Please note that as of October 24, 2014, the Nokia Developer Wiki will no longer be accepting user contributions, including new entries, edits and comments, as we begin transitioning to our new home, in the Windows Phone Development Wiki. We plan to move over the majority of the existing entries. Thanks for all your past and future contributions.

Capabilities (Symbian Signed)/TCB Capability

From Wiki
Jump to: navigation, search
Article Metadata
Created: hamishwillee (16 Dec 2010)
Last edited: hamishwillee (20 Jul 2012)

The TCB (Trusted Computing Base) platform security capability protects the core set of processes that enforce security on the rest of the platform.

Applications that wish to use this capability must first obtain permission from the device manufacturer

  • Device Manufacturer Capabilities - see this for information about device manufacturer capabilities
  • Sensitive Applications - see this article for examples of application types that may need TCB. Note that it is unlikely that any new process will be given TCB, with the exception of debug tools used during product creation.

Further information


  • A trusted computing base is the foundation of any secure system.
  • The /sys and /resource directories are protected, because process capabilities are encoded in the executable header.
  • Certificates are checked at install time by the software installer, rather than at load time by the loader.


  • Tcb allows write access to \sys and \resource directories. This is the most critical capability as it allows write access to executables, which contain the capabilities that define the security attributes of a process.
  • The file server checks TCB capability when a process attempts to access /sys or write to /resource
  • The kernel and device drivers check TCB capability on certain APIs intended for use by the file server


  • The kernel has TCB capability because code running in kernel mode can access the whole system.
  • The file server has TCB capability because it is responsible for enforcing security of the file system
  • The software install server has TCB capability because it needs to write to /sys and /resource when installing software.
  • Device drivers need TCB because they are loaded into the kernel process and run in kernel mode.
  • File server plugins (extensions and filesystems) need TCB because they are loaded into the file server process.

Also see Symbian OS Platform Security/02. Platform Security Concepts#The Trusted Computing Base (TCB)

Licence icon cc-by-sa 3.0-88x31.png© 2010 Symbian Foundation Limited. This document is licensed under the Creative Commons Attribution-Share Alike 2.0 license. See for the full terms of the license.
Note that this content was originally hosted on the Symbian Foundation developer wiki.

This page was last modified on 20 July 2012, at 09:31.
97 page views in the last 30 days.