YG
Uploaded byYannick Gicquel
ODP, PPTX6,051 views

Introduction to Optee (26 may 2016)

The document provides an overview of OP-TEE, an open-source portable trusted execution environment that implements the Global Platform API on ARM TrustZone. It describes the software architecture, including the interaction between rich execution environments and trusted execution environments, as well as the security measures in place for trusted applications. It further discusses integration with Yocto, features of the Global Platform, and references for additional information.

Embed presentation

Download as ODP, PPTX
Introduction to OP-TEE 25 May 2016
May-2016AGL-2.0 OP-TEE Introduction 2 OP-TEE ● OP-TEE ● Open-source Portable Trusted Execution Environment, ● Implements the Global Platform API on top of ARM TrustZone, ● Initiated by ST in 2007, then handled by Linaro (sources on GitHub). ● Architecture ● Security by isolated execution, introducing two contexts: – Rich Execution Environment (normal world), – Trusted Execution Environment (secure world). ● A software part handles context switches : – “secure monitor” (armv7) or “ARM trusted firmware” (armv8). ● Both worlds communicates through: – Sequences of messages ( ioctl() ), – Shared memory.
May-2016AGL-2.0 OP-TEE Introduction 3 ARM Trustzone hardware isolation ● Principle ● The SoC memory mapping / peripherals visibility can be configured for both worlds, ● CPU contexts, Core Exceptions Levels, ● Depends on SoC design, sometimes BootRom use this internally. Credit: http://genode.org/documentation/articles/trustzone
May-2016AGL-2.0 OP-TEE Introduction 4 OP-TEE Software architecture
May-2016AGL-2.0 OP-TEE Introduction 5 OP-TEE ● OP-TEE OS Characteristics ● Sequential execution of commands from Client App, no re-entrance, ● Checks inputs (commands/datas) received from REE, ● Strong isolation of TA, stack protections, tasks creation on each TA entries points, ● Use Secure-RAM HW capability, ● Secured Applications ● Two binaries blobs: – User space program (Normal world), – TA: Trusted Application (Secure world). ● TA are signed, and identified by a UUID, ● TA integrity is checked by the trusted OS before execution. ● OS Design ● Client library (libteec.so), ● Kernel Driver (optee.ko), ● Trusted OS (bare metal C code)
May-2016AGL-2.0 OP-TEE Introduction 6 Global Platform ● Features ● Protected storage, ● SW isolation, ● Device integrity. ● TEE Core API specify ● Trusted Core Framework API, ● Trusted Storage API for Data and Keys, ● Cryptographic Operation API, ● Time API, ● Arithmetical API. ● TEE Client API ● Others ● Access Control, UI API. ● Specifications are accessible: https://www.globalplatform.org/
May-2016AGL-2.0 OP-TEE Introduction 7 Dynamic view
May-2016AGL-2.0 OP-TEE Introduction 8 Typical boot sequence 2nd stage Bootloader Linux BootROM 1st stage Bootloader
May-2016AGL-2.0 OP-TEE Introduction 9 Boot sequence 2nd stage Bootloader Linux BootROM 1st stage Bootloader Secure mode : Load, Verify integrity OP-TEE OS Secure Monitor / ARM TF 1 2 3 4 5 : Execute
May-2016AGL-2.0 OP-TEE Introduction 10 Data vs. peripherals isolation eMMC Flash SPI BootROM OP-TEE OS Bootloader Linux Kernel Flash SPI BootROM eMMC Linux RootFS RAM Secure World Normal World eMMC SPI
May-2016AGL-2.0 OP-TEE Introduction 11 Data storage ● Secure storage ● Using Normal world rootfs + cryptography, ● Using eMMC RPMB (Jedec-84 A) partition, ● A Storage usage policy may be defined ● In regards of distro. packages & SW architecture, ● Installation strategy to perform the update ● Single vs. Dual copy updates, ● Recovery mode, rollback, persistence, ● Sw update package format, ● ...
May-2016AGL-2.0 OP-TEE Introduction 12 Status ● Integration in Yocto/AGL ● Layer enabling a QEmu machine with OP-TEE OS + samples apps: https://github.com/iotbzh/meta-optee ● Open points ● Security API commonly available in Intel TXT & ARM, architecture that can enforce SOTA, ● Key management, ● Updates package format, generation from Yocto,
May-2016AGL-2.0 OP-TEE Introduction 13 References External links: ● http://fr.slideshare.net/linaroorg/hkg15311-optee-for-beginners-and-porting-review ● http://fr.slideshare.net/linaroorg/lcu14-302-how-to-port-optee-to-another-platform Sources repositories: ● https://github.com/OP-TEE/ ● https://github.com/OP-TEE/optee_os/tree/master/documentation ● https://github.com/ARM-software/arm-trusted-firmware

