LCU14-103: How to create and run Trusted Applications on OP-TEE
Joakim Bech, LCU14 
LCU14 BURLINGAME

LCU14-103: How to create and run Trusted Applications on OP-TEE
---------------------------------------------------
Speaker: Joakim Bech
Date: September 15, 2014
---------------------------------------------------
Coresight is the name given to a set of IP blocks providing hardware assisted tracing for ARM based SoCs. This presentation will give an introduction to the technology, how it works and offer a glimpse of the capabilities it offers. More specifically we will go over the components that are part of the architecture and how they are used. Next will be presented the framework Linaro is working on in an effort to provide consolidation and standardization of interfaces to the coresight subsystem. We will conclude with a status of our current upstreaming efforts and how we see the coming months unfolding.

---------------------------------------------------
★ Resources ★
Zerista: http://lcu14.zerista.com/event/member/137703
Google Event: https://plus.google.com/u/0/events/cvb85kqv10dsc4k3e0hcvbr6i58
Presentation: http://www.slideshare.net/linaroorg/lcu14-101-coresight-overview
Video: https://www.youtube.com/watch?v=IQhbM55F23U&list=UUIVqQKxCyQLJS6xvSmfndLA
Etherpad: http://pad.linaro.org/p/lcu14-101
---------------------------------------------------
★ Event Details ★
Linaro Connect USA - #LCU14
September 15-19th, 2014
Hyatt Regency San Francisco Airport
---------------------------------------------------

Published in: Software
  • At 7th slide, in the sequence diagram, would not the first message (Open Session) be "Initialize Context"? According to two slides before, the "TEEC_InitializeContext()" enters the TEE Driver...

LCU14-103: How to create and run Trusted Applications on OP-TEE

  1. LCU14-103: How to create and run Trusted Applications on OP-TEE
     Joakim Bech, LCU14
     LCU14 BURLINGAME

  2. OP-TEE Overview
     OP-TEE is an Open Source TEE and is the result of collaboration work between STMicroelectronics and Linaro (Security Working Group). It contains the complete stack: the normal world client APIs (optee_client), the Linux kernel TEE driver (optee_linuxdriver), and the Trusted OS and the secure monitor (optee_os).

  3. Hello world
     The “hello world” example consists of two parts
     ● Linux user space, client implementation
     ● Secure world Trusted Application (TA), passive receiver
     ● Based on GlobalPlatform APIs

  4. Initialize context

         /* Initialize a context connecting us to the TEE */
         res = TEEC_InitializeContext(NULL, &ctx);
         if (res != TEEC_SUCCESS)
             errx(1, "TEEC_InitializeContext failed with code 0x%x", res);

  5. Initialize context
     The call to TEEC_InitializeContext() enters “TEE Driver” before returning

  6. Open session

         /*
          * Open a session to the "hello world" TA, the TA will print "hello
          * world!" in the log when the session is created.
          */
         res = TEEC_OpenSession(&ctx, &sess, &uuid,
                                TEEC_LOGIN_PUBLIC, NULL, NULL, &err_origin);
         if (res != TEEC_SUCCESS)
             errx(1, "TEEC_Opensession failed with code 0x%x origin 0x%x",
                  res, err_origin);

  7. Open session
     ● The TEEC_OpenSession() call enters “TEE Core” via “TEE Driver”
     ● “TEE Core” loads the TA binary with help of the Linux user space daemon tee-supplicant
     ● “TEE Core” copies the TA into secure RAM and calls TA_OpenSessionEntryPoint()
     ● Session is returned back to hello_world in user space

  8. Invoke command

         memset(&op, 0, sizeof(op));
         op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_NONE,
                                          TEEC_NONE, TEEC_NONE);
         op.params[0].value.a = 42;

         printf("Invoking TA to increment %d\n", op.params[0].value.a);
         res = TEEC_InvokeCommand(&sess, TA_HELLO_WORLD_CMD_INC_VALUE, &op,
                                  &err_origin);
         if (res != TEEC_SUCCESS)
             errx(1, "TEEC_InvokeCommand failed with code 0x%x origin 0x%x",
                  res, err_origin);
         printf("TA incremented value to %d\n", op.params[0].value.a);

  9. Invoke command
     ● The TEEC_InvokeCommand() call enters “TEE Core” via “TEE Driver”
     ● “TEE Core” calls TA_InvokeCommandEntryPoint()
     ● Result is returned back to hello_world in user space

  10. Close session and finalize context

         /*
          * We're done with the TA, close the session and
          * destroy the context.
          *
          * The TA will print "Goodbye!" in the log when the
          * session is closed.
          */
         TEEC_CloseSession(&sess);
         TEEC_FinalizeContext(&ctx);

  11. Close session and finalize context
      ● The TEEC_CloseSession() call enters “TEE Core” via “TEE Driver”
      ● “TEE Core” calls TA_CloseSessionEntryPoint()
      ● Control is returned back to hello_world in user space
      ● The TEEC_FinalizeContext() call enters “TEE Driver”, which cleans up any remaining resources
      ● Control is returned back to hello_world in user space

  12. Create a Trusted Application
      ● As reference, have a look at the Hello World Trusted Application (*)
      ● Define UUIDs and function IDs (ta/include/ta_hello_world.h)
      ● Implement the functions in (ta/hello_world_ta.c)
      ● Create/call this new TA from user space in Linux (host/hello_world.c)
      ● Build/clone and export the needed tools/flags
          ● optee_os for the Trusted Application development kit (TA_DEV_KIT_DIR)
          ● optee_client for the public TEE Client API interfaces and libraries (TEEC_EXPORT)
          ● Host and TA toolchain
      (*) See the last slide for links to the source code

  13. build_helloworld.sh

         #!/bin/bash
         # Toolchains for the host (aarch64) and the TA (aarch32)
         export PATH=$HOME/fvp_optee/toolchains/aarch64/bin:$PATH
         export PATH=$HOME/fvp_optee/toolchains/aarch32/bin:$PATH

         # TA dev kit exported by optee_os, client API exported by optee_client
         export TA_DEV_KIT_DIR=$HOME/fvp_optee/optee_os/out-os-fvp/export-user_ta
         export TEEC_EXPORT=$HOME/fvp_optee/optee_client/out-client-aarch64/export

         cd $HOME/fvp_optee/lcu14_optee_hello_world
         make O=./out-client-aarch64 \
              HOST_CROSS_COMPILE=aarch64-linux-gnu- \
              TA_CROSS_COMPILE=arm-linux-gnueabihf- \
              "$@"

  14. Demo Time - Hello World TA
      ● Trusted Application binaries should be stored on (adb, mount fs, gen_init_cpio ...)
            /lib/teetz
      ● Run FVP
      ● Load optee Linux kernel driver
            modprobe optee
      ● Run the daemon serving secure world with, amongst others, filesystem access
            tee-supplicant &
      ● Run the client application
            hello_world

  15. Questions?

  16. Source code
      ● Hello world example available at http://github.com/jenswi-linaro/lcu14_optee_hello_world
      ● OP-TEE source available at http://github.com/OP-TEE
      ● ARM-TF source available at https://github.com/ARM-software/arm-trusted-firmware
      ● If the OP-TEE dispatcher is not merged yet it can be found in pull request https://github.com/ARM-software/arm-trusted-firmware/pull/188

  17. More about Linaro Connect: connect.linaro.org
      Linaro members: www.linaro.org/members
      More about Linaro: www.linaro.org/about/
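
The slides show only the client side of the invoke step and say that “TEE Core” calls TA_InvokeCommandEntryPoint(). The following is an added sketch of that secure-world handler, not code from the slides or from the hello world repository: it shows the parameter-type check a TA should make before trusting what the normal world passed in. The type and constant definitions are host-side stand-ins for tee_internal_api.h, and the value of TA_HELLO_WORLD_CMD_INC_VALUE and the names inc_value and INC_PARAM_TYPES are assumptions.

```c
/* Added example, not from the slides. The typedefs and constants stand in for
 * tee_internal_api.h so this builds on a host without the TA dev kit; their
 * values follow the GlobalPlatform TEE Internal Core API. */
#include <stddef.h>
#include <stdint.h>

typedef uint32_t TEE_Result;
#define TEE_SUCCESS                 0x00000000u
#define TEE_ERROR_BAD_PARAMETERS    0xFFFF0006u
#define TEE_ERROR_NOT_SUPPORTED     0xFFFF000Au
#define TEE_PARAM_TYPE_NONE         0u
#define TEE_PARAM_TYPE_VALUE_INOUT  3u
#define TEE_PARAM_TYPE_MEMREF_INOUT 7u
#define TEE_PARAM_TYPES(t0, t1, t2, t3) \
    ((t0) | ((t1) << 4) | ((t2) << 8) | ((t3) << 12))
typedef union {
    struct { void *buffer; size_t size; } memref;
    struct { uint32_t a, b; } value;
} TEE_Param;

/* Name is from the slides; the numeric value is an assumption. */
#define TA_HELLO_WORLD_CMD_INC_VALUE 0u
/* Hypothetical helper macro: the only layout the increment command accepts. */
#define INC_PARAM_TYPES TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INOUT, \
    TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE)

static TEE_Result inc_value(uint32_t param_types, TEE_Param params[4])
{
    /* param_types comes from the normal-world caller. Check it against the
     * expected layout before touching the union; reading a memref slot as a
     * value would be a type confusion inside the secure world. */
    if (param_types != INC_PARAM_TYPES)
        return TEE_ERROR_BAD_PARAMETERS;
    params[0].value.a++;
    return TEE_SUCCESS;
}

TEE_Result TA_InvokeCommandEntryPoint(void *sess_ctx, uint32_t cmd_id,
                                      uint32_t param_types, TEE_Param params[4])
{
    (void)sess_ctx; /* this sketch keeps no per-session state */
    if (cmd_id != TA_HELLO_WORLD_CMD_INC_VALUE)
        return TEE_ERROR_NOT_SUPPORTED; /* reject unknown command IDs */
    return inc_value(param_types, params);
}
```

In a real TA the stand-in definitions are replaced by including tee_internal_api.h from TA_DEV_KIT_DIR; the handler body stays the same.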
