HKG15-311: OP-TEE for Beginners and Porting Review
19 likes23,358 views
The document presents an overview of OP-TEE, an open-source portable trusted execution environment, focusing on security building blocks, secure boot, and the development of trusted applications. It outlines the porting process for OP-TEE, including the necessary prerequisites, configuration, and compilation steps for different platforms. Additionally, it provides links to resources and examples for creating and running trusted applications on OP-TEE.
![OP-TEE Porting - Memory Configuration
● plat-<myplat>/
core_bootcfg.c
static struct map_area bootcfg_memory_map[] = {
{ /* teecore execution RAM */
.type = MEM_AREA_TEE_RAM,
.pa = CFG_TEE_RAM_START, .size = CFG_TEE_RAM_SIZE,
.cached = true, .secure = true, .rw = true, .exec = true,
},
{ /* teecore TA load/exec RAM - Secure, exec user only! */
.type = MEM_AREA_TA_RAM,
.pa = CFG_TA_RAM_START, .size = CFG_TA_RAM_SIZE,
.cached = true, .secure = true, .rw = true, .exec = false,
},
{ /* teecore public RAM - NonSecure, non-exec. */
.type = MEM_AREA_NSEC_SHM,
.pa = CFG_PUB_RAM_START, .size = SECTION_SIZE,
.cached = true, .secure = false, .rw = true, .exec = false,
},
{ /* Add platform IO devices like UART, GIC, etc. */
.type = MEM_AREA_IO_SEC,
.pa = (GIC_BASE + GICD_OFFSET) & ~SECTION_MASK, .size = SECTION_SIZE,
.device = true, .secure = true, .rw = true,
},
{.type = MEM_AREA_NOTYPE}
};](https://image.slidesharecdn.com/hkg15-311op-teebasicsandportingreview-150219152117-conversion-gate01/85/HKG15-311-OP-TEE-for-Beginners-and-Porting-Review-27-320.jpg)
![OP-TEE Porting - Initial Task Checklist
- [ ] Port ARM-TF with U-Boot/UEFI (as bl33.bin) but without optee_os (bl32.bin)
- [ ] Make platform-specific changes to optee_os
- [ ] Add new platform
- [ ] conf.mk, link.mk, platform_config.h, core_bootcfg.c
- [ ] Add new source files (if required)
- [ ] Platform initialization (if required)
- [ ] Thread handlers (if required)
- [ ] Build optee_os
- [ ] Rebuild ARM-TF with U-Boot/UEFI as bl33.bin and optee_os as bl32.bin
- [ ] Build other required system components (kernel, rootfs, etc.)
- [ ] Test/Verify](https://image.slidesharecdn.com/hkg15-311op-teebasicsandportingreview-150219152117-conversion-gate01/85/HKG15-311-OP-TEE-for-Beginners-and-Porting-Review-32-320.jpg)
HKG15-311: OP-TEE for Beginners and Porting Review
- 1. Presented by Date HKG15-311:OP-TEE Basics and Porting Review Victor Chong 2015-2-9
- 2. Objectives ● Security Building Blocks ● Secure Boot ● Introduction to Trusted Applications ● OP-TEE Porting
- 3. OP-TEE ● Open-source Portable TEE ● Sponsored by ST ● GlobalPlatform (GP) compatible ● Compatible with ARM-TF ● Complete system
- 4. Security Building Blocks ● TrustZone-enabled chipset (Hardware) ● ARM Trusted Firmware aka ARM-TF (Firmware) ● Boot Services ● Run-time Services ● OP-TEE (OS) ● Client library (libteec.so) ● Driver (optee.ko) ● Trusted OS ● Client Applications ● OP-TEE Clients (Normal World) ● Trusted Applications (Secure World)
- 7. Secure Boot ● Prevent unauthorized executables from booting by verifying image signatures ● Divided into stages ● Start with trusted source (ROM boot code) @ stage/level 1 ● Root of Trust ● Every subsequent image (stage/level) to be loaded is verified first by the one before it ● Chain of Trust
- 8. Secure Boot
- 9. Introduction to Trusted Applications A Trusted Application typically consists of two parts ● Linux user space, client implementation ● Secure world Trusted Application (TA)
- 10. Introduction to Trusted Applications
