...

OP-TEE is widely used in various applications, including mobile devices, Internet of Things (IoT) devices, and other systems where the secure execution of code and protection of sensitive data are critical. As an open-source project, OP-TEE encourages collaboration and contributions from the community to enhance its security features and support a broader range of ARM-based platforms.

For further information, refer to:

OP-TEE Documentation: https://optee.readthedocs.io/en/latest/general/about.html

OP-TEE GitHub Repository: https://github.com/OP-TEE/

...

OP-TEE defines internal APIs that allow developers to access various TEE functionalities, including cryptographic services, secure storage, and secure communication between trusted applications.

Trusted applications

Trusted applications are designed to execute sensitive or security-critical operations within the TEE. They ensure the confidentiality, integrity, and authenticity of the data and processes they manage.

...

Client applications

Client applications utilize the "TEE Client API" to communicate with trusted applications within OP-TEE, thereby accessing security services provided by these trusted applications.

TEE Client API

This layer provides a set of APIs that enable communication between non-secure (normal world) applications and trusted applications running within the TEE. Non-secure applications can use these APIs to securely invoke services provided by trusted applications and access secure resources managed by the TEE Core.

...

The Linux TEE (Trusted Execution Environment) framework is a subsystem within the Linux kernel designed to support the integration of TEE into the Linux operating system. The Linux TEE framework enables communication and interaction between the Linux kernel and TEE, facilitating the execution of trusted applications and services within the TEE.

Linux OP-TEE driver

The Linux OP-TEE driver serves as the interface between the Linux kernel and specific TEE implementations. It provides a standardized interface for communication and interaction with the TEE from the Linux kernel.

Implementation of OP-TEE

...

in SP7350 platform

Start-up flow

...

Loading and initialization

During the boot process, OP-TEE must be initiated at the earliest feasible stage to prevent potential security vulnerabilities: executing a bootloader such as U-Boot before OP-TEE would introduce a defect and could touch sensitive data. In the SP7350 software environment, x-boot (the first-stage bootloader) loads the OP-TEE, BL31 (Trusted Firmware-A), and U-Boot images from the boot storage devices. Subsequently, control is transferred to BL31, which acts as a secure monitor and initiates OP-TEE.

Reserved memory for OP-TEE

In the SP7350 platform's device tree source (dts), a two-megabyte area starting at memory address 0x300000 is reserved for OP-TEE. Below is a snippet illustrating the reserved memory configuration:

	reserved-memory {
		:
		/*OP-TEE reserve memory: 0x300000-0x4fffff, total 2M */
		optee_reserve@300000 {
			reg = <0x0 0x300000 0x0 0x200000>;
			no-map;
		};
		:
		:
	};

...

Linux TEE framework and OP-TEE driver

To integrate the Linux TEE framework and the OP-TEE driver into the SP7350 platform, the following configurations are required in the device tree source (dts):

	firmware {
		optee {
			compatible = "linaro,optee-tz";
			method = "smc";
		};
	};

This configuration snippet defines the firmware node and, within it, the optee subnode. The subnode sets the compatible property to "linaro,optee-tz", indicating compatibility with OP-TEE on TrustZone, and sets the communication method to "smc" (Secure Monitor Call).

Enabling the Linux TEE framework (CONFIG_TEE=y) and the OP-TEE driver (CONFIG_OPTEE=y) in the kernel configuration is an essential prerequisite for this configuration to take effect.
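The settings above can be audited on a built image or a running target. The following script is an added example, not part of the SP7350 sources: it checks a kernel .config file and a device-tree directory (for example /proc/device-tree) against the values shown on this page. The function names check_optee, dt_str, dt_u64 and make_sample are hypothetical, and the reg decoding assumes two address cells and two size cells.

```shell
#!/bin/sh
# Added example (not from the SP7350 sources): audit the OP-TEE settings this page describes.
# usage: check_optee <kernel .config> <device-tree root, e.g. /proc/device-tree>

# Read a string property; property files are NUL-terminated.
dt_str() { [ -f "$1" ] && tr -d '\000' < "$1"; }

# Decode the big-endian 64-bit value (two 32-bit cells) at byte offset $2 of file $1.
dt_u64() { printf '%d' "0x$(od -An -v -tx1 -j "$2" -N 8 "$1" | tr -d ' \n')"; }

check_optee() {
    kconfig=$1; dt=$2; rc=0
    for opt in CONFIG_TEE CONFIG_OPTEE; do
        grep -q "^${opt}=y\$" "$kconfig" || { echo "FAIL: $opt=y missing"; rc=1; }
    done
    node="$dt/firmware/optee"
    [ "$(dt_str "$node/compatible")" = "linaro,optee-tz" ] ||
        { echo "FAIL: firmware/optee compatible"; rc=1; }
    [ "$(dt_str "$node/method")" = "smc" ] ||
        { echo "FAIL: firmware/optee method"; rc=1; }
    res="$dt/reserved-memory/optee_reserve@300000"
    # Without no-map the kernel may map the region, so treat its absence as a failure.
    [ -e "$res/no-map" ] || { echo "FAIL: no-map missing"; rc=1; }
    if [ -f "$res/reg" ]; then
        # Assumes #address-cells = <2> and #size-cells = <2>, as the four-cell reg implies.
        base=$(dt_u64 "$res/reg" 0); size=$(dt_u64 "$res/reg" 8)
        { [ "$base" -eq $((0x300000)) ] && [ "$size" -eq $((0x200000)) ]; } ||
            { echo "FAIL: reg base=$base size=$size"; rc=1; }
    else
        echo "FAIL: reg missing"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: OP-TEE settings match"
    return "$rc"
}

# Build a constructed sample tree and .config under directory $1 for an offline run.
make_sample() {
    res="$1/dt/reserved-memory/optee_reserve@300000"
    mkdir -p "$1/dt/firmware/optee" "$res"
    printf 'linaro,optee-tz\000' > "$1/dt/firmware/optee/compatible"
    printf 'smc\000' > "$1/dt/firmware/optee/method"
    : > "$res/no-map"
    printf '\000\000\000\000\000\060\000\000\000\000\000\000\000\040\000\000' > "$res/reg"
    printf 'CONFIG_TEE=y\nCONFIG_OPTEE=y\n' > "$1/config"
}
```

Running make_sample on a scratch directory and then check_optee on its config and dt paths exercises the check without hardware.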

Source files

The source files of OP-TEE are organized within the "optee/" directory at the top level of the project. Below is a breakdown of the main subdirectories:

| Folders | Descriptions |
| --- | --- |
| optee_client/ | This directory houses client libraries, including libteec and libckteec, along with the TEE supplicant. These libraries facilitate communication between non-secure applications and trusted applications running in the TEE. |
| optee_examples/ | Several official examples demonstrating the usage of OP-TEE are located here. These examples serve as reference implementations for developers integrating OP-TEE into their applications. |
| optee_os/ | The Trusted OS (Operating System) component of OP-TEE resides in this directory. It encompasses core components responsible for secure operations, management of trusted applications, and provision of secure services within the TEE environment. |
| optee_build.sh | This script facilitates the building of the OP-TEE image. |
| optee_clean.sh | This script simplifies the cleaning process within the "optee/" directory. |

The “optee_os/core” directory contains the core components of OP-TEE, including the trusted OS (TEE Core), which is responsible for handling secure operations, managing trusted applications, and providing secure services to these applications.

...