Project RP016: OpenSBI feature additions to support TEEs for RISC-V

Bidding Starts: 9/26/2025

Bidding Ends: 10/20/2025

Summary:

This project adds core SW infrastructure to OpenSBI in order to support running TEEs such as OP-TEE. A separate future project will focus on OP-TEE enablement building on top of this one.

Milestones to Deliver:

Each milestone below lists: #, Milestone, Description, Resources if any, Deliverables.

1. Baseline Setup

  • A reproducible integration of multiple relevant repositories needs to be created

  • This is especially important given that there is in-flight work available that is directly relevant to this project

  • This is also very important to create a continuing channel for interested partners in obtaining and trialling the code to begin the feedback loop

  • The integration must contain at least the following:

    • QEMU

    • OpenSBI

    • Linux (OpenSBI Domain A)

    • Simple Bare-metal U/S-Mode app environment (OpenSBI Domain B)

    • Domains A and B shall be the target of the OpenSBI feature extensions outlined below

    • Feature development and milestone tagging should follow standard methods

Deliverables:

  • Integration repository

  • Documentation

2. Support for External Interrupts using the APLIC

  • OpenSBI needs extensions to service external interrupts at M-Mode as a precursor to potentially relaying that interrupt to an appropriate OpenSBI Domain (item 3 below)

Deliverables:

  • Feature branch in the integration repository

  • Documentation

  • Tests

3. Interrupt driven OpenSBI Domain Context Switching

  • OpenSBI needs extensions to associate external interrupts with corresponding OpenSBI Domains such that interrupts are delivered to the appropriate Domain at S-Mode in a timely manner

  • This includes the logic necessary to ensure that external interrupts are managed appropriately when the target OpenSBI Domain is currently not in-context

  • This enables scenarios such as:

    • TEE resident secure HW drivers that have TEE resident handlers at S-Mode

      • If the external interrupt intended for the secure HW driver occurs when the TEE is not in-context at S-Mode, then the interrupt must be serviced by OpenSBI and arrangements must be made to restore the TEE S-Mode context plus delivery of the interrupt at S-Mode

      • If the interrupt occurs when the TEE is in-context, it must be delivered to S-Mode directly by a priori arrangement.

    • REE (e.g. Linux) specific interrupts that occur when the TEE is in-context

      • If the external interrupt or local interrupt intended for the REE occurs when the TEE is in-context then the interrupt must be serviced by OpenSBI and arrangements must be made to restore the REE S-Mode context plus delivery of the interrupt at S-Mode. Accommodation must be made to inform the TEE suitably so that it may perform any state management first

Deliverables:

  • Feature branch in the integration repository

  • Documentation

  • Tests

4. Generic support for platform specific system level HW isolation features

  • OpenSBI needs extensions to allow optional, platform specific, system level HW isolation features to be specified, configured and used on a per OpenSBI Domain specific basis

  • The configuration and usage must be done in a phased manner

    • Boot time

    • Before switching to an OpenSBI Domain

    • After switching out an OpenSBI Domain

  • DeviceTree must be the basis for specifying platform specific, system level HW isolation features and their configuration for each Domain

Deliverables:

  • Feature branch in the integration repository

  • Documentation

  • Tests

5. Concrete support for WorldGuard based system level HW isolation

  • OpenSBI needs extensions to support WorldGuard based HW isolation using the generic mechanisms introduced in 4 above

  • This includes boot time and OpenSBI Domain context switch time WorldGuard configuration

Deliverables:

  • Feature branch in the integration repository

  • Documentation

  • Tests

6. OpenSBI Floating Point Context and Vector Context management

  • OpenSBI needs extensions to support optional context management of HW Floating Point and Vector Unit context

  • This includes optional lazy context management for OpenSBI Domains

Deliverables:

  • Feature branch in the integration repository

  • Documentation

  • Tests

Developer Expectations:

  • The primary focus is on feature completion:

    • Given the nature of the technologies involved, we want to enable RISE member engineers to quickly try the code in production to provide feedback that guides up-streaming

    • As such, the emphasis is on quick execution, integration and delivery, with upstreaming as a parallel background effort

    • This is particularly important to set the stage for the aforementioned follow-on OP-TEE enablement project

  • The target platforms are:

    • qemu-system-riscv32 multicore

    • qemu-system-riscv64 multicore

  • The platforms must target the RVA23 profile and use standard QEMU options with the following key platform elements in scope:

    • MMU

    • APLIC with wired interrupts

  • The project focuses on enabling TEEs at S-Mode

  • The project attempts to focus on technologies whose specifications are already ratified or very stable from an RVI specification PoV

  • Evidence of experience in OpenSBI development is desirable

  • Evidence of experience in TEE development, especially OP-TEE, is desirable

Please review the scope of work, key technical objectives, expected deliverables, and milestone-based requirements. The intent is to establish a clear and achievable roadmap to complete the feature parity effort.

Success Criteria

  • High quality implementations of all milestones completed as stipulated, including tagged milestone specific release repositories, documentation and implemented test plans

  • Demonstrations of each Milestone’s deliverables to the RISE Sec SW WG

Interested vendors should submit their proposals including:

  1. Technical approach and implementation plan.

  2. A breakdown of the total cost along with the individual costs and durations for each milestone.

Please provide a breakdown of the total cost along with the individual costs and durations for each phase.

Please reach out to rfpinfo@riseproject.dev if you have any questions.


Please read the RISE RFP instructions PRIOR to bidding.

Some things to note include:

  • Contracts will be written using the Standard Linux Foundation Europe Paper with the SOW and payment schedule added as an addendum. 

    • Please review prior to your bid submission to address any concerns.

    • Contract Language is not negotiable as Linux Foundation will be contracting the work and paying the invoices.

  • Contracts are milestone based, not hourly.

  • Biweekly progress reporting is a requirement of this contract.


Bidding is Closed