TEE Study (1): OP-TEE
OP-TEE
CONCEPT
- OP-TEE (open source project Trusted Execution Environment): the OS and applications in the REE cannot access resources inside the TEE directly; they can only obtain a result through the interfaces the TEE provides.
- main design goals:
  - isolation: provide isolation between REE and TEE; protect TAs from each other,
  - small footprint: the TEE should be small enough to reside in a reasonable amount of memory,
  - portability: the TEE aims to be loadable on different architectures and hardware, and to support various setups (multiple client OSes, multiple TEEs).
COMPONENT
component | feature |
---|---|
A secure privileged layer | Arm secure PL-1 (v7-A) or EL-1 (v8-A) level |
A set of secure user space libraries | for the needs of TAs |
A Linux kernel TEE framework and driver | |
A Linux user space library | based on the GP TEE Client API specifications |
A Linux user space supplicant daemon | for remote services expected by the TEE OS |
A test suite | for regression testing and for testing the consistency of the API implementations |
An example git | containing a couple of simple host and TA examples |
Build scripts and debugging tools | ease integration and the development of Trusted Applications and secure services |
QEMU
An emulator that can simulate virtual machines and embedded development boards (supporting ARM, MIPS, RISC-V and other architectures). Here OP-TEE is run using QEMU for Armv8-A.
Without hardware virtualization support, what QEMU essentially does is binary translation. For example, when QEMU is used on an Ubuntu (x86) system to emulate an ARM64 processor, the ARM64 programs of the guest OS cannot run on the x86 architecture directly; QEMU translates the guest code instructions into TCG (Tiny Code Generator) intermediate code, which is finally translated into instructions supported by the host architecture.
RUNNING OP-TEE on QEMU v8
ENVIRONMENT
software/OS | version |
---|---|
VMware Workstation | 16.2.1 |
Ubuntu | 20.04 |
OPERATION
- download the necessary tools and libraries:

```shell
sudo apt-get install android-tools-fastboot autoconf bison cscope curl flex gdisk libc6:i386 libfdt-dev libglib2.0-dev libpixman-1-dev libstdc++6:i386 libz1:i386 netcat python-crypto uuid-dev xz-utils zlib1g-dev
```

- install repo:

```shell
mkdir -p ~/bin
wget https://storage.googleapis.com/git-repo-downloads/repo -P ~/bin/   # use a mirror if the download is slow
chmod a+x ~/bin/repo
export PATH=~/bin:$PATH
```

- download the source code of OP-TEE:

```shell
repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml   # git may need a proxy configured
# With these you will get a setup containing all the necessary software components to run OP-TEE on the chosen device.
repo sync
cd build
make toolchains   # the cross-compiler download URL in the .mk file has moved and needs to be updated
make run          # install any dependencies reported missing during the build
```

- successfully run OP-TEE:
ANALYZE HELLO_WORLD
hello_world folder
ta folder
- Makefile: a make file that sets some configuration variables and includes the TA-devkit (the TA development kit) make file.
  - TA_DEV_KIT_DIR: base directory of the TA-devkit.
  - BINARY: BINARY shall provide the TA filename used to load the TA. The built and signed TA binary file will be named ${BINARY}.ta. In native OP-TEE, it is the TA UUID.
- sub.mk: a make file that lists the sources to build (local source files, subdirectories to parse, source-file-specific build directives). It is the entry point for listing the source files to build and other specific build directives.
- user_ta_header_defines.h: a specific ANSI-C header file that defines most of the TA properties.
- Android.mk: Android's build system will parse the Android.mk file for the TA, which in turn parses a TA-devkit Android make file to locate TA build resources.
- hello_world_ta.c: the five entry points every TA implements

```c
#include <tee_internal_api.h>

// Allocate some resources, init something
TEE_Result TA_CreateEntryPoint(void);

// Release resources if required before TA destruction
void TA_DestroyEntryPoint(void);

// Check client identity, and alloc/init some session resources if any
TEE_Result TA_OpenSessionEntryPoint(uint32_t ptype, TEE_Param param[4],
                                    void **session_id_ptr);

// Check client and handle session resource release, if any
void TA_CloseSessionEntryPoint(void *sess_ptr);

// Decode the command and process execution of the target service
TEE_Result TA_InvokeCommandEntryPoint(void *session_id, uint32_t command_id,
                                      uint32_t parameters_type,
                                      TEE_Param parameters[4]);
```
Checking TA Parameters
Use TEE_PARAM_TYPE_GET(param_type, param_index) to get the type of a parameter and check its value against the parameter type the command expects.
Signing of TAs
Offline signing is a three-step process: in the first step, the digest of the compiled binary must be generated; in the second step, that digest is signed offline with the private key; finally, in the third step, the signature is applied to the binary and its digest. The signature is stitched into the complete TA.
host folder
workflow
- initialize context (host): open the OP-TEE driver, obtain the operation handle and store it in a variable of type TEEC_Context

```c
TEEC_InitializeContext(NULL, &ctx);
```

- open session (CA): create a channel for communication between a specific CA and a specific TA

```c
TEEC_OpenSession(&ctx, &sess, &uuid, TEEC_LOGIN_PUBLIC, NULL, NULL, &err_origin);
```

  Then the TA's TA_OpenSessionEntryPoint() will print "Hello World!" (in TEE core).

- initialize paramTypes

```c
op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_NONE, TEEC_NONE, TEEC_NONE);
```

- invoke the command, using the command ID and op

```c
TEEC_InvokeCommand(&sess, TA_HELLO_WORLD_CMD_INC_VALUE, &op, &err_origin);
```

  Then OP-TEE and the TA handle the request and return the result to the CA (TA_InvokeCommandEntryPoint).
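The following is an added example, not code from the original post or from the OP-TEE project. It models in one host-buildable file how the hello_world CA and TA agree on parameter types: the client packs `op.paramTypes` with TEEC_PARAM_TYPES, and the TA's TA_InvokeCommandEntryPoint rejects anything other than a single VALUE_INOUT in slot 0 using TEE_PARAM_TYPE_GET, before it touches the value. The GP macros and constants are re-declared locally so the file compiles without the OP-TEE headers (their encodings follow the GlobalPlatform TEE API); `host_invoke_inc` stands in for TEEC_InvokeCommand and calls the entry point directly instead of crossing into the TEE.

```c
/* Added example: CA/TA parameter-type agreement, modelled in-process. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* GP TEE Internal API return codes (re-declared locally, no OP-TEE headers) */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS               0x00000000u
#define TEE_ERROR_BAD_PARAMETERS  0xFFFF0006u

/* Parameter type encoding, shared by the TEEC_* (client) and TEE_* (TA) sides */
#define TEE_PARAM_TYPE_NONE          0
#define TEE_PARAM_TYPE_VALUE_INPUT   1
#define TEE_PARAM_TYPE_VALUE_OUTPUT  2
#define TEE_PARAM_TYPE_VALUE_INOUT   3
#define TEE_PARAM_TYPE_MEMREF_INPUT  5

/* Four 4-bit type fields packed into one word; parameter 0 is the low nibble */
#define TEE_PARAM_TYPES(t0, t1, t2, t3) \
    ((t0) | ((t1) << 4) | ((t2) << 8) | ((t3) << 12))
#define TEE_PARAM_TYPE_GET(t, i) (((t) >> ((i) * 4)) & 0xF)

/* Client-side names use the same encoding */
#define TEEC_NONE        TEE_PARAM_TYPE_NONE
#define TEEC_VALUE_INOUT TEE_PARAM_TYPE_VALUE_INOUT
#define TEEC_PARAM_TYPES TEE_PARAM_TYPES

/* Minimal TEE_Param: either a value pair or a memory reference */
typedef union {
    struct { void *buffer; uint32_t size; } memref;
    struct { uint32_t a; uint32_t b; } value;
} TEE_Param;

#define TA_HELLO_WORLD_CMD_INC_VALUE 0   /* command id, as in hello_world */

/* TA side: per-slot check with TEE_PARAM_TYPE_GET, then the actual work */
static TEE_Result inc_value(uint32_t param_types, TEE_Param params[4])
{
    if (TEE_PARAM_TYPE_GET(param_types, 0) != TEE_PARAM_TYPE_VALUE_INOUT)
        return TEE_ERROR_BAD_PARAMETERS;
    for (uint32_t i = 1; i < 4; i++)   /* slots 1..3 must be unused */
        if (TEE_PARAM_TYPE_GET(param_types, i) != TEE_PARAM_TYPE_NONE)
            return TEE_ERROR_BAD_PARAMETERS;

    params[0].value.a++;               /* what the hello_world command does */
    return TEE_SUCCESS;
}

/* TA entry point: decode the command id and dispatch */
TEE_Result TA_InvokeCommandEntryPoint(void *sess, uint32_t cmd_id,
                                      uint32_t param_types, TEE_Param params[4])
{
    (void)sess;
    switch (cmd_id) {
    case TA_HELLO_WORLD_CMD_INC_VALUE:
        return inc_value(param_types, params);
    default:
        return TEE_ERROR_BAD_PARAMETERS;
    }
}

/* Host side (hypothetical stand-in for TEEC_InvokeCommand): fill params[0],
 * call the TA entry point, return the updated value or 0xFFFFFFFF on error */
uint32_t host_invoke_inc(uint32_t start, uint32_t param_types)
{
    TEE_Param params[4];
    memset(params, 0, sizeof(params));
    params[0].value.a = start;

    TEE_Result res = TA_InvokeCommandEntryPoint(NULL, TA_HELLO_WORLD_CMD_INC_VALUE,
                                                param_types, params);
    return res == TEE_SUCCESS ? params[0].value.a : 0xFFFFFFFFu;
}

/* The layout hello_world's CA sends: one VALUE_INOUT, three NONE */
uint32_t good_call(void)
{
    return host_invoke_inc(42, TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_NONE,
                                                TEEC_NONE, TEEC_NONE));
}

/* A client that also passes an unexpected memref in slot 1: rejected */
uint32_t bad_call(void)
{
    return host_invoke_inc(42, TEEC_PARAM_TYPES(TEEC_VALUE_INOUT,
                                                TEE_PARAM_TYPE_MEMREF_INPUT,
                                                TEEC_NONE, TEEC_NONE));
}

int main(void)
{
    printf("good call -> %u\n", (unsigned)good_call());
    printf("bad call  -> %u\n", (unsigned)bad_call());
    return 0;
}
```

The per-slot loop is equivalent to comparing the whole packed word against `TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INOUT, TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE, TEE_PARAM_TYPE_NONE)`; the point of doing the check first is that a mismatched layout is refused before the TA dereferences any buffer or value the client supplied.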