



APRIL 18-19, 2024

BRIEFINGS

# What the TrustZone-M Doesn't See, the MCU Does Grieve Over

Lessons Learned from Assessing a Microcontroller TEE

Cristiano Rodrigues | Sandro Pinto, PhD

(Centro ALGORITMI / LASI, Universidade do Minho)

# What the TrustZone-M Doesn't See, the MCU Does Grieve Over

## Lessons Learned from Assessing a Microcontroller TEE

Cristiano Rodrigues | Sandro Pinto, PhD

(Centro ALGORITMI / LASI, Universidade do Minho)



# AGENDA

01

02

03

04

05

## Introduction

Background and Motivation

## A Bumpy but Revealing Journey

Weak Protections, TEE Assessment and our Responsible Disclosure Journey

## What Can Go Wrong

Attack Examples and “Live” Demo

## Lessons Learned

Advices for HW & SW providers and System Designers

## Summary

Final Thoughts and BH Sound Bytes

# Introduction

Background and Motivation

AI-ENABLED  
EDGE DEVICES



SMART  
AGRICULTURE



SMART  
FACTORIES



SMART  
CITIES



DRONES



HARDWARE  
WALLETS



# INTERNET OF THINGS

MEDICAL  
DEVICES



WEARABLES



HOME  
APPLIANCES



AUTONOMOUS  
VEHICLES



## AI-ENABLED EDGE DEVICES



## SMART AGRICULTURE

### Annual Production of IoT devices



1 trillion  
cumulative

Source: SoftBank and ARM estimates

## MEDICAL DEVICES

## SMART FACTORIES

## SMART CITIES

## DRONES



## The route to a trillion devices

The outlook for IoT investment to 2035

## WEARABLES

## VEHICLES

Healthcare &amp; Pharmaceuticals

## Pacemakers, defibrillators are potentially hackable

By Lisa Rapaport

February 21, 2018 3:55 PM GMT · Updated 6 years ago

# News This Week: An IoT Teddy Millions of Parent and Child Findings



COMPUTING | INTERNET | IT | MOBILE TECH | REVIEWS | SECURITY

## Hackers Remotely Control Highway-V

### THE AGE OF CYBERWARFARE

PRIVACY

## Uber Takes FTC's Heat Over Self-Things Security

By Richard Adhikari • September 5, 2013 3:56 PM PT • Email Article



## BrickerBot Malware En Bricks IoT Devices

## Flaw in Home Security Cameras Exposes Live Feeds to Hackers

# INTERNET OF THINGS



SMART  
AGRICULTURE



MEDICAL  
DEVICES



AI-ENABLED  
EDGE DEVICES

WEARABLES



SMART  
FACTORIES



SMART  
CITIES



DRONES



HARDWARE  
WALLETS



HOME  
APPLIANCES



AUTONOMOUS  
VEHICLES

# INTERNET OF THINGS



# INTERNET OF THINGS



arm  
TRUSTZONE

# Armv8-M TrustZone

Armv6/7-M Processor Modes



# Armv8-M TrustZone

Armv6/7-M Processor Modes



# Armv8-M TrustZone

Armv6/7-M Processor Modes



# Armv8-M TrustZone

Armv6/7-M Processor Modes



Armv6/7-M Privileges Levels



# Armv8-M TrustZone

Armv6/7-M Processor Modes



Armv6/7-M Privileges Levels



# Armv8-M TrustZone

Armv6/7-M Processor Modes



Armv6/7-M Privileges Levels



# Armv8-M TrustZone

Armv6/7-M Processor Modes



Armv6/7-M Privileges Levels



# Armv8-M TrustZone

Armv6/7-M Processor Modes



Armv6/7-M Privileges Levels



Armv6/7-M Base Architecture



# Armv8-M TrustZone

Armv6/7-M Processor Modes



Armv6/7-M Privileges Levels



Armv6/7-M Base Architecture



# Armv8-M TrustZone

Armv6/7-M Processor Modes



Armv6/7-M Privileges Levels



Armv6/7-M Base Architecture



# Armv8-M TrustZone

Armv6/7-M Processor Modes



Armv6/7-M Privileges Levels



Armv6/7-M Base Architecture



# Armv8-M TrustZone

Armv6/7-M Processor Modes



Armv6/7-M Privileges Levels



Armv6/7-M Base Architecture



# Armv8-M TrustZone

Armv6/7-M Base Architecture



# Armv8-M TrustZone

Armv6/7-M Base Architecture



x2

# Armv8-M TrustZone

Armv6/7-M Base Architecture



# Armv8-M TrustZone

Armv6/7-M Base Architecture



# Armv8-M TrustZone

Armv6/7-M Base Architecture



x2



# Armv8-M TrustZone

Armv6/7-M Base Architecture



x2



# Armv8-M TrustZone

Armv6/7-M Base Architecture



x2



# Armv8-M TrustZone



# Armv8-M TrustZone



# Armv8-M TrustZone



# Armv8-M TrustZone



# Armv8-M TrustZone



# Armv8-M TrustZone



# Armv8-M TrustZone



# Armv8-M TrustZone



# Armv8-M TrustZone



# Armv8-M TrustZone



# Armv8-M TrustZone



# CPU Protection vs System Protection

# CPU Protection vs System Protection

# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# CPU Protection vs System Protection



# Platform Security Architecture (PSA)

# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)



# Platform Security Architecture (PSA)

PSA Level 1

# Platform Security Architecture (PSA)

## PSA Level 1



# Platform Security Architecture (PSA)

## PSA Level 1



# Platform Security Architecture (PSA)

## PSA Level 1



# Platform Security Architecture (PSA)

PSA Level 1



PSA Level 2

# Platform Security Architecture (PSA)

PSA Level 1



PSA Level 2



# Platform Security Architecture (PSA)

PSA Level 1



PSA Level 2



# Platform Security Architecture (PSA)

PSA Level 1



PSA Level 2



PSA Level 3

# Platform Security Architecture (PSA)

PSA Level 1



PSA Level 2



PSA Level 3



# Platform Security Architecture (PSA)

PSA Level 1



PSA Level 2



PSA Level 3



# PARADOXAL OBSERVATIONS

01

**TRUSTZONE-M HAS A CPU-CENTRIC VIEW**

Armv8-M Only Defines Protection Controllers at The CPU-level (MPU, SAU, IDAU)

02

**SYSTEM-WIDE PROTECTIONS ARE PROPRIETARY**

Vendors Are Forced to Develop System Protection Controllers (PPCs, MPCs)

03

**MISSMATCH BETWEEN TZ-M AND PSA LEVELS**

PSA Level 2/3 Need CPU- and System-level Memory Protection Controllers (the latter isn't defined by Armv8-M)

*While System-Wide protections are a must, Armv8-M only defines CPU-level memory protections. We hypothesize that this dichotomy (together with a lack of understanding of the PSA isolation levels) may open security holes in modern TrustZone-M systems*

## Hypothesis

# A Bumpy but Revealing Journey

Weak Protections, TEE Assessment and our Responsible Disclosure Journey



MICROCHIP





MICROCHIP

SAML11



TRUSTONIC



SAML11



TRUSTONIC

Kinibi-M

# Mircocchip First To Use Turstonic Revolutionary Kinibi-M Platform For Microcontrollers



SAML11

Kinibi-M

# Mircocchip First To Use Turstonic Revolutionary Kinibi-M Platform For Microcontrollers

TECHNOLOGIES > EMBEDDED

## Microchip Debuts Cortex-M23 MCUs

June 25, 2018 

Two of the first Cortex-M23 microcontrollers have arrived—developed by Microchip—and advanced security is among the features.

