**** BEGIN LOGGING AT Sat Jan 30 02:59:58 2016 Jan 30 20:47:40 I have a problem with trustzone in arm, if I compile a kernel which enable trustzone, do I need to do prepare work to use that kernel Jan 30 20:47:46 just sign the kernel? Jan 30 21:05:48 funny question. trustzone needs support by bootloader Jan 30 21:07:24 the 1st stage bootloader (xloader) already needs to be signed by the private key matching the (non)public key in OMAP ROM Jan 30 21:08:04 so first of all you need that private key matching the pubkey your particular OMAP has Jan 30 21:09:32 at least that's what I think I understood of that trustzone mess Jan 30 21:11:39 if you need to sign your kernel and with which key, it's all a question of what xloader and main bootloader (usually uBoot of sorts) do Jan 30 21:14:06 on N9 for example there's a bootloader variant that actually will load unsigned kernels, but it sets a "tainted" flag in this case, which will lock several trustzone things for good, until next full reboot Jan 30 21:15:06 see Jan 30 21:15:09 ~aegis Jan 30 21:15:09 http://www.developer.nokia.com/Community/Wiki/Harmattan:Developer_Library/Developing_for_Harmattan/Harmattan_security/Security_guide , or "The purpose of this framework is: ... to make sure that the platform meets the requirements set by third party software that requires a safe execution environment.", or http://en.wikipedia.org/wiki/Trusted_Computing#Criticism, or http://en.qi-hardware.com/w/images/1/10/ME_382_LockedUpTechnology2.gif Jan 30 21:16:58 trustzone isn't a hardware function that kernel supports, rather it's a chain of trust resulting in a trusted kernel running under trustzone Jan 30 21:18:06 "enable turstzone in kernel" doesn't mean the kernel uses trustzone, it means trustzone will accept and work with that kernel ;-) Jan 30 21:29:44 DocScrutinizer05, I see, then the bootldr which will check the kernel whether is signed is just a job about self check? Jan 30 21:30:21 the TrustZone doesn't request the kernel is signed but the bootldr could decide whether it will accept this kernel? Jan 30 21:35:05 yes Jan 30 21:36:00 ROMBOOT checksums xloader. xloader checksums uboot. uboot checksums kernel. or not Jan 30 21:36:38 you can't change ROMBOOT, neither the key it uses, both are burned into chip at factory (TI) Jan 30 21:37:05 DocScrutinizer05, I see thank you Jan 30 21:37:24 a HighSecurity OMAP device will not load an unsigned or incorrectly signed xloader Jan 30 21:37:50 when you have a signed xloader that does what you want, you win Jan 30 21:39:03 luckily, my platform is exynos, which doesn't request bl2 is signed Jan 30 21:39:09 HS devices are OMAP34xx and 36xx, GeneralPurpose(=) are OMAP35xx and 37xx - iirc Jan 30 21:39:27 which doesn't request bl2 be signed Jan 30 21:39:54 by the way, is the OMAP serial going to dead? Jan 30 21:40:04 yes Jan 30 21:40:52 at least it seems like TI is not planning to do new OAMP chips Jan 30 21:41:09 OMAP5 is last of a kind Jan 30 21:41:11 maybe the second choose is im.x serial, which is seems to be the second open chip Jan 30 21:42:32 do you know some other serial of multimedia chip? I would like to use them in video encode area Jan 30 21:43:28 I only know the other like Qualcomm, Broadcomm Jan 30 21:51:04 DocScrutinizer05, thank you very much Jan 30 21:52:20 sorry, recently I didn't look into chip market, so I don't know what's out there and available and good Jan 30 21:52:50 I think some kickstarter projects used FPGAs Jan 30 21:53:30 you might want to ask on #qi-hardware Jan 30 21:55:45 I will Jan 30 22:12:59 and thank you Jan 30 22:19:10 yw Jan 30 22:24:49 and sorry I focused on OMAP. It's just the only real platform where I know a few details, though trustzone per se is same everywhere on all ARM platforms Jan 30 22:25:08 in OAMP it's called M-Shield Jan 30 22:28:52 basically trustzone is a way in ARM architecture to block access to certain (configurable) functions on the chip (like RAM ranges, peripheral interfaces etc) for a number of CPU operation modes. So you have a non-privileged mode and a secure mode. The secure mode is where bootloader runs in, and it loads kernel into the non-privileged mode so the kernel has no way to access certain stuff Jan 30 22:41:32 so the M-Shield is a TrustZone implement in OMAP Jan 30 22:42:58 the original design of trustzone is to run a secure kernel in secure area and a normal kernel in insecure area? Jan 30 22:43:55 but as linux don't actually support it, so it just let it is loaded from bootldr which in secure area into insecure area? Jan 31 01:03:28 the secure area is usually no linux, it's basically the bootloader and some monitor code. the cpu only runs one thing at a time, so the secure mode stuff usually doesn't run at all. Kernel however can cause a software interrupt that causes the CPU to enter privileged aka secure mode and jump to the code (from bootloader or monitor) and do some stuff in secure mode Jan 31 01:08:42 however on some system architectures actually the main system runs in secure mode, e.g. in a SoC with integrated modem radio. The modem system (linux or RTOS or whatever) has control over the complete system and runs secure, while the system we think of (regular linux, or android or windows etc) is basically just a "virtual machine" under control of the modem radio OS Jan 31 01:12:10 yes, M-Shield is the OMAP implementation of trustzone Jan 31 01:12:17 basically **** ENDING LOGGING AT Sun Jan 31 02:59:58 2016