[Freedombox-discuss] Backdoor in military chips may also be in Freedombox

Wookey wookey at wookware.org
Thu Jun 28 18:39:14 UTC 2012

+++ freebirds at hushmail.com [2012-06-28 12:30 -0400]:
> Hash: SHA1
> I am requested that Freedombox
> ask ARM and  Marvell if there is a debugger, ARM's TrustZone,
> antitheft and a visible PSN.

xscale CPUs have a debug facility, consisting of 32K of sram which is
enabled in debug state allowing the CPU state to be interrogated
without affecting anything else about what is going on. This has been
documented in the xscale docs since they were released circa 2003. So
do other ARM CPUs, although manufacturer's implementations vary. I
believe all current CortexA series CPUs have Trustzone, but I could be
wrong. PSN processor serial number? xscales have an ID and chip
stepping. They don't have a unique serial number SFAIK. Embedding the
variation needed for serial numbers into chips is difficult so is not
normally done, but I haven't been taking much notice of hardware
details since xscale.

However the existence of these things is not the same as them being
any meaningful sort of threat. It depends on many things, like how the
SOC is connected up and exactly what the CPU's hardware capability is.
In general I'd bne a lot more worried about code running on the CPU in
the normal way than code accessing the debug and trustzone modes, but
those are obviously worth checking for vulnerabilities. If you succeed
in hacking trustzone you can probably make actual real money :-)

Principal hats:  Linaro, Emdebian, Wookware, Balloonboard, ARM

More information about the Freedombox-discuss mailing list