TEE Study (1): OP-TEE

OP-TEE

CONCEPT

  1. OP-TEE (open source project Trusted Execution Environment): the OS and applications in the REE cannot access resources inside the TEE directly; they can only obtain a result through the interfaces the TEE exposes.

  2. main design goals:

  • isolation: provide isolation between REE and TEE; protect TAs from each other,
  • small footprint: TEE should be small enough to reside in a reasonable memory,
  • portability: TEE aims to be loaded on different architectures and hardware, and to support various setups (multiple client OSes, multiple TEEs).

COMPONENT

component: feature
  • A secure privileged layer: runs at Arm secure PL-1 (v7-A) or EL-1 (v8-A) level
  • A set of secure user space libraries: for the needs of TAs
  • A Linux kernel TEE framework and driver
  • A Linux user space library: built upon the GP TEE Client API specifications
  • A Linux user space supplicant daemon: for remote services expected by the TEE OS
  • A test suite: for doing regression testing and testing the consistency of the API implementations
  • An example git: containing a couple of simple host- and TA-examples
  • Some build scripts and debugging tools: ease integration and the development of Trusted Applications and secure services

QEMU

An emulator that can emulate a virtual PC or an embedded development board (supporting ARM, MIPS, RISC-V and other architectures). We run OP-TEE using QEMU for Armv8-A.

Without hardware virtualization support, what QEMU essentially does is binary translation. For example, when QEMU on an Ubuntu (x86) system emulates an ARM64 processor, the ARM64 programs in the guest OS cannot run on x86 directly; QEMU translates the guest instructions into TCG (Tiny Code Generator) intermediate code, which is finally translated into instructions the host architecture supports.

RUNNING OP-TEE on QEMU v8

ENVIRONMENT

software/OS: version
  • VMware Workstation: 16.2.1
  • Ubuntu: 20.04

OPERATION

  1. download necessary tools and libraries:

    sudo apt-get install android-tools-fastboot autoconf bison cscope curl flex gdisk libc6:i386 libfdt-dev libglib2.0-dev libpixman-1-dev libstdc++6:i386 libz1:i386 netcat python-crypto uuid-dev xz-utils zlib1g-dev
    
  2. install repo:

    mkdir -p ~/bin          # the tool is installed into ~/bin, which is also what is added to PATH below
    cd ~/bin
    wget https://storage.googleapis.com/git-repo-downloads/repo -P ~/bin/ # a mirror can be used instead
    chmod a+x ~/bin/repo
    export PATH=~/bin:$PATH
    
  3. download the sourcecode of OP-TEE:

    repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml # git needs a proxy configured
    # With these you will get a setup containing all the necessary software components to run OP-TEE on the chosen device.
    repo sync
    cd build
    make toolchains # the cross-compiler download URL in the .mk file has moved and must be replaced
    make run        # dependencies missing during the build must be downloaded
    
  4. OP-TEE runs successfully:

    [screenshot: image-20221107150510394]

ANALYZE HELLO_WORLD

hello_world folder

[screenshot: image-20221107153813266]

ta folder

[screenshot: image-20221107153755239]

  • Makefile: a make file that should set some configuration variables and include the TA-devkit (the TA development kit) make file.

    • TA_DEV_KIT_DIR: base directory of the TA-devkit.
    • BINARY: BINARY shall provide the TA filename used to load the TA. The built and signed TA binary file will be named ${BINARY}.ta. In native OP-TEE, it is the TA UUID.
  • sub.mk: a make file that lists the sources to build (local source files, subdirectories to parse, source file specific build directives).

    • the entry point for listing the source files to build and other specific build directives.
  • user_ta_header_defines.h: a specific ANSI-C header file to define most of the TA properties.

  • Android.mk: Android's build system will parse the Android.mk file for the TA, which in turn will parse a TA-devkit Android make file to locate TA build resources.

  • hello_world_ta.c: the five entry points every TA implements (declared in tee_internal_api.h / user_ta_header.h from the TA-devkit):

    #include <tee_internal_api.h>

    // Called once when the TA is loaded: allocate some resources, init something
    TEE_Result TA_CreateEntryPoint(void);

    // Called when the TA instance is destroyed: release resources if required
    void TA_DestroyEntryPoint(void);

    // Called for each TEEC_OpenSession(): check client identity, and
    // alloc/init some session resources if any
    TEE_Result TA_OpenSessionEntryPoint(uint32_t ptype,
                                        TEE_Param param[4],
                                        void **session_id_ptr);

    // Called for each TEEC_CloseSession(): check client and release
    // session resources, if any
    void TA_CloseSessionEntryPoint(void *sess_ptr);

    // Called for each TEEC_InvokeCommand(): decode the command id and
    // process execution of the target service
    TEE_Result TA_InvokeCommandEntryPoint(void *session_id,
                                          uint32_t command_id,
                                          uint32_t parameters_type,
                                          TEE_Param parameters[4]);

Checking TA Parameters

Use TEE_PARAM_TYPE_GET(param_type, param_index) to get the type of a parameter and check it against the type the command expects before touching the parameter's value or buffer; parameters come from the CA in the REE and must not be trusted.
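As an added example (not code from the original post or from optee_examples), this is the parameter check the hello_world inc_value command performs, written so it compiles on a host machine: the GP macros, constants and TEE_Param union below are assumed local stand-ins for what tee_internal_api.h provides, and the command id value is assumed to match the one in hello_world_ta.h.

```c
#include <stdint.h>
#include <stddef.h>

/* Local stand-ins for tee_internal_api.h (assumption: same encoding as GP TEE Internal API). */
typedef uint32_t TEE_Result;
#define TEE_SUCCESS                 0x00000000
#define TEE_ERROR_BAD_PARAMETERS    0xFFFF0006

#define TEE_PARAM_TYPE_NONE         0
#define TEE_PARAM_TYPE_VALUE_INOUT  3
#define TEE_PARAM_TYPE_MEMREF_INPUT 5

/* Four 4-bit type fields packed into one 32-bit word, index 0 in the low nibble. */
#define TEE_PARAM_TYPES(t0, t1, t2, t3) \
    ((t0) | ((t1) << 4) | ((t2) << 8) | ((t3) << 12))
#define TEE_PARAM_TYPE_GET(t, i) (((t) >> ((i) * 4)) & 0xF)

typedef union {
    struct { void *buffer; uint32_t size; } memref;
    struct { uint32_t a; uint32_t b; } value;
} TEE_Param;

#define TA_HELLO_WORLD_CMD_INC_VALUE 0   /* assumed: value from hello_world_ta.h */

/* inc_value: only proceed if param[0] is a VALUE_INOUT and params 1..3 are NONE.
 * Reading params[0].value without this check would interpret whatever the CA
 * sent (possibly a memref) as an integer pair. */
static TEE_Result inc_value(uint32_t param_types, TEE_Param params[4])
{
    if (TEE_PARAM_TYPE_GET(param_types, 0) != TEE_PARAM_TYPE_VALUE_INOUT)
        return TEE_ERROR_BAD_PARAMETERS;
    for (uint32_t i = 1; i < 4; i++)
        if (TEE_PARAM_TYPE_GET(param_types, i) != TEE_PARAM_TYPE_NONE)
            return TEE_ERROR_BAD_PARAMETERS;

    params[0].value.a++;   /* the CA reads the incremented value back from op.params[0] */
    return TEE_SUCCESS;
}

/* Dispatch by command id; unknown ids are rejected rather than ignored. */
TEE_Result TA_InvokeCommandEntryPoint(void *sess, uint32_t cmd_id,
                                      uint32_t param_types, TEE_Param params[4])
{
    (void)sess;
    switch (cmd_id) {
    case TA_HELLO_WORLD_CMD_INC_VALUE:
        return inc_value(param_types, params);
    default:
        return TEE_ERROR_BAD_PARAMETERS;
    }
}
```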

Signing of TAs

Offline signing is a three-step process: in the first step, the digest of the compiled binary must be generated; in the second step, that digest is signed offline with the private key; finally, in the third step, the resulting signature is stitched into the binary to form the complete TA.

host folder

[screenshot: image-20221107200905242]

workflow

[screenshot: image-20221107202832755]

  1. initialize context (host): open the OP-TEE driver, obtain an operation handle and store it in a variable of type TEEC_Context

    TEEC_InitializeContext(NULL, &ctx);
    
  2. open session (CA): create a channel through which a specific CA communicates with a specific TA

    TEEC_OpenSession(&ctx, &sess, &uuid, TEEC_LOGIN_PUBLIC, NULL, NULL, &err_origin);
    

    Then the TA's TA_OpenSessionEntryPoint() will print "Hello World!" (in the TEE core).

  3. initialize paramTypes

    op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_NONE, TEEC_NONE, TEEC_NONE);
    
  4. invoke command, using the command ID and op

    TEEC_InvokeCommand(&sess, TA_HELLO_WORLD_CMD_INC_VALUE, &op, &err_origin);
    

    Then OP-TEE and the TA handle the request (in TA_InvokeCommandEntryPoint) and return the result to the CA.

posted @ 2022-11-09 09:53 ppddcsz