Hi,
Can someone explain to me where and why Hafnium is used in the industry? I've only ever seen it being used in academic research.
Thanks, Friedrich
Hi Friedrich,
We may not openly disclose partner plans into which products this component is deployed.
I may just mention the most common usages:
- In the mobile/client market: the intent is often to protect the normal world (kernel, hypervisor or ML data) from the secure world/TEE. Hafnium prevents a TEE from mapping any arbitrary physical memory and tampering with it by the use of a second level of MMU translation. A common configuration can be a single TEE on top of Hafnium (one secure partition implementing multiple vCPUs). The TEE can still manage services commonly found on a handset, e.g. biometrics, secure storage, OTA, etc. There is flexibility to add other S-EL1 (platform driver) or S-EL0 partitions (self-contained secure service). Use of multiple TEEs in parallel is supported, however it is not a common usage (just yet).
- In the server market: a common configuration is the use of multiple single-vCPU secure partitions (running exclusively at S-EL0). Hafnium at S-EL2 acts like a 'lightweight TEE' or partitioning kernel. Most often this is to deliver management services, e.g. secure variables, fTPM, FW update or RAS (platform) handling.
A common goal is reducing the amount of platform code or services in EL3 and pushing them down to lower ELs. Isolating partitions also has benefits in narrowing privileges per partition, and helps towards software certification.
Regards, Olivier.
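The stage-2 confinement described in the reply above, as an added toy model (not Hafnium's code): each partition's stage-2 tables describe only the physical ranges its manifest grants, so a TEE at S-EL1 cannot reach normal-world memory unless the owner explicitly shares it. Class and method names, the `share` flow (a loose simplification of the FF-A memory sharing the SPMC mediates) and all addresses are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PhysRange:
    base: int
    size: int

    @property
    def end(self) -> int:
        return self.base + self.size

    def covers(self, other: "PhysRange") -> bool:
        return self.base <= other.base and other.end <= self.end


@dataclass
class Partition:
    name: str
    # Ranges the partition manifest grants; the stage-2 tables describe only
    # these, so any other physical address is a stage-2 translation fault.
    granted: list = field(default_factory=list)


class Stage2Monitor:
    """Stands in for the S-EL2 component that owns the stage-2 tables."""
    def __init__(self, partitions):
        self.parts = {p.name: p for p in partitions}
        self.log = []  # audit trail of map decisions, useful for detection

    def map_request(self, name, want):
        """An S-EL1 partition controls its own stage-1 tables, so only the
        stage-2 grant decides whether the physical range becomes visible."""
        ok = any(g.covers(want) for g in self.parts[name].granted)
        self.log.append(f"{name} map {want.base:#x}+{want.size:#x}: {'ok' if ok else 'DENIED'}")
        return ok

    def share(self, owner, receiver, rng):
        """Owner-initiated sharing (simplified FF-A-style flow): the receiver
        gains the range only if the owner holds it, so a partition cannot
        grant itself memory it was never given."""
        if not self.map_request(owner, rng):
            return False
        self.parts[receiver].granted.append(rng)
        return True


def build_demo():
    # Constructed addresses, not a real platform layout.
    nw = Partition("normal-world", [PhysRange(0x8000_0000, 0x4000_0000)])
    tee = Partition("tee", [PhysRange(0x0E00_0000, 0x0100_0000)])
    return Stage2Monitor([nw, tee])
```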
From: Friedrich via Hafnium <hafnium@lists.trustedfirmware.org>
Sent: 07 August 2024 23:12
To: hafnium@lists.trustedfirmware.org
Subject: [Hafnium] Hafnium in Industry