Arm aims to introduce a novel security model as it prepares for the processors that will be designed under its upcoming v9 architectural definition. The company sees “realms” as a way of isolating user-level secure operations from the operating system and hypervisor so that software will not be compromised even if the core system is.
Although it will incorporate some elements proposed for the existing v8.5 architecture, v9 is meant to address changes in the processor market that are moving across the industry, from servers to deeply embedded systems, taking in security, machine learning and hardware acceleration.
Arm v9 sees the company trying to navigate the boundary between the standard architectures that pretty much defined the recent past of computing, both embedded and desktop, and the growing demand for specialised processors that offer a better balance between energy consumption and performance now that Dennard scaling is long gone.
At Arm’s “vision day”, Arm senior vice president, chief architect and fellow Richard Grisenthwaite pointed to the company’s prior work on server architectures with SBSA and the ServerReady program “to drive the right amount of standardisation”. This is a contrast to what RISC-V offers: the open-source instruction-set architecture provides a path to much more radical customisation at the cost of binary compatibility with other, similar platforms.
Although the company plans to add further extensions for matrix arithmetic as the use of machine learning increases, the focus for the moment is on the second-generation Scalable Vector Extensions (SVE2) developed with Fujitsu for its supercomputer efforts. Grisenthwaite claimed SVE2 works well for use-cases such as 5G as well as augmented and virtual reality and machine learning. He emphasised the need for instruction-set flexibility in AI because, based on the company’s analysis of existing applications, there can be radically different mixtures of operations depending on the end task. Image-focused AI, for example, makes intensive use of matrix operations, presumably because of its reliance on convolutional neural networks, while audio anomaly detection, mostly in deeply embedded devices, involves a higher proportion of scalar instructions.
Though there are few details today, the biggest change with v9 is likely to be in the security model. Grisenthwaite pointed to the problem with existing security models that are based on rings of privilege. “There is a tremendous amount of trust in the operating system and hypervisor,” he said, which leads to problems in situations such as cloud computing in particular.
The core issue is that if the high-privilege layers are compromised, everything underneath is at risk. Arm’s proposal is to move secure operations needed by a user task into a fourth address space that cannot be accessed by the hypervisor or operating system. This, Grisenthwaite said, would help underpin the idea of “confidential computing” and “make it far easier to trust the computing infrastructure. Using realms it will be possible to safeguard data from end to end even if the operating system holding the data has been subverted”.
Mark Hambleton, vice president of open-source software at Arm, said the realms concept will not just be applied to cloud servers. “You can apply the same thinking to mixed-criticality environments in applications such as robotics to protect memory spaces from interference.”
Arm’s proposal is to extend TrustZone to manage the additional address spaces, though it will not be a transparent change. Software will need to be written specifically to take advantage of the realms concept when it becomes available. Other changes in v9 will continue the work Arm began in the v8 generation with the rollout of features such as the memory tagging extension, developed in concert with Google, that is meant to block common exploits such as buffer overflows and accesses to data elements that should have been freed and removed by a memory manager.
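To make the memory-tagging idea concrete, the following is an added software model of the mechanism; it is not Arm's code, not the article's, and not how the hardware extension is implemented. The model assumes 16-byte tag granules, a 4-bit tag per granule, the tag carried in the top byte of the pointer, and a bump allocator that colours each allocation with a fresh tag and recolours it on free. Every checked load or store compares the pointer's tag with the granule's tag and reports a fault on mismatch, which is what catches a linear overflow into the neighbouring allocation and a use of a freed pointer.

```c
/*
 * Added example: a toy software model of memory tagging.
 * Not Arm's implementation; granule size, tag width and the
 * allocation scheme are assumptions chosen for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRANULE    16                      /* bytes covered by one tag (assumed) */
#define HEAP_BYTES 256                     /* size of the simulated heap */
#define NGRANULES  (HEAP_BYTES / GRANULE)
#define TAG_SHIFT  56                      /* tag lives in the pointer's top byte */

static uint8_t heap[HEAP_BYTES];           /* simulated data memory */
static uint8_t gtag[NGRANULES];            /* one 4-bit tag per granule; 0 = not allocated */
static size_t  heap_top;                   /* bump-allocator cursor */
static uint8_t next_tag = 1;               /* allocation tags cycle through 1..15 */

typedef uint64_t tptr;                     /* "tagged pointer": tag in bits 56..59, offset below */

static tptr    mk_ptr(size_t off, uint8_t tag) { return ((tptr)tag << TAG_SHIFT) | (tptr)off; }
static uint8_t ptr_tag(tptr p)                 { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
static size_t  ptr_off(tptr p)                 { return (size_t)(p & 0x00FFFFFFFFFFFFFFull); }

/* Allocate n bytes rounded up to whole granules and colour them with a fresh tag.
 * Returns 0 on exhaustion (a valid pointer always carries a non-zero tag). */
static tptr tag_alloc(size_t n)
{
    size_t len = (n + GRANULE - 1) / GRANULE * GRANULE;
    if (len == 0 || heap_top + len > HEAP_BYTES) return 0;
    size_t off = heap_top;
    heap_top += len;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);          /* 1,2,...,15,1,... */
    for (size_t g = off / GRANULE; g < (off + len) / GRANULE; g++) gtag[g] = tag;
    return mk_ptr(off, tag);
}

/* Free: recolour the granules so any pointer still carrying the old tag mismatches. */
static void tag_free(tptr p, size_t n)
{
    size_t len = (n + GRANULE - 1) / GRANULE * GRANULE;
    size_t off = ptr_off(p);
    for (size_t g = off / GRANULE; g < (off + len) / GRANULE && g < NGRANULES; g++) gtag[g] = 0;
}

/* Checked store: 0 on success, -1 when the pointer tag does not match the granule tag. */
static int tag_store(tptr p, uint8_t v)
{
    size_t off = ptr_off(p);
    if (off >= HEAP_BYTES || ptr_tag(p) != gtag[off / GRANULE]) return -1;
    heap[off] = v;
    return 0;
}

/* Checked load with the same rule. */
static int tag_load(tptr p, uint8_t *out)
{
    size_t off = ptr_off(p);
    if (off >= HEAP_BYTES || ptr_tag(p) != gtag[off / GRANULE]) return -1;
    *out = heap[off];
    return 0;
}

/* Scenario 1: writes inside the allocation all succeed. Returns 1 when so. */
int demo_in_bounds(void)
{
    tptr a = tag_alloc(16);
    for (size_t i = 0; i < 16; i++)
        if (tag_store(a + i, (uint8_t)i) != 0) return 0;
    return 1;
}

/* Scenario 2: a linear overflow from a into its neighbour b faults on the first
 * byte past the end, because b's granule carries a different tag. Returns 1 when caught. */
int demo_overflow(void)
{
    tptr a = tag_alloc(16);
    tptr b = tag_alloc(16);
    (void)b;
    return tag_store(a + 16, 0x41) == -1;
}

/* Scenario 3: a read through a pointer to freed memory faults, because free()
 * recoloured the granule. Returns 1 when caught. */
int demo_use_after_free(void)
{
    tptr a = tag_alloc(16);
    uint8_t v;
    if (tag_store(a, 0x7f) != 0) return 0;
    tag_free(a, 16);
    return tag_load(a, &v) == -1;
}

int main(void)
{
    printf("in-bounds access ok:      %d\n", demo_in_bounds());
    printf("overflow detected:        %d\n", demo_overflow());
    printf("use-after-free detected:  %d\n", demo_use_after_free());
    return 0;
}
```

The toy hands out sequential tags so that neighbouring allocations always differ; a hardware implementation typically draws tags randomly, so an allocator that wants the same guarantee for adjacent blocks has to exclude the neighbour's tag when choosing a new one. Note also what the model does not catch: an out-of-bounds access that lands in a granule whose tag happens to equal the pointer's tag is indistinguishable from a valid access, which is why tagging is a probabilistic mitigation rather than full bounds checking.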
Other changes in v9 will likely come from research projects such as CHERI that the company is conducting with the University of Cambridge as well as the Morello project that has been part-funded by government group UK Research and Innovation (UKRI).