Ringmaster: How to juggle high-throughput host OS system calls from TrustZone TEEs

TL;DR

Ringmaster enables secure, high-throughput access to rich OS services from TrustZone TEEs using Linux's io_uring, balancing security and functionality for safety-critical systems.

Contribution

It introduces a novel framework allowing enclaves to asynchronously access untrusted OS services efficiently via io_uring, with minimal overhead and support for large unmodified programs.

Findings

Achieved nearly 1GiB/sec data throughput into enclave on Raspberry Pi4b.

Maintained 0-3% throughput overhead compared to non-enclave tasks.

Built a highly-secure system with minimal engineering effort.

Abstract

Many safety-critical systems require timely processing of sensor inputs to avoid potential safety hazards. Additionally, to support useful application features, such systems increasingly have a large rich operating system (OS) at the cost of potential security bugs. Thus, if a malicious party gains supervisor privileges, they could cause real-world damage by denying service to time-sensitive programs. Many past approaches to this problem completely isolate time-sensitive programs with a hypervisor; however, this prevents the programs from accessing useful OS services. We introduce Ringmaster, a novel framework that enables enclaves or TEEs (Trusted Execution Environments) to asynchronously access rich, but potentially untrusted, OS services via Linux's io_uring. When service is denied by the untrusted OS, enclaves continue to operate on Ringmaster's minimal ARM TrustZone kernel with access to small, critical device drivers. This approach balances the need for secure, time-sensitive processing with the convenience of rich OS services. Additionally, Ringmaster supports large unmodified programs as enclaves, offering lower overhead compared to existing systems. We demonstrate how Ringmaster helps us build a working highly-secure system with minimal engineering. In our experiments with an unmanned aerial vehicle, Ringmaster achieved nearly 1GiB/sec of data into enclave on a Raspberry Pi4b, 0-3% throughput overhead compared to non-enclave tasks.