Minimum Viable Device Drivers for ARM TrustZone
This addresses a critical gap in secure IO for TrustZone TEEs, enabling access to sophisticated devices for the first time.
The paper tackles the lack of modern IO device drivers for ARM TrustZone by proposing driverlets, which record and replay driver/device interactions to enable secure access, achieving acceptable overhead of 1.4x to 2.7x compared to native drivers.
While TrustZone can isolate IO hardware, it lacks drivers for modern IO devices. Rather than porting drivers, we propose a novel approach to deriving minimum viable drivers: developers exercise a full driver and record the driver/device interactions; the processed recordings, dubbed driverlets, are replayed in the TEE at run time to access IO devices. Driverlets address two key challenges: correctness and expressiveness, for which they build on a key construct called interaction template. The interaction template ensures faithful reproduction of recorded IO jobs (albeit on new IO data); it accepts dynamic input values; it tolerates nondeterministic device behaviors. We demonstrate driverlets on a series of sophisticated devices, making them accessible to TrustZone for the first time to our knowledge. Our experiments show that driverlets are secure, easy to build, and incur acceptable overhead (1.4x -2.7x compared to native drivers). Driverlets fill a critical gap in the TrustZone TEE, realizing its long-promised vision of secure IO.