HKG15-311: OP-TEE for Beginners and Porting Review
---------------------------------------------------
Speaker: Victor Chong
Date: February 11, 2015
---------------------------------------------------
★ Session Summary ★
Explains the building blocks involved in security, including TrustZone, OP-TEE, Trusted Firmware, etc. Goes into detail on how secure boot works, and why. Explains how a simple Trusted Application interacts with OP-TEE and how it works. Gives a brief overview of how to port OP-TEE to an ARM platform. Opens discussion of potential challenges and hardware limitations and how they can be overcome.
---------------------------------------------------
★ Resources ★
Pathable: https://hkg15.pathable.com/meetings/250816
Video: https://www.youtube.com/watch?v=Fksx4-bpHRY
Etherpad: http://pad.linaro.org/p/hkg15-311
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2015 - #HKG15
February 9-13, 2015
Regal Airport Hotel Hong Kong Airport
---------------------------------------------------
http://www.linaro.org
http://connect.linaro.org
7. Secure Boot
● Prevent unauthorized executables from booting by verifying image signatures before execution
● Divided into stages
● Start from a trusted source (ROM boot code) at stage/level 1
  - Root of Trust
● Every subsequent image (stage/level) is verified, before it is loaded and run, by the one before it
  - Chain of Trust
9. Introduction to Trusted Applications
A Trusted Application typically consists of two parts:
● Linux user space client implementation (normal world)
● Secure world Trusted Application (TA)
11. Introduction to Trusted Applications
Typical normal world program flow based on the GP Client API
● TEEC_InitializeContext
  - Connect to the OP-TEE Linux driver
● TEEC_OpenSession
  - Loads the TA (identified by its UUID) and opens a session to it
● TEEC_InvokeCommand
  - Control TA functions
● TEEC_CloseSession
● TEEC_FinalizeContext
12. Hello World Example
root@host:/ hello_world
TEEC_InitializeContext
TEEC_OpenSession
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE)
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE) ==> 100+1 = 101
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD)
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD) done
…
TEEC_CloseSession
TEEC_FinalizeContext
13. Introduction to Trusted Applications
● GP Client API
  - Not too flexible
  - Somewhat limited in functionality
● GP Functional API forthcoming
  - High level APIs, e.g. encrypt/decrypt
  - No need to write a secure side TA; the TEE provides the functionality
14. Introduction to Trusted Applications
● Details
http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted-applications-on-optee
● Hello world example available at
http://github.com/jenswi-linaro/lcu14_optee_hello_world
● GlobalPlatform
http://www.globalplatform.org/
16. OP-TEE Porting - Main Blocks
(Architecture diagram; the labels that survive extraction are listed here.)
● Normal world (Linux / Android)
  - Client Applications
  - TEE Client API (TEE Client, libteec)
  - TEE Driver
● SMC (world switch between the normal world driver and OP-TEE)
● Secure world: OP-TEE Trusted OS
  - TEE Core
  - TEE functions (crypto/mm)
  - TEE Internal API
  - Trusted Applications
  - HAL (the porting layer) over the TrustZone based chipset: crypto, timer, efuse
17. OP-TEE Porting - Affected Gits
● OP-TEE Trusted OS (optee_os)
- Add new platform support (plat-<myplat>)
● OP-TEE Linux kernel driver (optee_linuxdriver)
- No changes needed.
- Built as module (optee.ko) by default and included in rootfs.
● OP-TEE Normal World user space (optee_client)
- No changes needed.
- Built as library (libteec.so) and included in rootfs.
18. OP-TEE Porting - Getting started
● Get OP-TEE source code
http://github.com/OP-TEE
● Get the toolchain
http://releases.linaro.org/14.09/components/toolchain/binaries/gcc-linaro-arm-linux-gnueabihf-4.9-2014.09_linux.tar.xz
28. OP-TEE Porting - Platform Initialization
Entry point: _start (set in the linker script kern.ld.S)
1. _start (entry.S)
   a. CPU basic init (v7 only)
   b. Cache/MMU init
   c. BSS init (v7 only)
   d. Jump to main_init
2. main_init (main.c)
   a. Init UART, canaries, GIC
   b. Clear BSS (v8 only)
   c. Init monitor (v7 only)
   d. Init thread stacks
   e. Register handlers (stdcall/fiq/svc/abort)
   f. Init core
   g. Return to non-secure entry
29. OP-TEE Porting - Running and Debug
4. sm_smc_entry (v7 only) (sm_asm.S)
   a. Save the calling world's context
   b. Restore the other world's context
   c. Update SCR bits (NS/FIQ)
5. Thread handling (thread_asm.S, thread.c)
   a. Check if this is an FIQ handling request
   b. Thread allocate
   c. Thread context restore
6. main_tee_entry (main.c)
7. tee_entry (entry.c)
30. OP-TEE Porting - Test/Verify
● Build normal world program and corresponding TA
● Copy both to rootfs
● Run normal world program
● Details
http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted-applications-on-optee
● Hello world example available at
http://github.com/jenswi-linaro/lcu14_optee_hello_world
31. OP-TEE Porting - Sample Test Log
root@Vexpress:/ modprobe optee
misc teetz: no TZ l2cc mutex service supported
misc teetz: outer cache shared mutex disabled
root@Vexpress:/ tee-supplicant&
root@Vexpress:/ hello_world
Invoking TA to increment 42
TA incremented value to 43
root@Vexpress:/
32. OP-TEE Porting - Initial Task Checklist
- [ ] Port ARM-TF with U-Boot/UEFI (as bl33.bin) but without optee_os (bl32.bin)
- [ ] Make platform-specific changes to optee_os
  - [ ] Add new platform
    - [ ] conf.mk, link.mk, platform_config.h, core_bootcfg.c
  - [ ] Add new source files (if required)
    - [ ] Platform initialization (if required)
    - [ ] Thread handlers (if required)
- [ ] Build optee_os
- [ ] Rebuild ARM-TF with U-Boot/UEFI as bl33.bin and optee_os as bl32.bin
- [ ] Build other required system components (kernel, rootfs, etc.)
- [ ] Test/Verify
33. OP-TEE documentation
● OP-TEE OS Documents
https://github.com/OP-TEE/optee_os/tree/master/documentation
● OP-TEE Wiki FAQ
https://wiki.linaro.org/WorkingGroups/Security/OP-TEE