[Arm-netbook] ARM's OOB para-virtualization & FreeZone in A10?

nil namespace_collision at yahoo.com
Thu Jul 5 12:52:59 BST 2012


Henrik Nordström <henrik <at> henriknordstrom.net> writes:

> Actually the TPM is very useful for you to protect from attacks. With
> the TPM you can lock down the hardware to only accept you, and you can
> make sure any tampering with your device gets noticed by you.
Yeah, and it's pretty hard to subvert from software. Getting one set up can be a
hassle, and of course upgrades are a pain (since they change the PCRs your
secrets are sealed under) but hardened devices ideally shouldn't be getting many
of those, anyway...

> The theory goes as
> 1. LAN gets hacked
> 2. From LAN the box gets hacked
> 3. On the box the hacker installs a rootkit as a hypervisor. As
> demonstrated with Intel VT this can be done runtime if virtualization is
> enabled but no hypervisor currently running.
Mmm; seems a bit like overkill, though, since it doesn't grant any further
capability, just stealth (which is useless if you're going to do things that'll
get you noticed anyway.)


> Allwinner A10 mentions TrustZone in its marketing. TrustZone can be
> used for implementing a TPM kind of solution. But information on the
> TrustZone implementation in Allwinner A10 is very scarce.
Some vendors stick their own names on it (TI's 'M-Shield' springs to mind) and
tbh there's very little public information on any of them.
Other things on the AXI bus can be TrustZone-aware ("secure/not secure" is an
extra address bit,) but I think the basic functionality is the same in any core
that has it (and documented by ARM, though I'm unsure how complete that is.)
> Actually virtualization is a great tool for increasing system security
> if used right.
Looking forward to the A15, here!
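As an added illustration of the point above about sealing secrets under PCRs (this is example code written for this page, not part of the original post and not a TPM library API): a simplified Python model of the PCR extend chain and of sealing a secret to the resulting PCR value. The extend rule, PCR = SHA-256(old_PCR || SHA-256(measurement)), is the one real TPMs use; the sealing format, the boot-component names and the "storage root key" constant are constructed for the example. It shows why a firmware upgrade that changes one measured component makes the sealed blob stop unsealing until it is re-sealed under the new PCR value.

```python
import hashlib
import hmac

# Constructed sample values (not from any real device).
STORAGE_ROOT_KEY = hashlib.sha256(b"example SRK, never leaves the chip").digest()
SECRET = b"disk-encryption-key-0123456789abcdef"
GOOD_CHAIN = [b"bootrom", b"u-boot v1", b"kernel 3.4"]
UPGRADED_CHAIN = [b"bootrom", b"u-boot v2", b"kernel 3.4"]  # one component changed


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new_pcr = H(old_pcr || H(measurement)). Order-dependent, one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Simulate the boot chain measuring each stage into a single PCR (initially all zeros)."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def _keystream(key: bytes, length: bytes) -> bytes:
    # Simple counter-mode keystream built from SHA-256 (toy construction for the example).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _derive_key(srk: bytes, pcr: bytes) -> bytes:
    # Sealing key is bound to the SRK (never exported) AND the PCR value at seal time.
    return hmac.new(srk, b"seal-policy|" + pcr, hashlib.sha256).digest()


def seal(srk: bytes, pcr: bytes, secret: bytes) -> dict:
    """Encrypt `secret` under a key derived from the SRK and the current PCR; record the PCR."""
    key = _derive_key(srk, pcr)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return {"pcr": pcr, "ct": ciphertext, "tag": tag}


def unseal(srk: bytes, blob: dict, current_pcr: bytes):
    """Return the secret only if the current PCR matches the one the blob was sealed under."""
    if not hmac.compare_digest(blob["pcr"], current_pcr):
        return None  # policy check fails: measured boot state differs from seal time
    key = _derive_key(srk, current_pcr)
    expected_tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None  # blob tampered with
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, len(blob["ct"]))))


def demo():
    """Seal under the good boot chain, then try to unseal before and after an upgrade."""
    sealed_pcr = measure_boot(GOOD_CHAIN)
    blob = seal(STORAGE_ROOT_KEY, sealed_pcr, SECRET)
    same_boot = unseal(STORAGE_ROOT_KEY, blob, measure_boot(GOOD_CHAIN))
    after_upgrade = unseal(STORAGE_ROOT_KEY, blob, measure_boot(UPGRADED_CHAIN))
    return same_boot, after_upgrade


if __name__ == "__main__":
    ok, broken = demo()
    print("unchanged boot chain unseals:", ok == SECRET)
    print("after u-boot upgrade unseals:", broken is not None)
```

The practical consequence is the one the post describes: after the upgrade, the device has to be booted into the new state and the secret re-sealed under the new PCR value (with the old value available only from the still-trusted old image), which is why such upgrades are a hassle on hardened devices.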





More information about the arm-netbook mailing list