Presented by
Date
HKG15-311:OP-TEE Basics and Porting Review
Victor Chong
2015-2-9
Objectives
● Security Building Blocks● Secure Boot● Introduction to Trusted Applications● OP-TEE Porting
OP-TEE
● Open-source Portable TEE● Sponsored by ST● GlobalPlatform (GP) compatible● Compatible with ARM-TF● Complete system
Security Building Blocks● TrustZone-enabled chipset (Hardware)● ARM Trusted Firmware aka ARM-TF (Firmware)
● Boot Services● Run-time Services
● OP-TEE (OS)● Client library (libteec.so)● Driver (optee.ko)● Trusted OS
● Client Applications● OP-TEE Clients (Normal World)● Trusted Applications (Secure World)
Security Building Blocks
Security Building Blocks
Secure Boot● Prevent unauthorized executables from booting by verifying image
signatures● Divided into stages● Start with trusted source (ROM boot code) @ stage/level 1
● Root of Trust● Every subsequent image (stage/level) to be loaded is verified first
by the one before it● Chain of Trust
Secure Boot
Introduction to Trusted ApplicationsA Trusted Application typically consists of two parts
● Linux user space, client implementation● Secure world Trusted Application (TA)
Introduction to Trusted Applications
Introduction to Trusted ApplicationsTypical normal world program flow based on GP Client API● TEEC_InitializeContext
● Connect to the OP-TEE Linux driver● TEEC_OpenSession
● Loads the TA● TEEC_InvokeCommand
● Control TA functions● TEEC_CloseSession● TEEC_FinalizeContext
Hello World Exampleroot@host:/ hello_world
TEEC_InitializeContext
TEEC_OpenSession
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE)
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_INCVALUE) ==> 100+1 = 101
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD)
TEEC_InvokeCommand(TA_HELLO_WORLD_CMD_PRINT_HELLO_WORLD) done
…
TEEC_CloseSession
TEEC_FinalizeContex
Introduction to Trusted Applications● GP Client API
● Not too flexible● Somewhat limited in functionality
● GP Functional API forthcoming● High level APIs, e.g. encrypt/decrypt● Secure side TAs not required
Introduction to Trusted Applications● Details
http://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted-applications-on-optee
● Hello world example available athttp://github.com/jenswi-linaro/lcu14_optee_hello_world
● GlobalPlatformhttp://www.globalplatform.org/
OP-TEE PortingPrerequisites● ARM-TF ported for ARMv8
https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/porting-guide.md
References● Detailed design document
https://github.com/OP-TEE/optee_os/blob/master/documentation/optee_design.md
OP-TEE Trusted OS
Linux
Android
OP-TEE Porting - Main Blocks
TEE Driver
TEE Client
Client Application
Client Application
TEE Core TEE functions(crypto/mm)
TEE Internal API
Trusted Application
Trusted Application
TrustZone based chipset crypto timer efuse
HAL
TEE Client API
SMC
porting
OP-TEE Porting - Affected Gits
● OP-TEE Trusted OS (optee_os)- Add new platform support (plat-<myplat>)
● OP-TEE Linux kernel driver (optee_linuxdriver)- No changes needed.
- Built as module (optee.ko) by default and included in rootfs.
● OP-TEE Normal World user space (optee_client)- No changes needed.
- Built as library (libteec.so) and included in rootfs.
OP-TEE Porting - Getting started
● Get OP-TEE source codehttp://github.com/OP-TEE
● Get the toolchainhttp://releases.linaro.org/14.09/components/toolchain/binaries/gcc-linaro-arm-linux-gnueabihf-4.9-2014.09_linux.tar.xz
OP-TEE Porting - How to build
● Add toolchain path export PATH=$PATH:path-to-toolchain-bin
● Define CROSS_PREFIX macro export CROSS_PREFIX=arm-linux-gnueabihf
● Choose target platform export PLATFORM=<myplat> (e.g. vexpress)
● Choose target flavor export PLATFORM_FLAVOR=<myflav> (e.g. juno)
● Build OP-TEE make (produces tee.bin)
OP-TEE Porting - Partition Map
BL2/BL3-1/BL3-2fip.bin (includes bl2.bin, bl31.bin,
tee.bin, u-boot.bin/uefi)
BL1bl1.bin
kernel Image
rootfs
Example partition map based on Allwinner A80 board
● Clone from an existing platformE.g. core/arch/arm32/plat-vexpress → core/arch/arm32/plat-<myplat>
OP-TEE Porting - Creating a New Platform
├── conf.mk├── link.mk├── sub.mk├── ..├── core_bootcfg.c└── platform_config.h
├── conf.mk├── link.mk├── sub.mk├── ..├── core_bootcfg.c└── platform_config.h
OP-TEE Porting - Compiler & Linker options
● Compiler options: conf.mk
● Linker options: link.mk
CROSS_PREFIX ?= arm-linux-gnueabihfCROSS_COMPILE ?= $(CROSS_PREFIX)-PLATFORM_FLAVOR ?= <myflav>platform-cpuarch = cortex-a57 #default is cortex-a15platform-cflags += ..
