All recent Huawei devices ship with a security hypervisor, a defense-in-depth measure designed to enhance kernel security. Unlike other OEMs, Huawei encrypts this privileged piece of software, hence why it has received little to no public scrutiny. With this blog post, we aim to cast light on its inner-workings and provide an in-depth analysis of its implementation, from its entry point to the functions dedicated to protecting the kernel at runtime.

This is a follow-up to our compendium blog post that presented the internals of Samsung's security hypervisor, including all the nitty-gritty details. This extensive knowledge is put to use in today's blog post that explains how we attacked Samsung RKP. After revealing three vulnerabilities leading to the compromise of the hypervisor or of its assurances, we also describe the exploitation paths we came up with. Finally, we take a look at the patches made by Samsung following our report.

The purpose of this blog post is to provide a comprehensive reference of the inner workings of the Samsung RKP. It enables anyone to start poking at this obscure code that is executing at a high privilege level on their device. In addition, a now-fixed vulnerability that allowed getting code execution in Samsung RKP is revealed. It is a good example of a simple mistake that compromises platform security, as the exploit consists of a single call, which is all it takes to make hypervisor memory writable from the kernel.