Hi, Le samedi 16 décembre 2017 à 11:44 +0100, Denis 'GNUtoo' Carikli a écrit : > This explains the interaction between a signed bootloader and > TrustZone.
See comments below. > Signed-off-by: Denis 'GNUtoo' Carikli <[email protected]> > --- > freedom-privacy-security-issues.php | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/freedom-privacy-security-issues.php b/freedom-privacy- > security-issues.php > index cf380d2..ee57822 100644 > --- a/freedom-privacy-security-issues.php > +++ b/freedom-privacy-security-issues.php > @@ -87,6 +87,7 @@ > However, it also occurs that the > bootloaders are cryptographically signed with a private key. > In that case, the bootrom will check > the signature against a public key that cannot be replaced and only > run the bootloader if the signature matches. > That sort of tivoization prevents > replacing pre-installed bootloaders, even when their sources are > released as free software. > + This is even more problematic when > the bootloader is in charge of loading code into TrustZone as that > code gives full control of the processor to software that is > proprietary and/or cannot be modified. I don't think we should be talking about TrustZone here in particular bur rather talk about privileged execution environments in general. We could rephrase it like this: " This is even more problematic when the bootloader is in charge of loading the privileged execution environment, such as TrustZone, as that code gives full control of the processor to software that is proprietary and cannot be modified." Note that if the code cannot be modified, it is proprietary per-se. > There are some good platforms that > don't perform such signature checks and can run free bootloaders (e.g. > Allwinner Ax, TI OMAP General- > Purpose). > </p> -- Paul Kocialkowski, developer of free digital technology and hardware support. Website: https://www.paulk.fr/ Coding blog: https://code.paulk.fr/ Git repositories: https://git.paulk.fr/ https://git.code.paulk.fr/
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Replicant mailing list [email protected] https://lists.osuosl.org/mailman/listinfo/replicant
