OP-TEE Using TrustZone to Protect Our Own Secrets · 2017. 10. 22. · OP-TEE in detail The OP-TEE consists of three parts Normal World, User Mode TEE client library tee-supplicant

Slide 1 - http://www.pengutronix.de - 2017-10-23

OP-TEEUsing TrustZone to Protect Our Own Secrets

ELC Europe 2017, 23.10.2017

Marc Kleine-Budde <[email protected]>

ROM-Code

Bootloader

OP-TEE

Root File System

Kernel


Overview

● ARM architecture overview

● ARM TrustZone

● Trusted Execution Environment

● Open Portable Trusted Execution Environment


What is a TEE?

● Trusted Execution Environment● small OS-like environment● isolated from normal operating system (e.g. Linux) “rich OS”

● Allows Applications to execute, process, protect and store sensitive data

● Rich OS is often target of malware and attackers

● Design applications so that sensitive functionscan be offloaded to the TEE as Trusted Applications.

● API standardized by GlobalPlatform● TEE internal APIs for Trusted Application● communication interfaces between

rich OS Applications and Trusted Applications


What is a TEE? (cont'd)

SE

TEE

Rich OS

SE

TEE

SE

RichOS

Security

Functionality


ARM architecture

usr

AppAppApp

svc

OS

ARM SoC


ARM architecture with TrustZone

usr

AppAppApp

svc

OS

ARM SoC

Non-Secure world

usr (secure state)

AppAppTrusted App

svc (secure state)

Trusted OS

Secure world

mon (secure state)

SecureMonitor


ARM TrustZone in detail

Source: http://genode.org/documentation/articles/trustzone


ARM TrustZone in detail (cont'd)

●

●

http://genode.org/documentation/articles/trustzone


What is OP-TEE?

● Started as closed source implementation by somemobile, telco and chip vendors

● Since 2015 Open Source (BSD license),owned and maintained by Linaro

● In 2017 the TEE driver went mainline with v4.12

● Small and simple TEE

● Relies on rich OS to schedule TEE

● Based on ARM TrustZone to provide isolation ofthe TEE from the rich OS in hardware

● Runs on ~20 platforms● 32 bit: ARMv7-A● 64 bit: ARMv8-A


OP-TEE in detail

● The OP-TEE consists of three parts

● Normal World, User Mode● TEE client library● tee-supplicant

● Normal World, Priviledged Mode● Linux kernel TEE subsystem● Linux kernel TEE device driver

● Secure world, Priviledged Mode● Trusted OS (optee_os)


OP-TEE architecture

usr

Native App

svc

ARM SoC

Non-Secure world

mon (secure state)

SecureMonitor

GlobalPlatformTEE Client API

TEESupplicant

Wrapper API(optional)

TEE Driver

Storage...

usr (secure state)

AppAppTrusted App

svc (secure state)

TEE core

Secure world

TEE functions/libs(crypto...)

HAL

GlobalPlatformTEE internal API

optee_client

optee_os

optee_linuxdriver

Source: https://www.linaro.org/blog/core-dump/op-tee-open-source-security-mass-market/


Boot LoaderSoC

ROM-Code

Fuses

Boot Loader

Pubkey

Signature

Pubkey

https://www.linaro.org/blog/core-dump/op-tee-open-source-security-mass-market/


Demo Time!


What's Missing?

● Protection of Directories● Prevents to move, delete and create files● There are already patches "directory integrity protection"

● Mainlining● Offline image creation via mkfs.ext4 and ima-evm-utils● blob drivers for imx6 crypto engine (CAAM)● blob drivers for mx25 crypto engine

● Support for other SoCs:● MX53● Other Vendors (Dokumentation?)


Best Practices / Lessons Learned

● Development Keys in BSP

● Access t0 Production Keys via pkcs#11

● Some packages in two configuration variants (Development/Production):● bootloader● Kernel/InitRAMFS

● Regularly turn on more security features during integration

● Once activated, debugging (field returns) becomes a pain

● UBIFS with IMA/EVM doesn't like sudden power cuts


Q & A

@marckleinebudde

Documents

OP-TEE Using TrustZone to Protect Our Own Secrets · 2017. 10. 22. · OP-TEE in detail The OP-TEE consists of three parts Normal World, User Mode TEE client library tee-supplicant