
Qualcomm KeyMaster keys extracted directly from TrustZone - marksamman
https://mobile.twitter.com/laginimaineb/status/737051964857561093
======
slimsag
What would the implications of this be?

Does it just mean that people can root all devices using this chipset? Or
something worse?

(sorry if this is obvious, I'm just not in the know)

~~~
HappyTypist
This breaks the security model of all affected devices using this chip.

Including all iPhones sold today. Bye bye secure enclave. Bye bye full disk
encryption.

~~~
dogma1138
No it doesn't, the secure enclave is a separate chip; it doesn't use ARM
TrustZone. In fact, AFAIK Apple never implemented TrustZone in any of their
SoCs.

Considering the previous publications by this author, the issue is most likely
within the TZ kernel that QM uses, not in the hardware itself. Previous
vulnerabilities that were disclosed by the same guy/gal/singular or plural
sentient entity were patched.

~~~
tlrobinson
To be clear, Secure Enclave is a coprocessor on Apple's A7 and later SoCs,
it's not a physically separate chip from the main processor. But you are
correct it's different from TrustZone.

~~~
dogma1138
Thanks for the correction, I've read that it was a separate die but you are
correct it's in the same package.

~~~
cnvogel
Just picking some nits..., but being on a separate die can still mean that
it's in the same package.

[https://www.google.de/search?q=multi+chip+package&tbm=isch](https://www.google.de/search?q=multi+chip+package&tbm=isch)

------
robot
TrustZone runs an RTOS-like kernel; he likely hacked Qualcomm's implementation
of this kernel to gain access.

In particular this line in the screenshot hints at what he did: "Overwriting
syscall_table_5 pointer"

The issue is likely applicable on particular qualcomm devices, and a software
patch should be possible.

~~~
robot
TrustZone adds an additional protected mode to the CPU. IMO it complicates the
CPU and adds no additional security - it's not like other protected modes in
the CPU are less secure, or more hackable.

~~~
mike_hearn
The assumption is that yes, other modes _are_ more hackable because they're
running much larger kernels. The code inside TrustZone is supposed to be much
smaller, more focused and thus more easily auditable.

Unfortunately the constant stream of hacks of TrustZone applets that amount to
"I smashed a buffer on the stack and got access" make me think that too often
people forget the "more auditable" part.

~~~
kuschku
And then you have on x86 the Intel Management Engine, running a whole
graphics, audio and network stack, and a full JVM, and you notice that the
promise of "more auditable" was just a smokescreen, and it really is just
about DRM and backdoors.

------
zimmerfrei
Granted that details are not there yet (but from previous work done by the
author one can guess), would a formally proven OS like seL4 have prevented
this? seL4 is somewhat weak on HW support but the functionality required in
the secure domain doesn't do much I/O anyway.

~~~
laginimaineb
FWIW, formal verification requires a complete and exact spec - the TZ kernel
is _very_ complex and interacts with nearly all the peripherals on the SoC, it
doesn't just manage QSEE applications. I think creating a spec for something
like that would be really hard.

~~~
Eridrus
The whole point of using seL4 is that you can use it to provide guaranteed
isolation. If you were to use seL4 it would be so that you could write those
drivers in user mode and so that a bug in one would not let you extract crypto
keys in another.

------
guimarin
I hope there is a way to patch this remotely. TrustZone is on quite a few
devices today.[1]

If it's not, well, uhh, yeah this is kind of a problem.

1. [http://www.arm.com/products/processors/technologies/trustzone/](http://www.arm.com/products/processors/technologies/trustzone/)

~~~
dogma1138
Keymaster is a key management application that runs "on top" of TrustZone; this
doesn't mean that TrustZone or even QM's (hardware) implementation of
TrustZone is flawed.

It's more likely than not just a flaw within Keymaster itself, or within the
TrustZone kernel, which means that this can effectively be patched. This isn't
the first time vulnerabilities like this have been identified[0] (same author),
and previous issues have been patched.

For anyone who wonders, TrustZone is a Trusted Execution Environment (TEE)
technology for ARM CPUs; the more widely known equivalent is probably Intel's
TXT. It's not something QM has (solely) developed internally, and an underlying
issue with TZ can affect many more SoCs than just QM's (since AMD also uses
TrustZone[1], this could potentially also affect desktop/server CPUs).

My personal bet would be that this is an issue with Keymaster, or the TZ
kernel that QM has built, not with TZ itself on a hardware or even microcode
level, and most likely very possible to be patched.

[0] [http://bits-please.blogspot.co.uk/2015/08/exploring-qualcomms-trustzone.html](http://bits-please.blogspot.co.uk/2015/08/exploring-qualcomms-trustzone.html)

[1] [http://www.amd.com/en-us/innovations/software-technologies/security](http://www.amd.com/en-us/innovations/software-technologies/security)

------
modeless
What is TrustZone being used for in practice?

~~~
HappyTypist
iPhones' secure enclave, full disk encryption, Touch ID, etc.; likewise on
Android.

~~~
JumpCrisscross
Source?

~~~
NEDM64
He's a troll.

iPhones don't use it. They don't use Qualcomm SoCs.

~~~
runholm
Note that TrustZone is not a Qualcomm technology, but rather an ARM
technology. Apple could have gone with TrustZone in their SoC.

(But yes, he is a troll and this whole case has nothing to do with Apple).

~~~
msbarnett
Nit: TrustZone isn't a Qualcomm technology, but KeyMaster is Qualcomm software
built on top of it (and that appears to be where this break lies).

------
gruez
How would this be patched? I'm assuming that this will require ucode/hardware
patching, as TrustZone is implemented in hardware?

~~~
runholm
If TrustZone itself has a bug, that would require a hardware patch. Luckily it
seems that this bug was an issue with the code running on the chip.

With TrustZone, some code is running in the secure domain and can read or
write to both secure and non-secure memory. You need to find some bug in the
secure code to "trick" the secure code into copying data from secure memory to
non-secure memory.
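
The bug class runholm describes above, as an added C example that is not code from the thread, the article, or Qualcomm: a toy secure-monitor service handler that writes a reply to a caller-supplied address. The address map, region sizes, the `request_t` struct, and all function names are constructed for the illustration. The unchecked handler accepts any mapped address, so a normal-world caller can steer the copy into secure memory; the hardened handler admits only destinations lying wholly within the normal-world shared region, using a length check that cannot wrap around. A naive `addr + len` check is kept beside it to show why the subtraction form matters.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed address map for a toy secure monitor. The ranges and sizes are
 * invented for this illustration and are not Qualcomm's memory layout. */
#define SECURE_BASE 0x0E000000u
#define SECURE_SIZE 0x00010000u   /* 64 KiB of secure-world memory        */
#define NS_SHM_BASE 0x80000000u
#define NS_SHM_SIZE 0x00010000u   /* 64 KiB of normal-world shared memory */

/* Simulated backing store for the two regions (constructed). */
static uint8_t secure_mem[SECURE_SIZE];
static uint8_t ns_mem[NS_SHM_SIZE];

enum { SVC_OK = 0, SVC_EINVAL = -1 };

/* A normal-world request: "write your status reply to out_addr". Both fields
 * are caller-controlled and therefore untrusted from the secure world's view. */
typedef struct {
    uint32_t out_addr;
    uint32_t out_len;
} request_t;

/* Constructed 8-byte reply the service returns to the caller. */
static const uint8_t status_reply[8] = { 'O', 'K', 0, 0, 0, 0, 0, 1 };

/* Map a 32-bit "physical" address to the backing store, or NULL if unmapped.
 * It resolves BOTH regions: that is exactly what makes an unchecked
 * caller-supplied pointer dangerous. */
static uint8_t *resolve(uint32_t addr, uint32_t len) {
    if (addr >= SECURE_BASE && addr - SECURE_BASE < SECURE_SIZE &&
        len <= SECURE_SIZE - (addr - SECURE_BASE))
        return secure_mem + (addr - SECURE_BASE);
    if (addr >= NS_SHM_BASE && addr - NS_SHM_BASE < NS_SHM_SIZE &&
        len <= NS_SHM_SIZE - (addr - NS_SHM_BASE))
        return ns_mem + (addr - NS_SHM_BASE);
    return NULL;
}

/* Naive range check: addr + len can wrap past 2^32, so a huge len makes the
 * sum look small and the check passes. Kept only for comparison. */
bool ns_range_naive(uint32_t addr, uint32_t len) {
    return addr >= NS_SHM_BASE && addr + len <= NS_SHM_BASE + NS_SHM_SIZE;
}

/* Correct check: [addr, addr+len) must lie wholly inside normal-world shared
 * memory. Computed with subtraction so nothing can wrap. */
bool ns_range_ok(uint32_t addr, uint32_t len) {
    if (len == 0 || addr < NS_SHM_BASE) return false;
    uint32_t off = addr - NS_SHM_BASE;
    if (off >= NS_SHM_SIZE) return false;
    return len <= NS_SHM_SIZE - off;
}

/* Vulnerable handler: trusts out_addr, so the caller can make the secure
 * world write into its own (secure) memory. */
int handle_status_unchecked(const request_t *req) {
    uint8_t *dst = resolve(req->out_addr, req->out_len);
    if (dst == NULL || req->out_len < sizeof status_reply) return SVC_EINVAL;
    memcpy(dst, status_reply, sizeof status_reply);
    return SVC_OK;
}

/* Hardened handler: the destination must be normal-world shared memory. */
int handle_status_checked(const request_t *req) {
    if (!ns_range_ok(req->out_addr, req->out_len)) return SVC_EINVAL;
    if (req->out_len < sizeof status_reply) return SVC_EINVAL;
    memcpy(ns_mem + (req->out_addr - NS_SHM_BASE), status_reply, sizeof status_reply);
    return SVC_OK;
}

/* Helpers for inspecting the simulation. */
void reset_sim(void) {
    memset(secure_mem, 0, sizeof secure_mem);
    memset(ns_mem, 0, sizeof ns_mem);
}
bool secure_mem_untouched(void) {
    for (size_t i = 0; i < sizeof secure_mem; i++)
        if (secure_mem[i] != 0) return false;
    return true;
}
uint8_t ns_mem_byte(uint32_t off) { return ns_mem[off % NS_SHM_SIZE]; }

int main(void) {
    reset_sim();
    request_t legit   = { NS_SHM_BASE + 0x100, 64 };
    request_t hostile = { SECURE_BASE + 0x40, 64 };  /* points into secure memory */
    printf("legit   checked=%d\n", handle_status_checked(&legit));
    printf("hostile checked=%d secure_untouched=%d\n",
           handle_status_checked(&hostile), secure_mem_untouched());
    printf("hostile unchecked=%d secure_untouched=%d\n",
           handle_status_unchecked(&hostile), secure_mem_untouched());
    return 0;
}
```

The design point is that every pointer and length crossing from the normal world is validated against the set of regions the secure world is willing to touch on the caller's behalf, never against "is this address mapped at all". The same check applies to source pointers when the service copies data out, which is the read direction of the leak runholm mentions.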

------
cloudjacker
You don't post about this on Twitter, you wait.

------
happycube
When someone asks if you're a (security) god, say NO!

(... unless you are one)

------
mrweasel
See, this is why Twitter is a terrible news medium. TrustZone is the company I
buy SSL certificates from, so what do you think people like me assume has
happened?

A little context wouldn't have hurt anyone.

~~~
sspiff
> QualComm ... TrustZone

I think to most people following him, it's clear this is about ARM TrustZone.

------
mindcreek
So now we know how the FBI got into the shooter's phone :)

~~~
NEDM64
It was an iPhone. Not Qualcomm.

~~~
mindcreek
Maybe read a little bit before downvoting? Qualcomm is a chipset
manufacturer; iPhone is a device. Has it occurred to you that an iPhone might
have Qualcomm tech in it?

~~~
abritishguy
Maybe you should read? The secure enclave is completely separate from TrustZone
on an iPhone and has nothing to do with Qualcomm.

~~~
mindcreek
"Inside, the 5c packs the same Apple A6 processor featured in the iPhone 5, a
Qualcomm MDM9615M LTE modem, and a Qualcomm WTR1605L
LTE/HSPA+/CDMA2K/TDSCDMA/EDGE/GPS transceiver. The back of the logic board
features assorted power management, flash, and controller components from
Toshiba, Qualcomm, and Broadcom, as well as a Murata Wi-Fi module. "

The iPhone 5c has Qualcomm stuff in it.

~~~
jrockway
TrustZone is an ARM thing for the general-purpose computer on the device. The
modem and radio are not relevant to discussions on TrustZone.

