00:22.18 | *** join/#openmoko-cdevel ThibG (~ThibG@85-171-223-56.rev.numericable.fr) |
00:59.39 | *** join/#openmoko-cdevel Brinky_ (brinky@faui2k3.org) |
01:03.56 | *** join/#openmoko-cdevel higgins` (~higgins@105.ip-167-114-152.net) |
01:10.00 | *** join/#openmoko-cdevel higgins (~higgins@105.ip-167-114-152.net) |
01:44.49 | *** join/#openmoko-cdevel antrik_ (~olaf@port-92-195-115-133.dynamic.qsc.de) |
04:02.30 | *** join/#openmoko-cdevel DocScrutinizer05 (~saturn@openmoko/engineers/joerg) |
05:12.21 | *** join/#openmoko-cdevel sparetire_ (~sparetire@unaffiliated/sparetire) |
05:26.37 | *** join/#openmoko-cdevel coolmouse (~coolmouse@113.201.246.117) |
07:55.19 | *** join/#openmoko-cdevel coolmouse (~coolmouse@113.201.246.117) |
08:24.18 | *** join/#openmoko-cdevel ThibG (~ThibG@85-171-223-56.rev.numericable.fr) |
09:01.21 | *** join/#openmoko-cdevel daniele_athome (~daniele_a@net-93-67-0-106.cust.vodafonedsl.it) |
09:16.21 | *** join/#openmoko-cdevel ao2 (~ao2@cl-35.trn-01.it.sixxs.net) |
09:54.31 | *** join/#openmoko-cdevel pini (~pini@bou-fi.pustule.org) |
10:43.35 | *** join/#openmoko-cdevel radish (~radish@unaffiliated/stryx/x-3871776) |
10:56.32 | *** join/#openmoko-cdevel pini (~pini@bou-fi.pustule.org) |
11:08.13 | *** join/#openmoko-cdevel radish (~radish@unaffiliated/stryx/x-3871776) |
11:16.04 | *** join/#openmoko-cdevel daniele_athome (~daniele_a@net-188-217-59-32.cust.vodafonedsl.it) |
12:36.42 | *** join/#openmoko-cdevel daniele_athome (~daniele_a@net-188-217-103-215.cust.vodafonedsl.it) |
13:07.01 | *** join/#openmoko-cdevel jluis (~jluis@2001:67c:1810:f055:dafc:93ff:fe08:8b49) |
13:28.17 | *** join/#openmoko-cdevel daniele_athome (~daniele_a@net-93-151-234-70.cust.dsl.teletu.it) |
14:17.44 | *** join/#openmoko-cdevel pini (~pini@bou-fi.pustule.org) |
14:36.08 | *** join/#openmoko-cdevel sparetire (~sparetire@unaffiliated/sparetire) |
16:42.05 | *** join/#openmoko-cdevel daniele_athome (~daniele_a@net-188-217-70-98.cust.vodafonedsl.it) |
19:58.46 | *** join/#openmoko-cdevel ayaka (~ayaka@140.224.79.160) |
20:47.39 | ayaka | I have a problem with trustzone in arm, if I compile a kernel which enable trustzone, do I need to do prepare work to use that kernel |
20:47.46 | ayaka | just sign the kernel? |
21:05.48 | DocScrutinizer05 | funny question. trustzone needs support by bootloader |
21:07.24 | DocScrutinizer05 | the 1st stage bootloader (xloader) already needs to be signed by the private key matching the (non)public key in OMAP ROM |
21:08.04 | DocScrutinizer05 | so first of all you need that private key matching the pubkey your particular OMAP has |
21:09.32 | DocScrutinizer05 | at least that's what I think I understood of that trustzone mess |
21:11.39 | DocScrutinizer05 | if you need to sign your kernel and with which key, it's all a question of what xloader and main bootloader (usually uBoot of sorts) do |
21:14.06 | DocScrutinizer05 | on N9 for example there's a bootloader variant that actually will load unsigned kernels, but it sets a "tainted" flag in this case, which will lock several trustzone things for good, until next full reboot |
21:15.06 | DocScrutinizer05 | see |
21:15.09 | DocScrutinizer05 | ~aegis |
21:15.09 | apt | http://www.developer.nokia.com/Community/Wiki/Harmattan:Developer_Library/Developing_for_Harmattan/Harmattan_security/Security_guide , or "The purpose of this framework is: ... to make sure that the platform meets the requirements set by third party software that requires a safe execution environment.", or http://en.wikipedia.org/wiki/Trusted_Computing#Criticism, or http://en.qi-hardware.com/w/images/1/10/ME_382_LockedUpTechnology2.gif |
