Secure and Dynamic Hardware Partitioning Management on Heterogeneous SoC

The presentation discusses the challenges of secure partitioning and sharing hardware resources within complex system layers of heterogeneous SoC architectures and proposes a hardware-assisted dynamic partitioning framework for Linux- and TEE-based architectures.

• Heterogeneous SoC architectures are becoming more popular for complex IoT and edge devices
• Multiple CPUs and peripherals require secure partitioning and sharing of hardware resources
• Static hardware partitioning at boot time cannot satisfy most use cases' security, performance, or compatibility requirements
• Hardware-assisted dynamic partitioning framework is proposed for Linux- and TEE-based architectures
• Framework modifies the Linux kernel, trusted firmware, and TEE kernel to achieve fine-grained privilege separation
• Hardware features such as mdac, pack, and mrcs enable hierarchical access control policies for logical separation of secure world from normal world
• Multiple trusted execution environments and enclaves can be combined to provide strong security features for different use cases

The speaker mentions that their team is working with hardware partners on a cardboard prototype of an IMX atlp device, which contains multiple components and security-sensitive components such as trusted execution environments and secure and clear processors. They emphasize the need for a proper hardware partitioning mechanism to enable application developers to maximize their use of hardware and benefit from all the hardware features available.

Heterogeneous SoC architectures enable a wide range of functionalities, notably for modern IoT/edge platforms. Modern SoCs contain heterogeneous CPUs (e.g., a combination of ARM and RISC-V architectures) and peripherals. As a result, the systems stack on such devices includes multiple OSs (e.g., Linux and FreeRTOS), hypervisors, or TEEs (trusted execution environments). Hence secure partitioning and sharing hardware resources within such complex system layers is challenging. Static hardware partitioning at boot time can not satisfy most use cases' security, performance, or compatibility requirements. This talk describes a hardware-assisted dynamic partitioning framework for Linux- and TEE-based heterogeneous architectures. We first summerise state-of-the-art hardware features for fine-grained privilege separation. Then we discuss how our solution modifies the Linux kernel, trusted firmware, and TEE kernel to achieve this goal while resolving various security and functionality challenges.