William G. Wong



SAML11

Kinibi-M

# Mircocchip First To Use Turstonic Revolutionary Kinibi-M Platform For Microcontrollers

TECHNOLOGIES > EMBEDDED

## Microchip Debuts Cortex-M23 MCUs

June 25, 2018 

Two of the first Cortex-M23 microcontrollers have arrived—developed by Microchip—and advanced security is among the features.

William G. Wong

TRUSTONIC

FIND OUT MORE

Not just droning on! The rise of Kinibi-M

31 OCTOBER 2017



# TRUSTONIC

# SAML11

# Kinibi-M

# Mircocchip First To Use Turstonic Revolutionary Kinibi-M Platform For Microcontrollers

FIND OUT MORE

TRUSTONIC

Not just droning on! The rise of Kinibi-M

31 OCTOBER 2017

TECHNOLOGIES > EMBEDDED

## Microchip Debuts Cortex-M23 MCUs

June 25, 2018 

Two of the first Cortex-M23 microcontrollers have arrived—developed by Microchip—and advanced security is among the features.

William G. Wong



Flying Vehicles ▾ Smart Cities ▾ Transportation ▾ Robotics IIoT ▾ Security ▾ More ▾

## Trustonic Embeds IoT Security Technology in Microchip MCU

The IoT security technology will be embedded at the chip level using Trustonic's Kinibi-M software.

SAML11

Kinibi-M

# Mircocchip First To Use Turstonic Revolutionary Kinibi-M Platform For Microcontrollers

FIND OUT MORE

TRUSTONIC

Not just droning on! The rise of Kinibi-M

31 OCTOBER 2017

**DCS** DATA CENTRE  
SOLUTIONS

CLOUD DESIGN + OPTIMISATION ENERGY MANAGEMENT HOSTING + COLOCATION INFRASTRU

Trustonic launches IoT device security solution

Blockchain-based Digital Holograms, trusted device provisioning and a modular, secure OS combine to bring trust to constrained IoT devices.

6 years ago Posted in

TECHNOLOGIES > EMBEDDED

## Microchip Debuts Cortex-M23 MCUs

June 25, 2018 

Two of the first Cortex-M23 microcontrollers have arrived—developed by Microchip—and advanced security is among the features.

William G. Wong



 Flying Vehicles ▾ Smart Cities ▾ Transportation ▾ Robotics IIoT ▾ Security ▾ More ▾

## Trustonic Embeds IoT Security Technology in Microchip MCU

The IoT security technology will be embedded at the chip level using Trustonic's Kinibi-M software.

# Kinibi-M

# Mircocchip First To Use Turstonic Revolutionary Kinibi-M Platform For Microcontrollers

## Microchip Debuts Cortex-M23 MCUs

June 25, 2018 

Two of the first Cortex-M23 microcontrollers have arrived—developed by Microchip—and advanced security is among the features.

William G. Wong

TRUSTONIC

FIND OUT MORE

Not just droning on! The rise of Kinibi-M

31 OCTOBER 2017



Flying Vehicles Smart Cities Transportation Robotics IIoT Security More

## Trustonic Embeds IoT Security Technology in Microchip MCU

The IoT security technology will be embedded at the chip level using Trustonic's Kinibi-M software.



**DCS** DATA CENTRE SOLUTIONS

CLOUD DESIGN + OPTIMISATION ENERGY MANAGEMENT HOSTING + COLOCATION INFRASTRU

NEWSLETTER MEDIA EVENTS SHOP RSS

中文 ENGLISH X in

elektroniknet.de

Markt&Technik

Elektronik

Elektronik  
automotive

Elektronik  
medical

Rubrics ticker Pictures videos Market overviews White paper Web seminars glossary Matchmaker+



## Trustonic launches IoT device security solution

Blockchain-based Digital Holograms, trusted device provisioning and a modular, secure OS combine to bring trust to constrained IoT devices.

6 years ago Posted in

## Microchip introduces SAM L10/L11 MCUs

## arm Cortex-M23 plus on-chip security for the IoT

June 25, 2018, 12:30 am | Frank Riemenschneider

# MICROCHIP SAM L11



# MICROCHIP SAML11



## Overview

The SAML11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power SAML11 ARM® Cortex®-M23 based microcontrollers integrating robust security which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

# MICROCHIP SAML11



## Overview

The SAM L11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power **SAML11 ARM® Cortex®-M23 based microcontrollers** integrating robust security which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

# MICROCHIP SAML11



## Overview

The SAM L11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power **SAML11 ARM® Cortex®-M23 based microcontrollers** **integrating robust security** which includes ARM® TrustZone®, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

# MICROCHIP SAML11



## Overview

The SAM L11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power **SAML11 ARM® Cortex®-M23 based microcontrollers** integrating robust security which includes **ARM® TrustZone®**, secure boot, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

# MICROCHIP SAML11



## Overview

The SAM L11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power **SAML11 ARM® Cortex®-M23 based microcontrollers** integrating robust security which includes **ARM® TrustZone®**, **secure boot**, crypto acceleration, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

# MICROCHIP SAML11



## Overview

The SAM L11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power **SAML11 ARM® Cortex®-M23 based microcontrollers** integrating robust security which includes **ARM® TrustZone®**, **secure boot**, **crypto acceleration**, secure key storage and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

# MICROCHIP SAML11



## Overview

The SAM L11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power **SAML11 ARM® Cortex®-M23 based microcontrollers** integrating robust security which includes **ARM® TrustZone®**, **secure boot**, **crypto acceleration**, **secure key storage** and chip-level tamper detection. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

# MICROCHIP SAML11



## Overview

The SAM L11 Xplained Pro evaluation kit is ideal for evaluating and prototyping with the ultra low power **SAML11 ARM® Cortex®-M23 based microcontrollers** integrating robust security which includes **ARM® TrustZone®**, **secure boot**, **crypto acceleration**, **secure key storage** and **chip-level tamper detection**. In addition to security the SAM L11 MCU features general purpose embedded control capabilities with enhanced peripheral touch controller and advanced analog.

SAM L11 Added













## 13. SAM L11 Specific Security Features

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features can be divided into two main categories.

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals:
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing:
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using CRC checks

## 13. SAM L11 Specific Security Features

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features can be divided into two main categories.

