Thanks for the extra context, guys. Much appreciated!
On Sat, Mar 5, 2016 at 1:46 AM, Paul Kocialkowski <cont...@paulk.fr> wrote:
> On Tuesday, 01 March 2016 at 11:02 -0800, Blibbet wrote:
> > On 02/29/2016 09:16 PM, Bob Summerwill wrote:
> > [...]
> > > * Samsung KNOX, using Trustonic's TEE (
> > > https://www.trustonic.com/technology/trusted-execution-environment) which
> > > sounds much like the notorious Intel ME to me. Does anybody here have
> > > experience of Trustonic TEE, and can confirm that, or explain what it does
> > > better than me? I think it's more proprietary software on-silicon, which
> > > constrains what you can run on your own device.
> > [..]
> >
> > https://en.wikipedia.org/wiki/Trusted_execution_environment#Implementations
> >
> > Most ARM chips have TrustZone or some other TEE. Most Intel systems have
> > a Management Engine. Most AMD systems have a Platform Security
> > Processor. There are open source implementations of TEE, like OP-TEE.
> > TEEs protect 'untrusted' software stacks (Windows, Linux, Android,
> > etc.). It can be helpful for security, and may also be misused by
> > attackers to abuse security and privacy. It is 'notorious' if you want
> > to reconfigure a system in a way that the vendor would consider
> > something more a security attack than a normal use case of a consumer.
> :-(
>
> TrustZone and TEE are not inherently a bad thing indeed, but on some platforms,
> those are only available when bootrom signature verification is enforced.
>
> For instance on OMAP[0], TrustZone is only available on HS (High Security)
> devices that enforce signature verification, while it's disabled on GP (General
> Purpose) devices. In practice, it means that since we cannot replace the
> bootloader (the signature fuses are always already programmed on HS devices), we
> can't have control of TrustZone either on HS devices.
>
> On some other platforms (such as the i.MX53 and perhaps the latest Tegra
> platforms), the user can be in control of it. This is the case on the USB
> armory.
>
> Bear in mind that TEE on TrustZone is a separate system, running with more
> privileges (regarding hardware access) than the regular operating system. This
> is really bad for users' privacy and security. It is very likely that TrustZone
> TEE is actively used on most devices that enforce bootloader signature checks
> (including those with Replicant support). This is yet another very strong
> reason to focus on devices that are able to run free bootloaders.
>
> [0]: https://e2e.ti.com/support/omap/f/849/t/58680
>
> --
> Paul Kocialkowski, Replicant developer
>
> Replicant is a fully free Android distribution running on several
> devices, a free software mobile operating system putting the emphasis on
> freedom and privacy/security.
>
> Website: https://www.replicant.us/
> Blog: https://blog.replicant.us/
> Wiki/tracker/forums: https://redmine.replicant.us/
>
> _______________________________________________
> Replicant mailing list
> Replicant@lists.osuosl.org
> http://lists.osuosl.org/mailman/listinfo/replicant

--
b...@summerwill.net