4

Let's say I have a symmetric key wrapped with a storage root key (SRK) in a TPM. The SRK cannot be read by an attacker, so I perform the decryption using the SRK and get the symmetric key in memory to do subsequent operations using the symmetric key. How is the security of the symmetric key in memory obtained? On a standard Linux (Android) system, should I not be able to dump the contents of memory and hence obtain the symmetric key? So what are TrustZone and wrapping with the SRK giving me? Is there a way to protect this symmetric key and all subsequent operations using the symmetric key? I remember reading a while ago that in TrustZone we can run signed code only, which is good, but isn't encrypted memory required to be secure? Is there a TrustZone mode where I get encrypted memory, thereby protecting the key in memory?

How does Android solve it? If there is an option to use encrypted memory in Android, how is the memory encrypted, with which key and how is the key provisioned/generated?

user220201

2 Answers

2

TrustZone and TPM (with its SRK) are two very different things. I'll try to differentiate both of those before explaining how they can be used to achieve what you explained.

TrustZone is an ARM platform environment. It provides a second environment which is meant to be secure. By this I mean, many features are available to obtain security.

In your example, the normal environment (the rich world in TrustZone terms) would be running Android and a so-called trusted/secure kernel (the TEE) would be on the TrustZone side (the secure world). Those protections are defined by the TEE itself and depend on its actual goals. What's running in the secure world uses protected memory that cannot be written/read by the normal world (Android), and some devices might be mediated or reserved exclusively by the TrustZone kernel too.

You are right when you say a symmetric key wrapped by the TPM's SRK would normally be exposed directly in memory once unwrapped. The TPM does not offer anything at that point. The assumption is that you are only doing this from a trusted environment. However, if we join both a TPM and TrustZone, we can encrypt/decrypt data with the SRK (e.g. a symmetric key) and only expose the plain text to the secure world, hence protecting it from the normal world, Android.

This is basically how Apple protects sensitive information/processes (obviously heavily simplified).

northox
0

Your question switches from TPM to TrustZone midway. Those are different technologies, providing different functionality, with different security properties, and available on different (largely disjoint) sets of platforms. What they have in common is that both are computing environments that contain a secret key that's unique to the device they're attached to, and that is protected from the main operating system running on that device.

A TPM is a separate chip that provides a fixed set of services. One of these services is to protect a key at rest by wrapping it with a key that doesn't leave the TPM. To use this key in an application, the application needs to retrieve the key from the TPM, and at that point the key ends up within the main operating system. TPMs are pretty much exclusively found attached to x86 processors.

TrustZone (and associated technologies) provides an isolated environment running on the same processor as the device's main operating system. It's possible to use it to protect a key at rest, and also to protect a key at runtime if the key is manipulated by an application running in the TrustZone side of the processor (the trusted execution environment (TEE)). TrustZone is an ARM feature.

A TPM provides a key storage facility. Android provides this facility via the Keymaster service. On many recent Android phones, the Keymaster service is hardware-backed, running in the TrustZone secure world. But in the end the key needs to be retrieved by the application that uses it.

TrustZone potentially offers the additional functionality of running custom applications in the secure world. If you can do that, then you can have a key that doesn't leave the secure world.

Some very recent x86 processors have a similar functionality called SGX. They allow applications to run in a context that's protected from the main operating system.

If you can deploy applications to TrustZone or SGX, the next problem is how to process the data that's encrypted or signed with the key. If that data is exchanged with a server using a secure channel then you may not need to trust the main operating system at all. The subsequent problem, for many applications, is how to establish a relationship with a specific device, i.e. provisioning. That tends to require a somewhat heavy infrastructure.

Gilles 'SO- stop being evil'
  • TPMs are not necessarily discrete chips. Nowadays they're mostly running as an application within Intel ME. Clarifying this should help people to understand TPM's functionality can be implemented as an application within TrustZone. – northox Nov 29 '16 at 20:39