Open Portable Trusted Execution Environment, or OP-TEE, is an open-source project that provides a Trusted Execution Environment (TEE) for secure computing on ARM-based processors. A TEE is a secure area within a processor that ensures the confidentiality and integrity of the code and data running inside it. OP-TEE specifically targets ARM TrustZone technology, which is a hardware-based security feature available on ARM Cortex-A processors.The
OP-TEE image is loaded by x-boot from the boot storage and is invoked within TF-A.is widely used in various applications, including mobile devices, Internet of Things (IoT) devices, and other systems where the secure execution of code and protection of sensitive data are critical. As an open-source project, OP-TEE encourages collaboration and contributions from the community to enhance its security features and support a broader range of ARM-based platforms. Refer to:
https://optee.readthedocs.io/en/latest/general/about.html
Contents
| Table of Contents | ||
|---|---|---|
|
Key features
Trusted Applications (TAs): OP-TEE allows the development and execution of Trusted Applications, which run in the TEE. These applications benefit from a higher level of security and isolation compared to regular applications running in the Rich Execution Environment (REE).
GlobalPlatform TEE Standard: OP-TEE follows the GlobalPlatform TEE standard, providing a standardized interface for communication between the Rich Execution Environment (REE) and the Trusted Execution Environment (TEE). This standardization ensures portability and interoperability across different platforms and implementations.
TEE Core: The TEE Core is the heart of OP-TEE, responsible for managing the TEE and executing trusted applications. It enforces security boundaries and provides services such as secure storage, cryptographic operations, and secure inter-process communication.
TEE Internal APIs: OP-TEE defines internal APIs that allow developers to access various TEE functionalities, including cryptographic services, secure storage, and secure communication between trusted applications.
TEE Client APIs: For communication between the Rich Execution Environment (REE) and the TEE, OP-TEE provides client APIs. These APIs allow applications running in the REE to securely invoke services provided by Trusted Applications in the TEE.
Software architecture
...
Start-up flow
Theoretically speaking, during the boot process, OP-TEE is widely used in various applications, including mobile devices, Internet of Things (IoT) devices, and other systems where the secure execution of code and protection of sensitive data are critical. As an open-source project, OP-TEE encourages collaboration and contributions from the community to enhance its security features and support a broader range of ARM-based platforms.
Files
...
Folders
...
Descriptions
...
optee/
...
Root folder of OP-TEE
must be started as early as possible (the execution of the bootloader, for example, U-Boot, prior to OP-TEE will bring a defect and touch sensitive data). In SP7350 software, the OP-TEE, BL31 (TF-A), and U-Boot images are loaded by x-boot from the boot storage. x-boot then hand over the control to BL31. BL31, as a secure monitor, starts OP-TEE and U-Boot.
Linux OP-TEE framework and driver
| Code Block |
|---|
reserved-memory {
:
/*OP-TEE reserve memory: 0x300000-0x4fffff, total 2M */
optee_reserve@300000 {
reg = <0x0 0x300000 0x0 0x200000>;
no-map;
};
:
:
};
:
firmware {
optee {
compatible = "linaro,optee-tz";
method = "smc";
};
}; |
Source files
Source files of OP-TEE can be found in the "optee/" directory under the project's top directory. Refer to table below for main sub-directories and descriptions.
Folders | Descriptions |
optee_client/ | |
optee_examples/ | Contains several official examples. |
optee_os/ |
x“optee_os/core”
Folders | Descriptions |
arch/arm/plat/sp/ | |