Accelerate Your Trusted Software Development Using OP-TEE
This ARM TechCon 2017 session is being presented by Akshay Bhat, security architect at Timesys. Attendees will learn about adding a new ARMv7-based SoC to OP-TEE, the pieces and parts of the OP-TEE ecosystem, and key factors to consider when developing a Trusted Application.
Session Date & Time: October 25, 2017 | 4:30 PM – 5:20 PM
#ArmTechCon
Session Abstract:
ARM® TrustZone® is an instrumental technology for securing devices. The availability of OP-TEE, an open source operating system, enables developers to make use of TrustZone to deploy applications in a trusted environment.
Getting started with a new OS usually involves a large learning curve, especially when the focus is on device security. In this session, you’ll get a head start on deploying trusted apps/OP-TEE on your product by leveraging the lessons learned from adding a new ARMv7-based SoC to OP-TEE.
This presentation also navigates through design decisions and best practices that need to be considered when developing a Trusted Application.
Topics covered are:
- Adding your ARMv7 based SoC to OP-TEE
- a. Getting started when your ARMv7 based SoC is not in the list of supported boards in OP-TEE
- – Review if SoC supports running secure OS (TrustZone/Security extensions, memory protection)
- b. Adding bare minimum board support to get up and running
- – Setting up a memory map, adding serial port support, deciding if pager support is needed, JTAG debugging tips
- c. Changes needed to the bootloader
- – Using U-Boot as an example, exploring different methods to load OP-TEE and jump to the kernel
- d. Changes needed to the Linux kernel
- – Linux kernel patches that need to be back-ported, device tree changes, setting up shared memory
- e. Great. Now my previously working kernel panics …
- – Typical issues faced (eg: imprecise external aborts) and methods to debug, reviewing permissions to peripherals and memory
- f. Making sure OP-TEE is working as expected
- – Running XTest and tee-supplicant
- Considerations before deploying your first Trusted Application
- a. What is a Trusted Application?
- – Overview of Trusted Application, tee-supplicant, Global Platform API
- b. What are the features offered by OP-TEE?
- – Overview of crypt operations, encrypted file storage
- c. Can I run my Trusted Application as service?
- – Exploring timers and secure interrupts on OP-TEE
- d. Can my application directly access physical memory? How can my Trusted Application talk to a hardware peripheral?
- – Overview of static/pseudo trusted apps. Running applications in kernel mode vs. user mode on OP-TEE; exploring the limitations of a dynamic Trusted Application
- e. Resource sharing between secure and non-secure world OS
- – Awareness of restrictions when a peripheral is being accessed both in secure and non-secure world
- f. How do I reduce the code size of OP-TEE?
- – Code size overview with various options
- Example Trusted Application
- a. Getting started with a Trusted Application
- – HelloWorld test application overview
- b. Using OpenSSL running on Linux to interface with a Trusted Application on OP-TEE
- – OpenSSL engine overview, implementing interfaces to call into a Trusted Application
Akshay Bhat
Have questions about OP-TEE and want to chat with Akshay while you’re at Arm TechCon? To schedule a meeting, please contact him directly via email.
Could you benefit from a no-obligation, 30-minute security services consultation? Simply fill out our online form, email us at sales@timesys.com or call us at 1.866.392.4897 (toll-free) or +1.412.232.3250.
Could you benefit from a no-obligation,
30-minute security services consultation?
Simply fill out the form or email us at sales@timesys.com, and we will be in touch within one business day to schedule a date and time that works for you. Or you can call us at 1.866.392.4897 (toll-free) or +1.412.232.3250.
* Denotes required field.