ARM TrustZone and KVM
Source: Internet  Editor: 程序博客网  Time: 2024/06/06 11:11
1. TrustZone
Overview
ARM TrustZone is a hardware-based security technology that is used on billions of chips. This new architecture allows a CPU to run in two different worlds concurrently, the normal world and the secure world, which are hardware-isolated from each other. For example, within a CPU, software resides in either the secure world or the normal world, and a switch between the two worlds is accomplished by a secure monitor. But how does it work?
Hardware Support
TrustZone extends the AXI bus by adding a control line that carries the world-type signal. In addition, TrustZone adds two controllers, TZASC and TZMA, which manage access to memory and devices, respectively.
Switch between Two Worlds
TrustZone introduces a monitor mode, which is responsible for switching between the two worlds. When an app in the normal world tries to enter the secure world, it executes a dedicated secure monitor call (SMC) instruction, which triggers the secure monitor. The monitor code typically saves the state of the current world and restores the state of the world being switched to. Some exception mechanisms can also trigger the switch.
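The save-and-restore step described above, modelled in plain C as an added example (not code from the original post or from any real monitor implementation). The structure names, the register layout and the values in the scenario are constructed for illustration; a real monitor also handles banked and system registers and passes call arguments in registers, which this model leaves out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum world { SECURE = 0, NORMAL = 1 };     /* models the world-type (NS) state bit */

struct cpu_ctx { uint32_t r[13], sp, lr, pc, cpsr; };

struct cpu {
    struct cpu_ctx live;      /* registers currently on the core */
    enum world     ns;        /* which world is executing */
    struct cpu_ctx saved[2];  /* monitor-private save area, one slot per world */
};

/* Models the monitor-mode handler entered by an SMC instruction. */
static enum world monitor_smc(struct cpu *c)
{
    enum world from = c->ns;
    enum world to   = (from == NORMAL) ? SECURE : NORMAL;

    c->saved[from] = c->live;   /* save the state of the current world */
    c->live = c->saved[to];     /* restore the other world; every register is
                                   overwritten, so no stale value carries over */
    c->ns = to;
    return to;
}

/* Constructed scenario: the normal world calls in, the secure world puts a
   secret in r0, then returns. Returns 1 if the secret never becomes visible. */
static int demo_isolation(void)
{
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.ns = NORMAL;
    c.live.r[0] = 0x1111u;               /* normal-world value (constructed) */
    c.saved[SECURE].pc = 0x8000u;        /* secure entry point (constructed) */

    if (monitor_smc(&c) != SECURE || c.live.pc != 0x8000u) return 0;
    c.live.r[0] = 0xDEADBEEFu;           /* secure-world secret in a register */

    if (monitor_smc(&c) != NORMAL) return 0;
    return c.live.r[0] == 0x1111u && c.saved[SECURE].r[0] == 0xDEADBEEFu;
}

int main(void)
{
    printf("isolation holds: %d\n", demo_isolation());
    return 0;
}
```

If the restore step copied only some registers, the secret written in the secure world would still be in `r0` after the return, which is why the model overwrites the whole context.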
2. KVM Virtual Machine
Overview of Virtual Machines
Virtualization refers to the act of creating several virtual versions of computer resources, such as CPUs, memory and peripheral devices, on a single set of actual hardware. Each set of virtual resources acts like a real computer that runs an operating system independently, which helps make full use of limited resources. Unlike QEMU, which uses emulation, KVM uses processor extensions (HVM) for virtualization, so the code is executed on the real processor. Virtualization can be divided into two categories: full virtualization and half virtualization.
Full virtualization, such as VMware, provides a platform on which an operating system runs without any change, while half virtualization needs some changes in the kernel of the guest OS. However, performance is an important problem for full virtualization. As we all know, there are four privilege levels in Windows, ring 0 to ring 3; userspace programs run in ring 3 and kernel-space programs in ring 0. Because the host OS regards a guest OS as an ordinary process, the guest's kernel space cannot occupy ring 0 as usual. An exception is triggered when the guest OS tries to access a system resource (because of its limited privileges); the host OS catches the exception and returns a success signal to the guest, which is very costly.
Hardware Support
To deal with these problems, some CPUs (Intel VT) provide special support by adding VMX root and VMX non-root modes.
KVM
KVM is a full virtualization solution for Linux on hardware containing virtualization extensions (Intel VT or AMD-V). It consists of a loadable kernel module that provides the core virtualization infrastructure, and a processor-specific module. Using KVM, you can run multiple virtual machines with unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc.
3. Difference between TrustZone and KVM
Although TrustZone and KVM both make it possible to run several OSes on a single set of hardware, they are designed for different purposes. Virtualization is used to reuse computer resources and build an isolated environment, whereas TrustZone is designed for security goals, limiting each OS's access to computer resources.