
Design And Implementation Of Trusted Operating System Based On TrustZone

Posted on: 2022-01-13
Degree: Master
Type: Thesis
Country: China
Candidate: W Zhang
Full Text: PDF
GTID: 2518306524480464
Subject: Cyberspace security

Abstract/Summary:
As embedded systems move towards networking and openness, the inability of embedded devices to withstand security attacks is becoming increasingly prominent, and device security matters more and more. General-purpose operating systems, however, focus on performance and on building a rich ecosystem; the resulting system is large and bloated, and its latent security flaws and wide attack surface make it ill-suited to applications that perform operations requiring a higher security level. This thesis therefore builds on the system-level isolation of ARM TrustZone and its hardware security extensions to design and implement a trusted operating system that meets requirements of reliability, security, scalability and standardization, and migrates access to sensitive data and sensitive operations into the trusted execution environment (TEE) to secure the system.

The thesis surveys existing embedded kernel architectures and concludes that a trusted operating system is better served by a microkernel architecture, which is superior to the currently mainstream monolithic-kernel architecture in reliability and scalability. Since most services of a microkernel run in user mode, the kernel stays small, which makes it easier to audit thoroughly for latent security flaws. To meet the security needs of a trusted operating system, the thesis combines capability-based fine-grained access control, multi-level isolation and trusted boot, so that image integrity is verified when the system boots and when a trusted service is loaded, and trusted services are protected while they execute. Because client applications may run on multiple cores, and to reduce the latency of trusted-service requests, the thesis designs a reentrant service request interface that lets requests from several client applications execute in parallel, and proposes both a synchronous multi-core boot scheme and a PSCI-based boot scheme.

To improve the flexibility of the system, the thesis studies ELF file parsing and loading in depth and implements a dynamic loader for trusted services, so that trusted applications can be compiled and loaded independently. To meet the standardization requirement, it wraps the system's existing functions in interfaces that follow the GlobalPlatform (GP) TEE specifications. Finally, the trusted operating system is implemented on an i.MX6Q board and subjected to functional and performance tests, including system boot and service loading tests, followed by measurement of the cost of acquiring a TEE service, of service loading, and of common cryptographic algorithms.
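The dynamic loader for trusted services mentioned above is the point where untrusted input (an ELF image handed in from the normal world) meets TEE memory, so the checks it performs before copying a single byte decide whether a malformed image can corrupt the trusted OS. The following is an added example written for this page, not code from the thesis: a minimal ELF32/ARM segment loader that validates the header, the program header table and every PT_LOAD segment against the image length and a load window before copying, refuses W+X segments, and confirms the entry point lies in executable code. The load window constants, the `ta_window` buffer, the function names and the constructed sample image (including the tampered variant whose `p_offset + p_filesz` wraps in 32-bit arithmetic) are all assumptions for the illustration; the thesis gives no memory map or API.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ELF32 header layouts as fixed by the ELF specification (52 and 32 bytes,
 * no padding); defined inline so the example builds without <elf.h>. */
typedef struct {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32_Ehdr;
typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} Elf32_Phdr;
enum { ET_EXEC = 2, EM_ARM = 40, PT_LOAD = 1, PF_X = 1, PF_W = 2, PF_R = 4 };

/* Assumed load window the trusted OS reserves for one trusted application;
 * the thesis does not give its memory map, so these values are hypothetical. */
#define TA_WINDOW_BASE 0x10000u
#define TA_WINDOW_SIZE 0x1000u
static uint8_t ta_window[TA_WINDOW_SIZE];

typedef enum { LOAD_OK = 0, LOAD_BAD_EHDR, LOAD_BAD_PHDR_TABLE, LOAD_SEGMENT_OUT_OF_FILE,
               LOAD_SEGMENT_OUT_OF_WINDOW, LOAD_SEGMENT_WX, LOAD_BAD_ENTRY } load_status;

/* Validate img and copy every PT_LOAD segment into ta_window.  Offsets are
 * added in 64 bits so a 32-bit wrap in a hostile header cannot slip past a
 * bound check.  Assumes a little-endian host, as the Cortex-A9 of the i.MX6Q is. */
load_status load_ta_image(const uint8_t *img, size_t len, uint32_t *entry, unsigned *nloaded)
{
    Elf32_Ehdr eh;
    unsigned loaded = 0;
    int entry_ok = 0;

    if (len < sizeof eh) return LOAD_BAD_EHDR;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 1 /* ELFCLASS32 */ ||
        eh.e_ident[5] != 1 /* ELFDATA2LSB */ || eh.e_type != ET_EXEC ||
        eh.e_machine != EM_ARM || eh.e_phentsize != sizeof(Elf32_Phdr) || eh.e_phnum == 0)
        return LOAD_BAD_EHDR;
    if ((uint64_t)eh.e_phoff + (uint64_t)eh.e_phnum * sizeof(Elf32_Phdr) > len)
        return LOAD_BAD_PHDR_TABLE;          /* header table reaches past the image */

    memset(ta_window, 0, sizeof ta_window);  /* also zero-fills every .bss tail */
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf32_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        if ((ph.p_flags & PF_W) && (ph.p_flags & PF_X))
            return LOAD_SEGMENT_WX;          /* refuse W+X mappings */
        if (ph.p_filesz > ph.p_memsz || (uint64_t)ph.p_offset + ph.p_filesz > len)
            return LOAD_SEGMENT_OUT_OF_FILE; /* file-backed part not fully inside img */
        if (ph.p_vaddr < TA_WINDOW_BASE ||
            (uint64_t)ph.p_vaddr - TA_WINDOW_BASE + ph.p_memsz > TA_WINDOW_SIZE)
            return LOAD_SEGMENT_OUT_OF_WINDOW;
        memcpy(ta_window + (ph.p_vaddr - TA_WINDOW_BASE), img + ph.p_offset, ph.p_filesz);
        if ((ph.p_flags & PF_X) && eh.e_entry >= ph.p_vaddr &&
            eh.e_entry < ph.p_vaddr + ph.p_memsz)
            entry_ok = 1;                    /* entry point must be in executable code */
        loaded++;
    }
    if (!entry_ok) return LOAD_BAD_ENTRY;
    *entry = eh.e_entry;
    *nloaded = loaded;
    return LOAD_OK;
}

/* Constructed sample image (not a real trusted application): one RX PT_LOAD
 * holding two ARM instructions (nop; bx lr) followed by 8 bytes of .bss.
 * With tamper != 0 the file offset is set so that p_offset + p_filesz wraps to
 * 4 in 32-bit arithmetic, which a width-unsafe bound check would accept. */
size_t build_sample_image(uint8_t *out, size_t cap, int tamper)
{
    static const uint8_t code[8] = { 0x00,0x00,0xa0,0xe1, 0x1e,0xff,0x2f,0xe1 };
    Elf32_Ehdr eh; Elf32_Phdr ph;
    size_t total = sizeof eh + sizeof ph + sizeof code;
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 1; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* class, data, version */
    eh.e_type = ET_EXEC; eh.e_machine = EM_ARM; eh.e_version = 1; eh.e_entry = TA_WINDOW_BASE;
    eh.e_phoff = eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_LOAD; ph.p_vaddr = ph.p_paddr = TA_WINDOW_BASE;
    ph.p_offset = tamper ? 0xFFFFFFFCu : (uint32_t)(sizeof eh + sizeof ph);
    ph.p_filesz = sizeof code; ph.p_memsz = sizeof code + 8;
    ph.p_flags = PF_R | PF_X; ph.p_align = 4;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    memcpy(out + sizeof eh + sizeof ph, code, sizeof code);
    return total;
}

/* Build the sample (tampered or not) and return the loader's verdict. */
load_status load_sample(int tamper)
{
    uint8_t img[128]; uint32_t entry = 0; unsigned n = 0;
    size_t len = build_sample_image(img, sizeof img, tamper);
    return load_ta_image(img, len, &entry, &n);
}
```

`load_sample(0)` returns `LOAD_OK` and leaves the two instructions at the start of `ta_window` with the .bss bytes zeroed; `load_sample(1)` returns `LOAD_SEGMENT_OUT_OF_FILE` because the sum is computed in 64 bits, whereas a loader doing `ph.p_offset + ph.p_filesz` in `uint32_t` would see 4, accept the segment, and read 8 bytes from 4 GiB past the image. In a real TEE loader the same checks would be followed by a signature or hash verification of the image before any segment is mapped executable, matching the image-integrity step of the trusted boot chain described above.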
Keywords/Search Tags:Trusted Operating System, Micro-Kernel, TrustZone, Multi-Core