OP-TEE (3.13.0)

Open Portable Trusted Execution Environment, or OP-TEE, is an open-source project that provides a Trusted Execution Environment (TEE) for secure computing on ARM-based processors. A TEE is a secure area within a processor that ensures the confidentiality and integrity of the code and data running inside it. OP-TEE specifically targets ARM TrustZone technology, which is a hardware-based security feature available on ARM Cortex-A processors.

OP-TEE is widely used in various applications, including mobile devices, Internet of Things (IoT) devices, and other systems where the secure execution of code and protection of sensitive data are critical. As an open-source project, OP-TEE encourages collaboration and contributions from the community to enhance its security features and support a broader range of ARM-based platforms.

For further information, refer to:

OP-TEE Documentation

OP-TEE GitHub Repository

Table of Contents

1 Software Architecture of OP-TEE
- 1.1 Trusted OS (TEE Core)
- 1.2 Trusted Applications (TA)
- 1.3 TEE Internal API
- 1.4 Client Applications (CA)
- 1.5 TEE Client API
- 1.6 Linux TEE Framework
- 1.7 Linux OP-TEE Driver
- 1.8 TEE Msg SMC Calls
2 Implementation of OP-TEE in SP7350 Platform
3 Source Files
4 OP-TEE Log and Explanation

Software Architecture of OP-TEE

The software architecture of OP-TEE can be depicted as follows:

Trusted OS (TEE Core)

Trusted OS is the heart of the OP-TEE, often referred to as the TEE Core. It provides the foundational layer for secure execution of trusted applications and services. It manages the secure world of the system, handling secure bootstrapping, memory isolation, and secure context switching between trusted and non-trusted execution environments. It also provides essential services such as cryptographic operations, secure storage, and secure inter-process communication between trusted applications and other components.

Trusted Applications (TA)

Trusted applications are designed to execute sensitive or security-critical operations within the TEE. They ensure the confidentiality, integrity, and authenticity of the data and processes they manage. A Dynamic Trusted Application (DTA) is a type of trusted application within the TEE that is loaded and executed dynamically at runtime. Unlike Static Trusted Applications (STAs), which are statically linked into the TEE core image during the build process, DTAs are loaded into memory and executed as needed, allowing for more flexibility and dynamic behavior in the TEE environment.

TEE Internal API

OP-TEE defines internal APIs that allow developers to access various TEE functionalities, including cryptographic services, secure storage, and secure communication between trusted applications.

Client Applications (CA)

Client applications utilize the "TEE Client API" to communicate with trusted applications within TEE, thereby accessing security services provided by these trusted applications.

TEE Client API

This layer provides a set of APIs that enable communication between non-secure (normal world) applications and trusted applications running within the TEE. Non-secure applications can use these APIs to securely invoke services provided by trusted applications and access secure resources managed by the TEE Core.

Linux TEE Framework

The Linux TEE (Trusted Execution Environment) framework is a subsystem within the Linux kernel designed to support the integration of TEE into the Linux operating system. The Linux TEE framework enables communication and interaction between the Linux kernel and TEE, facilitating the execution of trusted applications and services within the TEE.

Linux OP-TEE Driver

The Linux OP-TEE driver serves as the interface between the Linux kernel and specific TEE implementations. It provides a standardized interface for communication and interaction with the TEE from the Linux kernel.

TEE Msg SMC Calls

"TEE msg SMC calls" is used for communication between the Normal World (non-secure) and the Secure World (trusted execution environment) in a TEE. When an application or service in the Normal World needs to access secure resources or execute secure operations managed by the Trusted OS (TEE Core), it issues an SMC call. This call triggers an exception that switches the processor from Non-secure mode to Secure mode, allowing the TEE Core to handle the request securely. The TEE Core processes the request, performs the necessary operations in the Secure World, and sends back the result to the Normal World through another SMC call.

Implementation of OP-TEE in SP7350 Platform

Loading and Initialization

During the boot process, OP-TEE must be initiated at the earliest feasible stage to prevent potential security vulnerabilities. In the SP7350 software environment, the x-boot (the first-stage bootloader loads the OP-TEE, BL31 (Trusted Firmware-A), and U-Boot images from the boot storage devices. Subsequently, control is transferred to BL31, acting as a secure monitor, which initiates OP-TEE.

Reserved Memory for OP-TEE

In the SP7350 platform's device tree source (dts), a two-megabyte area starting at memory address 0x300000 is reserved for OP-TEE. Below is a snippet illustrating the reserved memory configuration:

	reserved-memory {
		:
		/*OP-TEE reserve memory: 0x300000-0x4fffff, total 2M */
		optee_reserve@300000 {
			reg = <0x0 0x300000 0x0 0x200000>;
			no-map;
		};
		:
		:
	};

Linux TEE Framework and OP-TEE Driver

To integrate the Linux TEE framework and the OP-TEE driver into the SP7350 platform, the following configurations are required in the device tree source (dts):

	firmware {
		optee {
			compatible = "linaro,optee-tz";
			method = "smc";
		};
	};

This configuration snippet specifies the firmware node, within which the optee subnode is defined. The subnode is configured with compatibility attributes "linaro,optee-tz," indicating compatibility with the OP-TEE trusted zone, and the communication method "smc" (Secure Monitor Call).

