Fabian Schwarz
CISPA Helmholtz Center for Information Security, Saarbrücken, Germany

Jan Philipp Thoma
Ruhr University Bochum, Bochum, Germany

Christian Rossow
CISPA Helmholtz Center for Information Security, Saarbrücken, Germany

Tim Güneysu
Ruhr University Bochum, Bochum, Germany; DFKI GmbH, Bremen, Germany

Keywords: Security Extensions, Microarchitecture, Key Management

Abstract

The confidentiality of cryptographic keys is essential for the security of protection schemes used for communication, file encryption, and outsourced compu- tation. Beyond cryptanalytic attacks, adversaries can steal keys from memory via software exploits or side channels, enabling them to, e.g., manipulate confidential information or impersonate key owners. Therefore, existing defenses protect keys in dedicated devices or isolated memory, or store them only in encrypted form. However, these designs often provide unfavorable tradeoffs, sacrificing performance, fine-grained access control, or deployability.In this paper, we present KeyVisor, a lightweight Instruction Set Architecture ( ISA) extension that securely offloads the handling of symmetric crypto keys to the CPU. KeyVisor provides CPU instructions that enable applications to request protected key handles and perform AEAD cipher operations on them. The underlying keys are accessible only by KeyVisor, and thus never leak to memory. KeyVisor’s direct CPU integration enables fast crypto operations and hardware-enforced key usage restrictions, e.g., keys usable only for de-/encryption, with a limited lifetime, or with a process binding. Furthermore, privileged software, e.g., the monitor firmware of TEEs, can revoke keys or bind them to a specific process/TEE. We implement KeyVisor for RISC-V based on RocketChip, evaluate its performance, and demonstrate real-world use cases, including key-value databases, automotive feature licensing, and a read-only network middlebox.