SlideShare a Scribd company logo

Lcu14 306 - OP-TEE Future Enhancements

Linaro, profile picture
Linaro

The document outlines future enhancements for OP-TEE, focusing on improvements in cryptographic services, secure storage, and memory management. Key enhancements include defining an API for implementing various cryptographic algorithms, ensuring secure storage encryption by default, and enabling multiple Trusted Applications (TAs) to run in parallel. Additionally, it discusses the aim to support power state coordination interface (PSCI) and integrate address space layout randomization (ASLR) to enhance security.

Software
1 of 12
Downloaded 167 times
1
2
3
Most read
4
5
Most read
6
7
8
9
Most read
10
11
12
LCU14-306: OP-TEE Future Enhancements Joakim Bech, Jens Wiklander and Pascal Brand, LCU14 LCU14 BURLINGAME
Cryptographic Layer in OP-TEE ● Aim and problem ● Interaction between TA and Cryptographic Services ● Does not define how the services are implemented / data structures ● Current Status ● LibTomCrypt is the cryptographic library in OP-TEE ● End user may want to switch to ... - OpenSSL - Using ARMv8-A cryptographic extensions - Dedicated cryptographic IP ● Enhancement ● Define a low level API to easily switch from one implementation to another one.
GlobalPlatform Internal Core API 1.1 ● Current Status ● Internal API 1.0 is supported ● Enhancement ● Add support for GP Internal API 1.1 released in June 2014 ● Main updates are: - Elliptic Curve Digital Signature Algorithm (ECDSA) - Elliptic Curve Cryptography Cofactor Diffie-Hellman (ECDH) - Some errata with new error cause - Few deprecated features (object)
Secure Storage ● Current Status ● File storage is implemented (using a daemon running normal world) ● Data isn’t encrypted by default ● No persistent storage ● Enhancement ● Making Secure Storage … more secure ● Enable encryption by default ● Key provisioning ● Streaming to be taken into account ● Replay Protected Memory Block (RPMB) support Secure World Trusted Application Normal World TEE supplicant Linux kernel Trusted OS Secure monitor RPMB
Secure Time ● Aim and problem ● GlobalPlatform TEE Internal API defines support of the Clock ● Secure clock will be needed in DRM use cases ● Secure IP usage is specific to a given platform ● Current Status ● Only based on REE using RPC NOT Secure! ● Enhancement ● Enable clocks from both REE and Secure IP ● Create a Time API to access the Secure IP ● Fulfill TEE Internal API 1.1 requirements of maximum 15% deviation from real time
Reduce Memory Footprint ● Aim and problem ● Memory footprint of the Trusted OS part is critical ● OP-TEE enables all GlobalPlatform features by default ● Enhancement ● Make it possible to select functionality at compile time ● All cryptographic algorithms are probably not needed … ● Some functionality may not be needed (Big Number arithmetic, ...)
Multiple TA Support ● Aim ● Enable multiple TA functions to be called at the same time ● Current Status ● Threading model of the Trusted OS is ready, but not activated ● Enhancement ● Will enable multiple-TA’s running in parallel
Paging ● Aim ● Trusted OS may run on embedded memory which is small ● Enhancement ● Paging the Trusted OS would solve memory constraint ● some parts would never be paged out (mmu management,...) ● some parts could be paged in DDR (secured or encrypted)
PSCI - Power State Coordination Interface ● Aim ● Make OP-TEE aware of PSCI functions. ● Current Status ● OP-TEE aware of: CPU_ON, CPU_OFF, CPU_SUSPEND and CPU_RESUME (as stubbed functions) ● ARM-Trusted-Firmware handles ● Implemented: PSCI_VERSION, AFFINITY_INFO ● Not implemented: MIGRATE, MIGRATE_INFO_TYPE, MIGRATE_INFO_UP_CPU, SYSTEM_OFF and SYSTEM_RESET
ASLR - Address Space Layout Randomization ● Aim and problem ● Already exists in normal world (user space and kernel) ● To avoid attack like return-to-libc-attack for example ● Make it random enough! ● Enhancement ● This feature could be part of Trusted OS ● Current limitations ● We use pre-defined virtual addresses ● Trusted Applications are currently statically linked
Other Potential Enhancements ● GlobalPlatform Trusted UI 1.1 ● API to display content and capture input in a secure manner. ● User-mode TEE ● For early Trusted Applications development and debug ● Avoid the need for having a full TrustZone platform ● Support for OP-TEE in QEMU ● Virtualization team have patches enabling TrustZone functionality
More about Linaro Connect: connect.linaro.org Linaro members: www.linaro.org/members More about Linaro: www.linaro.org/about/

