Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Presented by
Date
HKG15-311:OP-TEE Basics
and Porting Review
Victor Chong
2015-2-9
Objectives
● Security Building Blocks
● Secure Boot
● Introduction to Trusted Applications
● OP-TEE Porting
OP-TEE
● Open-source Portable TEE
● Sponsored by ST
● GlobalPlatform (GP) compatible
● Compatible with ARM-TF
● Complete s...
Security Building Blocks
● TrustZone-enabled chipset (Hardware)
● ARM Trusted Firmware aka ARM-TF (Firmware)
● Boot Servic...
Security Building Blocks
Security Building Blocks
Secure Boot
● Prevent unauthorized executables from booting by verifying image
signatures
● Divided into stages
● Start wi...
Secure Boot
Introduction to Trusted Applications
A Trusted Application typically consists of two parts
● Linux user space, client impl...
Introduction to Trusted Applications
Introduction to Trusted Applications
Typical normal world program flow based on GP Client API
● TEEC_InitializeContext
● C...
Hello World Example
root@host:/ hello_world
TEEC_InitializeContext
TEEC_OpenSession
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_...
Introduction to Trusted Applications
● GP Client API
● Not too flexible
● Somewhat limited in functionality
● GP Functiona...
Introduction to Trusted Applications
● Details
http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted-...
OP-TEE Porting
Prerequisites
● ARM-TF ported for ARMv8
https://github.com/ARM-software/arm-trusted-firmware/blob/master/do...
OP-TEE Trusted OS
Linux
Android
OP-TEE Porting - Main Blocks
TEE Driver
TEE Client
Client
Application
Client
Application
T...
OP-TEE Porting - Affected Gits
● OP-TEE Trusted OS (optee_os)
- Add new platform support (plat-<myplat>)
● OP-TEE Linux ke...
OP-TEE Porting - Getting started
● Get OP-TEE source code
http://github.com/OP-TEE
● Get the toolchain
http://releases.lin...
OP-TEE Porting - How to build
● Add toolchain path
export PATH=$PATH:path-to-toolchain-bin
● Define CROSS_PREFIX macro
exp...
OP-TEE Porting - Partition Map
BL2/BL3-1/BL3-2
fip.bin (includes bl2.bin, bl31.bin,
tee.bin, u-boot.bin/uefi)
BL1
bl1.bin
...
● Clone from an existing platform
E.g. core/arch/arm32/plat-vexpress → core/arch/arm32/plat-<myplat>
OP-TEE Porting - Crea...
OP-TEE Porting - Compiler & Linker options
● Compiler options: conf.mk
● Linker options: link.mk
CROSS_PREFIX ?= arm-linux...
OP-TEE Porting - Platform Configurations
● Platform-specific definitions: platform_config.h
#define STACK_TMP_SIZE 1024
#d...
OP-TEE Porting - Platform Configurations
● platform_config.h also includes definitions for
● GIC base
● UART
OP-TEE Porting - Adding Source Files
● Source files list: sub.mk
srcs-y += file1.c
srcs-y += file2.c
…
subdirs-y += dir1
s...
OP-TEE Porting - Memory Map
OP-TEE Porting - Memory Configuration
● plat-<myplat>/
core_bootcfg.c
static struct map_area bootcfg_memory_map[] = {
{ /*...
OP-TEE Porting - Platform Initialization
(_start) (kern.ld.S)
1. _start (entry.S)
a. CPU basic init (v7 only)
b. Cache/MMU...
OP-TEE Porting - Running and Debug
(_start) (kern.ld.S)
4. sm_smc_entry (v7 only)
(sm_asm.S)
a. Save caller world context
...
OP-TEE Porting - Test/Verify
● Build normal world program and corresponding TA
● Copy both to rootfs
● Run normal world pr...
OP-TEE Porting - Sample Test Log
root@Vexpress:/ modprobe optee
misc teetz: no TZ l2cc mutex service supported
misc teetz:...
OP-TEE Porting - Initial Task Checklist
- [ ] Port ARM-TF with U-Boot/UEFI (as bl33.bin) but without optee_os (bl32.bin)
-...
OP-TEE documentation
● OP-TEE OS Documents
https://github.com/OP-TEE/optee_os/tree/master/documentation
● OP-TEE Wiki FAQ
...
Thank You!
HKG15-311: OP-TEE for Beginners and Porting Review
Upcoming SlideShare
Loading in …5
×

