HKG15-311: OP-TEE for Beginners and Porting Review --------------------------------------------------- Speaker: Victor Chong Date: February 11, 2015 --------------------------------------------------- ★ Session Summary ★ Explains the building blocks involved in Security including TrustZone, OP-TEE, Trusted Firmware etc. Goes into detail on how Secure Boot Works.. and Why. Explains how a simple secure Trusted Application interacts with OP-TEE and works. Brief overview on how to port OP-TEE to an ARM platform. Opens discussions for Potential Challenges and Hardware limitations and how they can be overcome. -------------------------------------------------- ★ Resources ★ Pathable: https://hkg15.pathable.com/meetings/250816 Video: https://www.youtube.com/watch?v=Fksx4-bpHRY Etherpad: http://pad.linaro.org/p/hkg15-311 --------------------------------------------------- ★ Event Details ★ Linaro Connect Hong Kong 2015 - #HKG15 February 9-13th, 2015 Regal Airport Hotel Hong Kong Airport --------------------------------------------------- http://www.linaro.org http://connect.linaro.org

1. Presented by
Date
HKG15-311:OP-TEE Basics
and Porting Review
Victor Chong
2015-2-9

2. Objectives
● Security Building Blocks
● Secure Boot
● Introduction to Trusted Applications
● OP-TEE Porting

3. OP-TEE
● Open-source Portable TEE
● Sponsored by ST
● GlobalPlatform (GP) compatible
● Compatible with ARM-TF
● Complete system

4. Security Building Blocks
● TrustZone-enabled chipset (Hardware)
● ARM Trusted Firmware aka ARM-TF (Firmware)
● Boot Services
● Run-time Services
● OP-TEE (OS)
● Client library (libteec.so)
● Driver (optee.ko)
● Trusted OS
● Client Applications
● OP-TEE Clients (Normal World)
● Trusted Applications (Secure World)

5. Security Building Blocks

6. Security Building Blocks

7. Secure Boot
● Prevent unauthorized executables from booting by verifying image
signatures
● Divided into stages
● Start with trusted source (ROM boot code) @ stage/level 1
● Root of Trust
● Every subsequent image (stage/level) to be loaded is verified first
by the one before it
● Chain of Trust

8. Secure Boot

9. Introduction to Trusted Applications
A Trusted Application typically consists of two parts
● Linux user space, client implementation
● Secure world Trusted Application (TA)

10. Introduction to Trusted Applications

11. Introduction to Trusted Applications
Typical normal world program flow based on GP Client API
● TEEC_InitializeContext
● Connect to the OP-TEE Linux driver
● TEEC_OpenSession
● Loads the TA
● TEEC_InvokeCommand
● Control TA functions
● TEEC_CloseSession
● TEEC_FinalizeContext

12. Hello World Example
root@host:/ hello_world
TEEC_InitializeContext
TEEC_OpenSession
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE)
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE) ==> 100+1 = 101
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD)
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD) done
…
TEEC_CloseSession
TEEC_FinalizeContex

13. Introduction to Trusted Applications
● GP Client API
● Not too flexible
● Somewhat limited in functionality
● GP Functional API forthcoming
● High level APIs, e.g. encrypt/decrypt
● Secure side TAs not required

14. Introduction to Trusted Applications
● Details
http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted-
applications-on-optee
● Hello world example available at
http://github.com/jenswi-linaro/lcu14_optee_hello_world
● GlobalPlatform
http://www.globalplatform.org/

15. OP-TEE Porting
Prerequisites
● ARM-TF ported for ARMv8
https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/porting-guide.md
References
● Detailed design document
https://github.com/OP-TEE/optee_os/blob/master/documentation/optee_design.md

16. OP-TEE Trusted OS
Linux
Android
OP-TEE Porting - Main Blocks
TEE Driver
TEE Client
Client
Application
Client
Application
TEE Core
TEE functions
(crypto/mm)
TEE Internal API
Trusted
Application
Trusted
Application
TrustZone based chipset crypto timer efuse
HAL
TEE Client API
SMC
porting

17. OP-TEE Porting - Affected Gits
● OP-TEE Trusted OS (optee_os)
- Add new platform support (plat-<myplat>)
● OP-TEE Linux kernel driver (optee_linuxdriver)
- No changes needed.
- Built as module (optee.ko) by default and included in rootfs.
● OP-TEE Normal World user space (optee_client)
- No changes needed.
- Built as library (libteec.so) and included in rootfs.

18. OP-TEE Porting - Getting started
● Get OP-TEE source code
http://github.com/OP-TEE
● Get the toolchain
http://releases.linaro.org/14.09/components/toolchain/binaries/gcc-linaro-arm-
linux-gnueabihf-4.9-2014.09_linux.tar.xz

19. OP-TEE Porting - How to build
● Add toolchain path
export PATH=$PATH:path-to-toolchain-bin
● Define CROSS_PREFIX macro
export CROSS_PREFIX=arm-linux-gnueabihf
● Choose target platform
export PLATFORM=<myplat> (e.g. vexpress)
● Choose target flavor
export PLATFORM_FLAVOR=<myflav> (e.g. juno)
● Build OP-TEE
make (produces tee.bin)

20. OP-TEE Porting - Partition Map
BL2/BL3-1/BL3-2
fip.bin (includes bl2.bin, bl31.bin,
tee.bin, u-boot.bin/uefi)
BL1
bl1.bin
kernel Image
rootfs
Example partition map based on
Allwinner A80 board

21. ● Clone from an existing platform
E.g. core/arch/arm32/plat-vexpress → core/arch/arm32/plat-<myplat>
OP-TEE Porting - Creating a New Platform
├── conf.mk
├── link.mk
├── sub.mk
├── ..
├── core_bootcfg.c
└── platform_config.h
├── conf.mk
├── link.mk
├── sub.mk
├── ..
├── core_bootcfg.c
└── platform_config.h

