Trusted Execution Environments (TEEs) are commonly used as a “safe container” for executing processes or services in a trusted manner. Examples of TEE implementations are the ARM TrustZone and Intel TEE. The common TEE architecture combines the main operating system (OS), which runs on the main processor(s) and has its own “main domain” (also referred to herein as the “normal domain”), with a single process or a set of processes that run within another, more privileged and trusted section of the processor, commonly referred to as a “trusted domain” or “secured domain”. Typically, a “Trusted Domain OS”, which is separate from, and most often also different in structure, language and layer from, the main OS, operates within said privileged secured domain. Access to the Trusted Domain OS can be performed (in a privileged manner) only via the main OS, both for the purpose of its configuration and for the purpose of receiving service from it at run time.
In one example, the trusted zone is typically used to store encryption and decryption keys. The main OS, in turn, submits data to the trusted-domain OS, which in turn uses a respective process running within the trusted domain to encrypt or decrypt said data, respectively, and return the results to the main OS.
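The request/response pattern described above, as an added illustration that is not part of the original document: the key material is held only by an object standing in for the trusted-domain process, and the main OS side receives an opaque handle, submits data, and gets the result back. The encryption scheme is a constructed toy built from HMAC-SHA256 (keystream plus authentication tag) so the example runs with the standard library alone; the class and function names are assumptions of this example, and a real trusted domain would use a vetted AEAD cipher rather than this toy.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class TrustedDomainKeyService:
    """Models the process running inside the trusted domain. Keys live only in
    this object; callers in the main OS receive opaque handles, never key bytes."""

    def __init__(self) -> None:
        self._keys: dict[str, tuple[bytes, bytes]] = {}

    def generate_key(self) -> str:
        handle = secrets.token_hex(8)          # the only thing the main OS ever sees
        enc_key = secrets.token_bytes(32)
        mac_key = secrets.token_bytes(32)      # separate key for the tag (encrypt-then-MAC)
        self._keys[handle] = (enc_key, mac_key)
        return handle

    def encrypt(self, handle: str, plaintext: bytes) -> bytes:
        enc_key, mac_key = self._keys[handle]
        nonce = secrets.token_bytes(16)        # fresh per call, so equal inputs differ
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, handle: str, blob: bytes) -> bytes:
        enc_key, mac_key = self._keys[handle]
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
        # Constant-time tag check before touching the ciphertext.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: ciphertext was modified")
        return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def main_os_roundtrip(service: TrustedDomainKeyService, message: bytes) -> tuple[bytes, bool]:
    """What the main OS can do: obtain a handle, submit data, receive results.
    Returns (recovered plaintext, whether a tampered blob was rejected)."""
    handle = service.generate_key()
    blob = service.encrypt(handle, message)
    recovered = service.decrypt(handle, blob)
    # Flip one ciphertext byte (inside the body): the trusted domain refuses it.
    tampered = bytearray(blob)
    tampered[20] ^= 0x01
    try:
        service.decrypt(handle, bytes(tampered))
        rejected = False
    except ValueError:
        rejected = True
    return recovered, rejected
```

The point of the model is the boundary, not the cipher: nothing the main OS calls returns key bytes, so a main-OS compromise can request operations with a handle but cannot extract the key itself.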
The TEE structure is not so commonly used in embedded systems, and moreover, when used, it is commonly applied for performing limited and specific functionalities.
As described, a user or a process may receive service from the trusted domain only via the main OS. However, the main OS is typically accessible to a wide range of users, devices, and processes, particularly when the system includes a network. Although the ability to access and receive services from the trusted domain is limited and privileged, the main OS itself is still susceptible to malicious code manipulation, in view of its availability to such a wide range of users and processes. Therefore, even though the trusted domain is relatively secure in itself, the fact that interaction with the trusted domain is implemented via the relatively susceptible environment of the main OS significantly degrades the security of operation with the trusted domain and its resources.
In another aspect, a hypervisor is commonly used in computer systems as a privileged, low-level layer below the operating system. The hypervisor, also called a “virtual machine manager” or a “virtual machine monitor”, is a piece of low-level software, firmware or hardware. In one example, the hypervisor is commonly used to create and run virtual machines, allowing multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. In such a manner and structure, a plurality of “virtual machines” is implemented on a single hardware machine.
Even though the TEE and the hypervisor are sometimes implemented on the same machine, their typical functions are totally isolated, namely, one allows receiving services from a trusted, privileged zone, and the other provides the possibility for a plurality of virtual machines to operate on a single machine.
In still another aspect, many systems are required to be turned off relatively frequently to allow performance of maintenance or software updates. However, turning off becomes almost impossible in essential systems, such as embedded systems that handle very sensitive processes. The fact that such systems can only rarely be turned off (for example, for maintenance and software upgrade purposes) leads to a situation where the security and performance of the system are compromised.
Moreover, the inspection and analysis with respect to the integrity of the main OS during runtime, even when they are performed by services of the trusted domain OS, are also compromised, as the interaction with said services of the trusted domain OS must be performed via the relatively unsecured environment (i.e., domain) of the main OS.
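The runtime integrity inspection just described, as an added illustration that is not part of the original document: a stand-in for the trusted-domain service keeps a reference digest of the main-OS code region and re-measures it later. The scenario contrasts the case where the trusted domain reads the live region itself with the case where the measured bytes are relayed by the main OS, which is the weakness the paragraph above points to. The byte string standing in for the code region, the tamper event and all names are constructed for this example.

```python
import hashlib
import hmac


class TrustedIntegrityService:
    """Models the integrity-checking service inside the trusted domain. It keeps
    the reference digest of the main-OS code region, taken while that region is
    known good, and compares later measurements against it."""

    def __init__(self, known_good_region: bytes) -> None:
        self._reference = hashlib.sha256(known_good_region).digest()

    def verify(self, measured_region: bytes) -> bool:
        digest = hashlib.sha256(measured_region).digest()
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(digest, self._reference)


def run_scenario() -> dict[str, bool]:
    # Constructed stand-in for the main-OS code region; not real kernel text.
    live_region = bytearray(b"main-OS kernel text segment, version 1; " * 4)
    service = TrustedIntegrityService(bytes(live_region))
    results: dict[str, bool] = {}

    # 1. Untampered region, measured directly by the trusted domain.
    results["clean_direct"] = service.verify(bytes(live_region))

    # Constructed runtime modification of the main-OS code: "kernel" -> "PATCH!"
    # (same length, so only the content of the region changes).
    live_region[8:14] = b"PATCH!"

    # 2. The trusted domain reads the live region itself: tampering is detected.
    results["tampered_direct"] = service.verify(bytes(live_region))

    # 3. The main OS is asked to hand over a copy of its code region. A
    #    compromised main OS can supply a stale, clean snapshot instead of the
    #    live bytes, so the check passes although the code was modified. This
    #    is why inspection routed through the main OS is itself compromised.
    stale_snapshot_from_main_os = b"main-OS kernel text segment, version 1; " * 4
    results["tampered_via_main_os"] = service.verify(stale_snapshot_from_main_os)
    return results
```

Case 3 is the one to watch for in a design review: a digest is only as trustworthy as the path by which the measured bytes reached the checker.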
It is an object of the present invention to provide a structure which significantly improves the security of interaction with the trusted domain of a TEE structure, and with the resources running therewith.
It is still another object of the present invention to provide a structure that enables performance of a secured maintenance and software updates during runtime, particularly in embedded systems.
Other objects and advantages of the invention will become apparent as the description proceeds.