- Source code
- Building
- License
- Contribution, Promotion and security flaws
- Certification and security reviews
- Interfaces
- Architecture
- Trusted Applications
- Testing
- It is located on GitHub under the project OP-TEE.
- Then besides the main gits at OP-TEE we also have some other gits used in one or another way by OP-TEE at linaro-swg.
- All the source code for that can be found in the git called optee_test.
- The GlobalPlatform extension, TEE Initial Configuration Compliance Test Suite v1.x, can be purchased separately.
Since the beginning of 2015 we have been trying to get our driver mainlined. This seems to be more challenging than we initially could foresee, but as of now it has reached linux-next. (A list of all patches submitted could be found at the Generic TEE driver patches patchwork page.)
-
What did you try to build? Only optee_os? A full setup using QEMU, HiKey, RPi3, Juno using repo? AOSP? OpenEmbedded? What we build on daily basis are the OP-TEE repo setups, other builds like AOSP and OpenEmbedded are builds that we try from time to time, but not very often within Security Working Group. Having that said there are other teams in Linaro working with such builds, but they most often base their builds on OP-TEE stable releases.
-
By running latest instead of stable also comes with a risk of getting build errors due to version and/or interdependency skew which can result in build error. Now, such issues most often affects running xtest and not the building. If you however clean all gits and do a
repo sync -d
. Then we're almost 100% sure you will get back to a working state again, since as mentioned in next bullet, we build (and run xtest) on all QEMU on all patches sent to OP-TEE. -
Every pull request in OP-TEE are built for a multitude of different platforms automatically using Travis for OP-TEE. Please have a look there to see whether it failed building on the platform you're using before submitting any issue about build errors.
-
Once a day Travis builds all repo setups (manifests) automatically and the results for the builds can be found at the Travis OP-TEE build page.
Stable releases are quite well tested both in terms of building for all supported platforms and running xtest on all platforms, so if you cannot get that to build and run, then there is a great chance you have something wrong on your side. All platforms that has been tested on a stable release can be found in CHANGELOG.md file.
Most likely you're trying to build OP-TEE using the regular x86 compiler and not the using the ARM toolchain. Please install the OP-TEE pre-requisties and this time try to ensure that you are using GCC for ARM (for more information, please see Issue#846).
That git is used in conjunction with the OP-TEE repo setups. It contains helper makefiles that makes it easy to get OP-TEE up and running on the setups that are using repo.
We try to stay somewhat up to date with running later gcc versions. But just like everywhere else on the net things moves around. In some cases like Issue#1195, the URL was changed without us noticing it. If you find and fix such an issue, please send the fix as pull request and we will be happy to merge it.
That would be running it on QEMU on a local PC. To do that you would need to:
- Install the OP-TEE pre-requisties, see section 7.1.
- Configure repo as described in OP-TEE repo setups, see section 6.
- Build QEMU, see qemu.md.
- Run xtest, see section 7.9.
By summarizing the above, you would need to:
$ sudo apt-get install [pre-reqs]
$ mkdir optee-qemu && cd optee-qemu
$ repo init -u https://github.com/OP-TEE/manifest.git
$ repo sync
$ cd build
$ make toolchains -j3
$ make all run
(qemu) c
root@Vexpress:/ xtest
- Mostly under BSD 2-Clause, see the LICENSE file.
- The TEE kernel driver is released under GPLv2 for obvious reasons.
- xtest uses BSD 2-Clause for code running in secure world (Trusted Applications etc) and GPLv2 for code running in normal world (client code).
Since OP-TEE is a GlobalPlatform based TEE which implements the APIs as specified by GlobalPlatform one has to accept, the click-through license which is presented when trying to download the GlobalPlatform specifications before start using OP-TEE.
That is something we deal with case by case. But as a general answer, if it does not contaminate the BSD 2-Clause license we will accept it. Send us an email or file an issue at OP-TEE Issues.
Please see the section “Contributions” in the file Notice.md at the GitHub project page.
Via one of the avenues below:
- Create a new issue for a relevant repository on our GitHub site, such as OP-TEE Issues for example.
#linaro-security
IRC channel (url: irc.linaro.org
orirc.freenode.net
,ssl: yes, port: 6697
)- Email:
<op-tee at linaro dot org>
- For Linaro member companies, please use the LDTS page.