link-out-dir = $(out-dir)/core/link-script = $(platform-dir)/kern.ld.Slink-ldflags = $(LDFLAGS)
OP-TEE Porting - Platform Configurations● Platform-specific definitions: platform_config.h
#define STACK_TMP_SIZE 1024#define STACK_ABT_SIZE 1024#define STACK_THREAD_SIZE 8192..#define DRAM0_BASE 0x80000000#define DRAM0_SIZE 0x7F000000
/* Location of trusted dram */#define TZDRAM_BASE 0xFF000000#define TZDRAM_SIZE 0x00E00000..#define CFG_TEE_CORE_NB_CORE 6..#define TEE_RAM_START (TZDRAM_BASE)#define TEE_RAM_SIZE 0x0010000
#define CFG_SHMEM_START (DRAM0_BASE + DRAM0_SIZE - CFG_SHMEM_SIZE)#define CFG_SHMEM_SIZE 0x100000
OP-TEE Porting - Platform Configurations
● platform_config.h also includes definitions for● GIC base
● UART
OP-TEE Porting - Adding Source Files ● Source files list: sub.mk
srcs-y += file1.csrcs-y += file2.c…subdirs-y += dir1subdirs-y += dir2
OP-TEE Porting - Memory Map
PUB_RAMNon-Secure
OP-TEE Porting - Memory Configuration● plat-<myplat>/\
core_bootcfg.c
static struct map_area bootcfg_memory_map[] = { { /* teecore execution RAM */ .type = MEM_AREA_TEE_RAM, .pa = CFG_TEE_RAM_START, .size = CFG_TEE_RAM_SIZE, .cached = true, .secure = true, .rw = true, .exec = true, },
{ /* teecore TA load/exec RAM - Secure, exec user only! */ .type = MEM_AREA_TA_RAM, .pa = CFG_TA_RAM_START, .size = CFG_TA_RAM_SIZE, .cached = true, .secure = true, .rw = true, .exec = false, },
{ /* teecore public RAM - NonSecure, non-exec. */ .type = MEM_AREA_NSEC_SHM, .pa = CFG_PUB_RAM_START, .size = SECTION_SIZE, .cached = true, .secure = false, .rw = true, .exec = false, },
{ /* Add platform IO devices like UART, GIC, etc. */ .type = MEM_AREA_IO_SEC, .pa = (GIC_BASE + GICD_OFFSET) & ~SECTION_MASK, .size = SECTION_SIZE, .device = true, .secure = true, .rw = true, },
{.type = MEM_AREA_NOTYPE}};
OP-TEE Porting - Platform Initialization
(_start) (kern.ld.S)
1. _start (entry.S)a. CPU basic init (v7 only)b. Cache/MMU initc. BSS init (v7 only)d. Jump to main_init
2. main_init (main.c)a. Init UART, canaries, GICb. Clear BSS (v8 only)c. Init monitor (v7 only)d. Init thread stackse. Register handlers
(stdcall/fiq/svc/abort)f. Init core
g. Return to non-secure entry
OP-TEE Porting - Running and Debug
(_start) (kern.ld.S)
4. sm_smc_entry (v7 only)(sm_asm.S)a. Save caller world contextb. Restore world contextc. Update SCR bits (NS/FIQ)
5. Thread handle (thread_asm.S,thread.c)a. Check if fiq handle requestb. Thread allocatec. Thread context restore
6. main_tee_entry (main.c)
7. tee_entry (entry.c)
OP-TEE Porting - Test/Verify● Build normal world program and corresponding TA● Copy both to rootfs● Run normal world program
● Detailshttp://www.slideshare.net/linaroorg/lcu14103-how-to-create-and-run-trusted-applications-on-optee
● Hello world example available athttp://github.com/jenswi-linaro/lcu14_optee_hello_world
OP-TEE Porting - Sample Test Logroot@Vexpress:/ modprobe optee
misc teetz: no TZ l2cc mutex service supported
misc teetz: outer cache shared mutex disabled
root@Vexpress:/ tee-supplicant&
root@Vexpress:/ hello_world
Invoking TA to increment 42
TA incremented value to 43
root@Vexpress:/
OP-TEE Porting - Initial Task Checklist- [ ] Port ARM-TF with U-Boot/UEFI (as bl33.bin) but without optee_os (bl32.bin)- [ ] Make platform-specific changes to optee_os - [ ] Add new platform - [ ] conf.mk, link.mk, platform_config.h, core_bootcfg.c - [ ] Add new source files (if required) - [ ] Platform initialization (if required) - [ ] Thread handlers (if required)- [ ] Build optee_os- [ ] Rebuild ARM-TF with U-Boot/UEFI as bl33.bin and optee_os as bl32.bin- [ ] Build other required system components (kernel, rootfs, etc.)- [ ] Test/Verify
OP-TEE documentation● OP-TEE OS Documents
https://github.com/OP-TEE/optee_os/tree/master/documentation
● OP-TEE Wiki FAQ https://wiki.linaro.org/WorkingGroups/Security/OP-TEE
Thank You!