Hi Joakim,

Thanks for your response.

I understand that Raspberry Pi 3 is not probably the best board. I haven't bought it yet so I can change.

My objective is to become familiar with embeded security using TrustZone. I would like to manipulate secure boot, secure storage, trusted applications...
If possible, I don't want to write "low level code" but only the application part.

In this context, what is the best board to buy? 

Regards,

Christopher Lambert


-------- Message original --------
Sujet: Re: [Tee-dev] Questions about OP-TEE and Raspberry Pi 3
Date: Mardi 30 Août 2016 20:18 CEST
De: Joakim Bech <joakim.bech@linaro.org>
Pour: LAMBERT Christopher <christopher.lambert@mythalesgroup.com>
Copie: tee-dev <tee-dev@lists.linaro.org>
Références:




 
Hi Christoper,
 
No, unfortunately you cannot implement secure boot on RPi3, because we have no control of the root key (if there is any) and therefore you cannot get any true chain of trust. Then there is no (memory) firewall (like TZASC), which means that normal side can both read and write memory that are assigned to secure side. Another challenge is that there is not much documentation available for the Pi itself in this area and I don't believe Broadcom have any plans to release it either (Broadcom hasn't been involved in this work).
 
The RPi3 is a good device if you want to get started with TEE development, learn how to create and run the full stack, everything from user space, to Linux kernel to the monitor code, to the TEE core itself and Trusted Applications. But again, you cannot create any secure products based on this setup, since there are gaps in the hardware design itself (and lack of documentation about it). If you have the ability to run OP-TEE on another device that actually _are_ secure, then it would be almost effortless to transfer the work you've done on the RPi3 to that particular device.
 
We also have plans together with Sequitur Labs to put up some documentation how to use cheap JTAG debuggers and OpenOCD for this setup. All in all, you can have complete TEE development environment with JTAG capabilities for under $100USD.
 
Regards,
Joakim
 
On 30 August 2016 at 18:48, LAMBERT Christopher <christopher.lambert@mythalesgroup.com> wrote:
Hello,

I'm very interested in OP-TEE for Raspberry Pi 3.

I've read https://github.com/OP-TEE/optee_os/blob/master/documentation/rpi3.md, especially the disclaimer part.
This part is not really clear to me:
"Although the Raspberry Pi3 processor provides ARM TrustZone
exception states, the mechanisms and hardware required to
implement secure boot, memory, peripherals or other secure
functions are not available"

What does it mean? Is it possible to have a secure boot with Raspberry Pi 3?

Thanks.

Best regards,

Christopher Lambert

_______________________________________________
Tee-dev mailing list
Tee-dev@lists.linaro.org
https://lists.linaro.org/mailman/listinfo/tee-dev