Hi Stefan and all, Thank you for your response. Yes I’m aware of your work for the GSoC 2016. It is an interesting work. I would love to explore the possibility of running seL4 in Secure World, for experiment and also for backward compatibility consideration with existing software stack built for Linux. I’m pretty new to TrustZone is there any resources that you can point to me. I found the OP-TEE OS project through searching, it seems interesting. Also, I’m not sure which development board actually support TrustZone. Does i.MX 6 SabreLite and Raspberry Pi 3 have the necessary support? How about QEMU, it will be easier to simulate first. Best Regards -Daniel Wang
On Jan 27, 2018, at 3:51 AM, Stefan Wallentowitz
wrote: Hi Dan,
I have mentored a proof of concept project with the lowRISC project during Google Summer of Code 2016: http://mahadevrahul.blogspot.de/2016/08/
It apparently is far from being ready, and the scope was different: I think the GP TEE Internal API and GP TEE Client API are nice APIs for writing Trustlets. So the work was scoped to check how those components can work with seL4. seL4 is the hypervisor in this case, separating the rich OS container from the TEE container. The TEE OS performs more or less the mapping between TEE client requests to seL4 APIs. Beside that the Trustlets are loaded and triggered by the "OS". We did not get deeper into the Internal API, because the mapping of the trustlet API to libraries or hardware functions is pretty straight forward.
Unfortunately, I never catched up with this work, because it is not on the critical path. Also there are a few other APIs in the GP specification pipeline, that I am currently concentrating on.
So, and finally why this is probably not what you are searching for. It does not use Trustzone. First, that is because we scoped it with RISC-V in mind and not Arm. Second, I am still undecided about the viability of Trustzone for the scenarios we have been discussing.
Anyhow, while TEE was kind of designed for the Trustzone, I believe its a nice API to run Trustlets in any secure environment, let it be on a containered environment or even a dedicated secure co-processor.
Hope that helps a bit.
Cheers, Stefan
On 26.01.2018 21:52, Daniel (Xiaolong) Wang wrote:
Hi all,
I’m exploring for possible ways to run seL4 as a secure TEE kernel in TrustZone. I found an old discussion thread back in 2016 and corresponding from Gernot:
I’m very new to TrustZone technology. I wonder has anyone done that before using seL4? Is there any public available resources for reference? Also on which development board did Data61 run seL4 in the secure world?
Thanks -Dan
FYI
Is it possible to run sel4 as a secure world OS in TrustZone? Has anyone successfully done that before?
I believe we have done that in the past (with platforms where we could just ignore the secure/normal split and ran everything in secure mode). There is no reason why it wouldn’t work, it just comes down to initialising the platform correctly.
https://sel4.systems/pipermail/devel/2016-March/000750.html
Thanks -Dan
_______________________________________________ Devel mailing list Devel@sel4.systems https://sel4.systems/lists/listinfo/devel
_______________________________________________ Devel mailing list Devel@sel4.systems https://sel4.systems/lists/listinfo/devel