Minimum Viable Device Drivers for ARM TrustZone
Liwei Guo, Felix Xiaozhu Lin

TL;DR
This paper introduces a novel method for creating minimal, replay-based drivers called driverlets for ARM TrustZone, enabling secure and efficient access to modern IO devices without porting full drivers.
Contribution
It proposes a new approach to derive minimal drivers by recording and replaying driver interactions, addressing correctness and expressiveness challenges in TrustZone environments.
Findings
Driverlets enable TrustZone to access modern IO devices securely.
Experiments show driverlets have acceptable overhead (1.4x-2.7x).
Driverlets are secure, easy to build, and fill a critical gap in TrustZone.
Abstract
While TrustZone can isolate IO hardware, it lacks drivers for modern IO devices. Rather than porting drivers, we propose a novel approach to deriving minimum viable drivers: developers exercise a full driver and record the driver/device interactions; the processed recordings, dubbed driverlets, are replayed in the TEE at run time to access IO devices. Driverlets address two key challenges: correctness and expressiveness, for which they build on a key construct called interaction template. The interaction template ensures faithful reproduction of recorded IO jobs (albeit on new IO data); it accepts dynamic input values; it tolerates nondeterministic device behaviors. We demonstrate driverlets on a series of sophisticated devices, making them accessible to TrustZone for the first time to our knowledge. Our experiments show that driverlets are secure, easy to build, and incur…
