Presented by

Date

HKG15-311:OP-TEE Basics and Porting Review

Victor Chong

2015-2-9

Objectives

● Security Building Blocks● Secure Boot● Introduction to Trusted Applications● OP-TEE Porting

OP-TEE

● Open-source Portable TEE● Sponsored by ST● GlobalPlatform (GP) compatible● Compatible with ARM-TF● Complete system

Security Building Blocks● TrustZone-enabled chipset (Hardware)● ARM Trusted Firmware aka ARM-TF (Firmware)

● Boot Services● Run-time Services

● OP-TEE (OS)● Client library (libteec.so)● Driver (optee.ko)● Trusted OS

● Client Applications● OP-TEE Clients (Normal World)● Trusted Applications (Secure World)

Security Building Blocks

Security Building Blocks

Secure Boot● Prevent unauthorized executables from booting by verifying image

signatures● Divided into stages● Start with trusted source (ROM boot code) @ stage/level 1

● Root of Trust● Every subsequent image (stage/level) to be loaded is verified first

by the one before it● Chain of Trust

Secure Boot

Introduction to Trusted ApplicationsA Trusted Application typically consists of two parts

● Linux user space, client implementation● Secure world Trusted Application (TA)

Introduction to Trusted Applications

Introduction to Trusted ApplicationsTypical normal world program flow based on GP Client API● TEEC_InitializeContext

● Connect to the OP-TEE Linux driver● TEEC_OpenSession

● Loads the TA● TEEC_InvokeCommand

● Control TA functions● TEEC_CloseSession● TEEC_FinalizeContext

Hello World Exampleroot@host:/ hello_world

TEEC_InitializeContext

TEEC_OpenSession

TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE)

TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE) ==> 100+1 = 101

TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD)

TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD) done

…

TEEC_CloseSession

TEEC_FinalizeContex

Introduction to Trusted Applications● GP Client API

● Not too flexible● Somewhat limited in functionality

● GP Functional API forthcoming● High level APIs, e.g. encrypt/decrypt● Secure side TAs not required

Introduction to Trusted Applications● Details

http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted-applications-on-optee

● Hello world example available athttp://github.com/jenswi-linaro/lcu14_optee_hello_world

● GlobalPlatformhttp://www.globalplatform.org/

OP-TEE PortingPrerequisites● ARM-TF ported for ARMv8

https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/porting-guide.md

References● Detailed design document

https://github.com/OP-TEE/optee_os/blob/master/documentation/optee_design.md

OP-TEE Trusted OS

Linux

Android

OP-TEE Porting - Main Blocks

TEE Driver

TEE Client

Client Application

Client Application

TEE Core TEE functions(crypto/mm)

TEE Internal API

Trusted Application

Trusted Application

TrustZone based chipset crypto timer efuse

HAL

TEE Client API

SMC

porting

OP-TEE Porting - Affected Gits

● OP-TEE Trusted OS (optee_os)- Add new platform support (plat-<myplat>)

● OP-TEE Linux kernel driver (optee_linuxdriver)- No changes needed.

- Built as module (optee.ko) by default and included in rootfs.

● OP-TEE Normal World user space (optee_client)- No changes needed.

- Built as library (libteec.so) and included in rootfs.

OP-TEE Porting - Getting started

● Get OP-TEE source codehttp://github.com/OP-TEE

● Get the toolchainhttp://releases.linaro.org/14.09/components/toolchain/binaries/gcc-linaro-arm-linux-gnueabihf-4.9-2014.09_linux.tar.xz

OP-TEE Porting - How to build

● Add toolchain path export PATH=$PATH:path-to-toolchain-bin

● Define CROSS_PREFIX macro export CROSS_PREFIX=arm-linux-gnueabihf

● Choose target platform export PLATFORM=<myplat> (e.g. vexpress)

● Choose target flavor export PLATFORM_FLAVOR=<myflav> (e.g. juno)

● Build OP-TEE make (produces tee.bin)

OP-TEE Porting - Partition Map

BL2/BL3-1/BL3-2fip.bin (includes bl2.bin, bl31.bin,

tee.bin, u-boot.bin/uefi)

BL1bl1.bin

kernel Image

rootfs

Example partition map based on Allwinner A80 board

● Clone from an existing platformE.g. core/arch/arm32/plat-vexpress → core/arch/arm32/plat-<myplat>

OP-TEE Porting - Creating a New Platform

├── conf.mk├── link.mk├── sub.mk├── ..├── core_bootcfg.c└── platform_config.h

├── conf.mk├── link.mk├── sub.mk├── ..├── core_bootcfg.c└── platform_config.h

OP-TEE Porting - Compiler & Linker options

● Compiler options: conf.mk

● Linker options: link.mk

CROSS_PREFIX ?= arm-linux-gnueabihfCROSS_COMPILE ?= $(CROSS_PREFIX)-PLATFORM_FLAVOR ?= <myflav>platform-cpuarch = cortex-a57 #default is cortex-a15platform-cflags += ..