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals:
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing:
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using CRC checks

## 13. SAM L11 Specific Security Features

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features can be divided into two main categories.

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals:
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing:
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using CRC checks

## 13. SAM L11 Specific Security Features

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features can be divided into two main categories.

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals:
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing:
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using CRC checks

## 13. SAM L11 Specific Security Features

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features can be divided into two main categories.

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals:
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing:
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using CRC checks

## 13. SAM L11 Specific Security Features

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features

## What about Privilege and Non-Privileged??

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of memories and peripherals:
  - Up to six regions for the Flash
  - Up to two regions for the Data Flash
  - Up to two regions for the SRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing:
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using CRC checks

## 13. SAM L11 Specific Security Features

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of:
  - Up to six regions for the CPU
  - Up to two regions for the SRAM
  - Up to two regions for the Flash
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing:
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using CRC checks

## What about Privilege and Non-Privileged??

## What about Memory Protection at the System-Level??

## 13. SAM L11 Specific Security Features

This chapter provides an overview of the security features which are specific to the SAM L11.

### 13.1 Features

SAM L11-specific security features

The first category relates to the ARM TrustZone for Cortex-M technology features:

- Flexible hardware isolation of:
  - Up to six regions for the CPU
  - Up to two regions for the SRAM
  - Up to two regions for the DRAM
  - Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
  - Mix-Secure peripherals which support both secure and non-secure security attributions
- Three debug access levels allowing:
  - The highest debug level with no restrictions in term of memory and peripheral accesses
  - A restricted debug level with non-secure memory regions access only
  - The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
- Different chip erase support according to security settings
- Security configuration is fully stored in Flash and safely auto-loaded at startup during Boot ROM execution using CRC checks

## What about Privilege and Non-Privileged??

## What about Memory Protection at the System-Level??



# SAML11 WEAK PROTECTIONS



# SAML11 WEAK PROTECTIONS



# SAML11 WEAK PROTECTIONS



# SAML11 WEAK PROTECTIONS



# SAML11 WEAK PROTECTIONS



# SAML11 WEAK PROTECTIONS



# SAML11 WEAK PROTECTIONS



# SAML11 WEAK PROTECTIONS



# PSA Certification

## SAML11

# PSA Certification

SAML11

SILICON

SAML11-KPH



psacertified™  
level one

# PSA Certification

SAML11

SILICON

SAML11-KPH



psacertified™  
level one

# PSA Certification

SAML11



# PSA Certification

SAML11

SILICON

SAML11-KPH



psacertified™  
level one

PSA Level 1



# PSA Certification

SAML11

SILICON

SAML11-KPH



psacertified™  
level one

PSA Level 1



# PSA Certification

SAML11

SILICON

SAML11-KPH



psacertified™  
level one

PSA Level 1



# PSA Certification

## SAML11 + Kinibi-M



# PSA Certification

## SAML11 + Kinibi-M



# PSA Certification

## SAML11 + Kinibi-M



# PSA Certification

## SAML11 + Kinibi-M



# PSA Certification

## SAML11 + Kinibi-M



# PSA Certification

## SAML11 + Kinibi-M



# SAML11 WEAK PROTECTIONS



# SAML11 WEAK PROTECTIONS



# SAML11 WEAK PROTECTIONS



*We report to Microchip that the lack of a MPC may create security issues, special in PSA level 2/3, Microchip didn't take any actions!*

Responsible Disclosure: Microchip



Trustonic  
Kinibi-M

# TRUSTONIC KINIBI-M



**Figure 1: Kinibi-M Architecture Overview.**

# TRUSTONIC KINIBI-M



**Figure 1: Kinibi-M Architecture Overview.**

# TRUSTONIC KINIBI-M



**Figure 1: Kinibi-M Architecture Overview.**

# TRUSTONIC KINIBI-M



**Figure 1: Kinibi-M Architecture Overview.**

# TRUSTONIC KINIBI-M



**Figure 1: Kinibi-M Architecture Overview.**

# TRUSTONIC KINIBI-M



Figure 1: Kinibi-M Architecture Overview.

# TRUSTONIC KINIBI-M



Figure 1: Kinibi-M Architecture Overview.

Kinibi-M Refers to PRoT and ARoT as a Secure Module

# TRUSTONIC KINIBI-M



Figure 1: Kinibi-M Architecture Overview.

Kinibi-M Refers to PRoT and ARoT as a Secure Module

# TRUSTONIC KINIBI-M



Figure 1: Kinibi-M Architecture Overview.

Kinibi-M Refers to PRoT and ARoT as a Secure Module

# TRUSTONIC KINIBI-M



Figure 1: Kinibi-M Architecture Overview.

Kinibi-M Refers to PRoT and ARoT as a Secure Module

# TRUSTONIC KINIBI-M



PSA Level 2



Figure 1: Kinibi-M Architecture Overview.

Kinibi-M Refers to PRoT and ARoT as a Secure Module



# TRUSTONIC KINIBI-M



Figure 1: Kinibi-M Architecture Overview.

**Kinibi-M Refers to PRoT and ARoT as a Secure Module**



# TRUSTONIC KINIBI-M



Figure 1: Kinibi-M Architecture Overview.

**Kinibi-M Refers to PRoT and ARoT as a Secure Module**



# TRUSTONIC KINIBI-M



Figure 1: Kinibi-M Architecture Overview.

Kinibi-M Refers to PRoT and ARoT as a Secure Module



# TRUSTONIC KINIBI-M



Figure 1: Kinibi-M Architecture Overview.

Kinibi-M Refers to PRoT and ARoT as a Secure Module



# TRUSTONIC KINIBI-M



Figure 1: Kinibi-M Architecture Overview.

**Kinibi-M Refers to PRoT and ARoT as a Secure Module**

# TRUSTONIC KINIBI-M



Kinibi-M Refers to PRoT and ARoT as a Secure Module

# TRUSTONIC KINIBI-M



# TRUSTONIC KINIBI-M



# TRUSTONIC KINIBI-M



Microkernel-like Architecture

# TRUSTONIC KINIBI-M



Microkernel-like Architecture

# TRUSTONIC KINIBI-M



# TRUSTONIC KINIBI-M



# TRUSTONIC KINIBI-M



# TRUSTONIC KINIBI-M



Kinibi-M Architecture

# TRUSTONIC KINIBI-M



Kinibi-M Architecture

Seems Probably More then PSA Level 3

# TRUSTONIC KINIBI-M



Kinibi-M Architecture

Seems Probably More then PSA Level 3

# TRUSTONIC KINIBI-M



Kinibi-M Architecture

Seems Probably More then PSA Level 3



Microchip SAML11

# TRUSTONIC KINIBI-M



Kinibi-M Architecture

Seems Probably More then PSA Level 3



Microchip SAML11

Only PSA Level 1 & No MPC



Kinibi-M  
Seems Probably

ML11  
& No MPC

BLACKHAT24

ESRGv3

# TRUSTONIC KINIBI-M



Kinibi-M Architecture

Seems Probably More then PSA Level 3



Microchip SAML11

Only PSA Level 1 & No MPC

# TRUSTONIC KINIBI-M

✓ SAU+IDAU



Kinibi-M Architecture

Seems Probably More then PSA Level 3



Microchip SAML11

Only PSA Level 1 & No MPC

# TRUSTONIC KINIBI-M



Kinibi-M Architecture

Seems Probably More then PSA Level 3

- ✓ SAU+IDAU
- ✓ MPU



Microchip SAML11

Only PSA Level 1 & No MPC

# TRUSTONIC KINIBI-M



Kinibi-M Architecture

Seems Probably More then PSA Level 3



Microchip SAML11

Only PSA Level 1 & No MPC

*With this gap of protection, a Secure Unprivileged application that has been granted a DMA can bypass all Kinibi-M security mechanism and achieve arbitrary read, write or execute capabilities*

