OPTEE_00_01 - OP-TEE support
- Tim Ouyang
- Yu Chien Peter Lin
- Sunil V L
Owned by Tim Ouyang
About
OP-TEE (Open Portable Trusted Execution Environment) is an open-source TEE designed for secure software execution implemented according to the GlobalPlatform TEE Client API and TEE Internal Core API. This project fosters collaboration among RISE members and individuals to develop OP-TEE for RISC-V.
Project Scope and Timelines
- PoC implementation of OP-TEE OS and OpenSBI
- Run optee_test on QEMU virt (riscv64, dual-core)
- Run optee_test on Andes AE350 platform (QEMU and FPGA)
- Leverage domain context switching and
RPXYMPXY extension for OP-TEE SPD driver
- Add CI support for QEMU RV64 virt in OP-TEE OS
- Integrate U-Boot
- Support dynamic shared memory
Components and Repos
- https://gitlab.com/riseproject/riscv-optee/buildroot.git
- https://gitlab.com/riseproject/riscv-optee/optee_os.git
- https://gitlab.com/riseproject/riscv-optee/opensbi.git
- https://gitlab.com/riseproject/riscv-optee/u-boot.git
- https://gitlab.com/riseproject/riscv-optee/linux.git
QEMU Virt test environment
This implementation uses PMPs to isolate TEE and REE, no secure interrupt registered; software, timer and external interrupts will cause TEE managed exit to REE for interrupt handling.
Boot process overview:
Memory Layout:
| Address | Usage | |
|---|---|---|
| RAM | 0x1_7FFF_FFFF 0x0_F220_0000 | N/A |
| 0x0_F1FF_FFFF 0x0_F100_0000 (16MiB) | OP-TEE OS core & TA | |
| 0x0_8129_D800 0x0_8120_0000 (630KiB) | U-Boot proper load address | |
| 0x0_8015_FFFF 0x0_8014_0000 | OpenSBI (data) | |
| 0x0_8013_FFFF 0x0_8010_0000 | OpenSBI (text) | |
| 0x0_8000_A000 0x0_8000_0000 | U-Boot SPL | |
| MMIO | 0x0_0C5F_FFFF 0x0_0C40_0000 | PLIC |
| 0x0_0C3F_FFFF 0x0_0C00_0000 | PLIC | |
| 0x0_1000_0FFF 0x0_1000_0000 | UART | |
| 0x0_0200_FFFF 0x0_0200_0000 | CLINT |
How to build and run optee_test:
git clone https://gitlab.com/riseproject/riscv-optee/buildroot.git -b dev-optee-mpxy-v2 cd buildroot make qemu_riscv64_virt_optee_defconfig make ./output/images/start-qemu.sh # launch another terminal and connect to normal world telnet localhost 64320 # run 'xtest' or 'optee_example*' in the shell
Stakeholders and Partners
- RISE
- Andes Technology
- Yu Chien Peter Lin <peterlin@andestech.com>
- Alvin Che-Chia Chang <alvinga@andestech.com>
- Tim Ouyang <tim609@andestech.com>
- Andes Technology
Dependencies
- MPXY/RPMI Specification
- SBI_00_04 - Domain Context Switch Support
Measure of Success
- Support QEMU virt (riscv64) in OP-TEE OS
- Support OP-TEE SPD in OpenSBI
- Support SMC-like RISC-V ABI in Linux and U-Boot OP-TEE drivers
Future Work
- IOPMP: To allow domains to request access ownership of devices
- AIA/APLIC: Secure/Non-secure interrupt handling
- FF-A like ABI: Unified protocol used among Secure/Non-secure images (need to be standardised for RISC-V)
- SmMTT: Additional secure features e.g. memory isolation, assigning interrupts to domains, etc.
RISE Requirements
None