link-out-dir = $(out-dir)/core/link-script = $(platform-dir)/kern.ld.Slink-ldflags = $(LDFLAGS)

OP-TEE Porting - Platform Configurations● Platform-specific definitions: platform_config.h

#define STACK_TMP_SIZE 1024#define STACK_ABT_SIZE 1024#define STACK_THREAD_SIZE 8192..#define DRAM0_BASE 0x80000000#define DRAM0_SIZE 0x7F000000

/* Location of trusted dram */#define TZDRAM_BASE 0xFF000000#define TZDRAM_SIZE 0x00E00000..#define CFG_TEE_CORE_NB_CORE 6..#define TEE_RAM_START (TZDRAM_BASE)#define TEE_RAM_SIZE 0x0010000

#define CFG_SHMEM_START (DRAM0_BASE + DRAM0_SIZE - CFG_SHMEM_SIZE)#define CFG_SHMEM_SIZE 0x100000

OP-TEE Porting - Platform Configurations

● platform_config.h also includes definitions for● GIC base

● UART

OP-TEE Porting - Adding Source Files ● Source files list: sub.mk

srcs-y += file1.csrcs-y += file2.c…subdirs-y += dir1subdirs-y += dir2

OP-TEE Porting - Memory Map

PUB_RAMNon-Secure

OP-TEE Porting - Memory Configuration● plat-<myplat>/\

core_bootcfg.c

static struct map_area bootcfg_memory_map[] = { { /* teecore execution RAM */ .type = MEM_AREA_TEE_RAM, .pa = CFG_TEE_RAM_START, .size = CFG_TEE_RAM_SIZE, .cached = true, .secure = true, .rw = true, .exec = true, },

{ /* teecore TA load/exec RAM - Secure, exec user only! */ .type = MEM_AREA_TA_RAM, .pa = CFG_TA_RAM_START, .size = CFG_TA_RAM_SIZE, .cached = true, .secure = true, .rw = true, .exec = false, },

{ /* teecore public RAM - NonSecure, non-exec. */ .type = MEM_AREA_NSEC_SHM, .pa = CFG_PUB_RAM_START, .size = SECTION_SIZE, .cached = true, .secure = false, .rw = true, .exec = false, },

{ /* Add platform IO devices like UART, GIC, etc. */ .type = MEM_AREA_IO_SEC, .pa = (GIC_BASE + GICD_OFFSET) & ~SECTION_MASK, .size = SECTION_SIZE, .device = true, .secure = true, .rw = true, },

{.type = MEM_AREA_NOTYPE}};

OP-TEE Porting - Platform Initialization

(_start) (kern.ld.S)

1. _start (entry.S)a. CPU basic init (v7 only)b. Cache/MMU initc. BSS init (v7 only)d. Jump to main_init

2. main_init (main.c)a. Init UART, canaries, GICb. Clear BSS (v8 only)c. Init monitor (v7 only)d. Init thread stackse. Register handlers

(stdcall/fiq/svc/abort)f. Init core

g. Return to non-secure entry

OP-TEE Porting - Running and Debug

(_start) (kern.ld.S)

4. sm_smc_entry (v7 only)(sm_asm.S)a. Save caller world contextb. Restore world contextc. Update SCR bits (NS/FIQ)

5. Thread handle (thread_asm.S,thread.c)a. Check if fiq handle requestb. Thread allocatec. Thread context restore

6. main_tee_entry (main.c)

7. tee_entry (entry.c)

OP-TEE Porting - Test/Verify● Build normal world program and corresponding TA● Copy both to rootfs● Run normal world program

● Detailshttp://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted-applications-on-optee

● Hello world example available athttp://github.com/jenswi-linaro/lcu14_optee_hello_world

OP-TEE Porting - Sample Test Logroot@Vexpress:/ modprobe optee

misc teetz: no TZ l2cc mutex service supported

misc teetz: outer cache shared mutex disabled

root@Vexpress:/ tee-supplicant&

root@Vexpress:/ hello_world

Invoking TA to increment 42

TA incremented value to 43

root@Vexpress:/

OP-TEE Porting - Initial Task Checklist- [ ] Port ARM-TF with U-Boot/UEFI (as bl33.bin) but without optee_os (bl32.bin)- [ ] Make platform-specific changes to optee_os - [ ] Add new platform - [ ] conf.mk, link.mk, platform_config.h, core_bootcfg.c - [ ] Add new source files (if required) - [ ] Platform initialization (if required) - [ ] Thread handlers (if required)- [ ] Build optee_os- [ ] Rebuild ARM-TF with U-Boot/UEFI as bl33.bin and optee_os as bl32.bin- [ ] Build other required system components (kernel, rootfs, etc.)- [ ] Test/Verify

OP-TEE documentation● OP-TEE OS Documents

https://github.com/OP-TEE/optee_os/tree/master/documentation

● OP-TEE Wiki FAQ https://wiki.linaro.org/WorkingGroups/Security/OP-TEE

Thank You!