## Observation

# Responsible Disclosure Trustonic

## A Journey



# We Contact Trustonic Reporting our Findings

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>



# Trustonic Security Team Acknowledged the Reception of Our Report

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>



# Trustonic Security Team Provided 1<sup>st</sup> Feedback

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>



# We Respond to 1<sup>st</sup> Feedback

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>



# Trustonic Security Team Provided 2<sup>nd</sup> Feedback

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>



# We Respond to 2<sup>nd</sup> Feedback

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>



# Trustonic Security Team Provided 3rd and last Feedback

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>



# We Sent a Last Response Wrapping up the Responsible Disclosure

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>



1

# Topic: Evaluation SDK vs Commercial SDK

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

- 1 Topic: Evaluation SDK vs Commercial SDK
- 2 Topic: Attestation Secure Modules



- 
- 1 Topic: Evaluation SDK vs Commercial SDK
  - 2 Topic: Attestation Secure Modules
  - 3 Topic: DMA Permissions



**1 Topic:** Evaluation SDK vs Commercial SDK

**2 Topic:** Attestation Secure Modules

**3 Topic:** DMA Permissions

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

## Topic: Evaluation SDK vs Commercial SDK



“We note that you are **using the Kinibi-M evaluation SDK, not the full (commercial) production SDK.** (...) Kinibi-M evaluation (...) is deliberately more flexible than a commercial (...) production SDK”

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# Topic: Evaluation SDK vs Commercial SDK



"We note that you are using the Kinibi-M evaluation SDK, not the full (commercial) production SDK.  
(...) Kinibi-M evaluation (...) is deliberately more flexible than a commercial (...) production SDK"

## DISCLAIMER

We were only granted access to the **evaluation SDK**, thus all assessments and conclusions presented on this talk are derived from documentation and artifacts from the Evaluation SDK.

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# Topic: Evaluation SDK vs Commercial SDK



"We note that you are using the Kinibi-M evaluation SDK, not the full (commercial) production SDK.  
(...) Kinibi-M evaluation (...) is deliberately more flexible than a commercial (...) production SDK"

## DISCLAIMER

We were only granted access to the **evaluation SDK**, thus all assessments and conclusions presented on this talk are derived from documentation and artifacts from the Evaluation SDK.

We still think commercial version may suffer from the same problem (the underlying architecture problem is the same, weak hardware protections on SAML11)



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

**1 Topic:** Evaluation SDK vs Commercial SDK

**2 Topic:** Attestation Secure Modules

**3 Topic:** DMA Permissions

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

**1 Topic:** Evaluation SDK vs Commercial SDK

**2 Topic:** Attestation Secure Modules

**3 Topic:** DMA Permissions

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: Attestation Secure Modules



You cannot install malicious modules because, “all modules must be signed, and are validated at install time against a protected list of signing keys” (attestation).

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

## Topic: Attestation Secure Modules



You cannot install malicious modules because, “all modules must be signed, and are validated at install time against a protected list of signing keys” (attestation).

### DISCLAIMER

The Evaluation SDK doesn't support attestation of secure modules so we could freely instantiate secure modules, but in the Commercial SDK only OEMs can instantiate modules and they are all signed and validated.

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: Attestation Secure Modules



You cannot install malicious modules because, “all modules must be signed, and are validated at install time against a protected list of signing keys” (attestation).

### DISCLAIMER

The Evaluation SDK doesn't support attestation of secure modules so we could freely instantiate secure modules, but in the Commercial SDK only OEMs can instantiate modules and they are all signed and validated.

Attesting OEMs' Secure Modules offers no guarantees that the Secure Module has no defects.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: Attestation Secure Modules



You cannot install malicious modules because, “all modules must be signed, and are validated at install time against a protected list of signing keys” (attestation).

### DISCLAIMER

The Evaluation SDK doesn’t support attestation of secure modules so we could freely instantiate secure modules, but in the Commercial SDK only OEMs can instantiate modules and they are all signed and validated.

Attesting OEMs’ Secure Modules offers no guarantees that the Secure Module has no defects.



Unless OEMs code is formally verified (which, as far as we know, is not the industry standard) we should (by probability) expect bugs and vulnerabilities.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# TAKEAWAY

1

We argue that there is a **naive trust in OEM developers**. Even if there is **no malicious intent**, unintended bugs may be introduced in the code which may lead to a vulnerability, e.g., privileged escalation.

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

**1 Topic:** Evaluation SDK vs Commercial SDK

**2 Topic:** Attestation Secure Modules

**3 Topic:** DMA Permissions

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

**1 Topic:** Evaluation SDK vs Commercial SDK

**2 Topic:** Attestation Secure Modules

**3 Topic:** DMA Permissions

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: DMA Permissions



It's true that a **Secure Module** with access to a DMA "can effectively access any part of the system", it is "**a common limitation** of low-cost hardware, however it is **far from an open door**"

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: DMA Permissions



It's true that a **Secure Module** with access to a DMA "can effectively access any part of the system", it is "**a common limitation** of low-cost hardware, however it is **far from an open door**"



"Access to the **DMA controller** needs to be granted, and the best practice guidance in the **production SDK** (which we acknowledge you do not have) **explains how to lock down** access to **devices** from less trusted developers"

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: DMA Permissions



It's true that a **Secure Module** with access to a DMA "can effectively access any part of the system", it is "**a common limitation** of low-cost hardware, however it is **far from an open door**"



"Access to the DMA controller **needs to be granted**, and the best practice guidance in the **production SDK** (which we acknowledge you do not have) **explains how to lock down** access to **devices** from less trusted developers"

**Contradictory ideas**, on one side, Trustonic admits that a **Secure Module with DMA access has full access to the system**, and, on the other side, Trustonic claims that it **is not an open door**.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: DMA Permissions



It's true that a **Secure Module** with access to a DMA "can effectively access any part of the system", it is "**a common limitation** of low-cost hardware, however it is **far from an open door**"



"Access to the DMA controller **needs to be granted**, and the best practice guidance in the **production SDK** (which we acknowledge you do not have) **explains how to lock down** access to **devices** from less trusted developers"

**Contradictory ideas**, on one side, Trustonic admits that a **Secure Module with DMA access has full access to the system**, and, on the other side, Trustonic claims that it **is not an open door**.



