UBports Robot Logo UBports Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Ubuntu Touch ARM TrustZone Support

    Scheduled Pinned Locked Moved Unsolved Support
    6 Posts 3 Posters 310 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
      Reply
      • Reply as topic
      Log in to reply
      This topic has been deleted. Only users with topic management privileges can see it.
      • S Offline
        Seteris
        last edited by

        Hi Ubuntu Touch Community,

        I hope you all are doing well.
        I'm a software developer currently researching getting ARM TrustZone/Trusted Execution Engine running on non-Android operating systems. This would allow different applications, like eGovernment apps, to run on operating systems with TrustZone support even if the device can't provide any biometric data (e.g. fingerprint). Maybe the user just doesn't want to use those features.

        However, I haven't been able to find any specific information in the documentation about whether Ubuntu Touch provides any interfaces or support for ARM TrustZone. It's possible I might have missed it, so I wanted to reach out to the community here.

        Could anyone provide me with some insight into whether Ubuntu Touch has any support or planned support for ARM TrustZone? Any pointers or guidance would be greatly appreciated, even if not specifically Ubuntu Touch related.

        Thank you in advance for your help!

        ikozI 1 Reply Last reply Reply Quote 0
        • ikozI Online
          ikoz @Seteris
          last edited by

          @Seteris From my understanding of ARM TrustZone, it needs to be supported by the chipset, processor, compiler and the OS. Let's suppose the manufacturer supports the extension, the operating system would need to provide an API for whether it is running in secure mode.

          Currently Ubuntu Touch requires unlocked bootloader (no safe boot) and no disk encryption (although some made it work for /home), which are required for a guaranteed safe enviroment. Even if it was supported, it would say that it is running insecurely.

          Unfortunately I couldn't find anything regarding whether it is supported by any Linux based operating system, even proprietary android, so I guess it's not.
          Good luck with the messy ARM (not only the ISA).

          May the source be with you

          arubislanderA S 2 Replies Last reply Reply Quote 0
          • arubislanderA Offline
            arubislander @ikoz
            last edited by arubislander

            @ikoz said in Ubuntu Touch ARM TrustZone Support:

            Currently Ubuntu Touch requires unlocked bootloader (no safe boot)

            Ubuntu Touch does not require an unlocked bootloader per se. If the keys were available, the images could be signed with them and the bootloader could be locked. This is the case for the Jingpad for instance.

            On regular android devices all after market OS's would need an unlocked bootloader since the images would not have been signed with the manufacturer's keys.

            πŸ‡¦πŸ‡Ό πŸ‡³πŸ‡± πŸ‡ΊπŸ‡Έ πŸ‡ͺπŸ‡Έ
            Happily running Ubuntu Touch
            Google Pixel 3a (20.04 DEV)
            JingPad (24.04 preview)
            Meizu Pro 5 (16.04 DEV)

            ikozI 1 Reply Last reply Reply Quote 1
            • S Offline
              Seteris @ikoz
              last edited by

              @ikoz Thanks for the response!

              Yeah my understanding matches yours, however to me it seems that most ARM Cortex-A series CPUs should support ARM TrustZone by default, even running on a non-secure kernel.

              I did find code for some implementations of the Trusted Execution Engine (see: https://github.com/mqttz/optee-apps/tree/master which is code for benchmarking MQTT TZ).

              However I also couldn't find anything in regards to other linux-based mobile operating systems (or even any desktop distro for that matter), or even Android. Which begs the question: Is nobody but Android using it at all? And even for Android it seems to be a proprietary implementation (which isn't surprising, as this alone keeps a lot of Android folk away from any other non-Android/Apple device).

              1 Reply Last reply Reply Quote 0
              • ikozI Online
                ikoz @arubislander
                last edited by

                @arubislander That makes sense, just like secure boot on x86 requires keys signed by Microsoft. Is the manufacturer the chip's (e.g. Qualcomm) or the phone's who signs the keys. If it's the latter then do all devices which have UT pre installed also have locked bootloader?

                May the source be with you

                arubislanderA 1 Reply Last reply Reply Quote 0
                • arubislanderA Offline
                  arubislander @ikoz
                  last edited by

                  @ikoz said in Ubuntu Touch ARM TrustZone Support:

                  Is the manufacturer the chip's (e.g. Qualcomm) or the phone's who signs the keys

                  It would stand to reason that the device manufacturers would be the ones doing th signing with their keys. Or better said, whoever is responsible for the OS image that is pre-installed on the device.

                  If it's the latter then do all devices which have UT pre installed also have locked bootloader?

                  I expect that they could do so. But not having such a device myself, I cannot say for sure.

                  πŸ‡¦πŸ‡Ό πŸ‡³πŸ‡± πŸ‡ΊπŸ‡Έ πŸ‡ͺπŸ‡Έ
                  Happily running Ubuntu Touch
                  Google Pixel 3a (20.04 DEV)
                  JingPad (24.04 preview)
                  Meizu Pro 5 (16.04 DEV)

                  1 Reply Last reply Reply Quote 0
                  • S Seteris referenced this topic on
                  • First post
                    Last post