Building Your Own Trusted Execution Environments Using FPGA
Md Armanuzzaman, Ahmad-Reza Sadeghi, Ziming Zhao
TL;DR
This paper introduces BYOTee, a hardware-software co-design framework that builds multiple, customizable TEEs on commodity SoC FPGAs to address the static hardware TCB and cache-side-channel limitations of traditional TEEs. It delivers a dynamic root of trust and both software- and hardware-based attestation, along with a Python-based toolchain (HardwareBuilder, Hw-Att, SSAPacker) to generate protected bitstreams and SSA binaries for enclave deployment. The approach enables on-demand enclaves with isolated hardware resources (softcore CPUs, BRAM, peripherals) and secure boot/configuration flows, demonstrated on Xilinx Zynq-7000 with four SSAs and twelve Embench-IoT benchmarks, achieving favorable performance/power trade-offs relative to lightweight hard CPUs. The work presents a versatile path toward transparent, verifiable, and customizable hardware TEEs suitable for research and deployment on commodity devices, while acknowledging remaining challenges such as TOCTOU, side-channels, and dynamic reconfiguration security.
Abstract
In recent years, we have witnessed unprecedented growth in using hardware-assisted Trusted Execution Environments (TEE) or enclaves to protect sensitive code and data on commodity devices thanks to new hardware security features, such as Intel SGX and Arm TrustZone. Even though the proprietary TEEs bring many benefits, they have been criticized for lack of transparency, vulnerabilities, and various restrictions. For example, existing TEEs only provide a static and fixed hardware Trusted Computing Base (TCB), which cannot be customized for different applications. Existing TEEs time-share a processor core with the Rich Execution Environment (REE), making execution less efficient and vulnerable to cache side-channel attacks. Moreover, TrustZone lacks hardware support for multiple TEEs, remote attestation, and memory encryption. In this paper, we present BYOTee (Build Your Own Trusted Execution Environments), which is an easy-to-use infrastructure for building multiple equally secure enclaves by utilizing commodity Field Programmable Gate Arrays (FPGA) devices. BYOTee creates enclaves with customized hardware TCBs, which include softcore CPUs, block RAMs, and peripheral connections, in FPGA on demand. Additionally, BYOTee provides mechanisms to attest the integrity of the customized enclaves' hardware and software stacks, including bitstream, firmware, and the Security-Sensitive Applications (SSA) along with their inputs and outputs to remote verifiers. We implement a BYOTee system for the Xilinx System-on-Chip (SoC) FPGA. The evaluations on the low-end Zynq-7000 system for four SSAs and 12 benchmark applications demonstrate the usage, security, effectiveness, and performance of the BYOTee framework.
