Skip to content

Introduction

Jump to bottom
Andrea Barisani edited this page Oct 29, 2024 · 13 revisions

This tutorial demonstrates concurrent instantiation of TamaGo based unikernels in privileged and unprivileged modes, interacting with each other through monitor mode and custom system calls.

The shown API is exposed by GoTEE to allow implementation of pure Go Trusted Execution Environments (TEE), bringing Go memory safety, convenience and capabilities to bare metal execution within TrustZone Secure World or equivalent isolation technology.

Privilege levels

The ARM and RISC-V architectures, like most CPUs, provides different privilege levels which allow execution of code in an isolated context. This principle is what isolates your operating system kernel (e.g. Linux) from let's say your browser.

If we look at the following diagram, on a typical Linux installation your operating system kernel would run by default in Secure PL1 state, being responsible for drivers and exception handling, while all user applications (e.g. daemons, shells, programs, etc.) would run in Secure PL0 state (user mode).

Most architectures provide additional levels of separation, on modern ARM CPUs the separation between Non-secure and Secure states is implemented through the ARM Security Extensions, also known as TrustZone.

Such isolation technologies allow the creation of a parallel execution context, isolated from the "main" PL0/PL1 privilege levels, which can be isolated in terms of hardware peripheral access.

Typically a secure bare metal kernel would be instantiated in the secure context (e.g. Secure World in case of TrustZone) handling sensitive key material and related cryptographic operations, while the regular "rich" OS would be instantiated in the less privileged (e.g. NonSecure World) domain.

This isolation is not to be confused with virtualization, where resources are emulated, as both domains run on the actual non-emulated hardware. The TrustZone aware peripherals controllers act as "hardware firewalls" assigning real memory and I/O exclusively, or shared, to each context depending on user configuration.

TamaGo

The TamaGo framework enables Go compiled programs to run under bare metal, without the need for Operating System support, with pure Go drivers and boot up procedure.

TamaGo is ideally suited for unikernels running in secure domains as it brings memory safety, a powerful standard runtime and cryptographic libraries, and an overall simplicity to code whch has otherwise been traditionally developed in bare metal C (which undermines the security goals of such sensitive secure kernels).

Trusted Applets

Most TEE frameworks implement so called "trusted applets", running in bare metal user mode within the secure partition, to allow users to execute their secure code under the TEE framework.

Some of the reasons behind the need for applets are:

  1. the desire to isolate multiple different applets and ensure that compromise of one would not leak the memory of the other (or the Trusted OS);

  2. allowing an Open Source TEE framework to run closed applets deployed as binary blobs;

We believe that using a high level language such as Go mostly mitigates the concerns behind reason #1, as applets and Trusted OS can co-exist freely as imported libraries within the same execution context, with much convenience and simplicity over a much reduced, compared to C applets, security concern.

Regardless of this aspect, and avoiding any philosophical debate on reason #2, TamaGo and GoTEE offer maximum flexibility and allow implementation of all desired scenarios.

Next

Trusted OS and Applet execution

Tutorial

  1. Introduction
  2. Trusted OS and Applet execution
  3. System Calls
  4. Main OS execution
  5. TrustZone configuration
  6. Examples
Clone this wiki locally