vTZ: TrustZone and TEE Virtualization

vTZ enables TEE multiplexing for virtual machines. It combines hardware-assisted virtualization with TrustZone to support multiple isolated secure worlds, enabling seamless deployment of TEEs in virtualized environments.

Different users have different requirements for a TEE. TEE virtualization enables a device to run multiple TEEs at the same time. However, TrustZone was not designed to be virtualized: it provides only one TEE, which prevents it from being securely shared by multiple VMs. In other words, as soon as one TEE is compromised, all other TEEs are also exposed to attackers.

vTZ is a system that provides transparent virtualization of TrustZone while still maintaining strong isolation among the virtualized TrustZone instances. Unlike existing approaches that merely provide an execution environment for trustlets, vTZ leverages the ARM virtualization extensions to trap and emulate all functionality of a real TrustZone, so that guest VMs can deploy more complex systems in their own virtualized private secure worlds. vTZ also isolates the secure worlds of different VMs from one another, ensuring that one guest's secure world can only access its own resources.
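To make the trap-and-emulate idea concrete, the following is an added, deliberately simplified C model of the dispatcher a hypervisor would run when a guest's SMC instruction is trapped (on ARMv8 the hypervisor at EL2 can request this with the HCR_EL2.TSC trap bit). It is not vTZ's code and the SMC function numbers, the per-VM memory size and the `handle_smc` interface are assumptions made for the model. The security-relevant point it shows is the isolation rule: the hypervisor selects a guest's virtual secure world from the VM identity it already knows from the trap, never from a guest-supplied argument, so a guest that corrupts its own secure world cannot reach another guest's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_VMS 4        /* assumed: number of guests the model hypervisor hosts */
#define SW_MEM_SIZE 64   /* assumed: bytes of private state per virtual secure world */

/* One virtual secure world per guest VM, owned and switched by the hypervisor. */
struct vsecure_world {
    int booted;
    uint8_t mem[SW_MEM_SIZE];   /* private secure-world memory (model) */
};

static struct vsecure_world worlds[MAX_VMS];

/* Hypothetical SMC function IDs for the model; real firmware uses its own numbering. */
enum smc_func { SMC_BOOT = 1, SMC_WRITE = 2, SMC_READ = 3 };

/* Reset every virtual secure world (hypervisor start-up). */
void hyp_reset(void) {
    memset(worlds, 0, sizeof worlds);
}

/*
 * Emulate a trapped SMC. caller_vmid is the identity of the guest that executed
 * the SMC, as recorded by the hypervisor when it scheduled that guest; it is the
 * only thing that selects which virtual secure world is touched.
 * Returns 0 on success, negative on error; SMC_READ stores the byte into *out.
 */
int handle_smc(int caller_vmid, enum smc_func func, uint32_t offset,
               uint8_t value, uint8_t *out) {
    if (caller_vmid < 0 || caller_vmid >= MAX_VMS)
        return -1;                      /* unknown guest: refuse */
    struct vsecure_world *w = &worlds[caller_vmid];

    switch (func) {
    case SMC_BOOT:
        memset(w->mem, 0, sizeof w->mem);   /* fresh private state for this guest only */
        w->booted = 1;
        return 0;
    case SMC_WRITE:
        if (!w->booted || offset >= SW_MEM_SIZE)
            return -3;                  /* not booted, or out of the guest's own range */
        w->mem[offset] = value;
        return 0;
    case SMC_READ:
        if (!w->booted || offset >= SW_MEM_SIZE || out == NULL)
            return -3;
        *out = w->mem[offset];
        return 0;
    }
    return -4;                          /* unsupported function: refuse */
}

/*
 * Scenario: VM 0 stores a secret byte in its secure world; VM 1 boots its own
 * secure world, scribbles over it, and reads the same offset. Returns 1 when
 * VM 1 sees only its own state and VM 0's secret survives, 0 otherwise.
 */
int demo_isolation(void) {
    uint8_t seen_by_vm1 = 0, kept_by_vm0 = 0;
    hyp_reset();
    if (handle_smc(0, SMC_BOOT, 0, 0, NULL) != 0) return 0;
    if (handle_smc(0, SMC_WRITE, 7, 0x5a, NULL) != 0) return 0;   /* VM 0's secret */

    if (handle_smc(1, SMC_BOOT, 0, 0, NULL) != 0) return 0;
    for (uint32_t i = 0; i < SW_MEM_SIZE; i++)                      /* "compromised" VM 1 */
        if (handle_smc(1, SMC_WRITE, i, 0xff, NULL) != 0) return 0;
    if (handle_smc(1, SMC_READ, 7, 0, &seen_by_vm1) != 0) return 0;

    if (handle_smc(0, SMC_READ, 7, 0, &kept_by_vm0) != 0) return 0;
    return seen_by_vm1 == 0xff && kept_by_vm0 == 0x5a;
}

int main(void) {
    printf("isolation holds: %s\n", demo_isolation() ? "yes" : "no");
    return 0;
}
```

The model collapses the whole secure world to a byte array so that the dispatch logic stays visible; in a real system the per-guest context also includes the banked secure-world registers and a guest-private secure memory region that the hypervisor saves, restores and protects on every world switch.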