More Related Content

PDF
HKG15-311: OP-TEE for Beginners and Porting Review
byLinaro
 
PDF
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
byLinaro
 
PDF
LCU14 302- How to port OP-TEE to another platform
byLinaro
 
PDF
Lcu14 107- op-tee on ar mv8
byLinaro
 
PDF
LCA14: LCA14-502: The way to a generic TrustZone® solution
byLinaro
 
PDF
LCU14-103: How to create and run Trusted Applications on OP-TEE
byLinaro
 
PDF
SFO15-200: Linux kernel generic TEE driver
byLinaro
 
PDF
HKG18-402 - Build secure key management services in OP-TEE
byLinaro
 
HKG15-311: OP-TEE for Beginners and Porting Review
byLinaro
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
byLinaro
 
LCU14 302- How to port OP-TEE to another platform
byLinaro
 
Lcu14 107- op-tee on ar mv8
byLinaro
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
byLinaro
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
byLinaro
 
SFO15-200: Linux kernel generic TEE driver
byLinaro
 
HKG18-402 - Build secure key management services in OP-TEE
byLinaro
 

What's hot

PDF
BUD17-400: Secure Data Path with OPTEE
byLinaro
 
PDF
SFO15-503: Secure storage in OP-TEE
byLinaro
 
PDF
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
byLinaro
 
PDF
Lcu14 306 - OP-TEE Future Enhancements
byLinaro
 
PDF
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
byLinaro
 
TXT
OPTEE on QEMU - Build Tutorial
byDalton Valadares
 
PDF
Secure storage updates - SFO17-309
byLinaro
 
PDF
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
byLinaro
 
PDF
Trusted firmware deep_dive_v1.0_
byLinaro
 
PDF
TEE - kernel support is now upstream. What this means for open source security
byLinaro
 
PDF
LCU14 500 ARM Trusted Firmware
byLinaro
 
PDF
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
byLinaro
 
PDF
Qemu Introduction
byChiawei Wang
 
PDF
Linux Networking Explained
byThomas Graf
 
PDF
LAS16-504: Secure Storage updates in OP-TEE
byLinaro
 
PDF
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
PDF
HKG18-411 - Introduction to OpenAMP which is an open source solution for hete...
byLinaro
 
PDF
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
byLinaro
 
PDF
LCA13: Power State Coordination Interface
byLinaro
 
PDF
Character Drivers
byAnil Kumar Pugalia
 
BUD17-400: Secure Data Path with OPTEE
byLinaro
 
SFO15-503: Secure storage in OP-TEE
byLinaro
 
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
byLinaro
 
Lcu14 306 - OP-TEE Future Enhancements
byLinaro
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
byLinaro
 
OPTEE on QEMU - Build Tutorial
byDalton Valadares
 
Secure storage updates - SFO17-309
byLinaro
 
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
byLinaro
 
Trusted firmware deep_dive_v1.0_
byLinaro
 
TEE - kernel support is now upstream. What this means for open source security
byLinaro
 
LCU14 500 ARM Trusted Firmware
byLinaro
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
byLinaro
 