Enabling the Linux TEE framework (CONFIG_TEE=y) and the OP-TEE driver (CONFIG_OPTEE=y) in the kernel configuration are essential prerequisites for this configuration to take effect.

Source Files

The source files of OP-TEE are organized within the "optee/" directory at the top level of the project. Below is a breakdown of the main subdirectories:

Folders	Descriptions
optee_client/	This directory houses client libraries, including libteec and libckteec, along with the TEE supplicant. These libraries facilitate communication between non-secure applications and trusted applications running in the TEE.
optee_examples/	Several official examples demonstrating the usage of OP-TEE are located here. These examples serve as reference implementations for developers integrating OP-TEE into their applications.
optee_os/	This directory is the top-level directory within the OP-TEE source code repository. It serves as the main container for all source code, configuration files, scripts, and documentation related to OP-TEE.
optee_build.sh	This script facilitates the building of the OP-TEE image.
optee_clean.sh	This script simplifies the cleaning process within the "optee/" directory.

Within the "optee_os/" directory, you would typically find the following:

Folders	Descriptions
core/	Contains the core components of OP-TEE, including the trusted OS (TEE Core), which is responsible for handling secure operations, managing trusted applications, and providing secure services to these applications.
keys/	Contains cryptographic keys and certificates used for secure operations within the TEE.
lib/	Contains libraries and related code used within the TEE. These libraries provide essential functionalities and services to trusted applications running within the TEE.
scripts/	Contains various scripts used for development, build automation, testing, and maintenance tasks related to OP-TEE.
out/arm	This directory is generated during the build process as an output directory where build artifacts, such as compiled binaries, object files, and logs, are stored.
ta/	This directory is the location where Trusted Applications (TAs) are stored. Trusted Applications are software components executed within the TEE. These applications run with higher security privileges and can access sensitive resources securely.
sp7350.mk	Makefile of OP-TEE OS of sp7350 platform.

Within the "core/" directory, further subdivisions include:

Folders	Descriptions
arch/arm/	Contains ARM-specific code, such as context switching, exception handling, and low-level initialization.
arch/arm/plat/sp/	Contains SP7350-specific code and configurations. This includes code related to bootstrapping, device drivers, and hardware-specific functionalities.
crypto/	Contains the implementation of cryptographic algorithms and related functionalities used within the TEE.
drivers/	Contains device driver implementations for hardware peripherals and components that interface with the TEE.
include/	Contains header files (.h files) that define interfaces, data structures, constants, and function prototypes used by various core components of the TEE.
kernel/	This directory contains the core kernel-level components of the TEE. These components are responsible for managing the execution environment, scheduling tasks, handling interrupts, and providing essential operating system functionalities within the TEE.
lib/	Contains libraries and related code used within the core components of the TEE. These libraries provide essential functionalities and services to various components running within the TEE.
mm/	Contains code related to memory management within the TEE. This includes functionalities for managing memory resources, implementing memory protection mechanisms, and handling memory operations securely.
pta/	Contains code related to PTAs (Primary Trusted Applications) within the Trusted Execution Environment (TEE). PTAs are trusted applications that are integral to the functioning of the TEE itself.
tee/	Contains the core components of the TEE. These components are responsible for providing a secure execution environment for Trusted Applications (TAs).

OP-TEE Log and Explanation

The log of OP-TEE is directed to UART0. The following log details the initialization process of OP-TEE (BL32):

Line 1: BL31 is initializing BL32 (OP-TEE).

Line 3: The banner (version) of OP-TEE.

Line 4-5: Indicate that the primary CPU (core 0) has completed initialization in secure mode and then switches back to normal world boot.

INFO:    BL31: Initializing BL32
I/TC: 
I/TC: OP-TEE version: 150e2ba (gcc version 9.2.1 20191025 (GNU Toolchain for the A-profile Architecture 9.2-2019.12 (arm-9.10))) #1 Sat Jan 13 06:09:33 PM UTC 2024 aarch64
I/TC: Primary CPU initializing
I/TC: Primary CPU switching to normal world boot
INFO:    BL31: Preparing for EL3 exit to normal world

In the Linux kernel, secondary CPUs (core 1, 2, and 3) are initialized in secure mode:

Line 1: smp is brining up secondary CPUs.

Line 2-7: Secondary CPUs, including core 1, 2, and 3, have completed initialization in secure mode and switch to normal world boot.

Line 15: All 4 cores are activated.

Line 19: OP-TEE driver is probing.

Line 20: Indicate that revision of OP-TEE is 3.13.

Line 21: OP-TEE driver has completed initialization.