Accelerate Your Trusted Software Development Using OP-TEE
This ARM TechCon 2017 session is being presented by Akshay Bhat, security architect at Timesys. Attendees will learn about adding a new ARMv7-based SoC to OP-TEE, the pieces and parts of the OP-TEE ecosystem, and key factors to consider when developing a Trusted Application.
ARM® TrustZone® is an instrumental technology for securing devices. The availability of OP-TEE, an open source operating system, enables developers to make use of TrustZone to deploy applications in a trusted environment.
Getting started with a new OS usually involves a large learning curve, especially when the focus is on device security. In this session, you’ll get a head start on deploying trusted apps/OP-TEE on your product by leveraging the lessons learned from adding a new ARMv7-based SoC to OP-TEE.
This presentation also navigates through design decisions and best practices that need to be considered when developing a Trusted Application.
Topics covered are:
- Adding your ARMv7 based SoC to OP-TEE
- a. Getting started when your ARMv7 based SoC is not in the list of supported boards in OP-TEE
- – Review if SoC supports running secure OS (TrustZone/Security extensions, memory protection)
- b. Adding bare minimum board support to get up and running
- – Setting up a memory map, adding serial port support, deciding if pager support is needed, JTAG debugging tips
- c. Changes needed to the bootloader
- – Using U-Boot as an example, exploring different methods to load OP-TEE and jump to the kernel
- d. Changes needed to the Linux kernel
- – Linux kernel patches that need to be back-ported, device tree changes, setting up shared memory
- e. Great. Now my previously working kernel panics …
- – Typical issues faced (eg: imprecise external aborts) and methods to debug, reviewing permissions to peripherals and memory
- f. Making sure OP-TEE is working as expected
- – Running XTest and tee-supplicant
- Considerations before deploying your first Trusted Application
- a. What is a Trusted Application?
- – Overview of Trusted Application, tee-supplicant, Global Platform API
- b. What are the features offered by OP-TEE?
- – Overview of crypt operations, encrypted file storage
- c. Can I run my Trusted Application as service?
- – Exploring timers and secure interrupts on OP-TEE
- d. Can my application directly access physical memory? How can my Trusted Application talk to a hardware peripheral?
- – Overview of static/pseudo trusted apps. Running applications in kernel mode vs. user mode on OP-TEE; exploring the limitations of a dynamic Trusted Application
- e. Resource sharing between secure and non-secure world OS
- – Awareness of restrictions when a peripheral is being accessed both in secure and non-secure world
- f. How do I reduce the code size of OP-TEE?
- – Code size overview with various options
- Example Trusted Application
- a. Getting started with a Trusted Application
- – HelloWorld test application overview
- b. Using OpenSSL running on Linux to interface with a Trusted Application on OP-TEE
- – OpenSSL engine overview, implementing interfaces to call into a Trusted Application
Have questions about OP-TEE and want to chat with Akshay while you’re at Arm TechCon? To schedule a meeting, please contact him directly via email.
Could you benefit from a no-obligation, 30-minute security services consultation? Simply fill out our online form, email us at firstname.lastname@example.org or call us at 1.866.392.4897 (toll-free) or +1.412.232.3250.
Have an inquiry about an upcoming event or want to meet with us at the event?
We’d be happy to to answer your questions. For more information about any of our upcoming events or to schedule a meeting, email us at email@example.com or call us at 1.866.392.4897 (toll-free) or +1.412.232.3250.