Image result for optee

Overview

In today’s digital world security plays a very crucial role. Given the rise of number attacks on data, software systems and hardware platform on various institutions like banks, governments, hospitals, data centers etc, there is urgent need for highly secure mechanism to protect assets with no vulnerability left and there is huge in what being actually visioned and what being actually implemented. Fortunately, this security hole is filled with the Trusted Execution Environment (TEE). TEE is the ARM processor security extension designed and  architected with the help of security centric designed hardware and soc, and secure software extensions layers on top the hardware. This approach issolates TEE from Rich OSs or Rich Execution Environment (REE) for example linux, freebsd etc.

OPTEE secure mechanism for embedded world

OPTEE, Open Source Portable Trusted Execution Environment is small operating system which resides in secure hardware implemented Trust Zone(TZ) RAM and executes in hardware implemented secure virtual processor. Trust zone supported hardware and software is designed carefully by keeping in eye various hardware, software, cryptographic  and application security aspects, which isolates two world Non Secure World and Secure world from top to bottom.

Secure World : which known as trusted execution environment which have trusted applications Operating system running in secure state(a state of running processor), also know as OPTEE OS.

Non Secure world: These are the normal operating system which are rich in features therefor also known as Rich Execution Environment or Rich OS. For example linux.

Non secure world and secure world switch between each other by using Secure Monitor Call (SMC) in case of ARM32 and Arm Trusted Firmware(ATF) in case of ARM64.

TEE or Secure World comprises of secure boot, Trusted OS and Trusted Applications.

All the mission critical secure operations are performed in TEE and Normal world or REE utilises these services.

Uses cases    

  • Digital Right  Management(DRM) protected videos
  • Secure Payment Terminals and applications
  • Secure and Boot
  • Authentication with boot trust chain
  • Mobile Commerce Application – Secure Transactions such as:
    • Mobile Wallets, Contactless payments (NFC)
    • Secure Point Of Sale (Secure POS)
  • Authentication: Biometric ID methods
    • Facial recognition, fingerprint sensor and voice authorization 
  • Secure software and hardware stack
    • Secure and Authenticated Boot

 

Features         

  • Secure Operations: Optee provide following APIs for secure operations
    • Tee client side Apis
    • Tee Core APIs include: These are as accordance with Gloabal Plaform Specification and Standards:
      • Secure Storage APIs for secure storage
      • Cryptographic Operations APIs for encryption, decryption of secure credentials and data
      • Secure Element API which help in hosting applications or applets on tamper-resistant platform
      • Time APIs
      • Arithmetical APIs
  • Isolated Environments: Optee provides two different REE and TEE environments
    • This governs controlled and limited access to Secure world or TEE.
  • Small size: As of writing this(October 2018), the size of OPTEE is 252K.
  • Scalability and Portability: Multiple OPTEE environments (including OPTee OS and Trusted Applications )can run simultaneously on same platform.

 

What Amarula Solutions can offer in OPTEE

Amarula solutions have dedicated team for who are working optee, as of now we offer following:

Porting optee on all imx6qdl boards variants and its  and with different peripherals from firmware to Rich OS(REE) with secure boot chain of trust.

Write Trusted applications for optee and integrating them with their counterpart in REE.

This includes many security features such as:

  • Cryptographic operations on credentials data.
  • Tamper Detection
  • Secure storage

Amarula solutions provide different optee solutions based on customer requirement. We have successful port optee on Engicam reference design platform and included in our buildroot environment. Test was performed on top of the imx6 SoM

We have applied patches on top of Mainline u-boot and linux kernel using the latest versions of both project.

We have performed the both benchmark and regression tests with level 15 (That means covering all tests including optional ones),  we got all positive results. Here is the tests results chart:

OPTEE  Benchmark Tests  Results:

Platform Test type and number Test Level Result
imx6q benchmark_1001 15 OK
imx6q benchmark_1002 15 OK
imx6q benchmark_1003 15 OK
imx6q benchmark_2001 15 OK
imx6q benchmark_2002 15 OK
imx6q benchmark_2011 15 OK
imx6q benchmark_2012 15 OK

 

OPTEE  Regression Tests  Results:

Platform Test type and number Test Level Result
imx6q regression_1001 15 OK
imx6q regression_1002 15 OK
imx6q regression_1003 15 OK
imx6q regression_1004 15 OK
imx6q regression_1005 15 OK
imx6q regression_1006 15 OK
imx6q regression_1007 15 OK
imx6q regression_1008 15 OK
imx6q regression_1009 15 OK
imx6q regression_1010 15 OK
imx6q regression_1011 15 OK
imx6q regression_1012 15 OK
imx6q regression_1013 15 OK
imx6q regression_1015 15 OK
imx6q regression_1016 15 OK
imx6q regression_1017 15 OK
imx6q regression_1018 15 OK
imx6q regression_1019 15 OK
imx6q regression_2001 15 OK
imx6q regression_2002 15 OK
imx6q regression_2003 15 OK
imx6q regression_2004 15 OK
imx6q regression_4001 15 OK
imx6q regression_4002 15 OK
imx6q regression_4003 15 OK
imx6q regression_4004 15 OK
imx6q regression_4005 15 OK
imx6q regression_4006 15 OK
imx6q regression_4007 15 OK
imx6q regression_4008 15 OK
imx6q regression_4009 15 OK
imx6q regression_4010 15 OK
imx6q regression_4011 15 OK
imx6q regression_4012 15 OK
imx6q regression_5006 15 OK
imx6q regression_6001 15 OK
imx6q regression_6002 15 OK
imx6q regression_6003 15 OK
imx6q regression_6004 15 OK
imx6q regression_6005 15 OK
imx6q regression_6006 15 OK
imx6q regression_6007 15 OK
imx6q regression_6008 15 OK
imx6q regression_6009 15 OK
imx6q regression_6010 15 OK
imx6q regression_6012 15 OK
imx6q regression_6013 15 OK
imx6q regression_6014 15 OK
imx6q regression_6015 15 OK
imx6q regression_6016 15 OK
imx6q regression_6017 15 OK
imx6q regression_6018 15 OK
imx6q regression_6019 15 OK
imx6q regression_6020 15 OK
imx6q regression_7001 15 OK
imx6q regression_7002 15 OK
imx6q regression_7003 15 OK
imx6q regression_7004 15 OK
imx6q regression_7005 15 OK
imx6q regression_7006 15 OK
imx6q regression_7007 15 OK
imx6q regression_7008 15 OK
imx6q regression_7009 15 OK
imx6q regression_7010 15 OK
imx6q regression_7013 15 OK
imx6q regression_7016 15 OK
imx6q regression_7017 15 OK
imx6q regression_7018 15 OK
imx6q regression_7019 15 OK
imx6q regression_8001 15 OK
imx6q regression_8002 15 OK
imx6q regression_8101 15 OK
imx6q regression_8102 15 OK
imx6q regression_8103 15 OK

 

Here is the details of Entire Software Stack Used:

  • Linux kernel version: 69d5b97c597307773fe6c59775a5d5a88bb7e6b3 (4.19)
  • Optee_os version: ee595e950f5be1ace3e831261c22a0e99f959046 (3.3.0)
  • Optee_test version: 5659bceaa001cf8271327d8c0005c8ef3371fdfc (3.3.0)
  • Optee_client version: c48bc3be9f23529952c7dd80ddd775bf580315b8 (3.3.0)
  • Optee demo application version: 552c9d08acfaa13afe5699bbbc26f06b0 (3.3.0)
  • U-boot version:  15f22ac2eea5ee9f17b14a143c94e7480bbafbff (2018.11-rc1)