More Related Content

PDF
LCU14 302- How to port OP-TEE to another platform
Linaro
 
PDF
Lcu14 107- op-tee on ar mv8
Linaro
 
PDF
HKG15-311: OP-TEE for Beginners and Porting Review
Linaro
 
PDF
LCU14-103: How to create and run Trusted Applications on OP-TEE
Linaro
 
PDF
LCA14: LCA14-502: The way to a generic TrustZone® solution
Linaro
 
PDF
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
Linaro
 
PDF
TEE - kernel support is now upstream. What this means for open source security
Linaro
 
PDF
LCA14: LCA14-418: Testing a secure framework
Linaro
 
LCU14 302- How to port OP-TEE to another platform
Linaro
 
Lcu14 107- op-tee on ar mv8
Linaro
 
HKG15-311: OP-TEE for Beginners and Porting Review
Linaro
 
LCU14-103: How to create and run Trusted Applications on OP-TEE
Linaro
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
Linaro
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
Linaro
 
TEE - kernel support is now upstream. What this means for open source security
Linaro
 
LCA14: LCA14-418: Testing a secure framework
Linaro
 

What's hot (20)

PDF
HKG18-402 - Build secure key management services in OP-TEE
Linaro
 
PDF
SFO15-200: Linux kernel generic TEE driver
Linaro
 
PDF
Secure storage updates - SFO17-309
Linaro
 
PDF
SFO15-503: Secure storage in OP-TEE
Linaro
 
PDF
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
96Boards
 
ODP
Introduction to Optee (26 may 2016)
Yannick Gicquel
 
PDF
LCU13: An Introduction to ARM Trusted Firmware
Linaro
 
PDF
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
PDF
LCU14 500 ARM Trusted Firmware
Linaro
 
PDF
Trusted firmware deep_dive_v1.0_
Linaro
 
PDF
BUD17-400: Secure Data Path with OPTEE
Linaro
 
PDF
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
Linaro
 
PDF
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
Linaro
 
TXT
OPTEE on QEMU - Build Tutorial
Dalton Valadares
 
PDF
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
Linaro
 
PDF
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
Linaro
 
PDF
Embedded Linux Kernel - Build your custom kernel
Emertxe Information Technologies Pvt Ltd
 
PDF
ACPI Debugging from Linux Kernel
SUSE Labs Taipei
 
PDF
HKG18-203 - Overview of Linaro DRM
Linaro
 
PPTX
RISC-V Boot Process: One Step at a Time
Atish Patra
 
HKG18-402 - Build secure key management services in OP-TEE
Linaro
 
SFO15-200: Linux kernel generic TEE driver
Linaro
 
Secure storage updates - SFO17-309
Linaro
 
SFO15-503: Secure storage in OP-TEE
Linaro
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
96Boards
 
Introduction to Optee (26 may 2016)
Yannick Gicquel
 
LCU13: An Introduction to ARM Trusted Firmware
Linaro
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
LCU14 500 ARM Trusted Firmware
Linaro
 
Trusted firmware deep_dive_v1.0_
Linaro
 
BUD17-400: Secure Data Path with OPTEE
Linaro
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
Linaro
 
BKK16-201 Play Ready OPTEE Integration with Secure Video Path lhg-1
Linaro
 
OPTEE on QEMU - Build Tutorial
Dalton Valadares
 
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
Linaro
 
SFO15-205: OP-TEE Content Decryption with Microsoft PlayReady on ARM
Linaro
 
Embedded Linux Kernel - Build your custom kernel
Emertxe Information Technologies Pvt Ltd
 
ACPI Debugging from Linux Kernel
SUSE Labs Taipei
 
HKG18-203 - Overview of Linaro DRM
Linaro
 
RISC-V Boot Process: One Step at a Time
Atish Patra
 
Ad

Similar to Lcu14 306 - OP-TEE Future Enhancements (20)