Qemu Introduction
byChiawei Wang
 
Linux Networking Explained
byThomas Graf
 
LAS16-504: Secure Storage updates in OP-TEE
byLinaro
 
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
HKG18-411 - Introduction to OpenAMP which is an open source solution for hete...
byLinaro
 
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
byLinaro
 
LCA13: Power State Coordination Interface
byLinaro
 
Character Drivers
byAnil Kumar Pugalia
 

Similar to Introduction to Optee (26 may 2016)

PDF
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
bysatyabratmallaBujarb
 
PDF
RISC-V-Day-Tokyo2018-suzaki
byKuniyasu Suzaki
 
PDF
optee~--10299019iui74978429962974902774.pdf
bysatyabratmallaBujarb
 
PDF
Introduction of AArch64 TrustZone and OPTEE
byChiawei Wang
 
PDF
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
byLibreCon
 
PDF
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
by96Boards
 
PDF
HKG18-212 - Trusted Firmware M: Introduction
byLinaro
 
PDF
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
byRiscure
 
PDF
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
byCristofaro Mune
 
PDF
Android Security Internals
byOpersys inc.
 
PDF
Nick Stephens-how does someone unlock your phone with nose
byGeekPwn Keen
 
PDF
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
byThe Linux Foundation
 
PDF
LCU13: An Introduction to ARM Trusted Firmware
byLinaro
 
PPTX
Security for io t apr 29th mentor embedded hangout
bymentoresd
 
PDF
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
byKuniyasu Suzaki
 
PDF
6 andrii grygoriev - security issues in arm trust zone software
byIevgenii Katsan
 
PDF
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
byThe Linux Foundation
 
PDF
Open Source Firmware - FrOSCon 2019
byDaniel Maslowski
 
PDF
BKK16-200 Designing Security into low cost IO T Systems
byLinaro
 
PDF
Embedded Linux primer
byDrew Fustini
 
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
bysatyabratmallaBujarb
 
RISC-V-Day-Tokyo2018-suzaki
byKuniyasu Suzaki
 
optee~--10299019iui74978429962974902774.pdf
bysatyabratmallaBujarb
 
Introduction of AArch64 TrustZone and OPTEE
byChiawei Wang
 
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
byLibreCon
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
by96Boards
 
HKG18-212 - Trusted Firmware M: Introduction
byLinaro
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
byRiscure
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
byCristofaro Mune
 
Android Security Internals
byOpersys inc.
 
Nick Stephens-how does someone unlock your phone with nose
byGeekPwn Keen
 
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
byThe Linux Foundation
 
LCU13: An Introduction to ARM Trusted Firmware
byLinaro
 
Security for io t apr 29th mentor embedded hangout
bymentoresd
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
byKuniyasu Suzaki
 
6 andrii grygoriev - security issues in arm trust zone software
byIevgenii Katsan
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
byThe Linux Foundation
 
Open Source Firmware - FrOSCon 2019
byDaniel Maslowski
 
BKK16-200 Designing Security into low cost IO T Systems
byLinaro
 
Embedded Linux primer
byDrew Fustini
 

Recently uploaded

PPTX
Aix-Marseille Université Diploma
by美国加利福尼亚州立理工大学波莫纳分校学位证书补办【Q微号:1954 292 140】CPP毕业证购买
 
PPTX
2_Consequence of threats, E-mail threats, Web.pptx
bydolly475229
 
PPTX
Transportation Engineering- Modes of Transport, Types of roads, Components of...
byvidyanand kadam
 
PPTX
The Complete Guide to Energy Audits_ Unlocking Savings, Sustainability, and P...
bygreentechnexus2024
 
PPT
Tutorial-security-privacy-cloud intro duction about cloud compting its services
byHEmansuSingh
 
PDF
Nostr : A protocol for freedom of speech
byEmre YILMAZ
 
PPTX
1_Sources of security threats, Motives, Target.pptx
bydolly475229
 
PPTX
KTU 2024 SCHEME -PEMET 413 COMPOSITE MATERIALS MODULE 1 LECTURE 1.pptx
byVinayB68
 
PPTX
Introduction to Civil Engineering-Defination, Branches of civil engineering a...
byvidyanand kadam
 
