TEE Proposed For Merging In Linux 4.12: "Trusted" Execution Environment


    Phoronix: TEE Proposed For Merging In Linux 4.12: "Trusted" Execution Environment

    The ARM folks have requested that the TEE subsystem and OP-TEE drivers be included in Linux 4.12, the Trusted Execution Environment...


  • #2
    Of course, any time "trusted" computing is brought up in Linux/open-source there are a fair number of concerned individuals

    Every time I see a news item about these trusted systems I can't help asking myself a few things:

    - Why isn't it named the "Don't trust the owner/user of this device" environment? Because that reflects what those things do.

    - Where can I buy new devices without that environment?

    I do understand there are use cases for such environments, but it's forced on everyone.



    • #3
      Originally posted by LoneVVolf:
      Why isn't it named the "Don't trust the owner/user of this device" environment? Because that reflects what those things do.

      Here the idea is to have separate storage for your private keys.
      So even if your machine is compromised, an attacker cannot retrieve your private keys.
      The keys never leave the TEE; to use them you must send an authentication to its own embedded OS, and then it will sign/decrypt what you require it to sign, with the key staying safely inside.

      So for once the user/owner isn't the untrusted person; this time it's instead any unauthorized user who might try to steal your key.

      At least that's the theory.

      (Think of it as the same role as that old laptop that never connects to the internet that you can use only to sign and encrypt things offline.
      - Except that laptop is entirely inside the same package as your internet laptop.
      - Because everything is inside the silicon, it's harder to get at the keys even if it gets stolen.
      - It communicates using a shared memory block, instead of through USB sticks, CD-ROMs, or printing/scanning and QR codes.
      - Whereas your crypto laptop runs a dedicated full-blown Linux distro that has been reviewed for security usage (e.g. TAILS), it runs whatever crap was installed by the hardware manufacturer. You can bet on some buggy, hastily patched Linux-based system.)

      In practice, given how juicy this is as a target, you can be sure that every possible government and even some large-scale criminal rings are going to try to write exploits to exfiltrate the private keys, or to run malware in the TEE with the goal of snooping outside of the supposed shared memory and thus snooping on whatever the main OS is doing on the main CPU.

      Originally posted by LoneVVolf:
      - Where can I buy new devices without that environment?

      Turning it on or off is done in the main system's firmware (UEFI or Legacy BIOS, whatever you have...)

      Now you just have to *hope* that your choice will be respected.

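A small model of the key-custody split DrYak describes above: the key is created and used only on the secure side, the normal world talks to it through one shared buffer, and every request carries an authentication token. This is an added example, not code from the post, from the kernel TEE subsystem or from OP-TEE; the SecureWorld/NormalWorld classes, the command layout and the HMAC-based signing and token check are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Return codes in the style of the TEE Client API; the numeric values are constructed.
TEE_SUCCESS, TEE_ERROR_ACCESS_DENIED, TEE_ERROR_BAD_PARAMETERS = 0x0, 0xFFFF0001, 0xFFFF0006
CMD_SIGN = 1  # the only command this hypothetical trusted application exposes

class SecureWorld:
    """Trusted OS plus trusted application (hypothetical): the key is made and used here only."""

    def __init__(self, auth_secret: bytes):
        self._key = secrets.token_bytes(32)   # constructed; a real TEE seals/derives this
        self._auth = auth_secret

    def invoke(self, shared: bytearray) -> int:
        # Layout of the shared buffer: cmd (1 byte) | auth token (32 bytes) | payload
        cmd, token, payload = shared[0], bytes(shared[1:33]), bytes(shared[33:])
        if not hmac.compare_digest(token, self._auth):
            shared[:] = b""                   # no proof of authorisation, no answer
            return TEE_ERROR_ACCESS_DENIED
        if cmd != CMD_SIGN:
            return TEE_ERROR_BAD_PARAMETERS
        shared[:] = hmac.new(self._key, payload, hashlib.sha256).digest()
        return TEE_SUCCESS

class NormalWorld:
    """REE side (Linux plus client app): owns the buffer and the user's token, never the key."""

    def __init__(self, tee: SecureWorld, auth_token: bytes):
        self.tee, self.auth_token = tee, auth_token
        self.shared, self.seen = bytearray(), bytearray()   # seen = all bytes that crossed

    def request_signature(self, msg: bytes):
        self.shared[:] = bytes([CMD_SIGN]) + self.auth_token + msg
        self.seen += self.shared              # what we sent across
        rc = self.tee.invoke(self.shared)
        self.seen += self.shared              # what came back
        return rc, bytes(self.shared)

def demo() -> dict:
    token = secrets.token_bytes(32)           # constructed user credential
    tee = SecureWorld(token)
    ree = NormalWorld(tee, token)
    rc_ok, sig = ree.request_signature(b"release-manifest-v1")
    # Code that owns the REE but lacks the token gets a refusal, not key bytes.
    rc_bad, _ = NormalWorld(tee, bytes(32)).request_signature(b"anything")
    return {"rc_ok": rc_ok, "sig_len": len(sig), "rc_bad": rc_bad,
            "key_leaked": tee._key in bytes(ree.seen)}   # peeking at _key is for the demo only
```

The model also shows the limit the post hints at: a compromised normal world that still holds a valid token can keep asking for signatures, so the TEE protects the key from extraction, not from use by whoever can present the token.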


      • #4
        Originally posted by DrYak:
        - Whereas your crypto laptop runs a dedicated full-blown Linux distro that has been reviewed for security usage (e.g. TAILS), it runs whatever crap was installed by the hardware manufacturer. You can bet on some buggy, hastily patched Linux-based system.

        No one runs Linux within TrustZone. Many systems use the ARM Trusted Firmware, which is 100% open source. Others run Trustonic. All Qualcomm chipsets utilize QSEE (Qualcomm Secure Execution Environment).

        All of these are wayyyy smaller than the Linux kernel. AFAIK there's no technical reason that the Linux kernel couldn't be run in TZ, but it would be stupid since 90% of the functionality would be useless.

        Originally posted by DrYak:
        Turning it on or off is done in the main system's firmware (UEFI or Legacy BIOS, whatever you have...)

        Now you just have to *hope* that your choice will be respected.

        I don't know of a single system where this is possible. Maybe the Raspberry Pi 3? But for all major TZ utilizers (ARM-based phones and cars) there's literally no way to turn it off, by design. In Qualcomm's boot chain, loading and jumping to TrustZone comes before getting to UEFI.

        Source: Qualcomm employee that works on QSEE.



        • #5
          Originally posted by LoneVVolf:
          - Why isn't it named the "Don't trust the owner/user of this device" environment? Because that reflects what those things do.

          That's because you are looking at it from the wrong point of view.

          These systems make your device "trusted" by third parties that want to show you stuff without having you steal it (this is the theory, anyway).

          Originally posted by LoneVVolf:
          - Where can I buy new devices without that environment?

          You can't. All relatively modern x86 processors from AMD and pretty much everything still worth using from Intel have that crap.

          In devices that have a decent BIOS/UEFI you can disable external access to them; in devices where there is no (shown) option, you cannot. On average, laptops have total shit BIOS so you can't disable them without hacking the embedded flash one way or another.



          • #6
            Originally posted by DrYak:
            Turning it on or off is done in the main system's firmware (UEFI or Legacy BIOS, whatever you have...)

            Now you just have to *hope* that your choice will be respected.

            That would be awesome. The main issue is that in most (all?) laptops you don't have that option.

            Not that the actual firmware cannot do that (it can); the fuckers usually have hidden away the option for some brain-dead reason.

            And I know very well, as I did extract and decompress my laptop's firmware. My board setup interface has like 3 lines (thankfully "virtualization" is one of them; back then in 2012 it was fun for Sony or Acer customers that didn't even have that).

            Then there are like 4 pages of options that I cannot edit because some joker decided to hide most panels and options, and the BIOS is signed so I cannot have someone hack it.

            AFAIK the only possibility is to read the flash chip with a hardware flasher, find where the VSS (UEFI settings storage database) is, then edit it using the offset and values read from the hidden interface I decompressed, and then reflash it manually with the hardware flasher. And I lack info on where that VSS is, or how to edit it properly.

            And the main reason I went this way was that some complete idiot enabled WoL in the BIOS on my laptop, so my laptop battery was draining for no reason even when turned off.

            I worked around it by adding a systemd unit calling a command to disable it on startup (and changing Windows settings for the same result), but I really wanted to solve this in the BIOS.

            After I decompressed and saw the hidden options, yeah, I could theoretically disable the PSP too, if the fuckers hadn't hidden it.

            And I'm not blaming HP for this; I never saw a half-decent BIOS interface in laptops of any brand.



            • #7
              Originally posted by urisma:
              I don't know of a single system where this is possible. Maybe the Raspberry Pi 3?

              It's possible to disable PSP access from the OS on AM4 socket boards (x86); there are options in the BIOS for that. PSP should be ARM TrustZone, right?

              The PSP isn't truly disabled though, as board initialization works similarly to what you said for Qualcomm: the PSP is responsible for starting up the x86 cores. If the PSP isn't started, no x86 cores come online.
