Jerry Leichter <leichter@lrw.com> writes:

Lessons? Generality and power lead (to complexity, which is the enemy of security.

I think a more direct lesson here is that taking a security mechanism that consists of a bit flag used to tag a block of memory, defining any such tagged area as secure by executive fiat, and selling it as TrustZone, is no match for, you know, actually doing real security. It's not like this hasn't happened before, in 2013 Motorola cellphones got 0wned via attackers targeting the insecure TrustZone and attacking from inside that out to the (apparently) quite secure non-TrustZone code. Peter.