Accelerate Your Trusted Software Development Using OP-TEE

This ARM TechCon 2017 session is being presented by Akshay Bhat, security architect at Timesys. Attendees will learn about adding a new ARMv7-based SoC to OP-TEE, the pieces and parts of the OP-TEE ecosystem, and key factors to consider when developing a Trusted Application.



Session Date & Time: October 25, 2017 | 4:30 PM – 5:20 PM
#ArmTechCon

 
Session Abstract:

ARM® TrustZone® is an instrumental technology for securing devices. The availability of OP-TEE, an open source operating system, enables developers to make use of TrustZone to deploy applications in a trusted environment.

Getting started with a new OS usually involves a large learning curve, especially when the focus is on device security. In this session, you’ll get a head start on deploying trusted apps/OP-TEE on your product by leveraging the lessons learned from adding a new ARMv7-based SoC to OP-TEE.

This presentation also navigates through design decisions and best practices that need to be considered when developing a Trusted Application.

Topics covered are:

  1. Adding your ARMv7 based SoC to OP-TEE
    a. Getting started when your ARMv7 based SoC is not in the list of supported boards in OP-TEE
    – Review if SoC supports running secure OS (TrustZone/Security extensions, memory protection)
    b. Adding bare minimum board support to get up and running
    – Setting up a memory map, adding serial port support, deciding if pager support is needed, JTAG debugging tips
    c. Changes needed to the bootloader
    – Using U-Boot as an example, exploring different methods to load OP-TEE and jump to the kernel
    d. Changes needed to the Linux kernel
    – Linux kernel patches that need to be back-ported, device tree changes, setting up shared memory
    e. Great. Now my previously working kernel panics …
    – Typical issues faced (eg: imprecise external aborts) and methods to debug, reviewing permissions to peripherals and memory
    f. Making sure OP-TEE is working as expected
    – Running XTest and tee-supplicant
  2. Considerations before deploying your first Trusted Application
    a. What is a Trusted Application?
    – Overview of Trusted Application, tee-supplicant, Global Platform API
    b. What are the features offered by OP-TEE?
    – Overview of crypt operations, encrypted file storage
    c. Can I run my Trusted Application as service?
    – Exploring timers and secure interrupts on OP-TEE
    d. Can my application directly access physical memory? How can my Trusted Application talk to a hardware peripheral?
    – Overview of static/pseudo trusted apps. Running applications in kernel mode vs. user mode on OP-TEE; exploring the limitations of a dynamic Trusted Application
    e. Resource sharing between secure and non-secure world OS
    – Awareness of restrictions when a peripheral is being accessed both in secure and non-secure world
    f. How do I reduce the code size of OP-TEE?
    – Code size overview with various options
  3. Example Trusted Application
    a. Getting started with a Trusted Application
    – HelloWorld test application overview
    b. Using OpenSSL running on Linux to interface with a Trusted Application on OP-TEE
    – OpenSSL engine overview, implementing interfaces to call into a Trusted Application
You can follow Akshay’s security blogs at www.timesys.com/author/akshay_bhat.

Akshay Bhat

Have questions about OP-TEE and want to chat with Akshay while you’re at Arm TechCon? To schedule a meeting, please contact him directly via email.

Email Akshay
 

Could you benefit from a no-obligation, 30-minute security services consultation? Simply fill out our online form, email us at sales@timesys.com or call us at 1.866.392.4897 (toll-free) or +1.412.232.3250.

Contact Us

Timesys TRST Security Solutions    Timesys TRST Security Services including secure boot    Timesys Security Services no-obligation consultation

Could you benefit from a no-obligation,
30-minute security services consultation?

Simply fill out the form or email us at sales@timesys.com, and we will be in touch within one business day to schedule a date and time that works for you. Or you can call us at 1.866.392.4897 (toll-free) or +1.412.232.3250.

* Denotes required field.