While TrustZone can isolate IO hardware, it lacks drivers for modern IO devices. Rather than porting drivers, we propose a novel approach to deriving minimum viable drivers: developers exercise a full driver and record the driver/device interactions; the processed recordings, dubbed driverlets, are replayed in the TEE at run time to access IO devices. Driverlets address two key challenges: correctness and expressiveness, for which they build on a key construct called the interaction template. The interaction template ensures faithful reproduction of recorded IO jobs (albeit on new IO data); it accepts dynamic input values; it tolerates nondeterministic device behaviors. We demonstrate driverlets on a series of sophisticated devices, making them accessible to TrustZone for the first time to our knowledge. Our experiments show that driverlets are secure, easy to build, and incur acceptable overhead (1.4x-2.7x compared to native drivers). Driverlets fill a critical gap in the TrustZone TEE, realizing its long-promised vision of secure IO.
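To make the interaction-template idea concrete, here is a small added model (not the paper's code or format) of replaying a recorded register-level IO job: the replayer can only issue the writes that were recorded, it fills a "$payload" slot with a value supplied at replay time, and a "poll" step absorbs the timing nondeterminism of a busy/ready status register up to a retry budget, failing closed when the device deviates further. The device, its register map and the template are all constructed for the example.

```python
# Toy model of replaying a recorded driver/device interaction template. Assumed
# format (not the paper's): (op, reg, value, retries) steps; op is "write" (value:
# literal or "$input" slot), "poll" (value: status awaited) or "read" (value: output name).
from collections import namedtuple
from typing import Dict, List, Optional
Step = namedtuple("Step", "op reg value retries", defaults=(None, 1))
class ReplayError(Exception): pass  # device deviated beyond what the template tolerates

def replay(steps: List[Step], inputs: Dict[str, int], dev) -> Dict[str, int]:
    outputs: Dict[str, int] = {}
    for s in steps:
        if s.op == "write":   # only recorded register writes can ever be issued
            v = inputs[s.value[1:]] if isinstance(s.value, str) else s.value
            dev.write(s.reg, v)
        elif s.op == "poll":  # tolerate timing nondeterminism up to a retry budget
            for _ in range(s.retries):
                if dev.read(s.reg) == s.value:
                    break
            else:
                raise ReplayError(f"reg {s.reg:#x} never reached {s.value:#x}")
        elif s.op == "read":
            outputs[s.value] = dev.read(s.reg)
    return outputs

class FakeDevice:
    """Constructed device: START makes STATUS read BUSY `busy_reads` times, then READY;
    DATA_OUT returns the bitwise complement of the last DATA_IN byte."""
    CTRL, DATA_IN, STATUS, DATA_OUT, BUSY, READY = 0x00, 0x04, 0x08, 0x0C, 0x2, 0x1
    def __init__(self, busy_reads: int):
        self.regs, self.pending, self.busy_reads = {}, 0, busy_reads
    def write(self, reg: int, val: int) -> None:
        self.regs[reg] = val
        if reg == self.CTRL and val == 1:          # 1 = START
            self.pending = self.busy_reads
    def read(self, reg: int) -> int:
        if reg == self.STATUS:
            busy, self.pending = self.pending > 0, max(self.pending - 1, 0)
            return self.BUSY if busy else self.READY
        if reg == self.DATA_OUT:
            return ~self.regs.get(self.DATA_IN, 0) & 0xFF
        return self.regs.get(reg, 0)

TEMPLATE = [  # one recorded IO job: submit a byte, wait for READY, fetch the result
    Step("write", FakeDevice.DATA_IN, "$payload"),
    Step("write", FakeDevice.CTRL, 1),
    Step("poll", FakeDevice.STATUS, FakeDevice.READY, retries=8),
    Step("read", FakeDevice.DATA_OUT, "result"),
]

def run(payload: int, busy_reads: int) -> Optional[Dict[str, int]]:
    """Replay the job; None if the device stays busy past the template's retry budget."""
    try:
        return replay(TEMPLATE, {"payload": payload}, FakeDevice(busy_reads))
    except ReplayError:
        return None
```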