
LCU14-103: How to create and run Trusted Applications on OP-TEE

Date post: 18-Nov-2014
Upload: linaro
Description:
LCU14-103: How to create and run Trusted Applications on OP-TEE

Speaker: Joakim Bech
Date: September 15, 2014

Coresight is the name given to a set of IP blocks providing hardware assisted tracing for ARM based SoCs. This presentation will give an introduction to the technology, how it works and offer a glimpse of the capabilities it offers. More specifically we will go over the components that are part of the architecture and how they are used. Next will be presented the framework Linaro is working on in an effort to provide consolidation and standardization of interfaces to the coresight subsystem. We will conclude with a status of our current upstreaming efforts and how we see the coming months unfolding.

★ Resources ★
Zerista: http://lcu14.zerista.com/event/member/137703
Google Event: https://plus.google.com/u/0/events/cvb85kqv10dsc4k3e0hcvbr6i58
Presentation: http://www.slideshare.net/linaroorg/lcu14-101-coresight-overview
Video: https://www.youtube.com/watch?v=IQhbM55F23U&list=UUIVqQKxCyQLJS6xvSmfndLA
Etherpad: http://pad.linaro.org/p/lcu14-101

★ Event Details ★
Linaro Connect USA - #LCU14
September 15-19th, 2014
Hyatt Regency San Francisco Airport
Transcript
Page 1: LCU14-103: How to create and run Trusted Applications on OP-TEE

LCU14 BURLINGAME

Joakim Bech, LCU14

LCU14-103: How to create and run Trusted Applications on OP-TEE

Page 2: OP-TEE Overview

OP-TEE is an Open Source TEE and is the result of collaboration work between STMicroelectronics and Linaro (Security Working Group).

It contains the complete stack: the normal world client APIs (optee_client), the Linux kernel TEE driver (optee_linuxdriver), and the Trusted OS together with the secure monitor (optee_os).

Page 3: Hello world

The “hello world” example consists of two parts
● Linux user space, client implementation
● Secure world Trusted Application (TA), passive receiver
● Based on GlobalPlatform APIs

Page 4: Initialize context

    /* Initialize a context connecting us to the TEE */
    res = TEEC_InitializeContext(NULL, &ctx);
    if (res != TEEC_SUCCESS)
        errx(1, "TEEC_InitializeContext failed with code 0x%x", res);

Page 5: Initialize context

The call to TEEC_InitializeContext() enters the “TEE Driver” before returning.

Page 6: Open session

    /*
     * Open a session to the "hello world" TA, the TA will print "hello
     * world!" in the log when the session is created.
     */
    res = TEEC_OpenSession(&ctx, &sess, &uuid,
                           TEEC_LOGIN_PUBLIC, NULL, NULL, &err_origin);
    if (res != TEEC_SUCCESS)
        errx(1, "TEEC_Opensession failed with code 0x%x origin 0x%x", res, err_origin);

Page 7: Open session

● The TEEC_OpenSession() call enters “TEE Core” via “TEE Driver”
● “TEE Core” loads the TA binary with help of the Linux user space daemon tee-supplicant
● “TEE Core” copies the TA into secure RAM and calls TA_OpenSessionEntryPoint()
● Session is returned back to hello_world in user space

Page 8: Invoke command

    memset(&op, 0, sizeof(op));
    op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_NONE, TEEC_NONE, TEEC_NONE);
    op.params[0].value.a = 42;

    printf("Invoking TA to increment %d\n", op.params[0].value.a);
    res = TEEC_InvokeCommand(&sess, TA_HELLO_WORLD_CMD_INC_VALUE, &op, &err_origin);
    if (res != TEEC_SUCCESS)
        errx(1, "TEEC_InvokeCommand failed with code 0x%x origin 0x%x", res, err_origin);
    printf("TA incremented value to %d\n", op.params[0].value.a);

Page 9: Invoke command

● The TEEC_InvokeCommand() call enters “TEE Core” via “TEE Driver”
● “TEE Core” calls TA_InvokeCommandEntryPoint()
● Result is returned back to hello_world in user space

Page 10: Close session and finalize context

    /*
     * We're done with the TA, close the session and
     * destroy the context.
     *
     * The TA will print "Goodbye!" in the log when the
     * session is closed.
     */
    TEEC_CloseSession(&sess);
    TEEC_FinalizeContext(&ctx);

Page 11: Close session and finalize context

● The TEEC_CloseSession() call enters “TEE Core” via “TEE Driver”
● “TEE Core” calls TA_CloseSessionEntryPoint()
● Control is returned back to hello_world in user space
● The TEEC_FinalizeContext() call enters “TEE Driver”, which cleans up any remaining resources
● Control is returned back to hello_world in user space

Page 12: Create a Trusted Application

● As reference, have a look at the Hello World Trusted Application (*)
● Define UUIDs and function IDs (ta/include/ta_hello_world.h)
● Implement the functions in ta/hello_world_ta.c
● Create/call this new TA from user space in Linux (host/hello_world.c)
● Build/clone and export the needed tools/flags
    ● optee_os for the Trusted Application development kit (TA_DEV_KIT_DIR)
    ● optee_client for the public TEE Client API interfaces and libraries (TEEC_EXPORT)
    ● Host and TA toolchain

(*) See the last slide about links to the source code
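The secure world half of the increment command that the client invokes on slide 8, written here as an added example rather than taken from the hello world project: the command ID value and the locally defined GlobalPlatform constants and types are assumptions so that the block compiles on a host, and the point it makes is that a TA checks the parameter types the normal world handed it before reading any parameter.

```c
/*
 * Added example, not the deck's own code: a host-compilable model of the
 * hello world TA command handler (ta/hello_world_ta.c on slide 12). A real
 * TA includes <tee_internal_api.h>; the definitions below are local copies
 * of the GlobalPlatform constants so the block builds stand-alone.
 */
#include <stdint.h>

typedef uint32_t TEE_Result;
#define TEE_SUCCESS                0x00000000
#define TEE_ERROR_BAD_PARAMETERS   0xFFFF0006
#define TEE_ERROR_NOT_SUPPORTED    0xFFFF000A
#define TEE_PARAM_TYPE_NONE        0
#define TEE_PARAM_TYPE_VALUE_INOUT 3
#define TEE_PARAM_TYPES(t0, t1, t2, t3) \
    ((t0) | ((t1) << 4) | ((t2) << 8) | ((t3) << 12))

/* The real TEE_Param union also carries memref; only value is needed here. */
typedef struct { uint32_t a; uint32_t b; } TEE_Value;
typedef union { TEE_Value value; } TEE_Param;

/* Command ID from ta/include/ta_hello_world.h; the numeric value is assumed. */
#define TA_HELLO_WORLD_CMD_INC_VALUE 0

static TEE_Result inc_value(uint32_t param_types, TEE_Param params[4])
{
    /* Never trust the normal world caller: require exactly the parameter
     * layout this command was written for before touching params[0]. */
    uint32_t exp = TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INOUT,
                                   TEE_PARAM_TYPE_NONE,
                                   TEE_PARAM_TYPE_NONE,
                                   TEE_PARAM_TYPE_NONE);
    if (param_types != exp)
        return TEE_ERROR_BAD_PARAMETERS;
    params[0].value.a++;   /* the client's 42 comes back as 43 */
    return TEE_SUCCESS;
}

/* TEE Core calls this for each TEEC_InvokeCommand() on an open session. */
TEE_Result TA_InvokeCommandEntryPoint(void *sess_ctx, uint32_t cmd_id,
                                      uint32_t param_types, TEE_Param params[4])
{
    (void)sess_ctx;
    switch (cmd_id) {
    case TA_HELLO_WORLD_CMD_INC_VALUE:
        return inc_value(param_types, params);
    default:
        return TEE_ERROR_NOT_SUPPORTED;
    }
}
```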

Page 13: build_helloworld.sh

    #!/bin/bash
    export PATH=$HOME/fvp_optee/toolchains/aarch64/bin:$PATH
    export PATH=$HOME/fvp_optee/toolchains/aarch32/bin:$PATH
    export TA_DEV_KIT_DIR=$HOME/fvp_optee/optee_os/out-os-fvp/export-user_ta
    export TEEC_EXPORT=$HOME/fvp_optee/optee_client/out-client-aarch64/export

    cd $HOME/fvp_optee/lcu14_optee_hello_world
    make O=./out-client-aarch64 \
        HOST_CROSS_COMPILE=aarch64-linux-gnu- \
        TA_CROSS_COMPILE=arm-linux-gnueabihf- \
        "$@"

Page 14: Demo Time - Hello World TA

● Trusted Application binaries should be stored in /lib/teetz (put there via adb, a mounted filesystem, gen_init_cpio, ...)
● Run FVP
● Load the optee Linux kernel driver: modprobe optee
● Run the daemon serving secure world with, amongst other things, filesystem access: tee-supplicant &
● Run the client application: hello_world

Page 15: Questions?

Page 16: Source code

● Hello world example available at http://github.com/jenswi-linaro/lcu14_optee_hello_world
● OP-TEE source available at http://github.com/OP-TEE
● ARM-TF source available at https://github.com/ARM-software/arm-trusted-firmware
● If the OP-TEE dispatcher is not merged yet it can be found in pull request https://github.com/ARM-software/arm-trusted-firmware/pull/188

Page 17: More about Linaro

More about Linaro Connect: connect.linaro.org
Linaro members: www.linaro.org/members
More about Linaro: www.linaro.org/about/

