Security & Virtualization

Isolation primitives

• TrustZone-A — Secure vs Non-secure worlds since Armv6 (2004); the original isolation model.
• EL2 hypervisor — Armv7-A (2010) Hyp mode, then Armv8-A EL2, then VHE (v8.1).
• RME / CCA — Armv9-A (2021) adds Realm & Root worlds; four-world model.

Per-access defences

• PAC (Armv8.3) — Pointer Authentication; signs function pointers with a MAC.
• BTI (Armv8.5) — Branch Target Identification; defeats JOP.
• MTE (Armv8.5) — Memory Tagging; colour-tag pointer & memory, hardware check on each access.
• PAN (v8.1), UAO (v8.2), SSBS (v8.5) — incremental kernel hardening.

• EL3 is the only level that can toggle SCR_EL3.NS — the bit that switches the PE between Secure and Non-secure worlds.
• Banked system registers and banked TTBR means each world has its own MMU configuration, caches tagged by NS.
• S-EL2 (Armv8.4-A) added a separate Secure hypervisor for isolating trusted-application workloads.
• Main use cases: DRM / Widevine L1, secure boot + attestation, fingerprint / face-ID matchers, payment applets, fTPM.

• SMC #imm16 — secure monitor call. Traps from EL1/EL2 (any world) to EL3.
• Argument layout (SMCCC): X0 = function ID, X1-X17 = args, X0-X17 = return.
• Function ID bit fields: Fast/Yielding, SMC32/SMC64, Owner (Arm / PSCI / SiP / TOS / vendor), Function number.
• Canonical handlers:
  • PSCI — Power State Coordination: CPU_ON, CPU_OFF, SYSTEM_RESET.
  • SDEI — Software Delegated Exception Interface.
  • TRNG / HVC — entropy, feature discovery.
• Canonical EL3 implementation is Arm Trusted Firmware-A (TF-A) — open-source, BSD-licensed, running on virtually every Cortex-A phone and server board.

// Power on a secondary CPU via PSCI
// Linux kernel function psci_cpu_on()

  ldr   x0, =0xC4000003   // SMCCC: 64-bit, Arm, PSCI CPU_ON
  mov   x1, x_cpuid       // target MPIDR
  ldr   x2, =_text_phys   // entry PA
  mov   x3, #0            // context arg
  smc   #0                // trap to EL3

// EL3 receives, routes to PSCI handler
// which clocks on the core, programs its
// reset vector, and returns success

SMCCC v1.3 adds SVE state handling — Z-regs must be saved/restored across SMC if SVE was in use in the caller.

• Guest kernel runs at EL1 believing it has full control. Every guest memory access actually passes through two translation stages:
  • Stage 1 (guest): VA → IPA (Intermediate Physical Address).
  • Stage 2 (host): IPA → PA — owned by EL2 via VTTBR_EL2.
• HCR_EL2 traps: guest's reads/writes to sensitive system registers can be trapped to EL2 for emulation.
• VMID tags TLB entries so context-switching between VMs doesn't require flushing.
• vGIC — virtual GIC interface. Each VM sees what looks like a GIC; hypervisor context-switches the state.
• Timer virtualization — offset registers (CNTVOFF_EL2) give each VM its own view of the counter.

• Android 13+ ships protected KVM on Armv8.2+ devices.
• pKVM runs a minimal hypervisor at EL2 that isolates "protected VMs" even from the host Linux kernel.
• Each protected VM gets memory that the host OS cannot read or write — enforced by Stage-2 and the Memory Protection Granule.
• Use case: DRM playback, health sensors, biometric enclave — all without the size & attack-surface of TrustZone.
• Related: Gunyah (Qualcomm's open-source type-1 hypervisor, used on recent Snapdragons).
• On Armv9-A, CCA / Realms subsume much of what pKVM does — cleanly architected across vendors.

• A pointer = 64-bit value. Only ~48 bits are real VA; top bits are unused (or TBI tag).
• PAC uses those top bits to store a short MAC (12-16 bits) computed from:
  • The pointer value itself
  • A secret key (APIAKey / APIBKey / APDAKey / APDBKey / APGAKey — stored in system registers)
  • A modifier (e.g., stack pointer for return addresses)
• Signing: PACIA / PACIB (instruction A/B), PACDA / PACDB (data). Verification: AUTIA / AUTIB.
• Compressed canonical pair: RETAA / RETAB — authenticate LR and return in one instruction.
• Cipher: QARMA-64 (a round-reduced Feistel network). Lightweight, ~3-5 cycle latency.

// Function prologue with PAC-RET

caller:
    paciasp                 // sign LR using SP as mod
    stp  x29, x30, [sp,#-16]!
    ...
    ldp  x29, x30, [sp],#16
    retaa                   // auth-then-ret (PACIA key A)

// Attempting to return to attacker-chosen addr
// → AUTIA gets a wrong value, top bits set to
// an invalid canonical tag → translation fault

• JOP (Jump-Oriented Programming) — attacker chains indirect branches (call/jmp) instead of returns. PAC defeats returns; BTI defeats JOP.
• BTI marks legal indirect-branch targets with a new instruction: BTI #{c|j|jc} (a NOP on cores without BTI).
• On a BTI-guarded page, an indirect branch to a non-BTI instruction faults with a BTI abort.
• Modes: c (call), j (jump), jc (either). Each indirect branch instruction has a type (BLR → c, BR → j).
• Compiler sets the page's BTI attribute in PTE GP (Guarded Page) bit; toolchain inserts BTI at function entries and jump-table slots.
• Turned on in: Android NDK r21+, modern Fedora, Ubuntu 22.04 arm64 system libraries.

