Research area: Verification
Conference: KISV '24: Proceedings of the 2nd Workshop on Kernel Isolation, Safety and Verification
The role of firmware has evolved over the past decades. Not only is firmware responsible for discovering, initializing, and monitoring the system's chipset, board, and devices, but it also acts as the root of trust and plays a leading role in confidential computing. Yet vulnerabilities in the non-security critical part of the firmware have repeatedly led to the compromise of the core TCB of the system. We propose an alternative architecture that excludes the non-security critical part of the firmware from the TCB by isolating it within a virtual machine with the introduction of a simple and verifiable virtual firmware monitor. We present the design of Miralis, the first virtual firmware monitor. Miralis can successfully boot Linux with a virtualized OpenSBI on RISC-V. We demonstrate through construction that the M-mode of RISC-V architecture meets the Popek & Goldberg criteria for classical virtualization. Our initial evaluation shows that Miralis removes vendor-provided, platform-specific firmware from the TCB with no measurable impact on boot and run-time performance.
| Publication year | 2024 |
|---|---|
| Citations | 1 |
| Country of publication | Switzerland |
| Site | ACM |