- We always need help with code reviews, feel free to review any of the open OP-TEE Pull Requests. Please also note that there could be open pull request in the other OP-TEE gits that needs review too.
- We always need help answering all the questions asked at OP-TEE Issues.
- If you want to try to solve a bug, please have a look at the OP-TEE Bugs or the OP-TEE Enhancements.
- Documentation tends to become obsolete if not maintained on regular basis. We try to do our best, but we're not perfect. Please have a look at OP-TEE Documentation and try to update where you find gaps.
- Enable
repo
for the device in Platforms Supported currently not using repo. - If you would like to implement a bigger feature, please reach out to us and we can discuss what is most relevant to look into for the moment. If you already have an idea, feel free to send the proposal to us.
If your company has done significant contributions to OP-TEE, then please send us an email and we will do our best to include your company. Pay attention to that we will review this on regular basis and inactive supporting companies might be removed in the future again.
Send an email to us (see the Security Advisories page), where you mention that you have found a vulnerability, no details are needed in this first email. After that someone in the team will contact you and let you know how to continue the communication securely.
No we will not, mainly for two reasons. The first is that there was a board decision that Security WG in Linaro should not be part of certifications. The second reason is that most often certification is done using a certain software version and on a unique device. I.e., it is the combination software + hardware that gets certified. Since Linaro have no own devices in production or for sale, we cannot be part of any certification. This is typically something that the SoC or OEM needs to do.
But since OP-TEE is coming from a proprietary TEE solution that was GlobalPlatform certified on some products in the past and we regularly have people from some member companies running the extended test suite from GlobalPlatform we know that the gap to become GlobalPlatform certified/qualified isn’t that big.
Applus Laboratories have done some side-channel attack testing and fault injection testing on OP-TEE using the HiKey. Their findings will be included at the Security Advisories page at op-tee.org.
- Audit, no! Not something initiated by Linaro. But there has been some companies that have done audits internally and they have then shared the result with us and where relevant, we have created patches resolving the issues reported to us.
- Code review, yes! Every single patch going into OP-TEE has been reviewed in a pull request on GitHub. We more or less have a requirement that every patch going into OP-TEE shall at least have one "Reviewed-by" tag in the patch.
- Third party / test lab code review, no! Again some companies have reviewed internally and shared the result with us, but other than that no.
- GlobalPlatform's TEE Client API v1.1 specification
- GlobalPlatform's TEE Internal Core API v1.1 specification.
- GlobalPlatform's Secure Elements v1.0
- GlobalPlatform's Trusted UI v1.0 (implementation not complete).
- GlobalPlatform's Socket API v1.0 (TCP and UDP, but not TLS).
All those specification can be found at GlobalPlatform specifications page.
Yes, OP-TEE has a Crypto Abstraction Layer that was designed mainly to make it easy to add support for hardware crypto acceleration. There you will find information about the abstraction layer itself and what you need to do to be able to support new software/hardware “drivers” in OP-TEE.
The Platforms Supported page lists all platforms and architectures currently supported in the official tree.
Both 32- and 64-bit are fully supported for all OP-TEE components.
To-Do mention the configuration flags for NW/SW/TEE/TA etc.
Does OP-TEE support mixed-mode, i.e., both AArch32 and AArch64 Trusted Applications on top of an AArch64 core?
Yes!
- Start by reading the porting_guidelines.md.
- There might be some interesting information in the LCU14-302 How To Port OP-TEE To Another Platform deck and the LCU14-302 YouTube clip that complements the deck. Beware that the presentation is more than three years old, so even though it is a good source, there might be parts that are not relevant any longer.
- As a good example for an ARMv8-A patch enabling OP-TEE support on a new device, please see the ZynqMP port that enabled support for running OP-TEE on Xilinx UltraScale+ Zynq MPSoC. Besides that there are similar patches for Juno port, Raspberry Pi3 port, HiKey port.
- And for ARMv7-A, please have a look at the Freescale ls1021a port, another example would be the TI DRA7xx port.
Yes, it can be changed. In the current setup (for vexpress for example), there
are 32MB DDR
dedicated for OP-TEE. 1MB
for TEE RAM
and 1MB
for PUB RAM
, this leaves 30MB
for Trusted Applications. In the Trusted Applications,
you set TA_DATA_STACK
and TA_DATA_SIZE
. Typically, we set stack to 1KB
and
data to 32K
. But you are free to adjust those according to the amount of
memory you have available. If you need them to be bigger than 1MB
then you
also must adjust TA’s MMU L1 table accordingly, since default section mapping is
1MB.