- 11. Introduction to Trusted Applications Typical normal world program flow based on GP Client API ● TEEC_InitializeContext ● Connect to the OP-TEE Linux driver ● TEEC_OpenSession ● Loads the TA ● TEEC_InvokeCommand ● Control TA functions ● TEEC_CloseSession ● TEEC_FinalizeContext
- 12. Hello World Example root@host:/ hello_world TEEC_InitializeContext TEEC_OpenSession TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE) TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE) ==> 100+1 = 101 TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD) TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD) done … TEEC_CloseSession TEEC_FinalizeContex
- 13. Introduction to Trusted Applications ● GP Client API ● Not too flexible ● Somewhat limited in functionality ● GP Functional API forthcoming ● High level APIs, e.g. encrypt/decrypt ● Secure side TAs not required
- 14. Introduction to Trusted Applications ● Details http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted- applications-on-optee ● Hello world example available at http://github.com/jenswi-linaro/lcu14_optee_hello_world ● GlobalPlatform http://www.globalplatform.org/
- 15. OP-TEE Porting Prerequisites ● ARM-TF ported for ARMv8 https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/porting-guide.md References ● Detailed design document https://github.com/OP-TEE/optee_os/blob/master/documentation/optee_design.md
- 16. OP-TEE Trusted OS Linux Android OP-TEE Porting - Main Blocks TEE Driver TEE Client Client Application Client Application TEE Core TEE functions (crypto/mm) TEE Internal API Trusted Application Trusted Application TrustZone based chipset crypto timer efuse HAL TEE Client API SMC porting
- 17. OP-TEE Porting - Affected Gits ● OP-TEE Trusted OS (optee_os) - Add new platform support (plat-<myplat>) ● OP-TEE Linux kernel driver (optee_linuxdriver) - No changes needed. - Built as module (optee.ko) by default and included in rootfs. ● OP-TEE Normal World user space (optee_client) - No changes needed. - Built as library (libteec.so) and included in rootfs.
- 18. OP-TEE Porting - Getting started ● Get OP-TEE source code http://github.com/OP-TEE ● Get the toolchain http://releases.linaro.org/14.09/components/toolchain/binaries/gcc-linaro-arm- linux-gnueabihf-4.9-2014.09_linux.tar.xz
- 19. OP-TEE Porting - How to build ● Add toolchain path export PATH=$PATH:path-to-toolchain-bin ● Define CROSS_PREFIX macro export CROSS_PREFIX=arm-linux-gnueabihf ● Choose target platform export PLATFORM=<myplat> (e.g. vexpress) ● Choose target flavor export PLATFORM_FLAVOR=<myflav> (e.g. juno) ● Build OP-TEE make (produces tee.bin)
- 20. OP-TEE Porting - Partition Map BL2/BL3-1/BL3-2 fip.bin (includes bl2.bin, bl31.bin, tee.bin, u-boot.bin/uefi) BL1 bl1.bin kernel Image rootfs Example partition map based on Allwinner A80 board
- 21. ● Clone from an existing platform E.g. core/arch/arm32/plat-vexpress → core/arch/arm32/plat-<myplat> OP-TEE Porting - Creating a New Platform ├── conf.mk ├── link.mk ├── sub.mk ├── .. ├── core_bootcfg.c └── platform_config.h ├── conf.mk ├── link.mk ├── sub.mk ├── .. ├── core_bootcfg.c └── platform_config.h
- 22. OP-TEE Porting - Compiler & Linker options ● Compiler options: conf.mk ● Linker options: link.mk CROSS_PREFIX ?= arm-linux-gnueabihf CROSS_COMPILE ?= $(CROSS_PREFIX)- PLATFORM_FLAVOR ?= <myflav> platform-cpuarch = cortex-a57 #default is cortex-a15 platform-cflags += .. link-out-dir = $(out-dir)/core/ link-script = $(platform-dir)/kern.ld.S link-ldflags = $(LDFLAGS)
