Ubuntu Touch ARM TrustZone Support
-
Hi Ubuntu Touch Community,
I hope you all are doing well.
I'm a software developer currently researching getting ARM TrustZone/Trusted Execution Engine running on non-Android operating systems. This would allow different applications, like eGovernment apps, to run on operating systems with TrustZone support even if the device can't provide any biometric data (e.g. fingerprint). Maybe the user just doesn't want to use those features. However, I haven't been able to find any specific information in the documentation about whether Ubuntu Touch provides any interfaces or support for ARM TrustZone. It's possible I might have missed it, so I wanted to reach out to the community here.
Could anyone provide me with some insight into whether Ubuntu Touch has any support or planned support for ARM TrustZone? Any pointers or guidance would be greatly appreciated, even if not specifically Ubuntu Touch related.
Thank you in advance for your help!
-
@Seteris From my understanding of ARM TrustZone, it needs to be supported by the chipset, processor, compiler and the OS. Let's suppose the manufacturer supports the extension, the operating system would need to provide an API for whether it is running in secure mode.
Currently Ubuntu Touch requires unlocked bootloader (no safe boot) and no disk encryption (although some made it work for /home), which are required for a guaranteed safe environment. Even if it was supported, it would say that it is running insecurely.
Unfortunately I couldn't find anything regarding whether it is supported by any Linux-based operating system, even proprietary Android, so I guess it's not.
Good luck with the messy ARM (not only the ISA).
-
@ikoz said in Ubuntu Touch ARM TrustZone Support:
> Currently Ubuntu Touch requires unlocked bootloader (no safe boot)
Ubuntu Touch does not require an unlocked bootloader per se. If the keys were available, the images could be signed with them and the bootloader could be locked. This is the case for the Jingpad for instance.
On regular Android devices, all aftermarket OSes would need an unlocked bootloader since the images would not have been signed with the manufacturer's keys.
-
@ikoz Thanks for the response!
Yeah my understanding matches yours, however to me it seems that most ARM Cortex-A series CPUs should support ARM TrustZone by default, even running on a non-secure kernel.
I did find code for some implementations of the Trusted Execution Engine (see: https://github.com/mqttz/optee-apps/tree/master which is code for benchmarking MQTT TZ).
However I also couldn't find anything in regards to other Linux-based mobile operating systems (or even any desktop distro for that matter), or even Android. Which begs the question: Is nobody but Android using it at all? And even for Android it seems to be a proprietary implementation (which isn't surprising, as this alone keeps a lot of Android folk away from any other non-Android/Apple device).
-
@arubislander That makes sense, just like secure boot on x86 requires keys signed by Microsoft. Is the manufacturer the chip's (e.g. Qualcomm) or the phone's who signs the keys? If it's the latter then do all devices which have UT pre-installed also have a locked bootloader?
-
@ikoz said in Ubuntu Touch ARM TrustZone Support:
> Is the manufacturer the chip's (e.g. Qualcomm) or the phone's who signs the keys

It would stand to reason that the device manufacturers would be the ones doing the signing with their keys. Or better said, whoever is responsible for the OS image that is pre-installed on the device.

> If it's the latter then do all devices which have UT pre installed also have locked bootloader?

I expect that they could do so. But not having such a device myself, I cannot say for sure.