<smaeul>
apritzel: speaking of trustzone, when you put TF-A in DRAM, do you protect it with the TZASC?
<karlp>
I may have mixed this up with armv7-m vs armv8-m where, and the _appearance_ on armv8-a, on -m profile, trustzone is new in v8.
<karlp>
isn't that all from trustzone changes?
<apritzel>
You have the same Trustzone in your H3, and use it for U-Boot's very minimal PSCI implementation
<karlp>
yeah, but ~everything on armv8 has trustzone, and ~nothing on armv7 has, even if the spec was available for years and years
<apritzel>
Trustzone predates Armv8 by years (if not a decade?)
<karlp>
for me arm64 is all about trustzone,
2020-11-11
<bauen1>
the pinephone is a very interesting target for doing trustzone and hardware security in general e.g. something like https://www.youtube.com/watch?v=voFV1W4yyY8 or a secure pin (encryption password) entry screen
2020-10-04
<bauen1>
asdf28: if you want to i can talk about secure boot, trustzone, my future plans with a h6 sbc, and my recent reverse engineering of the h5 sbrom, interested? lol
2020-10-03
<bauen1>
it kind of looks like all trustzone implementations in allwinner SoCs are handicapped in some way or another (backdoor in h3, probably a lack of SPC / SMC on the h6)
2020-04-05
<buZz>
amd's trustzone is indeed licensed from ARM
<psydread>
I built everything from scratch last year using the linux-sunxi wiki as a guide, so I don't have any blobs installed as far as I know. The only kind of dodgy thing could be the ARM Trusted Firmware (as in people bringing up Trustzone as something similar to the Intel Management Engine), but even that came from Github
2019-10-28
<tuxd3v>
I have enabled only 'Support for ARM TrustZone CryptoCell family of security processors'
2018-10-09
<smaeul>
though I'm not sure what the state of TrustZone ports is
<smaeul>
as for secure mode, you can run A64/H5 with upstream opensource ATF, and I know people have used that with a TrustZone implementation (OPTEE, I believe)
<KotCzarny>
smaeul: trustzone
<KotCzarny>
but trustzone isn't 64bit specific, then you can get some older board cheaply to play around?
<quitte>
by trustzone I mean the 33rd address bit that marks memory as secure
<quitte>
no trustzone can be used from the interrupt vector tables from how I interpret the parts of the manuals I read
<KotCzarny>
but without it trustzone isn't doing anything afaiu from those chats
<quitte>
Hi. What kind of surprises can I expect when I buy a pine a64 but read the cortex a53 reference manuals? Do I get a gic and trustzone?
2018-07-29
<KalPaOne>
: The processor delivers hardware security features that enable trustzone security system, Digital
2018-01-22
<[TheBug]>
but I swear I have a memory of watching/reading about how they broke trustzone on gameboy DS or whatever and it had 2 SoCs and one was A13, but maybe I am remembering the SoC wrong
2017-11-16
<maz>
trustzone is a SW concept. security extensions is what is used to implement TZ.
<lvrp16>
so trustzone implies security extensions?
2017-05-04
<wens>
it's the trustzone implementation. The AXI bus' secure state line isn't being forwarded properly
2017-05-02
<wens>
and if you're interested, read up on trustzone extensions and stuff
2017-02-17
<apritzel>
and we finally get the TrustZone protection we want
2017-02-08
<apritzel>
and now Trustzone works!
2017-02-07
<MoeIcenowy>
so you shouldn't face TrustZone problem ;-)
<jernej>
I disabled trustzone, but it didn't help
2017-01-17
<kristina>
broken trustzone :(
<Kosaka-Honoka>
the final story is that on H3/A64/H5 development boards which do not have the Secure Boot feature enabled, you cannot use TrustZone Peripheral Controller ;-)
<apritzel>
kristina: hi, the A64 seems to have a TrustZone controller which looks like the ARM TZ380 to me
<kristina>
got a Pine64 because it has proper trustzone peripherals and support.
<kristina>
is the sun50i trustzone controller documented anywhere?
<kristina>
is there any documentation for features like trustzone protection controllers or anything?
2017-01-10
<apritzel>
willmore: TrustZone is the marketing term for all this "secure" world things, which in turn is just another layer of privilege on top of the kernel (EL1) or hypervisors (EL2)
<willmore>
apritzel, thanks for the education. I had the impression it was more like TrustZone where it ran on a separate core inside the SoC--some little M3 or M4 or something.
2016-11-20
<xdeniz>
who can i ask for this topic montjoie? i have to install trustzone on this board (optee) and i need help
2016-11-04
<montjoie>
I try to play also with the Secure CE, but didn't work (need to learn more about trustzone)
2016-10-24
<MoeIcenowy>
for TrustZone.
2016-10-01
<apritzel>
trusted refers to both TrustZone and to the possibility of having some secure firmware, not easily being hackable from Linux
2016-06-08
<apritzel>
TrustZone is the ARM marketing name for this whole secure/non-secure architecture
<ssvb>
wtf is trustzone? is it something that can restrict access to some areas of the address space?
2016-05-20
<apritzel>
mripard: hey, it's called "TrustZone"
2016-01-12
<wens>
ah, as in TrustZone
2015-06-25
<_romain_>
Hi, does someone know if the Allwinner A20 supports/has a TrustZone Protection Controller (TZPC)?
2015-04-05
<rellla>
NiteHawk: ok. thanks for your contributions to the wiki, but i'd suggest to drop the neon and trustzone pages.
