Trustzone on i.MX6 sabrelite

S Madhu smadhu2048 at ...9...
Sun May 25 05:06:40 CEST 2014


Copying an email exchange between me and Norman to the mailing list.
I have a few master's students who are starting to work on Trustzone, so
I am trying to find out the best way to get them up and running.

Target platform is the i.MX6 Sabrelite board from Freescale. Later we will
move to our own open source i.MX6 board.

-----------------------------------------------------------------------------------
Hello,

> My student started work today. I have asked him to post on the group.
> I am defining the scope of work for him for the next 1 year. Basically I
> want him to complete the trustzone integration on the i.MX6 board. Do you
> think there is 6-8 months of work left for 1 person in this effort?

The answer very much depends on the experience of the developer and the
degree of trustzone support you want to achieve. Given that base-hw
supports trustzone on the Cortex-A9 already (for the Versatile Express
platform) and also the i.MX53 SoC, I don't expect any difficulties to
get the TZ world switch running in principle.

If you really care about thoroughly protecting the secure world from the
normal world, however, there is much more work to do. E.g., in our
current demo scenario, we cut some corners, which might not be a good idea
in a real product. E.g. we grant the normal world access to the
system-and-clock management unit. Revoking access to this unit from the
normal world is easy. But to get Linux running w/o access to it is quite
difficult. We'd need to either provide a virtualized version of the
device (using a trap-and-emulate scheme) or change the Linux kernel to
use custom smc "hypercalls" to the TZ VMM instead of accessing the
device directly.

Also, as an additional challenge, it would be worthwhile to investigate
a solution for the problem described in the last paragraphs of the
Section "Additional device drivers" of our article:


http://genode.org/documentation/articles/trustzone#Additional_device_drivers

The DMA problem (GPU and IPU are using the same DMA channel) is quite
serious. It would be interesting to investigate if i.MX6 has fixed that.

To sum it up, the task can be scaled from a few months (just
experimenting with the world switch and granting most devices to the
normal world) to more than a year (when revoking devices from the normal
world while still making Linux happy to run in the normal world).
---------------------------------------------------------------------------------


Madhu
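
The trap-and-emulate option mentioned in the exchange above, as an added example that is not part of the original emails or of Genode's code: a secure-world handler that filters normal-world accesses to a revoked clock unit through a per-register policy. The register offsets, masks, values and the name emulate_clk_access are constructed for illustration and do not come from the i.MX6 reference manual.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed layout for a hypothetical clock unit. Offsets, masks and
 * reset values are illustrative, not from the i.MX6 reference manual. */
enum { REG_GATE = 0x00, REG_DIV = 0x04, REG_SEC_CLK = 0x08, NUM_REGS = 3 };
enum { VMM_OK = 0, VMM_DENIED = -1 };

struct reg_policy {
    uint32_t offset;
    uint32_t read_mask;   /* bits the normal world may observe */
    uint32_t write_mask;  /* bits the normal world may change */
};

static const struct reg_policy policy[NUM_REGS] = {
    { REG_GATE,    0x0000ffffu, 0x000000ffu }, /* normal-world clock gates */
    { REG_DIV,     0x000000ffu, 0x0000000fu }, /* normal-world divider */
    { REG_SEC_CLK, 0x00000000u, 0x00000000u }, /* secure-only: hidden */
};

/* Stand-in for the real device, reachable only from the secure world. */
static uint32_t device[NUM_REGS] = { 0xffff00ffu, 0x00000042u, 0xdeadbeefu };

/* Entry point for a trapped normal-world access, or for an smc hypercall
 * carrying the same arguments. *val is the written value or read result. */
int emulate_clk_access(uint32_t offset, int is_write, uint32_t *val)
{
    if (val == NULL || (offset & 3u) != 0)   /* word accesses only */
        return VMM_DENIED;
    for (size_t i = 0; i < NUM_REGS; i++) {
        const struct reg_policy *p = &policy[i];
        if (p->offset != offset)
            continue;
        uint32_t mask = is_write ? p->write_mask : p->read_mask;
        if (mask == 0)                       /* register not exposed */
            return VMM_DENIED;
        if (is_write)  /* merge permitted bits, keep protected bits intact */
            device[i] = (device[i] & ~mask) | (*val & mask);
        else
            *val = device[i] & mask;
        return VMM_OK;
    }
    return VMM_DENIED;                       /* default deny: unknown offset */
}
```

Because writes are merged under the mask, a read-modify-write from the normal world that writes back zeros for hidden bits leaves the secure-world bits untouched.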