We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Keystone: towards an open standard for trusted execution environments

00:00

Formal Metadata

Title
Keystone: towards an open standard for trusted execution environments
Title of Series
Number of Parts
637
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Keystone is an open framework for building customizable trusted execution environments (TEEs) based on RISC-V for various platforms and use cases. Instead of building a single instance of TEE hardware, Keystone provides security primitives, which can be composed by the software framework. The enclave developer and the platform provider can customize the TEE in order to meet their threat models or platform configurations. The Keystone project aims to build an open standard for TEEs by providing a generic and formally-verified interface for a wide range of devices. We envision that every hardware can have a secure TEE with almost no additional cost. In this talk, we will discuss the current state and future directions of the project.
179
Thumbnail
20:09
245
253
Thumbnail
30:06
294
350
Thumbnail
59:28
370
419
491
588
Thumbnail
30:18
Computer hardwareIntegrated development environmentOpen setStandard deviationSoftware frameworkOpen sourceReduced instruction set computingRing (mathematics)Data integrityRootCryptographyMechanism designFirmwareCodeFormal verificationFormal grammarBus (computing)Software development kitInterface (computing)ArmIterationEndliche ModelltheorieFingerprintMobile appMobile WebPoint cloudIntelDigital rights managementBuildingProjective planeOpen sourceProcess (computing)Semiconductor memoryData managementRevision controlCartesian coordinate systemComputer programmingChainUtility softwareBuildingMereologySoftware frameworkINTEGRALRootIntegrated development environmentEntire functionEncryptionMechanism designOperating systemContext awarenessFirmwareInformationComputer hardwareOrder (biology)Information securitySoftware developerSource codeSpeicherschutzSoftwareWrapper (data mining)Slide ruleImplementationLatent heatArmModel theorySoftware testingLibrary (computing)Computing platformCASE <Informatik>Mobile WebDomain nameDampingMicrocontrollerServer (computing)Partition (number theory)Social classConnectivity (graph theory)Flow separationPhysical systemFunctional (mathematics)CoprocessorNetwork topologyCausalityWorkstation <Musikinstrument>Level (video gaming)Exception handlingPersonal digital assistantPerspective (visual)SpacetimeWebsiteComputer architectureVideo gameWordTime zoneWorkloadExecution unitFormal verificationScripting languageSet (mathematics)FreewareCodeVelocityShared memoryComputer animation
BefehlsprozessorReduced instruction set computingStandard deviationImplementationComputing platformBuildingReduction of orderDisintegrationComputer hardwareFormal verificationOpen setArchitectureSoftwareSource codeProcess (computing)Ring (mathematics)Asynchronous Transfer ModeVirtual machineModel theoryRootInformation securityRead-only memoryComputer architectureInternet service providerAsynchronous Transfer ModeSet (mathematics)MikroarchitekturOperator (mathematics)Binary codeKernel (computing)Process (computing)Ring (mathematics)MereologyShared memorySoftwareGame controllerCache (computing)PhysicalismVirtual machineSpeicherschutzConnectivity (graph theory)Computer configurationCore dumpProper mapCryptographyRootDifferent (Kate Ryan album)Model theoryAbstractionSemiconductor memoryCoprocessorImplementationRange (statistics)Address spaceContext awarenessIntegrated development environmentProjective planeComputer hardwareOpen setComputing platformInformation securityInterface (computing)Standard deviationOrder (biology)Extension (kinesiology)Open sourceMultiplicationMicrocontrollerLevel (video gaming)FreewareMechanism designSoftware developerCartesian coordinate systemUniform resource locatorWordDependent and independent variablesNP-hardRun time (program lifecycle phase)Graphics processing unitPartition (number theory)Error messageConstructor (object-oriented programming)Arrow of timeFormal verificationINTEGRALSocial classServer (computing)CodeExpert systemMotif (narrative)Physical systemImage resolutionState of matterPosition operatorSoftware frameworkCASE <Informatik>Forcing (mathematics)Service (economics)Latent heatXMLComputer animationProgram flowchart