PDF
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
satyabratmallaBujarb
 
PDF
RISC-V-Day-Tokyo2018-suzaki
Kuniyasu Suzaki
 
PDF
Feasibility of Security in Micro-Controllers
ardiri
 
PDF
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
Linaro
 
PDF
Resilient IoT Security: The end of flat security models
Milosch Meriac
 
PDF
Performance of State-of-the-Art Cryptography on ARM-based Microprocessors
Hannes Tschofenig
 
PDF
HKG18-212 - Trusted Firmware M: Introduction
Linaro
 
PPTX
HKG18-223 - Trusted FirmwareM: Trusted boot
Linaro
 
PDF
Introduction of AArch64 TrustZone and OPTEE
Chiawei Wang
 
PDF
Securing the Internet of Things - Hank Chavers
WithTheBest
 
PDF
BUD17-510: Power management in Linux together with secure firmware
Linaro
 
PDF
BKK16-200 Designing Security into low cost IO T Systems
Linaro
 
PDF
optee~--10299019iui74978429962974902774.pdf
satyabratmallaBujarb
 
PDF
Android 5.0 Lollipop platform change investigation report
hidenorly
 
PDF
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
Linaro
 
PDF
ARM Architecture and Meltdown/Spectre
GlobalLogic Ukraine
 
PDF
DYNAMIC ROOT OF TRUST AND CHALLENGES
ijsptm
 
PDF
HKG15-100: What is Linaro working on - core development lightning talks
Linaro
 
PDF
HKG15-104: What is Linaro working on - core development lightning talks
Linaro
 
PPTX
Crypto Performance on ARM Cortex-M Processors
Hannes Tschofenig
 
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
satyabratmallaBujarb
 
RISC-V-Day-Tokyo2018-suzaki
Kuniyasu Suzaki
 
Feasibility of Security in Micro-Controllers
ardiri
 
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
Linaro
 
Resilient IoT Security: The end of flat security models
Milosch Meriac
 
Performance of State-of-the-Art Cryptography on ARM-based Microprocessors
Hannes Tschofenig
 
HKG18-212 - Trusted Firmware M: Introduction
Linaro
 
HKG18-223 - Trusted FirmwareM: Trusted boot
Linaro
 
Introduction of AArch64 TrustZone and OPTEE
Chiawei Wang
 
Securing the Internet of Things - Hank Chavers
WithTheBest
 
BUD17-510: Power management in Linux together with secure firmware
Linaro
 
BKK16-200 Designing Security into low cost IO T Systems
Linaro
 
optee~--10299019iui74978429962974902774.pdf
satyabratmallaBujarb
 
Android 5.0 Lollipop platform change investigation report
hidenorly
 
HKG15-505: Power Management interactions with OP-TEE and Trusted Firmware
Linaro
 
ARM Architecture and Meltdown/Spectre
GlobalLogic Ukraine
 
DYNAMIC ROOT OF TRUST AND CHALLENGES
ijsptm
 
HKG15-100: What is Linaro working on - core development lightning talks
Linaro
 
HKG15-104: What is Linaro working on - core development lightning talks
Linaro
 
Crypto Performance on ARM Cortex-M Processors
Hannes Tschofenig
 
Ad

More from Linaro (20)

PDF
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
Linaro
 
PDF
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
Linaro
 
PDF
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
Linaro
 
PDF
Bud17 113: distribution ci using qemu and open qa
Linaro
 
PDF
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
Linaro
 
PDF
HPC network stack on ARM - Linaro HPC Workshop 2018
Linaro
 
PDF
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
Linaro
 
PDF
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
Linaro
 
PDF
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
Linaro
 
PDF
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
Linaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
PDF
HKG18-100K1 - George Grey: Opening Keynote
Linaro
 
PDF
HKG18-318 - OpenAMP Workshop
Linaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
PDF
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
Linaro
 
PDF
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
Linaro
 
PDF
HKG18-TR08 - Upstreaming SVE in QEMU
Linaro
 
PDF
HKG18-113- Secure Data Path work with i.MX8M
Linaro
 
PPTX
HKG18-120 - Devicetree Schema Documentation and Validation
Linaro
 
PDF
HKG18-500K1 - Keynote: Dileep Bhandarkar - Emerging Computing Trends in the D...
Linaro
 
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
Linaro
 
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
Linaro
 
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
Linaro
 
Bud17 113: distribution ci using qemu and open qa
Linaro
 
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
Linaro
 
HPC network stack on ARM - Linaro HPC Workshop 2018
Linaro
 
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
Linaro
 
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
Linaro
 
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
Linaro
 
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
Linaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
HKG18-100K1 - George Grey: Opening Keynote
Linaro
 
