LCU14-306: OP-TEE Future Enhancements 
Joakim Bech, Jens Wiklander and Pascal Brand, LCU14 
LCU14 BURLINGAME
Cryptographic Layer in OP-TEE 
● Aim and problem
  ● Interaction between TA and Cryptographic Services
  ● Does not define how the services are implemented / data structures
● Current Status
  ● LibTomCrypt is the cryptographic library in OP-TEE
  ● End user may want to switch to ...
    - OpenSSL
    - Using ARMv8-A cryptographic extensions
    - Dedicated cryptographic IP
● Enhancement
  ● Define a low level API to easily switch from one implementation to another one.
GlobalPlatform Internal Core API 1.1 
● Current Status
  ● Internal API 1.0 is supported
● Enhancement
  ● Add support for GP Internal API 1.1 released in June 2014
  ● Main updates are:
    - Elliptic Curve Digital Signature Algorithm (ECDSA)
    - Elliptic Curve Cryptography Cofactor Diffie-Hellman (ECDH)
    - Some errata with new error cause
    - A few deprecated features (object)
Secure Storage 
● Current Status
  ● File storage is implemented (using a daemon running in normal world)
  ● Data isn’t encrypted by default
  ● No persistent storage
● Enhancement
  ● Making Secure Storage … more secure
  ● Enable encryption by default
  ● Key provisioning
  ● Streaming to be taken into account
  ● Replay Protected Memory Block (RPMB) support
[Figure: block diagram showing Secure World (Trusted Application, Trusted OS), Normal World (TEE supplicant, Linux kernel), Secure monitor and RPMB]
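
The replay protection that RPMB support adds to secure storage, as an added example that is not taken from the slides or from OP-TEE's code: a simplified Python model in which the normal-world relay can resend old frames but cannot roll the stored data back. The frame layout, class names, status strings and sample data are constructed assumptions, not the real RPMB frame format.

```python
import hashlib, hmac, os, struct

def mac(key, kind, counter, payload, nonce=b""):
    """HMAC-SHA256 over kind || counter || nonce || payload (simplified, not the real RPMB frame)."""
    msg = kind + struct.pack(">I", counter) + nonce + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

class RpmbDevice:
    """Constructed model of the replay-protected block: key and write counter stay inside."""
    def __init__(self, key):
        self._key, self.counter, self.block = key, 0, b""

    def write(self, payload, counter, tag):
        if not hmac.compare_digest(tag, mac(self._key, b"W", counter, payload)):
            return "AUTH_FAILURE"
        if counter != self.counter:      # stale or replayed frame
            return "COUNTER_FAILURE"
        self.block, self.counter = payload, self.counter + 1
        return "OK"

    def read(self, nonce):
        tag = mac(self._key, b"R", self.counter, self.block, nonce)
        return self.block, self.counter, tag

class SecureWorld:
    """Trusted OS side: shares the key with the device, never with normal world."""
    def __init__(self, key):
        self._key = key

    def build_write(self, payload, counter):
        return payload, counter, mac(self._key, b"W", counter, payload)

    def verified_read(self, relay):
        nonce = os.urandom(16)           # fresh nonce: an old read response will not verify
        payload, counter, tag = relay(nonce)
        if not hmac.compare_digest(tag, mac(self._key, b"R", counter, payload, nonce)):
            raise ValueError("read response failed authentication")
        return payload

def demo():
    key = os.urandom(32)                 # constructed key; real provisioning is platform-specific
    dev, tee = RpmbDevice(key), SecureWorld(key)
    results = []
    old = tee.build_write(b"license: 5 plays left", 0)      # constructed sample data
    results.append(dev.write(*old))
    results.append(dev.write(*tee.build_write(b"license: 0 plays left", 1)))
    results.append(dev.write(*old))      # normal world resends the captured frame
    results.append(dev.write(b"license: 99 plays left", 2, b"\x00" * 32))  # no key
    current = tee.verified_read(dev.read)
    stale = dev.read(b"\x01" * 16)       # response captured under an earlier nonce
    try:
        tee.verified_read(lambda nonce: stale)
        results.append("STALE_ACCEPTED")
    except ValueError:
        results.append("STALE_REJECTED")
    return results, current

if __name__ == "__main__":
    print(demo())
```

A plain file store served by a normal-world daemon has no equivalent of the device-held counter, so encryption alone would not stop an old file from being substituted for a newer one.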
Secure Time 
● Aim and problem
  ● GlobalPlatform TEE Internal API defines support of the Clock
  ● Secure clock will be needed in DRM use cases
  ● Secure IP usage is specific to a given platform
● Current Status
  ● Only based on REE using RPC: NOT secure!
● Enhancement
  ● Enable clocks from both REE and Secure IP
  ● Create a Time API to access the Secure IP
  ● Fulfill TEE Internal API 1.1 requirements of maximum 15% deviation from real time
Reduce Memory Footprint 
● Aim and problem
  ● Memory footprint of the Trusted OS part is critical
  ● OP-TEE enables all GlobalPlatform features by default
● Enhancement
  ● Make it possible to select functionality at compile time
  ● Probably not all cryptographic algorithms are needed …
  ● Some functionality may not be needed (Big Number arithmetic, ...)
Multiple TA Support 
● Aim
  ● Enable multiple TA functions to be called at the same time
● Current Status
  ● Threading model of the Trusted OS is ready, but not activated
● Enhancement
  ● Will enable multiple TAs running in parallel
Paging 
● Aim
  ● Trusted OS may run on embedded memory which is small
● Enhancement
  ● Paging the Trusted OS would solve the memory constraint
  ● Some parts would never be paged out (MMU management, ...)
  ● Some parts could be paged in DDR (secured or encrypted)
PSCI - Power State Coordination Interface 
● Aim
  ● Make OP-TEE aware of PSCI functions.
● Current Status
  ● OP-TEE aware of: CPU_ON, CPU_OFF, CPU_SUSPEND and CPU_RESUME (as stubbed functions)
  ● ARM-Trusted-Firmware handles
  ● Implemented: PSCI_VERSION, AFFINITY_INFO
  ● Not implemented: MIGRATE, MIGRATE_INFO_TYPE, MIGRATE_INFO_UP_CPU, SYSTEM_OFF and SYSTEM_RESET
ASLR - Address Space Layout Randomization 
● Aim and problem
  ● Already exists in normal world (user space and kernel)
  ● To avoid attacks such as return-to-libc
  ● Make it random enough!
● Enhancement
  ● This feature could be part of Trusted OS
● Current limitations
  ● We use pre-defined virtual addresses
  ● Trusted Applications are currently statically linked
Other Potential Enhancements 
● GlobalPlatform Trusted UI 1.1
  ● API to display content and capture input in a secure manner.
● User-mode TEE
  ● For early Trusted Applications development and debug
  ● Avoid the need for having a full TrustZone platform
● Support for OP-TEE in QEMU
  ● Virtualization team have patches enabling TrustZone functionality
More about Linaro Connect: connect.linaro.org 
Linaro members: www.linaro.org/members 
More about Linaro: www.linaro.org/about/
