Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OP-TEE.pdf

Avatar for wayling wayling
October 04, 2018
0
370

 OP-TEE.pdf

2018 TDOH conf

Avatar for wayling

wayling

October 04, 2018
Tweet

Featured

See All Featured
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
36
2.7k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
46
14k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
31
1.2k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.4k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
137
34k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
6.6k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.6k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.3k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
30
2.1k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
4
190
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k

Transcript

  1. The things behind OP-TEE 2018/09/29 la la land

  2. id (uid=1000(la la land) gid=1000(la la land) groups=1000(la la land))

    #北部回收業者 #肥宅 #無業游民 #來吃大食團 #交朋友 #kernel愛好者

  3. 今天要講一個很OP的東西...

  4. OP 鄉民用語?

  5. OP-TEE ?? Open Portable Trusted Execution Environment

  6. 執行於armv7/v8-A TrustZone環境的作業 系統核心

  7. 生活中的TrustZone???

  8. None
  9. None

  10. TrustZone的上層應用 • DRM (WideVine, PlayReady, DTCP-IP) • Secure key storage

    (dm-verify) • Mobile payments • Protected hardware (framebuffer, PIN entry) • Management of secure boot (via QFuses) • Kernel integrity monitoring (TIMA)

  11. 先來講一些armv8-A和trustzone的故事...

  12. ARM architecture

  13. 玩家該注意的東西 - SoC • 常見OTT的SoC

  14. armv8-A and TrustZone • Arm TrustZone 提供物理層級的隔離環境(non security/security world) ◦

    控制訪問各個IP的能力及限制DDR的存取權限 ◦ CPU內部暫存器也提供了權限的限制 • TrustZone/security world 有一套banked register + MMU • 定義 non security/security 中斷 (IRQ/FIQ) ◦ security 中斷只能被security 看到並處理 • 開機從security world開始 ◦ 建立trust chain • SCR (Secure Configuration Register) ◦ scr = 1 (non security), scr = 0 (security) • 一道新指令 : SMC (Secure Monitor Call) ◦ 觸發exception,讓CPU 能夠進入monitor • 定義了4個特權級 (EL0-3)

  15. armv8-A 提供了物理層級的隔離環境: Trusted Execution Environment(TEE,trusted) Rich Execution Environment(REE,not trtusted)

  16. armv8-A (EL, Exception Level)

  17. Monitor mode • 總是執行於security world 的狀態,但是可以藉由SCR.NS去讀不同暫存器 ◦ case 1 :

    SCR.NS = 1,MMU還是會使用security 的ttbr0/ttbr1,但是你去讀取的會讀到 non security的ttbr0/ttbr1 ◦ case 2 : SCR.NS = 0,MMU還是會使用security 的ttbr0/ttbr1,你去讀取的會讀到non security的 ttbr0/ttbr1 • Monitor mode擁有最高執行權限,所以被設計來作為非安全/安全的一個閘道 ◦ 非安全狀態跟安全狀態的切換 (context switch) ◦ 讀取一些跟arm相關的狀態(PSCI,Power State Coordination Interface) ◦ arm自己有定義一套軟體 (ATF,arm trusted firmware)作為標準執行於monitor mode

  18. arm 提供了安全防護標配 • ARM Trusted Firmware(ATF) • security boot flow

  19. ARM Trusted Firmware • 提供標準的 EL3 firmware ◦ 目標所以有arm 64都支援

    • 給各間IC設計公司參考 ◦ Power State Coordination Interface (PSCI) ◦ SMC Calling Convention ◦ Configuration of ARM hardware

  20. • 標準的boot 流程,可是實際產品 都會跟這有差別

  21. • 現代SoC內基本都不 只一顆CPU...

  22. armv8文件 1. ARM® Architecture Reference Manual ARMv8, for ARMv8-A architecture

    profile 2. ARM® Cortex® -A53 MPCore Processor Revision: Technical Reference Manual 3. ARM® Cortex® -A Series Version: 1.0 Programmer’s Guide for ARMv8-A 4. ARM Security Technology Building a Secure System using TrustZone® Technology 5. ARM® Generic Interrupt Controller Architecture version 2.0 Architecture Specification 6. CoreLink™ GIC-400 Generic Interrupt Controller Revision: r0p0 Technical Reference Manual

  23. 開始介紹今天主角OP-TEE

  24. OP-TEE • open source的TEE - (BSD 2-Clause) • 最新版本v3.2,可是今天主要講的是v2.4 •

    實作GlobalPlatform API ◦ 1999創立定義smart card標準的一個組織 ◦ 定義一些行動裝置安全的標準 ◦ 定義TEE並訂出API ▪ TEE Client API Specification v1.0 July 2010 ▪ TEE Internal API Specification v1.0 Dec 2011 • Internal Core API v1.1 June 2014 • 最早2007由ST開發,現在是linaro 接管,使用github平台來管理所有程式碼

  25. OP-TEE • 目前mainline kernel已經有 OP-TEE的driver(4.12時整合完成) • Android(AOSP)也已經跟OP-TEE 整合完成 • 支援的平台很多

    • 算是比較堪用的TEE kernel

  26. Hello World • 一個hello world包含兩部份 CA/TA ◦ Client Application (CA)

    - GlobalPlatform TEE Client API ◦ Trusted Application (TA) - GlobalPlatform TEE Internal Core API • CA就是一般linux app • TA就是一個static link的pie ELF執行檔(包含header)

  27. Hello World 結構 ta結構 : header + ELF 檔案

  28. Key Concepts Context: Connection from CA to the Trusted OS.

    Session: Connection from CA to TA. Command: Unit of Communication from CA to TA. Shared Memory: Shared buffers allocated by Client API or by CA and registered.

