Hi Erwan,
On Fri, Nov 24, 2017 at 03:33:36PM +0000, erwan.louet@orange.com wrote:
> Joakim,
> Just my $.02 on this one: isn’t the point of TEEs to reduce the amount of code that they run, so that better trust can be put into it, and a comprehensive code review remains possible?

Yes, you are absolutely right here, we always need to be aware of the "functional creep", otherwise we end up in the same situation with a big TEE kernel sooner or later.

> Adding a full eMMC stack would mean a lot of code and a greater attack surface, wouldn’t it? I fear that at one point we need to consider implementing yet another trust level (we’d have to call them HTTs, Highly Trusted TEEs) because the amount of code in TEE has grown beyond control.

Exactly.

> On the other hand, given such problems as early security verifications during boot, we currently are left with a mix of ARM Trusted Firmware and proprietary code, which isn’t an ideal situation.

As mentioned, we haven't decided anything here yet, we have just started working with Android Verified Boot 2.0 and it'll take a bit more time until we start digging into the parts touching the TEE.
In summary, your point is absolutely valid and is something that must be considered.