- 23. OP-TEE Porting - Platform Configurations ● Platform-specific definitions: platform_config.h #define STACK_TMP_SIZE 1024 #define STACK_ABT_SIZE 1024 #define STACK_THREAD_SIZE 8192 .. #define DRAM0_BASE 0x80000000 #define DRAM0_SIZE 0x7F000000 /* Location of trusted dram */ #define TZDRAM_BASE 0xFF000000 #define TZDRAM_SIZE 0x00E00000 .. #define CFG_TEE_CORE_NB_CORE 6 .. #define TEE_RAM_START (TZDRAM_BASE) #define TEE_RAM_SIZE 0x0010000 #define CFG_SHMEM_START (DRAM0_BASE + DRAM0_SIZE - CFG_SHMEM_SIZE) #define CFG_SHMEM_SIZE 0x100000
- 24. OP-TEE Porting - Platform Configurations ● platform_config.h also includes definitions for ● GIC base ● UART
- 25. OP-TEE Porting - Adding Source Files ● Source files list: sub.mk srcs-y += file1.c srcs-y += file2.c … subdirs-y += dir1 subdirs-y += dir2
- 26. OP-TEE Porting - Memory Map
- 27. OP-TEE Porting - Memory Configuration ● plat-<myplat>/ core_bootcfg.c static struct map_area bootcfg_memory_map[] = { { /* teecore execution RAM */ .type = MEM_AREA_TEE_RAM, .pa = CFG_TEE_RAM_START, .size = CFG_TEE_RAM_SIZE, .cached = true, .secure = true, .rw = true, .exec = true, }, { /* teecore TA load/exec RAM - Secure, exec user only! */ .type = MEM_AREA_TA_RAM, .pa = CFG_TA_RAM_START, .size = CFG_TA_RAM_SIZE, .cached = true, .secure = true, .rw = true, .exec = false, }, { /* teecore public RAM - NonSecure, non-exec. */ .type = MEM_AREA_NSEC_SHM, .pa = CFG_PUB_RAM_START, .size = SECTION_SIZE, .cached = true, .secure = false, .rw = true, .exec = false, }, { /* Add platform IO devices like UART, GIC, etc. */ .type = MEM_AREA_IO_SEC, .pa = (GIC_BASE + GICD_OFFSET) & ~SECTION_MASK, .size = SECTION_SIZE, .device = true, .secure = true, .rw = true, }, {.type = MEM_AREA_NOTYPE} };
- 28. OP-TEE Porting - Platform Initialization (_start) (kern.ld.S) 1. _start (entry.S) a. CPU basic init (v7 only) b. Cache/MMU init c. BSS init (v7 only) d. Jump to main_init 2. main_init (main.c) a. Init UART, canaries, GIC b. Clear BSS (v8 only) c. Init monitor (v7 only) d. Init thread stacks e. Register handlers (stdcall/fiq/svc/abort) f. Init core g. Return to non-secure entry
- 29. OP-TEE Porting - Running and Debug (_start) (kern.ld.S) 4. sm_smc_entry (v7 only) (sm_asm.S) a. Save caller world context b. Restore world context c. Update SCR bits (NS/FIQ) 5. Thread handle (thread_asm.S, thread.c) a. Check if fiq handle request b. Thread allocate c. Thread context restore 6. main_tee_entry (main.c) 7. tee_entry (entry.c)
- 30. OP-TEE Porting - Test/Verify ● Build normal world program and corresponding TA ● Copy both to rootfs ● Run normal world program ● Details http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run- trusted-applications-on-optee ● Hello world example available at http://github.com/jenswi-linaro/lcu14_optee_hello_world
- 31. OP-TEE Porting - Sample Test Log root@Vexpress:/ modprobe optee misc teetz: no TZ l2cc mutex service supported misc teetz: outer cache shared mutex disabled root@Vexpress:/ tee-supplicant& root@Vexpress:/ hello_world Invoking TA to increment 42 TA incremented value to 43 root@Vexpress:/
- 32. OP-TEE Porting - Initial Task Checklist - [ ] Port ARM-TF with U-Boot/UEFI (as bl33.bin) but without optee_os (bl32.bin) - [ ] Make platform-specific changes to optee_os - [ ] Add new platform - [ ] conf.mk, link.mk, platform_config.h, core_bootcfg.c - [ ] Add new source files (if required) - [ ] Platform initialization (if required) - [ ] Thread handlers (if required) - [ ] Build optee_os - [ ] Rebuild ARM-TF with U-Boot/UEFI as bl33.bin and optee_os as bl32.bin - [ ] Build other required system components (kernel, rootfs, etc.) - [ ] Test/Verify
- 33. OP-TEE documentation ● OP-TEE OS Documents https://github.com/OP-TEE/optee_os/tree/master/documentation ● OP-TEE Wiki FAQ https://wiki.linaro.org/WorkingGroups/Security/OP-TEE
- 34. Thank You!