Capabilities (Symbian Signed)/TCB Capability
The TCB (Trusted Computing Base) platform security capability protects the core set of processes that enforce security on the rest of the platform.
Applications that wish to use this capability must first obtain permission from the device manufacturer.
- Device Manufacturer Capabilities - see this for information about device manufacturer capabilities
- Sensitive Applications - see this article for examples of application types that may need TCB. Note that it is unlikely that any new process will be given TCB, with the exception of debug tools used during product creation.
- A trusted computing base is the foundation of any secure system.
- The /sys and /resource directories are protected, because process capabilities are encoded in the executable header.
- Certificates are checked at install time by the software installer, rather than at load time by the loader.
- TCB allows write access to the \sys and \resource directories. This is the most critical capability, as it allows write access to executables, which contain the capabilities that define the security attributes of a process.
- The file server checks TCB capability when a process attempts to access /sys or write to /resource.
- The kernel and device drivers check TCB capability on certain APIs intended for use by the file server.
- The kernel has TCB capability because code running in kernel mode can access the whole system.
- The file server has TCB capability because it is responsible for enforcing security of the file system.
- The software install server has TCB capability because it needs to write to /sys and /resource when installing software.
- Device drivers need TCB because they are loaded into the kernel process and run in kernel mode.
- File server plugins (extensions and filesystems) need TCB because they are loaded into the file server process.
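
The write check described in the list above, as an added example in portable C++ (not Symbian file server code and not from the original page): it models only the rule that writes under \sys and \resource need TCB, and shows why the path has to be normalised before the directory is compared. `Caps`, `Components`, `WriteNeedsTcb` and `WriteAllowed` are hypothetical names, and the handling of drive letters, case and ".." is an assumption of this model.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Constructed model of a caller: only the TCB bit matters for this rule.
struct Caps { bool tcb; };

// Split a path into lower-cased components. Drops an optional drive letter,
// accepts both slash styles, and resolves "." and ".." so that a path such as
// \data\..\resource\x is judged by where it really lands.
std::vector<std::string> Components(std::string path) {
    if (path.size() >= 2 && path[1] == ':') path.erase(0, 2);
    std::vector<std::string> out;
    std::string cur;
    path.push_back('\\');  // sentinel so the last component is flushed
    for (char ch : path) {
        if (ch == '\\' || ch == '/') {
            if (cur == "..") {
                if (!out.empty()) out.pop_back();
            } else if (!cur.empty() && cur != ".") {
                out.push_back(cur);
            }
            cur.clear();
        } else {
            cur.push_back(static_cast<char>(
                std::tolower(static_cast<unsigned char>(ch))));
        }
    }
    return out;
}

// True when the write lands under \sys or \resource. Comparing whole
// components (not a string prefix) keeps \system from matching \sys.
bool WriteNeedsTcb(const std::string& path) {
    std::vector<std::string> c = Components(path);
    return !c.empty() && (c[0] == "sys" || c[0] == "resource");
}

// Decision for a write under this one rule: TCB callers pass, others pass
// only outside the two protected trees. Other file server checks are out
// of scope for this model.
bool WriteAllowed(const Caps& caller, const std::string& path) {
    return caller.tcb || !WriteNeedsTcb(path);
}
```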
© 2010 Symbian Foundation Limited. This document is licensed under the Creative Commons Attribution-Share Alike 2.0 license. See http://creativecommons.org/licenses/by-sa/2.0/legalcode for the full terms of the license.
Note that this content was originally hosted on the Symbian Foundation developer wiki.