As of 2016.01, optee_os is about 244KB
(release build). It is preferred to
store optee_os in SRAM, but if there is not enough room, DRAM can be used and
protected with TZASC. We are also looking into the possibility of creating a
‘minimal’ OP-TEE, i.e. a limited OP-TEE usable even in a very memory constrained
environment, by eliminating as many memory-hungry parts as possible. There is
however no ETA for this at the moment.
You can check the memory usage by using the make mem_usage
target in
optee_os, example:
$ make ... mem_usage
# Which will output a file with the figures here:
# out/arm/core/tee.mem_usage
You will of course get different sizes depending on what compile time flags you
have enabled when running make mem_usage
.
Yes, but it will require implementation of lazy context switching which Linaro is currently working on as part of the work to add support for ARMv8-A Crypto Extensions. You can read more about Lazy Context Switching at the ARM pages. Please also see Issue#953.
C++ libraries are currently not supported. Technically, it is possible but will require a fair amount of work to implement, especially more so if exceptions are required. There are currently no plans to do this.
malloc()
in OP-TEE currently gives physically contiguous memory. It is not
guaranteed as it is not mentioned anywhere in the documentation, but in practice
the heap only has physically contiguous memory in the pool(s). The heap in
OP-TEE is normally quite small, ~24KiB, and could be a bit fragmented.
Currently it’s up to the kernel to decide which core it runs on, i.e, it will be the same core as the one initiating the SMC in Linux. Please also see Issue#1194.
OP-TEE does not have its own scheduler, instead it is being scheduled by Linux kernel. For more information, please see Issue#1036, Issue#1183.
- Start by reading the LCU14-103 How to create and run Trusted Applications on OP-TEE deck and have a look at the LCU14-103 YouTube clip that that complements the deck. Word of warning, the deck is more than three years old, so maybe not everything said there is valid as of today.
- Since that talk, the Hello World Trusted Application has been officially included in the OP-TEE repo setups. I.e., do not refer to the URL in the deck any longer since it is obsolete.
- If you want to see more advanced uses cases of Trusted Applications, then we encourage that you have a look at the TAs in xtest.
To-Do add more text, but see Issue#280, Issue#601, Issue#901, Issue#1003 for now.
/lib/optee_armtz
, that is the default configuration where tee-supplicant will
look for Trusted Applications.
A Psuedo TA is a Trusted Application that runs in TEE kernel / core context. I.e., it will have access to the same functions, memory and hardware etc as the TEE core itself. If we're talking ARMv8-A it is running in S-EL1.
No!
Yes, for a longer discussion see Issue#967, Issue#1085, Issue#1132.
You may develop your own “Psuedo TA”, which is part of the core (see above for more information about the Psuedo TA).
In the current solution all TAs are signed (sign.py) with the same RSA key (default_ta.pem). This works as long as the end user is in charge of the system. But for a setup involving third parties, there is a need for a better way to deal with this. We have started to look into various ideas and one of them is OTrP.
If the user will use the current implementation he MUST replace the default_ta.pem with a new key. default_ta.pem should only be seen as a test key!
Yes, you can have two or more TAs running simultaneously. Please see also Issue#1194.
No, there is no such concept as pthreads or similar. I.e, you cannot spawn thread from a TA. If you need to run tasks in parallel, then you should probably look into running two TAs or more simultaneously and then let them communicate with each other using the TA2TA interface.
Those can only be shared are under NDA with Google and Microsoft. Linaro can help members of Linaro to get access to those. As of now, we cannot share it with non-members.
There is a test suite called xtest (optee_test) that tests the complete TEE-solution to ensure that the communication between all architectural layers is working as it should. The test suite also tests the majority of the GlobalPlatform TEE Internal Core API. It has close to 50,000 and ever increasing test cases, and is also extendable with the official GlobalPlatform test suite (see TEE Initial Configuration Compliance Test Suite v1.x).
Also every single pull request in OP-TEE are being tested automatically on QEMU using Travis for OP-TEE.
- OP-TEE: Open Portable TEE
- TEE: Trusted Execution Environment
- TA: Trusted Application
- TZASC: TrustZone Address Space Controller
- TZPC: TrustZone Protection Controller