DMA access **should not need to be granted but MEDIATED** (because lack of hardware mechanisms). **Kinibi-B should mediate access from ALL Secure Modules** via DMA interposer.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: DMA Permissions



It's true that a **Secure Module** with access to a DMA "can effectively access any part of the system", it is "**a common limitation** of low-cost hardware, however it is **far from an open door**"



"Access to the DMA controller **needs to be granted**, and the best practice guidance in the **production SDK** (which we acknowledge you do not have) **explains how to lock down** access to **devices** from less trusted developers"

**Contradictory ideas**, on one side, Trustonic admits that a **Secure Module with DMA access has full access to the system**, and, on the other side, Trustonic claims that it **is not an open door**.



DMA access **should not need to be granted but MEDIATED** (because lack of hardware mechanisms). **Kinibi-B should mediate** access from **ALL Secure Modules** via DMA interposer.



We proposed to share the **DMA interposer mechanism** to fix the DMA issue.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# TAKEAWAY

1

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# TAKEAWAY

1

We argue that there is a **lack of understanding of the limitations of the underlying hardware** (where Kinibi-M runs) and the necessary **Software mechanisms needed to enforce claimed protections**.

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>



1

# Topic: No Native DMA Support

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 Topic: No Native DMA Support

2 Topic: No System MMU & DMA permissions

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

- 1 Topic: No Native DMA Support
- 2 Topic: No System MMU & DMA permissions
- 3 Topic: Native FLASH Access Mediation but not Native DMA mediation.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

- 1 Topic: No Native DMA Support
- 2 Topic: No System MMU & DMA permissions
- 3 Topic: Native FLASH Access Mediation but not Native DMA mediation.

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: No Native DMA Support



**“Kinibi-M for SAML11 does not ship with a Secure World DMA module, and it is left up to customers to source one or do without.”**

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: No Native DMA Support



**“Kinibi-M for SAML11 does not ship with a Secure World DMA module, and it is left up to customers to source one or do without.”**



**“In our architecture it would be up to the OEM provided DMA module to provide that mediation”**

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1

2

3

## Topic: No Native DMA Support



**"Kinibi-M for SAML11 does not ship with a Secure World DMA module, and it is left up to customers to source one or do without."**



**"In our architecture it would be up to the OEM provided DMA module to provide that mediation"**

OEMs have to source one DMA module if they want to use a DMA. **We don't think is a good approach**, because this **forces OEMs to trust each other** (which they don't).



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: No Native DMA Support



"Kinibi-M for SAML11 **does not ship with a Secure World DMA module**, and it is left up to customers to source one or do without."



"In our architecture it **would be up to the OEM** provided DMA module to provide that mediation"



OEMs have to source one DMA module if they want to use a DMA. **We don't think is a good approach**, because this **forces OEMs to trust each other** (which they don't).



It also **increases the probability of a bug/vulnerability**.

Jan 10<sup>th</sup> Jan 12<sup>th</sup> Jan 30<sup>th</sup> Jan 31<sup>st</sup> Feb 9<sup>th</sup> Feb 14<sup>th</sup> Feb 16<sup>th</sup> Mar 10<sup>th</sup>

# TAKEAWAY

1

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# TAKEAWAY

1

We argue that there is a **lack of understanding of multi-OEM threat model**. In a multistakeholder scenario (i.e., multiple OEMs) **OEMs don't trust each other**.

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

- 1 Topic: No Native DMA Support
- 2 Topic: No System MMU & DMA permissions
- 3 Topic: Native FLASH Access Mediation but not Native DMA mediation.

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

- 1 Topic: No Native DMA Support
- 2 Topic: No System MMU & DMA permissions
- 3 Topic: Native FLASH Access Mediation but not Native DMA mediation.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: No System MMU & DMA permissions



“You have at most revealed that this device has **no system MMU** (covered in the data sheet), and that DMA permissions should not be granted to untrusted application modules”

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: No System MMU & DMA permissions



"You have at most revealed that this device has **no system MMU** (covered in the data sheet), and that DMA permissions should not be granted to untrusted application modules"

**System MMU** is an access control IP used in **platforms with virtual memory**, In **Cortex-M (MCU)** platforms, there are no SMMU, but **MPC** (Memory Protection Controller) and **PPC** (Peripheral Protection Controller)



Jan 10<sup>th</sup> Jan 12<sup>th</sup> Jan 30<sup>th</sup> Jan 31<sup>st</sup> Feb 9<sup>th</sup> Feb 14<sup>th</sup> Feb 16<sup>th</sup> Mar 10<sup>th</sup>

1 2 3

## Topic: No System MMU & DMA permissions



"You have at most revealed that this device has **no system MMU** (covered in the data sheet), and that DMA permissions should not be granted to untrusted application modules"

**System MMU** is an access control IP used in **platforms with virtual memory**, In **Cortex-M (MCU)** platforms, there are no SMMU, but **MPC** (Memory Protection Controller) and **PPC** (Peripheral Protection Controller)



The **PPC/MPC** in **SAML11** cannot enforce access control in terms of **privilege levels**. If you directly assign a DMA device to an OEM you are basically **granting them full control of the system**



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Topic: No System MMU & DMA permissions



"You have at most revealed that this device has **no system MMU** (covered in the data sheet), and that DMA permissions should not be granted to untrusted application modules"

**System MMU** is an access control IP used in **platforms with virtual memory**, In **Cortex-M (MCU)** platforms, there are no SMMU, but **MPC** (Memory Protection Controller) and **PPC** (Peripheral Protection Controller)



The **PPC/MPC** in **SAML11** cannot enforce access control in terms of **privilege levels**. If you directly assign a DMA device to an OEM you are basically **granting them full control of the system**



**Kinibi-M** should provide native DMA support once it is a critical piece of infrastructure for Microcontrollers, due to the power and resource-constrained nature of this devices.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# TAKEAWAY

1

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# TAKEAWAY

1

We argue there is a **lack of understanding about the memory protection controllers of Microcontrollers** (system wide protection mechanisms).

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

- 1 Topic: No Native DMA Support
- 2 Topic: No System MMU & DMA permissions
- 3 Topic: Native FLASH Access Mediation but not Native DMA mediation.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

- 1 Topic: No Native DMA Support
- 2 Topic: No System MMU & DMA permissions
- 3 Topic: Native FLASH Access Mediation but not Native DMA mediation.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1

2

3

## Topic: Native FLASH Access Mediation but not Native DMA mediation.



“Kinibi-M fully supports secure identification of module-to-module caller identity precisely to support this sort of use case. For example this is the pattern we use to **mediated access to flash storage provided by our secure storage module.**”

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1

2

3

## Topic: Native FLASH Access Mediation but not Native DMA mediation.



“Kinibi-M fully supports secure identification of module-to-module caller identity precisely to support this sort of use case. For example this is the pattern we use to **mediated access to flash storage provided by our secure storage module**.”