HKG15-311: OP-TEE for Beginners and Porting Review

16,665 views

Published on

HKG15-311: OP-TEE for Beginners and Porting Review
---------------------------------------------------
Speaker: Victor Chong
Date: February 11, 2015
---------------------------------------------------
★ Session Summary ★
Explains the building blocks involved in Security including TrustZone, OP-TEE, Trusted Firmware etc. Goes into detail on how Secure Boot Works.. and Why. Explains how a simple secure Trusted Application interacts with OP-TEE and works. Brief overview on how to port OP-TEE to an ARM platform. Opens discussions for Potential Challenges and Hardware limitations and how they can be overcome.
--------------------------------------------------
★ Resources ★
Pathable: https://hkg15.pathable.com/meetings/250816
Video: https://www.youtube.com/watch?v=Fksx4-bpHRY
Etherpad: http://pad.linaro.org/p/hkg15-311
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2015 - #HKG15
February 9-13th, 2015
Regal Airport Hotel Hong Kong Airport
---------------------------------------------------
http://www.linaro.org
http://connect.linaro.org

Published in: Software
  • DOWNLOAD THI5 BOOKS 1NTO AVAILABLE FORMAT (Unlimited) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { http://bit.ly/2m77EgH } ......................................................................................................................... Download Full EPUB Ebook here { http://bit.ly/2m77EgH } ......................................................................................................................... ACCESS WEBSITE for All Ebooks ......................................................................................................................... Download Full PDF EBOOK here { http://bit.ly/2m77EgH } ......................................................................................................................... Download EPUB Ebook here { http://bit.ly/2m77EgH } ......................................................................................................................... Download doc Ebook here { http://bit.ly/2m77EgH } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THIS BOOKS INTO AVAILABLE FORMAT (Unlimited) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... Download Full EPUB Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... ACCESS WEBSITE for All Ebooks ......................................................................................................................... Download Full PDF EBOOK here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... Download EPUB Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... Download doc Ebook here { https://tinyurl.com/y6a5rkg5 } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

