Penglai-PMP on VisionFive

We plan to port the open-source Penglai-PMP to VisionFive. Penglai-PMP uses the PMP (Physical Memory Protection) mechanism specified in RISC-V ISA v1.10 to provide memory isolation protection.

The GitHub repository for Penglai-PMP is Penglai-Enclave/Penglai-Enclave-sPMP ("Penglai Enclave is an open-sourced, secure and scalable TEE system for RISC-V"). The root directory includes opensbi-0.9 and openEuler-kernel, which correspond to the two important components in the port: the SBI and the OS kernel. The Penglai SM (Secure Monitor) is based on OpenSBI 0.9. Its source code is under /opensbi-0.9/lib/sbi/sm, and it is compiled as part of OpenSBI to produce fw_payload, the platform firmware.

Penglai-PMP offers memory isolation protection based on a user-mode enclave abstraction. The SM, running in M-mode, provides enclave lifecycle management, and memory isolation is enforced around that lifecycle. In addition, the SM supports enclave key management and remote attestation, and is responsible for random number generation, among other things. The platform needs to provide a device root key bound to the platform identity and, through secure boot, provide proof of the SM's integrity.
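The PMP-based isolation described above comes down to M-mode software programming pmpaddr/pmpcfg pairs. The following C code is an added example, not code from the Penglai repository: it encodes regions in the NAPOT format of the RISC-V privileged specification and models how an S/U-mode access is checked, using a constructed memory layout and hypothetical function names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* pmpcfg bits per the RISC-V privileged spec: R/W/X and the A field (NAPOT = 3). */
#define PMP_R 0x01u
#define PMP_W 0x02u
#define PMP_X 0x04u
#define PMP_A_NAPOT 0x18u   /* both A bits set, so it also serves as the A mask */

struct pmp_entry { uint64_t addr; uint8_t cfg; };  /* pmpaddrN and its pmpcfg byte */

/* Encode [base, base+size) as NAPOT. size must be a power of two >= 8 and
 * base must be size-aligned; returns false if the region is not encodable. */
bool pmp_encode_napot(uint64_t base, uint64_t size, uint8_t perm, struct pmp_entry *out)
{
    if (size < 8 || (size & (size - 1)) || (base & (size - 1)))
        return false;
    out->addr = (base >> 2) | ((size >> 3) - 1);
    out->cfg = PMP_A_NAPOT | (perm & (PMP_R | PMP_W | PMP_X));
    return true;
}

/* Model an S/U-mode access to one byte: the lowest-numbered matching entry
 * decides, and an access that matches no entry is denied. */
bool pmp_su_access_ok(const struct pmp_entry *tbl, int n, uint64_t pa, uint8_t need)
{
    for (int i = 0; i < n; i++) {
        if ((tbl[i].cfg & PMP_A_NAPOT) != PMP_A_NAPOT)
            continue;                      /* only NAPOT entries are modelled */
        unsigned ones = 0;                 /* trailing 1s give the region size */
        while (ones < 60 && ((tbl[i].addr >> ones) & 1))
            ones++;
        uint64_t size = 1ULL << (ones + 3);
        uint64_t base = (tbl[i].addr & ~((1ULL << ones) - 1)) << 2;
        if (pa >= base && pa - base < size)
            return (tbl[i].cfg & need) == need;
    }
    return false;
}

int main(void)
{
    struct pmp_entry tbl[2];
    /* Constructed layout: a 2 MiB enclave region hidden inside 2 GiB of DRAM. */
    pmp_encode_napot(0x80200000ULL, 0x200000ULL, 0, &tbl[0]);
    pmp_encode_napot(0x80000000ULL, 0x80000000ULL, PMP_R | PMP_W | PMP_X, &tbl[1]);
    printf("enclave page readable by host: %d\n", pmp_su_access_ok(tbl, 2, 0x80200000ULL, PMP_R));
    printf("ordinary page readable by host: %d\n", pmp_su_access_ok(tbl, 2, 0x80400000ULL, PMP_R));
}
```

Entry order matters: if the DRAM-wide entry were placed before the no-permission entry, the enclave region would be readable by the host, because the lowest-numbered match wins.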

The Penglai kernel driver is an ordinary Linux driver module. openEuler 21.04 is a Linux distribution from the openEuler community with relatively good support for RISC-V. Penglai-PMP uses openEuler as the demo OS to simplify the porting process, and it supports other Linux distributions as well.


Introduction to the Penglai components to be ported

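The version to be ported to the StarFive development board is the PMP version of open-source Penglai, which uses the PMP (Physical Memory Protection) mechanism specified in v1.10 of the RISC-V ISA specification to implement memory isolation protection.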

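The GitHub repository for this version of open-source Penglai is Penglai-Enclave/Penglai-Enclave-sPMP ("Penglai Enclave is an open-sourced, secure and scalable TEE system for RISC-V"). The root directory contains two subdirectories, opensbi-0.9 and openEuler-kernel, which correspond to the SBI and the OS kernel, the two important components in the porting process. Penglai's SM (Secure Monitor) is implemented on top of OpenSBI 0.9. Its source code is located in the /opensbi-0.9/lib/sbi/sm directory and is compiled together with OpenSBI to produce fw_payload, the platform firmware.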

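This PMP version of Penglai provides memory isolation protection based on a user-mode enclave abstraction. The SM, running in M-mode, provides enclave lifecycle management, and memory isolation is carried out around the enclave lifecycle. In addition, the SM supports enclave key management and remote attestation, and is responsible for random number generation, among other things. The platform must provide a device root key bound to the platform identity and, through secure boot, provide proof of the SM's integrity.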

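Penglai's kernel driver is an ordinary Linux driver module. openEuler 21.04 is a Linux distribution from the openEuler community with relatively good support for the RISC-V software repositories. This version of Penglai uses openEuler as the example operating system to simplify deployment, and it also supports other Linux systems.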