FAARM: Firmware Attestation and Authentication Framework for Mali GPUs
Md. Mehedi Hasan
TL;DR
MOLE reveals a critical trust gap in GPU TEEs caused by unverified MCU firmware loading, enabling data exfiltration and inference tampering. FAARM addresses this gap with an EL3-anchored firmware attestation and locking framework that authenticates vendor-signed MCU firmware, enforces monotonic versioning, and atomically locks firmware to eliminate TOCTOU and rollback vulnerabilities. In a software Colab prototype, FAARM achieves a mean verification latency of about 1.34 ms and under 2% overhead relative to typical GPU initialization, while blocking all MOLE-style attacks in tested scenarios. The approach provides a practical, deployable defense for mobile and cloud GPU deployments and can extend to other co-processors with similar architectures, strengthening the end-to-end security of GPU TEEs.
Abstract
Recent work has revealed MOLE, the first practical attack to compromise GPU Trusted Execution Environments (TEEs), by injecting malicious firmware into the embedded Microcontroller Unit (MCU) of Arm Mali GPUs. By exploiting the absence of cryptographic verification during initialization, adversaries with kernel privileges can bypass memory protections, exfiltrate sensitive data at over 40 MB/s, and tamper with inference results, all with negligible runtime overhead. This attack surface affects commodity mobile SoCs and cloud accelerators, exposing a critical firmware-level trust gap in existing GPU TEE designs. To address this gap, this paper presents FAARM, a lightweight Firmware Attestation and Authentication framework that prevents MOLE-style firmware subversion. FAARM integrates digital signature verification at the EL3 secure monitor using vendor-signed firmware bundles and an on-device public key anchor. At boot, EL3 verifies firmware integrity and authenticity, enforces version checks, and locks the firmware region, eliminating both pre-verification and time-of-check-to-time-of-use (TOCTOU) attack vectors. We implement FAARM as a software-only prototype on a Mali GPU testbed, using a Google Colab-based emulation framework that models the firmware signing process, the EL1 to EL3 load path, and secure memory configuration. FAARM reliably detects and blocks malicious firmware injections, rejecting tampered images before use and denying overwrite attempts after attestation. Firmware verification incurs only 1.34 ms latency on average, demonstrating that strong security can be achieved with negligible overhead. FAARM thus closes a fundamental gap in shim-based GPU TEEs, providing a practical, deployable defense that raises the security baseline for both mobile and cloud GPU deployments.
