Secure Block Device -- Secure, Flexible, and Efficient Data Storage for ARM TrustZone Systems

Recent years have seen a flurry of activity in the area of efficient and secure file systems for cloud storage, and also in the area of memory protection for secure processors. Both scenarios use cryptographic methods for data protection. Here, we consider the middle ground: the problem of using cryptographic methods to protect data integrity and confidentiality on a system with two strongly isolated execution environments, specifically an ARM TrustZone system with a Trusted Execution Environment. We introduce the Secure Block Device, a secure, easy to use, flexible, efficient, and widely applicable minimal Trusted Computing Base solution to provide data confidentiality and integrity for Data at Rest. The Secure Block Device is an open source C software library that uses a Merkle-Tree in conjunction with a selectable Authenticated Encryption scheme to provide an easy to integrate solution for applications that require fast and secure random access to data, but not a fully fledged file system. It was designed for Trusted Applications running in a Trusted Execution Environment that already have secure storage for cryptographic keys, but no secure general purpose data store. Beyond that, the Secure Block Device is applicable in all similar scenarios. We evaluate the Secure Block Device by using it as the core component in a secure storage Trusted Application that uses the ARM TrustZone Trusted Execution Environment to provide a confidential and integrity protected block device to the normal world OS.