TEE学习(一) OP-TEE

TEE学习（一） OP-TEE

OP-TEE

CONCEPT

1. OP-TEE（open source project Trusted Execution Environment），REE中的系统和应用无法直接访问TEE中的资源，只能通过TEE提供的接口获取一个结果。

2. main design goals:

• isolation: provide isolation between REE and TEE; protect TAs from each other,
• small footprint: TEE should be small enough to reside in a reasonable memory,
• portability: TEE aims to be loaded in different architecture and hardware,support various setups(multiple clients OSes,mutiple TEEs).

COMPONENT

components	feature
A secure privileged layer	Arm secure PL-1 (v7-A) or EL-1 (v8-A) level
A set of secure user space libraries	for TAs needs
A Linux kernel TEE framework and driver
A Linux user space library	upon the GP TEE Client API specifications
A Linux user space supplicant daemon	for remote services expected by the TEE OS
A test suite	for doing regression testing and testing the consistency of the API implementations.
An example git	containing a couple of simple host- and TA-examples
some build scripts,debugging tools	ease integration and the development of Trusted Applications and secure services

QEMU

一款仿真软件，可以仿真虚拟电脑/嵌入式开发板(支持ARM、MIPS、RISC-V等各种架构)。run OP-TEE using QEMU for Armv8-A.

在没有硬件虚拟化的支持下，QEMU本质上完成的工作是二进制的翻译，如在Ubuntu(x86)系统上使用Qemu模拟ARM64处理器时，Guest OS中的ARM64程序是无法在x86架构运行的，但使用Qemu进行翻译，可以将Guest代码指令翻译成TCG(Tiny Code Generator)中间代码，最终翻译成Host架构支持的代码指令。

RUNNING OP-TEE on QEMU v8

ENVIRONMENT

software/OS	version
VMware Workstation	16.2.1
Ubuntu	20.04

OPERATION

1. download necessary tools and libraries:

   sudo apt-get install android-tools-fastboot autoconf bison cscope curl flex gdisk libc6:i386 libfdt-dev libglib2.0-dev libpixman-1-dev libstdc++6:i386 libz1:i386 netcat python-crypto uuid-dev xz-utils zlib1g-dev
   

2. install repo:

   mkdir ~/.bin
   cd ~/.bin
   wget https://storage.googleapis.com/git-repo-downloads/repo -P ~/bin/ # 使用镜像
   chmod a+x ~/bin/repo
   export PATH=~/bin:$PATH
   

3. download the sourcecode of OP-TEE:

   repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml # git需要设置代理 
   # With these you will get a setup containing the all necessary software components to run OP-TEE on the chosen device.
   repo sync
   cd build
   make toolchains # .mk文件里的交叉编译器下载地址已迁移，需要更换
   make run #编译的过程中缺少依赖需下载
   

4. successfully run OP-TEE:

   

ANALYZE HELLO_WORLD

hello_world folder

ta folder

• Makefile: a make file that should set some configuration variables and include the TA-devkit(TA 的开发工具包) make file.

  • TA_DEV_KIT_DIR: Base directory of the TA-devkit.
  • BINARY: BINARY shall provide the TA filename used to load the TA.The built and signed TA binary file will be named ${BINARY}.ta.In native OP-TEE, it is the TA UUID.

• sub.mk: a make file that lists the sources to build (local source files, subdirectories to parse, source file specific build directives).

  • the entry point for listing the source files to build and other specific build directives.

• user_ta_header_defines.h: a specific ANSI-C header file to define most of the TA properties.

• Andriod.mk: Android’s build system will parse the Android.mk file for the TA which in turn will parse a TA-devkit Android make file to locate TA build resources.

• hello_world_ta.c:

  TEE_Result TA_CreateEntryPoint(void); 
  //Allocate some resources, init something
  
  void TA_DestroyEntryPoint(void); 
  //Release resources if required before TA destruction
  
  TEE_Result TA_OpenSessionEntryPoint(uint32_t ptype,
                                      TEE_Param param[4],
                                      void **session_id_ptr); 
  //Check client identity, and alloc/init some session resources if any
  
  void TA_CloseSessionEntryPoint(void *sess_ptr); 
  //check client and handle session resource release, if any
  
  TEE_Result TA_InvokeCommandEntryPoint(void *session_id,
                                        uint32_t command_id,
                                        uint32_t parameters_type,
                                        TEE_Param parameters[4]); 
  //Decode the command and process execution of the target service
  
  
  

Checking TA Parameters

TEE_PARAM_TYPE_GET(param_type, param_index)to get the type of a parameter and check its value according to the expected parameter.

Signing of TAs

对于脱机签名，需要三步过程：在第一步中，必须生成已编译二进制文件的摘要，在第二步中，使用私钥对该摘要进行脱机签名，最后在第三步中，对二进制文件及其摘要进行签名。 签名被缝合到完整的TA中。

host folder

workflow

1. initialize context(host),open op-tee driver，获取到操作句柄并存放到TEE_Context类型的变量中

   TEEC_InitializeContext(NULL, &ctx);
   

2. open session(CA),创建一个特定CA与特定TA之间进行通信的通道

   TEEC_OpenSession(&ctx, &sess, &uuid,TEEC_LOGIN_PUBLIC, NULL, NULL,&err_origin);
   

   Then TA's TA_OpenSessionEntryPoint() will print "Hello World!". (in TEE core)

3. initialize paramTypes

   op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_NONE, TEEC_NONE, TEEC_NONE);
   

4. invoke command, use command ID and op

   TEEC_InvokeCommand(&sess, TA_HELLO_WORLD_CMD_INC_VALUE, &op, &err_origin);
   

   Then OP-TEE and TA deal with the request and return the result to CA (TA_InvokeCommandEntryPoint).