PPT
Intro AI DBATU.ppt ppt useful engineering
bydevinjon990
 
PPTX
Industrial Plant Safety – Comprehensive Guide for Workplace Safety & Risk Pre...
byMaintWiz Technologies Private Limited
 
DOCX
Project Management(BOE 070) notes Unite 4 AKTU
by26dsyogam
 
PPTX
Track & Monitor Preventive Maintenance — Best Practices with MaintWiz CMMS
byMaintWiz Technologies Private Limited
 
PPTX
22PEOIT4C Session 7 A searching algorithm.pptx
bymailmegokilavani
 
PPTX
Industrial Smart Ventilation system.pptx
byfsanjay42
 
PDF
Sensor & Instrument MODULE 3 REVISION PPT.pdf
by26dsyogam
 
PDF
PROPEX-RAG: Prompt-Driven GraphRAG for Multi-Hop QA
byapurvakarne
 
PPTX
Fiber reinforced concrete (FRC) is a composite material made from Portland ce...
bymanojaioe
 
PPTX
Preventive Maintenance Program for Compressors – Complete Guide
byMaintWiz Technologies Private Limited
 
PPTX
A7383 3D Printing UNIT-III : 3D printing techniques
byVishnuVardhan909561
 
Aix-Marseille Université Diploma
by美国加利福尼亚州立理工大学波莫纳分校学位证书补办【Q微号:1954 292 140】CPP毕业证购买
 
2_Consequence of threats, E-mail threats, Web.pptx
bydolly475229
 
Transportation Engineering- Modes of Transport, Types of roads, Components of...
byvidyanand kadam
 
The Complete Guide to Energy Audits_ Unlocking Savings, Sustainability, and P...
bygreentechnexus2024
 
Tutorial-security-privacy-cloud intro duction about cloud compting its services
byHEmansuSingh
 
Nostr : A protocol for freedom of speech
byEmre YILMAZ
 
1_Sources of security threats, Motives, Target.pptx
bydolly475229
 
KTU 2024 SCHEME -PEMET 413 COMPOSITE MATERIALS MODULE 1 LECTURE 1.pptx
byVinayB68
 
Introduction to Civil Engineering-Defination, Branches of civil engineering a...
byvidyanand kadam
 
Intro AI DBATU.ppt ppt useful engineering
bydevinjon990
 
Industrial Plant Safety – Comprehensive Guide for Workplace Safety & Risk Pre...
byMaintWiz Technologies Private Limited
 
Project Management(BOE 070) notes Unite 4 AKTU
by26dsyogam
 
Track & Monitor Preventive Maintenance — Best Practices with MaintWiz CMMS
byMaintWiz Technologies Private Limited
 
22PEOIT4C Session 7 A searching algorithm.pptx
bymailmegokilavani
 
Industrial Smart Ventilation system.pptx
byfsanjay42
 
Sensor & Instrument MODULE 3 REVISION PPT.pdf
by26dsyogam
 
PROPEX-RAG: Prompt-Driven GraphRAG for Multi-Hop QA
byapurvakarne
 
Fiber reinforced concrete (FRC) is a composite material made from Portland ce...
bymanojaioe
 
Preventive Maintenance Program for Compressors – Complete Guide
byMaintWiz Technologies Private Limited
 
A7383 3D Printing UNIT-III : 3D printing techniques
byVishnuVardhan909561
 

Introduction to Optee (26 may 2016)

