
Overview

In today's digital world, security plays a crucial role. Given the rising number of attacks on the data, software systems and hardware platforms of institutions such as banks, governments, hospitals and data centers, there is an urgent need for a highly secure mechanism that protects assets and leaves no vulnerability, and there is a huge gap between what is envisioned and what is actually implemented. Fortunately, this security hole is filled by the Trusted Execution Environment (TEE). TEE is the ARM processor security extension, designed and architected with security-centric hardware and SoCs, with secure software extension layers on top of the hardware. This approach isolates the TEE from Rich OSs, or the Rich Execution Environment (REE), for example Linux, FreeBSD etc.

OPTEE: a secure mechanism for the embedded world

OPTEE (Open Source Portable Trusted Execution Environment) is a small operating system that resides in secure, hardware-implemented TrustZone (TZ) RAM and executes on a hardware-implemented secure virtual processor. TrustZone-enabled hardware and software are designed with various hardware, software, cryptographic and application security aspects in mind, isolating the two worlds, the Non-Secure World and the Secure World, from top to bottom.

Secure World: also known as the trusted execution environment; it contains the trusted applications and the operating system running in secure state (a state of the running processor), also known as OPTEE OS.

Non-Secure World: the normal operating systems, which are rich in features and therefore also known as the Rich Execution Environment or Rich OS. For example, Linux.

The Non-Secure World and the Secure World switch between each other using the Secure Monitor Call (SMC) in the case of ARM32 and Arm Trusted Firmware (ATF) in the case of ARM64.

The TEE, or Secure World, comprises secure boot, the Trusted OS and Trusted Applications.

All mission-critical secure operations are performed in the TEE, and the Normal World, or REE, uses these services.

Use cases

  • Digital Rights Management (DRM) protected videos
  • Secure Payment Terminals and applications
  • Secure and Boot
  • Authentication with boot trust chain
  • Mobile Commerce Application – Secure Transactions such as:
    • Mobile Wallets, Contactless payments (NFC)
    • Secure Point Of Sale (Secure POS)
  • Authentication: Biometric ID methods
    • Facial recognition, fingerprint sensor and voice authorization 
  • Secure software and hardware stack
    • Secure and Authenticated Boot

 

Features

  • Secure operations: OPTEE provides the following APIs for secure operations:
    • TEE client-side APIs
    • TEE Core APIs, in accordance with the GlobalPlatform specifications and standards, which include:
      • Secure Storage APIs for secure storage
      • Cryptographic Operations APIs for encryption and decryption of secure credentials and data
      • Secure Element API, which helps in hosting applications or applets on a tamper-resistant platform
      • Time APIs
      • Arithmetical APIs
  • Isolated environments: OPTEE provides two different environments, REE and TEE
    • This governs controlled and limited access to the Secure World, or TEE.
  • Small size: As of this writing (October 2018), the size of OPTEE is 252K.
  • Scalability and portability: Multiple OPTEE environments (including OPTEE OS and Trusted Applications) can run simultaneously on the same platform.

 

What Amarula Solutions can offer in OPTEE

Amarula Solutions has a dedicated team working on OPTEE. As of now we offer the following:

Porting OPTEE to all imx6qdl board variants and its  and with different peripherals, from firmware to the Rich OS (REE), with a secure boot chain of trust.

Writing Trusted Applications for OPTEE and integrating them with their counterparts in the REE.

This includes many security features such as:

  • Cryptographic operations on credentials data.
  • Tamper Detection
  • Secure storage

Amarula Solutions provides different OPTEE solutions based on customer requirements. We have successfully ported OPTEE to the Engicam reference design platform and included it in our buildroot environment. Testing was performed on top of the imx6 SoM.

We have applied patches on top of mainline U-Boot and the Linux kernel, using the latest versions of both projects.

