TEEm: Supporting Large Memory for Trusted Applications in ARM TrustZone

Trusted Execution Environments (TEEs), like ARM TrustZone, are increasingly crucial in fields like machine learning, blockchain, WebAssembly, and databases due to their robust security features. Despite their growing importance, TrustZone-based compact TEE operating systems such as OP-TEE are not equipped to support large memory for trusted applications. This is because TrustZone was primarily used in embedded and mobile devices, which typically do not require large memory capacities. However, this restriction is particularly critical as it limits TEEs' effectiveness in processing large-scale data and conducting memory-intensive computations. In this paper, we propose TEEm, a novel solution that enables large secure memory support in TEEs without compromising security. To the best of our knowledge, this is the first public method that supports large memory for Trusted Applications (TAs) to run directly within TrustZone. TEEm designs the single-to-multiple memory mapping policy to expand virtual address space for TA, and a parameter-based memory allocation mechanism that allows TAs to request more trusted memory from TEE. To validate the feasibility and performance of TEEm, we build a prototype based on OP-TEE and evaluate it using multiple memory micro-benchmarks. Security and performance evaluations demonstrate that TEEm not only achieves a performance of 3.48 times faster than Linux in memory allocation but also maintains a high level of security, providing substantial memory support for memory-intensive applications.