// BTI-guarded callee
func:
    bti  c              // ok for BLR; faults on BR
    paciasp             // sign return addr
    ...

// BTI ensures: attacker with indirect call
// primitive (BLR x0) cannot jump into
// mid-instruction gadgets.

• Each 16-byte memory granule in DRAM has a 4-bit tag stored in a side-band region. Each pointer has a 4-bit tag in bits [59:56] (enabled by TBI).
• On each memory access the CPU compares the pointer tag to the granule tag. Mismatch → fault or async report.
• Malloc assigns a random 4-bit tag to each allocation; free re-tags the granule. UAF / OOB access has ~15/16 chance of catching the bug.
• Modes (TCR_EL1.TCF):
  • Async: fault reported later via SError — cheap, production-friendly.
  • Sync: fault reported immediately — debug / heavy.
  • Asymmetric (Armv8.7-A): sync on stores, async on loads.
• First shipping on Pixel 8 (Tensor G3, A78C) in 2023. Extensively used by Chrome and Android runtime for UAF hunting.

// MTE — allocate, use, free

// 1. Random tag for new allocation
irg     x0, x0, xzr          // insert random tag in x0
stg     x0, [x0]              // set granule tag = pointer tag
                              // (repeat for every 16B)

// 2. Load/store — tag checked by hardware
ldr     w1, [x0]              // tag match → ok
ldr     w1, [x0, #16]         // tag match → ok
ldr     w1, [x0, #1024]       // out-of-bounds → FAULT

// 3. Free — retag the storage
addg    x2, x0, #0, #1        // increment pointer tag
stg     x2, [x0]              // retag memory

• Four worlds, each with its own view of physical memory:
  • Non-secure — host OS + guests (as before)
  • Secure — trusted OS (as before)
  • Realm — new; isolated confidential-compute guests
  • Root — EL3 only; sits above all worlds
• Partition enforced by the Granule Protection Table (GPT) — a physical-memory-level firewall checked by every transaction on the interconnect (Granule Protection Check).
• New secure monitor component: RMM (Realm Management Monitor) runs at R-EL2 and manages Realms on behalf of the Non-secure hypervisor.
• Every AMBA 5 master needs NSE and NS signalling to distinguish the four worlds on the bus.

• CCA is the architectural umbrella: RME + RMM + attestation protocols + SDK.
• Goal: confidential cloud workloads on Arm servers, where even the host hypervisor cannot read guest memory.
• Mirrors (and interoperates with) Intel TDX and AMD SEV-SNP on x86.
• Attestation chain: TF-A boot → RMM → Realm VM image hash → signed by silicon key → verifiable by the tenant before sending secrets.
• First silicon: Neoverse V3 / N3 (2024) and Armv9-A flagship phones that choose to enable it (e.g., Dimensity 9300 roadmap). Hyperscalers (AWS Graviton 4, Microsoft Cobalt 100) are prime consumers.

• Meltdown (CVE-2017-5754) — Arm cores not generally vulnerable (the architecture specifies speculation doesn't bypass AP faults on most cores). Exception: a small number of older cores had partial exposure.
• Spectre v1 (bounds-check bypass) — all speculative cores vulnerable. Mitigation: CSDB / SB Barrier + masking + careful kernel-entry guards.
• Spectre v2 (BTB injection) — some early cores affected; mitigated with CSV2, CSV3 features (v8.0-A retrofit) and SB Speculation Barrier (v8.5-A).
• Spectre v4 (store bypass) — mitigated by SSBS (v8.5-A) on a per-thread basis.
• Straight-line-speculation fixes (SB after indirect branches, DSB + ISB on specific sequences) were added in response to Arm's own security advisories.

• "TrustZone vs Realm vs Hypervisor — which do I pick?" → TrustZone for device-vendor secrets (fingerprint, DRM). Hypervisor for standard multi-tenant VMs. Realm (CCA) when the tenant doesn't trust the hypervisor — cloud confidential compute.
• "How does PAC defeat ROP?" → signs function-pointer values with a key in a system register + context; attacker without that key cannot forge a valid signature; AUTIA fault on mismatch.
• "Why does MTE use 4 bits?" → 4 bits fits in the pointer's unused top byte and in a reasonable DRAM side-band (8 GB → 256 MB tag memory at 4 bits / 16 B granule).

• "VHE — what changed?" → EL2 register names aliased to behave like EL1. Lets Linux run bare in EL2; removes split-mode KVM overhead. 8.1-A feature.
• "SMC vs HVC vs SVC?" → SVC traps EL0→EL1 (syscall). HVC traps EL1→EL2 (hypercall). SMC traps any→EL3 (monitor call / PSCI).
• "Why BTI in addition to PAC?" → PAC protects returns (via signed LR); BTI protects forward indirect branches (JOP). Together they cover both halves of ROP/JOP attacks.
• "What's the Granule Protection Table?" → physical-memory firewall at 4 KB granule, queried by interconnect on every transaction. Enforces the four-world RME separation.

• Cortex-A 02 — Exception model + ELs — prerequisites for this deck
• Cortex-M 08 — TrustZone for Armv8-M — contrast: banked state vs banked worlds
• AMBA 06 — Future of AMBA, incl. RME / CCA hooks
• Neoverse Series — server-side CCA deployment context