1 rld, and multiple in addition, provides v8-M CMSE October 31, 2016 ch other. This has the each benefit that ch other. ost trusted) and Root-User execution modes execution ost trusted) and Root-User g model, where Guests may be OSes and thus be OSes and may where Guests model, g educe privilege to less trusted code. User (least trusted) modes. User (least as Compared to ARM as Compared a. The Guest TLB is used by the Guest OSes. b. (hypervisor). software TBL is used theby The Root Root-kernel This is the typical virtualization operatin is provided. isolation OS level ARMv8-M CMSE uses two blocks to resolve access to memory, the SAU (Security (Security Attri- the SAU ARMv8-M CMSE uses two blocks to access toresolve memory, and non-secure. secure as banked Unit) Protection (Memory and an MPU bute Unit), access by secure/non-secure resolves mode. this The SAU After MPU check is done, the accessresolves within the mode.level by privilege two configurations: has an MMU that uses MIPS-VZ 1.for A two-level larger systems. TLB Both ARMv8-M CMSE and MIPS-VZ use additional execution modes to give additional togive modes use additionalexecution and MIPS-VZ BothARMv8-M CMSE mostcodeand r privilege to the trusted modes trusted) execution (most ARMv8-M adds the Secure-Handler and Secure-Thread trusted) states. (least NonSecure-Thread NonSecure-Handler and to the (m the Root-Kernel adds MIPS-VZ Similarly, Guest- and Guest-Kernel to the model: between ARMv8-M CMSE and the MIPS-VZ an equivalence draw To Secure a Wo provides MIPS The model likewise ARMv8-M Security Extensions (CMSE) is based on Trust-zone (TZ). toSimilar other TZ- ARMv8-M Security Extensions (CMSE) is based on Trust-zone That basedand a systems,single World. Non-Secure there is a single Secure World as they all means all code that is meant to be protected must mutually trust each other, space. address Secure single World same shared from the execute is based on hardware based MIPS-VZ CPU virtualization, which allowsmultiple for fromea and protected separate domains, each software, trust other pieces of be protectedtonot needthat is meant of software piece architecture allows to 255 Theup MIPS-VZ domain to itself. a private as each can have domains, while particular CPU implementationseparate might implement a lower num- ber of domains. worlds, each isolated fromthe other. "Normal" Memory Management Execution Modes Overview MIPS-VZ Security Features Security Features MIPS-VZ

2 Virtualization solution offers a thus gh a handler may opt to do the same. TLB without the physical address, the physical TLB without called the Root portion of the MMU to createthe Root of Write-Inhibit, Execute-Only, and Read- Execute-Only, of Write-Inhibit, e ARMv8-M SAU/MPU is base-bound is base-bound based e ARMv8-M SAU/MPU an OEM manufactures and provisions an OEM manufactures and a chip provisions are really partitionedall applications/codeare really ed from each other within the Guest context. Guest the ed from each other within g the architecture state. fferent Security Regions the Root Protection Unitthe Root (RPU). Software management of the RPU is similar to a beforeRPU initializing the any to program forsecure software is The model TLB. There Guests (untrusted). is no expectation that misses be through resolved the by demand-paging, thou refill handler i.e., a) Using the SG (Secure Gateway) instruction to denote a) Using a legal entrythe SG Gateway) (Secure point in the address space. Secure World region residesin a routine the accessed to denote that usage of the SAU The b) modeis are allowed. Such regions called Non- in Non-Secure-World where execution Secure-Callable (NSC) regions. to in Secure memory, a secure function by a branch c) The SG followed instruction if allowed. a.(FMT) Unit. be portion can The Guest a full TLB or a Fixed-Mapping-Translation b. portion is a stripped down Root-level The The MIPS-VZ MMU is CAM based, while th The MIPS-VZ smallerin die-area The CAM-basedwill be MMU entry (meaning address comparators). MIPS The MMU entry. the comparator-based than Inhibit. need for method is faster as there is no the MIPS-VZ and latency, speed execution For instructionthe thatSG instruction follows and the branch the SG instruction upon entry routine. called the of For the case where a Guest MMU is an FMT, and Root MMU is an RPU, application level level application an RPU, is MMU Root and FMT, theMMU is an case wherea Guest For isolation provided. is Guests Thatis, the of in the commonguest mode. This is a more static/constrained level privilege operating An example is when of this environment. with its own can be proprietary software, which isolated either rootin or context as a added reseller) will add and3rd- (value its own perhaps even software Guest. A VAR isolat kept is all of which software, party fully scalable solution from application to OS isolation. pages which are shared among the desired Guests. The code could be protected by (neither readablenor writable). The Root beexecute-only the shared page to making MMU imposes permission in checks the form ARMv8-M CMSE adds the Codeability to of callNon-Secure specific routines within the the high of without a Monitor Secure the Call, which overhead involves Secure World of saving/restorin overhead ability is to sharethe routinesequivalent between multipleIn MIPS-VZ, Guests/ programming Domains. This wouldbe done by This is done by: This is done 2. forsmaller MMU A two-level systems. Routine Calls between Di MIPS-VZ SecurityMIPS-VZ FeaturesasComparedARMv8-Mto Revision— CMSE 00.10

