Project

General

Profile

Actions

Issue #1659

open

The device pages don't warn about proprietary (and likely signed) TrustZone TEE

Added by Paul Kocialkowski about 6 years ago. Updated about 1 year ago.

Status:
In Progress
Priority:
High
Category:
Website and wiki content
Target version:
-
Start date:
03/06/2016
Due date:
% Done:

50%

Estimated time:
Resolution:
Device:
Grant:
Type of work:
C programming, Communication (mails, contacting people, etc), Wiki editions

Description

Most of the devices currently supported by Replicant (except the GTA04) support TrustZone, which is likely used on most devices. It is likely the reason why manufacturers enforce signed bootloaders while allowing unsigned kernels to run.

TrustZone TEE runs in parallel to and with greater privileges than the regular operating system (Replicant). Since it is proprietary and stored with/loaded by the (signed) bootloader, it is a great threat to both freedom and privacy/security. TrustZone is often used to allow decoding DRM contents without any possibility for the user

However, since little is known about TrustZone TEE implementations (and exactly how it's loaded, how it's contacted), we should do some research about:
  • Whether there are TrustZone bindings in the kernel (e.g. related to DRM decoding).
  • How the (signed) bootloaders load the TrustZone TEE image and where it is stored. If not part of the bootloader image, knowing whether it is signed would be crucial.

Looking at some documentation and known free implementations for that could help (ARM's reference trusted firmware). Some platforms and devices come with more documentation about TrustZone (e.g. i.MX53 and USB armory, Tegra X1).

Actions

Also available in: Atom PDF