Software frameworkBuildingBlock (periodic table)SoftwareFirmwareComputer hardwareMultiplicationComputing platformMicrocontrollerEntire functionExtension (kinesiology)Read-only memoryGame controllerCache (computing)Advanced Encryption StandardLatent heatEncryptionBootingSpeicherschutzReduced instruction set computingCarry (arithmetic)Integrated development environmentReduction of orderDisintegrationFocus (optics)Formal verificationOpen sourceInterface (computing)Binary fileAsynchronous Transfer ModeOpen setRootVideo trackingCryptographyData managementAbstractionModel theoryLevel (video gaming)Formal grammarImplementationFunction (mathematics)Information securityAerodynamicsLibrary (computing)Physical systemSystem callThread (computing)Time zoneCoprocessorSoftware frameworkCartesian coordinate systemOrder (biology)TwitterOpen sourceComputer hardwareProjective planeModeling languageSide channel attackTask (computing)PrototypeElectric generatorSet (mathematics)Medical imagingShared memoryMaxima and minimaThread (computing)Block (periodic table)IP addressModel theoryDifferent (Kate Ryan album)Graphics tabletDampingGroup actionBuildingNumbering schemeDefault (computer science)SoftwareRevision controlCycle (graph theory)Video gameCASE <Informatik>CryptographyLatent heatArithmetic progressionFirmwarePoint (geometry)Semiconductor memoryMereologyCache (computing)Proof theoryFormal verificationRange (statistics)Game controllerInformation securityExtension (kinesiology)ImplementationCoprocessorMultiplicationINTEGRALBinary codeRootEndliche ModelltheorieComputing platformBootingData managementProcess (computing)Level (video gaming)Physical systemComputing platformInterface (computing)Formal grammarRemote procedure callStress (mechanics)Cross-platformComputer architecturePartition (number theory)AuthorizationWebsiteOpen setRoutingMeasurementFunctional (mathematics)Motif (narrative)40 (number)Term (mathematics)WaveComputer animation
Element (mathematics)Computer animation
Transcript: English(auto-generated)
Hi, my name is Dayoli from UC Berkeley. Today, I'm going to talk about an open source project called Keystone, which I've been working on for a couple of years. Let me first briefly introduce our project.
Keystone Enclave is a framework for Trusted Execution Environments or TE. It is an open source project with permissive license. Most parts are under BSE3 class with several components licensed under MIT and Zlib licenses. It's been two years since we released the first version in December 2018.
Keystone is based on RISC-V instruction set architecture. It was started in the University of California at Berkeley as an academic project. So there is an academic paper published in Eurosys last April. The paper actually explains a lot of details about motivation,
design, implementation, and so on. So please check it out if you're interested. As of now, it has at least eight users from both academia and industry. There are more than five active contributors and more than 50 forks so far. It's still a growing project
and it's still in its only stage, but a lot of people are starting to get involved. This is our website, so please check it out if you want more information. I'll elaborate what is Trusted Execution Environment or TE in the context of our project.
In the traditional perspective, the system security was often based on a trusted operating system. For example, the OS is in charge of process isolation and resource management and so on. We all trust that the OS will always do the right thing. So any application on top of it must trust the OS.
However, people start thinking that this might not be a good idea. So the OS is getting bigger and bigger every day, and we may never make it entirely bug-free. Because of this, a malicious application can compromise the OS to breach a security-critical application,
or also sometimes the operating system itself could be malicious. So this is where TE comes into play. The idea of TE solves this problem by relying on hardware, trusted hardware, instead of trusting the OS. So the hardware actually guarantees that the application always resides inside an isolated
or sometimes even encrypted memory space. This is often referred to as an enclave, which provides confidentiality and integrity of the data and the program execution. Also, these guarantees are, of course, backed by the remote utilization using a chain of trust based on the hardware.
So this, part of this simple idea, building TE isn't so simple, actually. As a hardware manufacturer, for example, you may need to design the entire silicon root of trust and build it, hardware mechanisms for memory isolation or encryption and so on. Also, you may need to implement some microcode or firmware
to allow the software, upper layer software, to use your hardware mechanisms. This is not the end of the story. You may also need to verify the entire thing together with rigorous testing or ideally with former methods. Also, in order to seamlessly deploy applications to a TE,
you'll probably need a lot of software tools like SDK, libraries and wrappers and so on. There are a lot of open source projects on the software side, for example, Google, Cecilo, OPT, Graphene and so on. But you may notice that there are less often
source projects on the hardware side. I'll talk more about it in the next slide. So now, all of the major hardware vendors have added some TE capability to their processors. Examples are Intel's SJX, TDX, Arm TrustZone and AMD's SEV.
