KeyVisor -- A Lightweight ISA Extension for Protected Key Handles with CPU-enforced Usage Policies
Abstract
KeyVisor is a novel, lightweight ISA extension that securely offloads cryptographic key handling directly to the CPU, preventing keys from leaking to memory via software exploits or side channels. It introduces dedicated CPU instructions that utilize protected key handles to perform fast authenticated encryption/decryption (AEAD) operations. This architecture enables hardware-enforced usage policies, allowing privileged software to restrict key lifetime, bind keys to specific processes, and revoke access, enhancing security for applications like TEEs and databases.
Report
Key Highlights
- Secure Key Offload: KeyVisor is a lightweight Instruction Set Architecture (ISA) extension designed to securely offload cryptographic key management directly to the CPU.
- Memory Protection: The underlying keys are accessible only by KeyVisor and never leak to main memory, mitigating risks from software exploits and side-channel attacks.
- Protected Handles: The extension provides CPU instructions for applications to request and utilize protected key handles for AEAD cipher operations.
- Hardware-Enforced Policies: KeyVisor supports CPU-enforced usage restrictions, including limited key lifetime, key usability restrictions (e.g., de-/encryption only), and process/TEE binding.
- RISC-V Implementation: KeyVisor has been implemented and evaluated for the RISC-V architecture, based on the Rocket Chip platform.
Technical Details
- Architecture: Implemented as a lightweight ISA extension, integrating secure key handling capabilities directly into the processor's instruction set.
- Key Interface: Applications interact with keys via opaque, protected key handles; the raw key material remains isolated within the KeyVisor CPU component.
- Operations: Provides specialized instructions for cryptographic operations, specifically focusing on AEAD (Authenticated Encryption with Associated Data) cipher primitives.
- Policy Management: Usage policies are defined and enforced in hardware. These policies include binding a key to a specific process or TEE (Trusted Execution Environment) and setting expiration limits.
- Revocation Mechanism: Privileged software (such as monitor firmware) retains the ability to revoke existing key handles or modify their bindings dynamically.
- Evaluation Context: The implementation targets the RISC-V ecosystem, demonstrating its feasibility on open-source hardware designs like Rocket Chip.
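The policy checks listed above (lifetime, usage restriction, process/TEE binding, privileged revocation) can be sketched as a small software model. This is an added example, not code from the KeyVisor paper or project: every name, field, the slot table and the order of the checks are assumptions, and it models only the authorization decision, not the AEAD instructions or handle format.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Conceptual model: all names/fields are hypothetical, not KeyVisor's ISA. */
enum kv_op { KV_ENCRYPT = 1, KV_DECRYPT = 2 };
enum kv_result { KV_OK, KV_BAD_HANDLE, KV_REVOKED, KV_EXPIRED,
                 KV_WRONG_OWNER, KV_OP_DENIED, KV_NOT_PRIVILEGED };
struct kv_slot {            /* state held inside the modelled CPU component */
    bool     in_use, revoked;
    uint8_t  allowed_ops;   /* bitmask of kv_op */
    uint32_t bound_id;      /* process/TEE id, 0 = unbound */
    uint64_t expires_at;    /* time counter value, 0 = no expiry */
};
#define KV_SLOTS 4
static struct kv_slot slots[KV_SLOTS];

/* Returns an opaque handle (slot index) or -1; key material never leaves. */
int kv_create(uint8_t ops, uint32_t bound_id, uint64_t expires_at) {
    for (int h = 0; h < KV_SLOTS; h++) {
        if (slots[h].in_use) continue;
        slots[h] = (struct kv_slot){ true, false, ops, bound_id, expires_at };
        return h;
    }
    return -1;
}

/* Policy decision made before any AEAD operation would run. */
enum kv_result kv_authorize(int h, enum kv_op op, uint32_t caller, uint64_t now) {
    if (h < 0 || h >= KV_SLOTS || !slots[h].in_use) return KV_BAD_HANDLE;
    const struct kv_slot *s = &slots[h];
    if (s->revoked) return KV_REVOKED;
    if (s->expires_at && now >= s->expires_at) return KV_EXPIRED;
    if (s->bound_id && caller != s->bound_id) return KV_WRONG_OWNER;
    if (!(s->allowed_ops & op)) return KV_OP_DENIED;
    return KV_OK;
}

/* Only privileged software (e.g. monitor firmware) may revoke a handle. */
enum kv_result kv_revoke(int h, bool privileged) {
    if (!privileged) return KV_NOT_PRIVILEGED;
    if (h < 0 || h >= KV_SLOTS || !slots[h].in_use) return KV_BAD_HANDLE;
    slots[h].revoked = true;
    return KV_OK;
}

int main(void) {
    int h = kv_create(KV_ENCRYPT, 7, 100);  /* constructed sample policy */
    printf("%d %d\n", kv_authorize(h, KV_ENCRYPT, 7, 50), kv_authorize(h, KV_DECRYPT, 7, 50));
    return 0;
}
```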
Implications
- Elevated Security Posture: KeyVisor offers a stronger security guarantee than purely software-based memory isolation or simple encryption, as the fundamental cryptographic secrets are never exposed outside the CPU boundary.
- Improved Performance: By integrating crypto operations directly into the CPU instruction set, KeyVisor avoids the performance overhead often associated with moving data between isolated memory enclaves or dedicated hardware security modules (HSMs).
- Flexibility in RISC-V Ecosystem: This work validates the extensibility of the RISC-V ISA, allowing security researchers to rapidly develop and integrate novel hardware-enforced security primitives tailored to specific application needs.
- Enabling Fine-Grained Access Control: The ability to bind keys to specific processes and enforce granular usage policies provides crucial primitives for constructing highly secure trusted computing environments, modern software licensing schemes (e.g., automotive feature licensing), and read-only network middleboxes.