HKG18-318 - OpenAMP Workshop
Linaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
Linaro
 
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
Linaro
 
HKG18-TR08 - Upstreaming SVE in QEMU
Linaro
 
HKG18-113- Secure Data Path work with i.MX8M
Linaro
 
HKG18-120 - Devicetree Schema Documentation and Validation
Linaro
 
HKG18-500K1 - Keynote: Dileep Bhandarkar - Emerging Computing Trends in the D...
Linaro
 

Recently uploaded (20)

PDF
Summary Of Odoo 18.1 to 18.4 : The Way For Odoo 19
CandidRoot Solutions Private Limited
 
PPTX
Presentation about variables and constant.pptx
kr2589474
 
PDF
49785682629390197565_LRN3014_Migrating_the_Beast.pdf
Abilash868456
 
PPTX
ASSIGNMENT_1[1][1][1][1][1] (1) variables.pptx
kr2589474
 
PDF
Using licensed Data Loss Prevention (DLP) as a strategic proactive data secur...
Q-Advise
 
PDF
ChatPharo: an Open Architecture for Understanding How to Talk Live to LLMs
ESUG
 
PPTX
slidesgo-unlocking-the-code-the-dynamic-dance-of-variables-and-constants-2024...
kr2589474
 
PPTX
The-Dawn-of-AI-Reshaping-Our-World.pptxx
parthbhanushali307
 
PDF
Applitools Platform Pulse: What's New and What's Coming - July 2025
Applitools
 
PPTX
Odoo Integration Services by Candidroot Solutions
CandidRoot Solutions Private Limited
 
PDF
Protecting the Digital World Cyber Securit
dnthakkar16
 
PDF
An Experience-Based Look at AI Lead Generation Pricing, Features & B2B Results
Thomas albart
 
PPTX
Contractor Management Platform and Software Solution for Compliance
SHEQ Network Limited
 
PPTX
Explanation about Structures in C language.pptx
Veeral Rathod
 
PDF
10 posting ideas for community engagement with AI prompts
Pankaj Taneja
 
PDF
vAdobe Premiere Pro 2025 (v25.2.3.004) Crack Pre-Activated Latest
imang66g
 
PDF
Generating Union types w/ Static Analysis
K. Matthew Dupree
 
PPTX
ConcordeApp: Engineering Global Impact & Unlocking Billions in Event ROI with AI
chastechaste14
 
PPT
Activate_Methodology_Summary presentatio
annapureddyn
 
PDF
Download iTop VPN Free 6.1.0.5882 Crack Full Activated Pre Latest 2025
imang66g
 
Summary Of Odoo 18.1 to 18.4 : The Way For Odoo 19
CandidRoot Solutions Private Limited
 
Presentation about variables and constant.pptx
kr2589474
 
49785682629390197565_LRN3014_Migrating_the_Beast.pdf
Abilash868456
 
ASSIGNMENT_1[1][1][1][1][1] (1) variables.pptx
kr2589474
 
Using licensed Data Loss Prevention (DLP) as a strategic proactive data secur...
Q-Advise
 
ChatPharo: an Open Architecture for Understanding How to Talk Live to LLMs
ESUG
 
slidesgo-unlocking-the-code-the-dynamic-dance-of-variables-and-constants-2024...
kr2589474
 
The-Dawn-of-AI-Reshaping-Our-World.pptxx
parthbhanushali307
 
Applitools Platform Pulse: What's New and What's Coming - July 2025
Applitools
 
Odoo Integration Services by Candidroot Solutions
CandidRoot Solutions Private Limited
 
Protecting the Digital World Cyber Securit
dnthakkar16
 
An Experience-Based Look at AI Lead Generation Pricing, Features & B2B Results
Thomas albart
 
Contractor Management Platform and Software Solution for Compliance
SHEQ Network Limited
 
Explanation about Structures in C language.pptx
Veeral Rathod
 
10 posting ideas for community engagement with AI prompts
Pankaj Taneja
 
vAdobe Premiere Pro 2025 (v25.2.3.004) Crack Pre-Activated Latest
imang66g
 
Generating Union types w/ Static Analysis
K. Matthew Dupree
 
ConcordeApp: Engineering Global Impact & Unlocking Billions in Event ROI with AI
chastechaste14
 
