[slrz]

> TrustZone doesn't give apps extra privileges, it just isolates code and data so things can't leak out of it into the reach of untrusted programs.

Right, which is why you might want to use it for handling key material or other sensitive things. Except you now have some gigantic DRM blob (the Widevine trustlet is huge compared to most saner ones) running in your "trusted" environment, able to access your actual sensitive data. That privilege should not be given out like candy (and generally isn't, except when DRM is involved).

> "Cooperating device drivers" isn't really the right way to look at it.

At least video vendors used to claim that DRM-related obligations prevent them from publishing specs for and/or open-sourcing those parts of their driver code that deal with video decoding/output.

> Any application can make use of TrustZone and the trusted output path; it's not something special only EME can access.

So, I've just finished writing my trustlet. How do I get it to load on common consumer devices? The ones I have all seem to require that I get it signed by the vendor which doesn't reply to my mails. How should I proceed?