The device pages don't warn about proprietary (and likely signed) TrustZone TEE
Most of the devices currently supported by Replicant (except the GTA04) have TrustZone, and it is likely in use on them. It is probably also the reason why manufacturers enforce signed bootloaders while still allowing unsigned kernels to run: the bootloader is what loads and protects the TEE, so it has to be trusted, whereas the kernel only ever runs in the normal world.
The TrustZone TEE runs alongside the regular operating system (Replicant), in the secure world and with greater privileges than it: it can access the normal world's memory, while the normal world cannot inspect or control it. Since it is proprietary and stored with, or loaded by, the (signed) bootloader, it is a serious threat to both freedom and privacy/security. TrustZone is often used to allow decoding DRM content without any possibility for the user […]. However, since little is known about the TrustZone TEE implementations (exactly how the TEE is loaded and how it is called from the normal world), we should do some research about:
- Whether there are TrustZone bindings in the kernel, i.e. drivers that issue SMC (secure monitor call) instructions to call into the secure world (e.g. related to DRM decoding).
- How the (signed) bootloaders load the TrustZone TEE image and where it is stored. If the TEE is not part of the bootloader image, knowing whether it is signed, and whether the bootloader verifies that signature before loading it, would be crucial.
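A first, cheap check for the first item above (and, equally, for a bootloader dump in the second item) is to look for SMC call sites in the binary: SMC is the only instruction the normal world has to enter the secure monitor, so every occurrence is a TrustZone binding worth inspecting with a disassembler. The following scanner is an added example written for this page, not code from Replicant or from any of the projects mentioned; it searches a raw image for the A32, Thumb-2 and AArch64 SMC encodings and prints their offsets. The embedded sample blobs are constructed for the demonstration. It must be run on an uncompressed kernel (vmlinux or the decompressed Image, not a zImage), and Thumb-2 matches found at 2-byte alignment in data sections are false positives until confirmed in a disassembly.

```python
"""Scan a raw ARM / Thumb-2 / AArch64 binary for SMC instruction encodings.

SMC is the instruction the normal world (kernel or bootloader) uses to call
into the TrustZone secure monitor / TEE, so each hit is a candidate binding
to TrustZone that should be looked at in a disassembler.

Encodings, stored little-endian in the file:
  A32     : cond 0001 0110 0000 0000 0000 0111 imm4  -> (w & 0x0FFFFFF0) == 0x01600070
  Thumb-2 : hw1 = 0xF7F0 | imm4, hw2 = 0x8000
  AArch64 : 1101 0100 000 imm16 000 11               -> (w & 0xFFE0001F) == 0xD4000003
"""
import struct
import sys


def scan_smc(data: bytes, arch: str):
    """Return a list of (offset, immediate) for every SMC encoding found.

    arch: "arm" (A32, 4-byte aligned), "thumb" (Thumb-2, 2-byte aligned)
          or "aarch64" (4-byte aligned).
    """
    hits = []
    if arch == "arm":
        for off in range(0, len(data) - 3, 4):
            w = struct.unpack_from("<I", data, off)[0]
            # cond == 0b1111 is the unconditional instruction space, not SMC
            if (w & 0x0FFFFFF0) == 0x01600070 and (w >> 28) != 0xF:
                hits.append((off, w & 0xF))
    elif arch == "thumb":
        for off in range(0, len(data) - 3, 2):
            hw1, hw2 = struct.unpack_from("<HH", data, off)
            if (hw1 & 0xFFF0) == 0xF7F0 and hw2 == 0x8000:
                hits.append((off, hw1 & 0xF))
    elif arch == "aarch64":
        for off in range(0, len(data) - 3, 4):
            w = struct.unpack_from("<I", data, off)[0]
            if (w & 0xFFE0001F) == 0xD4000003:
                hits.append((off, (w >> 5) & 0xFFFF))
    else:
        raise ValueError("unknown arch: " + arch)
    return hits


# Constructed sample blobs (not taken from any real firmware):
#   ARM:     mov r0, #0 ; smc #0 ; bx lr ; smc #3
ARM_BLOB = bytes.fromhex("0000a0e3" "700060e1" "1eff2fe1" "730060e1")
#   AArch64: mov w0, #1 ; smc #0 ; smc #0x1234 ; ret
AARCH64_BLOB = bytes.fromhex("20008052" "030000d4" "834602d4" "c0035fd6")
#   Thumb-2: nop ; smc #0 ; bx lr
THUMB_BLOB = bytes.fromhex("00bf" "f0f70080" "7047")


def report(data: bytes, arch: str) -> int:
    """Print every hit and return the number of SMC sites found."""
    hits = scan_smc(data, arch)
    for off, imm in hits:
        print("%s: SMC #%#x at offset %#x" % (arch, imm, off))
    return len(hits)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: smc_scan.py <raw-image> <arm|thumb|aarch64>
        with open(sys.argv[1], "rb") as f:
            report(f.read(), sys.argv[2])
    else:
        # No file given: run over the constructed samples.
        report(ARM_BLOB, "arm")          # hits at 0x4 (imm 0) and 0xc (imm 3)
        report(AARCH64_BLOB, "aarch64")  # hits at 0x4 (imm 0) and 0x8 (imm 0x1234)
        report(THUMB_BLOB, "thumb")      # hit at 0x2 (imm 0)
```

The immediate is usually 0 on Linux (the call number travels in registers, e.g. r0/x0 as in the SMC Calling Convention), so the offsets matter more than the immediates: take each one to the disassembler, find the enclosing function, and look at what it puts in the argument registers to identify which secure service is being called.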
Looking at some documentation and at known free implementations could help (ARM's reference Trusted Firmware, for example). Some platforms and devices come with more documentation about TrustZone (e.g. the i.MX53 and the USB armory, or the Tegra X1).