The TrustZone (TZ) security extensions were introduced by ARM in the ARMv6 architecture and significantly redesigned for ARMv7. This hardware implementation of the TrustZone architecture provides a security framework that enables a device to counter many security threats at both the software and the hardware level.
The hardware support provided by ARM enables the design and implementation, in software, of applications or services that run in a secure environment. This secure environment is an isolated execution unit that establishes hardware separation from the nonsecure execution environments. TrustZone software is enabled on all MSM8960 and later chipsets.
QSEE software runs in the privileged mode of the TrustZone secure world. On cold boot, QSEE performs the security configuration of the SoC. QSEE also offers runtime services to the HLOS; these include power collapse, secure PIL, content protection, SSD, and others. QSEE also runs secure applications in User mode of the TrustZone secure world. QSEE runs from OCIMEM on high-tier MSM/APQ/MPQ chipsets and from DDR on MDMs and mid/low-tier MSM/APQ/MPQ chipsets.
LLVM compiler
QSEE 4.0 is compiled using the LLVM compiler. Previous TZ images were compiled using the ARM compiler, and there is no binary compatibility between images built with the two toolchains. Therefore, all secure applications must be recompiled using the LLVM compiler to run on QSEE 4.0.
TZ logging
For QSEE 4.0, an OEM can no longer temporarily enable TrustZone logging on secure boot-enabled devices by customizing the tzbsp_oem_allow_logging() function. Instead, the recommended approach is to enable logging through a debug policy. Refer to 80-NU498-1 for details.
BLSP QUP access driver
The BLSP QUP access driver is a TrustZone module that, at cold boot, assigns ownership of each BLSP QUP and UART instance to an execution environment (EE), as specified in the devcfg file QUPAC_<chip>_Access.xml.
OEMs should modify this XML file to specify which EE manages each SPI/I2C/UART instance. Because the assignment is applied once at cold boot, every instance must be accounted for in the file before the image is built. Examples are provided in Section 5.1.2.
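The following is an added example, not code from Qualcomm or from this document. It illustrates the kind of consistency check an OEM can run over an access-control table before building the TZ image: every instance has exactly one owner, every owner is a known EE, and instances the OEM intends to reserve for the secure world are in fact owned by TZ. The XML schema used here (a <driver> element containing <device id="..." owner="..."/> entries) is an assumption made for illustration; the real layout of QUPAC_<chip>_Access.xml is described in Section 5.1.2, and the checker would need its element and attribute names substituted.

```python
"""Consistency check for a BLSP QUP/UART access-control table.

Added example, not Qualcomm code. The XML layout is an assumed,
simplified schema, not the real QUPAC_<chip>_Access.xml format.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the assumed schema. It deliberately contains three
# mistakes: BLSP1_QUP2 is listed twice with different owners, BLSP2_UART1 is
# given to an EE the driver does not know, and BLSP2_QUP4 is missing.
SAMPLE_XML = """<?xml version="1.0"?>
<driver name="QUPAC">
  <device id="BLSP1_QUP1" owner="HLOS"/>
  <device id="BLSP1_QUP2" owner="TZ"/>
  <device id="BLSP1_QUP2" owner="HLOS"/>
  <device id="BLSP2_QUP3" owner="MSS"/>
  <device id="BLSP2_UART1" owner="WLAN"/>
</driver>
"""

# EE names accepted by this checker (assumed set, adjust to the target).
KNOWN_EES = {"HLOS", "TZ", "MSS", "ADSP"}

# Instances the OEM wants reserved for the secure world, e.g. a bus wired
# to a secure element or fingerprint sensor (assumed OEM policy).
SECURE_REQUIRED = {"BLSP1_QUP2", "BLSP2_QUP4"}


def parse_table(xml_text):
    """Return a list of (instance_id, owner_ee) pairs in file order."""
    root = ET.fromstring(xml_text)
    return [(dev.get("id"), dev.get("owner")) for dev in root.iter("device")]


def find_problems(entries, secure_required=SECURE_REQUIRED, known_ees=KNOWN_EES):
    """Return human-readable descriptions of every policy violation found."""
    problems = []
    owners = {}  # instance id -> set of EEs that claim it
    for inst, owner in entries:
        if owner not in known_ees:
            problems.append(f"{inst}: unknown EE '{owner}'")
        if inst in owners and owner not in owners[inst]:
            previous = ", ".join(sorted(owners[inst]))
            problems.append(f"{inst}: assigned to both {previous} and {owner}")
        owners.setdefault(inst, set()).add(owner)

    # An instance reserved for the secure world must be owned by TZ and by
    # nobody else; an unlisted instance is reported as well, since the driver
    # cannot grant TZ ownership of something the table never mentions.
    for inst in sorted(secure_required):
        claimed = owners.get(inst)
        if claimed != {"TZ"}:
            found = ", ".join(sorted(claimed)) if claimed else "none"
            problems.append(f"{inst}: must be owned exclusively by TZ, found {found}")
    return problems


if __name__ == "__main__":
    for line in find_problems(parse_table(SAMPLE_XML)):
        print(line)
```

A clean table (each instance listed once, every owner known, every reserved instance owned only by TZ) produces an empty list, which makes the check easy to wire into a build step that fails when the list is non-empty.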
Location of the BLSP QUP access driver
For the MSM8996, the device configuration file that OEMs can modify is located at:
<TZ Build>\trustzone_images\core\buses\qup_accesscontrol\config\QUPAC_8996_Access.xml