However, the TE implementations on these platforms are usually not open source. This is simply because they don't disclose their hardware or microcode. Actually, this is totally fine if you're a software developer and you're gonna just trust them and use their chips to deploy your program in a TE they provide.
But the caveat here is that their TE might be tightly coupled with their business. In other words, the TE might have a very specific frame model and a lot of assumptions on the software you're gonna run. For example, Intel SJX targets a partition server or desktop application and has a very strong frame model against the untrusted external memory.
And Arm TrustZone targets mobile devices, but the applications are typically provisioned by a trusted party. So it ends up having only two security domains where all the trusted applications share the same security domain. AMD's SEV supports full VM encryption, which would be useful for VM isolation in a data center,
but not very useful for isolating individual applications. So if you have any needs beyond these use cases or have different assumptions on your workload, you may need significant amount of work to work around these things in software. Or you may also need to build a TE capable hardware
from the scratch. Actually, this is very expensive because, again, you need to build and design everything, including the root of trust, hardware mechanisms, and the microcontroller firmware. Also, you need to verify functionality and security. So the goals of the Keyson project is as follows.
First, we're gonna enable TE on every RISC-V processor for free. We enable it by sticking to the standard ISA or sub-ISA as much as possible to provide a basic set of TE functionalities, such as memory isolation and attestation. And then we make TE easy to customize
depending on the specific needs. So people can still add some kind of platform-specific features to their TE if they want. For example, you can add cache side-channel defense using some cache partitioning mechanism in your hardware or something else. So the key idea here is that you can easily reuse
a specific part of the TE implementation across multiple hardware platforms if it was open source. Any hardware vendor can easily extend our implementation to enable their custom TE with their own hardware. And also they can contribute back to the project if they want. So more importantly, we'd like to reduce the cost of TE development.
So we believe that every processor in the world will have some kind of TE in the future and a lot of application will rely on TE eventually. So anyone who want to build their own chip should be able to enable TE with very low cost. In order to achieve that, we are working on reducing various costs
such as hardware integration, verification, and integrating with existing software tools and so on. So until now, the project has been focusing on these two goals. I'll talk about how we enabled a customizable and portable TE that works with multiple RISC-V platforms. So before we dive in,
let me talk briefly about RISC-V. RISC-V is an Open Instruction Set Architecture. Note that this is not an open source processor. It is an ISA. And the key design philosophy of the ISA was simplicity, efficiency, and extensibility. So it actually fits our project perfectly well.
It's now becoming an industry standard for all kind of computing devices. And also its ecosystem is growing rapidly on both software and hardware sides. More and more companies are getting involved and building their own RISC-V chips. A lot of microcontrollers or embedded devices
are already being built with RISC-V. And we're expecting high performance or server-class RISC-V processors in the near future. So how TE can be implemented in RISC-V? So here's the difference between x86 and RISC-V privilege levels. In x86, kernel is running in ring zero
and both user process and the kernel will interact with the hardware using x86 SISC instructions. These instructions are once again translated into a microcode. And the TE is mostly implementing this proprietary microcode as a part of hardware. The hardware vendor is in charge of designing,
implementing, and verifying the TE. In RISC-V, on the other hand, there are currently three software privilege modes. Kernel runs in S mode and M mode acts very similar to the microcode in SISC architecture. Both M mode and S mode share exactly the same base instruction sets. So instead of adding instructions for TE,
RISC-V M mode can provide so-called supervisor binary interface, which is SBI for TE operations. RISC-V TEs are implemented via the M mode software and the microarchitecture components. So here's the overall architecture and trust model of Keysun.
Keysun requires a trusted hardware with unmodified RISC-V cores and the root of trust, and also may have optional hardware features such as advanced cache controller or cryptographic accelerators and so on. And on top of that, the security monitor runs in machine mode
and the monitor implements the basic security features such as memory isolation and attestation, and the monitor is in charge of also provide a proper abstraction interface of the hardware to the upper layer software. For example, different hardware may have different implementation of root of trust,
but the monitor provides the same interface to the upper layer software. And on top of that, there is a traditional software stack, which is the host, and that host can launch and execute enclaves by using the monitor interface. So each enclave will have isolated execution environment protected by the hardware
and consists of two components, which are the enclave application, which runs in user mode, and the runtime, which runs in the supervisor mode. Let me talk about how Keysun enables TE on RISC-V processors. Keysun uses hardware-enforced
and software-defined memory isolation. So we use a standard RISC-V feature called physical memory protection, or PMP. PMP is implemented by a set of special registers, only accessible by the security monitor, and the monitor can use the registers to configure entries of the physical address ranges
and the access permissions to each range. Since PMP is enforced on every physical memory access, the monitor can use it to implement memory isolation of enclaves. In an untrusted context, the security monitor protects the enclave memory as well as its own memory. By flipping, for example, these two PMP entries,
each of the enclave memory becomes exclusively accessible only when we enter this enclave, in this case, enclave one context. So based on these standard RISC-V feature, we can implement the basic set of TE capability without requiring any hardware modification.