2015-03-31
<ijc>
NiteHawk: PSCI is fundamentally an interface for nonsec to request sec to do things which it is not permitted to do (often things like starting/stopping cpus etc are limited to sec world only). The mechanism underlying PSCI (smc instruction) is, I think, only available from NS world (and traps to S world/monitor mode and monitor mode may not even be present in the CPU if trustzone isn't present). Plus when running in sec world the kernel can do all
2015-02-17
<Turl>
open source trustzone sw? :O
2014-10-10
* slapin
hates trustzones
<ssvb>
hramrach_: the industry is moving to signed kernels, UEFI, trustzone and other buzzwords
2014-01-07
<oliv3r>
mripard: ahh, so psci is a trustzone thing actually; very interesting
<oliv3r>
mripard: well if you disable trustzone, it becomes fully usable and mappable, i thought that's what the psci thing did
<oliv3r>
mripard: if you activate trustzone, yeah but then it won't be useful for psci
<oliv3r>
mripard: so if you use it for something else, you technically can't use trustzone anymore
<oliv3r>
mripard: well isn't sram B officially solely for trustzone
<oliv3r>
ah it abuses trustzone ram; or is it actually part of trustzone?
2013-12-09
<oliv3r>
since we don't even use trustzone, it's a waste of 512 kiB of SRAM :)
<oliv3r>
TheSeven: maybe so, but we can configure the sram to be available to the CPU or the TrustZone
2013-11-21
<maz>
oliv3r: unused, yes. but *if* AW has wired things correctly, only a secure mode access can access secure RAM. otherwise, trustzone cannot be really trusted at all ;-)
<oliv3r>
maz: for sunxi specific have you considered having this blob in the 'secure' SRAM (that's used for trustzone which is unused?)
2013-11-06
<Turl>
and kill the trustzone one
<Turl>
arokux2: there is no driver for trustzone
<Turl>
deasy: I think the person who wrote that wiki page just mixed up SS and trustzone
<deasy>
"TrustZone cryptographic engine and security accelerator co-processor that supports both decryption and encryption of AES, DES, and 3DES, as well as SHA-1, "
<Turl>
arokux2: trustzone it's a thing to run a 'second OS' on a secure world
<pfdm>
Turl: Maybe because of this on the wiki : Allwinner SoC include a TrustZone cryptographic (crypto) engine co-processor that optimizes cryptographic operations with a 100x factor or even more comparing to a plain software implementation run on the CPU.
<Turl>
and trustzone won't accelerate your crypto operations, I dunno why do people always think that
<Turl>
deasy: yeah, all supposedly have trustzone
2013-10-20
<Turl>
aep: not trustzone, you want the Security System
2013-09-13
<wingrime>
mnemoc: so, trustzone, and proprietary stuff can also be disabled from dram access
2013-09-11
<atiti>
anyone has trustzone working?
2013-07-31
<hno>
but a working trustzone requires a working secure boot.
<hno>
not trustzone. Only SS and SID.
<oliv3r>
hno: haven't found that yet, but if they use 'trustzone' for that, figures
2013-07-28
<wingrime>
oliv3r: trustzone It seems for DRM
<oliv3r>
hno: do you think that 'trustzone' can be used for anything useful?
<hno>
well, the A10 do have some ARM Trustzone support, but from specifications it looks like key management is fundamentally flawed.
2013-07-12
<oliv3r>
mripard_: incidentally, i looked at the generic sram controller too; figuring we can use at least the trustzone cache for it
2013-06-25
<oliv3r>
navlrac i don't think we use the trustzone at all
<navlrac>
hno: thanks. yes I was referring to TrustZone secure world.
<hno>
navlrac, if you by secure world think about TrustZone secure world then it's normal world (not TrustZone protected). Not sure about virt support.
2013-06-18
<hark>
hi, is it possible to use the trustzone with cryptodev on the A20?
2013-04-10
<oliv3r>
it also tells us that you need to load a trustzone 'OS' into the arm to be executed in the arm trustzone
<Turl>
mripard_: a bit offtopic, but have you seen the trustzone bug they found on qcom motorolas?
2013-04-03
<oliv3r>
SRAM B is for 'ARM TrustZone'
2013-03-30
<oliv3r>
wingrime: but i'm assuming ALL arm cores have 'B' section as it's used for trustzone so arm probably says it's mandatory
<oliv3r>
i know the VE, Nand and arm 'trustzone' use it
2013-03-27
<oliv3r>
calris_: TrustZone-capable processors start executing in Secure state on power-on, if the boot loader does nothing to change the security state, all software will run as Secure (removing any security benefits).
<oliv3r>
calris_: i think you probably need userland/kernel support for ARM trustzone
2013-03-26
<oliv3r>
calris_: from what i glanced, trustzone makes the arm core not do context switches for certain things
<oliv3r>
hipboi: if that is possible (only during SPL, trustzone can have sram B back for regular u-boot) it would mean 64k more memory!
<oliv3r>
hipboi: quick question; SRAM B (secure) isn't really documented, i think it may be used for ARM Trustzone? By when or what is it used? Do you think it is possible to access it from SPL (and only from SPL)?
2013-03-25
<oliv3r>
mnemoc: maybe arm says 'we need 64k for trustzone that you cannot use'
<oliv3r>
the datasheet just lists SRAM B as 'secure' which could possibly mean, that it's meant for use of ARM trustzone; but SPL may be able to hijack it