Difference between revisions of "Security"

From MILEDROPEDIA
(M-Shield)
(Added fuse reading and blowing functions listings)
Line 5: Line 5:
 
* '''eFuse''' cells for one-time blowing to increment counter for security purposes
 
* '''eFuse''' cells for one-time blowing to increment counter for security purposes
 
* '''M-Shield''' protection, solution from Texas Instruments special for cellular networks (similar as SecureShield from Quallcomm)
 
* '''M-Shield''' protection, solution from Texas Instruments special for cellular networks (similar as SecureShield from Quallcomm)
 +
 +
'''Listing 1.''' Fuse blowing functions from mbmloader
 +
<syntaxhighlight lang="asm" line>
 +
048AC                ; =============== S U B R O U T I N E =======================================
 +
ROM:870048AC
 +
ROM:870048AC
 +
ROM:870048AC                ; int __cdecl fuse_blow_BS_DIS()
 +
ROM:870048AC                fuse_blow_BS_DIS
 +
ROM:870048AC 000 10 B5                      PUSH    {R4,LR}                            ; Push registers
 +
ROM:870048AE 008 10 24                      MOVS    R4, #0x10                          ; Rd = Op2
 +
ROM:870048B0 008 01 21                      MOVS    R1, #1                              ; value
 +
ROM:870048B2 008 6E 20                      MOVS    R0, #SEC_BS_DIS                    ; fuse_entry_number
 +
ROM:870048B4 008 FF F7 70 FF                BL      fuse_blow_byte                      ; Branch with Link
 +
ROM:870048B8 008 04 46                      MOV    R4, R0                              ; Rd = Op2
 +
ROM:870048BA 008 20 46                      MOV    R0, R4                              ; Rd = Op2
 +
ROM:870048BC 008 10 BD                      POP    {R4,PC}                            ; Pop registers
 +
ROM:870048BC                ; End of function fuse_blow_BS_DIS
 +
ROM:870048BC
 +
 +
ROM:870048E2                ; =============== S U B R O U T I N E =======================================
 +
ROM:870048E2
 +
ROM:870048E2
 +
ROM:870048E2                ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)
 +
ROM:870048E2                fuse_blow_CUSTOM
 +
ROM:870048E2 000 70 B5                      PUSH    {R4-R6,LR}                          ; Push registers
 +
ROM:870048E4 010 04 46                      MOV    R4, R0                              ; Rd = Op2
 +
ROM:870048E6 010 0D 46                      MOV    R5, R1                              ; Rd = Op2
 +
ROM:870048E8 010 10 26                      MOVS    R6, #0x10                          ; Rd = Op2
 +
ROM:870048EA 010 A9 B2                      UXTH    R1, R5                              ; Unsigned extend halfword to word
 +
ROM:870048EC 010 20 46                      MOV    R0, R4                              ; fuse_entry_number
 +
ROM:870048EE 010 FF F7 53 FF                BL      fuse_blow_byte                      ; Branch with Link
 +
ROM:870048F2 010 06 46                      MOV    R6, R0                              ; Rd = Op2
 +
ROM:870048F4 010 30 46                      MOV    R0, R6                              ; Rd = Op2
 +
ROM:870048F6 010 70 BD                      POP    {R4-R6,PC}                          ; Pop registers
 +
ROM:870048F6                ; End of function fuse_blow_CUSTOM
 +
ROM:870048F6
 +
ROM:870048F8
 +
ROM:870048F8                ; =============== S U B R O U T I N E =======================================
 +
ROM:870048F8
 +
ROM:870048F8
 +
ROM:870048F8                ; int __cdecl fuse_blow_PRODUCTION()
 +
ROM:870048F8                fuse_blow_PRODUCTION
 +
ROM:870048F8 000 10 B5                      PUSH    {R4,LR}                            ; Push registers
 +
ROM:870048FA 008 10 24                      MOVS    R4, #0x10                          ; Rd = Op2
 +
ROM:870048FC 008 01 21                      MOVS    R1, #1                              ; value
 +
ROM:870048FE 008 70 20                      MOVS    R0, #SEC_PROD                      ; fuse_entry_number
 +
ROM:87004900 008 FF F7 4A FF                BL      fuse_blow_byte                      ; Branch with Link
 +
ROM:87004904 008 04 46                      MOV    R4, R0                              ; Rd = Op2
 +
ROM:87004906 008 20 46                      MOV    R0, R4                              ; Rd = Op2
 +
ROM:87004908 008 10 BD                      POP    {R4,PC}                            ; Pop registers
 +
ROM:87004908                ; End of function fuse_blow_PRODUCTION
 +
ROM:87004908
 +
ROM:8700490A
 +
ROM:8700490A                ; =============== S U B R O U T I N E =======================================
 +
ROM:8700490A
 +
ROM:8700490A
 +
ROM:8700490A                ; int __cdecl fuse_blow_ENGINEERING()
 +
ROM:8700490A                fuse_blow_ENGINEERING                                      ; CODE XREF: main+20
 +
ROM:8700490A 000 10 B5                      PUSH    {R4,LR}                            ; Push registers
 +
ROM:8700490C 008 10 24                      MOVS    R4, #0x10                          ; Rd = Op2
 +
ROM:8700490E 008 01 21                      MOVS    R1, #1                              ; value
 +
ROM:87004910 008 6F 20                      MOVS    R0, #SEC_ENG                        ; fuse_entry_number
 +
ROM:87004912 008 FF F7 41 FF                BL      fuse_blow_byte                      ; Branch with Link
 +
ROM:87004916 008 04 46                      MOV    R4, R0                              ; Rd = Op2
 +
ROM:87004918 008 20 46                      MOV    R0, R4                              ; Rd = Op2
 +
ROM:8700491A 008 10 BD                      POP    {R4,PC}                            ; Pop registers
 +
ROM:8700491A                ; End of function fuse_blow_ENGINEERING
 +
</syntaxhighlight>
 +
 +
 +
'''Listing 2.''' Fuse reading functions from mbmloader
 +
<syntaxhighlight lang="asm" line>
 +
ROM:870046DA                ; =============== S U B R O U T I N E =======================================
 +
ROM:870046DA
 +
ROM:870046DA
 +
ROM:870046DA                ; int __cdecl fuse_read_byte(int fuse_entry_number)
 +
ROM:870046DA                fuse_read_byte                                              ; CODE XREF: check_SMID+6�p
 +
ROM:870046DA                                                                            ; fuse_read_BS_DIS+6�p ...
 +
ROM:870046DA 000 70 B5                      PUSH    {R4-R6,LR}                          ; Push registers
 +
ROM:870046DC 010 04 46                      MOV    R4, R0                              ; Rd = Op2
 +
ROM:870046DE 010 9D 4D                      LDR    R5, =0xDEADBEEF                    ; Load from Memory
 +
ROM:870046E0 010 A4 F1 65 00                SUB.W  R0, R4, #0x65                      ; switch 16 cases
 +
ROM:870046E4 010 10 28                      CMP    R0, #0x10                          ; Set cond. codes on Op1 - Op2
 +
ROM:870046E6 010 53 D2                      BCS    do_nothing                          ; default
 +
ROM:870046E6                                                                            ; jumptable 10006CE8 cases 102,103,107,109,114
 +
ROM:870046E8 010 DF E8 00 F0                TBB.W  [PC,R0]                            ; switch jump
 +
ROM:870046E8 010            ; ---------------------------------------------------------------------------
 +
ROM:870046EC 010 08          jpt_10006CE8    DCB 8                                      ; jump table for switch statement
 +
ROM:870046ED 010 52                          DCB 0x52
 +
ROM:870046EE 010 52                          DCB 0x52
 +
ROM:870046EF 010 11                          DCB 0x11
 +
ROM:870046F0 010 1A                          DCB 0x1A
 +
ROM:870046F1 010 22                          DCB 0x22
 +
ROM:870046F2 010 52                          DCB 0x52
 +
ROM:870046F3 010 2A                          DCB 0x2A
 +
ROM:870046F4 010 52                          DCB 0x52
 +
ROM:870046F5 010 32                          DCB 0x32
 +
ROM:870046F6 010 37                          DCB 0x37
 +
ROM:870046F7 010 3D                          DCB 0x3D
 +
ROM:870046F8 010 43                          DCB 0x43
 +
ROM:870046F9 010 52                          DCB 0x52
 +
ROM:870046FA 010 4D                          DCB 0x4D
 +
ROM:870046FB 010 51                          DCB 0x51
 +
ROM:870046FC                ; ---------------------------------------------------------------------------
 +
ROM:870046FC 010 03 20                      MOVS    R0, #3                              ; jumptable 10006CE8 case 101
 +
ROM:870046FE 010 FF F7 B5 FF                BL      fuse_read_word                      ; Branch with Link
 +
ROM:87004702 010 06 12                      ASRS    R6, R0, #8                          ; Arithmetic Shift Right
 +
ROM:87004704 010 30 46                      MOV    R0, R6                              ; Rd = Op2
 +
ROM:87004706 010 FF F7 D6 FF                BL      count_1                            ; Branch with Link
 +
ROM:8700470A 010 05 46                      MOV    R5, R0                              ; Rd = Op2
 +
ROM:8700470C 010 41 E0                      B      return                              ; Branch
 +
ROM:8700470E                ; ---------------------------------------------------------------------------
 +
ROM:8700470E 010 03 20                      MOVS    R0, #3                              ; jumptable 10006CE8 case 104
 +
ROM:87004710 010 FF F7 AC FF                BL      fuse_read_word                      ; Branch with Link
 +
ROM:87004714 010 C6 B2                      UXTB    R6, R0                              ; Unsigned extend byte to word
 +
ROM:87004716 010 30 46                      MOV    R0, R6                              ; Rd = Op2
 +
ROM:87004718 010 FF F7 CD FF                BL      count_1                            ; Branch with Link
 +
ROM:8700471C 010 05 46                      MOV    R5, R0                              ; Rd = Op2
 +
ROM:8700471E 010 38 E0                      B      return                              ; Branch
 +
ROM:87004720                ; ---------------------------------------------------------------------------
 +
ROM:87004720 010 02 20                      MOVS    R0, #2                              ; jumptable 10006CE8 case 105
 +
ROM:87004722 010 FF F7 A3 FF                BL      fuse_read_word                      ; Branch with Link
 +
ROM:87004726 010 06 46                      MOV    R6, R0                              ; Rd = Op2
 +
ROM:87004728 010 FF F7 C5 FF                BL      count_1                            ; Branch with Link
 +
ROM:8700472C 010 05 46                      MOV    R5, R0                              ; Rd = Op2
 +
ROM:8700472E 010 30 E0                      B      return                              ; Branch
 +
ROM:87004730                ; ---------------------------------------------------------------------------
 +
ROM:87004730 010 01 20                      MOVS    R0, #1                              ; jumptable 10006CE8 case 106
 +
ROM:87004732 010 FF F7 9B FF                BL      fuse_read_word                      ; Branch with Link
 +
ROM:87004736 010 06 46                      MOV    R6, R0                              ; Rd = Op2
 +
ROM:87004738 010 FF F7 BD FF                BL      count_1                            ; Branch with Link
 +
ROM:8700473C 010 05 46                      MOV    R5, R0                              ; Rd = Op2
 +
ROM:8700473E 010 28 E0                      B      return                              ; Branch
 +
ROM:87004740                ; ---------------------------------------------------------------------------
 +
ROM:87004740 010 00 20                      MOVS    R0, #0                              ; jumptable 10006CE8 case 108
 +
ROM:87004742 010 FF F7 93 FF                BL      fuse_read_word                      ; Branch with Link
 +
ROM:87004746 010 06 46                      MOV    R6, R0                              ; Rd = Op2
 +
ROM:87004748 010 FF F7 B5 FF                BL      count_1                            ; Branch with Link
 +
ROM:8700474C 010 05 46                      MOV    R5, R0                              ; Rd = Op2
 +
ROM:8700474E 010 20 E0                      B      return                              ; Branch
 +
ROM:87004750                ; ---------------------------------------------------------------------------
 +
ROM:87004750 010 04 20                      MOVS    R0, #4                              ; jumptable 10006CE8 case 110
 +
ROM:87004752 010 FF F7 8B FF                BL      fuse_read_word                      ; Branch with Link
 +
ROM:87004756 010 C5 13                      ASRS    R5, R0, #0xF                        ; Arithmetic Shift Right
 +
ROM:87004758 010 1B E0                      B      return                              ; Branch
 +
ROM:8700475A                ; ---------------------------------------------------------------------------
 +
ROM:8700475A 010 04 20                      MOVS    R0, #4                              ; jumptable 10006CE8 case 111
 +
ROM:8700475C 010 FF F7 86 FF                BL      fuse_read_word                      ; Branch with Link
 +
ROM:87004760 010 C0 F3 40 35                UBFX.W  R5, R0, #0xD, #1                    ; Unsigned Bit Field Extract
 +
ROM:87004764 010 15 E0                      B      return                              ; Branch
 +
ROM:87004766                ; ---------------------------------------------------------------------------
 +
ROM:87004766 010 04 20                      MOVS    R0, #4                              ; jumptable 10006CE8 case 112
 +
ROM:87004768 010 FF F7 80 FF                BL      fuse_read_word                      ; Branch with Link
 +
ROM:8700476C 010 C0 F3 80 35                UBFX.W  R5, R0, #0xE, #1                    ; Unsigned Bit Field Extract
 +
ROM:87004770 010 0F E0                      B      return                              ; Branch
 +
ROM:87004772                ; ---------------------------------------------------------------------------
 +
ROM:87004772 010 04 20                      MOVS    R0, #4                              ; jumptable 10006CE8 case 113
 +
ROM:87004774 010 FF F7 7A FF                BL      fuse_read_word                      ; Branch with Link
 +
ROM:87004778 010 C0 F3 04 26                UBFX.W  R6, R0, #8, #5                      ; Unsigned Bit Field Extract
 +
ROM:8700477C 010 30 46                      MOV    R0, R6                              ; Rd = Op2
 +
ROM:8700477E 010 FF F7 9A FF                BL      count_1                            ; Branch with Link
 +
ROM:87004782 010 05 46                      MOV    R5, R0                              ; Rd = Op2
 +
ROM:87004784 010 05 E0                      B      return                              ; Branch
 +
ROM:87004786                ; ---------------------------------------------------------------------------
 +
ROM:87004786 010 74 48                      LDR    R0, =0x480023B4                    ; jumptable 10006CE8 case 115
 +
ROM:87004788 010 00 68                      LDR    R0, [R0]                            ; Load from Memory
 +
ROM:8700478A 010 85 B2                      UXTH    R5, R0                              ; Unsigned extend halfword to word
 +
ROM:8700478C 010 01 E0                      B      return                              ; Branch
 +
ROM:8700478E                ; ---------------------------------------------------------------------------
 +
ROM:8700478E 010 00 BF                      NOP                                        ; jumptable 10006CE8 case 116
 +
ROM:87004790
 +
ROM:87004790                do_nothing                                                  ; CODE XREF: fuse_read_byte+C�j
 +
ROM:87004790 010 00 BF                      NOP                                        ; default
 +
ROM:87004790                                                                            ; jumptable 10006CE8 cases 102,103,107,109,114
 +
ROM:87004792
 +
ROM:87004792                return                                                      ; CODE XREF: fuse_read_byte+32�j
 +
ROM:87004792                                                                            ; fuse_read_byte+44�j ...
 +
ROM:87004792 010 00 BF                      NOP                                        ; No Operation
 +
ROM:87004794 010 28 46                      MOV    R0, R5                              ; Rd = Op2
 +
ROM:87004796 010 70 BD                      POP    {R4-R6,PC}                          ; Pop registers
 +
ROM:87004796                ; End of function fuse_read_byte
 +
 +
ROM:870048BE
 +
ROM:870048BE                ; =============== S U B R O U T I N E =======================================
 +
ROM:870048BE
 +
ROM:870048BE
 +
ROM:870048BE                ; int __cdecl fuse_read_BS_DIS()
 +
ROM:870048BE                fuse_read_BS_DIS                                            ; CODE XREF: check_BS_DIS+4
 +
ROM:870048BE 000 10 B5                      PUSH    {R4,LR}                            ; Push registers
 +
ROM:870048C0 008 10 24                      MOVS    R4, #0x10                          ; Rd = Op2
 +
ROM:870048C2 008 6E 20                      MOVS    R0, #SEC_BS_DIS                    ; fuse_entry_number
 +
ROM:870048C4 008 FF F7 09 FF                BL      fuse_read_byte                      ; Branch with Link
 +
ROM:870048C8 008 00 B9                      CBNZ    R0, return                          ; Compare and Branch on Non-Zero
 +
ROM:870048CA 008 00 24                      MOVS    R4, #0                              ; Rd = Op2
 +
ROM:870048CC
 +
ROM:870048CC                return                                                      ; CODE XREF: fuse_read_BS_DIS+A
 +
ROM:870048CC 008 20 46                      MOV    R0, R4                              ; Rd = Op2
 +
ROM:870048CE 008 10 BD                      POP    {R4,PC}                            ; Pop registers
 +
ROM:870048CE                ; End of function fuse_read_BS_DIS
 +
ROM:870048CE
 +
ROM:870048D0
 +
ROM:870048D0                ; =============== S U B R O U T I N E =======================================
 +
ROM:870048D0
 +
ROM:870048D0
 +
ROM:870048D0                ; int __cdecl fuse_read_SECVER(int entry_number)
 +
ROM:870048D0                fuse_read_SECVER                                            ; CODE XREF: check_secure_version+14
 +
ROM:870048D0 000 70 B5                      PUSH    {R4-R6,LR}                          ; Push registers
 +
ROM:870048D2 010 04 46                      MOV    R4, R0                              ; Rd = Op2
 +
ROM:870048D4 010 00 25                      MOVS    R5, #0                              ; Rd = Op2
 +
ROM:870048D6 010 20 46                      MOV    R0, R4                              ; fuse_entry_number
 +
ROM:870048D8 010 FF F7 FF FE                BL      fuse_read_byte                      ; Branch with Link
 +
ROM:870048DC 010 05 46                      MOV    R5, R0                              ; Rd = Op2
 +
ROM:870048DE 010 28 46                      MOV    R0, R5                              ; Rd = Op2
 +
ROM:870048E0 010 70 BD                      POP    {R4-R6,PC}                          ; Pop registers
 +
ROM:870048E0                ; End of function fuse_read_SECVER
 +
ROM:870048E0
 +
ROM:870048E2
 +
</syntaxhighlight>
  
 
=== M-Shield ===
 
=== M-Shield ===
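Review bot: the first header line of Listing 1 is truncated to `048AC` while every other subroutine header in this hunk reads `ROM:870048AC`; restore the `ROM:870` prefix so the listing starts in the same address column as the rest. The listings also leave the return convention undocumented: each `fuse_blow_*` wrapper preloads R4 (or R6) with 0x10 and then unconditionally overwrites it with the result of `fuse_blow_byte`, `fuse_read_byte` preloads R5 with 0xDEADBEEF as the result for the unhandled cases (102, 103, 107, 109, 114, 116) and for any entry outside 101..116, and `fuse_read_BS_DIS` returns 0x10 when its entry reads non-zero and 0 otherwise. A short note above each listing stating what `fuse_blow_byte`, `fuse_read_word` and `count_1` return, plus the values behind the symbolic entry numbers (the immediates in the hunk are `#SEC_BS_DIS` = 0x6E, `#SEC_ENG` = 0x6F, `#SEC_PROD` = 0x70, which land on cases 110, 111 and 112 of `fuse_read_byte`), would let readers interpret these values without the missing bodies.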

Revision as of 22:52, 26 August 2010

Introduction

The security of Motorola Droid-family phones is based on two important technologies:

  • eFuse cells, blown once and irreversibly, used to increment a counter for security purposes
  • M-Shield protection, a solution from Texas Instruments designed specifically for cellular networks (similar to SecureShield from Qualcomm)

Listing 1. Fuse blowing functions from mbmloader

  048AC                 ; =============== S U B R O U T I N E =======================================
  ROM:870048AC
  ROM:870048AC
  ROM:870048AC                 ; int __cdecl fuse_blow_BS_DIS()
  ROM:870048AC                 fuse_blow_BS_DIS
  ROM:870048AC 000 10 B5                       PUSH    {R4,LR}                             ; Push registers
  ROM:870048AE 008 10 24                       MOVS    R4, #0x10                           ; Rd = Op2
  ROM:870048B0 008 01 21                       MOVS    R1, #1                              ; value
  ROM:870048B2 008 6E 20                       MOVS    R0, #SEC_BS_DIS                     ; fuse_entry_number
  ROM:870048B4 008 FF F7 70 FF                 BL      fuse_blow_byte                      ; Branch with Link
  ROM:870048B8 008 04 46                       MOV     R4, R0                              ; Rd = Op2
  ROM:870048BA 008 20 46                       MOV     R0, R4                              ; Rd = Op2
  ROM:870048BC 008 10 BD                       POP     {R4,PC}                             ; Pop registers
  ROM:870048BC                 ; End of function fuse_blow_BS_DIS
  ROM:870048BC

  ROM:870048E2                 ; =============== S U B R O U T I N E =======================================
  ROM:870048E2
  ROM:870048E2
  ROM:870048E2                 ; int __cdecl fuse_blow_CUSTOM(int fuse_entry_number, int value)
  ROM:870048E2                 fuse_blow_CUSTOM
  ROM:870048E2 000 70 B5                       PUSH    {R4-R6,LR}                          ; Push registers
  ROM:870048E4 010 04 46                       MOV     R4, R0                              ; Rd = Op2
  ROM:870048E6 010 0D 46                       MOV     R5, R1                              ; Rd = Op2
  ROM:870048E8 010 10 26                       MOVS    R6, #0x10                           ; Rd = Op2
  ROM:870048EA 010 A9 B2                       UXTH    R1, R5                              ; Unsigned extend halfword to word
  ROM:870048EC 010 20 46                       MOV     R0, R4                              ; fuse_entry_number
  ROM:870048EE 010 FF F7 53 FF                 BL      fuse_blow_byte                      ; Branch with Link
  ROM:870048F2 010 06 46                       MOV     R6, R0                              ; Rd = Op2
  ROM:870048F4 010 30 46                       MOV     R0, R6                              ; Rd = Op2
  ROM:870048F6 010 70 BD                       POP     {R4-R6,PC}                          ; Pop registers
  ROM:870048F6                 ; End of function fuse_blow_CUSTOM
  ROM:870048F6
  ROM:870048F8
  ROM:870048F8                 ; =============== S U B R O U T I N E =======================================
  ROM:870048F8
  ROM:870048F8
  ROM:870048F8                 ; int __cdecl fuse_blow_PRODUCTION()
  ROM:870048F8                 fuse_blow_PRODUCTION
  ROM:870048F8 000 10 B5                       PUSH    {R4,LR}                             ; Push registers
  ROM:870048FA 008 10 24                       MOVS    R4, #0x10                           ; Rd = Op2
  ROM:870048FC 008 01 21                       MOVS    R1, #1                              ; value
  ROM:870048FE 008 70 20                       MOVS    R0, #SEC_PROD                       ; fuse_entry_number
  ROM:87004900 008 FF F7 4A FF                 BL      fuse_blow_byte                      ; Branch with Link
  ROM:87004904 008 04 46                       MOV     R4, R0                              ; Rd = Op2
  ROM:87004906 008 20 46                       MOV     R0, R4                              ; Rd = Op2
  ROM:87004908 008 10 BD                       POP     {R4,PC}                             ; Pop registers
  ROM:87004908                 ; End of function fuse_blow_PRODUCTION
  ROM:87004908
  ROM:8700490A
  ROM:8700490A                 ; =============== S U B R O U T I N E =======================================
  ROM:8700490A
  ROM:8700490A
  ROM:8700490A                 ; int __cdecl fuse_blow_ENGINEERING()
  ROM:8700490A                 fuse_blow_ENGINEERING                                       ; CODE XREF: main+20
  ROM:8700490A 000 10 B5                       PUSH    {R4,LR}                             ; Push registers
  ROM:8700490C 008 10 24                       MOVS    R4, #0x10                           ; Rd = Op2
  ROM:8700490E 008 01 21                       MOVS    R1, #1                              ; value
  ROM:87004910 008 6F 20                       MOVS    R0, #SEC_ENG                        ; fuse_entry_number
  ROM:87004912 008 FF F7 41 FF                 BL      fuse_blow_byte                      ; Branch with Link
  ROM:87004916 008 04 46                       MOV     R4, R0                              ; Rd = Op2
  ROM:87004918 008 20 46                       MOV     R0, R4                              ; Rd = Op2
  ROM:8700491A 008 10 BD                       POP     {R4,PC}                             ; Pop registers
  ROM:8700491A                 ; End of function fuse_blow_ENGINEERING


Listing 2. Fuse reading functions from mbmloader

  ROM:870046DA                 ; =============== S U B R O U T I N E =======================================
  ROM:870046DA
  ROM:870046DA
  ROM:870046DA                 ; int __cdecl fuse_read_byte(int fuse_entry_number)
  ROM:870046DA                 fuse_read_byte                                              ; CODE XREF: check_SMID+6�p
  ROM:870046DA                                                                             ; fuse_read_BS_DIS+6�p ...
  ROM:870046DA 000 70 B5                       PUSH    {R4-R6,LR}                          ; Push registers
  ROM:870046DC 010 04 46                       MOV     R4, R0                              ; Rd = Op2
  ROM:870046DE 010 9D 4D                       LDR     R5, =0xDEADBEEF                     ; Load from Memory
  ROM:870046E0 010 A4 F1 65 00                 SUB.W   R0, R4, #0x65                       ; switch 16 cases
  ROM:870046E4 010 10 28                       CMP     R0, #0x10                           ; Set cond. codes on Op1 - Op2
  ROM:870046E6 010 53 D2                       BCS     do_nothing                          ; default
  ROM:870046E6                                                                             ; jumptable 10006CE8 cases 102,103,107,109,114
  ROM:870046E8 010 DF E8 00 F0                 TBB.W   [PC,R0]                             ; switch jump
  ROM:870046E8 010             ; ---------------------------------------------------------------------------
  ROM:870046EC 010 08          jpt_10006CE8    DCB 8                                       ; jump table for switch statement
  ROM:870046ED 010 52                          DCB 0x52
  ROM:870046EE 010 52                          DCB 0x52
  ROM:870046EF 010 11                          DCB 0x11
  ROM:870046F0 010 1A                          DCB 0x1A
  ROM:870046F1 010 22                          DCB 0x22
  ROM:870046F2 010 52                          DCB 0x52
  ROM:870046F3 010 2A                          DCB 0x2A
  ROM:870046F4 010 52                          DCB 0x52
  ROM:870046F5 010 32                          DCB 0x32
  ROM:870046F6 010 37                          DCB 0x37
  ROM:870046F7 010 3D                          DCB 0x3D
  ROM:870046F8 010 43                          DCB 0x43
  ROM:870046F9 010 52                          DCB 0x52
  ROM:870046FA 010 4D                          DCB 0x4D
  ROM:870046FB 010 51                          DCB 0x51
  ROM:870046FC                 ; ---------------------------------------------------------------------------
  ROM:870046FC 010 03 20                       MOVS    R0, #3                              ; jumptable 10006CE8 case 101
  ROM:870046FE 010 FF F7 B5 FF                 BL      fuse_read_word                      ; Branch with Link
  ROM:87004702 010 06 12                       ASRS    R6, R0, #8                          ; Arithmetic Shift Right
  ROM:87004704 010 30 46                       MOV     R0, R6                              ; Rd = Op2
  ROM:87004706 010 FF F7 D6 FF                 BL      count_1                             ; Branch with Link
  ROM:8700470A 010 05 46                       MOV     R5, R0                              ; Rd = Op2
  ROM:8700470C 010 41 E0                       B       return                              ; Branch
  ROM:8700470E                 ; ---------------------------------------------------------------------------
  ROM:8700470E 010 03 20                       MOVS    R0, #3                              ; jumptable 10006CE8 case 104
  ROM:87004710 010 FF F7 AC FF                 BL      fuse_read_word                      ; Branch with Link
  ROM:87004714 010 C6 B2                       UXTB    R6, R0                              ; Unsigned extend byte to word
  ROM:87004716 010 30 46                       MOV     R0, R6                              ; Rd = Op2
  ROM:87004718 010 FF F7 CD FF                 BL      count_1                             ; Branch with Link
  ROM:8700471C 010 05 46                       MOV     R5, R0                              ; Rd = Op2
  ROM:8700471E 010 38 E0                       B       return                              ; Branch
  ROM:87004720                 ; ---------------------------------------------------------------------------
  ROM:87004720 010 02 20                       MOVS    R0, #2                              ; jumptable 10006CE8 case 105
  ROM:87004722 010 FF F7 A3 FF                 BL      fuse_read_word                      ; Branch with Link
  ROM:87004726 010 06 46                       MOV     R6, R0                              ; Rd = Op2
  ROM:87004728 010 FF F7 C5 FF                 BL      count_1                             ; Branch with Link
  ROM:8700472C 010 05 46                       MOV     R5, R0                              ; Rd = Op2
  ROM:8700472E 010 30 E0                       B       return                              ; Branch
  ROM:87004730                 ; ---------------------------------------------------------------------------
  ROM:87004730 010 01 20                       MOVS    R0, #1                              ; jumptable 10006CE8 case 106
  ROM:87004732 010 FF F7 9B FF                 BL      fuse_read_word                      ; Branch with Link
  ROM:87004736 010 06 46                       MOV     R6, R0                              ; Rd = Op2
  ROM:87004738 010 FF F7 BD FF                 BL      count_1                             ; Branch with Link
  ROM:8700473C 010 05 46                       MOV     R5, R0                              ; Rd = Op2
  ROM:8700473E 010 28 E0                       B       return                              ; Branch
  ROM:87004740                 ; ---------------------------------------------------------------------------
  ROM:87004740 010 00 20                       MOVS    R0, #0                              ; jumptable 10006CE8 case 108
  ROM:87004742 010 FF F7 93 FF                 BL      fuse_read_word                      ; Branch with Link
  ROM:87004746 010 06 46                       MOV     R6, R0                              ; Rd = Op2
  ROM:87004748 010 FF F7 B5 FF                 BL      count_1                             ; Branch with Link
  ROM:8700474C 010 05 46                       MOV     R5, R0                              ; Rd = Op2
  ROM:8700474E 010 20 E0                       B       return                              ; Branch
  ROM:87004750                 ; ---------------------------------------------------------------------------
  ROM:87004750 010 04 20                       MOVS    R0, #4                              ; jumptable 10006CE8 case 110
  ROM:87004752 010 FF F7 8B FF                 BL      fuse_read_word                      ; Branch with Link
  ROM:87004756 010 C5 13                       ASRS    R5, R0, #0xF                        ; Arithmetic Shift Right
  ROM:87004758 010 1B E0                       B       return                              ; Branch
  ROM:8700475A                 ; ---------------------------------------------------------------------------
  ROM:8700475A 010 04 20                       MOVS    R0, #4                              ; jumptable 10006CE8 case 111
  ROM:8700475C 010 FF F7 86 FF                 BL      fuse_read_word                      ; Branch with Link
  ROM:87004760 010 C0 F3 40 35                 UBFX.W  R5, R0, #0xD, #1                    ; Unsigned Bit Field Extract
  ROM:87004764 010 15 E0                       B       return                              ; Branch
  ROM:87004766                 ; ---------------------------------------------------------------------------
  ROM:87004766 010 04 20                       MOVS    R0, #4                              ; jumptable 10006CE8 case 112
  ROM:87004768 010 FF F7 80 FF                 BL      fuse_read_word                      ; Branch with Link
  ROM:8700476C 010 C0 F3 80 35                 UBFX.W  R5, R0, #0xE, #1                    ; Unsigned Bit Field Extract
  ROM:87004770 010 0F E0                       B       return                              ; Branch
  ROM:87004772                 ; ---------------------------------------------------------------------------
  ROM:87004772 010 04 20                       MOVS    R0, #4                              ; jumptable 10006CE8 case 113
  ROM:87004774 010 FF F7 7A FF                 BL      fuse_read_word                      ; Branch with Link
  ROM:87004778 010 C0 F3 04 26                 UBFX.W  R6, R0, #8, #5                      ; Unsigned Bit Field Extract
  ROM:8700477C 010 30 46                       MOV     R0, R6                              ; Rd = Op2
  89. ROM:8700477E 010 FF F7 9A FF                 BL      count_1                             ; Branch with Link
  90. ROM:87004782 010 05 46                       MOV     R5, R0                              ; Rd = Op2
  91. ROM:87004784 010 05 E0                       B       return                              ; Branch
  92. ROM:87004786                 ; ---------------------------------------------------------------------------
  93. ROM:87004786 010 74 48                       LDR     R0, =0x480023B4                     ; jumptable 10006CE8 case 115
  94. ROM:87004788 010 00 68                       LDR     R0, [R0]                            ; Load from Memory
  95. ROM:8700478A 010 85 B2                       UXTH    R5, R0                              ; Unsigned extend halfword to word
  96. ROM:8700478C 010 01 E0                       B       return                              ; Branch
  97. ROM:8700478E                 ; ---------------------------------------------------------------------------
  98. ROM:8700478E 010 00 BF                       NOP                                         ; jumptable 10006CE8 case 116
  99. ROM:87004790
  100. ROM:87004790                 do_nothing                                                  ; CODE XREF: fuse_read_byte+C�j
  101. ROM:87004790 010 00 BF                       NOP                                         ; default
  102. ROM:87004790                                                                             ; jumptable 10006CE8 cases 102,103,107,109,114
  103. ROM:87004792
  104. ROM:87004792                 return                                                      ; CODE XREF: fuse_read_byte+32�j
  105. ROM:87004792                                                                             ; fuse_read_byte+44�j ...
  106. ROM:87004792 010 00 BF                       NOP                                         ; No Operation
  107. ROM:87004794 010 28 46                       MOV     R0, R5                              ; Rd = Op2
  108. ROM:87004796 010 70 BD                       POP     {R4-R6,PC}                          ; Pop registers
  109. ROM:87004796                 ; End of function fuse_read_byte
  110.  
  111. ROM:870048BE
  112. ROM:870048BE                 ; =============== S U B R O U T I N E =======================================
  113. ROM:870048BE
  114. ROM:870048BE
  115. ROM:870048BE                 ; int __cdecl fuse_read_BS_DIS()
  116. ROM:870048BE                 fuse_read_BS_DIS                                            ; CODE XREF: check_BS_DIS+4
  117. ROM:870048BE 000 10 B5                       PUSH    {R4,LR}                             ; Push registers
  118. ROM:870048C0 008 10 24                       MOVS    R4, #0x10                           ; Rd = Op2
  119. ROM:870048C2 008 6E 20                       MOVS    R0, #SEC_BS_DIS                     ; fuse_entry_number
  120. ROM:870048C4 008 FF F7 09 FF                 BL      fuse_read_byte                      ; Branch with Link
  121. ROM:870048C8 008 00 B9                       CBNZ    R0, return                          ; Compare and Branch on Non-Zero
  122. ROM:870048CA 008 00 24                       MOVS    R4, #0                              ; Rd = Op2
  123. ROM:870048CC
  124. ROM:870048CC                 return                                                      ; CODE XREF: fuse_read_BS_DIS+A
  125. ROM:870048CC 008 20 46                       MOV     R0, R4                              ; Rd = Op2
  126. ROM:870048CE 008 10 BD                       POP     {R4,PC}                             ; Pop registers
  127. ROM:870048CE                 ; End of function fuse_read_BS_DIS
  128. ROM:870048CE
  129. ROM:870048D0
  130. ROM:870048D0                 ; =============== S U B R O U T I N E =======================================
  131. ROM:870048D0
  132. ROM:870048D0
  133. ROM:870048D0                 ; int __cdecl fuse_read_SECVER(int entry_number)
  134. ROM:870048D0                 fuse_read_SECVER                                            ; CODE XREF: check_secure_version+14
  135. ROM:870048D0 000 70 B5                       PUSH    {R4-R6,LR}                          ; Push registers
  136. ROM:870048D2 010 04 46                       MOV     R4, R0                              ; Rd = Op2
  137. ROM:870048D4 010 00 25                       MOVS    R5, #0                              ; Rd = Op2
  138. ROM:870048D6 010 20 46                       MOV     R0, R4                              ; fuse_entry_number
  139. ROM:870048D8 010 FF F7 FF FE                 BL      fuse_read_byte                      ; Branch with Link
  140. ROM:870048DC 010 05 46                       MOV     R5, R0                              ; Rd = Op2
  141. ROM:870048DE 010 28 46                       MOV     R0, R5                              ; Rd = Op2
  142. ROM:870048E0 010 70 BD                       POP     {R4-R6,PC}                          ; Pop registers
  143. ROM:870048E0                 ; End of function fuse_read_SECVER
  144. ROM:870048E0
  145. ROM:870048E2
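The listing above shows how the entry numbers are decoded: several entries (cases 106, 108 and 113) are read as the number of set bits in a fuse word or field, which is how a one-time-programmable counter works: each increment blows one more bit, and since a fuse bit can never return to zero the count can only go up. Note also that SEC_BS_DIS is 0x6E = 110, so fuse_read_BS_DIS ends up in case 110, which is fuse word 4 shifted right by 15. The following Python model re-implements that decode so it can be checked against a fuse dump. It is an added example, not code from the page, TI or Motorola: the case-to-bit mapping is taken from the listing, while the size of the fuse array, count_1 meaning popcount, the value returned by the do_nothing cases and the rollback rule in check_secure_version are assumptions made for illustration.

```python
# Python model of fuse_read_byte, fuse_read_BS_DIS and fuse_read_SECVER as read
# off the mbmloader listing. Added example, not code from the page, TI or
# Motorola. Case-to-bit mapping comes from the listing; FUSE_WORDS, count_1 as
# popcount, DO_NOTHING and the check_secure_version rule are assumptions.

SEC_BS_DIS = 0x6E          # 110: "MOVS R0, #SEC_BS_DIS" is encoded 6E 20 in the listing
FUSE_WORDS = 8             # assumption: number of 32-bit fuse words
DO_NOTHING = -1            # assumption: what the do_nothing cases return

# Entries decoded as thermometer counters: (fuse word, bit offset, field width).
COUNTER_FIELDS = {
    106: (1, 0, 32),       # case 106: count_1(fuse_read_word(1))
    108: (0, 0, 32),       # case 108: count_1(fuse_read_word(0))
    113: (4, 8, 5),        # case 113: count_1(UBFX(word 4, bit 8, width 5))
}


class FuseExhausted(Exception):
    """Every bit of the counter field is already blown."""


def count_1(x):
    """Assumed meaning of count_1 in the listing: number of set bits."""
    return bin(x & 0xFFFFFFFF).count("1")


def to_signed32(x):
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


class FuseModel:
    def __init__(self, words=(), reg_480023b4=0):
        self.words = list(words) + [0] * (FUSE_WORDS - len(words))
        self.reg_480023b4 = reg_480023b4 & 0xFFFFFFFF   # memory-mapped register, not a fuse

    def fuse_read_word(self, n):
        return self.words[n] & 0xFFFFFFFF

    def fuse_read_byte(self, entry):
        """Mirror of the jump table in fuse_read_byte (cases visible in the listing)."""
        w = self.fuse_read_word
        if entry in COUNTER_FIELDS:
            word, shift, width = COUNTER_FIELDS[entry]
            return count_1((w(word) >> shift) & ((1 << width) - 1))
        if entry == 110:
            return to_signed32(w(4)) >> 15       # ASRS R5, R0, #0xF
        if entry == 111:
            return (w(4) >> 13) & 1              # UBFX.W R5, R0, #0xD, #1
        if entry == 112:
            return (w(4) >> 14) & 1              # UBFX.W R5, R0, #0xE, #1
        if entry == 115:
            return self.reg_480023b4 & 0xFFFF    # LDR [0x480023B4]; UXTH
        return DO_NOTHING                        # cases 102,103,107,109,114,116 and default

    def fuse_read_BS_DIS(self):
        """0x10 once the SEC_BS_DIS fuse reads non-zero, 0 otherwise (the CBNZ in fuse_read_BS_DIS)."""
        return 0x10 if self.fuse_read_byte(SEC_BS_DIS) != 0 else 0

    def fuse_read_SECVER(self, entry):
        return self.fuse_read_byte(entry)

    def fuse_blow_bits(self, n, mask):
        """eFuse write: bits only ever go 0 -> 1; nothing can clear one again."""
        self.words[n] |= mask & 0xFFFFFFFF

    def increment_counter(self, entry):
        """Advance a thermometer-coded counter by blowing its lowest clear bit."""
        word, shift, width = COUNTER_FIELDS[entry]
        field = (self.fuse_read_word(word) >> shift) & ((1 << width) - 1)
        if field == (1 << width) - 1:
            raise FuseExhausted("counter %d already at its maximum of %d" % (entry, width))
        lowest_clear = ~field & (field + 1)
        self.fuse_blow_bits(word, lowest_clear << shift)
        return self.fuse_read_byte(entry)

    def check_secure_version(self, entry, image_version):
        """Assumed rollback rule (the real check_secure_version is not in the listing):
        an image may run only if its version is not older than the fused counter."""
        return image_version >= self.fuse_read_SECVER(entry)


def counter_is_exhausted(model, entry):
    """True when no bit of the counter field is left to blow."""
    try:
        model.increment_counter(entry)
        return False
    except FuseExhausted:
        return True
```

Feed it the fuse words from a dump and compare the decoded values with what the bootloader reports; a counter that has reached its field width (5 for entry 113) can never be incremented again, which is the cost of doing anti-rollback in fuses.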

M-Shield

M-Shield is Texas Instruments' secure execution environment on the OMAP chip. The Mobile Trusted Module (MTM) of the Trusted Computing Group runs on top of it as a protected application, following the MTM reference design. The secure environment has its own on-chip ROM and RAM (see TI's description further down). It also supports ARM's TrustZone model: according to TI's description below, the TrustZone hardware extensions were to be incorporated once available, and the secure monitor is entered with the TrustZone SMC instruction. Secure and non-secure world run on the same core; the non-secure side calls into the secure side with SMC:

                 ; =============== S U B R O U T I N E =======================================
4001537C
4001537C                 ; running in ARM mode
4001537C
4001537C                 ; __int32 __cdecl security_monitor_call(__int32 ssid, __int32 proc_id, __int32 flag, __int32 params_addr)
4001537C                 security_monitor_call                                                 ; CODE XREF: security_monitor_handler+8
4001537C 000 F0 5F 2D E9           STMFD SP!, {R4-R12,LR}                                      ; Store Block to Memory
40015380 028 FF 60 A0 E3           MOV   R6, #0xFF                                             ; R0-R3 still hold ssid, proc_id, flag, params_addr
40015384 028 00 C0 A0 E3           MOV   R12, #0                                               ; Rd = Op2
40015388 028 95 0F 07 EE           MCR   p15, 0, R0,c7,c5, 4                                   ; prefetch flush
4001538C 028 9A 0F 07 EE           MCR   p15, 0, R0,c7,c10, 4                                  ; data synchronisation barrier
40015390 028 71 00 60 E1           SMC   1                                                     ; Secure Monitor Call
40015394 028 02 00 00 EA           B     service_end                                           ; normal return from the secure side
40015394 028
40015398                 ; ---------------------------------------------------------------------------
40015398 028 00 F0 20 E3           NOP                                                         ; No Operation
4001539C 028 FE C0 A0 E3           MOV   R12, #SMC_IRQ_END                                     ; 0xFE
400153A0 028 71 00 60 E1           SMC   1                                                     ; Secure Monitor Call
400153A0 028
400153A4
400153A4                 service_end                                                           ; CODE XREF: security_monitor_call+18↓j
400153A4 028 F0 5F BD E8           LDMFD SP!, {R4-R12,LR}                                      ; Load Block from Memory
400153A8 000 1E FF 2F E1           BX    LR                                                    ; Branch to/from Thumb mode
400153A8 000
400153A8                 ; End of function security_monitor_call

Note the two return paths after the first SMC: the normal one lands on the B service_end, while a return to the NOP after it re-issues the SMC with R12 = SMC_IRQ_END (0xFE), apparently the resume path used when the secure side was interrupted. The full TrustZone description is in ARM's whitepaper: File:Prd29-genc-009492c trustzone security whitepaper.pdf

In our target device, the native handset boot starts executing from an on-chip ROM, which in turn loads a signed bootloader and executes it on successful verification. The M-Shield architecture additionally includes on-chip RAM to be used by so-called protected applications. These can either persistently be present on an on-chip ROM, or be uploaded to on-chip RAM as signed binaries. The system implements a firewall/monitor entry point for executing these applications, and this firewall takes care of disabling or clearing all security-critical processor features (interrupts, DMA, VM) for the duration of the TrEE invocation. In this manner the system provides hardware-enforced isolation for the protected applications. The on-chip protected applications have access to a limited amount of persistent secret data (like a device-specific symmetric key) and to cryptographic accelerator primitives. [1]

(Figures: Sheme.gif, 2007 06-nokia-figure-2.gif, Arch 1.jpg)

  1. ROM to store the program code or a mechanism by which the integrity of code uploaded to the secure environment can be validated (code signing).
  2. a shielded location (secure RAM) for the loaded state, as well as for run-time data.
  3. an isolated execution environment (TrEE) for the program code with access to the shielded data location.
  4. a device-specific, persistent secret to seed the RTS. The confidentiality (access control) of the secret can e.g. be bound to the secure environment itself.
  5. a simple (I/O) library for use in the isolated environment, including cryptographic primitives and random number generation necessary for an MTM. [1]

Definitions

  Abbreviation   Meaning
  AIK            Attestation Identity Key
  EK             Endorsement Key
  DAA            Direct Anonymous Attestation
  DRTM           Dynamic Root of Trust for Measurement
  MTM            Mobile Trusted Module
  RIM            Reference Integrity Metric
  RTE            Root of Trust for Enforcement
  RTR            Root of Trust for Reporting
  RTS            Root of Trust for Storage
  RTV            Root of Trust for Verification
  RVAI           Root Verification Authority Information
  SRK            Storage Root Key, used to protect local data (e.g. other keys)


Listing 1: Structure for symmetric SRK

  // 128 bits key length
  #define SRK_KEYLENGTH 16

  typedef struct tdTPM_KEY_SRK {
    TPM_STRUCT_VER ver;
    TPM_KEY_USAGE keyUsage;
    TPM_KEY_FLAGS keyFlags;
    TPM_AUTH_DATA_USAGE authDataUsage;
    TPM_KEY_PARMS algorithmParms;
    TPM_SECRET usageAuth;
    UINT32 PCRInfoSize;
    TPM_PCR_INFO pcrInfo;
    BYTE symKey[SRK_KEYLENGTH];
  } TPM_KEY_SRK;
  // Size of TPM_KEY_SRK in bytes: 123

Listing 2: Structure for loaded asymmetric key

  typedef struct tdTPM_KEY_LOADED {
    TPM_STRUCT_VER ver;
    TPM_KEY_USAGE keyUsage;
    TPM_KEY_FLAGS keyFlags;
    TPM_AUTH_DATA_USAGE authDataUsage;
    TPM_KEY_PARMS algorithmParms;
    UINT32 PCRInfoSize;
    TPM_PCR_INFO pcrInfo;
    TPM_STORE_ASYMKEY keyData;
  } TPM_KEY_LOADED;
  // Size of TPM_KEY_LOADED in bytes: 551

COMPRESSED STRUCTURES

  typedef struct tdTPM_PCR_ATTRIBUTES {
    BOOL pcrReset;
  } TPM_PCR_ATTRIBUTES;
  // Size of TPM_PCR_ATTRIBUTES in bytes: 1

  typedef struct tdTPM_PERMANENT_FLAGS {
    TPM_STRUCTURE_TAG tag;
    BOOL disable;
    BOOL FIPS;

    BOOL readSRKPub;
  } TPM_PERMANENT_FLAGS;
  // Size of TPM_PERMANENT_FLAGS in bytes: 5

  typedef struct tdTPM_STCLEAR_FLAGS {
    TPM_STRUCTURE_TAG tag;
    BOOL deactivated;
  } TPM_STCLEAR_FLAGS;
  // Size of TPM_STCLEAR_FLAGS in bytes: 3

  typedef struct tdTPM_STANY_FLAGS {
    TPM_STRUCTURE_TAG tag;
    BOOL postInitialise;
  } TPM_STANY_FLAGS;
  // Size of TPM_STANY_FLAGS in bytes: 3

  #define TPM_SESSIONS 2
  typedef struct tdTPM_STANY_DATA {
    TPM_STRUCTURE_TAG tag;
    TPM_SESSION_DATA sessions[TPM_SESSIONS];
  } TPM_STANY_DATA;
  // Size of TPM_STANY_DATA in bytes: 98

  #define TPM_NUM_COUNTER 1
  #define TPM_NUM_PCR 16

  typedef struct tdTPM_PERMANENT_DATA {
    TPM_STRUCTURE_TAG tag;
    BYTE revMajor;
    BYTE revMinor;
    TPM_NONCE tpmProof;
    TPM_KEY srk;
    TPM_COUNTER_VALUE monotonicCounter[TPM_NUM_COUNTER];
    TPM_PCR_ATTRIBUTES pcrAttrib[TPM_NUM_PCR];
  } TPM_PERMANENT_DATA;
  // Size of TPM_PERMANENT_DATA in bytes: 173

  typedef struct tdTPM_STCLEAR_DATA {
    TPM_STRUCTURE_TAG tag;
    TPM_COUNT_ID countID;
    TPM_PCRVALUE PCR[TPM_NUM_PCR];
  } TPM_STCLEAR_DATA;
  // Size of TPM_STCLEAR_DATA in bytes: 326
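The definitions above (RTV, RIM, RTS) and the structures (tpmProof, monotonicCounter, PCR) come together in the secure-boot path of an MTM: before a boot stage is executed, the Root of Trust for Verification checks a RIM certificate, compares the measured image against the measurement the certificate carries, and only then extends the PCR. The following model shows that flow end to end, including the three ways a step is refused (forged certificate, wrong image, certificate revoked by the monotonic counter). It is an added example, not code from the page, the TCG MTM specification or any vendor: the certificate encoding, the HMAC keyed with tpmProof, the per-PCR state check and the counter rule are simplifications for illustration, and the real TPM_RIM_CERTIFICATE layout differs.

```python
# Model of the RTV path in an MTM: check a RIM certificate, verify the image
# against it, extend a PCR. Added example, not code from the page, the TCG
# MTM spec or any vendor; encoding, HMAC-with-tpmProof integrity check, state
# check and counter rule are simplifications for illustration.
import hashlib
import hmac
import struct

TPM_NUM_PCR = 16        # pcrAttrib[TPM_NUM_PCR] in TPM_PERMANENT_DATA above
TPM_NUM_COUNTER = 1     # monotonicCounter[TPM_NUM_COUNTER]
PCR_SIZE = 20           # SHA-1 digest, TPM 1.2 style


class RIMVerifyError(Exception):
    """Raised when a boot step must not proceed."""


def measure(image):
    """Measurement of a boot image: its SHA-1 digest."""
    return hashlib.sha1(image).digest()


def pcr_extend(old, measurement):
    """TPM 1.2 extend rule: PCR' = SHA-1(PCR || measurement)."""
    return hashlib.sha1(old + measurement).digest()


def rim_cert_tbs(cert):
    """Bytes covered by the integrity check (constructed encoding, not the spec's)."""
    state = b"".join(struct.pack(">H", i) + v for i, v in sorted(cert["state"].items()))
    return (struct.pack(">H", len(cert["label"])) + cert["label"]
            + struct.pack(">HI", cert["pcr_index"], cert["counter_ref"])
            + cert["measurement"]
            + struct.pack(">H", len(cert["state"])) + state)


class MTM:
    def __init__(self, tpm_proof):
        self.tpm_proof = tpm_proof                    # tpmProof: device secret that never leaves the TrEE
        self.pcr = [bytes(PCR_SIZE)] * TPM_NUM_PCR    # TPM_STCLEAR_DATA.PCR, all zero after reset
        self.counter = [0] * TPM_NUM_COUNTER          # monotonic counter used to revoke RIM certs

    def issue_internal_rim_cert(self, label, pcr_index, image, state):
        """Internal RIM cert: made inside the MTM, integrity-protected with HMAC(tpmProof).
        'state' lists PCR values that must already hold when the cert is used."""
        cert = {
            "label": label,
            "pcr_index": pcr_index,
            "measurement": measure(image),     # digest the image must have at boot
            "state": dict(state),
            "counter_ref": self.counter[0],    # revoked once the counter moves past this
        }
        cert["mac"] = hmac.new(self.tpm_proof, rim_cert_tbs(cert), hashlib.sha1).digest()
        return cert

    def verify_rim_cert_and_extend(self, cert, image):
        """RTV step: cert integrity, freshness and required PCR state are checked,
        then the image is verified against the cert and extended. Any failure
        stops the step before anything is extended."""
        expected_mac = hmac.new(self.tpm_proof, rim_cert_tbs(cert), hashlib.sha1).digest()
        if not hmac.compare_digest(expected_mac, cert["mac"]):
            raise RIMVerifyError("RIM cert integrity check failed")
        if cert["counter_ref"] < self.counter[0]:
            raise RIMVerifyError("RIM cert revoked by the monotonic counter")
        for idx, value in cert["state"].items():
            if self.pcr[idx] != value:
                raise RIMVerifyError("PCR %d is not in the state the cert requires" % idx)
        if measure(image) != cert["measurement"]:
            raise RIMVerifyError("image does not match the RIM measurement")
        idx = cert["pcr_index"]
        self.pcr[idx] = pcr_extend(self.pcr[idx], cert["measurement"])
        return self.pcr[idx]

    def increment_bootstrap_counter(self):
        """Revokes every RIM cert issued with a lower counter_ref."""
        self.counter[0] += 1
        return self.counter[0]


def boot_step_fails(mtm, cert, image):
    """True if the RTV refuses this step; the PCRs are untouched in that case."""
    try:
        mtm.verify_rim_cert_and_extend(cert, image)
        return False
    except RIMVerifyError:
        return True
```

The ordering of the checks matters: the certificate's integrity and freshness are established before any of its contents (expected state, measurement) are trusted, and the PCR is extended only after the image has been verified, so a failed step leaves no trace in the PCRs that a later stage could mistake for success.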

Software emulators:

  1. MTM Emulator - http://mtm.nrsec.com/
  2. TrouSerS - http://trousers.sourceforge.net/ (http://sourceforge.net/projects/trousers/)
  3. TPM Emulator - http://tpm-emulator.berlios.de/

Useful literature

  1. Patent description with nice graphics [2]
  2. M-Shield description [3]
  3. MTM Specification [4]
  4. Trusted Mobile Reference Architecture [5]
  5. MTM Use cases [6]

Other stuff (still to be cleaned up)

Work history: Motorola, June 2005 to the present, Senior Software Engineer

tags: c • starcore • tms320c55x+ How would you describe your time at Motorola?

   1. Implementation of Alternate Linear Output Equalizer (ALOE) for GSM handsets.
   Tools: Code Composer Studio (CCS), Freescale CodeWarrior simulation tool.
   Language: TMS320C55x+ Algebraic Assembly, STARCORE ASSEMBLY
   Description: The ALOE algorithm is aimed at improving co-channel performance of the handset over the conventional GSM equalizers. The new algorithm gives 13 dB improvement over the conventional MLSE method.
   The implementation of this algorithm involved coding in TMS320C55x+ Algebraic Assembly using the CCS tool. The implementation is targeted to have fewer MIPS and better precision results. The algorithm testing is done with legacy StarCore reference code.
   2. Implementation of G.728 speech codec with FIXED POINT, 32/16 bit data paths.
   Tools: Freescale CodeWarrior simulation tool.
   Language: C, STARCORE ASSEMBLY
   Description: The G.728 speech codec adhering to the ITU-T standards is implemented using fixed point 16 bit and 32 bit data paths. The 16 bit fixed point data path is bit compliant with the ITU-T standard test vectors. The work involved implementation, integration and testing of the entire G.728 codec in 32 bit and 16 bit precision and analysis with fixed point arithmetic using the C language, then porting the C code to the StarCore architecture and to StarCore assembly to meet the MIPS criterion.
   3. Development and testing of Sync Detection, AFC, and sensitivity improvement algorithms.
   Tools: Matlab, Freescale CodeWarrior simulation tool.
   Language: C, STARCORE ASSEMBLY
   Description: The iDEN (similar to GSM) system has an RF modem part which has a Transmitter and a Receiver. The Receiver demodulates the received Quad QAM data into in-phase and quadrature symbols by applying sub-channel demodulation, time synchronization, automatic frequency control, pilot interpolation and data decoding algorithms.
   The work involved implementation of AFC using a 1st order loop, synchronization using the WLS algorithm and a sensitivity improvement algorithm using 4-F Doppler multipath fading modeling. The implementation of all these algorithms is in C and STARCORE ASSEMBLY using the Freescale CodeWarrior tools....


Hardware blocks of the secure environment: RNG, DES/3DES x2, SHA1/MD5 x2, AES x2, Fast PKA (SafeNet EIP-29), e-fuse

On-chip memory: 96 Kbytes ROM, 64 Kbytes SRAM

M-Shield Hardware Security Technology

Integrated into TI's OMAP and OMAP-Vox platforms, M-Shield hardware security technology is a complete infrastructure for mobile platform robustness that includes:

   * Hardware cryptographic accelerators and random number generator
   * Public key infrastructure with secure on-chip keys (e-fuse)
   * Secure booting and flashing
   * Secure access/restriction to all chip peripherals and memories
   * Secure DMA transfers
   * Hardware-based countermeasures against software attacks and cloning
   * Secure protection of debug, trace, and test capabilities
   * Hardware-reinforced secure execution and storage environment (Secure Environment) embedding:
         o A Secure State Machine
         o Secure RAM for sensitive authorized application execution and secure data storage
         o Secure ROM with 100+ services accessible by authorized applications (Protected Applications)
         o Secure storage mechanism

M-Shield hardware security technology is operating-system independent and not sensitive to software attacks. Once available, ARM® TrustZone™ hardware extensions will be incorporated and strengthened.

M-Shield Software Security Technology

M-shield software security technology is the key software-based security element of OMAP Platforms and OMAP-Vox devices, built on top of and strengthened by M-Shield Hardware technology. This software security encompasses:

   * Secure signing and flashing tools
   * IMEI and SIMlock protection software on OMAP-Vox devices
   * Toolkits for development and signature of protected applications running in a secure environment
   * Security Middleware Component with associated Protected Applications and SDKs
   * Security packs to strengthen HLOS security

Additionally, the M-Shield Security Middleware Component (SMC) provides sets of standard APIs that solve the problems of fragmentation and porting complexity:

   * Software reuse across platform generations as APIs on current platforms can continue to be utilized
   * SMC APIs are compatible with ARM® TrustZone™ software APIs
         o Applications can call specific secure services ported on SMC using ARM TrustZone API
         o Applications can use secure storage and standard PKCS#11 APIs for cryptography
         o Native secure services can use standard PKCS#11 APIs
         o Interpreted secure services can use GlobalPlatform GPD/STIP mobile profile standard APIs
   * Applications developed on TI's M-shield mobile security technology today will run binary compatible on devices incorporating an ARM core with TrustZone hardware extensions
   * Services developed today using ARM TrustZone software API will run on TI devices with M-Shield mobile security technology

Some information about eFuse in OMAP: http://elinux.org/OMAP_Power_Management/SmartReflex

The Secure ROM solution is based on Synopsys products: http://www.synopsys.com/Tools/SLD/CapsuleModule/vp_ti_ss.pdf

Patent description: http://www.freepatentsonline.com/y2005/0228980.html