Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

Open Portable Trusted Execution Environment, or OP-TEE, is an open-source project that provides a Trusted Execution Environment (TEE) for secure computing on ARM-based processors. A TEE is a secure area within a processor that ensures the confidentiality and integrity of the code and data running inside it. OP-TEE specifically targets ARM TrustZone technology, which is a hardware-based security feature available on ARM Cortex-A processors.

OP-TEE is widely used in various applications, including mobile devices, Internet of Things (IoT) devices, and other systems where the secure execution of code and protection of sensitive data are critical. As an open-source project, OP-TEE encourages collaboration and contributions from the community to enhance its security features and support a broader range of ARM-based platforms. Refer to:

https://optee.readthedocs.io/en/latest/general/about.html

https://github.com/OP-TEE/

Contents

Key features

  1. Trusted Applications (TAs): OP-TEE allows the development and execution of Trusted Applications, which run in the TEE.

  2. GlobalPlatform TEE Standard: OP-TEE follows the GlobalPlatform TEE standard, providing a standardized interface for communication between the Rich Execution Environment (REE) and the Trusted Execution Environment (TEE).

  3. TEE Core: The TEE Core is the heart of OP-TEE, responsible for managing the TEE and executing trusted applications.

  4. TEE Internal APIs: OP-TEE defines internal APIs that allow developers to access various TEE functionalities, including cryptographic services, secure storage, and secure communication between trusted applications.

  5. TEE Client APIs: For communication between the Rich Execution Environment (REE) and the TEE, OP-TEE provides client APIs. These APIs allow applications running in the REE to securely invoke services provided by Trusted Applications in the TEE.

Software architecture

image-20240218-180719.png

Start-up flow

Theoretically speaking, during the boot process, OP-TEE must be started as early as possible (the execution of the bootloader, for example, U-Boot, prior to OP-TEE will bring a defect and touch sensitive data). In SP7350 software, the OP-TEE, BL31 (TF-A), and U-Boot images are loaded by x-boot from the boot storage. x-boot then hand over the control to BL31. BL31, as a secure monitor, starts OP-TEE and U-Boot.

Linux OP-TEE framework and driver

	reserved-memory {
		:
		/*OP-TEE reserve memory: 0x300000-0x4fffff, total 2M */
		optee_reserve@300000 {
			reg = <0x0 0x300000 0x0 0x200000>;
			no-map;
		};
		:
		:
	};
	:
	firmware {
		optee {
			compatible = "linaro,optee-tz";
			method = "smc";
		};
	};

Source files

Source files of OP-TEE can be found in the "optee/" directory under the project's top directory. Refer to table below for main sub-directories and descriptions.

Folders

Descriptions

optee_client/

optee_examples/

Contains several official examples.

optee_os/

“optee_os/core” directory contains the core components of OP-TEE, including the trusted OS (TEE Core), which is responsible for handling secure operations, managing trusted applications, and providing secure services to these applications.

Folders

Descriptions

arch/arm/

Contains ARM-specific code, such as context switching, exception handling, and low-level initialization.

arch/arm/plat/sp/

Contains SP7350-specific code and configurations. This includes code related to bootstrapping, device drivers, and hardware-specific functionalities.

  • No labels