Firmwares with pure AArch32 TZ

[fxsheep]

Found some MSM8916 devices shipped with trustzone firmware running entirely in AArch32 mode (both EL3 and Secure EL1)

$readelf -a tz.elf ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: ARM Version: 0x1 Entry point address: 0x86500000 Start of program headers: 52 (bytes into file) Start of section headers: 0 (bytes into file) Flags: 0x5000002, Version5 EABI, Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 10 Size of section headers: 40 (bytes) Number of section headers: 0 Section header string table index: 0

There are two possible reasons for this. One is that QC switched to pure-AA32 TZBSP on LA at some point. Another is devices under Tested devices are actually using WP firmware, which has AA64 TZ(EL3-only) and HYP.

According to ARMv8-A spec, if EL3 runs in AArch32, then all lower ELs have to run under AA32 as well. Therefore, devices with these TZ firmwares, when flashed with qhypstub, won't boot anymore.

Possible solutions:

1. Flash a (WP?)TZ with an AArch64 EL3. (Afaik, QC SBL1 has support for automatically switching to 64 when the ELF is 64).
2. Redo everything EL2 and EL1(0) in AArch32 instead. Since Mainline has stopped supporting AArch32 KVM host, it'll be a dead end.

[stephan-gh]

All the devices under "Tested devices" have (firmware) secure boot disabled. This means it does not really matter which EL3/TZ firmware they used originally, since you can simply flash the tz firmware from other devices without issues.

I'm aware of three distinct TZ firmware versions for MSM8916:

1. AArch32 EL3: AArch64 EL2/1/0 is not possible there as you mentioned
2. AArch64 EL3 without PSCI: Both AArch64/32 possible but missing PSCI support is problematic for mainline Linux
3. AArch64 EL3 with PSCI: Best option for mainline Linux

Secure EL1 is always AArch32 as far as I know.

The TZ firmware version is typically related to the OS used on the device:

1. AArch32 EL3: Devices with Android 4.4, Windows (afaik)
2. AArch64 EL3 without PSCI: Most devices with Android 5.0+
3. AArch64 EL3 with PSCI: Only DragonBoard 410c (linux-board-support-package-r1034.2.1.zip)

If your device has (firmware) secure boot disabled I would recommend flashing the tz.mbn from the DragonBoard 410c firmware package (together with qhypstub or the hyp.mbn from there). I believe it should work with any version of the SBL1 firmware. I have used this approach on the Huawei Ascend G7 which normally has AArch32 TZ provided by Huawei.

Additional note: The syscall (scm) interface of the AArch64 TZ is different from the AArch32 version. The aboot firmware also needs to be compatible with that. I know one device where using lk1st was necessary because the original aboot was not compatible with the AArch64 TZ.

If your device has (firmware) secure boot enabled then there is likely little you can do without finding some exploit to load a custom TZ firmware. :/

Hope that helps. :)