[Cryptech Tech] ARM trust zone
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Feb 23 13:15:04 UTC 2015
Joachim Strömbergson <joachim at secworks.se> writes:
>From my experience talking to and working with TrustZone, TEE people that is
>really part of the security model though. If you can get an escape from the
>TA inside the TEE, most people in the field seem to understand that any
>secrets inside the TEE are then free for the taking.
It's not just the secrets, it's that anything outside the TEE, like
malware-protection software, can't see in. This makes it the perfect place for an
undetectable, unremovable rootkit, which is exactly what some folks did a year
or two back (another attack-the-insecure-bit-from-inside-the-secure-bit
attack, compromising the TEE to get the rootkit in wasn't too difficult).
So you've got a "secure" environment that (a) isn't very secure and (b) can't
be defended against once compromised.
>The ones that don't like this are the ones pushing for having a Secure
>Element as the next protection level.
Given that ARM already has a whole string of operating modes, do you really
need to use the TEE? Just going with some standard kernel that supports more
than the usual embedded all-in-one mode will give you a lot of the benefit of
the TEE without all the complications.
>FIDO is really interesting in many ways. You could probably write a chapter
>for Engineering Security on its security model, design, mechanisms etc. ;-)
I think all I need to do is point to this XKCD cartoon:
http://xkcd.com/927/
Peter :-).