Abstract
A trusted execution environment (TEE) is a recent hardware security feature that is isolated from the normal OS (i.e., the rich execution environment (REE)). The TEE lets us run a critical process, but its behavior is invisible from the normal OS, which makes it difficult to debug and to tune performance. In addition, the hardware/software architectures of TEEs differ between CPUs. For example, Intel SGX allows user mode only, whereas Arm TrustZone and RISC-V Keystone run a trusted OS. Furthermore, each TEE has its own SDK for programming, and each SDK offers its own APIs, which makes it difficult to write a common program. These properties make it difficult to compare performance fairly between TEE and REE on different CPUs. To obtain precise performance and behavior measurements in a TEE, we propose TS-perf, a compiler-based performance measurement method. TS-perf accesses the hardware timestamp counter in the TEE as well as in the REE and keeps a precise log. The measurement code is inserted into a TEE binary by compiler options (i.e., the profile option, constructor, and destructor). Furthermore, we use separate compilation so that the same benchmark binary is used for a fair comparison between TEE and REE. The architecture of TS-perf is general and is implemented for three TEE architectures (Arm TrustZone, Intel SGX, and RISC-V Keystone). TS-perf measures the performance of GlobalPlatform's TEE internal APIs, matrix multiplication, memory access, and storage access. The comparisons show the performance difference between TEE and REE and the unusual behavior of trusted applications (TAs).
Highlights
Since recent OSs support many hardware/software functions, they have become very large and complex and cannot escape vulnerabilities [1], [2].
These results are quite natural because the trusted execution environment (TEE) and the rich execution environment (REE) run on the same core architecture.
TS-perf is based on the timestamp counter that is available in both REE and TEE on three architectures (ARM Cortex-A, Intel x86-64, and RISC-V U540), and this method enables a fair comparison between REE and TEE.
Summary
Since recent OSs support many hardware/software functions, they have become very large and complex and cannot escape vulnerabilities [1], [2]. To avoid these vulnerabilities, current CPUs offer an isolated execution environment for critical processing (i.e., a TA: trusted application). Most TEE hardware architectures are implemented by switching the state of a core from REE to TEE, which means that the same core is used in REE and TEE. Intel SGX offers 96MB of encrypted memory and user mode (ring 3) only for a TA, whereas ARM TrustZone and RISC-V Keystone offer supervisor mode to run a trusted OS on normal memory. The three TEE architectures used in this paper are described in the paper. These TEEs are implemented by changing the state of the CPU cores. Some APIs require the help of the normal OS (e.g., secure storage).
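The abstract describes inserting measurement code through compiler options (the profile option, a constructor and a destructor) that read the hardware timestamp counter. The following is an added illustration of that instrumentation pattern in C; it is not the paper's TS-perf code. It assumes a GCC/Clang build with `-finstrument-functions` (so the compiler emits the `__cyg_profile_func_enter`/`__cyg_profile_func_exit` hooks), reads `rdtsc` on x86-64 and `cntvct_el0` on AArch64, and falls back to `clock_gettime` elsewhere; the log-dumping destructor uses `fprintf`, which a real TA would replace with the SDK's own logging.

```c
/* Added example (not the paper's code): TS-perf-style timestamp logging.
 * Build with:  gcc -O1 -finstrument-functions ts_hooks.c
 * The profile option makes the compiler call the two hooks below around every
 * function; the constructor opens the log before main() and the destructor
 * dumps it at exit, so no measurement code is written inside the benchmark. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define NOINST __attribute__((no_instrument_function)) /* keep hooks themselves un-hooked */
#define TS_LOG_MAX 4096

struct ts_entry { const void *fn; uint64_t ts; char kind; }; /* kind: E=enter, X=exit, B=begin, F=finish */
static struct ts_entry ts_log[TS_LOG_MAX];
static unsigned ts_count;

/* Hardware timestamp counter where available; monotonic clock otherwise (assumption). */
static NOINST uint64_t ts_read(void)
{
#if defined(__x86_64__)
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#elif defined(__aarch64__)
    uint64_t v; __asm__ volatile("mrs %0, cntvct_el0" : "=r"(v)); return v;
#else
    struct timespec t; clock_gettime(CLOCK_MONOTONIC, &t);
    return (uint64_t)t.tv_sec * 1000000000ull + (uint64_t)t.tv_nsec;
#endif
}

NOINST void ts_record(const void *fn, char kind)
{
    if (ts_count >= TS_LOG_MAX) return;            /* bounded log: never write past the array */
    ts_log[ts_count].fn = fn; ts_log[ts_count].ts = ts_read(); ts_log[ts_count].kind = kind; ts_count++;
}

/* Hooks emitted by -finstrument-functions (the "profile option"). */
NOINST void __cyg_profile_func_enter(void *fn, void *caller) { (void)caller; ts_record(fn, 'E'); }
NOINST void __cyg_profile_func_exit(void *fn, void *caller)  { (void)caller; ts_record(fn, 'X'); }

static __attribute__((constructor, no_instrument_function)) void ts_begin(void) { ts_record(NULL, 'B'); }
static __attribute__((destructor, no_instrument_function)) void ts_end(void)
{
    ts_record(NULL, 'F');
    for (unsigned i = 0; i < ts_count; i++)
        fprintf(stderr, "%c %p %llu\n", ts_log[i].kind, ts_log[i].fn, (unsigned long long)ts_log[i].ts);
}

unsigned ts_log_count(void) { return ts_count; }

/* Ticks between the enter entry at index i and its matching exit (handles recursion); 0 if none. */
uint64_t ts_elapsed(unsigned i)
{
    if (i >= ts_count || ts_log[i].kind != 'E') return 0;
    int depth = 0;
    for (unsigned j = i + 1; j < ts_count; j++) {
        if (ts_log[j].fn != ts_log[i].fn) continue;
        if (ts_log[j].kind == 'E') depth++;
        else if (ts_log[j].kind == 'X' && depth-- == 0) return ts_log[j].ts - ts_log[i].ts;
    }
    return 0;
}
```

Because the hooks and the constructor/destructor are added by the compiler rather than by the source, the same benchmark source can be built once for the REE and once for the TEE with identical instrumentation, which is the fairness property the abstract relies on.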