Hi Stefan and all,

Thank you for your response. Yes, I’m aware of your work for the GSoC 2016. It is interesting work. I would love to explore the possibility of running seL4 in Secure World, for experiment and also for backward compatibility considerations with the existing software stack built for Linux.

I’m pretty new to TrustZone. Are there any resources that you can point me to? I found the OP-TEE OS project through searching; it seems interesting.

Also, I’m not sure which development boards actually support TrustZone. Do i.MX 6 SabreLite and Raspberry Pi 3 have the necessary support? How about QEMU? It will be easier to simulate first.

Best Regards
-Daniel Wang



On Jan 27, 2018, at 3:51 AM, Stefan Wallentowitz <stefan@wallentowitz.de> wrote:

Hi Dan,

I have mentored a proof of concept project with the lowRISC project
during Google Summer of Code 2016: http://mahadevrahul.blogspot.de/2016/08/

It apparently is far from being ready, and the scope was different: I
think the GP TEE Internal API and GP TEE Client API are nice APIs for
writing Trustlets. So the work was scoped to check how those components
can work with seL4. seL4 is the hypervisor in this case, separating the
rich OS container from the TEE container. The TEE OS performs more or
less the mapping between TEE client requests to seL4 APIs. Besides that
the Trustlets are loaded and triggered by the "OS". We did not get
deeper into the Internal API, because the mapping of the trustlet API to
libraries or hardware functions is pretty straightforward.

Unfortunately, I never caught up with this work, because it is not on
the critical path. Also there are a few other APIs in the GP
specification pipeline, that I am currently concentrating on.

So, and finally why this is probably not what you are searching for. It
does not use TrustZone. First, that is because we scoped it with RISC-V
in mind and not Arm. Second, I am still undecided about the viability of
TrustZone for the scenarios we have been discussing.

Anyhow, while TEE was kind of designed for the TrustZone, I believe it's
a nice API to run Trustlets in any secure environment, let it be on a
containered environment or even a dedicated secure co-processor.

Hope that helps a bit.

Cheers,
Stefan

On 26.01.2018 21:52, Daniel (Xiaolong) Wang wrote:
Hi all,

I’m exploring for possible ways to run seL4 as a secure TEE kernel in
TrustZone. I found an old discussion thread back in 2016 and
corresponding from Gernot:

I’m very new to TrustZone technology. I wonder, has anyone done that
before using seL4? Are there any publicly available resources for
reference? Also, on which development board did Data61 run seL4 in the
secure world?

Thanks
-Dan

FYI 

Is it possible to run sel4 as a secure world OS in TrustZone?
Has anyone successfully done that before?

I believe we have done that in the past (with platforms where we could just ignore the secure/normal split and ran everything in secure mode). There is no reason why it wouldn’t work, it just comes down to initialising the platform correctly.

https://sel4.systems/pipermail/devel/2016-March/000750.html

Thanks
-Dan





_______________________________________________
Devel mailing list
Devel@sel4.systems
https://sel4.systems/lists/listinfo/devel


