OPTEE_00_01 - OP-TEE support

About

OP-TEE (Open Portable Trusted Execution Environment) is an open-source TEE for secure software execution, implemented according to the GlobalPlatform TEE Client API and TEE Internal Core API. This project fosters collaboration among RISE members and individuals to develop OP-TEE for RISC-V.

Project Scope and Timelines

PoC implementation of OP-TEE OS and OpenSBI 
Run optee_test on QEMU virt (riscv64, dual-core)
Run optee_test on Andes AE350 platform (QEMU and FPGA) 
Leverage domain context switching and RPXY MPXY extension for OP-TEE SPD driver
Add CI support for QEMU RV64 virt in OP-TEE OS 
Integrate U-Boot
Support dynamic shared memory

Components and Repos

QEMU Virt test environment

This implementation uses PMPs to isolate the TEE from the REE. No secure interrupt is registered: software, timer and external interrupts cause a TEE-managed exit to the REE for interrupt handling.

Boot process overview:

Memory Layout:



Region  Address                                    Usage
------  -----------------------------------------  --------------------------
RAM     0x1_7FFF_FFFF - 0x0_F220_0000              N/A
RAM     0x0_F21F_FFFF - 0x0_F200_0000 (2MiB)       static shared memory
RAM     0x0_F1FF_FFFF - 0x0_F100_0000 (16MiB)      OP-TEE OS core & TA
RAM     0x0_8129_D800 - 0x0_8120_0000 (630KiB)     U-Boot proper load address
RAM     0x0_8015_FFFF - 0x0_8014_0000              OpenSBI (data)
RAM     0x0_8013_FFFF - 0x0_8010_0000              OpenSBI (text)
RAM     0x0_8000_A000 - 0x0_8000_0000              U-Boot SPL
MMIO    0x0_0C5F_FFFF - 0x0_0C40_0000              PLIC
MMIO    0x0_0C3F_FFFF - 0x0_0C00_0000              PLIC
MMIO    0x0_1000_0FFF - 0x0_1000_0000              UART
MMIO    0x0_0200_FFFF - 0x0_0200_0000              CLINT
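
The following is an added example, not code from the riscv-optee project. It shows how the two TEE regions in the memory layout above would be encoded if each were protected by a single NAPOT-mode PMP entry, and how a configuration audit can decode an entry and test whether an access falls inside it. The use of NAPOT mode is an assumption (the page does not say which PMP addressing mode the project uses), and the function names are hypothetical.

```c
/* Added example, not project code; assumes NAPOT-mode PMP entries. */
#include <stdint.h>
#include <stdio.h>
/* NAPOT needs a power-of-two size >= 8 and a base aligned to that size.
 * Returns 0 on success, -1 if the region cannot be one NAPOT entry. */
int napot_encode(uint64_t base, uint64_t size, uint64_t *pmpaddr)
{
    if (size < 8 || (size & (size - 1)) || (base & (size - 1)))
        return -1;
    /* pmpaddr holds address bits [55:2]; trailing 1s encode the size. */
    *pmpaddr = (base >> 2) | ((size >> 3) - 1);
    return 0;
}

/* Recover base/size from a NAPOT pmpaddr, as a configuration audit would. */
void napot_decode(uint64_t pmpaddr, uint64_t *base, uint64_t *size)
{
    unsigned ones = 0;
    while (ones < 60 && ((pmpaddr >> ones) & 1))
        ones++;                                 /* count trailing 1 bits */
    *size = 1ull << (ones + 3);
    *base = (pmpaddr & ~((1ull << ones) - 1)) << 2;
}

/* True only if [addr, addr+len) lies entirely inside the encoded region. */
int napot_covers(uint64_t pmpaddr, uint64_t addr, uint64_t len)
{
    uint64_t base, size;
    napot_decode(pmpaddr, &base, &size);
    return addr >= base && len <= size && addr - base <= size - len;
}

int main(void)
{
    /* Base and size values copied from the page's memory layout. */
    static const struct { const char *name; uint64_t base, size; } r[] = {
        { "OP-TEE OS core & TA",  0xF1000000ull, 16ull << 20 },
        { "static shared memory", 0xF2000000ull,  2ull << 20 },
        { "U-Boot proper",        0x81200000ull,  0x9D800ull },
    };
    for (unsigned i = 0; i < sizeof r / sizeof r[0]; i++) {
        uint64_t a;
        if (napot_encode(r[i].base, r[i].size, &a) == 0)
            printf("%-22s pmpaddr=0x%llx\n", r[i].name, (unsigned long long)a);
        else
            printf("%-22s not a single NAPOT region\n", r[i].name);
    }
    return 0;
}
```

Both TEE regions are size-aligned powers of two, so each fits one entry; the 630KiB U-Boot region is included only to show the rejection path.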

How to build and run optee_test:

    git clone https://gitlab.com/riseproject/riscv-optee/buildroot.git -b dev-optee-mpxy-v2
    cd buildroot
    make qemu_riscv64_virt_optee_defconfig
    make
    ./output/images/start-qemu.sh
    # launch another terminal and connect to normal world
    telnet localhost 64320
    # run 'xtest' or 'optee_example*' in the shell

Stakeholders and Partners

  • RISE

    • Andes Technology

      • Randolph Sheng-Kai Lin <randolph@andestech.com>

      • Alvin Che-Chia Chang <alvinga@andestech.com>

      • Tim Ouyang <tim609@andestech.com>

Dependencies

  • MPXY/RPMI Specification

  • SBI_00_04 - Domain Context Switch Support

Measure of Success

  • Support QEMU virt (riscv64) in OP-TEE OS

  • Support OP-TEE SPD in OpenSBI

  • Support SMC-like RISC-V ABI in Linux and U-Boot OP-TEE drivers

Future Work

  • IOPMP: To allow domains to request access ownership of devices

  • AIA/APLIC: Secure/Non-secure interrupt handling

  • FF-A-like ABI: Unified protocol used among Secure/Non-secure images (needs to be standardised for RISC-V)

  • SmMTT: Additional secure features e.g. memory isolation, assigning interrupts to domains, etc. 

RISE Requirements

None

Status



Dependency: MPXY/RPMI Specification

Development: ONGOING
URL: https://gitlab.com/riseproject/riscv-optee
Development Timeline: 1H 2024

Upstreaming: TBD
URL:
Upstream version:





Contacts

Tim Ouyang (Andes)




Updates