  • 1.
  • 2.
    May-2016AGL-2.0 OP-TEE Introduction2 OP-TEE ● OP-TEE ● Open-source Portable Trusted Execution Environment, ● Implements the Global Platform API on top of ARM TrustZone, ● Initiated by ST in 2007, then handled by Linaro (sources on GitHub). ● Architecture ● Security by isolated execution, introducing two contexts: – Rich Execution Environment (normal world), – Trusted Execution Environment (secure world). ● A software part handles context switches : – “secure monitor” (armv7) or “ARM trusted firmware” (armv8). ● Both worlds communicates through: – Sequences of messages ( ioctl() ), – Shared memory.
  • 3.
    May-2016AGL-2.0 OP-TEE Introduction3 ARM Trustzone hardware isolation ● Principle ● The SoC memory mapping / peripherals visibility can be configured for both worlds, ● CPU contexts, Core Exceptions Levels, ● Depends on SoC design, sometimes BootRom use this internally. Credit: http://genode.org/documentation/articles/trustzone
  • 4.
    May-2016AGL-2.0 OP-TEE Introduction4 OP-TEE Software architecture
  • 5.
    May-2016AGL-2.0 OP-TEE Introduction5 OP-TEE ● OP-TEE OS Characteristics ● Sequential execution of commands from Client App, no re-entrance, ● Checks inputs (commands/datas) received from REE, ● Strong isolation of TA, stack protections, tasks creation on each TA entries points, ● Use Secure-RAM HW capability, ● Secured Applications ● Two binaries blobs: – User space program (Normal world), – TA: Trusted Application (Secure world). ● TA are signed, and identified by a UUID, ● TA integrity is checked by the trusted OS before execution. ● OS Design ● Client library (libteec.so), ● Kernel Driver (optee.ko), ● Trusted OS (bare metal C code)
  • 6.
    May-2016AGL-2.0 OP-TEE Introduction6 Global Platform ● Features ● Protected storage, ● SW isolation, ● Device integrity. ● TEE Core API specify ● Trusted Core Framework API, ● Trusted Storage API for Data and Keys, ● Cryptographic Operation API, ● Time API, ● Arithmetical API. ● TEE Client API ● Others ● Access Control, UI API. ● Specifications are accessible: https://www.globalplatform.org/
  • 7.
  • 8.
    May-2016AGL-2.0 OP-TEE Introduction8 Typical boot sequence 2nd stage Bootloader Linux BootROM 1st stage Bootloader
  • 9.
    May-2016AGL-2.0 OP-TEE Introduction9 Boot sequence 2nd stage Bootloader Linux BootROM 1st stage Bootloader Secure mode : Load, Verify integrity OP-TEE OS Secure Monitor / ARM TF 1 2 3 4 5 : Execute
  • 10.
    May-2016AGL-2.0 OP-TEE Introduction10 Data vs. peripherals isolation eMMC Flash SPI BootROM OP-TEE OS Bootloader Linux Kernel Flash SPI BootROM eMMC Linux RootFS RAM Secure World Normal World eMMC SPI
  • 11.
    May-2016AGL-2.0 OP-TEE Introduction11 Data storage ● Secure storage ● Using Normal world rootfs + cryptography, ● Using eMMC RPMB (Jedec-84 A) partition, ● A Storage usage policy may be defined ● In regards of distro. packages & SW architecture, ● Installation strategy to perform the update ● Single vs. Dual copy updates, ● Recovery mode, rollback, persistence, ● Sw update package format, ● ...
  • 12.
    May-2016AGL-2.0 OP-TEE Introduction12 Status ● Integration in Yocto/AGL ● Layer enabling a QEmu machine with OP-TEE OS + samples apps: https://github.com/iotbzh/meta-optee ● Open points ● Security API commonly available in Intel TXT & ARM, architecture that can enforce SOTA, ● Key management, ● Updates package format, generation from Yocto,
  • 13.
    May-2016AGL-2.0 OP-TEE Introduction13 References External links: ● http://fr.slideshare.net/linaroorg/hkg15311-optee-for-beginners-and-porting-review ● http://fr.slideshare.net/linaroorg/lcu14-302-how-to-port-optee-to-another-platform Sources repositories: ● https://github.com/OP-TEE/ ● https://github.com/OP-TEE/optee_os/tree/master/documentation ● https://github.com/ARM-software/arm-trusted-firmware