Lines Matching +full:secure +full:- +full:only
1 .. SPDX-License-Identifier: GPL-2.0
4 OP-TEE (Open Portable Trusted Execution Environment)
7 The OP-TEE driver handles OP-TEE [1] based TEEs. Currently it is only the ARM
8 TrustZone based OP-TEE solution that is supported.
10 Lowest level of communication with OP-TEE builds on ARM SMC Calling
11 Convention (SMCCC) [2], which is the foundation for OP-TEE's SMC interface
12 [3] used internally by the driver. Stacked on top of that is OP-TEE Message
15 OP-TEE SMC interface provides the basic functions required by SMCCC and some
16 additional functions specific to OP-TEE. The most interesting functions are:
18 - OPTEE_SMC_FUNCID_CALLS_UID (part of SMCCC) returns the version information
21 - OPTEE_SMC_CALL_GET_OS_UUID returns the particular OP-TEE implementation, used
22 to tell, for instance, a TrustZone OP-TEE apart from an OP-TEE running on a
23 separate secure co-processor.
25 - OPTEE_SMC_CALL_WITH_ARG drives the OP-TEE message protocol
27 - OPTEE_SMC_GET_SHM_CONFIG lets the driver and OP-TEE agree on which memory
28 range to use for shared memory between Linux and OP-TEE.
34 OP-TEE architecture::
36 User space Kernel Secure world
38 +--------+ +-------------+
40 +--------+ | Application |
41 /\ +-------------+
42 || +----------+ /\
43 || |tee- | ||
45 || +----------+ +-------------+
47 +-------+ || | API |
48 + TEE | || +--------+--------+ +-------------+
49 | Client| || | TEE | OP-TEE | | OP-TEE |
51 +-------+----------------+----+-------+----+-----------+-------------+
52 | Generic TEE API | | OP-TEE MSG |
54 +-----------------------------+ +------------------------------+
56 RPCs (Remote Procedure Calls) are requests from secure world to kernel driver
57 or tee-supplicant. An RPC is identified by a special range of SMCCC return
60 tee-supplicant without further involvement of the driver, except switching
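The SMC function IDs listed above and the RPC return-code range are both plain bit layouts, so they can be shown in code without hardware. The following is an added example, not code from the kernel documentation or from the OP-TEE driver: it encodes function IDs the way the SMC Calling Convention lays them out (fast/yielding bit, SMC32/SMC64 bit, owning entity number, function number), decodes them back, classifies return values as RPC versus final return, and walks the driver-side loop of "yielding call, service RPC, re-enter" against a constructed stand-in for secure world. The OP-TEE-specific numbers (owning entity 50 for OP-TEE's own calls, 63 for the SMCCC UID query, function numbers 0x0000, 0x0003, 0x0004, 0x0007, and the 0xFFFF0000 RPC prefix) are the author's reading of optee_smc.h and are assumptions here, not values quoted on this page.

```c
/*
 * Added example (not the kernel's or OP-TEE's code): SMCCC function ID
 * encoding/decoding and OP-TEE RPC return handling.
 *
 * SMCCC function ID layout:
 *   bit 31     1 = fast call, 0 = yielding (standard) call
 *   bit 30     1 = SMC64, 0 = SMC32
 *   bits 29:24 owning entity number (OEN); 50..63 are Trusted OS calls
 *   bits 23:16 reserved, must be zero
 *   bits 15:0  function number
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMCCC_STD_CALL   0u
#define SMCCC_FAST_CALL  1u
#define SMCCC_SMC_32     0u
#define SMCCC_SMC_64     1u
#define SMCCC_OWNER_TRUSTED_OS      50u  /* assumption: OEN used by OP-TEE */
#define SMCCC_OWNER_TRUSTED_OS_END  63u  /* assumption: OEN of the UID query */

/* Function numbers SMCCC reserves in every OEN range */
#define SMCCC_FUNCID_CALL_COUNT  0xFF00u
#define SMCCC_FUNCID_CALLS_UID   0xFF01u
#define SMCCC_FUNCID_REVISION    0xFF03u

#define SMCCC_CALL_VAL(type, conv, owner, func) \
    (((uint32_t)(type) << 31) | ((uint32_t)(conv) << 30) | \
     (((uint32_t)(owner) & 0x3Fu) << 24) | ((uint32_t)(func) & 0xFFFFu))

/* OP-TEE function IDs; the function numbers are assumptions (see lead-in) */
#define OPTEE_SMC_CALLS_UID \
    SMCCC_CALL_VAL(SMCCC_FAST_CALL, SMCCC_SMC_32, SMCCC_OWNER_TRUSTED_OS_END, SMCCC_FUNCID_CALLS_UID)
#define OPTEE_SMC_CALL_GET_OS_UUID \
    SMCCC_CALL_VAL(SMCCC_FAST_CALL, SMCCC_SMC_32, SMCCC_OWNER_TRUSTED_OS, 0x0000u)
#define OPTEE_SMC_CALL_RETURN_FROM_RPC \
    SMCCC_CALL_VAL(SMCCC_STD_CALL, SMCCC_SMC_32, SMCCC_OWNER_TRUSTED_OS, 0x0003u)
#define OPTEE_SMC_CALL_WITH_ARG \
    SMCCC_CALL_VAL(SMCCC_STD_CALL, SMCCC_SMC_32, SMCCC_OWNER_TRUSTED_OS, 0x0004u)
#define OPTEE_SMC_GET_SHM_CONFIG \
    SMCCC_CALL_VAL(SMCCC_FAST_CALL, SMCCC_SMC_32, SMCCC_OWNER_TRUSTED_OS, 0x0007u)

struct smccc_fid { bool fast; bool smc64; uint32_t oen; uint32_t func; };

static struct smccc_fid smccc_decode(uint32_t fid)
{
    struct smccc_fid d;
    d.fast  = (fid >> 31) & 1u;
    d.smc64 = (fid >> 30) & 1u;
    d.oen   = (fid >> 24) & 0x3Fu;
    d.func  = fid & 0xFFFFu;
    return d;
}

/* SMCCC requires bits 23:16 to be zero; reject IDs that set them. */
static bool smccc_fid_is_valid(uint32_t fid) { return (fid & 0x00FF0000u) == 0; }

/* Return-value conventions (assumption: as in optee_smc.h) */
#define OPTEE_SMC_RETURN_OK               0x0u
#define OPTEE_SMC_RETURN_UNKNOWN_FUNCTION 0xFFFFFFFFu
#define OPTEE_SMC_RETURN_RPC_PREFIX_MASK  0xFFFF0000u
#define OPTEE_SMC_RETURN_RPC_PREFIX       0xFFFF0000u
#define OPTEE_SMC_RETURN_RPC_FUNC_MASK    0x0000FFFFu

/* An RPC request is any value in the 0xFFFF0000 range except "unknown function". */
static bool optee_return_is_rpc(uint32_t ret)
{
    return ret != OPTEE_SMC_RETURN_UNKNOWN_FUNCTION &&
           (ret & OPTEE_SMC_RETURN_RPC_PREFIX_MASK) == OPTEE_SMC_RETURN_RPC_PREFIX;
}

static uint32_t optee_rpc_func(uint32_t ret) { return ret & OPTEE_SMC_RETURN_RPC_FUNC_MASK; }

/* Constructed stand-in for secure world: replays a scripted list of return values. */
struct fake_secure_world { const uint32_t *script; size_t len; size_t pos; uint32_t last_fid; };

static uint32_t fake_smc(struct fake_secure_world *sw, uint32_t fid)
{
    sw->last_fid = fid;
    if (!smccc_fid_is_valid(fid) || sw->pos >= sw->len)
        return OPTEE_SMC_RETURN_UNKNOWN_FUNCTION;
    return sw->script[sw->pos++];
}

/*
 * Driver-side loop: enter with OPTEE_SMC_CALL_WITH_ARG, service each RPC,
 * re-enter with OPTEE_SMC_CALL_RETURN_FROM_RPC until a non-RPC value returns.
 * Returns the number of RPCs serviced, or -1 if secure world rejected the call.
 */
static int optee_do_call_with_arg(struct fake_secure_world *sw, uint32_t *final_ret)
{
    uint32_t fid = OPTEE_SMC_CALL_WITH_ARG;
    int rpcs = 0;
    for (;;) {
        uint32_t ret = fake_smc(sw, fid);
        if (!optee_return_is_rpc(ret)) {
            *final_ret = ret;
            return ret == OPTEE_SMC_RETURN_UNKNOWN_FUNCTION ? -1 : rpcs;
        }
        printf("servicing RPC function 0x%04x\n", optee_rpc_func(ret));
        rpcs++;
        fid = OPTEE_SMC_CALL_RETURN_FROM_RPC;
    }
}

/* Constructed script: two RPC requests (functions 4 and 5), then OK. */
static const uint32_t demo_script[] = { 0xFFFF0004u, 0xFFFF0005u, OPTEE_SMC_RETURN_OK };

/* Runs the script; returns the RPC count only if the loop ended correctly. */
static int demo_rpc_count(void)
{
    struct fake_secure_world sw = { demo_script, 3, 0, 0 };
    uint32_t final_ret = 0xDEADBEEFu;
    int n = optee_do_call_with_arg(&sw, &final_ret);
    return (final_ret == OPTEE_SMC_RETURN_OK &&
            sw.last_fid == OPTEE_SMC_CALL_RETURN_FROM_RPC) ? n : -1;
}

int main(void)
{
    printf("OPTEE_SMC_CALLS_UID      = 0x%08x\n", OPTEE_SMC_CALLS_UID);
    printf("OPTEE_SMC_CALL_WITH_ARG  = 0x%08x\n", OPTEE_SMC_CALL_WITH_ARG);
    printf("OPTEE_SMC_GET_SHM_CONFIG = 0x%08x\n", OPTEE_SMC_GET_SHM_CONFIG);
    printf("RPCs serviced in demo: %d\n", demo_rpc_count());
    return 0;
}
```

The loop is the part worth studying: a yielding call is not "done" when the SMC instruction returns, and the driver has to keep re-entering secure world until a value outside the RPC range comes back, which is also why a stuck or malicious tee-supplicant can pin a calling thread.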
63 OP-TEE device enumeration
64 -------------------------
66 OP-TEE provides a pseudo Trusted Application: drivers/tee/optee/device.c in
67 order to support device enumeration. In other words, the OP-TEE driver invokes this
71 OP-TEE notifications
72 --------------------
74 There are two kinds of notifications that secure world can use to make
79 2. Asynchronous notifications delivered with a combination of a non-secure
80 edge-triggered interrupt and a fast call from the non-secure interrupt
84 this is only usable when secure world is entered with a yielding call via
85 ``OPTEE_SMC_CALL_WITH_ARG``. This excludes such notifications from secure
88 An asynchronous notification is delivered via a non-secure edge-triggered
89 interrupt to an interrupt handler registered in the OP-TEE driver. The
98 building block for OP-TEE OS in secure world to implement the top half and
102 ----------------------------------------
105 BL32 OP-TEE image from the kernel after the kernel boots, rather than loading
116 * Attack vector: Replace the OP-TEE OS image in the rootfs to gain control of
120 rootfs, otherwise an attacker can modify the loaded OP-TEE binary by
126 OP-TEE driver isn't loaded, leaving the SMC hole open.
135 OP-TEE can be exploited to then load an alternate OS image.
137 * Mitigation: The OP-TEE driver must be loaded before any potential attack
142 4. Blocking SMC call to load OP-TEE.
145 load OP-TEE isn't executed when desired, leaving it open to being executed
148 * Mitigation: It is recommended to build the OP-TEE driver as a builtin driver
155 [1] https://github.com/OP-TEE/optee_os
166 [6] https://trustedfirmware-a.readthedocs.io/en/latest/threat_model/threat_model.html