3 Guest activity with- activity Guest l/status registers, exception logic regis- logic l/status registers, exception pies of COP0 (COP0 is the MIPS architec- visor or additional security, interrupts can visor or additional security, rrupt schemes to be used when running in rrupt schemes to be used when of context switching in MIPS-VZ is Root is Root of context switching in MIPS-VZ Virtualization model is imposed by Root Root by is imposed model Virtualization thus for the most part transparent to the the thus for part most transparent re completely monitors Shadow set can be assigned to each Guest, sallows jumping into the middle of routines. identification feature only exists forthese feature identification identified and the IO device can have specific identified and the IO can have device tity (secure or non-secure) is making the (secure tity try-point is not identification done. try-point this granularity be can implemented using by this granularity Non Secure World context switching requires saving/ Non Secure World ↔ Guest Mode context switching. Here there is no need for COP0 saving/restoring need no Here there is switching. Guest Mode context ↔ restoring the GPRs and FPRs. GPRs and restoring the to this type The closest functional equivalent mode the different page sizes that are available in the MIPS MMU. in the MIPS MMU. the different that are page sizes available memory request. a is this multi-bit GuestIDsignals for the same purpose. Since supports the MIPS-VZ multi-bit field, the individual Guest can be The TrustZone Secure World The TrustZone out giving up control of the operating environment. operating of the control givingup out The usethe of SG entry point instruction di minimal. is system entire the of security on the impact its feature, good a is While this this that for this is entry-point reason The be "regular"Non- will memory system of the majority vast The NSC regions. small Secure and Secure regions where such en The usethe of SG entry allowspoint instruction use for of morethe address granular SG of the usage through the world the Non-Secure to code being available space—some instruction and other code/data world, not accessible todue to the the Non-Secure lack of the SG instruction. In MIPS VZ, some of Secure execution mode. supportsinterrupt all of the faster MIPS schemesInterrupts as well. MIPS-VZ Similarly, where the interrupt can be handled any without can be assigned to each Guest directly, software/Hyper from intervention Root-Kernel be directly assigned to Root. memory fabric TZ HNONSEC signal and HPROT traditional ARMv8-M CMSE supports the attribute signal to tell IO devices which en support for multipleprotectiondomains be can behaviors for that particular Guest i.e., extended throughout the SOC. ARMv8-M CMSE supports the faster ARM inte ARMv8-M CMSE supports the context software orsecurecontext code, boot is software and model That application. theis, is programming similarsys- to that of a non-virtualized softwa tem, but controls.with security Root Further, the protection provided the by MIPS provided protection the Further, ture structure holding the CPU privileged contro CPU privileged ture structure holdingthe As and restored. required to be saved are FPRs GPRs and the this case, For ters, MMU). Set for the feature M5150, the can bementionedShadow used above, Register in com- theCPU virtualization.bination with GPR A as both the Root and Guest have their own co and Guest have as both the Root Context Switching SOC Security Interrupt Handling MIPS-VZ SecurityMIPS-VZ FeaturesasComparedARMv8-Mto Revision— CMSE 00.10

4 reserved. rights All Alternatively, the MIPS Architecture also also Architecture MIPS the Alternatively, a simple but complete and robust security and robust security complete a simple but Inc. r this case, the GPRs, FPRs and COP0 would the GPRs, FPRs and r this case, ests, there is also the case of the pability in a core i.e., multiple independent in apability core i.e., ed to running multiple Secure World applica- World Secure multiple ed to running Computing, www.wavecomp.ai Wave © Copyright Guest2 context switching. Guest2 context system— Each of Guests these be an operating can ↔ solution that scales from application to OS isolationlevel to flexibly meet the needs of customers in securitya world with ever-changing threats. The MIPS Virtualization Architecture provides defines virtualization of multi-threading ca of multi-threading virtualization defines isola- complete providing while core in a in execution time-multiplexed contexts be can tion without the need for saving/restoringany state. allows multiple domains/gu Since MIPS-VZ Guest1 removing the need to save/restore the GPRs. the need removing save/restore to have to be save/restored. Again, the Shadow Register Set feature can beto be used save/restored. the Again, to have Shadow miti- Register and restore. impactgate the of GPR save multiple Guest Operating of running the capability does not have TrustZone In contrast, systems. Instead, the system is limit TZ or TZ executive. tions under a shared TZ RTOS with each OS potentially managing COP0. Fo with each OS potentially Summary MIPS-VZ SecurityMIPS-VZ FeaturesasComparedARMv8-Mto Revision— CMSE 00.10