Activate_Methodology_Summary presentatio
annapureddyn
 
Download iTop VPN Free 6.1.0.5882 Crack Full Activated Pre Latest 2025
imang66g
 

Lcu14 306 - OP-TEE Future Enhancements

  • 1. LCU14-306: OP-TEE Future Enhancements Joakim Bech, Jens Wiklander and Pascal Brand, LCU14 LCU14 BURLINGAME
  • 2. Cryptographic Layer in OP-TEE ● Aim and problem ● Interaction between TA and Cryptographic Services ● Does not define how the services are implemented / data structures ● Current Status ● LibTomCrypt is the cryptographic library in OP-TEE ● End user may want to switch to ... - OpenSSL - Using ARMv8-A cryptographic extensions - Dedicated cryptographic IP ● Enhancement ● Define a low level API to easily switch from one implementation to another one.
  • 3. GlobalPlatform Internal Core API 1.1 ● Current Status ● Internal API 1.0 is supported ● Enhancement ● Add support for GP Internal API 1.1 released in June 2014 ● Main updates are: - Elliptic Curve Digital Signature Algorithm (ECDSA) - Elliptic Curve Cryptography Cofactor Diffie-Hellman (ECDH) - Some errata with new error cause - Few deprecated features (object)
  • 4. Secure Storage ● Current Status ● File storage is implemented (using a daemon running normal world) ● Data isn’t encrypted by default ● No persistent storage ● Enhancement ● Making Secure Storage … more secure ● Enable encryption by default ● Key provisioning ● Streaming to be taken into account ● Replay Protected Memory Block (RPMB) support Secure World Trusted Application Normal World TEE supplicant Linux kernel Trusted OS Secure monitor RPMB
  • 5. Secure Time ● Aim and problem ● GlobalPlatform TEE Internal API defines support of the Clock ● Secure clock will be needed in DRM use cases ● Secure IP usage is specific to a given platform ● Current Status ● Only based on REE using RPC NOT Secure! ● Enhancement ● Enable clocks from both REE and Secure IP ● Create a Time API to access the Secure IP ● Fulfill TEE Internal API 1.1 requirements of maximum 15% deviation from real time
  • 6. Reduce Memory Footprint ● Aim and problem ● Memory footprint of the Trusted OS part is critical ● OP-TEE enables all GlobalPlatform features by default ● Enhancement ● Make it possible to select functionality at compile time ● All cryptographic algorithms are probably not needed … ● Some functionality may not be needed (Big Number arithmetic, ...)
  • 7. Multiple TA Support ● Aim ● Enable multiple TA functions to be called at the same time ● Current Status ● Threading model of the Trusted OS is ready, but not activated ● Enhancement ● Will enable multiple-TA’s running in parallel
  • 8. Paging ● Aim ● Trusted OS may run on embedded memory which is small ● Enhancement ● Paging the Trusted OS would solve memory constraint ● some parts would never be paged out (mmu management,...) ● some parts could be paged in DDR (secured or encrypted)
  • 9. PSCI - Power State Coordination Interface ● Aim ● Make OP-TEE aware of PSCI functions. ● Current Status ● OP-TEE aware of: CPU_ON, CPU_OFF, CPU_SUSPEND and CPU_RESUME (as stubbed functions) ● ARM-Trusted-Firmware handles ● Implemented: PSCI_VERSION, AFFINITY_INFO ● Not implemented: MIGRATE, MIGRATE_INFO_TYPE, MIGRATE_INFO_UP_CPU, SYSTEM_OFF and SYSTEM_RESET
  • 10. ASLR - Address Space Layout Randomization ● Aim and problem ● Already exists in normal world (user space and kernel) ● To avoid attack like return-to-libc-attack for example ● Make it random enough! ● Enhancement ● This feature could be part of Trusted OS ● Current limitations ● We use pre-defined virtual addresses ● Trusted Applications are currently statically linked
  • 11. Other Potential Enhancements ● GlobalPlatform Trusted UI 1.1 ● API to display content and capture input in a secure manner. ● User-mode TEE ● For early Trusted Applications development and debug ● Avoid the need for having a full TrustZone platform ● Support for OP-TEE in QEMU ● Virtualization team have patches enabling TrustZone functionality
  • 12. More about Linaro Connect: connect.linaro.org Linaro members: www.linaro.org/members More about Linaro: www.linaro.org/about/