HKG15-311: OP-TEE for Beginners and Porting Review

  1. 1. Presented by Date HKG15-311:OP-TEE Basics and Porting Review Victor Chong 2015-2-9
  2. 2. Objectives ● Security Building Blocks ● Secure Boot ● Introduction to Trusted Applications ● OP-TEE Porting
  3. 3. OP-TEE ● Open-source Portable TEE ● Sponsored by ST ● GlobalPlatform (GP) compatible ● Compatible with ARM-TF ● Complete system
  4. 4. Security Building Blocks ● TrustZone-enabled chipset (Hardware) ● ARM Trusted Firmware aka ARM-TF (Firmware) ● Boot Services ● Run-time Services ● OP-TEE (OS) ● Client library (libteec.so) ● Driver (optee.ko) ● Trusted OS ● Client Applications ● OP-TEE Clients (Normal World) ● Trusted Applications (Secure World)
  5. 5. Security Building Blocks
  6. 6. Security Building Blocks
  7. 7. Secure Boot ● Prevent unauthorized executables from booting by verifying image signatures ● Divided into stages ● Start with trusted source (ROM boot code) @ stage/level 1 ● Root of Trust ● Every subsequent image (stage/level) to be loaded is verified first by the one before it ● Chain of Trust
  8. 8. Secure Boot
  9. 9. Introduction to Trusted Applications A Trusted Application typically consists of two parts ● Linux user space, client implementation ● Secure world Trusted Application (TA)
  10. 10. Introduction to Trusted Applications
  11. 11. Introduction to Trusted Applications Typical normal world program flow based on GP Client API ● TEEC_InitializeContext ● Connect to the OP-TEE Linux driver ● TEEC_OpenSession ● Loads the TA ● TEEC_InvokeCommand ● Control TA functions ● TEEC_CloseSession ● TEEC_FinalizeContext
  12. 12. Hello World Example root@host:/ hello_world TEEC_InitializeContext TEEC_OpenSession TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE) TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE) ==> 100+1 = 101 TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD) TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD) done … TEEC_CloseSession TEEC_FinalizeContex
  13. 13. Introduction to Trusted Applications ● GP Client API ● Not too flexible ● Somewhat limited in functionality ● GP Functional API forthcoming ● High level APIs, e.g. encrypt/decrypt ● Secure side TAs not required
  14. 14. Introduction to Trusted Applications ● Details http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted- applications-on-optee ● Hello world example available at http://github.com/jenswi-linaro/lcu14_optee_hello_world ● GlobalPlatform http://www.globalplatform.org/
  15. 15. OP-TEE Porting Prerequisites ● ARM-TF ported for ARMv8 https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/porting-guide.md References ● Detailed design document https://github.com/OP-TEE/optee_os/blob/master/documentation/optee_design.md
  16. 16. OP-TEE Trusted OS Linux Android OP-TEE Porting - Main Blocks TEE Driver TEE Client Client Application Client Application TEE Core TEE functions (crypto/mm) TEE Internal API Trusted Application Trusted Application TrustZone based chipset crypto timer efuse HAL TEE Client API SMC porting
  17. 17. OP-TEE Porting - Affected Gits ● OP-TEE Trusted OS (optee_os) - Add new platform support (plat-<myplat>) ● OP-TEE Linux kernel driver (optee_linuxdriver) - No changes needed. - Built as module (optee.ko) by default and included in rootfs. ● OP-TEE Normal World user space (optee_client) - No changes needed. - Built as library (libteec.so) and included in rootfs.
  18. 18. OP-TEE Porting - Getting started ● Get OP-TEE source code http://github.com/OP-TEE ● Get the toolchain http://releases.linaro.org/14.09/components/toolchain/binaries/gcc-linaro-arm- linux-gnueabihf-4.9-2014.09_linux.tar.xz
  19. 19. OP-TEE Porting - How to build ● Add toolchain path export PATH=$PATH:path-to-toolchain-bin ● Define CROSS_PREFIX macro export CROSS_PREFIX=arm-linux-gnueabihf ● Choose target platform export PLATFORM=<myplat> (e.g. vexpress) ● Choose target flavor export PLATFORM_FLAVOR=<myflav> (e.g. juno) ● Build OP-TEE make (produces tee.bin)
  20. 20. OP-TEE Porting - Partition Map BL2/BL3-1/BL3-2 fip.bin (includes bl2.bin, bl31.bin, tee.bin, u-boot.bin/uefi) BL1 bl1.bin kernel Image rootfs Example partition map based on Allwinner A80 board
  21. 21. ● Clone from an existing platform E.g. core/arch/arm32/plat-vexpress → core/arch/arm32/plat-<myplat> OP-TEE Porting - Creating a New Platform ├── conf.mk ├── link.mk ├── sub.mk ├── .. ├── core_bootcfg.c └── platform_config.h ├── conf.mk ├── link.mk ├── sub.mk ├── .. ├── core_bootcfg.c └── platform_config.h