**Kinibi-M provides mediation for flash storage, but why doesn't it offer similar mediation for DMA?**  
DMA is also a critical service, arguably even more.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# TAKEAWAY

1

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# TAKEAWAY

1

We argue that there is a **lack of understanding** regarding the **criticality of a core service such as the DMA**. If mismanaged, it can grant full access to all system memory.

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>



1

# Topic: Clarification of Kinibi-M isolation levels

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

- 1 Topic: Clarification of Kinibi-M isolation levels
- 2 Topic: Clarification of who should provide DMA mediator



- 1 Topic: Clarification of Kinibi-M isolation levels
- 2 Topic: Clarification of who should provide DMA mediator
- 3 Topic: Requests to Trustonic



- 1 Topic: Clarification of Kinibi-M isolation levels
- 2 Topic: Clarification of who should provide DMA mediator
- 3 Topic: Requests to Trustonic



## Topic: Clarification of Kinibi-M isolation levels



“Kinibi-M pre-dates Arm PSA and was not built on the PSA architecture. (...) In some areas we do more than PSA (any level) in others we do less. That is why we do not claim PSA Level 3 and have not certified against it.”

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# TAKEAWAY

1

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# TAKEAWAY

1

We argue there is **lack of awareness and mapping** regarding the **PSA isolation levels** on Kinibi-M.

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

- 1 Topic: Clarification of Kinibi-M isolation levels
- 2 Topic: Clarification of who should provide DMA mediator
- 3 Topic: Requests to Trustonic

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1

**Topic: Clarification of Kinibi-M isolation levels**

2

**Topic: Clarification of who should provide DMA mediator**

3

**Topic: Requests to Trustonic**

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1

2

3

## Topic: Clarification of who should provide DMA mediator



"This **device has only** (at most) **64kb of flash** and a **16kb of ram**. There are very few use cases for secure world DMA. In practice **most customers simply disable the use of DMA in the secure world**, preventing any potential abuse."

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1

2

3

## Topic: Clarification of who should provide DMA mediator



"This **device has only** (at most) **64kb of flash** and a **16kb of ram**. There are very few use cases for secure world DMA. In practice **most customers simply disable the use of DMA in the secure world**, preventing any potential abuse."



"If needed, **DMA access should be provided and mediated by a “system” module**. That is what we have said all along. **However**, that module needs to be **provided by an OEM**. It is not provided by Trustonic."

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1

2

3

## Topic: Clarification of who should provide DMA mediator



"This **device has only** (at most) **64kb of flash** and a **16kb of ram**. There are very few use cases for secure world DMA. In practice **most customers simply disable the use of DMA in the secure world**, preventing any potential abuse."



"If needed, **DMA access should be provided and mediated by a “system” module**. That is what we have said all along. **However**, that module needs to be **provided by an OEM**. It is not provided by Trustonic."

We strongly believe that **not providing DMA mediation is not a good security practice.**

Jan 10<sup>th</sup>Jan 12<sup>th</sup>Jan 30<sup>th</sup>Jan 31<sup>st</sup>Feb 9<sup>th</sup>Feb 14<sup>th</sup>Feb 16<sup>th</sup>Mar 10<sup>th</sup>

1

2

3

## Topic: Clarification of who should provide DMA mediator



"This **device has only** (at most) **64kb of flash** and a **16kb of ram**. There are very few use cases for secure world DMA. In practice **most customers simply disable the use of DMA in the secure world**, preventing any potential abuse."



"If needed, **DMA access should be provided and mediated by a “system” module**. That is what we have said all along. **However**, that module needs to be **provided by an OEM**. It is not provided by Trustonic."

We strongly believe that **not providing DMA mediation is not a good security practice.**



**DMA**s are **key components** in **MCUs** (but bus masters!!). **Not providing DMA module** is limiting the system's capabilities from one side and leaving an open threat vector on the other side.

Jan 10<sup>th</sup>Jan 12<sup>th</sup>Jan 30<sup>th</sup>Jan 31<sup>st</sup>Feb 9<sup>th</sup>Feb 14<sup>th</sup>Feb 16<sup>th</sup>Mar 10<sup>th</sup>

1

**Topic: Clarification of Kinibi-M isolation levels**

2

**Topic: Clarification of who should provide DMA mediator**

3

**Topic: Requests to Trustonic**

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1

**Topic: Clarification of Kinibi-M isolation levels**

2

**Topic: Clarification of who should provide DMA mediator**

3

**Topic: Requests to Trustonic**

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

- 1
- 2
- 3

## Requests to Trustonic

To issue a **Security Advisory**.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

# Requests to Trustonic

To issue a **Security Advisory**.



**Clarify the documentation** clearly communicating the limitations of **Evaluation SDK** vs **Commercial SDK**.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

# Requests to Trustonic

To issue a **Security Advisory**.



**Clarify the documentation** clearly communicating the limitations of **Evaluation SDK** vs **Commercial SDK**.



Provide us **access** to the **Commercial SDK** for internal assessment.



Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

1 2 3

## Requests to Trustonic

To issue a **Security Advisory**.



**Clarify the documentation** clearly communicating the limitations of **Evaluation SDK** vs **Commercial SDK**.



Provide us access to the **Commercial SDK** for internal assessment.



**NO RESPONSE TO OUR REQUESTS!**

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# SUMMING UP

1

2

3

4

5

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# SUMMING UP

1

We could only validate our claims on **Evaluation SDK** (the only SDK we were granted permissions);

2

3

4

5

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# SUMMING UP

1

We **could only validate** our claims on **Evaluation SDK** (the only SDK we were granted permissions);

2

**Secure Modules** (from OEMs) are **signed and validated** on the **Commercial Version**;

3

4

5

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# SUMMING UP

1

We **could only validate** our claims on **Evaluation SDK** (the only SDK we were granted permissions);

2

**Secure Modules** (from OEMs) are **signed and validated** on the **Commercial Version**;

3

We think **attestation is orthogonal** to the problem we discussed in this presentation;

4

5

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# SUMMING UP

1

We could only validate our claims on **Evaluation SDK** (the only SDK we were granted permissions);

2

**Secure Modules** (from OEMs) are signed and validated on the **Commercial Version**;

3

We think **attestation is orthogonal** to the problem we discussed in this presentation;

4

Official Kinibi-m claims only **PSA Level 2** ready, but its **secure architecture claims higher protections levels** (not backed by any hardware or software mechanism);

5

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# SUMMING UP

1

We could only validate our claims on **Evaluation SDK** (the only SDK we were granted permissions);

2

**Secure Modules** (from OEMs) are signed and validated on the **Commercial Version**;

3

We think **attestation is orthogonal** to the problem we discussed in this presentation;

