[Ksummit-2013-discuss] [ARM ATTEND] Trustzone-based security solution for ARM Linux
Dave Martin
Dave.Martin at arm.com
Thu Aug 15 13:43:15 EDT 2013
On Thu, Aug 15, 2013 at 10:03:42AM -0600, Stephen Warren wrote:
> On 08/15/2013 01:36 AM, Barry Song wrote:
> > 2013/8/15 Greg KH <greg at kroah.com>:
> >> On Thu, Aug 15, 2013 at 11:44:30AM +0800, Barry Song wrote:
> >>> For the moment, there is strong markting requirement from
> >>> IVI(In-Vehicle Infotainment) or mobile to use ARM Trustzone. We take
> >>> IVI as an example, Auto requires security enviorment to access CAN bus
> >>> and other car busses. Auto requires security enviorment to show
> >>> rearview/surround view from cameras and play alert audio. on the other
> >>> hand, IVI system is generically working as a video streaming sink and
> >>> HDMI sink instead of a source. To support HDCP and widevine, we need
> >>> to make sure private keys and video buffers are only visible to
> >>> security mode. With CAN stack, video playback backend and more tasks,
> >>> generically it requires a multi-task RTOS running in security mode
> >>> parallel with Linux in non-security mode.
> >>>
> >>> Linux is a generic purpose OS with UI and all kinds of software, but
> >>> we need to make sure even the Linux is ROOTed, RTOS in security mode
> >>> is still active. We are able to find some opensource projects like
> >>> SafeG[1], Multivisor[2], SierraVisor[3], but it turns out that ARM
> >>> Linux has no rich support for this kind of architecture:
> >>> 1. hypervisor running in monitor mode
> >>> 2. RTOS running in security mode
> >>> 3. Linux running in non-security mode
> >>
> >> "Linux" is just a kernel, not a whole operating system :)
> >
> > do agree. but i am not saying i want linux kernel to do all these
> > things. i just want kernel is able to integrate into the system.
> >
> >>
> >> Anyway, why can't Linux be the RTOS kernel as well? What are the
> >> requirements for that kernel that Linux does not currently meet?
> >>
> >>> So the point is that we need generic support for this, especially for
> >>> IVI and other markets which want Trustzone technology a lot and have
> >>> complex user scenarios.
> >>> 1. Dispatch FIQ to security, dispatch IRQ to Linux, for this case, FIQ
> >>> is not permitted to happen on Linux
> >>
> >> Isn't that up to the hardware? Nothing that Linux can do about that.
> >
> > right. but linux need to assign interrupts to right group in GIC
> > hardware. now it doesn't care.
>
> I strongly hope that whatever is the secure OS is setting up these
> routings, and the HW prevents the non-secure OS from modifying them and
> hence never attempts to. Otherwise, the non-secure OS is able to affect
> the functioning of the secure OS, which seems like a bad thing.
Typically, the master controls are hard-wired for Secure-only access in
hardware: so assigning GIC interrupts to groups is something the secure
OS/firmware has to take care of.
Of course, if Linux is acting as secure OS, it might have to understand
what controls exist and to do some of that configuration itself.
Cheers
---Dave
More information about the linux-arm-kernel
mailing list