further reduce the memory occupied by page tables, the virtual address space of a user-mode task can be preset as needed to an integer multiple of 32 MB.
The inter-task communication module 23 is configured to transfer data and perform task collaboration when the TEE service is executed in parallel on multiple cores, and includes four communication mechanisms:
1) message passing: used for exchanging short messages and transferring capabilities among TEE services, implemented on the Endpoint kernel object. An Endpoint is similar to anonymous-pipe communication: the kernel copies the message to the receiving task; it is suited to short messages and supports only blocking calls. It is also the only way to transfer a capability to another task, the kernel being responsible for checking the legality of the capability and installing it in the capability space of the receiving task.
2) Asynchronous notification: used to ensure that several tasks execute in a preset order, implemented on the Notification kernel object. A Notification is similar to a counting semaphore, carries no payload, supports synchronous and asynchronous interfaces, and is typically used in asynchronous notification scenarios.
3) Mutual exclusion: serialised access to shared resources, implemented on the Mutex kernel object. A Mutex is a mutual-exclusion lock commonly used to serialise access to shared resources.
4) Shared memory: for memory sharing among different TEE services, a TEE subsystem GTS (Generic TEE Subsystem) is implemented. When several TEE services dynamically map memory using the same Token tag, the mappings point to the same Memory Region, so the services share the same physical address space and data exchange is efficient.
The system call module 24 is the interface for interaction between the application layer and the kernel and, in the invention, supports two types of system call: traditional system calls and capability-based system calls, both of which use a unified system call interface. The latter uses the capability pointer as the system call number, the capability pointer referring to a capability in the capability space; the system call module 24 dispatches according to the capability type and sends the call to the corresponding kernel object module for processing.
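The capability-based system call path described above, as an added example that is not part of the patent: a kernel-only capability space per task, the CPTR used as the system call number, a liveness check, and dispatch on the object's type to Endpoint, Notification and Mutex modules that enforce the granted rights. All names, the slot count, the rights set and the split at call number 64 between traditional and capability-based calls are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

#define CSPACE_SLOTS 16
#define CPTR_BASE    64      /* assumed split: call numbers below this index the traditional table */

enum cap_type { CAP_NULL = 0, CAP_ENDPOINT, CAP_NOTIFICATION, CAP_MUTEX };
enum { RIGHT_SEND = 1u << 0, RIGHT_RECV = 1u << 1, RIGHT_SIGNAL = 1u << 2, RIGHT_LOCK = 1u << 3 };
enum { OP_SEND = 1, OP_RECV, OP_SIGNAL, OP_WAIT, OP_LOCK, OP_UNLOCK };
enum { SYS_OK = 0, SYS_EINVAL = -1, SYS_ENOCAP = -2, SYS_EPERM = -3, SYS_EBUSY = -4, SYS_ENOSYS = -5 };

/* Kernel objects live in kernel memory; "state" is the queued message count, the
 * notification count or the owning TID, depending on the object type. */
struct kobject { enum cap_type type; int state; };

/* A capability names one object plus the rights its holder has on it. The table is
 * kernel-only and never mapped into the task, so user space cannot forge or edit it. */
struct capability { struct kobject *obj; uint32_t rights; };
struct cspace { struct capability slot[CSPACE_SLOTS]; };

static struct cspace null_cspace;   /* a task that has been granted nothing */

/* Grant an object into a task's capability space. Returns the CPTR, which the task
 * later uses as its system call number, or -1 when the space is full. */
int cspace_grant(struct cspace *cs, struct kobject *obj, uint32_t rights) {
    for (int i = 1; i < CSPACE_SLOTS; i++) {          /* slot 0 stays the null capability */
        if (cs->slot[i].obj == NULL) {
            cs->slot[i].obj = obj;
            cs->slot[i].rights = rights;
            return CPTR_BASE + i;
        }
    }
    return -1;
}

/* Kernel object modules: each checks the rights carried by the capability it is handed. */
static int endpoint_op(struct capability *c, uint32_t op) {
    if (op == OP_SEND) { if (!(c->rights & RIGHT_SEND)) return SYS_EPERM; c->obj->state++; return SYS_OK; }
    if (op == OP_RECV) { if (!(c->rights & RIGHT_RECV)) return SYS_EPERM;
                         if (c->obj->state == 0) return SYS_EBUSY;          /* caller would block */
                         c->obj->state--; return SYS_OK; }
    return SYS_EINVAL;
}
static int notification_op(struct capability *c, uint32_t op) {
    if (op == OP_SIGNAL) { if (!(c->rights & RIGHT_SIGNAL)) return SYS_EPERM; c->obj->state++; return SYS_OK; }
    if (op == OP_WAIT)   { if (c->obj->state == 0) return SYS_EBUSY; c->obj->state--; return SYS_OK; }
    return SYS_EINVAL;
}
static int mutex_op(struct capability *c, uint32_t op, int tid) {
    if (!(c->rights & RIGHT_LOCK)) return SYS_EPERM;
    if (op == OP_LOCK)   { if (c->obj->state != 0) return SYS_EBUSY; c->obj->state = tid; return SYS_OK; }
    if (op == OP_UNLOCK) { if (c->obj->state != tid) return SYS_EPERM; c->obj->state = 0; return SYS_OK; }
    return SYS_EINVAL;
}

/* Unified entry point. A capability-based call carries the CPTR as its call number;
 * the kernel resolves it in the caller's own capability space, verifies the slot is
 * live, and dispatches on the object's type. The rights check happens in the module. */
int syscall_dispatch(struct cspace *cs, int tid, uint32_t callno, uint32_t op) {
    if (callno < CPTR_BASE) return SYS_ENOSYS;         /* traditional table, not modelled here */
    uint32_t idx = callno - CPTR_BASE;
    if (idx == 0 || idx >= CSPACE_SLOTS || cs->slot[idx].obj == NULL) return SYS_ENOCAP;
    struct capability *c = &cs->slot[idx];
    switch (c->obj->type) {
    case CAP_ENDPOINT:     return endpoint_op(c, op);
    case CAP_NOTIFICATION: return notification_op(c, op);
    case CAP_MUTEX:        return mutex_op(c, op, tid);
    default:               return SYS_EINVAL;
    }
}

/* Constructed scenario: services A (tid 1) and B (tid 2) share one Endpoint with
 * different rights; only A holds the Mutex. Returns 0, or the number of the failing step. */
int run_demo(void) {
    static struct kobject ep = { CAP_ENDPOINT, 0 }, mx = { CAP_MUTEX, 0 };
    struct cspace a = {{{0}}}, b = {{{0}}};
    int ep_a = cspace_grant(&a, &ep, RIGHT_SEND);       /* A may only send */
    int ep_b = cspace_grant(&b, &ep, RIGHT_RECV);       /* B may only receive */
    int mx_a = cspace_grant(&a, &mx, RIGHT_LOCK);
    if (ep_a < 0 || ep_b < 0 || mx_a < 0) return 1;
    if (syscall_dispatch(&a, 1, ep_a, OP_RECV)   != SYS_EPERM)  return 2;  /* right never granted */
    if (syscall_dispatch(&a, 1, ep_a, OP_SEND)   != SYS_OK)     return 3;
    if (syscall_dispatch(&b, 2, ep_b, OP_RECV)   != SYS_OK)     return 4;  /* message delivered */
    if (syscall_dispatch(&b, 2, ep_b, OP_RECV)   != SYS_EBUSY)  return 5;  /* nothing queued now */
    if (syscall_dispatch(&b, 2, mx_a, OP_LOCK)   != SYS_ENOCAP) return 6;  /* A's CPTR means nothing in B */
    if (syscall_dispatch(&a, 1, mx_a, OP_LOCK)   != SYS_OK)     return 7;
    if (syscall_dispatch(&a, 1, mx_a, OP_LOCK)   != SYS_EBUSY)  return 8;
    if (syscall_dispatch(&a, 1, mx_a, OP_UNLOCK) != SYS_OK)     return 9;
    return 0;
}
```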
The interrupt management module 25 is configured to forward FIQ-class and IRQ-class interrupts to the security monitoring module 3. Because FIQs are generated asynchronously, each FIQ interrupt source is bound to an asynchronous-signal kernel object, which provides registration, revocation, enable, disable, acknowledge and notify interfaces for it; these interrupts are managed uniformly by the root service module 1: a TEE service initiates a request through a specific IPC, and after authorisation by the root service module 1 the TEE service holds the corresponding capability pointer and operates the bound FIQ source directly.
The task management module 26 is configured to manage tasks through the organisation of the TCB (Task Control Block) structure; the task management information comprises the task identifier, task state, scheduling information, task hardware context and task control information, and the scheduling policy is priority-based preemption with round-robin time slicing among tasks of the same priority. The task scheduling policy has the following characteristics:
1) each core has a dedicated root service and an Idle task; the root service is set to medium priority and the Idle task to the lowest priority;
2) a new task created, or a task made ready, by the current processor is placed into the current Per-CPU queue, and inter-core migration of tasks is prohibited;
3) the Idle task turns off the timer clock and executes the SMC instruction, returning to the normal world.
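The per-core scheduling policy above (priority preemption, round robin at equal priority, a medium-priority root service and a lowest-priority Idle task per core, no migration, Idle stopping the tick and returning to the normal world by SMC), as an added example that is not part of the patent. The priority values, the slice length and all names are assumptions, and the SMC is modelled as a counter.

```c
#include <string.h>

#define NCPU        2
#define MAX_TASKS   8
#define PRIO_IDLE   0     /* lowest priority: the per-core Idle task */
#define PRIO_ROOT   8     /* "medium" priority of the per-core root service (value assumed) */
#define PRIO_LEVELS 16
#define TIME_SLICE  3     /* ticks per slice, assumed */

enum task_state { T_FREE, T_READY, T_RUNNING, T_BLOCKED };
struct tcb { int tid; int prio; enum task_state state; int slice_left; };

/* One queue per CPU: a task lives in the queue of the CPU that created it and never migrates. */
struct percpu_rq {
    struct tcb tasks[MAX_TASKS];
    int current, idle, root;
    int tick_enabled;     /* the Idle task switches the scheduling clock off */
    int smc_returns;      /* how often Idle handed the core back to the normal world via SMC */
};
static struct percpu_rq rq[NCPU];

/* Allocate a TCB on the given CPU. The caller wakes it with task_wake(). */
int task_create(int cpu, int prio) {
    struct percpu_rq *q = &rq[cpu];
    if (prio < PRIO_IDLE || prio >= PRIO_LEVELS) return -1;
    for (int i = 0; i < MAX_TASKS; i++) {
        if (q->tasks[i].state != T_FREE) continue;
        q->tasks[i] = (struct tcb){ cpu * MAX_TASKS + i, prio, T_READY, TIME_SLICE };
        return i;
    }
    return -1;
}

/* Highest-priority runnable task; among equals, the first one after the current task
 * in cyclic order, which yields round robin. Idle is always runnable, so never -1. */
static int pick_next(struct percpu_rq *q) {
    int start = q->current < 0 ? 0 : q->current + 1;
    int best = -1, best_prio = -1;
    for (int k = 0; k < MAX_TASKS; k++) {
        struct tcb *t = &q->tasks[(start + k) % MAX_TASKS];
        if (t->state != T_READY && t->state != T_RUNNING) continue;
        if (t->prio > best_prio) { best = (start + k) % MAX_TASKS; best_prio = t->prio; }
    }
    return best;
}

static int do_switch(struct percpu_rq *q, int next) {
    if (q->current >= 0 && q->tasks[q->current].state == T_RUNNING) q->tasks[q->current].state = T_READY;
    q->current = next;
    q->tasks[next].state = T_RUNNING;
    q->tasks[next].slice_left = TIME_SLICE;
    if (next == q->idle) { q->tick_enabled = 0; q->smc_returns++; }   /* Idle: clock off, SMC out */
    else q->tick_enabled = 1;
    return q->tasks[next].tid;
}

/* A task became ready on this CPU: it preempts only if it strictly outranks the running task. */
int task_wake(int cpu, int idx) {
    struct percpu_rq *q = &rq[cpu];
    if (idx < 0 || idx >= MAX_TASKS || q->tasks[idx].state == T_FREE) return -1;
    if (q->tasks[idx].state == T_BLOCKED) q->tasks[idx].state = T_READY;
    if (q->current < 0 || q->tasks[idx].prio > q->tasks[q->current].prio) return do_switch(q, pick_next(q));
    return q->tasks[q->current].tid;
}

int task_block(int cpu, int idx) {
    struct percpu_rq *q = &rq[cpu];
    q->tasks[idx].state = T_BLOCKED;
    return idx == q->current ? do_switch(q, pick_next(q)) : q->tasks[q->current].tid;
}

/* Timer tick: consume the slice; at expiry rotate among tasks of the same priority. */
int sched_tick(int cpu) {
    struct percpu_rq *q = &rq[cpu];
    if (!q->tick_enabled || --q->tasks[q->current].slice_left > 0) return q->tasks[q->current].tid;
    return do_switch(q, pick_next(q));
}

int current_tid(int cpu) { return rq[cpu].current < 0 ? -1 : rq[cpu].tasks[rq[cpu].current].tid; }

void cpu_init(int cpu) {
    memset(&rq[cpu], 0, sizeof rq[cpu]);
    rq[cpu].current = -1;
    rq[cpu].idle = task_create(cpu, PRIO_IDLE);
    rq[cpu].root = task_create(cpu, PRIO_ROOT);
    task_wake(cpu, rq[cpu].root);               /* first dispatch: root outranks Idle */
}

/* Constructed scenario on CPU 0 (CPU 1 only shows the queues are independent). Returns 0 or the failing step. */
int run_demo(void) {
    cpu_init(0); cpu_init(1);
    if (current_tid(0) != 1 || current_tid(1) != MAX_TASKS + 1) return 1;   /* root runs on each core */
    int ta = task_create(0, PRIO_ROOT);                 /* a TA at the root service's priority */
    if (task_wake(0, ta) != 1) return 2;                /* equal priority: no preemption */
    if (sched_tick(0) != 1 || sched_tick(0) != 1) return 3;
    if (sched_tick(0) != 2) return 4;                   /* slice expired: round robin to the TA */
    int hi = task_create(0, PRIO_ROOT + 4);
    if (task_wake(0, hi) != 3) return 5;                /* higher priority preempts at once */
    if (task_block(0, hi) != 1) return 6;               /* hi blocks: root is next in cyclic order */
    if (task_block(0, rq[0].root) != 2) return 7;
    if (task_block(0, ta) != 0 || rq[0].tick_enabled != 0 || rq[0].smc_returns != 1) return 8;
    if (sched_tick(0) != 0) return 9;                   /* clock is off while Idle runs */
    if (task_wake(0, rq[0].root) != 1 || rq[0].tick_enabled != 1) return 10;  /* a CA request wakes root */
    return current_tid(1) == MAX_TASKS + 1 ? 0 : 11;
}
```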
The security monitoring module 3 is a security component running in Monitor mode; it serves as the communication medium between the TEE and the REE and is used for power management, interrupt routing and world-context management and switching. Because each processor has its own independent Monitor mode in the microkernel operating system, and in order to allow CAs to issue parallel requests on multiple cores, the world context of each processor is stored in that processor's own Per-CPU queue, independent of the others. In this way the security monitoring module 3 is re-entrant, i.e. multiple CA programs can enter it in parallel and have their requests forwarded to the TEE, so that they execute in parallel in a multi-core environment. The security monitoring module 3 runs with external interrupts masked to ensure the robustness of the component. It includes a power management module 31, an interrupt routing module 32 and a world switching module 33, wherein:
The power management module 31 is configured to provide dynamic processor hot-plug, low-power state management and secondary-core boot functions for multiple cores.
The interrupt routing module 32 is configured to route the received FIQ-class and IRQ-class interrupts, where an FIQ-class interrupt is one that occurs while in the normal world and an IRQ-class interrupt one that occurs while in the secure world: when an IRQ-class interrupt occurs in the secure world, the interrupt routing module 32 makes the world switching module 33 switch to the normal world to respond to the interrupt; when an FIQ interrupt occurs in the normal world, the interrupt routing module 32 makes the world switching module 33 switch to the secure world for the interrupt response and switch back to the normal world after interrupt handling is completed.
In order to ensure that secure interrupts are routed correctly, when the Secure Monitor switches worlds the FIQ bit in the coprocessor Secure Configuration Register (SCR) must be set on entering the Normal World and cleared on entering the Secure World. This lets the Normal World enter the Secure Monitor directly when an FIQ occurs, while the Secure World handles an FIQ directly, without routing.
The world switching module 33 is used for switching between the secure world and the normal world; the context data of both worlds are stored at the top of the Per-CPU queue, and according to the security state of the current processor the context of the current world is saved and the context of the other world is restored. When switching worlds, besides setting the NS bit in the coprocessor Secure Configuration Register SCR, the register sets of each operating mode must be restored, and the jump address after the switch and the processor status register CPSR must be set; all of this is performed in an environment where external interrupts are disabled.
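The routing rules and SCR handling of the interrupt routing module and world switching module, as an added example that is not part of the patent: per-core banked world contexts, SCR.NS and SCR.FIQ set on entry to the Normal World and cleared on entry to the Secure World, and the FIQ/IRQ routing decisions. The SCR bit positions follow the ARMv7 layout; the structure and function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define NCPU 2
/* Bit positions in the Secure Configuration Register (ARMv7 layout). */
#define SCR_NS  (1u << 0)    /* 1: the core is in the Normal World */
#define SCR_FIQ (1u << 2)    /* 1: an FIQ is taken to Monitor mode instead of the current world */

enum world { SECURE = 0, NORMAL = 1 };
enum irq_kind { INT_IRQ, INT_FIQ };

/* The register file banked per world: general registers, SP/LR/PC and CPSR. */
struct world_ctx { uint32_t r[13]; uint32_t sp, lr, pc, cpsr; };

/* Monitor state of one core. Both worlds' contexts sit on this core's own Per-CPU
 * stack, so cores switch worlds independently and the monitor is re-entrant. */
struct monitor_cpu {
    struct world_ctx ctx[2];       /* saved contexts, indexed by enum world */
    struct world_ctx live;         /* the registers currently loaded in the core */
    uint32_t scr;
    int ext_irq_masked;            /* set while monitor code runs */
    int fiq_serviced_secure, irq_serviced_normal;
};
static struct monitor_cpu mon[NCPU];

static enum world cur_world(const struct monitor_cpu *m) { return (m->scr & SCR_NS) ? NORMAL : SECURE; }

/* Save the current world's registers, load the other side's, then rewrite SCR.
 * Entering the Normal World sets SCR.FIQ so a secure interrupt traps to the monitor;
 * entering the Secure World clears it so the secure kernel takes the FIQ directly. */
static void world_switch(struct monitor_cpu *m, enum world to) {
    enum world from = cur_world(m);
    m->ext_irq_masked = 1;                     /* external interrupts stay off during the switch */
    m->ctx[from] = m->live;
    m->live = m->ctx[to];                      /* restores banked registers, jump address (pc) and CPSR */
    m->scr = (to == NORMAL) ? (SCR_NS | SCR_FIQ) : 0;
    m->ext_irq_masked = 0;
}

void monitor_boot(int cpu) { memset(&mon[cpu], 0, sizeof mon[cpu]); }   /* starts in the Secure World */

/* SMC from either world: hand the core to the other side. Returns the new world. */
int monitor_smc(int cpu) {
    struct monitor_cpu *m = &mon[cpu];
    world_switch(m, cur_world(m) == NORMAL ? SECURE : NORMAL);
    return cur_world(m);
}

/* Interrupt routing. FIQ belongs to the Secure World: from the Normal World it is
 * trapped here, serviced on the secure side and the core is returned; in the Secure
 * World it is serviced in place. IRQ belongs to the Normal World: the secure kernel
 * forwards it here and the core is switched so the Normal World can respond. */
int monitor_route_interrupt(int cpu, enum irq_kind kind) {
    struct monitor_cpu *m = &mon[cpu];
    if (kind == INT_FIQ) {
        if (cur_world(m) == NORMAL) {
            world_switch(m, SECURE);
            m->fiq_serviced_secure++;
            world_switch(m, NORMAL);
        } else {
            m->fiq_serviced_secure++;
        }
        return SECURE;
    }
    if (cur_world(m) == SECURE) world_switch(m, NORMAL);
    m->irq_serviced_normal++;
    return NORMAL;
}

uint32_t monitor_scr(int cpu) { return mon[cpu].scr; }

/* Constructed scenario on core 0, with core 1 left untouched. Returns 0 or the failing step. */
int run_demo(void) {
    monitor_boot(0); monitor_boot(1);
    mon[0].live.r[0] = 0xA5;                                  /* secure-side R0 before leaving */
    if (monitor_smc(0) != NORMAL || monitor_scr(0) != (SCR_NS | SCR_FIQ)) return 1;
    mon[0].live.r[0] = 0x5A;                                  /* the Normal World reuses R0 */
    if (monitor_route_interrupt(0, INT_FIQ) != SECURE) return 2;   /* routed to the secure side */
    if (cur_world(&mon[0]) != NORMAL || mon[0].live.r[0] != 0x5A) return 3;   /* back, registers intact */
    if (monitor_smc(0) != SECURE || mon[0].live.r[0] != 0xA5 || monitor_scr(0) != 0) return 4;
    if (monitor_route_interrupt(0, INT_FIQ) != SECURE || cur_world(&mon[0]) != SECURE) return 5; /* no routing */
    if (monitor_route_interrupt(0, INT_IRQ) != NORMAL || cur_world(&mon[0]) != NORMAL) return 6;
    if (cur_world(&mon[1]) != SECURE || mon[1].fiq_serviced_secure != 0) return 7;
    return (mon[0].fiq_serviced_secure == 2 && mon[0].irq_serviced_normal == 1) ? 0 : 8;
}
```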
The following takes a CA request as an example to briefly describe the working process of the trusted microkernel operating system of the present invention. Fig. 2 is a flowchart of the processing of the CA request in the present embodiment. As shown in fig. 2, the processing of a CA request by the trusted microkernel operating system of the present invention includes the following steps:
S201: data packaging and sharing:
Data interaction between the TEE and the REE usually uses register transfer or passes the address of packed data; since the two worlds have independent memory management units, shared data can only be referenced by physical address. A 4 MB region is pre-allocated as the cross-world shared memory, and the REE kernel allocates from it page by page. The transferred data is encapsulated in a struct tee_param structure; during the world switch the service call number is placed in register R0 and register R1 is set to the physical address of the packed data.
S202: judge whether the CA request is a preset specific service call; if so, go to step S203, otherwise go to step S204.
S203: specific service dispatch and handling:
The preset specific service call is dispatched and handled in the security monitoring module, after which the process proceeds to step S211.
To handle CA requests more efficiently, different types of request are distinguished by service call number, and requests in service classes such as CPU, SiP, OEM and Vendor do not need to be switched to the trusted operating system for processing. Such requests are dispatched by category in the security monitoring module 3 and returned directly.
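Steps S201 to S203 as an added C example that is not code from the patent: the Secure Monitor's first-level dispatch on the R0 service call number, and the bounds check a TEE needs before it trusts the physical address the REE passes in R1. The owning-entity field of the call number follows the Arm SMC Calling Convention; the window base, the struct tee_param layout, the mapping of the page's "Vendor" class to SMCCC owner 6, the rejection of every other class and the constructed requests are this example's assumptions.

```c
/* Added example, not code from the patent: monitor-side dispatch of a CA request and
 * validation of the REE-supplied shared-memory address. SMCCC field layout is
 * architectural; window base, tee_param layout and policy for unlisted classes are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* SMCCC function ID: bit 31 fast call, bits 29:24 owning entity, bits 15:0 function number. */
#define SMC_FAST_CALL    (1u << 31)
#define SMC_OWNER_SHIFT  24
#define SMC_OWNER_MASK   0x3Fu
#define SMC_FUNC_MASK    0xFFFFu
enum smc_owner {
    OWNER_CPU = 1, OWNER_SIP = 2, OWNER_OEM = 3, OWNER_VENDOR_HYP = 6,
    OWNER_TRUSTED_APP_LO = 48, OWNER_TRUSTED_OS_HI = 63
};

/* Cross-world shared window: 4 MB pre-allocated, handed out by the REE kernel per page. */
#define SHM_BASE   0x7E000000u          /* assumed physical base */
#define SHM_SIZE   (4u << 20)
#define PAGE_SIZE  4096u

/* Packed parameter as seen across the world boundary (layout assumed). */
enum { PARAM_NONE = 0, PARAM_VALUE = 1, PARAM_MEMREF = 2 };
struct tee_param { uint32_t attr; uint32_t a; uint32_t b; uint32_t c; }; /* memref: a = paddr, b = size */
#define TEE_MAX_PARAMS 4

struct ca_request {
    uint8_t  uuid[16];
    uint32_t cmd_id;
    uint32_t num_params;
    struct tee_param params[TEE_MAX_PARAMS];
};

enum dispatch { DISPATCH_MONITOR, DISPATCH_SWITCH_TO_TEE, DISPATCH_REJECT };

/* [pa, pa+len) must lie entirely inside the window; written to be overflow-safe. */
bool shm_range_ok(uint32_t pa, uint32_t len)
{
    if (len == 0 || pa < SHM_BASE || len > SHM_SIZE) return false;
    return (pa - SHM_BASE) <= SHM_SIZE - len;
}

/* r0 = service call number, r1 = physical address of the packed request. */
enum dispatch monitor_dispatch(uint32_t r0, uint32_t r1)
{
    uint32_t owner = (r0 >> SMC_OWNER_SHIFT) & SMC_OWNER_MASK;
    switch (owner) {
    case OWNER_CPU: case OWNER_SIP: case OWNER_OEM: case OWNER_VENDOR_HYP:
        return DISPATCH_MONITOR;             /* answered in Monitor, no world switch */
    default:
        break;
    }
    if (owner < OWNER_TRUSTED_APP_LO || owner > OWNER_TRUSTED_OS_HI)
        return DISPATCH_REJECT;              /* not a class this monitor serves (assumed policy) */
    if (r1 & (PAGE_SIZE - 1))
        return DISPATCH_REJECT;              /* the window is handed out per page */
    if (!shm_range_ok(r1, sizeof(struct ca_request)))
        return DISPATCH_REJECT;              /* request header must not leave the window */
    return DISPATCH_SWITCH_TO_TEE;
}

/* The call number a CA puts in R0 for a Trusted Application call. */
uint32_t make_ta_call_id(uint32_t fn)
{
    return SMC_FAST_CALL | ((uint32_t)OWNER_TRUSTED_APP_LO << SMC_OWNER_SHIFT) | (fn & SMC_FUNC_MASK);
}

/* TEE side: snapshot the request, then validate the snapshot, so the REE cannot change
 * a length or address between the check and the use (time-of-check/time-of-use). */
bool take_request(const struct ca_request *shared, struct ca_request *local)
{
    memcpy(local, shared, sizeof *local);
    if (local->num_params > TEE_MAX_PARAMS) return false;
    for (uint32_t i = 0; i < local->num_params; i++) {
        const struct tee_param *p = &local->params[i];
        if (p->attr == PARAM_MEMREF && !shm_range_ok(p->a, p->b)) return false;
    }
    return true;
}

/* Constructed requests: one well-formed, one whose memref runs past the window. */
bool demo_take_request(bool poisoned)
{
    struct ca_request shared, local;
    memset(&shared, 0, sizeof shared);
    shared.cmd_id = 7;
    shared.num_params = 2;
    shared.params[0].attr = PARAM_VALUE;  shared.params[0].a = 42;
    shared.params[1].attr = PARAM_MEMREF; shared.params[1].a = SHM_BASE + PAGE_SIZE;
    shared.params[1].b = poisoned ? SHM_SIZE : 256;   /* SHM_SIZE from +4 KiB overruns by a page */
    return take_request(&shared, &local);
}
```

Every length check subtracts before it adds, so a request whose address or size is chosen to wrap a 32-bit sum is rejected rather than mapped; the copy-then-validate order in take_request is what keeps a cooperating REE core from rewriting the packed parameters after the TEE has checked them.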
S204: switching the world:
the world switching module 33 in the security monitoring module 3 switches the world to the security world.
S205: awakening the root service module:
the root service module 1 is woken up with IPC sending request data.
S206: data parsing and mapping:
and the root service module 1 corresponding to the current core analyzes the data and requests TA identity according to the analyzed UUID identification. Next, the UUID number is used to query the corresponding task TID number in the loaded task hash table. If the task is not loaded, the service management module 13 in the root service module 1 is responsible for loading and booting the TA. Thereafter, the root service module 1 establishes a parameter mapping for this TA and wakes up the task in an asynchronous IPC manner, eventually giving up the CPU on its own initiative.
S207: and judging whether to schedule the task, if the task is timed to expire, entering step S208, if the task is normally returned, entering step S209, and if the TA/Server task is ready, entering step S210.
S208: scheduling a timing task:
scheduling a timing task, limiting the TEE running time, and entering step S211 when the timing expires.
S209: scheduling the Idle task:
when the scheduled task returns normally, the Idle task is scheduled, and the process proceeds to step S211.
S210: scheduling other tasks:
the service management module 13 in the root service module 1 schedules other tasks and returns to step S207.
S211: world return:
when the timing task expires, the Idle task is scheduled or the specific service processing is completed, the SMC is triggered to return to the safety monitoring module 3 immediately, the world switching is executed, and the ordinary world is returned. According to the previous flow, the first two are processed in the trusted microkernel, and all timing tasks are closed before returning, and the latter is directly processed in the security monitoring module 3.
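The TEE-side part of this flow (steps S205 to S211) as an added C model that is not code from the patent: the UUID-keyed loaded-task table with load-on-miss, the asynchronous wake, and the timer budget that bounds how long the Secure World keeps the core before the SMC back to the Normal World. The table shape, the FNV-1a hash, the tick budget and the constructed TAs are this example's assumptions, not the patent's data structures.

```c
/* Added example, not code from the patent: root-service lookup of a TA by UUID,
 * load on miss, and budget-limited execution before returning to the Normal World.
 * Table shape, hash, tick budget and the constructed TAs are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define TABLE_SLOTS 16   /* power of two, open addressing with linear probing */

typedef struct { uint8_t b[16]; } ta_uuid;

struct task {
    bool     used;
    bool     ready;          /* set by the asynchronous IPC wake */
    uint32_t tid;
    uint32_t ticks_needed;   /* constructed amount of work */
    ta_uuid  uuid;
};

struct root_service {
    struct task slot[TABLE_SLOTS];
    uint32_t    next_tid;
    uint32_t    loads;       /* times service management had to load and boot a TA */
};

static uint32_t uuid_hash(const ta_uuid *u)   /* FNV-1a, 32-bit */
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < 16; i++) { h ^= u->b[i]; h *= 16777619u; }
    return h;
}

void root_init(struct root_service *rs) { memset(rs, 0, sizeof *rs); rs->next_tid = 1; }

/* Returns the slot holding uuid, else the first free slot, else NULL when full. */
static struct task *probe(struct root_service *rs, const ta_uuid *u)
{
    uint32_t i = uuid_hash(u) & (TABLE_SLOTS - 1);
    for (int n = 0; n < TABLE_SLOTS; n++, i = (i + 1) & (TABLE_SLOTS - 1)) {
        struct task *t = &rs->slot[i];
        if (!t->used || memcmp(&t->uuid, u, sizeof *u) == 0) return t;
    }
    return NULL;
}

/* S206: UUID -> TID; on a miss, "load and boot" the TA (here: claim the TCB slot).
 * Marks the task ready, standing in for the asynchronous wake. Returns 0 when full. */
uint32_t request_ta(struct root_service *rs, const ta_uuid *u, uint32_t ticks_needed)
{
    struct task *t = probe(rs, u);
    if (!t) return 0;
    if (!t->used) {
        t->used = true; t->uuid = *u; t->tid = rs->next_tid++;
        rs->loads++;
    }
    t->ticks_needed = ticks_needed;
    t->ready = true;
    return t->tid;
}

enum exit_reason { EXIT_IDLE = 0, EXIT_TIMER_EXPIRED = 1 };

/* S207-S211: run ready tasks; the timer task caps TEE residency at budget_ticks.
 * Returns why the SMC back to the monitor fires; *used receives the ticks consumed. */
enum exit_reason run_until_return(struct root_service *rs, uint32_t budget_ticks, uint32_t *used)
{
    uint32_t tick = 0;
    for (;;) {
        struct task *r = NULL;
        for (int i = 0; i < TABLE_SLOTS && !r; i++)
            if (rs->slot[i].used && rs->slot[i].ready) r = &rs->slot[i];
        if (!r) { *used = tick; return EXIT_IDLE; }              /* S209: Idle scheduled */
        while (r->ready) {
            if (tick == budget_ticks) { *used = tick; return EXIT_TIMER_EXPIRED; } /* S208 */
            tick++;
            if (r->ticks_needed == 0 || --r->ticks_needed == 0) r->ready = false; /* normal return */
        }
    }
}

/* Constructed scenario: two requests for TA "a" (one load), one for TA "b". */
static enum exit_reason demo_run(uint32_t budget, uint32_t *loads, uint32_t *used)
{
    struct root_service rs;
    ta_uuid a = {{0x8a,0xef,0x4c,0x1f,0x10,0x2a,0x4b,0x7e,0x9d,0x3c,0x52,0x01,0,0,0,1}};
    ta_uuid b = {{0x8a,0xef,0x4c,0x1f,0x10,0x2a,0x4b,0x7e,0x9d,0x3c,0x52,0x01,0,0,0,2}};
    root_init(&rs);
    request_ta(&rs, &a, 3);
    request_ta(&rs, &a, 3);      /* hit: no second load */
    request_ta(&rs, &b, 4);
    *loads = rs.loads;
    return run_until_return(&rs, budget, used);
}
enum exit_reason demo_reason(uint32_t budget) { uint32_t l, u; return demo_run(budget, &l, &u); }
uint32_t demo_used(uint32_t budget)   { uint32_t l, u; demo_run(budget, &l, &u); return u; }
uint32_t demo_loads(void)             { uint32_t l, u; demo_run(100, &l, &u); return l; }
```

With a budget of 10 ticks the 7 ticks of constructed work finish and the Idle task triggers the return; with a budget of 5 the timer task wins, which is the property that keeps a long-running or misbehaving TA from starving the REE of the core.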
Although illustrative embodiments of the present invention have been described above to help those skilled in the art understand the present invention, it should be understood that the present invention is not limited to the scope of these embodiments; various changes apparent to those skilled in the art remain within the spirit and scope of the present invention as defined by the appended claims, and all subject matter that makes use of the inventive concept is protected.

Claims (2)

1. A TrustZone-based trusted microkernel operating system, characterized by comprising a root service module, a microkernel module and a security monitoring module, wherein:
the root service module is an application-layer root task used to manage all user-mode resources; the root service module comprises a memory management module, a file service module and a service management module, wherein:
the memory management module manages all user-mode memory resources, including memory allocation and reclamation;
the file service module performs file operations on the REE file system in the following two cases:
when a TEE service is loaded, the TEE service image is pre-stored as an ELF file in a specific directory of the REE file system, and the corresponding ELF file content is read through an RPC request with the assistance of an REE daemon process;
during TEE service execution, IPC interfaces encapsulating the creation, reading, writing, deletion and seek operations on preset files and directories are prepared in advance according to actual need, and the TEE service application requests file service through these IPC interfaces;
the service management module loads and boots TEE services by the following method: when an image is booted, according to the preset trusted boot mode, the integrity of the image's ELF file is verified and its format is checked, the ELF file comprising the ELF header, the program headers and the section headers; next, memory is allocated for the program segments one by one, and the symbols in the global offset table GOT and the procedure linkage table PLT are relocated one by one according to the relocation section; then a TCB structure is allocated for the image, and the task identifier, scheduling data, hardware context, address space and capability space are initialized; finally the task is set to the ready state and inserted into the corresponding Per-CPU queue;
the microkernel module is a trusted kernel based on a microkernel architecture and comprises a capability subsystem, an address space management module, an inter-task communication module, a system call module, an interrupt management module and a task management module, wherein:
the capability subsystem performs fine-grained capability-based access control and limits the access of tasks to key kernel objects, thereby restricting TEE services from executing specific operations; when each TEE service is loaded, the capability subsystem allocates it a capability space, which is the set of resources the TEE service is entitled to access; during TEE service execution, the kernel object referenced by a capability pointer is invoked and operated on through that capability pointer, and the capability subsystem checks the validity of the invocation;
the address space management module sets memory mappings and page attributes; a two-level page table structure is used, the microkernel uses identity mapping covering the entire virtual address space, and all tasks share the same kernel mapping;
the inter-task communication module transfers data and coordinates tasks when TEE services execute in parallel on multiple cores, and comprises four communication mechanisms:
1) message passing: used to exchange short messages and transfer capabilities between TEE services, implemented on the Endpoint kernel object;
2) asynchronous notification: used to ensure that multiple tasks execute in a preset order, implemented on the Notification kernel object;
3) mutual exclusion: serialized access to shared resources, implemented on the Mutex kernel object;
4) shared memory: used for memory sharing between different TEE services, implemented on the capability subsystem of the TEE;
the system call module is the interface through which the application layer interacts with the kernel and supports two types of system call; the system call module dispatches by capability type to the corresponding kernel object module for handling;
the interrupt management module forwards FIQ-class and IRQ-class interrupts to the security monitoring module;
the task management module manages tasks organized by the TCB structure; task management information comprises the task identifier, task state, scheduling information, task hardware context and task control information, and the task scheduling policy is priority-based with preemptive round-robin time slicing among tasks of equal priority;
the security monitoring module is a secure component running in the Monitor mode, serving as the communication medium between the TEE and the REE and used for power management, interrupt routing, and world context management and switching, wherein the world context of each processor is stored in that processor's own Per-CPU queue and the security monitoring module runs with external interrupts masked; the security monitoring module comprises a power management module, an interrupt routing module and a world switching module, wherein:
the power management module provides dynamic processor addition and removal, low-power state management and secondary core boot for the multi-core system;
the interrupt routing module routes received FIQ-class and IRQ-class interrupts, wherein the FIQ-class interrupt is the one that occurs in the Normal World and the IRQ-class interrupt is the one that occurs in the Secure World; when an IRQ-class interrupt occurs in the Secure World, the interrupt routing module makes the world switching module switch to the Normal World for the interrupt response; when an FIQ interrupt occurs in the Normal World, the interrupt routing module makes the world switching module switch to the Secure World for the interrupt response and switch back to the Normal World after the interrupt handling is finished;
the world switching module switches between the Secure World and the Normal World; the context data of both worlds is stored at the top of the Per-CPU queue, the context of the current world is saved according to the security state of the current processor, and the context of the other world is restored.
2. The trusted microkernel operating system of claim 1, wherein the memory management module employs a Buddy + Slab allocation policy during memory allocation, large blocks of memory being allocated by page and small blocks by byte.
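The format checks that claim 1 assigns to the service management module before a TA image is booted, as an added C example that is not code from the patent: ELF header sanity, program-header bounds, and the per-segment checks a loader needs against an image read from the REE file system (file bounds, filesz against memsz, the address window, no writable-and-executable segment, entry inside an executable segment). ELF32 field offsets and constants come from the ELF specification; the TA address window, the rejection codes and the constructed image are this example's assumptions. The integrity (signature or hash) verification the claim places first is not modelled here.

```c
/* Added example, not code from the patent: ELF32 format and bounds checks on a TA
 * image before loading. Offsets/constants are from the ELF spec; the TA address
 * window, verdict codes and the constructed image are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define ELFCLASS32  1
#define ELFDATA2LSB 1
#define EM_ARM      40
#define PT_LOAD     1
#define PF_X 1
#define PF_W 2
#define PF_R 4
#define EHDR_SIZE 52
#define PHDR_SIZE 32

/* Where TA segments may live: below the kernel's identity map (assumed split). */
#define TA_VA_LO 0x00010000u
#define TA_VA_HI 0x40000000u

enum elf_verdict { ELF_OK = 0, ELF_BAD_MAGIC, ELF_BAD_CLASS, ELF_BAD_MACHINE,
                   ELF_BAD_PHDRS, ELF_SEG_OUT_OF_FILE, ELF_SEG_BAD_SIZES,
                   ELF_SEG_OUT_OF_WINDOW, ELF_SEG_WX, ELF_ENTRY_NOT_EXEC };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Every arithmetic bound is checked by subtraction so a hostile header cannot wrap it. */
enum elf_verdict check_ta_image(const uint8_t *img, size_t len)
{
    if (len < EHDR_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0) return ELF_BAD_MAGIC;
    if (img[4] != ELFCLASS32 || img[5] != ELFDATA2LSB)        return ELF_BAD_CLASS;
    if (rd16(img + 18) != EM_ARM)                              return ELF_BAD_MACHINE;

    uint32_t entry = rd32(img + 24), phoff = rd32(img + 28);
    uint16_t phentsize = rd16(img + 42), phnum = rd16(img + 44);
    if (phentsize != PHDR_SIZE || phnum == 0)                       return ELF_BAD_PHDRS;
    if (phoff > len || (uint64_t)phnum * PHDR_SIZE > len - phoff)   return ELF_BAD_PHDRS;

    int entry_exec = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + (size_t)i * PHDR_SIZE;
        if (rd32(ph) != PT_LOAD) continue;
        uint32_t off = rd32(ph + 4), vaddr = rd32(ph + 8), filesz = rd32(ph + 16);
        uint32_t memsz = rd32(ph + 20), flags = rd32(ph + 24);
        if (off > len || filesz > len - off)                              return ELF_SEG_OUT_OF_FILE;
        if (filesz > memsz)                                               return ELF_SEG_BAD_SIZES;
        if (vaddr < TA_VA_LO || vaddr >= TA_VA_HI || memsz > TA_VA_HI - vaddr) return ELF_SEG_OUT_OF_WINDOW;
        if ((flags & (PF_W | PF_X)) == (PF_W | PF_X))                     return ELF_SEG_WX;
        if ((flags & PF_X) && entry >= vaddr && entry - vaddr < memsz) entry_exec = 1;
    }
    return entry_exec ? ELF_OK : ELF_ENTRY_NOT_EXEC;
}

/* Constructed image: header plus two PT_LOAD segments (text at 0x10000 with the given
 * flags, data R+W at 0x20000), each backed by 16 bytes of file content. Returns its length. */
size_t build_demo_image(uint8_t *buf, size_t cap, uint32_t text_flags)
{
    size_t len = EHDR_SIZE + 2 * PHDR_SIZE + 32;
    if (cap < len) return 0;
    memset(buf, 0, len);
    memcpy(buf, "\x7f" "ELF", 4); buf[4] = ELFCLASS32; buf[5] = ELFDATA2LSB; buf[6] = 1;
    wr16(buf + 16, 2); wr16(buf + 18, EM_ARM); wr32(buf + 20, 1);   /* ET_EXEC, ARM, version */
    wr32(buf + 24, 0x00010000u);                                      /* e_entry */
    wr32(buf + 28, EHDR_SIZE);                                        /* e_phoff */
    wr16(buf + 40, EHDR_SIZE); wr16(buf + 42, PHDR_SIZE); wr16(buf + 44, 2);
    uint8_t *ph = buf + EHDR_SIZE;
    uint32_t data_off = EHDR_SIZE + 2 * PHDR_SIZE;
    wr32(ph, PT_LOAD); wr32(ph + 4, data_off); wr32(ph + 8, 0x00010000u); wr32(ph + 12, 0x00010000u);
    wr32(ph + 16, 16); wr32(ph + 20, 16); wr32(ph + 24, text_flags); wr32(ph + 28, 4096);
    ph += PHDR_SIZE;
    wr32(ph, PT_LOAD); wr32(ph + 4, data_off + 16); wr32(ph + 8, 0x00020000u); wr32(ph + 12, 0x00020000u);
    wr32(ph + 16, 16); wr32(ph + 20, 64); wr32(ph + 24, PF_R | PF_W); wr32(ph + 28, 4096);
    return len;
}

/* Verdict for the constructed image; truncate > 0 cuts that many trailing bytes first. */
enum elf_verdict demo_verdict(uint32_t text_flags, size_t truncate)
{
    uint8_t img[256];
    size_t len = build_demo_image(img, sizeof img, text_flags);
    return check_ta_image(img, len > truncate ? len - truncate : 0);
}
```

The truncated-image case matters in this design because the image arrives through an RPC to an REE daemon: the REE side can hand over fewer bytes than the headers claim, so every segment offset and size must be checked against the length actually received, not against the header's own description of the file.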

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110974579.1A CN113791898B (en) 2021-08-24 2021-08-24 TrustZone-based trusted microkernel operating system

Publications (2)

Publication Number Publication Date
CN113791898A true CN113791898A (en) 2021-12-14
CN113791898B CN113791898B (en) 2022-07-26

Family

ID=78876359

Country Status (1)

Country Link
CN (1) CN113791898B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1570855A (en) * 2004-04-30 2005-01-26 浙江大学 Micro-kernel design method for ARM processor framework
CN101226577A (en) * 2008-01-28 2008-07-23 南京大学 Method for protecting microkernel OS integrality based on reliable hardware and virtual machine
CN108647513A (en) * 2018-03-22 2018-10-12 华中科技大学 A kind of shared library security isolation method and system based on TrustZone
US20190266345A1 (en) * 2018-02-27 2019-08-29 Samsung Electronics Co., Ltd. Trustzone graphic rendering method and display device using the same
WO2020074354A1 (en) * 2018-10-10 2020-04-16 Technische Universität Darmstadt Method and device for isolating sensitive non-trusted program code on mobile terminals
CN111382445A (en) * 2020-03-03 2020-07-07 首都师范大学 Method for providing trusted service by using trusted execution environment system
CN112131019A (en) * 2020-09-17 2020-12-25 国网宁夏电力有限公司营销服务中心(国网宁夏电力有限公司计量中心) Method for rapidly communicating processes of microkernel operating system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Zhang Wen (张文): "基于TrustZone的可信操作系统设计与实现" (Design and Implementation of a TrustZone-based Trusted Operating System), China Master's Theses Full-text Database, Information Science and Technology Series (monthly) *
Xiao Kun (肖堃): "嵌入式系统安全可信运行环境研究" (Research on Secure and Trusted Execution Environments for Embedded Systems), China Doctoral Dissertations Full-text Database, Information Science and Technology Series (monthly) *

Also Published As

Publication number Publication date
CN113791898B (en) 2022-07-26

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant