LTZVisor: TrustZone is the Key∗
Sandro Pinto, Jorge Pereira, Tiago Gomes, Adriano Tavares, and Jorge Cabral
Centro Algoritmi, Universidade do Minho, Guimarães, Portugal
Abstract
Virtualization technology is becoming more and more widespread in the embedded systems
arena, driven by the upward trend for integrating multiple environments into the same hardware
platform. The penalties incurred by standard software-based virtualization, together with
the strict timing requirements imposed by real-time virtualization, are pushing research towards
hardware-assisted solutions. Among existing commercial off-the-shelf (COTS) technologies, ARM
TrustZone promises to be a game-changer for virtualization, despite this technology still being
seen with a lot of obscurity and scepticism. In this paper we present a Lightweight TrustZone-assisted Hypervisor (LTZVisor) as a tool to understand, evaluate and discuss the benefits and
limitations of using TrustZone hardware to assist virtualization. We demonstrate how TrustZone
can be adequately exploited for meeting real-time needs, while presenting a low performance
cost on running unmodified rich operating systems. As ARM continues to spread TrustZone
technology from applications processors to the smallest of microcontrollers, it is undeniable
that this technology is gaining increasing relevance. Our intent is to encourage research and
drive the next generation of TrustZone-assisted virtualization solutions.
1998 ACM Subject Classification C.3 Real-Time and Embedded Systems
Keywords and phrases hypervisor, virtualization, TrustZone, space and time partitioning, real-time, embedded systems
Digital Object Identifier 10.4230/LIPIcs.ECRTS.2017.4
∗ This work has been supported by COMPETE: POCI-01-0145-FEDER-007043 and FCT – Fundação
para a Ciência e Tecnologia – (grant SFRH/BD/91530/2012 and UID/CEC/00319/2013).
© Sandro Pinto, Jorge Pereira, Tiago Gomes, Adriano Tavares, and Jorge Cabral;
licensed under Creative Commons License CC-BY
29th Euromicro Conference on Real-Time Systems (ECRTS 2017).
Editor: Marko Bertogna; Article No. 4; pp. 4:1–4:22
Leibniz International Proceedings in Informatics
Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany

1 Introduction
Platform virtualization, which enables multiple operating systems (OSes) to run on top of the
same hardware platform, is gaining momentum in the embedded systems arena, driven by the
growing interest in consolidating and isolating multiple and heterogeneous environments [6].
While in industrial control or automotive systems virtualization has been used to integrate
real-time control functionalities with high-level or infotainment environments [20, 9], in
aeronautics and aerospace virtualization provides isolation for safety-critical components
[10, 26]. Despite the differences among several embedded industries, all share an upward
trend for integration, due to the common interest in building systems with reduced size,
weight, power and cost (SWaP-C) budget [6, 10].
Typically, solutions for embedded virtualization [10, 1, 7, 26] follow two different approaches: full-virtualization and paravirtualization. Between both approaches there is a
trade-off between performance and flexibility: the traditional full-virtualization [7, 26] incurs
a higher performance cost, while the static paravirtualization approach [1, 10, 26] incurs
a higher design cost. Due to the penalties incurred by software-based virtualization
approaches, as well as the strict timing requirements and constraints imposed by real-time
virtualization [31], academia and industry have recently begun focusing their attention on
providing hardware support to assist virtualization. Intel introduced Intel Virtualization
Technology (VT) [24], ARM presented ARM Virtualization Extensions (VE) and ARM
TrustZone [28, 4, 5, 17], and, recently, Imagination/MIPS released MIPS Virtualization and
OmniShield technology [31].
Among existing COTS technologies, ARM VE and ARM TrustZone [30] have attracted
particular attention, due to the ubiquitous adoption of ARM-based processors in the embedded
market. Although ARM VE is the specific technology from ARM for virtualization, ARM
TrustZone is also seen as a hardware-based alternative for system virtualization [5]. This
technology is gaining momentum due to the supremacy and lower cost of TrustZone-enabled
processors in comparison with VE-enabled processors, and because it is seen as the only
implementable hardware-based approach on ARM processors where VE are not available.
Examples of such processors include the well-established ARM Cortex-A9, and the newest
Cortex-A32. Furthermore, due to the recent ARM announcement of introducing TrustZone
technology in the new generation of Cortex-M processors [27], this technology also promises
to be a game-changer in the low-end sector, opening the possibility of breaking the barrier
to the adoption of system virtualization in resource-constrained embedded devices.
TrustZone technology virtualizes a physical core as two virtual cores, providing two
completely separate execution domains. The non-secure world acts as a virtual machine
(VM) under the control of a hypervisor running in the secure world side. Some TrustZone-based solutions for virtualization have been proposed [30, 3, 5, 22, 13, 17]. While some
of them just support a single guest execution, others present a dual-OS configuration for
running an RTOS side-by-side with a GPOS. The problem is that they still fail to provide
detailed information about their implementation and deployment on physical platforms, to
perform extensive experiments, and to present convincing results. We believe
that ARM TrustZone, when adequately exploited, opens up a number of opportunities for
(real-time) virtualization, despite some researchers still arguing that perceiving TrustZone as
a virtualization mechanism is very limiting and ill-guided [28, 8].
To answer a plethora of doubts and questions, we developed LTZVisor (Lightweight
TrustZone-assisted Hypervisor) as a tool to clearly understand and evaluate how TrustZone
hardware can be efficiently exploited to assist virtualization. We describe all the details
behind the implementation, highlighting its benefits and discussing identified limitations and
how they can be overcome. We conducted an extensive set of experiments which clearly
demonstrate how TrustZone-assisted virtualization can effectively meet real-time needs.
LTZVisor is the outcome of years of our experience in working and developing TrustZone-based solutions for a multitude of applications and domains [17, 16, 18, 19, (...truncated)