4

Official Kinibi-m claims only **PSA Level 2** ready, but its **secure architecture claims higher protections levels** (not backed by any hardware or software mechanism);

5

There is **no DMA mediator**, the responsibility is **left to the OEMs**, and by default Kinibi-M has no control of such an import core service, able to disrupt all system;

Jan 10<sup>th</sup>

Jan 12<sup>th</sup>

Jan 30<sup>th</sup>

Jan 31<sup>st</sup>

Feb 9<sup>th</sup>

Feb 14<sup>th</sup>

Feb 16<sup>th</sup>

Mar 10<sup>th</sup>

# DMA Mediation

# DMA MEDIATION



# DMA MEDIATION



# DMA MEDIATION



# DMA MEDIATION



# DMA MEDIATION



# DMA MEDIATION



① NS calls ARoT 1

# DMA MEDIATION



① NS calls ARoT 1

② ARoT 1 requests access to DMA mediator

# DMA MEDIATION



- ① NS calls ARoT 1
- ② ARoT 1 requests access to DMA mediator
- ③ TEE Kernel Invokes DMA Mediator

# DMA MEDIATION



① NS calls ARoT 1

② ARoT 1 requests access to DMA mediator

③ TEE Kernel Invokes DMA Mediator

④ DMA Mediator Checks Access Permissions and Memory Range

# DMA MEDIATION



① NS calls ARoT 1

② ARoT 1 requests access to DMA mediator

③ TEE Kernel Invokes DMA Mediator

④ DMA Mediator Checks Access Permissions and Memory Range

⑤ DMA Memory Access Granted to ARoT 1

# DMA MEDIATION



① NS calls ARoT 1

② ARoT 1 requests access to DMA mediator

③ TEE Kernel Invokes DMA Mediator

④ DMA Mediator Checks Access Permissions and Memory Range

⑤ DMA Memory Access Granted to ARoT 1

A ARoT 2 requests access to DMA mediator

# DMA MEDIATION



- ① NS calls ARoT 1
  - ② ARoT 1 requests access to DMA mediator
  - ③ TEE Kernel Invokes DMA Mediator
  - ④ DMA Mediator Checks Access Permissions and Memory Range
  - ⑤ DMA Memory Access Granted to ARoT 1
  - A ARoT 2 requests access to DMA mediator
- Red X:** ARoT 2 is not on the DMA Mediator Whitelist, requested is rejected

# What Can Go Wrong

Attack Examples and “Live” Demo

WHEN WE WANT  
“PSA 3+” ISOLATION



Kinibi-M Architecture  
Seems Probably More then PSA Level 3

BUT THE MCU  
HAS NO MPC



# AND FIRMWARE HAS NO DMA MEDIATION



AND FIR  
NO DMA



# POTENTIAL EXPLOITS

01

## Arbitrary Code Execution in Secure Privilege Mode

Demonstrates the capability to directly tamper with Kinibi-M and achieve **arbitrary code execution in secure privileged mode**, rendering all Kinibi-M memory protections ineffective.

Attack 1

02

## Steal Proprietary Code from a Secure Module

Demonstrates the capability to **read arbitrary CODE memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 2

03

## Steal Cryptographic Keys from Kinibi-M Secure Storage

Demonstrates the capability to **read and write arbitrary DATA memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 3

# POTENTIAL EXPLOITS

01

## Arbitrary Code Execution in Secure Privilege Mode

Demonstrates the capability to directly tamper with Kinibi-M and achieve **arbitrary code execution in secure privileged mode**, rendering all Kinibi-M memory protections ineffective.

Attack 1

02

## Steal Proprietary Code from a Secure Module

Demonstrates the capability to **read arbitrary CODE memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 2

03

## Steal Cryptographic Keys from Kinibi-M Secure Storage

Demonstrates the capability to **read and write arbitrary DATA memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 3

# POTENTIAL EXPLOITS

01

## Arbitrary Code Execution in Secure Privilege Mode

Demonstrates the capability to directly tamper with Kinibi-M and achieve **arbitrary code execution in secure privileged mode**, rendering all Kinibi-M memory protections ineffective.

Attack 1

02

## Steal Proprietary Code from a Secure Module

Demonstrates the capability to **read arbitrary CODE memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 2

03

## Steal Cryptographic Keys from Kinibi-M Secure Storage

Demonstrates the capability to **read and write arbitrary DATA memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 3

# POTENTIAL EXPLOITS

01

## Arbitrary Code Execution in Secure Privilege Mode

Demonstrates the capability to directly tamper with Kinibi-M and achieve **arbitrary code execution in secure privileged mode**, rendering all Kinibi-M memory protections ineffective.

Attack 1

02

## Steal Proprietary Code from a Secure Module

Demonstrates the capability to **read arbitrary CODE memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 2

03

## Steal Cryptographic Keys from Kinibi-M Secure Storage

Demonstrates the capability to **read and write arbitrary DATA memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 3

# POTENTIAL EXPLOITS

01

## Arbitrary Code Execution in Secure Privilege Mode

Demonstrates the capability to directly tamper with Kinibi-M and achieve **arbitrary code execution in secure privileged mode**, rendering all Kinibi-M memory protections ineffective.

Attack 1

02

## Steal Proprietary Code from a Secure Module

Demonstrates the capability to **read arbitrary CODE memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 2

03

## Steal Cryptographic Keys from Kinibi-M Secure Storage

Demonstrates the capability to **read and write arbitrary DATA memory** from other secure modules and entirely bypass Kinibi-M's system memory protections.

Attack 3

# Steal Cryptographic Keys from Kinibi-M Secure Storage

# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



Malicious

Victim

# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# ATTACK 3 STEALING KEYS



# Live Demo

Video

# Lessons Learned

Advices for HW & SW providers and System Designers

# LESSONS

# LESSONS



# LESSONS

#1

For Hardware  
Providers

#2

For Firmware  
Providers

# LESSONS

#1

For Hardware  
Providers

#3

For System's  
Users

For Firmware  
Providers

#2

# LESSONS

#1

## For Hardware Providers

Hardware providers should implement protections at the **system-level** that takes in account both **privilege levels** and **security states**.

#3

## For System's Users

## For Firmware Providers

#2

# LESSONS

#1

For Hardware  
Providers

## RECOMENDED

Hardware providers should implement protections at the system-level that takes in account both privilege levels and security states.

#3

For System's  
Users

For Firmware  
Providers

#2

# LESSONS

#1

For Hardware  
Providers

**RECOMENDED**

Hardware providers should implement protections at the system-level that takes in account both privilege levels and security states.

#3

For System's  
Users

**NOT RECOMENDED**

For Firmware  
Providers

#2

# NXP LPC5500

LESSONS

#3

For System's  
Users

**NOT RECOMMENDED**

Firmware  
Providers

#2



Fig 177. System view with secure AHB bus

# NXP LPC5500

# LESSONS

# MICROCHIP SAML11



# LESSONS

#1

## For Hardware Providers

Hardware providers should implement protections at the **system-level** that takes in account both **privilege levels** and **security states**.