  22. 22. OP-TEE Porting - Compiler & Linker options ● Compiler options: conf.mk ● Linker options: link.mk CROSS_PREFIX ?= arm-linux-gnueabihf CROSS_COMPILE ?= $(CROSS_PREFIX)- PLATFORM_FLAVOR ?= <myflav> platform-cpuarch = cortex-a57 #default is cortex-a15 platform-cflags += .. link-out-dir = $(out-dir)/core/ link-script = $(platform-dir)/kern.ld.S link-ldflags = $(LDFLAGS)
  23. 23. OP-TEE Porting - Platform Configurations ● Platform-specific definitions: platform_config.h #define STACK_TMP_SIZE 1024 #define STACK_ABT_SIZE 1024 #define STACK_THREAD_SIZE 8192 .. #define DRAM0_BASE 0x80000000 #define DRAM0_SIZE 0x7F000000 /* Location of trusted dram */ #define TZDRAM_BASE 0xFF000000 #define TZDRAM_SIZE 0x00E00000 .. #define CFG_TEE_CORE_NB_CORE 6 .. #define TEE_RAM_START (TZDRAM_BASE) #define TEE_RAM_SIZE 0x0010000 #define CFG_SHMEM_START (DRAM0_BASE + DRAM0_SIZE - CFG_SHMEM_SIZE) #define CFG_SHMEM_SIZE 0x100000
  24. 24. OP-TEE Porting - Platform Configurations ● platform_config.h also includes definitions for ● GIC base ● UART
  25. 25. OP-TEE Porting - Adding Source Files ● Source files list: sub.mk srcs-y += file1.c srcs-y += file2.c … subdirs-y += dir1 subdirs-y += dir2
  26. 26. OP-TEE Porting - Memory Map
  27. 27. OP-TEE Porting - Memory Configuration ● plat-<myplat>/ core_bootcfg.c static struct map_area bootcfg_memory_map[] = { { /* teecore execution RAM */ .type = MEM_AREA_TEE_RAM, .pa = CFG_TEE_RAM_START, .size = CFG_TEE_RAM_SIZE, .cached = true, .secure = true, .rw = true, .exec = true, }, { /* teecore TA load/exec RAM - Secure, exec user only! */ .type = MEM_AREA_TA_RAM, .pa = CFG_TA_RAM_START, .size = CFG_TA_RAM_SIZE, .cached = true, .secure = true, .rw = true, .exec = false, }, { /* teecore public RAM - NonSecure, non-exec. */ .type = MEM_AREA_NSEC_SHM, .pa = CFG_PUB_RAM_START, .size = SECTION_SIZE, .cached = true, .secure = false, .rw = true, .exec = false, }, { /* Add platform IO devices like UART, GIC, etc. */ .type = MEM_AREA_IO_SEC, .pa = (GIC_BASE + GICD_OFFSET) & ~SECTION_MASK, .size = SECTION_SIZE, .device = true, .secure = true, .rw = true, }, {.type = MEM_AREA_NOTYPE} };
  28. 28. OP-TEE Porting - Platform Initialization (_start) (kern.ld.S) 1. _start (entry.S) a. CPU basic init (v7 only) b. Cache/MMU init c. BSS init (v7 only) d. Jump to main_init 2. main_init (main.c) a. Init UART, canaries, GIC b. Clear BSS (v8 only) c. Init monitor (v7 only) d. Init thread stacks e. Register handlers (stdcall/fiq/svc/abort) f. Init core g. Return to non-secure entry
  29. 29. OP-TEE Porting - Running and Debug (_start) (kern.ld.S) 4. sm_smc_entry (v7 only) (sm_asm.S) a. Save caller world context b. Restore world context c. Update SCR bits (NS/FIQ) 5. Thread handle (thread_asm.S, thread.c) a. Check if fiq handle request b. Thread allocate c. Thread context restore 6. main_tee_entry (main.c) 7. tee_entry (entry.c)
  30. 30. OP-TEE Porting - Test/Verify ● Build normal world program and corresponding TA ● Copy both to rootfs ● Run normal world program ● Details http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run- trusted-applications-on-optee ● Hello world example available at http://github.com/jenswi-linaro/lcu14_optee_hello_world
  31. 31. OP-TEE Porting - Sample Test Log root@Vexpress:/ modprobe optee misc teetz: no TZ l2cc mutex service supported misc teetz: outer cache shared mutex disabled root@Vexpress:/ tee-supplicant& root@Vexpress:/ hello_world Invoking TA to increment 42 TA incremented value to 43 root@Vexpress:/
  32. 32. OP-TEE Porting - Initial Task Checklist - [ ] Port ARM-TF with U-Boot/UEFI (as bl33.bin) but without optee_os (bl32.bin) - [ ] Make platform-specific changes to optee_os - [ ] Add new platform - [ ] conf.mk, link.mk, platform_config.h, core_bootcfg.c - [ ] Add new source files (if required) - [ ] Platform initialization (if required) - [ ] Thread handlers (if required) - [ ] Build optee_os - [ ] Rebuild ARM-TF with U-Boot/UEFI as bl33.bin and optee_os as bl32.bin - [ ] Build other required system components (kernel, rootfs, etc.) - [ ] Test/Verify
  33. 33. OP-TEE documentation ● OP-TEE OS Documents https://github.com/OP-TEE/optee_os/tree/master/documentation ● OP-TEE Wiki FAQ https://wiki.linaro.org/WorkingGroups/Security/OP-TEE
  34. 34. Thank You!

×