22. OP-TEE Porting - Compiler & Linker options
● Compiler options: conf.mk
● Linker options: link.mk
CROSS_PREFIX ?= arm-linux-gnueabihf
CROSS_COMPILE ?= $(CROSS_PREFIX)-
PLATFORM_FLAVOR ?= <myflav>
platform-cpuarch = cortex-a57 #default is cortex-a15
platform-cflags += ..
link-out-dir = $(out-dir)/core/
link-script = $(platform-dir)/kern.ld.S
link-ldflags = $(LDFLAGS)

23. OP-TEE Porting - Platform Configurations
● Platform-specific definitions: platform_config.h
#define STACK_TMP_SIZE 1024
#define STACK_ABT_SIZE 1024
#define STACK_THREAD_SIZE 8192
..
#define DRAM0_BASE 0x80000000
#define DRAM0_SIZE 0x7F000000
/* Location of trusted dram */
#define TZDRAM_BASE 0xFF000000
#define TZDRAM_SIZE 0x00E00000
..
#define CFG_TEE_CORE_NB_CORE 6
..
#define TEE_RAM_START (TZDRAM_BASE)
#define TEE_RAM_SIZE 0x0010000
#define CFG_SHMEM_START (DRAM0_BASE + DRAM0_SIZE - CFG_SHMEM_SIZE)
#define CFG_SHMEM_SIZE 0x100000

24. OP-TEE Porting - Platform Configurations
● platform_config.h also includes definitions for
● GIC base
● UART

25. OP-TEE Porting - Adding Source Files
● Source files list: sub.mk
srcs-y += file1.c
srcs-y += file2.c
…
subdirs-y += dir1
subdirs-y += dir2

26. OP-TEE Porting - Memory Map

27. OP-TEE Porting - Memory Configuration
● plat-<myplat>/
core_bootcfg.c
static struct map_area bootcfg_memory_map[] = {
{ /* teecore execution RAM */
.type = MEM_AREA_TEE_RAM,
.pa = CFG_TEE_RAM_START, .size = CFG_TEE_RAM_SIZE,
.cached = true, .secure = true, .rw = true, .exec = true,
},
{ /* teecore TA load/exec RAM - Secure, exec user only! */
.type = MEM_AREA_TA_RAM,
.pa = CFG_TA_RAM_START, .size = CFG_TA_RAM_SIZE,
.cached = true, .secure = true, .rw = true, .exec = false,
},
{ /* teecore public RAM - NonSecure, non-exec. */
.type = MEM_AREA_NSEC_SHM,
.pa = CFG_PUB_RAM_START, .size = SECTION_SIZE,
.cached = true, .secure = false, .rw = true, .exec = false,
},
{ /* Add platform IO devices like UART, GIC, etc. */
.type = MEM_AREA_IO_SEC,
.pa = (GIC_BASE + GICD_OFFSET) & ~SECTION_MASK, .size = SECTION_SIZE,
.device = true, .secure = true, .rw = true,
},
{.type = MEM_AREA_NOTYPE}
};

28. OP-TEE Porting - Platform Initialization
(_start) (kern.ld.S)
1. _start (entry.S)
a. CPU basic init (v7 only)
b. Cache/MMU init
c. BSS init (v7 only)
d. Jump to main_init
2. main_init (main.c)
a. Init UART, canaries, GIC
b. Clear BSS (v8 only)
c. Init monitor (v7 only)
d. Init thread stacks
e. Register handlers
(stdcall/fiq/svc/abort)
f. Init core
g. Return to non-secure entry

29. OP-TEE Porting - Running and Debug
(_start) (kern.ld.S)
4. sm_smc_entry (v7 only)
(sm_asm.S)
a. Save caller world context
b. Restore world context
c. Update SCR bits (NS/FIQ)
5. Thread handle (thread_asm.S,
thread.c)
a. Check if fiq handle request
b. Thread allocate
c. Thread context restore
6. main_tee_entry (main.c)
7. tee_entry (entry.c)

30. OP-TEE Porting - Test/Verify
● Build normal world program and corresponding TA
● Copy both to rootfs
● Run normal world program
● Details
http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-
trusted-applications-on-optee
● Hello world example available at
http://github.com/jenswi-linaro/lcu14_optee_hello_world

31. OP-TEE Porting - Sample Test Log
root@Vexpress:/ modprobe optee
misc teetz: no TZ l2cc mutex service supported
misc teetz: outer cache shared mutex disabled
root@Vexpress:/ tee-supplicant&
root@Vexpress:/ hello_world
Invoking TA to increment 42
TA incremented value to 43
root@Vexpress:/

32. OP-TEE Porting - Initial Task Checklist
- [ ] Port ARM-TF with U-Boot/UEFI (as bl33.bin) but without optee_os (bl32.bin)
- [ ] Make platform-specific changes to optee_os
- [ ] Add new platform
- [ ] conf.mk, link.mk, platform_config.h, core_bootcfg.c
- [ ] Add new source files (if required)
- [ ] Platform initialization (if required)
- [ ] Thread handlers (if required)
- [ ] Build optee_os
- [ ] Rebuild ARM-TF with U-Boot/UEFI as bl33.bin and optee_os as bl32.bin
- [ ] Build other required system components (kernel, rootfs, etc.)
- [ ] Test/Verify

33. OP-TEE documentation
● OP-TEE OS Documents
https://github.com/OP-TEE/optee_os/tree/master/documentation
● OP-TEE Wiki FAQ
https://wiki.linaro.org/WorkingGroups/Security/OP-TEE

34. Thank You!