LCU14 BURLINGAME
Joakim Bech, LCU14
LCU14-103: How to create and run Trusted Applications on OP-TEE
OP-TEE is an Open Source TEE and is the result of collaboration work between STMicroelectronics and Linaro (Security Working Group).
It contains the complete stack from normal world client API's (optee_client), the Linux kernel TEE driver (optee_linuxdriver) and the Trusted OS and the secure monitor (optee_os).
OP-TEE Overview
The “hello world” example consists of two parts● Linux user space, client implementation
● Secure world Trusted Application (TA), passive receiver
● Based on GlobalPlatform APIs
Hello world
/* Initialize a context connecting us to the TEE */
res = TEEC_InitializeContext(NULL, &ctx);
if (res != TEEC_SUCCESS)
errx(1, "TEEC_InitializeContext failed with code 0x%x", res);
Initialize context
The call to: TEEC_InitializeContext()
enters “TEE Driver” before returning
Initialize context
/*
* Open a session to the "hello world" TA, the TA will print "hello
* world!" in the log when the session is created.
*/
res = TEEC_OpenSession(&ctx, &sess, &uuid,
TEEC_LOGIN_PUBLIC, NULL, NULL, &err_origin);
if (res != TEEC_SUCCESS)
errx(1, "TEEC_Opensession failed with code 0x%x origin 0x%x", res, err_origin);
Open session
Open session● The TEEC_OpenSession()
call enters “TEE Core” via “TEE Driver”
● “TEE Core” loads the TA binary withhelp of the Linux user space daemontee-supplicant
● “TEE Core” copies the TA into secure RAM and callsTA_OpenSessionEntryPoint()
● Session is returned back to hello_world in user space
memset(&op, 0, sizeof(op));op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_NONE, TEEC_NONE, TEEC_NONE);
op.params[0].value.a = 42;
printf("Invoking TA to increment %d\n", op.params[0].value.a);res = TEEC_InvokeCommand(&sess, TA_HELLO_WORLD_CMD_INC_VALUE, &op, &err_origin);
if (res != TEEC_SUCCESS) errx(1, "TEEC_InvokeCommand failed with code 0x%x origin 0x%x", res, err_origin);
printf("TA incremented value to %d\n", op.params[0].value.a);
Invoke command
Invoke command● The TEEC_InvokeCommand() call
enters “TEE Core” via “TEE Driver”
● “TEE Core” callsTA_InvokeCommandEntryPoint()
● Result is returned back to hello_world in user space
/* * We're done with the TA, close the session and * destroy the context. * * The TA will print "Goodbye!" in the log when the * session is closed. */
TEEC_CloseSession(&sess);
TEEC_FinalizeContext(&ctx);
Close session and finalize context
Close session and finalize context● The TEEC_CloseSession()
call enters “TEE Core” via “TEE Driver
● “TEE Core” calls TA_CloseSessionEntryPoint()
● Control is returned back to hello_world in user space
● The TEEC_FinalizeContext() call enters “TEE Driver” which cleans eventual remaining resources
● Control is returned back to hello_world in user space
● As reference, have a look at the Hello World Trusted Application (*)
● Define UUIDs and function IDs (ta/include/ta_hello_world.h )
● Implement the functions in (ta/hello_world_ta.c )
● Create/call this new TA from user space in Linux (host/hello_world.c )
● Build/clone and export the needed tools/flags● optee_os for the so Trusted Application development kit (TA_DEV_KIT_DIR )● optee_client for the public TEE Client API interfaces and libraries (TEEC_EXPORT )● Host and TA toolchain
(*) See the last slide about links to the source code
Create a Trusted Application
#!/bin/bash
export PATH=$HOME/fvp_optee/toolchains/aarch64/bin:$PATH
export PATH=$HOME/fvp_optee/toolchains/aarch32/bin:$PATH
export TA_DEV_KIT_DIR=$HOME/fvp_optee/optee_os/out-os-fvp/export-user_ta
export TEEC_EXPORT=$HOME/fvp_optee/optee_client/out-client-aarch64/export
cd $HOME/fvp_optee/lcu14_optee_hello_world
make O=./out-client-aarch64 \
HOST_CROSS_COMPILE=aarch64-linux-gnu- \
TA_CROSS_COMPILE=arm-linux-gnueabihf- \
$@
build_helloworld.sh
● Trusted Application binaries should be stored on (adb, mount fs, gen_init_cpio ...) /lib/teetz
● Run FVP
● Load optee Linux kernel drivermodprobe optee
● Run the daemon serving secure world with amongst others, filesystem access. tee-supplicant &
● Run the client application hello_world
Demo Time - Hello World TA
Questions?
● Hello world example available at http://github.com/jenswi-linaro/lcu14_optee_hello_world
● OP-TEE source available at http://github.com/OP-TEE
● ARM-TF source available at https://github.com/ARM-software/arm-trusted-firmware
● If the OP-TEE dispatcher is not merged yet it can be found in pull request https://github.com/ARM-software/arm-trusted-firmware/pull/188
Source code
More about Linaro Connect: connect.linaro.org Linaro members: www.linaro.org/membersMore about Linaro: www.linaro.org/about/