How to config a device to be trusted in aarch64()?


#1

Suppose I have a WL1835MOD bluetooth module (or CC2540, or some other device like a keyboard), and I want to let it work both in secure state (SCR_EL3.NS=0) and in Non-secure state (SCR_EL3.NS=0), how should I config it?
I understand that Hikey provides the TrustZone feature, but I don’t quite understand how to config it to work when in secure state (when SCR_EL3.NS=0). Can I simply change the NS bit in the SCR register to make it work?

I have roughly searched the ARM documentation for ARMv8, but all I get is that the NS bit in the SCR_EL3 register will affect the secure state. I really didn’t know much about SoCs before, could anyone please give me some advice?

Thanks a lot.


#2

NS bit is registered by monitor. (refer to ARM Trusted Firmware)


#3

This is still in the very early stages of work in progress.
Some related components are:

DT Secure bindings
https://lkml.org/lkml/2015/10/29/287

GlobalPlatform Trusted UI Specification v1.1
http://www.globalplatform.org/specificationsdevice.asp


#4

Thanks, I’m looking forward to it.

BTW, I found a paper saying that I can config an I/O peripheral to be secure by configuring TZPC (TrustZone Protection Controller), what is the difference between DT Secure bindings and the method in this paper?


#5

The DT just ‘marks’ the device as secure or not or both, and the TZPC (or TZASC or TZMA) does the actual configuration.

Adding to the previous post, another related component can be the Secure Element (https://www.globalplatform.org/mediaguideSE.asp).

Configuring a device to be trusted requires the integration of many components in many layers of the software stack running in both rich and trusted execution environments (REE and TEE). It’s not just writing a piece of code or calling a function or setting a bit somewhere. Maybe when everything’s said and done, but that’s a really big maybe…


#6

Thanks, vchong.
It seems there is a long way to go, I’ll keep watching it.


#7

Hi, vchong
I’m wondering if there is any documentation about the TZPC or TZASC on Hikey, because I couldn’t find relevant information in the Hi6220 datasheet and Hikey user guide.

I found some information in this technical overview. It is a PrimeCell peripheral named BP147, and is a kind of soft IP. So I guess it is not available on Hikey.

If it is not available on Hikey, is there any alternative to configure a peripheral?

Thanks in advance.


#8

@Tgn yes, unfortunately, the vendor seems to have chosen not to include the relevant info in their documentation. I don’t have it either.

The only possibly related example I could find is below, showing how to configure part of DRAM as secure.


#9

Thanks a lot!
It seems very useful, even though it does not include TZPC.