Mobile handsets, as well as PCs or tablets, generally use the same input device for all purposes. Such input device may, for instance, be a keyboard, mouse, or touch sensitive screen. This involves that the same input device is shared by all the environments running on the device. In case when one of these environments processes sensitive data, it is desirable that what is displayed to and what is input from the user remains known only to the user and to the sensitive environment. Security in data processing and information systems, including communication systems, contributes to accountability, fairness, accuracy, confidentiality, operability, as well as a plethora of other desired criteria.
There are several techniques used to control the display. A display is like a memory buffer (frame buffer), whose content is exactly the screen display. It is feasible, using dedicated hardware, to control both the read and write access to the frame buffer. In general, it is easy to control the access to any output or passive peripheral using dedicated hardware. For instance, a control register may be used for defining which master has access to the frame buffer, this control register being in turn controlled by the most secure environment on the platform, which decides the access policy on the device. Another possibility, when using a virtualization solution, is to let the hypervisor decide which virtual machine can see the frame buffer—and map the frame buffer memory to this virtual machine only.
Sharing the control of input peripherals, such as a keypad or a touch screen, is much more complicated. Indeed, when user action is detected by the peripheral, the central processing unit (also named by the acronym CPU) is triggered using interrupts and signaling through General Purpose Inputs/Outputs (also named by the acronym GPIOs) that have been properly configured. In order to be able to share, with isolation, such input peripherals, between environments running simultaneously on this central processing unit, several techniques may be used.
It is known to use a virtualization solution to run virtual machines and to restrict the General Purpose Inputs/Outputs (GPIO) programming and interrupts from the input peripherals to a hypervisor. Each virtual machine corresponds to an environment. A hypervisor is also called virtual machine manager. The hypervisor is then in charge of deciding which virtual machine can get the input, and of dispatching this input to this virtual machine. The main drawback with this solution is that it requires a virtualization solution. In this case, the access control is static, as the hypervisor can be given this access and then apply its own policy for interaction with the virtual machines.
There is also a known a technique which comprises restricting the GPIO programming and interrupting from the input peripherals to the most secure environment that may need these inputs. The secure environment is then in charge of deciding which environments on the platform can get the input, and dispatching the input to this environment. Thus, every input would trigger first execution in the secure environment. As most of the input during runtime is dedicated to another environment (e.g. Linux—registered trademark—), the secure environment generally triggers execution in the open environment, providing the information to the open environment. Once the open environment has finished, it switches to the secure environment to clear the initial input trigger, and comes back again to normal execution in the open environment. Such operation is not the most efficient.
Another solution may be considered. Dedicated hardware can be added to control both the dispatching of the input peripheral information (interrupts, GPIOs) the access to the GPIO programming interface, using for instance a control register to define which master has access. The control register, in turn, is controlled by the most secure environment. There is no need for the different environments to be virtualized on top of a hypervisor. For instance, a secure environment and an open environment may run on the same CPU using hardware virtualization such as Trustzone (registered trademark). A drawback with this solution is that it is very complicated to protect the access to GPIOs dynamically. Hence, this solution is nearly unpractical to implement.