#3

## For System's Users

## For Firmware Providers

#2

# LESSONS

#1

## For Hardware Providers

Hardware providers should **implement protections** at the **system-level** that takes in account both **privilege levels** and **security states**.

Firmware providers should implement mechanisms that enforce isolation defined in the PSA standard.

## For Firmware Providers

#2

#3

## For System's Users

# LESSONS

#1

For Hardware  
Providers

**RECOMENDED**

Hardware providers should implement protections at the system-level that takes in account both privilege levels and security states.

Firmware providers should implement mechanisms that enforce isolation defined in the PSA standard.

**NOT RECOMENDED**

For Firmware  
Providers

#2

#3

For System's  
Users

# LESSONS

MULTIZONE

#1

0x5

## HEX-Five Security

“To enforce system separation policies, MultiZone built-in support for protected DMA transfers traps all DMA requests and emulates the PMP logic in software”

Pag. 19 - MultiZone. MultiZone® Security Reference Manual, RISC-V. Tech. rep. MultiZone, Nov 2021.

re providers should implement mechanisms to enforce isolation defined in the PSA standard.

**NOT RECOMENDED**

for Firmware Providers

#2

#3

For System's Users

# LESSONS

MULTIZONE

#1

## 0x5 HEX-Five Security

“To enforce system separation policies, MultiZone built-in support for protected DMA transfers traps all DMA requests and emulates the PMP logic in software”

Pag. 19 - MultiZone. MultiZone® Security Reference Manual, RISC-V. Tech. rep. MultiZone, Nov 2021.

KINIBI-M

#3



#2

# LESSONS

#1

## For Hardware Providers

Hardware providers should **implement protections** at the **system-level** that takes in account both **privilege levels** and **security states**.

Firmware providers should implement mechanisms that enforce isolation defined in the PSA standard.

## For Firmware Providers

#2

#3

## For System's Users

# LESSONS

#1

## For Hardware Providers

Hardware providers should **implement protections** at the **system-level** that takes in account both **privilege levels** and **security states**.

Firmware providers should implement mechanisms that enforce isolation defined in the PSA standard.

## For Firmware Providers

#2

#3

## For System's Users

Users (OEMs and software developers) should be cautious in choosing the system where they want to deploy their software.

# LESSONS

#1

For Hardware Providers

## WHY NOT AN EXTRA PSA LEVEL?

Hardware providers should implement protections at the system-level that takes in account both privilege levels and security states.

For Firmware Providers

#2

Firmware providers should implement mechanisms that enforce isolation defined in the PSA standard.

#3

For System's Users

Users (OEMs and software developers) should be cautious in choosing the system where they want to deploy their software.

# LESSONS

#1

NORMAL WORLD

For Hardware  
Providers

NSPE  
SW

Hardware providers  
implement protocols  
the system-level  
takes in account  
privilege levels and  
security states.

SECURE WORLD

ARoT  
1

ARoT  
N

PRoT  
1

PRoT  
N

Kernel

CPU

#2

#3

# Summary

Final Thoughts and BH Sound Bytes

# Responsible Disclosure

# Responsible Disclosure

MICROCHIP



# Responsible Disclosure

MICROCHIP



TRUSTONIC



Problem of the SW



# Responsible Disclosure

MICROCHIP



TRUSTONIC



Problem of the SW

It would be a Good  
Security Practice to  
Provide a MPC



# Responsible Disclosure

MICROCHIP



Problem of the SW

It would be a Good  
Security Practice to  
Provide a MPC



TRUSTONIC



DMA Module is Responsibility  
of Developers

OEMs

# Responsible Disclosure

MICROCHIP



Problem of the SW



It would be a Good  
Security Practice to  
Provide a MPC



TRUSTONIC



DMA Module is Responsibility  
of Developers

OEMs



It would be a Good Security  
Practice to Provide  
DMA MEDIATION



# Responsible Disclosure

MICROCHIP



Problem of the SW

It would be a Good  
Security Practice to  
Provide a MPC



TRUSTONIC



ATTESTATION  
We signed all OEMs  
Secure Modules

OEMs

DMA Module is Responsibility  
of Developers

It would be a Good Security  
Practice to Provide  
DMA MEDIATION



# Responsible Disclosure

MICROCHIP



It would be a Good  
Security Practice to  
Provide a MPC



TRUSTONIC



Problem of the SW



ATTESTATION  
We signed all OEMs  
Secure Modules

DMA Module is Responsibility  
of Developers

OEMs



It would be a Good Security  
Practice to Provide  
DMA MEDIATION



ATTESSTATION is  
ORTHOGONAL to the  
problem

# Responsible Disclosure

MICROCHIP



It would be a Good  
Security Practice to  
Provide a MPC



TRUSTONIC



Problem of the SW



EVALUATION SDK  
You Just Proved in an  
Unsecure SDK Version

ATTESTATION  
We signed all OEMs  
Secure Modules

ATTESTATION is  
ORTHOGONAL to the  
problem

OEMs

DMA Module is Responsibility  
of Developers



It would be a Good Security  
Practice to Provide  
DMA MEDIATION



# Responsible Disclosure

MICROCHIP



TRUSTONIC



ATTESTATION is  
ORTHOGONAL to the  
problem

ATTESTATION  
We signed all OEMs  
Secure Modules

OEMs



It would be a Good  
Security Practice to  
Provide a MPC

EVALUATION SDK  
You Just Proved in an  
Unsecure SDK Version

DMA Module is Responsibility  
of Developers

You Didn't Provide us  
COMERCIAL SDK

It would be a Good Security  
Practice to Provide  
DMA MEDIATION



# Black Hat SOUND BYTES

1. We shared our **journey** on fully **assessing** an **MCU-based TEE (Kinibi-M) targeting** a reference TrustZone-M hardware platform (**SAML11**)
2. We presented how it is possible to **bypass CPU-level isolation primitives**, and explain the design of a TEE **core mechanism (DMA Mediator)** to offer such protection;
3. We perform a **live demo** of one potential **exploit that retrieves a cryptographic key** from other Secure Partitions **bypassing** all hardware and software **TEE isolation boundaries**.

# THANK YOU!

Cristiano Rodrigues | Sandro Pinto, PhD  
(Centro ALGORITMI / LASI, Universidade do Minho)

[id9492@alunos.uminho.pt](mailto:id9492@alunos.uminho.pt)

 @\_CRodrigues\_\_

[sandro.pinto@dei.uminho.pt](mailto:sandro.pinto@dei.uminho.pt)

 @sandro2pinto

# Q & A

Cristiano Rodrigues | Sandro Pinto, PhD  
(Centro ALGORITMI / LASI, Universidade do Minho)



Cristiano Rodrigues



Sandro Pinto