Open Portable Trusted Execution Environment, or OP-TEE, is an open-source project that provides a Trusted Execution Environment (TEE) for secure computing on ARM-based processors. A TEE is a secure area within a processor that ensures the confidentiality and integrity of the code and data running inside it. OP-TEE specifically targets ARM TrustZone technology, which is a hardware-based security feature available on ARM Cortex-A processors.
OP-TEE is widely used in various applications, including mobile devices, Internet of Things (IoT) devices, and other systems where the secure execution of code and protection of sensitive data are critical. As an open-source project, OP-TEE encourages collaboration and contributions from the community to enhance its security features and support a broader range of ARM-based platforms. Refer to:
https://optee.readthedocs.io/en/latest/general/about.html
Contents
Table of Contents | ||
---|---|---|
|
Software architecture
Trusted OS (TEE Core)
Trusted OS is the heart of the OP-TEE, often referred to as the TEE Core. It provides the foundational layer for secure execution of trusted applications and services. It manages the secure world of the system, handling secure bootstrapping, memory isolation, and secure context switching between trusted and non-trusted execution environments. It also provides essential services such as cryptographic operations, secure storage, and secure inter-process communication between trusted applications and other components.
TEE Internal API
OP-TEE defines internal APIs that allow developers to access various TEE functionalities, including cryptographic services, secure storage, and secure communication between trusted applications.
TEE Client API
This layer provides a set of APIs that enable communication between non-secure (normal world) applications and trusted applications running in the TEE. Non-secure applications can use these APIs to securely invoke services provided by trusted applications and access secure resources managed by the TEE Core.
Linux TEE framework
The Linux TEE (Trusted Execution Environment) framework is a subsystem within the Linux kernel designed to support the integration of TEE into the Linux operating system. The Linux TEE framework enables communication and interaction between the Linux kernel and TEE, facilitating the execution of trusted applications and services within the TEE.
Linux TEE driver
The Linux TEE driver serves as the interface between the Linux kernel and specific TEE implementations. It provides a standardized interface for communication and interaction with the TEE from the Linux kernel.
Implementation of TEE of SP7350 platform
Start-up flow
Theoretically speaking, during the boot process, OP-TEE must be started as early as possible (the execution of the bootloader, for example, U-Boot, prior to OP-TEE will bring a defect and touch sensitive data). In SP7350 software, the OP-TEE, BL31 (TF-A), and U-Boot images are loaded by x-boot from the boot storage devices. x-boot then hand over the control to BL31. BL31, as a secure monitor, starts OP-TEE.
Reserved memory for OP-TEE
The SP7350 platform reserves a two-megabyte area beginning at 0x300000 in the device tree source (dts) for OP-TEE. Please refer to the dts node provided below:
Code Block |
---|
reserved-memory { : /*OP-TEE reserve memory: 0x300000-0x4fffff, total 2M */ optee_reserve@300000 { reg = <0x0 0x300000 0x0 0x200000>; no-map; }; : : }; |
Besides, there is optee subnode in firmware node in the device tree source for OP-TEE.
Code Block |
---|
firmware { optee { compatible = "linaro,optee-tz"; method = "smc"; }; }; |
Source files
Source files of OP-TEE can be found in the "optee/" directory under the project's top directory. Refer to table below for main sub-directories and descriptions.
Folders | Descriptions |
optee_client/ | |
optee_examples/ | Contains several official examples. |
optee_os/ |
“optee_os/core” directory contains the core components of OP-TEE, including the trusted OS (TEE Core), which is responsible for handling secure operations, managing trusted applications, and providing secure services to these applications.
Folders | Descriptions |
arch/arm/ | Contains ARM-specific code, such as context switching, exception handling, and low-level initialization. |
arch/arm/plat/sp/ | Contains SP7350-specific code and configurations. This includes code related to bootstrapping, device drivers, and hardware-specific functionalities. |