Open Portable Trusted Execution Environment, or OP-TEE, is an open-source project that provides a Trusted Execution Environment (TEE) for secure computing on ARM-based processors. A TEE is a secure area within a processor that ensures the confidentiality and integrity of the code and data running inside it. OP-TEE specifically targets ARM TrustZone technology, which is a hardware-based security feature available on ARM Cortex-A processors.
...
Trusted OS is the heart of the OP-TEE, often referred to as the TEE Core. It provides the foundational layer for secure execution of trusted applications and services. It manages the secure world of the system, handling secure bootstrapping, memory isolation, and secure context switching between trusted and non-trusted execution environments. It also provides essential services such as cryptographic operations, secure storage, and secure inter-process communication between trusted applications and other components.
TEE Internal API
OP-TEE defines internal APIs that allow developers to access various TEE functionalities, including cryptographic services, secure storage, and secure communication between trusted applications.
Trusted applications
Trusted applications are designed to execute sensitive or security-critical operations within the TEE. They ensure the confidentiality, integrity, and authenticity of the data and processes they manage. A Dynamic Trusted Application (DTA) is a type of trusted application within the TEE that is loaded and executed dynamically at runtime. Unlike Static Trusted Applications (STAs), which are statically linked into the TEE core image during the build process, DTAs are loaded into memory and executed as needed, allowing for more flexibility and dynamic behavior in the TEE environment.
TEE Internal API
OP-TEE defines internal APIs that allow developers to access various TEE functionalities, including cryptographic services, secure storage, and secure communication between trusted applications.
...
Client applications
Client applications utilize the "TEE Client API" to communicate with trusted applications within OP- TEE, thereby accessing security services provided by these trusted applications.
...
Folders | Descriptions |
optee_client/ | This directory houses client libraries, including libteec and libckteec, along with the TEE supplicant. These libraries facilitate communication between non-secure applications and trusted applications running in the TEE. |
optee_examples/ | Several official examples demonstrating the usage of OP-TEE are located here. These examples serve as reference implementations for developers integrating OP-TEE into their applications. |
optee_os/ | This directory is the top-level directory within the OP-TEE source code repository. It serves as the main container for all source code, configuration files, scripts, and documentation related to OP-TEE. |
optee_build.sh | This script facilitates the building of the OP-TEE image. |
optee_clean.sh | This script simplifies the cleaning process within the "optee/" directory. |
Within the "optee_os/" directory, you would typically find the following:
Folders | Descriptions |
core/ | Contains the core components of OP-TEE, including the trusted OS (TEE Core), which is responsible for handling secure operations, managing trusted applications, and providing secure services to these applications. |
keys/ | Contains cryptographic keys and certificates used for secure operations within the TEE. |
lib/ | Contains libraries and related code used within the TEE. These libraries provide essential functionalities and services to trusted applications running within the TEE. |
scripts/ | Contains various scripts used for development, build automation, testing, and maintenance tasks related to OP-TEE. |
out/arm | This directory is generated during the build process as an output directory where build artifacts, such as compiled binaries, object files, and logs, are stored. |
ta/ | This directory is the location where Trusted Applications (TAs) are stored. Trusted Applications are software components executed within the TEE. These applications run with higher security privileges and can access sensitive resources securely. |
...
sp7350.mk | Makefile of OP-TEE OS of sp7350 platform. |
Within the "core/" directory, further subdivisions include:
Folders | Descriptions |
arch/arm/ | Contains ARM-specific code, such as context switching, exception handling, and low-level initialization. |
arch/arm/plat/sp/ | Contains SP7350-specific code and configurations. This includes code related to bootstrapping, device drivers, and hardware-specific functionalities. |
crypto/ | Contains the implementation of cryptographic algorithms and related functionalities used within the TEE. |
drivers/ | Contains device driver implementations for hardware peripherals and components that interface with the TEE. |
include/ | Contains header files (.h files) that define interfaces, data structures, constants, and function prototypes used by various core components of the TEE. |
kernel/ | This directory contains the core kernel-level components of the TEE. These components are responsible for managing the execution environment, scheduling tasks, handling interrupts, and providing essential operating system functionalities within the TEE. |
lib/ | Contains libraries and related code used within the core components of the TEE. These libraries provide essential functionalities and services to various components running within the TEE. |
mm/ | Contains code related to memory management within the TEE. This includes functionalities for managing memory resources, implementing memory protection mechanisms, and handling memory operations securely. |
pta/ | Contains code related to PTAs (Primary Trusted Applications) within the Trusted Execution Environment (TEE). PTAs are trusted applications that are integral to the functioning of the TEE itself. |
tee/ | Contains the core components of the TEE. These components are responsible for providing a secure execution environment for Trusted Applications (TAs). |
Log of OP-TEE
Log of OP-TEE is redirected to UART0. Refer to log below, OP-TEE (BL32) is initializing.
Line 1: BL21 is initializing BL32 (OP-TEE).
Line 3: Banner (version) is OP-TEE.
Line 4-5: Indicate that the primary CPU (core 0) has completed initialization in secure mode and then switches back to normal world boot.
| Code Block |
|---|
INFO: BL31: Initializing BL32 I/TC: I/TC: OP-TEE version: 150e2ba (gcc version 9.2.1 20191025 (GNU Toolchain for the A-profile Architecture 9.2-2019.12 (arm-9.10))) #1 Sat Jan 13 06:09:33 PM UTC 2024 aarch64 I/TC: Primary CPU initializing I/TC: Primary CPU switching to normal world boot INFO: BL31: Preparing for EL3 exit to normal world |
Within Linux kernel, secondary CPU (core 1, 2, and 3) was initializiing in secure mode.
| Code Block |
|---|