21:16.58 | DocScrutinizer05 | trustzone isn't a hardware function that kernel supports, rather it's a chain of trust resulting in a trusted kernel running under trustzone |
21:18.06 | DocScrutinizer05 | "enable turstzone in kernel" doesn't mean the kernel uses trustzone, it means trustzone will accept and work with that kernel ;-) |
21:28.01 | *** join/#openmoko-cdevel daniele_athome (~daniele_a@net-188-217-103-188.cust.vodafonedsl.it) |
21:29.44 | ayaka | DocScrutinizer05, I see, then the bootldr which will check the kernel whether is signed is just a job about self check? |
21:30.21 | ayaka | the TrustZone doesn't request the kernel is signed but the bootldr could decide whether it will accept this kernel? |
21:35.06 | DocScrutinizer05 | yes |
21:36.01 | DocScrutinizer05 | ROMBOOT checksums xloader. xloader checksums uboot. uboot checksums kernel. or not |
21:36.38 | DocScrutinizer05 | you can't change ROMBOOT, neither the key it uses, both are burned into chip at factory (TI) |
21:37.05 | ayaka | DocScrutinizer05, I see thank you |
21:37.24 | DocScrutinizer05 | a HighSecurity OMAP device will not load an unsigned or incorrectly signed xloader |
21:37.50 | DocScrutinizer05 | when you have a signed xloader that does what you want, you win |
21:39.03 | ayaka | luckily, my platform is exynos, which doesn't request bl2 is signed |
21:39.09 | DocScrutinizer05 | HS devices are OMAP34xx and 36xx, GeneralPurpose(=) are OMAP35xx and 37xx - iirc |
21:39.26 | ayaka | which doesn't request bl2 be signed |
21:39.53 | ayaka | by the way, is the OMAP serial going to dead? |
21:40.04 | DocScrutinizer05 | yes |
21:40.52 | DocScrutinizer05 | at least it seems like TI is not planning to do new OAMP chips |
21:41.09 | DocScrutinizer05 | OMAP5 is last of a kind |
21:41.11 | ayaka | maybe the second choose is im.x serial, which is seems to be the second open chip |
21:42.31 | ayaka | do you know some other serial of multimedia chip? I would like to use them in video encode area |
21:43.28 | ayaka | I only know the other like Qualcomm, Broadcomm |
21:51.04 | ayaka | DocScrutinizer05, thank you very much |
21:52.20 | DocScrutinizer05 | sorry, recently I didn't look into chip market, so I don't know what's out there and available and good |
21:52.50 | DocScrutinizer05 | I think some kickstarter projects used FPGAs |
21:53.30 | DocScrutinizer05 | you might want to ask on #qi-hardware |
21:55.44 | ayaka | I will |
22:12.59 | ayaka | and thank you |
22:19.10 | DocScrutinizer05 | yw |
22:24.49 | DocScrutinizer05 | and sorry I focused on OMAP. It's just the only real platform where I know a few details, though trustzone per se is same everywhere on all ARM platforms |
22:25.08 | DocScrutinizer05 | in OAMP it's called M-Shield |
22:28.52 | DocScrutinizer05 | basically trustzone is a way in ARM architecture to block access to certain (configurable) functions on the chip (like RAM ranges, peripheral interfaces etc) for a number of CPU operation modes. So you have a non-privileged mode and a secure mode. The secure mode is where bootloader runs in, and it loads kernel into the non-privileged mode so the kernel has no way to access certain stuff |
22:41.32 | ayaka | so the M-Shield is a TrustZone implement in OMAP |
22:42.58 | ayaka | the original design of trustzone is to run a secure kernel in secure area and a normal kernel in insecure area? |
22:43.55 | ayaka | but as linux don't actually support it, so it just let it is loaded from bootldr which in secure area into insecure area? |
23:06.33 | *** join/#openmoko-cdevel Brinky_ (brinky@faui2k3.org) |
23:18.11 | *** join/#openmoko-cdevel sparetire_ (~sparetire@unaffiliated/sparetire) |
23:50.13 | *** join/#openmoko-cdevel daniele_athome (~daniele_a@net-2-39-165-236.cust.vodafonedsl.it) |