Trust zone apps on Linux


#1

I am interested in knowing the support for trusted zone on snapdragon 410c boards. I need to be able to use crypto operations and run some background security applications for my IOT device.

It appears QSEE is only available for Android. However, we are interested in small footprint embedded linux, not android.

Appreciate any pointers. Thank you.


#2

@osm1c Trustzone is supported but the firmware that runs in the secure world is proprietary and provided by QCOM, and it is not possible (for now) to change it. See https://discuss.96boards.org/t/is-trustzone-feature-enabled-in-dragonboard-410c for previous disucssion.


#3

Thank you. If it is available, is there a way to use it for crypto operations? Are there any standard trusted apps available?

However, I don’t see any Linux driver for communication from Rich-OS apps to Trusted OS apps.


#4

You’re welcome. Afaik, there might be some trusted apps or trustlets included for certain builds (e.g. aosp) to work with the media server and such, but nothing is available for open use. Do you just need crypto operations, or secure crypto operations?

The linux driver is generally called qseecom. I don’t see it in the linaro tree either (http://git.linaro.org/landing-teams/working/qualcomm/kernel.git/tree/drivers/misc?h=release/qcomlt-4.9), so maybe it’s provided as some sort of module binary, but you can perhaps draw some references from say https://source.codeaurora.org/quic/la/kernel/msm-3.10/tree/drivers/misc/qseecom.c?h=LNX.LA.3.6.1.


#5

We like to perform secure crypto operations and also develop some secure monitor applications.

Would android secure apps work on Linux as well? tz firmware I believe is the same, communication interface is no different. So, what makes Linux tz apps different from Android tz apps?


#6

The hikey or hikey960 board allows a decent level of secure world/trusted apps development, i.e. open source arm-tf, optee_os and linux driver.

If by secure apps you mean a native executable binary, then no. Android apps run on the android os while linux executables run on linux (os). If by tz apps you mean a Trusted Application that abides by the specs released by the GlobalPlatform consortium, then yes, the APIs are the same, so the source is portable but for the executable you would usually compile/link it with different toolchains/libraries/etc for android vs linux. Also, it’s generally more difficult to get it to run on android due to the need of having to create/write selinux domains/rules.


#7

we haven’t really done much work related to security.

for sure the TZ firmware is the same (at least we think so, this is a black box to us as well).

however the downstream Android kernel might be doing some setup/init that we aren’t doing with the linux/upstream kernel. there is a ‘qsee’ kernel driver in the downstream, and if you want to use secure apps on linux/upstream you will need to forward port the qsee driver (and any of its dependencies, first.

even after that, it’s not very clear (e.g. we don’t have the guarantees) that it will work, since i don’t even know if the secure app work on Android on DB410c…