TEE学习(一) OP-TEE
OP-TEE
CONCEPT
-
OP-TEE(open source project Trusted Execution Environment),
REE中的系统和应用无法直接访问TEE中的资源,只能通过TEE提供的接口获取一个结果
。 -
main design goals:
- isolation: provide isolation between REE and TEE; protect TAs from each other,
- small footprint: TEE should be small enough to reside in a reasonable memory,
- portability: TEE aims to be loaded in different architecture and hardware,support various setups(multiple clients OSes,mutiple TEEs).
COMPONENT
components | feature |
---|---|
A secure privileged layer | Arm secure PL-1 (v7-A) or EL-1 (v8-A) level |
A set of secure user space libraries | for TAs needs |
A Linux kernel TEE framework and driver | |
A Linux user space library | upon the GP TEE Client API specifications |
A Linux user space supplicant daemon | for remote services expected by the TEE OS |
A test suite | for doing regression testing and testing the consistency of the API implementations. |
An example git | containing a couple of simple host- and TA-examples |
some build scripts,debugging tools | ease integration and the development of Trusted Applications and secure services |
QEMU
一款仿真软件,可以仿真虚拟电脑/嵌入式开发板(支持ARM、MIPS、RISC-V等各种架构)。run OP-TEE using QEMU for Armv8-A.
在没有硬件虚拟化的支持下,QEMU本质上完成的工作是二进制的翻译,如在Ubuntu(x86)系统上使用Qemu模拟ARM64处理器时,Guest OS中的ARM64程序是无法在x86架构运行的,但使用Qemu进行翻译,可以将Guest代码指令翻译成TCG(Tiny Code Generator)中间代码,最终翻译成Host架构支持的代码指令
。
RUNNING OP-TEE on QEMU v8
ENVIRONMENT
software/OS | version |
---|---|
VMware Workstation | 16.2.1 |
Ubuntu | 20.04 |
OPERATION
-
download necessary tools and libraries:
sudo apt-get install android-tools-fastboot autoconf bison cscope curl flex gdisk libc6:i386 libfdt-dev libglib2.0-dev libpixman-1-dev libstdc++6:i386 libz1:i386 netcat python-crypto uuid-dev xz-utils zlib1g-dev
-
install repo:
mkdir ~/.bin cd ~/.bin wget https://storage.googleapis.com/git-repo-downloads/repo -P ~/bin/ # 使用镜像 chmod a+x ~/bin/repo export PATH=~/bin:$PATH
-
download the sourcecode of OP-TEE:
repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml # git需要设置代理 # With these you will get a setup containing the all necessary software components to run OP-TEE on the chosen device. repo sync cd build make toolchains # .mk文件里的交叉编译器下载地址已迁移,需要更换 make run #编译的过程中缺少依赖需下载
-
successfully run OP-TEE:
ANALYZE HELLO_WORLD
hello_world folder
ta folder
-
Makefile: a make file that should set
some configuration variables
and include theTA-devkit(TA 的开发工具包)
make file.- TA_DEV_KIT_DIR: Base directory of the TA-devkit.
- BINARY: BINARY shall provide the TA filename used to load the TA.The built and signed TA binary file will be named ${BINARY}.ta.In native OP-TEE, it is the TA UUID.
-
sub.mk: a make file that lists
the sources to build
(local source files, subdirectories to parse, source file specific build directives).- the entry point for listing the source files to build and other specific build directives.
-
user_ta_header_defines.h: a specific ANSI-C header file to
define most of the TA properties
. -
Andriod.mk: Android’s build system will parse the Android.mk file for the TA which in turn will parse a TA-devkit Android make file to locate TA build resources.
-
hello_world_ta.c:
TEE_Result TA_CreateEntryPoint(void); //Allocate some resources, init something void TA_DestroyEntryPoint(void); //Release resources if required before TA destruction TEE_Result TA_OpenSessionEntryPoint(uint32_t ptype, TEE_Param param[4], void **session_id_ptr); //Check client identity, and alloc/init some session resources if any void TA_CloseSessionEntryPoint(void *sess_ptr); //check client and handle session resource release, if any TEE_Result TA_InvokeCommandEntryPoint(void *session_id, uint32_t command_id, uint32_t parameters_type, TEE_Param parameters[4]); //Decode the command and process execution of the target service
Checking TA Parameters
TEE_PARAM_TYPE_GET(param_type, param_index)
to get the type of a parameter and check its value according to the expected parameter.
Signing of TAs
对于脱机签名,需要三步过程:在第一步中,必须生成已编译二进制文件的摘要,在第二步中,使用私钥对该摘要进行脱机签名,最后在第三步中,对二进制文件及其摘要进行签名。 签名被缝合到完整的TA中。
host folder
workflow
-
initialize context(host),open op-tee driver,获取到操作句柄并存放到TEE_Context类型的变量中
TEEC_InitializeContext(NULL, &ctx);
-
open session(CA),创建一个特定CA与特定TA之间进行通信的通道
TEEC_OpenSession(&ctx, &sess, &uuid,TEEC_LOGIN_PUBLIC, NULL, NULL,&err_origin);
Then TA's
TA_OpenSessionEntryPoint()
will print "Hello World!". (in TEE core) -
initialize paramTypes
op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_NONE, TEEC_NONE, TEEC_NONE);
-
invoke command, use command ID and op
TEEC_InvokeCommand(&sess, TA_HELLO_WORLD_CMD_INC_VALUE, &op, &err_origin);
Then OP-TEE and TA deal with the request and return the result to CA (
TA_InvokeCommandEntryPoint
).