  29. initiation & open session res = TEEC_InitializeContext(NULL, &ctx); if (res

    != TEEC_SUCCESS) errx(1, "TEEC_InitializeContext failed with code 0x%x", res); res = TEEC_OpenSession(&ctx, &sess, &uuid,TEEC_LOGIN_PUBLIC, NULL, NULL, &err_origin); if (res != TEEC_SUCCESS) errx(1, "TEEC_Opensession failed with code 0x%x origin 0x%x", res, err_origin);

  30. ta 載入流程

  31. invoke op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_NONE,TEEC_NONE, TEEC_NONE); op.params[0].value.a = 42; printf("Invoking

    TA to increment %d\n", op.params[0].value.a); res = TEEC_InvokeCommand(&sess,TA_HELLO_WORLD_CMD_INC_VALUE, &op,&err_origin); if (res != TEEC_SUCCESS) errx(1, "TEEC_InvokeCommand failed with code 0x%x origin 0x%x",res, err_origin);

  32. close session and finalize TEEC_CloseSession(&sess); TEEC_FinalizeContext(&ctx);

  33. 滿滿的TAT https://github.com/OP-TEE/optee_test/tree/master/ta

  34. 如果..今天想要自幹一個security OS...

  35. None

  36. OP-TEE internal • Secure Monitor Calls - SMC • Thread

    handling • Virtual memory, MMU • Scheduler • File system(Secure Storage) • Trusted Applications • Interrupt

  37. Secure Monitor Calls - SMC

  38. SMC整個處理流程 1. 觸發SMC指令並傳遞參數 2. 保存normal world的暫存器(gp_registers及sys_registers, BL31) 3. 進入OPTEE的handler (OP-TEE會註冊一個callback在BL31)

    4. 恢復secure EL1的暫存器(gp_registers及sys_registers, BL31) 5. eret
  39. None

  40. Virtual memory , MMU • OP-TEE有使用virtual memory的概念,也有pager的概念,可是這裡探討的是沒開 pager的 virtual memory

    • OP-TEE core - ttbr1 (section mapping,1MB page) • Threads - ttbr0 (page mapping,4K page,2level)

  41. memory map • register_phys_mem (core/arch/arm/mm/core_mmu.c) 用於註冊memory • init_mem_map : 開機時會填

    page table

  42. What’s Virtual memory • Virtual address(VA) -> MMU -> physical

    address(PA) • thread的VA可以相同只要page table有管理好即可 ◦ thread使用4k page (2level) • OP-TEE core也有VA->PA可是使用flat mapping所以VA跟PA相同可是還是要 經過MMU ◦ OP-TEE core 使用1MB page

  43. page table thread OP-TEE core thread

  44. Scheduler OP-TEE does not have its own scheduler, instead it

    is being scheduled by Linux kernel.

  45. File system(Secure Storage)

  46. Trusted Applications • Pseudo Trusted Applications (pta) ◦ 類似系統特殊服務角色,不需透過GP API

    跟OPTEE編譯在一起 ◦ https://github.com/OP-TEE/optee_os/tree/master/core/arch/arm/pta ▪ (內建的範例) • User Mode Trusted Applications (dynamic ta) ◦ 一般TA,根據應用自己撰寫

  47. Interrupt OP-TEE定義兩種interrupt • arm gic 可以配置security interrupt/non security interrupt ◦

    一般我們3C裝置使用的是gicv2, gicv3的設計很不同 • Native interrupt ◦ 在optee本地處理的(security interrupt) • Foreign interrupt ◦ 不被optee處理的中斷(non security interrupt)

  48. Interrupt • case 1 : normal interrupt發生在linux ◦ linux kernel

    ISR處理掉 • case 2: normal interrupt 發生再OP-TEE ◦ optee -> bl31->linux處理 ->bl31->optee • case 3: security interrutp發生在linux ◦ bl31->optee->bl31->linux • case 4:security interrutp發生在OP-TEE ◦ OP-TEE ISR處理掉 normal (case 2) secruity (case 4) secruity (case 3) normal (case 1)

  49. case 2 : Foreign interrupt

  50. 如何把玩OP-TEE • 支持的平台非常多,如果想一次到位, 推荐HiKey960, 低價方案推荐Allwinner A64 Pine64 Board/Raspberry Pi 3

    • 單純想玩玩可以使用 QEMU,建議研究QEMUv8版本 ◦ repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml ◦ repo sync ◦ cd build ◦ make -f qemu_v8.mk run -j4
  51. None

  52. Any questions?