[Ksummit-2013-discuss] [ARM ATTEND] Trustzone-based security solution for ARM Linux

Jassi Brar jassisinghbrar at gmail.com
Thu Aug 15 04:17:07 EDT 2013


On Thu, Aug 15, 2013 at 1:15 PM, Barry Song <21cnbao at gmail.com> wrote:
> 2013/8/15 Jassi Brar <jassisinghbrar at gmail.com>:
>> On Thu, Aug 15, 2013 at 9:58 AM, Greg KH <greg at kroah.com> wrote:
>>> On Thu, Aug 15, 2013 at 11:44:30AM +0800, Barry Song wrote:
>>>> For the moment, there is a strong marketing requirement from
>>>> IVI (In-Vehicle Infotainment) or mobile to use ARM TrustZone. Take
>>>> IVI as an example: Auto requires a security environment to access the CAN bus
>>>> and other car buses. Auto requires a security environment to show
>>>> rearview/surround view from cameras and play alert audio. On the other
>>>> hand, an IVI system generically works as a video streaming sink and
>>>> HDMI sink instead of a source. To support HDCP and Widevine, we need
>>>> to make sure private keys and video buffers are only visible to
>>>> security mode. With the CAN stack, video playback backend and more tasks,
>>>> it generically requires a multi-task RTOS running in security mode
>>>> in parallel with Linux in non-security mode.
>>>>
>>>> Linux is a general-purpose OS with UI and all kinds of software, but
>>>> we need to make sure that even if Linux is ROOTed, the RTOS in security mode
>>>> is still active. We are able to find some open-source projects like
>>>> SafeG[1], Multivisor[2], SierraVisor[3], but it turns out that ARM
>>>> Linux has no rich support for this kind of architecture:
>>>> 1. hypervisor running in monitor mode
>>>> 2. RTOS running in security mode
>>>> 3. Linux running in non-security mode
>>>
>>> "Linux" is just a kernel, not a whole operating system :)
>>>
>>> Anyway, why can't Linux be the RTOS kernel as well?  What are the
>>> requirements for that kernel that Linux does not currently meet?
>
> We will run RTOS+Linux instead of Linux+Linux. Typically, the Auto
> industry has a long history of using an RTOS. On the other hand, we need to
> boot the RTOS very fast, in hundreds of milliseconds, to make sure
> rearview and early audio are ready.
>
Why do you think an optimized Linux can't boot up in "hundreds of millisecs"?

>>>
>> Yes, in fact, at least during development, Linux usually runs in Secure mode.
>> Ideally I would love to see 2 instances of Linux running - one in
>> NonSecure mode and another in Secure mode, getting capabilities via 2
>> corresponding DTBs reflecting the h/w partitioning done by the TZ.
>
> Not real. I think there are similar users in Linux already. At least
> OMAP and Exynos have some chip-specific code like omap-smc.S,
> sleep34xx.S, exynos-smc.S and so on.
>
... and there are SoCs that have TZ but don't implement SMC (yet).

> And I have explained why we don't use Linux+Linux.
>
>>
>>>
>>>> 3. as some CPU time is stolen by security mode, the scheduler needs
>>>> to know this for load balancing
>>>
>>> Does the kernel know this time is gone?  Or is it not aware of it (like
>>> MSIs on x86?)
>>>
>> The TrustedOS could share time on the same cpu as the UnTrustedOS or
>> be assigned a dedicated cpu on an MP.
>
> No. TrustedOS will not hold a whole CPU, and we don't put a whole core
> to the RTOS as it has low CPU loading.
>
If by "we" you mean you and your device, I can understand. Otherwise
please have a look at some TZ whitepaper. It is possible to run in AMP
mode where the SecureOS has dedicated CPU core(s).
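As an added illustration of the "two DTBs reflecting the h/w partitioning" idea raised above, here is what the DTB handed to the non-secure Linux instance could look like when the secure OS owns one core, a memory range and the CAN controller. This is an example written for this page, not code from the thread, from any of the projects it names, or from a real board; the board, compatible strings, addresses, sizes and node names are assumptions.

```dts
/* Example non-secure-world DTB fragment for a hypothetical dual-core board.
 * A DTB is advisory: it tells Linux which resources it may use. The partition
 * is enforced by the secure world's configuration of the TrustZone hardware
 * (address space controller, peripheral protection), not by this file. */
/dts-v1/;

/ {
	compatible = "example,ivi-board";   /* assumed board name */
	#address-cells = <1>;
	#size-cells = <1>;

	cpus {
		#address-cells = <1>;
		#size-cells = <0>;

		/* Only core 0 is listed. Core 1 is dedicated to the secure RTOS
		 * (AMP mode), so it is absent here and Linux never tries to bring
		 * it up; secure firmware must still refuse any attempt to do so. */
		cpu@0 {
			device_type = "cpu";
			compatible = "arm,cortex-a9";
			reg = <0>;
		};
	};

	/* RAM visible to the non-secure world (assumed 1 GiB at 0x80000000). */
	memory@80000000 {
		device_type = "memory";
		reg = <0x80000000 0x40000000>;
	};

	reserved-memory {
		#address-cells = <1>;
		#size-cells = <1>;
		ranges;

		/* Range owned by the secure world (video buffers, key storage).
		 * "no-map" keeps it out of the kernel's linear mapping, so even a
		 * rooted Linux has no mapping to read or corrupt it. Accesses
		 * from the non-secure side are expected to be blocked by the
		 * secure-world configured memory protection hardware. */
		secure_mem: secure-memory@b8000000 {
			reg = <0xb8000000 0x08000000>;
			no-map;
		};
	};

	/* The CAN controller is dedicated to the secure RTOS, so its node is
	 * simply not present in this DTB; the secure-world DTB carries it. */
};
```

The same hardware description, split the other way round (core 1, the reserved range and the CAN node present, everything Linux owns absent), would be the secure-world DTB. Whatever the DTBs say, the check a practitioner wants is on the secure side: that the TZ address space controller actually rejects non-secure accesses to the reserved range, since nothing in the non-secure DTB can protect it.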