We have performed both the benchmark and regression tests at level 15 (that is, covering all tests including optional ones), and we got all positive results. Here is the test results chart:

OPTEE Benchmark Test Results:

Platform  Test type and number  Test Level  Result
imx6q     benchmark_1001        15          OK
imx6q     benchmark_1002        15          OK
imx6q     benchmark_1003        15          OK
imx6q     benchmark_2001        15          OK
imx6q     benchmark_2002        15          OK
imx6q     benchmark_2011        15          OK
imx6q     benchmark_2012        15          OK

 

OPTEE Regression Test Results:

Platform  Test type and number  Test Level  Result
imx6q     regression_1001       15          OK
imx6q     regression_1002       15          OK
imx6q     regression_1003       15          OK
imx6q     regression_1004       15          OK
imx6q     regression_1005       15          OK
imx6q     regression_1006       15          OK
imx6q     regression_1007       15          OK
imx6q     regression_1008       15          OK
imx6q     regression_1009       15          OK
imx6q     regression_1010       15          OK
imx6q     regression_1011       15          OK
imx6q     regression_1012       15          OK
imx6q     regression_1013       15          OK
imx6q     regression_1015       15          OK
imx6q     regression_1016       15          OK
imx6q     regression_1017       15          OK
imx6q     regression_1018       15          OK
imx6q     regression_1019       15          OK
imx6q     regression_2001       15          OK
imx6q     regression_2002       15          OK
imx6q     regression_2003       15          OK
imx6q     regression_2004       15          OK
imx6q     regression_4001       15          OK
imx6q     regression_4002       15          OK
imx6q     regression_4003       15          OK
imx6q     regression_4004       15          OK
imx6q     regression_4005       15          OK
imx6q     regression_4006       15          OK
imx6q     regression_4007       15          OK
imx6q     regression_4008       15          OK
imx6q     regression_4009       15          OK
imx6q     regression_4010       15          OK
imx6q     regression_4011       15          OK
imx6q     regression_4012       15          OK
imx6q     regression_5006       15          OK
imx6q     regression_6001       15          OK
imx6q     regression_6002       15          OK
imx6q     regression_6003       15          OK
imx6q     regression_6004       15          OK
imx6q     regression_6005       15          OK
imx6q     regression_6006       15          OK
imx6q     regression_6007       15          OK
imx6q     regression_6008       15          OK
imx6q     regression_6009       15          OK
imx6q     regression_6010       15          OK
imx6q     regression_6012       15          OK
imx6q     regression_6013       15          OK
imx6q     regression_6014       15          OK
imx6q     regression_6015       15          OK
imx6q     regression_6016       15          OK
imx6q     regression_6017       15          OK
imx6q     regression_6018       15          OK
imx6q     regression_6019       15          OK
imx6q     regression_6020       15          OK
imx6q     regression_7001       15          OK
imx6q     regression_7002       15          OK
imx6q     regression_7003       15          OK
imx6q     regression_7004       15          OK
imx6q     regression_7005       15          OK
imx6q     regression_7006       15          OK
imx6q     regression_7007       15          OK
imx6q     regression_7008       15          OK
imx6q     regression_7009       15          OK
imx6q     regression_7010       15          OK
imx6q     regression_7013       15          OK
imx6q     regression_7016       15          OK
imx6q     regression_7017       15          OK
imx6q     regression_7018       15          OK
imx6q     regression_7019       15          OK
imx6q     regression_8001       15          OK
imx6q     regression_8002       15          OK
imx6q     regression_8101       15          OK
imx6q     regression_8102       15          OK
imx6q     regression_8103       15          OK

 

Here are the details of the entire software stack used:

  • Linux kernel version: 69d5b97c597307773fe6c59775a5d5a88bb7e6b3 (4.19)
  • Optee_os version: ee595e950f5be1ace3e831261c22a0e99f959046 (3.3.0)
  • Optee_test version: 5659bceaa001cf8271327d8c0005c8ef3371fdfc (3.3.0)
  • Optee_client version: c48bc3be9f23529952c7dd80ddd775bf580315b8 (3.3.0)
  • Optee demo application version: 552c9d08acfaa13afe5699bbbc26f06b0 (3.3.0)
  • U-boot version:  15f22ac2eea5ee9f17b14a143c94e7480bbafbff (2018.11-rc1)