This allows Keysun to be a customizable TE framework that can generate various TEs with shared common base. So the basic design principle is that the framework provides building blocks of TEs in software and people can customize their TEs using their framework.
The framework is in charge of composing these building blocks based on the thread model and features. And finally, the framework generates an image of TE firmware and the enclave that can run on a compatible hardware. So this is the basic idea of the Keysun. And because of our goals, we have been working hard to make Keysun a multi-platform
and general purpose TE. Thanks to the efforts, Keysun now supports both RV32 and RV64 architectures. Also recently, our team has successfully prototype enclave task execution in FreeRTOS. This means that it will work with embedded devices with minimal hardware as well.
Keysun aims to generalize the SPI so that it can easily support not only a partitioned application, but also sometimes a full application or even the fully feature OS inside the TE. Also, we make it easy to extend based on the platform specific needs
or available features on the platform. Few people, including ourselves, already have shown that this is easy to extend. And they have extended Keysun to defend different thread models or improve the performance. So we have implemented memory encryption, for example,
using the scratch pad available in the hardware, as well as a cache partitioning scheme using the advanced cache controller that has a way masking feature in order to defeat the side channel attacks. A group of people have extended Keysun to improve performance
by using available crypto accelerators in the hardware. And those are not only examples and there will be more use cases and extensions in the future. So far, we talked about how we built a customizable TE, which is portable across multiple RISC-V processors. So what's next?
We started looking at our third goal, which is to reduce the cost of building TE. This includes reducing the cost of hardware integration, verification, and also the software integration and so on. For the hardware integration, we have integrated Keysun with OpenSPI, which is ready in Keysun version one.
OpenSPI is an open source supervisor binary interface for RISC-V following the SBI spec 0.2. OpenSPI also allows to generate an M-Mod firmware for many, many RISC-V platforms. So it's now much easier to enable TE in those platforms supported by the OpenSPI.
Another effort that we have just started is to use OpenTitan as a Keysun silicon root of trust. So Keysun currently doesn't have a reliable root of trust implementation. So we'd like to integrate OpenTitan as a default root of trust of Keysun.
OpenTitan is, by the way, an open source silicon root of trust that transparently implements various hardware IPs. For example, the chip life cycle management or verified boot and so on. So this is what we exactly need. The second goal is to reduce the cost of verification.
So verification is actually the pain point when you design a TE. There is a project work in progress that tries to relieve this pain by automating some parts of the process. Here's the idea of the project from the M-Mod implementation of the security monitor. We actually can automatically generate
an instruction level software model and based on the high level former specification that we wrote for functionality, we can verify if the implementation actually follows the spec. So once we wrote this high level former specification,
the system will automatically generate this model and verify if the implementation matches with the functionality. It's quite an ambitious goal, but also we wanna combine this software model with RISC-V hardware model and prove that the model refines an abstract model
which is proven to be secure from a given adversary model. This is a following work of a formal work by Submanian, a former foundation for secure remote execution of run-claves, which was published in CCS 17, 2017.
Finally, we'll try to implement a lot of missing pieces to support wider range of applications. There are still a lot to do in order to make this happen. Actually, a long-term goal is to integrate Keystone with the existing software frameworks
so that any T applications based on these frameworks can be seamlessly ported over Keystone based T's. So to summarize, Keystone is a open source framework for T's on RISC-V. And our goal includes enabling T
on every RISC-V processor, making it easy to customize and extend, also reducing the cost of building T. We are actually happy to get any contribution or we are very open to discussion. So please contact me if you're interested in collaboration
or if you have any questions about the project. I'm happy to answer the questions. So thank you. I'm ready to take questions.